From threats to solutions in data center networks [article]

Thimmaraju Kashyap, Technische Universität Berlin, Jean-Pierre Seifert, Stefan Schmid
In this dissertation we adopt a threat model where the data center network infrastructure is potentially malicious. To describe practical threats and solutions related to malicious switches, we draw our attention to multi-tenant data center networks that i) consolidate control over the (hardware and software) switches to a logically centralized controller and ii) use virtualization techniques for multi-tenancy. Our extensive security analyses and evaluations of the design, specifications and ... tems of logically centralized data center network controllers reveal the following. Malicious switches can covertly bypass network-wide security policies and mechanisms via the controller. We identify three reasons for the existence of such covert channels: i) malicious switches share the logical controller, ii) lack of authentication and authorization of switches to the controller and iii) introduction of automation and programmability of the network. These channels can be reliable (TCP-based) and fast (10 Mbps). As a result, malicious switches can launch several network-based attacks in the data center, e.g., to circumvent firewalls to access unauthorized data. Furthermore, our state transition and delay model of the switch-controller handshake allows us to design, implement and evaluate a covert timing channel that uses a frame-based transmission scheme for accurate and low-bandwidth (20 bps) communication, e.g., to exfiltrate private keys. We also initiate the discussion of practical countermeasures, e.g., coupling TLS with the switch-controller handshake for authentication. Next, our security analysis of network virtualization architectures that use virtual switches (a key system for enforcing network isolation in multi-tenant data center networks) sheds light on the following. Increasing network functionality in the virtual switch, coupled with co-locating it with the hypervisor and the lack of appropriate threat models, among other reasons, has resulted in an insecure design. An attacker can escape host and network vir [...]
doi:10.14279/depositonce-9702 fatcat:cjbtmr2jdraulbbp3hcsnfan3q