Both academic researchers and network vendors have started to promote Software-Defined Networking (SDN) as a new network paradigm, in which controller systems play a major role. A modular and extensible design allows network operators to extend the controller's functionality through so-called network services. Unfortunately, in current designs such network services have unlimited access to mandatory SDN resources, which enables different kinds of attacks. To retain control over network services (especially third-party ones), we adapt approved security mechanisms and propose a containment mechanism as well as a framework to ease containment configuration.
For both proposals, we provide proof-of-concept implementations for an open and industry-supported reference framework and thereby aim to improve security for a wide range of SDN controllers. Finally, our proposals achieve the ability to harden a mandatory SDN component (i.e., the SDN controller) and enable proactive security even against malicious network services.