1 The Data, Control and Management planes

Network devices perform 3 different operations:

  • Data plane ~> Process and forward the data in transit.

  • Control plane ~> Make forwarding decisions (where to forward the data).

  • Management plane ~> Enable the administrator, or the management system, to give commands and read information from the device.

1.1 The Data plane

The data plane is responsible for forwarding information. It receives instructions from the control plane, such as routing tables, and forwards packets from port to port. The forwarding tables are populated from various control plane functions.

The data plane is responsible for processing and delivering packets, so it is implemented on network interfaces and device CPUs.

Attacks on the forwarding table can be achieved by overloading the network.

Link flooding and Distributed Denial of Service (DDoS) attacks overload the network.

1.2 The Control Plane

In this plane, we determine how data should be forwarded in the data plane. This plane includes routing protocols (which exchange information between routers), multicast protocols, Quality of Service (QoS) protocols, and any other protocols that the network devices use to exchange information and make forwarding decisions. These protocols run in the control plane, and their result is a forwarding table that is built in the data plane. The control plane is part of the network device software, and it runs on the device’s CPU.

Typical attacks include loading the device resources (CPU, memory), confusing the protocols (sending fake routing updates to divert traffic), flooding device ARP caches (so that packets are forwarded in the wrong direction), and so on.

1.3 The Management Plane

The management plane is responsible for interacting with network devices. These can be interactions with a management system via protocols such as SNMP or NetFlow, REST APIs, or any other method the device supports, or human interactions via a CLI, a web interface or a dedicated client.

2 Virtualize Network Operations

SDN and NFV are technologies from the early 2010s that virtualize network operations.

2.1 Software-defined Network (SDN)

SDN separates the data plane from the control plane, creating a software-programmable network infrastructure that can be manually and automatically adapted to application requirements. SDN is a technology that came from enterprise networks and data centers.

2.1.1 Traditional Networking

In traditional networking, network devices exchange information with each other, learn the network topology, and forward packets.

  • In the control plane ~> Routing protocols exchange routing information between devices, check restrictions such as access control lists (ACLs) and QoS requirements, and fill in the routing tables.
  • In the data plane ~> From the routing table, the devices build the forwarding tables. Then, when a packet enters the router, the router forwards it according to the forwarding tables.

2.1.2 SDN Networking

In SDN, switches are simple devices that forward according to commands they receive from the network controller.

In this network, we have a central controller, which acts as the network’s brain. This network controller acts as the control plane for the entire network.

  1. When a new session is opened and packets are sent through the network, every switch receiving the first packet sends a request to the controller, asking how to forward it.

  2. Upon receiving the response, the switch stores it in its forwarding table. From now on, every matching packet is forwarded according to it without consulting the controller.

The above process is done through the southbound interface using protocols like OpenFlow or NETCONF.

Connections from the controller to the switches are established over the Transmission Control Protocol (TCP), preferably with Transport Layer Security (TLS).

On the northbound interface, the controller sends and receives information to and from SDN applications via standard APIs such as RESTful APIs.

An example of an SDN application is a ‘Software-Defined Wide Area Network’ (SD-WAN), which provides connectivity between remote sites over private and internet lines.

An SDN domain is all the devices under the same SDN controller. A network orchestrator is used to control multiple SDN domains. For example, when enterprise LANs are connected through a private SD-WAN service, there will be 3 controllers ~>

  • 2 controllers for the 2 LANs
  • 1 controller for the SD-WAN

The orchestrator controls the end-to-end connectivity.

2.1.3 Security breaches that can be used on an SDN network

  • Attacks on the connections between the controller and the SDN switches, which are implemented over a standard TCP connection with a standard port number.
  • Attacks on network controllers and orchestrators.
  • Attacks on data plane switches.

2.2 Network Function Virtualization (NFV)

NFV takes the concepts of computing virtualization to the networking world. The concept is that instead of using dedicated hardware for every networking function, we can use off-the-shelf (OTS) hardware along with standard virtual machines (VMs), where the network functions are software running on these VMs.

  • Linux containers ~> Here VMs are implemented as Linux containers, while the applications are installed on the container, together or separately.
  • Type 1 hypervisor ~> A type 1 hypervisor is installed directly over the hardware. Here we find the most common hypervisors, like VMware ESX/ESXi, Microsoft Hyper-V, and Citrix XenServer.
  • Type 2 hypervisor ~> It is installed over the host operating system. Here we find PC-based hypervisors like VMware Workstation, Microsoft Virtual PC, and Oracle VirtualBox.

2.2.1 NFV Architecture

Linux containers dominate the networking market in NFV. Let’s look at the architecture of an NFV deployment.

  • Computing hardware ~> This includes computing and storage resources.
  • Virtual resources ~> Resources that are allocated to the VMs.
  • Virtual Network Functions (VNFs) ~> The VMs and the applications installed on them (like routers, firewalls, core cellular components, and other network functionalities).
  • Element managers (EMs) ~> Manage the network’s functionality.
  • NFV management and orchestration (MANO), along with operation support systems (OSSes) and business support systems (BSSes).

3 Attacks

Let’s understand the potential threats, types of attacks, and their potential causes.

3.1 Attacks on the Internet

Attacks on the internet network itself are usually attacks that deny or slow down access to the internet, and attacks that divert traffic so that it reaches the destination through the attacker’s network or does not get there at all.

3.1.1 DoS and DDoS Attacks

DDoS attacks are a very wide range of attacks that intend to prevent users from using a service. A DDoS targeting the network can be, for example, a worm that generates traffic that blocks communication lines, or TCP sessions that are generated for attacking the routers that forward the traffic.

DDoS attacks on the internet can involve generating traffic to specific IP destinations, both from devices controlled by the attacker (direct attackers) and from 3rd party servers that are involuntarily used to reflect attack traffic (reflection attackers).

There are websites that show daily DDoS attacks as they happen.

3.1.2 Traffic Diversion

This type of attack involves making changes to the internet routers so the traffic is diverted through the attacker network.

This can be done by manipulating Border Gateway Protocol (BGP) announcements so that data is rerouted, for example by telling router A4 that B1 has a higher priority than C3.
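A defender-side check for the diversion described above, as an added example (not code from the original notes): received BGP announcements are compared against a table of which autonomous system is expected to originate each prefix, so that a foreign origin, or a more-specific prefix that would win longest-prefix matching and pull traffic away, is flagged. The expected-origin table, AS numbers and announcements are constructed sample data, and treating every more-specific announcement as suspicious is an assumed strict policy.

```python
import ipaddress

# Constructed expected-origin table: prefix -> set of AS numbers allowed to announce it
# (similar in spirit to a list of route origin authorizations; not real routing data).
EXPECTED_ORIGINS = {
    ipaddress.ip_network("203.0.113.0/24"): {64500},
    ipaddress.ip_network("198.51.100.0/24"): {64501, 64502},
}

def check_announcement(prefix, origin_as, expected=EXPECTED_ORIGINS):
    """Classify one received announcement.

    Returns 'valid', 'invalid-origin' (right prefix, unexpected origin AS),
    'invalid-more-specific' (a sub-prefix that would outrank the legitimate route
    in longest-prefix matching) or 'unknown' (prefix not covered by the table).
    """
    net = ipaddress.ip_network(prefix)
    for covered, origins in expected.items():
        if net.version != covered.version:
            continue  # subnet_of() cannot compare IPv4 with IPv6
        if net == covered:
            return "valid" if origin_as in origins else "invalid-origin"
        if net.subnet_of(covered):
            # Assumed strict policy: any more-specific announcement diverts traffic
            # from the expected route and is reported for review, whoever originates it
            return "invalid-more-specific"
    return "unknown"

def audit(announcements, expected=EXPECTED_ORIGINS):
    """Return the (prefix, origin AS, verdict) triples that would divert traffic."""
    findings = []
    for prefix, origin_as in announcements:
        verdict = check_announcement(prefix, origin_as, expected)
        if verdict.startswith("invalid"):
            findings.append((prefix, origin_as, verdict))
    return findings

# Constructed sample feed: one legitimate route, one foreign origin, one sub-prefix
SAMPLE_ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64500),
    ("203.0.113.0/24", 64666),
    ("198.51.100.128/25", 64501),
    ("192.0.2.0/24", 64500),
]
```

Running audit(SAMPLE_ANNOUNCEMENTS) reports the two diverting announcements and leaves the legitimate and the unknown one alone; a production check would also consult maximum prefix lengths rather than the strict rule assumed here.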

3.2 Attacks on Firewalls

This type of attack can be carried out by scanning the firewall to look for open ports, and then penetrating the internal network through such a port.

Another approach is crashing the firewall services so that it only continues to work as a router.

Attackers can also generate login attempts against the firewall’s VPN service to break into the secured network.

When the firewall management console is installed on an external device, make sure it is hidden from the internet and protected with strong passwords.

3.3 Attacks on Servers

  • DDoS attacks targeting the server.
  • Attacks on the software running on the server, such as HTTP, mail, IP telephony, file servers, databases, and others.

3.4 Attacks on LANs

  • Attacks on network devices ~> Overloading LAN switches and their CPUs so that they drop packets and eventually stop working.
  • Attacks on network protocols ~> Attacks on Spanning Tree Protocol (STP), attacks on ARP caches, and many others.
  • Network traffic analysis and eavesdropping.