The previously discussed FlowVisor

The previously discussed FlowVisor [55], which separates the network into disjunct slices
for controllers to manage, is a viable and practical approach. Although the presentation of
the software was performed with homogeneous NOX controllers, FlowVisor is theoretically
agnostic of the controller design due to the standardised OpenFlow communication protocol.
It might be feasible to implement diverse controllers as proposed in the threat vector approach (see Figure 4.1). Using distributed controllers for a single FlowVisor network slice it
is also possible to integrate further DoS robustness and the Replication aspect. FlowVisor,
however, is not able to operate multiple controller types on the same network slice without
introducing rule conflicts.
The hypervisor proposal CoVisor [108] addresses this problem and specifically focusses on
the deployment of different controller platforms and applications in the network in order to
provide administrators with the ability to select the best network applications and functions.
Using detailed access control the modification capabilities of the controllers are limited to
their dedicated purposes. Additionally, administrators can customise the control and topology view of the controller to limit the power of malicious or faulty devices. The project has
been published very recently in May 2015. Albeit an feasible concept, a full assessment of
its practicality is not possible yet.
If Diversity is present in the network the impact factor of individual vulnerabilities is
significantly reduced. Diversity specifically addresses the Denial of Service threat by reducing
the overall availability of switch and controller bugs to an attacker. The amount of security
holes and the resulting Tampering risk in the software might increase with different controller
types, but a software failure will not affect all network components. If a switch or controller
is incapacitated due to an attack, an immune device could theoretically take over the load in
the network and prevent Denial of Service. Additionally, Elevation of Privilege is limited as
the concurrent devices are restricted to only perform certain actions, as proposed in CoVisor.
It is achievable to utilise the FlowVisor mechanism to construct an architecture as described
in this chapter. However, the lack of current practical implementations impedes a proper
evaluation of the concept. Overall, negligence of controller interoperability and northbound
interface standardisation poses a potential future problem, which is currently circumvented
with the use of application hypervisors.
It might be a matter of debate, if a diverse system is a necessity when designing for security or if a homogeneous approach is not sufficient. In risk assessments such as CVSS [66]
homogeneous systems increase the severity of the environmental risk factor. On the other
hand high diversity might violate the Saltzer & Schroeder [64] principle of keeping the system simple. Many different controllers and switches in the network increase the complexity and
overall fault probability that SDN attempted to solve. A counterargument is the choice of
”best of breed applications” [108] to achieve maximum security and reliability. In summary,
Diversity is currently neglected in SDN and is not mandatory for security, but provides additional reliability, which could work in favour of the network. Nevertheless it is unlikely that
this principle can be fulfilled, as controller interoperability requires the same standardisation
process as the southbound interface. At this moment true diversity is not practical.