Security Features in a Hybrid Software-Defined Network

Abstract: The paper presents software-defined networking (SDN), a paradigm that differs significantly from traditional networks and opens new opportunities in the architecture and implementation of security solutions. The analysis of network environments compares traditional networks with software-defined networks and highlights the significant differences. A survey of the existing research covers attack vectors and their mitigation using the capabilities of SDN, with an emphasis on access control and on the detection and prevention of attacks. The paper draws on previous research and results to identify what can be used to improve the network protection of critical systems, compares it with the existing conventional approach, and shows how it can be implemented in a hybrid software-defined network.


INTRODUCTION
In traditional networks, the control plane and the forwarding (infrastructure) layer are tightly integrated into the physical devices. Security mechanisms, forwarding rules on routers and switching decisions on switches are likewise bound to the physical network infrastructure, which makes implementing changes across a large number of devices difficult and error-prone. Recent research suggests that SDN-based (software-defined networking) mechanisms enable greater flexibility, dynamically programmed behaviour and a reduction in operating costs.
SDN, as a new paradigm of network architecture, enables dynamic adaptation of the network environment to the current requirements of users and applications, simplifies management to a great extent and increases network scalability. An additional advantage of SDN is the ability to use network components from different vendors that support SDN protocols without device-specific knowledge, because the entire network environment is managed via the SDN controller. The basic components of the SDN architecture are the SDN controller, OpenFlow network devices and the OpenFlow protocol on the communication channel that connects them.
Traditional network security is often based on firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), access control, audits and ruleset management. Traditional firewall functions are built on a static set of rules with coarse granularity: traffic is filtered on the source or destination IP address and the TCP/UDP port. Such static mechanisms therefore lack flexibility and scalability. Another aspect of security is the management of access to network resources, which sets the appropriate permissions for users or devices connecting to the network [1][2][3].
On many devices it is very difficult to make frequent and rapid changes to network settings and device configurations in response to security or user requirements. When site-specific details are added to the mix, troubleshooting a traditional network becomes complicated. Once a perimeter security mechanism has been bypassed, the network is inadequately protected from the inside. Activities allowed within the network are not always properly authorized, so new solutions are required that make it possible to monitor and filter unwanted and unauthorized network traffic. This paper presents an overview of security solutions with an emphasis on access control, detection and intrusion prevention in the SDN environment. A software-defined network (SDN) is a network architecture that allows greater flexibility in achieving network security. The fact that in traditional networks the identification, authentication and authorization of users take place only when entering the network justifies the use of SDN elements to address this shortcoming. By adding SDN elements, all the advantages of traditional networks are retained while new possibilities are added by SDN. Such networks are called hybrid networks. Improving the current security mechanisms of a traditional VPN network is another motive for the research, which aims to implement a hybrid SDN in a real organizational environment so that external and unauthorized VPN users are prevented from accessing critical network resources. The main goal of this paper is to examine existing hybrid SDN implementations and how they can improve the security of a traditional network. A model with the characteristics of a hybrid SDN will be able to block unwanted traffic with the help of several SDN devices, which is one of the factors that can achieve a higher level of security.
One of the issues with existing security approaches is the inability to monitor and verify the identity of users after they have entered the protected part of the network. This refers in particular to insufficient control of legitimate, authorized users and their potentially unauthorized activities in systems holding critical data. Detecting and blocking unwanted activities is extremely important in enterprise systems; critical systems and infrastructure must be protected, and new solution models must be implemented in the existing environment. The implementation of a hybrid SDN can in fact improve the existing IDS and IPS systems.
The rest of the paper is organized in sections, where Section 2 presents an overview of network environments. A brief description of security SDN solutions and attack vectors is described in Section 3. Previous research on these topics is presented in Section 4, while the conclusion and guidelines for future research are presented in Section 5.

NETWORK ENVIRONMENTS
New technologies and devices are changing the modern networking concept. Traditional network paradigms are seen as overly static and require considerable effort to be physically changed and reconfigured. The SDN paradigm has emerged as a new approach to better cope with the exponential growth of data traffic, network virtualization and user mobility. SDN gives network administrators and operators programmatic control of the network, helping them add new features without compromising performance, reliability or user experience [4].
One of the goals of SDN is to enable the design of dynamic and programmable security controls that can operate in real time with little or no human interaction, provide access to legitimate users, protect systems from attacks and mitigate damage in the event of an attack. New controls and capabilities also lead to new types of attacks that did not exist in traditional networks [5].

Traditional Networks
In traditional networks, the characteristics of a device depend exclusively on its vendor. The control and infrastructure layers are coupled, which makes it difficult to develop and deploy new network features: doing so involves numerous protocols built into different hardware such as firewalls, routers and switches. A change in network state must be communicated to all other devices so that they can update their view of their neighbours. The complexity of today's networks makes it difficult to apply a consistent approach to security, QoS and other features [6][7].

Software-defined Network
Virtual networks are not a novelty; they have existed in various forms over the years, such as MPLS, VPN, ATM, Frame Relay and VLAN. SDN has emerged as a new networking paradigm that separates the network control layer from the infrastructure layer. The goal is to decouple the layers from specific hardware technologies and to provide centralized control, which significantly increases network agility. The layer separation allows the use of OpenFlow and other open protocols to program network switches and routers. Software-defined networks are designed to automate and radically simplify the management of computer networks, with a significant reduction in errors compared with manual operation.
It allows networks to connect directly to applications through application programming interfaces (APIs), improving performance and creating a flexible and dynamic network architecture that can be modified when necessary. Controllers can dynamically reconfigure the network to avoid congestion, implement new services, add virtual infrastructure, etc. [8][9]. Some of the main features of the SDN architecture include [10]:
a. Programmable management - control and configuration of the network are directly programmable because the forwarding function is decoupled from the control function, which allows very fast configuration, management, provisioning and optimization of network resources using automated programs.
b. Agility - abstracting forwarding control allows dynamic adjustment of traffic flows across the entire network.
c. Central management - network intelligence is centralized in SDN controllers that maintain a global view of the network.
d. Open standards - SDN is based on open standards, which simplifies network design and operation because SDN controllers use common protocols instead of vendor-specific ones.
The SDN architecture model presented in Fig. 2 is comprised of three layers connected via APIs:
a. The application layer consists of end-user applications that use SDN communication services.
b. The control layer provides consolidated control logic that decides how packets are forwarded.
c. The infrastructure layer consists of the network elements and devices that forward packets.
In the SDN architecture, layers are connected through APIs as shown in Fig. 2. The "southbound" interface allows a component of the network to communicate with a lower-level component, while "northbound" denotes communication with a higher-level component.
The application layer consists of end users and applications that use SDN network services. An SDN application may request changes to the configuration and operation of the network from the controller. Such network management requests are passed to the controller via the "northbound" API, and the same interfaces provide applications with an abstract view of the network. One of the most widely used northbound APIs is the REST API.
The SDN controller in the control layer is mainly responsible for two tasks: translating application-layer requirements into instructions for the infrastructure layer, and presenting an abstract model of the physical network to the application layer. The control layer is often referred to as a network operating system because it hosts the network management logic and provides the application layer with an abstract view of the global network. In an SDN environment, the controller uses APIs to communicate with the application layer, the infrastructure layer and other controllers. In a distributed controller architecture, controllers communicate with each other via the so-called "eastbound"/"westbound" APIs, which are used less often than the "northbound" and "southbound" APIs.
The infrastructure layer consists of packet-forwarding devices; its main function is to provide efficient forwarding mechanisms. Communication between the control and infrastructure layers takes place via the so-called "southbound" API, such as OpenFlow.
APIs are the key components of SDN. They make it a powerful tool for network management and provide programmability, protocol independence, the ability to change network parameters as needed, and elasticity. The control layer uses APIs to monitor, manage and facilitate communication with all other SDN layers. One of the advantages of SDN is that the APIs are open, vendor-neutral and interoperable [11][12][13][14][15].
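To make the southbound interface concrete, the following added example (written for this survey, not code from any controller project) encodes and decodes an OpenFlow 1.0 FLOW_MOD, the message with which a controller installs a rule in a switch's flow table. The field layout follows the OpenFlow 1.0 wire format; the addresses, ports and transaction ids are constructed for the example.

```python
"""Encode and decode an OpenFlow 1.0 FLOW_MOD, the southbound message with which
a controller programs a switch's flow table (added example, not a controller
library).  Addresses, ports and transaction ids are constructed.
"""
import struct
from ipaddress import IPv4Address

OFP_VERSION = 0x01
OFPT_FLOW_MOD = 14
OFPFC_ADD, OFPFC_DELETE_STRICT = 0, 4
OFPP_NONE, OFP_NO_BUFFER = 0xFFFF, 0xFFFFFFFF
OFPAT_OUTPUT = 0
ETH_IP = 0x0800

# ofp_flow_wildcards: a set bit means the field is not matched
OFPFW_DL_TYPE, OFPFW_NW_PROTO, OFPFW_TP_DST = 1 << 4, 1 << 5, 1 << 7
OFPFW_NW_SRC_SHIFT, OFPFW_NW_DST_SHIFT = 8, 14   # 6-bit fields: 0 = exact, >=32 = any
OFPFW_ALL = (1 << 22) - 1

HDR = struct.Struct("!BBHI")                  # version, type, length, xid
MATCH = struct.Struct("!IH6s6sHBxHBBxxIIHH")  # ofp_match, 40 bytes
BODY = struct.Struct("!QHHHHIHH")             # cookie .. flags, 24 bytes
ACT_OUT = struct.Struct("!HHHH")              # type, len, port, max_len


def build_flow_mod(*, xid, priority, out_ports=(), command=OFPFC_ADD, nw_src=None,
                   nw_dst=None, nw_proto=None, tp_dst=None, idle_timeout=0, hard_timeout=0):
    """Return the FLOW_MOD bytes.  No output action means matched traffic is dropped."""
    wc, src, dst = OFPFW_ALL, 0, 0
    l3 = any(v is not None for v in (nw_src, nw_dst, nw_proto, tp_dst))
    if l3:
        wc &= ~OFPFW_DL_TYPE          # L3/L4 fields are only matched when dl_type is IP
    if nw_src is not None:
        wc &= ~(0x3F << OFPFW_NW_SRC_SHIFT)
        src = int(IPv4Address(nw_src))
    if nw_dst is not None:
        wc &= ~(0x3F << OFPFW_NW_DST_SHIFT)
        dst = int(IPv4Address(nw_dst))
    if nw_proto is not None:
        wc &= ~OFPFW_NW_PROTO
    if tp_dst is not None:
        wc &= ~OFPFW_TP_DST
    match = MATCH.pack(wc, 0, b"\0" * 6, b"\0" * 6, 0, 0, ETH_IP if l3 else 0,
                       0, nw_proto or 0, src, dst, 0, tp_dst or 0)
    actions = b"".join(ACT_OUT.pack(OFPAT_OUTPUT, ACT_OUT.size, p, 0) for p in out_ports)
    body = BODY.pack(0, command, idle_timeout, hard_timeout, priority,
                     OFP_NO_BUFFER, OFPP_NONE, 0)
    length = HDR.size + MATCH.size + BODY.size + len(actions)
    return HDR.pack(OFP_VERSION, OFPT_FLOW_MOD, length, xid) + match + body + actions


def parse_flow_mod(data: bytes) -> dict:
    """Decode a FLOW_MOD: what the switch (or anyone able to read the control
    channel) sees."""
    version, mtype, length, xid = HDR.unpack_from(data, 0)
    if version != OFP_VERSION or mtype != OFPT_FLOW_MOD or length != len(data):
        raise ValueError("not a well-formed OpenFlow 1.0 FLOW_MOD")
    (wc, _in_port, _dl_src, _dl_dst, _vlan, _pcp, dl_type, _tos, nw_proto,
     src, dst, _tp_src, tp_dst) = MATCH.unpack_from(data, HDR.size)
    _cookie, command, idle, hard, prio, _buf, _out, _flags = BODY.unpack_from(
        data, HDR.size + MATCH.size)
    out_ports, off = [], HDR.size + MATCH.size + BODY.size
    while off < length:
        atype, alen, port, _max_len = ACT_OUT.unpack_from(data, off)
        if alen < ACT_OUT.size:
            raise ValueError("malformed action length")
        if atype == OFPAT_OUTPUT:
            out_ports.append(port)
        off += alen

    def exact(bit):
        return (wc & bit) == 0

    def ip_exact(shift):
        return ((wc >> shift) & 0x3F) == 0

    return {"xid": xid, "command": command, "priority": prio,
            "idle_timeout": idle, "hard_timeout": hard,
            "dl_type": dl_type if exact(OFPFW_DL_TYPE) else None,
            "nw_src": str(IPv4Address(src)) if ip_exact(OFPFW_NW_SRC_SHIFT) else None,
            "nw_dst": str(IPv4Address(dst)) if ip_exact(OFPFW_NW_DST_SHIFT) else None,
            "nw_proto": nw_proto if exact(OFPFW_NW_PROTO) else None,
            "tp_dst": tp_dst if exact(OFPFW_TP_DST) else None,
            "out_ports": out_ports, "drop": not out_ports}


if __name__ == "__main__":
    msg = build_flow_mod(xid=7, priority=200, nw_src="10.0.0.5", nw_proto=6, tp_dst=22)
    print(len(msg), "bytes:", parse_flow_mod(msg))
```

Two points worth noting from the format itself: a rule with no action list is a drop rule, which is how a controller blocks a source, and the message carries no integrity or authentication field of its own, so whoever can write to the control channel can change the priority or the output ports. OpenFlow relies on TLS on the channel for that protection.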

Hybrid Software-defined Network
A network that combines SDN and traditional network devices is commonly referred to as a hybrid SDN network. It offers numerous advantages and represents a transitional step towards full adoption of SDN. A hybrid SDN network combines traditional networking and SDN protocols operating in the same environment and allows new SDN technologies such as the OpenFlow protocol to be introduced into traditional environments without a complete redesign of the network architecture. A complete, untested switch of the network to SDN poses a high risk in terms of performance and security. In addition, SDN network components require large financial resources, and replacing relatively new traditional network devices is considered unprofitable [16]. Hybrid SDN networks offer a number of advantages [17][18][19][20]:
a. They reduce financial cost, because implementing a complete SDN network is very expensive and additional investment is needed in training, design, configuration and operation of the SDN network.
b. They make it possible to take advantage of part of the SDN paradigm without implementing a full SDN network. The access network can use legacy devices while the distribution network uses SDN devices; most packet forwarding in the access network is then handled by legacy devices, while the SDN devices in the distribution network provide the SDN benefits. To ensure a smooth and controlled transition, it is recommended to initially move only a small portion of non-critical traffic to SDN.
c. SDN allows fine-grained control of data flows. If such control is required for only a small part of the network, a hybrid SDN network can be implemented there while the rest of the network uses traditional networking.
d. Traditional routing protocols are very effective for some tasks, such as connecting SDN controllers that control different parts of the network. A hybrid SDN network can therefore relieve the SDN controller of tasks that traditional routing protocols perform efficiently.
e. SDN devices are not as mature as traditional network devices. A hybrid SDN network eases the transition from legacy to SDN devices; more and more SDN devices can be deployed gradually while SDN performance is evaluated.
f. A hybrid network solves the problem of connecting two separate SDN networks via traditional network devices.
Fig. 3 depicts SDN network devices connected with traditional devices and functionally belonging to both the control and the infrastructure layer. There are several possible hybrid SDN models, described in [17,21]:
a. A topology-based model, where the network is divided into zones so that each node belongs to only one zone, traditional or SDN.
b. A service-based model, where services are divided between the traditional and the SDN part of the network. To implement some services, such as network-wide forwarding, certain nodes may belong to both paradigms.
c. A traffic-based model, where traffic is classified and divided into traditionally controlled and SDN-controlled traffic.
d. An integrated model, where SDN is responsible for all network services and uses traditional protocols as the packet-forwarding interface.
A hybrid SDN network is a possible migration path from the traditional network to a complete SDN architecture. Tab. 1 shows the main differences among the three types of network discussed in the previous parts of this paper.

SECURITY FEATURES AND ATTACK VECTORS IN SOFTWARE DEFINED NETWORK
Numerous security issues of the traditional network architecture are also found in the SDN architecture, which is exposed to various security risks from a design perspective because it comprises the application, control and infrastructure layers. One of the most significant risks is an attack on the SDN controller in the control layer, which is very sensitive to denial-of-service (DoS) attacks. Compromised SDN switches can generate a large number of requests to the SDN controller and potentially cause delays or non-execution of requests. Unprotected applications in the application layer are at high risk of manipulation and of reprogramming the network traffic flow. Communication between the control and infrastructure layers is susceptible to so-called "man-in-the-middle" attacks, in which the rules sent from the SDN controller to the switches can be modified to take control of the packet-forwarding function [22]. For effective security, overall visibility needs to be provided, which includes:
a. Information on each system user.
b. An overview of each digital conversation.
c. Knowing which state is normal.
d. Information on each change in the system.
e. Quick response to security threats.
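The request flood from a compromised switch described above is one risk a controller application can guard against itself. The following added example (not code from [22] or from any controller project) rate-limits PACKET_IN handling per switch with a token bucket and quarantines a switch that keeps exceeding its budget by installing a lowest-priority catch-all drop rule, so that table misses are dropped on the switch instead of reaching the control channel. The rates, thresholds and the event stream are constructed, and the rule is a plain dict rather than a real controller API.

```python
"""Controller-side guard against PACKET_IN floods from a compromised switch
(added example; not code from the surveyed papers or any controller project).

Each switch (datapath id) gets a token bucket.  PACKET_INs beyond the budget are
discarded before any expensive handling, and a switch that keeps exceeding it is
quarantined with a priority-0 wildcard drop rule.  Rates, thresholds and the
event stream are constructed; the rule is a plain dict.
"""
from collections import Counter


class TokenBucket:
    def __init__(self, rate: float, burst: float):
        self.rate, self.burst = rate, burst       # tokens per second, bucket size
        self.tokens, self.last = float(burst), None

    def take(self, now: float) -> bool:
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class PacketInGuard:
    def __init__(self, rate=20.0, burst=20, quarantine_after=100):
        self.rate, self.burst, self.quarantine_after = rate, burst, quarantine_after
        self.buckets = {}
        self.processed, self.dropped = Counter(), Counter()
        self.quarantined = set()
        self.rules = []       # rules the controller would push

    def handle(self, dpid: int, now: float) -> str:
        """Classify one PACKET_IN from switch `dpid` arriving at time `now`."""
        if dpid in self.quarantined:
            return "quarantined"
        bucket = self.buckets.setdefault(dpid, TokenBucket(self.rate, self.burst))
        if bucket.take(now):
            self.processed[dpid] += 1       # normal path: hand to the controller apps
            return "processed"
        self.dropped[dpid] += 1
        if self.dropped[dpid] >= self.quarantine_after:
            self.quarantined.add(dpid)
            # Lowest-priority wildcard rule with no actions: table misses are
            # dropped on the switch instead of generating PACKET_INs.
            self.rules.append({"dpid": dpid, "priority": 0, "match": {},
                               "actions": [], "hard_timeout": 300})
        return "dropped"


def run_demo():
    guard = PacketInGuard()
    # Constructed stream: switch 1 behaves (5 new flows per second for 3 s),
    # switch 2 bursts 500 PACKET_INs at the same instant, t = 10 s.
    for t in (0.0, 1.0, 2.0):
        for _ in range(5):
            guard.handle(1, t)
    outcomes = Counter(guard.handle(2, 10.0) for _ in range(500))
    return guard, outcomes


if __name__ == "__main__":
    g, o = run_demo()
    print(dict(o), "quarantined:", sorted(g.quarantined))
```

The quarantine rule is deliberately blunt: it also stops legitimate new flows on that switch until the timeout expires, which is the trade-off between protecting the controller and keeping one switch fully functional. In a hybrid network the legacy devices around it keep forwarding in the meantime.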
A hybrid SDN is a transitional form between a traditional and a fully software-defined network that brings the existing traditional network the numerous benefits mentioned in Section 2.3.
The controller is a particularly attractive target for attacks, as it is an indispensable part of the SDN architecture. Without a robust, secure controller platform, unauthorized access to and exploitation of network resources allow an attacker to take control of the controller and carry out malicious activities. In the past, such attacks targeted DNS servers, but an attack on the SDN controller could cause much more damage. In [23], the authors demonstrated the feasibility of attacking controllers from the data plane by implementing and testing a "fingerprinting" technique for the SDN controller, with the primary goal of emphasizing the need for strong controller security. Because SDN introduces open-source interfaces and known protocols that simplify programming, the network itself can be used to locate an attacker, as presented in [24], where in a hybrid SDN the attacker is detected by analyzing the ARP requests from the source. A graph-based switching mechanism is also used to locate the attacker by checking against legitimate users. The good side of the SDN architecture from a security standpoint is that it supports and enables a very fast cycle of monitoring, analysis, reaction and response to a security attack. From a security perspective, SDN enables:
a. Network forensics: fast and (pre-set) adaptive identification and management of security threats through a cycle of gathering information from the network, analysis and security policy updates, after which the network functionality is easily reprogrammed and optimized.
b. Security policy change: security policy can be defined and enforced on all elements of the network infrastructure, reducing the frequency of misconfigurations and conflicting policies across the infrastructure.
c. New security services implementation: security services such as firewalls and intrusion detection systems (IDS) can be applied to specific network traffic according to the organization's rules.
Bearing all of the above in mind, SDN security will only be as good as its security policy. Existing authentication and authorization mechanisms may address some aspects of the security challenge, but new threat detection and protection techniques need to be developed further [25].

SURVEY OF THE PREVIOUS RESEARCH
This section surveys the research conducted so far on software-defined networks, their implementation, troubleshooting and applied solutions. It analyzes various aspects of attack mitigation and compares some of the approaches proposed in previous research to increase the security of the SDN architecture. When the advantages of SDN and its layered architecture are considered, the main strength of the SDN architecture, programmability, is at the same time its most exposed aspect, the one exploited in security attacks. This basic feature cannot simply be removed, as that would undo the fundamental function of SDN. The section also analyzes and compares the approaches proposed in previous research to increase security and address specific security issues using the SDN architecture. Access control and intrusion detection and prevention for network elements and network-connected systems are the areas observed.

Access Control
The business environment requires traffic management based on the role of the user, such as limiting access to some resources for users with limited privileges. Traditional policy management requires constant maintenance of the configuration of many network nodes. This calls for a solution that simplifies configuration on the basis of an abstract view of the network architecture, with the help of SDN. User identities should be considered not only at the application level but also at the network level. Martinez-Julia et al. addressed the identity issue in their SDN research [26][27], which describes an identity-based network architecture that places digital identity at the centre of communication. This architecture adds new features to the network, such as user identification, management and authentication, and encryption. It is implemented in a higher layer of the network and allows entities to connect without the need for IP addresses. Alsmadi et al. [28] propose a global, central access control system built on SDN that gives all legitimate users exactly the level of access they should have while preventing illegitimate users or requests from reaching internal resources. Their proposal reduces inconsistencies in decision-making between the different decision points of access control. Paladi et al. [29] propose an SDN infrastructure that allows applications to issue a range of resource access requests. Jager [30] proposes an access control system that restricts applications and the SDN controller to a reduced set of critical operations, so that the security of end-user SDN traffic can be significantly improved. The most common standard for user access control and authorization on access-network interfaces, the IEEE 802.1X framework, can be carried over from traditional switches into SDN. The FlowIdentity protocol presented by Yakasai et al. [31] and AuthFlow [32] by Mattos et al. both use the 802.1X framework in the SDN architecture. FlowIdentity is a network access control solution that combines 802.1X with a novel authorization method, a stateful role-based firewall on OpenFlow switches, implemented by separating the authentication function: the authenticator entity is moved to and centralized on the SDN controller, while port control (and the logical interfaces) remain on the switches. The main concept of AuthFlow is authentication using infrastructure-layer protocols and pairing user identities with the data flows they create in the network; the mechanism therefore applies the IEEE 802.1X standard and EAP (Extensible Authentication Protocol). Nayak et al. [33] proposed Resonance, a model for dynamic network access control. Their research indicated that managing dynamic access control in SDN is easier than in traditional networks: access control is enforced on the basis of real-time flow information and alerts, and the monitoring subsystems are integrated with the SDN controller. Allouzi et al. [34] proposed the SafeFlow protocol, designed to authenticate the SDN switch to the controller each time the switch requests access to a classified resource. Casado et al. [35] introduced a new network architecture called Ethane, which manages the network so that no communication between end devices is allowed without explicit permission.
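The common thread of FlowIdentity, AuthFlow and Ethane is that an authenticated identity, not an address, decides which flows a switch port may carry. The following added example (written for this survey; not the projects' own code) models that at the controller: an 802.1X success binds a user to a switch port and MAC address, and the first packet of every new flow is checked against a role policy before an allow or drop rule is generated. The users, roles, addresses and the dict-based rule format are constructed.

```python
"""Identity-to-flow access control on OpenFlow switches (added example, not
code from FlowIdentity, AuthFlow or Ethane).  Users, roles, addresses and the
rule format are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ETH_IP, ETH_ARP, ETH_EAPOL = 0x0800, 0x0806, 0x888E
TCP, UDP = 6, 17
ALLOW, DROP, TO_AUTHENTICATOR = ["NORMAL"], [], ["CONTROLLER"]

# Assumed policy: role -> allowed (destination network, IP protocol, destination port)
ROLE_POLICY = {
    "engineer": [("10.10.0.0/16", TCP, 22), ("10.20.0.0/24", TCP, 443)],
    "guest": [("203.0.113.0/24", TCP, 443)],
}
USER_ROLE = {"alice": "engineer", "bob": "guest"}   # assumed directory data


@dataclass(frozen=True)
class PacketIn:
    dpid: int
    in_port: int
    src_mac: str
    eth_type: int
    src_ip: str = ""
    dst_ip: str = ""
    proto: int = 0
    dst_port: int = 0


class IdentityAcl:
    def __init__(self):
        self.sessions = {}    # (dpid, in_port, mac) -> user, set on EAP-Success
        self.installed = []   # rules this controller app would push to switches

    def on_auth_success(self, dpid, in_port, mac, user):
        self.sessions[(dpid, in_port, mac)] = user
        # Drop rules installed while the port was unauthenticated must go, or they
        # would silently eat the user's traffic until they time out (a real
        # controller would send an OFPFC_DELETE for each of them).
        self.installed = [r for r in self.installed
                          if not (r["dpid"] == dpid and r["actions"] == DROP
                                  and r["match"].get("in_port") == in_port
                                  and r["match"].get("dl_src") == mac)]

    def on_logoff(self, dpid, in_port, mac):
        self.sessions.pop((dpid, in_port, mac), None)

    def _rule(self, pkt, actions, **match):
        rule = {"dpid": pkt.dpid,
                "priority": 100 if actions else 50,
                "match": {"in_port": pkt.in_port, "dl_src": pkt.src_mac, **match},
                "actions": actions,     # an empty action list means drop
                "idle_timeout": 60}
        self.installed.append(rule)
        return rule

    def decide(self, pkt: PacketIn) -> dict:
        """Decide the flow rule for the first packet of a new flow."""
        if pkt.eth_type == ETH_EAPOL:       # the 802.1X handshake must always pass
            return self._rule(pkt, TO_AUTHENTICATOR, dl_type=ETH_EAPOL)
        user = self.sessions.get((pkt.dpid, pkt.in_port, pkt.src_mac))
        if user is None:                    # uncontrolled port: drop everything else
            return self._rule(pkt, DROP)
        if pkt.eth_type == ETH_ARP:
            return self._rule(pkt, ALLOW, dl_type=ETH_ARP)
        if pkt.eth_type != ETH_IP:
            return self._rule(pkt, DROP, dl_type=pkt.eth_type)
        dst = ip_address(pkt.dst_ip)
        for net, proto, port in ROLE_POLICY.get(USER_ROLE.get(user, ""), []):
            if dst in ip_network(net) and pkt.proto == proto and pkt.dst_port == port:
                # The allow rule is scoped to the authenticated (port, MAC, IP) and
                # the exact destination, so it cannot be reused for anything else.
                return self._rule(pkt, ALLOW, dl_type=ETH_IP, nw_src=pkt.src_ip,
                                  nw_dst=pkt.dst_ip, nw_proto=proto, tp_dst=port)
        return self._rule(pkt, DROP, dl_type=ETH_IP, nw_dst=pkt.dst_ip,
                          nw_proto=pkt.proto, tp_dst=pkt.dst_port)
```

The binding is to (switch, port, MAC), which is what 802.1X itself gives you; on shared media a second host can spoof the MAC of an authenticated one, so the allow rules are kept narrow and short-lived rather than opening the whole port.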

Intrusion Detection Systems
The survey of existing research reveals new proposals for the use of SDN and new possibilities for intrusion detection mechanisms. The detection of intrusions and attacks on controllers and the control layer is specific to the SDN environment. Despite these novel security vulnerabilities, SDN creates new opportunities to implement more effective intrusion detection methods. Thanks to the openness of platforms that support SDN technologies, existing data collection mechanisms and protocols can be used as data sources for SDN intrusion detection algorithms.
Jankowski et al. [36] describe an intrusion detection method integrated with an SDN controller, in which unauthorized activities performed in the SDN environment are classified. Some IDSs are designed as a service that seeks to detect malicious traffic and keep it away from gateways and from compromising network elements; such systems are built around centralized functions to ease control [37][38]. Ajaeiya et al. [39] developed a method that detects different attacks by exploiting SDN's ability to measure traffic flow statistics: it periodically collects flow statistics from OpenFlow switches and analyzes the obtained data. The proposed IDS for SDN was able to detect malicious traffic with high accuracy. Latah et al. [40] achieved higher accuracy and precision of intrusion detection by combining flow-based and packet-based IDS approaches. Some research aims to increase the security of the SDN environment by building an IDS on machine learning principles, as proposed by Vetreslevi et al. [41]: real-time traffic is monitored for intrusion detection, and the IDS is divided into two phases, the first for attack detection and the second for categorization. This approach reduces the load on the controller while keeping a high attack detection rate. Honeypots are a type of active defensive security technology that is expected to be attacked. SDN approaches with honeypots were presented by Wang et al. [42] and Fan et al. [43]. These systems can simulate a large and realistic network to attract attackers, redirect intrusions to honeypots and provide further analysis. The SDN approach improves on existing honeypot technologies, whose mechanisms are conspicuous and easily detected by attackers. The SDN controller allows users to configure their own traffic-handling rules, which forward or redirect traffic to the appropriate honeypots depending on the type of alert.

Intrusion Prevention Systems
Similar to an IDS, an IPS monitors networks and systems for malicious activity or security policy violations and takes steps to mitigate them. An IPS stands for reliability and security in a network system and is considered one of the most popular security devices. In a traditional network architecture, IPSs must be deployed at the ingress and egress of each branch of the internal network, even at the ingress and egress of each subnet, to protect the data and devices in the internal network. The high cost of such a deployment and the low utilization of each individual IPS are the reasons this approach is abandoned. An SDN-based IPS implementation can reduce the cost of deploying IPS, improve utilization and provide a higher level of security. To reduce implementation and maintenance costs compared with the traditional design and number of IPS systems, Zhang et al. [44] propose an IPS implementation based on the SDN/OpenFlow architecture. Implementation in the SDN environment improves the response time (ping) of network devices as well as the utilization of individual IPSs. An SDN with the so-called adaptive IPS [45] can detect attacks and block advanced persistent threats based on the frequency and type of attack, using fuzzy logic. Ammar et al. propose an IPS framework [46] that integrates with host security software and can use any security device that supports remote system logging. The control unit of the proposed framework consists of an agent and a log server integrated with the SDN controller. The security solution is independent of the SDN controller and allows greater scalability. The proposed framework demonstrates the ability to detect security threats and block an attacker at the network edge. Among the most common network attacks are denial-of-service (DoS) and distributed DoS (DDoS) attacks.
To prevent these attacks, the authors in [47] propose distributed firewall and IPS modules on SDN switches that inspect packets entering the framework. In [48] the authors use the existing Snort IDS to obtain attacker information and show that denial-of-service attacks can be monitored and mitigated by combining SDN security mechanisms, while the authors in [49] use a hybrid model of two machine learning methods (SVM and SOM) to improve the accuracy of DDoS attack detection over either method alone. Neu et al. [50] present an SDN solution to prevent port scan attacks. They used the statistics collected in SDN networks and updated the OpenFlow forwarding rules when a port scan was observed. The experimental evaluation indicated that the method is effective in detecting malicious data flows with the help of statistics, with a decrease in false positives. Some improvements to the existing IDS/IPS system were presented in a study by Xing et al. [51]: a complete SDN-based attack detection and prevention solution called SDNIPS, which utilizes Snort's detection capabilities together with the flexible SDN network configuration. The evaluation indicated better performance and efficiency compared with traditional approaches. Nam et al. [52] propose a structure to improve the security function of SDN that performs intrusion detection and automatic blocking by monitoring the detection results of existing open-source IDS/IPS software. When an attack is detected, the controller sends OpenFlow commands to the network device, the firewall function is activated and the intrusion is automatically blocked. Birkinshaw et al. [53] showed in their study that a packet can be dropped immediately when an attack is detected with the help of SDN. The system was designed, implemented and tested, and is based on traffic anomalies. Two types of algorithm were used: Credit-Based Threshold Random Walk (CB-TRW) and Rate Limiting (RL). They also introduced the Port Bingo (PB) port scan detection technique. The experimental results showed that port scans and DoS attacks can be detected and prevented in real time. The false-positive rate can be kept low enough by adjusting the threshold parameters of the attack detection algorithms.
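The flow-statistics IDS of Ajaeiya et al. in the previous subsection and the port-scan prevention of Neu et al. and Birkinshaw et al. above share one loop: observe per-source connection behaviour at the controller, decide, and push a rule. The following added example (written for this survey, not the papers' own code) implements that loop with a Threshold Random Walk detector, the sequential hypothesis test behind CB-TRW, over first-contact connection attempts, adds a distinct-destination-port limit as a simple rate-limit style second signal, and emits an OpenFlow-style drop rule for a detected scanner. The attempts are constructed, and whether each first contact succeeded is assumed to be known from the SYN/SYN-ACK pairs the controller sees.

```python
"""Threshold Random Walk (TRW) port-scan detection at an SDN controller with an
OpenFlow-style drop rule for a detected scanner (added example, not code from
the surveyed papers).  Attempts are constructed; success of each first contact
is assumed to be derived from SYN / SYN-ACK pairs observed by the controller.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Attempt:
    src: str
    dst: str
    dport: int
    succeeded: bool


class TrwScanDetector:
    def __init__(self, theta0=0.8, theta1=0.2, alpha=0.01, beta=0.99,
                 max_distinct_ports=15):
        # theta0 / theta1: probability that a first contact from a benign / scanning
        # host succeeds; alpha / beta: tolerated false-positive rate and detection power.
        self.eta1 = beta / alpha                     # reach this -> scanner (99)
        self.eta0 = (1 - beta) / (1 - alpha)         # fall to this -> benign (~0.0101)
        self.w_success = theta1 / theta0             # each success multiplies by 0.25
        self.w_failure = (1 - theta1) / (1 - theta0) # each failure multiplies by 4.0
        self.max_distinct_ports = max_distinct_ports # assumed rate-limit style cap
        self.lam = defaultdict(lambda: 1.0)          # likelihood ratio per source
        self.first_contacts = defaultdict(set)       # src -> {(dst, dport)}
        self.verdict = {}
        self.rules = []                              # drop rules to push

    def observe(self, a: Attempt) -> str:
        """Feed one connection attempt; return 'pending', 'benign' or 'scanner'."""
        if self.verdict.get(a.src) == "scanner":
            return "scanner"
        key = (a.dst, a.dport)
        if key in self.first_contacts[a.src]:
            return self.verdict.get(a.src, "pending")   # repeats carry no evidence
        self.first_contacts[a.src].add(key)
        self.lam[a.src] *= self.w_success if a.succeeded else self.w_failure
        ports = {p for _, p in self.first_contacts[a.src]}
        if self.lam[a.src] >= self.eta1 or len(ports) > self.max_distinct_ports:
            self.verdict[a.src] = "scanner"
            self.rules.append({"priority": 200,
                               "match": {"dl_type": 0x0800, "nw_src": a.src},
                               "actions": [], "hard_timeout": 600})  # no actions = drop
        elif self.lam[a.src] <= self.eta0:
            self.verdict[a.src] = "benign"
            self.lam[a.src] = 1.0   # restart the walk so later scanning is still caught
        return self.verdict.get(a.src, "pending")


def run_demo() -> TrwScanDetector:
    det = TrwScanDetector()
    # Constructed: 10.0.0.5 opens four real sessions; 10.0.0.99 sweeps ports on
    # 10.0.1.10 and every first contact fails.
    attempts = [
        Attempt("10.0.0.5", "10.0.1.10", 443, True),
        Attempt("10.0.0.99", "10.0.1.10", 21, False),
        Attempt("10.0.0.99", "10.0.1.10", 22, False),
        Attempt("10.0.0.5", "10.0.1.20", 22, True),
        Attempt("10.0.0.99", "10.0.1.10", 23, False),
        Attempt("10.0.0.5", "10.0.1.30", 80, True),
        Attempt("10.0.0.99", "10.0.1.10", 25, False),   # 4th failure: 4**4 >= 99
        Attempt("10.0.0.5", "10.0.1.40", 443, True),    # 4th success: 0.25**4 <= eta0
        Attempt("10.0.0.5", "10.0.1.10", 443, True),    # repeat, ignored
        Attempt("10.0.0.99", "10.0.1.10", 80, False),   # already blocked
    ]
    for a in attempts:
        det.observe(a)
    return det


if __name__ == "__main__":
    d = run_demo()
    print(d.verdict, d.rules)
```

With these parameters four failed first contacts are enough to cross eta1, while three are not; tightening alpha raises eta1 and trades detection speed for fewer false positives, which is the threshold tuning the studies above describe. Because each drop rule is keyed on nw_src, a scanner that spoofs addresses is not stopped by it; that is the case where the distinct-port counter on the victim side, or the controller-side PACKET_IN guard, is the more useful signal.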

CONCLUSION
The SDN paradigm brings advantages and improves network security through dynamic and centralized flow control, a global network view, network programmability, data-plane simplification, etc. The software-defined network is a next-generation network technology whose innovations open extensive research topics in network security. Today's networks presuppose a traditional topology with a logical network boundary and a single entry/exit point. In this approach, various security devices such as firewalls, IDS, IPS and SIEM systems are usually deployed directly at the entrance to the network, but network security also depends on access control mechanisms and user authentication. Software-defined networks (SDNs) are broadly accepted in enterprise networks, so gradually placing several SDN devices among the devices of a traditional network creates a hybrid SDN network and adds the new features supported by SDN devices. The survey of the available literature focused on the set of security aspects applied to SDN.
Access control and firewalls coupled with intrusion detection and prevention systems in the SDN environment can improve overall security. In addition, the security mechanisms of SDN have demonstrated that SDN is a technology that can successfully overcome the existing flaws of a traditional network through programmability, conditional real-time response, central monitoring and a global network view. Even though firewalls and IPS still play an important role in protecting the network and its systems, novel threats require a solution that can protect the network at as many layers as possible. Inadequate hardware and the scalability issues of traditional approaches can be overcome by a hybrid SDN architecture. Each new major security implementation will probably include SDN capabilities. Based on the existing research and analysis, it can be concluded that network security can be improved with appropriate SDN mechanisms. From the control point, the entire network can be monitored, as well as applications, data, user and device identities and overall network behaviour. SDN analysis tools can use information coming from all devices on the network, not just security devices, to find security threats and respond to them better.
The contribution of this paper is the confirmation that the efficient use of SDN devices improves network security. Programmability, one of the main advantages of this network architecture, allows changes in real time according to user requirements or to a changing environment. Vendor independence, freedom in the programming model, standardized API queries and centralized control are also the advantages and benefits of a hybrid software-defined network. This does not change the function of the network but introduces a great novelty at the level of device programmability because, as the name suggests, the network is defined by software from a central location with an overall view of the network. The current way of configuring network devices is highly error-prone; it can be fully automated and the errors minimized.
Based on the surveyed research and results, future research will focus on monitoring user actions in the network, primarily network scanning, and on flexible real-time firewall rules that make access control more effective. Port scanning (TCP, UDP) is commonly used to prepare a security attack by identifying available and potentially vulnerable devices in the network. The port scanning process itself is not designed to cause damage but to prepare an attack that will. An IPS/IDS model with SDN capabilities will try to overcome the shortcomings of current solutions in detecting anomalies in common network traffic such as port scanning, and improve existing algorithms, whose performance and comparison will be based on publicly available test data. Each traffic anomaly detection algorithm will be reviewed to find which gives the best result in the hybrid SDN infrastructure. The best ones will be implemented under controlled conditions in the network infrastructure.