Forensic Investigation-Based Framework for SDN Using Blockchain

Sonam Bhardwaj, Rochak Swami, Mayank Dave
DOI: 10.4018/978-1-7998-7589-5.ch004

Abstract

Software-defined networking (SDN) is a promising networking technology that provides a new way of network management to the customers. SDN provides more programmable and flexible network services. SDN breaks the vertical integration of control and data planes and promotes centralized network management. This unique characteristic of SDN offers security features to deal with the malicious activities. However, architectural design of SDN makes it vulnerable to several attacks. Therefore, it is important to investigate the crime through various forensic techniques. This work discusses a literature study of some possible forensic techniques. A framework is also presented for forensic investigation of SDN environment in attack scenario. The proposed framework includes the collection of evidence and preserves them against any damage. During investigation, protection of evidence and chain of custody are of utmost importance to avoid misleading of the investigators. The safe storage strategy as well as maintaining the custody link can be achieved through blockchain technology.
Chapter Preview

Introduction

Networking has become an essential part of daily life, for both business and personal needs. Networking technology has two major conceptual models, the data plane and the control plane, which together describe how network traffic (packets) is handled. The data plane consists of the networking and forwarding devices, such as routers and switches, that forward packets; it is therefore also known as the forwarding plane. The control logic that the data plane devices use to make forwarding decisions resides in the control plane. In conventional networks the data and control planes are coupled: the network operates in a distributed and static manner, and the control logic is implemented in every networking device. When a new mechanism or policy has to be added to the existing one, the change must be made in every networking device. To overcome such limitations, a new networking paradigm was developed: software-defined networking (SDN). SDN is a networking technology that offers users simplified and programmable network management tailored to their requirements. It has attracted both the academic and industrial communities because of its flexible and programmable handling of networking services. In SDN, the control logic is separated from the data plane devices (Kreutz et al., 2015; Hakiri et al., 2014); this separation is its defining feature. The data plane consists of SDN-specific switches and the control plane comprises a controller. The controller controls the forwarding devices and provides a global view of the complete network. It is the most important and intelligent component of SDN, and it gives SDN its centralized networking architecture.
The data plane devices communicate with the control plane via a standard protocol, OpenFlow (McKeown et al., 2008; Lara et al., 2013). OpenFlow came into existence in 2008 and was developed by the Open Networking Foundation (ONF) (Goransson et al., 2013). When a policy needs to be added or updated in the network, the change is made in the control plane only (Kim et al., 2013), which makes the process cheaper and less time-consuming than in conventional networks. SDN also offers security features such as global visibility of malicious traffic in the network and the ability to update a policy immediately when an attack is detected. Whatever networking technology is used, security issues are always possible. SDN is exposed to several attacks, such as man-in-the-middle, sniffing, DDoS and saturation attacks, because of its centralized control and the separation of the control and data planes (Swami et al., 2019; Swami et al., 2020). Of all the SDN components, the control plane is the most sensitive to attack: because of its centralized architecture it can become a single point of failure. If the controller is exhausted, the whole network can collapse, degrading performance for legitimate users. It is therefore necessary to secure the network against cyber-attacks by analyzing malicious activities periodically. Investigating such attacks in SDN is a challenging task, and a branch of digital forensics, network forensics, is used to investigate the network traffic and all network activities.

Network forensics plays a vital role in locating the source of attacks and identifying their type. The investigation process involves the collection, acquisition and attribution of attacks, carried out systematically, and requires investigators to identify the sources of digital evidence as their first priority (Liu et al., 2018). Because the investigation rests entirely on evidence, that evidence must be preserved and protected against damage or tampering. This chapter therefore proposes a strong evidence preservation model for investigation in the SDN environment, built on blockchain technology. The investigation of the network proceeds in several clearly documented phases. Since all examined data must be kept safe and secure, the blockchain-based framework stores the data in the form of transactions: the data is stored in blocks as evidence, and the blocks are linked through cryptographic links to maintain the chain of custody. To preserve the victim device and the device under examination, the SDN controller maintains smart contracts between the data collection module, the switches and the hosts, preventing unauthorized access to any system connected to the network.
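A minimal illustration of the hash-linked evidence chain described above, added here as an example and not code from the chapter or from the authors' framework. The block fields, the `EvidenceLedger` class, the custodian names and the sample flow-table dump are assumptions of this example; the point is that any later edit to a stored block breaks the cryptographic link and is caught by verification.

```python
import hashlib
import json
import time

def _hash_block(block: dict) -> str:
    """SHA-256 over the canonical JSON of the block, excluding its own hash field."""
    payload = {k: v for k, v in block.items() if k != "hash"}
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()

class EvidenceLedger:
    """Append-only chain of custody records; each block commits to its predecessor's hash."""
    def __init__(self):
        genesis = {"index": 0, "prev_hash": "0" * 64, "custodian": "genesis",
                   "evidence_sha256": "", "note": "ledger created", "timestamp": 0}
        genesis["hash"] = _hash_block(genesis)
        self.blocks = [genesis]

    def record(self, custodian: str, evidence: bytes, note: str, timestamp=None) -> str:
        """Append a custody event: who holds the evidence, a digest of it, and why."""
        block = {"index": len(self.blocks), "prev_hash": self.blocks[-1]["hash"],
                 "custodian": custodian,
                 "evidence_sha256": hashlib.sha256(evidence).hexdigest(),
                 "note": note,
                 "timestamp": timestamp if timestamp is not None else time.time()}
        block["hash"] = _hash_block(block)
        self.blocks.append(block)
        return block["hash"]

    def verify(self):
        """Recompute every block hash and back-link; return (ok, index of first bad block)."""
        for i, b in enumerate(self.blocks):
            if b["hash"] != _hash_block(b):
                return False, i
            if i > 0 and b["prev_hash"] != self.blocks[i - 1]["hash"]:
                return False, i
        return True, -1

def demo():
    """Constructed scenario: a flow-table dump collected from an SDN switch changes hands,
    then someone edits an earlier custody record after the fact."""
    ledger = EvidenceLedger()
    flow_dump = b"table=0, priority=100, in_port=1 actions=output:2"  # constructed sample
    ledger.record("collector-module", flow_dump, "flow table dumped from switch s1", 1)
    ledger.record("investigator-A", flow_dump, "custody transferred for analysis", 2)
    ok_before = ledger.verify()
    ledger.blocks[1]["note"] = "edited after the fact"  # tampering with stored evidence
    ok_after = ledger.verify()
    return ok_before, ok_after
```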
