ANALYSIS OF NETWORK SECURITY ORGANIZATION BASED ON SD-WAN TECHNOLOGY

Prevention System, IPS), quality of service (QoS) function and other proxy services that determine the behavior of the network are implemented;
2) control level - the main element is the SDN controller, which coordinates the network devices located at the infrastructure level;
3) infrastructure level - provides processing and forwarding of packets based on the instructions received from the control level;
4) northbound APIs - allow applications to use network security services, load balancing, traffic management and quality of service, and to configure the network dynamically;
5) southbound APIs - provide efficient network management;
6) East/West interfaces - provide communication between objects of the control level and the exchange of information for processing traffic at the infrastructure level [2].
An important component of the SD-WAN architecture is the controller, which centralizes and monitors the state of the network. The main characteristics of the controller are:
- performance - the number of flows processed by the controller per unit of time (flows/s);
- processing time - the time spent by the controller to process a request from a switch (s);
- reliability - the number of failures under a given load profile;
- resource intensity - utilization of the physical server's RAM by the controller and the load on the processor cores;
- scalability - multithreading support by the controller [3].
SD-WAN is based on the L2/L3 architecture, in which a centralized controller controls the data transfer of a set of distributed switches using a control protocol, for example OpenFlow. OpenFlow is an open standard that allows developers to work with experimental protocols on a local area network [4-6].
Leading companies are moving to virtualized environments, so network architectures are needed that integrate seamlessly with SD-WAN controllers. One of the leading vendors implementing SD-WAN technology is Juniper Networks (Sunnyvale, USA), which ensures full compatibility of the network infrastructure with existing resources.
SD-WAN is designed to address constraints such as high bandwidth costs, the cost of adding new nodes to the network, the cost of changing security policies and the lack of network management automation. According to Gartner's analysis, more than 90 % of enterprises will be using SD-WAN technology by the end of 2023.
The developed models of SD-WAN technology indicate the relevance of research on methods of mathematical analysis for classifying the processing time of flows and for rational planning of the placement of network elements at the deployment and scaling stage.

Literature review and problem statement
The work [7] analyzed the security of embedded Dynamic Host Configuration Protocol (DHCP) services on three popular SDN controllers: POX (Python-based, Apache licensed), Open Network Operating System (ONOS) and Floodlight (an Apache licensed, Java-based OpenFlow controller). Vulnerabilities that allow the controllers to be overloaded by denial-of-service attacks were identified. Drawing on modern methodologies, a DHCP security module for the POX controller, the Dynamic Host Configuration Protocol Guard feature (DHCPguard), was developed. According to the study, DHCPguard increased throughput by up to 94 % and reduced CPU utilization by up to 92 %.
SDN provides a flexible way to manage traffic on networks. A deep reinforcement learning (DRL) algorithm was used to determine the traffic management method for QoS optimization in hybrid SDN. The simulation results showed that this method can significantly improve network QoS performance [8].
SD-WAN for Internet of Things (IoT) devices provides robust security solutions. IoT and SD-WAN edge devices communicate with a common controller. The cloud controller, in turn, informs the IoT and SD-WAN edge devices and allows them to take action to provide protection, especially at the edge of the enterprise, where large datasets are aggregated [9].
In [10], the fake Link Layer Discovery Protocol (LLDP) injection and LLDP replay methods, which are used to create fake links on the controller, are considered. The results revealed that the Floodlight controller is vulnerable to LLDP-based attacks: when invalid routes are received, access to the network is lost and network performance degrades.
In [11], the results of studies of Distributed Denial of Service (DDoS) attacks in SDN, detected using machine learning models, are presented. Feature selection methods are shown to be preferable for simplifying models and shortening training times. Classification models were built for Support Vector Machine (SVM), Naive Bayes (NB), Artificial Neural Network (ANN) and K-Nearest Neighbors (KNN). The test results showed that wrapper feature selection combined with the KNN classifier achieved the highest accuracy (98.3 %) in detecting DDoS attacks. [12] describes a security architecture for the Internet of Things (IoT) based on software-defined networks (SDN) and discusses a new architecture of the IoT system. However, issues related to the analysis of the organization of network security based on SD-WAN technology remain unresolved.
The work [13] considers the preservation of the traditional network infrastructure and its gradual upgrade to a hybrid SDN (hSDN). The authors examined hSDN models in the control and data planes and considered control plane placement optimization, scalability and security issues, privacy, and existing vulnerabilities and threats. One option for overcoming the corresponding difficulties is to update the network in both the legacy and SDN settings. This is the approach used in [13]; however, modeling tools and public test benches remain an undisclosed topic. All this suggests that it is advisable to study the use of hSDN in 5G mobile networks, cloud and data centers, IoT connectivity, blockchain, SD-WAN and SD-Branch. In addition, network reliability, resiliency and load balancing are also investigated.
Study [14] discusses SD-WAN Flood Tracer, which facilitates tracking DDoS attacks on SD-WAN. To track and prevent other sources of anomalies in legitimate traffic, the tracing scheme is divided into two parts. This scheme effectively monitors internal and external anomalies and prevents damage to communications in the network.
The growth in network traffic volume, the need to configure large-scale data transmission networks and the analysis of the above materials suggest that a study of SD-WAN technology is promising.

The aim and objectives of research
The aim of research is to analyze the organization of network security based on SD-WAN technology.
To achieve this aim, the following objectives are solved:
- investigate methods and algorithms for complex protection against threats based on SD-WAN technology;
- create an algorithm that provides protection against threats without sacrificing bandwidth, taking into account the possibility of protection against various types of attacks;
- create a testing algorithm to optimize the network security system based on SD-WAN technology;
- analyze the implementation of SD-WAN technology.

Materials and methods of research
The SD-WAN architecture consists of the following planes: data plane, control plane and application. The transmitted data packet is processed in the control plane of the router and goes to the second level. The packet travels along this route to the output port. All operations performed on packet transmission are embedded in the router [15].
The study [16] shows the basic model of the SD-WAN service using the D-CPI (Data-Control Plane Interface) between the data and control planes and the A-CPI (Application-Control Plane Interface) between the application and control planes (Fig. 1).
SD-WAN is an integral part of cloud services because it provides flexible management capabilities for monitoring and analyzing network traffic using programmable objects. The main vulnerability of SD-WAN is the distributed denial of service (DDoS) attack. The work [17] proposes a scheme for detecting and protecting against DDoS attacks using time series analysis for SD-WAN (Fig. 2). The experimental results showed that the algorithm has a high detection rate and a low false alarm rate.
In [18], the main design principle of the proposed method is to extract embedded OpenFlow messages in SDN to represent the state of the network and then detect network anomalies. This method does not need to collect additional messages from the core switches. The results of the attack assessment (DDoS, worm, port scan) show that the proposed method for detecting network anomalies can provide high detection accuracy and reduce SDN controller overhead (Fig. 3).
One of the areas of SDN security is the use of blockchain for solving forensic problems. Blockchain is a distributed peer-to-peer network that can be used for security in SDN-based Internet of Things (IoT) environments. In [19], event logs are stored in the blockchain of the SDN-IoT architecture. Based on the results of the evaluation, performance was derived from the latency caused by the increase in the number of devices and requests (Fig. 4).
Comparison of latencies shows that Forensic SDN-IoT has the lowest latency, SDN-Fog latency variation is 0.2 milliseconds. The latency value gradually increases as the number of devices increases.

1. Research of methods and algorithms for complex protection against threats based on SD-WAN technology
The Open Network Foundation (ONF), a nonprofit organization, has developed a standards compliance certification program to advance the SDN vision. The main goal of SDN is to provide open software development interfaces for controlling the flow of network traffic with the ability to check and modify the network (Fig. 5) [20].
SDN has been researched in the field of traffic engineering and the following benefits have been identified:
- a global controller that has a view of the topology and state of the network, as well as of the requirements of applications;
- programmability - the data plane can be programmed to improve the allocation of network resources;
- openness - the controller and forwarding devices do not depend on the device vendors (Fig. 6) [21].
In the study [22], the DELTA tool is proposed for disclosing SDN vulnerabilities. Based on the testing results, the authors identified 26 known attack scenarios on SDN controllers, as well as 9 new attacks for SDN applications.
The work [23] examines the development of SDN, as well as the introduction of this technology over the years in companies such as Google and Cisco (Table 1). Gartner estimates that there are about 80 vendors providing technology solutions based on SD-WAN (Fig. 7) [24].
According to Gartner researchers, the main leaders of SD-WAN are VMware (Palo Alto, USA), Fortinet (Sunnyvale, USA), Citrix (Fort Lauderdale, USA), HPE (Aruba) (Sunnyvale, USA), Huawei (Shenzhen, China) and others. SD-WAN product differentiation is based on security, application performance optimization and cloud functions.
In a study [25], to achieve robustness and low cost in controllers, RetroFlow is proposed, which maintains flow programmability in the event of failures. Simulations show that RetroFlow reduces communication costs by up to 52.6 % during moderate controller failure. Also, it recovers 90 % of the traffic from standalone switches, reducing costs by up to 61.2 % in the event of a severe controller failure.
Switches with OpenFlow support provide SNMP protocol operation and also support local controller operation.
The following information is defined for routing and network management:
- the number of packets passed through the port;
- the number of bytes transmitted through the port;
- average rate in packets/s;
- average rate in bytes/s;
- processor and memory load of the switch;
- port queue lengths [26].
The average time between packets, needed for routing and network management, is calculated as
$$\bar{\tau} = \frac{t}{N},$$
where $t$ is the observation time and $N$ is the average number of packets.
The variance of the distribution of time between packets is calculated next. Using the above formulas, the number of packets per flow is calculated accurately, but according to manufacturers it can differ from reality by up to 20 %.
Research data on SD-WAN technology methods and algorithms improves performance that accelerates security and network connectivity tasks. The cost-effectiveness of SD-WAN technologies is a key driver for the development of the network structure and provides a quick return on investment.

2. Development of an algorithm for throughput, taking into account the possibility of protection against various types of attacks
The formulas of mathematical statistics determine the characteristics of time intervals. In the study [26], statistics up to the third order were used, which allow one to judge the nature of the distribution of intervals.
The average value of the packet interval is calculated according to the formula
$$\bar{t} = \frac{1}{N}\sum_{k=1}^{N}\left(t_{k+1}-t_{k}\right),$$
where $t_k$ is the arrival time of the $k$-th packet and $N$ is the number of analyzed intervals. The sample variance is
$$D = \overline{t^{2}} - \bar{t}^{\,2},$$
where $\overline{t^{2}}$ is the second initial moment. The coefficient of variation is
$$c = \frac{\sigma}{\bar{t}}, \qquad \sigma = \sqrt{D}.$$
The asymmetry is calculated as
$$A_s = \frac{\overline{t^{3}} - 3\,\bar{t}\,\overline{t^{2}} + 2\,\bar{t}^{\,3}}{\sigma^{3}},$$
where $\overline{t^{3}}$ is the third initial moment.
Using the above formulas, the measured data showed the difference between the analyzed traffic and Poisson traffic, since the coefficient of variation $c > 1$ and the asymmetry $A_s > 2$. Taking into account the ratio of the lengths of the reverse request packets (64 bytes) and the main packets (1500 bytes), reverse requests increase the load on the channels by about 4 %.
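The interval statistics above computed over a constructed packet trace, as an added example that is not part of the paper: the functions return the mean interval, the sample variance D, the coefficient of variation c and the asymmetry A_s, and apply the c > 1, A_s > 2 test against Poisson traffic. The timestamps are constructed, not captured.

```python
"""Inter-packet interval statistics (mean, D, c, A_s) of a packet trace.

Added example, not code from the paper: implements the formulas of the
section above on a list of packet arrival timestamps and applies the
paper's rule of thumb that c > 1 and A_s > 2 mean the traffic is
burstier than a Poisson stream. All input data below is constructed.
"""
import math
from typing import Dict, Sequence


def interval_stats(arrivals: Sequence[float]) -> Dict[str, float]:
    """Return n, mean, variance, c and A_s of the inter-arrival intervals."""
    if len(arrivals) < 3:
        raise ValueError("need at least three arrivals (two intervals)")
    # Intervals between consecutive packets; N is the number of intervals.
    tau = [b - a for a, b in zip(arrivals, arrivals[1:])]
    if any(x < 0 for x in tau):
        raise ValueError("arrival times must be non-decreasing")
    n = len(tau)
    m1 = sum(tau) / n                      # mean interval
    m2 = sum(x * x for x in tau) / n       # second initial moment
    m3 = sum(x ** 3 for x in tau) / n      # third initial moment
    var = m2 - m1 ** 2                     # sample variance D
    sigma = math.sqrt(max(var, 0.0))       # guard against -0.0 rounding
    c = sigma / m1 if m1 > 0 else float("inf")
    # Third central moment expressed through the initial moments.
    mu3 = m3 - 3 * m1 * m2 + 2 * m1 ** 3
    a_s = mu3 / sigma ** 3 if sigma > 0 else 0.0
    return {"n": n, "mean": m1, "variance": var, "c": c, "A_s": a_s}


def is_burstier_than_poisson(stats: Dict[str, float]) -> bool:
    """Paper's criterion: c > 1 and A_s > 2 => not Poisson-like.
    (Exponential intervals would give c = 1 and A_s = 2.)"""
    return stats["c"] > 1.0 and stats["A_s"] > 2.0


# Constructed arrival times in seconds: four bursts separated by long gaps.
BURSTY_TRACE = [0.0, 0.001, 0.002, 0.003,
                1.0, 1.001, 1.002,
                5.0, 5.001, 5.002, 5.003, 5.004,
                20.0]
# Constructed arrival times with a constant 0.5 s spacing (no variance).
REGULAR_TRACE = [i * 0.5 for i in range(20)]


if __name__ == "__main__":
    for name, trace in (("bursty", BURSTY_TRACE), ("regular", REGULAR_TRACE)):
        s = interval_stats(trace)
        print(f"{name}: mean={s['mean']:.4f} D={s['variance']:.4f} "
              f"c={s['c']:.3f} A_s={s['A_s']:.3f} "
              f"non-Poisson={is_burstier_than_poisson(s)}")
```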

3. Development of a testing algorithm to optimize the network security system based on SD-WAN technology
In the study [16], the Poisson distribution formula was applied over the time interval $[T_0, T_f] = mT_i$ to estimate the probability of $k$ requests from the switch to the controller; the probability of $n$ events on the switch is determined by the Poisson formula as well. The total delay $D$, according to [9], is calculated by the formula
$$D = l \cdot \tau_{NF} + n \cdot \tau_{d}, \qquad (11)$$
where $l$ and $n$ are the numbers of time intervals. A network administrator who needs to upgrade the hardware in the SD-WAN can obtain specific packet processing times from the latency formula.
The use of SD-WAN allows to more efficiently and economically use all available resources of traditional WAN networks within geographically distributed enterprises and optimize business processes. The optimal solution for corporate SD-WANs must align with security priorities.
The main types of security architecture for SD-WAN technologies are:
- SD-WAN with a built-in firewall;
- a firewall with integrated SD-WAN facilities;
- SD-WAN and a next generation firewall from independent vendors;
- SD-WAN with cloud security services [27].
To develop a testing algorithm to optimize the network security system based on SD-WAN technology, the Ubuntu distribution (South Africa) was chosen as the operating system for the server to be protected. This operating system belongs to the Linux family and consists of free and open source software. The server runs the latest current version of this operating system, Ubuntu 20.04.3 LTS, obtained from the official repository. Recommended system requirements: 2 GHz dual-core processor, 4 GB of system memory, 25 GB of free hard disk space, Internet access (Fig. 8-11).
Based on the data obtained from the access.log files, scripts were created for carrying out load tests, which are reduced copies of real DDoS attacks. Before starting the experiments, the values of the resources used were recorded. At zero load, that is, in the absence of active connections with the server, the processor load was about 0 %, the memory use was 457 Mb and the response time was less than 1 ms. With an average daily load, the resource utilization was: processor 31 %, RAM 514 Mb, response time less than 1 ms.

4. Analysis of the implementation of SD-WAN technology
SD-WAN is a new paradigm in network design and management that enables network programmability and separation of control planes.
The research paper [28] deals with the Controller Placement Problem (CPP) and defines the Quality of Service (QoS) requirements. The proposed algorithms use graph theory to heuristically search for high-quality solutions. The SD-WAN topology is represented by a connected graph $G(V,E)$, $V = S \cup C$, where $S$ is the set of OpenFlow-enabled switches, $C$ is the set of controller locations and $E$ is the set of weighted links.
The link weights are the propagation delays between nodes, which depend on their geographic location. Assuming that controllers can be co-located with switches, the set of potential controller locations equals the switch set ($C = S$).
In [28], two binary variables are defined, namely $y_j$ and $x_{ij}$, to represent the decisions about controller location and switch-to-controller assignment.
Constraint (15) prevents the total load placed by the switches on a controller from exceeding its capacity $u_c$.
Constraint (16) expresses that the propagation delay between a switch and its assigned controller satisfies the $sc_{max}$ delay bound.
The maximum allowable delay among open controllers is provided by constraint (19).
Constraint (18) provides the integrality constraints.
[29] defines SD-WAN tasks such as the topology mechanism executed by the processor to obtain appropriate routing information and the definition of Internet Protocol Security (IPSec) tunnels among multiple network nodes. Non-limiting examples of routing information include information related to IPSec tunnels and Virtual Local Area Network (VLAN) subnets. IPSec tunnel information can contain the tunnel name, tunnel source and destination ID, cost and role. In the example, the IPSec tunnel information might include the tunnels used for load balancing.
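An added example, not code from [28] or the paper: a small exhaustive solver for the CPP on a constructed five-node topology, showing how the placement variables y_j and the assignment variables x_ij interact with constraints (15), (16) and (19). The objective (fewest open controllers with C = S), the inter-controller bound named cc_max, the greedy assignment rule, the topology and the loads are assumptions of this example.

```python
"""Controller Placement Problem (CPP) on a small SD-WAN graph.

Added example, not code from [28]: an exhaustive solver for a toy instance
showing how y_j (open a controller at j) and x_ij (switch i served by
controller j) interact with the constraints described in the text:
(15) load per controller <= u_c, (16) switch-to-controller delay <= sc_max,
(19) delay between any two open controllers <= cc_max (name assumed).
Topology, loads and the objective (fewest open controllers, C = S) are
assumptions of this example.
"""
import heapq
from itertools import combinations
from typing import Dict, Optional, Sequence

# Constructed topology: node -> {neighbour: propagation delay in ms}.
TOPOLOGY: Dict[str, Dict[str, float]] = {
    "A": {"B": 2.0, "C": 5.0},
    "B": {"A": 2.0, "C": 3.0, "D": 6.0},
    "C": {"A": 5.0, "B": 3.0, "D": 2.0, "E": 7.0},
    "D": {"B": 6.0, "C": 2.0, "E": 1.0},
    "E": {"C": 7.0, "D": 1.0},
}
# Constructed per-switch load on its controller (flow requests per second).
LOAD: Dict[str, int] = {"A": 400, "B": 300, "C": 500, "D": 200, "E": 350}


def shortest_delays(graph: Dict[str, Dict[str, float]], src: str) -> Dict[str, float]:
    """Dijkstra over link weights: end-to-end propagation delay from src."""
    dist = {src: 0.0}
    heap = [(0.0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist.get(u, float("inf")):
            continue                      # stale heap entry
        for v, w in graph[u].items():
            if d + w < dist.get(v, float("inf")):
                dist[v] = d + w
                heapq.heappush(heap, (d + w, v))
    return dist


def assign_switches(ctrls: Sequence[str], delay, load, u_c: float,
                    sc_max: float) -> Optional[Dict[str, str]]:
    """Greedy x_ij: heaviest switch first, to the nearest open controller that
    still has capacity (15) and lies within sc_max (16). None if impossible."""
    used = {c: 0.0 for c in ctrls}
    assignment: Dict[str, str] = {}
    for s in sorted(load, key=load.get, reverse=True):
        options = sorted(
            (delay[s][c], c) for c in ctrls
            if delay[s][c] <= sc_max and used[c] + load[s] <= u_c
        )
        if not options:
            return None                   # (15) or (16) violated for switch s
        _, c = options[0]
        used[c] += load[s]
        assignment[s] = c
    return assignment


def place_controllers(graph, load, u_c: float, sc_max: float,
                      cc_max: float) -> Optional[dict]:
    """Smallest set of open controllers (y_j = 1, C = S) satisfying (15), (16)
    and (19). Exhaustive over subsets, so only for small topologies."""
    nodes = list(graph)
    delay = {n: shortest_delays(graph, n) for n in nodes}
    for k in range(1, len(nodes) + 1):
        for ctrls in combinations(nodes, k):
            # (19): every pair of open controllers within cc_max of each other.
            if any(delay[a][b] > cc_max for a, b in combinations(ctrls, 2)):
                continue
            x = assign_switches(ctrls, delay, load, u_c, sc_max)
            if x is not None:
                return {"controllers": list(ctrls), "assignment": x}
    return None  # no placement meets (15), (16) and (19)


if __name__ == "__main__":
    for u_c in (2000, 1000, 100):
        print(u_c, place_controllers(TOPOLOGY, LOAD, u_c, sc_max=5.0, cc_max=10.0))
```

With u_c = 2000 one controller at C suffices; halving the capacity forces a second controller, and a capacity below every switch load makes the instance infeasible.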
SD-WAN provides real-time intelligent control and management to improve performance and efficient use of network resources through management. Experiments have shown that the approach successfully demonstrates robustness and efficiency through the use of SDN programmability for the global network [30,31].
Using the Hurst coefficient, the regularities of the length of transmitted packets in our network are determined. The calculation proceeds in the following steps:
- the average (mathematical expectation) of the packet length is calculated;
- the standard deviation of the packet length is calculated;
- the deviations from the mathematical expectation are calculated;
- the range (amplitude) of the change in the D values is calculated;
- the Hurst coefficient is calculated.
The calculation was implemented in PHP (Fig. 12).
The result of the testing algorithm showed that the most resource-intensive process is the web server process. This process creates the main load when generating dynamic pages using the PHP language interpreter.
According to the analysis, if the Hurst coefficient is greater than 0.5, the process is self-sustaining, i.e. if the value of the quantity increases over time, it continues to increase afterwards.
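An added example, not the paper's PHP code: the Hurst coefficient computed from the steps listed above in the rescaled-range form H = log(R/S) / log(N), applied to two constructed packet-length series and read with the H > 0.5 rule; the R/S formulation and the series are assumptions.

```python
"""Hurst coefficient of a packet-length series by the rescaled-range method.

Added example (not the paper's PHP code): follows the steps listed above -
mean (mathematical expectation), standard deviation, cumulative deviations
from the mean, their range (amplitude), and H = log(R/S) / log(N) - and then
applies the reading used in the text: H > 0.5 marks a self-sustaining
(persistent) process. The rescaled-range formulation and the sample
packet-length series are assumptions of this example.
"""
import math
from typing import List, Sequence


def hurst_rs(lengths: Sequence[float]) -> float:
    """Return the Hurst coefficient H of one series via R/S analysis."""
    n = len(lengths)
    if n < 2:
        raise ValueError("need at least two samples")
    mean = sum(lengths) / n                                # expectation
    std = math.sqrt(sum((x - mean) ** 2 for x in lengths) / n)
    if std == 0.0:
        raise ValueError("constant series: R/S is undefined")
    # Cumulative deviations from the mean (the D values of the text).
    cumulative: List[float] = []
    running = 0.0
    for x in lengths:
        running += x - mean
        cumulative.append(running)
    rng = max(cumulative) - min(cumulative)                # range (amplitude)
    return math.log(rng / std) / math.log(n)


def is_self_sustaining(h: float) -> bool:
    """Interpretation used in the text: H > 0.5 => the trend persists."""
    return h > 0.5


# Constructed series, not measured traffic.
# Persistent: a run of minimum-size frames followed by a run of full MTU frames.
PERSISTENT_LENGTHS = [64] * 20 + [1500] * 20
# Anti-persistent: strict alternation between the two sizes.
ALTERNATING_LENGTHS = [64, 1500] * 20


if __name__ == "__main__":
    for name, series in (("persistent", PERSISTENT_LENGTHS),
                         ("alternating", ALTERNATING_LENGTHS)):
        h = hurst_rs(series)
        print(f"{name}: H = {h:.3f}, self-sustaining = {is_self_sustaining(h)}")
```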
According to Gartner's results (Fig. 7, Table 2), the leading companies are VMware, Cisco, Fortinet, Palo Alto Networks, Huawei and Oracle. An anonymous online survey was conducted among employees of IT companies of the Republic of Kazakhstan. Its results show that 34 % of respondents know the general principles of SD-WAN operation, 45 % have not heard of it, 14 % are piloting it and 7 % use it (Fig. 13).
According to expert analysis, SD-WAN implements cases of guaranteed connection of many geographically distributed sites and is part of SASE (Secure Access Service Edge) (Fig. 14).
According to a report by analyst firm Dell'Oro Group, the global SD-WAN market grew by 39 % in 2021. Cisco is the leader in technology adoption, Fortinet is second, and VMware, Versa and HPE Aruba are also in the top five [32]. A vendor survey showed that 21 % of respondents trusted Fortinet, Cisco was chosen by 18 %, and VMware (13 %) and Oracle (11 %) ranked third and fourth. Palo Alto Networks (9 %) closes the top five (Fig. 15).
For the experiment of implementing SD-WAN, a laboratory bench from Cisco Viptela (San Jose, USA) is considered (Fig. 16).
Used for the software:
According to analysis by Shin Umeda, Vice President at Dell'Oro Group, SD-WAN adoption in Europe and Asia is growing strongly. In the first half of 2021, 70 % of the market share was taken by the leading suppliers.
Kazteleport Joint Stock Company, a subsidiary of Halyk Bank of Kazakhstan, and the large innovative construction holding BI Group are leaders in the implementation of SD-WAN technology. According to Kazteleport JSC, the introduction of SD-WAN technology reduced the cost of dedicated channels with a bandwidth of 5 Mbit/s threefold and yielded savings in network administration and maintenance.
As a result of the implementation of SD-WAN in the BI Group holding, the number of connection points has doubled, from 80 to 150 sites. The use of this technology is an indicator of high productivity growth and of obtaining a fault-tolerant network with wide scalability [33,34].
Fig. 13. How familiar are you with SD-WAN?
The SD-WAN concept is a technology for distributing network traffic over data network channels that automatically determines the most efficient route for traffic between an office and a data processing center (DPC). In the process, the network administrator defines the appropriate security policies. The SD-WAN components are:
- terminal devices that replace WAN routers;
- an orchestrator, which configures the traffic routing policy and security functionality;
- analytics tools, which produce reports based on data collected from endpoints, such as channel history, network application history and node availability.
The SD-WAN security solution for on-premises and cloud-based security includes the following categories: network segmentation, corporate firewall, secure web gateway, and DNS-compromised security [35].
In the discussion, experts noted three SD-WAN security models, such as SD-WAN with built-in security, SD-WAN using a chain of services and cloud security, SD-WAN with a corporate firewall [36].
The head of the BI Group holding reports that, since the introduction of SD-WAN, the load on the information security department has dropped sharply, and this despite the fact that there are more objects, also, the quality of the network has dramatically improved [34].
One of the leading SD-WAN solution providers is Fortinet, which has received Recommended status from NSS Labs for its implementation of the next generation firewall (NGFW). The NGFW provides security at OSI layers 3 through 7 using its own security processor. The SD-WAN solution also monitors firewall rules and policies and offers recommendations for optimizing the entire security system [36].

Discussion of the results of the study of the throughput of controllers based on SD-WAN technology
One of the main goals of SD-WAN is to provide robust network management. SD-WAN performance depends on the operation of centralized controllers, which, when one controller fails, reassign to other active controllers.
In this paper, methods and algorithms for complex threat protection tools based on SD-WAN technology were investigated.
A model for detecting and protecting against DDoS for SDN [17] is considered, as well as the basic principles of designing a network state [18].
The results of the testing algorithm can be used in traffic control, when optimizing the network security system based on SD-WAN technology.
The unresolved issues in the analysis of the organization of network security based on SD-WAN technology are related to the choice of access policy, since the implementation of SD-WAN simplifies the connection of branch offices and contributes to the growth of overall network security using the IPSec protocol.
Implementation of SD-WAN improves control of access rights to the network and applications, qualitatively monitors the operations performed by the connected clients.
The SD-WAN controllers vManage, vSmart and vBond can be deployed both in a corporate network and in a public cloud environment.
The main characteristics of vBond:
- provides connectivity between the management, control and data planes;
- is the starting point of authentication;
- high resiliency;
- authorizes all control connections ("whitelisting" model).
Key features of vManage:
- a single management console for Day0, Day1 and Day2 operations (deployment, configuration, operation);
- the formation of policies and templates;
- monitoring and troubleshooting.
Key features of vSmart:
- provides discovery of devices in the fabric;
- propagates control plane information to vEdge devices;
- applies control plane policies;
- reduces the complexity of the control plane.
In the work, an experimental test bench was developed as a corporate network for analyzing the organization of network security over broadband Internet using SD-WAN. To measure the performance of the proposed solution, we used Cisco SD-WAN controllers -vManage, vSmart, vBond.

Conclusions
1. The results of the research of methods and algorithms for complex protection against threats based on SD-WAN technology allow large-scale corporate networks to be managed without manual configuration, with high-security connections, built-in security functions and the ability to redirect traffic to centralized protection services. This technology comprehensively solves the modernization of the network infrastructure of telecom operators, data centers and distributed corporate networks. The platform also includes orchestration of network services, organization of high-speed traffic processing and virtualization of network functions.
2. The development of a bandwidth protection algorithm against various types of attacks optimized the use of communication channels, increased resiliency and accelerated network reconfiguration. The calculation results show that the Hurst coefficient is greater than 0.5, which proves that the process is self-sustaining.
3. The testing algorithm and the analyses carried out revealed the leaders of the SD-WAN market; according to Dell'Oro Group research, in the first half of 2021 the global SD-WAN market grew by 39 %, and the share of growth will only increase. The application of SD-WAN technology to secure management of the cloud or on-premises environment can be tailored to the following needs:
- providing local Internet access at remote sites;
- SSL inspection with high bandwidth;
- filtering web content for Internet security without using a separate Secure Web Gateway (SWG);
- IPSec encryption;
- centralized supervision and control of all internal, incoming and outgoing traffic.
The developed algorithm showed that at zero load, that is, in the absence of active connections with the server, the processor load was about 0 %, the memory use was 457 Mb and the response time was less than 1 ms. With an average daily load, the resource utilization was: processor 31 %, RAM 514 Mb, response time less than 1 ms.
Centralized policy-based management allows the network engineer to send more (or less) traffic over broadband links at any time, without having to reconfigure routers on an individual basis. Vendors are increasingly using security features to differentiate their SD-WAN solutions in a competitive marketplace. Implementing SD-WAN improves performance, reduces the number of hardware devices in branch offices, and provides secure Internet access.
4. The SD-WAN is being implemented on the existing corporate network as part of the equipment upgrade. Initially, it is necessary to test the SD-WAN solution in a multi-site pilot zone. Also, it is necessary to configure the exchange of information with the existing corporate network and multiple terminal devices.