To say there has been a lot of buzz around Software Defined Networking (SDN) recently is an understatement. Even before the high-profile deployment of SDN at Google and VMware’s $1.25 billion acquisition of Nicira, industry insiders were calling SDN the ‘next big disruptive technology.’
Recent years have seen the rise of innovative, epoch-defining applications, even though the underlying network has remained essentially the same. However, with the emergence—and rapid adoption—of virtualization, there exists a need for a new type of networking architecture, as organizations’ data centers need to create and configure virtual machines remotely rather than manually.
SDN is becoming increasingly attractive as it enables network administrators to have programmable, centralized control of traffic—without the need to physically access the network’s hardware devices. SDN utilizes several key features to encourage innovation and expand choice throughout networks. Typically, SDN involves the separation of data and the control planes with a uniform vendor-agnostic protocol, called OpenFlow, and the virtualization of the underlying network.
However, for all the excitement surrounding SDN, many still have serious concerns about its impact upon network security.
Specific Security Concerns Surrounding SDN
SDN puts every single forwarding decision into one centralized software process. Therefore, the greatest perceived risk with SDN is that if, somehow, this one centralized process is compromised, then the entire network—including all applications and data—will also be compromised.
Additionally, while SDN may offer more flexibility in restructuring a network that is under heavy flooding, it also exposes a new kind of DDoS target. Rather than flooding routers or attacking hosts or applications, SDN-specific DDoS attacks may target the SDN stack itself, creating traffic streams designed to multiply the interactions between the switches and the controller (every packet that misses the switch’s flow table is handed up to the controller), a Control Flow saturation attack.
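The saturation pattern described above is visible on the controller side as a burst of packet-in (table-miss) events from one switch, usually with many never-before-seen header values so that nothing matches an installed flow. The following is an added example, not code from the article or from any OpenFlow controller: a sliding-window monitor that counts packet-ins per switch and raises one alert per window when a switch exceeds a rate limit, reporting how many distinct sources it saw so an operator can tell a flood from a merely busy switch. The event records, switch ids, addresses and the threshold of 200 events per second are all constructed for the example.

```python
import random
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class PacketIn:
    """One table-miss event relayed by a switch to the controller (constructed record)."""
    ts: float      # arrival time at the controller, in seconds
    dpid: str      # datapath id of the switch that sent the event
    src_ip: str    # source address of the packet that missed the flow table


class PacketInMonitor:
    """Sliding-window packet-in counter, one window per switch.

    An alert fires when a switch sends more than `rate_limit` packet-ins
    within `window_s` seconds; further events from that switch are
    suppressed for one window so a flood yields one alert, not thousands.
    """

    def __init__(self, window_s=1.0, rate_limit=200):
        self.window_s = window_s
        self.rate_limit = rate_limit
        self._events = defaultdict(deque)   # dpid -> deque of (ts, src_ip)
        self._suppressed_until = {}          # dpid -> time until which alerts are muted

    def observe(self, ev):
        q = self._events[ev.dpid]
        q.append((ev.ts, ev.src_ip))
        # evict events that have fallen out of the window
        while q and q[0][0] < ev.ts - self.window_s:
            q.popleft()
        if len(q) <= self.rate_limit:
            return None
        if ev.ts < self._suppressed_until.get(ev.dpid, -1.0):
            return None
        self._suppressed_until[ev.dpid] = ev.ts + self.window_s
        distinct = len({src for _, src in q})
        return {
            "dpid": ev.dpid,
            "packet_ins": len(q),
            "window_s": self.window_s,
            "distinct_sources": distinct,
            # suggested mitigation: throttle this switch's packet-in channel and
            # install a low-priority drop rule so unmatched traffic no longer reaches the controller
            "action": "rate-limit packet-ins from this switch and install a low-priority drop rule",
        }


def replay(events, **monitor_kwargs):
    """Feed a trace through the monitor in time order and collect the alerts."""
    mon = PacketInMonitor(**monitor_kwargs)
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        alert = mon.observe(ev)
        if alert:
            alerts.append(alert)
    return alerts


def constructed_trace():
    """Constructed trace: normal new-flow activity on s1 plus a saturation burst at s2."""
    rng = random.Random(7)
    events = []
    # s1: about 20 table-misses per second from a handful of hosts, over 5 seconds
    for i in range(100):
        events.append(PacketIn(ts=i * 0.05, dpid="s1", src_ip=f"10.0.1.{1 + i % 8}"))
    # s2: 600 table-misses in half a second, each carrying a fresh source address
    for i in range(600):
        src = f"{rng.randrange(1, 224)}.{rng.randrange(256)}.{rng.randrange(256)}.{rng.randrange(1, 255)}"
        events.append(PacketIn(ts=2.0 + i * (0.5 / 600), dpid="s2", src_ip=src))
    return events


if __name__ == "__main__":
    for alert in replay(constructed_trace()):
        print(alert)
```

The rate limit is deliberately a per-switch figure rather than a global one: a saturation stream arriving through one edge switch should not be hidden by, or mistaken for, the aggregate load of an otherwise healthy fabric, and the mitigation (throttling that switch's packet-in channel) is likewise local.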
How Enterprises Deploying SDN Can Make Themselves More Secure
The fact is that we are still in the very beginning stages of understanding exactly how security will be administered in advanced SDN networks. What is clear is that a ‘layered’ approach to security is critical. The virtual security technology needed for an SDN environment should complement (not replace) existing physical safeguards.
Enterprises still need a firewall; they will always require intrusion prevention. In addition, virtual machines that talk to each other on a physical server will consistently need hypervisor security layers to be implemented. In fact, physical security may become even more important in an SDN environment. With data centers in only one or two locations, they need to be highly secure from a physical perspective.
Effectively built security in an SDN environment should not replace existing security measures. All that is required is another layer, one that can be controlled and made even more secure, as it is going to be based on a software controller. The key is to ensure that these security solutions do not impede the flow of data and the flexibility that SDN provides.
SDN Benefits to Security
In principle, SDN should free up network security, increasing both flexibility and control. For many years, the only response to an attack on a network was to block it. In an SDN environment, there are numerous other options to counter such attacks, including quarantine systems and OpenFlow-enabled honeynets.
SDN also offers the ability for VLANs to reach beyond the restrictions of an organization’s perimeter, increasing the likelihood of data staying secure. Furthermore, as some network perimeters can be unclear, it can be hard to decide exactly where to position security devices. With SDN, though, this problem may be a thing of the past, as network administrators have the ability to route all traffic through a single centralized firewall.
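Both of the defensive options above (quarantining a host into a honeynet, and steering all traffic through one centralized firewall) come down to the flow entries a controller installs. The following is an added example, not code from the article or from any real OpenFlow controller or switch: a small model of an OpenFlow-style flow table (entries with a priority, a partial header match and an action list; the highest-priority matching entry wins; no match is a table-miss sent to the controller) with two policy functions on top of it. The port numbers and host addresses are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class FlowEntry:
    """One flow-table entry. Fields absent from `match` are wildcards."""
    priority: int
    match: dict
    actions: list
    tag: str = ""          # label used to find and remove related entries later

    def matches(self, pkt):
        return all(pkt.get(k) == v for k, v in self.match.items())


@dataclass
class FlowTable:
    entries: list = field(default_factory=list)

    def add(self, entry):
        self.entries.append(entry)
        # keep highest priority first so lookup can take the first hit
        self.entries.sort(key=lambda e: e.priority, reverse=True)

    def remove_tagged(self, tag):
        self.entries = [e for e in self.entries if e.tag != tag]

    def lookup(self, pkt):
        """Return the actions for a packet, or a table-miss to the controller."""
        for e in self.entries:
            if e.matches(pkt):
                return list(e.actions)
        return ["controller"]


def steer_through_firewall(table, fw_port):
    """Hairpin every flow through the firewall port.

    Traffic coming back from the firewall (in_port == fw_port) is forwarded
    normally at higher priority, so inspected packets do not loop back to it.
    """
    table.add(FlowEntry(priority=20, match={"in_port": fw_port}, actions=["normal"], tag="fw"))
    table.add(FlowEntry(priority=10, match={}, actions=[f"output:{fw_port}"], tag="fw"))


def quarantine_host(table, ip, quarantine_port):
    """Redirect a suspect host's traffic to the quarantine/honeynet port and cut traffic to it."""
    tag = f"quarantine:{ip}"
    table.add(FlowEntry(priority=100, match={"ipv4_src": ip},
                        actions=[f"output:{quarantine_port}"], tag=tag))
    table.add(FlowEntry(priority=100, match={"ipv4_dst": ip}, actions=["drop"], tag=tag))


def release_host(table, ip):
    table.remove_tagged(f"quarantine:{ip}")


def build_table(fw_port=9, quarantine_port=7, suspect="10.0.0.5"):
    """Constructed scenario: firewall hairpin in place, then one host quarantined."""
    table = FlowTable()
    steer_through_firewall(table, fw_port)
    quarantine_host(table, suspect, quarantine_port)
    return table


if __name__ == "__main__":
    t = build_table()
    print(t.lookup({"in_port": 1, "ipv4_src": "10.0.0.5", "ipv4_dst": "10.0.0.9"}))  # quarantine port
    print(t.lookup({"in_port": 1, "ipv4_src": "10.0.0.8", "ipv4_dst": "10.0.0.9"}))  # firewall port
```

The quarantine entries sit at priority 100, above the firewall hairpin, so a quarantined host is diverted before its traffic consumes firewall capacity; releasing the host only removes the tagged entries and leaves the firewall policy untouched.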
The Role of Independent Technology Providers in Securing SDN
The architecture of SDN enables network engineers to support switching fabric across multi-vendor hardware, thus providing customers with almost unprecedented levels of choice. Independent technology providers can play a key role at the front end by helping their customers navigate all the different options available to them. In addition, as all the ‘decisions’ from each end point are put into one centralized process, independent technology providers can assist with the thorough planning processes that need to go into this.
In summary, the many advantages SDN can lend organizations are well documented. Nevertheless, one of the principal barriers to adoption of this exciting new technology is the concern that remains around SDN’s impact on security. Despite operating in a virtual arena, with virtual machines and applications, the need for physical security is by no means diminished. While virtual security will undoubtedly have its place, it will need to be combined with existing physical safeguards.