Software defined networking (SDN) is still immature, which means there is still confusion about what SDN can and can’t do. SDN was designed to centralize control of network data flow and virtualization by separating the control and data planes, providing independent logic to route network traffic. Among other things, this means centralized control of security policies. However, skeptics see software defined networking security creating more risks than rewards.
Enterprise security is becoming a high profile problem. There were 1.5 million monitored cyber-attacks in 2013. That represents a 12 percent increase in attacks from year to year. During 2013, between 68 and 82 percent of S&P 500 companies had their networks compromised by an observable event. As the recently reported data thefts at Target and Neiman Marcus reveal, a lack of network security can be costly. The worry is that with new software defined networking, security is going to be more challenging than ever.
While software defined networking security does require rethinking security strategies, the good news is that IT managers get more control over network security, not less. To clarify what we mean, here are four common myths about software defined networking security:
Myth 1: SDN is inherently insecure.
SDN is as secure as any technology. When the old strategies are abandoned in favor of new approaches, the old guard often uses security as a means to discredit the latest innovation. When virtualization was introduced 20 years ago the skeptics pointed to the hypervisor as a security threat. Those fears have proven to be unfounded. The same is true of software defined networking security.
SDN security has been tested under extreme conditions, and while it is generally understood that no network is totally secure, software defined networking security is not a real issue.
Myth 2: SDN makes managing network security more difficult.
In fact, SDN simplifies security and provides some real security advantages. For example, SDN views the network as a single entity, which means you get centralized control over the entire network, rather than having to manage security at the switch level. You can allow or block certain kinds of traffic, and monitor and respond to security threats, from one central controller.
And security policies can be applied in real time by integrating SDN and network security tools. Software defined network security can protect users from real-time threats by providing automated responses to threats that can be applied anywhere in the enterprise.
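To make the "one policy, every switch" idea concrete, here is an added toy model of a central SDN controller. It is illustration written for this page, not code from any vendor's controller or from an OpenFlow library, and the switch names and addresses are constructed. The controller holds the security policy once, compiles it into identical flow tables on every switch, and can quarantine a host network-wide with a single call; it also exposes a central monitoring view of per-switch drop counters.

```python
"""Toy model of centralized SDN policy control (added illustration, not any
vendor's controller or an OpenFlow library). Rules are simple CIDR/port
matches with a priority; the highest-priority matching rule decides and the
default is deny."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class FlowRule:
    priority: int            # higher wins
    src: str                 # source CIDR
    dst: str                 # destination CIDR
    dst_port: Optional[int]  # None = any port
    action: str              # "allow" or "drop"

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and (self.dst_port is None or pkt["dport"] == self.dst_port))


@dataclass
class Switch:
    name: str
    table: List[FlowRule] = field(default_factory=list)
    drops: int = 0

    def forward(self, pkt: dict) -> str:
        # Highest-priority matching rule decides; default deny when nothing matches.
        for rule in sorted(self.table, key=lambda r: -r.priority):
            if rule.matches(pkt):
                if rule.action == "drop":
                    self.drops += 1
                return rule.action
        self.drops += 1
        return "drop"


class Controller:
    def __init__(self, switches: List[str]):
        self.policy: List[FlowRule] = []
        self.switches: Dict[str, Switch] = {n: Switch(n) for n in switches}

    def add_rule(self, rule: FlowRule) -> None:
        self.policy.append(rule)
        self.push()

    def push(self) -> None:
        # One policy, propagated unchanged to every data-plane device.
        for sw in self.switches.values():
            sw.table = list(self.policy)

    def quarantine(self, host_ip: str) -> None:
        # Automated response: a drop rule that outranks every allow, applied network-wide.
        self.add_rule(FlowRule(1000, f"{host_ip}/32", "0.0.0.0/0", None, "drop"))

    def drop_counts(self) -> Dict[str, int]:
        # Central monitoring view: per-switch drop counters.
        return {n: s.drops for n, s in self.switches.items()}


def demo():
    # Constructed topology and traffic for the demonstration.
    ctl = Controller(["edge-1", "edge-2", "core-1"])
    ctl.add_rule(FlowRule(100, "10.0.1.0/24", "10.0.2.10/32", 443, "allow"))
    ctl.add_rule(FlowRule(50, "10.0.1.0/24", "10.0.2.0/24", None, "drop"))
    https = {"src": "10.0.1.7", "dst": "10.0.2.10", "dport": 443}
    ssh = {"src": "10.0.1.7", "dst": "10.0.2.10", "dport": 22}
    before = [ctl.switches[n].forward(https) for n in ctl.switches]  # allowed everywhere
    ctl.quarantine("10.0.1.7")                                         # one call, whole network
    after = [ctl.switches[n].forward(https) for n in ctl.switches]   # dropped everywhere
    return before, after, ctl.switches["edge-1"].forward(ssh), ctl.drop_counts()


if __name__ == "__main__":
    print(demo())
```

The point of the model is that no switch is configured individually: `push()` is the only way rules reach the data plane, so a policy change or an automated quarantine is by construction consistent across the network.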
Myth 3: SDN security resides solely in the control plane.
The control plane is the central point of administration for an SDN network. It provides a means to distribute security policies and applications throughout the network, so in many ways it is the core of software defined networking security. The controller also presents a central point of attack to a potential hacker. Should a hacker gain access to an SDN controller, the network could be compromised by the introduction of new code or a script that reroutes network traffic to a location where the hacker could sniff it.
However, the controller isn't the only potential point of failure. If a hacker gains access to a compromised node in the enterprise, that data-plane agent can be used to inject false data flows. These data flows would be distributed to other SDN agents and propagate as bogus traffic to overwhelm the network in a denial of service (DoS) attack.
As with any enterprise, end-to-end network security has to be considered.
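One defensive measure against the compromised-node scenario above is to make data-plane agents accept flow updates only from the controller. The following is an added illustration, not code from any SDN product: the controller signs each update with an HMAC over the rule and a sequence number, and each agent verifies the signature and that the sequence number is fresh before installing the rule. A bogus update from a node that does not hold the controller key is rejected and logged, as is a replay of a genuine one. The key, agent names and rules are constructed; in a deployment the control channel would additionally be TLS-protected and keys provisioned per agent out of band.

```python
"""Added illustration (not from any SDN product): agents install a flow update
only when it carries a valid HMAC-SHA256 from the controller and a sequence
number higher than the last one seen, so a compromised node cannot inject
bogus flows into its neighbours or replay old updates."""
import hashlib
import hmac
import json
from typing import List, Tuple


def _body(seq: int, rule: dict) -> bytes:
    # Canonical serialization so controller and agent hash identical bytes.
    return json.dumps({"seq": seq, "rule": rule}, sort_keys=True).encode()


def sign_update(key: bytes, seq: int, rule: dict) -> dict:
    """Controller side: attach a MAC over (seq, rule)."""
    return {"seq": seq, "rule": rule,
            "mac": hmac.new(key, _body(seq, rule), hashlib.sha256).hexdigest()}


class Agent:
    """Data-plane agent that verifies origin and freshness of every update."""

    def __init__(self, name: str, controller_key: bytes):
        self.name, self.key = name, controller_key
        self.last_seq = 0
        self.flows: List[dict] = []
        self.log: List[str] = []

    def receive(self, msg: dict) -> bool:
        expected = hmac.new(self.key, _body(msg["seq"], msg["rule"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg.get("mac", "")):
            self.log.append(f"{self.name}: rejected update seq={msg['seq']}: bad MAC")
            return False
        if msg["seq"] <= self.last_seq:
            self.log.append(f"{self.name}: rejected replayed update seq={msg['seq']}")
            return False
        self.last_seq = msg["seq"]
        self.flows.append(msg["rule"])
        return True


def demo() -> Tuple[List[bool], List[List[str]]]:
    key = b"constructed-controller-key"  # constructed; provisioned out of band in practice
    agents = [Agent("sw-1", key), Agent("sw-2", key)]
    genuine = sign_update(key, 1, {"src": "10.0.1.0/24", "dst": "10.0.2.0/24", "action": "allow"})
    # A compromised node pushes a made-up flow, signed with a key it does not hold.
    bogus = sign_update(b"not-the-controller-key", 2,
                        {"src": "0.0.0.0/0", "dst": "203.0.113.9", "action": "reroute"})
    results = []
    for agent in agents:
        results += [agent.receive(genuine),  # accepted
                    agent.receive(bogus),    # rejected: bad MAC
                    agent.receive(genuine)]  # rejected: replay of seq 1
    return results, [agent.log for agent in agents]


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

The rejection log lines are the detection signal: an agent that starts logging bad-MAC updates is telling the security team which neighbour is sending traffic it should not be sending.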
Myth 4: Centralizing management using an SDN controller eliminates security errors.
The SDN controller is responsible for managing virtualized network services such as load balancers and firewalls, and authenticating applications, including security. Granted, the controller does provide a centralized security policy framework, but it also presents a central point to introduce security problems.
Any changes made at the control level are propagated throughout the network. The upside of this approach is that it ensures that all devices on the network have the same security policies, simplifying administration and promoting consistency. The downside is that a security error introduced from the SDN controller will propagate throughout the network just as quickly.
The solution is to demand clearer policies and tighter control over who has SDN controller access.
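What "tighter control over who has controller access" can look like in practice, as an added example rather than code from any controller: every proposed change passes a gate that checks the submitter's role, validates the rule, and requires a second approver for broad allow rules before anything is propagated, with every decision written to an audit log. The roles, the "/16 or wider" threshold for what counts as broad, and the user names are assumptions made for the illustration.

```python
"""Added illustration, not from any SDN controller: gate controller changes
behind (1) role-based access, (2) a pre-propagation validator that catches
rules that would open most of the network, and (3) two-person approval for
those broad rules, so one mistaken or malicious change cannot silently reach
every switch."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional

# Assumed role hierarchy for the example.
ROLES = {"viewer": 0, "operator": 1, "admin": 2}


@dataclass
class Change:
    author: str
    role: str
    src: str                        # source CIDR
    dst: str                        # destination CIDR
    action: str                     # "allow" or "drop"
    approver: Optional[str] = None  # second admin, required for broad allows


class ChangeGate:
    def __init__(self) -> None:
        self.audit: List[str] = []
        self.applied: List[Change] = []

    @staticmethod
    def is_broad(ch: Change) -> bool:
        # Assumed threshold: an allow whose source or destination is /16 or wider.
        return ch.action == "allow" and (
            ip_network(ch.src).num_addresses >= 2 ** 16
            or ip_network(ch.dst).num_addresses >= 2 ** 16)

    def submit(self, ch: Change) -> str:
        if ROLES.get(ch.role, -1) < ROLES["operator"]:
            return self._reject(ch, "insufficient role")
        try:
            ip_network(ch.src)
            ip_network(ch.dst)
        except ValueError:
            return self._reject(ch, "malformed prefix")
        if self.is_broad(ch):
            if ch.role != "admin":
                return self._reject(ch, "broad allow needs admin")
            if not ch.approver or ch.approver == ch.author:
                return self._reject(ch, "broad allow needs a second approver")
        self.applied.append(ch)
        self.audit.append(f"applied by {ch.author}: {ch.src}->{ch.dst} {ch.action}")
        return "applied"  # only now would the rule be pushed to every switch

    def _reject(self, ch: Change, why: str) -> str:
        self.audit.append(f"rejected {ch.author}: {why}")
        return f"rejected: {why}"


if __name__ == "__main__":
    gate = ChangeGate()
    # Constructed submissions: an operator narrowing access, then trying to open it.
    print(gate.submit(Change("ops", "operator", "10.0.0.0/24", "10.0.1.5/32", "allow")))
    print(gate.submit(Change("ops", "operator", "0.0.0.0/0", "10.0.1.0/24", "allow")))
    print(gate.submit(Change("adm", "admin", "0.0.0.0/0", "10.0.1.0/24", "allow", approver="adm2")))
    print("\n".join(gate.audit))
```

Note the asymmetry: a broad drop rule is applied without extra approval because its failure mode is an outage, which is visible, while a broad allow silently widens exposure on every switch at once, which is exactly the propagation risk the myth describes.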
The beauty of applying software defined networking security is that it separates the control and data planes so, theoretically, if a hacker were able to access the data plane they wouldn't be able to use the data, since the controls would no longer be embedded there. However, new technologies require new security strategies. The risk from software defined networking security is not in the SDN approach, but in understanding how SDN functions and taking the appropriate precautions to make sure the SDN controller is secure, the agents are secure, and the appropriate security policies are being distributed throughout the enterprise.