For every new enterprise technology there are new security concerns. The same is true for software defined networking security. Since SDN abstracts the network into controller and data planes, conventional enterprise security doesn’t apply. Software defined networking security requires a new approach.
SDN is taking the market by storm, partly because of its value for network security. According to a recent study by Brocade, one in five enterprise networks are currently using SDN, and 55 percent are evaluating SDN. The reasons cited for SDN adoption vary, but 22 percent of the IT professionals surveyed said software defined networking security was a principal reason.
The beauty of SDN is that it provides a centralized means to monitor and secure all data traffic, including traffic from the cloud. Security services are applied to connections and data flows to handle identity management, content inspection, malware threats, etc. Once SDN is deployed, security policies, performance monitoring, and problem resolution can be centralized, automated, and provisioned to every device on the network. However, to use software defined networking security as your enterprise strategy, the SDN itself needs to be secure.
The Challenge of SDN Security
Robert Hinden, a Check Point Fellow at Check Point Software Technologies, offered his views on software defined networking security at the RSA Conference in San Francisco earlier this year.
Hinden notes that the biggest challenge with SDN security is the fact that it uses centralized control. If the SDN server is attacked or a hacker gains access to the SDN controller, network traffic could be rerouted around firewalls, malware could be inserted, or traffic could be sent to infected network nodes.
And how would an SDN controller deal with a network outage? Would the SDN controller understand how to deal with it? SDN is flow-based, and policies can be created to maintain data flow in the event of any contingency, but since every network device needs to receive the same instructions, Hinden is concerned that such an approach is unwieldy.
Using software defined networking security has its benefits as well. The SDN controller ensures that the same security policies are pushed to all network devices. And if there is an infected host, SDN can route traffic around it to isolate the infected machine.
SDN Security Considerations
Here are eight considerations for software defined networking security:
- Traffic flow control – SDN abstracts the view of the overall network: the controller plane creates the rules that manage the network and the data plane disseminates those rules, so you can change traffic flow quickly and easily. The freedom and control offered by SDN provide better security. You can identify a network problem quickly from a centralized viewpoint and make changes as needed, such as rerouting network traffic to isolate a malware outbreak.
- Shaping data traffic – The ability to shape network traffic is also valuable for quality of service (QoS). Now network administrators can secure QoS packet traffic faster and more efficiently.
- Secure controller access – Securing the controller is paramount for SDN security. Start by making sure you know who has controller access and audit controller access.
- Verify the connection between the controller and end nodes – Use secure sockets layer (SSL) to communicate with routers and switches to prevent any malicious data reaching the controller.
- Verify high availability – Make sure that data is flowing freely so new instructions are reaching their destinations. If there isn’t high availability for the controllers then they can’t manage the network.
- Log everything – With centralized control you should log every network change. Use central log management to capture all the changes to enterprise traffic.
- Make sure data filters are up to date – Verify that any technology that might block network changes, such as security information and event management (SIEM) and intrusion prevention systems (IPS), is updated. Track login failures, policy changes, and custom events with SIEM and correlate logs to manage changes.
- Configure communication rules – Be sure the rules in the filtering systems allow controllers to speak to the nodes and traffic isn’t being filtered out as malicious by IPS.
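The controller-access, logging and SIEM items above come down to correlating controller audit events. The following is an added example, not part of the original article: it flags a policy change made from a source address that recently accumulated login failures. The key=value log format, field names and thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed controller audit log lines (hypothetical key=value format).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z event=login_failure user=admin src=10.0.0.50
2024-05-01T10:00:04Z event=login_failure user=admin src=10.0.0.50
2024-05-01T10:00:09Z event=login_failure user=admin src=10.0.0.50
2024-05-01T10:00:15Z event=login_success user=admin src=10.0.0.50
2024-05-01T10:01:30Z event=policy_change user=admin src=10.0.0.50 rule=bypass-fw
2024-05-01T11:00:00Z event=login_success user=netops src=10.0.0.7
2024-05-01T11:02:00Z event=policy_change user=netops src=10.0.0.7 rule=qos-voice
"""

def parse(line):
    """Split one audit line into a dict with a parsed 'ts' timestamp."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def correlate(log_text, max_failures=3, window=timedelta(minutes=10)):
    """Return policy changes made from a source that had at least
    max_failures login failures within `window` before the change."""
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        src, ts = rec["src"], rec["ts"]
        recent = failures[src]
        while recent and ts - recent[0] > window:  # expire old failures
            recent.popleft()
        if rec["event"] == "login_failure":
            recent.append(ts)
        elif rec["event"] == "policy_change" and len(recent) >= max_failures:
            alerts.append((ts.isoformat(), rec["user"], src, rec["rule"]))
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print("ALERT policy change after failed logins:", alert)
```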
For software defined networking security to be effective, you start by securing the controller and make sure that each component has its own security. Consider how a denial of service (DoS) attack works in an SDN. Rather than targeting one network device and overwhelming its CPU, in an SDN DoS attack the hacker targets one SDN agent device and injects false data flows that are distributed to other SDN agents; the propagated bogus traffic overwhelms the controller’s CPU.
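One way to keep a single agent from exhausting the controller in the scenario above is a per-agent token bucket on new-flow requests. This is an added example, not from the original article or any specific controller; the class name, agent names, rates and alert threshold are assumptions, and the event stream is constructed.

```python
from collections import defaultdict

COST = 1000  # one flow request costs 1000 milli-tokens (integers keep the math exact)

class AgentRateLimiter:
    """Token bucket per SDN agent for flow requests reaching the controller."""

    def __init__(self, rate_per_s=5, burst=10):
        self.rate = rate_per_s        # tokens/s equals milli-tokens per ms
        self.cap = burst * COST
        self.state = {}               # agent -> (milli_tokens, last_ms)
        self.dropped = defaultdict(int)

    def admit(self, agent, ts_ms):
        tokens, last = self.state.get(agent, (self.cap, ts_ms))
        tokens = min(self.cap, tokens + (ts_ms - last) * self.rate)  # refill
        ok = tokens >= COST
        if ok:
            tokens -= COST
        else:
            self.dropped[agent] += 1  # request never reaches flow processing
        self.state[agent] = (tokens, ts_ms)
        return ok

def simulate(alert_after=50):
    """Replay constructed events: sw-1 behaves normally, sw-2 floods."""
    events = [(i * 500, "sw-1") for i in range(10)]          # 2 requests/s
    events += [(1000 + i * 5, "sw-2") for i in range(200)]   # 200 requests/s
    events.sort()
    limiter = AgentRateLimiter()
    admitted = defaultdict(int)
    for ts_ms, agent in events:
        if limiter.admit(agent, ts_ms):
            admitted[agent] += 1
    # Agents with many drops are candidates for isolation and investigation.
    flagged = sorted(a for a, n in limiter.dropped.items() if n >= alert_after)
    return dict(admitted), dict(limiter.dropped), flagged

if __name__ == "__main__":
    print(simulate())
```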
So to secure an SDN, you have to secure the controller and the data planes so that the central management server, traffic, and nodes are all secure. With a secure SDN, the SDN can then centralize security management of the rest of the network.