Practical Deployments of Security for SDN

In a previous SecurityWeek column in May of this year, I wrote about “Network Security Considerations for SDN”. As described in the article, SDN technology includes the separation of control plane from the data plane (onto a centralized controller), dynamic programmable flows via this centralized controller, and automation and orchestration for the various SDN components. In order to support this new architecture, I also proposed a set of considerations for network security in software defined networks including:

Programmability – the ability to implement security “zones” that are abstracted from physical constructs

Dynamic policies – the ability for security policies to track virtual workloads that move between servers

Automation – the ability to automate and orchestrate security provisioning, but to preserve separation of duties so that the actual policies are defined by security IT administrators

But the true test of any technology is how it’s actually being used and deployed. Can a security solution with the above characteristics solve interesting use cases for organizations?

Let’s explore the following use cases.

Network access control

In a traditional network access control or 802.1X deployment, users/devices are authenticated on wired, wireless and remote access networks. Depending on how their roles are mapped in standard identity repositories, the user/device is then placed in an appropriate VLAN, or a specific ACL authorization is enabled on an endpoint. In many cases, the identity information is captured and preserved, to be shared with other enforcement devices like firewalls.

This of course is an overly simplified version of network access control (NAC). The reality is that NAC is a notoriously challenging technology requiring multi-year rollouts to coordinate networking changes and VLAN creation. SDN can simplify this because traffic flows can be directed appropriately depending on the results of authentication. For example, if a user laptop is found to have malware, the policy flows for quarantine and remediation of this laptop can be programmed centrally.

Security for multi-tenant cloud deployments

In multi-tenant cloud environments, compute resources are pooled together to support multiple businesses. This optimizes costs and enables delivery of virtual applications to meet business demands. For services providers or enterprises delivering IT-as-a-service in this cloud environment, the security policies for these “tenants” or different business units may be different.

An SDN architecture provides a number of benefits. First, it provides the ability to program the behavior of networks to optimize parameters like network resilience, service performance and more. From a security perspective, an SDN controller can deliver dynamic service steering, allowing traffic flows to be directed to services such as firewalling and intrusion prevention that may reside on different parts of the network.

With a security solution that can support dynamic and programmable policies, the association of virtual networks and virtual workloads with security policies is automated. This provides not only better visibility and protection of virtual applications from unauthorized access and threats, but can also enable new offerings for service providers.

Firewall load balancing sandwich

Application delivery controllers (ADCs), the modern version of load balancers, are often deployed in a “firewall sandwich” to increase the availability and scalability of firewalls. There are two challenges with ADCs and firewalls. One issue is asymmetric routing through the firewalls—when one inbound packet goes through one firewall and the return packet goes through a different one. Another issue is the ability to recover from a firewall failure, particularly when the failure occurs after a complete connection has been established, or if a firewall passes the inbound packet but hasn’t processed the return packet yet.

While there are existing solutions to these firewall load balancing problems, SDN can address them more efficiently: the controller can direct both directions of a flow to the appropriate firewall and reprogram flows when a firewall fails.
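As an added illustration (not code from the column or from any SDN vendor), the sketch below shows how a controller could pick the firewall for each flow so that a packet and its return packet always traverse the same device, and what it has to reconcile when a firewall drops out. The firewall names and the 5-tuples are constructed; a real controller would emit the result as flow entries to the switches.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """5-tuple of one packet as the controller sees it (sample values are constructed)."""
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int

    def symmetric_key(self) -> tuple:
        # Order the two endpoints so an inbound packet and its return packet yield
        # the same key; that is what keeps a connection off two different firewalls.
        a, b = (self.src_ip, self.src_port), (self.dst_ip, self.dst_port)
        lo, hi = (a, b) if a <= b else (b, a)
        return (self.proto, lo, hi)


class FirewallSteering:
    def __init__(self, firewalls):
        self.firewalls = list(firewalls)  # hypothetical names, e.g. ["fw1", "fw2"]
        self.healthy = set(self.firewalls)
        self.pinned = {}                  # symmetric key -> firewall serving it

    def _hash_choice(self, key) -> str:
        # Deterministic pick among healthy firewalls: both directions hash identically.
        candidates = [fw for fw in self.firewalls if fw in self.healthy]
        if not candidates:
            raise RuntimeError("no healthy firewall available")
        digest = hashlib.sha256(repr(key).encode()).digest()
        return candidates[int.from_bytes(digest[:4], "big") % len(candidates)]

    def select(self, flow: Flow) -> str:
        """Firewall the controller should program this packet's flow entry toward."""
        key = flow.symmetric_key()
        fw = self.pinned.get(key)
        if fw is None or fw not in self.healthy:
            fw = self._hash_choice(key)   # new flow, or re-pin after a failure
            self.pinned[key] = fw
        return fw

    def mark_failed(self, fw: str) -> list:
        """Remove a firewall; return the established connections it was serving, which
        the survivor has no state for (expect resets unless state is synchronized)."""
        self.healthy.discard(fw)
        return [key for key, owner in self.pinned.items() if owner == fw]
```

The list returned by mark_failed is the set of connections a stateful survivor will not recognize; that is the failure-after-establishment case the column describes, and the controller has to decide whether to let them be reset or rely on firewall state synchronization.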

Practical Use Case or Killer App?

Many have opined that security is the killer app for SDN… is this true? While SDN is a major innovation for networking, the security use cases outlined above are evolutionary, not revolutionary. However, SDN allows these use cases to be implemented in a manner that requires fewer configuration changes, and fewer networking headaches. Therefore, for countless IT administrators who are facing these challenges every day, it may be the killer app for them.

Written By

Danelle Au is a cybersecurity and AI go-to-market leader with 20+ years of experience bringing disruptive security, cloud, and AI technologies to market. She is currently VP of Product Marketing at Cylake. Danelle has held multiple CMO and VP roles across startups and market leaders—including Infoblox, Ordr, Blue Hexagon, SafeBreach, and Adallom—helping define emerging security categories and scale go-to-market engines. She is a co-founder and co-author, has multiple U.S. patents, and holds an M.S. in Electrical Engineering from UC Berkeley. The opinions and views expressed within her articles are those of Danelle alone in her personal capacity and do not necessarily reflect the positions of Cylake or any of her prior employers.
