
What Secure SDN Should Look Like


I’m no Nostradamus, but, then again, do I really need to be to say that software-defined networking (SDN) is the future of networking? C’mon, it’s a logical evolution, and one that will further enable both enterprises and service providers to take advantage of the cloud in terms of elastic scaling, flexible deployment, reduced time to service, and value-based cost. Where I’d rather put a stake in the ground, and bet my soothsaying reputation, is on the importance—and logic—of including and integrating security into this SDN evolution through service chaining, the process of reconfiguring networks to scale and deliver new services.

Service Chaining of Today and Tomorrow

Today, service chaining functionality is accomplished by using separate network and security devices. It’s a rather rudimentary physical approach whereby separate devices are physically connected by Ethernet cables. Each device must be individually configured to establish the service chain and for a specific function.

SDN service chaining, on the other hand, uses software to insert services virtually into the flow of network traffic. A centralized controller can connect multiple network and security services in a series—or chain—across network devices. With SDN service chaining, networks can be reconfigured on the fly, allowing them to dynamically respond to the needs of the business. For both enterprises and service providers, this means that SDN service chaining will dramatically reduce the time, cost, and risk for them to design, test, and deliver new network and security services.

Security service chaining for SDN has many benefits and can include, say, the ability to elastically scale stateful firewalls that run as virtual machines. It’s all based on need and dynamically adjustable as instances of services come and go. What’s important to note, though, is that it’s not just about virtual firewalls (and I’m considering both VM hosted and perimeter firewalls). Rather, secure SDN should be as comprehensive as possible and therefore also include other virtual form factor services such as DDoS prevention, Web application security, SSL VPN, and UAC.

What Enterprises and Service Providers Want to Know about SDN Security

More and more, enterprises and service providers are looking at SDN and saying, “Great. I like the abstracted network concept and the idea of service chaining. Now, the first service I want to link up is security. How do I do this?” And they want specifics. They want to find out how to:

• Scrub traffic

• Protect the various elements (controllers, switches, etc.) of the SDN

• Authenticate and ensure authorization of changes to the dynamic network

• Optimize traffic flows (e.g., preferred treatment across data centers for payment traffic and/or lower prioritization for Web surfing)

• Correlate network changes with security changes (e.g., when a new virtual network is introduced, how are security devices (virtual and physical) manipulated to appropriately allow traffic to/from that network?)

• Scale up (e.g., if a customer wants 100G of firewall protection, would she need to buy a higher end firewall or would she be able to fulfill the same security needs with multiple virtual firewall instances that are coordinated by the SDN infrastructure?)

• Create and associate new service classes, such as URL filtering or antivirus, for customers

Native and Add-On Protections

To begin to answer some of these questions, it’s important to recognize that a solid and secure SDN solution should come with both native and add-on protections. When an enterprise or service provider installs their SDN product, they get some built-in protections. As mentioned earlier, this may include the implementation of a stateful firewall into a central controller. This controller can then manipulate packets to flow from one virtual machine to another, or one network to another, with the ability to do some basic stateless traffic filtering using access control lists (ACLs) that appropriately protects/blocks traffic going through the aforementioned areas.

The progression of secure SDN will entail taking out the stateless ACLs and providing better protection through stateful inspection and all the other goodies that come with purpose-built virtualization security—including compliance, introspection, intrusion detection, etc. It will make for a more solid solution by ensuring that no one can disable the controller.

Up next will be the ability to funnel traffic through a variety of security service VMs (firewalls, Web app security, DDoS protection) for appropriate traffic scrubbing. Businesses have all types of VMs or even physical servers and, in some cases, the traffic going to these systems merits more scrutiny (e.g., a credit card database versus a QA test system). Businesses need to be able to dictate that certain flows get funneled through different service VMs or multiple service VMs based on their class. And they don’t want to have to re-cable their infrastructure every time they bring on new systems or new service classes. The process needs to be dynamic—which is what SDN is all about. While SDN lets customers link up systems dynamically, secure SDN would let them do so with the necessary watch guards in place for monitoring and scrubbing traffic.
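The class-based steering described above, sketched as an added example that is not from the original article or any SDN product: a controller-side resolver that maps a protected server to a service class, then pins each flow to one instance per service so that elastically scaled stateful firewalls see both directions of a connection. The prefixes, class names, service names and instance names are constructed for illustration.

```python
import hashlib
import ipaddress

# Constructed policy (assumption): server prefix -> (class, ordered service chain).
POLICY = [
    ("10.20.0.0/24", "cardholder-db", ["ddos", "firewall", "waf"]),
    ("10.20.0.0/16", "general", ["firewall"]),
    ("10.99.0.0/16", "qa-test", ["firewall"]),
]
# Constructed inventory (assumption): service -> live VM instances.
INSTANCES = {
    "ddos": ["ddos-1"],
    "firewall": ["fw-1", "fw-2", "fw-3"],
    "waf": ["waf-1", "waf-2"],
}

def classify(server):
    """Longest-prefix match on the protected server; None if nothing covers it."""
    addr = ipaddress.ip_address(server)
    hits = [(ipaddress.ip_network(p), cls, chain) for p, cls, chain in POLICY
            if addr in ipaddress.ip_network(p)]
    if not hits:
        return None
    _, cls, chain = max(hits, key=lambda h: h[0].prefixlen)
    return cls, chain

def flow_key(ip_a, port_a, ip_b, port_b, proto="tcp"):
    """Direction-independent key: sort the two endpoints before hashing."""
    a, b = sorted([(ip_a, port_a), (ip_b, port_b)])
    return hashlib.sha256(f"{proto}|{a}|{b}".encode()).digest()

def pick(service, key):
    """Pin a flow to one instance so stateful inspection keeps its state."""
    pool = INSTANCES.get(service)
    if not pool:
        raise LookupError(f"no live instance for service {service!r}")
    return pool[int.from_bytes(key[:8], "big") % len(pool)]

def resolve(client, cport, server, sport, proto="tcp"):
    """Return (class, client-to-server hops); replies traverse the hops reversed.
    An unclassified server yields an empty chain, which the caller must drop."""
    match = classify(server)
    if match is None:
        return "unclassified", []  # fail closed: never forward unscrubbed
    cls, chain = match
    key = flow_key(client, cport, server, sport, proto)
    return cls, [pick(service, key) for service in chain]
```

Modulo hashing remaps existing flows whenever a pool grows or shrinks, so a deployment that scales instances in and out also needs consistent hashing or state synchronization between instances.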
