SecurityWeek

Network Security

What Secure SDN Should Look Like

I’m no Nostradamus, but, then again, do I really need to be to say that software-defined networking (SDN) is the future of networking? C’mon, it’s a logical evolution, and one that will further enable both enterprises and service providers to take advantage of the cloud in terms of elastic scaling, flexible deployment, reduced time to service, and value-based cost. Where I’d rather put a stake in the ground and bet my soothsaying reputation on is the importance—and logic—of including and integrating security into this SDN evolution through service chaining, the process of reconfiguring networks to scale and deliver new services.

Service Chaining of Today and Tomorrow

Today, service chaining functionality is accomplished by using separate network and security devices. It’s a rather rudimentary physical approach whereby separate devices are physically connected by Ethernet cables. Each device must be individually configured to establish the service chain and for a specific function.

SDN service chaining, on the other hand, uses software to insert services virtually into the flow of network traffic. A centralized controller can connect multiple network and security services in a series—or chain—across network devices. With SDN service chaining, networks can be reconfigured on the fly, allowing them to dynamically respond to the needs of the business. For both enterprises and service providers, this means that SDN service chaining will dramatically reduce the time, cost, and risk for them to design, test, and deliver new network and security services.

Security service chaining for SDN has many benefits and can include, say, the ability to elastically scale stateful firewalls that run as virtual machines. It’s all based on need and dynamically adjustable as instances of services come and go. What’s important to note, though, is that it’s not just about virtual firewalls (and I’m considering both VM hosted and perimeter firewalls). Rather, secure SDN should be as comprehensive as possible and therefore also include other virtual form factor services such as DDoS prevention, Web application security, SSL VPN, and UAC.

What Enterprises and Service Providers Want to Know about SDN Security

More and more, enterprises and service providers are looking at SDN and saying, “Great. I like the abstracted network concept and the idea of service chaining. Now, the first service I want to link up is security. How do I do this?” And they want specifics. They want to find out how to:

• Scrub traffic

• Protect the various elements (controllers, switches, etc.) of the SDN

• Authenticate and ensure authorization of changes to the dynamic network

• Optimize traffic flows (e.g., preferred treatment across data centers for payment traffic and/or lower prioritization for Web surfing)

• Correlate network changes with security changes (e.g., when a new virtual network is introduced, how are security devices (virtual and physical) manipulated to appropriately allow traffic to/from that network?)

• Scale up (e.g., if a customer wants 100G of firewall protection, would she need to buy a higher end firewall or would she be able to fulfill the same security needs with multiple virtual firewall instances that are coordinated by the SDN infrastructure?)

• Create and associate new service classes, such as URL filtering or antivirus, for customers

Native and Add-On Protections

To begin to answer some of these questions, it’s important to recognize that a solid and secure SDN solution should come with both native and add-on protections. When an enterprise or service provider installs their SDN product, they get some built-in protections. As mentioned earlier, this may include the implementation of a stateful firewall into a central controller. This controller can then manipulate packets to flow from one virtual machine to another, or one network to another, with the ability to do some basic stateless traffic filtering using access control lists (ACLs) that appropriately protect/block traffic going through the aforementioned areas.

The progression of secure SDN will entail taking out the stateless ACLs and providing better protection through stateful inspection and all the other goodies that come with purpose-built virtualization security—including compliance, introspection, intrusion detection, etc. It will make for a more solid solution by ensuring that no one can disable the controller.

Up next will be the ability to funnel traffic through a variety of security service VMs (firewalls, Web app security, DDoS protection) for appropriate traffic scrubbing. Businesses have all types of VMs or even physical servers and, in some cases, the traffic going to these systems merits more scrutiny (e.g., a credit card database versus a QA test system). Businesses need to be able to dictate that certain flows get funneled through different service VMs or multiple service VMs based on their class. And they don’t want to have to re-cable their infrastructure every time they bring on new systems or new service classes. The process needs to be dynamic—which is what SDN is all about. While SDN lets customers link up systems dynamically, secure SDN would let them do so with the necessary watch guards in place for monitoring and scrubbing traffic.
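The class-based funneling described above can be sketched as a controller-side lookup. This is an added example, not code from the article or from any SDN product; the class names, service names, prefixes and instance IDs are all constructed, and it assumes the controller drops a flow when any required service in its chain has no healthy instance.

```python
# Added example: every class name, service name, prefix and instance is constructed.
from ipaddress import ip_address, ip_network

# Ordered chain of security services each traffic class must traverse.
CHAINS = {
    "cardholder-data": ["ddos-scrubber", "stateful-fw", "waf", "ids"],
    "qa-test": ["stateful-fw"],
}
# Destination prefix -> class; the most specific matching prefix wins.
CLASS_BY_PREFIX = {
    "10.20.0.0/16": "qa-test",
    "10.20.5.0/24": "cardholder-data",
}
# Service VM instances currently healthy, as a controller might track them.
INSTANCES = {
    "ddos-scrubber": ["scrub-1"],
    "stateful-fw": ["fw-1", "fw-2"],
    "waf": ["waf-1"],
    "ids": [],  # all IDS instances down
}

def classify(dst_ip):
    """Return the class of the longest matching prefix, or None if unclassified."""
    addr = ip_address(dst_ip)
    hits = [(ip_network(p), c) for p, c in CLASS_BY_PREFIX.items()
            if addr in ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def resolve_chain(dst_ip, instances=INSTANCES):
    """Return ("forward", hops) or ("drop", reason); never a partial chain."""
    cls = classify(dst_ip)
    if cls is None:
        return ("drop", "no class for destination")
    hops = []
    for service in CHAINS[cls]:
        pool = instances.get(service, [])
        if not pool:
            # Fail closed: skipping a missing service would leave traffic unscrubbed.
            return ("drop", f"{cls}: no healthy {service} instance")
        # Deterministic spread across instances, so adding VMs adds capacity.
        hops.append(pool[int(ip_address(dst_ip)) % len(pool)])
    return ("forward", hops)

if __name__ == "__main__":
    for ip in ("10.20.9.9", "10.20.5.7", "192.0.2.1"):
        print(ip, resolve_chain(ip))
```

Bringing a new system online then means adding a prefix and a class entry rather than re-cabling, and a destination with no class is dropped instead of bypassing the chain.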
