I’m no Nostradamus, but, then again, do I really need to be to say that software-defined networking (SDN) is the future of networking? C’mon, it’s a logical evolution, and one that will further enable both enterprises and service providers to take advantage of the cloud in terms of elastic scaling, flexible deployment, reduced time to service, and value-based cost. Where I’d rather put a stake in the ground and bet my soothsaying reputation on is the importance—and logic—of including and integrating security into this SDN evolution through service chaining, the process of reconfiguring networks to scale and deliver new services.
Service Chaining of Today and Tomorrow
Today, service chaining functionality is accomplished by using separate network and security devices. It’s a rather rudimentary physical approach whereby separate devices are physically connected by Ethernet cables. Each device must be individually configured to establish the service chain and for a specific function.
Security service chaining for SDN has many benefits and can include, say, the ability to elastically scale stateful firewalls that run as virtual machines. It’s all based on need and dynamically adjustable as instances of services come and go. What’s important to note, though, is that it’s not just about virtual firewalls (and I’m considering both VM hosted and perimeter firewalls). Rather, secure SDN should be as comprehensive as possible and therefore also include other virtual form factor services such as DDoS prevention, Web application security, SSL VPN, and UAC.
What Enterprises and Service Providers Want to Know about SDN Security
More and more, enterprises and service providers are looking at SDN and saying, “Great. I like the abstracted network concept and the idea of service chaining. Now, the first service I want to link up is security. How do I do this?” And they want specifics. They want to find out how to:
• Scrub traffic
• Protect the various elements (controllers, switches, etc.) of the SDN
• Authenticate and ensure authorization of changes to the dynamic network
• Optimize traffic flows (e.g., preferred treatment across data centers for payment traffic and/or lower prioritization for Web surfing)
• Correlate network changes with security changes (e.g., when a new virtual network is introduced, how are security devices (virtual and physical) manipulated to appropriately allow traffic to/from that network?)
• Scale up (e.g., if a customer wants 100G of firewall protection, would she need to buy a higher end firewall or would she be able to fulfill the same security needs with multiple virtual firewall instances that are coordinated by the SDN infrastructure?)
• Create and associate new service classes, such as URL filtering or antivirus, for customers
Native and Add-On Protections
To begin to answer some of these questions, it’s important to recognize that a solid and secure SDN solution should come with both native and add-on protections. When an enterprise or service provider installs their SDN product, they get some built-in protections. As mentioned earlier, this may include the implementation of a stateful firewall into a central controller. This controller can then manipulate packets to flow from one virtual machine to another, or one network to another, with the ability to do some basic stateless traffic filtering using access control lists (ACLs) that appropriately protects/blocks traffic going through the aforementioned areas.
The progression of secure SDN will entail taking out the stateless ACLs and providing better protection through stateful inspection and all the other goodies that come with purpose-built virtualization security—including compliance, introspection, intrusion detection, etc. It will make for a more solid solution by ensuring that no one can disable the controller.
Up next will be the ability to funnel traffic through a variety of security service VMs (firewalls, Web app security, DDoS protection) for appropriate traffic scrubbing. Businesses have all types of VMs or even physical servers and, in some cases, the traffic going to these systems merits more scrutiny (e.g., a credit card database versus a QA test system). Businesses need to be able to dictate that certain flows get funneled through different service VMs or multiple service VMs based on their class. And they don’t want to have to re-cable their infrastructure every time they bring on new systems or new service classes. The process needs to be dynamic—which is what SDN is all about. While SDN lets customers link up systems dynamically, secure SDN would let them do so with the necessary watch guards in place for monitoring and scrubbing traffic.
Related: Network Security Considerations for SDN
Related: Software Defined Networking – A New Network Weakness?