Our organization is starting to investigate security for software-defined networking. Should we approach it like we're securing an application service, somewhat similar to VoIP?
Network management software has traditionally been proprietary and vendor-specific, bundled with devices such as switches and routers. Software-defined networking (SDN) changes that by separating the control plane, the software that decides how traffic should be handled, from the data plane, the physical device that actually forwards it.
Many experts see SDN as the biggest transformation of networking in decades, because it gives an organization the ability to control access to its network and resources at a much more granular level. For example, it helps administrators enforce BYOD policies, because network rules can be written for an individual device or user. Video conferencing traffic can be given priority over email, or rules can be created to quarantine traffic coming from or going to a particular address. Once a set of rules has been developed, it can be deployed across an assorted range of networking hardware, as long as that hardware supports the protocol the controller uses to program it (OpenFlow is the best-known example).
Although SDN products are starting to come to market, production SDNs are still in their infancy, which means caution is required: there are few SDN security case histories to learn from. Enterprises certainly need to protect both physical and logical access to SDN controllers, because an attacker who compromises a controller has effectively compromised the network. Controllers are the centralized decision points for the control and management of the switches, routers and servers in an SDN. They let an administrator change a network's layout and traffic flow with a few clicks; if compromised, they give an attacker exactly the same abilities.
Direct access to controllers must be restricted, and every administrative action should be authenticated and logged. Strong, mutual authentication between network devices and controllers should be established so that each side validates the identity and integrity of the other: a switch should accept instructions only from a legitimate controller, and a controller should accept connections only from legitimate switches. The communication channel between them should also be encrypted, for example with TLS, to prevent man-in-the-middle, snooping and other attacks; check that this is actually enabled on the products you deploy rather than assuming it, because an encrypted, authenticated channel to the controller is not always the default. To prevent a rogue application on the controller from taking over the network, each application should be authenticated before it runs, with tight privilege separation maintained between processes.
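The mutual authentication and encrypted channel described above, as an added example that is not part of the original answer: a Go program in which a controller and a switch each present a certificate issued by the enterprise CA, the controller refuses a switch whose certificate comes from any other issuer, and the switch refuses a controller whose certificate does not chain to the CA. The CA, the host names (controller.sdn.example, switch-01.sdn.example), the FLOW_MOD placeholder message and the loopback TCP transport are all constructed for the example; a real deployment runs the equivalent handshake inside the controller-to-switch protocol's own TLS support.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// NewIdentity mints a self-signed CA (parent nil) or a leaf certificate signed by parent, bundled
// with its key as tls.Config expects. The PKI is constructed for this example: one enterprise CA
// issues the controller and switch certificates; an untrusted second CA stands in for an attacker.
func NewIdentity(name string, parent *tls.Certificate) tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	signerCert, signerKey := tmpl, any(priv) // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name} // the name a peer's ServerName is checked against
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		signerCert, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, pub, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}
}

// Config presents self's certificate and trusts only the enterprise CA. The controller (ctrlName == "")
// also demands a valid certificate from every switch, which is what makes the authentication mutual;
// a switch instead pins the name the controller's certificate must carry.
func Config(ca, self tls.Certificate, ctrlName string) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	cfg := &tls.Config{Certificates: []tls.Certificate{self}, RootCAs: pool, ClientCAs: pool, MinVersion: tls.VersionTLS12}
	if ctrlName == "" {
		cfg.ClientAuth = tls.RequireAndVerifyClientCert
	} else {
		cfg.ServerName = ctrlName
	}
	return cfg
}

// Session runs one controller<->switch connection over loopback TCP and returns the error each side
// observed; nil on both means both identities were verified and the switch got the controller's message.
func Session(ctrlCfg, swCfg *tls.Config) (ctrlErr, swErr error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err, err
	}
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err == nil {
			defer raw.Close()
			raw.SetDeadline(time.Now().Add(5 * time.Second))
			_, err = tls.Server(raw, ctrlCfg).Write([]byte("FLOW_MOD")) // handshake runs first; fails if the switch cert does not chain to the CA
		}
		done <- err
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err, err
	}
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	// Read drives the handshake (verifying the controller), then waits for its message; a rejection by either side surfaces here.
	_, swErr = tls.Client(raw, swCfg).Read(make([]byte, 8))
	return <-done, swErr
}
func Demo() (legitOK, rogueSwitchRejected, rogueControllerRejected bool) {
	const ctrlName = "controller.sdn.example" // hypothetical host name
	ca, attackerCA := NewIdentity("Enterprise SDN CA", nil), NewIdentity("Attacker CA", nil)
	ctrl, sw := NewIdentity(ctrlName, &ca), NewIdentity("switch-01.sdn.example", &ca)
	rogueCtrl, rogueSw := NewIdentity(ctrlName, &attackerCA), NewIdentity("switch-01.sdn.example", &attackerCA) // right names, wrong issuer
	c, s := Session(Config(ca, ctrl, ""), Config(ca, sw, ctrlName))
	c2, _ := Session(Config(ca, ctrl, ""), Config(ca, rogueSw, ctrlName))
	_, s3 := Session(Config(ca, rogueCtrl, ""), Config(ca, sw, ctrlName))
	return c == nil && s == nil, c2 != nil, s3 != nil
}

func main() { fmt.Println(Demo()) }
```

Demo reports true for all three cases: the legitimate pair establishes a session, and each impersonation attempt is refused by the side that verifies it. The single setting that makes the authentication mutual is cfg.ClientAuth = tls.RequireAndVerifyClientCert; with Go's default of no client certificate, any host that can reach the controller's port could open a session, which is the one-way authentication most TLS deployments stop at. The same pattern applies to the controller's own administrative interface: encrypt it, verify the client, and log what the client then does.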
Develop a robust change-control policy to ensure changes are authorized and validated, with a roll-back procedure in case problems arise. Provide some form of redundancy so that a single controller going down does not take the entire network with it, and test any fail-over mechanism for both reliability and latency. SDN logs provide reams of useful data for forensics, compliance, event correlation and reporting, but enterprises need a log analysis tool in place that can handle that volume.
IDC predicts the software-defined networking market will grow from $200 million in 2013 to $2 billion by 2016, as organizations push for improved network speed, reliability, energy efficiency and security. However, because SDN operates at the heart of a network, its security must be given top priority. It also requires specialized technical and engineering skills to deploy, so a test lab is essential while its potential and its security requirements are investigated.