This article can also be found in the Premium Editorial Download "Information Security magazine: Security Readers' Choice Awards 2013."
Download it now to read this article plus other related content.
Software-defined networking (SDN) is a rare case of technology led by security—a fact that hasn't received nearly as much attention as it deserves.
The genesis of original ideas that led to SDN's creation occurred to Martin Casado, now VMware's chief technology officer of networking and security, just after 9/11 while he was working within the intelligence community on systems in incredibly secure settings.
How do you build isolated groups of compute that have their own security policy, which remains invariant independent of where the VMs go?
Martin Casado, chief technology officer of networking and security, VMware
Casado realized that it was entirely possible to program a computer to deal with security at that level, but the same wasn't remotely true for the network. They were pretty much stuck with whatever networking vendors were selling and there wasn't much they could do to change it. In terms of operationalizing security networks, it was the weakest link.
With a vision of bringing virtualization's agility and security properties to networks, Casado and his Ph.D. advisors Nick McKeown at Stanford, and Scott Shenker at the University of California at Berkeley, co-founded Nicira in 2007. The company's initial funding came from the intelligence agencies, and in 2012 VMware acquired Nicira.
"Not only is SDN itself a design with security as its foundation, but it's a way to get at much more secure network designs," Casado said. "It has the potential to address traditional networking's glaring security issues."
What is SDN?
SDN is a "stack" architecture that separates the network control plane from the forwarding plane and centralizes it in a controller that defines forwarding behavior through high-level policy. Northbound application programming interfaces (APIs) sit atop the controller and present a network abstraction interface to the applications and management. Southbound APIs, such as OpenFlow, allow a controller to define the behavior of switches at the bottom of the SDN stack.
Confusion abounds about what SDN is and isn't. "Bear in mind that there are ways to program a network that don't involve SDN—if it doesn't involve the separation of data plane and control plane, it's not SDN," said Brad Casemore, research director of datacenter networks for IDC. SDN also isn't a point-fix solution that's bolted onto the network's infrastructure.
One of the most important things to know about SDN in terms of security is that it involves a fundamental shift to a zero trust model. In this model, you assume that guests are untrusted, limit the code base and allow only the minimum access needed to carry out a job—a task that was incredibly difficult before SDN came along.
"As the security world knows, information gathering is often a predecessor to an attack. So we want to enforce two principles: least information and least privilege," Casado noted.
SDN allows consolidation of trust
Another key feature of SDN is the notion of consolidation of trust. In a physical world if you consolidate all your trusted stuff in a vault and lock it, you've reduced your security problem to the unlocking of that one vault.
Traditional networking has no notion of a central authority or trust authority where you can consolidate trust. As a result, potentially insecure elements are scattered throughout the network.
How Is SDN solving security problems?
WestJet, an international airline, became interested in virtual networking after identifying challenges within their security network and data center infrastructures. The IT team wanted to move forward with a new architecture for security design and decided to explore SDN, and network virtualization, in a lab environment before putting it into production.
"This was a journey for us, not a decision to just jump on SDN," explained Darrell Lizotte, technical architect at WestJet. "It was based on how we were going to solve problems."
One problem they wanted to solve is that their east-west traffic patterns—also known as server-to-server patterns—had increased substantially. "This was the biggest thing for us: we saw it as a way to keep the east-west traffic within the host as much as possible," Lizotte said.
With this move, WestJet changed its approach to network security and "went to a zero trust
security model so that the data center doesn't trust anything outside of it," according to
During the transition, the IT team realized that "traditional security was always bolted onto the infrastructure to protect certain parts from other parts. But we wanted to immerse security into the network—to make it part of all of the networking," noted Lizotte.
VMware's networking virtualization product fit into this vision. "Security became an integral part of all of the networking—they secured so much of it, and it's not just bolted onto the side; it's a part of it," Lizotte said.
One of the reasons for the proliferation of trust in traditional networking is that Internet technology was designed to grow organically—without any central authority.
The problem with all this rampant implicit trusting now is that "hackers take advantage of it routinely. SDN allows you to do trust consolidation and have a few trusted entities; everything else is untrusted," said Casado.
SDN provides more control of the architecture and the distribution model of the control plane, which makes it possible to consolidate trust into fewer elements.
Instead of worrying about thousands of elements, now you only need to worry about dozens of elements, pointed out Brent Salisbury, lead network engineer at the University of Kentucky.
"SDN shrinks your attack vector," Salisbury said. "Granted, those dozen devices become more important, but you can build up a security infrastructure around them instead of building up a security infrastructure around everything and replicating. The problem with traditional networks is the need to distribute the security infrastructure everywhere, which is cost prohibitive. With SDN, we can do it right a handful of times—saving money and significantly improving security at the same time."
SDN is a mechanism, not an implementation
Despite vendors' broad use of the terminology, it's important to realize SDN is a mechanism that's not synonymous with how the architecture is implemented. Big companies and recent startups alike—VMware, Cisco, Juniper Networks, Big Switch Networks, and Plexxi, to name only a handful—are pursuing different implementation approaches.
Casado worked on one of the first SDN implementations at Nicira, now part of VMware. The network virtualization platform, NSX, debuted at VMworld 2013 in late August. It enables the creation of an intelligent abstraction layer between virtualized hosts and an existing physical network.
Network virtualization is akin to server virtualization because it's a platform, a set of primitives that can be controlled by software, independent of the physical devices beneath it. It uses the same properties virtual machines give you: isolation and a limited trusted compute base.
"As a proof point of SDN or an application built on top of SDN, network virtualization has solid security properties," said Casado. "This was the use case I was after while working for the intelligence agencies: How do you build isolated groups of compute that have their own security policy, which remains invariant independent of where the VMs go? To me, that's the Holy Grail and it's why I think network virtualization is going to be a fundament of any secure deployment in the future."
Is the controller a giant target?
One huge concern people tend to express about SDN is that the controller is now a giant target for attackers. Guess what? It's not simple to attack at all.
In compute virtualization, trust consolidation is done in the hypervisor, so the security problem is reduced to protecting the hypervisor. Network virtualization relies on the same trust assumptions as compute virtualization; it also uses trust consolidation in the hypervisor.
For skeptics, who question how secure trust consolidation is on the hypervisor, Casado points to Amazon's Elastic Compute Cloud. The hypervisor is heavily trusted as its basis of isolation and runs millions of workloads.
"If you can trust the hypervisor today, then you'll trust it in exactly the same way with network virtualization. The controllers themselves aren't directly accessible by the tenants; they're not part of the control space. There's no way you could attack them," Casado explained. "You'd need to attack the hypervisor, which is what you'd have to do today, and we're using isolation between tenants anyway."
The bottom line is that today in the physical network, the equivalent to controllers is physical networking devices and any end host can attack them. "In network virtualization, controllers are totally hidden—they're not even in the address space of the guest, so they really can't be attacked," Casado said.
Opportunities ahead for security companies
SDN is a change in network architecture, and there are security implications. It allows you to build systems in different ways, which changes a lot of the security assumptions. This is a huge opportunity for the security world to take advantage of the new architecture and to help define the core set of rules and the new model for thinking about security.
VMware has developed an ecosystem to partner with the biggest names in security, including all of the traditional security appliance and end host antivirus companies. As part of the ecosystem, customers decide which security services they want, and from whom, as part of their virtual world.
As one of the first use cases for SDN, network virtualization is "changing the way we fundamentally think about security," Casado said. "It's an opportunity for us to redefine security so it's ubiquitous and provides global introspection so we can react to things dynamically. We're entering a realm of entirely new security."
This was first published in October 2013