ONOX HILL, Md. -- Software-defined networking may prove to be as inevitable as it is transformative, according to a Gartner analyst, but lacking security controls and shaky management features today make SDN a sizable risk to enterprise network security.
During a session last week at the Gartner Inc. 2014 Security & Risk Management Summit, Research Vice President and Lead Network Security Analyst Greg Young spoke at length about the security implications of software-defined networking (SDN).
Describing SDN as software technology that separates the network control layer from its forwarding layer, Young said it virtualizes networking by centralizing routing decisions in an SDN controller server.
It's good from a functionality perspective, but it scares the bejeebers out of security folks, and rightly so.
research vice president, Gartner Inc.
As far as security is concerned, Young said SDN is rife with unsolved security issues, including immature and varied security capabilities among various products, the risk posed by the SDN controller being a single point of failure, and the reality that security is optional in some SDN protocols.
"It's good from a functionality perspective," Young said of SDN, "but it scares the 'bejeebers' out of security folks, and rightly so."
SDN security shortcomings
Young said few SDN vendors are investing much effort into security; even worse, they're trying to maintain control of the functions within their products, so there's little incentive for them to collaborate with third-party security vendors on interoperable SDN security products.
Without the participation of security vendors, Young added, it's unlikely that SDN security standards will emerge anytime soon.
"We're at a low point right now with SDN security cooperation and collaboration," Young said.
Young also explained how current SDN products are a dream come true for attackers. In an SDN product, all routing decisions are made in the controller, so if an adversary can compromise the controller, he or she can take control of the entire network.
Citing recent SDN attack research conducted by Texas A&M University, Young said SDN technology is not only easy for attackers to detect, but is also susceptible to resource-intensive attacks like denial of service.
"In a network environment that's designed to be highly available, those are the hardest attacks to defend against," Young said. "Enterprises are going to have to be monitoring for these kinds of attacks, both intentional and unintentional, because it's something that hasn't been talked about."
Furthermore, Young detailed the security-related issues with SDN configuration and change control. He said SDN products come with their own management consoles that typically aren't interoperable with other networking and security management consoles, adding another layer of complexity to network security management processes.
Similarly, he added that it may prove difficult to manage and audit network configuration changes because a larger pool of users may need access privileges for SDN configuration.
"Think about how many fingers are going to be in this pie and who can make changes to the network," Young said. "It will be a wider community, using more consoles, and that's a wider aperture for attack and control."
SDN security: Not all bad
Young admitted there are some aspects of SDN that benefit security, particularly its simplified codebase. He said while most legacy network switches have up to 35 million lines of code, the SDN products he has seen are mostly based on slimmed-down versions of Linux, and have just 1-2 million, decreasing the opportunity for attackers to find vulnerabilities.
SDN may also prove to be a boon to network security policy management, Young said, because the SDN controller serves as the central point where policy is applied, as opposed to most networking products that require device-by-device policy management.
Fortunately, implementing SDN doesn't mean an organization must abandon all of its current network security technology. Young said it's OK, if not encouraged, to use traditional firewalls to segment an SDN network, as physical separation reduces security risk and may in turn serve to speed up SDN implementations.
More from #Gartnersec 2014
The psychology of user security training
A Gartner analyst offers some psychology tips to help security pros get inside users' heads and eliminate bad security behaviors.
Gartner: Spend less on prevention, more on detection
At its annual security confab, the research giant said enterprises buy too much threat prevention and not enough detection and response technology.
Young recommended a number of other SDN security best practices. First and foremost, protect the SDN controller. Admitting that's a huge challenge today because there are no viable products available for this purpose, he said security teams should consider encrypting communication between the controller and network switches.
That action will still leave SDN controllers vulnerable to denial-of-service and other resource-consumption attacks, so Young advised hardening the controller with redundant network paths to help ensure quality of service, as well as the use of intrusion prevention systems, authentication between switches, and any host-based controls built into the controller.
He also suggested revisiting the network security configuration management policy, as a technology like SDN often stresses existing workflow processes.
"You can't use old-school workflow and new-school architecture," Young said. "You have to change the process or change how changes are implemented. If it goes against polices you're audited against now, that has to be fixed."
Finally, despite the enterprise network security challenges SDN poses, Young recommended security pros embrace the technology when it arrives in their organizations because it will afford them the opportunity to not only push security as a priority from the beginning, but also have a say in the design and implementation.
"You can be the bridge for technical communications between the data center group and the network operations group," Young said. "It's great to get out ahead of this."