Problem solve Get help with specific problems with your technologies, process and projects.

OpenFlow security: Does OpenFlow secure software-defined networks?

Expert Brad Casey answers a question on OpenFlow security implications: Can the OpenFlow protocol foster software-defined networking (SDN) security?

How does OpenFlow work to enable and secure software-defined networking?

Ask the expert!

Have questions about network security for expert Brad Casey? Send them via email today! (All questions are anonymous)

OpenFlow is a protocol that enables software-defined networking (SDN). SDN, in a nutshell, is an emerging approach to enterprise networking in which the control plane is decoupled from networking hardware. Instead, a software application called a controller governs the behavior of network devices. Many hope that SDN will enable greater levels of interoperability among network hardware vendors.

In essence, OpenFlow is the language that allows controllers and devices to talk to each other. When an OpenFlow-enabled switch is placed in a network, a controller is placed in line with it. The network administrator is tasked with configuring the different flow tables to be utilized within the network. Flow tables consist of "flows," which is just another way of defining expected network behavior. A flow could be a TCP connection, all traffic within a certain IP range, or any other type of network characteristic the network administrator chooses.

When packets consistent with established flow definitions reach the OpenFlow-enabled switch, they are forwarded in accordance with the established flow table. When packets that do not match anything within the flow table reach the switch, they are forwarded to the controller for further processing. This is where software-defined networking comes into play. Potentially, the network administrator could configure the flow tables at an extremely granular level so as to be consistent with the behavior of certain types of software. The network administrator could also change the flow tables on the fly, essentially routing traffic based on the application that is running.

This development offers exciting possibilities in the realm of software and/or protocol testing, as this would allow researchers to test their various applications in production environments without ever affecting the actual production traffic. Taken one step further -- once the technology matures -- the concept of SDN could actually be a useful security technique, as the network administrator could define at a detailed level what types of applications can and cannot traverse the various network devices. It could one day prove to be a whole new layer of defense-in-depth security.

That said, OpenFlow and SDN are extremely nascent technologies that aren't yet mature enough for most enterprises. Even though most of the major networking and IT vendors are involved with OpenFlow in some way, industry heavyweights like Cisco Systems Inc. and VMware Inc. are working on their own technologies that could threaten the universality of OpenFlow. Some even believe that SDN may pose a considerable security risk, as an attacker that successfully compromises an SDN controller could gain control of an entire network. Regardless, OpenFlow is a technology that enterprise network security pros should continue to track, as in a few years it may be the new lingua franca of enterprise networking.

This was last published in August 2013

Dig Deeper on IPv6 security and network protocols security