Software-defined networking: Anticipating SDN security for enterprises

Software-defined networking is set to transform networking technology, but what about security? Expert Michael Cobb provides an SDN security primer.

Our organization is starting to investigate security for software-defined networking. Should we approach it like we're securing an application service, somewhat similar to VoIP?

Network management software has traditionally been proprietary and vendor-specific for devices such as switches and routers. Software-defined networking (SDN) changes that by separating the physical device that processes network traffic from the software that inspects and controls the data flowing through it.

Many experts see SDN as the biggest transformation of networking in decades, as it gives an organization the ability to easily control access to its network and resources at a more granular level. For example, it helps administrators enforce BYOD policies, as they can set network rules to manage an individual device or user. Video conferencing traffic can be given priority over email, or rules can be created to quarantine traffic coming from or going to a certain destination. Once a set of rules has been developed, it can be deployed across a range of networking hardware, as long as the hardware supports SDN.

Although SDN products are starting to come to market, production SDNs are still in their infancy, which means caution is required because there are few SDN security case histories to analyze. Enterprises certainly need to physically and logically protect access to SDN controllers, because a compromised controller would be disastrous. Controllers are the centralized decision points for the control and management of the switches, routers and servers in an SDN. While they enable changes to a network's layout and traffic flow with just a few clicks, if compromised, they provide an attacker with the same abilities.

Direct access to controllers must be restricted, and administrative actions should be authenticated and logged. Strong, mutual authentication between network devices and controllers should be established to validate the identity and integrity of each controller. The communication channel between them should also be secured and encrypted to prevent man-in-the-middle, snooping and other attacks. To prevent rogue applications on the controller from taking over the network, each application should be authenticated before it runs, with tight privilege separation maintained between processes.

Develop a robust change-control policy to ensure changes are authorized and validated, along with a rollback procedure in case problems arise. Provide some form of redundancy to mitigate the effect of a controller going down and impacting the entire network. Test any failover mechanism to assess its reliability and latency. SDN logs provide reams of useful data for forensics, compliance, event correlation and reporting, but enterprises need to have a log analysis tool in place to handle such large amounts of data.
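The controller recommendations above (restricted direct access, authenticated administrative actions, authorized changes) can be checked against controller audit logs. The following is an added example, not part of the original article: the key=value log format, field names, management subnet and change IDs are all assumptions, and the sample lines are constructed.

```python
import ipaddress
import shlex

# Assumed policy values (hypothetical, not from the article).
MGMT_NET = ipaddress.ip_network("10.0.50.0/24")   # only subnet allowed to reach the controller
APPROVED_CHANGES = {"CHG-1001", "CHG-1002"}        # change IDs authorized by change control
CHANGE_ACTIONS = {"flow_add", "flow_delete", "flow_modify"}

# Constructed sample lines in a hypothetical key=value controller audit format.
SAMPLE_LOG = """\
ts=2012-09-03T10:15:02Z user=alice src=10.0.50.12 auth=cert action=flow_add change=CHG-1001 rule="prio video over smtp"
ts=2012-09-03T10:17:40Z user=bob src=192.168.7.33 auth=cert action=flow_modify change=CHG-1002 rule="quarantine 203.0.113.9"
ts=2012-09-03T10:21:11Z user=- src=10.0.50.20 auth=none action=flow_delete change=- rule="quarantine 203.0.113.9"
ts=2012-09-03T10:30:55Z user=carol src=10.0.50.14 auth=cert action=flow_add change=CHG-9999 rule="allow any any"
ts=2012-09-03T10:31:20Z user=carol src=10.0.50.14 auth=cert action=show_topology change=-
"""

def parse_line(line):
    """Split one audit line into a dict; shlex keeps quoted values together."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def audit(log_text):
    """Return (timestamp, finding) pairs for entries that break the policy."""
    findings = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        e = parse_line(line)
        ts = e.get("ts", "?")
        try:
            inside = ipaddress.ip_address(e.get("src", "")) in MGMT_NET
        except ValueError:
            inside = False  # a missing or malformed source is treated as outside
        if not inside:
            findings.append((ts, "access from outside management network"))
        if e.get("auth", "none") == "none":
            findings.append((ts, "unauthenticated administrative action"))
        if e.get("action") in CHANGE_ACTIONS and e.get("change") not in APPROVED_CHANGES:
            findings.append((ts, "change without approved change record"))
    return findings

if __name__ == "__main__":
    for ts, finding in audit(SAMPLE_LOG):
        print(ts, finding)
```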

IDC predicts software-defined networking will grow from a $200 million market in 2013 to $2 billion by 2016 as organizations push for improved network speed, reliability, energy efficiency and security. However, because SDN operates at the heart of a network, its security must be given top priority. It also requires specialized technical and engineering capabilities to deploy. A test lab is essential while its potential and security requirements are investigated.

This was last published in September 2012
