Software-defined networking, or SDN, is a bit of a loose term, to say the least. SDN means different things to...
different people. One of the original definitions skewed toward flow control. Network virtualization and NFV are commonly considered SDN. Another conception of SDN focuses on device management and configuration. Using SDN to provide software-defined network security is just as fluid of a topic. VMware's NSX has gained plenty of attention for its ability to protect data in virtualized workloads. Kevin Beaver (IT consultant and regular TechTarget contributor) provided significant details around leveraging the concept of zero trust and network segmentation using network virtualization. In this tip, I'll take a look at how software-defined network security is possible by extending SDN's role beyond enhanced network capability. I'll examine how SDN requires a new approach to securing the administration of SDN.
Current State of Network Management Security
Before we even start talking about data packets, let's discuss a practical consideration -- management security. In today's data center where network automation isn't a commonality, management security hasn't changed in almost 20 years. Today, network managers employ traditional identity and access management (IAM) tools to control and log access to network equipment. In a device-central model, this isn't overly complicated
In the device-central model, security administrators apply device-level rights via TACACS+, which may tie back to LDAP. Advanced environments may deploy role-based security for different layers of access to network functions. A challenge is this approach doesn't account for intent. It takes a great deal of effort to tie device-level rights with what ability specific administrators requires. For example, a junior administrator has the rights to create VLANs to support a general-purpose application. However, the junior administrators shouldn't have rights to create routes from non-secure areas to the PCI zone on the same switch.
Software-defined networking security
One way to eliminate this security issue noted above is using a "no-touch" design to network changes. Obviously, Web-scale companies such as Facebook and Google have moved away from having engineer logging into individual network devices to make changes. The technology is filtering down to the enterprise-scale data center. I spoke with Matt Oswalt, who is leading an open source project called Testing on Demand Driven (ToDD). ToDD enables network engineers to test network configuration changes. Oswalt views ToDD as a cog in the machine that becomes SDN-enabled automation.
In the future, SDN controllers and supporting applications and tools support a touchless configuration policy. Template-based configuration displaces device-based rules and configuration. Validation of configuration happens via centralized management and security audit tools. Instead of configuring devices via a command-line interface (CLI), administrators would make changes via a centralized orchestration tool. The tools validate that proposed changes are compliant with enterprise data-security policies.
There's a significant amount of work needed prior to reaching a future in which no-touch technology is in wide use and software-defined network security is common. Besides the technology challenge, there needs to be a change in the mindset of existing network managers and engineers. Organizations will need to tear down their conceptions of network change management and security to fully support not just automation but the higher standard for security in today's business climate.
Read about the rise of SDN security.
Learn both the pitfalls and benefits of software-defined security
How can SDN be made more secure?