As technologies continue to evolve, the nature of IT infrastructure is changing. Virtualisation, hyper-convergence and increased connectivity are presenting fresh opportunities for malicious intruders to gain access to networks.
One of the platforms presenting new possibilities to both network administrators and hackers is SDN.
A software-defined network or SDN is an architecture within which network administrators can govern traffic from a central administrative console, through software – rather than with switches and dials.
Services can be routed to wherever they’re required, regardless of the physical connection between servers and other devices.
At the heart of SDN technology lies the virtualisation of a network, programmed automation, and a separation of network functionalities.
Its objective is to empower network administrators to respond quickly to changing business needs, in a flexible environment similar to the storage and server infrastructure seen in a virtualised data centre.
Enterprise networks and data centres can use SDN to automate the provisioning of network resources, create and manage virtual machines, and engage software programming to streamline network operations.
How are SDNs Vulnerable?
Within an SDN architecture, the control of a network is divorced from its physical infrastructure. Administrators can separate the system which governs where the network traffic goes (known as the control plane) from the systems which forward network traffic to specific destinations (which is the data plane).
Network services may also be managed across a range of devices and equipment originating from different vendors.
This approach gives software-defined networking its inherent flexibility and efficiency – but it’s the very separation of control and data planes, coupled with potential security holes offered by third-party equipment, that can put an SDN at risk.
Security needs to be written into the DNA of a software-defined network from the start; built into its architecture, and delivered throughout the network as a service.
In this way, the integrity, availability and confidentiality of connected resources and data passing through the network may be maintained.
The central administrative console (known as the SDN Controller) is both the hub of the system and potentially its weakest link. To properly protect it:
1. Ensure that tight controls are put in place, so that unauthorised users cannot gain access to the SDN Controller.
2. Take physical and data redundancy measures to ensure that the SDN Controller is available at all times. It's the availability of the central console which ultimately determines the availability of the network as a whole.
3. Monitor and vet the SDN Controller itself, all software applications loaded onto it, and all the devices it governs, to ensure that they are all secure and trusted entities, which are communicating with each other in legitimate ways.
4. Set out a monitoring and management policy to observe and ensure that the SDN Controller is operating as it should be.
5. Put forensic testing, disaster recovery, and remediation measures in place. If a cyber-attack, outage, or other incident occurs, these will enable administrators to quickly establish what actually happened, the steps needed to recover, and how such incidents may be guarded against in future.
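One way to act on points 1, 3 and 4 above, shown as an added example that is not part of the original article: a small audit over SDN Controller events that flags logins by unapproved users, flow-rule changes from unapproved applications, switches missing from the inventory, repeated login failures, and gaps in the audit trail. The JSON-lines event format, field names, inventory values and threshold are constructed assumptions, not any real controller's log schema.

```python
import json
from collections import Counter
# Constructed inventory (assumption): the only identities allowed near the controller.
APPROVED_ADMINS = {"netops-alice", "netops-bob"}
APPROVED_APPS = {"load-balancer", "topology-discovery"}
APPROVED_SWITCHES = {"sw-core-01", "sw-edge-07"}
MAX_FAILED_LOGINS = 3  # hypothetical alert threshold
# Constructed sample events in a hypothetical JSON-lines audit format.
SAMPLE_EVENTS = """\
{"type": "login", "user": "netops-alice", "ok": true}
{"type": "login", "user": "guest", "ok": true}
{"type": "flow_mod", "app": "load-balancer", "switch": "sw-core-01"}
{"type": "flow_mod", "app": "traffic-mirror", "switch": "sw-core-01"}
{"type": "switch_connect", "switch": "sw-lab-99"}
{"type": "login", "user": "netops-bob", "ok": false}
{"type": "login", "user": "netops-bob", "ok": false}
{"type": "login", "user": "netops-bob", "ok": false}
truncated-line-not-json
"""

def audit(text):
    """Return (line_number, finding) pairs for events that break the inventory."""
    findings, failed = [], Counter()
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            if not isinstance(ev, dict):
                raise ValueError("event is not a JSON object")
        except ValueError:
            # A gap in the audit trail is itself worth an alert.
            findings.append((n, "unparseable-event"))
            continue
        kind = ev.get("type")
        if kind == "login":
            user = ev.get("user")
            if not ev.get("ok"):
                failed[user] += 1
                if failed[user] == MAX_FAILED_LOGINS:
                    findings.append((n, f"repeated-login-failure:{user}"))
            elif user not in APPROVED_ADMINS:
                findings.append((n, f"unapproved-user:{user}"))
        if kind == "flow_mod" and ev.get("app") not in APPROVED_APPS:
            findings.append((n, f"unapproved-app:{ev.get('app')}"))
        if "switch" in ev and ev["switch"] not in APPROVED_SWITCHES:
            findings.append((n, f"unknown-switch:{ev['switch']}"))
    return findings
```

Calling `audit(SAMPLE_EVENTS)` returns one finding for each of the five constructed violations, keyed by the event's line number.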
Optimising Your Security Strategies
As in all things, opinions vary as to which method of securing an SDN is best: embedding security within the network core, or dispersing it among the individual devices, servers, and storage.
Whatever measures you take, ensure that they are:
· Easy to implement, manage, and monitor: The SDN environment is in a constant state of movement, and security measures that are hard to deploy will only add unneeded complexity to a dynamic system.
· Economical in scope and cost, so that protection can be distributed throughout the network: Measures also need to be adaptable to an environment which is highly scalable.
· Up to date with the current threat levels and techniques being used to target organisations in your sector: Policies and tools will need to adapt to accommodate these new threats, as they come to light.
Reflecting the current trend towards integration of services and separation of physical functions, software-defined security or SDSec takes a similar approach to SDN itself.
SDSec aims to enhance network security by de-coupling the security control plane from the plane governing security processing and forwarding. Enforcement of network security is essentially virtualised, and may be managed as a single system.
Network functions like intrusion detection and firewalls may be separated from their implementation in proprietary hardware, and run as software.
The Bottom Line
SDN security services, network tools and related software applications are on the increase, together with dedicated software for network virtualisation, and professional services in the software-defined networking sector.
With IDC predicting that the world-wide market for SDN will reach $8 billion by 2018, enhancing the deployment and security of software-defined network technology looks set to become a priority for many network administrators.