Software-defined networking is here, and there’s plenty of talk about what this means for security. As Ericka Chickowski wrote in Security Must Adjust as SDN Goes Mainstream, we know one thing: security will need to continue to adjust to compensate.
While the security concerns are real, there are also many security benefits to Software Defined Networking (SDN). As enterprises virtualize their environments, they are enjoying improved resiliency, agility, and automated operations management. And the move to SDN is changing how networks are deployed, managed, and secured.
As we wrote previously in The Software Defined Data Center Needs Software Defined Security, we know the security risks in SDN: “These include hypervisor vulnerabilities; controllers that are vulnerable to denial-of-service attacks and juicy targets such as the SDN controller which, if compromised, promises to be the modern version of a Disney E Ticket that gives attackers the full access to everything the network offers.”
This is why Global Market Insights expects SDN to reach 88 billion by 2024.
What are some possible security benefits of SDN? The first is centralized intelligence. In physical networks it’s hard to keep security policies uniform, and uniformly enforced, across the network. Because network and security policies in SDN are maintained and managed in the controller, it becomes relatively less difficult to distribute policy evenly throughout the network, and relatively easier to enforce those policies.
SDN also abstracts control away from the hardware devices, so it becomes easier to sidestep proprietary controls and develop tools that will simplify security across the network. The resulting comprehensive view makes the network more transparent for analysis and event response, and makes it easier to identify something malicious and then respond accordingly.
SDN also provides all of the general benefits of virtualization, such as agility and cost-effective redundancy and scalability. With SDN, security becomes scalable. It no longer requires that a bunch of hardware and proprietary security controls be deployed; security can scale as software scales and as new clouds, workloads, and network segments are provisioned. An example here is how VMware’s NSX Data Center provides very straightforward ways to segment and firewall virtual machines, which simplifies security.
This also provides flexibility to shut down misbehaving segments. The network-wide visibility makes it possible to identify malicious actions and take the appropriate steps, such as quarantines. If a worm or other malware enters and starts diddling with the configuration, that can then be locked down or blocked.
Should a security update make it possible to mitigate pressing risks or stop an attack, the SDN controller can dispatch that update throughout the network. Potentially troubling traffic can be automatically diverted for inspection.
Of course, with all of the centralized control in the SDN controller come some risks: crack the controller and attackers crack the network. So best practices for controller security should always be followed, including traffic monitoring, system patching, access control, and high availability to protect against potential denial-of-service attacks.
Nothing in this world comes without risks or some tradeoffs, but when it comes to security and SDN, it’s clear that the security benefits of SDN outweigh the security risks.