Should SDN Admins Worry About Security?

Sometimes I think that IT security measures confuse employees more than they deter bad guys. Forcing people to change their passwords every 90 days, without letting them reuse one even a year later, is just a recipe for Post-It passwords. On the other hand, leaving the default password on the router ain’t so brilliant either. Somewhere there’s a middle ground.

Where does software-defined networking fall into this discussion? That headline is really a rhetorical question – of course you should worry about security. The real question is, do software-defined networks force admins to worry more about security? There, the answer is no.

That’s not to say there aren’t issues with SDN security. In an October NetworkWorld article, security consultant Scott Hogg presented an in-depth look at SDN attack vectors viz. controllers and data planes, suggesting ways to harden SDN networks both in those locations and at the networking layer.

An Open Networking Foundation solution brief on SDN security provides a great primer on SDN security issues as well, noting that “logically centralized (and typically physically distributed) SDN controllers are potentially subject to a different set of risks and threats compared to conventional network architectures.” For instance, because SDN uses a centralized network controller, it’s vulnerable as a single point of failure. As a result, the network infrastructure “must be capable of enduring occasional periods where the SDN controller is unavailable, yet ensure that any new flows will be synchronized once the devices resume communications with the controller.”

The ONF solution brief goes on to illustrate SDN’s security capabilities in defusing a malware attack. But network virtualization also supports other facets of security. VMware’s Rod Stuhlmuller actually put it best in an InfoWorld article, in which he discussed the dynamism that results when you start software-defining everything: “Cloud management software allocates compute, storage, and network capacity on demand. Add network virtualization to that dynamic environment, and the operational model for networking changes completely. Profound changes of this sort tend to make security professionals nervous.” (Or is it just that everything makes security professionals nervous?)

But he went on to discuss the security advantages that admins derive from network virtualization, including isolation, segmentation, distribution firewalling, and the ability to “chain” firewall and VPN services. Rather than making security more difficult, he notes, “network virtualization platforms can combine these features … to streamline security operations.”

Indeed, IT professionals already grasp the value of SDN when it comes to security. When Enterprise Strategy Group’s Jon Oltsik surveyed enterprise security professionals about SDN this past summer, they had an impressive laundry list of goals, including:

  • Selectively blocking malicious traffic to endpoints (cited by 28%)
  • Improving network security policy auditing and conflict detection (28%)
  • Centralizing network security service policy and configuration management (23%)
  • Automating network security remediation tasks (23%)

Unfortunately, a more recent ESG survey – just this month – reveals some organizational rather than technical issues when it comes to SDN and security, according to Oltsik. Among the interesting results: in 41% of enterprises, the networking team owns SDN infrastructure decisions, without input from other IT groups – including security. In only 7% of the organizations are decisions about SDN infrastructure made by a “cross-functional IT team including networking and infosec.”

As Oltsik notes, given SDN’s innovation, it’s logical that networking oversees it. But “SDN could have an equally important influence on the future of network security … [so it makes no sense that] 41% of organizations consider SDN a networking monopoly.”

That’s why, in a NetworkWorld article from last month, Oltsik also rightfully pushes CISOs to start getting involved in SDN. “Smart CISOs will push vendors to expose their SDN product plans and strategies. Security executives should be open-minded and cast a wide net during this timeframe.”

The takeaway is clear to anyone who’s looking at software-defined virtualization technologies. Because they span so many areas previously funneled into silos, IT administrators are going to have to start opening up to colleagues – both sharing and listening to their respective expertise. Together, they have to work on collaboratively building an infrastructure that’s both secure and efficient.

For more on security issues as they relate to cloud and network virtualization, check out this webinar with SDN security expert Ivan Pepelnjak and Nuage Networks’ Dimitri Stiliadis, as well as the OpenFlow site devoted to security.


Copyright © 2014 IDG Communications, Inc.