Beware SDN Security Risks, Experts Warn

Software-defined networking is taking the industry by storm, but presents new security challenges, according to security specialists.

Though it remains in early stages in terms of adoption, software-defined networking (SDN) dominates conversations in the networking industry. But one subject missing from much of the talk is security.

"There's a lot of hype, and I think that some of the security are not as well-cooked as other things," Robert Hinden, a Check Point Fellow at Check Point Software Technologies, told Network Computing.

Hinden, who's giving a presentation on SDN security at the upcoming RSA Conference in San Francisco, said that while there are a number of benefits to software-defined networking, there are also several issues that need to be solved. The whole notion of a central controller requires that IT trusts what the controller is doing and pays close attention to whether it can be compromised, he said. After all, he said, why compromise a host when you can compromise the controller?

Scott Hazdra, principal security consultant for Neohapsis, agreed that the SDN controller needs to be a priority for security.

"Because the control plane plays a critical role and changes are typically propagated throughout the network, ensuring that applications are authenticated, connections are securely encrypted, security policies are properly applied and that there’s a system for creating audit trails is essential," he said. "It’s also very important to control who has access to the control plane and maintain strict change control procedures."

According to Ramnath Venugopalan of Intel Security (formerly McAfee), SDN opens potential security holes, especially in connections between controllers and network elements. "Security is not built into the SDN concept; it needs to be designed in from the beginning of development," he wrote in a blog post. "SDN configuration errors can have more complex consequences than in traditional settings."

He noted that security zones are typically not built into VPN solutions, so users must manually coordinate network access policies, port locations of security devices, and any exceptions.

"Because flexibility is a reason for SDN migration, it is likely that a change in the network might not be adequately reflected in the security infrastructure, or vice versa," he said. "Further, open APIs for security functions to SDN have not yet appeared and have not begun to standardize, so API incompatibilities may also cause security holes to appear."

Understanding how security systems fit into an SDN network -- for example, how firewalls, intrusion prevention systems and SDN interplay -- is critical, Ratinder Ahuja, CTO and vice president of mobile, network, cloud and content at Intel Security, said in an interview.

"If you look at the SDN model, the [orchestration layer's] job is to capture business requirements and then translate that to applications that run on top of the SDN controller," he said.

If the orchestration layer is designed correctly, "you can have interfaces that can take in security requirements, so that as you are provisioning the network for business needs, you can specify the security aspects as well," he said.

Adoption of SDN will force network operations and security teams to work together more closely, Hinden said.

"This is sort of moving us to a place where there will just be one group, so the networking group and the security group need to be merged," he said. "I think this perhaps is a bigger change than the technology."

User Rank: Apprentice
2/17/2014 | 8:03:54 PM
re: Beware SDN Security Risks, Experts Warn
I am sure that security will be pushed back as usual...
User Rank: Apprentice
2/13/2014 | 7:11:18 PM
re: Beware SDN Security Risks, Experts Warn
The real change here is that coordination across groups today is largely manual and governed by process. When you take out the human bottleneck, the pace of change accelerates. This exposes the human interaction bottleneck.

I would think that moving to more deployment automation (as with DevOps) would be a natural evolution to tighten the processes and provide a layer of validation.

This of course does nothing to add security. It just makes the security that exists a bit more tightly linked and verifiable.

-Mike Bushong
User Rank: Apprentice
2/13/2014 | 3:52:20 PM
re: Beware SDN Security Risks, Experts Warn
"FDA Warns That Living is Hazardous to Your Health" does not mean that we should stop living.

This headline could have likewise stated "Closed Corporate Networks A Fallacy, SDN Shifts Risk"

SDN actually improves security through application segmentation. Should one fall, a lateral domino effect is far less likely. Depending on which type of SDN you are speaking about, the security risks are actually minimized. Recognize there is:

* Do-It-Yourself (DIY) SDN for the Data Center
* Do-It-Yourself (DIY) SDN for the Enterprise WAN
* Managed Services SDN for the Enterprise WAN
* DIY SDN for Wireless Services

When speaking about the Enterprise WAN, the current architecture is porous, complex and unsustainable. SDN type services improve security by segmenting the app traffic, and thus narrowing the perimeter into discrete perimeters, allowing for easier perimeter fortification. That is a huge advancement over the current flawed architectures. As Brian Prince points out, it creates a new entry point to the network and that does pose some risk. But discrete networks have defined perimeters and are far easier to protect, detect and contain than intermingled networks. So SDN does shift some of the risk to the UPC, but when you look at the entire equation the risk quotient is far lower than the current traditional enterprise network.
Marcia Savage
User Rank: Apprentice
2/12/2014 | 9:05:50 PM
re: Beware SDN Security Risks, Experts Warn
This illustrates how security teams need to be involved from the start of any enterprise SDN initiative. It could be easy for security to get overlooked in the rush to reap the agility and automation benefits SDN promises.