Beware SDN Security Risks, Experts Warn
Software-defined networking is taking the industry by storm, but presents new security challenges, according to security specialists.
February 12, 2014
Though it remains in early stages in terms of adoption, software-defined networking (SDN) dominates conversations in the networking industry. But one subject missing from much of the talk is security.
"There's a lot of hype, and I think that some of the issues...like security are not as well-cooked as other things," Robert Hinden, a Check Point Fellow at Check Point Software Technologies, told Network Computing.
Hinden, who's giving a presentation on SDN security at the upcoming RSA Conference in San Francisco, said that while there are a number of benefits to software-defined networking, there are also several issues that need to be solved. The whole notion of a central controller requires that IT trusts what the controller is doing and pays close attention to whether it can be compromised, he said. After all, he said, why compromise a host when you can compromise the controller?
Scott Hazdra, principal security consultant for Neohapsis, agreed that the SDN controller needs to be a priority for security.
"Because the control plane plays a critical role and changes are typically propagated throughout the network, ensuring that applications are authenticated, connections are securely encrypted, security policies are properly applied and that there’s a system for creating audit trails is essential," he said. "It’s also very important to control who has access to the control plane and maintain strict change control procedures."
According to Ramnath Venugopalan of Intel Security (formerly McAfee), SDN opens potential security holes, especially in connections between controllers and network elements. "Security is not built into the SDN concept; it needs to be designed in from the beginning of development," he wrote in a blog post. "SDN configuration errors can have more complex consequences than in traditional settings."
He noted that security zones are typically not built into VPN solutions, so users must manually coordinate network access policies, port locations of security devices, and any exceptions.
"Because flexibility is a reason for SDN migration, it is likely that a change in the network might not be adequately reflected in the security infrastructure, or vice versa," he said. "Further, open APIs for security functions to SDN have not yet appeared and have not begun to standardize, so API incompatibilities may also cause security holes to appear."
[Learn about the security requirements for the many components of a SDN in "Securing The Software-Defined Network."]
Understanding how security systems fit into a SDN network -- for example, how firewalls, intrusion prevention systems and SDN interplay -- is critical, Ratinder Ahuja, CTO and vice president of mobile, network, cloud and content at Intel Security, said in an interview.
"If you look at the SDN model, the [orchestration layer's] job is to capture business requirements and then translate that to applications that run on top of the SDN controller," he said.
If the orchestration layer is designed correctly, "you can have interfaces that can take in security requirements, so that as you are provisioning the network for business needs, you can specify the security aspects as well," he said.
Adoption of SDN will force network operations and security teams to work together more closely, Hinden said.
"This is sort of moving us to a place where there will just be one group, so the networking group and the security group need to be merged," he said. "I think this perhaps is a bigger change than the technology."
You May Also Like