Advancing the SDN Security Conversation
Recently the Open Networking Summit brought together people from academia, the private sector (both vendors and potential customers), and the standards world to discuss the current state of software defined networking (SDN). I sat down with Matt Palmer from Wiretap Ventures, who spoke at the event, to get his thoughts on what’s happening in the space from a security perspective. Below is our discussion:
First of all, what would you say was the main take-away from the event?
I think we saw that software defined networking has hit a tipping point – it’s real and people are starting to see a path where they could actually deploy it. It was fascinating to hear Urs Hölzle, SVP of technical infrastructure from Google, talk about how they are running all the traffic for their internal datacenter WAN network on an SDN built using OpenFlow. That was a real eye-opener for a lot of people – you really can use this stuff to run a network. Google talked about how they are able to optimize flows and achieve better QoS visibility and predictability, which starts to deliver on some of the promise of SDNs, and they are hopeful they will be able to use it for some customer-facing applications soon.
So where is security in all of this? It seems to me it’s been missing from a lot of the SDN discussions.
It’s true, security hasn’t been a large part of the discussion. However, we are starting to see a lot of people raise the questions and concerns you have been talking about around “how do I secure this environment” – “how do I secure the controller,” “how do I secure the connections between the controllers and the switches/routers,” “how do I ensure I don’t have malicious things injected in the mix,” etc.
I think the reason we haven’t seen more of these discussions up to now is that we haven’t been close enough to deployments, so the security guys haven’t been brought in to validate the architecture or poke holes in the technologies.
Isn’t that one of the major stumbling blocks to wide-scale adoption? Security can’t really be an afterthought, it needs to be considered from the start.
True, but right now the trials are in the lab, and the people working on them are focused on solving the next generation networking problems. A lot of it’s theoretical – making it hard to understand the real implications and security issues. There are a limited number of shipping products out there to test – but as products start to ship, people will want to know what the risks are.
If they haven’t thought about those risks, it will probably be a non-starter. CIOs I have spoken with are looking for those companies who are thinking about and know how to solve for security before they will consider putting anything in a production environment. They can’t afford to disrupt their network or increase their risks – there’s just too much at stake.
Agreed, I think we are just now learning what security issues they may encounter and the security questions we need to be asking. I think you will see security and SDNs ramp up over the next phase of this evolution. We also see a number of early use-cases being in either single tenant, back-office deployments (à la Google), which means that SDN is deployed behind an already secure network. The second common early use-case we see is deployments in test and development environments where security is less of a concern because it is not outward facing and is in the experimental areas of the network.
What do you think SDNs can mean for security?
SDNs have the potential in certain situations to streamline security processes or even change how security is deployed, say from physical appliances to virtual appliances, or even virtual security services embedded within the infrastructure. While these are exciting and important developments – we do need to temper the excitement until customers and vendors have experimented and learned how to execute SDN to enhance network security.
One thing is for certain – it’s an interesting time and an interesting space to be in!