SDN security has been a rich topic at SDNCentral, including the SDN Security Seminar SDNCentral hosted last February, exploring Phil Porras's research at SRI on how to secure SDN controllers, and sharing an SDN security market report from Sarah Sorenson, to name a few. A big reason for our focus on security: until you can secure an SDN environment, and prove to the security teams that the network is secure, SDN is not deployable for most enterprises or service providers.
This is why I was thrilled when FireMon, a leading provider of security management and risk analysis solutions, joined the SDNCentral community, further expanding the SDN network security ecosystem.
Last week I had a chance to speak with Jody Brazil, President of FireMon. In our conversation, Jody highlighted three components security professionals need to consider when it comes to using OpenFlow to help secure the network:
- Enterprise-wide monitoring: a model of the complete, current network security infrastructure forms the basis for immediately assessing the impact of a new access path.
- Real-time, risk-based decision engine: granting access through the network becomes a risk-based decision. The decision engine grants or rejects access based on the current threats and the potential impact of the new access.
- Open APIs: Open APIs are central to the concepts behind SDN and are critical for systems joining the SDN ecosystem.
The one that piqued my interest is Jody's point about open APIs (see our list of APIs). As the SDNCentral community knows, there are significant debates on northbound APIs, southbound APIs and the definition of 'open' (see our post on Open vSwitch). While I'm not in a position to assert how open or closed FireMon's API is, FireMon does have an interesting API-driven use case: an application that speaks OpenFlow calls into the FireMon API to ask whether a connection should be permitted, and FireMon then decides whether the connection is permitted or denied based on a defined risk threshold. This enables dynamic access control, with enforcement through OpenFlow mechanisms while making effective use of the existing network security environment. It is dynamic because the risk, and therefore the access decision, is based on the changing threats, vulnerabilities and access-control policies in the network.
For network operators, this highlights the need to plan how you will secure and manage network risk before you ask for budget to deploy SDN and OpenFlow.
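The use case above, as an added example in Python that is not part of the original post and is not FireMon's code or API: a hypothetical risk engine scores a new connection from three constructed inputs (a threat feed of known-bad sources, the vulnerability severity of the destination service, and the existing access-control policy), compares the score against a threshold, and an OpenFlow-side handler turns the verdict into a flow entry that either forwards or drops the flow. The scoring weights, the data structures, the sample addresses and the flow-entry encoding are all assumptions made for illustration.

```python
"""Risk-gated flow admission for an OpenFlow-style controller.

Added illustration: the risk engine, its inputs, the weights and the
flow-entry encoding are assumptions, not FireMon's API or behaviour.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Connection:
    """The new access path the switch asked the controller about."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class RiskContext:
    """Current view of the environment; decisions change as it changes."""
    # Constructed sample input: sources currently flagged by a threat feed.
    known_bad_sources: set = field(default_factory=set)
    # Constructed sample input: CVSS-like severity of an unpatched service,
    # keyed by (destination host, port).
    vulnerabilities: dict = field(default_factory=dict)
    # Existing access-control policy: (network, port-or-None, action),
    # evaluated first match wins.
    acl: list = field(default_factory=list)


def acl_action(conn, ctx):
    """First-match ACL lookup on the destination; default deny."""
    for net, port, action in ctx.acl:
        if ip_address(conn.dst) in ip_network(net) and port in (None, conn.dport):
            return action
    return "deny"


def score(conn, ctx):
    """Risk score in [0, 10] from source threat, destination exposure and policy.

    Weights are arbitrary assumptions chosen for the example.
    """
    risk = 0.0
    if conn.src in ctx.known_bad_sources:
        risk += 6.0
    # A CVSS 10 service on the destination port contributes +4.
    risk += ctx.vulnerabilities.get((conn.dst, conn.dport), 0.0) * 0.4
    if acl_action(conn, ctx) == "deny":
        risk = 10.0  # policy deny is never overridden by a low score
    return min(risk, 10.0)


def decide(conn, ctx, threshold=5.0):
    """Permit only when the current risk is below the configured threshold."""
    return "permit" if score(conn, ctx) < threshold else "deny"


def flow_mod(conn, decision, hard_timeout=60):
    """OpenFlow-style flow entry: match the flow, forward or drop.

    An empty action list is a drop. The hard timeout forces the flow to be
    re-evaluated against the then-current risk picture once it expires.
    """
    match = {"nw_proto": conn.proto, "nw_src": conn.src,
             "nw_dst": conn.dst, "tp_dst": conn.dport}
    actions = ["OUTPUT:NORMAL"] if decision == "permit" else []
    return {"match": match, "actions": actions, "hard_timeout": hard_timeout}


def handle_packet_in(conn, ctx, threshold=5.0):
    """Controller handler for a new flow: ask the risk engine, install a rule."""
    decision = decide(conn, ctx, threshold)
    return decision, flow_mod(conn, decision)


if __name__ == "__main__":
    # Constructed scenario: one exposed SMB service, one known-bad source.
    ctx = RiskContext(
        known_bad_sources={"203.0.113.7"},
        vulnerabilities={("10.0.2.15", 445): 9.8},
        acl=[("10.0.2.0/24", 443, "allow"),
             ("10.0.2.0/24", 445, "allow"),
             ("10.0.0.0/8", None, "deny")],
    )
    smb = Connection("198.51.100.4", "10.0.2.15", 445)
    print(handle_packet_in(smb, ctx))            # permitted: policy allows, risk 3.92
    ctx.known_bad_sources.add("198.51.100.4")    # threat picture changes
    print(handle_packet_in(smb, ctx))            # same flow now denied: risk 9.92
```

The hard timeout on the installed entry is what keeps the control dynamic: when the rule expires, the next packet of that flow goes back to the controller and is scored against the current threats, vulnerabilities and policy, so a source that has since appeared on a threat feed is denied even though the earlier decision permitted it. In a real deployment the controller would also need to handle the risk engine being unreachable; failing closed (installing a drop) is the safe default.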
Learn more about FireMon’s vision for using OpenFlow as an important tool for securing the network.