Security needs to be everywhere within a software-defined network (SDN). SDN security needs to be built into the architecture, as well as delivered as a service to protect the availability, integrity, and privacy of all connected resources and information.
Within the architecture, you need to:
- Secure the Controller: as the centralized decision point, access to the SDN Controller needs to be tightly controlled.
- Protect the Controller: if the SDN Controller goes down (for example, because of a DDoS attack), so goes the network, which means the availability of the SDN Controller needs to be maintained.
- Establish Trust: protecting the communications throughout the network is critical. This means ensuring the SDN Controller, the applications loaded on it, and the devices it manages are all trusted entities that are operating as they should.
- Create a Robust Policy Framework: what’s needed is a system of checks and balances to make sure the SDN Controllers are doing what you actually want them to do.
- Conduct Forensics and Remediation: when an incident happens, you must be able to determine what it was, recover, potentially report on it, and then protect against it in the future.
Beyond the architecture itself, how SDN security should be deployed, managed, and controlled in an SDN environment is still very much up for grabs. There are competing approaches – some believe security is best embedded within the network, others feel it is best embedded in servers, storage and other computing devices. Regardless, the solutions need to be designed to create an environment that is more scalable, efficient, and secure. They must be:
- Simple: to deploy, manage and maintain in the highly dynamic SDN environment.
- Cost-effective: to ensure security can be deployed everywhere.
- Secure: to protect against the latest advanced, targeted threats facing your organization.
A new category is emerging for security within next-generation environments called software-defined security (SDSec), which delivers network security enforcement by separating the security control plane from the security processing and forwarding planes, similar to the way SDN abstracts the network control plane from the forwarding plane. The result is a dynamic distributed system that virtualizes the network security enforcement function, scales like virtual machines and is managed as a single, logical system.
SDSec is an example of network functions virtualization (NFV), which offers a new way to design, deploy, and manage networking services by decoupling the network function, such as firewalling and intrusion detection, from proprietary hardware appliances, so they can run in software. It’s designed to consolidate and deliver the networking components needed to support a fully virtualized infrastructure – including virtual servers, storage, and even other networks.