The potential security benefits and drawbacks within a software-defined network (SDN) are equally great. To be effective, security needs to be everywhere – it needs to be built into the architecture, as well as delivered as a service to protect the availability, integrity, and privacy of all connected resources and information to deliver software-defined security for SDN environments.
While everyone knows security is essential, there is still very little movement in terms of vendor solutions and technology advancements. The Open Networking Foundation (ONF) launched a study to determine how to make SDN more secure, and industry players are starting to incorporate security functionality into their solutions. Still, it is immature and will likely hamper adoption of SDN until addressed in a robust way.
Within the software-defined security for SDN architecture, you need to:
- Secure the Controller: as the centralized decision point, access to the controller needs to be tightly controlled.
- Protect the Controller: if the controller goes down (for example, because of a DDoS attack), so goes the network, which means the availability of the controller needs to be maintained.
- Establish Trust: protecting the communications throughout the network is critical. This means ensuring the controller, the applications loaded on it, and the devices it manages are all trusted entities that are operating as they should.
- Create a Robust Policy Framework: what’s needed is a system of checks and balances to make sure the controllers are doing what you actually want them to do.
- Conduct Forensics and Remediation: when an incident happens, you must be able to determine what it was, recover, potentially report on it, and then protect against it in the future.
Beyond the architecture, itself, how security should be deployed, managed, and controlled in an SDN environment is still very much up for grabs. There are competing approaches – some believe security is best embedded within the network, others feel it is best embedded in servers, storage and other computing devices. Regardless, the solutions need to be designed to create an environment that is more scalable, efficient and secure. They must be:
- Simple – to deploy, manage and maintain in the highly dynamic SDN environment.
- Cost-effective – to ensure security can be deployed everywhere.
- Secure – to protect against the latest advanced, targeted threats facing your organization.
A new category is emerging for security within next-generation environments, called software-defined security (SDSec), which delivers network security enforcement by separating the security control plane from the security processing and forwarding planes, similar to the way SDNs abstract the network control plane from the forwarding plane. The result is a dynamic distributed system that virtualizes the network security enforcement function, scales like virtual machines and is managed as a single, logical system.
SDSec is an example of network functions virtualization (NFV), which offers a new way to design, deploy and manage networking services by decoupling the network function, such as firewalling and intrusion detection, from proprietary hardware appliances, so they can run in software. It’s designed to consolidate and deliver the networking components needed to support a fully virtualized infrastructure – including virtual servers, storage and even other networks.