Today’s enterprise networks face the challenge of being under constant attack from evolving threats. Meeting that challenge requires advanced enterprise network management and protection tools to improve security. This requires changes in network design and security. At this stage of network evolution, software-defined networks (SDN) are better positioned to respond to these challenges.
The greatest impact of SDN is the shift from hardware to software. While that shift points to the future of networking, it also shows the nature of the evolving cyber threat landscape and more complex security challenges. To understand how SDN can be the foundation of network security, organizations should first understand the nature of the growing threat landscape.
IoT will become a bigger security risk as the network edge begins to fade. Enterprises will need holistic approaches to endpoint security to streamline processes, reduce the number of endpoint protection tools, and ultimately provide better protection for all devices that connect to the corporate network.
The last year has shown the potential devastation that cyberattacks can inflict, such as the Mirai botnet where attackers hijacked more than 500,000 webcams to launch a one Terabyte per second DDoS attack.
Millions of unsecured IoT devices increase the threat landscape for networks. As IoT devices become more widespread, bad actors may exploit vulnerabilities in these devices to launch DDoS and other attacks. Enterprise network security must be the line in the sand for protecting data and assets in a world of increasingly sophisticated attack vectors. The best way to harden that line of defense is by understanding how you can implement SDN architecture to deliver a more agile and adaptable network security foundation.
SDN Security Features
There are several robust security traits built into the architecture of SDN. To maximize those traits, organizations must factor in security when designing their own SDN solution. For example, the Centralized Network Control of SDN enables data packet routing through a single firewall. This increases security by making IDS and IPS data capture more efficient. Other security measures possible with SDN include:
- Dynamic programming and restructuring of network settings, which reduces the risk of DDoS attacks
- Automatic quarantine capabilities for specific network points infected by malicious code
SDN facilitates the central management of security policies to increase efficiency and flexibility for network operators and administrators. SDN also helps the organization move past current management approaches such as SNMP/CLI to more effective policy management. Central management with SDN architecture begins with the controller, which can deliver network-wide security features through careful system design.
Security and the SDN Controller
To make the most of the controller’s potential to positively impact network security and guard against the controller becoming the prime attack surface, requires Including security in your design plans right from the beginning to avoid problems down the road.
Just one of the enterprise network management and security possibilities with the SDN controller is its ability to push global security policy updates out centrally across the network. This makes network edge packet filtering possible via a virtualized switch for suspicious traffic redirection to other security devices for more analysis. SDN controller programmability gives engineers the power to install northbound interface security applications that create new ways for applying network security policies.
The major attack vulnerability in the controller requires that access be tightly controlled as a fundamental means of preventing unauthorized activity. To further secure the controller requires:
- Auditing, reviewing, monitoring, and updating role-based access policies
- A high-availability controller architecture for distributed denial-of-service (DDoS) attack prevention
- Encrypting northbound communication via TLS or SSH with secure coding of northbound applications
- Eliminating default application password use and implement application authentication for controller communication approval
- The use of TLS to authenticate endpoints for southbound communication
- Segregating control protocol traffic from the primary data flows via an out-of-band network.
SDN architecture is only as secure as the design, so IT groups should be prepared to use additional methods for securing the network, such as a holistic integration of third-party security solutions.
Strengthening SDN Security
SDN and network security require that network managers and admins learn how to appropriately set security levels to meet the dynamic needs of the environment. An example would be better leveraging of network telemetry data or flow-capture data that can be used to spot anomalies. This provides the ability to dynamically establish specific flow rules that divert flows to centralized or multiple enforcement points.
SDN can also be used for traffic engineering to direct network flows to specific security services or devices. These could include firewalls, intrusion detection systems/intrusion prevention systems (IDS/IPS), and web application firewalls (WAFs).
Another way that SDN can provide greater security is through micro-segmentation where policies are applied to individual workloads for greater attack resistance. By applying more granular segmentation to data center workloads, organizations can decrease the network’s attack surfaces.
In complex networks, east-west, as well as north-south traffic, can pose a security risk.
Solutions like SD-Access further facilitate centralized policies for all network switches so that security policies follow users wherever they move about your environment.
This level of granular segmentation makes it possible to increase documentation, integrate applications with network monitoring and add security features quickly and accurately.
Although SDN is emerging as the most promising option for enterprise network management and protection, it should be seen by enterprises as the foundation on which to build rather than an end in itself. This is because as the network changes to meet evolving enterprise needs, it must also evolve to meet new threats and attack vectors. The highly agile and adaptable nature of SDN is purpose designed to adapt to these changes over time easily.
That ongoing evolution requires enterprises to carefully plan and adapt SDN architecture over time through the use of automation features and automatic provisioning. This is the surest way for organizations to create a network capable of proactively stemming evolving threats.
Meeting these network security possibilities with SDN often requires deeper knowledge in planning and what is possible. Having a partner like Acadia Technology Group can deliver the planning and implementation expertise along with the resources to make your software-defined network secure against the threats to come.
Learn more about emerging security threats in 2018.