bluebay2014 - Fotolia


Addressing SDN security challenges means securing the controller

SDN security challenges become more of a concern, as deployments bring vulnerabilities to the forefront. But vendors and researchers are creating SDN products with security in mind.

Software-defined networks are no more immune from attack than traditionally managed networks. A long and continuing...

series of attacks has revealed many areas of network vulnerability, but SDN is a relatively new technology that is just beginning to be deployed widely. As such, any SDN security challenges and vulnerabilities, in addition to those that have been revealed in earlier network technologies, must be carefully considered and addressed.

The SDN controller is key to any software-defined network and offers attackers a target not present in earlier network technologies. Clearly, any successful attack on the controller will halt or disrupt network operations.

To address the methods that attackers can use to disrupt a controller -- and, therefore, the entire network -- researchers at SRI International, an independent, nonprofit research group based in Menlo Park, Calif., developed Security-Enhanced Floodlight (SE-Floodlight), a version of Big Switch Networks' public domain Floodlight controller.

SE-Floodlight adds role-based authentication to SDN controller interfaces. Authenticating the northbound application interface prevents attackers from issuing requests that could disrupt legitimate applications or gain access to data. Authenticating the southbound interface prevents attackers from generating path-creation requests that could overwhelm the SDN controller.

SE-Floodlight resolves rule conflicts, so a flow rule issued to a switch doesn't interfere with an existing flow. It also adds an audit subsystem that records network control layer activity, which is required for networks -- for example, payment card industry credit card processing that must meet security compliance specifications. Audit capability can also help verify correct application performance.

SRI International also developed two additional tools to address SDN security challenges:

  • SDN Security Actuator interfaces with existing security tools and generates OpenFlow messages to take actions, such as isolating an infected host or redirecting denial-of-service attacks away from the network.
  • BotHunter examines patterns of network traffic to identify and report interactions typical of malware attacks.

SDN security challenges affect all components

SDN was developed to manage large, complex networks. Applications consist of multiple components executing in virtual machines (VMs) often located on servers distributed across the network. These distributing servers result in east-west network traffic -- data moving from server to server across the network. This traffic is in addition to application input data and application output.

All of these components, links, applications, VMs and servers must be protected. Network vendors have recognized the need to provide security to each of these elements. Security approaches differ, but strict fences must be maintained between network components and resources in use by one application and by components in use by another. This separation is especially critical in multi-tenant public clouds to assign and maintain specific security policies among workloads. The term segmentation, or microsegmentation, is used to describe how vendors maintain the required separation.

Big Switch Networks, Cisco and vArmour provide examples of different ways to segment the network, and to prevent and report attempted attacks. Here's a look at how these three companies address SDN security challenges.

Cisco's Application Centric Infrastructure (ACI) security focuses on applications, rather than specific network devices. ACI defines endpoint groups (EPGs) that share the same set of policies, and no communication between EPGs is allowed unless specifically permitted by policies.

ACI's endpoint groups are independent of a network's physical location, since applications can move from one server to another as network load varies. An EPG may define application components or place the web interface components of an application in a different EPG from the processing components.

Segmentation is enforced by Layer 4 firewalls inserted in each network path. Firewalls inspect each packet and drop packets that do not adhere to specified policies. Security services, like intrusion prevention systems and Deep Packet Inspection, can be inserted along network paths.

Products will undoubtedly need to be enhanced as software-defined networks are more widely deployed and additional SDN security challenges and vulnerabilities are revealed.

VArmour's Distributed Security System (DSS) inspects each packet to detect attacks and maintain segregation. Additionally, DSS extends visibility across multiple clouds, which means consistent policies can be maintained across applications split across a public and a private cloud.

Sensors monitor all network traffic and inspect each packet up to Layer 7, the application layer, and exchange information across and within clouds to detect attacks. Traffic patterns are analyzed to recognize attacks and, if necessary, update security policies. Each application is protected by a deception capability that steers attack attempts away from the application.

Big Switch Networks' Big Monitoring Fabric acts as a software-defined network operating in parallel with the switching network. This fabric consists of bare-metal switch hardware connected to network switch tap and SPAN ports. Each Big Monitoring Fabric unit gathers input from up to 20 switches. Fabric units are interconnected with other fabric units, and all are managed by a SDN controller. Services like deduplication and deep packet inspection can be performed in x86-based service nodes. The controller provides an open interface that enables malware detection and performance analysis tools access to collected data.

Tools for SDN security challenges aim to cover all bases

In the past, detection tools, like firewalls and deep packet inspection, were implemented in hardware appliances, but applications move in software-defined networks and network paths change. Hardware appliances with fixed network connections cannot quickly shift as paths change. Virtualized tools, available from a number of vendors, now make it possible to move the tool along with the data path.

Current security products from researchers and vendors would appear to block all possible ways to attack a software-defined network, but experience may prove differently. Products will undoubtedly need to be enhanced as software-defined networks are more widely deployed and additional SDN security challenges and vulnerabilities are revealed.

Next Steps

The pros and cons of SDN security

How to prepare for SDN deployment

Find out more about SDN components

This was last published in May 2017

Dig Deeper on Network Security