Andrea Danti - Fotolia


SDN network security: Building a safer architecture

Software-defined networking may hold the key to better security. Networking expert Lee Doyle explains how to strengthen SDN network security to prevent breaches.

Securing critical data and remediating cyberattacks is the No. 1 challenge facing most IT organizations. Advances in SDN technologies enable the network to identify traffic patterns that signal a cyberattack and to segment the network to prevent attackers from moving throughout the organization.

Changing IT requirements

Rapid changes in IT technologies have altered the landscape of network security. With the advent of pervasive mobility, BYOD and the Internet of Things (IoT), organizations can no longer rely on a hardened network perimeter to prevent cyberattacks. Organizations are also deploying a mix of public and private cloud services (hybrid cloud), which creates security concerns around data migration. And the rise in popularity of the DevOps style of application development, with its rapid changes in application resource requirements, means the network must automatically provision security policies.

SDN network security

Software-defined networking provides capabilities to enhance the network's ability to identify and remediate cyberattacks.

Symantec has estimated that more than 348 million identities were exposed through data breaches in 2014 alone, and that each day nearly 500,000 Web attacks are blocked. IT and security professionals are searching for new tools to give them the ability to understand when and how they are being attacked, as well as the ability to rapidly neutralize specific security breaches. The network, as it moves all traffic, is a critical component of the IT organization's strategy to secure critical data.

Software-defined networking provides capabilities to enhance the network's ability to identify and remediate cyberattacks. Some key SDN network security features include:

  • Ability to provide network segmentation that can isolate attacks and prevent attackers from migrating across virtualized data center assets.
  • Programmable networks that allow customization so users can work efficiently with network security assets.
  • The ability to cost-effectively monitor all of the (rapidly increasing) network traffic flow to identify anomalies that can signal cyberattacks.
  • Flexibility to change the network to rapidly remediate threats once attacks are identified.

Another important practice for securing network traffic is to use encryption for data transport and data storage.

Network segmentation

Widespread adoption of server virtualization has led to tremendous increases in east-west server traffic between virtual machines. From a security standpoint, this can increase risk as attackers can migrate from their breach of a single virtual machine throughout the data center by leveraging trusted east-west traffic. By utilizing the segmentation capabilities of SDN, IT organizations can isolate parts of their infrastructure to protect sensitive data.

Network analysis

The network has the ability to "see" all traffic and potentially identify cyberattacks in progress. The challenge is to enable network analysis tools in the environment of rapid traffic growth. SDN network security features enable cost-effective analysis to monitor for traffic anomalies that often signal a cyberattack. And SDN can selectively report this data to security tools to aid in rapid remediation.

SDN technology options

IT buyers can select from a wide range of SDN tools to improve network security. VMware offers NSX to virtualize the network and provide micro-segmentation of data center assets. Cisco leverages the SDN capabilities of its Application Centric Infrastructure, in combination with its network security products, to enhance data center security. Other suppliers that offer SDN network security products include: Hewlett-Packard Enterprise, Big Switch Networks, Pluribus Networks, Plexxi, NetScout Systems (VSS), Gigamon, Spirent, Ixia, vArmour, Certes Networks and CohesiveFT.

In addition, a large number of network security suppliers -- including Intel, F5 Networks, Palo Alto Networks and Check Point Software Technologies -- work with SDN providers to integrate their security software and appliances with specific SDN capabilities.

Recommendations for IT leaders

With the increase in use of BYOD and IoT, the security perimeter provides insufficient protection to sensitive IT data. The network is a critical part of overall security practices, as it can help to identify and remediate cyberattacks. SDN technologies provide features to improve network security, including network segmentation, customized programming and cost-effective network monitoring. Organizations should adopt a layered security architecture, including SDN network security technologies, to provide "defense in depth" against cyberattacks. Data encryption is also recommended for all critical data traffic.

Next Steps

Software-defined networking security concerns are real

SDN will be critical in mobile network security

micro-segmentation helps secure ACI and NSX

This was last published in February 2016

Dig Deeper on Network Security