Since the dawn of the Internet, security has been tightly connected to enterprise networks.
The movement to software-defined networks brings dramatic changes in network design and security. Long term, corporations will benefit from more intelligent and secure network management. But in the short term, new networking features may open security holes that hinder the rollout of software-defined networks.
Network infrastructure -- Ethernet switches and routers -- typically operates at layers 2 and 3 of the seven-layer network model. Network security structures -- firewalls, intrusion detection, IP virtual private networks (VPNs) -- run at layers 4 to 7. However, the infrastructure and security elements are interdependent.
The typical response to any potential security threat is to block network access. Businesses try to create a hardened perimeter around data center systems; they identify threats with upper-level tools and block traffic at the lower layers. Coordination is needed in traditional setups between the physical network devices and the software running on top of them.
Recent technical advances have poked holes in that perimeter. Hackers can skirt the lower-layer security checkpoints and make their way into upper levels where data exchanges increasingly happen. Software-defined networks are pushing away from reliance on the lower-level hardware.
Software-defined-network technology separates the control plane from the data plane. The controller can now manage traffic flows through various paths in the network without limitations from physical devices and their proprietary software implementations. Network flows are typically (but not always) controlled with the OpenFlow protocol.
Traffic patterns are also changing, from North/South (user to data center) to East/West (within the data center). Traditionally, 70% to 80% of corporate traffic flowed over the enterprise network and about 20% to 30% moved in the data center. Today, those numbers are reversed, due to virtualization and converged architectures.
Threats, inside and out
Software defined network security deals with external and internal threats.
External threats -- individuals trying to get into the network who do not belong there -- are becoming more sophisticated. Traditionally, tools such as firewalls, intrusion-detection systems and intrusion-prevention systems, sandboxes, and deep packet inspection kept data safe.
Software-defined networks introduce new variables with these systems. They run virtual connections over existing physical infrastructures. Consequently, software-defined network security appliances need to understand encapsulated traffic. For example, to properly inspect incoming traffic, new network security tools must have the ability to decapsulate the traffic, or depend on gateways and switches to translate software-defined network encapsulation and decapsulation protocols to virtual LANs (VLANs) for context.
Internal threats are increasing in number and complexity. Businesses need to monitor information as it moves inside a system, e.g., between two virtual machines (VMs) or from a server to a storage system. Huge volumes of traffic move at incredible speeds as data flows among virtual systems, and traditional tools often cannot keep pace.
On the plus side, software-defined networks are built around open APIs, largely OpenFlow. The programmability enables controllers to define the behavior and performance of the network, based on the running applications.
Traditional physical network security policies are defined for static zones mapped to physical interfaces. Software-defined network security policies do not have to be tied to the infrastructure.
In a more dynamic software-defined network, security zones become decoupled from the physical plane, and network or host "objects" are programmatically defined. Flows are dynamically programmed with appropriate security appliances stationed along the data path. Also, security checks deal with application and VM challenges logically.
Businesses can also build more automated and sophisticated software-defined network security configurations. Systems monitor traffic patterns, identify anomalies and remediate potential problems before they occur.
If you build it, they will come
First, a software-based security infrastructure must be built for this software-defined network. There is nothing to monitor these new exchanges, so existing security systems need upgrades to support open protocols like OpenFlow.
Businesses currently do not have options to mediate security services across many controllers, a key component of mature software-defined network security.
Where will the new tools come from? One possibility is FRESCO, a joint project from SRI International Inc. and Texas A&M University. FRESCO is an application development framework to facilitate the rapid design and modular composition of OpenFlow-enabled security modules. The framework is an OpenFlow app that provides a scripting language geared to developing and sharing security detection and mitigation modules. Researchers write modules and then prototype more complex security services. When deployed, these services operate with various controllers to ensure that the controller enforces the flow rules as security policies.
Startup vendors are building up the software-defined network security software treasure trove. GuardiCore provides solutions for detecting advanced persistent threats, malware propagation and insider attacks. VArmour is working on a software-defined network security suite. Executives from Juniper Networks (NetScreen), Citrix, Riverbed Technology and IBM are on its management team.
About the author:
Paul Korzeniowski is a freelance writer who specializes in data center issues. He has been covering IT issues for more than two decades, is based in Sudbury, Mass. and can be reached at firstname.lastname@example.org.