This focus on the Software Defined Enterprise can make for exhilarating discussion among IT enthusiasts and leaders, but at some point the responsible voice in the room has to chime in and ask the all-important question: “How secure is it, and what are the security implications of implementing it?”

The fact that Software Defined Networking (SDN) is such a new and maturing technology justifies some trepidation about its security. Implementing SDN and attaining a true Software Defined Enterprise will thrust enterprises into a completely new security model, which may not be a bad thing.

When you think about it, IT security has its origins in the Middle Ages. The king had a moat that circled a great wall that was seemingly insurmountable (but in the end was almost always breached), which protected the castle and all of its inhabitants. Similarly, the basic IT security model has consisted of a strong, formidable firewall or UTM that served as a perimeter of protection for the IT devices hidden behind it. The bigger the firewall, the safer we felt about the network. All traffic, both incoming and outgoing, was physically forced through this device, allowing it to scan the traffic for known signatures or unrecognizable suspicious behavior. In addition, we placed small security garrisons at strategic points throughout the network to control traffic through the use of access control lists. As a last resort, we configured local firewalls on vital servers and even desktops. It was all very physically structured and required a team of security professionals to constantly monitor and manage it.

Unfortunately, the traditional network perimeter around the data center is permanently dissolving thanks to the mobility of both users and their devices today. As a result, it is more difficult to defend company data from the increasing gaps in security, and to verify that users accessing data are protected. In traditional networking, we opened up everything and then used access control lists and firewalls to stop it. With Software Defined Security (SDSec), nothing is sent unless a specific policy allows it. In other words, we don’t use SDSec to plug holes; instead, we use it to dictate every move of the network. Furthermore, security will be handled network-wide in an automated fashion. Policies will be created for new devices or application deployments, assuring that these resources are fully protected from their initial startup. Imagine a concept such as Software Defined Encryption (SDE) in which data is encrypted as it is created.

The concept at the core of SDSec, as of all aspects of the software defined enterprise, is the abstraction of the control plane from the data or forwarding plane. This vastly increases the scalability of network security, because without it administrators must manage each separate device individually through some type of device interface. With SDSec, security personnel will create policies within the centralized controller that will then be delivered to all relevant security devices. The dynamic networks of today, in which users and their collective devices come and go, create the need for dynamic security. We must stop thinking merely about securing the perimeter and instead accept the fact that security needs to be everywhere. Security needs to be built into the very fabric and architecture of the network and, like so many other facets of IT, delivered as a service.

Rather than being based on location and physicality, SDSec is based upon logical policies, allowing data and configurations to be protected wherever they reside. What’s more, once these policies are created and put in place, new devices falling under their umbrella will be automatically protected from the initial boot up.

SECURITY CENTRALIZED CONTROL

Let’s face it, managing each and every individual security device is a daunting and tedious task for any IT force in a medium or large enterprise, as organizations have responded to security concerns by deploying a new tool to address each new risk. It is demanding to keep up with multiple interfaces and multiple logon authentications, and to either remember CLI commands that vary by vendor or navigate a web of hyperlinks. IT security staff members are not only consumed by this never-ending process, but the high frequency of all of these manual configuration tasks increases the odds of human error, which may expose areas of the network to open vulnerability.

BENEFITS OF SDN BASED SECURITY

  • Reduce human error. By consolidating the configuration of all security devices within a centralized controller so that all devices are configured at once, the possibility of human error is greatly diminished. Even more importantly, the time to complete configuration is slashed dramatically.
  • Improve visibility. Centralizing security monitoring and management into a centralized orchestrator opens visibility to all facets of your network whether it is hardware based or virtual. Understanding traffic flows will ensure that blind spots are corrected under the idea that if you can see every packet, you can protect it.
  • Alleviate the workload. As with SDN, the enterprise will not require as many device administrators to update, monitor, and manage an entire fleet of devices. This will alleviate the workload of IT security personnel, allowing them to work on security prevention rather than repeated remediation.

CHALLENGES OF SDN BASED SECURITY

  • Misconfiguration can be detrimental. The constant process of accessing individual devices in order to configure them one-by-one amplifies the chance of human error. It also restricts the consequences of human error to that device or defined area. The aftermath of deploying a misconfiguration to the entire network through a centralized controller would be far more detrimental. In order to alleviate this, testing and planning will be imperative.
  • Highly targeted attacks are possible. Because the security of the entire network will be managed by a single controller, it will be the focus of malevolent attacks. Attacks can target the northbound interface in order to seize control of the network. The southbound interface can be susceptible to DoS and similar attacks that attempt to degrade performance and availability. Obviously, the controller presents a potential single point of failure that must be protected. The southbound interface can be shored up by requiring authentication using certificates and encryption to secure all connections.
  • New security policy and training required. Communication and training will be paramount, as a well-intentioned policy can counteract or interfere with existing policies. Just as security will be directed everywhere, all network administrators will be responsible for security and policy planning and coordinating.
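
The default-deny, label-based policy model described earlier and the testing called for under "Misconfiguration can be detrimental" can be combined into one check that runs before a controller pushes anything. The following is an added example, not code from the original article or from any vendor's product; the names Rule, decide and gate, the labels and the device inventory are all hypothetical.

```python
# Added example: default-deny, label-based policy with a pre-push test gate.
# Rule, decide, gate and all labels/devices are hypothetical, not a vendor API.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str     # logical label of the sender, "*" = any
    dst: str     # logical label of the receiver, "*" = any
    port: int    # destination port, 0 = any
    action: str  # "allow" or "deny"

def decide(rules, src_labels, dst_labels, port):
    """First matching rule wins; no match means deny (nothing is sent
    unless a specific policy allows it)."""
    for r in rules:
        if ((r.src == "*" or r.src in src_labels)
                and (r.dst == "*" or r.dst in dst_labels)
                and r.port in (0, port)):
            return r.action
    return "deny"

def gate(rules, inventory, expectations):
    """Replay expected flows against a candidate policy and return the
    mismatches. The controller pushes only when the list is empty."""
    failures = []
    for src, dst, port, want in expectations:
        got = decide(rules, inventory[src], inventory[dst], port)
        if got != want:
            failures.append((src, dst, port, want, got))
    return failures

# Constructed sample data. Devices carry labels, not locations.
INVENTORY = {
    "web-01": {"web"}, "db-01": {"db"}, "laptop-17": {"user"},
    "web-02": {"web"},  # new device: covered by its label, no rule edits
}
CURRENT = [Rule("user", "web", 443, "allow"), Rule("web", "db", 5432, "allow")]
# A well-intentioned but over-broad rule placed ahead of the existing ones.
CANDIDATE = [Rule("*", "db", 0, "allow")] + CURRENT
EXPECTATIONS = [
    ("laptop-17", "web-02", 443, "allow"),
    ("web-02", "db-01", 5432, "allow"),
    ("laptop-17", "db-01", 5432, "deny"),
    ("web-01", "web-02", 22, "deny"),
]

if __name__ == "__main__":
    print("current failures:", gate(CURRENT, INVENTORY, EXPECTATIONS))
    print("candidate failures:", gate(CANDIDATE, INVENTORY, EXPECTATIONS))
```

The candidate policy fails the gate because its wildcard rule lets a user laptop reach the database, which is the kind of network-wide mistake a centralized push would otherwise deliver to every device at once.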

Software Defined Security is not a mature technology as of yet. The idea of not being behind the big bad perimeter can be a little scary, but just as the formidable fortresses are completely vulnerable to today’s military technology, physical security that is non-dynamic in nature has reached the end of its usefulness and is nearing extinction. The era of Software Defined Security is approaching.

About WEI
WEI is an innovative, full service, customer-centric IT solutions provider.
