• United States




SDN solves a lot of network problems, but security isn’t one of them

Mar 27, 20176 mins
Enterprise ApplicationsIT LeadershipNetworking

SDN security: More capabilities versus protocol and dependency weaknesses

As the digital enterprise struggles to find the best security solutions to defend their ever-expanding networks, many are looking to next generation tools that offer interoperability capabilities.

Software defined networking (SDN) holds lots of promises. By consolidating the control planes of multiple devices into a single controller, that controller becomes the omnipotent decision maker over the entire network.

That’s a lot of power, yet developers still don’t have security at the forefront of their minds when building SDN products, which is why there are weaknesses in SDN that can compromise enterprise security.

Fabio De Gaspari, PhD student, Sapienza University of Rome, said, “The main risks associated with SDN are compromise of the control plane and potential scalability concerns of the control plane.”

How the control plane is implemented determines its vulnerability, but if an attacker is able to access the controller, the results, “Can range from catastrophic with the attacker obtaining full control over the whole network, to a high security risk in a multi-controller SDN, where non compromised controllers can potentially detect and mitigate the compromised one,” De Gaspari said. 

Since the switches cannot operate properly in the absence of the controller, De Gaspari said, “The results of poor control plane scalability can range from poor network efficiency to network devices that are completely unresponsive to new network flows.” 

Generally, the main security risks come from poor or incorrect configuration of the devices. While this is not only true in SDN, De Gaspari said it is potentially even more important given how flexible, and therefore how easy it is to misconfigure the architecture.  

Despite the gaps in security, though, SDN continues to be an emerging alternative solution to the problems of modern day networks. Gregory Pickett, cybersecurity operations at Hellfire Security, said that there is a lot of good that comes with SDN. 

“It allows for operations that providers have wanted for decades, operations such as maintenance dry-out, customer egress selection, enhanced BGP security through reputation-based route selection, faster convergence of routes, and granular peering at the IXP. SDN renders these all these problems moot,” Pickett wrote.

In his Black Hat 2015 presentation, Abusing Software Defined Networks, Pickett said that SDN offers the ability to have the network respond on its own to threats. While it offers promise, SDN still has security holes.

“The hole is that people are not looking at security before they release their product. They’re still not taking security seriously,” Pickett said.

Part of the reason why security remains a challenge with SDN is that there is no clearly established definition of what software defined networking actually is, said Pickett.

“My impression is that the concept is a buzz word. Your SDN might not be my SDN. Look at Cisco, they have their own version of SDN,” said Pickett. There are, however, sundry versions of SDN that vary depending on the vendor.

“Vendors are going to define [SDN] in a way that fits their product line. What’s happening is that the product line is not moving in the direction of SDN, but the definition of SDN is moving to the product line,” said Pickett.

Ironically, SDN is supposed to bring consistency to the network, yet there is a lot of ambiguity around exactly what SDN is, which is one reason why Jon Oltsik, senior principal analyst, said that as enterprises are doing strategic planning around SDN, they need to get the security team involved.

The security practitioners are the ones that can work to identify and mitigate risk. “They can look for risks in the technology, implementation, or operations and try to mitigate those as much as possible,” Oltsik said.

The controller can be a single point of failure, and Oltsik said, “When SDN is implemented, it has oversight over the whole network. In a traditional network, if I compromised a layer 2 switch, I may be able to look at traffic to and from that switch, but not the whole network.”

Though SDN is not a new development, there is much about the newly designed protocols that makes it very similar to a new technology. “We haven’t shaken out all of the bugs yet. There’s a high degree of innovation happening, but it’s not as stable as established technologies,” Oltsik said.

In ironing out the kinks, the software is changing rapidly, but there aren’t a lot of SDN specialists out there for hire, Oltsik said. “It’s established by a networking team or a data center operations team who wants to simplify, and they are using software to do that, but they are not security experts.”

The desire to have a modern means of controlling the network has spawned a new wave of network management tools, but new products don’t mitigate security risks. 

Paul Querna, CTO abd Co-founder of ScaleFT, said, “The security risks are not all that different than they are in general networking. It’s still people on the network.”

“The reality is the most advanced attackers have already figured out how to access the network in an SDN world. For weaker attackers, the SDN is more secure because they can more easily route things around,” Querna said. 

Yet, risks vary depending on the exact SDN technology they are using. “If you’re deploying an SDN, you need to be careful about doing switches and how you are implementing those rules in hardware and understand what is happening if you are not,” Querna said.

Vitaly Mzokov, solution business lead, data center and virtualization security at Kaspersky Lab, said, “Whether or not organizations have SDN, their security strategy should integrate multiple layers of cybersecurity to protect the corporate environment.”

In days of old, Mzokov said,”Organizations had to predict or estimate how cyber criminals would want to attack the corporate infrastructure and what vectors they may use. Then, they would start designing the proper IT environment, along with configuring network and firewall policies.”

But modern cyber criminals have learned agility is a key to success. They have to change their tactics in near real-time as technology evolves. “This means that the more time spent trying to predict attack vectors and then design proper infrastructure, the more vulnerable organizations become to modern or unknown threats,” Mzokov said.

Newer cyber threats are hard to identify because they are less understood in the industry and hard to detect with old-fashioned security solutions. “SDN allows for faster reconfiguration of the environment, and also brings micro-segmentation into the picture,” Mzokov said.

“Without proper integration or interoperation with anti-malware solutions, any SDN technology is just a powerful tool that people underutilize. An organization should simply let SDN know what is happening inside the virtual machine from a security perspective, and they will see how much more efficient SDN’s operation and overall corporate environment can be,” said Mzokov.

Understanding what they are getting remains a critical piece of software defined network security. Yes, traditional means of securing controllers still apply, but Pickett said, “It is important that we step up our game. And to do this, security needs to be part of the discussion.”

If you’d like to comment, head to our Facebook page.


Kacy Zurkus is a freelance writer for CSO and has contributed to several other publications including The Parallax, and K12 Tech Decisions. She covers a variety of security and risk topics as well as technology in education, privacy and dating. She has also self-published a memoir, Finding My Way Home: A Memoir about Life, Love, and Family under the pseudonym "C.K. O'Neil."

Zurkus has nearly 20 years experience as a high school teacher on English and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from University of Massachusetts (1999) and a BA in English from Regis College (1996). Recently, The University of Southern California invited Zurkus to give a guest lecture on social engineering.

The opinions expressed in this blog are those of Kacy Zurkus and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author