As digital enterprises struggle to find the best security solutions to defend their ever-expanding networks, many are looking to next-generation tools that offer interoperability.
Software defined networking (SDN) holds a lot of promise. By consolidating the control planes of multiple devices into a single controller, that controller becomes the omnipotent decision maker over the entire network.
That's a lot of power, yet developers still don't have security at the forefront of their minds when building SDN products, which is why there are weaknesses in SDN that can compromise enterprise security.
Fabio De Gaspari, PhD student, Sapienza University of Rome, said, "The main risks associated with SDN are compromise of the control plane and potential scalability concerns of the control plane."
How the control plane is implemented determines its vulnerability, but if an attacker is able to access the controller, the results "can range from catastrophic, with the attacker obtaining full control over the whole network, to a high security risk in a multi-controller SDN, where non-compromised controllers can potentially detect and mitigate the compromised one," De Gaspari said.
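The multi-controller mitigation De Gaspari describes can be modelled as a quorum check: a switch installs a flow rule only when a majority of controllers propose the same rule, and a controller that keeps disagreeing with the quorum is flagged. The following toy simulation is an added illustration, not code from the article or any SDN product; the controllers, forwarding table and thresholds are constructed.

```python
"""Toy model of majority-vote flow-rule validation in a multi-controller SDN.

Each controller is asked which forwarding rule it would install for a flow.
The rule is installed only when a strict majority agrees; a controller that
repeatedly disagrees with the quorum is flagged as suspect.  All controllers,
rules and thresholds below are constructed for illustration.
"""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set


@dataclass(frozen=True)
class FlowRule:
    match: str      # constructed match key, e.g. "dst=10.0.0.5"
    out_port: int   # port the switch should forward matching packets to


# Constructed policy shared by honest controllers.
INTENDED = {"dst=10.0.0.5": 3, "dst=10.0.0.7": 4}


def honest_controller(match: str) -> FlowRule:
    return FlowRule(match, INTENDED[match])


def compromised_controller(match: str) -> FlowRule:
    # A hijacked controller steers every flow to port 9 (constructed value).
    return FlowRule(match, 9)


@dataclass
class QuorumSwitch:
    controllers: Dict[str, Callable[[str], FlowRule]]
    disagreements: Counter = field(default_factory=Counter)
    suspect_after: int = 2   # disagreements before a controller is flagged

    def resolve(self, match: str) -> Optional[FlowRule]:
        proposals = {name: ctl(match) for name, ctl in self.controllers.items()}
        rule, votes = Counter(proposals.values()).most_common(1)[0]
        if votes * 2 <= len(proposals):     # no strict majority: install nothing
            return None
        for name, proposed in proposals.items():
            if proposed != rule:
                self.disagreements[name] += 1
        return rule

    def suspects(self) -> Set[str]:
        return {n for n, c in self.disagreements.items() if c >= self.suspect_after}


def demo() -> tuple:
    sw = QuorumSwitch({"c1": honest_controller, "c2": honest_controller,
                       "c3": compromised_controller})
    installed = [sw.resolve(m) for m in INTENDED]   # honest quorum wins
    return installed, sw.suspects()                 # c3 flagged after 2 misses
```

With only two controllers there is no strict majority when they disagree, so the switch installs nothing rather than trusting either one.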
Since the switches cannot operate properly in the absence of the controller, De Gaspari said, "The results of poor control plane scalability can range from poor network efficiency to network devices that are completely unresponsive to new network flows."
Generally, the main security risks come from poor or incorrect configuration of the devices. While this is not unique to SDN, De Gaspari said it is potentially even more important given how flexible the architecture is, and therefore how easy it is to misconfigure.
Despite the gaps in security, though, SDN continues to be an emerging alternative solution to the problems of modern day networks. Gregory Pickett, cybersecurity operations at Hellfire Security, said that there is a lot of good that comes with SDN.
"It allows for operations that providers have wanted for decades, operations such as maintenance dry-out, customer egress selection, enhanced BGP security through reputation-based route selection, faster convergence of routes, and granular peering at the IXP. SDN renders all these problems moot," Pickett wrote.
In his Black Hat 2015 presentation, Abusing Software Defined Networks, Pickett said that SDN offers the ability to have the network respond on its own to threats. While it offers promise, SDN still has security holes.
"The hole is that people are not looking at security before they release their product. They're still not taking security seriously," Pickett said.
Part of the reason why security remains a challenge with SDN is that there is no clearly established definition of what software defined networking actually is, said Pickett.
"My impression is that the concept is a buzzword. Your SDN might not be my SDN. Look at Cisco, they have their own version of SDN," said Pickett. There are, however, sundry versions of SDN that vary depending on the vendor.
"Vendors are going to define [SDN] in a way that fits their product line. What's happening is that the product line is not moving in the direction of SDN, but the definition of SDN is moving to the product line," said Pickett.
Ironically, SDN is supposed to bring consistency to the network, yet there is a lot of ambiguity around exactly what SDN is. That is one reason why Jon Oltsik, senior principal analyst, said that as enterprises do strategic planning around SDN, they need to get the security team involved.
The security practitioners are the ones that can work to identify and mitigate risk. "They can look for risks in the technology, implementation, or operations and try to mitigate those as much as possible," Oltsik said.
The controller can be a single point of failure, and Oltsik said, "When SDN is implemented, it has oversight over the whole network. In a traditional network, if I compromised a layer 2 switch, I may be able to look at traffic to and from that switch, but not the whole network."