A NEW BREED
networkage
Hardening
software-defined

Software-defined networking is empowering businesses to scale and adapt like never before, but it’s still early days, and protecting these networks remains a top issue. So just how mature is the security around SDN?

Over the past few years, innovations in software-defined networking (SDN) have helped IT tackle barriers that inhibit agility, automation and scale, helping their businesses to flourish. But if there’s one thing we’ve learnt, it’s that convenience usually comes at a price – are network managers rushing into the brave new world of SDN while forgetting that its underlying security remains essentially unproven?

Some of the world’s biggest universities, like Stanford and Berkeley, use software-defined networks to collaborate on open-source research data, and Google revealed a few years ago how it is using its own software-defined network to power its data centre WAN, and cost-effectively handle its vast traffic loads. Similarly, hyperscale companies like Microsoft have had to write their own SDN solutions, such as for their Azure cloud, when the flexibility and speed required to fuel their explosive growth just didn’t exist in traditional networking approaches.

But SDN marks a huge change in the security model. As with any new technology, there are numerous security weaknesses both present and yet to be discovered, primarily due to being relatively untested. And just like virtualisation made servers instantly both more and less secure – more because of the abstraction layer, less because you no longer need physical access – we see this pattern repeating with SDN. While a physical network changes at the speed of the human managing it, the software-defined version can change at the speed of a machine.

‘SDN allows security services and policies to be controlled, automated and provisioned to every device on the network from a single point’
>> John Vestberg, Clavister

And although we’re yet to see any major SDN security breaches hit the headlines, the vulnerabilities are starting to become apparent. Multi-vendor SDN project OpenDaylight learnt this the hard way last August when it was forced to patch a serious vulnerability that took until December to fix.

OpenFlow weaknesses can emerge from the separation of the control plane (the high-level management of network devices) and the data plane (the actual hardware itself) that defines SDN.

As Scott Pendlebury, lead cyber threat intelligence analyst at Fujitsu, explains, it’s the communication between these layers where the security concerns arise.

‘The layers communicate with each other through API calls that, depending on which layer the attacker decides to target, can present a number of options,’ says Pendlebury. ‘For example, an attacker could spoof the API calls made at the controller layer heading to the network
September 15 information-age.com<br />