Security in a software-defined world
Justin Hadler looks at the security requirements in a software-defined networking environment
Google has deployed software-defined networking and VMware bought Nicira – these are just two events indicating that software-defined networking could be the next disruptive technological trend.
Recent years have seen the rise of innovative applications such as Salesforce.com, yet the underlying network has remained essentially the same.
In a virtualised environment, a new type of networking architecture is needed, as virtual machines (VMs) are remotely, automatically created and configured.
Software-defined networking enables programmable, centralised control of traffic without the need to physically access the network's hardware devices. Typically, data and control planes are separated using a uniform vendor-agnostic protocol called OpenFlow.
However, many still have serious concerns about the impact on network security. Every single forwarding decision is put into one centralised software process. If this one process is compromised, the entire network will also be compromised.
Software-defined networking may offer more flexibility in re-routing traffic around a heavily flooded network, but it may also be vulnerable to a special type of DDoS attack.
Rather than flooding routers or attacking hosts or applications, the attacker targets the software-defined network stack itself, creating traffic streams designed to multiply the interactions between the switches and the controller – a control flow saturation attack.
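An added example, not part of the article: a rate check a controller operator could run over the switch-to-controller packet_in messages to spot the surge that a saturation attack produces. The event list, the one-second window and both thresholds are constructed assumptions to be tuned to a real network's baseline.

```python
from collections import defaultdict

# Constructed sample of controller-side events (not real controller output):
# (time_seconds, switch_id, message_type). Only packet_in messages carry work
# to the controller, so those are what a saturation attack inflates.
SAMPLE_EVENTS = [
    (0.1, "s1", "packet_in"), (0.3, "s1", "packet_in"), (0.5, "s2", "packet_in"),
    (0.9, "s1", "port_status"),
    # Second 1: s2 suddenly sends a burst of packet_in, as a switch does when a
    # flood of flows keeps missing its flow table.
    *[(1.0 + i * 0.01, "s2", "packet_in") for i in range(60)],
    (1.5, "s1", "packet_in"),
    (2.2, "s1", "packet_in"), (2.6, "s2", "packet_in"),
]

PER_SWITCH_LIMIT = 20   # assumed baseline: packet_in per second per switch
CONTROLLER_LIMIT = 50   # assumed baseline: packet_in per second across all switches

def packet_in_counts(events, window=1.0):
    """Count packet_in messages per switch in fixed windows of `window` seconds.
    Returns {window_index: {switch_id: count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for t, switch, msg in events:
        if msg == "packet_in":
            counts[int(t // window)][switch] += 1
    return counts

def detect_saturation(events, window=1.0,
                      per_switch=PER_SWITCH_LIMIT, controller=CONTROLLER_LIMIT):
    """Return alerts as (window_start, scope, count) where scope is either
    "controller" (aggregate load on the single control process) or a switch id
    (one switch driving the surge, the natural place to install a coarse
    rate-limit or drop rule)."""
    alerts = []
    for idx, per_sw in sorted(packet_in_counts(events, window).items()):
        start = idx * window
        total = sum(per_sw.values())
        if total > controller:
            alerts.append((start, "controller", total))
        for sw, n in sorted(per_sw.items()):
            if n > per_switch:
                alerts.append((start, sw, n))
    return alerts

if __name__ == "__main__":
    for alert in detect_saturation(SAMPLE_EVENTS):
        print("saturation alert:", alert)
```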
We are still in the very early stages of understanding exactly how security will be administered in advanced software-defined networks. What is clear, however, is that a complementary, layered approach is critical.
Enterprises will still need a firewall and intrusion prevention. In addition, VMs that talk to each other on a physical server will need hypervisor security layers. In fact, it could even be argued that physical security will become even more important in a software-defined networking environment.
Because datacentres are concentrated in only one or two locations, those sites need to be highly secure from a physical perspective.
Security built effectively into a software-defined networking environment should not replace any existing security measures. What is required is an additional layer, one that can itself be controlled and secured, because it will be based on a software controller.
The key is to ensure that security does not impede the flow of data and the flexibility that software-defined networking is intended to provide.
In principle, software-defined networking should free network security, increasing both flexibility and control. For many years, the only response to an attempted attack on a network was to block it. In a software-defined networking environment, there are numerous options for countering such attacks, including quarantine systems and OpenFlow-enabled honeynets.
It allows VLANs to extend beyond the perimeter, increasing the probability that data will remain secure. It can be hard to decide exactly where to put security devices – but with software-defined networking the network administrator can route all traffic through one centralised firewall.
The architecture of software-defined networking enables network engineers to support switching fabric across multi-vendor hardware, thus providing customers with almost unprecedented levels of choice.
Independent technology providers will obviously help customers navigate the different options. While virtual security will undoubtedly have its place, it will need to be combined with existing physical safeguards.
Justin Hadler is director of engineering at Hardware.com