SDN- A Step Forward or Backward for Infrastructure Security?

By Jerry Irvine, CIO & EVP, Prescient Solutions


Those of us who have been in the IT industry for more than 20 years remember centralized computing as a distinct era: large backend systems (mainframes, minis, DASD), reached over serial connections from terminals, that could perform only a limited set of tasks. Security in these systems was easier to maintain because only the host needed protection and, for the most part, remote attackers were not yet a concern.

"SDN can increase performance and fault tolerance while providing more efficient means of management and greater security controls"

As these systems grew and technology matured, centralized computing and networking were replaced with distributed environments that increased productivity through the addition of more resources: processors, memory and storage. Even then, security consisted of entry-level authentication (user IDs and passwords) and cursory access control lists with 'allow' and 'deny' attributes. As services and processes became more efficient and automated in the distributed environment, the manpower needed to support it increased and system functionality continued to grow.

Because systems, networking and data storage were distributed, a breach or loss of an individual system affected only a portion of the environment, which limited the potential loss to the enterprise. In fact, many of these environments ran on completely segmented networks with their own dedicated servers and access controls. Security was implemented at the system level, with access and authorization controls on each host, while network security was provided by physical segmentation, an 'air gap', between them and other systems.

Since the distribution of IT services began, these separate, disparate systems and applications have been integrated through private and public networks, and more recently the cloud, to allow the sharing of input, reporting, data repositories and centralized management. Combining separate systems into common enterprise resources, together with the connectivity demanded by the internet and by mobile systems, has changed the enterprise landscape. These distributed environments now provide access to and control of all enterprise systems and resources, just as the legacy centralized host processors and storage solutions did. Unfortunately, during this cyclical evolution and maturing of the IT environment, neither the security of the centralized host-based system nor that of the distributed processing environment was ever mastered. The new collaborative enterprise resource environment is now more vulnerable than either of its predecessors: it combines the single point of control of the old host with the broad attack surface of distributed systems.

Systems and applications have been integrated, virtualized and moved to the cloud; networking, however, was until recently provided by separate, autonomous devices performing physical and logical segmentation of systems, communications and connectivity. Centralized management solutions that allow remote configuration management and monitoring have existed, but networking functions and processes continued to be performed by, and at, the switches. Software-defined networking (SDN) separates the control plane (topology discovery, path computation, population of forwarding tables) from the data plane and moves it to one or more controller hosts, leaving only packet forwarding at the switch level. This design provides a number of benefits: cheaper switches, since they need to provide only basic forwarding functions, and better management, monitoring, control and analysis. These benefits are realized largely because the centralized controller has a view of the entire enterprise's network communications. Yet the added functionality does not come without concerns.

The SDN controller host(s) represent some significant threats to the enterprise network environment. Depending on the SDN solution being considered, controllers generally fall into one of three types:

• Switch manufacturers' solutions, which range from proprietary systems to open SDN platforms

• Blackbox platforms, which may have customized Linux kernels or simply control applications running on Linux servers

• Solutions-provider control systems that combine the above platforms.

By design, controllers can have applications installed on them, or integrate with applications through northbound APIs, to monitor, manage and control all of the switches. In short, a controller is a server designed to take control of the network infrastructure and its communications; whoever controls the controller controls the network, so it also creates a single, high-value point of access.

According to the Verizon Data Breach Investigations Report, more than 92 percent of attacks are not highly difficult and are directed at servers, workstations, applications and end users; network infrastructure devices are the least attacked platforms in the enterprise. This is due, in part, to the proprietary nature of network devices and the specific and limited nature of their functionality. Servers, workstations, applications and end users present a greater attack surface for unauthorized and malicious users, and there are a greater number of known vulnerabilities across their operating systems, applications and users.

Because controllers are servers, they share the same vulnerabilities and risks as other servers: weaknesses in the applications installed on them and in the server OS. Companies need to implement and control patch management for the controller systems and every application installed on them. Another potentially critical class of vulnerability lies in the protocols and encryption of the communications between the controller and the switches. All control traffic between controller and switches should be encrypted and mutually authenticated with digital certificates (OpenFlow, for example, specifies TLS on the control channel with both sides presenting certificates) to mitigate man-in-the-middle attacks; since TLS is optional in the OpenFlow specification and a plain TCP control channel is the default in many controllers and switches, this is the first thing to verify in a deployment. Denial of Service (DoS) attacks directed at the controller can place the entire infrastructure at risk, because every networking decision is made at the controller; a switch that loses its controller either stops installing new flows or falls back to unmanaged legacy forwarding, depending on its configured fail mode. DoS can be mitigated by deploying redundant controllers and placing them strategically throughout the network to reduce communication and propagation delays, and by rate-limiting the packets switches are allowed to send up to the controller. Given the critical nature of the controller, a compromise places the entire enterprise at risk of DoS, loss or corruption of data, or complete remote control of critical devices within the environment.
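The redundancy and placement advice above is a planning problem: how many controllers, and where, so that every switch has a nearby primary and a usable backup. The following added example (not code from the article or from any SDN product) solves it by brute force for a small constructed topology; the site names and millisecond delays are assumed sample values, and real deployments with hundreds of sites would use a heuristic instead of enumerating every combination.

```python
"""Redundant controller placement on a constructed topology (added example)."""
import heapq
from itertools import combinations

# Constructed sample topology, not from the article: nodes are switch sites,
# edge weights are one-way propagation delay in milliseconds (assumed values).
TOPOLOGY = {
    "chi": {"nyc": 10, "den": 14, "atl": 9},
    "nyc": {"chi": 10, "atl": 12, "bos": 4},
    "bos": {"nyc": 4},
    "atl": {"chi": 9, "nyc": 12, "mia": 8, "dal": 11},
    "mia": {"atl": 8},
    "dal": {"atl": 11, "den": 12, "lax": 16},
    "den": {"chi": 14, "dal": 12, "sfo": 15},
    "sfo": {"den": 15, "lax": 6},
    "lax": {"sfo": 6, "dal": 16},
}


def shortest_paths(graph, source):
    """Dijkstra: delay from `source` to every other node."""
    dist = {source: 0}
    heap = [(0, source)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue  # stale heap entry
        for v, w in graph[u].items():
            nd = d + w
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                heapq.heappush(heap, (nd, v))
    return dist


def all_pairs(graph):
    return {n: shortest_paths(graph, n) for n in graph}


def worst_case_delay(dist, controllers):
    """Largest delay any switch sees to its nearest surviving controller.
    inf means some switch has no controller at all (e.g. the set is empty)."""
    if not controllers:
        return float("inf")
    return max(min(dist[c][s] for c in controllers) for s in dist)


def place_controllers(graph, k):
    """Brute-force the k-site placement that minimises worst-case delay."""
    dist = all_pairs(graph)
    best_delay, best_sites = float("inf"), None
    for sites in combinations(sorted(graph), k):
        delay = worst_case_delay(dist, sites)
        if delay < best_delay:
            best_delay, best_sites = delay, sites
    return best_delay, best_sites


def delay_under_single_failure(graph, controllers):
    """Worst-case delay after losing whichever single controller hurts most.
    inf means a single failure would leave some switch with no controller."""
    dist = all_pairs(graph)
    return max(
        worst_case_delay(dist, [c for c in controllers if c != down])
        for down in controllers
    )


def assignments(graph, controllers):
    """Primary-then-backup controller list for every switch, in the order a
    switch would list them in its controller configuration."""
    dist = all_pairs(graph)
    return {s: sorted(controllers, key=lambda c: dist[c][s]) for s in graph}


if __name__ == "__main__":
    for k in (1, 2, 3):
        delay, sites = place_controllers(TOPOLOGY, k)
        survive = delay_under_single_failure(TOPOLOGY, sites)
        print(f"k={k}: sites={sites} worst={delay}ms after one failure={survive}ms")
    print(assignments(TOPOLOGY, place_controllers(TOPOLOGY, 2)[1]))
```

On this topology a single controller at the best site keeps every switch within 27 ms, but any outage of that host leaves the whole network without a control plane; two controllers bring the worst case to 16 ms and survive one failure, at the cost of a 43 ms worst case while degraded. The k=2 and k=3 numbers are what the tiered design in the text buys: the second controller is for survival, the third for keeping latency acceptable during an outage.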

However, careful configuration and implementation of the SDN environment can provide significant security benefits because of the very property that puts SDN at risk: centralization. Centralizing networking functions gives a global view of the communications within the network, allowing IPS and monitoring solutions to see both the source(s) and destination(s) of packets as well as the effect they are having on the environment. That same global view provides finer-grained access controls and the ability to respond to that traffic throughout the infrastructure more quickly, for example by pushing a single blocking rule to every switch at once rather than reconfiguring devices one by one.
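To make the "global view" benefit concrete, here is an added example (not code from the article or from any particular controller) of detection logic a controller application could run over the flow statistics it collects from every switch. The flow records, switch names and the scanning host's address are constructed sample data; the drop rule is written as a plain dictionary that mirrors the fields of an OpenFlow flow-mod, and the exact encoding for a given controller's API is assumed rather than taken from any product.

```python
"""Cross-switch scan detection from a controller's global view (added example)."""
from collections import defaultdict

# Constructed flow-stats records, as a controller would gather them from every
# switch it manages: (switch_id, src_ip, dst_ip, dst_port, packets). Not real data.
SWITCHES = ["edge-1", "edge-2", "edge-3", "edge-4"]
SCANNER = "10.0.5.23"  # assumed address of the misbehaving host
FLOW_STATS = []
for i, sw in enumerate(SWITCHES):
    # The scanner probes only four hosts behind each switch: quiet per switch,
    # but sixteen distinct targets enterprise-wide.
    for j in range(4):
        FLOW_STATS.append((sw, SCANNER, f"10.0.{10 + i}.{j + 1}", 445, 1))
# A benign client talking repeatedly to one server through one switch.
FLOW_STATS += [("edge-1", "10.0.5.7", "10.0.20.5", 443, 120)] * 3


def distinct_targets(stats, group_by_switch):
    """Map (switch, src) or src -> set of distinct (dst_ip, dst_port) targets."""
    targets = defaultdict(set)
    for sw, src, dst, port, _pkts in stats:
        key = (sw, src) if group_by_switch else src
        targets[key].add((dst, port))
    return targets


def per_switch_suspects(stats, threshold):
    """What a device-local sensor on each switch could conclude on its own."""
    return {key for key, t in distinct_targets(stats, True).items()
            if len(t) >= threshold}


def global_suspects(stats, threshold):
    """What the controller sees once flows from all switches are correlated."""
    return {src: len(t) for src, t in distinct_targets(stats, False).items()
            if len(t) >= threshold}


def quarantine_rules(suspects, switches, priority=1000):
    """One drop rule per switch for every suspect source. The dict mirrors an
    OpenFlow flow-mod (match on IPv4 source, empty action list means drop);
    the wire/REST encoding depends on the controller and is assumed here."""
    return [
        {"switch": sw, "priority": priority,
         "match": {"eth_type": 0x0800, "ipv4_src": src}, "actions": []}
        for src in sorted(suspects) for sw in switches
    ]


if __name__ == "__main__":
    print("per-switch view:", per_switch_suspects(FLOW_STATS, 10))
    print("global view:", global_suspects(FLOW_STATS, 10))
    for rule in quarantine_rules(global_suspects(FLOW_STATS, 10), SWITCHES):
        print(rule)
```

With a threshold of ten distinct targets, no single switch ever sees the scanner cross it, while the controller's correlated count of sixteen does, and the response is a rule installed on all four switches at once, including the ones the scanner has not reached yet.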

Today's complex enterprises with distributed backend and cloud solutions have increased the security requirements, functionality and productivity of the enterprise; SDN networks have the ability to do the same. Yet, to achieve the benefits, the systems must be planned, designed and architected with all potential risks, vulnerabilities and threats to the environment in mind. Traditional segmentation can provide greater levels of security simply by limiting the access allowed; however, today's enterprise requirements call for far more access. If implemented correctly, SDN can increase performance and fault tolerance while providing more efficient means of management and greater security controls. SDN is yet another step forward for enterprise infrastructure security.