In the traditional model of networking, the main vectors that needed securing were the networking devices themselves and particularly any external management measures.
With the SDN model, there are now additional layers. These include the separation of the control plane from the data plane and the ability to manage networks programmatically through an application front end.
With functionality moved into these additional layers, you now have to worry less about the network devices themselves, as they typically just move packets. However, the devices that have flows pushed down, the SDN controllers, the application front ends and the APIs that allow the layers to interact with each other need to be rigorously assessed, as flaws here could impact the entire network.
Hybrid networks that still use more traditional networking devices, but support SDN protocols, will need security assurance of the network devices as well, as more traditional attack surfaces will remain.
Preventing attacks in a changing environment
The first step is to identify the key parts of the existing infrastructure and where important assets are stored. Focusing on securing these and then architecting future changes with security in mind should help prevent issues arising.
Traditional measures such as the use of firewall rules and access control lists will still be applicable and the use of SDN may allow more flexible application of firewall rules to hosts that move around the network. VLANs and containers can be rapidly configured and hosts placed into network zones that both restrict traffic and allow detection opportunities for inter-zone traffic.
It may be possible to interface threat management and monitoring systems with the network controllers. Rather than alerting that a host is making a connection to a malicious IP address or domain, the firewall rules could be automatically modified to prevent the connection from going out at all when the Indicators of Compromise (IoC) feed is updated. Network routing protocols such as BGP could be reconfigured in the event of a volumetric attack such as a DDoS attack to black hole malicious traffic.
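As an added illustration (not code from the article), the sketch below shows the reconciliation step behind feed-driven blocking: it diffs an IoC feed against the drop rules already installed and returns a change plan for a controller to apply. The protected ranges, the change cap, the function names and the sample addresses are all assumptions made for the example, and no particular controller API is modelled.

```python
import ipaddress

# Assumptions (constructed values): ranges that must never be auto-blocked,
# and a cap on how many rules one feed update may change.
PROTECTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.53/32")]
MAX_CHANGES = 100


def parse_feed(lines):
    """Return (valid networks, rejected entries) from raw IoC feed lines."""
    valid, rejected = set(), []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append(entry)
            continue
        # Reject very broad prefixes and anything overlapping protected ranges:
        # a poisoned or mistaken feed entry must not cut off internal services.
        too_broad = net.prefixlen < (16 if net.version == 4 else 32)
        protected = any(net.version == p.version and net.overlaps(p) for p in PROTECTED)
        if too_broad or protected:
            rejected.append(entry)
        else:
            valid.add(net)
    return valid, rejected


def plan_rule_changes(feed_lines, installed):
    """Diff the feed against installed drop rules and return a change plan."""
    wanted, rejected = parse_feed(feed_lines)
    current = {ipaddress.ip_network(r) for r in installed}
    add = sorted(str(n) for n in wanted - current)
    remove = sorted(str(n) for n in current - wanted)
    if len(add) + len(remove) > MAX_CHANGES:
        raise RuntimeError("change set exceeds MAX_CHANGES; hold for review")
    return {"add": add, "remove": remove, "rejected": rejected}


if __name__ == "__main__":
    feed = ["203.0.113.7  # constructed sample", "198.51.100.0/24", "10.1.2.3",
            "0.0.0.0/0", "not-an-ip"]
    print(plan_rule_changes(feed, ["203.0.113.7/32", "198.51.100.99/32"]))
```

Rejected entries and oversized change sets are the cases worth alerting on, since automatic rule changes turn the feed itself into something that can disrupt the network.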
Using Out Of Band (OOB) channels for control traffic and the use of hardened bastion hosts or jump boxes will remain a key way of protecting administration interfaces.
Security tools
With the use of encrypted data channels, the monitoring of endpoints and logging information becomes increasingly necessary. Cloud services can be difficult to monitor and perform forensic activities on and so a focus should be on analysis of the logs those services make available.
Although SSL encrypted traffic can prevent deep packet inspection, flow data showing which hosts were communicating can allow investigation to identify which hosts to analyse. A greater focus on endpoint monitoring can overcome some of the challenges presented. However, these solutions will be most effective if constantly monitored to determine baseline behaviour and maintained, rather than just relied on in the event of a breach.
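The following added example (not from the article) shows how flow records alone, with no payload visibility, can shortlist hosts for closer analysis by comparing current traffic with a maintained baseline. The record layout, thresholds, function names and sample flows are constructed assumptions.

```python
from collections import defaultdict

# Constructed flow records: (source host, destination IP, destination port, bytes sent)
BASELINE_FLOWS = [
    ("10.0.1.5", "198.51.100.10", 443, 20000),
    ("10.0.1.5", "198.51.100.11", 443, 15000),
    ("10.0.1.6", "198.51.100.10", 443, 30000),
]
CURRENT_FLOWS = [
    ("10.0.1.5", "198.51.100.10", 443, 22000),
    ("10.0.1.6", "198.51.100.10", 443, 25000),
    ("10.0.1.6", "203.0.113.40", 443, 400000),
    ("10.0.1.6", "203.0.113.41", 443, 5000),
    ("10.0.1.7", "203.0.113.41", 8443, 1000),
]


def summarise(flows):
    """Per source host: the set of (destination, port) peers and total bytes sent."""
    peers, volume = defaultdict(set), defaultdict(int)
    for src, dst, port, nbytes in flows:
        peers[src].add((dst, port))
        volume[src] += nbytes
    return peers, volume


def hosts_to_analyse(baseline, current, new_peer_limit=2, volume_factor=5.0):
    """Return {host: [reasons]} for hosts whose flows deviate from the baseline."""
    base_peers, base_vol = summarise(baseline)
    cur_peers, cur_vol = summarise(current)
    findings = {}
    for host in cur_peers:
        reasons = []
        if host not in base_peers:
            # A host never seen before cannot be judged against a baseline.
            reasons.append("no baseline for host")
        else:
            new = cur_peers[host] - base_peers[host]
            if len(new) >= new_peer_limit:
                reasons.append(f"{len(new)} new peers")
            if cur_vol[host] > volume_factor * base_vol[host]:
                reasons.append("outbound volume above baseline")
        if reasons:
            findings[host] = reasons
    return findings
```

The result depends entirely on how current the baseline is, which is why the flows need to be collected continuously rather than only after a breach.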
Cost effective implementation
For telcos, additional measures such as OOB connectivity between data centre points of presence will be relatively cheaper to implement than for a business trying to achieve the same objective across an enterprise WAN at different offices. Many SDN solutions are open source, meaning a lower capex and allowing resources to be invested in the staff who will support and secure the equipment.
The main cost will be building and growing the security capability for the organisation. This can be achieved either by recruiting and training an in-house team or through outsourced services. It is only with this capability and effective processes that an operator will be able to efficiently make use of security systems that they invest in.
Although a number of products exist on the market, as networks get more complex, organisations will find that skilled defenders armed with an array of open source tools become increasingly important.
The future
With increasingly dynamic systems, stringent change management and documentation processes will be required to maintain a current view of the landscape. Out-of-date records and documentation are already a common problem with more static infrastructure, and as infrastructure becomes more fluid this will grow exponentially if not brought under control.
The measures used to secure and monitor an SDN environment are not that dissimilar to those used in a traditional environment. The main difference will be that, with the ability to programmatically manage the system, there will potentially be a larger landscape to secure in a faster changing environment. This difference also means that, if leveraged properly, it could be easier to document, manage and maintain through automatic means.
Summary
There are now opportunities to take advantage of the ability to programmatically manage a network. It could be easier to manage systems in a manner that overcomes the issues of managing security in an increasingly dynamic landscape, such as in a cloud environment where virtualised hosts can be created and removed in different geographical locations to cope with changing demands. The challenge now is to evolve processes and culture to be able to keep pace with the constantly changing nature of threats and the risks they pose.
Terry Ip, Security Consultant, MWR InfoSecurity
Terry Ip is a security consultant at MWR InfoSecurity. As well as penetration testing, his research interests include networking and infrastructure.