The SDN Effect on Network Security

For enterprise organizations around the world, Software Defined Networking (SDN) is transforming the way we build and operate our networking infrastructure. Just as virtualization technology revolutionized application servers and storage, we are now going through the same evolution on the networking side of the house. The promise of SDN touches on several aspects. Simplicity and speed of rolling out new services across an organization is one. Flexibility and operational efficiency to reduce cost is another. However, one of the most critical aspects of SDN is its implications for security. With the almost weekly news of hackers penetrating critical institutions around the world, this cannot come soon enough. Let’s look at three ways SDN can help organizations secure their networks and keep hackers at bay.

  1. Network Micro-Segmentation. Networks were originally designed to connect devices and users together. However, as more applications and services started to move to IP (think of CCTV cameras, building management systems, telephones, etc.), the need to separate those devices into separate zones became essential. Using one physical converged network makes sense from a cost and management perspective, but SDN allows us to split this network into secure, isolated zones. An attacker, whether an external hacker or even a disgruntled employee, will not be able to access any network services outside of their allocated zone. Micro-segmentation allows for even further granularity, separating individual servers, devices, or users into unique secure zones. Recent attacks on banks have relied on attacking one publicly exposed server, and then using it to access other internal servers. Micro-segmentation would contain attacks to specific servers and prevent wider exposure.
  2. Stealth Networking. As traffic travels through legacy networks, the network devices that handle this traffic are all exposed. Attackers can probe each of those hops for exploits and eventually find ways of getting in. SDN with fabric foundation technologies relies on layer 2 traffic tunneling, so the traffic now flies over the network and lands at the destination with virtually one hop. Think of taking a direct flight between two cities, versus the traditional way of stopping at several transit hops. SDN allows the entire network between source and destination to be hidden, and attackers probing your network can only see a black hole instead.
  3. Dynamic Network Workflow Automation. The nature of network attacks is that they happen instantly. The network has to be able to automate its response at the same time as the appropriate teams are notified. This used to be very difficult, as making any network configuration change was a complex task that was almost impossible to automate. However, SDN’s inherent simplicity and openness present the opportunity to design an automated workflow that is put into motion once triggered. As an example, the network can detect that a contractor’s laptop in one of the bank’s offices is transmitting some suspicious traffic patterns. It can automatically create a new quarantine zone, move that machine there to put it under full forensics, pull in the CCTV cameras of that area, and put the administrators remotely on the same video call so they have full eyes on the attacker’s location. This scenario was simply not possible in the past with legacy network technologies.
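
Items 1 and 3 above, as an added example that is not part of the original article: a default-deny zone policy modeled in Python, comparing which hosts an intruder on one machine could pivot to on a flat network versus a segmented one, and the effect of an automated quarantine. The host names, zone names and permitted flows are constructed for illustration and are not taken from any SDN product.

```python
from collections import deque

# Constructed sample inventory: host -> zone (all names are hypothetical).
HOSTS = {
    "web-dmz": "dmz", "app-01": "app", "core-db": "db",
    "cctv-01": "cctv", "bms-01": "building", "contractor-laptop": "office",
}
# Default-deny policy: only these zone-to-zone flows are permitted.
ALLOWED_FLOWS = {("dmz", "app"), ("app", "db"), ("office", "dmz")}
QUARANTINE = "quarantine"  # zone with no permitted flows in or out


def can_reach(src, dst, hosts, flows, segmented=True):
    """True if src may open a connection to dst under the policy."""
    if src == dst:
        return False
    if not segmented:  # flat converged network: everything talks to everything
        return True
    if QUARANTINE in (hosts[src], hosts[dst]):
        return False
    # Micro-segmentation: even same-zone hosts need an explicit flow.
    return (hosts[src], hosts[dst]) in flows


def blast_radius(compromised, hosts, flows, segmented=True):
    """Hosts an attacker can reach by pivoting hop by hop from `compromised`."""
    seen, queue = set(), deque([compromised])
    while queue:
        current = queue.popleft()
        for target in hosts:
            if target not in seen and target != compromised and can_reach(
                    current, target, hosts, flows, segmented):
                seen.add(target)
                queue.append(target)
    return seen


def quarantine(host, hosts):
    """Automated response: return a new inventory with `host` isolated."""
    return {**hosts, host: QUARANTINE}


if __name__ == "__main__":
    print("flat:     ", sorted(blast_radius("web-dmz", HOSTS, ALLOWED_FLOWS, False)))
    print("segmented:", sorted(blast_radius("web-dmz", HOSTS, ALLOWED_FLOWS)))
    isolated = quarantine("contractor-laptop", HOSTS)
    print("quarantined:", sorted(blast_radius("contractor-laptop", isolated, ALLOWED_FLOWS)))
```

The segmented result still contains app-01 and core-db, because the permitted dmz-to-app and app-to-db flows chain together: containment is only as tight as the flows the policy allows, so transitive paths are worth auditing alongside the direct rules.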

We are moving to a new age where attackers are constantly finding innovative ways to penetrate security layers. Organizations have a legal and ethical responsibility to their customers to keep their private information safe. Adopting next-generation technologies like SDN for their security advantages is one way to stay one step ahead in the never-ending security race.