Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

SDN solves a lot of network problems, but security isn't one of them

Kacy Zurkus | March 28, 2017
SDN security: More capabilities versus protocol and dependency weaknesses


As the digital enterprise struggles to find the best security solutions to defend their ever-expanding networks, many are looking to next generation tools that offer interoperability capabilities.

Software defined networking (SDN) holds lots of promises. By consolidating the control planes of multiple devices into a single controller, that controller becomes the omnipotent decision maker over the entire network.

That's a lot of power, yet developers still don't have security at the forefront of their minds when building SDN products, which is why there are weaknesses in SDN that can compromise enterprise security.

Fabio De Gaspari, PhD student, Sapienza University of Rome, said, "The main risks associated with SDN are compromise of the control plane and potential scalability concerns of the control plane."

How the control plane is implemented determines its vulnerability, but if an attacker is able to access the controller, the results, "Can range from catastrophic with the attacker obtaining full control over the whole network, to a high security risk in a multi-controller SDN, where non compromised controllers can potentially detect and mitigate the compromised one," De Gaspari said. 

Since the switches cannot operate properly in the absence of the controller, De Gaspari said, "The results of poor control plane scalability can range from poor network efficiency to network devices that are completely unresponsive to new network flows." 

Generally, the main security risks come from poor or incorrect configuration of the devices. While this is not only true in SDN, De Gaspari said it is potentially even more important given how flexible, and therefore how easy it is to misconfigure the architecture.  

Despite the gaps in security, though, SDN continues to be an emerging alternative solution to the problems of modern day networks. Gregory Pickett, cybersecurity operations at Hellfire Security, said that there is a lot of good that comes with SDN. 

"It allows for operations that providers have wanted for decades, operations such as maintenance dry-out, customer egress selection, enhanced BGP security through reputation-based route selection, faster convergence of routes, and granular peering at the IXP. SDN renders these all these problems moot," Pickett wrote.

In his Black Hat 2015 presentation, Abusing Software Defined Networks, Pickett said that SDN offers the ability to have the network respond on its own to threats. While it offers promise, SDN still has security holes.

"The hole is that people are not looking at security before they release their product. They're still not taking security seriously," Pickett said.

Part of the reason why security remains a challenge with SDN is that there is no clearly established definition of what software defined networking actually is, said Pickett.


1  2  3  Next Page 

Sign up for Computerworld eNewsletters.