SDN can make networks flexible and efficient, but the companies applying this technology must handle it cautiously to avoid security breaches.
FREMONT, CA: Traditional network architecture has reached a point where it can no longer adapt to dynamic conditions, such as those allowed by virtualization technologies. SDN increases system abstraction by separating the control plane from the data plane, which paves the way for network programmability, improved speed of operations, and simplification.
The SDN controller (SDNc) lies at the core of SDN architecture. The SDNc sits between network elements (NEs) and SDN applications (SDN apps) and serves as the interface between them. Its centralized position gives the other SDN elements a global view of what is going on in the network, so it can reconfigure NEs on the fly and decide the best route for traffic. The SDNc and the move to centralized control distinguish SDN architecture from conventional networks, where control is distributed. But that same centralized position makes the SDNc a prime target for hackers.
A logically centralized control plane allows for the maintenance of a network-wide view of resources that can then be revealed to the application layer. SDN uses one or more NEs that interface with the SDNc to offer such a centralized architecture. Simplified network management and increased agility are two advantages of developing the network in this way.
Benefits and vulnerabilities
SDN allows security appliances to be integrated into networks directly on top of the control plane, rather than being added as separate appliances or implemented through multiple NEs. SDN's centralized management lets events be collected and aggregated across the entire network, which yields a broader, more coherent, and more accurate picture of the network's status and makes it easier to enforce security policies and monitor the network.
The ability to enforce security mechanisms directly on top of the controller, or to steer traffic at run time (using legacy appliances where needed), allows taps and sensors to be added dynamically at different points in the network, leading to more efficient network monitoring. With a clear picture of its current state, the network can detect attacks more reliably and reduce the number of false positives. In practice, if a tap alerts the SDNc that a device may have been hijacked by a botnet, the SDNc redirects the potentially malicious traffic to an IDS for analysis and monitoring. If the IDS concludes that the traffic is malicious, the SDNc filters it by instructing the first NE on the path accordingly.
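As an added illustration of the tap, IDS and filter workflow just described (example code written for this page, not taken from the original article or from any real SDN controller), the following Python model captures the controller's decision logic: each NE is reduced to a flow table keyed by source IP, the IDS verdict is supplied by the caller, and the topology and addresses are constructed for the demo.

```python
from dataclasses import dataclass, field

@dataclass
class NetworkElement:
    name: str
    flows: dict = field(default_factory=dict)  # src_ip -> action ("redirect:ids", "drop")

@dataclass
class Controller:
    nes: dict                                   # NE name -> NetworkElement
    ingress: dict                               # host IP -> first NE on its path
    state: dict = field(default_factory=dict)   # host IP -> "analysing" | "blocked"
    audit: list = field(default_factory=list)   # every rule change pushed to an NE

    def _push(self, ne, src_ip, action):
        if action is None:
            ne.flows.pop(src_ip, None)          # revert to default forwarding
        else:
            ne.flows[src_ip] = action
        self.audit.append((ne.name, src_ip, action or "forward"))

    def on_tap_alert(self, src_ip):
        """Tap reports a possibly hijacked host: steer its traffic to the IDS."""
        if self.state.get(src_ip) == "blocked":
            return                               # already filtered, nothing to do
        self._push(self.nes[self.ingress[src_ip]], src_ip, "redirect:ids")
        self.state[src_ip] = "analysing"

    def on_ids_verdict(self, src_ip, malicious):
        """IDS verdict: drop at the first NE, or restore normal forwarding.
        Verdicts for hosts the controller never sent to the IDS are ignored."""
        if self.state.get(src_ip) != "analysing":
            return None
        ne = self.nes[self.ingress[src_ip]]
        if malicious:
            self._push(ne, src_ip, "drop")
            self.state[src_ip] = "blocked"
        else:
            self._push(ne, src_ip, None)
            del self.state[src_ip]
        return ne.flows.get(src_ip, "forward")

def run_scenario():
    # Constructed topology: two hosts behind a single edge switch (hypothetical)
    ctl = Controller(nes={"edge-1": NetworkElement("edge-1")},
                     ingress={"10.0.0.5": "edge-1", "10.0.0.9": "edge-1"})
    ctl.on_tap_alert("10.0.0.5")
    ctl.on_ids_verdict("10.0.0.5", malicious=True)   # returns "drop"
    ctl.on_tap_alert("10.0.0.9")
    ctl.on_ids_verdict("10.0.0.9", malicious=False)  # returns "forward"
    return ctl
```

The audit list is the record a SOC would want from a real controller: every rule the SDNc pushed, to which NE, and for which host.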
SDN's ability to automate the detection and resolution of security violations, along with its collection of network status information, makes it suitable for integration into network threat intelligence centers and Security Operations Centers (SOCs). SDN's comprehensive feature set, however, also presents a broader attack surface than conventional networks.