Sidestepping SDN Security Woes

SDN does hold potential security upsides, but organizations should also look out for pitfalls

As IT departments consider the potential security upsides of building out software-defined networking (SDN) infrastructure, they should also mull over the flip side of the coin. The earlier they can prepare for SDN control issues and bake in protection, the less likely they'll be surprised by security issues that could present themselves without proper foresight, experts say.

Even if it can be used for the greater security good, SDN is a design strategy, not an out-of-the-box security tool. That means security needs to be thoughtfully architected from the beginning.

"In some ways, SDN is just another concern for security people -- another thing that needs to be protected," says Reuven Harrison, CTO of Tufin Technologies. "It's not like security is automatically provided by SDN."

And in spite of paradigm shifts in the way networking is done, some of the same problems will stick around, Harrison says.

"When SDN does become more popular, it will have a very similar problem to today's problems because it will be different vendors with different APIs. Although there is a standard, the vendors aren't actually following the standard, and so there will be multivendor complexity," he says. "It's another big business problem we'll need proper management, automation, and orchestration to be able to control."

According to Christofer Hoff, vice president of strategic planning for the security business group at Juniper Networks, the increased dependence on automation and the interconnectivity between network controllers in an SDN network will actually make the security basics even more imperative than they are today.

"We really have to make sure the Is are dotted and the Ts are crossed, so that we make sure we have strong authentication, and that we don't allow elements like SSL/TLS and encryption to be optional between, let's say, a forwarding plane and a control plane," he says, explaining that the increase in controllers will expose northbound interfaces to other applications that will interact with the controller and the rest of the network. "If I start opening up the crown jewels of my network, the control plane, to external elements that beforehand had to go through these disintermediated correlation elements, we really need to make sure we nail that."

Additionally, with controllers requiring a secure, dedicated connection to elements they're managing, the threat of denial of service and the risks caused by it go up.

"So we need to ensure that these different elements -- the controllers, the forwarding nodes, the analytics planes -- are protected against denial of service," Hoff says.

Perhaps more important, though, are the issues arising from SDN's consolidation of control.

"In a centralized architecture like SDN, the central control framework for network services is the absolute arbiter of connection rules, and if you compromise it, you have compromised everything," says Tom Nolle, president of CIMI Corporation, a strategic IT consultancy. "With centralized SDN, now there's this nice, convenient central place to attack, and if you successfully attack it, you gain complete control of the network."

And attacks against that control plane aren't the only risk posed by this central arbiter of policies. There's also the issue of policy collisions, says Hoff, explaining that while SDN enables automation, without proper management of the policies that drive the automatic control of the infrastructure, problems may well lurk.

"There are any number of scenarios you can paint where you imagine administrator A and admin B, both of whom are trusted users and not doing anything bad," he says, "but they could do things that could cause all sorts of problems with visibility and transparency that might be difficult to troubleshoot."


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Peter Fretty,
User Rank: Moderator
10/24/2013 | 5:46:21 PM
re: Sidestepping SDN Security Woes
Perfect time for security organizations to address the issue of SDN security. The network, regardless of whether it is physical or software defined, is often the heartbeat of the organization, and while SDN provides a host of benefits, proven security strategies need to be at the core. I look forward to hearing the discussion around the best way to protect SDN environments.

Peter Fretty, IDG blogger working on behalf of Sophos
User Rank: Apprentice
10/8/2013 | 10:12:37 PM
re: Sidestepping SDN Security Woes
The issue of SDN security came up during a panel discussion at last week's Interop; some panelists stressed the importance of securing the controller while Facebook's network engineering director said a benefit of SDN is that centralization provides more powerful audit capabilities.
Drew Conry-Murray,
User Rank: Ninja
10/7/2013 | 9:18:21 PM
re: Sidestepping SDN Security Woes
Glad to see the SDN security discussion starting now, while SDN is in its infancy. I hope we can address core security basics as controllers and APIs are being developed, rather than trying to bolt on security as an afterthought. That being said, there's definitely an SDN land grab happening, so my guess is security will come later, rather than sooner, once the market settles on a couple of big players.