Perhaps the defining aspect of wide-area routing over Internet infrastructure has been decentralized control. Routers are manufactured to support protocols as stand-alone entities that accept, process, and route packets independently based on locally observed and remotely obtained forwarding information. Such decentralized control allowed many different groups to participate in routing, which in turn helped enable the exponential growth of the Internet.
In recent years, however, the increasing complexity of packet forwarding has led network designers to look for ways to simplify this massively distributed system. One approach to simplification involves centralizing network control functions, not unlike how signaling systems control traditional time division multiplexing. Such network management centralization, which separates control functions from packet forwarding, is called Software-Defined Networking (SDN) and can be conveniently implemented by service providers in the cloud.
Many network security practitioners initially recoiled at the cloud-aspect of SDN, citing concerns about weak data protection methods found in many public clouds. Ironically, these same practitioners were also searching for solutions to deal with their increasingly ineffective perimeter boundaries. As a result, the idea of securely stitching infrastructure across heterogeneous cloud infrastructure began to look much better, as long as cloud providers improved their security practices. SDN-based application programming interfaces (APIs) provide an excellent backbone for such hybrid cloud usage.
An additional factor is that the ever-increasing demand for extremely high performance routers has begun to wane somewhat with cloud architectures. With the shift from perimeter-based enterprise networks to distributed clouds, the topology of the typical enterprise is more like a spider web than a collection of high throughput demilitarized zone (DMZ) gateways. Network function virtualization (NFV) is thus more feasible, albeit at manageable throughput levels. Security functions can also be virtualized in such an arrangement, resulting in a virtual perimeter across public, hybrid, and private systems.
"Network function virtualization (NFV) is more feasible, albeit at manageable throughput levels"
So with all these technology trends, shifts, and changes, the question of how enterprise cyber security is impacted by SDN and NFV has become a hot topic. It is the belief at AT&T that this shift of networking toward more virtual, centralized, software-based control will have a significantly positive impact on the avoidance of malicious threats for the vast majority of users. Below are several reasons for this view:
Holistic Views of Security: Software-defined networking (SDN) offers more holistic network management views than traditional routing, because control functions are removed from the forwarding plane and combined into the cloud. Before SDN operators make the decision, for example, to block or divert malicious traffic during a distributed denial of service (DDOS) attack, SDN applications can be used to predictively and more accurately model the effects of such action in real-time on a more comprehensive view of the entire network.
Security Design Integration: SDN allows designers to go “back to the drawing board” with security features in the wide area network (WAN). This is exemplified by the integration of security-relevant functions such as data analytics into SDN controllers rather than as an add-on overlay capability. Thus, whereas Big Data security analytic tools work today in conjunction with log management to perform event correlation of a network “from the outside-in,” SDN controllers with embedded analytics can offer complementary correlative views of network activity “from the inside-out.”
Improved Incident Response and Forensics: Traditional incident response involves humans initiating action after some security event has been discovered. SDN provides an improved means for response, including swapping and restoring the underlying cloud hardware because it is decoupled from its software. Incident response can also include simplified patching through the provision of clean virtual images, rather than trying to diagnose and fix infected systems. SDN also provides a means for more complete forensic images of virtual machines in the network to be collected with minimal disruption.
On-Demand Security Expansion: Because SDN is designed for on-demand expansion of features, real-time provisioning of additional security functions can be made by human administrators through portals or by automated systems through cloud application programming interfaces (APIs). This capability allows for the addition of improved security protections during an attack. Suppose, for example, that an organization suspects that an advanced persistent threat (APT) might be embedded in their systems. Dynamic and real-time provisioning of additional outbound security filtering is possible through SDN portals to immediately reduce the risk of exfiltration.
DDOS Attack Absorption: While SDN infrastructure will require continued vigilance against DDOS attacks aimed at shared access points such as provisioning portals, cloud expansion offers the potential for targeted systems to expand dynamically during a DDOS attack to thwart resource exhaustion. The idea is that as resources experience degradation through accelerated use, the virtualization inherent in SDN makes possible the creation of new virtual machines to absorb the requests. Such dynamic expansion can then contract after the event has subsided.
These SDN security benefits—–like all benefits from new technology—–do come with some costs, the most obvious of which is the collective challenge associated with the software engineering of complex systems. Even after almost five decades since the original reference to software engineering, practitioners still struggle with the creation of software that is devoid of errors. For the security engineer, these errors are often exploitable by malicious intruders.
As such, correctness concerns achieved through attention to strict process controls, design and code quality initiatives, extensive testing, and rigorous verification processes will increase in relevance as SDN deployment carries critical infrastructure traffic supporting essential services. Such attention, when combined with the security advantages listed above for SDN, should result in a future virtual telecommunications infrastructure that will safely and securely serve consumers, business, and government for many years.