Security Must Adjust as SDN Goes Mainstream

After years of hype, 2018 may finally see the start of the mainstream adoption of software-defined networking (SDN). And with it, network virtualization and software defined data centers (SDDC) could be on the cusp of big breakthroughs. So say the results of the new research from Enterprise Management Associates (EMA).

According to EMA’s “Network Management Megatrends 2018” research, cloud and SDCC architectures are finally starting to dominate IT initiatives. The report’s author, Shamus McGillicuddy, recently summed up the top takeaway in a NetworkWorld column. According to him, for the last ten years EMA has been asking network managers to name the top initiatives that are driving their priorities. For most of that time, server virtualization has come up on top.

“Cloud and software-defined data center (SDDC) architectures have always been secondary or tertiary drivers,” he explains. ” In 2018, this pattern has finally broken. This shift in drivers is also leading to mainstream focus on SDN network virtualization and software-defined wide-area networking (SD-WAN).”

Whereas in previous years these three “were afterthoughts” on prioritization lists, McGillicuddy reports that this year SDN was cited by 40% of network managers, network virtualization by 37% and SD-WAN by 36% as one their top networking priorities for 2018.

Interestingly, all three of these priorities took the back seat to network security. 

Security was network managers’ number one cited priority, named by 43% of respondents. The prioritization of security above the initiatives that enable SDDCs logically invites the question of how the mainstreaming of software-defined architectures will jibe with security goals.

As awareness has grown in recent years around software-defined architectures, security pundits have started to recognize that they present a bit of a double-edged sword in regard to network defense.

One positive side, SDN and network function virtualization (NFV) presents a huge boon for network and data center visibility and control. Additionally, the innate characteristics of SDN that enable easier network administration also can help streamline and simplify security updates for more timely patching and upgrades.

“NFV promises to distribute monitoring functions more economically and more widely, enabling much more agile responses to threats to customers,” wrote Steve Goeringer, principal security architect for CableLabs, a couple years back. “In addition, NFV can harness specific virtualization techniques recommended by NIST (such as hypervisor introspection) to ensure active monitoring of applications. Moreover, SDN provides the potential to quickly limit or block malicious traffic flows much closer to the source of attacks.”

This kind of security agility is already being achieved by organizations out in the real world. A recent case study published by EdTech Magazine explained that not only are staffers at University of New Mexico able to spin up new machines in their SDDC, but the change in architecture has helped them better automate security tasks so they can apply policies across the institution in a very timely manner.

“Data protection has improved many times over what we had in the past,” says UNM’s Deputy CIO Brian Pietrewicz told EdTech. “We’re now able to manage security in a much more granular way.”

This kind of success story today illustrates a point that Goeringer made back in 2016–namely that the shift to SDN and network virtualization also presents a once in a generation architectural opportunity. By revamping the architecture, organizations can embed security more effectively into the plumbing of newer data centers.

“Most of the core network technologies in place today–routing, switching, DNS, etc.–were developed over 20 years ago. The industry providing broadband services knows so much more today than when the initial broadband and enterprise networks were first deployed,” he explains “NFV and SDN technologies provide an opportunity to largely clean the slate and remove intrinsic vulnerabilities.”

However, while organizations might be able to remove yesterday’s intrinsic vulnerabilities, if they’re not careful they’ll expose themselves to a whole new raft of risks unique to the SDN model.

“A significant issue regarding SDN security is that virtualizing every aspect of the network infrastructure increases your attack footprint,” explained Mark Dargin, a security architect, earlier this year. “The SDN controller is typically the primary target for attackers because it is the central point for decisions in a network and a central point of failure.”

In other words, your SDN controller becomes a very risky single point of failure. After so many years working to implement best practices around network segmentation to limit risk exposure, SDN could wipe out a lot of those benefits through its inherent design.

“Attackers can try to get control of the network by breaking into a controller or pretending to be one,” wrote Dargin. “Once a central controller is compromised, an attacker can gain complete control over your network.”

Not only do confidentiality and integrity concerns abound with this concentration of risk around the controller, but availability also becomes a big worry. As Dargin explains, SDN architectures also invite new forms high-powered DDoS attacks.

The whole lesson here is to understand that as software-defined architectures finally go mainstream, security will need to adjust quickly to compensate. Fortunately, McGillicuddy with EMA noted in his report that many organizations are increasing the amount of collaboration between network management and IT security. Approximately 42% of network management report more collaboration and 35% say enterprises use security risk reduction as a measure of network management success.

*** This is a Security Bloggers Network syndicated blog from Business Insights In Virtualization and Cloud Security authored by Ericka Chickowski. Read the original post at:

Ericka Chickowski

An award-winning freelance writer, Ericka Chickowski covers information technology and business innovation. Her perspectives on business and technology have appeared in dozens of trade and consumer magazines, including Entrepreneur, Consumers Digest, Channel Insider, CIO Insight, Dark Reading and InformationWeek. She's made it her specialty to explain in plain English how technology trends affect real people.

ericka-chickowski has 88 posts and counting.See all posts by ericka-chickowski

Secure Coding Practices