SDN Security Woes

Many service providers of cloud and network alike are eagerly crunching away at SDN implementations that they are certain will revolutionise their service and add unimaginable gains in their operational efficiency. To be certain, SDN is exciting! It represents no less than the elimination of the typical wait of days or weeks each time a network change is required; that’s big news for customers and operators alike! The question being posed (not nearly often enough, if you ask me) is: what will this mean for security?

Let’s start with a basic primer on what SDN really is. We all know it stands for Software Defined Networking; however, it’s important to make the distinction between something that’s software defined and something that’s software controlled. We already have loads of examples of software controlled networking today. When you go on your ISP’s website and click a button and your Internet connection speed is upgraded, if not right away then within hours, and without the involvement of a human operator, that’s software controlling their network. In many respects the MPLS networks that we’ve operated for years are software controlled, in that they use concepts like pseudo-wire and “virtual” cross connects in place of actual physical wires and cross connects; it’s the software in the MPLS network that’s controlling the traffic. Let’s be clear: none of this is software defined.

When we talk about software defined networks, we’re talking about removing the control! Yes, you got that right, we’re making our networks LESS controlled! You see, inside a network we talk about three “planes”: the data plane (where all the bits move about), the control plane (where the decisions about which bits move where happen) and the management plane (where the operator inputs commands and configurations). In the simplest terms, SDN removes the control plane from the network and replaces it with a piece of software run either on a purpose-built appliance or somewhere in the operator’s private cloud.

The reason this is a good thing (and bear with me, it is!) is that making changes in the control plane of traditional networking, done via the management plane of course, often causes disruption or carries risk. Operators therefore have to be extremely careful, and have adopted strict change management procedures to make sure that customers are not negatively impacted when changes are happening. What SDN promises is the ability to change how the network works on demand, in real time, in response to any number of inputs from the operator, the customer, or just in reaction to particular traffic patterns in the network. This means that networks can be far more optimised than they are today, and they can recover from failures in a much more intelligent manner. See, I did tell you this was a good thing!

The worry now is: what happens to the strict change control procedures? How do we know that the real-time, on-demand changes the network is making are appropriate / desirable / safe? That’s the concern that we’ve not seen adequately addressed. The well-publicised security breaches across the cloud and Internet have forewarned us that early adopters, those that rush into new technology without having carefully weighed the risks and planned their defences, may suffer some unpleasant, unintended damage.

SDN is, by its very flexible, accessible and open nature, a totally new and terrifying attack surface for cyber-criminals. In the past, to exploit the network the criminal would have had to gain physical access to move a connection, or break into a whole string of separate devices and reprogram them without being noticed. With SDN, simply compromising the one point of control would allow them to do virtually anything on the network! Redirecting traffic, stealing copies of data in transit, disrupting service, inserting themselves into the middle between sender and receiver: the possibilities are almost too frightening to think about.

Let’s not, however, be put off. Like all cyber-security problems that came before, this challenge will be addressed, but let’s be mindful that we’re properly vetting our SDN providers to ensure that they are, indeed, proactively addressing these challenges.
