Terry Ip, Security Consultant
4 mins read
Hybrid networks that mix traditional networking devices with devices that also support SDN protocols will need to assure the security of the traditional devices as well, because their more traditional attack surfaces remain.
The first step is to identify the key parts of the existing infrastructure, and where important assets are stored. Focusing on securing these and then architecting future changes with security in mind should help prevent issues arising.
Traditional measures, such as the use of firewall rules and access control lists, will still be applicable and the use of SDN may allow more flexible application of firewall rules to hosts that move around the network. VLANs and containers can be rapidly configured, and hosts placed into network zones that both restrict traffic and allow detection opportunities for inter-zone traffic. Using an Out Of Band (OOB) channel for control traffic and the use of hardened bastion or jump boxes will remain a key way of protecting administration interfaces.
With the use of encrypted data channels, the monitoring of endpoints and logging information becomes increasingly necessary. Cloud services can be difficult to monitor and perform forensic activities on, and so a focus should be on analysis of the logs those services make available.
Although SSL-encrypted traffic can prevent deep packet inspection, flow data showing which hosts were communicating can allow an investigation to identify which hosts to analyze. A greater focus on endpoint monitoring can overcome some of the challenges presented. However, these solutions will be most effective if they are constantly monitored, so that baseline behaviour is understood, and maintained, rather than just relied on in the event of a breach.
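The flow-data pivot described above, combined with the zone-based detection opportunity mentioned earlier, as an added example that is not part of the original article. The flow records, the zone map and the field layout are constructed for illustration; real input would come from a NetFlow/IPFIX collector or cloud VPC flow logs.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not from the article): one flow per line,
# fields: timestamp, src_ip, dst_ip, dst_port, bytes.
FLOW_LINES = """\
2024-01-01T10:00:01Z,10.0.1.10,10.0.2.20,443,120000
2024-01-01T10:00:05Z,10.0.1.10,203.0.113.7,443,850
2024-01-01T10:00:09Z,10.0.1.11,10.0.1.10,22,3000
2024-01-01T10:01:00Z,10.0.2.20,10.0.3.30,5432,40000
2024-01-01T10:02:00Z,10.0.1.10,203.0.113.7,443,910
""".splitlines()

# Assumed zone map: which subnet belongs to which network zone. Anything that
# matches no zone is treated as external.
ZONES = {
    "user": ipaddress.ip_network("10.0.1.0/24"),
    "app": ipaddress.ip_network("10.0.2.0/24"),
    "db": ipaddress.ip_network("10.0.3.0/24"),
}


def parse_flow(line):
    """Split one CSV flow record into typed fields."""
    ts, src, dst, port, nbytes = line.split(",")
    return {
        "ts": ts,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "port": int(port),
        "bytes": int(nbytes),
    }


def zone_of(ip):
    """Name of the zone containing `ip` (string or address object)."""
    ip = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


def peers_of(host, lines):
    """Hosts that exchanged traffic with `host`, with total bytes either way,
    ordered largest first. Even when payloads are encrypted, this tells an
    investigator which endpoints to pull for deeper analysis."""
    host = ipaddress.ip_address(host)
    totals = defaultdict(int)
    for f in map(parse_flow, lines):
        if f["src"] == host:
            totals[str(f["dst"])] += f["bytes"]
        elif f["dst"] == host:
            totals[str(f["src"])] += f["bytes"]
    return dict(sorted(totals.items(), key=lambda kv: -kv[1]))


def inter_zone_flows(lines):
    """Flows that cross a zone boundary, as (src_zone, dst_zone, src, dst, port).
    Intra-zone traffic is dropped from the result; what remains is the
    traffic the zone design exists to restrict and therefore worth alerting on."""
    out = []
    for f in map(parse_flow, lines):
        sz, dz = zone_of(f["src"]), zone_of(f["dst"])
        if sz != dz:
            out.append((sz, dz, str(f["src"]), str(f["dst"]), f["port"]))
    return out


if __name__ == "__main__":
    for peer, nbytes in peers_of("10.0.1.10", FLOW_LINES).items():
        print(f"10.0.1.10 <-> {peer}: {nbytes} bytes ({zone_of(peer)})")
    for row in inter_zone_flows(FLOW_LINES):
        print("cross-zone:", row)
```

Running this against the constructed records ranks the app server as the largest peer of the suspect host and surfaces the repeated small flows to the external address, which is the kind of pattern worth checking against a baseline before deciding which endpoints to image.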
For telcos, additional measures such as OOB connectivity between data centre points of presence will be relatively cheap to implement, compared with a business trying to achieve the same objective across an enterprise WAN spanning different offices. Many SDN solutions are open source, meaning lower capex and allowing resources to be invested in the staff who will support and secure the equipment.
The main cost will be building and growing the security capability of the organization. This can be achieved either by recruiting and training an in-house team, or through outsourced services. It is only with this capability and effective processes that an operator will be able to make efficient use of the security systems it invests in. Although a number of products exist on the market, as networks get more complex organizations will find that skilled defenders, armed with an array of open source tools, become increasingly important.
With increasingly dynamic systems, stringent change management and documentation processes will be required to maintain a current view of the landscape. Out-of-date records and documentation are already a common problem with more static infrastructure, and as it becomes more fluid this problem will grow exponentially if not brought under control.
The measures used to secure and monitor an SDN environment are not that dissimilar to those used in a traditional environment. The main difference will be that, with the ability to programmatically manage the system, there will potentially be a larger landscape to secure in a faster changing environment. This difference also means that, if leveraged properly, the environment could be easier to document, manage and maintain through automated means.
There are now opportunities to take advantage of the ability to programmatically manage a network. It could be easier to manage firewall rules in a manner that overcomes the issues of managing security in an increasingly dynamic landscape, such as in a cloud environment where virtualised hosts can be created and removed in different geographical locations to cope with changing demands.
It may be possible to interface threat management and monitoring systems with the network controllers. Rather than alerting that a host is making a connection to a malicious IP address or domain, the firewall rules could be automatically modified to prevent the connection from going out at all when the Indicators of Compromise (IoC) feed is updated. Network routing could be reconfigured in the event of a volumetric attack such as a DDoS attack.
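The IoC-driven rule update described above, as an added example that is not part of the original article. The feed snapshot, the internal ranges, the confidence threshold and the rule dictionary shape are all assumptions made for illustration; a real deployment would map each rule onto the controller's northbound API (an OpenFlow match/action pair, for instance). The checks that matter for a defender are the ones that stop a bad feed entry from doing damage: unparseable values, indicators that fall inside your own address space, low-confidence entries, duplicates, and rules that never expire.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed IoC feed snapshot (not from the article): one indicator per
# line, "type,value,confidence". It deliberately contains a duplicate, a
# malformed entry, an internal address and a low-confidence range.
IOC_FEED = """\
ipv4,198.51.100.23,90
ipv4,198.51.100.23,90
ipv4,not-an-ip,95
ipv4,10.0.2.20,99
ipv4,203.0.113.0/24,80
domain,bad.example,90
"""

# Assumed internal ranges that a feed entry must never cause us to block,
# and the minimum confidence we will act on automatically.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]
MIN_CONFIDENCE = 85

# Fixed timestamp so the example's output is reproducible.
EXAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


def parse_feed(text):
    """Yield (kind, value, confidence) tuples from the feed text."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, value, conf = line.split(",")
        rows.append((kind.strip(), value.strip(), int(conf)))
    return rows


def ioc_to_rules(text, now=None, ttl_hours=24):
    """Turn IPv4 indicators into controller drop rules plus a skip list.

    Returns (rules, skipped). Each rule is a plain dict in an assumed,
    controller-neutral shape; `skipped` records why an entry was not acted
    on, which is what the change record should carry."""
    now = now or datetime.now(timezone.utc)
    rules, skipped, seen = [], [], set()
    for kind, value, conf in parse_feed(text):
        if kind != "ipv4":
            skipped.append((value, "unsupported-type"))
            continue
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            skipped.append((value, "unparseable"))
            continue
        # Never let a feed entry block our own address space.
        if any(net.subnet_of(internal) for internal in INTERNAL):
            skipped.append((value, "internal-range"))
            continue
        if conf < MIN_CONFIDENCE:
            skipped.append((value, "low-confidence"))
            continue
        if net in seen:          # duplicate indicator, already covered
            continue
        seen.add(net)
        rules.append({
            "priority": 1000,
            "match": {"eth_type": 0x0800, "ipv4_dst": str(net)},
            "actions": [],       # empty action list == drop in OpenFlow
            "expires": (now + timedelta(hours=ttl_hours)).isoformat(),
            "reason": f"ioc-feed confidence={conf}",
        })
    return rules, skipped


if __name__ == "__main__":
    rules, skipped = ioc_to_rules(IOC_FEED, now=EXAMPLE_NOW)
    for r in rules:
        print("push:", r)
    for value, why in skipped:
        print(f"skip {value}: {why}")
```

The expiry field is what keeps the automation compatible with the change-management point made earlier: a rule that is pushed automatically should also be retired automatically, and the skip list gives the operator a record of what the feed asked for but did not get.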