With the rise of technologies such as software-defined networking, hyper-converged infrastructure and the Internet of Things, customers are facing new security vulnerabilities as the attack surface of their IT environment shifts in dramatic ways.
To help channel partners address these issues, we conducted interviews with several key industry executives who discussed how these technologies are changing the security landscape, identified important security weaknesses and shared tips on how to strengthen a customer's security posture.
In this IT security tutorial, we examine IT security associated with SDN technology, which separates a network's control plane from the data plane, enabling administrators to manage traffic and program network devices from a centralized control console.
Software-defined networking tutorial: Key vulnerabilities
The software switch: A key software-defined networking (SDN) vulnerability is that the switch -- also known as 'soft switch' or 'vswitch' -- is now part of the compute fabric, said Randy Bias, vice president of technology at EMC Corp. Previously, network switches were separate hardware devices that had to be penetrated separately, making an attacker's job harder. Now if a hypervisor or any Linux system with a software switch is compromised, the attacker has access to the entire switch fabric and could craft packets that spread throughout the network.
The control plane: SDN organizes resources in one place. In the past, network devices came from a number of vendors and were mostly deployed as islands, so organizations had a heterogeneous system with many control planes. This is different from SDN, which separates the control plane and data plane. The control plane is the intelligence and application program interfaces (APIs) that manage the data plane. The data plane consists of the software and hardware switches that forward traffic and control flows. It may also include more advanced network services such as firewalls and load balancers. Under SDN, there is a unified, homogeneous control plane that has a unified API that can control where network traffic goes, how it's secured and how it's managed. Bias said this reduces complexity and increases operational efficiency, but it also means that if the control plane is penetrated, the attacker owns everything.
More points of entry: Under SDN, customers can easily and quickly increase the number of servers that are being deployed, which facilitates an increase in productivity but also adds to the number of virtual machines and expands the attack surface, giving unauthorized users more points of entry to attack the data, said Rob Chee, principal security architect at Force 3, a network security company based in Crofton, Md.
Third-party vendors: Vendors are introducing more features that allow third-party vendors to use APIs, Chee warned. By adding new features and new tools to support those features at a rapid pace, it's difficult to tie security to those features. The potential to open up security vulnerabilities increases.
Mitigation strategies for SDN technology
Bias recommended that control planes for SDN technology should have extremely restricted access to curtail the number of authorized individuals who are allowed to use the system.
Chee recommended several initiatives, including:
- As virtual machines are added, channel partners and customers must make sure they keep up to date with their patch management program.
- Have a distributed firewall operating at high speed within the hypervisor kernel in front of every virtual machine, as well as firewalls in between different layers such as database apps or Web tiers.
- Rely on security information and event management as well as log management technology, which can expand visibility and allow you to better detect and prevent data center intrusion.
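To make the last two recommendations concrete, here is an added example that is not code from the article or from any vendor mentioned in it. It models a default-deny microsegmentation policy of the kind a per-VM distributed firewall enforces (only the tier-to-tier edges listed are allowed), evaluates it over a constructed set of flow records, and then applies a simple SIEM-style rule that flags a VM making repeated blocked connection attempts, which is the lateral-movement pattern an attacker who has compromised one host in the fabric would produce. The tier names, IP addresses, ports and the flow-record format are assumptions for illustration.

```python
"""Added example (not from the article): default-deny tier policy for a
per-VM firewall, evaluated over constructed flow records, plus a simple
SIEM-style rule that flags a source making repeated denied attempts.
Tiers, addresses, ports and the log format are assumptions."""

from collections import defaultdict
from dataclasses import dataclass

# Hypothetical inventory: which tier each VM belongs to (assumption).
# Any address not listed is treated as external to the fabric.
VM_TIER = {
    "10.0.1.10": "web", "10.0.1.11": "web",
    "10.0.2.10": "app",
    "10.0.3.10": "db",
}

# Allowed (src_tier, dst_tier, dst_port) edges; anything else is denied.
POLICY = {
    ("external", "web", 443),
    ("web", "app", 8080),
    ("app", "db", 5432),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def tier_of(ip: str) -> str:
    return VM_TIER.get(ip, "external")


def evaluate(flow: Flow) -> str:
    """Per-VM firewall decision: allow only the listed tier-to-tier edges."""
    src_t, dst_t = tier_of(flow.src), tier_of(flow.dst)
    if dst_t == "external":
        return "DENY"  # egress from the fabric is out of scope for this policy
    if (src_t, dst_t, flow.dport) in POLICY:
        return "ALLOW"
    return "DENY"


def parse_flow_line(line: str) -> Flow:
    """Constructed log format: '<src_ip> <dst_ip> <dst_port>'."""
    src, dst, dport = line.split()
    return Flow(src, dst, int(dport))


def detect_scanners(lines, threshold=3):
    """SIEM-style rule: a source whose denied flows reach at least
    `threshold` distinct (destination, port) pairs is flagged as probing."""
    denied = defaultdict(set)
    for line in lines:
        f = parse_flow_line(line)
        if evaluate(f) == "DENY":
            denied[f.src].add((f.dst, f.dport))
    return sorted(src for src, targets in denied.items() if len(targets) >= threshold)


# Constructed sample flow records; the comments give the expected verdict.
SAMPLE_FLOWS = [
    "203.0.113.5 10.0.1.10 443",   # client -> web: ALLOW
    "10.0.1.10 10.0.2.10 8080",    # web -> app: ALLOW
    "10.0.2.10 10.0.3.10 5432",    # app -> db: ALLOW
    "10.0.1.11 10.0.3.10 5432",    # web -> db directly: DENY
    "10.0.1.11 10.0.1.10 22",      # web -> web ssh: DENY (lateral)
    "10.0.1.11 10.0.2.10 22",      # web -> app ssh: DENY
    "203.0.113.5 10.0.3.10 5432",  # client -> db: DENY
]

if __name__ == "__main__":
    for line in SAMPLE_FLOWS:
        print(line, "->", evaluate(parse_flow_line(line)))
    print("flagged sources:", detect_scanners(SAMPLE_FLOWS))
```

Run as-is, the three legitimate tier-to-tier flows are allowed, the web-to-database and SSH attempts are denied, and 10.0.1.11 is the only source flagged, because its denied attempts hit three distinct destination/port pairs while the external client produced only one. The point of placing the policy at every VM rather than at a perimeter choke point is that the web-to-web SSH attempt is blocked even though both hosts sit in the same segment, and the denials become log events a SIEM can correlate.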
Brad Medairy, senior vice president and executive at Booz Allen Hamilton's Strategic Innovation Group, which serves clients across the defense, commercial and civil markets, said information needs to be prioritized under an SDN infrastructure. Channel partners and their customers must keep in mind that the most important information in the enterprise must be protected. For example, financial data, personally identifiable information and protected health information should be maintained and stored in a compliant manner that adheres to government and industry regulations.
This software-defined networking tutorial is part of an IT security tutorial on emerging technologies. The tutorial also examines hyper-converged infrastructure and Internet of Things technology.