In October 2011, Chris Hoff wrote a blog post, "The Killer App For OpenFlow and SDN? Security." In it, he argues that centralized control and widespread automation will be the core functionality of software-defined networking -- ultimately enabling adaptive and automated network security. This vision is beginning to come to fruition.
The centralized control enabled by SDN will ultimately result in security-defined routing and other SDN security strategies that could forever change how we defend the network and the applications or data running across it.
What is security-defined routing?
The academic work of Texas A&M PhD candidate Seungwon Shin offers insight into how SDN will change network security. Shin hosts two papers on his university page addressing SDN network security strategies. The first, "CloudWatcher: Network Security Monitoring Using OpenFlow in Dynamic Cloud Networks," describes a paradigm for performing security monitoring in cloud environments leveraging SDN control platforms, such as NOX and Beacon (the original Stanford-developed SDN controller for OpenFlow).
Shin and his colleague, Texas A&M PhD candidate Guofei Gu, describe a new policy language that can be used to identify network devices and their specific monitoring capability sets. Using this language, controllers can direct monitoring to network flows between specific devices. They can also automatically route traffic for virtual machine migrations and other dynamic events in cloud environments to specific areas of the network. That means, for example, they can push specific flows to intrusion detection systems (IDS) devices, allowing security teams to monitor events as needed in very dynamic environments. In this model, Shin and Gu essentially lay out the fundamentals of security-defined routing and flow control -- even with traditional network security controls in place.
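The following is an added illustration of the idea in the paragraph above, written for this page rather than taken from CloudWatcher or any controller: a toy controller that takes a monitoring policy naming two devices and a security capability, compiles it into OpenFlow-style rules that forward the flow normally and also mirror it to the IDS port, and recompiles those rules when a VM migrates to another switch. The device inventory, sensor locations, rule fields (`nw_src`, `nw_dst`) and the `tunnel` action are hypothetical.

```python
"""Toy security-defined routing controller (added example, not CloudWatcher code).

A MonitorPolicy names two devices and a capability ("ids"); the controller
turns it into flow rules on the switch where the destination is attached. Each
rule forwards to the destination port and mirrors to the sensor port if the
sensor is local, otherwise to a hypothetical tunnel action toward the sensor's
switch. Migrating a device recompiles every rule that references it.
"""
from dataclasses import dataclass


@dataclass
class Device:
    name: str
    switch: str   # switch the device is attached to (hypothetical inventory)
    port: int
    ip: str


@dataclass
class MonitorPolicy:
    src: str          # device name
    dst: str          # device name
    capability: str   # e.g. "ids"; must be offered by some sensor


@dataclass
class FlowRule:
    switch: str
    match: dict       # exact-match fields, e.g. {"nw_src": ..., "nw_dst": ...}
    actions: list
    priority: int = 100


class Controller:
    def __init__(self, devices, sensors):
        self.devices = {d.name: d for d in devices}
        self.sensors = dict(sensors)   # capability -> (switch, port)
        self.policies = []
        self.rules = []

    def add_policy(self, policy):
        if policy.capability not in self.sensors:
            raise ValueError(f"no sensor provides capability {policy.capability!r}")
        self.policies.append(policy)
        self._recompile()

    def migrate(self, name, switch, port):
        """A VM moved: update its attachment point and regenerate the rules."""
        old = self.devices[name]
        self.devices[name] = Device(name, switch, port, old.ip)
        self._recompile()

    def _recompile(self):
        self.rules = []
        for p in self.policies:
            s_switch, s_port = self.sensors[p.capability]
            # "flows between" two devices covers both directions
            for a, b in ((p.src, p.dst), (p.dst, p.src)):
                src, dst = self.devices[a], self.devices[b]
                actions = [("output", dst.port)]
                if s_switch == dst.switch:
                    actions.append(("output", s_port))        # local mirror port
                else:
                    actions.append(("tunnel", s_switch, s_port))  # hypothetical remote mirror
                self.rules.append(FlowRule(dst.switch,
                                           {"nw_src": src.ip, "nw_dst": dst.ip}, actions))

    def lookup(self, switch, pkt):
        """Highest-priority matching rule on this switch; unmatched -> send to controller."""
        best = None
        for r in self.rules:
            if r.switch == switch and all(pkt.get(k) == v for k, v in r.match.items()):
                if best is None or r.priority > best.priority:
                    best = r
        return best.actions if best else [("controller",)]


if __name__ == "__main__":
    # constructed inventory: web and db on sw1, IDS on sw1 port 9
    ctl = Controller([Device("web", "sw1", 1, "10.0.0.10"),
                      Device("db", "sw1", 2, "10.0.0.20")], {"ids": ("sw1", 9)})
    ctl.add_policy(MonitorPolicy("web", "db", "ids"))
    print(ctl.lookup("sw1", {"nw_src": "10.0.0.10", "nw_dst": "10.0.0.20"}))
    ctl.migrate("db", "sw2", 5)   # db migrates to another switch
    print(ctl.lookup("sw2", {"nw_src": "10.0.0.10", "nw_dst": "10.0.0.20"}))
```

The point to notice is that the policy is written in terms of devices, not switch ports, so the monitoring follows the workload through the migration; a rule that no longer applies on `sw1` disappears and unmatched traffic falls back to the controller.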
SDN security applications for OpenFlow controllers
In Shin's second paper, "FRESCO: Modular Composable Security Services for Software-Defined Networks," Shin and colleagues Phillip Porras, Vinod Yegneswaran, Martin Fong, Guofei Gu, and Mabry Tyson, discuss the lack of definitive security applications for SDN, and OpenFlow in particular, and offer a new development framework for SDN security use cases called FRESCO. This framework's scripting capability allows security practitioners to create new modular libraries that integrate and extend security functions to control and manage traffic with OpenFlow controllers and hardware. FRESCO includes 16 modules, each of which has five interfaces: input, output, event, parameter and action. By assigning values to these interfaces, a number of common network security platforms and functions can be implemented, mimicking firewalls, IDS and traffic management tools.
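To make the five-interface idea concrete, here is an added example modeled loosely on that description; it is not FRESCO code and does not use FRESCO's actual module library or scripting language. Two hypothetical modules, a port-scan detector and a flow blocker, each expose input, output, event, parameter and action, and chaining them turns a batch of flow records into DROP rules the way a simple firewall function would. The flow records are constructed.

```python
"""Composable security modules with FRESCO-style interfaces (added example, not FRESCO).

Each Module carries the five interfaces named in the paper: input, output,
event, parameter and action. compose() chains modules so one module's output
is the next one's input; the last module's action list is what a controller
would turn into flow-table entries.
"""
from collections import defaultdict


class Module:
    def __init__(self, name, event, parameter=None):
        self.name = name
        self.event = event                  # trigger this module subscribes to
        self.parameter = dict(parameter or {})
        self.input = None
        self.output = None
        self.action = []

    def process(self, input):
        raise NotImplementedError


class PortScanDetector(Module):
    """input: (src, dst, dport) records; output: sources that touched at least
    `threshold` distinct ports on a single host (a simple vertical-scan heuristic)."""

    def __init__(self, threshold):
        super().__init__("port_scan_detector", event="flow_records",
                         parameter={"threshold": threshold})

    def process(self, input):
        self.input = input
        ports = defaultdict(set)
        for src, dst, dport in input:
            ports[(src, dst)].add(dport)
        self.output = sorted({src for (src, _), seen in ports.items()
                              if len(seen) >= self.parameter["threshold"]})
        return self.output


class FlowBlocker(Module):
    """input: offending sources; action: DROP rules with an idle timeout so a
    block expires on its own instead of living forever in the flow table."""

    def __init__(self, idle_timeout):
        super().__init__("flow_blocker", event="scan_detected",
                         parameter={"idle_timeout": idle_timeout})

    def process(self, input):
        self.input = input
        self.action = [{"match": {"nw_src": src}, "action": "DROP",
                        "idle_timeout": self.parameter["idle_timeout"]} for src in input]
        self.output = self.action
        return self.output


def compose(modules):
    """Wire modules in a chain: output of module i becomes input of module i+1."""
    def run(data):
        for m in modules:
            data = m.process(data)
        return data
    return run


# constructed flow records: one host probes six ports, another talks normally
FLOW_RECORDS = [
    ("10.0.0.66", "10.0.0.20", 21), ("10.0.0.66", "10.0.0.20", 22),
    ("10.0.0.66", "10.0.0.20", 23), ("10.0.0.66", "10.0.0.20", 25),
    ("10.0.0.66", "10.0.0.20", 80), ("10.0.0.66", "10.0.0.20", 443),
    ("10.0.0.10", "10.0.0.20", 443), ("10.0.0.10", "10.0.0.20", 443),
    ("10.0.0.10", "10.0.0.20", 80),
]


def demo(threshold=5, idle_timeout=300):
    pipeline = compose([PortScanDetector(threshold), FlowBlocker(idle_timeout)])
    return pipeline(FLOW_RECORDS)


if __name__ == "__main__":
    for rule in demo():
        print(rule)
```

Changing only the parameter values (a higher threshold, a longer timeout) or swapping the second module for one that redirects rather than drops changes the security function without touching the detector, which is the composability the paragraph describes.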
SDN and automated network security in action
While these ideas are still in the academic research phase, there are quite a few more tactical examples of vendors and standards groups working to enable SDN-based security strategies. For example, a blog post, "sFlow Packet Broker," at the sflow.com site describes a simple Python script that configures InMon's sFlow-RT controller application to inspect all traffic, looking specifically for Generic Routing Encapsulation (GRE) tunnels containing traffic destined for TCP port 22 (SSH). Once troubling traffic is detected, it generates an alert that leads to a packet capture for analysis. These alerts could also lead to more advanced responses like firewall API integration for throttling the traffic, opening or closing ports, moving the traffic to a different segment or VLAN, and more.
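The detection that the sFlow-RT script performs can be shown on raw packet bytes. The following is an added example written for this page, not the sflow.com script and not sFlow-RT's API: it walks the IPv4, GRE, inner IPv4 and TCP headers of a sampled packet and raises an alert only when an IPv4 GRE tunnel carries TCP traffic to port 22. The sample packets are constructed in the block so it runs offline; the GRE flag handling follows the checksum, key and sequence bits of RFC 2784/2890.

```python
"""Detect SSH (TCP/22) carried inside GRE tunnels (added example, not sFlow-RT code).

Walks IPv4 -> GRE -> IPv4 -> TCP in a raw packet sample, such as the header
bytes a flow collector receives, and returns an alert dict on a match.
"""
import struct
from ipaddress import IPv4Address

IPPROTO_GRE = 47
IPPROTO_TCP = 6
ETHERTYPE_IPV4 = 0x0800
SSH_PORT = 22


def parse_ipv4(buf):
    """Return (protocol, src, dst, header_len) for the IPv4 header at buf[0]."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        raise ValueError("truncated IPv4 header")
    return buf[9], str(IPv4Address(buf[12:16])), str(IPv4Address(buf[16:20])), ihl


def parse_gre(buf):
    """Return (header_len, protocol_type). The base header is 4 bytes; the C, K
    and S flag bits each add a 4-byte field (checksum+reserved, key, sequence)."""
    if len(buf) < 4:
        raise ValueError("truncated GRE header")
    flags = buf[0]
    length = 4 + 4 * bool(flags & 0x80) + 4 * bool(flags & 0x20) + 4 * bool(flags & 0x10)
    if len(buf) < length:
        raise ValueError("truncated GRE header")
    return length, struct.unpack("!H", buf[2:4])[0]


def detect_tunneled_ssh(pkt):
    """Alert dict if pkt is IPv4/GRE carrying IPv4/TCP to port 22, else None."""
    try:
        proto, osrc, odst, off = parse_ipv4(pkt)
        if proto != IPPROTO_GRE:
            return None
        glen, ptype = parse_gre(pkt[off:])
        if ptype != ETHERTYPE_IPV4:
            return None
        inner = pkt[off + glen:]
        iproto, isrc, idst, ioff = parse_ipv4(inner)
        if iproto != IPPROTO_TCP or len(inner) < ioff + 4:
            return None
    except ValueError:
        return None   # malformed or truncated sample: not this alert
    sport, dport = struct.unpack("!HH", inner[ioff:ioff + 4])
    if dport != SSH_PORT:
        return None
    return {"tunnel": (osrc, odst), "inner": (isrc, idst), "sport": sport, "dport": dport}


# --- constructed sample packets (no real captures) --------------------------
def ipv4_header(proto, src, dst, payload_len):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                       64, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)


def tcp_header(sport, dport):
    # 20-byte header, data offset 5, SYN flag, zero checksum (not validated here)
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)


def build_gre_packet(outer_src, outer_dst, inner_src, inner_dst, dport, key=None):
    tcp = tcp_header(40000, dport)
    inner = ipv4_header(IPPROTO_TCP, inner_src, inner_dst, len(tcp)) + tcp
    gre = (struct.pack("!HH", 0x0000, ETHERTYPE_IPV4) if key is None
           else struct.pack("!HHI", 0x2000, ETHERTYPE_IPV4, key))   # K bit set
    return ipv4_header(IPPROTO_GRE, outer_src, outer_dst, len(gre) + len(inner)) + gre + inner


if __name__ == "__main__":
    samples = {
        "gre-ssh": build_gre_packet("192.0.2.1", "192.0.2.2", "10.1.0.5", "10.2.0.9", 22),
        "gre-ssh-keyed": build_gre_packet("192.0.2.1", "192.0.2.2", "10.1.0.5", "10.2.0.9", 22, key=42),
        "gre-https": build_gre_packet("192.0.2.1", "192.0.2.2", "10.1.0.5", "10.2.0.9", 443),
        "plain-ssh": ipv4_header(IPPROTO_TCP, "10.1.0.5", "10.2.0.9", 20) + tcp_header(40000, 22),
    }
    for name, pkt in samples.items():
        print(name, detect_tunneled_ssh(pkt))
```

Note that the check is on the destination port only, exactly as the post describes, so SSH on a non-standard port inside a tunnel is not flagged; keyed tunnels are handled because the GRE header length is computed from the flag bits rather than assumed to be four bytes.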
Meanwhile, virtual firewalls are already paving the way for using open APIs to integrate security functions into the network. Richard Park, director of product management at Netuitive Inc., wrote a blog post back in 2011 where he describes using Perl code for querying and updating VMware vShield firewall rules using a RESTful API, and this is just the tip of the iceberg. With new SDN tools and orchestration platforms, most of our network security detection and response functions may soon become much more automated, allowing for more rapid incident handling and perhaps a bit of "breathing room" when an attack occurs.
With the rapid onset of toolkits like FRESCO, new and powerful APIs available from network and virtualization vendors for automation and orchestration, and growing support for protocols like OpenFlow and standards like sFlow, we could finally see adaptive security that is better integrated into the network.
About the author:
Dave Shackleford is senior vice president of research and chief technology officer (CTO) at IANS, and a SANS analyst, instructor and course author. He has consulted with hundreds of organizations in the areas of security, regulatory compliance and network architecture and engineering. He is a VMware vExpert and has extensive experience designing and configuring secure virtualized infrastructures. He has previously worked as chief security officer for Configuresoft; CTO for the Center for Internet Security; and as a security architect, analyst and manager for several Fortune 500 companies. Dave is the author of the Sybex book Virtualization Security: Protecting Virtualized Environments, and he recently co-authored the first published course on virtualization security for the SANS Institute. He currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.