This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.
Where did your network go? We’re rapidly approaching a time when enterprises won’t be able to actually see their networks’ cables or the blinking router lights. Software defined networks drive efficiency and agility and make businesses more scalable and flexible. But SDNs also incite uncertainty about security because the network is moving out of plain sight.
If you can’t see the network, how do you control and secure it?
One useful analogy is the anxiety some people feel when flying; they are afraid of flying yet aren’t at all anxious about driving a car. Yet, statistically, a plane is far safer than the car as a mode of transport. The key issue here is control. Sitting in the drivers’ seat, most of us feel in control. We know how to drive the car and how to stay safe. But we’re not at the controls of the plane and, what’s more, most of us don’t know how to fly them. It’s unfamiliar territory, with no visibility.
Similar dynamics are at play when it comes to SDN security. IT managers are working with networks they can’t see. So it’s easy to feel less secure with a software-defined environment than with an entirely on-premise infrastructure where you install and control the security infrastructure.
But in reality, SDN is often more secure than an on-premise network. It’s more adaptive, more agile and automated, and therefore allows managers to spend more time defining their security policies, and less time enforcing those policies with cumbersome manual processes.
Securing the software defined net
The basics of security in SDNs are the same as in any other network environment. You need to know what’s happening within your network through rigorous monitoring. You need to properly manage all changes, put risk analysis at the heart of your security posture, maintain the notion of least privileged, segment the network according to business critical applications, and maintain governance and compliance requirements.
Security of the network perimeter will depend on whether you’re using a public cloud (in which case it will depend on what’s provided by the platform provider) or a private cloud (in which case it is up to your own security team to provide).
Security inside the SDN is where things get more flexible. Current options include:
- Virtual firewalls, which offer the advantage of familiarity but also force network traffic through a single ‘choke’ or access point – an old-fashioned approach.
- Host agents that utilize existing host-based firewalls. They work across clouds and provide some advanced functionality, but add cost and management overhead.
- Cloud provider security groups or “distributed firewall”, which provide abstracted firewalls at the network fabric level. These are extremely granular and are usually free, but they are also different for every cloud provider and they currently lag behind commercial firewalls when it comes to advanced features such as application and user based policies.
Automation is key
In addition to these options there is one crucial element that organizations should use to manage SDN security – automation. When Gartner asked businesses about their primary motivation for deploying cloud infrastructure as a service (IaaS), the winning factor – by a significant margin – was agility. It is crucial, therefore, that security does not become the bottleneck that prevents fast, agile deployments (and decommissioning processes) in a cloud environment.
Yet, by 2019, according to Gartner, 80% of all cloud breaches will be due to user misconfiguration as well as mismanaged credentials or insider theft, rather than provider-based vulnerabilities, which illustrates that the biggest potential vulnerability in SDN is user error rather than an inherent lack of security.
This is where automation comes in. Making manual changes to network and security processes policies every time a new application is deployed or a new server added is a cumbersome, error-prone process in on-premise networks. But in a hybrid cloud environment making changes manually quickly becomes downright impossible. A security policy management solution that automatically calculates, implements and documents all change processes, from connectivity discovery right through to security policy decommissioning, is therefore essential for SDN.
Network security implementation in SDN is undoubtedly different to that in an on-premise environment. Businesses that take the same approach to network security in both situations are doing it wrong.
However, the security fundamentals in SDN environments remain the same. It is extremely helpful for organizations migrating to an SDN environment to bring cloud experts onto their network security teams, to evaluate the different cloud security controls available, to help select the best one for that organization’s needs, and to ensure that security policies are managed in a consistent way across the entire environment. When using the right automation tools and processes, managing security processes across SDN provide the same levels of visibility and control as they are in on- premise networks, helping to take the fear out of moving your networks.
This story, "Automation key to getting SDN security right" was originally published by Network World.