Software Defined Networks seems to be the big buzzword of the moment, well it certainly is in our office.
SDN brings core functions such as centralised control and automation to your virtualised networks, allowing new environments and networks to be spun up in a matter of minutes.
However with new technologies, there are always new security concerns.
Among those concerns are subjects such as
- Securing the controller
- Physical and Virtual Security
- Traditional Vs Next Generation Firewalls
- Security Event and Incident Management
- Automation and APIs
A lot of these concerns and questions have arisen in my mind whilst I’ve been researching the SDN Security in preparation of our new Office SDN Lab and, as ever, there is a wealth of information from numerous sources online. In fact, there may even be too much out there to digest easily, so I’m going to start with one topic per blog and will talk about some of the concerns around each and what can be done to mitigate the risks involved.
Today we are going to talk about the Securing the controller.
What is the controller?
Essentially the controller is the brain behind the switching and routing in your virtual environment, with the ability to push changes centrally to all subscribed network nodes and as such it becomes the single biggest point of risk.
A simple misconfiguration from the controller, whether by design or not, has the ability to take the network down.
The following points are all important considerations when designing your network.
As with any management system, consideration as to its location on your networks and how that location reached is vital. I am a big fan of dedicated and protected management networks, ensuring that all management is allowed granularity and is kept separate from production networks. It is also important to ensure that all system access is logged, so you know by whom and when the system has been accessed.
Communication, not only to the controller, but also from the controller, in particular to the network nodes needs to be secure. Most Switches and Routers will have SSH and SSL capabilities, which can easily be utilised.
The underlying operating system for the controller will need to be hardened to ensure that no OS vulnerabilities compromise the system.
Ensure that everything that comes out of your controller is logged. Admins will have control centrally over the Virtual Network and therefore all changes made via the controller should be logged and exported to your infrastructure Event Manager. This should be standard practice when dealing with multi tenant environments in order to ensure full audit paths.
As mentioned at the start of this blog, the controller is the brain behind the routing and switching, therefore if the controller goes down (for example, because of a DDoS attack), so does the ability to manage your network. As with any resilient network, high availability should be considered when designing.
Next Blog from me, will be looking at Physical and Virtual firewalls and Traditional vs Next Generation firewalls within SDN.
For more information on SDN please contact us at firstname.lastname@example.org