
Automation key to getting SDN security right

Nimmy Reichenberg, VP of Strategy, AlgoSec | Aug. 8, 2016
If you can’t see the network, how do you control and secure it?

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

Where did your network go? We’re rapidly approaching a time when enterprises won’t be able to actually see their networks’ cables or the blinking router lights. Software-defined networks drive efficiency and agility and make businesses more scalable and flexible. But SDNs also create uncertainty about security because the network is moving out of plain sight.

If you can’t see the network, how do you control and secure it?  

One useful analogy is the anxiety some people feel when flying; they are afraid of flying yet aren’t at all anxious about driving a car. Yet, statistically, a plane is far safer than a car as a mode of transport. The key issue here is control. Sitting in the driver’s seat, most of us feel in control. We know how to drive the car and how to stay safe. But we’re not at the controls of the plane and, what’s more, most of us don’t know how to fly one. It’s unfamiliar territory, with no visibility.

Similar dynamics are at play when it comes to SDN security. IT managers are working with networks they can’t see. So it’s easy to feel less secure with a software-defined environment than with an entirely on-premises infrastructure where you install and control the security infrastructure.

But in reality, SDN is often more secure than an on-premises network. It’s more adaptive, more agile and automated, and therefore allows managers to spend more time defining their security policies, and less time enforcing those policies with cumbersome manual processes.

Securing the software defined net

The basics of security in SDNs are the same as in any other network environment. You need to know what’s happening within your network through rigorous monitoring. You need to properly manage all changes, put risk analysis at the heart of your security posture, maintain the principle of least privilege, segment the network according to business-critical applications, and maintain governance and compliance requirements.

Security of the network perimeter will depend on whether you’re using a public cloud (in which case it will depend on what’s provided by the platform provider) or a private cloud (in which case it is up to your own security team to provide).

Security inside the SDN is where things get more flexible. Current options include:

  • Virtual firewalls, which offer the advantage of familiarity but also force network traffic through a single ‘choke’ or access point – an old-fashioned approach.
  • Host agents that utilize existing host-based firewalls. They work across clouds and provide some advanced functionality, but add cost and management overhead.
  • Cloud provider security groups or “distributed firewalls”, which provide abstracted firewalls at the network fabric level. These are extremely granular and are usually free, but they are also different for every cloud provider and they currently lag behind commercial firewalls when it comes to advanced features such as application- and user-based policies.
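
Because security groups are shaped differently at each provider, an automated least-privilege check first has to normalize them. The sketch below is an added example, not code from the article or any vendor: it uses constructed sample rules in the shape of an AWS security group and an Azure network security group, and the helper names and the "only web ports may face the internet" policy are assumptions.

```python
import ipaddress

# Constructed sample in the shape of an AWS EC2 security group (IpPermissions).
AWS_SG = {"GroupId": "sg-example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
]}
# Constructed sample in the shape of an Azure NSG (securityRules).
AZURE_NSG = {"name": "nsg-example", "securityRules": [
    {"name": "web", "properties": {"direction": "Inbound", "access": "Allow",
        "sourceAddressPrefix": "*", "destinationPortRange": "443"}},
    {"name": "rdp", "properties": {"direction": "Inbound", "access": "Allow",
        "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"}},
    {"name": "db", "properties": {"direction": "Inbound", "access": "Allow",
        "sourceAddressPrefix": "10.0.1.0/24", "destinationPortRange": "1433-1434"}},
]}
PUBLIC_PORTS = {80, 443}  # assumed policy: only web ports may face the internet

def from_aws(sg):
    """Yield (owner, source_cidr, low_port, high_port) per ingress range."""
    for perm in sg["IpPermissions"]:
        for rng in perm.get("IpRanges", []):
            yield (sg["GroupId"], rng["CidrIp"], perm["FromPort"], perm["ToPort"])

def from_azure(nsg):
    """Same tuple shape for inbound allow rules of an NSG."""
    for rule in nsg["securityRules"]:
        p = rule["properties"]
        if p["direction"] != "Inbound" or p["access"] != "Allow":
            continue
        # Assumption: "*" and the Internet tag are treated as any source.
        src = "0.0.0.0/0" if p["sourceAddressPrefix"] in ("*", "Internet") else p["sourceAddressPrefix"]
        lo, _, hi = p["destinationPortRange"].partition("-")
        if lo == "*":
            lo, hi = "0", "65535"
        yield (nsg["name"], src, int(lo), int(hi or lo))

def violations(rules):
    """Rules open to every source on any port outside PUBLIC_PORTS."""
    return [(owner, cidr, lo, hi) for owner, cidr, lo, hi in rules
            if ipaddress.ip_network(cidr).prefixlen == 0
            and not set(range(lo, hi + 1)) <= PUBLIC_PORTS]

def audit():
    return violations(list(from_aws(AWS_SG)) + list(from_azure(AZURE_NSG)))

if __name__ == "__main__":
    for v in audit():
        print("internet-exposed non-web rule:", v)
```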
