The security challenges posed by SDN’s centralised control plane and roots of trust – how attacks can be prevented
The adoption of Software Defined Networking (SDN) continues to grow at a hugely impressive rate, with forecasts from IDC suggesting that the market will surge from $960 million last year to over $8 billion by 2018, representing a CAGR of 89.4%.
Organisations across a range of industries, including communications service providers, are aware of the technology and many have plans to evaluate SDN solutions in the near future. However, as with any new technology, its fast pace of growth has meant a rise in related security concerns. Many of these stem from its structure, and in particular the centralised control plane and Roots of Trust (RoT) issues.
One of the major advantages of deploying SDN architectures is the centralisation of the control plane of the network allowing for simplification of components within the infrastructure and for much greater flexibility in routing decisions based on a more holistic view of requirements and network activities.
However, by centralising the control, you also create a significant attack path for malicious activity. If this control plane is compromised then the whole network infrastructure could be at risk. Protecting the control plane of an SDN infrastructure is a major concern for service providers who are looking to deploy this new technology. Centralised control architecture is by definition connected everywhere and needs to be securely isolated from the flows of user traffic in the network. The access control to the management and control plane of the infrastructure also needs to be tightly administered.
SDN in service provider networks is regularly combined with Network Functions Virtualisation
(NFV). With NFV service providers now have the ability to dynamically create software based network components such as routers and firewalls etc within their next generation infrastructures. However access to these functions needs to be controlled. Service providers can create logical infrastructures for customers and allow them some level of control, however this will all require an authentication system of some description. If this is compromised it would allow, for example, customer networks to be accessed externally.
The question is: how will this authentication system be administered and what would prevent hackers creating rogue functions in the infrastructure? Whatever system is used it will need to be linked to an authority – someone who can set the rules in the infrastructure for access control. In technical terms this is a called Root of Trust (RoT). For example, the service provider can be the RoT and can set access control for each customer, but if this is compromised someone else could open up the whole network. How the RoT will be secured and what methods are used for authentication and access control in SDN/NFV networks is a key area which needs to be addressed as these technologies develop.
In addition, it is important to note that SDN only forms part of a wider network and ICT environment, and organisations need to look at security holistically. The onus falls very much on the service providers to make sure they have rigorous processes and robust technologies in place to safeguard their customers’ data and applications. Telecoms companies should therefore be building security measures into every layer of the network. Analytics are particularly important here. Operators should be automatically identifying any traffic abnormalities. Deviation from normal activity, such as large peak-flows and behavioural changes, can often be a good indicator that there is an attack in progress
SDN and NFV are defining the new architectural paradigm for service provider networks of the future; there are new challenges in security which the industry is working to solve. One of the key advantages is that now we can build in security from the very roots of the infrastructure, creating multiple layers of protection and isolation. This means that it should be possible for these networks to be even more secure than current service provider infrastructures of today.
 SDN Momentum Builds in Datacenter and Enterprise Networks, IDC, 2014
By Brian Levy, CTO, EMEA, Brocade