Software-defined networking (SDN) technology pulls a network's control plane into a dedicated SDN controller, which manages and mediates all functions and services on virtual and physical networks. Because of this separation and control, SDN security strategies offer a deeper level of granularity to packet analysis, network monitoring and traffic control that will go a long way in preventing network attacks.
The rise of software-defined monitoring
Recently Microsoft revealed that it is internally using a homegrown OpenFlow-based network tap aggregation platform (dubbed Distributed Ethernet Monitoring, or DEMON). The tool is aimed to tackle the huge volume of traffic within Microsoft's cloud network. Previously, the thousands of individual connections and flows were entirely too much for traditional taps and capture mechanisms like SPAN or mirror ports to handle.
By programming flexible switches and other network devices to act as packet interception and redirection platforms, security teams can potentially detect and mitigate a variety of attacks that are commonly seen today.
By programming flexible switches and other network devices to act as packet interception and redirection platforms, security teams can potentially detect and mitigate a variety of attacks that are commonly seen today. Many industry sources are referring to SDN-driven security analysis as software-defined monitoring (SDM). In SDM, SDN switches can act as packet brokers and controllers can aid in monitoring and analysis.
Using SDN for security monitoring and packet analysis
To start with, relatively inexpensive commodity SDN-programmable switches from vendors like IBM, Juniper, HP and Arista Networks can be used to take the place of more expensive packet brokers. Similar to the Microsoft use case, large numbers of individual connections and flows can be aggregated and collectively sent to multiple security packet capture and analysis platforms. A first layer of switches could be used for capture and packet routing, while a second (and potentially third) layer would be used for terminating monitoring ports from the first layer. These switches could also potentially aggregate traffic and send flow and statistical data to other monitoring devices and platforms.
An OpenFlow-compatible (preferably sFlow-compatible as well) SDN controller, such as the Big Switch Controller, can be used to program and manage multiple SDN-compatible switches. Meanwhile, security monitoring overlay software products like Big Switch's Big Tap, enable engineers to program more granular filtering and port assignment capabilities to emulate traditional tap functionality in the SDN switches.
Within this context, multiple layers of packet analysis tools can receive traffic from the SDM ports. The SDM ports can serve hardware tools, such as packet brokers and network forensics devices, or software-based protocol analyzers, such as Wireshark.
How SDN security strategies tackle network attack prevention
SDN offers a new level of network visibility even in the most complex environment. As a result, controllers and switches are able to identify various packet attributes. This allows for automated blocking or offloading of traffic in Denial of Service (DoS) attacks, for example. Indeed, SDN can take a number of attacks, including:
- Volumetric attacks, such as SYN floods: These attacks consist of huge quantities of TCP packets with only the SYN flags set. This can clog bandwidth, and also fill up connection queues on particular systems that may be targeted. SDN-programmed switches may be able to act as a first line of defense in identification of particular patterns and thresholds of packet volume from a single source or multiple sources within a particular timeframe. These switches can then drop the traffic or redirect it using other techniques and protocols. Most routers and other network platforms lack this level of granular control.
- Application and service-specific attacks: These attacks target Web services with very particular series of HTTP requests (using specific user-agent strings with specific cookie variables and the like). SDN devices can identify, log and discard these requests.
- DDoS attacks targeting protocol behavior: These attacks fill network device state tables, but SDN devices can identify this behavior based on flow timing and connection limits.
More on SDN and security
The dark side of SDN and security
Can SDN be used to control network access?
Additionally, SDN can emulate many basic firewall functions. Controllers can execute scripts and commands that can quickly update MAC and IP address and port filtering, allowing for rapid response and updates to traffic policies and rules. This also frees up other network devices from handling large quantities of traffic.
This just begins to scratch the surface of SDN security capabilities. With the ability to handle much larger quantities of traffic, honing in on specific packet attributes, network security analysts can do much more than basic packet filtering and DDoS detection. More advanced intrusion detection and incident response use cases are not only possible, but also likely.
About the author: Dave Shackleford is owner and principal consultant at Voodoo Security, senior vice president of research and CTO at IANS, and a SANS analyst, instructor, and course author. He is a VMware vExpert and has extensive experience designing and configuring secure virtualized infrastructures. He co-authored the first published course on virtualization security for the SANS Institute, serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance. Send comments on this article to firstname.lastname@example.org.