
Software Defined Networks: An Introduction

Description of the technology


Software defined networks (SDNs) are an emerging technology that is changing the defense and networking paradigm (Urias, Stout, & Loverro, 2015). Traditionally, network devices such as switches and routers run control-plane protocols such as Open Shortest Path First (OSPF), Border Gateway Protocol (BGP) and Spanning Tree Protocol (STP) to determine the best port or interface on which to forward packets on the data plane (Hande, Jadhav, Patil, & Zagade, n.d.). These routing protocols use static information such as hop count to determine the best path through the network. Moreover, this decentralized method of network management is the leading cause of network faults and bugs, because of errors made during configuration (Ali, Sivaraman, Radford, & Jha, 2015). It has also led to the 'internet ossification phenomenon', which is essentially stagnated network innovation. Finally, there was no segregation of the control and data planes; this hardware-centric design does not provide the flexibility, extensibility, reliability and manageability that SDNs offer.
On the other hand, according to (Chiang et al., 2016) and (Masoudi & Ghaffari, 2016), SDNs simplify and improve network management by decoupling the data (forwarding) plane from the control (network) plane. This separation allows the control plane to program the forwarding plane via control protocols such as OpenFlow. The architecture consists of a logically centralized controller, which has a global view of the network, and forwarding devices, also known as SDN switches (the equivalent of routers, switches and NAT firewalls) (Masoudi & Ghaffari, 2016). In SDN, the switching devices (forwarding devices, or data-plane elements) contain flow tables, which hold flow rules that determine how packets are handled based on matching fields or criteria (Ali et al., 2015). Examples of such fields are header contents and the incoming port. These rules are managed remotely by the controller (the control-plane element) via a control protocol. Flow tables can be updated reactively, or proactively by the controller ahead of time; reactively means that flow rules are added in response to an event, such as the arrival of a packet that matches no existing rule. The controller continuously polls statistics from the data-plane elements, giving it a real-time view of network state. APIs can then be used to expose that state, allowing developers to build innovative network management applications such as dynamic load balancing and advanced threat mitigation.
This emerging technology can be exploited to enhance information security by creating highly reactive network monitoring, traffic analysis and response systems, presenting new ways to prevent, detect and react to threats (Scott-Hayward, O'Callaghan, & Sezer, 2013).

Security problems it addresses

SDNs can be used to improve security controls, making them adaptive and reactive in real time to internal and external threats. Security policies today consist of a combination of security solutions that are distributed, complicated and specialized in function (Ali et al., 2015). Implementing an enterprise-wide security management system means integrating and harmonizing these disparate controls. Usually these controls sit at high layers of the OSI stack, where they can be undermined by vulnerabilities at lower levels. SDNs, however, enforce security at the link layer, leaving no room for lower-level exploits. In addition, SDNs can be integrated with prevention, detection and response techniques to improve overall functionality and create agile security systems.
In the case of DoS attacks, network state information can be used by applications interacting with the controller to reprogram switches to drop malicious traffic (identified by comparison with normal baseline traffic), thereby preventing a potential DoS attack (Ali et al., 2015). Similarly, for malware containment, instructing switches to restrict traffic flows to an infected network segment and to divert traffic from the infected hosts to a quarantine server prevents further damage to an organization's networking infrastructure and spoils data theft and ransomware attacks.
Using other technologies such as machine learning and data mining, the statistics collected by the SDN controller can be analyzed to identify and detect threat patterns. This is only possible because the controller has a view of network state and SDNs provide an open application programming interface. In traditional networks, dropping traffic was the only response to a possible threat. The highly programmable nature of SDNs, however, enables more dynamic responses such as quarantining, traffic redirection, and entrapment and deception mechanisms (Carroll & Grosu, 2011) like honeypots and tarpits.
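The flow-table behaviour described above (match fields, priorities, reactive rule installation on a table miss, the controller polling counters) and the two responses from the previous paragraphs (dropping a source whose traffic is far above the normal baseline, and redirecting an infected host to a quarantine server) can be seen together in the following model. This is an added teaching example, not code from the post or from any SDN controller or OpenFlow implementation; the `Packet`, `FlowRule`, `Switch` and `Controller` classes, the addresses, the port numbers and the baseline of 10 packets per polling interval are all constructed for illustration.

```python
# Constructed model of an OpenFlow-style data plane and a centralized controller
# with a small security application. Teaching code, not a real SDN controller.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    in_port: int
    src: str
    dst: str
    proto: str


@dataclass
class FlowRule:
    match: Dict[str, object]  # field -> required value; an absent field is a wildcard
    action: str               # "forward:<port>", "drop" or "redirect:<ip>"
    priority: int = 0
    packet_count: int = 0     # per-flow counter that the controller polls

    def matches(self, pkt: Packet) -> bool:
        return all(getattr(pkt, field) == value for field, value in self.match.items())


class Switch:
    """Data-plane element: it holds a flow table and no routing logic of its own."""

    def __init__(self, name: str, controller: "Controller") -> None:
        self.name = name
        self.controller = controller
        self.table: List[FlowRule] = []

    def install(self, rule: FlowRule) -> None:
        self.table.append(rule)
        self.table.sort(key=lambda r: r.priority, reverse=True)  # highest priority first

    def handle(self, pkt: Packet) -> str:
        for rule in self.table:
            if rule.matches(pkt):
                rule.packet_count += 1
                return rule.action
        # Table miss: the reactive path. The packet is reported to the controller,
        # which programs a rule; the packet is then handled by that rule.
        rule = self.controller.packet_in(self, pkt)
        rule.packet_count += 1
        return rule.action


class Controller:
    """Logically centralized control plane with a security application attached."""

    def __init__(self, host_ports: Dict[str, int], baseline_pkts: int,
                 burst_factor: int, quarantine_ip: str) -> None:
        self.host_ports = host_ports        # global view: destination host -> egress port
        self.baseline_pkts = baseline_pkts  # normal packets per source per polling interval
        self.burst_factor = burst_factor    # multiple of the baseline treated as a flood
        self.quarantine_ip = quarantine_ip
        self.log: List[Tuple[str, str]] = []

    def packet_in(self, switch: Switch, pkt: Packet) -> FlowRule:
        """Reactive flow setup: decide once, then program the switch."""
        port = self.host_ports.get(pkt.dst)
        action = f"forward:{port}" if port is not None else "drop"
        rule = FlowRule({"src": pkt.src, "dst": pkt.dst, "proto": pkt.proto}, action, priority=10)
        switch.install(rule)
        return rule

    def poll_statistics(self, switch: Switch) -> Dict[str, int]:
        """Read per-flow counters and drop sources far above the normal baseline."""
        per_src: Dict[str, int] = {}
        for rule in switch.table:
            src = rule.match.get("src")
            if isinstance(src, str) and rule.action != "drop":
                per_src[src] = per_src.get(src, 0) + rule.packet_count
            rule.packet_count = 0  # per-interval counts here; real OpenFlow counters are cumulative
        for src, count in per_src.items():
            already = any(r.match == {"src": src} and r.action == "drop" for r in switch.table)
            if count > self.burst_factor * self.baseline_pkts and not already:
                switch.install(FlowRule({"src": src}, "drop", priority=100))
                self.log.append(("dos_drop", src))
        return per_src

    def quarantine(self, switch: Switch, host: str) -> None:
        """Malware containment: divert everything from the host to the quarantine server."""
        switch.install(FlowRule({"src": host}, f"redirect:{self.quarantine_ip}", priority=100))
        self.log.append(("quarantine", host))


def demo() -> Dict[str, object]:
    """Run the scenario from the text on constructed traffic and return what happened."""
    ctl = Controller(host_ports={"10.0.0.1": 1, "10.0.0.2": 2, "10.0.0.3": 3, "10.0.0.9": 9},
                     baseline_pkts=10, burst_factor=3, quarantine_ip="10.0.0.9")
    sw = Switch("s1", ctl)
    normal = Packet(in_port=1, src="10.0.0.1", dst="10.0.0.2", proto="tcp")
    first = sw.handle(normal)   # table miss, controller programs forward:2
    second = sw.handle(normal)  # table hit, no controller involvement
    flood = Packet(in_port=3, src="10.0.0.3", dst="10.0.0.2", proto="udp")
    for _ in range(50):
        sw.handle(flood)
    stats = ctl.poll_statistics(sw)  # 50 > 3 * 10, so 10.0.0.3 gets a drop rule
    after_drop = sw.handle(flood)
    ctl.quarantine(sw, "10.0.0.1")   # assume 10.0.0.1 was flagged as infected elsewhere
    after_quarantine = sw.handle(normal)
    return {"first": first, "second": second, "stats": stats, "after_drop": after_drop,
            "after_quarantine": after_quarantine, "log": ctl.log}
```

Calling `demo()` shows the three behaviours in sequence: the first packet of a new flow is a table miss and reaches the controller, later packets are handled by the switch alone, the polled counters single out the flooding source and a priority-100 drop rule overrides its forwarding rule, and the quarantine rule redirects the infected host without the switch knowing anything about why. The two response rules carry a higher priority than the reactively installed forwarding rules, which is what lets the security application override normal forwarding without deleting it.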

Business Benefits/Implications

SDN deployment is gaining momentum across the globe (Ali et al., 2015). For example, Google has deployed software defined networking to handle its datacenter backbone traffic, and companies such as Cisco, Dell and Juniper Networks have announced support for this emerging technology. There are numerous benefits to businesses from adopting this trend that is changing the traditional networking paradigm.
Apart from enabling security-as-a-service solutions (Ali et al., 2015), SDNs allow an elastic cost model for value-added services, since security capabilities and controls can be selectively invoked on demand. In addition, SDNs make it practical to outsource network security (Nunes, Mendonca, Nguyen, Obraczka, & Turletti, 2014), which is a plus given the short supply of skilled security professionals. This further decreases the cost of protecting businesses, with projected cost savings of 53 percent according to (Brief, 2016).
The extensible, flexible and programmable nature of SDNs provides a holistic management approach that mirrors how information security management is implemented. This enhances productivity, as businesses do not have to invest as heavily in securing their assets and can focus on their core business. In addition, the application layer allows applications to be developed that increase the manageability of networks (Brief, 2016).
Real-time reaction to threats decreases the risks associated with any vulnerabilities. Like all technologies, SDNs are not without potential disadvantages (Scott-Hayward, Natarajan, & Sezer, 2015); however, given the evolving threat landscape, businesses also have to evolve with new protection mechanisms.




References

Ali, S. T., Sivaraman, V., Radford, A., & Jha, S. (2015). A survey of securing networks
using software defined networking. IEEE Transactions on Reliability, 64 (3),
1086–1097.

Brief, E. (2016). SDN Growth Takes IT Infrastructure by Storm.

Carroll, T. E., & Grosu, D. (2011). A game theoretic investigation of deception in
network security. Security and Communication Networks, 4 (10), 1162–1172.

Chiang, C.-Y. J., Gottlieb, Y. M., Sugrim, S. J., Chadha, R., Serban, C., Poylisher, A.,
. . . Santos, J. (2016). ACyDS: An adaptive cyber deception system. In Military
Communications Conference, MILCOM 2016 - 2016 IEEE (pp. 800–805).

Hande, Y., Jadhav, A., Patil, A., & Zagade, R. (n.d.). Software defined networking
with intrusion detection system.

Masoudi, R., & Ghaffari, A. (2016). Software defined networks: A survey. Journal of
Network and Computer Applications, 67 , 1–25.

Nunes, B. A. A., Mendonca, M., Nguyen, X.-N., Obraczka, K., & Turletti, T. (2014). A
survey of software-defined networking: Past, present, and future of programmable networks. IEEE Communications Surveys & Tutorials, 16 (3), 1617–1634.

Scott-Hayward, S., Natarajan, S., & Sezer, S. (2015). A survey of security in software
defined networks. IEEE Communications Surveys & Tutorials, 18 (1), 623–654.

Scott-Hayward, S., O'Callaghan, G., & Sezer, S. (2013). SDN security: A survey. In
Future Networks and Services (SDN4FNS), 2013 IEEE SDN for (pp. 1–7).

Urias, V. E., Stout, W. M., & Loverro, C. (2015). Computer network deception as a
moving target defense. In Security Technology (ICCST), 2015 International Carnahan
Conference on (pp. 1–6).


On another note, with respect to incident response management, the purpose is to provide a plan for a clear path of resolving a security breach. According to the Special Publication NIST 800-61 Rev. 2, the first thing that an organization should do is establish a clear organizational meaning of the word “incident”. It provides a guide to incident handling and recommends establishing response capabilities, incident response policies, an IR plan, procedures, information sharing mechanisms, team structure and even collaboration with external groups. The team’s structure, the services they provide along with the policies and procedures are established. This team consists of: internet service providers, incident reporters, law enforcement agencies, software and support vendors, customers and media as well as other teams. The recommended incident handling procedure consists of: preparation, detection and analysis, containment, eradication and recovery. During the preparation phase, the s...