Evaluating the Security of Software Defined Networking

Similar documents
SDN Technologies Primer: Revolution or Evolution in Architecture?

TEN ESSENTIAL NETWORK VIRTUALIZATION DEFINITIONS

Server Hardware for Virtualization: Exploring the Options

VMware vsphere Beginner s Guide

E-Guide CLOUDS ARE MORE SECURE THAN TRADITIONAL IT SYSTEMS -- AND HERE S WHY

SUPPLEMENTARY DEFENSES FOR ENDPOINT SECURITY

Best Practices for the Hybrid Cloud

ADDRESSING TODAY S VULNERABILITIES

E-Guide BENEFITS AND DRAWBACKS OF SSD, CACHING, AND PCIE BASED SSD

NETWORK-BASED CONTROLS: SECURING THE INTERNET OF THINGS

Storage Virtualization Explained

MANAGING ENDPOINTS WITH DEFENSE- IN-DEPTH

BUYING SERVER HARDWARE FOR A SCALABLE VIRTUAL INFRASTRUCTURE

WHAT NETWORK VIRTUALIZATION TECHNOLOGY CAN DO FOR YOUR NETWORK TODAY

SECURITY MONITORING: BE EVERYWHERE AT ONCE

Desktop Virtualization: What Windows Managers Should Know

Identify and Eliminate Oracle Database Bottlenecks

Utilizing Windows Server 2012 without the GUI Key workarounds for avoiding the Modern UI

SSL Certificate Management: Common Mistakes and How to Avoid Them

An introduction to the VDI landscape

BRING SPEAR PHISHING PROTECTION TO THE MASSES

KNOW THE FEATURES OF WINDOWS SERVER 2012 R2

BEST PRACTICES TO PROTECTING AWS CLOUD RESOURCES

AS ATTACKERS TARGET APPLICATION CODING ERRORS, ARE STATIC ANALYSIS TOOLS THE ANSWER?

Requirements for virtualizing Exchange Server 2010

AUTHENTICATION AND AUTHORIZATION: TWO SECURITY ESSENTIALS THAT WORK TOGETHER

10 Cloud Storage Concepts to Master

PREVENTING PRIVILEGE CREEP

Solid State Storage: Trends, Pricing Concerns, and Predictions for the Future

Disaster recovery planning for health care data and HIPAA compliance regulations

Disaster Recovery Planning: Weighing your customer s options

ADOPTING FIDO SearchSecurity

E-Guide WHAT WINDOWS 10 ADOPTION MEANS FOR IT

The Emergence of SDN in WLAN

Network Security Protection Alternatives for the Cloud

Understanding the Value behind Enterprise Application-Aware Firewalls

LESSONS LEARNED FROM AN OFFICE 365 MIGRATION

SECURING THE NEXT GENERATION DATA CENTER. Leslie K. Lambert Juniper Networks VP & Chief Information Security Officer July 18, 2011

STORAGE NETWORKING TECHNOLOGY STEPS UP TO PERFORMANCE CHALLENGES

Sourcefire Solutions Overview Security for the Real World. SEE everything in your environment. LEARN by applying security intelligence to data

Backup Appliances: Key Players and Criteria for Selection

Mike Spear, Ops Leader Greg Maciel, Cyber Director INDUSTRIAL CYBER SECURITY PROGRAMS

Securing the Virtualized Environment: Meeting a New Class of Challenges with Check Point Security Gateway Virtual Edition

Disaggregation and Virtualization within the Juniper Networks Mobile Cloud Architecture. White Paper

E-Guide DATABASE DESIGN HAS EVERYTHING TO DO WITH PERFORMANCE

5 Steps to Government IT Modernization

SIEM: Five Requirements that Solve the Bigger Business Issues

DATA SHEET AlienVault USM Anywhere Powerful Threat Detection and Incident Response for All Your Critical Infrastructure

Deploying Cloud Network Services Prime Network Services Controller (formerly VNMC)

The Top Five Reasons to Deploy Software-Defined Networks and Network Functions Virtualization

The New Normal. Unique Challenges When Monitoring Hybrid Cloud Environments

MAKING THE CLOUD A SECURE EXTENSION OF YOUR DATACENTER

Dynamic Datacenter Security Solidex, November 2009

Industrial Defender ASM. for Automation Systems Management

Backup solutions for today s Data Center

NetWitness Overview. Copyright 2011 EMC Corporation. All rights reserved.

A primer to SQL Server 2012

The Evolution of Data Center Security, Risk and Compliance

Mark Littlejohn June 23, 2016 DON T GO IT ALONE. Achieving Cyber Security using Managed Services

Intelligent Cybersecurity for the Real World Scott Lovett Vice President, Global Security Sales

DEFINING SECURITY FOR TODAY S CLOUD ENVIRONMENTS. Security Without Compromise

White Paper. Why IDS Can t Adequately Protect Your IoT Devices

5 Reasons to Choose Parallels RAS Over Citrix Solutions

Securing the Software-Defined Data Center

Total Threat Protection. Whitepaper

GUIDE. MetaDefender Kiosk Deployment Guide

Copyright 2011 Trend Micro Inc.

Introduction. Delivering Management as Agile as the Cloud: Enabling New Architectures with CA Technologies Virtual Network Assurance Solution

ADVANCED SECURITY MECHANISMS TO PROTECT ASSETS AND NETWORKS: SOFTWARE-DEFINED SECURITY

Expert Reference Series of White Papers. Cisco Completes the Security Picture with Sourcefire

Validating the Security of the Borderless Infrastructure

Evolution of Data Center Security Automated Security for Today s Dynamic Data Centers

MODERNIZE YOUR DATA CENTER. With Cisco Nexus Switches

Accelerating SDN and NFV Deployments. Malathi Malla Spirent Communications

Unlocking the Power of the Cloud

SAFEGUARDING YOUR VIRTUALIZED RESOURCES ON THE CLOUD. May 2012

BUILDING A NEXT-GENERATION FIREWALL

Nuage Networks Product Architecture. White Paper

Why the cloud matters?

YOUR APPLICATION S JOURNEY TO THE CLOUD. What s the best way to get cloud native capabilities for your existing applications?

The threat landscape is constantly

Innovative Solutions. Trusted Performance. Intelligently Engineered. Comparison of SD WAN Solutions. Technology Brief

AKAMAI CLOUD SECURITY SOLUTIONS

Cato Cloud. Software-defined and cloud-based secure enterprise network. Solution Brief

Snort: The World s Most Widely Deployed IPS Technology

Cisco APIC Enterprise Module Simplifies Network Operations

Presenter Jakob Drescher. Industry. Measures used to protect assets against computer threats. Covers both intentional and unintentional attacks.

Security in Cloud Environments

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

Micro Focus Network Operations Management Suite Supports SDN and Network Virtualization Engineering and Operations

Cisco IOS Inline Intrusion Prevention System (IPS)

EMERGING THREATS & STRATEGIES FOR DEFENSE. Paul Fletcher Cyber Security

Potpuna virtualizacija od servera do desktopa. Saša Hederić Senior Systems Engineer VMware Inc.

Parallels Virtuozzo Containers

Cato Cloud. Solution Brief. Software-defined and Cloud-based Secure Enterprise Network NETWORK + SECURITY IS SIMPLE AGAIN

Symantec Security Monitoring Services

Cloud Computing the VMware Perspective. Bogomil Balkansky Product Marketing

Ending the Confusion About Software- Defined Networking: A Taxonomy

Securing Your Digital Transformation

Changing face of endpoint security

Transcription:

Evaluating the Security of Software Defined Networking

This expert e-guide explores the latest challenges in network security. Get tips for evaluating network security virtualization and explore the security pros and of software-defined networking. Dave Shackleford, SearchSecurity.com Contributor Along with business units' and IT operations' steady push to virtualize data center servers and components comes a new conundrum for security professionals: how best to maintain adequate controls inside the virtual environment. Fortunately, there is now a new breed of mature network security options that encompass virtualization, with enhanced features that rival those of their physical counterparts. In this tip, we'll review key factors to ider when evaluating network. The first step (and arguably the most important one) in the evaluation process is to determine which would be a good fit for you and your organization. The following specific points can help to determine this: Cost. Cost is primarily a factor when weighing whether to replace existing network security technology that likely has limited or no virtualization security capabilities or augment or replace it with new virtual technology. Many vendors have pricing models for virtual platforms that license per hypervisor, per a certain number of virtual machines or per CPU. This may not only result in applying a totally different formula for evaluating the cost of the product, but also the incurrence of additional costs as virtualization use increases over time. Page 1 of 8

Vendor viability. As with any vendor, make sure you do your homework. Some suppliers are more viable than others, and you should talk to their existing customers to see what they think of both the product and their relationship with the vendor. It's wise to scan the recent headlines for any news pertaining to vendors' executive leadership changes, funding announcements or acquisition rumors. Native integration with hypervisor platforms. In looking at more technical iderations, most virtual security vendors focus on VMware as the market leader, but more technology companies support Microsoft Hyper-V, Citrix, KVM, and other platforms as well. If your organization has chosen a single virtualization platform vendor, then the security vendor evaluation process becomes easier; if several different virtualization platforms exist, then multiplatform support is a must. Management capabilities. Consider whether the virtual network appliance is easy to manage, whether it integrates into existing security oles, what type of remote access is available (SSH, for example) and whether the system provides granular role-based access. Performance impact and scalability. How much RAM and other resources does the virtual network appliance require? What are the average peak usage scenarios? Vendors should be able to supply some of this information. Architecture flexibility. How many virtual NICs/ports can the virtual firewall support? What kinds of rules are supported and at which protocol stack layers? Virtualization-specific features. What features are available to help control and protect virtual assets, ranging from the hypervisors to VMs? Speaking of features, there are a number that are good to look for, depending on the type of virtual firewall, switch or gateway you are interested in. One of the most important is API extensibility, allowing integration with orchestration platforms, automation environments and other vendors'. Many virtual firewalls today offer stateful inspection, intrusion detection capabilities, anti-malware features, and configuration and patch Page 2 of 8

assessment and monitoring for the virtual infrastructure. Ensure the platform can perform both intra-vm (internal flows on the hypervisor) and inter-vm (between virtual machines and external networks) monitoring and filtering. Deep integration with the hypervisor environment, preferably at the kernel level, will improve performance and reduce overhead, as well. The ability to identify, monitor and control virtualization-specific traffic and dynamic VM migration operations like vmotion should also be a priority when choosing one of these solutions. Many options exist today, from both well-known vendors and startups. Juniper Networks offers its vgw (vgateway) series of virtual appliances, Cisco Systems has the Nexus 1000v virtual switch and ASA 1000v virtual firewall, and 5Nine Security Manager for Hyper-V offers anti-malware and traffic access controls for Microsoft environments. Most IDS/IPS vendors have virtual models, as well, including Sourcefire, McAfee, TippingPoint and others. SDN security pros and Matthew Pascucci In the technology industry, hype is a tant. This is no different with the upand-coming technology of software-defined networks. In this case, however, the hype is justified: SDN could change the network security landscape as we know it. Over the past couple of years, software-defined networking (SDN) has developed from merely an idea to a paradigm that large networking vendors are not only embracing, but also talking up as their model for future enterprise network management. This technology adds greater granularity, dynamics and manageability to networking, but brings up other concerns that should be seen from a security perspective. Page 3 of 8

In this tip, we'll explain what SDN is and explore the network security pros and that enterprise networking and security pros need to know. Contents A definition of software-defined networking To understand a few of the security benefits and downfalls of softwaredefined networking, let's take a quick tour of the technology. Softwaredefined networking is the ability to split the data plane from the control plane in routers and switches. The control plane, which has historically been proprietary and known only to the vendors that developed them, would be open and controlled centrally with SDN while having commands and logic sent back down to the data planes of the hardware (routers or switches). This provides a view of the entire network and affords the ability to make changes centrally without a device-centric configuration on each router or switch. The ability to manage the control planes through open protocols such as the OpenFlow standard allows for precise changes to networks or devices that will increase the speed and security of the network. SDN security benefits Like everything else, there will be both benefits and concerns when implementing new technology. Let's review some of the benefits of softwaredefined networking: By having the free-moving network of SDN, engineers are able to change the rules by having a quick, high-level view into all areas of the network and being able to modify the network. This freedom and control also allows for better security of your systems. By having the ability to quickly limit and see inside the network from a centralized viewpoint, managers can make changes with efficiency. For example, if there were a malware outbreak within your network, with SDN and OpenFlow you'd be able to quickly limit the outbreak from one centralized control plane that would stop the traffic without having to access multiple routers or switches. Being able to quickly change things in the network enables managers to perform traffic shaping and QoS of packets in a more secure matter. This ability exists now, but the speed and efficiency Page 4 of 8

doesn't exist and will limit the manager's ability when attempting to secure the network. Contents SDN security concerns With innovative new technology come security concerns that could easily go overlooked. Let's take a look at a few security-related issues to be aware of when implementing SDN. The majority of software-defined networking security concerns are going to evolve around the controller itself. The controller can be idered the brains of the switching/routing, which allows the control panel from each system to be centrally managed. The largest SDN challenge for security managers is securing the controller at all costs. Now that the brains have been taken out of the routers or switches and replaced with the new controller, this device needs to be hardened and secured through the following steps: Knowing and auditing who has access to the controller and where it resides on the network is a big security concern. It's important to remember that access to the controller could potentially give complete control to an attacker, so it's vital that it is secured. Verify the security between the controller and end nodes (routers or switches) -- specifically that they're communicating over SSL to prevent any malicious intent from accessing the controller. As with anything else, if security isn't baked in from the start, it must be added later on, and it's always more difficult and expensive to do it that way. Make sure the security between the node and controller is configured properly. Verify that there is high availability in the controllers. Creating a business continuity effort for controllers is important because if they are lost, the ability to manage the network is also lost -- and equently, so are all the benefits of SDN and OpenFlow. Verify that everything that comes out of the system is logged. Since managers have control over the network centrally, log every change made and send it to the company's log management solution. When implementing SDN, verify that the organization's SIEM, IPS and any other filtering technology that might block or log changes is updated accordingly. Correlate the logs from the SIEM to alert the Page 5 of 8

manager of changes. Tracking custom events with the SIEM on the control, like login failures and policy changes, will assist with the security of the system. Verify that the IPS isn't identifying any of this traffic as malicious. Configure the appropriate rules in the filtering systems to allow the controller to speak with the nodes when needed. In conclusion, software-defined networking is an emerging technology that can allow for granular security by giving an administrator a complete view of the enterprise network. However, by giving the SDN controller centralized management over network nodes to push down changes to these systems, it becomes imperative that the security around this system is locked down. This system is the brains of SDN, and without proper security wrapped around it, the network becomes completely vulnerable to malicious attacks or accidental changes, both of which can take a network down. Now is the time for organizations to ensure that security is a primary ideration in the design, deployment and management of SDNs. About the author Matthew Pascucci is senior information security engineer at a large retail company where he leads the threat and vulnerability management program. He has written for various information security publications and spoken for many industry companies, and is heavily involved with his local InfraGard chapter. You can follow him on Twitter @matthewpascucci or check out his blog at www.frontlinesentinel.com. Page 6 of 8

Free resources for technology professionals TechTarget publishes targeted technology media that address your need for information and resources for researching, developing strategy and making cost-effective purchase decisions. Our network of technology-specific Web sites gives you access to industry experts, independent content and analysis and the Web s largest library of vendor-provided white papers, webcasts, podcasts, videos, virtual trade shows, research reports and more drawing on the rich R&D resources of technology providers to address market trends, challenges and solutions. Our live events and virtual seminars give you access to vendor neutral, expert commentary and advice on the issues and challenges you face daily. Our social community IT Knowledge Exchange allows you to share real world information in real time with peers and experts. What makes TechTarget unique? TechTarget is squarely focused on the enterprise IT space. Our team of editors and network of industry experts provide the richest, most relevant content to IT professionals and management. We leverage the immediacy of the Web, the networking and face-to-face opportunities of events and virtual events, and the ability to interact with peers all to create compelling and actionable information for enterprise IT professionals across all industries and markets. Related TechTarget Websites Page 7 of 8

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback