Software Defined Networking Mitigates Risk, Provides Reward

Eric Stuhl Blog

Infinite Attack Surfaces

Traditional security architectures generally consist of a perimeter that is hardened, while the internal network is left open and is more trusting. This design is perpetuated mostly by focusing on external threats and is driven by limitations around scaling – placing hardware based security devices between all points would be prohibitively expensive and impossible to maintain in any sort of reasonable fashion. Historically, most protection of traffic (data) flows occurs between the outside network (i.e. the internet) and the rest of the (internal) environment, with little to no consideration placed on protecting traffic between devices within the internal network.  This enables bad actors to rapidly expand beyond a single device once a breach occurs.  An attack that penetrates this perimeter then can spread almost instantaneously throughout the rest of the network as there is no real barrier between devices internally.  With the increasing number of attacks that appear to be internally sourced, how can we overcome this limitation?

Enter Software Defined Networking

The concept of software defined networking is relatively straightforward:  a centralized controller contains a set of policies that defines desired behavior and then, using those policies, the device provides configuration to all devices that make up the networking infrastructure.  With this controller, one can now expand beyond the limitations of hardware appliances and human inefficiencies to define security controls at every level of the network.  This creates a situation where instead of a gated community filled with houses and no locks, there is now a community filled with houses protected by their own internal security systems.  The ability to create these security controls is commonly referred to as microsegmentation.

With microsegmentation, one can now define controls at the individual device layer, including both physical and virtual.  This is an incredibly powerful tool to both limit the possibility of attack and contain the spread of a breach.  By inserting firewalls on virtual hosts or using advanced traffic tagging methods, one can now enforce security policies at any and every position in the network simultaneously.  As these firewalls are defined in software, rather than through hardware appliances, consistent controls can be automatically be placed on new devices and hosts that are added to the network, without human intervention.  This limits the possibility of improperly configured devices or devices that are added to the network without the security controls installed. We now have created a truly secure design.  While this does not obviate the threats of malicious activity, it provides a solid foundation from which risks can be managed.

The Policy Driven Model

Freed from the necessity of configuring and maintaining each individual device in the network, the burden of the administrators then can shift to creating explicit and effective policies to drive the infrastructure.  In the datacenter, these policies are typically tied to applications.  One defines a specific workload, its dependencies and connections and then all devices associated with that workload receive the same policies throughout the environment.  As capacity expands, new hosts will automatically be given the same level of protection through the defined policies. Transparency and consistency can be maintained through individually tailored controls on a per workflow basis across all applications. Changes to security policy are enabled through a single point, reducing complexity and minimizing the chance of error.  All of this combined builds a more resilient, stable and secure environment for applications to grow to meet the needs of the  modern mission.

In the access space, we continue with policy driven model, but we shift the focus from the application to the individual.  We group personnel into subsets based on similar requirements and create policies to control access to the network and its resources.   This allows for a consistent user experience, no matter how a user connects to the network – be it a traditional wired computer, a mobile device connecting wirelessly, or some other form of connectivity.  Any device, any access method: all contain the same unified security controls without needing to manually configure each network appliance in the path. This is how we manage IT, augmented with the automation and best practices throughout.

Roadmap to the Future

Moving to a policy driven, software defined world requires a shift in understanding.  Engineers move from configuring individual devices and resources to creating policies on controllers to define the model of the network. Expansion becomes trivial, as bolting on additional resources no longer requires a complete redesign or human intervention.  Engineers become more proactive and are less focused on manual reaction to changes in the network.  All of this combines to create an environment that is more efficient and scalable without requiring massive overhead.  This allows us to change cost curves, increase protections and allow the machines to handle the repetitive functions freeing up our human capital.  Software Defined Networking must be a part of any Network refresh and security strategy.