Security in an SDN World
With change comes uncertainty, and the rise of virtualization in enterprise environments is no exception. One area that many organizations view with skepticism is security. Many administrators wonder what effects software-defined networking and other virtual fabrics will have on how they protect their networks. But take heart: evolving security methodologies have the potential to bring meaningful long-term benefits.
Security challenges of SDN
Historically, security technologies have been very network-focused. Variations on the theme have been tried along the way—securing information and applications, for example—with varying degrees of success and staying power, "but the majority of the controls are implemented in the network layer," said Christofer Hoff, vice president of strategic planning for the security business unit at Juniper Networks. "As the network becomes virtualized, we don't have the same capabilities or abilities to deploy network-based security controls." Shifting the approach to accommodate workable security methodologies in an SDN environment is easier said than done for many enterprises, which may need to work through several layers of internal disciplines to ensure the right measures are deployed in the right places.
Operational issues often compound the problem. Randal Asay, chief technology officer at Catbird, pointed out a significant, if often unspoken, challenge: "Like everything else in the life of technology, security seems to be the last to the table." That may be a workable approach when security measures have proven effective within the traditional framework and are deployed along a single layer. But this challenge has the potential to cause real concern when security teams are implementing relatively new techniques, or even conventional techniques in new ways. Asay said that a number of vendors in the space are working to assist enterprises with the transition but added, "You do have to take somewhat of a leap."
The idea of that leap can be daunting, and often for good reason. Before organizations dismiss an aversion to change as knee-jerk conservatism, it's worth remembering that many concerns are rooted in reality. Those responsible for network security often worry about the prospect of on-the-fly resource and policy creation in production environments. They also worry about the prospect of non-security people constructing firewall rules or implementing other changes to the network. Rod Stuhlmuller, director of product marketing for the networking and security business unit at VMware, said the thought process makes sense. "I am fearful of losing the control that I need to have in order to make sure that the business stays compliant," he explained. That loss of control, particularly when it could negatively impact the network (not to mention the security person's job), understandably looks like a very bad thing. Getting a better handle on how these virtual environments can be completely isolated, both from the underlying physical infrastructure and from each other, may help increase the comfort level all around.
Aside from posing operational and organizational issues, the task of learning a completely different security architecture may present a challenge in itself. The changes SDN promises to bring will be enormous. Bob Shaw, senior vice president of Net Optics Integration at Net Optics, an Ixia company, said that he's hearing leaders in the industry talk about the need for completely new architecture as a way to create a security-centric SDN model. "Instead of thinking about the functional areas of responsibility or the way their organizations are designed, they're saying, 'How do we design security across the entire infrastructure?' And that is a big statement." Those big statements may look insurmountable at the outset. That doesn't make the implementation of successful security protocols seem any easier.
How SDN can improve security
Virtualized environments don't just bring security challenges, however. They also offer real solutions. For one thing, the level of automation SDN makes possible may actually improve security postures. Many of the mistakes made by human beings can be eliminated (or at least mitigated) through virtualization. "You can leverage automation to essentially enable you to get better visibility and a more streamlined, orderly and optimized policy deployment, whether it is in physical, virtual or a combination thereof, and to get rid of a lot of those human mistakes," Hoff explained. This reduction in human error may also address some of the problems enterprises encounter not only with security breaches, but also with uptime and even scalability.
Along the same lines, Stuhlmuller pointed to the use of profiles, rather than policies, as a way virtualization can boost security. When applications are decommissioned, for instance, the rules associated with that application aren't always removed or modified. "These rule sets get gigantic, and over time people don't clean them up," he explained. If wiping the policy could have any potential negative impact down the road, the IT group is likely to simply leave it in place. "Availability trumps security almost all the time," Stuhlmuller said. But with profiles, the rules associated with an asset such as a virtual machine are removed when the VM is deleted. "I simply do that centrally and then push it out, and any VM out there that has been deployed with that profile gets updated automatically." That one change is updated everywhere, and enterprises no longer need to rely on humans to manually find and either modify or remove every instance of the policy.
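To make the profile-versus-policy distinction concrete, here is an added Python sketch (not from the article or from any vendor's product) that contrasts a global rule list with rules derived from a VM profile, and includes the audit check a security team would run to find rules whose application has already been decommissioned. The Rule, PolicyFirewall and ProfileFirewall names and all rule values are constructed for illustration.

```python
# Added example (not from the article): model rules as a global policy
# list versus rules bound to a VM profile, and audit the policy list for
# rules that outlive the application they served. All names constructed.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: int
    owner: str  # hypothetical tag naming the application the rule serves

@dataclass
class PolicyFirewall:
    """Traditional model: one global rule list; decommissioning an app
    leaves its rules behind unless someone cleans them up by hand."""
    rules: list = field(default_factory=list)
    apps: set = field(default_factory=set)

    def deploy(self, app, rules):
        self.apps.add(app)
        self.rules.extend(rules)

    def decommission(self, app):
        self.apps.discard(app)  # rules deliberately not touched

    def orphaned_rules(self):
        """Audit check: rules whose owning application no longer exists."""
        return [r for r in self.rules if r.owner not in self.apps]

@dataclass
class ProfileFirewall:
    """Profile model: rules are derived from the profile each VM carries,
    so deleting a VM removes its rules and a profile edit reaches every VM."""
    profiles: dict = field(default_factory=dict)  # profile name -> rules
    vms: dict = field(default_factory=dict)       # vm name -> profile name

    def update_profile(self, name, rules):
        self.profiles[name] = list(rules)  # one central change

    def deploy(self, vm, profile):
        self.vms[vm] = profile

    def delete_vm(self, vm):
        self.vms.pop(vm, None)

    def effective_rules(self):
        return [r for p in self.vms.values() for r in self.profiles.get(p, [])]
```

Running orphaned_rules() against a real export of a rule base (mapped to an asset inventory) is the practical version of the cleanup the article says rarely happens.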
The sheer flexibility of virtualization, which looks like a scary prospect on the security front, also translates into improved security if approached in the right way. The relative slowness or inertia some attribute to the security industry can create vulnerabilities. "Any security device that you purchase today is, from the time you unbox it, 18 to 24 months behind the most current technology," Shaw said. That gap is a potential opening for all manner of security threats, but it's also a tremendous opportunity for enterprises running virtualized or software-defined environments. "It gives them the ability to write rapid new features or new pieces of code and to deploy them, so they're able to deal with either new attacks or new viruses, or a new way of re-architecting the network," Shaw explained.
Asay stressed that virtualization isn't typically an all-or-nothing approach. "When you consider the millions and millions of dollars in investment companies have made in infrastructure, very few people are going to just jump ship," he said. Time-tested hardware, such as firewall appliances, doesn't necessarily need to go away just because virtualization has entered the room. And by looking ahead while still leveraging what works today, enterprises, Asay said, "will be able to better define their application requirements, which will, in turn, make SDN a security solution versus being a security problem."