SDN and cloud security challenges: the important role of visibility
SDN is designed to transform modern networks and data centers into highly agile frameworks that can be quickly reconfigured as business needs change. Although SDN is still unfamiliar to the wider public, almost all organizations are drawing up plans for it. Adopting it promises on-demand provisioning of every network service, including bandwidth allocation, and extends the efficiency gains of server virtualization and cloud computing into an unprecedented transformation of the final architecture.
However, many organizations also recognize that fast-moving workloads and automatically configured applications and services mean a loss of visibility into communications and of performance optimization, and that security is weakened as a result. Progress must therefore always be made with caution. Because of their unprecedented efficiency and economies of scale, cloud computing and migration to SDN are inevitably the trend of the times. To make the migration as smooth as possible without weakening security, the most important thing is to take some basic steps, and among them, sustained overall visibility of network communications for security devices is the top priority.
So what is SDN?
The SDN architecture separates the control layer from the data layer. It is a highly programmable and scalable architecture that gives you a view of the control framework and provides a single logical abstraction of the network.
In this architecture, orchestration and the provisioning of services are managed more easily by consistently and automatically applying the expected configuration. This new network architecture brings the scale, flexibility and choice of the underlying hardware infrastructure to an unprecedented level. In addition to significantly reducing asset and operating costs, the SDN architecture stimulates innovation without damage or overhead and adapts to rapidly changing needs.
SDN architecture as published by the Open Networking Foundation
How can we distinguish between cloud security and SDN security?
In practice, cloud security is often compared with SDN security because the key underpinning of the cloud computing framework, namely the virtualization of servers and storage, uses the same concepts as SDN. In fact, the cloud faces security challenges that are completely different from those of SDN, and it is worth summarizing them here.
Cloud security problems
First, it is important to note that the cloud usually takes virtualized compute and storage as its core. In a virtualized design, virtual workloads or virtual machines replace physical servers, and servers can be allocated, configured and operated with just a few clicks. VMware ESX, Citrix XEN and Microsoft Hyper-V are hypervisors that support server virtualization. Cloud computing frameworks come in three different configurations: private cloud, public cloud and hybrid cloud.
A private cloud is server and storage virtualization deployed entirely within the organization and within its controllable range. This means the organization or company owns the cloud framework and is responsible for its security. The security problem here is that when a virtual machine is infected with malware and is then moved, changed or reassigned within the data center, other virtual machines sharing the same host can become infected.
Traditional security devices cannot "see" malware spreading between virtual machines, because communication between virtual machines takes place mainly on virtual network segments. In this case, the virtual communications must be made visible to the security devices on the physical network, and access control must be established with specific, purposeful virtualization in mind.
Public clouds are owned by enterprises that lease a shared cloud framework to customers, such as Amazon AWS and Microsoft Azure. The security issue here is generally tenant isolation. Because the workloads and assets of many organizations are hosted by the cloud service provider, any negligence may blur user access boundaries and allow cross-user access.
Security control focuses on two aspects: access control for the workloads hosted by the cloud service provider, and a requirement that the provider's service-plane protocol offer security controls for communication visibility and for managed resources.
The hybrid cloud may be the most common framework. Most organizations and enterprises host and run some workloads as virtual machines in their own private cloud while placing other workloads in the public cloud, forming a "hybrid cloud" structure in which public and private clouds coexist.
Of course, the security mechanisms of the hybrid cloud must also follow the suggestions above. However, we must pay close attention to market choices because the market is changing rapidly. At present, the visibility and security control framework of a hybrid cloud still has to be pieced together from several technologies, but such a large market demand will certainly produce unified, specialized vendors. Interestingly, there are also some overlapping technologies in emerging fields. Hybrid cloud stakeholders need to be cautious about market trends, especially when migrating to SDN.
SDN security problems
As mentioned above, SDN virtualizes not only servers but all aspects of network infrastructure and management. Beyond the network infrastructure, SDN security issues therefore extend to many areas, including the control plane and the data plane.
For example, if an attacker can take over the control plane or the SDN controller, they essentially own the entire network and all of its infrastructure; it can be said that they have unlimited permissions. A compromised data plane can in theory spread faster, because an SDN deployment is more pervasive than server virtualization. Communication between the control plane and the data plane is complex and hard to follow, and it may also create a vulnerability that lets attackers use new methods to break through the network perimeter.
When it comes to building a secure SDN, we have long had detailed architecture guidance, partly because existing vendors and open-source organizations implement SDN in many different ways. The key here is to ensure visibility across all networks, including traditional, virtual and software-defined networks. Understanding the communication flows between these network types ensures that blind spots are corrected and bottlenecks resolved as quickly as possible.
This "visibility" spans all network and workload types to ensure that the visible view is universal and continuous. This is why visibility is not a point solution but an architectural layer comparable to virtualization.
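The risk described above, that whoever holds the controller decides what the data plane does, is why an SDN operator wants an independent check that the rules actually installed on the switches are exactly the ones the controller's declared intent produces. The following is an added example, not code from the article or from any SDN vendor: the switch names, addresses, intent entries and the "rogue" rule in the snapshot are all constructed, and the intent-to-rule compilation is a deliberately simplified stand-in for a real controller.

```python
"""Added example (not from the article): checking an SDN data plane against the
controller's declared intent. Switch names, addresses, policy entries and the
switch snapshot are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FlowRule:
    switch: str           # data-plane switch holding the rule
    src: str              # source address, "*" = any
    dst: str              # destination address, "*" = any
    dport: Optional[int]  # destination port, None = any
    action: str           # "forward" or "drop"


# Constructed topology: which edge switch fronts which host.
HOST_SWITCH = {
    "10.0.1.10": "sw1",
    "10.0.1.11": "sw1",
    "10.0.2.5": "sw2",
}

# Constructed control-plane intent: the only flows the operator allows.
INTENT = [
    ("10.0.1.10", "10.0.2.5", 443),
    ("10.0.1.11", "10.0.2.5", 443),
]


def compile_intent(intent, host_switch=HOST_SWITCH):
    """Controller step (simplified): expand each allowed flow into forward
    rules on the switches at both ends, plus a default drop on every switch."""
    rules = set()
    for src, dst, dport in intent:
        for sw in {host_switch[src], host_switch[dst]}:
            rules.add(FlowRule(sw, src, dst, dport, "forward"))
    for sw in set(host_switch.values()):
        rules.add(FlowRule(sw, "*", "*", None, "drop"))
    return rules


def audit_data_plane(installed, expected):
    """Independent check: rules present on the switches but not derived from
    intent are 'rogue'; intended rules absent from the switches are 'missing'.
    Either finding means control plane and data plane have diverged."""
    installed, expected = set(installed), set(expected)
    return installed - expected, expected - installed


if __name__ == "__main__":
    expected = compile_intent(INTENT)
    # Constructed snapshot read back from the switches: the intended rules
    # plus one permit that no intent entry explains.
    snapshot = expected | {FlowRule("sw2", "*", "10.0.2.5", 22, "forward")}
    rogue, missing = audit_data_plane(snapshot, expected)
    for r in sorted(rogue, key=str):
        print("rogue rule:", r)
    for r in sorted(missing, key=str):
        print("missing rule:", r)
```

The audit deliberately recomputes the expected rule set from the intent rather than trusting the controller's own record, so a divergence shows up whether it came from the controller or from a switch; in a real deployment the snapshot would be read back from the switches over their management interface.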
Role of visibility in SDN
Network visibility is a basic element of the physical network and becomes even more important in a highly dynamic SDN architecture. However, the loss of network visibility in SDN need not impede a company's progress. Companies that build visibility solutions are already working with standards communities and major SDN architecture vendors to ensure that application performance and security are maintained during and after SDN migration.
Accelerating SDN visibility construction
A visibility architecture essentially makes the network, including SDN, visible. As a common layer, it combines views of communication flows across physical and virtual network segments. Specifically, network visibility provides detailed information about the communication flows and data packets that are critical to these networks, in order to:
Monitor the status of the SDN network
Monitor the available SDN applications
Ensure that security is maintained
Visibility architecture: a security delivery platform for a private cloud or SDN environment
Whether the chosen SDN architecture is built on OpenFlow, on network virtualization such as VMware NSX or Cisco ACI, or on some other framework, the key requirements above still apply. In SDN, although the control and forwarding layers are managed independently, their functions must still be combined. Synchronization between these layers may be affected by network latency or by differences in vendors' network infrastructure, which can cause bottlenecks and damage.
When it comes to SDN applications and services, the benefits of on-demand provisioning are undeniable. However, this kind of dynamic configuration leads to unpredictable communication patterns, making it difficult to solve problems by placing performance-management tools at foreseeable points in the network.
Communication visibility in SDN must be constant, and tools must be centralized so that they receive all communication flows and packets. The same logic applies to security requirements. In traditional networks, security devices can be placed at important network segments; in SDN that is untenable. Centralized deployment and overall access to all internal SDN communications give security and performance-management technologies the best chance of collecting statistics on embedded malware and abnormal patterns.
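The two points the article makes about visibility, that traditional devices cannot see traffic between virtual machines on the same host (the private cloud section above) and that a centralized view of all flows is what lets tools pick out abnormal patterns (this section), can be shown with a small flow-record aggregator. The following is an added example, not code from the article or from any visibility vendor: the hosts, VM names, addresses, flow records and the "baseline" of normal peers are all constructed, and the anomaly check is a deliberately simple one.

```python
"""Added example (not from the article): a tiny visibility layer that merges
flow records from a physical perimeter tap and per-host virtual switches, and
shows what a perimeter-only view misses. Hosts, VM names, addresses and flow
records are constructed."""
from collections import defaultdict

# Constructed inventory: VM -> hypervisor host it currently runs on.
VM_HOST = {"vm-a": "host1", "vm-b": "host1", "vm-c": "host2"}

# Constructed flow records as received by the visibility layer.
# 'seen_by' is the collection point: a physical tap or a host's virtual switch.
FLOWS = [
    {"seen_by": "perimeter_tap", "src": "203.0.113.9", "dst": "vm-a", "dport": 443, "bytes": 5_000},
    {"seen_by": "vswitch:host1", "src": "vm-a", "dst": "vm-b", "dport": 445, "bytes": 120_000},
    {"seen_by": "vswitch:host1", "src": "vm-a", "dst": "vm-b", "dport": 3389, "bytes": 40_000},
    {"seen_by": "core_tap", "src": "vm-a", "dst": "vm-c", "dport": 443, "bytes": 8_000},
    {"seen_by": "perimeter_tap", "src": "vm-b", "dst": "198.51.100.7", "dport": 443, "bytes": 900_000},
]

PHYSICAL_TAPS = {"perimeter_tap", "core_tap"}


def physical_view(flows):
    """What traditional tap-based tools see: only flows that crossed a wire."""
    return [f for f in flows if f["seen_by"] in PHYSICAL_TAPS]


def same_host_vm_flows(flows):
    """VM-to-VM flows whose endpoints share a hypervisor. These never leave the
    host, so no physical tap can see them: this is the blind spot."""
    return [f for f in flows
            if f["src"] in VM_HOST and f["dst"] in VM_HOST
            and VM_HOST[f["src"]] == VM_HOST[f["dst"]]]


def internal_peers(flows):
    """Per VM, the set of other VMs it talked to, over all collection points."""
    peers = defaultdict(set)
    for f in flows:
        if f["src"] in VM_HOST and f["dst"] in VM_HOST:
            peers[f["src"]].add(f["dst"])
    return dict(peers)


def new_peers(flows, baseline):
    """Flag VMs that contacted internal peers absent from their baseline.
    Growth of east-west peers is one abnormal pattern that only a centralized
    view across virtual and physical segments can surface."""
    observed = internal_peers(flows)
    return {vm: p - baseline.get(vm, set())
            for vm, p in observed.items()
            if p - baseline.get(vm, set())}


if __name__ == "__main__":
    print("physical taps see", len(physical_view(FLOWS)), "of", len(FLOWS), "flows")
    for f in same_host_vm_flows(FLOWS):
        print("blind spot:", f["src"], "->", f["dst"], "port", f["dport"])
    # Constructed baseline: vm-a normally reaches only vm-c.
    print("new east-west peers:", new_peers(FLOWS, {"vm-a": {"vm-c"}}))
```

Run stand-alone, the script reports that the physical taps see three of the five flows, that the two vm-a to vm-b flows on host1 are invisible to them, and that vm-a has gained vm-b as a peer relative to its baseline; the point is that the anomaly is only computable because the virtual switch records were merged into the same view as the tap records.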