SDN technology moves network control into a dedicated SDN controller, which manages and controls every function of both virtual and physical networks. Because SDN security policies provide this isolation and central control, they enable deeper packet analysis, network monitoring, and traffic control, all of which help in defending against network attacks.
The rise of Software Defined Monitoring
Recently, Microsoft announced that it uses a self-developed, OpenFlow-based traffic aggregation and distribution platform, called Distributed Ethernet Monitoring (DEMON), internally. The tool handles the very large traffic volumes of Microsoft's cloud network. Previously, the thousands of internal connections and network flows exceeded the capacity of traditional traffic distribution and capture mechanisms such as SPAN or port mirroring.
By using programmable, flexible switches and other network devices as a packet interception and redirection platform, a security team can detect and defend against common attacks. Much of the industry calls this SDN-driven security analysis technique Software Defined Monitoring (SDM). In SDM, the SDN switches act as the packet-handling devices, while the controller acts as the monitoring and analysis device.
Using SDN for security monitoring and packet analysis
First, cheaper commodity programmable SDN switches from vendors such as IBM, Juniper, HP, and Arista Networks can replace expensive packet analysis appliances. As in Microsoft's use case, a large number of individual connections and flows are aggregated and sent to several secure packet capture and analysis platforms. A first tier of switches captures and forwards packets, and second- (or third-) tier devices terminate the first tier's monitoring ports. These switches can also aggregate traffic and send flows and statistics to other monitoring devices and platforms.
SDN controllers that support OpenFlow (and preferably sFlow), such as the Big Switch controller, can program and manage multiple SDN-compatible switches. On top of the controller, a security monitoring stack product such as Big Switch's Big Tap lets engineers program finer-grained filtering and port allocation, reproducing the traditional traffic distribution (tap aggregation) function on the SDN switch.
In this environment, multiple tiers of packet analysis tools can receive traffic from SDM ports. An SDM port can be connected to hardware tools, such as packet analysis appliances and network detection devices, or to software-based protocol analyzers such as Wireshark.
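To make the filter and port-allocation function concrete, here is an added example (not code from the article, and not Big Tap's own implementation) that renders an SDM tap switch's policy as plain OpenFlow entries in ovs-ofctl syntax. The bridge name, port numbers, and filters are constructed for illustration; "filter ports" are the ingress ports fed by SPAN sessions or taps, and "tool ports" lead to the analyzers.

```python
"""OpenFlow rules for a Software Defined Monitoring (SDM) tap switch.

Added example; not the article's code nor a vendor product. Port numbers,
bridge name and filters are assumptions invented for illustration, and the
rendered commands use ovs-ofctl syntax as one concrete way to program an
OpenFlow switch.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Filter:
    """A traffic filter and the tool ports that should receive its matches."""
    name: str
    match: str              # ovs-ofctl match fields, e.g. "tcp,tp_dst=80"
    tool_ports: list[int]   # delivery ports leading to analyzers
    priority: int = 100     # OpenFlow picks only the highest-priority match


@dataclass
class TapSwitch:
    bridge: str
    filter_ports: list[int]                 # ingress: SPAN / TAP feeds
    filters: list[Filter] = field(default_factory=list)

    def flows(self) -> list[str]:
        """Render the rule set: one entry per (filter port, filter), followed by
        a priority-0 default that drops anything no tool asked for, so captured
        traffic is never forwarded anywhere it was not explicitly allocated."""
        rules = []
        for fp in self.filter_ports:
            for f in self.filters:
                outs = ",".join(f"output:{p}" for p in f.tool_ports)
                rules.append(
                    f"priority={f.priority},in_port={fp},{f.match},actions={outs}")
        rules.append("priority=0,actions=drop")
        return [f'ovs-ofctl add-flow {self.bridge} "{r}"' for r in rules]

    def tool_feed_map(self) -> dict[int, list[str]]:
        """Which filters feed each tool port; useful for spotting an
        oversubscribed capture host before the rules are pushed."""
        feeds: dict[int, list[str]] = {}
        for f in self.filters:
            for p in f.tool_ports:
                feeds.setdefault(p, []).append(f.name)
        return feeds


def sample_fabric() -> TapSwitch:
    """Constructed example: two SPAN feeds (ports 1 and 2) fanned out to an
    IDS on port 10 and a Wireshark capture host on port 11."""
    return TapSwitch(
        bridge="tap0",
        filter_ports=[1, 2],
        filters=[
            Filter("web", "tcp,tp_dst=80", tool_ports=[10, 11], priority=200),
            Filter("dns", "udp,tp_dst=53", tool_ports=[10]),
            Filter("dmz", "ip,nw_dst=203.0.113.0/24", tool_ports=[11]),
        ],
    )


if __name__ == "__main__":
    fabric = sample_fabric()
    for cmd in fabric.flows():
        print(cmd)
    print(fabric.tool_feed_map())
```

Note the priority field: OpenFlow applies only the single highest-priority matching entry, so a packet that matches both "web" and "dmz" above reaches only the tools listed for "web". Overlapping filters therefore have to be ordered deliberately or merged into one entry whose action list names every interested tool port.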
How can SDN security policies defend against network attacks?
SDN can provide advanced network monitoring even in the most complex environments, because the controller and switches can distinguish a wide range of packet attributes. For example, DoS attacks can be blocked or offloaded automatically. SDN can, in fact, defend against many kinds of attack:
1. Flood attacks, such as SYN floods: these attacks consist of a large number of TCP packets with only the SYN flag set. They consume bandwidth and fill the target system's connection queue. An SDN-based virtual switch can act as the first line of defense by matching a specific pattern and applying a threshold on the volume of packets from one or more sources within a given period. The switch can then drop the packets or redirect them to another destination using other techniques and protocols. Most routers and other network platforms lack such fine-grained control.
2. Attacks against specific applications and services: these target web services with very particular HTTP request sequences (using User-Agent strings, special Cookie values, and similar information). SDN devices can identify, log, and drop such requests. Note that OpenFlow match fields cover Ethernet, IP, and transport-layer headers only; recognizing a User-Agent or Cookie value requires the switch to steer the suspect flow to a device that inspects payloads, whose verdict the controller then turns into a drop rule.
3. DDoS attacks against protocol behavior: these attacks fill a device's state tables, but SDN devices can recognize them from the flow sequence and enforce connection limits.
In addition, SDN can emulate many basic firewall functions. The controller can run scripts and commands that quickly push updated MAC-, IP-, and port-based filters, so it can respond to events and update traffic policies and rules rapidly. It also relieves other network devices of having to process large volumes of unwanted traffic.
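The SYN-flood threshold defense described in item 1 and the rapid filter updates described just above fit together in one piece of controller-side logic. The following is an added example, not code from the article or from any controller product: it keeps a sliding-window count of SYN-only packets per source from packet-in events (constructed inline) and, once a source crosses the threshold, emits a mitigation entry in ovs-ofctl syntax, which is assumed here as one concrete way to program an OpenFlow switch. The bridge name, threshold, window, and addresses are assumptions for illustration.

```python
"""Controller-side SYN-flood detection with OpenFlow mitigation rules.

Added example, not the article's or any vendor's code. Packet-in events,
addresses, threshold and window are constructed for illustration; the
emitted commands use ovs-ofctl syntax as one concrete way to program an
OpenFlow switch.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class PacketIn:
    """Minimal view of a packet the switch punted to the controller."""
    ts: float          # seconds
    src: str           # IPv4 source address
    dst: str
    dport: int
    flags: frozenset   # TCP flag names, e.g. frozenset({"SYN"})


def is_syn_only(pkt: PacketIn) -> bool:
    """True for the bare SYN that a flood consists of (SYN set, ACK clear)."""
    return pkt.flags == {"SYN"}


class SynFloodGuard:
    """Sliding-window counter of SYN-only packets per source.

    When a source sends more than `threshold` SYN-only packets within
    `window` seconds, a flow entry is pushed: drop by default, or redirect
    to a scrubbing port if one is configured.
    """

    def __init__(self, threshold: int, window: float, bridge: str = "br0",
                 scrub_port: int | None = None):
        self.threshold = threshold
        self.window = window
        self.bridge = bridge
        self.scrub_port = scrub_port
        self._syns: dict[str, deque] = defaultdict(deque)
        self.blocked: set[str] = set()
        self.rules: list[str] = []

    def observe(self, pkt: PacketIn) -> str | None:
        """Feed one packet-in; return the rule pushed, if any."""
        if pkt.src in self.blocked or not is_syn_only(pkt):
            return None
        q = self._syns[pkt.src]
        q.append(pkt.ts)
        # Expire timestamps that fell out of the window.
        while q and pkt.ts - q[0] > self.window:
            q.popleft()
        if len(q) > self.threshold:
            rule = self.mitigation_rule(pkt.src)
            self.blocked.add(pkt.src)
            self.rules.append(rule)
            return rule
        return None

    def mitigation_rule(self, src: str) -> str:
        """Flow entry matching SYN-only TCP from src.

        tcp_flags=+syn-ack matches SYN set and ACK clear, so established
        connections from the same source keep flowing; idle_timeout lets the
        entry age out once the flood stops.
        """
        action = f"output:{self.scrub_port}" if self.scrub_port else "drop"
        match = f"priority=200,tcp,nw_src={src},tcp_flags=+syn-ack"
        return (f'ovs-ofctl add-flow {self.bridge} '
                f'"{match},idle_timeout=60,actions={action}"')


def sample_traffic() -> list[PacketIn]:
    """Constructed packet-in stream: one flooding source sends 50 bare SYNs
    in half a second, while a legitimate client completes a handshake."""
    pkts = [PacketIn(0.01 * i, "198.51.100.7", "192.0.2.80", 443, frozenset({"SYN"}))
            for i in range(50)]
    pkts += [PacketIn(0.05, "192.0.2.10", "192.0.2.80", 443, frozenset({"SYN"})),
             PacketIn(0.06, "192.0.2.10", "192.0.2.80", 443, frozenset({"ACK"})),
             PacketIn(0.07, "192.0.2.10", "192.0.2.80", 443, frozenset({"ACK", "PSH"}))]
    return sorted(pkts, key=lambda p: p.ts)


def run_demo() -> SynFloodGuard:
    guard = SynFloodGuard(threshold=20, window=1.0)
    for pkt in sample_traffic():
        guard.observe(pkt)
    return guard


if __name__ == "__main__":
    for rule in run_demo().rules:
        print(rule)
```

The threshold applies per source, so a single legitimate client that opens a few connections is never affected, and the entry is keyed on SYN-without-ACK rather than on the whole source address, which is the "specific pattern" the text refers to. On a real deployment the controller would push the entry through its OpenFlow session rather than shell out to ovs-ofctl, but the match and action are the same.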
The functions described above are the most basic SDN security capabilities. Because SDN can process more traffic and match specific packet attributes, network security analysis built on it can go beyond basic packet filtering and DDoS detection, and is likely to support more advanced intrusion detection and incident response as well.