Some Security Misunderstandings under SDN

Source: Internet
Author: User
Keywords: SDN, security, security misunderstandings
Background: Software-Defined Networking (SDN) restructured how networks work by separating the control plane from the data plane, improving the efficiency of network operation and maintenance. Gartner believes that SDN technology as a whole will reach production use in 5-10 years, and that the OpenFlow protocol, once the only standard for SDN, will reach production use in about 2-5 years. In recent years everyone in the industry mentions SDN whenever they talk about networking. Whether they praise it or disparage it, the undeniable result is that SDN technology has moved from a concept to practical deployments.

When cloud computing first appeared, people had many questions, such as customers' concerns about the privacy of their data in cloud systems, the performance constraints of virtualization, and so on. After the concept of SDN was proposed, a lot of discussion likewise appeared in the industry, and some misconceptions inevitably emerged. This article explains a few of them from the security dimension, in the hope that readers will not fall into these misunderstandings.

Misunderstanding 1: SDN has revolutionized the network, so our traditional security equipment and security solutions cannot be deployed in it.

A customer asks a pre-sales or sales colleague: "We have deployed an SDN environment. Do you have a corresponding security protection plan?"

The colleague thinks: I don't know much about SDN. I only know that SDN is completely different from traditional networking technology and that all the routing protocols have changed. Our security plan, especially the deployment and working mode of the security equipment, is closely tied to the network, so it probably will not work properly.

In fact, once you understand how SDN works, this question disappears. SDN has changed the network architecture: it moved the control plane up, took over the routing protocols that used to run distributed across the network devices, and replaced them with centralized topology, routing and forwarding control. But the externally visible packet processing of the network devices has not changed in any special way. For example, when a TCP packet enters one port of a switch and leaves through another, the packet's header and payload remain unchanged. A security device attaches to a network device as a middlebox or as an endpoint, and it receives and sends the same TCP packets, so its internal processing engine needs no special changes, just as an ordinary server needs no changes to connect to an SDN network. In other words, under normal circumstances ordinary security devices can in theory be deployed directly into an SDN network, no differently than into a traditional network.

Figure 1: The packet passes through the security device unchanged

Of course, one thing to note is that some SDN controllers only support routing, not Layer 2 switching. This mode is a challenge for IDS, IPS and other devices that work at Layer 2. A feasible workaround is to deploy a switch that supports tunnels (such as Open vSwitch) in front of these devices. A GRE tunnel can reach the far end over IP, so the SDN controller can send traffic to the switch's tunnel port; the switch strips the tunnel header from the packet and then forwards it to the security device, so that the Layer 2 device effectively "supports" the tunnel.

Figure 2: Under an SDN controller that only provides routing, a network device with a tunnel can be added as a proxy
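The tunnel workaround just described, as an added example that is not code from the article, from Open vSwitch or from any SDN controller: a Python model of what the tunnel-capable switch does on the path to a Layer 2 security device. It wraps an Ethernet frame in a GRE header (RFC 2784, protocol type 0x6558 for Transparent Ethernet Bridging) plus an outer IPv4 header (RFC 791), then strips both headers again and checks that the frame handed to the security device is byte-for-byte the one that entered the tunnel, which is also the point made under Misunderstanding 1. The MAC addresses, IP addresses and frame contents are constructed for the example.

```python
"""GRE encapsulation/decapsulation by a tunnel-capable switch in front of a
Layer 2 security device.  Added example; not code from the article, Open vSwitch
or any SDN controller.  Header layouts follow RFC 2784 (GRE) and RFC 791 (IPv4);
all addresses and frame contents below are constructed."""
import struct

ETHERTYPE_IPV4 = 0x0800
GRE_PROTO_TEB = 0x6558      # Transparent Ethernet Bridging: GRE payload is a whole Ethernet frame
IPPROTO_GRE = 47
GRE_FLAG_CHECKSUM = 0x8000  # C bit (RFC 2784): checksum + reserved1 present
GRE_FLAG_KEY = 0x2000       # K bit (RFC 2890): key present
GRE_FLAG_SEQ = 0x1000       # S bit (RFC 2890): sequence number present


def ipv4_checksum(header):
    """One's-complement checksum over an IPv4 header (RFC 791); 0 means the header verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encapsulate(frame, outer_src, outer_dst, ttl=64):
    """Sending tunnel endpoint: wrap an Ethernet frame in GRE and an outer IPv4 header."""
    gre = struct.pack("!HH", 0, GRE_PROTO_TEB)  # no C/K/S flags, GRE version 0
    total_len = 20 + len(gre) + len(frame)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, IPPROTO_GRE,
                     0, outer_src, outer_dst)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]  # fill in header checksum
    return ip + gre + frame


def gre_decapsulate(packet):
    """Receiving switch: strip the outer IPv4 and GRE headers and return the inner
    Ethernet frame exactly as sent.  Raises ValueError for anything that is not a
    valid IPv4/GRE/TEB packet, so malformed tunnel traffic is not forwarded onward."""
    if len(packet) < 24 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_GRE:
        raise ValueError("outer protocol is not GRE")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 header checksum")
    total_len = struct.unpack("!H", packet[2:4])[0]
    flags, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if proto != GRE_PROTO_TEB:
        raise ValueError("GRE payload is not an Ethernet frame")
    gre_len = 4
    for flag in (GRE_FLAG_CHECKSUM, GRE_FLAG_KEY, GRE_FLAG_SEQ):
        if flags & flag:          # each optional GRE field is 4 bytes; values are skipped, not verified
            gre_len += 4
    return packet[ihl + gre_len:total_len]


def build_sample_frame():
    """Constructed Ethernet/IPv4/TCP frame standing in for traffic toward a protected server."""
    dst_mac = bytes.fromhex("020000000002")   # constructed, locally administered MACs
    src_mac = bytes.fromhex("020000000001")
    payload = b"GET / HTTP/1.0\r\n\r\n"
    # TCP header: ports, seq, ack, data offset 5, PSH|ACK, window; checksum left 0 (not needed here)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 9]), bytes([10, 0, 0, 5]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp


def demo():
    """Send the frame through the tunnel; return (frame unchanged?, tunnel overhead in bytes)."""
    frame = build_sample_frame()
    on_wire = gre_encapsulate(frame, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    delivered = gre_decapsulate(on_wire)
    return delivered == frame, len(on_wire) - len(frame)


if __name__ == "__main__":
    unchanged, overhead = demo()
    print("frame unchanged after tunnel:", unchanged, "| tunnel overhead bytes:", overhead)
```

The overhead is exactly the 20-byte outer IPv4 header plus the 4-byte GRE header; the IDS or IPS behind the switch sees the original frame and needs no tunnel awareness of its own. The decapsulator rejects packets whose outer header checksum or GRE protocol type is wrong rather than forwarding a half-parsed frame.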


In essence, SDN has not changed network functions in a revolutionary way; it has made them automated and efficient. Once you understand this, you should see that deploying security equipment into an SDN network is entirely feasible.

Misunderstanding 2: Since SDN is only a revolution in networking, it has nothing to do with security, and security vendors do not need to care about it.

When we explained Misunderstanding 1, we mentioned that SDN is a revolution in the network world and will not cause much trouble for the deployment of security equipment and security solutions. Some people will then conclude that the two do not interfere with each other, and that there is no need to worry about the details of SDN technology.

There are two points in this misunderstanding that need to be clarified:

(1) SDN itself has security issues. The availability and implementation of SDN applications and SDN controllers, as well as the security of the northbound and southbound protocols, may carry security risks. Protecting the components of the SDN system is therefore a security mechanism that needs to be considered. This is a big topic, and I can continue to talk about it later.

(2) SDN manipulates network traffic flexibly, and the SDN controller has a global view of the network, which is very beneficial to security management and control systems. If security applications can use SDN's real-time, global insight into and control over the whole network, they can deploy and schedule security resources flexibly, and combined with a software-defined security architecture, a very powerful security operations capability and emergency response mechanism can be established.

For example, for traffic visibility, xFlow can be used for traffic-based anomaly detection, which applies to detecting DDoS attacks and discovering APT activity on the corporate intranet. For traffic scheduling, the ability to quickly adjust routing and forwarding rules can be used to chain multiple security devices on demand (a service chain) and to clean abnormal traffic; with fine-grained flow control, load balancing across a flexibly stacked group of security devices can be achieved; with the natural forwarding plane of the network devices, Layer 2-4 access control can be implemented; and so on.

(3) SDN itself is an agile concept of network operation, which is a good reference for today's security mechanisms and security systems. The concept of software-defined security has also attracted more and more attention in the industry, and of course this too is a very big topic.

It can be said that security is an important application of SDN. At present we can see that most SDN controller vendors are happy to cooperate with security vendors to launch cases that demonstrate how SDN technology accelerates security protection.

Misunderstanding 3: There are no actual cases of security solutions that combine SDN with security.

Now that we have explained Misunderstanding 2, Misunderstanding 3 should not be a big problem. At present there are few cases combining SDN and security, not because the two lack a chemical reaction, but because the development of SDN technology still takes time; after all, there are still relatively few successful cases of SDN itself. However, VMware has announced that the development of NSX has surpassed that of vSphere, and Gartner predicted last year that SDN technology will be implemented in about 5-10 years (OpenFlow in 2-5 years), so we believe that the application of SDN in the security field will arrive even earlier. One example is the application of SDN to denial-of-service defense. Because volumetric denial of service has obvious patterns in its traffic characteristics and can be cleaned by diverting the traffic, SDN technology has a place here, and many friends in the industry are making attempts in this direction.

Radware has integrated a set of anti-DDoS modules and applications on the open source SDN controller platform OpenDaylight (ODL), called Defense4ALL. Its architecture is shown in the figure. There are two main parts: security extensions inside the controller, including a statistics service that receives flow information and a traffic redirection service for cleaning; and independent northbound security applications, including an anomaly detection engine and a manager for traffic cleaning.

Figure 3: Defense4ALL architecture

Brocade's Real-Time SDN Analytics for DDoS Mitigation won the ONS (Open Networking Summit) 2014 IDOL, which is an impressive award. Because ONS is the industry's most influential conference in the field of SDN and NFV, the ONS IDOL award best reflects the directions that can drive the industry forward.

Through virtualization technology, cloud computing systems can prepare computing, storage and network resources in a relatively short time, while SDN technology can flexibly adjust traffic so that services can be brought online together. SDN therefore has natural advantages in cloud computing and virtualization scenarios, and OpenStack+OpenDaylight and VMware vSphere+NSX are both applications of these scenarios. But concluding from this alone that SDN is only suitable for cloud computing scenarios would be somewhat biased. Leaving aside that most of the anti-DDoS requirements in Misunderstanding 3 are in traditional physical networks, the software-defined BYOD security protection system we built is a good example. Through a combination of hardware and software SDN switches, wireless access can be deployed flexibly in a traditional IT environment to achieve unified identity authentication and identity-based access control, which is more flexible than the traditional NAC approach, and it gives very good management results for enterprises with shadow IT and mixed IT environments.

Figure 4: Access control in a BYOD environment; the SDN switch in the middle is a hardware device and the OVS bridge on the right is a software device
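The two security applications the article describes, the Defense4ALL-style pipeline (statistics service, anomaly detection engine, redirection toward a cleaning device) and the identity-based access control of the BYOD system, share one building block: a controller that pushes priority-ordered match/action rules into a flow table. The following Python model, added here as an example and not code from the article, Defense4ALL, OpenDaylight or any product, shows both on top of the same toy flow table. The port numbers, thresholds, MAC and IP addresses and the xFlow-like records are all constructed; rule fields only mirror OpenFlow match/action concepts, not a real controller API.

```python
"""Toy SDN security controller: flow statistics -> anomaly detection -> redirect rule,
plus identity-based access control for BYOD clients.  Added example, not code from
the article, Defense4ALL, OpenDaylight or any product.  Rule fields mirror OpenFlow
match/action concepts; port numbers, thresholds, addresses and flow records are constructed."""
from collections import defaultdict
from dataclasses import dataclass

PORT_NORMAL = 1       # hypothetical uplink toward the protected servers
PORT_SCRUBBER = 9     # hypothetical port where the traffic-cleaning device is attached
ANOMALY_FACTOR = 5    # flag a destination at more than 5x its baseline (constructed threshold)
MIN_PACKETS = 1000    # ignore small flows even if they exceed the factor (constructed threshold)


@dataclass
class FlowRule:
    priority: int
    match: dict      # header fields that must all equal the packet's, e.g. {"ip_dst": "10.0.0.5"}
    action: str      # "output:<port>" or "drop"


class FlowTable:
    """Priority-ordered, first-match table with the shape of an OpenFlow flow table."""

    def __init__(self):
        self.rules = []

    def add(self, rule):
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.priority, reverse=True)

    def lookup(self, pkt):
        for rule in self.rules:
            if all(pkt.get(k) == v for k, v in rule.match.items()):
                return rule.action
        return "drop"  # table miss: constructed default (real tables often punt these to the controller)


def stats_service(records):
    """Statistics service: aggregate xFlow-style records into packets per destination IP."""
    per_dst = defaultdict(int)
    for rec in records:
        per_dst[rec["ip_dst"]] += rec["packets"]
    return dict(per_dst)


def anomaly_engine(per_dst, baseline):
    """Anomaly engine: destinations whose volume is far above their learned baseline."""
    return sorted(dst for dst, count in per_dst.items()
                  if count >= MIN_PACKETS and count > ANOMALY_FACTOR * max(baseline.get(dst, 0), 1))


def redirect_to_scrubber(table, dst):
    """Manager step: divert everything bound for dst through the cleaning device."""
    table.add(FlowRule(100, {"ip_dst": dst}, f"output:{PORT_SCRUBBER}"))


def install_identity_acl(table, mac, authenticated):
    """Identity-based access control for a BYOD client, keyed on its source MAC."""
    if authenticated:
        table.add(FlowRule(60, {"eth_src": mac}, f"output:{PORT_NORMAL}"))
    else:
        # an unauthenticated client may only obtain an address (DHCP) and resolve names (DNS)
        table.add(FlowRule(60, {"eth_src": mac, "udp_dst": 67}, f"output:{PORT_NORMAL}"))
        table.add(FlowRule(60, {"eth_src": mac, "udp_dst": 53}, f"output:{PORT_NORMAL}"))
        table.add(FlowRule(55, {"eth_src": mac}, "drop"))


def build_demo_table():
    """Wire the pieces together on constructed input; returns (table, flagged destinations)."""
    table = FlowTable()
    table.add(FlowRule(10, {}, f"output:{PORT_NORMAL}"))  # default: plain forwarding

    # constructed xFlow-like records for one reporting interval
    records = [
        {"ip_src": "198.51.100.7", "ip_dst": "10.0.0.5", "packets": 4000},
        {"ip_src": "198.51.100.8", "ip_dst": "10.0.0.5", "packets": 3500},
        {"ip_src": "203.0.113.2", "ip_dst": "10.0.0.6", "packets": 120},
    ]
    baseline = {"10.0.0.5": 800, "10.0.0.6": 150}  # constructed per-interval baselines
    flagged = anomaly_engine(stats_service(records), baseline)
    for dst in flagged:
        redirect_to_scrubber(table, dst)

    install_identity_acl(table, "02:00:00:00:00:01", authenticated=True)
    install_identity_acl(table, "02:00:00:00:00:02", authenticated=False)
    return table, flagged


if __name__ == "__main__":
    table, flagged = build_demo_table()
    print("flagged destinations:", flagged)
    for pkt in ({"eth_src": "02:00:00:00:00:01", "ip_dst": "10.0.0.5", "tcp_dst": 80},
                {"eth_src": "02:00:00:00:00:01", "ip_dst": "10.0.0.6", "tcp_dst": 80},
                {"eth_src": "02:00:00:00:00:02", "ip_dst": "10.0.0.6", "udp_dst": 53},
                {"eth_src": "02:00:00:00:00:02", "ip_dst": "10.0.0.6", "tcp_dst": 80}):
        print(pkt, "->", table.lookup(pkt))
```

Two design points carry over to real deployments. The redirect rule has the highest priority, so while a destination is under attack its traffic goes to the cleaning device regardless of which per-client rules exist; and the unauthenticated client's catch-all drop sits just below its DHCP and DNS exceptions, which is how a flow table expresses "deny everything except" without the order of insertion mattering. A real anomaly engine would learn the baseline per interval and time out the redirect once the volume returns to normal, which this toy omits.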

Conclusion

In conclusion, SDN is developing fast. On the one hand, current security mechanisms can be deployed normally in an SDN environment; on the other hand, SDN technology also opens up a lot of room for imagination in security protection mechanisms. I hope this article helps, so that when you discuss security solutions in the new network environment you will have no worries and can experiment boldly.