Advancing the Network through SDN and NFV

Issue link: https://hub.radisys.com/i/859786

FierceWireless, May 2014

SDN: Feeling a Bit Insecure

By Tammy Parker

Security attacks today are multifaceted and involve multiple components. SDN could make networks more vulnerable, but it could also make it easier for the industry to respond to attacks.

Ensuring networks are secure in a virtualized world is not necessarily more difficult than protecting legacy networks, but it is different. While some observers contend software-defined networking could make networks more vulnerable to attack, it also appears that SDN may make identifying and responding to attacks easier.

As mobile operators shift from proprietary hardware solutions to more standard servers and software, which are IP-based, they become exposed to a full range of threats--including malware propagation, man-in-the-middle attacks, denial-of-service (DOS) attacks and numerous other application-level and network-level attacks--just like any cloud provider or Internet service provider, said Ron Meyran, director of security solutions at network security specialist Radware.

"SDN is really a new way to manage network elements, and it's all based on this idea of central control," said enterprise security specialist Robert Hinden, who is a Check Point fellow at Check Point Software, which provides security solutions for enterprises and consumers. "This also creates security problems because if you compromise the controller…you don't have to attack the network elements separately. You can just attack one and do whatever you want to the network," he added.

Dan Joe Barry, vice president of marketing at Napatech, stresses that virtualization is only one piece of the security puzzle. "It's not so much SDN and NFV (network functions virtualization) themselves that expose security issues because the fact of the matter is that security attacks today are usually multifaceted and involve multiple components as well. So it's not just one attack; it's a combination of attacks at different points in the network in order to bring down your defenses," he said.

Nonetheless, Hinden feels the SDN architecture is lacking in that security is not structurally addressed. "They've done things such as using SSL to talk between a controller and particular node so that data is encrypted. But SSL certainly has a lot of weaknesses," he said, citing, for example, the problems caused by the SSL-based Heartbleed bug. "The man-in-the-middle attack with SSL is so common people now call it a product feature," Hinden joked.

"People need to understand that [with SDN] you're putting all of your trust into a single system, and you have to make sure that you have ways of verifying that it's doing what you want it to do," he added. To that end, Hinden suggests the SDN architecture should include a security system that validates what a controller is doing every time it goes to push out a policy.

SECURITY STARTS WITH AWARENESS

Because telcos are just starting to dabble in SDN, security is not their primary focus. "Today the main focus is about fighting the competition, recruiting more users onto their fast-growing networks and delivering faster applications to the market. Always we see that security is a secondary issue," Meyran said.

Gaining real-time insights into the network is the first step in enabling a carrier to "react and call into action all of those capabilities of SDN and NFV that we've been talking about," said Barry, whose company markets network analysis adapters that are designed for installation in commercial off-the-shelf (COTS) servers. According to Barry, monitoring network and service usage in real time and detecting anomalies makes it possible to react to unexpected situations.

Meyran also says security begins with real-time awareness of what is happening in the network, so deviations from normal traffic patterns can be identified. One benefit of SDN is that instead of just hosting a security solution in the network and then building logic above it, SDN enables the security solution to become part of the network. "SDN is not only about automation, ease of use, provisioning and reducing costs, but it also enables a network operator to perform operations in seconds that before would take minutes or even hours to do," Meyran said.

For example, in a legacy network, DOS protection requires a carrier to build a security center and deploy hardware-based protection devices that collect network statistics. When there is a problem, the carrier diverts traffic using tunneling--such as sending Multiprotocol Label Switching (MPLS) packets over generic routing encapsulation (GRE) tunnels--and border gateway protocol (BGP) route injection.

ATTACKS CAN BE MITIGATED ON THE FLY

With SDN, however, a carrier can simply gather OpenFlow statistics from SDN-enabled switches and routers, use a software-based SDN application to collect network statistics from the data plane, compare normal traffic flows to abnormal ones and, thus, identify attacks. In the event of an attack, traffic can be diverted to a mitigation device. In fact, security services can be allocated to mitigation devices on the fly, no matter where they are located. By using native SDN services, this approach lowers the operational costs involved with traffic diversion, Meyran said.

Despite progress in such approaches, there is still much to learn about SDN's security vulnerabilities as well as the ways it can be employed to actually beef up security. "In a lot of ways, SDN is still a work in progress," Hinden said. But he added that security is one issue that organizations of any size need to address "before they decide to go completely redo their networks."
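The detect-and-divert loop Meyran describes, plus the independent rule check Hinden asks for, as an added illustration that is not from the article or from any of the vendors quoted: the flow-stats records, the mitigation port number and the z-score threshold are all constructed assumptions, and the rule dictionaries only mimic the shape of an OpenFlow match/action pair.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

MITIGATION_PORT = 9  # assumed switch port of the scrubbing device (constructed value)

@dataclass
class FlowStat:
    """One entry of an OpenFlow flow-stats reply (constructed, heavily simplified)."""
    dst_ip: str
    packet_count: int
    duration_sec: int

    @property
    def pps(self) -> float:
        return self.packet_count / max(self.duration_sec, 1)

def baseline(samples):
    """Mean and population std-dev of packets/sec over normal-traffic polls."""
    rates = [s.pps for s in samples]
    return mean(rates), pstdev(rates)

def detect_anomalies(current, mu, sigma, k=3.0):
    """Flows whose rate exceeds mean + k*sigma: a simple z-score deviation rule."""
    return [s for s in current if s.pps > mu + k * sigma]

def diversion_rule(flow, priority=1000):
    """OpenFlow-style match/action steering the attacked destination to mitigation."""
    return {"match": {"eth_type": 0x0800, "ipv4_dst": flow.dst_ip},
            "priority": priority,
            "actions": [{"type": "OUTPUT", "port": MITIGATION_PORT}]}

def validate_rule(rule, justified_ips):
    """Independent check before a rule is pushed (Hinden's point): it may only
    send traffic to the scrubber, and only for a destination the detector flagged."""
    scrubber_only = all(a == {"type": "OUTPUT", "port": MITIGATION_PORT}
                        for a in rule["actions"])
    return scrubber_only and rule["match"]["ipv4_dst"] in justified_ips

def react(normal, current):
    """Baseline -> detect -> build rules -> validate; returns the rules safe to push."""
    mu, sigma = baseline(normal)
    flagged = {f.dst_ip for f in detect_anomalies(current, mu, sigma)}
    rules = [diversion_rule(f) for f in current if f.dst_ip in flagged]
    return [r for r in rules if validate_rule(r, flagged)]

# Constructed stats: five normal polls of ~100 pps, then a poll with a 500 pps flood
NORMAL = [FlowStat("10.0.0.5", n, 10) for n in (1000, 1100, 900, 1050, 950)]
CURRENT = [FlowStat("10.0.0.5", 5000, 10), FlowStat("10.0.0.6", 1150, 10)]
```

Running react(NORMAL, CURRENT) yields a single rule that redirects 10.0.0.5 to the scrubber; a rule for the unflagged 10.0.0.6, or one whose action is anything other than output to the mitigation port, is rejected by validate_rule.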
