Your old security model is broken — will SDN save it, or smash it completely?

starfishSometimes the blindingly obvious is just too big and close to see clearly. The recent report by the BBC that the European Union’s law enforcement agency Europol has warned people not to use public Wi-Fi for online banking and other sensitive data will have instantly sparked from many of us a response along the lines of “Well, duuuh…”

Yet many organizations, especially small and medium-sized ones, are still operating wireless access points tied directly into the trusted network. And as the equally wireless Internet of Things — or as Cisco aptly puts it, the Internet of Everything — finally takes off, the problem is set to get worse, not better.

It all points to an organizational shift with a less than snappy name: deperimeterization. Essentially, where our networks used to be inside homes, offices and organizations, so they had physical perimeters and we could control access by putting in network firewalls, locking the doors and so on, that is no longer the case. Too much now is too connected outside its home network, whether it be the CEO’s iPad, the finance director’s webmail account or her Bluetooth-enabled fridge. It is even your Wi-Fi-enabled car.

All of these things are now within reach of the baddies, and if they are connected into your trusted network, then so is everything else — and that is going to break a lot of traditional assumptions.

So now the focus must change. Instead of watching for known threats, as a firewall does, or known bad behavior, like an intrusion detection/prevention system (IDS/IPS), we need to do more. In particular we need to ask the question: if this device was compromised, would it behave differently and if so, how? Some of us already ask this of some of our IT gear — one name for this is network behaviour analysis, or NBA — but now we need to ask it of a whole lot more devices in many more places.

Wireless security is essential too. With growing workplace mobility and the recent ratification of the IEEE 802.11ac spec for high-speed Wi-Fi, even the most reticent and risk-averse organizations are starting to make the switch from all-wired to at least partly wireless. Add the revelations of widespread spying (both targeted and untargeted) by the NSA, GCHQ, DGSE, the PLA, Uncle Tom Cobley and all, and wireless security should be at the top of your agenda.

Could SDN, software defined networking, be the piece that completes the security puzzle? After all, the main reason we talk about deperimeterization is that we are used to having a static physical (or logical) network perimeter, and this is no longer automatically the case.

What we need instead is a network that can create and maintain its own perimeters, boundaries, and containment zones. A network that can change as business circumstances demand and active threats dictate. A network that is dynamic and adaptive, right down to a fine-grained level, and which separates the control and data planes — an SDN, in other words.

The security aspects and opportunities within SDN have not been played up as much as, say, the potential for greater agility, cost savings, and better management. Yet the technology offers the opportunity to create dynamic containment zones that both meet business needs and have a defensive role, even against advanced threats. In essence, it lets you do more than merely block an attack — you could instead implement honeypots, tarpits, quarantines, and more.

Of course it is easier said than done. Many if not all of the necessary security services already exist — SDNs themselves, IDS/IPS, NBA, web application firewalls, etc. — but plumbing them together in a self-organizing and optimizing way will be a non-trivial task. In effect, you are trying to recreate a biological system but with even greater levels of partitioning. It has been suggested that the model is a human body fighting infection or a cancer, but sometimes I wonder if it should really be a starfish discarding and regrowing a leg!

Administrators and network managers will also have to adapt to this new approach to security. They must learn how to set, manage, and enforce security policies that are both dynamic and appropriate at a finely granular level. They will need to know how to use SDN to direct specific traffic flows to those network-based security services — this is how the new virtual perimeter will be created. And they will need to be able to automate much of this while retaining visibility, for example via an intelligent system that reports anomalies.

That looks like a tall order, but it should give a hint of just how broadly disruptive a technology SDN is going to be. Yes, there are security risks to it but the potential advantages are bigger, and anyone ready to surf the disruptive wave should be in for an exciting ride.

Image credit: Clinton & Charles Robertson (flickr)

About the author
Bryan Betts