13 March 2017
Blogs by author: Sam Cater, Future Cyber Capabilities Specialist, BT.
The development of SDN in recent years has made it an incredibly useful technology, but it comes with an unfortunate side-effect…
How SDN works.
A software-defined network (SDN) is essentially a TCP/IP stack which is driven by a software application as opposed to the operating system’s kernel. The traditional and software-defined stacks operate simultaneously, with the traditional IPv4 network handled by the underlying OS kernel, and the software-defined networking occurring at a higher layer in the OSI stack. The SDN connection piggybacks on the traditional connectivity.
Typically, these SDNs utilise a central controller which initialises and manages the nodes in the network, orchestrating peer-to-peer connections with each other across the virtual networks.
Why these networks are so useful.
It’s amazing technology which, while not new, has been pioneered and developed heavily over the last few years — particularly with the rise of agile networks within cloud computing infrastructures. Their usefulness comes from a number of features:
◾Full encryption between all nodes (usually by default).
◾Limitless networks with huge numbers of hosts in them, and an arbitrary number of interfaces on each host.
◾An Application Programming Interface (API) exists to direct the controller’s actions. The human element of the network is removed. There is no need for people to move around datacentres plugging in cables and switches to adjust deployments. Everything is always connected and always ready. The new world of datacentre designs uses software to tell the computers to join and leave networks. This design is used as a huge enabler in AWS and Azure.
◾The point-to-point nature of SDN means any machine can connect to another, at any time.
◾It’s easy and there are already free open-source solutions (ZeroTier One being a personal favourite).
The other side of the sword.
Unfortunately, as with any new technology, there are downsides along with the upsides.
As they stand today, it’s my personal opinion that SDN is one of the biggest threats to our existing security landscape, but not because the technology is inherently vulnerable, subversive or malicious. On the contrary, I think it’s a wonderful new tool which solves so many problems in today’s connected world. The threat comes from the point-to-point encrypted nature and that arbitrary connections will make traditional firewalls and Intrusion Detection Systems/Intrusion Prevention Systems (IDS/IPS) far less effective.
Since all traffic is encrypted and peer-to-peer with external and internal hosts, how can traffic be filtered and inspected? Most firewalls utilise stateful inspection of packets and once the outbound stream to the SDN controller is established, any peer-to-peer connections will come back in on the encrypted channel. This is permitted by the firewall without question due to the existing open session which was initialised in the outbound direction.
What can be done in the meantime?
SDN and a related technology — network function virtualisation — are not going to go away. It is too well refined and useful for people to simply discard or attempt to reinvent with enterprise security involved as a design construct. Instead innovation and research need to be directed towards finding a solution that can empower existing network security technology without impeding the existing progress and benefits of SDN.
A temporary solution to businesses that wish to rule out the SDN risk would be to block the domain names of known SDN providers and communication ports. However as with most modern filtering on the Internet, this can only ever be a temporary fix. Fast-flux DNS or self-hosted controllers can attempt to circumvent such restrictions.