By Davitt Potter
Sr. Engineering Manager, Cybersecurity
Out with the old, in with the new. When it comes to data center security, the old ways no longer work. So now is the time to start making a new plan with software defined security.
Since the early days of the internet, security has been a major concern for enterprise networks. But today’s movement toward software defined makes network design and security a whole new animal. And with all these changes, things could slip through the cracks and security holes may open up unnoticed.
How Network Security Used to Work
The traditional way to deal with a potential security threat was to block network access. Businesses would build a hardened outer barrier around the data center and try to identify the threats with upper-level tools that block traffic at the lower layers. So major coordination was required between the software running on top of the physical network devices.
In the past couple of years, hackers have started using new technological advances that poke holes in that barrier. They can now bypass the lower security layers and wind their way into the upper layers where data exchanges happen. As a result, today’s software defined networks are moving away from relying on the old lower level hardware.
How Network Security Works Now With Software Defined SecurityWith today’s software defined network technologies, the controller can separate the data from the traffic flow using various paths in the network without struggling with limitations from the physical hardware devices and their proprietary software applications. The data traffic moves in different patterns, too. And instead of moving from user to data center, it just moves within the data center.
In the past, 70-80% of a company’s traffic flowed over the network, and about 20-30% moved within the data center. Now, these numbers have been reversed as a result of converged architectures and virtualization. So, as you can see, things are quite different now – the threats are growing and it’s time do something quick.
What Kind of Threats Are Out There?
- External Threats – Hackers are getting more sophisticated and constantly trying to breach networks where they do not belong. In the past, firewalls, intrusion-detection/prevention systems and deep packet inspections would keep data safe. But not anymore. With SDN, new variables were introduced by running virtual connections over existing infrastructures. As a result, SDN networking infrastructure and security apps must understand encapsulated traffic and accurately inspect it, as well as de-capsulate the traffic to virtual LANs for context.
- Internal Threats – This is a growing problem that is extremely complex, because of the huge volumes of information that are constantly moving between an enterprise’s virtual machines. This data flow is moving at incredible speeds, and traditional tools often cannot keep up. But with SDNs, controllers can define the performance and behavior of a network based on the apps running on it. As a result, SDN security policies don’t need to be tied to the infrastructure; security zones can be de-coupled from the physical plane; and networks can be programmatically defined, changed, moved and decommissioned via automated rules, runbooks or certain events/system needs, such as capacity planning, business continuity/disaster recovery, etc. Internal threats are not limited to only data center machines, because infected desktops, laptops and mobile devices have already bypassed your external defenses.
7 Steps to Building an SDN Security System
- If you don’t already have a solid security policy in place, then you need to develop a deep understanding of your overall network traffic before any deployment can be successful. Ask yourself these questions: What do I want my security plan to look like? What do I need to protect? What information is the most important?
- Discover where your critical data lives. Do you know what servers it moves between and what ports, protocols, and applications are in use? Do you have this documented? If not, it’s time that you start.
- Next, you will need to build a software-based security infrastructure for your SDN network. Define your zones – database servers, web servers, internal trusted machines, guest networks – and plan a security policy for these “zones” of defense.
- Have you considered your SSL traffic? Since there isn’t anything to monitor these new exchanges, you must also upgrade your existing security system to support an open protocol. Virtual and physical monitoring is important. Intra-VM traffic needs inspection, too. This is a blind spot in many organizations.
- You must also consider enabling automated remediation security services or, at the very least, enabling systems that alert across many controllers, network infrastructure devices and security appliances. This is a major component of a mature SDN security system. Understanding VXLAN, GRE and other SDN-related protocols can be a sticking point for some deployments. These will be exposed in your planning stages.
- Find the right tool to help you set up your SDN security system and meet the needs of your business. For example, some will help you rapidly design openflow-enabled security modules. Some will prototype more complex security services. And some provide solutions for detecting advanced persistent threats, malware propagation and insider attacks. Also, leverage existing knowledge, best practices and vendor resources where possible.
- SDNs should plan for internal segmentation or “east-west” traffic mitigation, as well. Consider isolating departments via software-based firewalls or access controls. As yourself: Do the people in marketing really need to be scanning your SQL servers? Defense in depth is still a tried-and-true methodology – and SDN now makes it achievable without a complete network overhaul.
Arrow Can Get You Started With Software Defined Security
With software defined security, a business can create more sophisticated and automated security configurations with systems programmed to automatically monitor traffic patterns, identify anomalies and remediate potential problems before they occur. So, what are you waiting for?
Contact your Arrow representative today to learn how to get started with software defined security.
Last modified: September 26, 2019