The growth of cloud computing and the rise of the mobile workforce means more data is flowing beyond enterprise walls.
Not just in highly regulated industries but in every industry today, businesses have concerns about data security and privacy, as well as the ability to defend critical information from the eventuality of an attack. Critical to this work is the IT stack being able to identify, assess and adapt with less human intervention.
Software-defined networks (SDNs) can play a vital role in enabling this capability. Architecturally, they separate the command and control plane from the data plane – i.e., they separate the management function from the data-carrying function of the network. This is a breakthrough difference from traditional networks.
In traditional networks, the management function is fully distributed across many autonomous switches with varying programming capabilities, ranging from command line interfaces to proprietary APIs from multiple vendors. The fully distributed and autonomous nature of traditional networks results in increased complexity, a narrow, localized view of resources and low utilization of available links.
Historically, the traditional network mimicked the Internet architecture and the client-server computing model, solving for resiliency and “best efforts” forwarding, rather than addressing deep operational efficiency, manageability, cost, governance and security requirements for enterprise-class networks.
SDNs’ architectural approach provides the means to centrally manage the programming of the switches with dynamic and granular flows. The approach uses APIs, coupled with the added benefit of a bird’s-eye view of global network resources, to determine the best routes and to improve the utilization of all available network links.
The OpenFlow protocol standardizes the communication between the control plane and the switches residing in the data plane, providing a consistent open source and open standards approach to network management. This is critical for data security and privacy because it avoids costly proprietary implementation, simplifying the network estate and aiding in creating a framework for better network capabilities from all vendors.
SDN greatly simplifies the network estate by enabling the consolidation of network policies, governance rules and global control in a programmable model, which in turn improves the overall operational security of the network.
Improving firewall migration
One example is the operational improvement SDNs bring to perimeter security during a firewall cluster migration.
Migrating to a new firewall is challenging. It requires extensive planning and experienced resources to ensure the new firewalls are properly configured and functioning. While most of the IT effort is spent analyzing the firewall rules, understanding the semantic relationships and implementing change management in an IT Service Management framework, SDN can provide additional support.
That is because SDN is fundamentally about managing flows. An OpenFlow switch can front-end a battery of legacy firewalls, which can be programmed by an SDN controller to migrate rules incrementally in subsets to the new platform. Powered by software constructs, these newly migrated rules can be further tested, versioned and rolled back if needed.
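The incremental migration described above, as an added example that is not from the original article or any CSC product: a toy SDN controller keeps a version history of which firewall cluster each rule's traffic is steered to, migrates rules in subsets, checks the new platform's verdicts against the legacy ones, and rolls back automatically on a mismatch. Port numbers, rule matches and verdict tables are constructed for the example; the OpenFlow-style match is reduced to three fields.

```python
"""Constructed simulation of an SDN controller migrating firewall rules in subsets.

An OpenFlow-style switch sits in front of a legacy firewall cluster and a new one.
Each migration step steers the flows matched by a subset of rules to the new
platform, records a version snapshot, and can be rolled back if verification fails.
"""
from dataclasses import dataclass

LEGACY_PORT = 1  # switch output port toward the legacy firewall cluster (constructed)
NEW_PORT = 2     # switch output port toward the new firewall cluster (constructed)


@dataclass(frozen=True)
class Match:
    """Minimal OpenFlow-style match: enough to identify one firewall rule here."""
    src: str
    dst: str
    dport: int


class MigrationController:
    """Toy controller deciding, per matched flow, which firewall cluster sees it."""

    def __init__(self, rules):
        # Every rule starts on the legacy cluster; version 0 is that baseline.
        self.table = {m: LEGACY_PORT for m in rules}
        self.versions = [dict(self.table)]

    def output_port(self, match):
        # Unknown traffic stays on the legacy cluster until explicitly migrated.
        return self.table.get(match, LEGACY_PORT)

    def migrate_subset(self, subset):
        """Steer the given rules to the new cluster and snapshot the result."""
        for m in subset:
            if m not in self.table:
                raise KeyError(f"no such rule: {m}")
            self.table[m] = NEW_PORT
        self.versions.append(dict(self.table))
        return len(self.versions) - 1

    def rollback_to(self, version):
        """Restore an earlier snapshot and discard everything after it."""
        self.table = dict(self.versions[version])
        del self.versions[version + 1:]

    def migrated(self):
        return sorted((m for m, p in self.table.items() if p == NEW_PORT),
                      key=lambda m: (m.src, m.dst, m.dport))


def migrate_with_verification(ctrl, subset, legacy_verdict, new_verdict):
    """Migrate a subset, then confirm the new platform gives the same allow/deny
    verdicts as the legacy one. Any mismatch rolls the table back to the previous
    version and the offending rules are returned for the engineer to inspect."""
    before = len(ctrl.versions) - 1
    ctrl.migrate_subset(subset)
    mismatches = [m for m in subset if legacy_verdict[m] != new_verdict.get(m)]
    if mismatches:
        ctrl.rollback_to(before)
    return mismatches


# Constructed rule set and verdict tables (assumed, not from any real deployment).
RULES = [
    Match("10.0.1.0/24", "10.0.9.10", 443),
    Match("10.0.1.0/24", "10.0.9.11", 22),
    Match("10.0.2.0/24", "10.0.9.12", 3306),
]
LEGACY_VERDICT = {RULES[0]: "allow", RULES[1]: "deny", RULES[2]: "allow"}
# The new platform was mis-configured for the database rule: a constructed mismatch.
NEW_VERDICT = {RULES[0]: "allow", RULES[1]: "deny", RULES[2]: "deny"}


def demo():
    """Migrate the web/SSH rules (clean), then the DB rule (fails and rolls back)."""
    ctrl = MigrationController(RULES)
    first = migrate_with_verification(ctrl, RULES[:2], LEGACY_VERDICT, NEW_VERDICT)
    second = migrate_with_verification(ctrl, RULES[2:], LEGACY_VERDICT, NEW_VERDICT)
    return ctrl, first, second


if __name__ == "__main__":
    c, ok, bad = demo()
    print("migrated:", c.migrated())
    print("rolled back:", bad, "-> DB rule now on port", c.output_port(RULES[2]))
```

The point of the version list is that each subset is a discrete, reversible change: the controller never has to touch the rules that already passed verification when a later subset fails.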
When it comes to threat detection and prevention, an SDN combined with in-line analytics provides powerful support for identifying and remediating security risks.
Visibility fabrics with taps and collectors are challenged by their limited scope of data sampling, isolation from the control plane and their reliance on manual labor to diagnose and remediate issues. But SDNs can use analytics to identify risks and take action with preprogrammed mitigation plans that immediately take effect. Mitigation plans may include forwarding the traffic to a more specialized Intrusion Detection System (IDS), blocking or throttling suspicious traffic on a particular port, or even provisioning additional resources to deal with the threat while notifying the Security Operations Center (SOC) staff.
Using forensics capabilities to examine the history and logs of network flows, an SDN can implement infrastructure changes. And since SDN applications can also receive events from outside the network, they can integrate with other systems to realize truly integrated end-to-end security. For example, they can execute a network remediation plan or a lock-down if the physical security is breached.
Furthermore, when wired and wireless LANs are integrated into one controller, IT can establish tighter controls and more granular management over user-supplied devices. The network can, for example, easily detect jailbroken devices and prevent them from accessing the network. In addition, the SDN can find and eliminate threats by creating rules to spot suspicious patterns and act programmatically to shut down a link, quarantine a service or isolate a user. And this can be done without having to rely on operators to monitor and interpret the activity.
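The analytics-driven mitigation plan sketched in the two passages above (forward to an IDS, block on a port, isolate a user, notify the SOC), as an added example that is not from the original article: a controller-side routine reads per-flow counters of the kind an OpenFlow controller collects from its switches, flags two suspicious patterns, and turns each finding into an OpenFlow-style flow entry plus a SOC alert. The flow statistics, thresholds, IDS port number and the shape of the rule dictionaries are all constructed for the example.

```python
"""Constructed example: from flow statistics to preprogrammed OpenFlow mitigations.

Two patterns are detected over per-source aggregates of the flow counters:
  * port_sweep   - one source touching many distinct destination ports
  * volume_spike - one source sending far more packets than its peers
Each finding maps to a flow entry the controller would push to the switch and an
alert for the Security Operations Center. Nothing here talks to a real switch.
"""
from collections import defaultdict

IDS_PORT = 3  # switch output port toward the dedicated IDS (constructed)

# Constructed per-flow counters, as a controller might gather via OpenFlow flow-stats.
FLOW_STATS = (
    [{"src": "10.0.5.7", "dst": "10.0.9.10", "dport": p, "packets": 2}
     for p in (21, 22, 23, 25, 80, 110, 143, 443, 445, 3389)]
    + [{"src": "10.0.5.8", "dst": "10.0.9.10", "dport": 443, "packets": 50000},
       {"src": "10.0.5.9", "dst": "10.0.9.11", "dport": 443, "packets": 800}]
)


def analyse(stats, port_fan_out=8, packet_flood=20000):
    """Aggregate flow counters per source and return (pattern, source) findings.

    Thresholds are constructed; a real deployment would baseline them per segment.
    """
    targets = defaultdict(set)   # src -> set of (dst, dport) pairs contacted
    packets = defaultdict(int)   # src -> total packets across all its flows
    for f in stats:
        targets[f["src"]].add((f["dst"], f["dport"]))
        packets[f["src"]] += f["packets"]

    findings = []
    for src in sorted(targets):
        if len(targets[src]) >= port_fan_out:
            findings.append(("port_sweep", src))
        elif packets[src] >= packet_flood:
            findings.append(("volume_spike", src))
    return findings


def mitigation_rules(findings):
    """Translate findings into OpenFlow-style flow entries and SOC alerts.

    In OpenFlow a flow entry with an empty action list drops matching packets,
    which is how the quarantine is expressed; the volume case is steered to the
    IDS for deeper inspection rather than dropped outright.
    """
    rules, alerts = [], []
    for kind, src in findings:
        if kind == "port_sweep":
            rules.append({"match": {"ipv4_src": src}, "actions": [], "priority": 200})
            alerts.append(f"SOC: quarantined {src} (port sweep)")
        elif kind == "volume_spike":
            rules.append({"match": {"ipv4_src": src},
                          "actions": [{"output": IDS_PORT}], "priority": 150})
            alerts.append(f"SOC: redirected {src} to IDS (volume spike)")
    return rules, alerts


def run(stats=FLOW_STATS):
    findings = analyse(stats)
    rules, alerts = mitigation_rules(findings)
    return findings, rules, alerts


if __name__ == "__main__":
    for line in run()[2]:
        print(line)
```

The benign host 10.0.5.9 produces no rule at all, which is the property to watch when tuning: the mitigation plan should fire on the pattern, not on every host that happens to be busy.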
The very concept of automatic alerting and dynamic remediation brings a new form of agility to modern network security, shortening the critical time between detection and response. Centralized control, combined with the automation of software-defined networking, enables adaptive and automated network security that ultimately results in a security-defined routing strategy that can also be made accessible to the applications.
The ability to design the best route for each application, device and dynamic event will change how IT secures networks, applications and devices.
Read more in the white paper, Secure Software-Defined Networks Unlock Digital Information.
Rafat Shaheen is a lead global solutions executive and a member of CSC’s CTO Office. His expertise includes IT transformation, service-oriented architecture, design methodologies, IT virtualization stack, hybrid cloud architecture, DevOps and architecture design patterns. Connect with him on LinkedIn.