OpenFlow & SDN – Looking forward to SDNS: Software Defined Network Security
As facetious as the introductory premise of my Commode Computing presentation is, the main message — the automation of security capabilities up and down the stack — really is something I’m passionate about.
Ultimately, I made the point that “security” needs to be as programmatic/programmable, agile, scalable and flexible as the workloads (and stacks) it is designed to protect. “Security” in this context extends well beyond the network, but the network provides such a convenient way of defining templated containers against which we can construct and enforce policies across a wide variety of deployment and delivery models.
So as I watch OpenFlow (and Software Defined Networking) mature, I’m really, really excited to recognize the potential for a slew of innovative ways we can leverage and extend this approach to networking [monitoring and enforcement] in order to achieve greater visibility, scale, agility, performance, efficacy and reduced costs associated with security. The more programmatic and instrumented the network becomes, the more capable our security options will become also.
I’m busy reading many of the research activities associated with OpenFlow security and digesting where vendors are in terms of their approach to leveraging this technology in terms of security. It may be just my perspective, but it’s a little sparse today — not disappointingly so — with a huge greenfield opportunity for really innovative stuff when paired with advancements we’re seeing in virtualization and cloud computing.
I’ll relate more of my thoughts and discoveries as time goes on. If you’ve got some cool ideas/concepts/products in this area (I don’t care who you work for,) post ‘em here in the comments, please!
In the meantime, check out: www.openflow.org to get your feet wet.
Reminders to self to perform more research on (I think I’m going to do my next presentation series on this):
- AAA for messages between OpenFlow Switch and Controllers
- Flood protection for controllers
- Spoofing/MITM between switch/controllers (specifically SSL/TLS)
- Flow-through (ha!)/support of OpenFlow in virtual switches (see 1000v and Open vSwitch)
- (per above) Integration with VN-Tag (or similar) flow-to-VM (workload) tagging
- Integration of NetFlow data exported from OpenFlow flow tables
- State/flow-table convergence for security decisions with/without cut-through given traffic steering
- Service insertion overlays for security control planes
- Integration with 802.1X (and protocol extensions such as TrustSec)
- Telemetry integration with NAC and vNAC
- Anti-DDoS implications
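Two of the items above, flood protection for controllers and the switch/controller TLS channel, are concrete enough to sketch in code. The block below is an added example written for this post, not code from the post, from openflow.org, or from any vendor: it builds a controller-side TLS context that refuses switches without a client certificate, parses the 8-byte OpenFlow 1.0 message header (version, type, length, xid), and applies a per-switch token bucket to PACKET_IN messages so one chatty or hostile switch cannot monopolise the controller. The rate/burst numbers, datapath IDs, certificate paths and the message bytes are constructed for the example.

```python
"""Added example (not from the post): controller-side checks on the OpenFlow
control channel: mutual TLS plus a per-switch PACKET_IN token bucket."""
import ssl
import struct
from collections import defaultdict

# OpenFlow 1.0 common header: version(1) type(1) length(2) xid(4), network byte order
OFP_HEADER = struct.Struct("!BBHI")
OFP10_VERSION = 0x01
OFPT_PACKET_IN = 10          # OpenFlow 1.0 message type number for PACKET_IN


def controller_tls_context(cafile=None, certfile=None, keyfile=None):
    """Server-side (controller) TLS context that rejects switches presenting no
    client certificate. File paths are the caller's; none are loaded here unless given."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED      # the switch must authenticate too
    if cafile:
        ctx.load_verify_locations(cafile)    # CA that signs switch certificates
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def parse_header(msg: bytes):
    """Return (version, type, length, xid), refusing malformed or mismatched lengths."""
    if len(msg) < OFP_HEADER.size:
        raise ValueError("short OpenFlow header")
    version, mtype, length, xid = OFP_HEADER.unpack_from(msg)
    if version != OFP10_VERSION:
        raise ValueError(f"unsupported OpenFlow version {version:#x}")
    if length < OFP_HEADER.size or length > len(msg):
        raise ValueError("length field does not match buffer")
    return version, mtype, length, xid


class PacketInLimiter:
    """Per-switch token bucket: at most `burst` PACKET_INs at once, refilling at
    `rate` per second. Excess is dropped before it reaches the controller's slow path."""

    def __init__(self, rate=100.0, burst=200):
        self.rate, self.burst = rate, burst
        self.tokens = defaultdict(lambda: float(burst))
        self.last = {}
        self.dropped = defaultdict(int)

    def allow(self, dpid, msg, now):
        _, mtype, _, _ = parse_header(msg)
        if mtype != OFPT_PACKET_IN:
            return True                      # HELLO, ECHO, FEATURES etc. are not throttled
        elapsed = now - self.last.get(dpid, now)
        self.last[dpid] = now
        self.tokens[dpid] = min(self.burst, self.tokens[dpid] + elapsed * self.rate)
        if self.tokens[dpid] >= 1.0:
            self.tokens[dpid] -= 1.0
            return True
        self.dropped[dpid] += 1
        return False


def ofp_message(mtype, xid, body=b""):
    """Build a minimal OpenFlow 1.0 message (constructed test data, empty body)."""
    return OFP_HEADER.pack(OFP10_VERSION, mtype, OFP_HEADER.size + len(body), xid) + body


def simulate_flood(n=500, rate=100.0, burst=200, dpid=0x1):
    """n PACKET_INs from one switch in the same instant: the burst is admitted,
    the remainder is dropped. Returns (allowed, dropped)."""
    lim = PacketInLimiter(rate, burst)
    allowed = sum(lim.allow(dpid, ofp_message(OFPT_PACKET_IN, i), now=0.0) for i in range(n))
    return allowed, lim.dropped[dpid]


if __name__ == "__main__":
    print("flood of 500 PACKET_INs -> allowed, dropped:", simulate_flood())
```

The bucket is keyed by datapath ID, so the limiter only helps once the switch has been authenticated; otherwise an attacker who can reach the control channel simply picks another ID. Note also the flip side for the anti-DDoS item: if an attacker can make a victim's switch generate PACKET_INs (unknown flows that miss the table), throttling that switch is exactly what the attacker wants, so the drop counter belongs in the telemetry the post mentions, not just in the data path.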