Security considerations for SDN/NFV


Software Defined Network (SDN) and Network Function Virtualization (NFV) have been creating paradigm shifts across major service providers.

In recent years, while these are considered disruptive to major network infrastructures operating on the status quo, SDN and NFV nonetheless bring network resiliency, scalability, manageability, and, most importantly, lower long-term operational expenditures when implemented properly.

They create opportunities for innovation that engage key players from networks, security, and software to develop new controllers, APIs, networks, and technologies. However, new innovations come with associated risks and security issues.

In 2012, it was widely speculated that Google implemented SDN and OpenFlow into their networks, and created their own OpenFlow-enabled switches due to the limited vendors supporting this protocol. This speculation has since gained wide interest across many industries.

To understand SDN, look at the OSI model, where one finds similar concepts of abstraction and separation, and tiering and layering. In SDN, the control and data planes are separated, centralizing the control and programmability of the network. The OpenFlow protocol is a foundational element for building SDN solutions.

On the other hand, NFV, which was formalized in 2012, relocates network functions from dedicated hardware appliances to generic servers. It was initially intended for routers, firewalls, and gateways, but can be expanded to include load balancers and other intermediary devices. Unlike SDN, it does not have a specific protocol. Both SDN and NFV open up innovation by third parties and reduce capital and operational expenditures.

The following are the security considerations one should address when planning to adopt SDN/NFV-based networks.

  • Adversarial traffic flows – traffic passing through network devices, interfaces, and hosts
  • Attacks on vulnerabilities in network devices – unpatched or outdated versions
  • Attacks on vulnerabilities in orchestrators and administrative servers – insecure servers, lack of security on admin profiles
  • Attacks on control plane communications – single points of failure, unreliable controllers, and insecure connections

New risks associated with SDN/NFV implementations have also been identified, and are as follows:

  • Attacks on SDN controllers – unreliable software app/SDN controller
  • Attacks on southbound interfaces – exposed interfaces
  • Insecure OpenFlow traffic – unencrypted/insecure traffic
  • Unreliable North/East-West APIs – unreliable software installed across the same broadcast domain
  • Vulnerable programming models – inadequate security involvement in the Software Development Lifecycle
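As an added example (not from the original article), the sketch below audits a switch's OpenFlow connection targets for two of the listed risks: unencrypted OpenFlow traffic and exposed southbound listeners. It assumes the Open vSwitch connection-string syntax (`tcp:`, `ssl:`, `ptcp:`, `pssl:`, `unix:`, `punix:`); the function names and the sample targets are constructed for illustration.

```python
# Added example: flag plaintext or widely exposed OpenFlow channels.
# Assumption: targets use Open vSwitch connection-string syntax.
from dataclasses import dataclass


@dataclass
class Finding:
    target: str
    issue: str


def audit_target(target: str) -> list[Finding]:
    """Return findings for one connection string such as 'tcp:192.0.2.10:6653'."""
    target = target.strip()
    scheme, _, rest = target.partition(":")
    if scheme in ("unix", "punix"):
        return []  # local socket, never crosses the network
    if scheme not in ("tcp", "ssl", "ptcp", "pssl"):
        return [Finding(target, "unrecognised connection method")]
    findings = []
    if scheme in ("tcp", "ptcp"):
        findings.append(Finding(target, "OpenFlow channel is not encrypted"))
    if scheme.startswith("p"):
        # Passive form is [port][:host]; with no host the listener
        # accepts connections on every address of the switch.
        _, _, host = rest.partition(":")
        if not host:
            findings.append(Finding(target, "listener bound to all addresses"))
    return findings


def audit(targets: list[str]) -> list[Finding]:
    """Audit every target and return the combined findings."""
    return [f for t in targets for f in audit_target(t)]


# Constructed sample input (documentation addresses, hypothetical socket path).
SAMPLE_TARGETS = [
    "tcp:192.0.2.10:6653",    # active, plaintext
    "ssl:192.0.2.10:6653",    # active, TLS
    "ptcp:6654",              # passive, plaintext, all addresses
    "pssl:6654:192.0.2.20",   # passive, TLS, bound to one address
    "unix:/var/run/openvswitch/br0.mgmt",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_TARGETS):
        print(f"{finding.target}: {finding.issue}")
```

On a real switch the target list would come from the switch's own configuration, for example the output of `ovs-vsctl get-controller <bridge>`.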
