Kyle Wickert, worldwide strategic architect at AlgoSec, discusses how SDN changes organizations’ approaches to security policy management
Software-defined networking (SDN) has moved up the enterprise IT agenda in recent years. And it’s easy to see why – in theory, SDNs are far quicker and easier to control and alter than traditional networks. By using open protocols to apply controls from the network edge, SDNs enable network engineers to shape traffic from a single centralized console, rather than working with individual switches across the network.
In turn, this makes software-defined networks far more agile than traditional networks, with opportunities for automatic load balancing, streamlined processes, and on-demand provisioning of new applications and traffic flows, resulting in a network that works much harder for the organization. So it’s no surprise that organizations are embracing SDN: a 2019 Verizon study found that 57% of respondents said they wanted to implement SDN within two years.
However, deploying SDNs can introduce new challenges, particularly related to complexity in managing network security. Let’s take a closer look at what this means.
A shift in complexity
Any organization that moves to a software-defined environment essentially moves from datacenter-focused firewalls into a model where its security policies are defined by software within its fabric. This requires a far more granular level of security policies, on a much larger scale and with far more agility, than in traditional networks. Why? Because security controls are much more diverse.
In a traditional setup, network security policy is relatively monolithic. A set of servers is protected by a perimeter firewall, filtering so-called north-south traffic that enters the network from the outside. Traditionally, east-west traffic within the datacenter itself is not subject to any filtering. This introduces security risks since malicious parties can laterally explore the environment once they have compromised a single endpoint.
By contrast, in an SDN environment, built-in firewalls are considered part of the infrastructure. It is likely that the organization will have multiple tenants, each containing a unique set of granular security policies dictating which assets can connect to which other assets within the SDN fabric. An SDN environment is likely, for example, to incorporate one contract with Cisco Application Centric Architecture (ACI), VMware NSX distributed firewalls and so on. There is a lot of complexity to manage.
Ultimately, organizations need to identify which elements within the newly software-defined network need to connect to each other, and then create granular security policies that enforce this, introducing micro-segmentation to prevent lateral infiltration by malicious parties.
There are two main security challenges associated with micro-segmentation: defining the micro-segmented zones and enforcing and maintaining the security policies that enable that micro-segmentation.
Defining micro-segmentation zones is all about understanding the assets within your environment, which databases contain the most sensitive data and therefore need to be segmented off from each other, which assets are talking to each other, and how traffic is flowing throughout the network. Crucially, all this should be contextualized in terms of business applications – in other words, you need to understand the traffic that makes business applications work. This enables you to design a micro-segmentation architecture – and the security roles to enable it – that are centered around your business-critical services. Solutions that automatically discover and map all of the traffic flows within and through a datacenter are invaluable at this point.
Then we move on to enforcement and maintenance of those rules on an ongoing basis, and this is where a security policy management solution is truly critical. All this complexity and dynamism cannot be managed manually. Each time a new business application is introduced, or an existing one removed or amended, the security policies also need to change. In a large organization, these changes could be happening on an hourly basis.
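The two steps above, sketched as an added example that is not from the article or from any AlgoSec product: observed east-west flows are mapped to application/tier zones, an allow-list is derived from them, and later flows are checked against it with default deny. The asset inventory, flow records and the choice to send cross-application flows to review are all assumptions made for illustration.

```python
# Constructed inventory: asset IP -> (business application, tier). Hypothetical names.
ASSETS = {
    "10.1.0.10": ("payroll", "web"),
    "10.1.0.20": ("payroll", "app"),
    "10.1.0.30": ("payroll", "db"),
    "10.2.0.10": ("crm", "web"),
    "10.2.0.30": ("crm", "db"),
}

# Constructed east-west flows seen during discovery: (src, dst, proto, dst_port).
OBSERVED = [
    ("10.1.0.10", "10.1.0.20", "tcp", 8443),
    ("10.1.0.20", "10.1.0.30", "tcp", 5432),
    ("10.1.0.10", "10.1.0.20", "tcp", 8443),  # repeat of the first flow
    ("10.2.0.10", "10.2.0.30", "tcp", 3306),
    ("10.2.0.10", "10.1.0.30", "tcp", 5432),  # crm web reaching the payroll db
]


def zone(ip):
    """A micro-segmentation zone is an (application, tier) pair; None if unmapped."""
    return ASSETS.get(ip)


def derive_policy(flows):
    """Build a zone-level allow-list from observed flows.

    Flows inside one business application become rules. Flows that cross
    applications or touch an unmapped asset are not allowed automatically;
    they are returned for a human decision (assumption of this example).
    """
    allow, review = set(), []
    for src, dst, proto, port in flows:
        s, d = zone(src), zone(dst)
        if s is None or d is None or s[0] != d[0]:
            review.append((src, dst, proto, port))
        else:
            allow.add((s, d, proto, port))
    return allow, review


def evaluate(allow, flow):
    """Default deny: a flow passes only if its zone pair, protocol and port are listed."""
    src, dst, proto, port = flow
    return "allow" if (zone(src), zone(dst), proto, port) in allow else "deny"


if __name__ == "__main__":
    rules, pending = derive_policy(OBSERVED)
    print(len(rules), "rules;", len(pending), "flow(s) for review")
    # A payroll web server going straight to the payroll db was never observed.
    print(evaluate(rules, ("10.1.0.10", "10.1.0.30", "tcp", 5432)))
```

Because rules are keyed on zones rather than addresses, adding a second payroll app server only requires a new inventory entry, not a new rule.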
Automating the management process
Given the flexibility and rapid changes that SDN enables, the most effective way for organizations to approach managing and maintaining security policies across their network is with an automation solution that holistically supports the SDN environment and its security controls, such as the AlgoSec Security Management Solution.
SDN deployment is subject to the same compliance and auditing requirements as existing networks. Compliance management can be time-consuming and hard to follow in a complex network environment, but the AlgoSec platform takes away the manual labour, providing a fully automated audit trail. Our automated solution also documents every change that is made across the network, making it easier to demonstrate compliance.
The AlgoSec Security Management Solution allows security teams to eliminate time-consuming, error-prone manual security processes, such as connectivity mapping, migrating, and ongoing maintenance of their environments. Our smart and easy network mapping tool takes away the hardship of getting automation up and running. This frees up teams to strategically maximise the benefits of the SDN deployment and reap its rewards of increased flexibility and enhanced network security.
Get in touch for more information on how AlgoSec can help make software-defined networking a reality.