SDN for Network Security: Panacea or Placebo?

(“In Case You Missed It Monday” is my chance to showcase something that I wrote and published in another venue, but is still relevant. This week’s post was co-written with my fellow Head-Geek Thomas LaRock, and originally appeared on TechInvest.)

A lot of people—well, mainly technology vendors—have claimed software-defined networking (SDN) will revolutionise network security as we know it. According to them, SDN will usher in more rigorous, resilient protection for existing networks, bring in transformative benefits for new architectures like those built on 5G…you get the idea. But is SDN naturally more secure than traditional network architectures? And if it isn’t, what sorts of remedies will network admins need to keep their infrastructure in good health?

Works 100% of the Time…50% of the Time

The bitter truth is: SDN makes your networks more secure if and only if you use it right. In other words, the same as any defensive technology. Who would’ve thought?

SDN tends to significantly reduce the risks of security breaches caused by human error. Configuration changes from careless, unplanned actions can often open major vulnerabilities in networks. These don’t happen as often with SDN because it renders such changes less necessary, or completely unnecessary.

SDN also naturally minimises the likelihood of traffic going where it isn’t supposed to.

SDN monitors and routes traffic according to its type, rather than just source or destination, so when implemented correctly, it generally ensures packets will end up at the right place with much less likelihood of leakage or error.

That last sentence, however, holds the kicker: when implemented correctly. If SDN is designed or installed with rules that allow insecure behaviour to happen, the network won’t be secure.
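To make "rules that allow insecure behaviour" concrete, here is an added example (not from the original article or any SDN product) of a design-time check over a simplified, OpenFlow-style flow table: it finds drop rules that can never take effect because a broader, higher-priority allow rule covers them. The rule model, field names, zones and sample table are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class FlowRule:
    name: str
    priority: int   # higher priority wins, as in OpenFlow-style flow tables
    match: dict     # field -> required value; a missing field is a wildcard
    action: str     # "drop" or "forward:<where>"

def matches(rule, packet):
    return all(packet.get(k) == v for k, v in rule.match.items())

def decide(table, packet):
    """Rule the table applies to this packet (highest-priority match), or None."""
    hits = [r for r in table if matches(r, packet)]
    return max(hits, key=lambda r: r.priority, default=None)

def covers(broad, narrow):
    """True if every packet matching `narrow` would also match `broad`."""
    return all(narrow.match.get(k) == v for k, v in broad.match.items())

def shadowed_drops(table):
    """(drop rule, shadowing rule) pairs where the drop can never take effect."""
    return [(d.name, r.name)
            for d in table if d.action == "drop"
            for r in table
            if r.action != "drop" and r.priority > d.priority and covers(r, d)]

# Constructed sample table; zone, field and rule names are hypothetical.
TABLE = [
    FlowRule("allow-app-to-db", 200,
             {"src_zone": "app", "ip_proto": "tcp", "tcp_dst": 5432}, "forward:db"),
    FlowRule("drop-telnet", 100, {"ip_proto": "tcp", "tcp_dst": 23}, "drop"),
    FlowRule("legacy-allow-tcp", 300, {"ip_proto": "tcp"}, "forward:normal"),
    FlowRule("default-drop", 0, {}, "drop"),
]
# Corrected design: the broad allow rule is removed.
FIXED = [r for r in TABLE if r.name != "legacy-allow-tcp"]

TELNET = {"src_zone": "guest", "ip_proto": "tcp", "tcp_dst": 23}  # constructed packet

if __name__ == "__main__":
    for label, table in (("as designed", TABLE), ("corrected", FIXED)):
        print(label, decide(table, TELNET).name, shadowed_drops(table))
```

The check flags only full shadowing; partially overlapping rules need a richer match model than exact-value fields.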

In this sense, the same principles apply to both SDN and traditional hardware-based network defences. You’re only as secure as you design your network, no matter how “naturally” secure your SDN technology seems to be.

Designing Better Prevention, Speeding Up the Cure

SDN brings a lot to the table in terms of network security, but it’ll only reach its full potential if network admins and CIOs take steps to dispel any illusions about it as a cure-all for cyberthreats.

More experienced net admins should do their best to correct any misperceptions amongst their less-seasoned colleagues as well as management who might expect far more from their SDN investments than they ought to.

A lot of this comes down to storytelling: explaining how SDN works in simple terms, actively encouraging questions about the technology, and presenting alternatives like “security by design” to put the focus on critical thinking and training rather than technology.

In a similar vein, CIOs and net admins alike must continually invest in bettering their understanding of SDN—both its technical aspects and best practice techniques. The technology continues to evolve at a rapid pace, requiring IT pros to stay as much on top of the literature as possible to get the most out of its routines and protocols.

Conversely, rapidly-evolving technologies also tend to witness rapidly-emerging threats and vulnerabilities. Staying up to date with SDN means less likelihood of being caught unaware.

The more CIOs can work with their SDN vendors and third-party consultants to update their knowledge base, the better prepared they’ll be for the good, the bad, and the puzzling.

Finally, avoid the hype. Conversations about SDN’s security components increasingly include two other terms: the edge and artificial intelligence (AI). Both may distract less careful net admins from where they should invest their efforts.

Emphasising edge security, for example, may result in less attention going to the central control plane of SDN security, which is far more critical to the organisation’s overall security than its endpoints.

AI, for its part, tends to be just a byword for more sophisticated machine learning algorithms rather than a truly self-adapting, self-evolving system.

And while it may seem like splitting hairs, it’s worth remembering machine learning algorithms are much less complex—and require much more intentional design—than real AI, which holds major implications for any cybersecurity strategy relying on SDN.

Not a Cure-All, Just Better Medicine

When considering SDN as part of the network security immune system, CIOs and net admins can’t afford to let enthusiastic rhetoric drown out their experience. While SDN brings various strengths to the table, it isn’t a cure-all for network vulnerabilities. And in some cases, buzzwords like AI and automation may evoke complacency in those who don’t necessarily understand the underlying tech and its limits.

Net admins should adopt SDN to improve their defensive posture. But as they do so, it’s equally important to manage expectations throughout the rest of the business, emphasise the need to include security at every stage of systems and platform design, and maintain an up-to-date knowledge of SDN by talking with vendors and third-party experts. Using SDN as prescribed, with good guidance from expert practitioners, should maximise its benefits against network pathogens—and minimise the chances of anyone overdosing on the hype.
