Even if you do not experience the extreme cases, such as the 90% variation in traffic volume that Netflix experiences every day, or the one million new users per day growth rate of WhatsApp, virtualization is taking over your data center. Virtual instances of servers, storage, and networks all offer greater scalability, flexibility, and manageability, especially when combined with the scale and elasticity of cloud resources. But what happens to security in a virtual environment? Many aspects of security management are based on network information and behavior. This works well for virtual servers and storage, but how do you defend your enterprise infrastructure in the presence of the constant flux of a virtual, software-defined network?

In short, we need to automate the deployment of security the way we automate the deployment of virtual machines. With software-defined networks and security automation, we can realize the full potential of the virtual data center. Virtual machines can be built, secured according to the appropriate policy, and inserted into the traffic flow at the press of a button. Suspicious traffic can be redirected, and machines that may have been attacked and exploited can be quarantined and replaced with clean ones. I see a three-step process here:
- The first step is discovering all instances of the virtual data center, querying the in-house and cloud-based systems and assigning each instance to the appropriate security policy. As new virtual machines are spawned, they trigger a security event that applies anti-virus and endpoint security, assigns virtual LAN membership, and routes them through the corresponding load balancer, firewall, IPS, and other security controls as needed.
- The next step is monitoring the traffic flows, application behavior, and user activity, as we do today, looking for inconsistencies and variations that indicate a threat. Whether a risk score gets too high, or a known attack signature is detected, the affected machines are quickly flagged and quarantined so that we can learn more about the attacker.
- The final step is securing the software-defined network itself. When the network was defined by the physical placement of cables and ports, attackers mostly ignored it in favor of the richer targets of servers and workstations. However, now we have software-defined networks with centralized controllers. Defending a controller is similar to defending any other administrative server, but with potentially greater consequences. Attacking and compromising a controller could lead to disruption or control of the entire network, so we have to watch it closely and keep duplicate controllers ready to step in.
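As an added illustration of the first two steps (discovery with policy assignment, then monitoring with quarantine and replacement), here is a small security-automation engine. It is example code written for this post, not code from the original post or from any particular SDN controller; the role-based policies, the "known attack" signature, the risk-scoring formula and the inventory and flow records are all constructed sample data, and the action strings stand in for the calls an orchestrator or controller API would actually receive.

```python
"""Added example, not code from the original post: a minimal security-automation
engine for discovery/policy assignment and monitoring/quarantine. All
inventories, policies, signatures and flow records are constructed sample data;
in practice they would come from the hypervisor/cloud inventory API and the SDN
controller's flow statistics."""
from dataclasses import dataclass, field

# Step 1: per-role policies. Each says which VLAN an instance joins and which
# controls its traffic is steered through, in order. (Constructed values.)
POLICIES = {
    "web": {"vlan": 100, "chain": ["load_balancer", "firewall", "ips"]},
    "db": {"vlan": 200, "chain": ["firewall"]},
    "default": {"vlan": 900, "chain": ["firewall", "ips"]},
}
QUARANTINE_VLAN = 999
RISK_THRESHOLD = 70
# Constructed "known attack" signature: many packets to this destination port.
KNOWN_SIGNATURES = {"sample-scan": {"dst_port": 4444, "min_packets": 50}}


@dataclass
class Instance:
    name: str
    source: str  # "in-house" or "cloud"
    role: str
    vlan: int = 0
    controls: list = field(default_factory=list)
    quarantined: bool = False


def discover(in_house, cloud):
    """Step 1: merge (name, role) inventories from both sources."""
    return ([Instance(n, "in-house", r) for n, r in in_house]
            + [Instance(n, "cloud", r) for n, r in cloud])


def on_spawn(inst):
    """Security event for a newly created VM: apply its policy and return the
    ordered actions the orchestrator and SDN controller must carry out."""
    policy = POLICIES.get(inst.role, POLICIES["default"])
    inst.vlan = policy["vlan"]
    inst.controls = list(policy["chain"])
    actions = [f"install_endpoint_agent {inst.name}",
               f"set_vlan {inst.name} {inst.vlan}"]
    actions += [f"steer_flows {inst.name} via {c}" for c in inst.controls]
    return actions


def assess(flows):
    """Step 2: return (risk_score, matched_signatures) for one instance's flow
    records (dicts with dst, dst_port, packets). A crude score: fan-out to many
    destinations and ports raises it."""
    dsts = {f["dst"] for f in flows}
    ports = {f["dst_port"] for f in flows}
    score = min(100, 10 * len(dsts) + 5 * len(ports))
    matched = [name for name, sig in KNOWN_SIGNATURES.items()
               if any(f["dst_port"] == sig["dst_port"]
                      and f["packets"] >= sig["min_packets"] for f in flows)]
    return score, matched


def quarantine_and_replace(inst):
    """Move a suspect instance to the quarantine VLAN, keep it for analysis,
    and spawn a clean replacement under the same policy."""
    inst.quarantined = True
    inst.vlan = QUARANTINE_VLAN
    actions = [f"set_vlan {inst.name} {QUARANTINE_VLAN}", f"snapshot {inst.name}"]
    clean = Instance(f"{inst.name}-replacement", inst.source, inst.role)
    actions += on_spawn(clean)
    return clean, actions


def handle_flows(inst, flows):
    """Monitoring hook: quarantine on a high score or a signature match.
    Returns (replacement_instance, actions); (None, []) when nothing is wrong."""
    score, matched = assess(flows)
    if score >= RISK_THRESHOLD or matched:
        return quarantine_and_replace(inst)
    return None, []


if __name__ == "__main__":
    fleet = discover([("web-01", "web")], [("db-01", "db"), ("batch-01", "etl")])
    for inst in fleet:
        print(on_spawn(inst))
    # Constructed flow records: web-01 suddenly fanning out to port 4444.
    burst = [{"dst": f"10.0.0.{i}", "dst_port": 4444, "packets": 60}
             for i in range(1, 9)]
    print(handle_flows(fleet[0], burst)[1])
```

The point of the design is that a spawn event and a quarantine decision produce the same kind of output: an ordered list of controller actions. That keeps the replacement VM on exactly the same policy path as the one it replaces, and the quarantined copy stays reachable on its own VLAN for analysis rather than being destroyed.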
One significant security advantage of a software-defined network is the centralization of network information. Control plane traffic between the routers, switches, and controllers carries news about the current state of the network, giving the security manager greater awareness of traffic conditions. However, this new control traffic is also a potential weak point, as we have seen with other administrative protocols such as DNS and NTP. While this control plane is typically encrypted with SSL, we still need to monitor it, watching for and responding to forged packets or traffic floods that could cripple the network’s ability to adapt.

Adding software-defined networks to your virtual data center increases your flexibility and adaptability to changing conditions. Like every other new thing, they also enable new threats. As the relationship between applications and data becomes virtually separated from the physical infrastructure, effective security will be dependent on situational awareness and the ability to detect uncharacteristic behavior. Our defenses will need high levels of communication and cooperation between the various security agents and managers, and automated tools that respond to potential threats as fast as, or faster than, the attackers can adapt.
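To show what "watching for forged packets or traffic floods" on the control plane can look like in practice, here is an added example of a control-plane monitor. It is not code from the original post or from any SDN controller project. It assumes a southbound channel such as OpenFlow over TLS; since the example runs offline, a per-device HMAC over each message stands in for the channel's own authentication, and the device keys and the message stream are constructed. The flood check is a simple sliding window per device.

```python
"""Added example, not code from the original post: monitoring SDN control-plane
messages for forged packets and message floods. Device keys and the message
stream are constructed; a real deployment would read messages from the
controller's southbound channel (assumed here to be OpenFlow over TLS) and its
logs. The HMAC check stands in for the channel's own authentication."""
import hashlib
import hmac
from collections import defaultdict, deque

# Constructed per-device shared secrets, assumed provisioned out of band.
DEVICE_KEYS = {"switch-a": b"key-a", "switch-b": b"key-b"}
FLOOD_WINDOW_S = 1.0  # sliding window length in seconds
FLOOD_LIMIT = 5       # more than this many messages per device per window is a flood


def tag(device, ts, payload, key):
    """Authentication tag binding device id, timestamp and payload."""
    msg = f"{device}|{ts:.3f}|{payload}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_message(device, ts, payload, key=None):
    """Build a control message; pass a wrong key to simulate a forgery."""
    if key is None:
        key = DEVICE_KEYS[device]
    return {"device": device, "ts": ts, "payload": payload,
            "tag": tag(device, ts, payload, key)}


class ControlPlaneMonitor:
    def __init__(self):
        self.windows = defaultdict(deque)  # device -> recent timestamps
        self.alerts = []

    def is_authentic(self, m):
        key = DEVICE_KEYS.get(m["device"])
        if key is None:  # unknown device: nothing to verify against
            return False
        expected = tag(m["device"], m["ts"], m["payload"], key)
        return hmac.compare_digest(expected, m["tag"])

    def process(self, m):
        """Check one message; return an alert string or None."""
        if not self.is_authentic(m):
            return self._alert(f"FORGED message from {m['device']} at {m['ts']:.3f}")
        q = self.windows[m["device"]]
        q.append(m["ts"])
        while q and m["ts"] - q[0] > FLOOD_WINDOW_S:
            q.popleft()  # drop timestamps that fell out of the window
        if len(q) > FLOOD_LIMIT:
            return self._alert(
                f"FLOOD from {m['device']}: {len(q)} messages in {FLOOD_WINDOW_S}s")
        return None

    def _alert(self, text):
        self.alerts.append(text)
        return text


def run_stream(messages):
    """Feed a message stream through a fresh monitor; return the alerts raised."""
    mon = ControlPlaneMonitor()
    for m in messages:
        mon.process(m)
    return mon.alerts


def sample_stream():
    """Constructed stream: normal traffic, a forgery, an unknown device, a flood."""
    stream = [make_message("switch-a", 0.1 * i, "port_status") for i in range(3)]
    stream.append(make_message("switch-a", 0.5, "packet_in", key=b"wrong-key"))
    stream.append(make_message("rogue-device", 0.6, "flow_mod", key=b"attacker-key"))
    stream += [make_message("switch-b", 1.0 + 0.1 * i, "packet_in") for i in range(8)]
    return stream


if __name__ == "__main__":
    for alert in run_stream(sample_stream()):
        print(alert)
```

Two details matter for the response side. A forged message is rejected before it touches the rate window, so an attacker cannot use forgeries to push a legitimate switch over the flood limit; and the flood alert fires on the first message that exceeds the limit and on every one after it, which gives the responder a count to act on (rate-limit that device, or fail over to the standby controller) rather than a single bit.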