Software-defined networks (SDNs) offer great economies of scale and efficiencies in how telecommunications and enterprise networks operate. Much of the advantages offered by SDNs come from the consolidation of management functions. What takes a tremendous amount of work, including truck rolls to equipment in the field, can be done on SDNs by pushing a few buttons.
However, along with the advantages, consolidation by nature creates security concerns. Network Computing’s Tim Hollingsworth described a presentation on SDNs at the Black Hat USA conference last week in Las Vegas in which Gregory Picket of Hellfire Security explored one potential problem. Picket explained that there is a function in SDNs called Open Network Install Environment (ONIE). This is a basic, white-box switch that is used to “boot and retrieve” robust operating systems that are used to drive the SDN. In the presentation, Picket made the point that ONIE lacks authentication and encryption and therefore is potentially vulnerable.
And this is not the only security issue facing SDNs. Network World’s Jim Duffy reported last week that Cisco has issued a fix to a vulnerability in its SDN controller. This vulnerability could allow access to root commands, which is a big deal:
Access to root commands would enable an attacker to access all commands and files on the controller. With that access, the attacker can then modify the system in any way desired, including granting and revoking access permissions for other users, including root users.
The story provided more details on precisely which devices are vulnerable, though it focuses on certain incorrect access controls in the Application Centric Infrastructure, and links to a Cisco advisory. Though this specific vulnerability has been identified and fixed, the point we all need to realize is that SDNs, like all other parts of the network, are liable to security flaws and must be protected.
Brian Levy, Brocade’s CTO for Europe, the Middle East and Asia, wrote about the heightened dangers stemming from SDN centralization at VanillaPlus:
However, by centralising the control, you also create a significant attack path for malicious activity. If this control plane is compromised then the whole network infrastructure could be at risk. Protecting the control plane of an SDN infrastructure is a major concern for service providers who are looking to deploy this new technology. Centralised control architecture is by definition connected everywhere and needs to be securely isolated from the flows of user traffic in the network. The access control to the management and control plane of the infrastructure also needs to be tightly administered.
Advances in technology, such as SDNs, almost always have a flip side. The chances of hackers taking over a network that is not centrally managed (i.e., one in which control was diffuse) is far lower than it is in a centralized SDN environment. Vendors, along with the carriers and enterprises to whom they sell equipment and networks, must be vigilant.
Carl Weinschenk covers telecom for IT Business Edge. He writes about wireless technology, disaster recovery/business continuity, cellular services, the Internet of Things, machine-to-machine communications and other emerging technologies and platforms. He also covers net neutrality and related regulatory issues. Weinschenk has written about the phone companies, cable operators and related companies for decades and is senior editor of Broadband Technology Report. He can be reached at firstname.lastname@example.org and via twitter at @DailyMusicBrk.