We’re still in the very early days of software-defined networking, but apparently not too early to start worrying about the security implications. According to a new report from Infonetics Research, SDN and NFV (network functions virtualization) will bring about a shift in data center security investments.
“Historically, data centers have been protected by big-iron security solutions and complex webs of security appliances and load-balancing infrastructure,” said Jeff Wilson, principal analyst for security at Infonetics. “But as more providers virtualize their data centers and roll out SDNs and NFV, we anticipate a fairly significant revenue transition from hardware appliances to virtual appliances and purpose-built security solutions that interface directly with hypervisors, with SDN controllers via APIs, or orchestration platforms.”
Some of the Infonetics security factoids supporting this thesis include:
- massive interest in SDN- and NFV-compatible security solutions is expected to drive consolidation among established security players, virtualization platform vendors, and specialist vendors;
- $1.35 billion will be spent on purpose-built virtual security appliances from 2014 to 2018;
- the ported virtual security appliances segment of the data center security market grew 10% in 2013 over 2012, to $437 million;
- sales of purpose-built virtual security appliances totaled $150 million in 2013, up 44% from the prior year; and
- SDN and NFV are moving from lab to field trials, according to an earlier Infonetics survey. Of the major service providers that account for 51% of worldwide telecom capex, 29% are currently implementing SDNs, 52% plan to evaluate SDNs by the end of 2014, and nearly every operator plans to deploy SDN (97%) or NFV (93%) in some part of its network at some point.
While many carriers are in the process of moving from SDN/NFV proof-of-concept projects to working with vendors in the development and ‘productization’ of software that will become the basis for commercial deployments, it won’t be until 2015 that we’ll see commercial deployments kick into motion, still most likely on a limited basis, noted Michael Howard, co-founder and principal analyst for carrier networks at Infonetics. SDN forecasts are all over the place, ranging from $3.7 billion by 2016 to as high as $35 billion by 2018, but we’ll certainly see this market take off at some time.
Which brings us back to security. A recent survey from Enterprise Strategy Group found that only 10% of organizations either have no interest or are not familiar enough with SDN to have a position; of the other 90%, 39% are in the planning and evaluation stage, 27% have begun implementations, and the remaining 24% say they’re interested but have no SDN initiatives underway. Security was at the top of the list of concerns (72%), followed by network utilization (64%), network deployment and management (62%), and network operating expense (61%).
Virtualization has been around since the early days of the mainframe and IBM’s VM (Virtual Machine) and MVS (Multiple Virtual Storage) operating systems. However, the focus has been on the compute side, with network and storage only recently being invited to the virtualization party, and they bring their own security challenges, according to Edy Almer, VP of Products, AlgoSec, a provider of security policy management solutions.
SDN’s biggest benefits – network flexibility and management, and service provisioning speed and agility – are also its biggest security weakness, he told IT Trends & Analysis in a recent interview. “If somebody hijacks it or it goes down, you have a single point of control and it is quite dangerous.” While SDN makes things easier for administrators, it makes it easier for the attacker as well, he cautioned.
Cisco, networking’s first citizen, was not so long ago locked in a cybersecurity death spiral and is now back near the top of its game, but its security capabilities and its suspect support of SDN, a major threat to its proprietary technologies, remain areas of concern. “All of the puzzle pieces are in place today or arriving soon,” said ESG’s Jon Oltsik, Senior Principal Analyst, but it still has some work ahead. To continue on the comeback trail, Cisco must: compete at the product and solution layer; play the “open” card; and deliver a real security management portal.
There are a number of approaches to SDN, and Almer said AlgoSec is very happy with Cisco’s application-centric strategy. He said it’s not “classical SDN”, but they’re doing a good job. “However, we’re not clear yet what goes into this approach, and what doesn’t.”
Last month Cisco CEO John Chambers said there’s a big showdown coming in IT pitting no-name hardware with overlaid software against purpose-built architectures that stretch from data centers to the edges of networks. He also said Cisco would win with a combination of its ACI (Application Centric Infrastructure) platform and hardware built from a mix of third-party and Cisco-developed silicon.
“We will be the best implementer of SDN in the world,” he said. “It will not only benefit Cisco. We will lead this industry.”
According to the SDN community, there are two basic security issues:
- the centralized controller is a “potential single point of attack and failure”; and
- the southbound interface — such as OpenFlow — between the controller and data-forwarding devices is “vulnerable to threats that could degrade the availability, performance and integrity of the network.”
“There are so many opportunities for an attacker to make changes to the whole underpinning of your network traffic behavior just by modifying your controller,” said Dave Shackleford, security consultant with Voodoo Security. “We’ve never really had that before. Even traditional network management tools didn’t give you the flexibility to dynamically change the behavior of a network on a node-by-node basis.”
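The second of those two issues, an unprotected southbound channel, is easy to check for on the wire: an OpenFlow message starts with a fixed 8-byte header (version, type, length, transaction id), so a control-channel segment that still decodes as that header rather than as a TLS record is one an on-path attacker could read or rewrite, and a plaintext FLOW_MOD is exactly the "change the whole underpinning of your network traffic behavior" case Shackleford describes. The following audit script is an added example, not code from the article, from Infonetics, ESG, AlgoSec or Cisco; the sample segments, the addresses 192.0.2.x and the message-type table (OpenFlow 1.3 only) are constructed for illustration.

```python
"""Spot plaintext OpenFlow control traffic between a controller and its switches.

Added illustration only; the segments below are constructed by hand to stand in
for TCP payloads captured on the southbound (controller <-> switch) channel.
"""
import struct

# 6653 is the IANA-registered OpenFlow port; 6633 was the de-facto port in early deployments.
OPENFLOW_PORTS = {6633, 6653}

# OpenFlow 1.3 (wire version 0x04) message types.  Assumption: only 1.3 names are
# tabulated; messages of other versions are reported by numeric type.
OF13_TYPE_NAMES = {
    0: "HELLO", 1: "ERROR", 2: "ECHO_REQUEST", 3: "ECHO_REPLY",
    5: "FEATURES_REQUEST", 6: "FEATURES_REPLY", 9: "SET_CONFIG",
    10: "PACKET_IN", 13: "PACKET_OUT", 14: "FLOW_MOD", 15: "GROUP_MOD",
    16: "PORT_MOD", 17: "TABLE_MOD",
}
# Types that change forwarding or switch configuration (the ones worth forging).
OF13_STATE_CHANGING = {9, 13, 14, 15, 16, 17}

# Constructed addresses (RFC 5737 documentation range), not a real deployment.
CONTROLLER = "192.0.2.10"
SWITCH = "192.0.2.20"


def parse_openflow_header(payload: bytes):
    """Decode the 8-byte OpenFlow header; None if this cannot be plaintext OpenFlow."""
    if len(payload) < 8:
        return None
    version, msg_type, length, xid = struct.unpack("!BBHI", payload[:8])
    if not 1 <= version <= 6 or length < 8:  # 0x01..0x06 = OpenFlow 1.0..1.5
        return None
    return {"version": version, "type": msg_type, "length": length, "xid": xid}


def looks_like_tls_record(payload: bytes) -> bool:
    """A TLS record begins with a content type (0x14-0x17) and major version 0x03."""
    return len(payload) >= 3 and payload[0] in (0x14, 0x15, 0x16, 0x17) and payload[1] == 0x03


def audit_segment(segment: dict, controller_ip: str = CONTROLLER) -> str:
    """Classify one TCP segment: dict with src, dst, sport, dport, payload."""
    if segment["sport"] not in OPENFLOW_PORTS and segment["dport"] not in OPENFLOW_PORTS:
        return "ignored: not a control-channel port"
    payload = segment["payload"]
    if looks_like_tls_record(payload):
        return "ok: control channel is TLS-protected"
    hdr = parse_openflow_header(payload)
    if hdr is None:
        return "unknown: neither TLS nor OpenFlow"
    if hdr["version"] == 4:
        name = OF13_TYPE_NAMES.get(hdr["type"], f"type {hdr['type']}")
        if hdr["type"] in OF13_STATE_CHANGING:
            who = "controller" if segment["src"] == controller_ip else f"unexpected source {segment['src']}"
            return f"critical: plaintext {name} from {who} (xid={hdr['xid']:#x}); forgeable on path"
    else:
        name = f"v{hdr['version']} type {hdr['type']}"
    return f"warning: plaintext OpenFlow {name} from {segment['src']}"


# Constructed sample traffic (not captured from any real network).
SAMPLE_SEGMENTS = [
    # 1. OpenFlow 1.3 HELLO in the clear, switch -> controller
    {"src": SWITCH, "dst": CONTROLLER, "sport": 49152, "dport": 6653,
     "payload": struct.pack("!BBHI", 4, 0, 8, 1)},
    # 2. OpenFlow 1.3 FLOW_MOD in the clear from a host that is not the controller
    {"src": "192.0.2.99", "dst": SWITCH, "sport": 6653, "dport": 49152,
     "payload": struct.pack("!BBHI", 4, 14, 56, 0xBEEF) + b"\x00" * 48},
    # 3. TLS handshake record on the control port: channel is protected
    {"src": SWITCH, "dst": CONTROLLER, "sport": 49153, "dport": 6653,
     "payload": bytes([0x16, 0x03, 0x01, 0x00, 0x2A]) + b"\x01" * 42},
    # 4. Unrelated traffic, ignored
    {"src": SWITCH, "dst": CONTROLLER, "sport": 49154, "dport": 443,
     "payload": b"GET / HTTP/1.1\r\n"},
]


def audit_all(segments=SAMPLE_SEGMENTS):
    """Return one finding per segment, in order."""
    return [audit_segment(s) for s in segments]


if __name__ == "__main__":
    for seg, finding in zip(SAMPLE_SEGMENTS, audit_all()):
        print(f"{seg['src']}:{seg['sport']} -> {seg['dst']}:{seg['dport']}  {finding}")
```

The check is deliberately heuristic: it only distinguishes a TLS record from a bare OpenFlow header and does not validate certificates or reassemble the stream. The remediation on the switch side is to point it at an `ssl:` controller target instead of `tcp:` (on Open vSwitch, `ovs-vsctl set-controller br0 ssl:192.0.2.10:6653` together with `ovs-vsctl set-ssl` for the switch key, certificate and controller CA) so that both ends authenticate each other. Note that this addresses only the southbound channel; a compromised controller, the first issue above, still issues perfectly valid, perfectly encrypted FLOW_MODs.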
There’s no doubt that SDN will play an increasingly prominent role in networking. However, while many details, such as standards, remain to be worked out, security could prove the most troublesome.