Syndicated

Although still in a fledgling state, software-defined networks are closer to moving into production in enterprises.

With a central controller able to configure switches across the network, it will bring a lot of power to network administrators. SDN also raises the obvious possibility of increased network security.

Maybe, a number of vendors told Ellen Messmer of NetworkWorld U.S. “In the software-defined data centre, you can put the security controls at the granular level and it’s going to happen with virtual appliances,” said Rishi Bhargava, general manager and vice president for the software-defined datacentre at Intel Security Solutions. But he also said it has yet to be defined what interoperability in security might mean for SDN, particularly in terms of the OpenStack platform for building clouds.

Bhargava was interviewed during VMware’s VMworld conference, where his division announced an upcoming security controller for VMware’s NSX management console. The controller receives commands from NSX to allow virtual intrusion-prevention systems from Intel’s McAfee division to protect virtual machines.

Bhargava told Messmer this new approach eliminates the awkward manual controls that have been used until now. The potential downside of this integration, though, is that if the NSX management console is unavailable for some reason, “policy couldn’t be changed,” he acknowledged.

The Intel controller, which may add support for McAfee’s Next-Generation Firewall, data-loss prevention products and MOVE AntiVirus suite for virtual environments, will be released in the fourth quarter. 


  • Greg Tennant

    SDN in enterprise implementations can significantly improve security versus traditional connection-oriented networks. SDN can establish virtual network instances for each application that eliminate the shared routing resources that are exploited in propagating security breaches. SDN establishes virtual network segments from end to end, rather than the LAN segmentation approach that is implemented with connection-oriented networks. LAN segmentation ends at the WAN connection interface in traditional networks, where application traffic flows are intermingled. The complexity of ACLs and physical devices in traditional networks breeds vulnerabilities that enable lateral breach propagation from the breached segment to the payment or other network segments. This is exactly what happened in the Target breach and the majority of other recent breaches.
    The Universal Policy Controller (UPC) used in SDN provides centralized policy enforcement that reduces the manual device specific configuration of traditional networks. This fosters fewer manual errors and more consistent policy implementations that reduce vulnerabilities.
    There are successful real-world implementations of SDN by global companies such as Shell, Little Caesars and ExxonMobil that have operated on SDN technology for several years. The leading providers of enterprise SDN services are Cybera and Virtella/NTT. Hackers can hack any network given the focus, time and resources, but even if an SDN segment is breached, the breach is contained to the breached segment. Traditional network approaches to segmentation have failed in the real world, as witnessed by the over 600 breaches in 2013 and the continued parade of breaches this year.
    For security reasons alone, SDN makes sense.
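The comment above argues two things: that per-application segments confine a breach to the segment where it started, and that a single central policy produces consistent per-device configuration instead of hand-edited ACLs. The following toy model, added here as an illustration (it is not code from the article, the commenter, or any SDN vendor named on the page), makes both points concrete. The segment names, address ranges, hosts and the one cross-segment allow rule are constructed for the example; a real controller would push equivalent entries to switches over a southbound protocol rather than evaluate them in Python.

```python
"""Toy model of centralized SDN policy with per-application segments.

Added example, not code from the article or the comment. Segment names,
prefixes, hosts and policy entries below are constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Segment:
    name: str
    prefix: IPv4Network  # constructed address space for this segment


@dataclass(frozen=True)
class AllowRule:
    """An explicit, central exception permitting src segment -> dst segment:port."""
    src_segment: str
    dst_segment: str
    dst_port: int


@dataclass
class Controller:
    """One central policy; every switch derives its flow table from it."""
    segments: dict                      # name -> Segment
    allow: set = field(default_factory=set)

    def segment_of(self, ip: str):
        addr = ip_address(ip)
        for seg in self.segments.values():
            if addr in seg.prefix:
                return seg.name
        return None  # host is not in any known segment

    def permits(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        """Default-deny between segments; intra-segment traffic is forwarded.

        A host compromised in one segment therefore cannot reach another
        segment unless the central policy has an explicit allow for it.
        """
        src, dst = self.segment_of(src_ip), self.segment_of(dst_ip)
        if src is None or dst is None:
            return False
        if src == dst:
            return True
        return AllowRule(src, dst, dst_port) in self.allow

    def flow_entries(self, switch_name: str, hosted: list) -> list:
        """Compile the central policy into flow entries for one switch.

        `hosted` lists the segments attached to that switch. Because every
        switch is compiled from the same policy object, there is no
        per-device hand configuration to drift or be mistyped.
        """
        entries = []
        for name in hosted:
            p = str(self.segments[name].prefix)
            entries.append({"switch": switch_name, "src": p, "dst": p,
                            "port": "*", "action": "forward"})
        for rule in sorted(self.allow, key=lambda r: (r.src_segment, r.dst_segment, r.dst_port)):
            if rule.dst_segment in hosted:
                entries.append({"switch": switch_name,
                                "src": str(self.segments[rule.src_segment].prefix),
                                "dst": str(self.segments[rule.dst_segment].prefix),
                                "port": rule.dst_port, "action": "forward"})
        # Lowest-priority catch-all: anything not matched above is dropped.
        entries.append({"switch": switch_name, "src": "*", "dst": "*",
                        "port": "*", "action": "drop"})
        return entries


def build_demo_controller() -> Controller:
    """Constructed three-segment policy: only POS may talk to payment on 443."""
    segments = {
        "vendor-portal": Segment("vendor-portal", ip_network("10.1.0.0/24")),
        "pos":           Segment("pos",           ip_network("10.2.0.0/24")),
        "payment":       Segment("payment",       ip_network("10.3.0.0/24")),
    }
    return Controller(segments, {AllowRule("pos", "payment", 443)})


if __name__ == "__main__":
    c = build_demo_controller()
    # A foothold in the vendor-portal segment is confined to that segment.
    print("vendor -> payment:443", c.permits("10.1.0.7", "10.3.0.9", 443))
    print("pos    -> payment:443", c.permits("10.2.0.5", "10.3.0.9", 443))
    for e in c.flow_entries("switch-payment", ["payment"]):
        print(e)
```

Running the block prints the two policy decisions (the vendor-portal host is denied, the POS host is allowed on 443) and the three flow entries compiled for the switch hosting the payment segment: intra-segment forward, the one explicit allow, and the final drop. The interesting property for a defender is that the drop entry is derived, not typed: every switch ends up with the same default-deny floor because it is compiled from the same policy.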