
Can SDN Close the Security Gap Introduced by Cloud Technologies?

Author: Ron Meyran
Issue: EMEA 2014
Article no.: 15
Topic: Can SDN Close the Security Gap Introduced by Cloud Technologies?
Title: Director, Alliances Marketing
Organisation: Radware
PDF size: 433KB

About author

Ron Meyran, Director of Alliances Marketing
Ron is an industry security specialist leading the product marketing activities of Radware’s security division. His responsibilities include: go-to-market strategy and planning, new product version visioning, analytics and media education, and the support of key project activities for worldwide customers in both the enterprise and carrier markets.
A security and SDN specialist, Ron is also a frequent speaker on the conference circuit and has been invited to lecture as an expert commentator. He also writes about application and network security and the latest ways to protect companies from emerging threats.
Ron holds a B.Sc. degree in Electrical Engineering from Ben-Gurion University and an MBA from Tel Aviv University.

Article abstract

In the virtual application infrastructure the data centre becomes even more vulnerable to network DDoS attacks. Applications run on virtual servers, which in turn run on a shared server infrastructure. An attack on one external application can easily affect the availability of neighbouring internal applications; any attack on one application may put the others at risk because they all rely on the same shared infrastructure. Application DDoS attacks, such as HTTP GET floods, create a high rate of HTTP transactions that look legitimate because they imitate real application usage; however, they are generated by bot machines and not by real users. Virtualization technologies enable the data centre manager to provision additional compute resources, manually or automatically, for the application under attack. The impact of such an application DDoS attack can be devastating: data centre resources are allocated to the application under attack at the expense of other critical applications.

Full Article

Introduction: Securing the virtual application infrastructure
Since the introduction of virtualization infrastructure, security has been a key concern of IT managers. Can the virtualized infrastructure be trusted to keep information strictly secured? When IT managers say ‘secured’ they usually mean two security services: confidentiality (preventing data leaks) and integrity (completeness of information). Both services have been widely discussed and implemented for several years, and there is a broad range of security solutions designed to secure applications in a multi-tenancy environment, such as virtual firewalls, virtual private networks (VPN), NAT, data security, intrusion prevention systems (IPS), web application firewalls (WAF) and more.
The neglected angle: Availability
What has been neglected over the past few years is the third angle of the security triad: availability. Over the past several years application availability has been severely threatened by network attacks – mainly DoS/DDoS attacks.

Figure 1: Information Security Triangle

Network DoS/DDoS has become the most common cyber attack method (source: 2013 Cyber Attacks Trends, Hackmageddon). More than 28% of all cyber attacks in 2013 involved a DoS/DDoS attack, with an average cost of $822,000 in unplanned outages in just one year (source: 2013 Cost of Data Center Outages, Ponemon Institute, Dec. 2013).
Do not confuse this with high availability. A highly available application infrastructure is achieved by adding more [virtual] servers and server capacity to the application, traffic load balancers, bursting and disaster recovery sites. This may help absorb the excess traffic generated by DDoS attacks. However, increasing capacity does not deal with attack detection and protection, nor does it give you visibility into attacks and malicious activities led by financially motivated attackers, hacktivists or script kiddies.
Why is virtual application infrastructure so vulnerable to cyber attacks?
Network DDoS attacks target every layer of the IT infrastructure: the network, the server OS stack and application resources. Attackers are getting more sophisticated by the day, running multi-vulnerability attack campaigns against a victim that target every layer of that infrastructure. Over 50% of DDoS attacks reported in 2013 had five attack vectors or more.
In the virtual application infrastructure the data centre becomes even more vulnerable to network DDoS attacks. Applications run on virtual servers, which in turn run on a shared server infrastructure. An attack on one external application can easily affect the availability of neighbouring internal applications; any attack on one application may put the others at risk because they all rely on the same shared infrastructure. Application DDoS attacks, such as HTTP GET floods, create a high rate of HTTP transactions that look legitimate because they imitate real application usage; however, they are generated by bot machines and not by real users. Virtualization technologies enable the data centre manager to provision additional compute resources, manually or automatically, for the application under attack. The impact of such an application DDoS attack can be devastating: data centre resources are allocated to the application under attack at the expense of other critical applications.
Legacy DDoS attack protection solutions are inadequate for virtualized data centres for several reasons:
1. Lack of multi-tenancy support which is critical for detection of attacks per tenant.
2. The network perimeter disappears: the application infrastructure is distributed over multiple locations and technologies, with no single point of entry to the network.
3. They are designed as physical solutions that protect physical equipment.
The cyber attack on NATO websites, linked to the Crimea tension, resulted in multiple applications being shut down, including the NATO email service. The NATO web site was bombarded by attacker requests, causing it to slow down and work intermittently. The attack also impacted other services that were using the same shared infrastructure.
SDN – Creating application aware networks
SDN decouples the network data plane from the control plane and places network control in a centralised entity above the network elements, the ‘network controller’. This centralised entity can both read and program the network elements; programming means, for example, creating if-then rules in the forwarding tables of the network elements. Network controllers are not application-aware by themselves. However, they can interact with services that hold application information and are designed to make application-aware decisions, thereby gaining application intelligence.

Figure 2: SDN network stack; security applications are depicted as well.

As shown in figure 2, the interaction between the network controller and network services can take place on both the southbound API and the northbound API of the network controller. The southbound controller API interacts with local, application-aware, data-plane elements such as network security devices, DPI devices, L4-L7 load balancers (ADCs), etc. The northbound controller API interacts with SDN applications, which by nature have wider application awareness because they receive inputs from a wider range of application-aware sources.
The SDN controller becomes a central network control point that programs the network with application rules; therefore, the network becomes an application-aware network.
What is the benefit of application-aware networks? They enable the data centre manager to extract more value from their network resources. More value means a lower-cost network in terms of both operating and capital expenses and, at the same time, better service for the network’s customers. Customers in this case are the business applications on the one hand and the clients/users on the other. As long as we can use network resources to increase the level of service availability to customers, the value of the network rises.
How can SDN close the security gap?
SDN represents a shift in mindset: you can use the programmable nature of SDN to transform the network infrastructure from its current state, in which it merely hosts (as a ‘dumb’ pipe) application delivery and security services, into a smarter network that is part of the service itself.
Figure 3 shows an SDN security application that fights the availability threat: an Anti-DoS app. Its general purpose is to detect DDoS attacks and divert suspicious traffic to scrubbing centres, all using native network services. The SDN application deploys counters inside the SDN-enabled elements across the entire network, reads the traffic statistics they collect and builds normal-traffic baseline patterns for the network. The application includes an adaptive decision engine that identifies deviations from the normal patterns; once it does, an alert with the associated anomaly or deviation information is logged.

Figure 3: Anti-DoS Security App

By using the SDN Anti-DoS application, a broad range of DoS and DDoS attacks at different levels can be detected automatically. Once a detection is made, the application changes the flow table rules in the switches in order to divert the suspicious portion of the traffic to the attack mitigation resources, i.e., the scrubbing centre. In the example shown in figure 4, the scrubbing resources include attack mitigation devices. The Anti-DoS app further analyses the traffic that passes through it, blocks the attack flows and injects the legitimate traffic back into the network. At the same time, the mitigation devices communicate with the Anti-DoS application to provide more granular information about any suspicious flow they identify, such as detected attack types, sources of the attack, attack footprint, etc. Figure 4 below shows this diversion process.

Figure 4: Traffic Diversion & Attack Mitigation
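The detection-and-diversion loop described for figures 3 and 4 (poll counters in the SDN-enabled elements, learn a baseline, flag deviations, rewrite flow table rules towards the scrubbing centre, and accept the mitigation device's feedback) is illustrated below in Python. This is an added example written for this article; it is not Radware's product code nor code from the article. It assumes a controller that exposes cumulative per-destination packet counters, an OpenFlow-style flow-mod represented as a plain dict, switch port numbers 1 (servers) and 9 (scrubbing centre), and a simple adaptive rule (mean plus three standard deviations of recent normal samples, with a floor on the spread); the counter snapshots and the mitigation report are constructed for the demo.

```python
from collections import deque
from statistics import mean, pstdev

# Assumed switch port numbers for this illustration (not from the article).
SERVER_PORT = 1   # port facing the protected virtual servers
SCRUB_PORT = 9    # port facing the scrubbing centre


class Baseline:
    """Rolling per-destination baseline of packet rates learned from switch counters."""

    def __init__(self, window=6, k=3.0, min_samples=3):
        self.window, self.k, self.min_samples = window, k, min_samples
        self.history = {}   # dst_ip -> recent *normal* rates

    def check(self, dst, rate):
        """Return (anomalous, threshold); the sample is learned only if it was normal."""
        hist = self.history.setdefault(dst, deque(maxlen=self.window))
        if len(hist) < self.min_samples:       # still learning: never alert
            hist.append(rate)
            return False, None
        mu, sd = mean(hist), pstdev(hist)
        # Floor on the spread so a perfectly flat baseline does not fire on tiny jitter.
        threshold = mu + self.k * max(sd, 0.1 * mu)
        if rate > threshold:
            return True, threshold             # attack samples must not poison the baseline
        hist.append(rate)
        return False, threshold


def rates_from_counters(prev, cur, interval):
    """Cumulative per-destination packet counters -> packets/second over the poll interval."""
    return {dst: (cur[dst] - prev.get(dst, 0)) / interval for dst in cur}


def divert_rule(dst):
    """Flow-mod (OpenFlow-style dict, assumed shape) sending traffic for dst to the scrubber."""
    return {"match": {"eth_type": 0x0800, "ipv4_dst": dst},
            "priority": 100, "actions": [{"output": SCRUB_PORT}]}


def reinject_rule(dst):
    """Cleaned traffic returning from the scrubber goes on to the servers. It must have a
    higher priority than the divert rule, otherwise it would loop back to the scrubber."""
    return {"match": {"in_port": SCRUB_PORT, "eth_type": 0x0800, "ipv4_dst": dst},
            "priority": 200, "actions": [{"output": SERVER_PORT}]}


class AntiDosApp:
    def __init__(self, interval=10):
        self.interval = interval
        self.baseline = Baseline()
        self.prev = {}
        self.diverted = set()
        self.alerts = []
        self.flow_mods = []     # rules the controller would push to the switches

    def poll(self, counters):
        """One collection cycle: read counters, compare with the baseline, program diversion."""
        if self.prev:
            for dst, rate in rates_from_counters(self.prev, counters, self.interval).items():
                anomalous, threshold = self.baseline.check(dst, rate)
                if anomalous and dst not in self.diverted:
                    self.alerts.append({"dst": dst, "rate": rate, "threshold": round(threshold, 1)})
                    # Install the re-injection rule before the divert rule so no packet is
                    # ever sent to the scrubber without a path back into the network.
                    self.flow_mods += [reinject_rule(dst), divert_rule(dst)]
                    self.diverted.add(dst)
        self.prev = dict(counters)
        return list(self.alerts)

    def record_feedback(self, dst, report):
        """Attach the mitigation device's granular report (attack type, sources) to the alert."""
        for alert in self.alerts:
            if alert["dst"] == dst:
                alert["mitigation"] = report
        return self.alerts


def run_demo():
    """Constructed counter snapshots: a steady web app and internal app, then a flood on the web app."""
    snapshots = [
        {"10.0.0.10": 0,     "10.0.0.20": 0},
        {"10.0.0.10": 5000,  "10.0.0.20": 2000},
        {"10.0.0.10": 10200, "10.0.0.20": 4100},
        {"10.0.0.10": 15100, "10.0.0.20": 6000},
        {"10.0.0.10": 20200, "10.0.0.20": 8000},
        {"10.0.0.10": 80200, "10.0.0.20": 10100},   # 6000 pkt/s towards the web app
    ]
    app = AntiDosApp(interval=10)
    for snap in snapshots:
        app.poll(snap)
    # Constructed report of the kind the mitigation device sends back to the app.
    app.record_feedback("10.0.0.10", {"attack_type": "HTTP GET flood (constructed)",
                                      "sources": ["198.51.100.7", "203.0.113.42"]})
    return app


if __name__ == "__main__":
    demo = run_demo()
    for alert in demo.alerts:
        print("ALERT", alert)
    for mod in demo.flow_mods:
        print("FLOW-MOD", mod)
```

Two details matter in practice: anomalous samples are never fed back into the baseline, so a sustained flood cannot slowly become "normal", and the re-injection rule is installed first and at higher priority, because a divert rule on its own would also match the cleaned traffic coming back from the scrubbing centre and send it round again. The internal application (10.0.0.20) keeps its normal traffic profile throughout, so only the web application's traffic is diverted.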

What is in it for me?
SDN is considered an innovative technology that is attracting considerable attention from the industry. However, it will take some time (several years) until we see data centres moving completely to SDN. It is clear that SDN will be deployed first by service providers and later by enterprises. But service providers will not move to SDN all at once; deployment will proceed in steps. Typical deployments will be SDN islands within the legacy data centre infrastructure. An SDN island enables data centre managers to gradually introduce and evaluate SDN solutions while keeping the risk of new technology deployment (stability, reliability, etc.) low.
Deploying SDN in your data centre is not a question of selecting the best networking technology at the best cost. It is about extracting more value from your network, automating processes and simplifying your daily operations. To achieve this you need SDN applications.
Look for the SDN application
There are a handful of vendors offering SDN-enabled switches and network controllers. But introducing applications into the SDN-enabled network is another story entirely. This task falls to application and security vendors. So far what I have seen is that vendors claim to integrate with SDN-enabled networks by providing an API to program or configure their products. This means that a third party has to introduce the SDN application if you want to fully benefit from integrating application-aware services in your SDN-enabled data centre.
It is the responsibility of the vendor to equip their products with a set of low cost and low footprint SDN applications that integrate with the leading SDN vendors. Otherwise the promise of SDN will fail to deliver.
