SDN Security Benefits

Time
9 hours 59 minutes
Difficulty
Intermediate
CEU/CPE
10
Video Transcription
00:01
>> In this video, we'll focus on
00:01
the security benefits of software defined networks.
00:01
We've talked about how SDNs work,
00:01
but we didn't spend much time talking
00:01
about their security benefits.
00:01
For starters, isolation in
00:01
an SDN is a whole heck of a lot easier.
00:01
This means isolating between and within tenants.
00:01
You can apply strategies like micro-segmentation.
00:01
Or you can create two completely different networks
00:01
that use the same IP address.
00:01
By doing this, you establish IP overlapping,
00:01
and this completely prevents routing of
00:01
network traffic between resources on these two networks.
00:01
If you take this hard-line strategy,
00:01
just make sure there's not going to be
00:01
a future need to integrate
00:01
the resources running on those two isolated networks.
00:01
When discussing virtual appliances,
00:01
I alluded to many of the Next-Generation Firewalls.
00:01
However, few of these solutions work
00:01
natively with software defined networks.
00:01
But the good news is large Cloud providers
00:01
have these capabilities.
00:01
For example, AWS has security groups and network ACLs.
00:01
Azure has concepts of
00:01
network security groups and application security groups.
00:01
Google Cloud includes firewall rules.
00:01
These paradigms allow you to define
00:01
certain policies with respect to
00:01
the incoming and outgoing traffic
00:01
for these specific Cloud resources.
00:01
These policies are defined regardless of
00:01
location and are tied to the logical resources,
00:01
which is a good thing because they're not
00:01
bound to specific IP addresses.
00:01
In the dynamic nature of the Cloud where
00:01
things are coming and going, you're creating machines,
00:01
destroying machines on a very rapid basis,
00:01
it makes it much more manageable and maintainable.
00:01
Since these concepts are so
00:01
integrated with Cloud providers,
00:01
they work well with the orchestration APIs to
00:01
allow your granular and
00:01
dynamic management of the policies.
00:01
Keep in mind the policies themselves are
00:01
not managed within the Cloud resource.
00:01
Rather, they're logically bound to
00:01
the Cloud resource. I'll give you an example.
00:01
In a traditional sense,
00:01
you have a virtual machine and you would define
00:01
a firewall on that virtual machine.
00:01
In the Cloud paradigm,
00:01
you don't define the firewall rules
00:01
on the virtual machine.
00:01
If the virtual machine were for
00:01
some reason to be compromised,
00:01
the attacker could disable
00:01
the firewall that you've created on the virtual machine.
00:01
But when we're talking SDN native firewalls,
00:01
where you're defining these policies,
00:01
the policies are enforced at
00:01
the SDN layer completely outside of the virtual machine.
00:01
If you define some very tight rules
00:01
around outbound traffic,
00:01
ensuring that egress only goes to
00:01
specific other resources and specific URLs,
00:01
and the attacker would have somehow
00:01
compromised this machine.
00:01
Then they wanted to exfiltrate a bunch of information.
00:01
Those rules themselves, they
00:01
are managed outside the machine,
00:01
so they would continue to be enforced.
00:01
The attacker would have a lot of
00:01
problems trying to get the data
00:01
off the machine to their own
00:01
sites in their own locations.
00:01
Because the egress rules have restricted such traffic.
00:01
Decentralized control and design.
00:01
The DevOps movement places a lot
00:01
of emphasis on team autonomy,
00:01
giving smart people a clear mission and
00:01
enabling them to move forward with certain guardrails.
00:01
By decentralizing the control
00:01
of these various firewall rules,
00:01
you're preventing an organizational scenario
00:01
where you have a bottleneck and
00:01
a single firewall team that needs to review and
00:01
implement each and every change to a firewall.
00:01
SDN networks are typically
00:01
denied by default for everything.
00:01
If you don't establish a rule or policy that
00:01
explicitly allows traffic between two Cloud resources,
00:01
then the SDN is going to drop the packets.
00:01
For example, every network security group
00:01
in Azure comes with the default deny rule.
00:01
It's the lowest priority rule,
00:01
so you can override it,
00:01
but you have to make an express action to create
00:01
an allow rule that is at
00:01
a higher priority than the default deny rule.
00:01
It's very important you take a good look at
00:01
the firewall capabilities of
00:01
your own Cloud provider because they're
00:01
going to be highly integrated
00:01
with their own software defined
00:01
network and provide you with a lot of these advantages.
00:01
All of this isn't to say SDNs are 100 percent secure,
00:01
but they are immune from a lot
00:01
of the traditional network attacks.
00:01
As you recall, the way the packets and
00:01
data frames travel with an SDN,
00:01
they go straight from the source to the destination.
00:01
But techniques like packet sniffing, they don't work.
00:01
Other attacks like ARP spoofing.
00:01
This is when you tell the machine on
00:01
the network that traffic should go to a device,
00:01
that it probably shouldn't,
00:01
also aren't applicable because the SDN
00:01
manages the traffic between
00:01
the Cloud resources so tightly.
00:01
We took a deep dive into
00:01
the security benefits of software defined networks,
00:01
covered isolation being easier,
00:01
reviewed various benefits of SDN native firewalls,
00:01
and covered some of the many traditional attacks
00:01
that an SDN is immune from.