8 security measures for SDN deployments

  • As SDN evolves, attackers look for new ways to exploit vulnerabilities.

  • Proper security measures can help businesses identify and thwart attacks.

  • Security controls -- from encryption to monitoring -- should be implemented early in SDN deployment.

Although much has been said about the ability of Software Defined Networking (SDN) to deliver better security, our current knowledge on SDN vulnerabilities, threats, and attacks is still evolving. The new systems required to carry out SDN functions may themselves become vulnerable to exploits. Malicious adversaries will inevitably attack SDN systems if a successful network compromise is achieved through such attacks.

Attacks and the SDN architecture

The SDN architecture has three planes, any of which can be targeted by attackers. These planes include:

  • The data plane composed of network devices, which determine the forwarding path for network traffic
  • The controller plane, managing the forwarding policies and instructing the network devices how to do their tasks
  • The application plane, which includes the applications requesting services from the underlying controller and data planes

Attackers can target these planes in several ways. They may steer network flows in the data plane in the attackers’ direction to access sensitive information. Adversaries could also exploit the application plane to request network services in an unauthorized fashion. At the controller plane, attackers may attempt to alter the network topology information to wreak havoc on the network.

Reducing threats early

Your organization can reduce these threats by conducting threat modeling to identify all possible threats to SDN deployments at an early design stage. The knowledge of security flaws found in other SDN systems can help in predicting attacks on SDN and developing security controls to protect SDNs.

Below are eight examples of technical security measures that should be implemented by organizations to protect SDNs:

  1. Network segmentation to separate critical SDN network areas from less critical networks
  2. Access control solutions to administer SDNs in a centralized consistent fashion
  3. Use of strong encryption protocols to protect SDN communications
  4. Security hardening of SDN systems to eliminate as many security risks as possible
  5. System integrity checking to ensure SDN systems have not been tampered with
  6. Mechanisms for trust management to guarantee trustworthiness of SDN components
  7. Use of recovery mechanisms to ensure SDN components could be recovered to their known trusted good state
  8. Security monitoring and logging to detect abnormal events

Putting additional security controls in place to protect SDNs can help improve threat prediction and protection. To learn more, visit AT&T network security.


Jennia Hizver Consulting Practice Security Researcher and Consultant AT&T About Jennia