Can SDN usher in better IT security?
- 30 August, 2014 01:02
That software-defined networking (SDN) is a coming reality is starting to gain traction in IT security circles, with some vendors arguing it could lead to a level of interoperability in security largely missing at present.
"SDN we see an as open network that gets people away from proprietary ways of defining networks," says Kurt Roemer, chief security strategist at Citrix Systems, adding in the future, networks will be defined through more open dynamic "flows" rather than more vendor-dependent, IP-based relationships. Roemer even says he anticipates that the Linux Foundation's OpenDaylight project, which is bringing vendors together to ensure openness in SDN products, could result in more secure networks.
There's the potential to "design security into the workloads and communications" under a framework that would include strong encryption, Roemer says. There's the potential for related security standards from organizations that include the IETF and Trusted Computing Group.
Others are optimistic but say it's too early to know how big an impact SDN will have on IT security.
"Will SDN help in overall security enforcement? Our view is absolutely yes," says Rishi Bhargava, general manager and vice president for the software-defined datacenter at Intel Security Solutions. "In the software-defined data center, you can put the security controls at the granular level and it's going to happen with virtual appliances." But Bhargava says it's yet to be defined what interoperability in security might mean for SDN, in terms of OpenStack. "It's too early."
In terms of virtual-machine security, this week the focus has been on VMware's NSX software-defined networking and security, as VMworld Conference in San Francisco is in full swing. Intel Security Solutions, (which includes the McAfee business acquired by Intel), announced a security controller designed to receive commands from VMware's NSX management console to allow existing McAfee virtual intrusion-prevention systems (IPS) to protect virtual machines in an NSX environment. Intel's Bhargava adds it's optimized if it's all running on Intel Xeon servers.
Bhargava points out this new approach eliminates the more awkward manual controls that have been used. The potential downside to this integration, though, is that if the NSX management console is unavailable for some reason, "policy couldn't be changed," he acknowledges. The Intel/McAfee security controller, now in beta, is expected to ship sometime in the fourth quarter.
Intel Security anticipates extending integration into VMware's NSX beyond just its IPS, adding support to the McAfee Next-Generation Firewall, data-loss prevention products and MOVE AntiVirus suite for virtual environments. Future targets include similar integration with OpenStack.
JK Lialias, director of product marketing responsible for server security, data protection and security management at McAfee, says new software connectors for OpenStack KVM and Microsoft Windows Azure cloud-computing platforms are now available to extend control of McAfee server security to the traditional McAfee management console, ePolicy Orchestrator.