Software-Defined Network Security

Software-Defined Network Security

Ahmed Demirpolat (Middle East Technical University, Turkey), Doğanalp Ergenç (Middle East Technical University, Turkey), Esref Ozturk (Middle East Technical University, Turkey), Yusuf Ayar (Middle East Technical University, Turkey) and Ertan Onur (Middle East Technical University, Turkey)
DOI: 10.4018/978-1-5225-6023-4.ch011


The future networks are expected to lead a hyper-connected society with the promise of high social and economic value. The goal is to solve today's network problems and provide satisfactory security. Thus, the future networks require a flexible infrastructure that is secure against cyberattacks. Software defined networking (SDN) can be considered as one of the building blocks of upcoming networking technologies. In this chapter, first, the limitations of today's networks are presented. Then, solutions to secure the networks with SDN components are given. This concept is referred to as “SDN for Security.” While SDN facilitates securing networks in general, it introduces additional challenges, mainly, the vulnerabilities of the SDN components such as the controller have to be addressed. Security for SDN aims at securing SDN assets and is discussed in the sequel. After reading this chapter, readers will obtain a comprehensive overview of the limitations of traditional networks, such as how SDN overcomes those limitations and the security issues thereof.
Chapter Preview


Changing business and consumer demands in technology have transformed the perspective of networking. Rather than the former person-to-person or person-to-computer interactions, with the rapidly spreading Internet of Things (IoT) and smart devices, the world has become a complete “anything-to-anything” connected network. From this perspective, connection to anything anytime and anywhere is perceived as the most basic requirement for very near future. All these paradigm changes entail quite significant improvements to adopt requirements of the future networks. For example, the key performance indicators (KPI) of 5G networks directly infer the technological exigence of the near future. These indicators include more than 1 Gbps data rate with ultimately 1ms end-to-end latency. 99% availability and reliability are also expected even in high-device density which supports nearly 10,000 per km2 (Fallgren, Spapis, Qi, Martín- Sacristán, Carrasco, … Fresia, 2016). However, it is not possible for present mobile networks to address the 1000x key performance requirements of 5G because of their limitations.

Today, the networking infrastructures are very complex and hard-to-be-operated as they reflect outdated technological requirements which belong a decade ago. They lack common control functions and interfaces and network operators have to separately configure network devices using vendor-defined commands to apply the high-level management policies (Kim & Feamster, 2013). It obliges the existing mobile networks to be structured with vendor locked-in and the dedicated hardware and software. These components implement such network functions which are not only prone to misconfiguration but also costly and require trained/expert administrators (Goransson, Black & Culver, 2016). Besides, from a security point of view, since network policies are tightly bundled to physical resources instead of services and applications, today’s solutions are strained to deploy, manage, program and scale the security throughout heterogeneous equipment from multiple vendors. To enforce consistent security policies through computing, storage, and network domains and especially across multiple data centers is very difficult. It should be noted that there is no end-to-end solution for security orchestration across data center networks today (Ahmad, Namal, Ylianttila, & Gurtov, 2015). Eventually, all those limitations significantly reduce flexibility and slow down the evolution of the infrastructure for the future networks (McBride, Cohn, Deshpande, Kaushik, Mathews, & Nathan, 2013; Liyanage, Ylianttila, & Gurtov, 2015).

Key Terms in this Chapter

OpenFlow: One of the dominant protocols used in the southbound API of SDN.

Intrusion Detection System (IDS): A network security middle-box that is either signature- or anomaly-based.

Control Plane: The networking logic that is mainly responsible for configuration of the network elements and routing in the network layer.

Security for SDN: A concept that includes security solutions aiming to secure SDN assets.

SDN for Security: A concept comprising of solutions to secure the networks with SDN’s benefits.

Software-Defined Networking (SDN): Software-based networking technique that abstracts lower-level functionality by detaching the control plane from the data plane.

Data Plane: The networking logic that basically determines suitable paths among available routing options provided from the control plane and forwards packets through the decided route.

Complete Chapter List

Search this Book: