SDN and NFV: Blessing or a Curse for DDoS Security?

After much discussion, traditional networks are finally beginning to transition to virtualized network functions and controllers. Telecoms and hosting companies are deploying Software Defined Networks (SDN) and Network Functions Virtualization (NFV) technologies as they strive for higher performance networks with increased speed and scalability. Based on its growth during 2015, financial analysts recently predicted that the global SDN market will grow by 34% each year to be worth almost seven billion USD by 2021. This will change the way networks are built, designed and managed, and enable a more unified approach to optimizing data traffic, with a shift towards more centralized controls and services.

SDN & NFV Weaknesses

When it comes to security in an SDN network, services and policies are distributed and managed from a single point, through a centralized SDN controller. This can be a curse as well as a blessing, because if the SDN controller is compromised, an attacker can quickly gain control of the entire network.

In terms of DDoS attacks, this means that the SDN controller itself can become a weak point for attackers to exploit. The huge spine bandwidth available in an SDN network is of no help if the controller can be compromised. Even a relatively small (but well-crafted) 10GB DDoS attack could take an entire data center offline by flooding the control plane with junk events and an enormous number of concurrent sessions. So, perhaps even more than in traditional networks, a single and relatively small DDoS attack can cause enormous collateral damage in an SDN network.

Protect Against DDoS

To create a strong and secure environment using SDN and NFV, in-line, automatic DDoS protection hardware must be deployed at the data center edge. This is the only way to gain full visibility into a virtual network and to react to incidents in real time. By federating APIs between the SDN controller and the DDoS defense, the risk of the controller being compromised can be managed, and DDoS attacks can be mitigated as they occur. In the event of a super-saturation event, the DDoS defenses can rapidly signal DDoS resources in the cloud to contain the attack.
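As an added illustration (not code from the original article), the following script shows the two ideas above on the defensive side: detecting a control-plane flood from the rate and source spread of controller packet-in events, and escalating to a "signal cloud scrubbing" decision once a super-saturation threshold is crossed. It assumes the controller exports one record per packet-in/flow-setup request as (timestamp, switch id, source IP); the thresholds and the sample events are constructed placeholders.

```python
"""Rate-based SDN control-plane saturation detector (added example).

Assumption (not from the article): the controller exports each packet-in /
flow-setup request as (timestamp_s, switch_id, src_ip). Thresholds are
illustrative placeholders that a real deployment would tune.
"""
from collections import defaultdict

WARN_RATE = 200        # packet-ins per second: start local mitigation
SATURATE_RATE = 1000   # packet-ins per second: signal cloud DDoS resources


def bucket_by_second(events):
    """Group events into 1-second buckets: {second: [src_ip, ...]}."""
    buckets = defaultdict(list)
    for ts, _switch, src in events:
        buckets[int(ts)].append(src)
    return buckets


def classify(rate, distinct_sources):
    """Map a per-second packet-in rate to a defensive action."""
    if rate >= SATURATE_RATE:
        return "signal_cloud"          # super-saturation: hand off to cloud scrubbing
    if rate >= WARN_RATE:
        # Many distinct sources at high rate looks like a spoofed session flood,
        # so rate-limit locally; a single noisy source can simply be blocked.
        return "rate_limit_local" if distinct_sources > 50 else "block_source"
    return "normal"


def analyze(events):
    """Return [(second, rate, distinct_sources, action)] sorted by time."""
    out = []
    for sec, srcs in sorted(bucket_by_second(events).items()):
        rate, distinct = len(srcs), len(set(srcs))
        out.append((sec, rate, distinct, classify(rate, distinct)))
    return out


def build_sample():
    """Constructed sample: 1 s baseline, 1 s single-source burst, 1 s spoofed flood."""
    ev = [(0.0 + i / 50, "sw1", f"10.0.0.{i % 5}") for i in range(50)]              # 50/s
    ev += [(1.0 + i / 300, "sw1", "203.0.113.9") for i in range(300)]                 # 300/s, 1 source
    ev += [(2.0 + i / 1200, "sw2", f"198.51.100.{i % 200}") for i in range(1200)]    # 1200/s, 200 sources
    return ev


if __name__ == "__main__":
    for sec, rate, distinct, action in analyze(build_sample()):
        print(f"t={sec}s rate={rate}/s sources={distinct} -> {action}")
```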

Final Thoughts

Overall, SDN and NFV offer huge advantages by delivering the critical network functions that organizations need without specialized physical appliances. This allows organizations to reduce cost and complexity while enjoying improved scalability and faster deployments. Despite these advantages, such networks are also inherently vulnerable to DDoS attacks. Anyone deploying an SDN or NFV network must carefully consider their security solutions in order to protect their virtualized networks and data.
