Stratos Ally

Software Defined Networking (SDN): Understanding the Fundamentals


StratosAlly

Software Defined Networking: A New Era of Networking

By the end of the first decade of the 21st century, Cisco Systems held 86% of the Ethernet switch and router market thanks to its Internetworking Operating System (IOS) for switches and routers. At this point, many universities began to explore the idea of an open-source switch and router operating system. This experimentation was the seed from which Software Defined Networking (SDN) grew.

In traditional networking technology, all the components like switches, routers and firewalls have the data plane and control plane on the device itself. Software Defined Networking separates the control plane from the data plane. Therefore, to better understand the concept of SDN, we must first know what data and control planes are. 

Data, control and management planes 

  • Data Plane – What function is performed.

It is also called the infrastructure layer. 

It is concerned with getting a data frame or packet from an ingress (incoming) interface to an egress (outgoing) interface. 

Examples of functions in the data plane are forwarding traffic, trunking, encrypting, NAT, and transfer of information from one interface to another. So, it consists of all the physical ports and interfaces. 

  • Control Plane – Controls how the function is performed.

It is also called the control layer. 

Networking devices also need to reference other data to determine how to perform a function in the data plane. This referenced data is part of the control plane. 

Examples of control plane data include the CAM table (in switches), the routing table, the NAT table, the session table, and Access Control Lists in the case of a firewall.

  • Management Plane – Monitors the devices.

It is also called the Application Layer.

A network administrator needs to manage the device. When the admin uses a web-based front end or an SSH console to monitor the devices, they are using the management plane.

Examples – Telnet, SSH, SNMP, RMON 

Now that the difference between data and the control plane is understood, we can see how these two are separated from each other by going through the architecture of SDN. 

SDN Architecture 

Here, we don’t get rid of the complexity of network devices at the hardware level. Instead, developers and network engineers help us develop APIs so that software on demand can make changes to routers, switches and firewalls based on our needs. 

The working and control of any network component in SDN is divided into three layers:

Application Layer: This consists of all the business applications. We can send commands to the SDN controller and monitor network devices from here. The APIs used here are called northbound APIs. A RESTful API is an example.

Control Layer: It consists of the SDN controller. The Network Operating System is installed in the SDN controller. It interacts with the operating system installed on all the network devices. When we say that the control plane is separated from the data plane, we mean that we have this separate SDN controller, which was not available in traditional networking. Earlier, the OS was available only on network devices, so when the network administrator wanted to make changes on multiple devices, they had to do so individually. The SDN controller is used to push configuration changes to all the network devices simultaneously. It does so by using southbound APIs like OpenFlow.

We can add extra SDN controllers for redundancy to avoid a single point of failure. These controllers communicate with each other using east-west APIs. 

Forwarding Layer: This consists of networking devices like switches, routers and firewalls (Data Plane). Packet forwarding takes place here. 

SDN uses APIs, whereas traditional networking uses a Command Line Interface (CLI) to configure devices. 

Advantages of SDN 

1. Centralized Control: Simultaneous control of multiple network devices is possible here.  

2. Intent-Based Networking: In traditional networking, we depended on routing tables, CAM tables or similar tables for the flow of data. But now, we can determine the flow of data and packets from the controller itself. Due to this, business intent is translated to networking with ease. 

3. High-speed router and switch configuration change: In traditional networking, the administrator had to push the changes to each device individually if any configuration changes were required in network devices. This process took time. The SDN controller, with its global network view, can make automated, real-time adjustments using APIs, enabling faster and more efficient configuration. 

4. Open-source switch and router operating systems and white box hardware are also available (along with proprietary solutions).

5. Automation: Changes in the location of services may prompt a change in the network. However, we can set policies and configurations on the SDN controller such that our remote routers and switches know exactly how to reach that service. 

6. Visibility: End-to-end visibility is available for configuring, managing and monitoring our devices. 

Role of SDN in Enhancing SOAR (Security Orchestration, Automation and Response)

SDN can significantly enhance the capability of Security Orchestration, Automation, and Response and help shape a dynamic, responsive security infrastructure. Here is how SDN improves SOAR:

Programmable Network Control: SDN's programmable nature enables SOAR platforms to alter network resource configurations rapidly. Upon detection of a threat, the SOAR system can use SDN to instantly change the configuration of the network to isolate the compromised segments or redirect suspicious traffic for analysis.

Improved Network Visibility: The centralized control plane in SDN architectures provides a comprehensive view of the network. In turn, SOAR platforms can take this better visibility to their advantage to acquire more accurate and timely information about network states, traffic patterns, and possible security-related incidents. 

Simplified Integration of Security Tools: Integration of security tools within the ecosystem of SOAR is quite easy, since SDN allows the network infrastructure to be abstracted from applications. It further allows the deployment of security functions as virtual network functions and makes scaling and management of security services easier to implement. 

Accelerated Incident Response: SDN further enhances the speed and efficiency of incident response orchestrated through SOAR platforms. With control of network flows, SDN can quickly redirect traffic for forensic analysis, isolate the affected systems, or apply security patches throughout the network.

Sandboxing and Testing: SDN has made network virtualization possible, giving SOAR platforms the ability to create isolated environments for testing and validating security responses before production deployment. This reduces false positives and gives assurance that automated responses do not disrupt critical operations.

Better Threat Intelligence Sharing: SDN offers great agility in sharing threat indicators throughout the network. The SOAR platforms can therefore better orchestrate incident response across different organizations or network domains, enhancing collaborative defense mechanisms. 

Dynamic Resource Allocation: SDN allows SOAR to dynamically allocate network resources based on security needs. In the case of an attack, SOAR may instantly use SDN to expand bandwidth to security tools or to redirect resources for mitigation efforts.

Better Security Policies: The programmability of SDN enables far more advanced and granular security policies. SOAR platforms can use it to deploy context-sensitive security that adapts network behavior to the user's identity, device type, or application requirements.

Automated Policy Enforcement: With SDN integration, SOAR can automatically enforce security policies across the network. This maintains consistency in the implementation of security and removes errors associated with human-orchestrated policy enforcement. 

Better Logging and Forensics: Centralized control in SDN allows much better logging in the network. In-depth logging by SDN can be utilized by SOAR for enhanced forensic analysis. It helps to reconstruct the events during and even after a security incident. 

Enhanced Compliance Management: Compliance management is enhanced by the integration of SOAR into SDN. This is because SOAR can orchestrate compliance policies to automatically enforce proper isolation and protection of sensitive data via the network segmentation and access controls afforded by SDN. 
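The split between the control layer and the forwarding layer, and the isolate-and-redirect response described under Programmable Network Control and Accelerated Incident Response, can be seen in a small simulation. This is an added example, not code from the original article or from any SDN product: it is a toy match-action model rather than the OpenFlow protocol, and the names FlowRule, Switch, Controller and quarantine, the addresses, the port number and the incident tag are all hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class FlowRule:
    priority: int
    match: dict       # header field -> required value; {} matches every packet
    action: str       # "forward", "drop" or "redirect:<port>"
    cookie: str = ""  # tag that lets a playbook remove only its own rules

@dataclass
class Switch:         # data plane: holds a flow table, makes no decisions itself
    name: str
    table: list = field(default_factory=list)

    def install(self, rule):
        self.table.append(rule)
        self.table.sort(key=lambda r: -r.priority)  # highest priority first

    def process(self, packet):
        for rule in self.table:  # first matching rule wins
            if all(packet.get(k) == v for k, v in rule.match.items()):
                return rule.action
        return "drop"            # table miss: fail closed

class Controller:     # control plane: one place that programs every switch
    def __init__(self, switches):
        self.switches, self.audit_log = switches, []

    def push(self, rule, reason):
        for sw in self.switches:
            sw.install(rule)
        self.audit_log.append((reason, rule.cookie, rule.match, rule.action))

    def quarantine(self, ip, analysis_port, incident):
        # Host's outbound traffic goes to an analysis port; inbound traffic is dropped.
        self.push(FlowRule(1000, {"src_ip": ip}, f"redirect:{analysis_port}", incident), "quarantine")
        self.push(FlowRule(1000, {"dst_ip": ip}, "drop", incident), "quarantine")

    def release(self, incident):
        for sw in self.switches:
            sw.table = [r for r in sw.table if r.cookie != incident]
        self.audit_log.append(("release", incident, {}, ""))

def demo():  # constructed topology, addresses and incident tag
    ctl = Controller([Switch("edge-1"), Switch("edge-2"), Switch("core-1")])
    ctl.push(FlowRule(10, {}, "forward", "baseline"), "baseline")
    ctl.quarantine("10.0.5.23", analysis_port=99, incident="INC-EXAMPLE")
    pkt = {"src_ip": "10.0.5.23", "dst_ip": "10.0.5.40"}
    return ctl, [sw.process(pkt) for sw in ctl.switches]
```

Tagging the quarantine rules with the incident identifier is what lets release() roll back exactly that response, and the audit log records each push for later forensic review.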

SDN-related technologies serve to improve the overall security stance of organizations. They can be used to implement various security safeguards such as network segmentation, traffic monitoring and analysis, access control, automated security response, and zero-trust network implementation, among many others.

Though SDN began with the idea of creating switch and router operating systems, it has evolved into an indispensable part of networking and network security. Moreover, in this era of cloud computing, several use cases of Software Defined Networking such as SD-WAN and SD-Access have come up. 

All this shows the ever-increasing importance of Software Defined Networking and how it is fueling significant changes in the networking and cybersecurity landscape. 
