Open source SDN could be scary. Especially after Heartbleed, Shellshock and
the recent FREAK scare, people are understandably leery of the security of
open source. There is a bit of a mystique that opening up the programmable
software interface to anyone who wants to come in and code makes the code
vulnerable and open to manipulation.
But in reality, an open programming model, like the one being embraced by the
Open Networking Foundation (ONF), is actually more secure, particularly in the
context of SDN. SDN gives one the ability to recognize and pinpoint a
problem quickly, then quarantine it and apply measures to address it. In a
threat environment that is constantly changing, one needs a network that
can evolve as fixes are made and also stay ahead of conceivable future
threats.
Increased visibility into the code base also makes it easier to address
issues. While it would be ignorant to say that there isn’t a potential
for problems like those associated with FREAK and other vulnerabilities,
it’s difficult for me to believe that these were deliberately
architected into the software without anyone noticing. We all know that one of
the key advantages of open source is that someone is always watching the code
and keeping everyone honest. Instead, I believe that these vulnerabilities
were simply an oversight that the bad guys found and exploited.
By contrast, when a hole is exploited in a fixed system, it’s a lot
harder to address the problem. It’s hard to update the embedded
software, so if a problem arises, there really isn’t a quick way to
stop it. Because SDN infrastructure is not fixed in time, there’s
increased flexibility to fight attacks. As an example, it wasn’t too
long ago that the U.S. and Chinese governments were trading accusations about
whether one had built deliberate backdoors into the networking equipment being
bought by the other. While the truth of these accusations is a discussion for
another time, the bare fact is that in a traditional network, this sort of
deviousness is very possible.
In a flexible and programmable SDN network, on the other hand, one can break
the linkage between the software and hardware vendors. One can run whatever
software one wants, choosing the amount of visibility one wants to offer into
the software and how much one trusts that software to not have built-in
backdoors. Or one could even go into the software itself to close any
vulnerabilities one might find.
SDN holds a huge potential to increase network security. Due to its open,
flexible, programmable nature, it may not seem secure on its surface, but
beneath that façade is the ability to find and close security
vulnerabilities quickly and easily, particularly when compared to traditional,
fixed networks.