Software Defined Networking (SDN) is a new paradigm of designing networks. SDN is based on the idea of decoupling the control plane from the data plane, introducing a logically centralized control with open interfaces, and providing an API on abstractions of the network elements to program their forwarding behavior. SDN opens new opportunities for telecommunications and network operators as well as enterprise networks by providing effective means for fast infrastructure provisioning and dynamic reconfiguration of networks. However, SDN also poses new challenges and threats as it introduces new components to the network (APIs, applications, controller) and thus more complexity.
SDN security has a twofold meaning: Security by SDN, i.e. increasing the overall network security of a system using SDN, and Security for SDN, i.e., ensuring the secure implementation and operation of the SDN infrastructure itself. A key issue is the security of the SDN controller as it is the “brain” of the network. Any successful attack at the controller can harm the whole network. This is the reason why I conducted (while working at Huawei) some research on how to design (and practically build) a secure SDN controller. The result is what I call the "Diamond Approach for SDN Security": it basically consists of six core design principles for building a secure SDN controller architecture. Ordered as a polyhedron around the controller, these principles mind the shape of a diamond shielding the controller, hence the name.
Threat Analysis for the SDN Architecture
Ana Danping, Makan Pourzandi, Sandra-Scott Hayward, Haibin Song, Marcel Winandy, Dacheng Zhang.
Open Network Foundation (ONF), TR-530, July 2016.