Open source SDN could be scary. Especially after Heartbleed, Shellshock and the recent FREAK scare, people are understandably leery of the security of open source. There is a bit of a mystique that opening up the software's programmable interface to anyone who wants to come in and code makes the code vulnerable and open to manipulation.
But in reality, an open programming model, like the one being embraced by the Open Networking Foundation (ONF), is actually more secure, particularly in the context of SDN. SDN gives one the ability to recognize and pinpoint a problem quickly, then quarantine it and apply measures to address it. In a threat environment that's constantly changing, one needs a network that can evolve as fixes are made and also stay ahead of conceivable future threats.
Increased visibility into the code base also makes it easier to address issues. While it would be ignorant to say that there isn't a potential for problems like those associated with FREAK and other vulnerabilities, it's difficult for me to believe that these were deliberately architected into the software without anyone noticing. We all know that one of the key advantages of open source is that someone is always watching the code and keeping everyone honest. Instead, I believe that these vulnerabilities were simply oversights that the bad guys found and exploited.
By contrast, when a hole is exploited in a fixed system, it's a lot harder to address the problem. It's hard to update the embedded software, so if a problem arises, there really isn't a quick way to stop it. Because SDN infrastructure is not fixed in time, there's increased flexibility to fight attacks. As an example, it wasn't too long ago that the U.S. and Chinese governments were trading accusations about whether one had built deliberate backdoors into the networking equipment being bought by the other. While the truth of these accusations is a discussion for another time, the bare fact is that in a traditional network, this sort of deviousness is very possible.
In a flexible and programmable SDN network, on the other hand, one can break the linkage between the software and hardware vendors. One can run whatever software one wants, choosing how much visibility into that software one wants to offer and how much one trusts it not to have built-in backdoors. Or one could even go into the software itself to close any vulnerabilities one might find.
SDN holds a huge potential to increase network security. Due to its open, flexible, programmable nature, it may not seem secure on its surface, but beneath that façade is the ability to find and close security vulnerabilities quickly and easily, particularly when compared to traditional, fixed networks.