Security by SDN - Software-Defined Networking

With Software-Defined Networking, companies are able to organize their networks more efficiently by controlling programmable network components via software. Several enterprises already apply SDN in their networks and data centers to simplify network management, increase flexibility, and hence reduce costs. With OrchSec (Orchestrator for Security Applications), Fraunhofer SIT has developed an innovative and multifunctional SDN-based network security solution. Utilizing the features and advantages of SDN, OrchSec comes as a customizable security entity providing a higher level of network security than can be achieved in conventional networks.

Large enterprises in particular suffer from the fact that in classical networks components such as switches and routers can only be configured manually, via cumbersome management interfaces. This drastically complicates the flexible design of larger networks. Also, centralized detection of network attacks is not feasible, and neither is dynamic attack mitigation, for example through the automatic reorganization of particular network segments.

SDN: Flexible centralized network control

Network virtualization allows manufacturers of modern SDN network components to provide their customers with a unified configuration management and an automated centralized control of the overall network. The concept is based on separating the control plane from the data plane: while discrete components such as routers, switches, etc. are required only to forward the data packets, a central SDN controller takes control of all network functions and device configurations.

Effective network security based on SDN

SDN offers a global overview of the network, which enables companies to react to attacks more effectively. The security solution OrchSec developed by Fraunhofer SIT utilizes selected advantages and features of SDN to recognize and successfully avert such attacks at an early stage, even in complex networks. When OrchSec recognizes a network attack, it instantly takes effective countermeasures. In this way, several typical attacks are blocked, such as ARP Spoofing, Distributed Denial of Service (DDoS), DNS Amplification and Slow-Read attacks.
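As an added illustration of the detect-and-mitigate loop described above (example code written for this page, not OrchSec's or Fraunhofer SIT's): a controller-side security app that inspects ARP packet-in events, keeps one MAC per IP seeded from a trusted source, and asks the controller to install a drop rule at the ingress port of any host that contradicts the table. The `ArpEvent` and `DropRule` shapes, the switch and port identifiers and the sample traffic are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class ArpEvent:  # constructed ARP packet-in event as a controller app would see it (hypothetical shape)
    switch_id: str
    in_port: int
    opcode: int        # 1 = request, 2 = reply
    sender_ip: str
    sender_mac: str

@dataclass
class DropRule:  # flow rule the app asks the controller to install (hypothetical schema, not OrchSec's)
    switch_id: str
    in_port: int
    src_mac: str
    reason: str

class ArpSpoofGuard:
    """Controller-side ARP inspection: one MAC per IP, block hosts that contradict the table."""

    def __init__(self, trusted: Optional[Dict[str, str]] = None):
        # Bindings seeded from a trusted source (e.g. a DHCP lease table); unknown IPs are
        # learned on first sight, so seed the hosts worth protecting (gateway, DNS server).
        self.bindings: Dict[str, str] = dict(trusted or {})

    def handle(self, ev: ArpEvent) -> Optional[DropRule]:
        known = self.bindings.get(ev.sender_ip)
        if known is None:
            self.bindings[ev.sender_ip] = ev.sender_mac  # first sight: learn the binding
            return None
        if known == ev.sender_mac:
            return None  # consistent with the table, nothing to do
        # Conflict: a different MAC claims an IP already bound elsewhere. Gratuitous requests
        # poison caches just like replies, so both opcodes are treated as spoofing attempts.
        kind = "reply" if ev.opcode == 2 else "request"
        return DropRule(ev.switch_id, ev.in_port, ev.sender_mac,
                        f"ARP {kind} claims {ev.sender_ip}, which is bound to {known}")

def run_sample() -> List[DropRule]:
    # Constructed traffic: a trusted gateway binding, a legitimate host, then a spoofed reply.
    guard = ArpSpoofGuard(trusted={"10.0.0.1": "00:00:00:00:00:01"})
    events = [
        ArpEvent("s1", 1, 1, "10.0.0.10", "00:00:00:00:00:0a"),  # host .10 learned on first sight
        ArpEvent("s1", 2, 2, "10.0.0.1", "00:00:00:00:00:01"),   # gateway reply, matches the table
        ArpEvent("s1", 3, 2, "10.0.0.1", "00:00:00:00:00:bb"),   # port 3 claims the gateway's IP
    ]
    return [r for r in (guard.handle(e) for e in events) if r is not None]
```

Because the controller sees every switch's ARP traffic, one table covers the whole network, which is the centralized detection that per-device configuration in a classical network cannot provide.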

Customizable security apps

Fraunhofer SIT offers manufacturers of SDN components the opportunity to integrate a customized OrchSec version into their products. For this purpose, OrchSec is integrated into the controller and monitoring architecture of the respective SDN. The Fraunhofer SIT solution is based on a modular concept that makes customized network security possible: individual security applications (apps) that OrchSec activates as modules within the respective network. The apps can be developed, configured, and combined individually according to each customer's requirements. In this way the security functions of the respective network are customized and kept up to date.

Practical testing of OrchSec in daily business has already started.