Is software defined security changing security in modern applications? – By Aditya Abeysinghe

Software defined security

Software defined security (SDS) virtualizes the security functions of a network and abstracts them from hardware. Not every security function can be virtualized, and hardware remains necessary for some security functions in a system. Network functions such as firewalls, intrusion detection, and access controls can run in virtual networks built with software defined networking and then be brought under SDS. SDS has therefore changed how security is applied in networks by shifting from traditional hardware to software-based components.

Why transition to SDS?

Network segmentation divides a network into sections so that each section is separated from the others. This limits the damage when one or more machines or virtual machines are attacked: when one section of a segmented network is attacked, the other sections can continue to operate without being attacked. The traditional method of network segmentation is to place switches and routers and join the sections through them. However, as attackers use more complex methods, a rigid hardware-based method of segmenting network devices is often hard to maintain. SDS can enable network segments to be changed in less time using network-based functions. This makes networks easier to manage with less effort and reduces the impact of attacks.
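The following sketch is an added example, not code from the original article: it models segments as data with default-deny rules between them, so isolating an attacked host is a policy change rather than a hardware change. The segment names, subnets, ports and the `SegmentPolicy` class are hypothetical and constructed for illustration.

```python
import ipaddress

# Constructed sample data: segment names, subnets and rules are hypothetical.
SEGMENTS = {
    "web": ipaddress.ip_network("10.0.1.0/24"),
    "app": ipaddress.ip_network("10.0.2.0/24"),
    "db": ipaddress.ip_network("10.0.3.0/24"),
}
# Allowed inter-segment flows: (source segment, destination segment, TCP port).
# Anything not listed is denied (default deny between segments).
ALLOWED = {("web", "app", 8443), ("app", "db", 5432)}
QUARANTINE = "quarantine"

class SegmentPolicy:
    def __init__(self, segments, allowed):
        self.segments = dict(segments)
        self.allowed = set(allowed)
        self.overrides = {}  # per-host segment overrides, e.g. quarantine

    def segment_of(self, ip):
        addr = ipaddress.ip_address(ip)
        if addr in self.overrides:
            return self.overrides[addr]
        for name, net in self.segments.items():
            if addr in net:
                return name
        return None  # unknown hosts belong to no segment

    def permits(self, src, dst, port):
        s, d = self.segment_of(src), self.segment_of(dst)
        if s is None or d is None or QUARANTINE in (s, d):
            return False
        return s == d or (s, d, port) in self.allowed

    def quarantine(self, ip):
        # A change to policy state only; no switch or cable is touched.
        self.overrides[ipaddress.ip_address(ip)] = QUARANTINE

def demo():
    policy = SegmentPolicy(SEGMENTS, ALLOWED)
    before = policy.permits("10.0.1.10", "10.0.2.20", 8443)
    policy.quarantine("10.0.1.10")  # host flagged as attacked
    return {
        "before": before,
        "attacked_host_after": policy.permits("10.0.1.10", "10.0.2.20", 8443),
        "peer_web_host": policy.permits("10.0.1.11", "10.0.2.20", 8443),
        "app_to_db": policy.permits("10.0.2.20", "10.0.3.30", 5432),
        "web_to_db": policy.permits("10.0.1.11", "10.0.3.30", 5432),
    }
```

Calling `demo()` shows the quarantined host losing access while the remaining web, app and db flows keep working.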

Remote or offsite working is currently a widely used way of working. Traditional network security was used only onsite and was hard to use offsite. Offsite connectivity was established using a private network or a dedicated network. However, managing the security of all remotely connected users is not feasible using hardware-based security. SDS can be used to monitor networks virtually through a central management and monitoring system. With virtual remote monitoring, attacks can be reported and minimized in less time and with minimal impact on other users.

SDS can also reduce the management and operational expenses of physical hardware by using virtualized functions. With virtualized functions, hardware can be managed virtually and scaled when resources need to be added or removed. Most hardware is expensive to install and often carries additional maintenance costs. The time needed for maintenance and installation, and the expertise needed to control hardware, are also often drawbacks of using hardware to manage network security.

Issues with NFV and SDN

Software defined networking (SDN) and network function virtualization (NFV) are the basis of SDS. While both have made SDS adaptable and adoptable, issues with them often keep SDS from being used in systems. A common issue with NFV is that it is often too complex to integrate. The usual technique of adding security to a network includes adding vendor network hardware and then networking it with other hardware. Most technical experts in businesses have not used a software-based networking solution to integrate with hardware. Thus, adopting SDS, which uses NFV, is hard for such businesses.

Virtual network functions are often tightly coupled with other functions, which makes them hard to automate. Moving a network away from a hardware-based networking solution is often hard because virtualized functions offer less openness in how they can be automated and configured. As function-based security is built on technologies including virtual machines, it is more difficult to manage in a network than hardware device-based security, because functions and services are managed automatically.

Image courtesy: https://www.classcentral.com/
