Ensuring security for networks of the future
Today’s company networks comprise hundreds of devices: routers for directing data packets to the right receiver, firewall components for protecting internal networks from the outside world and network switches. Such networks are extremely inflexible because every component, every router and every switch can carry out only the task it was manufactured for. If the network has to be expanded, the company has to integrate new routers, firewalls or switches and then program them by hand. That’s why experts worldwide have been working on flexible networks of the future for the last five years or so, developing what is known as software-defined networking (SDN). It presents one disadvantage, however: it is susceptible to hacker attacks.
Researchers from the Fraunhofer Institute for Applied and Integrated Security AISEC in Garching, near Munich, have been working on how to make SDN secure and how SDN and all related components can be monitored.
One of these components is visualisation software, which displays the network’s individual components and depicts in real time how the various applications are communicating with the controller. “We can show how software influences the behaviour of different components using the controller or, in the case of an attack, how it disrupts them,” said Christian Banse, a security expert at AISEC.
But how exactly does SDN work, and why is it so vulnerable to attack? “In the future, the plan is for a central control unit to tell the many network components what to do. To put it simply, routers, firewalls and switches lose their individual intelligence - they only follow orders from the controller,” said Banse. This makes a network much more flexible, because the controller can allocate completely new tasks to a router or switch that were not intended when the component was manufactured. Plus, the tedious task of manually configuring components during installation is eliminated because components no longer need to be assigned to a specific place in the network - the controller simply uses them as needed at the moment.
Manufacturers have begun offering the first routers and switches that are SDN-compatible and have the necessary flexibility. “With all the hype surrounding the new adaptability made possible by a central control unit, SDN security has been neglected,” warned Banse. “That’s why we’re developing solutions to make SDN more secure from the outset, before such systems become firmly established.” In the future, networks will be controlled solely by a central controller - Banse sees this as a problem, because it might provide the perfect loophole for attackers to access the entire network. “On top of that, a whole set of new applications are being developed for SDN - for instance, for firewall components or routing,” said Banse. “We have to make sure that these applications are reliable.” It would be disastrous if, for example, outsiders were able to gain access to the company network using software installed accessing the controller.
That’s why Banse and his colleagues started off by analysing the interaction of all SDN components to identify vulnerabilities. “You have to precisely define how deep into the network a new application is allowed to go, for example. Otherwise the stability and security of the network is not guaranteed.” So far, there are no sufficient security standards for communication among individual SDN components, but AISEC researchers are lobbying hard for an international standard. In addition to their visualisation solution, Banse and his team are also developing technical means for preventing unauthorised applications or malware from gaining access to SDN systems. They are developing ways to monitor if an app really carries out only the task for which it was intended. If it performs unplanned or undesirable activities, ie, malware, it is rejected and blocked by the system.
HMS Networks Anybus Defender industrial network security appliances
The Anybus Defender series provides a firewall to protect operational technology (OT) networks.
Rosemount 802 wireless multi-discrete I/O transmitter
The Rosemount 802 has eight discrete I/O channels, each one configurable as an input or an...
IDEC SX8R bus coupler module
The IDEC SX8R bus coupler module is designed to facilitate flexible control signal connectivity.