From the Spring 2016 Issue

Automating Cybersecurity Using Software-Defined Networking

Chris Christou
Booz Allen Hamilton

Michael Lundberg
Booz Allen Hamilton

Large-scale cyber-attacks continue to make headlines around the world. While data breaches can have catastrophic and costly consequences, hackers can also cause havoc by interrupting organization operations through distributed denial-of-service (DDoS) attacks.

The number one threat against service provider (SP) customers is DDoS attacks, according to Arbor Networks’ 2016 “Worldwide Infrastructure Security Report.” Most DDoS attacks are short in duration but frequent, and they can be damaging in more than one way: they are used not only to disrupt an organization’s business, but also as a diversion while perpetrators infiltrate other areas of the network. Arbor Networks reports that while 86% of attacks last less than 30 minutes, 37% of respondents stated that they are attacked 50 or more times a month. 36% of respondents reported that it takes 10 minutes or more to mitigate an attack, and that downtime carries a tangible business expense: roughly 45% of enterprise, government, and education organizations indicated that internet downtime costs the organization $1,000 or more a minute, with 14% incurring costs of over $5,000 per minute.1

A key enabler of these malicious attacks is system and network misconfiguration, which remains a major cause of information technology (IT) infrastructure vulnerabilities. IT misconfigurations include incorrect address assignments, unnecessary open firewall ports, unpatched servers, and other commonly fixable configuration details. To run more reliable IT infrastructures, organizations need better tools and mechanisms that can help reduce human errors and decrease the time it takes to restore capabilities.

Advantages of Software-Defined Networking

Software-defined networking (SDN) is an emerging technology that can help address these challenges. As operators seek to enhance network protection, SDN reduces misconfiguration by automating security provisioning, and it shortens the time needed to restore system functionality after an attack. At its core, SDN abstracts and centralizes network configuration and management functionality. It also makes the network programmable by allowing external applications to drive its behavior. These applications can automate and simplify the configuration of network devices, making the network more reliable and easier to diagnose.

The term SDN and its initial concepts emerged out of academia.2 However, abstracting and centralizing network functions is not new. Starting in the mid-90s, several service providers began implementing advanced network management suites to automate network operations with the intention of reducing costs.

SDN is typically viewed as a three-level architecture centered on an SDN controller that controls and manages network devices (e.g., routers, switches, firewalls, intrusion detection systems). At the lower level, network devices communicate with the controller through application programming interfaces (APIs), allowing the controller to reconfigure each device and collect state and status information. Applications operate at the top level of the SDN architecture as the brains of the network, defining the policies that the SDN controller encodes and pushes to infrastructure devices.

Applications are not limited to making decisions based on information collected from lower-level network devices by the SDN controller. Inputs can be received from cloud orchestration tools, order management systems, security information and event management (SIEM) tools, identity management systems, etc. Applications can consume inputs from one or more sources, determine if a change is needed within the network, and then communicate those changes to the SDN controller, which then pushes out the necessary configuration information to the appropriate networking devices.  Over the last few years, several industry organizations have defined standards and developed SDN controllers to seek ways to inject new SDN-based technologies into enterprise and provider networks:

  • OpenDaylight (ODL) is a community-based, open-source project that develops one of the leading SDN controllers in the industry. Key contributors include Cisco and Brocade, both of which also offer their own branded ODL-based controllers as part of their portfolios.
  • The OpenContrail project has developed an open source-based SDN controller. Similar to ODL, the OpenContrail controller provides management and control of the networking infrastructure. The project has also developed a vRouter to operate in a virtualized environment. Juniper Networks is a key contributor to OpenContrail and offers its own Contrail SDN controller.
  • The Open Networking Foundation (ONF), an industry organization focused on advancing SDN adoption, has defined the OpenFlow standard. OpenFlow enables an SDN controller to directly control and configure how a switch/router forwards traffic. OpenFlow has been implemented within academia and research networks, but has not yet gained widespread adoption in production networks. ODL supports OpenFlow, among other protocols.
  • The Internet Engineering Task Force (IETF) has defined several protocols that are being used in support of SDN. For example, the IETF defined the Network Configuration Protocol (NETCONF, RFC 6241), which allows a controller to get, edit, copy, and delete the configuration datastores of network devices (running, candidate, and startup). To accompany NETCONF, the IETF has standardized the Yet Another Next Generation (YANG) data-modeling language (RFC 6020) to model configuration, state, and event monitoring data. Network vendors typically use different syntax to program/configure their devices; NETCONF/YANG allows for uniformity when controlling different types of devices, provided the devices implement the same YANG models.

Networking vendors have begun implementing open standards like OpenFlow and NETCONF/YANG, allowing network devices to be controlled by SDN controllers such as ODL and Contrail. Many vendors are still in the process of adopting these protocols, while others have implemented their own proprietary protocols and controllers. Although adoption is not yet widespread and implementations vary, the advantages of SDN are real.

SDN for Cybersecurity

While SDN deployment is still in its early stages, these new technologies and concepts can help mitigate the threats that organizations face. The following use cases illustrate how SDN can play a role in solving these challenges.

Automated security provisioning and orchestration

To avoid vulnerabilities caused by misconfigurations, SDN can be used to simplify and automate network provisioning as changes occur within a business’s application and server environment. For example, cloud orchestration tools can allow customers and administrators to quickly create, move, and delete virtual machines (VMs) within their computing environment. By integrating a cloud orchestration tool with an SDN controller, the orchestration tool can communicate changes in the computing environment to the SDN controller, which then reconfigures the network to properly support changes to the VM environment automatically and reliably.  These network reconfigurations could include changing access control lists (ACLs), load balancing traffic, and creating network address translation (NAT) rules.
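The provisioning path just described, together with the NETCONF/YANG exchange mentioned in the standards list above, as an added Python example that is not from the article or from any controller project: a constructed orchestrator event for a new VM is turned into a per-VM ACL expressed in the IETF YANG ACL model and wrapped in a NETCONF <edit-config> RPC for the controller to send to the device. The event format, tenant and VM names, addresses and service list are assumptions, as is the premise that the device implements ietf-access-control-list in the layout published in RFC 8519 (the model was still an IETF draft when this article appeared); the two device replies are constructed as well.

```python
"""Added example (not from the article): an SDN application builds a
NETCONF <edit-config> carrying a per-VM ACL after an orchestrator reports
a new VM. Event format, addresses, ports and the RFC 8519 ACL layout are
assumptions made for illustration.
"""
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"                # NETCONF base (RFC 6241)
ACL = "urn:ietf:params:xml:ns:yang:ietf-access-control-list"  # ietf-access-control-list
ET.register_namespace("nc", NC)
ET.register_namespace("acl", ACL)
PROTO_NUM = {"tcp": 6, "udp": 17}

# Constructed orchestrator event: the new VM may be reached only on the
# listed services; everything else sent to it is to be dropped.
VM_EVENT = {
    "tenant": "web", "vm": "web-01", "ip": "10.20.30.40",
    "allow": [{"proto": "tcp", "port": 443}, {"proto": "tcp", "port": 22}],
}

def add_ace(aces, name, dst_ip, forwarding, proto=None, port=None):
    """Append one access-control entry matching traffic sent to dst_ip."""
    ace = ET.SubElement(aces, ET.QName(ACL, "ace"))
    ET.SubElement(ace, ET.QName(ACL, "name")).text = name
    matches = ET.SubElement(ace, ET.QName(ACL, "matches"))
    ipv4 = ET.SubElement(matches, ET.QName(ACL, "ipv4"))
    ET.SubElement(ipv4, ET.QName(ACL, "destination-ipv4-network")).text = dst_ip + "/32"
    if proto is not None:
        ET.SubElement(ipv4, ET.QName(ACL, "protocol")).text = str(PROTO_NUM[proto])
        dport = ET.SubElement(ET.SubElement(matches, ET.QName(ACL, proto)),
                              ET.QName(ACL, "destination-port"))
        ET.SubElement(dport, ET.QName(ACL, "operator")).text = "eq"
        ET.SubElement(dport, ET.QName(ACL, "port")).text = str(port)
    actions = ET.SubElement(ace, ET.QName(ACL, "actions"))
    # identityref values carry the module prefix declared on the root element
    ET.SubElement(actions, ET.QName(ACL, "forwarding")).text = forwarding
    return ace

def build_acl(event):
    """One ACL per VM: permit the listed services, then drop the rest.
    ACEs are an ordered list in the model, so the deny entry goes last."""
    acls = ET.Element(ET.QName(ACL, "acls"))
    acl = ET.SubElement(acls, ET.QName(ACL, "acl"))
    ET.SubElement(acl, ET.QName(ACL, "name")).text = "%s-%s" % (event["tenant"], event["vm"])
    ET.SubElement(acl, ET.QName(ACL, "type")).text = "acl:ipv4-acl-type"
    aces = ET.SubElement(acl, ET.QName(ACL, "aces"))
    for svc in event["allow"]:
        add_ace(aces, "permit-%s-%d" % (svc["proto"], svc["port"]), event["ip"],
                "acl:accept", svc["proto"], svc["port"])
    add_ace(aces, "deny-rest", event["ip"], "acl:drop")
    return acls

def edit_config_rpc(config, message_id, target="candidate"):
    """Wrap YANG-modelled config in an <edit-config> aimed at the candidate
    datastore, so it can be validated and committed (or discarded) as a unit."""
    rpc = ET.Element(ET.QName(NC, "rpc"), {"message-id": str(message_id)})
    ec = ET.SubElement(rpc, ET.QName(NC, "edit-config"))
    ET.SubElement(ET.SubElement(ec, ET.QName(NC, "target")), ET.QName(NC, target))
    # merge (the default) adds to what is there; replace would discard unlisted ACEs
    ET.SubElement(ec, ET.QName(NC, "default-operation")).text = "merge"
    ET.SubElement(ec, ET.QName(NC, "config")).append(config)
    return ET.tostring(rpc, encoding="unicode")

def frame(message):
    """NETCONF 1.0 end-of-message framing as used over the SSH subsystem."""
    return message + "\n]]>]]>\n"

def summarize_rpc(rpc_xml):
    """Parse an edit-config back into a short dict, to check it before sending."""
    root = ET.fromstring(rpc_xml)
    ec = root.find("{%s}edit-config" % NC)
    target = ec.find("{%s}target" % NC)[0].tag.split("}")[1]
    aces = ec.findall(".//{%s}ace" % ACL)
    return {
        "message_id": root.get("message-id"),
        "target": target,
        "acl": ec.findtext(".//{%s}acl/{%s}name" % (ACL, ACL)),
        "aces": [(a.findtext("{%s}name" % ACL), a.findtext(".//{%s}forwarding" % ACL))
                 for a in aces],
    }

# Constructed device replies: a success and a rejected edit.
REPLY_OK = '<rpc-reply message-id="101" xmlns="%s"><ok/></rpc-reply>' % NC
REPLY_ERR = ('<rpc-reply message-id="102" xmlns="%s"><rpc-error>'
             '<error-type>application</error-type><error-tag>invalid-value</error-tag>'
             '<error-severity>error</error-severity>'
             '<error-message>identity ipv4-acl-type not supported</error-message>'
             '</rpc-error></rpc-reply>' % NC)

def reply_ok(reply_xml):
    """True on <ok/>; raise with the device's own message on <rpc-error>."""
    root = ET.fromstring(reply_xml)
    if root.find("{%s}ok" % NC) is not None:
        return True
    err = root.find("{%s}rpc-error" % NC)
    msg = err.findtext("{%s}error-message" % NC, "unknown") if err is not None else "no <ok/>"
    raise RuntimeError("edit-config rejected: " + msg)

if __name__ == "__main__":
    rpc = edit_config_rpc(build_acl(VM_EVENT), 101)
    print(frame(rpc))
    print(summarize_rpc(rpc))
```

Targeting the candidate datastore rather than running is deliberate: the controller can issue a `<validate>` and `<commit>` afterwards, and a rejected edit (the second sample reply) leaves the device's live configuration untouched, which is the property that makes automated provisioning safe to run without a human watching every push.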

Automated detection and response

Reducing the time to respond to a cyber-attack is critical. SDN controllers can automatically deny malicious traffic flows, steer suspicious flows to network forensic tools for further inspection, or quarantine the suspect traffic. Automating these functions requires an SDN application that collects inputs from security tools, intrusion detection systems, and/or other network monitoring devices. Once the application detects a potential threat, it notifies the SDN controller, which reconfigures one or more networking devices within seconds to deny, quarantine, or further inspect the identified traffic flow(s). Because the same automation can cut off legitimate traffic on a false positive, the responses should be bounded: give automatically installed rules an expiry, exclude critical infrastructure such as gateways and DNS servers from automatic denial, and log every action for review.
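The application layer described in the architecture section (an application consuming inputs from security tools and handing the controller a decision) and the detection-and-response use case above, as an added Python example that is not from the article or from any SDN controller project: constructed IDS alert lines in the Suricata/Snort "fast" format are parsed, a small policy decides per alert whether to drop the flow, mirror it to a forensics port, or, after repeated alerts from one source, block or quarantine that source, and the result is a set of OpenFlow-style flow rules ready for a controller to push. The alert lines, addresses, signature IDs, switch port numbers and thresholds are all assumptions made for illustration.

```python
"""Added example (not from the article): an SDN detection-and-response
application that turns IDS alerts into OpenFlow-style flow rules.
Alert lines, addresses, switch ports and thresholds are assumptions
made for illustration.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed alerts in the Suricata/Snort "fast" log format (made-up local sids).
ALERTS = """\
04/12/2016-10:15:23.123456  [**] [1:1000001:1] LOCAL SCAN Inbound MySQL probe [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.7:51234 -> 10.0.0.5:3306
04/12/2016-10:15:24.000001  [**] [1:1000001:1] LOCAL SCAN Inbound MySQL probe [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.7:51235 -> 10.0.0.6:3306
04/12/2016-10:15:24.500000  [**] [1:1000001:1] LOCAL SCAN Inbound MySQL probe [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.7:51236 -> 10.0.0.7:3306
04/12/2016-10:15:30.250000  [**] [1:1000002:1] LOCAL MALWARE Suspected download [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.9:40112 -> 198.51.100.20:80
04/12/2016-10:15:31.000000  [**] [1:1000003:1] LOCAL ATTACK_RESPONSE Root shell banner [**] [Classification: Potentially Bad Traffic] [Priority: 1] {TCP} 10.0.0.1:22 -> 10.0.0.42:55012
""".splitlines()

# Priority, protocol and endpoints; ports are optional (ICMP alerts have none).
ALERT_RE = re.compile(
    r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

# Policy knobs (assumed values).
FORENSIC_PORT = 7        # switch port facing the packet-capture/forensics tool
QUARANTINE_PORT = 8      # switch port facing the quarantine segment
ESCALATE_AFTER = 3       # alerts from one source before acting on the whole source
INTERNAL = [ip_network("10.0.0.0/8")]
# Infrastructure an automated rule must never cut off (gateway, DNS resolver).
PROTECTED = [ip_network("10.0.0.1/32"), ip_network("10.0.0.53/32")]
PROTO_NUM = {"tcp": 6, "udp": 17, "icmp": 1}

def in_any(addr, nets):
    return any(ip_address(addr) in n for n in nets)

def parse_alert(line):
    """Return the fields the policy needs, or None for lines that are not alerts."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    return {"prio": int(m["prio"]), "proto": m["proto"].lower(),
            "src": m["src"], "dst": m["dst"], "dport": m["dport"]}

def flow_match(a):
    """OpenFlow 1.3-style match fields for the alerted flow."""
    match = {"eth_type": 0x0800, "ip_proto": PROTO_NUM.get(a["proto"], 0),
             "ipv4_src": a["src"], "ipv4_dst": a["dst"]}
    if a["dport"] and a["proto"] in ("tcp", "udp"):
        match[a["proto"] + "_dst"] = int(a["dport"])
    return match

def rule_for_flow(a):
    """Deny high-priority alerts outright; otherwise keep forwarding but copy
    the flow to forensics. Flows touching protected infrastructure are never
    dropped automatically, only mirrored for a human to review."""
    match = flow_match(a)
    touches_protected = in_any(a["src"], PROTECTED) or in_any(a["dst"], PROTECTED)
    if a["prio"] == 1 and not touches_protected:
        # An empty action list is an OpenFlow drop.
        return {"match": match, "actions": [], "priority": 1000, "hard_timeout": 600}
    return {"match": match, "actions": ["NORMAL", "OUTPUT:%d" % FORENSIC_PORT],
            "priority": 900, "hard_timeout": 300}

def rule_for_source(src):
    """After repeated alerts: block an external source, quarantine an internal one."""
    match = {"eth_type": 0x0800, "ipv4_src": src}
    actions = ["OUTPUT:%d" % QUARANTINE_PORT] if in_any(src, INTERNAL) else []
    return {"match": match, "actions": actions, "priority": 2000, "hard_timeout": 300}

def respond(lines):
    """Return the de-duplicated flow rules the controller should install.
    hard_timeout makes every automated rule expire on its own, so a false
    positive cannot lock a host out indefinitely."""
    rules = {}
    seen = Counter()
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        r = rule_for_flow(a)
        rules.setdefault(tuple(sorted(r["match"].items())), r)
        seen[a["src"]] += 1
        if seen[a["src"]] == ESCALATE_AFTER and not in_any(a["src"], PROTECTED):
            r = rule_for_source(a["src"])
            rules.setdefault(tuple(sorted(r["match"].items())), r)
    return list(rules.values())

if __name__ == "__main__":
    for r in respond(ALERTS):
        print(r)
```

On the constructed input the scanner 203.0.113.7 ends up with a source-wide drop after its third alert, the suspected malware download is dropped as a single flow, and the priority-1 alert involving the protected gateway 10.0.0.1 is only mirrored to the forensics port. Pushing these rules to a real controller is a REST or OpenFlow call whose exact encoding differs between ODL, Contrail and vendor controllers, so it is left out here.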

Proactive defense

A third, more advanced use case involves the network becoming proactive in defending against cyber-attacks. This could involve continually reconfiguring how traffic is transported across the network, reassigning IP addresses, and/or other mechanisms (often called moving-target defense) to confuse potential attackers, making it more difficult for them to launch a successful attack. While this proactive approach requires further development, SDN automation makes it practical, and it can take away a whole category of reconnaissance and exploitation tactics rather than only shortening the recovery after an attack.

In the first use case above, SDN helps ensure that network configuration and security policies stay up to date as changes are made in the server environment. Applying security configurations based on pre-defined policies also helps eliminate human error and misconfigurations. In the second use case, SDN technologies reduce the time to respond to identified threats by automating the reconfiguration of the network. Cutting the response time from minutes to seconds can save organizations thousands of dollars per incident and reduce the risk of data exfiltration. The final use case leverages SDN to make it more difficult for hackers to infiltrate the network and launch DDoS attacks by changing the characteristics of the network and server environment on a continual basis.

Vendors have already started to implement these security automation concepts, either through an open source controller or using proprietary mechanisms. With many of these SDN-based tools now available, most organizations will start with some SDN automation while still retaining human oversight for important decisions. As detection algorithms are refined and improved, further automation will be enabled in the future, which will enhance network survivability and reduce downtime.

  1. Arbor Networks, Worldwide Infrastructure Security Report, Volume XI, 2016.
  2. Kate Greene, “TR10: Software-Defined Networking,” MIT Technology Review, March/April 2009.