Will Federal Agencies’ Adoption of SDN Boost Security?
Now that the General Services Administration has awarded its $50 billion Enterprise Infrastructure Solutions contract, agencies face a stark choice about how to pursue an upgrade of their network technology.
One option is a “like for like” transition, in which agencies would move to services under EIS that are similar to those they use now. The other path forward is “modernization,” in which agencies would jump forward technologically to solutions like software-defined networking (SDN) and 5G wireless networks.
SDN and other modern network technologies can enhance agencies’ cybersecurity posture. However, federal IT leaders need to ensure that they maintain proper controls when adopting new network infrastructure.
SDN decouples the network control plane from the data plane, which abstracts network resources and makes them programmable. That will give agencies greater flexibility to set and change network policies dynamically, including network security policies.
GSA hopes that EIS will boost cybersecurity because of direct involvement from the Department of Homeland Security and the National Security Council in developing the contract.
Network Security Concerns Remain Even with SDN
State-of-the-art management solutions can help agency IT staff keep a close eye on network traffic to detect security issues before they grow into a crisis. Network mapping tools, for instance, help staff get a better handle on network security, because without access to up-to-date network diagrams and inventory lists, it’s difficult to know exactly what needs to be protected.
Content filtering is a useful technology for agencies that would like to keep certain types of objectionable materials from infiltrating their systems. Based on predetermined settings, the filter blocks content that is not acceptable for user access and viewing.
Agencies that have already transitioned to SDN need to be careful, however. Content filtering is an application layer control and may not be built into many SDN-based network refresh designs, notes Brian A. McHenry, senior security solution architect for F5 Networks.
“The vital features to look for are prepackaged integration tools for your SDN controller solution as well as open application programming interfaces to customize more advanced SDN integrations with security services,” he says.
Perhaps the biggest SDN security concern is a compromised SDN controller. “A traditional network has a control plane that is distributed across all the nodes,” observes Fred Chagnon, research director of the Info-Tech Research Group’s infrastructure practice.
Attempts to compromise the network involve injecting misinformation into this control plane to influence network behavior. “With an SDN controller, there is now a dedicated attack platform to direct such an attack,” Chagnon says. “The security of the controller itself cannot be overstated.”