TL;DR – No. When compared to the operation of existing networks, SDN is much more secure.
The networks of today are difficult to secure because they are highly distributed and hard to configure. Security is maintained by infrastructure security best practices, where the network engineer is required to configure dozens of separate configuration items on each and every device.
SSH keys, console ACLs, management networks, RADIUS/AAA for user authentication are just a few of the dozens of check items.
Single Point of Control Risk
The SDN controller is a single point of control that focuses risk into two to five locations (depending on SDN solution). This dramatically reduces the attack surface, improves auditability, user logging and security oversight.
A focused point of risk means that you can concentrate security on that location. Importantly, SDN means that auditing the network is dramatically simplified. Today, configurations are gathered and managed as separate or isolated devices, making audit and compliance difficult in the extreme.
Yes, SDN controllers are focussed risk points, but that is better than the distributed attack surface and complex configuration management of today.
SDN Design Risks
Implementing SDN does require design to address new risks like any other new technology. Generally, I take the security policy used to manage firewalls and adapt that for SDN operation.
- API and user access should be restricted
- User authorisation and logging
- Controller-device paths secured
- Physical integrity
- Secure backups AND a secure recovery process defined
- Logs are archived, preferably in a log analytics system
IT Security is About Gambling on Each Risk
You don’t put extra doors into your house to improve safety/security, you install better doors to secure them. SDN controllers improve the overall security posture through
- Better audit of network configuration for compliance
- Better audit of user activities
- Micro-segmentation in the network (overlay networking)
- Unified configuration of virtual and physical networks
- A single point of operation reduces security complexity by focussing security controls on a smaller attack surface
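As an added illustration of the audit argument above (this is example code, not anything from the post or from any SDN vendor), the check below walks a constructed inventory in the shape a controller might export and tests every device in one pass against the hardening items the post names: key-only SSH, console ACLs, a management network, and centralised RADIUS/TACACS AAA. The device names, addresses and field names are made up for the example.

```python
import ipaddress

# Constructed management network and inventory, shaped like a controller export.
# This is an added illustration, not any real controller's API or data model.
MGMT_NET = ipaddress.ip_network("10.0.0.0/24")
INVENTORY = {
    "leaf-01": {"ssh_keys_only": True, "console_acl": True, "aaa": "radius",
                "mgmt_ip": "10.0.0.11", "mgmt_protocols": ["ssh"]},
    "leaf-02": {"ssh_keys_only": False, "console_acl": True, "aaa": "local",
                "mgmt_ip": "10.0.0.12", "mgmt_protocols": ["ssh", "telnet"]},
    "spine-01": {"ssh_keys_only": True, "console_acl": False, "aaa": "radius",
                 "mgmt_ip": "192.168.5.2", "mgmt_protocols": ["ssh"]},
}
CENTRAL_AAA = {"radius", "tacacs"}


def audit_device(dev):
    """Return the list of hardening items this device fails (empty = compliant)."""
    findings = []
    if not dev.get("ssh_keys_only"):
        findings.append("password SSH login still permitted")
    if not dev.get("console_acl"):
        findings.append("no console ACL")
    if ipaddress.ip_address(dev["mgmt_ip"]) not in MGMT_NET:
        findings.append(f"management address {dev['mgmt_ip']} outside {MGMT_NET}")
    if dev.get("aaa") not in CENTRAL_AAA:
        findings.append(f"AAA is '{dev.get('aaa')}', not RADIUS/TACACS")
    # Anything other than SSH on the management plane is a finding.
    extra = sorted(set(dev.get("mgmt_protocols", [])) - {"ssh"})
    if extra:
        findings.append("cleartext management protocol: " + ", ".join(extra))
    return findings


def audit_inventory(inventory):
    """One pass over the controller's view audits every device at once."""
    return {name: audit_device(dev) for name, dev in inventory.items()}


def non_compliant(inventory):
    """Names of devices with at least one finding, for the compliance report."""
    return sorted(n for n, f in audit_inventory(inventory).items() if f)


if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(f"{name}: {'OK' if not findings else 'FAIL'}")
        for f in findings:
            print(f"  - {f}")
```

The same checks run against a fleet of individually managed devices would first require collecting and normalising every configuration by hand, which is the audit burden the post describes.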
The EtherealMind View
Most of IT Security is about comprehending the overall view. SDN controller integrity is important, but it is just one element of the overall security posture. I believe that SDN networks are far more secure as a general principle than the “every device is manually configured to be the same” of today. Even as I wrote that, I laughed out loud.