The telecom benefits achieved decades ago when mechanical switches were replaced with electronic switching provide a wonderful glimpse into the massive advances enterprise users can expect from virtualized computing based on software defined network (SDN) technology. As large ISPs make investments in API-rich core functions, the possibility arises for a new cyber security marketplace to emerge, based on the native service chaining inherent in an open network core. AT&T is at the forefront in this revolution to virtual networking, and is leading the industry in advancing SDN as a business enabler. I had the opportunity recently to sit down with my long-time colleague and close friend, Bill O'Hern from AT&T, to get his take on how SDN and network virtualization will influence cyber security protections in the coming years.
EA: Bill, is there an easy way to explain software defined networking (SDN) to security experts and managers who might not have been exposed to the concept?
BO: Ed, I know you are well aware that software defined networking is based on the idea that software control provides more flexibility in network management than hardware. This goes for both the data center, where managers are replacing top-of-rack switches with SDN controllers, as well as for local and wide area network infrastructure support, such as we build here at AT&T. You can think of an SDN controller as being a centralized, software component that collects control plane functions into one element, rather than the more complex, distributed arrangement that exists today.
EA: Does an SDN controller include provision for security inherently, or does this have to be added on?
BO: It depends on the design, the product, and the application environment. In simple SDN deployments, say, in a small data center, a virtual operating system supporting SDN might include all the features required for protection. In larger environments, however, such as AT&T’s emerging virtual backbone, the protections have to be designed both within, and as add-on functions. This is partly why we decided recently to open-source our SDN controller, which was previously developed under proprietary conditions. By making the controller open, we create incentives for vendors – and this includes security vendors – to develop solutions that plug into our platform.
EA: Do you worry about the security implications of your controller being open source? Will that allow bad guys to find code vulnerabilities?
BO: We think it will do the opposite, and will improve the code through additional attention and scrutiny. Let’s face it, any prominent tier one ISP is going to receive a high level of scrutiny from the security community anyway. So the decision to open source was made in the spirit of both helping the overall global networking ecosystem, as well as encouraging security researchers to work with us as we try to provide flexible, on-demand global computing and networking for enterprise and consumers around the world.
EA: Do you run a bug bounty program? And if so, how is it going?
BO: We have been operating a bug bounty program for several years at AT&T, and it’s been a wonderful experience. Security researchers in the very beginning were not always sure how bug bounties worked, and sometimes we would sometimes get input that had little to do with security or vulnerabilities. But now that the practice is so well regarded in the industry, the input we receive is valuable and appreciated.
EA: Back on the issue of SDN, how much integration has been done in the AT&T core to integrate these new virtual security protections with emerging mobile security requirements?
BO: The two go hand in hand. Take threat intelligence, for example. In the earliest days when AT&T literally invented the idea of a real-time ISP-based feed of indicators from traffic, the intelligence was based on traditional networking such as PCs and servers connected to wired networks via IP addresses and ports. Now, however, by operating a unified backbone for both wired and wireless traffic, and by introducing the flexibility of SDN virtualization, we can adjust our intelligence to focus on a wider variety of endpoint issues, including mobility.
EA: Do you think DDOS attacks will shift to SDN?
BO: I think the DDOS attacks will certainly adjust for the new architecture, just as they have done for so many years. The difference now, however, is that where hardware has clear physical boundaries and capacities that can be targeted by attackers, software is more flexible. Furthermore, virtualization introduces the possibility that a DDOS attack can actually be absorbed by creating dynamic protection in the form of new virtual machine infrastructure, provisioned during the attack, and then de-provisioned after.
EA: Bill, you’ve been doing cyber security for decades. What are the trends that keep you up at night?
BO: I worry, like so many other CSOs and CISOs, that the offense is just getting so good. It doesn’t help that nation states are in the game now as well. Where it was once considered tough to stop hackers from defacing a Website, now those problems seem like child’s play. The new concerns are focused on preventing critical infrastructure attacks that can have negative consequences. Our team at AT&T gets up every day with a renewed desire and determination to help prevent such things from ever occurring.