To the average netizen, the Internet starts and ends with their favorite web browser. Whether that is Google, Yahoo, Microsoft Edge or one of the many other popular web browsers available, each delivers data in a matter of milliseconds, leaving the user oblivious to the journey that data has traveled. Underneath the screen, however, a bigger picture is at play.
Networks spanning the globe interconnect in an almost science fiction-like web to deliver data from one part of the world to another. These networks were initially built with connectivity and sharing in mind, but times are changing, and enterprises today value security above all else. In a world where the terms zero trust and least privilege gain popularity by the day, most enterprise networks are forced to ask the question: How can we ensure that a user can access only the resources they require?
Traditionally, the answer to this question was, to put it bluntly, hard. Network administrators needed to do the following:
- Map out and visualize the complete enterprise network topology
- Identify where each set of endpoints with the same group policy connect to the network
- Segment these endpoints based on business interests by creating subnets/VLANs
- Create complex access control lists (ACLs) on networking devices to enforce these policies
- Deploy the ACLs by manually applying the configuration on each networking device
As you can likely tell, each of these tasks is tedious at best and painstakingly difficult at worst. As the world matured, some network administration tasks got easier, but this was countered by increasing demands on the network. For example, with many enterprises pursuing hybrid cloud models and work-from-home capabilities, site-to-site or remote-access VPNs that integrate on-prem and remote environments soon became a must. This further increased not only the load on network administrators, but also the load on each networking device.
The traditional networking model relies on a distributed control plane, meaning that each networking device in the enterprise has to perform CPU-intensive tasks itself.
SDN as the modern solution
The principles of Software-Defined Networking (SDN) redefine, in many ways, the answer to building policy-based networks. In essence, SDN decouples the control plane from the data plane to create a centralized control-plane architecture. Sounds terrific, but what does this mean?
The 3 SDN planes
Every network architecture consists of three planes (or components): the data plane, the control plane and the management plane.
- Data plane: the plane that handles the physical forwarding of the packets and frames a networking device receives
- Control plane: the plane that builds the rules the data plane uses, by running routing protocols, establishing VPN tunnels, etc.
- Management plane: the plane that enables network administrators to configure and manage network devices
What this means for networks
A centralized control plane typically shows itself through the use of a device called a controller, which can be either a physical or a virtual appliance. Rather than each networking device running its own distributed processes, the controller handles all of this for them. Take the simple example of routing: the controller has a view of the entire network and pushes the configuration required to each router for connectivity to be established. This effectively creates a centralized source of intelligence for the entire network.
SDN and security
The true value of SDN, however, comes to light when one looks at it through the lens of security. To segment different groups of endpoints, only the SDN controller needs to be configured with policies; the controller then translates them and pushes the resulting configuration to the rest of the networking devices. Essentially, an SDN controller enables the network to be configured with business interests in mind rather than around the mundane and tedious IP addressing schemes of before.
Additional benefits
Implementing a centralized intelligence to the network offers a multitude of other benefits as well, such as:
- Automatic updates of devices
- Reduced CPU usage for networking devices
- Faster processing for networking devices
- Easier network administration
- Efficiency of quarantining
- Granular security control
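To make the controller's role concrete, here is an added example (not from the article or any particular SDN product) of a toy controller that compiles group-based intent into a per-switch ACL with a default deny, quarantines an endpoint by changing only its group, and reports which devices actually need a new configuration pushed. All group names, switch names and addresses are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass
class Endpoint:
    ip: str
    group: str   # business group the endpoint belongs to, not a subnet
    switch: str  # access device the endpoint attaches to

@dataclass
class Controller:
    endpoints: List[Endpoint]
    allow: List[Tuple[str, str, int]] = field(default_factory=list)  # (src group, dst group, TCP port)

    def members(self, group: str) -> List[str]:
        return sorted(e.ip for e in self.endpoints if e.group == group)

    def compile_acls(self) -> Dict[str, List[str]]:
        """ACL per switch (inbound on access ports, client-to-server only): permits, then default deny."""
        acls: Dict[str, List[str]] = {}
        for e in self.endpoints:
            rules = acls.setdefault(e.switch, [])
            for src, dst_group, port in self.allow:
                if e.group != src:
                    continue
                for dst in self.members(dst_group):
                    rules.append(f"permit tcp host {e.ip} host {dst} eq {port}")
        for rules in acls.values():
            rules.append("deny ip any any")
        return acls

    def quarantine(self, ip: str) -> Dict[str, List[str]]:
        # Moving the endpoint into a group with no allow rules is the whole policy change.
        for e in self.endpoints:
            if e.ip == ip:
                e.group = "quarantine"
        return self.compile_acls()

def changed_devices(old: Dict[str, List[str]], new: Dict[str, List[str]]) -> List[str]:
    """Switches whose ACL differs between two compilations: the only ones to push to."""
    return sorted(s for s in set(old) | set(new) if old.get(s) != new.get(s))

# Constructed sample inventory and a single business-intent rule.
SAMPLE = [Endpoint("10.1.1.10", "finance", "sw1"), Endpoint("10.1.1.11", "finance", "sw1"),
          Endpoint("10.2.2.20", "guest", "sw2"), Endpoint("10.9.9.5", "erp-servers", "sw3")]
POLICY = [("finance", "erp-servers", 443)]
if __name__ == "__main__":
    ctl = Controller(SAMPLE, POLICY)
    before = ctl.compile_acls()
    after = ctl.quarantine("10.1.1.10")
    print(before["sw1"], changed_devices(before, after))
```

Note that the administrator never touches an IP address or a device: the controller derives every ACL line from the group membership it tracks, and an endpoint's quarantine changes only the switch it is attached to.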
We are now in the middle of a new age of technology, one that will inspire generations to come and forever change how we use the internet. Although controller-based networking is a big part of SDN, it is only a part of what can be done through the use of software inside of networks. I encourage you all to discover more about this amazing technology.
Editor’s note: See more networking resources from ISACA, including a Networking and Infrastructure Fundamentals Online Course.