Welcome!

Related Topics: SDN Journal, Java IoT, Microservices Expo, Microsoft Cloud, Containers Expo Blog, Cloud Security

SDN Journal: Blog Feed Post

SDN and Security: Network versus Applications

As attackers move up the stack, so must defenders

That attackers are moving "up the stack", toward the application layer, should be no surprise. Increasingly, network layer attacks are a distraction; a means to engage security professionals attention while the real target - an application - is attacked. Even when this is not the case, the tendency to attack at the application layers is increasing because honestly it's cheaper in terms of resources to take out an application using application layer attacks than it is to do so at the network layers. Sure, an attacker might not be able to completely eradicate a company's presence from the Internet, but it can take out critical applications that make it appear as if they've disappeared, which has pretty much the intended effect - costly downtime due to loss of revenue, brand damages, and probably a few blown aneurisms due to stress.

Don't take my word for it, though. Here's a sampling of warnings and predictions from around the industry:

“An increasing number of application-layer attacks, which older DDoS detection and mitigation infrastructure can’t identify and block, are forcing companies to make new investments in DDoS solutions.”1

"The challenge with application-layer attacks is to distinguish human traffic from bot traffic, so DDoS mitigation providers often use browser fingerprinting techniques like cookie tests and JavaScript tests to determine if requests actually come from real browsers. Launching DDoS attacks from hidden, but real browser instances running on infected computers makes this type of detection very hard.

“We’ve been seeing more and more usage of application-layer attacks during the last year,” Gaffan said, adding that evasion techniques are also adopted rapidly."2

"In a report titled, “Arming Financial and E-Commerce Services Against Top 2013 Cyberthreats,” Gartner forecasts that 25% of ALL DDoS attacks in 2013 will be application-based."3

The inevitably of application layer attacks on your very own applications is why it's increasingly important to understand the difference between network security and application security. The two are not the same, and they require very different solutions.

Increasingly, it is posited that SDN is well-suited to answer the ever presence and growing challenge attackers present to security ops. Given its dynamic and software-defined (separated control plane) nature, that makes sense - when we're talking about the network, at least.

SDN and Security
It is important - very important - to remember that SDN architectures, by design, only provide the visibility and control required to implement security at the lower order layers of the network stack. Specifically, layers 2-4. That's data link, IP, and TCP (and sometimes UDP) for the uninitiated.

Note that nowhere in that list is "application" mentioned. The application layer is way up at the top - at layer 7 - and in 64% of applications4 that means HTTP.

Interestingly, there's nothing stopping an SDN "application" from inserting itself into the SDN controller (via the northbound API) and providing application layer security by acting as a full proxy and inspecting every single packet. Well, nothing except for scalability and performance of the SDN controller, which was not designed to be a part of the active data path. The architecture was designed to focus on the network, on forwarding packets and managing flows, not inspecting application layer transport protocols and the data it carries. But that's exactly what's necessary to provide the kind of application layer defenses required in this brave, new application attack-based environment. Inspection of payloads, not packets. Evaluation of clients, not connections.

network-versus-application-security

This is not to say that an overarching SDN architecture can't provide for both network and application layer security.  An integrated solution comprising both network and application-layer elements will ultimately provide the comprehensive top-to-bottom (of the stack) security desperately needed to defend against attackers. What you won't see are SDN applications that provide true application-layer security. For that, you'll need focused data path elements and, most likely, an application service management and orchestration component to control those elements. The application service management  and orchestration component then integrates with the SDN controller (control plane) and executes via service chaining (data plane) to enable defense of the entire network - and applications.

sdn-big-picture

What's most important to remember is that network security is not application security. Whether you're trying to figure out how SDN is going to fit into the larger information security architecture or just trying to prepare for the next wave of attacks, evaluate your readiness for both types of security measures and policies.

1. Application-layer attacks sparking new investments in DDoS solutions

2.  Application-layer DDoS attacks are becoming increasingly sophisticated

3. Gartner: Application Layer DDoS Attacks to Increase in 2013

4. Based on F5 iHealth statistics from 55,270 BIG-IP systems (Aug 2013)

More Stories By Lori MacVittie

Lori MacVittie is responsible for education and evangelism of application services available across F5’s entire product suite. Her role includes authorship of technical materials and participation in a number of community-based forums and industry standards organizations, among other efforts. MacVittie has extensive programming experience as an application architect, as well as network and systems development and administration expertise. Prior to joining F5, MacVittie was an award-winning Senior Technology Editor at Network Computing Magazine, where she conducted product research and evaluation focused on integration with application and network architectures, and authored articles on a variety of topics aimed at IT professionals. Her most recent area of focus included SOA-related products and architectures. She holds a B.S. in Information and Computing Science from the University of Wisconsin at Green Bay, and an M.S. in Computer Science from Nova Southeastern University.

Latest Stories
In his general session at 18th Cloud Expo, Lee Atchison, Principal Cloud Architect and Advocate at New Relic, discussed cloud as a ‘better data center’ and how it adds new capacity (faster) and improves application availability (redundancy). The cloud is a ‘Dynamic Tool for Dynamic Apps’ and resource allocation is an integral part of your application architecture, so use only the resources you need and allocate /de-allocate resources on the fly.
What happens when the different parts of a vehicle become smarter than the vehicle itself? As we move toward the era of smart everything, hundreds of entities in a vehicle that communicate with each other, the vehicle and external systems create a need for identity orchestration so that all entities work as a conglomerate. Much like an orchestra without a conductor, without the ability to secure, control, and connect the link between a vehicle’s head unit, devices, and systems and to manage the ...
Apache Hadoop is a key technology for gaining business insights from your Big Data, but the penetration into enterprises is shockingly low. In fact, Apache Hadoop and Big Data proponents recognize that this technology has not yet achieved its game-changing business potential. In his session at 19th Cloud Expo, John Mertic, director of program management for ODPi at The Linux Foundation, will explain why this is, how we can work together as an open data community to increase adoption, and the i...
If you had a chance to enter on the ground level of the largest e-commerce market in the world – would you? China is the world’s most populated country with the second largest economy and the world’s fastest growing market. It is estimated that by 2018 the Chinese market will be reaching over $30 billion in gaming revenue alone. Admittedly for a foreign company, doing business in China can be challenging. Often changing laws, administrative regulations and the often inscrutable Chinese Interne...
Let’s face it, embracing new storage technologies, capabilities and upgrading to new hardware often adds complexity and increases costs. In his session at 18th Cloud Expo, Seth Oxenhorn, Vice President of Business Development & Alliances at FalconStor, discussed how a truly heterogeneous software-defined storage approach can add value to legacy platforms and heterogeneous environments. The result reduces complexity, significantly lowers cost, and provides IT organizations with improved efficienc...
Cloud computing is being adopted in one form or another by 94% of enterprises today. Tens of billions of new devices are being connected to The Internet of Things. And Big Data is driving this bus. An exponential increase is expected in the amount of information being processed, managed, analyzed, and acted upon by enterprise IT. This amazing is not part of some distant future - it is happening today. One report shows a 650% increase in enterprise data by 2020. Other estimates are even higher....
As ridesharing competitors and enhanced services increase, notable changes are occurring in the transportation model. Despite the cost-effective means and flexibility of ridesharing, both drivers and users will need to be aware of the connected environment and how it will impact the ridesharing experience. In his session at @ThingsExpo, Timothy Evavold, Executive Director Automotive at Covisint, will discuss key challenges and solutions to powering a ride sharing and/or multimodal model in the a...
DevOps at Cloud Expo – being held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA – announces that its Call for Papers is open. Born out of proven success in agile development, cloud computing, and process automation, DevOps is a macro trend you cannot afford to miss. From showcase success stories from early adopters and web-scale businesses, DevOps is expanding to organizations of all sizes, including the world's largest enterprises – and delivering real results. Am...
SYS-CON Events announced today that CDS Global Cloud, an Infrastructure as a Service provider, will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. CDS Global Cloud is an IaaS (Infrastructure as a Service) provider specializing in solutions for e-commerce, internet gaming, online education and other internet applications. With a growing number of data centers and network points around the world, ...
SYS-CON Events announced today that LeaseWeb USA, a cloud Infrastructure-as-a-Service (IaaS) provider, will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. LeaseWeb is one of the world's largest hosting brands. The company helps customers define, develop and deploy IT infrastructure tailored to their exact business needs, by combining various kinds cloud solutions.
Big Data has been changing the world. IoT fuels the further transformation recently. How are Big Data and IoT related? In his session at @BigDataExpo, Tony Shan, a renowned visionary and thought leader, will explore the interplay of Big Data and IoT. He will anatomize Big Data and IoT separately in terms of what, which, why, where, when, who, how and how much. He will then analyze the relationship between IoT and Big Data, specifically the drilldown of how the 4Vs of Big Data (Volume, Variety,...
19th Cloud Expo, taking place November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA, will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud strategy. Meanwhile, 94% of enterpri...
WebRTC is bringing significant change to the communications landscape that will bridge the worlds of web and telephony, making the Internet the new standard for communications. Cloud9 took the road less traveled and used WebRTC to create a downloadable enterprise-grade communications platform that is changing the communication dynamic in the financial sector. In his session at @ThingsExpo, Leo Papadopoulos, CTO of Cloud9, discussed the importance of WebRTC and how it enables companies to focus...
Internet of @ThingsExpo, taking place November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 19th Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The Internet of Things (IoT) is the most profound change in personal and enterprise IT since the creation of the Worldwide Web more than 20 years ago. All major researchers estimate there will be tens of billions devices - comp...
For basic one-to-one voice or video calling solutions, WebRTC has proven to be a very powerful technology. Although WebRTC’s core functionality is to provide secure, real-time p2p media streaming, leveraging native platform features and server-side components brings up new communication capabilities for web and native mobile applications, allowing for advanced multi-user use cases such as video broadcasting, conferencing, and media recording.