Can SDN usher in better IT security?

Citrix security strategist is hopeful; others say too early to tell

That software-defined networking (SDN) is a coming reality is starting to gain traction in IT security circles, with some vendors arguing it could lead to a level of interoperability in security largely missing at present.

“SDN we see an as open network that gets people away from proprietary ways of defining networks,” says Kurt Roemer, chief security strategist at Citrix Systems, adding in the future, networks will be defined through more open dynamic “flows” rather than more vendor-dependent, IP-based relationships. Roemer even says he anticipates that the Linux Foundation’s OpenDaylight project, which is bringing vendors together to ensure openness in SDN products, could result in more secure networks.

There’s the potential to “design security into the workloads and communications” under a framework that would include strong encryption, Roemer says. There’s the potential for related security standards from organizations that include the IETF and Trusted Computing Group.

+ Also in NetworkWorld: 11 Tips to Prepare for SDN +

Others are optimistic but say it’s too early to know how big an impact SDN will have on IT security.

“Will SDN help in overall security enforcement? Our view is absolutely yes,” says Rishi Bhargava, general manager and vice president for the software-defined datacenter at Intel Security Solutions. “In the software-defined data center, you can put the security controls at the granular level and it’s going to happen with virtual appliances.” But Bhargava says it’s yet to be defined what interoperability in security might mean for SDN, in terms of OpenStack. “It’s too early.”

In terms of virtual-machine security, this week the focus has been on VMware’s NSX software-defined networking and security, as VMworld Conference in San Francisco is in full swing. Intel Security Solutions, (which includes the McAfee business acquired by Intel), announced a security controller designed to receive commands from VMware’s NSX management console to allow existing McAfee virtual intrusion-prevention systems (IPS) to protect virtual machines in an NSX environment. Intel’s Bhargava adds it’s optimized if it’s all running on Intel Xeon servers.

Bhargava points out this new approach eliminates the more awkward manual controls that have been used. The potential downside to this integration, though, is that if the NSX management console is unavailable for some reason, “policy couldn’t be changed,” he acknowledges. The Intel/McAfee security controller, now in beta, is expected to ship sometime in the fourth quarter.

Intel Security anticipates extending integration into VMware’s NSX beyond just its IPS, adding support to the McAfee Next-Generation Firewall, data-loss prevention products and MOVE AntiVirus suite for virtual environments. Future targets include similar integration with OpenStack.

JK Lialias, director of product marketing responsible for server security, data protection and security management at McAfee, says new software connectors for OpenStack KVM and Microsoft Windows Azure cloud-computing platforms are now available to extend control of McAfee server security to the traditional McAfee management console, ePolicy Orchestrator.

Ellen Messmer is senior editor at Network World, an IDG website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail:

Copyright © 2014 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022