The document discusses security considerations and concerns for standardization of software defined networking. It notes computing trends driving network changes and constraints faced. Industry is said to be taking the same approach and architecture but security drivers may not be quite the same. The document discusses using a defense in depth model with baseline security models, integrity checks, and physical security. It also discusses accomplishing security without failing standards from various organizations and using a flexible security model while remembering physical security. It summarizes that a flexible approach is needed given advancing technology and existing best practices should be leveraged, but a more complex risk mitigation matrix may be required long term which will be difficult for industries to address.

1. IEEE SDN Initiative
Standardization Committee Meeting
Security Considerations & Concerns
Anton Kaska BTNE, LLC
June 23, 2015 Piscataway, NJ
1

2. What are we facing?
ONF Model
ONF SAYS:
Computing Trends are driving
network change…
1. Changing Traffic Patterns
2. Consumerization of IT
3. Rise of Cloud Services
4. Big Data=More Bandwidth
Constraints listed include:
• Complexity leads to stasis
• Inability to scale
• Vendor Dependence
WHAT IS INDUSTRY
SAYING?
1. The same approach
2. The same architecture
3. The same security
drivers
…not quite

3. Not a new challenge we are facing
3
Defense in Depth with specifics for
Software Defined Networking
 Baseline Security Models
 Integrity Checks
 Brewer-Nash Model?
 Physical Security

4. How do we accomplish and not fail (PCI,
ETSI, IEEE, etc?
4
BSI-Standard 100-2:IT-
Grundschutz Vorgehensweise
3 GPP
TS 33.210TS Network Domain Security
TS 33.310 Authentication Framework
TS 33.401 Security Architecture

5. A Flexible Model
5
Remember Physical Security

6. Summary
• Multiple attempts at security Standards but focused on verticals,
size, business models, point technologies, etc.
• Using security as it has been practically applied, as a historical
illustration
• we will not meet the challenges sufficiently
• there are many examples to glean knowledge from.
• A flexible approach is required.
• Given the speed with which technology advances, leveraging existing
best practices and solutions that have proven themselves (Defense in
Depth Theory, Chinese Walls, etc.) will provide acceptable and
practical levels of mitigation that are implementable with tolerable
financial and political cost.
• A more complex matrixes approach leveraging industry specific
and/or business requirement based risk mitigation is likely a
requirement when viewed long term
• This is in my opinion the harder nut to crack for the industries as a whole
(and organizations such as IEEE)
6