FORT MEADE, Md. - The National Security Agency (NSA) has released the Cybersecurity Information Sheet (CSI), “Managing Risk from Software Defined Networking Controllers.” The report provides recommendations to help National Security Systems (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) network administrators mitigate the risks associated with software driven network management solutions, such as Software Defined Networking Controllers (SDNC).
SDNCs allow enterprises to configure networking and security policies and control access to applications from a centralized location. SDNCs can dynamically push configurations out to network devices within the Software Defined Networking (SDN) environment, greatly reducing the number of separate devices an administrator must access to keep them updated. If these functions are compromised, malicious cyber actors can access the SDNC and perform management functions as if they were a legitimate administrator. SDNCs provide beneficial centralized enterprise network management, but such centralized management makes them a high priority target for adversaries.
“SDNCs are packaged solutions for using a single point to manage the entire network,” said Ryan Larson, the NSA Technical Director for System Threats and Vulnerability Analysis. “Although convenient for network administrators, they can become a single point of failure and a high priority target for malicious cyber actors if not secured properly.”
The CSI indicates that a typical SDNC communicates across two separate types of network flows, one for managing the SDNC and the other for configuring network devices. For both flows, the network traffic contains authentication and configuration information which could be vulnerable to man-in-the-middle techniques or passive viewing if the information is not adequately protected.
The CSI mentions potential attack surfaces and threats that can enable misconfigurations and further malicious activities, such as accessing sensitive configuration and authentication data.
SDNC environments require additional oversight to prevent both malicious activity and unintentional changes to the network. NSA recommends network administrators implement the mitigations listed in the report, including the following:
- Control access to the management interface
- Secure sensitive information in network traffic
- Protect critical data at rest inside the controller
- Limit device configuration to the authorized SDNC only
- Do not let unknown devices join the SDN environment
- Control access to SDNC APIs
NSA Media Relations
MediaRelations@nsa.gov
443-634-0721