1
00:00:07,000 --> 00:00:08,650
- [Instructor] The Software-Defined Network,

2
00:00:08,650 --> 00:00:10,300
or SDN architecture,

3
00:00:10,300 --> 00:00:12,610
provides a lot of different benefits

4
00:00:12,610 --> 00:00:15,120
as you learned in previous lessons.

5
00:00:15,120 --> 00:00:18,240
But also, there are several threats

6
00:00:18,240 --> 00:00:20,254
against SDN solutions.

7
00:00:20,254 --> 00:00:25,020
And this includes things like a malicious threat actor

8
00:00:25,020 --> 00:00:27,780
installing a rogue controller,

9
00:00:27,780 --> 00:00:29,270
or a malicious controller,

10
00:00:29,270 --> 00:00:30,870
to send malicious instructions

11
00:00:30,870 --> 00:00:35,790
to the underlying SDN devices and SDN services.

12
00:00:35,790 --> 00:00:38,244
Now you also have man-in-the-middle attacks

13
00:00:38,244 --> 00:00:40,350
for communication between the controllers

14
00:00:40,350 --> 00:00:44,220
and the SDN devices to change the instructions sent

15
00:00:44,220 --> 00:00:45,210
by the controller.

16
00:00:45,210 --> 00:00:47,520
Those are a little bit more challenging

17
00:00:47,520 --> 00:00:51,010
for an attacker, but they can still be possible.

18
00:00:51,010 --> 00:00:53,020
Now, other vulnerabilities can also be used

19
00:00:53,020 --> 00:00:55,140
to launch denial-of-service attacks

20
00:00:55,140 --> 00:00:57,970
to the SDN devices or to change the data path

21
00:00:57,970 --> 00:01:01,230
to get access to sensitive information.

22
00:01:01,230 --> 00:01:02,950
So you also have to understand

23
00:01:02,950 --> 00:01:05,860
some of the mitigations for these threats

24
00:01:05,860 --> 00:01:07,090
in SDN architectures.

25
00:01:07,090 --> 00:01:10,230
First, the SDN controllers need to be placed

26
00:01:10,230 --> 00:01:12,230
at a secure location in the network,

27
00:01:12,230 --> 00:01:16,120
with very stringent access control policies.

28
00:01:16,120 --> 00:01:19,421
Also, out-of-band management needs to be used

29
00:01:19,421 --> 00:01:21,880
and deployed to establish dedicated channels

30
00:01:21,880 --> 00:01:25,780
between the controller and the SDN underlying devices

31
00:01:25,780 --> 00:01:28,810
of the network, infrastructure devices.

32
00:01:28,810 --> 00:01:30,040
Secure communication channels

33
00:01:30,040 --> 00:01:32,230
between the controller and the SDN devices.

34
00:01:32,230 --> 00:01:34,775
And especially whenever it comes to APIs,

35
00:01:34,775 --> 00:01:36,950
you need to follow, you know,

36
00:01:36,950 --> 00:01:41,530
best practices on how to enhance the security of APIs,

37
00:01:41,530 --> 00:01:46,040
apply encryption, and use, you know, modern techniques.

38
00:01:46,040 --> 00:01:47,430
And you know, of course you know,

39
00:01:47,430 --> 00:01:51,710
modern SDN solutions like the Cisco DNA Center,

40
00:01:51,710 --> 00:01:54,510
already provide all these capabilities

41
00:01:54,510 --> 00:01:56,910
and all these mitigations, you know,

42
00:01:56,910 --> 00:01:59,657
for combating against potential attacks.

43
00:01:59,657 --> 00:02:01,040
Another thing that you want to do

44
00:02:01,040 --> 00:02:03,920
is to establish trust relationships

45
00:02:03,920 --> 00:02:07,810
between the controller and the SDN devices,

46
00:02:07,810 --> 00:02:10,330
and the network will still have to cope

47
00:02:10,330 --> 00:02:11,609
with assistant threats,

48
00:02:11,609 --> 00:02:13,530
like attacks on vulnerabilities

49
00:02:13,530 --> 00:02:16,140
in the network devices and management stations.

50
00:02:16,140 --> 00:02:18,259
So that's why patch management

51
00:02:18,259 --> 00:02:21,130
and keeping up with security advisories

52
00:02:21,130 --> 00:02:24,603
is so important still in modern days.