Overview
Software-defined networking (SDN) is an approach to IT infrastructure that abstracts networking resources into a virtualized system, a technique called network virtualization. SDN separates network forwarding functions from network control functions, also described as separating the data plane from the control plane, with the goal of creating a network that is centrally manageable and programmable. SDN allows an IT operations team to control network traffic in complex networking topologies from a centralized panel instead of configuring each network device by hand.
Benefits of a software-defined network versus traditional networking
Organizations adopt software-defined networks in reaction to the constraints of traditional infrastructures. Some of the benefits of software-defined networking include:
- Control plane and data plane separation - The control plane, responsible for making decisions about how data packets should be forwarded, is centralized and implemented in software-based controllers. The data plane, responsible for actually forwarding data packets through the network, remains in hardware-based network devices but is simplified and specialized to focus solely on packet forwarding. In traditional networking, the control plane and data plane are typically integrated within each network device (switches, routers, and access points), which precludes centralized control.
- Centralized control - Software-defined networking provides centralized control, where network policies and configurations are managed and enforced from a central controller, unlike traditional networking, where network policies and configurations are distributed across multiple network devices.
- Lower cost - Software-defined network infrastructures are often less expensive than their hardware counterparts because they run on commercial-off-the-shelf servers rather than expensive single-purpose appliances. They also occupy a smaller footprint since multiple functions can be run on a single server. This means that less physical hardware is needed, which allows for resource consolidation that results in less of a need for physical space, power, and overall reductions in cost.
- Greater scalability and flexibility - Virtualizing your network infrastructure allows you to expand or contract your networking resources as you see fit—and when you need them—instead of scrambling to add another piece of proprietary hardware. Having a software-defined network puts enormous flexibility in your hands which can enable self-service provisioning of network resources.
- Programmable and automation-friendly - In software-defined networking, administrators define network policies and configurations using software-defined logic and APIs. This enables dynamic provisioning and policy-based management of network resources, facilitating rapid deployment and adaptation to changing business needs. Traditional networking often involves manual configuration and management of network devices using command-line interfaces (CLIs) or device-specific configuration tools.
- Simplified management - A software-defined network leads to an overall easier-to-operate infrastructure because it does not require highly specialized network experts to manage it.
Software-defined networking, when coupled with software-defined storage and other technologies, can comprise an approach to IT infrastructure known as hyperconvergence: a software-defined approach to everything.
Software-defined networking (SDN) and network function virtualization (NFV)
For telecommunications companies there is another kind of network abstraction called network function virtualization (NFV). Like software-defined networking, NFV abstracts network functions from hardware. NFV supports software-defined networking by providing the infrastructure on which SDN software can run. NFV gives providers the flexibility to run functions across different servers or move them around as needed when demand changes. This flexibility lets telecommunications service providers deliver services and apps faster. For example, if a customer requests a new network function, the provider can spin up a new virtual machine (VM) to handle that request. If the function is no longer needed, the VM can be decommissioned. This can be a low-risk way to test the value of a potential new service.
NFV and SDN can be used together, depending on what you want to accomplish—and both use commodity hardware. With NFV and SDN, you can create a network architecture that is more flexible, programmable, and uses resources efficiently.
Software-defined networking (SDN) architecture and components
The architecture of software-defined networking reflects how it shifts control and responsibility compared to traditional networking.
The control plane is responsible for making high-level decisions about how data packets should be forwarded through the network. In software-defined networking, the control plane is centralized and implemented in software, typically running on a centralized controller or network operating system. The controller communicates with network devices using a standardized protocol such as OpenFlow, NETCONF, or gRPC, and maintains a global view of the network topology and state.
The data plane, also known as the forwarding plane or forwarding element, is responsible for forwarding data packets through the network according to the instructions received from the control plane. In software-defined networking, the data plane is implemented in network devices such as switches, routers, and access points, which are referred to as forwarding elements. These devices rely on the control plane for instructions on how to forward packets and may be simplified or specialized to focus solely on packet forwarding.
Software-defined networking components
Several components make up the SDN architecture and define how it handles traffic and control.
Two types of APIs (application programming interfaces) enable communication between the planes and between the controller and the wider network:
- Southbound APIs - Southbound APIs are used to communicate between the control plane and the data plane in software-defined networking architectures. These APIs allow the controller to program and configure network devices, retrieve information about the network topology and state, and receive notifications about network events such as link failures or congestion. Common southbound APIs include OpenFlow, which is widely used for communication between the controller and network switches.
- Northbound APIs - Northbound APIs are used to expose the functionality of the software-defined networking controller to higher-level network management applications and services. These APIs allow external applications to interact with the software-defined networking controller, request network services, and retrieve information about the network topology, traffic flows, and performance metrics. Northbound APIs enable programmability and automation of network management tasks and facilitate integration with orchestration systems, cloud platforms, and other management tools.
Additionally, the SDN controller is the central component of the software-defined networking architecture, responsible for implementing network control functions and coordinating communication between the control plane and the data plane. The controller provides a centralized view of the network, maintains network state information, and makes decisions about how to configure and manage network devices based on network policies and requirements. Examples of software-defined networking controllers include OpenDaylight, ONOS, and Ryu.
Network devices such as switches, routers, and access points make up the data plane of the software-defined networking architecture. These devices forward data packets according to instructions received from the controller and may support features such as flow-based forwarding, Quality of Service (QoS), and traffic engineering. In software-defined networking, network devices are often simplified and standardized to support programmability and interoperability with the controller.
Management and orchestration (MANO) systems may also be part of a software-defined networking architecture. They are responsible for provisioning, configuring, and monitoring network resources, and they interact with the SDN controller through northbound APIs to automate network management tasks, optimize resource utilization, and ensure service availability and performance.
Overall, software-defined networking architecture separates network control functions from data forwarding functions, centralizes network intelligence and management in software-based controllers, and enables programmable, flexible, and scalable management of network resources through standardized APIs and interfaces.
Software-defined networking security
Software-defined networking carries several implications for security.
- Because software-defined networking uses a centralized control plane, security policy enforcement is simplified compared to a traditional networking model. SDN allows for consistent and simplified enforcement of security policies across the entire network, reducing the risk of misconfigurations.
- A centralized controller provides a comprehensive global view of network traffic, enabling more effective monitoring and quicker identification of potential threats.
- That global view supports real-time threat detection and mitigation: SDN can dynamically adjust network configurations, isolating affected segments or rerouting traffic around compromised nodes.
- The centralized control plane can also allow for security policies and configurations to be updated across the network automatically, ensuring all devices are promptly patched and configured according to the latest security standards.
- Software-defined networking can enforce micro-segmentation, allowing for granular isolation of different network segments and reducing the attack surface by containing potential threats to specific segments.
- Centralized logging and analysis of network traffic enable better insight into network behavior, aiding in the identification of anomalous activities and potential security breaches.
- SDN easily integrates with various security tools such as intrusion detection systems (IDS), intrusion prevention systems (IPS), firewalls, and security information and event management (SIEM) systems.
Of course, software-defined networking presents its own challenges to security, most of which are related to its centralized authority. Some challenges include:
- The SDN controller is a critical component and, therefore, a potential single point of failure. Compromising the controller can lead to a loss of control over the entire network.
- The SDN controller is a high-value target for attackers. Ensuring its security is paramount to maintaining overall network security.
- Additionally, strong encryption and authentication must be used to secure communication between the controller and network devices to prevent interception, tampering, or spoofing of control messages.
- Likewise, APIs used for communication between the controller and applications (northbound) and between the controller and network devices (southbound) must be secured against unauthorized access and exploitation.
As networks mature, they naturally grow more complex, and so do the policies that SDN makes easy to implement. Maintaining consistent security policies across a dynamic and potentially large-scale SDN environment can be complex and error-prone. Ensuring that security policies do not conflict with each other and are consistently applied is another challenge.
In any network architecture, security solutions must scale with the network to handle increasing amounts of traffic and devices without introducing significant latency or performance bottlenecks. Often, the benefits of software-defined networking will outweigh its challenges as a centralized control plane creates consistency and makes security roll-outs easier.
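As an added example (not code from this page or from OpenDaylight, ONOS or Ryu), a small Python model of the flow-rule handling described in the architecture section and of the policy-conflict problem raised above: it flags conflicting and shadowed rules before a controller would push them to switches, and shows how the data plane resolves a packet against the table. Rule names, hosts and header fields are constructed; matches are exact values, with prefix ranges left out.

```python
# Added example, not OpenDaylight, ONOS or Ryu code: checks a controller should run before
# pushing OpenFlow-style rules (match = dict of header fields, absent field = wildcard).
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    priority: int
    action: str  # "allow" or "drop"
    match: dict = field(default_factory=dict)

def overlaps(a, b):  # some packet matches both: fields set in both must agree
    return all(a[f] == b[f] for f in a if f in b)

def covers(a, b):  # every packet matching b also matches a (a is as wide or wider)
    return all(f in b and b[f] == v for f, v in a.items())

def check_policy(rules):
    """'conflict': same priority, overlapping match, different action.
    'shadowed': a higher-priority rule covers a lower one, which then never fires."""
    findings = []
    for i, r in enumerate(rules):
        for s in rules[i + 1:]:
            if r.priority == s.priority:
                if r.action != s.action and overlaps(r.match, s.match):
                    findings.append(("conflict", r.name, s.name))
            else:
                hi, lo = (r, s) if r.priority > s.priority else (s, r)
                if covers(hi.match, lo.match):
                    findings.append(("shadowed", lo.name, hi.name))
    return findings

def lookup(rules, packet):
    """Highest priority wins; a table miss goes to the controller (packet-in); equal-
    priority overlap with different actions is undefined in OpenFlow: 'ambiguous'."""
    hits = [r for r in rules if all(packet.get(f) == v for f, v in r.match.items())]
    if not hits:
        return "controller"
    top = max(r.priority for r in hits)
    actions = {r.action for r in hits if r.priority == top}
    return actions.pop() if len(actions) == 1 else "ambiguous"

# Constructed micro-segmentation policy: web host 10.1.0.5, database host 10.2.0.7.
RULES = [
    Rule("web-db-pg", 200, "allow", {"ip_src": "10.1.0.5", "ip_dst": "10.2.0.7", "tcp_dst": 5432}),
    Rule("web-db-default-drop", 100, "drop", {"ip_src": "10.1.0.5", "ip_dst": "10.2.0.7"}),
    Rule("db-web-allow", 200, "allow", {"ip_src": "10.2.0.7", "ip_dst": "10.1.0.5"}),
    Rule("db-isolate", 200, "drop", {"ip_dst": "10.2.0.7"}),  # added later: the bad change
]
```

Run `check_policy(RULES)` to see the blanket isolation rule reported as conflicting with the allowed database port and as shadowing the lower-priority default drop; `check_policy(RULES[:3])` is clean.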
Software-defined networking use cases
Software-defined networking (SDN) provides a flexible, programmable, and centralized approach to network management that can be applied to a variety of use cases across different industries and applications.
- In data center optimization, SDN’s network virtualization and automated network management add flexibility and reduce likelihood of errors.
- In network function virtualization (NFV), SDN can replace traditional network appliances (like firewalls and load balancers) with software running on commodity hardware, reducing costs and increasing flexibility. SDN also allows for the creation of service chains where data flows through a series of VNFs, providing a customizable path for data packets.
- In campus and enterprise networks, SDN’s centralized policy management allows for consistent security policies across the network. SDN can also dynamically adjust access controls based on user identity, device, and context, improving security and user experience.
- SDN technology can be used to optimize and manage wide-area network (WAN) connections, improving the performance and reliability of long-distance network connections. This is particularly useful for businesses with multiple branch offices.
- In cloud computing and multi-cloud integration, SDN enables seamless integration and management of multi-cloud environments, allowing organizations to utilize resources from multiple cloud providers efficiently as well as providing scalable network solutions that can grow with the needs of cloud applications.
- In IoT (Internet of Things) networks, SDN handles the massive scalability requirements, providing dynamic network configurations as new devices are added. Additionally, its centralized control allows for consistent security policies across all IoT devices, mitigating risks associated with unsecured endpoints.
- In 5G networks, SDN allows for the creation of virtual network slices, each optimized for different types of services (e.g., low latency for autonomous vehicles, high throughput for video streaming).
- For cases of disaster recovery and business continuity, SDN can automate failover processes, ensuring that network services are quickly restored in the event of a failure as well as allowing for more flexible and efficient network backup solutions, ensuring data integrity and availability during disasters.
How Red Hat can help with software-defined networking
At Red Hat, we’re greatly focused on the open hybrid cloud—a holistic view of hybrid cloud that also incorporates open practices. Red Hat's open hybrid cloud strategy is built on the technological foundation of Red Hat Enterprise Linux, Red Hat OpenShift, and Red Hat Ansible Automation Platform. Red Hat’s platforms unlock the power of the underlying infrastructure to create a consistent cloud experience across any environment, with the ability to deliver automated IT infrastructure. Red Hat is leading the way in hybrid cloud, helping thousands of companies on their modernization journeys.