This National Security Agency (NSA) Cybersecurity Information Sheet is being provided to assist agencies and organizations in guarding against the persistent malicious actions of cyber criminals.
Software Defined Networking (SDN) is a networking paradigm that enables enterprises to employ a centralized network management server to command and control network devices and control access to applications. This server is referred to as an SDN Controller (SDNC). Unlike traditional networks that require administrators to log in to each device, SDN allows administrators to scale device configuration and maintenance by only logging in to the SDNC to make changes to many devices at once. Often with little or no additional human interaction, SDN enables dynamic changes to switching and routing functions based on changing conditions detected in the network environment. Additionally, SDNCs may support integration with other servers and applications in an enterprise environment, typically via application programming interfaces (APIs). This integration can allow the SDNC to be part of an enterprise’s greater automation and orchestration effort.
The SDNC benefits enterprise network management due to its centralized nature, but it also brings risk and could become a high-priority target for adversaries. The SDNC’s attack surface includes its management interface, the API it uses to communicate with other devices, the SDNC device itself, and the endpoints and switches that the SDNC manages. Malicious cyber actors could compromise these attack surfaces to perform management functions as if they were legitimate administrators, find sensitive configuration or authentication data, trick network devices into following a rogue SDNC’s commands, or misconfigure the SDNC or SDN environment.
Given the critical nature of the SDNC, it requires additional oversight to prevent both malicious activity and unintentional changes to the network. The purpose of this Cybersecurity Information Sheet is to describe mitigations for SDNC risks.