Unit V

The document discusses the future perspectives of Software Defined Networking (SDN) and its applications, including managing nontraditional physical layer links, security applications, and traffic engineering in mobile networks. It highlights the potential of SDN in optimizing network performance, enhancing security, and achieving energy savings through innovative techniques and tools. The document also covers various types of firewalls and their environments, emphasizing the need for advanced firewall technologies to counter increasingly sophisticated cyber threats.
UNIT V

SDN'S FUTURE AND PERSPECTIVES


SDN OPEN SOURCE
SDN FUTURES

SDN SECURITY

SWITCHING AND LOAD BALANCER


SDN Futures
• There is considerable active research related to SDN as well as
many novel use cases being proposed that illustrate potential new
areas where SDN can be applied or improved.
• The following are a sample of areas that promise to increase the scope
of Open SDN applications and thus broaden the foundation of its future:
– Managing Nontraditional Physical Layer Links
– Applying Programming Techniques to Networks
– Security Applications
– Roaming in Mobile Networks
– Traffic Engineering in Mobile Networks
– Energy Savings
– SDN-Enabled Switching Chips
Managing Nontraditional Physical Layer Links
• There is growing interest in using OpenFlow to control devices that have flows
but are not traditional packet switches.
• The two most promising areas involve flows over optical and wireless links. One
example is the use of SDN to offload elephant flows onto optical circuits.
• This represents one example of the general area of using OpenFlow to manage
flows over physical layers that are outside the domain of classical LANs and
WANs.
• Big data applications
– The researchers formalize the study of how to map big data applications to an OpenFlow
network.
– Big-data jobs generate elephant flows (large, long-lived flows). The mechanism builds on
the existing Hadoop job-scheduling method to optimize how and when to schedule jobs
over the optical links.
– Such jobs require more rapid and frequent updates of the flow tables on the switches.
OpenFlow switches are found to be capable of handling the predicted number and
frequency of flow-table changes, but at the fine granularity needed to route these
big-data flows, slow convergence times may still be an issue for optical offload.
Managing Nontraditional Physical Layer Links

• Wireless Backhaul
– Wireless backhaul is becoming increasingly popular. One of the
challenges in doing this is that the effective bandwidth of a wireless link
is not constant.
– OpenFlow is proposed as a mechanism to segregate traffic from
different providers and different types into separate flows that are then
transmitted over a single shared wireless backhaul medium.
– The wireless backhaul provider may have different SLAs with each of
those operators and for each operator different levels of service.
– Since the wireless backhaul bandwidth capability itself may vary due to
environmental conditions, the process of satisfying all of the various
SLA commitments becomes far more complex and can benefit from
OpenFlow’s ability to segregate the traffic into different flows and route
or police those flows dynamically with the changing wireless conditions.
Applying Programming Techniques to Networks
• OpenFlow provides benefits in the richness of policies and in the fine-grained
control it offers the network programmer.
• Open SDN provides a proper abstraction of the network that allows us to
address networking challenges more efficiently.
• The network abstraction allows other advanced programming
methodologies to be applied, including debuggers, analysis tools, network
simulation, verification tools, and others. Tools of this kind, grounded in
formal analysis and the application of theory, have enabled tremendous
progress in software development, and the same can apply to networks.
• Network Debugger (ndb)
– OpenFlow provides a way of programming the network as a single entity. If the
entire network can be viewed as a vast distributed computer, a debugger for that
computer can be provisioned.
– A network debugger (ndb) is proposed that implements basic debugger
functionality at the packet level, with a full set of debugger actions,
including breakpoint, watch, backtrace, single-step, and continue.
Applying Programming Techniques to Networks

• No Bugs in Controller Execution (NICE)
– NICE is a tool for modeling the behavior of OpenFlow applications to
ensure their correctness, including detecting forwarding loops and black
holes.
– Advanced modeling techniques are used to create input scenarios that test all
possible execution paths within the application while taking account of
variability of the state of the network switches and links.
• Veriflow
– Although there is great appeal to checking OpenFlow application
correctness offline and before deployment, it may be necessary or desirable to
perform real-time formal checking for correct network behavior.
– Veriflow is a system that resides between the controller and the switches and
verifies the correctness of each flow entry update before it is applied.
– One advantage of the approach is that it does not require knowledge of the
network programs themselves, since it verifies correctness based on
observations of flow rules as they are sent from the controller to the switches.
– One of the biggest challenges faced in this study is keeping the latency of the
correctness checks low enough to avoid becoming a bottleneck in the path
between the controller and the switches.
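The following is an added example in the spirit of Veriflow; it is not code from the page, from Veriflow or from NICE. A checker sits between controller and switches and, after each proposed flow-table update, re-traces a set of sample destinations through every switch table, refusing updates that create a forwarding loop or a black hole. The three-switch topology, the rule format and the use of sample destinations in place of Veriflow's packet equivalence classes are assumptions made for this example.

```python
"""Added example in the spirit of Veriflow (not code from the page or from the
Veriflow/NICE projects): vet each proposed flow-table update for forwarding loops
and black holes before it is installed.  Topology, rule format and the use of
sample destinations instead of equivalence classes are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    prefix: str              # destination prefix matched by this entry
    priority: int            # higher wins, as in OpenFlow
    out_port: Optional[str]  # None models an explicit drop action


@dataclass
class Network:
    # (switch, port) -> neighbouring switch, or "HOST:<name>" for an edge port
    links: Dict[Tuple[str, str], str]
    tables: Dict[str, List[Rule]] = field(default_factory=dict)

    def switches(self) -> List[str]:
        return sorted({sw for sw, _ in self.links})

    def lookup(self, switch: str, dst: str) -> Optional[Rule]:
        """Highest-priority matching entry, as the switch itself would select it."""
        best = None
        for r in self.tables.get(switch, []):
            if ip_address(dst) in ip_network(r.prefix):
                if best is None or r.priority > best.priority:
                    best = r
        return best

    def trace(self, start: str, dst: str):
        """Follow a packet for dst hop by hop.  Returns ("ok", host),
        ("loop", path) or ("blackhole", path)."""
        path, sw = [start], start
        while True:
            r = self.lookup(sw, dst)
            if r is None or r.out_port is None:   # table miss or drop: black hole
                return "blackhole", path
            nxt = self.links.get((sw, r.out_port))
            if nxt is None:                        # port wired to nothing
                return "blackhole", path
            if nxt.startswith("HOST:"):
                return "ok", nxt[len("HOST:"):]
            if nxt in path:                        # revisiting a switch: loop
                return "loop", path + [nxt]
            path.append(nxt)
            sw = nxt

    def verify_update(self, switch: str, rule: Rule, sample_dsts):
        """Tentatively install rule, re-trace every sample destination from every
        switch, and roll the update back if any trace loops or black-holes."""
        saved = list(self.tables.get(switch, []))
        self.tables.setdefault(switch, []).append(rule)
        problems = []
        for dst in sample_dsts:
            for sw in self.switches():
                verdict, detail = self.trace(sw, dst)
                if verdict != "ok":
                    problems.append((sw, dst, verdict, detail))
        if problems:
            self.tables[switch] = saved              # refuse the update
        return not problems, problems


# Constructed topology: s1 -- s2 -- s3, host A (10.0.1.0/24) on s1 port 1,
# host B (10.0.3.0/24) on s3 port 1.
def build_sample_network() -> Network:
    net = Network(links={
        ("s1", "1"): "HOST:A", ("s1", "2"): "s2",
        ("s2", "1"): "s1",     ("s2", "2"): "s3",
        ("s3", "1"): "HOST:B", ("s3", "2"): "s2",
    })
    net.tables = {
        "s1": [Rule("10.0.1.0/24", 10, "1"), Rule("10.0.3.0/24", 10, "2")],
        "s2": [Rule("10.0.1.0/24", 10, "1"), Rule("10.0.3.0/24", 10, "2")],
        "s3": [Rule("10.0.3.0/24", 10, "1"), Rule("10.0.1.0/24", 10, "2")],
    }
    return net


SAMPLE_DSTS = ["10.0.1.5", "10.0.3.5"]   # one representative address per prefix


if __name__ == "__main__":
    net = build_sample_network()
    # A higher-priority entry sending B-bound traffic back toward s1: loop, refused.
    print(net.verify_update("s2", Rule("10.0.3.0/24", 20, "1"), SAMPLE_DSTS))
    # An explicit drop for A-bound traffic at s3: black hole, refused.
    print(net.verify_update("s3", Rule("10.0.1.0/24", 20, None), SAMPLE_DSTS))
    # A consistent entry is accepted.
    print(net.verify_update("s2", Rule("10.0.3.0/24", 20, "2"), SAMPLE_DSTS))
```

Veriflow itself keeps the per-update latency low by computing only the packet equivalence classes whose forwarding an update can change and re-checking those; re-tracing every destination from every switch, as above, is easy to follow but scales poorly, which is exactly the bottleneck the authors worry about.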
Security Applications

• Hiding IP Addresses
– Many network attacks begin by identifying active IP addresses in a
targeted domain. Protecting hosts by making it impossible for an
attacker to learn a host's real IP address would be an effective
countermeasure.
– Each protected host is assigned a virtual IP address, which is the one
exposed to the outside world through DNS lookups.
– In this method, the OpenFlow controller randomly and at high
frequency reassigns virtual IP addresses to the protected hosts,
maintaining the temporary mapping of virtual to physical IP addresses.
– Only authorized hosts are allowed to reach the physical IP address
directly.
– The translation from virtual to physical IP address happens at an
OpenFlow switch immediately adjacent to the protected hosts.
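An added simulation of the address-hiding scheme just described (example code, not the scheme's own implementation): the controller keeps the virtual-to-real mapping and rotates it, DNS answers with the current virtual IP, the edge switch rewrites addresses in both directions, and a sweep of the real address range from an unauthorized source finds nothing. The host addresses, the virtual IP pool, the authorized peer and the rotation policy are assumptions made for this example.

```python
"""Added example (not from the page): a simulation of the virtual-IP hopping scheme
above.  The controller keeps a short-lived virtual IP for each protected host and
rotates it; the edge switch next to the hosts translates in both directions.  Host
addresses, the vIP pool, the authorized set and the rotation policy are assumptions."""
import random
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class VipController:
    def __init__(self, real_hosts: Iterable[str], vip_pool: Iterable[str],
                 authorized: Iterable[str], rng: Optional[random.Random] = None):
        self.real_hosts = list(real_hosts)
        self.pool = list(vip_pool)
        self.authorized = set(authorized)      # sources allowed to use real IPs directly
        self.rng = rng or random.Random()
        self.v2r: Dict[str, str] = {}          # current vIP -> real IP
        self.rotate()

    def rotate(self) -> None:
        """Give every host a fresh vIP, never one that is current right now, so an
        address an attacker learned stops working at the next rotation."""
        fresh = [v for v in self.pool if v not in self.v2r]
        self.v2r = dict(zip(self.rng.sample(fresh, len(self.real_hosts)), self.real_hosts))

    def dns_answer(self, real: str) -> str:
        """What an external DNS lookup returns: the current vIP, never the real one."""
        for vip, r in self.v2r.items():
            if r == real:
                return vip
        raise KeyError(real)


class EdgeSwitch:
    """Translation point immediately adjacent to the protected hosts."""
    def __init__(self, ctl: VipController):
        self.ctl = ctl

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translated packet to forward, or None to drop."""
        ctl = self.ctl
        if pkt.dst in ctl.v2r:                       # current vIP: rewrite to the real IP
            return Packet(pkt.src, ctl.v2r[pkt.dst])
        if pkt.dst in ctl.real_hosts:                # real IP: authorized sources only
            return pkt if pkt.src in ctl.authorized else None
        return None                                  # stale vIP or unknown address: drop

    def outbound(self, pkt: Packet) -> Packet:
        """A protected host's reply leaves with its current vIP as source, unless the
        peer is authorized (it addressed the real IP and expects it back)."""
        if pkt.dst in self.ctl.authorized or pkt.src not in self.ctl.real_hosts:
            return pkt
        return Packet(self.ctl.dns_answer(pkt.src), pkt.dst)


def sweep(switch: EdgeSwitch, attacker: str, targets: Iterable[str]) -> List[str]:
    """An attacker probes every address in targets; returns those that reach a host."""
    return [t for t in targets if switch.inbound(Packet(attacker, t)) is not None]


def build_demo(seed: int = 1):
    """Constructed setup: two protected hosts, a /24 of vIPs, one authorized peer."""
    pool = [str(a) for a in ip_network("203.0.113.0/24").hosts()]
    ctl = VipController(["10.0.0.10", "10.0.0.11"], pool, ["192.0.2.50"],
                        rng=random.Random(seed))
    return ctl, EdgeSwitch(ctl)


if __name__ == "__main__":
    ctl, sw = build_demo()
    vip = ctl.dns_answer("10.0.0.10")
    print("client -> vIP", vip, "reaches", sw.inbound(Packet("198.51.100.7", vip)))
    print("sweep of the real /28 finds", sweep(sw, "198.51.100.7", [f"10.0.0.{i}" for i in range(1, 15)]))
    ctl.rotate()
    print("old vIP after rotation ->", sw.inbound(Packet("198.51.100.7", vip)))
```

Two caveats a deployment has to handle that the simulation glosses over: a rotation invalidates the vIP mid-connection, so the edge switch must keep translation entries for flows that were already established until they close, and DNS answers must carry a TTL short enough that clients do not cache a vIP past its lifetime.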
Security Applications

• Segregating IPsec Traffic in Mobile Networks
– Wireless providers using LTE secure the user and control data between the
base station (eNB) and their network core using IPsec tunnels. These tunnels
terminate in the core at a security gateway (SeGW).
– Today a single IPsec tunnel typically carries all services. IPsec tunneling
carries significant overhead, and significant efficiency gains are possible if
traffic that does not require the protection afforded by IPsec can be sent in the
clear.
– OpenFlow can be used to map between different traffic types and the
appropriate level of IPsec protection.
– The focus is on mapping individual flows to different IPsec tunnels, with the
emphasis on distinguishing the traffic types that require protection and
tunneling only those.
– YouTube video, social media, and software updates are the examples given
of traffic that does not require IPsec encryption and could be sent in the
clear; a practitioner would want to confirm that such traffic is already
protected end to end (for example by TLS) before exempting it from the tunnel.
Roaming in Mobile Networks
• Mobile Traffic Offload
– In the multiradio environment common for today’s mobile operators, a new
SDN application is possible in the area of mobile traffic offload.
– Mobile offload means moving a client mobile node (MN) from one RAN to
another. This might happen to shunt the traffic to a RAN where the spectrum is
more available or less expensive than the one currently used by the MN.
– Such offloading has been contemplated for some time by mobile operators, but
existing approaches have not provided the flexible, fine-grained control offered
by Open SDN.
– Based on observing flow-related criteria and the location of the MN, an
OpenFlow application can redirect the MN’s access connection from 3G to a
WiFi hotspot.
– This approach allows operators to flexibly and dynamically apply offloading
policies rather than static policies that are not able to adapt to changing
network conditions.
Roaming in Mobile Networks
• Media-Independent Handovers
– IEEE 802.21 is an established protocol for media-independent
handovers between 802-family points of access (PoAs). Examples of
PoAs are 802.11 access points and 802.16 base stations.
– The 802.21 point of service (PoS) is responsible for the messaging to
the PoAs to accomplish either make-before-break or break-before-make
handovers (roams). A significant part of accomplishing such handovers
is to redirect the traffic flow from an MN such that it enters and exits
the network from the new PoA.
– This, combined with the fact that OpenFlow is natively media-
independent, leads to a natural overlap between the role defined for the
802.21 PoS and an OpenFlow controller.
– In the proposal, the OpenFlow controller consumes 802.21 protocol messages
to control roaming between 802.11 access points.
Traffic Engineering in Mobile Networks
• Dynamic Assignment of Flows to Fluctuating Backhaul Links
– A downside of wireless backhaul is that the bandwidth of the wireless backhaul
is both more limited and, more important, less stable than in its wired
counterparts. Current resource management practices are static and do not
redirect load dynamically based on short-term fluctuations in wireless capacity.
– The OpenFlow controller is made aware of the current available bandwidth
on the set of wireless links it manages; this may be a hybrid set of wired and
wireless backhaul links.
– If OpenFlow is responsible for assigning user flows to that set of backhaul
links, the assignment can be made as a function of the SLA specific to each
flow.
– Traffic with a high SLA (stronger guarantees) can be steered over wired links,
and low-SLA traffic over a wireless link.
– If one wireless link is experiencing a temporary spectrum perturbation,
OpenFlow can shunt its traffic over a currently stable wireless link.
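An added example of the assignment step (not code from the page): a greedy controller policy that places flows on a hybrid backhaul from each link's current usable capacity and each flow's SLA class, and recomputes the placement when a wireless link fades. The link set, flow rates, SLA classes and the greedy policy itself are assumptions made for this example.

```python
"""Added example (not from the page): greedy placement of user flows onto a
hybrid backhaul whose controller knows each link's current usable capacity.
Link set, SLA classes, flow rates and the policy itself are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Link:
    name: str
    wired: bool
    capacity_mbps: float      # current usable capacity; wireless links fluctuate
    load_mbps: float = 0.0

    @property
    def headroom(self) -> float:
        return self.capacity_mbps - self.load_mbps


@dataclass(frozen=True)
class Flow:
    id: str
    rate_mbps: float
    sla: str                  # "gold" (guaranteed) or "best_effort"


def assign(flows: List[Flow], links: List[Link]) -> Dict[str, Optional[str]]:
    """Gold flows first (largest first), preferring wired links; best-effort flows
    prefer wireless so wired capacity stays available for guarantees.  Within a
    class the link with most headroom wins.  A flow that fits nowhere maps to
    None: the caller must surface that as an SLA violation, not silently drop it."""
    for link in links:
        link.load_mbps = 0.0
    placement: Dict[str, Optional[str]] = {}
    for f in sorted(flows, key=lambda f: (f.sla != "gold", -f.rate_mbps)):
        prefer_wired = f.sla == "gold"
        for link in sorted(links, key=lambda l: (l.wired != prefer_wired, -l.headroom)):
            if link.headroom >= f.rate_mbps:
                link.load_mbps += f.rate_mbps
                placement[f.id] = link.name
                break
        else:
            placement[f.id] = None
    return placement


def on_capacity_change(flows: List[Flow], links: List[Link], link_name: str,
                       new_capacity: float) -> Tuple[Dict[str, Optional[str]], Dict[str, tuple]]:
    """The controller learns that a link faded or recovered: recompute the
    placement and report which flows must be re-steered as (old link, new link)."""
    before = assign(flows, links)
    for link in links:
        if link.name == link_name:
            link.capacity_mbps = new_capacity
    after = assign(flows, links)
    moved = {fid: (before[fid], after[fid]) for fid in after if before[fid] != after[fid]}
    return after, moved


# Constructed scenario: one wired and two microwave links, three gold and three
# best-effort flows.
def fresh_links() -> List[Link]:
    return [Link("wired", True, 100.0), Link("mw-A", False, 50.0), Link("mw-B", False, 50.0)]


FLOWS = [Flow("g1", 40, "gold"), Flow("g2", 30, "gold"), Flow("g3", 30, "gold"),
         Flow("b1", 40, "best_effort"), Flow("b2", 30, "best_effort"), Flow("b3", 20, "best_effort")]


if __name__ == "__main__":
    print(assign(FLOWS, fresh_links()))
    print(on_capacity_change(FLOWS, fresh_links(), "mw-A", 30.0))   # mw-A fades: best-effort reshuffles
    print(on_capacity_change(FLOWS, fresh_links(), "mw-A", 10.0))   # deeper fade: flows left unplaced
```

The point of the second and third calls is the failure mode: once the wireless capacity drops below the offered load, the greedy policy keeps every gold flow on the wired link and reports the best-effort flows it cannot place, rather than oversubscribing a link and silently degrading the SLAs.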
Traffic Engineering in Mobile Networks
• Sharing Wireless Backhaul Across Multiple Operators
– The OmniRAN concept implies a unified interface to the multiple radio
access network types in the IEEE 802 family. These include 802.11 and
802.16, among others.
– The business model behind this idea is that multiple operators offering a
range of RAN technologies in a well-defined geographic area could benefit
from a common backhaul infrastructure shared by all the operators for all
the different radio technologies.
– Since both OpenFlow and OmniRAN are media-independent, there is a
natural synergy in applying OpenFlow as the protocol for controlling and
configuring the various IEEE 802 nodes in this architecture, as well as using
OpenFlow for its native benefits of fine-grained control of network flows
and implementation of network policy.
Traffic Engineering in Mobile Networks
• An OpenFlow Switch on Every Smartphone
– Today's smartphones generally have multiple radios. For example, it is
common to see LTE, WiFi, and 3G radios on the same mobile phone. In the
existing model, the MN chooses which radio to use based on a static algorithm.
– If multiple radios are available, it may be wise to use more than one radio
simultaneously for different data flows.
– The proposal is to install an instance of Open vSwitch (OVS) on every mobile
device. This virtual switch would direct flows over the radio most appropriate
for the type and volume of traffic as well as the current spectrum availability
for the different radio types.
– The controller for this OVS instance resides at a gateway in the 3GPP
architecture and uses its global knowledge of network state to steer flows in the
mobile phone over the most appropriate radio according to the bandwidth and
current loading of that particular radio spectrum at that time and location.
Energy Savings
• Data centers incur enormous OPEX costs in keeping their massive data warehouses
cooled and fully and redundantly powered.
• Companies that produce compute and storage servers now tout their energy savings.
• Energy savings are thus an important area where SDN can play an
increasing role.
• ElasticTree
– ElasticTree is one approach to applying OpenFlow to energy savings in the data center.
– If a means could be found to power only the minimum necessary subset of switches at any
moment, there is an opportunity for significant energy savings.
– The assertion is that during periods of less than peak load, OpenFlow can be used to shunt
traffic around switches that are candidates for being powered off.
– Such a system assumes an out-of-band mechanism whereby switches may be powered on
and off by the OpenFlow application. Such mechanisms exist and are readily integrated with an
OpenFlow application.
– The authors suggest that by varying the number of powered-on switches, their system can
fine-tune the trade-off between energy efficiency, performance, and fault tolerance.
Energy Savings
• Dynamic Adjustment of Wireless Transmit Power Levels
– The mobile operator has the ability to vary the amount of power
consumed by the wireless links themselves by varying the
transmission power levels.
– For example, relatively lower traffic loads over a microwave
link may require less bandwidth, which may be achieved with a
lower transmission power level.
– If no traffic is flowing over a wireless link, the transmission
power may be turned off entirely.
– As with ElasticTree, the proposal is to use OpenFlow to
selectively direct traffic flows over the wireless links such that
transmission power levels may be set to globally optimal
settings.
SDN-Enabled Switching Chips
• There are efforts to build chips designed from the ground up to support
advanced OpenFlow capability.
• One such chip is a 256-core programmable network processing unit; it is
highly programmable and would support the nature and size of flow tables
required to exploit the features of OpenFlow 1.3.
• SDN-enabled switching chips also have to be more energy efficient than
existing switches in performing the flow-table lookups required for SDN
flow processing.
FIREWALL AND ACCESS CONTROL
Outline
• Introduction
• Firewall Environments
• Type of Firewalls
• Future of Firewalls
• Conclusion
Introduction
• Firewalls control the flow of network traffic
• Firewalls also have applicability in networks where there is no Internet
connectivity
• Firewalls operate at a number of layers
• Can also act as VPN gateways
• Can include active content filtering technologies
Firewall Environments
• There are different types of environments in which a firewall can be
implemented.
• A simple environment may consist of a single packet filter firewall.
• Complex environments may combine several firewalls and proxies.
DMZ Environment
• Can be created out of the network segment connecting two firewalls
• The boundary router filters packets, protecting the servers in the DMZ
• The first firewall provides access control and protects the internal network
from the DMZ servers if they are compromised
DMZ environment (diagram)
VPN
• A VPN is used to provide secure network links across networks
• A VPN is constructed on top of existing network media and protocols
• At the protocol level IPsec is the first choice
• Other protocols are PPTP and L2TP; PPTP's MS-CHAPv2 authentication is
broken and it should not be used today, and L2TP is normally run over
IPsec for its protection
VPN (diagram)
Intranets
• An intranet is a network that employs the
same types of services, applications, and
protocols present in an Internet
implementation, without involving external
connectivity
• Intranets are typically implemented behind
firewall environments.
Intranet (diagram)
Extranets
• Extranet is usually a business-to-business
intranet
• Controlled access to remote users via some
form of authentication and encryption such as
provided by a VPN
• Extranets employ TCP/IP protocols, along with
the same standard applications and services
Types of Firewalls
• Firewalls fall into four broad categories
• Packet filters
• Circuit level
• Application level
• Stateful multilayer
Packet Filter
• Works at the network layer of the OSI model
• Each packet is compared to a set of criteria before it is forwarded
• Packet filtering firewalls are low cost and have low impact on network
performance
Packet filtering (diagram)
Circuit level
• Circuit level gateways work at the session layer of the OSI model, or the
TCP layer of TCP/IP
• They monitor the TCP handshake to determine whether a requested session
is legitimate, and then relay the session's packets without inspecting their
contents
Circuit level (diagram)
Application Level
• Application level gateways, also called proxies, are similar to circuit-level
gateways except that they are application specific
• A gateway configured to be a web proxy will not allow any FTP, Gopher,
Telnet or other traffic through
Application level (diagram)
Stateful Multilayer
• Stateful multilayer inspection firewalls combine aspects of the other three
types of firewalls
• They filter packets at the network layer, determine whether session packets
are legitimate and evaluate the contents of packets at the application layer
Stateful multilayer (diagram)
General performance (comparison figure)
Future of Firewalls
• Firewalls will continue to advance as attacks on IT infrastructure become
more and more sophisticated
• More and more client and server applications are coming with native
support for proxied environments
• Firewalls that scan for viruses as content enters the network: several firms
are exploring this idea, but it is not yet in wide use
Conclusion
• It is clear that some form of security for
private networks connected to the Internet is
essential
• A firewall is an important and necessary part
of that security, but cannot be expected to
perform all the required security functions.
Basic understanding of firewall

• It is a network security component that monitors and controls the entry
and exit of network traffic/data.
• Its function is to accept, reject or drop network traffic.
• This function is executed based on a defined set of security rules assigned
to the firewall.
• Accept: allow the data/traffic through.
• Reject: block the traffic/data and tell the sender so with a reply, typically an
ICMP "destination unreachable" error (or a TCP RST for TCP).
Basic understanding of firewall
• Drop: block the traffic/data silently, with no reply to the sender.
• A firewall acts as a boundary between the open Internet and a private
organization network.
• Firewalls have evolved continuously since the late 1980s, with different
groups adding new capabilities through the mid-1990s and beyond; the
firewall keeps evolving to become more effective and secure.
Functions of firewall.

• Every piece of data that enters or exits the network should pass through
the firewall.
• Because packets are only admitted via the firewall, the organization's data
inside the private network is far less likely to be tampered with.
• A firewall keeps a log of the packets routed through it, making it easy for
the organization to monitor network activity.
• A firewall examines each packet against its rules; it does not alter the
payload (address translation aside).
• It blocks data from an unidentified source/network.
Functions of firewall.

• Rules are expressed in terms of IP addresses and, on some products,
domain names.
• It can act as a network address translator (NAT).
• It sometimes acts as a meter for Internet usage.
Use cases of firewall
• Firewalls are used to block data from unidentified sources and to log
suspicious connections for investigation.
• Parents can use firewalls to keep unwanted web content out of the reach
of their children.
• An organisation can restrict its employees from accessing certain
websites or social media by setting firewall policies accordingly.
• A nation's government can protect its data and restrict access to certain
websites/networks to avoid unwanted conflicts and cyber issues.
Working of Firewall
1. The firewall is initialized with a default policy: one of its three actions is
applied to all traffic that matches no rule. The usual default is to drop
incoming data; this is what is in force before the actual policy is loaded.
2. The actual set of rules for the firewall is defined. A separate table stores
the set of rules.
3. The firewall matches the network traffic against the set of rules stored in
the table.
4. If the traffic satisfies a rule, the associated action (for example accept) is
applied to the traffic to allow its entry.
5. Conversely, if the traffic matches a rule whose action is reject or drop, or
matches no rule at all and the default policy applies, its entry is blocked.
Working of firewall
6. Some packets satisfy the rules but carry an unexpected source address in
the header (for example an internal address arriving on the external
interface); the firewall drops such packets, doubting their authenticity.
• Firewalls deal mainly with three protocols: TCP and UDP at the transport
layer, and ICMP at the network layer.
• For TCP and UDP packets the source and destination addresses are examined
for authenticity, and the port numbers indicate the purpose of the data
packets. In ICMP, the type and code fields are used instead of port numbers.
Types of firewalls
• Packet filtering firewall.
• Stateful inspection firewall.
• Software firewall.
• Hardware firewall.
• Application layer firewall.
• Next generation firewall.
• Proxy service firewall.
• Circuit level gateway firewall
Packet filtering firewall
• The entry and exit of data packets are decided based on these parameters:
source and destination IP addresses, protocol and ports.
• The firewall inspects network and transport layer headers only, and each
packet is judged in isolation (it keeps no memory of earlier packets).
• The firewall maintains a rule table; the defined rules are matched against
each packet to decide on the entry of the data traffic.
Stateful inspection firewall
• In addition to the rule table also present in this type of firewall, it is able
to inspect the connection state of the traffic (packet).
• A connection state is a keyword describing the status of the connection a
packet belongs to, such as LISTEN, SYN_SENT, SYN_RECEIVED, ESTABLISHED
and FIN_WAIT.
• The history of states, stored in a separate connection table, is also consulted
for filtering decisions, so a packet that fits no known connection can be
dropped even if a stateless rule would have allowed it.
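To make the preceding slides concrete (the working of the firewall with its default policy and accept/reject/drop actions, the packet filtering firewall, and the stateful inspection firewall), here is an added example that is not code from the page. It runs the same constructed packets through a stateless filter and a stateful one built on the same rule table, and shows the one thing the stateless filter cannot get right: to let replies to outbound connections back in it needs an "inbound TCP with ACK set" rule, and an ACK probe to an internal host slips through that rule, while the connection-tracking filter drops it. Packet layout, rule fields, addresses, the policy and the simplified TCP state machine are all assumptions made for this example.

```python
"""Added example (not code from the page): a stateless and a stateful filter over the
same rule table, run on constructed packets. Layout, addresses, rule fields and the
simplified TCP state machine are assumptions made for this example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

ACK, SYN, FIN, RST = "ACK", "SYN", "FIN", "RST"

@dataclass(frozen=True)
class Packet:
    proto: str                        # "tcp" | "udp" | "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()    # TCP flags present
    direction: str = "in"             # "in": from outside toward the protected net

@dataclass(frozen=True)
class Rule:
    action: str                       # ACCEPT | REJECT | DROP
    proto: Optional[str] = None       # None = any
    dst: Optional[str] = None         # CIDR, None = any
    dport: Optional[int] = None
    flags: frozenset = frozenset()    # every listed flag must be set
    direction: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto in (None, p.proto) and self.direction in (None, p.direction)
                and self.dport in (None, p.dport) and self.flags <= p.flags
                and (self.dst is None or ip_address(p.dst) in ip_network(self.dst)))

class PacketFilter:
    """Stateless: each packet is judged alone; first matching rule wins, else default."""
    def __init__(self, rules: List[Rule], default: str = "DROP"):
        self.rules, self.default = list(rules), default

    def decide(self, p: Packet) -> Tuple[str, Optional[str]]:
        action = next((r.action for r in self.rules if r.matches(p)), self.default)
        # REJECT answers the sender (TCP RST, or ICMP type 3 code 3 port unreachable); DROP is silent.
        reply = ("TCP RST" if p.proto == "tcp" else "ICMP type 3 code 3") if action == "REJECT" else None
        return action, reply

class StatefulFilter(PacketFilter):
    """Adds a connection table; only a rule-accepted bare SYN opens an entry."""
    def __init__(self, rules: List[Rule], default: str = "DROP"):
        super().__init__(rules, default)
        self.conns: Dict[tuple, str] = {}      # initiator-view 5-tuple -> state

    def decide(self, p: Packet) -> Tuple[str, Optional[str]]:
        if p.proto != "tcp":
            return super().decide(p)            # UDP/ICMP left stateless in this example
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if fwd in self.conns:
            return self._advance(fwd, p, from_initiator=True)
        if rev in self.conns:
            return self._advance(rev, p, from_initiator=False)
        if p.flags == frozenset({SYN}):
            action, reply = super().decide(p)
            if action == "ACCEPT":
                self.conns[fwd] = "SYN_SENT"
            return action, reply
        return "DROP", None                     # ACK/FIN with no connection: a probe

    def _advance(self, key, p: Packet, from_initiator: bool):
        st = self.conns[key]
        if RST in p.flags or (st == "ESTABLISHED" and FIN in p.flags):
            del self.conns[key]                 # simplified: first FIN or RST closes
            return "ACCEPT", None
        if st == "SYN_SENT" and not from_initiator and {SYN, ACK} <= p.flags:
            self.conns[key] = "SYN_RECEIVED"
        elif st == "SYN_RECEIVED" and from_initiator and p.flags == frozenset({ACK}):
            self.conns[key] = "ESTABLISHED"
        elif not (st == "ESTABLISHED" and SYN not in p.flags):
            return "DROP", None                 # out-of-state packet
        return "ACCEPT", None

# Constructed policy for 10.0.0.0/24: anything out, HTTPS in to the web server, inbound UDP rejected, rest DROP.
BASE_RULES = [Rule("ACCEPT", direction="out"),
              Rule("ACCEPT", "tcp", dst="10.0.0.80/32", dport=443, direction="in"),
              Rule("REJECT", "udp", direction="in")]
# Stateless filters approximate "established" with "inbound TCP with ACK set"; ACK probes exploit exactly that.
STATELESS_RULES = BASE_RULES[:2] + [Rule("ACCEPT", "tcp", flags=frozenset({ACK}), direction="in")] + BASE_RULES[2:]

SCENARIO = [  # constructed traffic, in order
    Packet("tcp", "203.0.113.9", "10.0.0.80", 40000, 443, frozenset({SYN})),        # allowed HTTPS
    Packet("tcp", "203.0.113.9", "10.0.0.5", 40001, 22, frozenset({SYN})),          # SSH: default DROP
    Packet("tcp", "203.0.113.9", "10.0.0.5", 40002, 22, frozenset({ACK})),          # ACK probe
    Packet("udp", "203.0.113.9", "10.0.0.5", 40003, 53),                             # REJECT + ICMP reply
    Packet("tcp", "10.0.0.5", "198.51.100.1", 50000, 80, frozenset({SYN}), "out"),  # client SYN
    Packet("tcp", "198.51.100.1", "10.0.0.5", 80, 50000, frozenset({SYN, ACK})),    # server SYN/ACK
    Packet("tcp", "10.0.0.5", "198.51.100.1", 50000, 80, frozenset({ACK}), "out"),  # handshake done
]

def compare(packets: List[Packet]) -> List[Tuple[str, str]]:
    """Run one packet sequence through both filters; returns (stateless, stateful) actions."""
    sl, sf = PacketFilter(STATELESS_RULES), StatefulFilter(BASE_RULES)
    return [(sl.decide(p)[0], sf.decide(p)[0]) for p in packets]
```

Calling compare(SCENARIO) gives identical verdicts for every packet except the third: the stateless filter accepts the ACK probe to 10.0.0.5:22 (the host then answers with a RST, telling the scanner it is alive), while the stateful filter drops it because no connection in its table explains that packet. The fourth packet also shows why DROP rather than REJECT is the usual default: REJECT hands the sender an ICMP port-unreachable that confirms a filter is present.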
Software firewall

• A firewall implemented in software on a general-purpose host or virtual
machine (including cloud instances), rather than on a dedicated appliance,
is termed a software firewall.
• It is convenient where many similar hosts need the same protection, since
the same software and rules can be deployed on each.
Hardware firewall

• Also termed a physical firewall appliance.
• The appliance is a small computing device with its own operating system,
on which the firewall software is installed to handle the entry and exit of
data packets.
Application layer firewall
• This firewall can inspect packets up to and including the application layer
of the OSI model.
• It can determine whether certain applications and protocols are being
misused.
• In an established connection between two endpoints, packet-switched
networks do not deliver a message as a single unit; it is split into packets
according to the MTU, which may travel in parallel and arrive out of order.
• This firewall terminates the connection and reassembles the stream, so each
request is inspected as a whole before being forwarded on a new connection.
• Because it relays connections on behalf of the client, it runs as a proxy
server and is therefore also termed a proxy firewall.
Next generation firewall

• This firewall is equipped with multiple security functions for deep
inspection and robust security.
• These include:
– Complete application inspection
– SSL/TLS inspection
– Correlation with past activity (for example threat intelligence and
reputation data)
– Protocol awareness (identifying applications regardless of the port used)
Proxy service firewall

• Firewalls deployed to filter data packets at the application layer.
• Deployed to protect the interconnecting networks of one particular
application.
• Often called the gateway of the application's network.
Circuit level gateway firewall
• Operates at the session layer of the OSI model.
• Once a session is validated, it allows data packets to flow between networks
with little overhead.
• Its biggest disadvantage is that it does not inspect the contents of packets;
it only inspects information about the session and whether the connection
is legitimate.
• Certain contents of data really do need to be checked for legitimacy, and
this firewall fails to do so.
Firewall design principles

1. Developing security policy.
2. Simple solution design
3. Choosing the right device.
4. Layered defence.
5. Consider internal threats.
Developing security policy
• The security policy is developed to design the set of rules the firewall
applies to the entry and exit of data traffic.
• The policy also states what is to be done during a security breach.
• This document is responsible for restricting unauthorized data and plays a
crucial role in the integrity of the organization's data.
• The policy is curated after a risk analysis has been done, from the
conclusions drawn from it.
Simple solution design

• The set of rules used to decide on the legitimacy of data traffic must be kept
as simple as possible, so that the firewall can filter the traffic with ease and
the rule set can be audited.
• To keep it that way, risk analysis and research on new potential risks must
be done frequently, so that the firewall can be updated to safeguard against
new threats.
Choosing the right device
• For hardware firewalls in particular, the right device must be chosen, as it
is responsible for strong security.
• Outdated devices used as firewalls may be vulnerable to new security threats.
• Correct configuration of the firewall is just as important, since a wrong
configuration may leave it vulnerable to security threats.
• After the devices and configuration are planned, the product's own security
requirements must be considered.
• The location at which the firewall is deployed also matters, according to the
type of firewall and its requirements.
Layered defence
• A multilayered defence architecture is important because different levels of
security checks are required to establish the legitimacy of traffic.
• If all the security checks are configured in one single layer, and that layer is
broken, it is quite easy for an unauthorized packet to pass through the
firewall.
Consider internal threats
• Firewalls should also be deployed inside an organizational network, as
internal threats are a real possibility.
• This is crucial because members of the organization have easier access to
internal network devices than outsiders.
• Thus a strong, secure, multilayered firewall deployment is needed to
maintain the internal integrity of the organization's information.
Need for design principles
• Each network has its own security threats and therefore its own security
requirements.
• The security policy paperwork records the firewall's configuration, which
helps the organization when updating the policy to safeguard against new
threats.
• All the information combined from the design principles gives the best
result in building a secure firewall.
• Correct configuration, consideration of the different security levels and the
firewall's location all positively affect the performance of the firewall.
Advantages of firewall
• Protection from unauthorized access.
• Protection from known malware and security threats.
• Limiting access to individuals and networks.
• All network activity can be recorded and monitored, since the firewall is the
gateway for entry and exit.
• Considered the best way to secure a network according to the security
demands of the organization.
• When a larger network is divided into smaller networks, firewalls can easily
be deployed between these segments, reducing the attack surface and
improving security.
Disadvantages of firewalls
• Setting up firewalls for large, unsegmented networks and organisations with
huge numbers of application users is complex.
• Firewalls must be deployed at every required operating level; a firewall at
one level cannot monitor threats at another level when the firewall at that
level malfunctions.
• Updates must be done frequently, as a firewall cannot handle new security
threats it does not know about.
• Network performance can be impacted by firewalls while they handle large
volumes of traffic.
• Sometimes an organization requires complex VPN features from its firewalls,
but not all firewalls support these features.
• Devices and advanced features for firewalls can be expensive.
USE CASES IN LEGACY NETWORKS
SECURITY
• Legacy network security refers to securing outdated networking
infrastructure, including hardware and software, that may lack modern
security features. These systems can present vulnerabilities due to outdated
protocols, lack of patches, and unsupported security measures. Securing
legacy networks often requires a combination of traditional and newer
security techniques.
Challenges of Securing Legacy Networks
• Outdated Technologies:
• Legacy networks often use older hardware and software that
may not be compatible with current security tools or standards.
• Lack of Support:
• Vendors may no longer provide security updates or patches for
legacy systems, leaving them vulnerable to known exploits.
• Compatibility Issues:
• Modern security measures may not be compatible with the
architecture of legacy networks, hindering effective protection.
• Complex Integration:
• Legacy networks can be difficult to integrate with new security
technologies, making it challenging to implement modern
solutions.
Security Strategies for Legacy Networks
• Patching:
• Regularly apply available security patches and updates, even if they
are not fully supported, to address known vulnerabilities.
• Firewalls:
• Implement firewalls to control network traffic and block malicious
activity, especially for critical systems.
• Intrusion Detection/Prevention Systems (IDS/IPS):
• Use IDS/IPS to monitor network traffic for suspicious activity and
block potential attacks.
• Network Segmentation:
• Isolate legacy systems from the rest of the network to limit the
impact of a potential compromise.
• Virtual Private Networks (VPNs):
• Use VPNs to securely connect remote users to legacy systems,
especially if accessing them remotely.
• Access Control:
• Implement strict access controls based on the
principle of least privilege to restrict user access to only what is
necessary.
• Zero Trust:
• Consider implementing zero trust principles, which treat all systems as
potentially compromised and require continuous verification of access.
• Sandboxing:
• Use sandboxing to isolate and analyze suspicious files or applications,
preventing them from potentially infecting the network.
• Data Loss Prevention (DLP):
• Implement DLP measures to prevent sensitive data from leaving the
network.
• Threat Intelligence:
• Utilize threat intelligence feeds to stay informed about the latest
threats and vulnerabilities targeting legacy systems.
Addressing Legacy Networks
• Migration:
• Consider migrating legacy systems to newer, more secure
platforms if possible, especially for critical applications.
• Upgrading:
• Upgrade legacy hardware and software to newer versions that
offer improved security features.
• Software Defined Networking (SDN) and
Network Functions Virtualization (NFV):
• Explore SDN/NFV technologies to modernize legacy networks and
improve security control.
• Automation:
• Automate security tasks, such as patching and intrusion detection,
to reduce human error and improve response times.
