Effective CISSP Questions

Software-defined networking (SDN) abstracts the control over the flow of data by separating logical control rules from physical data forwarding into the control plane and the data plane. Logical control rules are programmable as software, while sophisticated data-plane functionality is virtualizable through Network function virtualization (NFV). Software-defined security (SDS) is a security model that exploits SDN/NFV to enforce network security by security software on generic servers abstracting security appliances, such as Firewall, IDS, etc. Which of the following is not true about SDN, NFV, or SDS?
A. Controllers can impose flow rules or policies on physical devices via OpenFlow.
B. Switches at the data-plane implement the spanning-tree algorithm to prevent loops.
C. Software switches through NFV can be implemented independently without SDN.
D. Firewalls on generic servers as SDN applications can communicate with controllers through APIs.

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. Switches at the data-plane implement the spanning-tree algorithm to prevent loops.

The spanning-tree algorithm is implemented in the control plane. SDN and NFV are complementary, so NFV can be implemented independently without SDN. 

SDN and NFV are complementary but increasingly co-dependent. While the former provides the means to dynamically control the network and the provisioning of networks as a service, the latter offers the capability to manage and orchestrate the virtualization of resources for the provisioning of network functions and their composition into higher-layer network services. (NFV in ETSI)

Software-defined networking (SDN)

The three planes coexist on a traditional network device. However, they are separated and communicating through APIs in SDN.

The Three Planes

The planes we discuss here are the three that exist on a network device: the management, control, and data planes.

  • Any functions related to managing a device, such as configuring it, happen in the management plane. Access to this plane requires use of various protocols, such as SSH, Telnet, SNMP, and SFTP. This is the most important plane in terms of securing a device because any breach on this plane will allow access to all data flowing through the device and even the ability to reroute traffic.
  • In the control plane, the device discovers its environment and builds the foundation to do its job. For example, a router uses routing protocols in the control plane to learn about the various routes. Routes allow a router to do its primary job—route packets. A switch uses protocols such as VTP and STP to learn about various paths, and that allows it to switch traffic. If the protocols in the control plane are not secured, a malicious actor may be able to inject rogue control packets and influence the path of the packets. For example, if your routing protocols are not secure, then it is possible to inject rogue routes, causing data to flow to a different device. This technique is often used in man- in-the-middle (MITM) attacks.
  • The data plane, also called the forwarding plane, is where the actual data flows. When a router receives a packet to route or a switch receives a frame to switch, it does so on the data plane. Information learned in the control plane facilitates the functions of the data plane. Typically, this is where most of the network security controls are focused. Packet filtering, protocol validation, segmentation, malicious traffic detection, distributed denial-of-service (DDoS) protection, and other security measures are utilized in this plane.

The Control Plane

The control plane is where a Cisco switch or router learns about its environment, using various protocols to talk to neighboring devices. The protocols operating on the control plane of a router are different from those of a switch.

  • A Layer 2 network can be very complex and requires various protocols to run efficiently. Of these protocols, Spanning Tree Protocol (STP) and VLAN Trunking Protocol (VTP) are the most important.
  • Layer 3 is where a router uses routing protocols such as BGP, EIGRP, and OSPF to learn about the network and create its routing table.

Source: Infrastructure Security and Segmentation


OpenFlow is a communications protocol that gives access to the forwarding plane of a network switch or router over the network.

  • OpenFlow enables network controllers to determine the path of network packets across a network of switches.
  • OpenFlow allows remote administration of a layer 3 switch’s packet forwarding tables, by adding, modifying and removing packet matching rules and actions.

Source: Wikipedia

Network function virtualization (NFV)

The European Telecommunications Standards Institute (ETSI) is a European standards organisation in the telecoms industry. They took the lead on NFV in 2012, and subsequently created the Industry specification group (ISG) to provide a forum for the industry to collaborate on establishing the required standards and supporting the implementation of network virtualisation. (STL Partners)

NFV in ETSI is founded in November 2012 by seven of the world’s leading telecoms network operators, ETSI ISG NFV became the home of the definition and consolidation for Network Functions Virtualisation (NFV) technologies. (NFV in ETSI)



My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

軟體定義網絡(SDN)抽象化了對數據流的控制,它把邏輯的控制規則與實體的數據轉送分開,獨立成控制平面(control plane)和數據平面(data plane)。 邏輯控制規則可作為軟體進行編程,而復雜的數據平面功能則可通過網路功能虛擬化(NFV)技術予以虛擬化。 軟件定義的安全性(SDS)是一種安全模型,它利用SDN/NFV,並透過部署在通用伺服器上的安全軟體來抽象化實體的安全設備(例如防火牆,IDS等)以增強網路的安全性。下列關於SDN,NFV的說法不正確 或SDS?
A. 控制器(controller)可以通過OpenFlow在實體設備上施加資料流動規則或策略。
B. 在數據平面(data plane)的交換機執行生成樹算法(spanning-tree)以防止廻路(loops)。
C. 通過NFV實作的軟體式交換器可以在沒有SDN的情況下獨立實現。
D. 通用服務器上的防火牆是SDN應用程式,可以通過API與控制器進行通信。

Leave a Reply