Continuing this series of blogs on SDN and flow visibility & control, I’d like to update this community on another innovative development in the Brocade Flow Optimizer (BFO) application. A previous release of this application added support for third-party integration, namely with the Bro network security platform. We have now added third-party integration support for firewalls, with the first partner example being Palo Alto Networks.
The use case for this solution comes from customers who require a dynamic method for white-listing qualified large flows and redirecting those flows around the firewall. The firewall can be inline or one-armed (e.g. hanging off the router). One reason customers require this type of flow redirection is to further scale out their DMZ and the firewalls associated with it. If qualified large flows can bypass the firewall, the firewall infrastructure gains capacity, since it no longer needs to process those white-listed large flows. This scenario applies to almost any model of firewall; no particular vendor is being singled out here. Our third-party integration could easily be adapted to firewalls from other vendors, and we expect that to happen as we receive more requests from customers.
An early use case for this type of firewall bypass solution is what has commonly been called a “Science DMZ” in research and education networks. ESnet originally developed the Science DMZ architecture to improve the performance of large flow transfers, which they refer to as “friction free” data transfer. The white-list of flows that will bypass the firewall can be created manually or dynamically. If the flow endpoints (i.e. the 5-tuple information) are known in advance, the white-list can be entered into a BFO profile, which results in an OpenFlow redirect rule being programmed into the router to steer those flows around the firewall. Alternatively, the white-list can be built dynamically from sFlow information: flow endpoint information plus a bandwidth threshold value are entered into a BFO profile, and once an sFlow sample matches, the application programs the OpenFlow redirect rule into the router.
The third-party integration described here relies on the firewall as the decision point for creating the white-list of flows. That is the key differentiator of this integrated solution.
This use case starts with all flows being forwarded through the firewall, as shown in the diagram below. Note that flows in both directions must be forwarded through the firewall, since firewalls are stateful devices. This is the default “policy” in place so that all flows are processed and inspected by the firewall. The red and yellow lines show all flows in both directions being directed through the firewall. The firewall is configured to generate syslog messages that identify the specific flows it wants BFO to control.
There are two categories of flows that the firewall identifies and instructs the BFO application to control with SDN. If the firewall has identified a malicious large flow, it can pass the 5-tuple parameters of that flow to BFO via a syslog message; BFO then programs the router to discard that flow on the ingress port of the border router. A DDoS attack is an example of this type of flow. If the firewall identifies specific flows that no longer need to be processed by it, it can pass those 5-tuple parameters to BFO via a syslog message; BFO then programs the router to redirect those flows so they are no longer forwarded to the firewall. This is depicted below with the additional green line. The obvious benefit of this type of integration is that the flow bypass is fully automated with SDN.
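To make the control loop of the last few paragraphs concrete (the sFlow-threshold profile from the Science DMZ paragraph and the firewall-driven drop/bypass instructions just described), here is an added example written for this post. It is illustrative Python, not BFO’s own code and not Palo Alto’s log schema: the `BFO-ACTION` syslog payload format, the router port numbers in `PORTS`, and the dict representation of OpenFlow rules are all assumptions made for the example. It also shows the point about statefulness: a bypass must install rules for both directions, while a drop needs only the ingress direction.

```python
"""Toy version of the BFO control loop described above: firewall syslog
instructions and sFlow-threshold profile matches become OpenFlow-style rules.
Constructed example for illustration; not Brocade BFO or Palo Alto code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed router port layout for an inline firewall: WAN-facing ingress port,
# LAN-facing port, and the port the firewall hangs off. Hypothetical values.
PORTS = {"wan": 1, "lan": 2, "firewall": 3}


@dataclass(frozen=True)
class FiveTuple:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reversed(self) -> "FiveTuple":
        # Return-direction flow. The firewall is stateful, so a bypass must
        # cover both directions or the reply half still lands on the firewall,
        # which then has no session state for it.
        return FiveTuple(self.proto, self.dst_ip, self.dst_port,
                         self.src_ip, self.src_port)


# Constructed syslog payload format (hypothetical; not a real vendor schema).
SYSLOG_RE = re.compile(
    r"BFO-ACTION action=(?P<action>bypass|drop) proto=(?P<proto>tcp|udp) "
    r"src=(?P<sip>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d{1,5}) "
    r"dst=(?P<dip>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d{1,5})"
)


def parse_firewall_syslog(line: str) -> Optional[Tuple[str, FiveTuple]]:
    """Extract (action, 5-tuple) from a firewall syslog line, or None when the
    line is not a BFO instruction (ordinary log lines are ignored)."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    flow = FiveTuple(m["proto"], m["sip"], int(m["sport"]),
                     m["dip"], int(m["dport"]))
    return m["action"], flow


def rules_for(action: str, flow: FiveTuple, ports: Dict[str, int]) -> List[dict]:
    """Translate an instruction into OpenFlow-style rules (dicts standing in
    for flow-mod messages). Default forwarding sends everything via the
    firewall port, so these rules are higher-priority exceptions."""
    if action == "drop":
        # Discard on the border router's ingress port; one direction suffices,
        # the unwanted traffic never reaches the firewall or the LAN.
        return [{"priority": 200, "in_port": ports["wan"],
                 "match": flow, "actions": []}]  # empty action list = drop
    if action == "bypass":
        # Redirect both directions so the firewall is taken out of the path.
        return [
            {"priority": 100, "in_port": ports["wan"], "match": flow,
             "actions": ["output:%d" % ports["lan"]]},
            {"priority": 100, "in_port": ports["lan"], "match": flow.reversed(),
             "actions": ["output:%d" % ports["wan"]]},
        ]
    raise ValueError("unknown action: %r" % action)


@dataclass(frozen=True)
class Profile:
    """BFO-style profile: flow endpoints plus a bandwidth threshold in bit/s.
    A dst_port of None means 'any port'."""
    proto: str
    src_ip: str
    dst_ip: str
    dst_port: Optional[int]
    threshold_bps: float


def sflow_trigger(profile: Profile, flow: FiveTuple, measured_bps: float) -> bool:
    """True when an sFlow-derived flow record matches the profile endpoints and
    its measured rate reaches the threshold; the caller then installs
    rules_for("bypass", flow, PORTS)."""
    endpoints_match = (flow.proto == profile.proto
                       and flow.src_ip == profile.src_ip
                       and flow.dst_ip == profile.dst_ip
                       and (profile.dst_port is None
                            or flow.dst_port == profile.dst_port))
    return endpoints_match and measured_bps >= profile.threshold_bps


if __name__ == "__main__":
    # Constructed sample input: two BFO instructions and one unrelated line.
    log_lines = [
        "<14>Jun 1 12:00:01 fw1 BFO-ACTION action=drop proto=udp src=198.51.100.7:5000 dst=203.0.113.9:53",
        "<14>Jun 1 12:00:02 fw1 system: config commit succeeded",
        "<14>Jun 1 12:00:03 fw1 BFO-ACTION action=bypass proto=tcp src=192.0.2.20:40001 dst=203.0.113.50:2811",
    ]
    for line in log_lines:
        parsed = parse_firewall_syslog(line)
        if parsed:
            for rule in rules_for(*parsed, PORTS):
                print(rule)
    big_xfer = Profile("tcp", "192.0.2.20", "203.0.113.50", None, 1e9)
    sample = FiveTuple("tcp", "192.0.2.20", 40002, "203.0.113.50", 2811)
    print("sFlow trigger at 1.5 Gbit/s:", sflow_trigger(big_xfer, sample, 1.5e9))
```

The bypass rules are installed at a lower priority than the drop rule, so a firewall instruction to discard a flow always wins over an earlier instruction to bypass it for the same 5-tuple. A real deployment would also age these entries out (idle timeouts on the flow-mods) so a white-listed flow does not stay off the firewall indefinitely after it ends.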
As previously mentioned, although the initial firewall integration is for Palo Alto firewalls, this solution can be modified to support firewalls from other vendors. In fact, this type of third-party integration could be applied to almost any network or security appliance; it is not limited to firewalls.
This blog provides a quick update to our SDN solution using the BFO application. As usual, please ask questions or provide comments in the comment section of this blog. If you’d like to hear more about a specific SDN use case, please let me know in the comment section and I will do my best to oblige.