Service Providers

Software Defined Networks (SDN) and Security

by kfrankli on ‎06-11-2012 10:21 AM (737 Views)

Do you know the real story of Private Ryan, immortalized in the Tom Hanks movie, Saving Private Ryan? The movie is loosely based on the factual account of the Niland Brothers, specifically the youngest, Sergeant Frederick “Fritz” Niland, presumed to be the only remaining brother of four, during World War II (WWII). Fritz was sent home under the “Sole Survivor Policy”, which was implemented when all five Sullivan Brothers were killed on the same ship, the USS Juneau, earlier in WWII. Why do I bring up this story and what exactly has it to do with Security and SDN? There was a major confluence of events that caused the strategic activities leading to the deaths of both the Sullivan and Niland Brothers. Though less tragic from a human life standpoint, with the advent of SDN and its impact on every facet of networking, I believe we will witness the demise of many protocols, design methods, and, as with most upheavals, some incumbent vendors. Also, if the promises of SDN hold true, the major tenants of good security, control, visibility, and consistent policy implementation will finally be available across multi-vendor environments.

 

Perhaps, you may think I have overstated the potential impact of SDN. But, think about what is happening within in the world of networking right now. First, we have the “Consumerization of IT” with Bring your Own Device (BYOD). BYOD runs smack into the face of an important tenant of security—control, which I listed above. However, as stated in this Forester blog posting, entitled “BYOC – It’s not About Defiance. It’s About Having the Right Tools for the Job”, if you take a step back and perhaps embrace the change, you may realize new levels of value the transition has created within your organization.

 

I think it will be the same with Big Data, the second technology transformation I want to mention, which will foster a whole new genre of capabilities through the use of powerful analytic tools and solutions. “Cloud” and Server Virtualization, which allows organizations to be more agile, dynamic, and respond quickly to internal needs of users, as well as the external needs of their customers, is the third major revolutionary technology shift I see in the market. To anyone with a clue, what I have stated isn’t new, but what I think most people miss is the fact that all of these changes cannot take place without rethinking the way networks are designed, utilized, and secured. This is precisely where SDN comes into the story.

 

Yes, technologies such as Ethernet Fabrics are tremendously valuable to cloud-based architectures. Ethernet fabrics eliminate legacy protocols such as Spanning-Tree. They reduce a majority of the operational overhead that is required to manage a modern Data Center network, and frankly, they are just plain cool technology. However, I think an Ethernet Fabric alone is like a great McLaren sports car, missing a driver who can take advantage of everything the car has to offer. If you don’t believe me, take a look at a blog by my colleague Jon Hudson, entitled “Of Chocolate & Peanut Butter: SDN and Fabrics”. He prefers peanut butter and chocolate, as opposed to my car and driver analogy but, I agree with everything Jon has to say, especially if I look at things from a security standpoint.

 

An SDN-capable network, in some ways, is a security person’s dream scenario. If implemented properly, he or she can get centralized control of a multi-vendor environment, complete visibility into all traffic flows, and uniformed policy enforcement across the entire network. How cool is that? Additionally, you get the added network availability and reliability that comes about when a network infrastructure is controlled by a single configuration file or entity. I have heard that 40% of all network outages can be tied to misconfigurations.

 

So, what are the drawbacks? Well, SDN is new and with all new technology, it has to mature. What does this means for you? I would say get your hands on the technology as soon as possible. Brocade has announced controller agnostic support for OpenFlow and SDN in the next production release of its NetIron code, version 5.4. If you currently have Brocade equipment that supports this code base, you can take advantage of this technology today. I implore you; especially you security minded folks, to start thinking about the security-related applications and implications of SDN, and also, let me know your thoughts on the subject.