
Security Concerns in an OF-enabled Network

2/21/2012

Security.  It’s an interesting topic when it comes to networking within Enterprise IT.  There are those who are truly focused on an end-to-end view of security (or just freakishly enjoy it), and then those who are usually okay with just implementing a perimeter FW and maybe an IDS/IPS.  So, on your “typical” Enterprise LAN, all hosts are inherently trusted, and communication between clients and servers, clients and clients, and servers and servers is unprotected.  I will say, in 2011, I've seen this starting to change: infrastructure security is becoming even more critical for the average “mid-market” customer for various reasons, but heavily attributed to the wide adoption of smart phones, tablets, and the whole “Bring Your Own Device” (BYOD) mantra being driven by the consumer.

Anyway, what does this have to do with OpenFlow/SDN?  Nothing…yet, but the question that came to me while I was in a meeting with a NYC based financial firm last week was, “How will security be perceived with running a *real* virtualized network with control plane separation happening at a controller?” 

Before I go any further, here is some background…

I was meeting with the network team to discuss a basic network design that required several physical switches, but only a few ports on each were being used.  Physical separation is the norm for this customer.  Note: this is L2 only, and there are no SVIs configured.  Being new to the account, I asked why we couldn’t collapse these.  Because they were stackable switches (and weren’t being stacked), I also asked whether we could stack them to simplify management.  The answer to both was NO, and the reasoning was simple.  The security team does not see VLANs as a reasonable way to accomplish network isolation.  The network team did state that VRFs suffice and pass muster with the SECURITY team, but since VRFs are a L3 technology, they aren’t a fit here.  PVLANs may have worked, but it seemed to be a very sore subject.

Enter OpenFlow.

What if their network were virtualized by means of an OpenFlow-enabled solution using a Big Switch controller (BSC)?  Two weeks ago, I wrote about the demo Big Switch gave.  Like I said then, it was pretty sweet.  They created a logical switch in seconds using the BSC (hope you all like the acronym ;)).  What if the customer I’m referring to used the BSC and created several logical switches?  They would look and feel like several physical switches: no communication between each other, even though they would be riding on the same hardware.  No complex PVLANs either.  This sounds attractive and is exactly what I was thinking during the meeting.  Would this have worked?

BUT, is the “logical” or “virtual” switch secure?  Actually, I’ll rephrase that, and more importantly, “how would this be perceived by organizations that have security teams?”  One of my first career lessons was “perception is reality,” so while it may or may not be secure, what will the perception be?  I think for what I described above, this would be no issue for the “typical” Enterprise, but for those with security teams, I’m not so sure.

Based on what I’ve read, it would seem Big Switch (or any other controller vendor) is being extremely creative and doing some funky MAC-learning tricks to produce mini virtual switches. 
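To make the two preceding paragraphs concrete (logical switches carved out of one physical switch, and the slice-scoped MAC learning that keeps them apart), here is an added, constructed model of such a controller. It is not Big Switch's code and does not claim to be how the BSC is implemented; the class name, the port-to-slice assignment, and the audit function are assumptions of this illustration. It shows the point a security team would actually want checked: every installed flow rule must forward only within the slice of its ingress port, and a MAC address learned in one slice must not be visible to another.

```python
"""Constructed model of a controller slicing one physical OpenFlow switch
into isolated logical switches, plus an isolation audit of the flow table.
Illustration only; not the Big Switch controller's implementation."""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class FlowRule:
    """One rule on the physical switch: match ingress port + dst MAC, output ports."""
    in_port: int
    dl_dst: str
    out_ports: tuple  # physical ports the action list forwards to


class LogicalSwitchController:
    """Hypothetical controller: each physical port belongs to at most one slice."""

    def __init__(self):
        self.slices = {}     # slice name -> frozenset of physical ports
        self.flows = []      # rules installed on the single physical switch
        self.mac_table = {}  # (slice, mac) -> port; learning is scoped per slice

    def create_logical_switch(self, name, ports):
        """Assign physical ports to a new logical switch; ports may not overlap."""
        ports = frozenset(ports)
        for other, owned in self.slices.items():
            if owned & ports:
                raise ValueError(f"ports {sorted(owned & ports)} already belong to {other}")
        self.slices[name] = ports

    def slice_of(self, port):
        for name, ports in self.slices.items():
            if port in ports:
                return name
        return None

    def packet_in(self, in_port, src_mac, dst_mac):
        """Handle a packet-in from the switch; return the ports it is sent out of."""
        sl = self.slice_of(in_port)
        if sl is None:
            return ()  # port not assigned to any logical switch: drop, never learn
        # Learn the source MAC only within this slice, so the same MAC may
        # exist independently in another logical switch.
        self.mac_table[(sl, src_mac)] = in_port
        dst_port = self.mac_table.get((sl, dst_mac))
        if dst_mac != BROADCAST and dst_port is not None:
            rule = FlowRule(in_port, dst_mac, (dst_port,))
            if rule not in self.flows:
                self.flows.append(rule)  # proactively install a unicast rule
            return (dst_port,)
        # Unknown or broadcast destination: flood, but only to this slice's ports.
        return tuple(sorted(self.slices[sl] - {in_port}))

    def audit_isolation(self):
        """Return every rule whose output leaves the ingress port's slice."""
        bad = []
        for r in self.flows:
            sl = self.slice_of(r.in_port)
            if sl is None or any(self.slice_of(p) != sl for p in r.out_ports):
                bad.append(r)
        return bad


if __name__ == "__main__":
    c = LogicalSwitchController()
    c.create_logical_switch("A", [1, 2])
    c.create_logical_switch("B", [3, 4])
    c.packet_in(1, "00:00:00:00:00:01", BROADCAST)
    c.packet_in(2, "00:00:00:00:00:02", "00:00:00:00:00:01")
    print("installed:", c.flows)
    print("violations:", c.audit_isolation())
```

The audit is the part worth keeping even if the controller itself is trusted: it reads back the rules actually present on the hardware and flags any that cross slice boundaries, which is the kind of independent evidence a security team tends to ask for before accepting a "virtual" switch as equivalent to a physical one.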

What do YOU think - should there be security concerns?  Remember, focus on perception.  Lastly, do the companies driving the OpenFlow/SDN industry momentum need to have targeted messaging at some point to gain the mindshare of security focused individuals/teams?

1 Comment
Fernando
4/19/2012 11:50:16 pm

Hi!

Really liked your approach (and whole site, really). I made some tentative writings on OF/SDN a few months back, but your point about perception is very interesting.

Ultimately, I think it will boil down to what is acceptable risk and cost, either direct or indirect. There will be a period of immature implementations on switches that may lead to incidents - similar to VLAN hopping - but these things will improve. Then, the onus will be on the security side to explain why OF/SDN should NOT be used.

Will follow you more closely now... keep up the great writing!


    Author

    Jason Edelman, Founder of Network to Code, focused on training and services for emerging network technologies. CCIE 15394.  VCDX-NV 167.


    Enter your email address:

    Delivered by FeedBurner


    Top Posts

    The Future of Networking and the Network Engineer

    OpenFlow, vPath, and SDN

    Network Virtualization vs. SDN

    Nexus 7000 FAQ

    Possibilities of OpenFlow/SDN Applications 

    Loved, Hated, but Never Ignored #OpenFlow #SDN

    Software Defined Networking: Cisco Domination to Market Education

    OpenFlow, SDN, and Meraki

    CAPWAP and OpenFlow - thinking outside the box

    Introduction to OpenFlow...for Network Engineers


    Categories

    All
    1cloudroad
    2011
    2960
    40gbe
    7000
    Arista
    Aruba
    Big Switch
    Brocade
    Capwap
    Christmas
    Cisco
    Controller
    Data Center
    Dell Force10
    Embrane
    Extreme
    Fex
    Hadoop
    Hp
    Ibm
    Isr G2
    Juniper
    Limited Lifetime Warranty
    Meraki
    Multicast
    N7k
    Nexus
    Nicira
    Ons
    Opendaylight
    Openflow
    Openstack
    Presidio
    Qsfp
    Quick Facts
    Routeflow
    Sdn
    Sdn Ecosystem
    Security
    Ucs


    Archives

    May 2015
    April 2015
    February 2015
    January 2015
    December 2014
    November 2014
    October 2014
    September 2014
    August 2014
    June 2014
    May 2014
    March 2014
    February 2014
    January 2014
    December 2013
    November 2013
    October 2013
    September 2013
    August 2013
    July 2013
    June 2013
    May 2013
    April 2013
    March 2013
    February 2013
    January 2013
    December 2012
    November 2012
    October 2012
    June 2012
    May 2012
    April 2012
    March 2012
    February 2012
    January 2012
    December 2011
    November 2011


    RSS Feed


    View my profile on LinkedIn
Photo used under Creative Commons from NASA Goddard Photo and Video