Security.  It's an interesting topic when it comes to networking within Enterprise IT.  There are those who are truly focused on an end-to-end view of security (or who just freakishly enjoy security), and then those who are usually okay with just implementing a perimeter FW and maybe an IDS/IPS.  So, on your "typical" Enterprise LAN, all hosts are inherently trusted, and communication between clients and servers, clients and clients, and servers and servers is unprotected.  I will say that in 2011 I've seen this starting to change: infrastructure security is becoming even more critical for the average "mid-market" customer for various reasons, but heavily attributable to the wide adoption of smart phones, tablets, and the whole "Bring Your Own Device" (BYOD) mantra being driven by the consumer.

Anyway, what does this have to do with OpenFlow/SDN?  Nothing…yet, but the question that came to me while I was in a meeting with a NYC based financial firm last week was, “How will security be perceived with running a *real* virtualized network with control plane separation happening at a controller?” 

Before I go any further, here is some background…

I was meeting with the network team to discuss a basic network design that required several physical switches, with only a few ports on each being used.  Physical separation is the norm for the customer.  Note: this is L2 only, and there are no SVIs configured.  Being new to the account, I asked why we couldn't collapse these.  Because they were stackable switches (and were not being stacked), I also asked whether we could stack them to simplify management.  The answer to both was NO, and the reasoning was simple: the security team does not see VLANs as a reasonable way to accomplish network isolation.  The network team did state that VRFs would suffice and would pass muster with the security team, but since VRFs are an L3 technology, they aren't a fit here.  PVLANs may have worked, but it seemed to be a very sore subject.

Enter OpenFlow.

What if their network were virtualized by means of an OpenFlow-enabled solution using a Big Switch controller (BSC)?  Two weeks ago, I wrote about the demo Big Switch gave.  Like I said then, it was pretty sweet.  They created a logical switch in seconds using the BSC (hope you all like the acronym ;)).  What if the customer I'm referring to used the BSC and created several logical switches?  They would look and feel like separate physical switches, with no communication between them, even though they would be riding on the same hardware.  No complex PVLANs either.  This sounds attractive and was exactly what I was thinking during the meeting.  Would this have worked?

BUT, is the "logical" or "virtual" switch secure?  Actually, I'll rephrase that, because the more important question is, "how would this be perceived by organizations that have security teams?"  One of my first career lessons was "perception is reality," so whether or not it is secure, what will the perception be?  I think that for what I described above, this would be no issue for the "typical" Enterprise, but for those with security teams, I'm not so sure.

Based on what I’ve read, it would seem Big Switch (or any other controller vendor) is being extremely creative and doing some funky MAC-learning tricks to produce mini virtual switches. 
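To make the isolation argument concrete, here is an added illustration (my own code, not Big Switch's controller and not anything from the original post) of the kind of forwarding logic a controller needs in order to carve one physical OpenFlow switch into several logical switches: the MAC table and the flood domain are both scoped to the logical switch that owns the ingress port, so no flow entry the controller installs can ever forward across a partition. The port assignments, MAC addresses and the `packet_in`/`flow_table` API shape are constructed for the example.

```python
"""Illustrative model of a controller carving one physical OpenFlow switch
into isolated logical switches. Hypothetical code: not Big Switch's
controller, just the forwarding logic described in the post."""

FLOOD = "flood"
OUTPUT = "output"
DROP = "drop"


class PartitionedLearningSwitch:
    """One physical switch; each port is assigned to exactly one logical
    switch. MAC learning and flooding are scoped to the logical switch so
    no installed flow entry forwards between partitions."""

    def __init__(self, port_to_lswitch):
        self.port_to_lswitch = dict(port_to_lswitch)
        self.mac_table = {}   # (logical switch, MAC) -> port
        self.flow_table = []  # entries as the controller would push them

    def members(self, lswitch):
        """Ports belonging to one logical switch, in ascending order."""
        return sorted(p for p, l in self.port_to_lswitch.items() if l == lswitch)

    def packet_in(self, in_port, src_mac, dst_mac):
        """Controller's packet-in handler. Returns (action, list of ports)."""
        lswitch = self.port_to_lswitch.get(in_port)
        if lswitch is None:
            # Port not assigned to any logical switch: drop, never flood.
            return (DROP, [])
        # Learn the source MAC scoped to this logical switch only.
        self.mac_table[(lswitch, src_mac)] = in_port
        out_port = self.mac_table.get((lswitch, dst_mac))
        if out_port is None or out_port == in_port:
            # Unknown destination: flood to the other ports of this logical
            # switch only, not to the whole physical switch.
            return (FLOOD, [p for p in self.members(lswitch) if p != in_port])
        # Known destination: push an exact-match flow entry.
        self.flow_table.append({
            "match": {"in_port": in_port, "dl_dst": dst_mac},
            "actions": [(OUTPUT, out_port)],
        })
        return (OUTPUT, [out_port])

    def isolation_holds(self):
        """Audit: every installed flow keeps traffic inside one logical switch."""
        for entry in self.flow_table:
            src = self.port_to_lswitch.get(entry["match"]["in_port"])
            for _, port in entry["actions"]:
                if self.port_to_lswitch.get(port) != src:
                    return False
        return True


def demo():
    # Constructed topology: ports 1-2 form logical switch "A", ports 3-4
    # form logical switch "B", port 5 is unassigned.
    sw = PartitionedLearningSwitch({1: "A", 2: "A", 3: "B", 4: "B"})
    h1, h2, h3 = "00:00:00:00:00:01", "00:00:00:00:00:02", "00:00:00:00:00:03"
    results = {}
    # h1 on port 1 (A) talks to h2 on port 2 (A): first packet floods within A.
    results["a_flood"] = sw.packet_in(1, h1, h2)
    results["a_reply"] = sw.packet_in(2, h2, h1)   # h1 already learned in A
    # h3 on port 3 (B) tries to reach h1: h1 is unknown in B, so only B's
    # port 4 sees the flood and A's entry for h1 is never consulted.
    results["b_cross"] = sw.packet_in(3, h3, h1)
    # Duplicate MAC: a host on port 4 reuses h1's address. It is learned as
    # ("B", h1) and does not disturb ("A", h1).
    results["b_dup"] = sw.packet_in(4, h1, h3)
    results["a_after_dup"] = sw.packet_in(2, h2, h1)
    results["unassigned"] = sw.packet_in(5, h1, h2)
    results["isolated"] = sw.isolation_holds()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The model keeps the security argument simple enough to audit: `isolation_holds` walks the flow table and confirms that no entry's output port belongs to a different partition than its ingress port, which is the check a security team could ask a controller vendor to expose. What the model deliberately does not show is the other half of the trust question, namely that the controller itself and the switch's implementation of the flow table are now the things that must be trusted instead of VLAN tags.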

What do YOU think: should there be security concerns?  Remember, focus on perception.  Lastly, do the companies driving the OpenFlow/SDN industry momentum need to have targeted messaging at some point to gain the mindshare of security-focused individuals and teams?

Comments

04/20/2012 09:50

Hi!

Really liked your approach (and whole site, really). I made some tentative writings on OF/SDN a few months back, but your point about perception is very interesting.

Ultimately, I think it will boil down to what is acceptable risk and cost, either direct or indirect. There will be a period of immature implementations on switches that may lead to incidents - similar to VLAN hopping - but these things will improve. Then, the onus will be on the security side to explain why OF/SDN should NOT be used.

Will follow you more closely now... keep up the great writing!

