Goldman Sachs, the only Enterprise that sits on the Board of the Open Networking Foundation (ONF), had a key speaking slot at the 2013 Open Networking Summit in the “Software Defined Networking (SDN) for Enterprises” session. Steve Schwartz, global head of Telecommunications and Market Data Services at GS, gave the presentation. Highlights from this session include:
- Goldman mentioned commodity switches twice.
- Within weeks/months, they will be going into production with two (2) SDN deployments. One of them is the commonly talked about SDN application using commodity hardware as matrix switches with an app on top of a controller to direct flows; the other is to replace bump in the wire firewalls. There are several spots in the Goldman network that have FWs deployed that are costly to buy and manage. Schwartz stated that maintaining FW state is not a requirement for these areas of the network for Goldman. They’ll be using commodity switches as glorified packet filters that will require bi-directional ACLs to be configured from the controller and delivered down to the switches forwarding tables.
- It took a junior engineer just a few weeks to develop a lightweight FW application that sits on top of a SDN controller
- Floodlight was mentioned by Goldman, but not stated if it was being used for one or both applications mentioned. No surprise given the investment of GS into Big Switch Networks.
This can raise the question for Enterprises – are stateful firewalls *required* for single tenant data centers for intra-DC traffic as bandwidth requirements increase and nothing but multi-10G firewalls are available that cost 100s of thousands of dollars for environments that are already deploying 40G/100G switching infrastructure? Same actually holds true for virtual security solutions leveraging ACLs like the Cisco Virtual Security Gateway meant for intra-tenant traffic.
Nick Buraglio wrote a few months back in an article: “Think of buying an OpenFlow capable device with 40 and 100G interfaces in it as your firewall…. Port cost is very low. CAPEX is low. OPEX is also fairly low since it is just a normal piece of network hardware. “ This is an option for those customers who want big box FWs and do not want to go down the path of scale-out designs with or without Network Functions Virtualization (NFV).
We’ll see if security teams adapt and re-think requirements for statefulness in certain parts of the network and if any companies follow Goldman’s lead on SDN in the Enterprise.
Note: Goldman didn’t state they were using the commodity switches and SDN FW application in the data center.
Thanks,
Jason
Twitter: @jedelman8
RSS Feed
