SDN Openflow commercial applications – Part 1

In this blog, I will cover some commercial SDN Openflow applications available in the market now. SDN is the most overused term in the Networking industry now and there are different applications and technologies claiming as SDN.  I am going to cover SDN Openflow applications which rely on the model of switches supporting Openflow agent and a centralized controller running the control plane and programming the data path in the switches using Openflow protocol. The switches can either be virtual or physical switches. Following are the topics that I am planning to cover in this blog.

• SDN Openflow application model
• SDN Openflow applications. Following are some broad categories and examples of vendors providing the solutions in that category. This is not an exhaustive list..
  1. TAP Monitoring fabric – Bigswitch Big Tap monitoring fabric, Microsoft DEMon(Distributed Ethernet monitoring)
  2. Security – F5 Big Ddos, Bluecat DNS director,  HP Network protector, Radware Defenseflow, Guardicore Defense suite
  3. Network performance optimization and monitoring – Kemp adaptive load balancer, Realstatus hyperglance, Ecode Evolve, HP Network optimizer
  4. Data center fabric – Big switch big cloud fabric, HP VCN, NEC Programmable network fabric
• Final thoughts

In the first blog, I will cover the SDN Openflow application model and TAP monitoring fabric and Security applications. In the next blog, I will cover Network performance optimization and monitoring, Data center fabric and some final thoughts from my side.

SDN Openflow application model

Following picture from ONF illustrates the layers in Openflow application model.

• Bottom-most layer is the infrastructure layer and this can be physical switches or Virtual switches. These switches need to support Openflow agent.
• Controller layer is where the centralized control plane is run and the controller programs the data path in the switches using Openflow protocol. There are both open source and commercial implementations available for the controller. Examples of Open source controller implementations are Opendaylight, Floodlight. Examples of commercial controller implementations include Cisco’s XNC, HP’s VAN, NEC’s PFC etc.
• Openflow is a protocol specification from ONF that specifies the protocol used to program the hardware tables in the networking switches. The latest version is Openflow 1.4. More details on Openflow can be found in 1 of my previous blog.
• SDN applications can be written on top of the controller layer and it interacts to the controller using REST api. The goal here is to make it easy to write applications.

SDN Openflow applications

I have categorized the applications into the following categories:

1. TAP Monitoring fabric application
2. Security application
3. Network performance optimization and monitoring application
4. Data center fabric application

I will cover each of the categories below with examples.

TAP Monitoring fabric application

Span ports are critical for monitoring and and debug purposes in a data center. Typically, there are different groups within the same organization monitoring the same traffic and there are also different tools that the monitored traffic needs to be filtered and sent. The tools could be Wireshark, IDS etc. Previous monitoring solutions consisted of custom switches that did not give enough flexibility. Creating a monitoring fabric with Open flow switches gives maximum flexibility and also provides a scale-out design. Following are some examples:

Big switch’s Big Tap monitoring fabric

Following picture from Big switch shows the different blocks of Big Tap monitoring fabric:

• Filter layer contains different filtering mechanisms for filtering traffic.
• Service layer is used for packet modifications and the packets are handed here to Network packet brokers(NPB).
• Delivery layer hands over the filtered and serviced traffic to different tools that are interested in monitoring.
• Big Tap controller programs the monitoring fabric using Openflow.
• In Big switch solution, the monitoring fabric consists of bare metal switches that runs Big switch’s Switch light OS. Switch light OS has the Openflow agent built in.

Microsoft’s DEMON

Microsoft uses DEMon(Distributed Ethernet monitoring) system to monitor their data center. This was implemented by Microsoft. Following is a block diagram of their system.

• Monitor ports are connected to filter switches that are programmed using Openflow.
• Filter switches send the sflow data which the delivery switches handover to the monitoring tools.
• The monitored data is used for different analytics applications as well as for understanding any anomalies.

Security application

Security is a big concern in Data centers and use of SDN technology gives the capability to dynamically adapt to new threats. Openflow is used both to get useful information from the L2/L3 switches as well as to redirect/drop the traffic in case a positive threat is identified. SDN controllers work closely with Ddos application platforms in most cases. Following are some examples of SDN applications in this category.

F5’s Big Ddos umbrella

Following is a block diagram of F5’s Big Ddos umbrella application that works with HP VAN SDN controller.

• F5’s Big IP platform is a DDos application that monitors different kinds of threats and once it confirms that the threat is real, it talks to HP’S VAN SDN controller so that the traffic can be filtered out in the edge which is closer to where the data enters the network. HP VAN SDN controller programs the Open flow switches to drop the malicious traffic.
• This approach saves precious network bandwidth in the data center.

BlueCat DNS director

Following is a block diagram of BlueCat’s Big DNS director application that works with HP VAN SDN controller.

• This application is targeted towards security threats caused by BYOD.
• DNS director programs Openflow switches in the network using HP VAN SDN controller to redirect requests for non-corporate DNS servers towards BlueCat’s DNS server.
• BlueCat’s DNS server sends back proper DNS response and the requestor will not even know that the DNS request was intercepted.

HP Network protector

HP Network protector is a SDN application on top of HP VAN SDN controller which programs the Openflow switches. Its mainly targeted for BYOD scenarios in Enterprises. Some of the important features of HP Network protector are:

• Creating custom white and black filter lists
• Monitoring suspicious DNS requests
• Malicious identity detection

Radware Defenseflow

Defenseflow is a SDN application on top of SDN controller for DDoS protection. There are 2 variations.

• Defenseflow application monitors Openflow switches for suspicious network activity based on statistics collected.
• When suspicious activity is detected, Defenseflow application installs Openflow rules in the network switches to redirect traffic to DefensePro IDS.
• DefensePro IDS filters the traffic and sends it back to the destination.
• Radware’s Defenseflow supports the following controllers: Opendaylight, Cisco XNC, NEC PFC, Floodlight.

Radware has a joint solution with Mellanox where filtering of malicious traffic is done at the network adapter.

•  Mellanox NIC adapters are Openflow enabled. Radware’s Defenseflow application monitors statistics on Mellanox adapaters for suspicious activity.
• When suspicious activity is detected, Defenseflow application installs Openflow rules in the Mellanox adapters to redirect traffic to DefensePro IDS.
• DefensePro IDS filters the traffic and sends it back to the destination.
• The advantage of monitoring at the adapter level is that the suspicious flow is detected as close as possible to the VM.

Guardicore Defense suite

Guardicore’s Defensesuite application is built on top of HP VAN SDN controller. Its mainly targeted towards East-West traffic in Data center. If there is 1 malicious host that has got inside the data center somehow, that host can target all other hosts in data center and external firewalls wont be able to catch this. Most of the times, the suspicious connections gets blocked inside the data center by firewalls. Defense suite monitors these blocked connections using the SDN controller and redirects these connections to Active Honeypot server that responds to these connections. The malicious host would not know that it is talking to Honeypot. Using this approach, critical information can be collected about the malicious host and this would prevent attacks before happening. Following block diagram from Guardicore shows the modules involved.

References

• HP Networking – SDN applications
• Radware Defenseflow SDN application
• Big Switch SDN products
• NEC SDN solutions
• Real life SDN use cases from IP Space
• Microsoft DEMon

Pictures used in the above blog are from the references.