OpenFlow Can Provide Security, Too
Indiana University's chief network architect explains how he uses OpenFlow to secure, load balance, and begin to exert some sort of unified control over a 120,000-person user network.
At last week's Interop conference in Las Vegas, software defined networking (SDN) was a dominant topic. While many vendors were talking about the promise of SDN and the OpenFlow protocol that supports it, Matt Davey, chief network architect at Indiana University (IU) is actually deploying the technology to help service the needs of the 120,000 users he supports.
OpenFlow, BYOD & SDN
While OpenFlow started out as a Stanford University research project, Davey stressed that OpenFlow isn't just for research any more. His network, the Indiana University campus, has a large footprint that includes hospitals, medical labs, hotels, conference centers and police. Long before it was a business trend, Davey was already required to support BYOD as well.
"Over 95 percent of our users have been bringing their own devices for over 20 years," Davey said.
The advantage SDN brings into play for Davey is a way to control and manage disparate networks that wasn't really possible before. Historically, each university department purchased its own infrastructure. Now the university has two big data centers with thousands of virtual machines (VMs), providing a consolidated infrastructure.
"We need to be able to give control of some of the network to departments, but we need a converged infrastructure," Davey said. "We now have groups that built applications on top of OpenFlow controllers and deployed them into production."
One of those applications is the intrusion prevention system (IPS) that the university uses which is based on the open source SNORT project. There was a need to scale up the IPS deployment, which involved the use of a load balancer.
"We needed basic load balancing capabilities to take all of our SPAN port traffic into one location and then spread that across a large number of IPS servers," Davey said. "We were able to go in on top of an open source OpenFlow controller that we built, that turns a basic top-of-rack switch into a load balancer."
As such, the network now has a 64-port 10 gigabits per second (Gbps) load balancer with a few dozen x86 servers attached to handle IPS traffic. Davey spent $20,000 in developer time to turn the switch into a load balancer using OpenFlow.
Because managing security policy across a network is a key use case for OpenFlow, Davey and his team are now looking at leveraging OpenFlow to help push rules that will mitigate attacks across the network. Davey noted that IU's security policy is all over the board with access control lists and firewalls that differ from vendor to vendor.
"We'd really like to see a system where we can define the policy with one syntax and have it pushed out to all the places that it needs to go and we think OpenFlow has a great use case there," Davey said.
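The two OpenFlow uses Davey describes, a top-of-rack switch acting as a load balancer that spreads mirrored traffic across IPS servers, and a single policy syntax compiled into rules pushed to every enforcement point, can be modelled with a handful of flow entries. The following Python is an added example, not IU's controller code and not tied to any real OpenFlow controller library: the flow table, port numbers, server count, sample flows and the policy entries are all constructed for illustration, and the match/action dicts stand in for the flow-mod messages a controller would send to a switch.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class FlowRule:
    """One OpenFlow-style flow entry: exact-match fields plus an action list."""
    match: dict
    actions: list
    priority: int = 100


@dataclass
class FlowTable:
    """Toy switch flow table with OpenFlow lookup semantics (constructed model)."""
    rules: list = field(default_factory=list)

    def install(self, rule):
        self.rules.append(rule)

    def lookup(self, pkt):
        """Return the actions of the highest-priority rule matching pkt,
        or ['controller'] on a table miss (the packet-in to the controller)."""
        hits = [r for r in self.rules
                if all(pkt.get(k) == v for k, v in r.match.items())]
        if not hits:
            return ["controller"]
        return max(hits, key=lambda r: r.priority).actions


FLOW_KEY = ("nw_src", "nw_dst", "nw_proto", "tp_src", "tp_dst")


def choose_ips_port(pkt, ips_ports):
    """Pick an IPS server port for a flow. The hash is direction-independent
    (endpoints sorted) so both halves of a session reach the same sensor;
    otherwise an IPS would see only one side of each connection."""
    a = (pkt["nw_src"], pkt["tp_src"])
    b = (pkt["nw_dst"], pkt["tp_dst"])
    lo, hi = sorted([a, b])
    key = f"{lo}|{hi}|{pkt['nw_proto']}".encode()
    return ips_ports[int(hashlib.sha256(key).hexdigest(), 16) % len(ips_ports)]


def balance_packet_in(table, pkt, span_port, ips_ports):
    """Controller logic on a table miss: install an exact-match rule for this
    flow so later packets are forwarded in hardware, and return the port."""
    port = choose_ips_port(pkt, ips_ports)
    match = {"in_port": span_port, **{k: pkt[k] for k in FLOW_KEY}}
    table.install(FlowRule(match, [f"output:{port}"]))
    return port


def compile_policy(policy, default="allow"):
    """Turn a vendor-neutral, ordered ACL into flow rules. First match wins in
    the ACL, so earlier entries get higher OpenFlow priority; a catch-all at
    priority 0 carries the default action ('normal' = ordinary forwarding)."""
    rules = []
    for i, entry in enumerate(policy):
        match = {k: v for k, v in entry.items() if k != "action"}
        actions = ["drop"] if entry["action"] == "deny" else ["normal"]
        rules.append(FlowRule(match, actions, priority=1000 - i))
    rules.append(FlowRule({}, ["drop"] if default == "deny" else ["normal"], priority=0))
    return rules


# Constructed sample data: one SPAN ingress port, four IPS sensors.
SPAN_PORT = 1
IPS_PORTS = [2, 3, 4, 5]
SAMPLE_FLOW = {"in_port": 1, "nw_src": "10.1.2.3", "nw_dst": "198.51.100.7",
               "nw_proto": 6, "tp_src": 51515, "tp_dst": 443}
REVERSE_FLOW = {**SAMPLE_FLOW, "nw_src": "198.51.100.7", "nw_dst": "10.1.2.3",
                "tp_src": 443, "tp_dst": 51515}

# Constructed single-syntax policy: block telnet, allow ssh from one admin host only.
UNIFIED_POLICY = [
    {"action": "deny", "nw_proto": 6, "tp_dst": 23},
    {"action": "allow", "nw_proto": 6, "tp_dst": 22, "nw_src": "10.1.2.3"},
    {"action": "deny", "nw_proto": 6, "tp_dst": 22},
]


def demo_load_balancer():
    """Returns (miss actions, port for A->B, port for B->A, installed actions)."""
    table = FlowTable()
    miss = table.lookup(SAMPLE_FLOW)
    p1 = balance_packet_in(table, SAMPLE_FLOW, SPAN_PORT, IPS_PORTS)
    p2 = balance_packet_in(table, REVERSE_FLOW, SPAN_PORT, IPS_PORTS)
    return miss, p1, p2, table.lookup(SAMPLE_FLOW)


def demo_policy():
    """Returns the first action for telnet, admin ssh, other ssh, and web."""
    table = FlowTable()
    for rule in compile_policy(UNIFIED_POLICY):
        table.install(rule)
    telnet = {"nw_src": "10.9.9.9", "nw_proto": 6, "tp_dst": 23}
    ssh_ok = {"nw_src": "10.1.2.3", "nw_proto": 6, "tp_dst": 22}
    ssh_bad = {"nw_src": "10.9.9.9", "nw_proto": 6, "tp_dst": 22}
    web = {"nw_src": "10.9.9.9", "nw_proto": 6, "tp_dst": 80}
    return [table.lookup(p)[0] for p in (telnet, ssh_ok, ssh_bad, web)]


if __name__ == "__main__":
    print(demo_load_balancer())
    print(demo_policy())
```

The same FlowTable serves both halves of the story: the load balancer is nothing more than a controller that answers table misses with exact-match rules whose output port is chosen by a symmetric hash, and the policy compiler is a translation from one ACL syntax into priority-ordered match/action entries that any OpenFlow switch, whatever its vendor, would enforce identically.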
Today, if you want a firewall for a building's network, you put it at the head-end of the building, i.e., at the physical entry point of the network deployment.
"What I really need to do is to start virtualizing and collect up the groups of devices that are all similar," Davey said. "Then I want to control my security policy based on what traffic flows in and out of that virtual network. That is the only way that we can scale up security policy."