Service providers and enterprises are always asking me how to insert security services into their networks. My name is Hongwen Zhang, and I’m the CEO of Wedge Networks. Wedge is the leading provider of WedgeOS — a network-based deep content inspection platform that supports network services such as anti-virus, anti-spam, DPI, and URL filtering. We speak with customers who have significant Internet infrastructures planned around SDN and OpenFlow, and who see the potential to use these technologies to insert security services into their networks.
I am writing to share the experiences our company has had with OpenFlow as a way to transparently insert a network security solution like WedgeOS into the network. This is driven by customer demand to insert new security services into existing networks, either to drive new revenue and protect IP reputation (service providers) or to increase security and compliance (enterprises). Today our customers are unable to accomplish these goals because the current approaches are inflexible and cannot accept dynamic network or flow changes in a programmatic fashion. We are excited to share that Wedge has been able to successfully deploy in, and take advantage of, OpenFlow to transparently insert security services such as URL filtering and transparent in-line anti-virus into an existing network. In addition to the current application offerings, we are confident that this will work with other types of L4 to L7 network security services and approaches as well. Below is a summary of how we used OpenFlow to transparently insert network services:
We started with the premise that we could set up an OpenFlow-enabled switch (in our lab we used an HP switch, though any OpenFlow switch should work) with an OpenFlow controller (we used Floodlight for our test, though again you can pick your own controller) to pick out specific network flows, transparently redirect them to a Wedge appliance for security processing, and re-inject the flow toward its destination without the need to re-cable the physical network. In our lab we were able to successfully redirect HTTP and HTTPS traffic through the Wedge BeSecure for processing while leaving all other traffic untouched, which inserts URL filtering between an endpoint and the Internet. This is just one example of one type of traffic flow, but it shows how we can program the network to insert security services (such as AV and anti-spam for email-related protocols like SMTP, POP, and IMAP).
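The flow-table logic behind that lab set-up can be modelled in a few dozen lines. The following is an added example, not code from Wedge Networks or from Floodlight: it models an OpenFlow switch with a client-side port, an uplink port and two ports cabled to a transparent in-line appliance, steers TCP port 80 and 443 traffic in both directions through the appliance, and bridges everything else untouched. Port numbers, rule names and priorities are assumptions. It also shows the one detail a practitioner must get right: the steering rules must be pinned to the ingress port, otherwise inspected traffic coming back from the appliance matches the steering rule again and loops.

```python
"""Model of an OpenFlow flow table for transparent security service insertion.

Constructed example (not Wedge's or Floodlight's code). Port numbers,
priorities and rule names are assumed values.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Union

# Assumed switch port assignments.
CLIENT_PORT = 1     # endpoints (LAN side)
UPLINK_PORT = 2     # towards the Internet
APPL_LAN = 3        # appliance interface facing the clients
APPL_WAN = 4        # appliance interface facing the Internet

ETH_IPV4 = 0x0800
IP_TCP = 6
STEERED_PORTS = (80, 443)   # HTTP and HTTPS, as in the lab set-up


@dataclass(frozen=True)
class Packet:
    """The header fields the flow table matches on."""
    in_port: int
    eth_type: int = ETH_IPV4
    ip_proto: int = IP_TCP
    tcp_src: int = 0
    tcp_dst: int = 0


@dataclass(frozen=True)
class FlowEntry:
    name: str
    priority: int
    match: Dict[str, int]   # field -> required value; absent fields are wildcards
    output: int             # egress port

    def matches(self, pkt: Packet) -> bool:
        return all(getattr(pkt, f) == v for f, v in self.match.items())


def build_table(pin_in_port: bool = True) -> List[FlowEntry]:
    """Return the flow table sorted highest priority first.

    pin_in_port=False omits the in_port qualifier from the steering rules;
    that is the mistake which sends appliance output back into the appliance.
    """
    tcp = {"eth_type": ETH_IPV4, "ip_proto": IP_TCP}   # OpenFlow prerequisites for tcp_* matches
    table: List[FlowEntry] = []
    for p in STEERED_PORTS:
        req = dict(tcp, tcp_dst=p)   # client -> server
        rsp = dict(tcp, tcp_src=p)   # server -> client
        if pin_in_port:
            req["in_port"] = CLIENT_PORT
            rsp["in_port"] = UPLINK_PORT
        table.append(FlowEntry(f"steer-req-{p}", 300, req, APPL_LAN))
        table.append(FlowEntry(f"steer-rsp-{p}", 300, rsp, APPL_WAN))
    # Inspected traffic leaving the appliance continues to its real destination.
    table.append(FlowEntry("from-appl-wan", 200, {"in_port": APPL_WAN}, UPLINK_PORT))
    table.append(FlowEntry("from-appl-lan", 200, {"in_port": APPL_LAN}, CLIENT_PORT))
    # Everything else is bridged untouched (no appliance, no re-cabling).
    table.append(FlowEntry("bridge-out", 100, {"in_port": CLIENT_PORT}, UPLINK_PORT))
    table.append(FlowEntry("bridge-in", 100, {"in_port": UPLINK_PORT}, CLIENT_PORT))
    return sorted(table, key=lambda e: e.priority, reverse=True)


def lookup(table: List[FlowEntry], pkt: Packet) -> Optional[int]:
    """Highest-priority matching entry wins; None models a table-miss drop."""
    for entry in table:
        if entry.matches(pkt):
            return entry.output
    return None


def trace(table: List[FlowEntry], pkt: Packet, max_hops: int = 8) -> List[Union[int, str]]:
    """Follow a packet through switch and appliance; return the ports it crosses.

    The appliance is modelled as a transparent bridge: a packet entering one
    of its interfaces re-enters the switch, unchanged, on the other one.
    """
    path: List[Union[int, str]] = [pkt.in_port]
    for _ in range(max_hops):
        out = lookup(table, pkt)
        if out is None:
            path.append("drop")
            return path
        path.append(out)
        if out in (UPLINK_PORT, CLIENT_PORT):
            return path                     # left the switch towards its destination
        reentry = APPL_WAN if out == APPL_LAN else APPL_LAN
        pkt = replace(pkt, in_port=reentry)
        path.append(reentry)
    raise RuntimeError(f"forwarding loop: {path}")


def inspected(table: List[FlowEntry], pkt: Packet) -> bool:
    """True if the packet traversed the appliance on its way out."""
    path = trace(table, pkt)
    return APPL_LAN in path or APPL_WAN in path


if __name__ == "__main__":
    tbl = build_table()
    for name, pkt in [("https request", Packet(CLIENT_PORT, tcp_src=51000, tcp_dst=443)),
                      ("https response", Packet(UPLINK_PORT, tcp_src=443, tcp_dst=51000)),
                      ("ssh", Packet(CLIENT_PORT, tcp_src=51001, tcp_dst=22))]:
        print(f"{name:15} path={trace(tbl, pkt)} inspected={inspected(tbl, pkt)}")
```

Running the module prints the path each constructed packet takes: HTTPS in both directions crosses ports 3 and 4 (the appliance), while SSH goes straight from port 1 to port 2. Calling `trace(build_table(pin_in_port=False), ...)` on the HTTPS request raises the loop error, which is the failure mode the in_port qualifier exists to prevent.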
The conventional deployments of network-based security services, all of which are readily supported by WedgeOS, fall into several categories:
- A single transparent bridge, which requires all protocols to go through the security device; load-balancing a high-volume deployment is always a challenge.
- Explicit proxy, which requires configuration on every client and is administratively near-impossible to manage.
- Proxy-caching that is transparent to the client but replaces the source IP of outgoing connections.
- WCCP, which requires the edge routers to support the protocol without performance degradation.
- Policy-based routing, which requires careful consideration of the return path to prevent asymmetric routing loops, and assignment of a dedicated layer 3 subnet for the platforms running the service.
Unlike conventional methods, SDN lets us programmatically insert a wide range of customized security services into the network on a per-flow basis. This enables new service provider business models and creates new, flexible network security deployment models for enterprises, further accelerating adoption of network virtualization.
Let’s summarize how SDN and OpenFlow enable new business opportunities for service providers and enterprises through transparent network service insertion:
- Time to market: gives providers a quick and relatively simple means of non-intrusive insertion of value-added security services.
- Utilization: the ability to pick out only the relevant flows to direct to the security platform, while leaving other flows untouched, allows providers to better utilize their security platform investments.
- Dynamic: we can dynamically decide which flows to direct to the platform and reconfigure on the fly.
I believe that SDN creates new opportunities for service providers and enterprises to deliver new types of security services in virtualized environments. Judging from our customers’ feedback, we see significant interest in fast-tracking SDN-powered security services such as WedgeOS. To learn more about Wedge and how we integrate into OpenFlow environments, visit our website or download our whitepaper: Transparent Service Insertion in SDNs Using OpenFlow.