SDN Software Defined Networking The Evolution of the Network

(1)

A Member of OneBeacon Insurance Group

SDN – Software Defined Networking

The Evolution of the Network

Author: Tushar Nandwana, Risk Control Technology Segment Manager Published: August 2014

”Software Defined Networking” or SDN is an emerging technology that allows for more granular control over a network’s data traffic streams. As this cutting-edge technology is expected to be adopted industry-wide within several years, understanding this technology and its importance to information technology (“IT”) functions is critical. SDN provides vast benefits to IT, and with its anticipated exponential growth, businesses are expected to increase their IT spending to incorporate this technology. To support this networking paradigm shift, new startups, as well as existing firms will enter this market to provide products and associated services to implement and manage SDN.

As an emerging technology, growth forecasts vary greatly, ranging from $3.7 billion in 2016 (IDC)¹ to $3.1 billion in 2017 (Infonetics)² to $5.41 billion in 2018 (Research and Markets)³ to a lofty $35 billion by 2018 (SDNCentral)⁴. Revenues from SDN-type products were estimated at $360 million in 2013⁵, while the number of firms specializing in SDN has gone from zero in 2009 to 225 in 2013.⁶

This paper provides an overview of SDN, including what makes it so significant, defines important associated terms, applications and uses, and reviews its benefits and risks. The goal is to enable the reader to understand this complex technology, ascertain risks and controls, and have greater confidence when prospecting or working with clients in this space.

In its simplest form, SDN can be thought of as pulling the intelligence away from your networking hardware and centralizing it. Networking hardware consists generally of routers and switches that manage the flow of data across the network. It is making the networking equipment “dumber” but then creating a centralized control management system that makes the network as a whole far more intelligent. SDN is about separating the “control plane” from the “data or forwarding plane” and then centralizing the control plane.

 Data or Forwarding Plane – Within a switch or a router, this moves or “forwards” an incoming data packet from point A to point B. This would be analogous to streets carrying vehicles where the automobile traffic represents the data traffic flow. Within the SDN framework, a router/switch would have minimal intelligence. It would be a dumb device waiting for the control plane to configure it on the fly.

 Control Plane – This is the intelligence component of the router/switch that will be centrally managed when SDN is deployed. Using the street traffic analogy, it functions as the traffic cop or street light that directs traffic (data traffic) flow. This set of management services allows IT to control and manage all of the SDN enabled

routers/switches in the network. Control can be performed manually by IT staff, based on established rules or programmatically through system awareness.

Executive Summary

What is it?

(2)

The Evolution of the Network g to the Next Taking Printing to

SDN is the next phase of virtualization and to better understand its evolutionary process, a short history lesson in virtualization is helpful. This is summarized below and also explained in this YouTube video.⁷

 Data Storage (SANS) - About 15-20 years ago, the computer was a box that held everything - the power supply, processor, hard drive data storage, memory, etc.

However, if something failed within the box, such as its power supply or hard drive, data access was unavailable and total data loss a real possibility. SANS (storage area networks) were created as one way to counter this. The hard drives were pulled out of the box and separated from the servers that controlled them. The individual drives were now in rack configurations with several dozen drives per rack. A file could be stored over multiple drives in multiple SAN racks, while centralized management software monitored, managed and indexed the data. Users access the SAN over a network to retrieve, store and delete their data without realizing that their data is being stored in multiple places. The centralized system allowed IT to balance the load on the SANs and manage backup procedures, making the system more efficient and resilient.

 Physical Servers – After data storage, the next step was the evolution of the physical server device. Historically, the operating system and all applications resided on a single physical server. However, this became highly inefficient because the servers were not always in use; in fact they were spending much of the time idle. Virtualization software was developed and enabled multiple “virtual machines” (“VMs”) to be run or “instanced”

on a single physical server. A single physical server could now host many VMs with multiple operating systems and different applications stored in these at any given time, allowing multiple users to access and efficiently use the server. A centralized software- based management system controls the creation (a.k.a. spawning) and deletion of the VM instances. They could be spawned when needed for a workflow and deleted thereafter. The operating system and applications were now independent of the physical server. In this case, intelligence associated with the physical server was removed, and the control system was centralized. Like the SAN example, this allowed IT to centrally manage racks of servers and use its resources more efficiently.

As noted in these two examples, intelligence was separated from the underlying hardware device and a centralized system was created to control it. However, networks themselves (the systems that route the data between devices) continued to get bigger, faster and better but didn’t evolve as there was no compelling reason for networks to become more efficient. However due to the recent advent of cloud-based services, a viable reason now exists. SDN is the next evolutionary step for networking.

Network routers and switches are intelligent, meaning they can be programmed to manage the flow of data – to prioritize data flow based on data type, users, application or other requirements.

Why is prioritization important? Real-time communications data flow such as VoIP phone calls, streaming movies or IP-based video (TV, security cameras) require that the data packets travels from point A to B as quickly as possible – with minimal “jitter.” Jitter is a variation in the delay present between packets in such communication. If the delay is too large, packets may be dropped and affect the clarity of the communication. Any delays would cause a disruption in the communication or viewing. Another example includes certain applications that are time-sensitive such as those dealing with real-time financial or e- commerce data. Data from such applications would have greater priority than other applications.

Evolution of Virtualization

Data Prioritization

(3)

On the other hand, file data such as emails, photos, etc. is not real time and would have less priority. These different priority levels are configured by IT into every router and switch within the network, allowing the network to operate efficiently and provide optimum service.

Data traffic flow within a network has always been important, but it became more so with the changes in traffic patterns. Data traffic has evolved from being static to being more dynamic.

 In the 90s data traffic was primarily files (email, video, application-based) and the architecture was client-server based. Data generally flowed in a north-south pattern – meaning that data traveled from the client (individual office PCs) up to a server at the data center or via the Internet and back down. There was a certain level of

homogeneity to the data and IT configured network devices to efficiently route such traffic.

 In the mid-2000s, the advent of VoIP, other IP-based data (YouTube, Skype, security) added the element of real-time traffic.

 Since 2010, with the distribution of databases across servers, use of VMs and cloudbased storage or processing, data center traffic now flows in the east-west and north- south directions. East-west means traffic between machines such as across servers/VMs in a data center or across multiple data centers. “Users are changing network traffic patterns as they push for access to corporate content and applications from any type of device (including their own), connecting from anywhere, at any time.”⁸ The significant rise in cloudbased services and big data requires more bandwidth⁹ and results in significantly more traffic. Data traffic flow now is quite dynamic and looks significantly different than data from the 1990s.

The current routers and switches were designed for static data traffic and had static network architecture. Although they are configurable, they cannot be configured

dynamically or on a real-time basis; it requires manual adjustments. With the new shift in computing workloads and data traffic, the routers and switches need the flexibility for dynamic configuration on a real-time basis. The current antiquated architecture needs to be overhauled, opening the door for SDN.

SDN is both a hardware and software solution. OpenFlow is an open communication protocol that was developed through the Open Networking Foundation (ONF) and its member companies. The physical routers and switches need to be SDN-enabled in order to work with an OpenFlow-based controller. OpenFlow-based controllers generally consist of a physical or virtual server with specialized software.

As this is an emerging technology, there are a few established providers and numerous startups – offering partial to complete SDN solutions. The established firms have an edge on the startups and it is likely that in the next few years, consolidation will occur in the SDN market, and only a few firms will emerge as key players.

Some of the established firms include familiar brands, such as Cisco, VMWare, Hewlett Packard, Juniper, IBM and others. Some startups include Nuage, PlumGRID, Midokura, Plexxi, and others. Many offer solutions using the ONF’s OpenFlow protocol while a few offer proprietary or hybrid solutions.

What does SDN look like &

Who are the players?

Static vs. Dynamic Data Traffic and Networks

(4)

Enterprises that have dynamic large data traffic flows will be the first to embrace SDN as their new networking architecture, driven by the opportunity for efficiency – both

performance and cost-based. These include data centers, cloud service providers and very large enterprises that have vast networks, and industries including banking/finance, government, telecommunications, IT services and education.

The benefits of incorporating SDN architecture for an enterprise network are substantial.

These include:

 Programmatic control enabling real time changes – The centralized control panel can be programmed to alter data traffic prioritization levels and other aspects of specific routers and switches on a real-time basis. This can be done centrally either by IT or through automatic rules set to handle these tasks. The automatic rules can centrally configure the network devices on a real-time basis, based on traffic flow and demand.

This allows for more efficient use of bandwidth, better data flow, better end-user experience, support of business needs, and a more resilient network.

 Efficiency and lower long-term costs – The centralized system allows IT to collectively configure and control the entire group or subset of routers/switches. With the prior architecture, each router has to be configured individually making it quite arduous. SDN is more efficient at utilizing bandwidth and thereby allows IT to squeeze more

performance from existing equipment, thereby reducing additional capital expenditures.

 Centralized control of multi-vendor environments – If a network device is OpenFlow- enabled it allows the SDN control software to manage all such devices regardless of vendor. IT is able to quickly deploy and configure OpenFlow enabled devices across the entire network.

 Agility and flexibility¹⁰ – SDN allows IT to easily deploy new applications and services enabling the enterprise to initiate new business processes. This can be done centrally, eliminating the need for IT reconfiguration of individual devices on the network.

 Increased network reliability and security – The centralized approach allows IT to maintain consistent policies across all network hardware. Updates can be applied readily to affected devices. They can also apply policies to individual devices, users, applications, etc.

 Data traffic management – This approach enable managing peak traffic ebbs and flows on a real-time basis.

With all technologies, there will be issues that affect how quickly it is adopted. Additionally, there are new risks created by this new technology. A few are discussed below:

 New hardware – To achieve the benefits of OpenFlow and SDN, the network hardware has to be SDN-enabled. The OpenFlow controller can manage only those devices that are OpenFlow-enabled, meaning that an organization must buy new hardware to realize the benefit of SDN. This may present a significant capital expenditure, although, it can be managed if the enterprise phases in the introduction of new networking by creating a hybrid network (SDN and non-SDN enabled) in the interim. This can be done as part of the natural network replacement cycle to replace aging equipment. The initial short- term cost can also be tempered against the long-term benefit of this system.

 Security Concerns – With all of the network controls centralized into one server, the entire network could be greatly susceptible if someone were to hack or upload malware Benefits for the Enterprise IT

Risk & Issues Key Customers & Applications

(5)

to the control plane server. IT must take great care in adequately securing this critical piece of hardware. The ONF has identified two basic SDN security issues¹¹:

o “The centralized controller emerges as a potential single point of attack and failure that must be protected from threats.” This is a highly unique threat because “traditional network management tools didn’t give you the flexibility to dynamically change the behavior of a network on a node-by-node basis.”¹² With centralized control, all of the eggs are in one basket. If a third-party gains control of the controller, they could cause havoc with much of the network. “The southbound interface between the controller and underlying networking devices (that is, OpenFlow), is vulnerable to threats that could degrade the availability, performance, and integrity of the network.” As a mitigating factor, OpenFlow does specify the use of TLS (transport layer security) which supports authentication and encryption to secure the connection between the controller and network devices. However, IT should verify authentication and encryption controls have been implemented appropriately.

o There could be a targeted DDOS attack against this dedicated controller server which prevents it from carrying out its function and impacting the underlying network. “Hackers might target controllers, switches or even virtual switches with denial-of-service attacks.”¹³

o A compromised or hijacked controller could direct data flows to an outside, third party.

 Controller failure – With a centralized controller, what happens if there is hardware failure or software corruption? What are the ramifications to the network if the controller does fail? Data traffic would continue to flow per the most recent

configuration and the network will remain viable. However, given enough time, the lack of a controller would affect traffic flow and negatively impact the network’s

performance. On the plus side, once the controller is reinitiated, the flow of data can be synchronized. ONF does recommend having more than one control server to guard specifically against such failure.

SDN is fairly new and large volume implementations are two to three years in the future.

Furthermore, there are currently various flavors of SDN (OpenFlow, proprietary and hybrid) but over time there will likely be more standardization. There are security concerns and uncertainties with SDN and these will need to be adequately addressed. However, based on the important productivity and economic benefits that SDN can provide to enterprises and IT departments, it is clearly an emerging technology with enormous potential that will see significant growth in the future. Growth in the market will result in additional vendors, including startups, entering this highly lucrative space, ultimately providing even more benefits than those anticipated at this stage.

To learn more about how OneBeacon Technology Insurance can help you manage online and other technology risks, please contact Lloyd Takata, EVP of OneBeacon Technology Insurance at ltakata@onebeacontech.com or 952.852.6028.

Contact Us Conclusion

(6)

1 Duffy, Jim (November 12, 2013). “SDDCs doubling every year.” Networkworld. Accessed May 2014. http://www.networkworld.com/community/blog/sddcs-doubling-every-year

2 Grossner, Clifford (December 9, 2013). “2014 Market size and forecast.” Infonetics.

Accessed May 2014. http://www.infonetics.com/pr/2013/Data-Center-and-SDN-Market- Highlights.asp

3 Ibid 1

4 Palmer, Matthew (April 24, 2013). “Infographic: SDN market size to reach $35billion by 2018.” SDNCentral. Accessed May 2014. http://www.sdncentral.com/infographic-sdn- market-to-reach-35b-by-2018/

5 Ibid 1

6 Ibid 4

7 YouTube Video on Introduction to SDN -

http://www.youtube.com/watch?v=2BJyIIIYU8E

8 Open Networking Foundation (April 13, 2012). “Software-Defined Networking: The New Norms for Networks.” Accessed May 2014. Page 3.

https://www.opennetworking.org/images/stories/downloads/sdn-resources/white- papers/wp-sdn-newnorm.pdf

9 Ibid 9, page 4

10 http://www.sdncentral.com/what-the-definition-of-software-defined-networking-sdn/

11 Open Networking Foundation (October 8, 2013). “SDN Security Consideration in the Data Center.” Accessed May 2014.

https://www.opennetworking.org/images/stories/downloads/sdn-resources/solution- briefs/sb-security-data-center.pdf

12 McGillicuddy, Shamus. (February 14, 2014). “SDN security issues: How secure is the SDN stack?” TechTarget. Accessed May 2014.

http://searchsdn.techtarget.com/news/2240214438/SDN-security-issues-How-secure-is- the-SDN-stack

13 Ibid 12 References