Big Switch Networks has announced their BigSecure Architecture. This is a combination of their Big Monitoring Fabric Inline that is used to direct traffic through customized service chains and their x86 DPDK-based Service Nodes. The Service Nodes can process 40Gbps to 160Gbps per box, scaling out to a claimed 1Tbps of deep packet inspection.
Big Mon Inline
Big Monitoring Fabric is a visibility fabric competing with the likes of Gigamon and Ixia. BMF works by using commodity switches paired with a central controller to steer mirrored traffic flows from the production network to tools like a network packet broker would. There’s more to the story, but BMF itself is not our focus here.
One thing that captured my imagination in a recent chat with Big Switch is the interesting use of BMF they call Big Mon Inline. This product isn’t new, but understanding it is key to understanding BigSecure Architecture, which we’ll get to next.
Big Mon Inline works via traffic steering. Switches are programmed via a central controller to steer specific traffic flows to specific ports. If you take that idea out of the visibility fabric and place it into the context of a DMZ, you’ve got a platform that can selectively steer traffic through security tools on the way from an untrusted network to a trusted network and back.
I’ve been involved with several DMZs over the years. One security flow that I recall from days of yore was as follows.
- Untrusted network.
- Ingress router with a filtering ACL.
- Firewall monitoring flow state, also with a filtering ACL.
- IPS to negotiate TCP handshakes and perform higher level inspections.
- Load balancer with WAF, spraying traffic to a reverse proxy pool.
- Reverse proxy pool running Apache with security plug-in of the day.
- Second firewall monitoring flow state, also with a filtering ACL.
- Trusted network.
This was, of course, in an array of mixed active/active/etc. clusters or active/standby pairs, all depending on the platform in question. And it was all in-line. There were also redundant switch pairs in the mix. But conceptually, the traffic flowed in and out of each device symmetrically up and down the chain. We called it security. And we liked it.
Actually, we sort of hated it. Why? Troubleshooting was immensely complex, because each link of the chain represented a possible point of congestion or traffic loss. When there was an application outage, troubleshooting the chain was an all-hands-on-deck affair, with key players monitoring transactions each step of the way to detect where the breakdown was occurring. We had no choice but to troubleshoot the issue in this way.
Big Mon Inline changes all of that. Imagine being able to steer traffic through devices in the chain. In production. Selectively. Troubleshooting goes from choosing a transaction and following it through the chain with mirror ports and tcpdumps to checking results after steering traffic to various parts of the chain. No more hoping to catch the flow in question at the right places and then make inferences on a painful bridge call that’s been going on for hours.
Now, you can steer the flow via process of elimination through the chain, and see firm results with each topology change. Think about that. You could change — in production — a single test traffic flow to nail down a problem in an orderly fashion without ever having to move a cable or place other flows at additional risk.
I’m painting a panacea that might seem a little naive. After all, if a firewall is performing NAT, it would be hard to remove from the chain. But don’t miss the flexibility that’s available overall. Service chaining through the DMZ offers some very interesting design options.
Troubleshooting is one application that comes to my mind for Big Mon Inline, but to be clear, there are other use cases for the DMZ. BigSecure Architecture is one such use case. Building on Big Mon Inline, Big Switch has paired it with their Service Nodes, creating a terabit-scale deep packet filtering engine.
The Service Node is the x86 DPDK device that handles the fancy packet processing that can’t be done on a commodity switch. The Service Node performs functions such as de-duplication, packet slicing, packet masking, header stripping, regex matching for DPI, and netflow record generation.
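To make the Service Node functions listed above concrete, here is an added toy implementation of three of them (de-duplication, packet masking and packet slicing) operating on raw frames. This is illustration code written for this post, not Big Switch's Service Node software; it assumes untagged Ethernet + IPv4 without options + TCP (a 54-byte header) so that TTL and the IP checksum, which legitimately differ between copies of the same packet captured at different taps, can be ignored when de-duplicating. The sample packets and the card-number pattern are constructed for the example.

```python
# Added illustration of Service Node style packet functions on raw bytes.
# Hypothetical code, not Big Switch's implementation. Layout assumption:
# Ethernet(14) + IPv4 without options(20) + TCP(20) = 54 header bytes.
import hashlib
import re
from collections import deque

HEADER_LEN = 54
IP_TTL_OFF = 14 + 8          # IPv4 TTL byte
IP_CSUM_OFF = 14 + 10        # IPv4 header checksum (2 bytes)

# Constructed pattern: 16-digit card-like numbers with optional separators.
CARD_RE = re.compile(rb"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b")


def slice_packet(pkt: bytes, keep: int = 64) -> bytes:
    """Packet slicing: truncate the frame after `keep` bytes so downstream
    tools see headers but not full payload."""
    return pkt[:keep]


def mask_payload(pkt: bytes, header_len: int = HEADER_LEN,
                 pattern=CARD_RE, fill: bytes = b"X") -> bytes:
    """Packet masking: overwrite pattern matches in the payload with a
    same-length filler, leaving the first header_len bytes untouched."""
    header, payload = pkt[:header_len], pkt[header_len:]
    masked = pattern.sub(lambda m: fill * len(m.group(0)), payload)
    return header + masked


def dedup_key(pkt: bytes) -> bytes:
    """Hash of the packet with fields that change per hop zeroed, so two
    copies of one packet seen at different taps collapse to one key."""
    b = bytearray(pkt)
    if len(b) >= IP_CSUM_OFF + 2:
        b[IP_TTL_OFF] = 0
        b[IP_CSUM_OFF:IP_CSUM_OFF + 2] = b"\x00\x00"
    return hashlib.sha256(bytes(b)).digest()


class Deduplicator:
    """Drop repeat copies of a packet seen within a sliding window of the
    last `window` distinct packets."""

    def __init__(self, window: int = 1000):
        self.window = window
        self.recent = deque()     # keys in arrival order, for eviction
        self.seen = set()         # keys currently inside the window

    def is_duplicate(self, pkt: bytes) -> bool:
        key = dedup_key(pkt)
        if key in self.seen:
            return True
        self.seen.add(key)
        self.recent.append(key)
        if len(self.recent) > self.window:
            self.seen.discard(self.recent.popleft())
        return False


def process(packets, keep: int = 0, window: int = 1000) -> list:
    """Run dedup -> mask -> (optional) slice over a packet list and return
    the frames that would be forwarded to the tools."""
    dedup = Deduplicator(window=window)
    out = []
    for pkt in packets:
        if dedup.is_duplicate(pkt):
            continue
        pkt = mask_payload(pkt)
        if keep:
            pkt = slice_packet(pkt, keep)
        out.append(pkt)
    return out


if __name__ == "__main__":
    # Constructed sample: same packet captured before and after a router hop.
    hdr = bytearray(HEADER_LEN)
    hdr[12:14] = b"\x08\x00"   # EtherType IPv4
    hdr[14] = 0x45             # IPv4, IHL 5
    hdr[IP_TTL_OFF] = 64
    hdr2 = bytearray(hdr)
    hdr2[IP_TTL_OFF] = 63      # TTL decremented by the hop
    body = b"POST /pay card=4111 1111 1111 1111 ok"
    for frame in process([bytes(hdr) + body, bytes(hdr2) + body]):
        print(frame[HEADER_LEN:])
```

The three functions are intentionally independent so each can be placed in a chain on its own; in a real fabric the order matters (masking before slicing, otherwise the slice may cut the match you intended to mask).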
The last piece of the BigSecure Architecture puzzle is integration with third party tools. This is key to understanding the value of BigSecure Architecture. Think of it this way. Big Switch is separating the security components into two elements. One element is the switching infrastructure the traffic normally flows through. The second element is the third party attack detection & mitigation tools that are off to the side.
In BigSecure architecture, traffic flows into the monitored segment. Selected traffic is sent off to tools for inspection. When a tool detects an attack, it programs the Big Mon Inline via an API exposed on the Big Mon Controller to filter traffic. Tool integration is up to the consumer and to partnerships. Big Switch has already partnered with A10 for a DDoS mitigation use case.
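The two ideas this post leans on, steering a single flow through a reduced chain to troubleshoot by elimination, and an off-to-the-side tool pushing a filter back to the controller when it sees an attack, are easier to reason about as a small model. The following is an added toy controller written for this post; it is not Big Switch's Big Mon Controller API, and every class, method, rule field and chain element name is a hypothetical stand-in. The detector is a deliberately crude new-flows-per-/24 counter, standing in for whatever a partner tool would actually do, and the flow records are constructed.

```python
# Added toy model of controller-driven service chaining. Hypothetical code:
# none of these names are the Big Mon Controller API.
from collections import Counter
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# The DMZ chain from the post, untrusted side first (names are placeholders).
DEFAULT_CHAIN = ["ingress-acl", "fw1", "ips", "lb-waf", "proxy-pool", "fw2"]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class Rule:
    """One steering or filter rule. 'src' matches as a CIDR, other fields
    exactly; a missing field is a wildcard. Highest priority wins."""
    match: dict
    action: str                      # "steer" or "drop"
    chain: list = field(default_factory=list)
    priority: int = 0
    note: str = ""

    def matches(self, flow: Flow) -> bool:
        for key, want in self.match.items():
            have = getattr(flow, key)
            if key == "src":
                if ip_address(have) not in ip_network(want):
                    return False
            elif have != want:
                return False
        return True


class Controller:
    """Hypothetical central controller that programs the steering switches."""

    def __init__(self, default_chain):
        self.default_chain = list(default_chain)
        self.rules = []

    def add_rule(self, rule: Rule) -> None:
        self.rules.append(rule)
        self.rules.sort(key=lambda r: -r.priority)   # stable, highest first

    def resolve(self, flow: Flow):
        """Return (action, ordered chain); no match means the full chain."""
        for rule in self.rules:
            if rule.matches(flow):
                return rule.action, list(rule.chain)
        return "steer", list(self.default_chain)

    def bypass_for_test(self, flow: Flow, skip: str) -> Rule:
        """Troubleshooting by elimination: pin one 5-tuple to the chain with
        a single device removed. Every other flow keeps the full chain."""
        chain = [s for s in self.default_chain if s != skip]
        rule = Rule(match={"src": flow.src + "/32", "dst": flow.dst,
                           "proto": flow.proto, "dport": flow.dport},
                    action="steer", chain=chain, priority=100,
                    note=f"test flow, bypass {skip}")
        self.add_rule(rule)
        return rule


def detect_and_block(controller: Controller, records, threshold: int) -> list:
    """Stand-in for a third-party tool: count flows per source /24 and push a
    drop rule to the controller for any /24 at or above the threshold."""
    per_net = Counter(str(ip_network(r.src + "/24", strict=False)) for r in records)
    blocked = []
    for net, n in per_net.items():
        if n >= threshold:
            controller.add_rule(Rule(match={"src": net}, action="drop",
                                     priority=50, note=f"{n} flows"))
            blocked.append(net)
    return sorted(blocked)


if __name__ == "__main__":
    ctl = Controller(DEFAULT_CHAIN)
    test_flow = Flow("203.0.113.7", "192.0.2.10", "tcp", 443)   # constructed
    ctl.bypass_for_test(test_flow, "ips")
    print("test flow path:", ctl.resolve(test_flow))
    print("other flow path:", ctl.resolve(Flow("203.0.113.8", "192.0.2.10", "tcp", 443)))
    burst = [Flow(f"198.51.100.{i}", "192.0.2.10", "tcp", 80) for i in range(1, 21)]
    print("blocked:", detect_and_block(ctl, burst, threshold=10))
    print("attacker now:", ctl.resolve(Flow("198.51.100.200", "192.0.2.10", "tcp", 80)))
```

The priority ordering is the point worth noticing: the troubleshooting rule is pinned to one exact 5-tuple at a higher priority than the detector's /24-wide drop, so a test flow you are deliberately steering is not silently swallowed by a mitigation rule the tool pushed while you were on the bridge call. In a real deployment you would want the tool's API access to the controller scoped to adding and removing filter rules only, and every rule it installs logged with the tool's identity and the evidence behind it.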
The view from the hot aisle.
I am fascinated by products that change the status quo, and I believe BigSecure Architecture is a potential winner. The use case is specific and targeted. Although the biggest beneficiaries will be service providers, enterprises are also likely to find BigSecure Architecture compelling. I see the elements of flexibility, scalability, and programmability as appealing to a broad range of potential customers.
Taking a step back, Big Switch Networks has taken a clever approach to market that’s distinct from what so many startups do. Often, a startup identifies a problem and creates a one-trick pony to resolve the issue. By contrast, Big Switch created a programmable networking platform, and has carefully and deliberately built specific products on that platform that address problems in a non-disruptive way. They find a problem, consider TAM, create a product, and proceed. Smart.
This sort of problem-solving is where SDN as a technology has found its market. Find the challenge that’s difficult or impossible to solve with traditional networking approaches. Attack the problem with software and programmable infrastructure. Profit.
I’m keen to see what else BSN comes up with for 2017.