Healthy Paranoia Show 20: SDN – Heretic of Security

The known universe has been ruled by the monolithic network device.

In this time, the most precious substance in the Universe is the ASIC.

The ASIC extends life.

The ASIC expands consciousness.

The ASIC is vital, it provides the ability to fold space. That is, travel to any part of the network.

The ASIC exists in Silicon Valley. A desolate part of the planet with vast freeways.

There is a prophecy: that merchant silicon and network virtualization will come, a messiah will lead engineers to true freedom, called SDN.

SDN is the little-death that will bring total obliteration.

Welcome all fremen (and frewomen) to the planet of Healthy Paranoia with your Bene Gesserit host, Mrs. Y. On this episode, we’ll be learning the weirding way of Software Defined Networking (SDN). Joining us is Mentat Ivan Pepelnjak from House IPspace, Space Navigator Brad Hedlund from House VMware, Baron Brent Salisbury from House Open Daylight, Ethan Banks, Supreme Bashar and Greg Ferro, Emperor of House Packetpushers. What is this enigma known as SDN? Will it be the Kwisatz Haderach of Networking? According to the Open Networking Foundation:

Software-Defined Networking (SDN) is an emerging architecture that is dynamic, manageable, cost-effective, and adaptable, making it ideal for the high-bandwidth, dynamic nature of today’s applications. This architecture decouples the network control and forwarding functions enabling the network control to become directly programmable and the underlying infrastructure to be abstracted for applications and network services. The OpenFlow™ protocol is a foundational element for building SDN solutions.

In this episode we’ll cover:

  • SDN 101 for the uninitiated
  • Benefits and impact of SDN
  • Potential use-cases in security
  • How will the infrastructure change?

Show Notes:

What is Software Defined Networking?

Open Daylight Project

OpenFlow and the Open Networking Foundation

What is a distributed firewall? by Brad Hedlund

Distributed virtual and physical routing in VMware NSX for vSphere by Brad Hedlund

Brent Salisbury’s Blog, Network Static

Packetpushers SDN content

Ivan Pepelnjak on SDN

Greg Ferro’s OpenFlow blog posts

Ethan Banks’ SDN blog posts

Brent’s and Greg’s OpenFlow book

Mrs. Y
Mrs. Y is a recovering Unix engineer working in network security. Also the host of Healthy Paranoia and official nerd hunter. She likes long walks in hubsites, traveling to security conferences and spending time in the Bat Cave. Sincerely believes that every problem can be solved with a "for" loop. When not blogging or podcasting, can be found using up her 15 minutes in the Twittersphere or Google+ as @MrsYisWhy.
  • Herr Nilsson

    Are we talking about “Data Universal Network Extensions” (DUNE)???!!!!! ;)

  • J Max

    I am listening to your show. I just have a basic question to ask about SDN. What happens if the SDN gets hacked? My understanding is most hacks occur a lot more on the application layer.

    • http://www.healthyparanoia.net/ Mrs. Y.

      You need to apply common sense in protecting the controller. You need to apply the same security controls as you would to any other management device; isolated VLAN, ACLs, restrict admin accounts. Additionally, if the controller also presents the application API for other external devices/apps, then you’ll need to do some data security for devices in the path. There isn’t a lot out there yet, so it’s not on the radar for a lot of the good application security testers, but I’m hoping it will be soon, by raising awareness.

      • J Max

        Thanks Mrs. Y. Would like to see application security testers have a whack at SDN & Software Defined everything out there. So now we can work offensively and defensively.

        • http://www.healthyparanoia.net/ Mrs. Y.

          Then start talking about it in the security community. Or do a talk at a conference. Or start banging on OpenDaylight yourself. We need people contributing and getting attention :-).

          • J Max

            I would love to start, but a hard monetary incentive would have to start taking place. Let's take for example criminal organizations that employ black hackers and give monetary incentives. As an example, if we have white hackers find low non-critical to high critical level hacks, we the community can reward them with Amazon gift cards or Bitcoins. We continue to talk but it’s just talk. My two cents.

  • PunchMonkey

    Am I the only one that got the “SDN is an orgasm” reference?

    • http://www.healthyparanoia.net/ Mrs. Y.

      Maybe I need to watch Dune again, ’cause that isn’t where I was going. But if it gets me more listeners….

  • http://northlandboy.com/ Lindsay Hill

    Good discussion, but one point struck me as odd. There was a comment along the lines of “Oh, no-one implements RBAC in vCenter, because it’s too hard”.

    This is not my experience – every environment I’ve seen in the last few years has implemented custom roles & access levels for vCenter access. This ranges from small (<100 VMs) to reasonably large (2,000+). It was reasonably straightforward to provision, so maybe I'm missing something here? I'm wondering if the objections were political rather than technical?

  • Paul

    I finally got around to listening to this episode. I find it really odd that Greg can make so much sense about cloud and so little about firewalls. Do “enterprisey” firewalls really not contain basic connection state tracking like the Linux kernel? Every stateful firewall with which I’ve ever worked can use many packet fields to match on, and it’s more than just making sure the return IP address isn’t spoofed. So ACLs are fine on a host-based firewall where they don’t need to maintain separate state from the kernel’s, but on firewalls in the network path, their usefulness is extremely limited. Am I missing something?
