How Do Network Security and Application Delivery Play in the New SDN World Order?
Software Defined Networks (SDNs) are intended to help organizations simplify changes, improve multi-tenant support and increase network utilization. These benefits are achieved by separating the network control and data planes and by extending an API to the network controller such that applications can directly program the network.
As the benefits of simplifying network operation and improving overall network utilization mature, one of the most important elements — the network services — needs to be rethought. How do network security and application delivery play in a software-defined world? Is it merely a matter of extending an API and supporting new network encapsulation models in order to become SDN ready? Or is there more to it, allowing organizations to benefit from network services in an unprecedented way by taking advantage of the central control of the network?
How does SDN add value to the network?
I see SDN as a huge opportunity for network services vendors (beyond attack mitigation and ADC) to help customers increase the value of their network and network service appliances by making them work together.
When network services and network infrastructure work together by talking to each other and handing off the information needed to make optimal use of their distinct resources, instead of merely “connecting to each other” as they do today, customers will pay less and get more. Organizations will be able to load balance 20 Gbps of traffic with a 5 Gbps load balancer. But how?
The current status quo: “Static choke point”
Currently, network services are statically attached to a specific point in the network, and only a given amount of traffic, bounded by the capacity of that network port, can be forwarded to them. Furthermore, the type of traffic that can be forwarded to this port is also highly restricted, because the particular port the network service appliance connects to isn’t connected to all the networks in the datacenter. Effectively, any change to which traffic, or how much traffic, can be forwarded to the network service appliance spurs a complete network-engineering project and triggers multiple debates over how to integrate the network service upgrade seamlessly without introducing a single point of failure. I call the current status quo of network service attachment the “static choke point”, as illustrated in the following diagram:
Not only is the network configuration restrictive, constraining ongoing changes to network services and the assignment of services to new applications, but the network plays no part whatsoever in delivering the service.
Three key things your SDN applications should do for you
SDN creates more value from the network and helps justify an organization’s investment in network service appliances by making network services pervasive. In doing so, SDN significantly improves the availability, security and performance of applications.
In order to achieve this, network service vendors must think outside the box (literally) and develop SDN applications that will operate alongside their appliances. These applications should be continuously negotiating and conversing with the SDN as to the best way to deliver services per flow and session.
The SDN application should be responsible for the following aspects of the network service:
- Knowing the network topology and the ports to which each network service appliance is connected, assign the most appropriate network service appliance to a given traffic flow.
- Continuously hold the state of the network service, its delivery quality, and how these relate to defined policies and SLAs.
- Decide, for every application session, which resource should deliver the network service: a network service appliance or the SDN itself.
Due to the elaborate monitoring and flow management instrumentation that SDNs provide, binding an expert application, which inherits its intelligence from a subset of functionality available on a purpose-built network service appliance, makes a lot of sense. Challenges associated with the “static choke point” disappear when using the SDN application to dynamically attach the network service appliance to the network. Because the network plays a part in delivering the service, and network service resources are intelligently applied on a per session basis, network services can scale much farther and in a much more economical way.
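The per-session decision described above, as an added example that is not part of the original post: a hypothetical Python steering application that knows each appliance's port and capacity, holds per-flow state, sends only new sessions through the appliance, and moves each session onto the fabric once the appliance has made its decision. The appliance name, switch port and backend names are constructed; the 5 Gbps appliance and 20 Gbps of offered traffic are the figures from the post.

```python
from dataclasses import dataclass
@dataclass
class Appliance:
    """A network service appliance (an ADC here) attached to one switch port."""
    name: str
    port: str               # switch port the appliance hangs off (constructed value)
    capacity_gbps: float    # port/appliance capacity: the "static choke point"
    load_gbps: float = 0.0
@dataclass
class Flow:
    flow_id: str
    rate_gbps: float
class SteeringApp:
    """Hypothetical SDN app: per-session state plus appliance-or-fabric steering."""
    def __init__(self, appliances):
        self.appliances = appliances
        self.rules = {}     # flow_id -> "appliance:<name>" or "fabric:<backend>"
        self.peak_appliance_gbps = 0.0

    def admit(self, flow):
        """New session: steer it to the appliance with the most headroom, or refuse it."""
        best = max(self.appliances, key=lambda a: a.capacity_gbps - a.load_gbps)
        if best.capacity_gbps - best.load_gbps < flow.rate_gbps:
            return None     # fail closed: no appliance has room for this session
        best.load_gbps += flow.rate_gbps
        self.peak_appliance_gbps = max(self.peak_appliance_gbps, best.load_gbps)
        self.rules[flow.flow_id] = f"appliance:{best.name}"
        return best.name

    def offload(self, flow, backend):
        """Appliance decided (backend chosen): install a direct fabric rule, free its capacity."""
        name = self.rules[flow.flow_id].split(":", 1)[1]
        next(a for a in self.appliances if a.name == name).load_gbps -= flow.rate_gbps
        self.rules[flow.flow_id] = f"fabric:{backend}"

def simulate(offered_gbps=20.0, flow_gbps=2.5):
    """Constructed scenario: 20 Gbps of sessions through a single 5 Gbps ADC."""
    app = SteeringApp([Appliance("adc-1", "s1-eth7", capacity_gbps=5.0)])
    pending = [Flow(f"f{i}", flow_gbps) for i in range(int(offered_gbps / flow_gbps))]
    while pending:
        batch = []
        while pending and app.admit(pending[0]) is not None:
            batch.append(pending.pop(0))
        if not batch:       # a session larger than any appliance can never be admitted
            break
        for f in batch:     # appliance finishes; these sessions move onto the fabric
            app.offload(f, backend=f"srv-{int(f.flow_id[1:]) % 2}")
    fabric = sum(flow_gbps for r in app.rules.values() if r.startswith("fabric:"))
    return {"fabric_gbps": fabric, "peak_appliance_gbps": app.peak_appliance_gbps}
```

`simulate()` ends with all 20 Gbps carried by fabric rules while the appliance's load never exceeded its 5 Gbps port; a session no appliance can take is refused rather than silently passed around the service.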
When evaluating long-term network service investments, it’s worthwhile to ask vendors not only how you can program their equipment but also how they can blend their services to be part of an SDN network, and if they offer a true SDN-based solution that improves the utilization of your network without multiplying your investment.