Security.  It’s an interesting topic when it comes to networking within Enterprise IT.  There are those that are truly focused on an end-to-end view of security or just freakishly enjoy security, and then those that are usually okay with just implementing a perimeter FW and maybe an IDS/IPS.  So, when it comes to your “typical” Enterprise LAN, all hosts are inherently trusted, so communication between clients and servers, clients and clients, and servers and servers is unprotected.  I will say, in 2011, I've seen this starting to change and infrastructure security is becoming even more critical for the average “mid-market” customer for various reasons, but heavily attributed to the wide adoption of smart phones, tablets, and the whole “Bring Your Own Device” (BYOD) mantra being driven by the consumer.

Anyway, what does this have to do with OpenFlow/SDN?  Nothing…yet, but the question that came to me while I was in a meeting with a NYC based financial firm last week was, “How will security be perceived with running a *real* virtualized network with control plane separation happening at a controller?” 

Before I go any further, here is some background…

For those that aren’t aware, I was proudly in a fraternity in college and our motto was simple, “Loved, Hated, but Never Ignored,” and we wore it proudly on our fraternity t-shirts.  The same motto seems to be true for Software Defined Networks in the industry at this moment.  There is a community of folks that see the potential, but not everyone is on board, not everyone thinks it’s for real, some call it hype, some call it a technology for Cloud Providers, and some think that it was built by the academic community and that’s where it will stay for the long term, but you know what, people keep talking about it, and that’s a great thing…because you don’t want to be ignored ;).  There have been many blogs, tweets, and announcements in this space with the most recent coming from Nicira.
Facts and perspectives of the week in review.  Short and to the point.
  • Only the Nexus 32 port 10G M1 and 48 port 1/10G F2 linecards support connectivity to Fabric Extenders
  • Double Layer VPC is NOT supported when connecting a Nexus 2000 to Nexus 7000.  Each 2K must be single homed to a Nexus 7000.  Servers are then dual-homed across the Nexus 2000s.
  • Nexus F2 linecards need to be in a dedicated VDC or switch.  I’m merely the middle man relaying the message.  It does suck.
  • Cisco should stop investing in the 6500.  Invest that time and money somewhere else.
  • If trying to use GLC-SX-MM (or any 1G optic) in a Nexus 5548/5596, don’t forget to manually set the speed to 1000. By default, all ports are 10G.
  • The Cisco 4500 series switch is bad ass and should be deployed over 6500s for sure in the access layer and the majority of new mid-size Core deployments (not comparing to N7K).
  • IP Addresses with a /16 subnet mask should not be assigned to any end host on a network.  Do you like man-made disasters?
  • Don’t buy a Nexus 5548P.  Buy the Nexus 5548UP.
  • If you need security between multiple 10G interfaces, it really may be okay to use ACLs that are accelerated and processed in HW.  Verify it's okay that you don't need to track state.  If you don't know, it probably is okay.
  • Even if you end up using Nexus F1 cards in your chassis with proxy L3 routing, it’s probably still 5x better performance than what you currently have.
  • My brother Mike Edelman is going to the Super Bowl and will probably see Julian Edelman of said favored Patriots.  We are not related to Julian although he has good initials.
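The ACL bullet above says hardware-accelerated ACLs between 10G interfaces are fine as long as you can live without state tracking. The Python below is an added example (not from the original post and not Cisco's code) that shows what giving up state actually costs: a first-match, implicit-deny ACL evaluator, the way a hardware ACL behaves, is run over a constructed client-to-server TCP exchange beside a minimal stateful filter. The `Rule`, `Packet` and `StatefulFilter` types, the sample addresses and the `established` flag check (which approximates the ACL keyword by looking only at ACK/RST bits) are all constructed for this illustration, not a model of NX-OS internals.

```python
"""Stateless (hardware-style) ACL versus stateful filtering over constructed TCP flows."""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    flags: frozenset = frozenset()  # TCP flags present, e.g. {"SYN"} or {"SYN", "ACK"}


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "ip" (any)
    src: str                    # source CIDR
    dst: str                    # destination CIDR
    dport: Optional[int] = None
    established: bool = False   # like the ACL keyword: match only if ACK or RST is set

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        # Flag check only: no memory of whether a handshake really happened.
        if self.established and not (pkt.flags & {"ACK", "RST"}):
            return False
        return True


def stateless_decision(acl: List[Rule], pkt: Packet) -> str:
    """First matching entry wins; implicit deny at the end, as in a hardware ACL."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


class StatefulFilter:
    """Same ACL, but permitted flows are remembered so their reply traffic is allowed."""

    def __init__(self, acl: List[Rule]):
        self.acl = acl
        self.sessions = set()

    def decision(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.sessions:
            return "permit"  # return direction of a session the ACL already allowed
        verdict = stateless_decision(self.acl, pkt)
        if verdict == "permit":
            self.sessions.add(key)
        return verdict


def compare(acl: List[Rule], flow: List[Packet]) -> dict:
    """Run the same packets through both filters; returns the two verdict lists."""
    stateful = StatefulFilter(acl)
    return {
        "stateless": [stateless_decision(acl, p) for p in flow],
        "stateful": [stateful.decision(p) for p in flow],
    }


# Constructed sample: clients in 10.1.0.0/24 may reach HTTPS on servers in 10.2.0.0/24.
ACL_ONE_WAY = [Rule("permit", "tcp", "10.1.0.0/24", "10.2.0.0/24", dport=443)]

# Same intent with an explicit return-path entry for the server-to-client direction.
ACL_WITH_RETURN = ACL_ONE_WAY + [
    Rule("permit", "tcp", "10.2.0.0/24", "10.1.0.0/24", established=True),
]

# Constructed packets: a client SYN, the server's SYN/ACK reply, and a server trying to open SSH to the client.
SAMPLE_FLOW = [
    Packet("10.1.0.7", "10.2.0.5", "tcp", 51000, 443, frozenset({"SYN"})),
    Packet("10.2.0.5", "10.1.0.7", "tcp", 443, 51000, frozenset({"SYN", "ACK"})),
    Packet("10.2.0.5", "10.1.0.7", "tcp", 40000, 22, frozenset({"SYN"})),
]

if __name__ == "__main__":
    # One-way ACL: the stateless filter drops the SYN/ACK and the session never completes.
    print("one-way ACL   :", compare(ACL_ONE_WAY, SAMPLE_FLOW))
    # With a return-path entry the reply passes on both; the server-initiated SYN still fails.
    print("with return   :", compare(ACL_WITH_RETURN, SAMPLE_FLOW))
```

The point the bullet makes is visible in the first run: with a one-way ACL in hardware, the client's SYN is permitted but the server's SYN/ACK is dropped, because nothing remembers that the client started the session. Adding the return-path entry fixes the handshake, but the `established` check is a flag test, not session state: that is the "you don't need to track state" decision the bullet asks you to verify before committing to hardware ACLs.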