I was talking with Dave Larsen, CTO for HP Networking, about SDN and future applications, and he described a security application/use case of OpenFlow/SDN for campus networks. HP Sentinel is an SDN security application that combines a reputation database, the HP VAN controller and OpenFlow to build a campus security solution. Here is a quick overview of the process and of how you can mix existing security technology with OpenFlow/SDN to provide a useful campus security tool.
HP Sentinel is an SDN application that monitors the flow creation process in the campus network. As a new flow is identified, its IP address and DNS name are compared against a reputation database. If the lookup returns a match (a known-bad reputation), the traffic is dropped on the campus edge switch.
The product is currently in trial with selected customers, one of whom is a school that needs to protect its network from malware and misuse. In the first week, the school discovered three compromised computers that were hosting malware, even though other security tools were already deployed on the campus.
Here is how it works:
The campus ProCurve switches are configured to support OpenFlow with an HP VAN SDN controller. The controller is linked to an “SDN app” that uses the TippingPoint reputation database from its IPS product. This reputation database is built from the Reputation Digital Vaccine service.
Step 1: A workstation has an application that initiates an IP connection to a site.
Step 2: When the first IP packet of that connection is received by the switch, it does not match any entry in the switch’s existing flow table, since this is the first time the flow has been seen. The packet is punted to the controller.
Step 3: The controller sends the flow data to the HP Sentinel app. The VAN controller is configured to send flow data from specific switches to the reputation lookup.
Step 4: The flow is compared to the IP and DNS data in the reputation database. The DNS name is important because a single IP address can host multiple domains, or a very large network can be ‘hidden’ behind proxy servers, so the IP address alone is not a reliable indicator.
Step 5: The lookup result (pass or fail) is signalled back to the VAN controller, which then pushes a pass or drop OpenFlow entry into the switch. Subsequent packets of the same flow match that entry and are handled in hardware without involving the controller.
Step 6: Optional step – send an alert that a reputation match has been triggered.
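To make the six steps concrete, here is a small simulation of the decision loop, written for this post as an added example; it is not HP Sentinel code and the reputation entries, addresses and DNS names are all constructed. A packet-in for an unseen flow is rated against bad-IP and bad-name lists (Step 4), a pass/drop entry is recorded for the switch (Step 5), and later packets of the same flow are answered from that entry without a punt (Step 2). DNS answers are fed to the app so that a bad name resolving to an otherwise clean IP still fails the lookup.

```python
"""Simulated reputation-driven OpenFlow decision loop (constructed example, not HP code)."""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Constructed reputation data standing in for the Digital Vaccine feed.
BAD_IPS: Set[str] = {"203.0.113.10"}
BAD_NAMES: Set[str] = {"malware.example"}


@dataclass
class PacketIn:
    """Minimal stand-in for an OpenFlow packet-in: just the fields we match on."""
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass
class SentinelApp:
    """Controller-side app: learns DNS answers and rates each new flow."""
    names_for_ip: Dict[str, Set[str]] = field(default_factory=dict)
    flow_table: Dict[Tuple[str, str, int], str] = field(default_factory=dict)
    punts: int = 0  # how many packets reached the controller (Step 2)

    def observe_dns_answer(self, name: str, ip: str) -> None:
        """Record that `name` resolved to `ip`, so later flows to `ip` can be rated by name."""
        self.names_for_ip.setdefault(ip, set()).add(name.lower().rstrip("."))

    def lookup(self, dst_ip: str) -> bool:
        """Step 4: True if the destination IP or any name seen for it has bad reputation."""
        if dst_ip in BAD_IPS:
            return True
        return bool(self.names_for_ip.get(dst_ip, set()) & BAD_NAMES)

    def handle_packet(self, pkt: PacketIn) -> str:
        """Steps 2-5: return the action the edge switch applies to this flow."""
        key = (pkt.src_ip, pkt.dst_ip, pkt.dst_port)
        if key in self.flow_table:  # existing entry: switch forwards/drops locally
            return self.flow_table[key]
        self.punts += 1  # no entry matched, so the packet is punted to the controller
        action = "DROP" if self.lookup(pkt.dst_ip) else "FORWARD"
        self.flow_table[key] = action  # flow-mod pushed back to the switch (Step 5)
        return action


if __name__ == "__main__":
    app = SentinelApp()
    app.observe_dns_answer("malware.example", "198.51.100.8")
    print(app.handle_packet(PacketIn("10.1.1.5", "198.51.100.8", 80)))  # DROP by name
```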
Points of Note
Standards, and nothing but standards. The first point I noted is that this solution is entirely standards-based, built on OpenFlow. There are none of the custom protocols that other vendor solutions rely on.
Filtering at the Edge: the blocking is performed at the edge of the campus network where the workstation connects to the Ethernet switch.
Will work for WiFi: This solution will work for WiFi networks in the future once WiFi equipment is OpenFlow enabled.
Uses Existing Technology: This solution uses the existing switches in the customer network since many HP switches that have shipped in the last few years are OpenFlow capable with a software update.
TippingPoint and software: The TippingPoint division might be moving ahead. HP’s TippingPoint division continues to focus on hardware products and, to my knowledge, hasn’t yet embraced virtualization in a meaningful form. This software-only solution might provide some hope that TippingPoint is beginning to embrace the cloud era.
The EtherealMind View
Many people do not understand how flexible and capable the OpenFlow protocol can be for a wide range of uses. A number of vendors are claiming that OpenFlow isn’t enough, yet I remain deeply cynical about the motives behind such views. OpenFlow continues to have the largest momentum and the widest industry support for SDN in the data network. The ongoing development of OVSDB will provide new extensibility and capability and address the other issues around device management.
For now, HP Sentinel is a clear demonstration of the capabilities of OpenFlow. The HP SDN story is stronger than many understand. Existing network switches are OpenFlow capable, the HP VAN controller is stabilising and forging links with other divisions. The IMC division is providing strong linkages to manage VAN as part of the normal operations.
HP has a strong SDN story, but it’s somewhat overshadowed by other companies making more noise, and the Networking team is less prominent. Here’s hoping that they can improve this in the months ahead.
I was a guest at HP Discover in Barcelona as part of the Social Media outreach program.