Monitoring, Managing, and Securing SDN Deployments


Monitoring, Managing, and Securing SDN Deployments // White Paper

Introduction

Mobility, cloud, and consumerization of IT are all major themes playing out in the IT industry today—all of which are fundamentally changing the way we think about managing IT infrastructure.

Mobility is driving significant productivity gains. Users, devices, and indeed applications are all mobile. Users today access their applications, data, and content from whatever location they are at—be it the office, a hotel lobby, or an airport, using whatever device they have at their disposal, such as a laptop, smartphone, or tablet, and leveraging whatever technology is available, from wired Ethernet to WiFi to 3G/4G. Today applications also move from server to server in the form of virtual machines, either under administrative control or in a completely automated way, for example using tools that perform resource management. While mobility is driving significant productivity gains, it is also making the IT environment very complex. In such a dynamic environment, it is becoming difficult to determine whether a user, an application, or the underlying infrastructure itself is performing as desired, and whether security, compliance, and audit requirements are being met.

Similarly, the cloud is changing the way IT departments and consumers alike think about compute, storage, and connectivity. The cloud has changed the cost model for infrastructure from a CAPEX model to an OPEX model. Along with the shift in cost models, the cloud also introduced an elasticity of compute where resources can be added and eliminated on demand based on dynamic capacity requirements. While this makes it very easy for companies to add and eliminate compute and storage resources on demand, it also makes it very challenging to monitor whether the end user is truly getting a good experience, whether applications are performing as expected, and whether adequate security measures are being put in place in the cloud.

Consumerization of IT is often associated with BYOD (Bring Your Own Device). However, its impact is far broader than that. The fundamental expectation of IT is changing: IT is expected to embrace consumer-like behavior. IT is now expected to support consumer devices on the corporate infrastructure. Along with that, consumer applications are now running and competing for resources on the same IT infrastructure as enterprise applications. For example, smartphones constantly synchronize consumer applications in the background, and users of the corporate IT infrastructure are actively using consumer applications as part of their productivity suite. IT is expected to respond to, accommodate, and indeed fully embrace this shift with 24x7 support. Unfortunately, today IT and the management, monitoring, and security tools that it uses lack the visibility needed to accurately determine the stability, security, and performance of this evolving environment.

In the midst of all of these changes, the way networking has been implemented has remained fundamentally unchanged. Even though network speeds and the protocols used to keep the network operational have evolved, the fundamental nature of the network has not changed. The network today is still run as a set of interconnected devices, each of which operates as an individual entity with its own local control plane and forwarding or data plane (see Figure 1). The control plane determines where traffic is to be sent, and the data plane takes care of forwarding the traffic at very high speeds and progressively lower latency. Both the control plane and the data plane today are co-resident on each networking device, making a large network a complex distributed computing problem that has to respond and react to dynamic changes at very high speeds and with large traffic volumes. To compound the challenge further, each networking component or attached device has only a partial view of what is going on in the network, and piecing together the whole picture becomes a complex exercise.

2014 Gigamon. All rights reserved.

Figure 1: (Left) Traditional networks with distributed control plane and data plane; (Right) In an SDN environment, the control plane is centralized

Addressing Network Complexity through SDN

SDN changes the fundamental nature of networking. With SDN, the control plane, or the intelligence functions of the network, is centralized on a controller. The SDN controller maintains a centralized view of all the network switches and programs each switch with the knowledge it needs to correctly forward traffic. By centralizing the control plane, the SDN model provides a simplified operational model for large networks that are characterized by highly dynamic workloads, user/device/application mobility, and policy-driven connectivity (see Figure 1).

A secondary effect of this approach is that by removing the intelligence from network appliances such as switches and routers, the software and hardware for these switches and routers can be simplified, thereby driving down costs for the individual devices. In fact, there is growing momentum around leveraging “white boxes” (bare-metal switches/routers sourced directly from manufacturers) together with an open-source network OS and an open-source controller to put together an SDN solution. However, the promise of “white box” networking has yet to bear fruit, as there are significant barriers to making the white box approach a true working solution for mainstream deployment in the near term. The challenges range from lack of software maturity, to lack of interoperability, to the DIY (Do It Yourself) approach required to make the solution successful. Still, the SDN model of centralizing network intelligence, and the operational simplification it can bring to complex networks, holds promise.

While SDN is still in its nascent stages, several different technologies and applications of SDN are emerging. OpenFlow is one such technology. OpenFlow is being standardized through the Open Networking Foundation (ONF) and is one example of how a centralized controller programs and manages distributed network switches. OpenFlow provides a standardized way to program forwarding tables in network switches based on the intelligence and applications running on the controller. While OpenFlow provides a standardized approach for a controller to program network switches, it does not specify how the controller addresses specific challenges such as mobility or BYOD. In other words, OpenFlow is simply a protocol between the controller and the network switches. How that protocol is applied to solving network challenges is left to the controller and the applications residing on it, and will differ from implementation to implementation and from vendor to vendor. This provides an opportunity for differentiation as well as innovation in this space.

OpenFlow is just one embodiment of SDN. Several other technologies, mainly vendor driven, are now emerging under the SDN umbrella. Unlike OpenFlow, many of these emerging technologies are targeted and purpose-built for solving specific problems. One such area being targeted for SDN deployments is network virtualization. Network virtualization effectively builds dynamic network overlays over an underlying physical network infrastructure and addresses key challenges around mobility and multi-tenancy in cloud, data center, and campus environments (see Figure 2). These dynamic overlays create logical tunnels between different endpoints belonging to a common logical network service, or to a tenant, using some form of traffic encapsulation. A key technology that is gaining traction to address network virtualization is VXLAN. With VXLAN, virtual extensible overlay networks are built using VXLAN encapsulation or tunnels. In cloud deployments these tunnels can originate and terminate within the hypervisor, making the physical network oblivious to and independent of the overlay (see Figure 2). The tunnels can be dynamically instantiated based on mobility events or based on spinning up capacity in various segments of the network.

Figure 2: Dynamic network overlay over an underlying physical network using a VXLAN tunnel

While network virtualization addresses some of the challenges around multi-tenancy and mobility, it creates a different set of issues from the perspective of monitoring, management, and security. By creating separate logical overlays which are abstracted from the physical underlying network, it creates two planes of troubleshooting, monitoring, and management—the physical underlay and the logical overlay. Both planes can be subject to security threats and breaches.

Many other applications of SDN are also emerging. These include, among others, traffic engineering over WAN links, policy-based access control, and centralized routing.

Monitoring, Managing, and Securing in an SDN World

While SDN holds the promise of operationally simplifying dynamic environments such as those with large volumes of traffic, mobility, and cloud deployments, SDN deployments will be characterized by an increased need for tools that do security, performance, and user experience monitoring. There are several reasons for this. For example, separating the data and control planes could lead to synchronization issues between these two components. The deployment of network virtualization solutions that use encapsulation or tunneling also creates separate planes of management and control for the overlay and underlay networks, thereby increasing the need for monitoring. These are explored in the following sections in more detail.

Typically, tools rely on one of three types of techniques for monitoring and management:

1. SNMP-style monitoring
2. Flow-based monitoring and analysis
3. Packet-based monitoring and analysis

SNMP-style monitoring is typically used for device status monitoring, as well as for aggregate traffic monitoring based on counters and statistics. Flow-based and packet-based techniques rely on actual traffic information. In flow-based techniques, actual traffic is sampled, flow records are gathered from the sampled traffic, and the flow information is then presented to the tools. The greater the sampling rate, the more accurate the tools' analysis. In packet-based techniques, the actual packets are presented to the tools, which may then look anywhere within the packet, for example using DPI (Deep Packet Inspection) techniques, to perform their analysis. Many Network Performance Management (NPM), security, Application Performance Management (APM), and Customer Experience Management (CEM) tools today use either flow-based techniques, packet-based inspection, or a combination thereof.

With SDN, it is conceivable that the need for SNMP-style monitoring of individual devices diminishes, as much of the status information for the individual devices may now be available at the centralized controller. The controller may choose to export this using a variety of different APIs. However, in an SDN world, the need for flow- and packet-based monitoring (i.e., traffic-based monitoring) will actually increase, and in fact will become an integral component of the SDN deployment. This is primarily for two reasons:

1. The need to monitor and manage the SDN deployment itself
2. The need to monitor and manage the dynamic IT infrastructure that SDN will enable

1. Monitoring SDN Deployment Challenges

SDN breaks apart the traditional network switch/router/appliance by abstracting the control plane and centralizing it at a controller, while leaving the data or forwarding plane on the individual network switches. This brings operational simplicity: every switch/router no longer has to be managed individually, and the controller acts as the central point of management and control. However, it brings a new set of challenges that will need to be addressed through increased traffic-based monitoring solutions. Some of these challenges are outlined below.

Controller and Switch Synchronization

In a large SDN deployment, ensuring that all devices stay synchronized with the controller can be a challenge. The state information for a large number of devices that is centrally maintained at the controller may get out of synchronization with the actual devices. This can be due to a variety of factors, such as latency between the controller and the devices, packet loss in the network, the complexity of dealing with disparate devices each having different capabilities and different internal resources such as table sizes, or even software or hardware issues, including software bugs or programming errors. Depending on the implementation, the devices may re-synchronize with the controller, or may not be able to. In either case, the state of the network while the situation persists may be unpredictable. In order to rapidly detect and correct such situations, it will be necessary to monitor traffic from the network switches and ensure that the network is performing as expected, within the bounds of what is considered normal.

Further, being able to correlate network traffic activity with what the controller expects the network switches to be doing is going to be a critical aspect of ensuring the success of SDN deployments; without it, troubleshooting and root-cause analysis in SDN deployments will become exceedingly difficult. In fact, a closed-loop solution, where a set of “always-on” network traffic-based monitoring solutions (for security, network performance management, customer and application experience management, etc.) constantly monitor and audit for anomalies and then work with the controller to tune or optimize the SDN deployment, may be necessary both for optimal performance and for rapid troubleshooting. In other words, traffic-based visibility will need to become an integral part of the SDN deployment in order to ensure its success.

Network Virtualization Monitoring

The adoption of new technologies like VXLAN and network virtualization makes things challenging for packet-based analysis tools for a few reasons. The first is that they add additional packet header information which tools are unable to recognize easily. The additional headers also add processing overhead to the tools, which are now required not just to understand the new header, but to parse the packets beyond the new headers, strip the new headers, and so on. The issue at hand is not limited to VXLAN, but is rather indicative of the rapid change in technologies taking place, making it difficult for tools to keep up with the different forms of encapsulation and packet formats being put in play for SDN.

Secondly, in many cases network virtualization technologies such as VXLAN tend to be hypervisor-oriented technologies, i.e., the tunnel encapsulation/origination and termination may occur within the hypervisor, leaving the physical network completely unaware of when tunnels and virtual overlays are being created and torn down. This makes troubleshooting and network performance management very difficult. For example, if a data packet was sent from one virtual machine to another using a VXLAN overlay but did not make it to the other end, it becomes difficult to determine whether the packet was lost in the hypervisor, in the underlying physical network, as a consequence of the overlay tunnel not routing traffic correctly, or because the destination dropped the packet. Finally, by creating two logical forwarding planes (the overlay and the underlay), it becomes important to monitor both planes independently, as well as to correlate what is happening in one plane with its impact on the other.

These kinds of issues will require new types of traffic analysis tools that enable rapid correlation and troubleshooting of issues in both the physical underlay and the virtual overlay networks. And serving up the traffic to the tools in a form that the tools can understand will become an important piece of the monitoring solution. This type of functionality can readily be done in the Gigamon Visibility Fabric, which can serve up traffic to the tools from both the logical overlay and the physical underlay, along with normalizing the traffic to what the tools can decipher. Gigamon’s Visibility Fabric is a solution that delivers traffic from the production network to the tools that are used to monitor and manage the network, and along the way performs traffic optimization functions such as stateful de-duplication or flow record generation to help offload tools.

Hybrid Deployments

Most SDN deployments will need to function in conjunction with traditional network deployments for several years to come. In many cases traffic will need to straddle both these environments. For example, client-server traffic may originate from a client in a traditional network but may be served up by applications/servers in an SDN environment. Ensuring that the traffic bridged between the traditional and the SDN environments does not suffer a performance impact or a security breach, or at the most basic level is simply getting forwarded correctly, will require traffic-based monitoring across the boundaries of the traditional and SDN worlds. In other words, visibility of traffic traversing the physical and SDN worlds will be important from both a performance and a security perspective. Once again, this can be readily accomplished by leveraging a Visibility Fabric that delivers traffic from both the SDN and traditional worlds to the set of tools that are used to monitor and secure the two environments. This topic has also been covered by analyst Lee Doyle, who writes, “What’s more, integration of SDN/virtual networks with legacy physical networks will require tools to model and measure performance and latency, as well as provide comprehensive network mapping that reflects both environments.”[1]

Figure 3 captures how traffic-based monitoring in the previous scenarios may be accomplished using a single Unified Visibility Fabric to drive traffic-based visibility to tools.

Figure 3: A Gigamon Visibility Fabric platform can drive traffic-based visibility to tools for monitoring

2. Monitoring the Dynamic IT Infrastructure Enabled by SDN

The promise of SDN is that it will enable very dynamic network environments characterized by mobility, policy, and elasticity of compute, storage, and applications. In effect, networks, which until recently were a bottleneck in the enablement of key trends such as virtualization, cloud, and mobility, will now become an enabler. This will open up a whole new breed of applications and deployment models, along with new services and service level agreements. Environments characterized by mobility, dynamic, and virtual networks, as well as policy-driven networks, all enabled through SDN, will require increased investment in newer traffic-based monitoring and analysis solutions that previously did not exist or were not as essential. This in turn will require more intelligent control over access and visibility to network traffic.

The Gartner report “Introducing the Network Performance Monitoring and Diagnostics Market” states:

“Future dema

[1] Lee Doyle, principal analyst, Doyle Research, “SDN, networking monitoring: Challenge or a change for the better” (2013, December).
