Big Switch Networks Tackles SDN Security

Big Switch Networks Inc. today announced new security features in its software-defined networking (SDN) offerings -- including enhancements to its SDN monitoring fabric -- as part of a new BigSecure Architecture.

The company said the new security functionality can help enterprises protect their datacenters against massive distributed denial of service (DDoS) attacks that can throw more than 1 Terabit of data against networks, as happened with the recent outbreak of Mirai malware.

In view of such attacks, "It has become necessary for organizations to deploy cyber-defense mechanisms to protect against massively distributed attacks without breaking their security budget," the company said in a news release.

"Today, we are announcing the BigSecure Architecture -- a next-generation DMZ security architecture leveraging SDN fabric, best-of-breed security tools, deep packet inspection (DPI) service nodes and NFV tool farm for combating large-scale externally-originated attacks," Big Switch said in a blog post.

The BigSecure Architecture provides a security scheme that leverages the underlying network and pooled x86-based computing power to provide "an externalized elastic attack mitigation infrastructure" that can work with existing security tools.

Central to that initiative is the new Big Monitoring Fabric Release 6.0, described as "a next-generation network packet broker (NPB) that leverages SDN principles, Open Networking switches and a high-performance x86-based DPDK [Data Plane Development Kit] service node to provide feature-rich, scale-out data center monitoring at up to 50 percent lower cost than traditional NPBs."

[Figure: BigSecure Architecture (source: Big Switch Networks)]

Enterprises deploy Big Monitoring Fabric at the network edge or in a DMZ in order to connect security tools and create security service chains. It supports programmatic operations via RESTful APIs for dynamic interactions across systems, dynamic load balancing of security tools and dynamic configuration of security service chains.

As part of the new security initiative, Big Switch also introduced enhancements to its Pervasive Visibility use cases that provide cloud-native application traffic visibility through the dynamic monitoring of virtual machines (VMs), containers and public cloud environments.

"The rise of cloud-native applications, in the form of virtual machines (VMs) and containers has driven up east-west traffic within the data center, leading to tremendous visibility and security challenges," the company said. "When applications are deployed in public clouds, consistent architecture for application traffic visibility becomes necessary."

Other components of the BigSecure Architecture listed by the company include:

  • Big Monitoring Fabric service node -- a high performance (40G to 160G) Intel x86 DPDK-based service node, centrally controlled and managed by the Big Mon SDN Controller, for deep-packet and flow inspection and filtering based on whitelist/blacklist of signatures for the purpose of attack mitigation. With the aid of the Big Mon Controller, it can be dynamically inserted into security service chains to guarantee front-line attack mitigation. Multiple service nodes can be deployed in a scale-out manner for Terabit filtering and mitigation.
  • NFV tool farm -- a pool of x86 compute resources available for hosting security tools in the form of virtual network functions (VNFs) in order to elastically scale them for Terabit attack mitigation. Big Monitoring Fabric programmatically augments service chains as well as load balances across a large set of tool VNFs.
  • Security tools -- Third-party security tools (such as A10 Networks' Threat Protection System) that detect and mitigate sophisticated attacks, leverage L2-L7 attack mitigation capabilities of the high-speed SDN fabric, service nodes and NFV tool farm, and interact programmatically with the Big Mon controller for dynamic attack mitigation.
  • Open hardware -- industry-standard 10G/40G/100G Ethernet switches from Dell EMC and Edgecore Networks operating at multi-terabit bandwidth, centrally controlled and managed by the Big Monitoring Fabric controller; industry-standard x86 servers for SDN controllers, service nodes and NFV tool farm.

"Once BigSecure Architecture is instantiated, a security tool detects high-bandwidth attack and interacts with the Big Monitoring Fabric Controller via programmatic APIs to redirect incoming traffic for elastic mitigation," the company explained. "Depending on the type of attack, the Big Mon Controller activates SDN fabric and compute resources for attack mitigation, reconfigures the service chain to redirect traffic to mitigation infrastructure, and load-balances traffic across a cluster of Big Mon service nodes and NFV tool farm for scale-out performance. The combination of SDN fabric, Big Mon service nodes and NFV tool farm performs Layer-7 scans of network traffic and blocks those packets/flows that contain attack signatures."

The company said Big Monitoring Fabric Release 6.0 is now in a beta program, with general availability expected in the first quarter of next year.

About the Author

David Ramel is an editor and writer for Converge360.

