Startup Tackles OpenFlow Security

Veterans of the former NetScreen have started a company targeting security for OpenFlow networks.

Which is interesting in itself, but it points out a bigger issue. The software-defined networking community is widening as businesses and entrepreneurs start considering what it will really take to implement ideals like OpenFlow. Gaps are going to be found, and -- assuming software-defined networking takes off -- that means opportunity for business.

That's part of the reason why there's such a buzz in Silicon Valley around next week's Open Networking Summit (ONS), a three-day gathering in Santa Clara, Calif., that will serve as a sequel to last fall's very well received OpenFlow symposium at Stanford. (See The Software Revolution Is Coming.)

But back to that security startup. It's called vArmour (pronounced vee-armor), and it's founded by NetScreen veterans, including Michael Shieh. He joined Juniper Networks Inc. (NYSE: JNPR) through its acquisition of NetScreen and stayed there for seven years, eventually becoming senior architect of converged services. Now he's working on providing security for OpenFlow- and OpenStack-based networks.

The issue comes up because OpenFlow lets an outside controller tell routers and switches what to do. In other words, switching patterns can be altered on the fly. How can security elements such as firewalls keep up with that fluidity?

vArmour will reveal part of its answer at ONS. The startup will present a demo prepared with Big Switch Networks -- which along with Nicira is one of the startups that sprang from the initial OpenFlow research teams at Stanford.

"All of the OpenFlow guys say the controller has all the intelligence," Shieh says. "We see it a different way. With intelligence in the data plane, your controller can make smarter decisions."

Layer by layer
vArmour is touching on a recurring theme in networking, namely, that developers augment one layer without considering the effect on the other layers, says Andre Kindness, an analyst with Forrester Research Inc.

"It's a problem that needed to be solved, and I'm glad people are looking at it," he says.

The reason is that OpenFlow is crafted for Layer 2 forwarding. It decides where to send packet flows, and it gathers the information it needs for that decision from the first packet in a flow; once a rule is installed, the rest of the flow is switched without the controller seeing it. Security is a different process, one that requires a look at every packet.
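To make the gap concrete, here is a toy model of that behaviour. It is an added example written for this page, not vArmour's code and not a real OpenFlow implementation: the switch, controller, flow keys and the `/bin/sh` "signature" are all constructed. A switch consults its flow table; on a miss it sends the packet up to a controller, which inspects that one packet and installs a rule for the whole flow. In the default mode every later packet of the flow is forwarded unseen; with inspection in the data plane (the `inspect_every_packet` flag), a flow that turns hostile after its first packet is still caught.

```python
"""Toy model of reactive OpenFlow flow setup versus per-packet inspection.
Constructed example for illustration; not vArmour's code, not real OpenFlow."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowKey:
    """Five-tuple used as the flow-table match key (simplified)."""
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass
class Packet:
    key: FlowKey
    payload: bytes


# Constructed stand-in for an IPS signature; any real rule set would do.
SIGNATURE = b"/bin/sh"


def inspect(pkt: Packet) -> bool:
    """Payload check a Layer 4-7 element would apply to every packet."""
    return SIGNATURE in pkt.payload


class Controller:
    """Reactive controller: it sees only the packets the switch sends up."""
    def __init__(self) -> None:
        self.packet_ins = 0

    def packet_in(self, switch: "Switch", pkt: Packet) -> str:
        self.packet_ins += 1
        action = "drop" if inspect(pkt) else "forward"
        switch.install(pkt.key, action)  # one verdict covers the whole flow
        return action


class Switch:
    """Flow-table switch; optionally inspects payloads in the data plane."""
    def __init__(self, controller: Controller, inspect_every_packet: bool) -> None:
        self.controller = controller
        self.inspect_every_packet = inspect_every_packet
        self.table: dict[FlowKey, str] = {}
        self.forwarded: list[Packet] = []
        self.dropped: list[Packet] = []

    def install(self, key: FlowKey, action: str) -> None:
        self.table[key] = action

    def receive(self, pkt: Packet) -> str:
        action = self.table.get(pkt.key)
        if action is None:
            # Table miss: only this first packet ever reaches the controller.
            action = self.controller.packet_in(self, pkt)
        elif self.inspect_every_packet and action == "forward" and inspect(pkt):
            # Data-plane intelligence: a table hit is still inspected, and the
            # verdict is written back so the rest of the flow is dropped too.
            action = "drop"
            self.install(pkt.key, action)
        (self.dropped if action == "drop" else self.forwarded).append(pkt)
        return action


def constructed_traffic() -> list[Packet]:
    """Two constructed flows: A turns bad on its third packet, B is bad from packet one."""
    a = FlowKey("10.0.0.5", "10.0.1.9", "tcp", 40001, 80)
    b = FlowKey("10.0.0.7", "10.0.1.9", "tcp", 40002, 80)
    return [
        Packet(a, b"GET / HTTP/1.1\r\n"),
        Packet(b, b"POST /cgi-bin/x " + SIGNATURE),
        Packet(a, b"Host: example\r\n"),
        Packet(b, b"more"),
        Packet(a, b"cmd=" + SIGNATURE),
    ]


def simulate(inspect_every_packet: bool) -> dict:
    """Run the constructed traffic through one switch and summarise what happened."""
    ctl = Controller()
    sw = Switch(ctl, inspect_every_packet)
    for pkt in constructed_traffic():
        sw.receive(pkt)
    return {
        "packet_ins": ctl.packet_ins,
        "forwarded": len(sw.forwarded),
        "dropped": len(sw.dropped),
        "signature_leaked": any(inspect(p) for p in sw.forwarded),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("inspect_every_packet=%s -> %s" % (mode, simulate(mode)))
```

In both modes the controller receives exactly two packet-ins, one per flow, and flow B is stopped at its first packet. The difference is flow A: with the controller as the only point of inspection its third packet, carrying the signature, is forwarded on the rule installed from the benign first packet; with inspection in the data plane it is dropped and the flow's rule is rewritten.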

"If you order the forwarding plane to become dumb, you lose all that information," Shieh says.

As popular as OpenFlow has become in the past year, few people seem to be looking at this problem. Shieh hasn't heard of another OpenFlow security startup or project. Kindness says there's at least one other, also staffed by NetScreen expats.

Shieh started vArmour in January 2011 and has built it into a small staff working in Santa Clara, coincidentally just down the street from next week's ONS site. The company has gotten through one small round of funding and will be scouting for more.

He isn't saying whether vArmour's product will be an appliance or software that goes into a switch or router. Either method could work, he says -- which might be a hint that vArmour hasn't decided which way to go yet.

The dream that OpenFlow seems to suggest is one of a network of generic, very cheap switches, with all the intelligence residing in the controller. Shieh's security points temper that idea. Most of the network could still consist of commodity switches, but you'll need Layer 4 through 7 elements in there as well.

The suggestion is that beyond OpenFlow and vArmour, there's a whole ecosystem waiting to be built around software-defined networking, assuming the idea takes off.

"The hoopla has been more vendor-based and scholastic-based," Kindness says. "OpenFlow is just a drop of what needs to be done, but it's the right direction."

— Craig Matsumoto, Managing Editor, Light Reading

Pete Baldwin 12/5/2012 | 5:36:31 PM
re: Startup Tackles OpenFlow Security

We know of very few companies doing these kinds of things with OpenFlow, but there are certainly *people* doing it. My story from last fall's symposium, The Software Revolution Is Coming, opens with a guy doing load balancing: 


That idea came from a different direction -- it wasn't a load balancer *for* OpenFlow, per se -- but I'd bet there's research going on around all sorts of network aspects under OpenFlow.

I expect to see some more at the symposium next week. It sounds like every Valley company related to networking will be there. (Yes, even Cisco -- IIRC they sent more people to the last symposium than anyone else.)

redbull187 12/5/2012 | 5:35:54 PM
re: Startup Tackles OpenFlow Security

Perhaps you are just coming out of the Dark Ages - but separation of Control Plane and Data Plane is so so old news.

paolo.franzoi 12/5/2012 | 5:35:53 PM
re: Startup Tackles OpenFlow Security

If I recall, the first formal documentation of the U, C and M planes was in the ISDN specifications in the early 80s.

davidlegoff 12/5/2012 | 5:35:44 PM
re: Startup Tackles OpenFlow Security

let me re-edit:

openflow opened the way for remote control plane for data plane (clear separation...).

Therefore, considering layers above L2 switching, pushing multicore onto the data plane makes sense given what is described initially in this post :)
