A few years ago, software-defined networking (SDN) was an esoteric concept driven by academics. Some networking vendors were intrigued but many looked at it as nothing more than a science project. Fast forward to 2013 and networking vendors are tripping over each other to pledge their SDN support and crow about their SDN strategies.
What changed? First, vendors like Arista, Brocade, and HP realized that SDN might be one of those industry tipping points that encouraged traditional Cisco customers to at least consider alternative approaches. Second, network service providers realized that SDN could help them accelerate and automate network operations tasks in a big way. Finally, VMware made the SDN market a reality when it paid a ridiculous amount of money for Nicira.
In summary, SDN is a real market experiencing rapid innovation, but it remains anchored to the supply-side of the equation, driven by engineers, trade shows, standards committees and marketing hype.
Given the maturity level of SDN, I am somewhat surprised to hear more and more vendor chatter about SDN and its relationship with cybersecurity. Don’t get me wrong – the geek in me loves to engage in this discussion as SDN has some interesting and useful security implications. For example:
- SDN could really simplify the technology around network segmentation, making it easier to create end-to-end VLANs or extend network segments over distance (a la VPLS, VXLAN, etc.). This would be great for data confidentiality/integrity over the network as well as multi-tenancy.
- SDN could be used to align network flows with security services. Rather than deploying security appliances all over the network path, IT could use SDN to bring network flows to central security services. This could make the network far less complex – think of the implications for de-perimeterization, for example. Buy one massive firewall and direct all internal and perimeter flows to this box over 10Gb (or 40/100Gb) pipes.
- SDN could be used to aggregate network flows for analysis. For example, SDN could bring all IDS/IPS data to a unified analysis engine to look at security issues across the network.
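The three bullets above describe one controller policy: segment tenants, steer flows to a central security service, and tap selected flows for analysis. The following toy controller is an added example (not code from the original post or from any vendor's SDN product) that models that policy as a priority-ordered flow table plus an additive "tap" table, in the style of OpenFlow match/action rules. The tenant subnets, the port names `normal`, `fw0` and `ids0`, and the flows fed to it are all constructed for the example.

```python
"""Toy SDN controller: tenant segmentation, steering to a central firewall,
and mirroring of selected flows to an IDS. Constructed example, not a real
controller API."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """A 4-tuple-ish flow as a switch would report it to the controller."""
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """A match/action entry. proto/dport of None mean 'any'."""
    priority: int
    src: IPv4Network
    dst: IPv4Network
    action: str
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in self.src
                and ip_address(f.dst) in self.dst
                and (self.proto is None or self.proto == f.proto)
                and (self.dport is None or self.dport == f.dport))


class Controller:
    def __init__(self) -> None:
        self.steer: list[Rule] = []   # forwarding: highest priority match wins
        self.taps: list[Rule] = []    # mirroring: every matching tap applies

    def decide(self, f: Flow) -> list[str]:
        """Return mirror actions followed by the single forwarding action.
        An unmatched flow is dropped (default-deny); a dropped flow is still
        mirrored so the analysis engine sees blocked cross-tenant attempts."""
        fwd = "drop"
        for r in sorted(self.steer, key=lambda r: r.priority, reverse=True):
            if r.matches(f):
                fwd = r.action
                break
        mirrors = [r.action for r in self.taps if r.matches(f)]
        return mirrors + [fwd]


ANY = ip_network("0.0.0.0/0")
INTERNAL = ip_network("10.0.0.0/8")          # constructed campus range
TENANT_A = ip_network("10.1.0.0/24")         # constructed tenant segments
TENANT_B = ip_network("10.2.0.0/24")


def build_policy() -> Controller:
    c = Controller()
    # Segmentation: intra-tenant traffic is switched normally (end-to-end
    # segment), anything else between internal hosts is dropped.
    c.steer.append(Rule(300, TENANT_A, TENANT_A, "output:normal"))
    c.steer.append(Rule(300, TENANT_B, TENANT_B, "output:normal"))
    c.steer.append(Rule(200, INTERNAL, INTERNAL, "drop"))
    # Steering: every remaining flow (to or from the outside) is sent to the
    # one central firewall instead of a perimeter box on each path.
    c.steer.append(Rule(100, ANY, ANY, "output:fw0"))
    # Aggregation: copy all SSH toward internal hosts to the IDS, whatever
    # the forwarding decision turns out to be.
    c.taps.append(Rule(0, ANY, INTERNAL, "mirror:ids0", proto="tcp", dport=22))
    return c


if __name__ == "__main__":
    ctl = build_policy()
    for f in (Flow("10.1.0.5", "10.1.0.9", "tcp", 80),
              Flow("10.1.0.5", "10.2.0.10", "tcp", 80),
              Flow("10.1.0.5", "10.2.0.10", "tcp", 22),
              Flow("10.1.0.5", "198.51.100.4", "tcp", 443),
              Flow("203.0.113.7", "10.2.0.10", "tcp", 22)):
        print(f, "->", ctl.decide(f))
```

Two design points carry over to real deployments: the forwarding table is default-deny so a flow the policy never anticipated is dropped rather than silently bridged across tenants, and mirroring is kept in its own table so adding a new tap for the analysis engine never changes where a packet is forwarded.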
Yup, no question that SDN and network security go together like peanut butter and chocolate but isn’t it a bit early to start pushing this beyond the halls of academia? I for one think this is the case. If networking people are still learning the fundamentals of SDN, you can bet that security professionals haven’t a clue.
So why push SDN in relation to security? Because it serves the purposes of networking vendors that also own a network security business. In my humble opinion, these dual-business vendors are using SDN for offensive and defensive purposes. Offensively, networking vendors can push SDN on networking and security buyers and position themselves for wins on both ends. Defensively, SDN (likely proprietary SDN) implementation may create a barrier to entry for pure-play network security vendors.
Cisco and Juniper realize that SDN may provide an architectural advantage in the future so they are willing to invest in market education and seed planting now in hopes of a late 2014 harvest. This is especially important to these vendors given the recent network security market share growth of Fortinet, McAfee, Palo Alto Networks, and Sourcefire.
SDN may not win any short-term deals, but it certainly could influence some long-term strategic decisions. For that reason, and that reason alone, network security vendors not named Cisco or Juniper should be paying careful attention to SDN, market trends, and competitive posturing.