March 1, 2015 | Written by: Chenta Lee
In the first post of a series on developerWorks, my colleague and I discussed how to manually deploy flow rules for Open vSwitch to protect virtual machines (VMs) running on a KVM hypervisor. However, the solution we proposed then is not always practical in the real world, because the assets in a cloud can and do change dynamically. No team has the resources to monitor each VM and deploy the corresponding flow rules by hand. For example, to handle a burst of requests to a cloud service, more VMs are provisioned to share the workload. If protection of those VMs depends on manual flow-rule updates, how can security administrators keep up with the burst?
To provide a realistic solution that addresses the dynamic nature of the cloud, a software-defined network (SDN) controller comes into play. You can think of the SDN controller as the brain of an SDN: it knows about every network flow and it controls the entire network topology. Depending on the use case, the SDN controller can act like an L2-forwarding switch, a network router or even an application firewall. Can we teach the brain of the SDN the security logic discussed in my earlier post and turn it into a protector of all the switches it manages?
The second post in the series, titled “Use IBM Security Network Protection in an OpenFlow-based Software-Defined Network,” shows how to write an application for the POX controller that automatically protects the VMs connected to SDN switches. Even though POX is not the most popular SDN controller, it is a good framework for fast prototyping, and it is easy to port a similar application to other SDN controllers such as OpenDaylight and Floodlight.
You will find that it is easy to deploy a network security solution into an SDN-ready environment. In three steps, you can secure your entire SDN with IBM Security Network Protection:
1. Connect the IBM Security Network Protection appliance to the Open vSwitch.
2. Connect the Open vSwitch to the POX controller.
3. Run the network protector application on POX.
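The following is an added example written for this page, not the author's POX application or IBM code, showing the shape such a POX component takes and how it reacts to newly provisioned VMs without administrator intervention. It assumes a hypothetical port layout on the Open vSwitch (port 1 and port 2 are the appliance's two inline ports, port 3 is the uplink NIC, every other port is a VM vNIC) and that the appliance is a transparent inline device: a frame entering one appliance port leaves on the other after inspection. The `Rule` and `Protector` names are this example's own; the `core`, `of`, `EthAddr` and `launch` names are the real POX API.

```python
"""
protector.py: added example of a POX component that automatically installs
the redirect flow rules of the earlier post for every VM that appears.

Assumed (hypothetical) switch layout:
  port 1 = appliance port facing the VMs       (APPLIANCE_VM_SIDE)
  port 2 = appliance port facing the network   (APPLIANCE_NET_SIDE)
  port 3 = uplink NIC                          (UPLINK_PORT)
  other  = VM vNICs, learned at runtime from PacketIn events
"""
from collections import namedtuple

try:  # the POX glue at the bottom is only used when running inside POX
    from pox.core import core
    import pox.openflow.libopenflow_01 as of
    from pox.lib.addresses import EthAddr
    POX_AVAILABLE = True
except ImportError:
    POX_AVAILABLE = False

APPLIANCE_VM_SIDE, APPLIANCE_NET_SIDE, UPLINK_PORT = 1, 2, 3
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Controller-side view of one OpenFlow rule: match on ingress port and
# optionally on destination MAC, output to a list of ports ([] means drop).
Rule = namedtuple("Rule", "priority in_port dl_dst out_ports")


class Protector(object):
    def __init__(self, app_vm=APPLIANCE_VM_SIDE, app_net=APPLIANCE_NET_SIDE,
                 uplink=UPLINK_PORT):
        self.app_vm, self.app_net, self.uplink = app_vm, app_net, uplink
        self.vms = {}  # switch port -> VM MAC, filled in as VMs show up

    @property
    def infra_ports(self):
        return {self.app_vm, self.app_net, self.uplink}

    def static_rules(self):
        """Rules pushed once at ConnectionUp, before any VM is known."""
        return [
            # outside -> appliance (network side); after inspection the frame
            # reappears on the VM side and is delivered by a per-VM rule
            Rule(10, self.uplink, None, [self.app_net]),
            # inspected traffic from the VM side heads out to the network
            Rule(10, self.app_net, None, [self.uplink]),
            # fail closed: inspected frames for a MAC no VM owns are dropped
            Rule(10, self.app_vm, None, []),
        ] + self.broadcast_rules()

    def broadcast_rules(self):
        """Broadcast frames (ARP etc.) reach every known VM port, and also the
        uplink when they originate from a VM. Re-issued when the VM set changes."""
        vm_ports = sorted(self.vms)
        return [
            Rule(15, self.app_vm, BROADCAST, vm_ports),
            Rule(15, self.app_net, BROADCAST, [self.uplink] + vm_ports),
        ]

    def vm_rules(self, port, mac):
        """Per-VM rules: all the VM's egress enters the appliance, and inspected
        frames addressed to the VM leave the appliance toward its port."""
        return [
            Rule(20, port, None, [self.app_vm]),
            Rule(20, self.app_vm, mac, [port]),   # from outside, inspected
            Rule(20, self.app_net, mac, [port]),  # from another VM, inspected
        ]

    def learn(self, in_port, src_mac):
        """Called per PacketIn. Returns the rules to (re)install, or [] when the
        frame came from an infrastructure port or an already-known VM."""
        if in_port in self.infra_ports or self.vms.get(in_port) == src_mac:
            return []
        self.vms[in_port] = src_mac
        return self.vm_rules(in_port, src_mac) + self.broadcast_rules()


if POX_AVAILABLE:
    protector = Protector()

    def to_flow_mod(rule):
        # OFPFC_ADD with an identical match and priority replaces the existing
        # entry, which is how the broadcast rules get refreshed.
        msg = of.ofp_flow_mod()
        msg.priority = rule.priority
        msg.match = of.ofp_match(in_port=rule.in_port)
        if rule.dl_dst is not None:
            msg.match.dl_dst = EthAddr(rule.dl_dst)
        for port in rule.out_ports:
            msg.actions.append(of.ofp_action_output(port=port))
        return msg

    def _handle_ConnectionUp(event):
        for rule in protector.static_rules():
            event.connection.send(to_flow_mod(rule))

    def _handle_PacketIn(event):
        packet = event.parsed
        if not packet.parsed:
            return
        for rule in protector.learn(event.port, str(packet.src)):
            event.connection.send(to_flow_mod(rule))
        if event.port not in protector.infra_ports:
            # send the frame that triggered the miss through the appliance too
            po = of.ofp_packet_out(data=event.ofp)
            po.actions.append(of.ofp_action_output(port=protector.app_vm))
            event.connection.send(po)

    def launch():
        """POX entry point: ./pox.py protector"""
        core.openflow.addListenerByName("ConnectionUp", _handle_ConnectionUp)
        core.openflow.addListenerByName("PacketIn", _handle_PacketIn)
```

Two caveats a deployment would need to address: the port-to-MAC binding is learned from the first frame a VM sends, so a VM that spoofs a neighbour's MAC can pull that neighbour's inspected inbound traffic to its own port; in a real cloud the binding should come from the hypervisor or cloud inventory (which knows each vNIC's MAC and tap port) rather than from packets. Also, the rules for a torn-down VM remain in the switch until they are explicitly deleted, so VM removal events should be wired to a corresponding FLOW_MOD delete.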
You can download the POX application here and start playing with it. In the second post of the series linked above, you can see a line-by-line explanation of the application source code, and you can even enhance it yourself! Let me know if you need any help. You can also contact me on Twitter @ChentaLee.