SDN is Coming: Is the DOD Ready?

Like it or not, Software Defined Networking (SDN) is coming and although implementations may offer many of the benefits hyped by vendors last year, there are also a few unforeseen security and operational challenges. These SDN challenges aren’t unique – for the most part they’re the same faced by IT in general – only in the Department of Defense’s (DOD) case, they are on a larger scale than any enterprise on Earth. DOD technology experts have identified both the numerous technology and command advantages of software defined everything, and recognized the fundamental shift in network management that’s on the horizon. They are keen to take advantage of SDN, but have also identified new challenges to assuring network security with SDN’s combined data and control networks.

Why SDN for DOD networks?

The DOD supports many concurrent missions, each with its own technology infrastructure, but these infrastructures currently fall into two camps. For in-house or SaaS-delivered solutions, SDN is generally part of the cloud or other host platform. It’s largely abstract for admins who already think of networking as software defined. For datacenter operators, the approach is mixed. VMware is broadly deployed in the DOD and its SDN solution, NSX, will provide much of the rack-level SDN needed as a natural extension of its platform. Outside the datacenter, in the delivery network, SDN will provide the greatest benefit, but solutions aren’t quite there yet, and the DOD is still researching and following vendor progress.

It’s worth the investment, as SDN should reduce configuration-based service failures and provide more rapid change management. Mission support is a practical example, with seamless and automated network re-configuration of battalion-brigade networks. For other areas where datacenter cost management and service availability are primary concerns, SDN automation should reduce misconfiguration and allow a smaller admin staff to manage complex environments.

Catching Up to Accelerating Complexity

Perhaps the biggest driver for SDN in DOD operations is to address increased security vulnerabilities due to rapidly accelerating IT complexity. Complexity has already pushed the DOD, like all network operators, into a reactive mode, where we trail behind hostile operators. Whether state, corporate or even individual actors, Advanced Persistent Threats are the new norm and will only become more common and powerful. SDN holds the promise of simultaneously addressing these persistent threats while increasing command.

In theory SDN’s fabric actuation reduces misconfigurations by widely dispersed operations teams, and can effect in seconds changes that currently require minutes or even hours. It does also, however, present serious new challenges by taking human oversight out of the loop. A compromised SDN infrastructure would have unimaginable command over network operations, and poorly designed SDN configuration policies may cause misconfiguration on an incredible scale.
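The failure mode described above, a bad policy replicated fabric-wide in seconds with no human in the loop, is why an automation pipeline needs a guardrail in front of the controller. The following is an added example, not code from this article or from any SDN vendor or controller project: a small Python pre-commit check that validates a batch of proposed flow rules against a few invariants (no any-to-any allow, no allow into the management network on a management port, known switches only, sane priorities), flags allows that outrank an existing drop for overlapping traffic, and holds batches that touch more than a set fraction of the fabric for human approval instead of pushing them automatically. The rule model, the CONTROL_PLANE prefix, the CONTROL_PORTS set and the blast-radius threshold are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

# Constructed values for this example; a real fabric supplies its own.
CONTROL_PLANE = ip_network("10.50.0.0/16")  # controller / management network
CONTROL_PORTS = {6653, 22}                   # OpenFlow channel, SSH


@dataclass(frozen=True)
class FlowRule:
    switch: str
    priority: int            # 0..65535, higher wins (OpenFlow convention)
    src: str                 # CIDR prefix
    dst: str                 # CIDR prefix
    dst_port: Optional[int]  # None matches any port
    action: str              # "allow" or "drop"


def validate_rule(rule: FlowRule) -> list:
    """Return the invariant violations of a single rule (empty list if clean)."""
    problems = []
    try:
        src, dst = ip_network(rule.src), ip_network(rule.dst)
    except ValueError as exc:
        return [f"bad prefix: {exc}"]
    if rule.action not in ("allow", "drop"):
        problems.append(f"unknown action {rule.action!r}")
    if not 0 <= rule.priority <= 65535:
        problems.append(f"priority {rule.priority} out of range")
    if rule.action == "allow":
        if src.prefixlen == 0 and dst.prefixlen == 0 and rule.dst_port is None:
            problems.append("any-to-any allow")
        if dst.overlaps(CONTROL_PLANE) and (
            rule.dst_port is None or rule.dst_port in CONTROL_PORTS
        ):
            problems.append("allow reaches the control-plane network on a management port")
    return problems


def punched_holes(new_rules, existing_rules) -> list:
    """Find new allows that outrank an existing drop on the same switch for
    overlapping traffic, i.e. that silently punch a hole in a deny."""
    holes = []
    for i, a in enumerate(new_rules):
        if a.action != "allow":
            continue
        for d in existing_rules:
            if d.action != "drop" or d.switch != a.switch or a.priority <= d.priority:
                continue
            if (ip_network(a.src).overlaps(ip_network(d.src))
                    and ip_network(a.dst).overlaps(ip_network(d.dst))
                    and (d.dst_port is None or d.dst_port == a.dst_port)):
                holes.append((i, f"outranks drop on {d.switch} (prio {d.priority})"))
    return holes


def plan_change(new_rules, existing_rules, fabric_switches, max_blast_fraction=0.25) -> dict:
    """Decide whether a batch may be pushed automatically ("apply"), must wait
    for a human ("hold"), or is rejected outright ("reject")."""
    violations = {}
    for i, r in enumerate(new_rules):
        problems = validate_rule(r)
        if r.switch not in fabric_switches:
            problems.append(f"unknown switch {r.switch}")
        if problems:
            violations[i] = problems
    touched = {r.switch for r in new_rules}
    if violations:
        return {"status": "reject", "violations": violations,
                "holes": [], "switches_touched": len(touched)}
    holes = punched_holes(new_rules, existing_rules)
    too_wide = len(touched) > max_blast_fraction * len(fabric_switches)
    status = "hold" if holes or too_wide else "apply"
    return {"status": status, "violations": {},
            "holes": holes, "switches_touched": len(touched)}


if __name__ == "__main__":
    # Constructed fabric: eight switches, one standing drop protecting the management net.
    fabric = [f"sw{i}" for i in range(1, 9)]
    existing = [FlowRule("sw1", 100, "0.0.0.0/0", "10.50.0.0/16", None, "drop")]
    batch = [FlowRule("sw1", 200, "10.1.0.0/16", "10.50.7.0/24", 443, "allow")]
    print(plan_change(batch, existing, fabric))  # held: outranks the drop on sw1
```

The point of the three-way outcome is that "reject" catches policy that is wrong on its face, while "hold" preserves a human decision for changes that are individually valid but either widen an existing deny or touch a large share of the fabric at once, which is exactly the kind of change that automation would otherwise replicate everywhere in seconds.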

The DOD’s reaction to SDN has been mixed. There has been a great deal of industry hype, but in some ways vendors have primarily served as a blocking mechanism. Many seek to protect existing market share from the true spirit of SDN: open, standards-based management across vendor solutions. There is still significant churn in SDN technology, and vendor presentations, even to the same command, vary from meeting to meeting. The potential impact of a failed SDN implementation cannot be overstated, and the DOD is being quite reasonably cautious.

Beachheads for SDN

This year, we’re likely to see the first few DOD deployments of SDN in operational environments. In many cases, initial deployment will be via VMware NSX, with subsequent deployments utilizing SDN as a function of container-deployed applications and services. In many ways containers are an analog to a bundle of a virtual machine plus application definitions. In VMware, SDN has long existed in the vSwitch on each hypervisor host. With containers it’s a service of the orchestration service platform regardless of vendor.

Outside of those projects, the DOD has for some time been investigating automation interfaces in its existing comprehensive IT management monitoring systems. For example, some existing tools provide automated DISA/STIG compliance auditing and remediation. And certainly network and application monitoring will become more critical than ever as a layer of seasoned human oversight is replaced by automation.

As an American and moreover a systems geek who believes we really can change the world with technology, I’m both excited and concerned about SDN deployment in the DOD. The taxpayer and manager in me knows that SDN will allow the DOD to be more nimble and manage costs. It will deliver truly new tools, not just the latest gadgets, to achieve mission success.

But the administrator in me has seen many technology failures in IT, and the awesome breadth of control that we will entrust SDN with is not like anything we’ve ever done. Compromise of these systems, or even technology failure, coupled with the loss of experienced admins in the field and the job marketplace, makes this a one-way trip. It’s coming, and we have to adapt, but the DOD’s mission makes it critical to do it right.

Patrick Hubbard, Head Geek, SolarWinds