Just as the industry is becoming more comfortable with SDNs, the NSA says it's using them too.
The embattled National Security Agency, which has been surreptitiously collecting phone records on all of us for many years as part of a secret surveillance operation, is implementing an OpenFlow SDN for its own internal operations. No mention was made whether an OpenFlow SDN also supports the agency's surveillance operations -- it's doubtful the NSA would open up on the underpinnings of its spy network.
But internally, the agency faces the same issues any large enterprise IT shop faces: do more, faster and at less cost with fewer people. And with a lot of oversight.
"When you operate in a large organization, the bureaucracy is astounding," says Bryan Larish, NSA technical director for enterprise connectivity and specialized IT services, who spoke at this week's Open Network Summit. "This is actually a really big problem. The technology, quite frankly, is the easy part. It's how do we change the culture, how do we affect this massive machinery to make a move in a new direction."
As the agency's IT department grapples with that, one thing is for sure: centralization with OpenFlow is key to its network operations. The reason for this is... wait for it... control.
"We as an enterprise need to be able to control our network," Larish says. "We need to do it predictably and efficiently if we're going to make it secure, and if we're going to be able to support mission critical workloads. OpenFlow centralized control seemed the only viable way to do this from a technical perspective. We are all in on OpenFlow."
The hook is simplicity, Larish said. OpenFlow is key to allowing the NSA to spy on every aspect of its network to know as much about it as possible, so that behavior can be understood for better performance, predictability and easier operations.
Centralized control also enables the agency to enforce new demands on the network that would otherwise be mission impossible or at least very difficult, Larish says.
"Traffic engineering is kind of the canonical example, but there's some security things that we feel are more effective this way as well," he says.
NSA is deploying an OpenFlow SDN right now in its campus and branch offices, and data centers. In the campus, OpenFlow is deployed in a small section of the network for development.
The agency maintains a database of network inventory and configuration that the SDN controllers read and then pre-program flow rules into the devices. This alleviates learning and convergence when the configuration changes... if it changes, Larish says.
"There's no more learning in the network," he says. "There's no more, if something goes down there's no more learning, there's no more convergence in the network. All the changes are intentional and we're notified about them beforehand."
Sign up for MIS Asia eNewsletters.