4. HPE SDN vision and strategy
SDN provides programmable networks that rapidly align to business applications
Data center, campus
& branch automation
Open Standards
ecosystem
Reignite
innovation
Easily accessible
marketplace
Agility: Coexist with brownfield; Use case-led
Alignment: Platform for innovation; Automation & simplicity
5. Journey to Software-defined Networking
HP & Stanford collaborate and demo OpenFlow
HP Ships 30 Million SDN-Enabled Ports
& SDN Controller
Software-defined Networking
2007
2011
2015+
Solving the problems of the
New Style of IT
SDN is Now
Security Cloud Big Data Mobility Innovation
6. Defining Software-defined Networking
Open standard-based programmatic access to infrastructure
Infrastructure
Control
Application
Separate control and data plane; abstract control plane of many devices to one
Deliver open programmable interfaces to orchestrate network service automation
SDN Architecture
Source: opennetworking.org
7. Delivering the functions of an SDN architecture
Software-defined Network components
Infrastructure
Control
Application
Separate control and data plane; abstract control plane of many devices to one
Deliver open programmable interfaces to orchestrate network service automation
SDN Architecture
Open standard-based programmatic access to infrastructure
Network Device Network Device Network Device
Controller
Open Programmable Interface
Cloud
Orchestration
SDN
Applications
Open Programmable APIs
8. Virtual Application Networks SDN Controller
Infrastructure
SDN Architecture
Programmable network aligned to business objectives
Virtual Application Networks deliver automation, agility
Virtual Cloud
Network Protector
Load Balancing
Partner Apps
Network Optimizer
Converged Control
Design, Implementation and Support Services
Over 30 million ports across 50 Switches
10 Routers
VAN Network
Resource
Automation
Intelligent Management Center
VAN SDN
Manager
Management
Applications
Control
VAN Server Connect
VXLAN, NVGRE
10. Snapshot of Where We are Today
92 Members
Optimization, Security, Orchestration
Select SDN Customers
21 SDN Apps
11. Enabling real-time threat protection across enterprise networks
HPE Network Protector – Security
• Malware/Botnet/Spyware Protection
• IPS as a Service
• Security Sensors & Actions
TippingPoint
12. HP Network Protector – IPS Integration
Core
Distribution
Edge
Threat Management Center
(1M+ bad sites)
• Reputation (piratesmustdie.com) Malware
• Inspect all User traffic
Bad DNS Response
IPS
SDN Controller &
Network Protector
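The two preceding slides describe the architecture in the abstract: a data plane of switches, a controller that owns the control plane, and security "sensors and actions" (here, a reputation check on DNS responses) as an application on top. The following Python model is an added illustration and is not HPE Network Protector code or an OpenFlow implementation. It assumes a toy switch whose flow table punts unmatched packets to the controller, a constructed reputation list standing in for the Threat Management Center feed, and constructed DNS wire-format messages; the domain `piratesmustdie.com` is the one the slide uses, and all addresses are from documentation ranges.

```python
"""Toy model of an SDN security app in the Network Protector style.

Data plane: a switch with a flow table; unmatched packets go to the controller
("packet_in"). Control plane: a controller that inspects DNS responses, checks
the queried name against a reputation list and, for a bad name, drops the
response and installs a flow rule that drops traffic to the resolved address.
Added example, not HPE code; names, addresses and packets are constructed.
"""
import struct
from dataclasses import dataclass, field

# Constructed stand-in for the Threat Management Center reputation feed.
BAD_DOMAINS = {"piratesmustdie.com"}


def _read_name(msg: bytes, off: int):
    """Read a DNS name at offset `off`; handles one level of compression pointer."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            name, _ = _read_name(msg, ptr)
            return ".".join(labels + [name]), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_dns_response(msg: bytes):
    """Return (lower-cased query name, list of A-record IPs) for a single-question response."""
    _tid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a DNS response")
    qname, off = _read_name(msg, 12)
    off += 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        _name, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:  # A record
            ips.append(".".join(str(b) for b in rdata))
    return qname.lower(), ips


def build_dns_response(qname: str, ips, tid: int = 0x1234) -> bytes:
    """Construct a minimal DNS response (used only to fabricate demo traffic)."""
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", tid, 0x8180, 1, len(ips), 0, 0)
    answers = b""
    for ip in ips:
        rdata = bytes(int(x) for x in ip.split("."))
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + rdata  # name = pointer to question
    return header + question + struct.pack("!HH", 1, 1) + answers


@dataclass
class FlowRule:
    match: dict
    action: str  # "drop" or "forward"


@dataclass
class Switch:
    """Data plane: first matching rule wins; no match means punt to the controller."""
    flow_table: list = field(default_factory=list)

    def lookup(self, pkt: dict) -> str:
        for rule in self.flow_table:
            if all(pkt.get(k) == v for k, v in rule.match.items()):
                return rule.action
        return "packet_in"


class ProtectorController:
    """Control plane app: reputation check on DNS responses plus a blocking action."""

    def __init__(self, switch: Switch, bad_domains):
        self.switch, self.bad, self.events = switch, set(bad_domains), []

    def _is_bad(self, qname: str) -> bool:
        return any(qname == d or qname.endswith("." + d) for d in self.bad)

    def handle_packet_in(self, pkt: dict) -> str:
        if pkt.get("src_port") != 53:  # only DNS responses are inspected here
            return "forward"
        qname, ips = parse_dns_response(pkt["payload"])
        if self._is_bad(qname):
            for ip in ips:  # action: block the resolved address at the data plane
                self.switch.flow_table.insert(0, FlowRule({"dst_ip": ip}, "drop"))
            self.events.append(("blocked", qname, ips))
            return "drop"  # and drop the bad DNS response itself
        return "forward"


def process(switch: Switch, controller: ProtectorController, pkt: dict) -> str:
    action = switch.lookup(pkt)
    return controller.handle_packet_in(pkt) if action == "packet_in" else action


def demo():
    """A benign lookup, a bad lookup, then a connection to the bad resolved address."""
    sw = Switch()
    ctl = ProtectorController(sw, BAD_DOMAINS)
    good = {"src_port": 53, "payload": build_dns_response("example.com", ["203.0.113.10"])}
    bad = {"src_port": 53, "payload": build_dns_response("piratesmustdie.com", ["198.51.100.7"])}
    follow_up = {"dst_ip": "198.51.100.7", "dst_port": 80}
    return [process(sw, ctl, p) for p in (good, bad, follow_up)]


if __name__ == "__main__":
    print(demo())  # ['forward', 'drop', 'drop']
```

The point the model makes concrete is that only the first bad response costs a controller round trip; the installed flow rule lets the switch drop the follow-up connection on its own, which is the "abstract the control plane of many devices to one" idea from slide 6 applied to a security action.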
13. South Washington County
Network Protector SDN App
• Maintain a 31-site wired and wireless network serving over 30,000 users with 1 staff member
• Deploy in less than 1 hour
• Fraction of the cost: $200K vs $2 million of hardware
20. HPE VMware Network Virtualization (SDN) collaboration
Network virtualization solutions can run over any IP network, but app performance/reliability and service delivery rely on the underlying physical network.
VN = logical network services (L2/3, L4-7) connected to workloads
21. Problem: Data Center Network Security
Perimeter-centric network security has proven insufficient, and micro-segmentation is operationally infeasible
Little or no lateral controls inside perimeter
Internet Internet
Insufficient; Operationally Infeasible
+
22. Why traditional approaches are operationally infeasible…
Internet
Perimeter
Firewalls
• Create firewall rules before provisioning
• Update Firewall rules when move or change
• Delete firewall rules when app decommissioned
• Problem increases with more East-West traffic
+
23. VMware NSX makes micro-segmentation possible
Internet
Security Policy
Perimeter
Firewalls
Cloud
Management
Platform
+
Editor's Notes
Bullets:
Our vision for SDN is to create a programmable network that delivers business applications quickly
To offer agility for the network
As well as alignment for the network
It has to include consistent architecture across the enterprise: DC, campus and branch
It must be built on open standards that enable an open ecosystem, so that everybody can participate – partners, customers and developers
And that open ecosystem will reignite innovation for the networking industry (new apps)
And those innovations need to be easily accessible to customers in a new marketplace that enables new business models
Virtual application networks deliver automation and agility. We are the first in the market to have a complete portfolio for each layer of SDN architecture.
Phase 1: SDN Ready
Deploy: SDN-enabled networks
Benefits :
- Investment protection
- Open Standards
- Low risk
Phase 2: Hybrid SDN (now)
Deploy: Hybrid Mode SDN Networks
Benefits:
- Application aware network
- Reduced complexity
- Non disruptive
Phase 3: Native SDN
Deploy: End-to-end SDN Networks
Benefits:
- Fully programmable
- Highly automated
- Rapid innovation
Ballarat Grammar
The Bama Companies
Deltion College
Faculty of Science and Technology - Universidade Nova de Lisboa
Istanbul Kultur University
RMIT University
South Washington County Schools
The Via Group
UBM – InteropNet
Lancaster University – SDN Symposium
J. R. SIMPLOT
LOWNDES COUNTY SCHOOL DISTRICT
DREAMWORKS ANIMATION SKG
VICTORIA & ALBERT MUSEUM
TATA CONSULTANCY SERVICES
ADRIENNE CENTER FOR THE PERFOR
STICHTING DELTION COLLEGE
BDX FÖRETAGEN AB
AL MEHBAJ TRADING EST
KUWAIT AIRWAYS CORPORATION K.S.C.
KÜLTÜR ÜNIVERSITESI
TRANS-SYSTEM INC
LEVI STRAUSS & CO.
ENTEL S.A.
UNIVERSITY OF ST.FRANCIS
WORLDCOM EXCHANGE INC
FACHHOCHSCHULE DÜSSELDORF
SMART COMMUNICATIONS, INC.
With NSX, virtual networks are programmatically created, provisioned and managed, utilizing the underlying physical network as a simple packet forwarding backplane. Network and security services in software are distributed to hypervisors and “attached” to individual VMs in accordance with networking and security policies defined for each connected application. When a VM is moved to another host, its networking and security services move with it. And when new VMs are created to scale an application, the necessary policies are dynamically applied to those VMs as well.
It’s important to understand the challenge micro-segmentation solves, because it’s one that has been known but not solvable in reality until now.
If we look at all the well-publicized attacks over the last couple of years (Target, Home Depot, Sony and more), they all were different from a hacker code perspective, but they all had one thing in common: once the threat got through the perimeter defense, whether through the firewall or from the inside, there were little or no lateral controls to keep the threat from moving from server to server until it found what it was looking for and started pumping out credit card numbers or other private information.
Nirvana to most security teams is “micro-segmentation” or a “zero-trust” approach. However, even if your company can afford the capital expense for enough firewalls to deliver the throughput capacity required to achieve high-availability micro-segmentation for East-West traffic in your data center, the operational complexity of managing changes, VM movement, policy granularity and unsustainable policy table changes across all of these firewalls quickly becomes operationally infeasible.
It’s easy to understand why traditional approaches are operationally infeasible…
When packets leave the VM they must traverse the network to be evaluated and enforced at a chokepoint firewall. That means that when the VM was provisioned, someone had to write the rules and put them into the firewall, a time-consuming, error-prone process that slows down application provisioning. Then, if the VM ever moves, the firewall likely needs to be manually updated, and if the VM is deleted, the firewall should be manually updated to remove the rules for the deleted VM.
All combine to make this operationally infeasible at scale.
So how does an SDDC approach make it feasible?
We automate everything: when a VM is provisioned, its security policies are provisioned with it, so that when the packet leaves the VM, it is evaluated and enforced right at the virtual interface.
Then if the VM ever moves, the rules move with it, and if the VM is ever deleted, the rules are deleted with it. No human interaction; it’s all automated.