Turbo-Charged SDN Security

Several years ago, I was at a networking technology conference in Boston when a young lady came up and tapped me on the shoulder: “Mr. Chambers would like to see you in his suite,” she said. Now, if this had been any other type of event, I might have asked who Mr. Chambers was, but not here: I knew exactly who was requesting my presence – and for me, this was the geek equivalent of a high school football coach being summoned to the sidelines by Mr. Belichick.

So, I went to his suite, wondering if perhaps I’d said or done something wrong, only to be immediately calmed at the sight of my friend John Stewart, who was there with his boss. Mr. Chambers was super-gracious, and we immediately dove into the weeds on DDOS network security solutions, which is why I’d been asked to join the conversation. An hour or so later, I left, fully impressed that the famous CEO of such a major company could go deep technically.

The general nature of the conversation, as I recall, involved predicting where DDOS attacks were likely to go. The Cisco team was probably (accurately) telling their CEO that attacks were then rising to ridiculous volumes of one or two Gbps (yeah, I know). And I was summoned as a corroborating witness to this alarming claim. You all know how this unfolded: Modern DDOS attacks now just glance out the window at one or two Gbps, on their way to Tbps heights.

I had all this in mind as I engaged last week in a technical dive with a cool Canadian cyber security start-up called Corsa. The company markets high-performance hardware that enables a range of network security response, enforcement, and filtering solutions for modern software-defined network (SDN) infrastructure. The Corsa offering includes support for large, scalable DDOS security solutions, with bump-in-the-wire processing in the 10 to 100 Gbps range.

Carolyn Raab, Head of Marketing for Corsa, served as my tour guide to the Corsa offering. She was kind enough to dispense with the usual cyber tutorial pablum, jumping instead into the technical discussion. I must warn you that understanding Corsa requires some experience with high-end network infrastructure. I’ll do my best to help you learn (so please read on), but also recognize that this is not like AV for your PC. It is more challenging, but also more rewarding.

“We are a network security company building high-performance hardware,” Carolyn said. “The focus areas for our Red Armor platform include automated response, network mitigation, dynamic service chaining, and DDOS protection. We operate as a layer 2 transparent network device, which has the advantage of not introducing any new attack surface. But such invisibility implies that we must essentially be the wire, which explains the need for fast hardware.”

The most prominent aspect of the Corsa security solution involves automation. The typical modern network operator has already spent many tens of millions of dollars on their existing network security infrastructure, including next-generation tools such as SIEMs. Despite this investment, two security challenges exist for modern purveyors of network infrastructure: Minimizing slow manual controls, and maximizing flexible, virtualized SDN capability.

Corsa looks to have considered these two challenges, and has organized itself based on a pair of subtle mission-related decisions: First, it is clear to me that Corsa could be described as a networking company doing cyber security, or as a cyber security company doing networking. Setting aside the heartburn this causes the less-informed, such design is precisely what is required for security to be embedded in infrastructure. Secure networking is networking.

Second, Corsa could also be described as a hardware company supporting SDN, or alternatively as an SDN company supporting hardware. Again, such subtle design is indicative of the intimacy that will remain between hardware and software in a large-scale enterprise, government, or carrier environment. Certainly, in smaller environments, the prospects for customized hardware might be bleak – but the situation is different when dealing with 100 Gbps links.

I asked Carolyn about the prospects for managed security services based on the Corsa design, and she immediately jumped (as I expected) to dynamic service chain options. In case you are less familiar, the magic of SDN lies in its virtualization. This implies that when building the usual cyber gauntlet in front of an asset, rather than stacking hardware in data center racks, SDN supports API-based chains of virtual appliances, thus resulting in a slick software-based DMZ.

I also asked Carolyn about insertion of the Corsa hardware into the usual rat’s nest of security systems in the modern carrier: “We have spent a great deal of time integrating our solution with modern cyber security tools,” she replied. “This maintains enterprise investments in SecOps.” I was then treated to an impressive display of either existing or hopeful partner logos, including tools such as NIKSUN with software fast enough to keep up with the Corsa appliance.

We spent some time during our discussion in violent agreement on the obvious suitability of the Corsa hardware for bump-in-the-wire security protection and orchestration at carrier, enterprise, and cloud peering points. If I ever worked for a major ISP (ahem), I’d certainly consider the amazing possibilities of the Corsa high-performance hardware for security policy orchestration on high-capacity peering links. The add-on revenue possibilities are attractive.

For DDOS protection, Corsa has opted to peek up into L3/L4 flow for fast conventional filtering of packet volume attacks. In fact, their appliance creates the option to rapidly construct scrubbing centers for more organizations. (I guess it was only a matter of time before scrubbing development would succumb to DevOps.) The Corsa diagrams I reviewed showed integration of their hardware with third-party application-level filtering solutions, which seems appropriate.

I know that many of you might be less familiar with the plumbing of larger networks, including carrier infrastructure. But it is worth taking the time (as you have if you’ve made it this far in my article) to develop a better feel for what is going on at this level. It makes you a better buyer and user of large-scale network services. But if you work each day in the exciting context of massively large networks with high capacity, then you’d be nuts not to spend time with Corsa.

Give them a call, and please let us all know what you learn.