Using SDN to secure the campusHewlett Packard EnterpriseEugene BergerHPE Aruba CTO, UK&I@Eugatwork

Cloud and Datacenter Leader

Leadership in both SMB & enterprise

networkingLeading the Mobility

and Campus Enterprise

HPE and Aruba – Better Together

HPE SDN vision and strategy

SDN provides programmable networks that rapidly aligns to business applications

Data center, campus& branch automation

Open Standards ecosystem

Reigniteinnovation

Easily accessible marketplace

Agility Alignment

Coexist with brownfield Platform for innovation

Use case-led Automation & simplicity

Journey to Software-defined Networking

HP & Stanford collaborate and demo OpenFlow

HP Ships 30 Million SDN-Enabled Ports& SDN Controller

Software-defined Networking

2007

2011

2015+Solving the problems of the New Style of IT

SDN is NowSecurity Cloud Big Data Mobility Innovation

Defining Software-defined Networking

Open standard-based programmatic access to infrastructureInfrastructure

Control

Application

Separate control and data plane; abstract control plane of many devices to one

Deliver open programmable interfaces to orchestrate network service automation

SD

N A

rchi

tect

ure

Source: opennetworking.org

Delivering the functions of an SDN architecture

Software-defined Network components

Infrastructure

Control

Application

Separate control and data plane; abstract control plane of many devices to one

Deliver open programmable interfaces to orchestrate network service automation

SD

N A

rchi

tect

ure

Open standard-based programmatic access to infrastructureNetwork Device Network Device Network Device

Controller

Open Programmable Interface

Cloud Orchestration

SDN Applications

Open Programmable APIs

Virtual Application Networks SDN Controller

Infrastructure

SD

N A

rchi

tect

ure

Programmable network aligned to business objectives

Virtual Application Networks deliver automation, agility

Virtual Cloud

Network Protector

Load Balancing

Partner Apps

Network Optimizer

ConvergedControl Design Implementation

and Support Services

Over 30 million ports across 50 Switches10 Routers

VAN Network Resource

Automation

Inte

llige

nt

Man

agem

ent C

ente

r

VAN SDN ManagerManagement

Applications

Control

VAN Server Connect

VXLAN, NVGRE

Phase 1SDN Ready

Phase 2Hybrid SDN

Phase 3Native SDN

Investment protectionOpen standardsLow risk

Application aware network Reduced complexity Non disruptive

Fully programmableHighly automated Rapid innovation

Risk-free SDN Deployment

Snapshot of Where We are Today

92 Members

Optimization Security Orchestration

Select SDN Customers

21 SDN Apps

Enabling real-time threat protection across enterprise networks

HPE Network Protector – Security

• Malware/Botnet/ Spyware Protection

• IPS as a Service

• Security Sensors

& Actions

TippingPoint

HP Network Protector – IPS Integration

Core

Distribution

Edge

Threat Management Center(1M+ bad sites)

OpenFlow (Redirect all traffic to

IPS)

• Reputation(piratesmustdie.com) Malware• Inspect all User traffic

Bad DNS Response

IPS

SDN Controller &Network Protector

South Washington County

Network Protector SDN App

• Maintain 31-site wired and wireless network serving over 30,000 users with 1 staff member

• Deploy in less than 1 hour• Fraction of the cost, $200K vs $2million of

hardware

Roseville – R&D Protector

Roseville – R&D Protector

SDN: Knowing the context vs guessing - Clearpass

Traditional Network ‘guessing’ User/Application Directed

??

Traffic ClassificationIdentity InferenceContext InferenceTelemetry

Inferred Network Policy Inferred Action

AppUser

Traffic ClassificationTelemetry

Network Policy Coordinated Action

IdentityEvent ContextService Request

CLEARPASS

SDN Customer References

SDN Customer References Brochure

18

Thank you

19CONFIDENTIAL © Copyright 2015. Aruba Networks, an HP company. All rights reserved.

Network Optimizer Customers

SDN Customer References Brochure

HPE VMware Network Virtualization (SDN) collaboration

Network virtualization solutions can run over any IP network, but app performance/reliability and service delivery rely on underlying physical network.

VN = logical network services L2/3, L4-7 - connected to workloads

Problem: Data Center Network SecurityPerimeter-centric network security has proven insufficient, and micro-segmentation is operationally infeasible

Little or nolateral controls

inside perimeter

Internet Internet

Insufficient OperationallyInfeasible

+

Why traditional approaches are operationally infeasible…

Internet

Hypervisor

Physical Host

VM VM

vSwitchHypervisor

Physical Host

vSwitch

VM VM

Perimeter Firewalls

• Create firewall rules before provisioning• Update Firewall rules when move or change• Delete firewall rules when app decommissioned• Problem increases with more East-West traffic

+

VMware NSX makes micro-segmentation possible

Internet

Hypervisor

Physical Host

VM VMVM

vSwitchHypervisor

Physical Host

vSwitch

VM VMVM

Security Policy

Perimeter Firewalls

VM

CloudManagement

Platform

+