The Open Source SDN Distro That Keeps Microsoft’s WiFi Secure


In case you didn’t know, “Microsoft IT is big,” according to Brent Hermanson, who leads the Network Infrastructure Services group for Microsoft IT. In a keynote presentation at OpenDaylight Summit in September, Hermanson noted that Microsoft IT has users and locations all over the globe. Until recently they ran the corporate network the traditional way; now they want to modernize that legacy. The need for a corporate network inside each building has largely evaporated: 70 percent of wired network ports are now unused.

Microsoft has adopted a “Wireless First” approach along with an “Internet First” approach to their IT investments. The Wireless First approach centers on WiFi, with the driving concern that a user in a Microsoft building should be more secure than at the local coffee shop, given that the workload is in the cloud either way. The Internet First approach raises the key question of how to maintain QoS and ensure security once the default path is the public Internet. With more and more workloads in the cloud, their new default is that everything goes to the Internet. Their corporate intranet is reserved for applications, such as Skype, that require QoS and security. This approach, Hermanson noted, has produced an estimated cost saving of 50 percent.

Yet, Hermanson continued, it is a “huge cultural change” for the processes they have built up to secure their data, manage their identity, and enforce data loss prevention. The way they view it, the corporate network becomes the IT data center and office locations are just on the Internet. As they “aggressively move workloads to Azure,” he said, “they need to aggressively move users to an Internet optimized path.”

Gert Vanderstraeten, Network Architect at Microsoft, did note that “not all traffic gets dumped on the Internet.” He said that Skype for Business requires QoS and High Business Impact (HBI) information requires security, neither of which you will get on the Internet. Thus the default is Internet first, with these noted exceptions, which go to the corporate WAN where they have a better chance of QoS and security.

There are many ways to mark traffic, Vanderstraeten said. A method they tried was marking based on known UDP port numbers. This worked great until employees figured out how to spoof the port number, making their traffic always high priority. Next, they added DPI (Deep Packet Inspection). This worked even better — about 75 percent of the time — but the move to encrypting everything dampened this approach, since an inspector that matches on payload has nothing to match once the payload is ciphertext.
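To make the two failure modes concrete, the following is an added illustration, not code from the talk or from Microsoft IT: a port-based marker and a payload-signature (DPI) marker are run over constructed packets. The packet records, the “voice” UDP port range, the DPI signature and the toy SHA-256 keystream cipher are all assumptions made for this example; they stand in for whatever the real policy and media encryption used.

```python
"""Why port-based and DPI-based QoS marking both fall over.

Added illustration, not code from the talk or from Microsoft IT. The packet
records, the 'voice' UDP port range, the DPI signature and the toy stream
cipher are all constructed for this example.
"""
import hashlib
from dataclasses import dataclass


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int
    payload: bytes


# Constructed: the UDP port range a port-based policy treats as voice/video media.
VOICE_UDP_PORTS = range(50000, 50020)

# Constructed DPI signature: a plaintext marker the inspector expects in media payloads.
DPI_SIGNATURE = b"RTP/AVP"


def mark_by_port(pkt: Packet) -> str:
    """Assign a DSCP class from UDP port numbers alone.

    Anything the sender can put in the header, the sender can spoof.
    """
    if pkt.proto == "udp" and (
        pkt.src_port in VOICE_UDP_PORTS or pkt.dst_port in VOICE_UDP_PORTS
    ):
        return "EF"  # expedited forwarding
    return "BE"  # best effort


def mark_by_dpi(pkt: Packet) -> str:
    """Assign a DSCP class by looking for a protocol signature in the payload."""
    return "EF" if DPI_SIGNATURE in pkt.payload else "BE"


def keystream(key: bytes, length: int) -> bytes:
    """Deterministic keystream from SHA-256 counter blocks (toy, not a real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(payload: bytes, key: bytes) -> bytes:
    """Stand-in for SRTP/TLS: once the media is encrypted, no plaintext signature
    survives for the DPI engine to match. XOR with the keystream, so the same call decrypts."""
    return bytes(p ^ k for p, k in zip(payload, keystream(key, len(payload))))


def classify_samples() -> dict:
    """Run both markers over constructed packets and return the classes they assign."""
    legit = Packet("10.1.4.20", "52.112.0.10", "udp", 50002, 50010, b"RTP/AVP audio frame")
    # Attacker: a bulk transfer relabelled with a 'voice' port number.
    spoofed = Packet("10.1.4.99", "203.0.113.7", "udp", 50003, 50011, b"GET /big.iso")
    # The same legitimate call after the client started encrypting its media.
    encrypted = Packet(legit.src_ip, legit.dst_ip, "udp", legit.src_port,
                       legit.dst_port, encrypt(legit.payload, b"constructed-session-key"))
    return {
        "port": {"legit": mark_by_port(legit), "spoofed": mark_by_port(spoofed)},
        "dpi": {"legit": mark_by_dpi(legit), "spoofed": mark_by_dpi(spoofed),
                "encrypted": mark_by_dpi(encrypted)},
    }


if __name__ == "__main__":
    for method, results in classify_samples().items():
        print(method, results)
```

The port marker hands the spoofed download the same EF class as the real call; the DPI marker rejects the spoof but also loses the legitimate call as soon as its media is encrypted. Neither property is fixable by tuning: the first trusts a header field the sender controls, the second needs plaintext the sender has every reason to withhold.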

Dr. Bithika Khargharia, a principal solutions architect at Extreme Networks and director of product and community management at the Open Networking Foundation (ONF), then elaborated on the new approach by discussing a project called Atrium Enterprise. Atrium Enterprise is an open source SDN distribution based on OpenDaylight (ODL) with an integrated unified communications and collaboration application. It runs on Atrium partner hardware, according to Khargharia.

“In phase 2, what they are essentially providing is a VNF, a virtual network function,” she said. Skype communicates the 5-tuple of each call to the ODL SDN controller, which then tells the VNF that this flow is Skype traffic and how to handle it. The network no longer has to infer the class from port numbers or payload, so the classification survives encryption, and a spoofed port number alone does not earn priority. The VNF sits behind the building’s router at what Vanderstraeten also refers to as the “Decision Point.”
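The following is an added model of that decision point, not Atrium, ODL or Microsoft code: the UC application registers a call’s 5-tuple with a controller, the controller programs a flow entry into the VNF, and the VNF classifies packets only against installed entries. The talk does not say how the Skype-to-controller signalling is authenticated, so the HMAC ticket, the replay window, the flow TTL and the sample 5-tuples are all assumptions made for this example.

```python
"""Decision-point model: the application, not the packet, tells the network what is Skype.

Added illustration, not Atrium, ODL or Microsoft code. The registration
message, its HMAC ticket, the flow-table TTL and the sample 5-tuples are
constructed assumptions.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass(frozen=True)
class FiveTuple:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int


@dataclass
class Vnf:
    """The VNF behind the building router: matches on installed 5-tuples only."""
    flows: dict = field(default_factory=dict)

    def install(self, ft: FiveTuple, dscp: str, expires: int) -> None:
        self.flows[ft] = (dscp, expires)

    def classify(self, ft: FiveTuple, now: int) -> str:
        entry = self.flows.get(ft)
        if entry is not None and now < entry[1]:
            return entry[0]
        return "BE"  # unknown or expired flow: best effort, whatever its port numbers


def registration_mac(secret: bytes, ft: FiveTuple, dscp: str, issued_at: int) -> str:
    """Ticket the UC application attaches to a 5-tuple registration (assumed scheme,
    keyed with a secret shared between the application and the controller)."""
    msg = f"{ft.src_ip}|{ft.dst_ip}|{ft.proto}|{ft.src_port}|{ft.dst_port}|{dscp}|{issued_at}"
    return hmac.new(secret, msg.encode(), hashlib.sha256).hexdigest()


class Controller:
    """Stand-in for the SDN controller: validates registrations, programs the VNF."""

    def __init__(self, secret: bytes, vnf: Vnf, ttl: int = 300, max_skew: int = 30):
        self.secret, self.vnf, self.ttl, self.max_skew = secret, vnf, ttl, max_skew

    def register(self, ft: FiveTuple, dscp: str, issued_at: int, mac: str, now: int) -> bool:
        if not hmac.compare_digest(registration_mac(self.secret, ft, dscp, issued_at), mac):
            return False  # not signed by the UC application
        if abs(now - issued_at) > self.max_skew:
            return False  # stale or replayed registration
        self.vnf.install(ft, dscp, expires=now + self.ttl)
        return True


def run_scenario() -> dict:
    """Constructed scenario: one real call, one impostor reusing its ports, one forged ticket."""
    secret = b"constructed-shared-secret"
    vnf = Vnf()
    ctrl = Controller(secret, vnf, ttl=300)
    now = 1_000_000

    call = FiveTuple("10.1.4.20", "52.112.0.10", "udp", 50002, 50010)
    registered = ctrl.register(call, "EF", now, registration_mac(secret, call, "EF", now), now)

    # Attacker reuses the same port numbers from another host: no matching flow entry.
    impostor = FiveTuple("10.1.4.99", "203.0.113.7", "udp", 50002, 50010)
    # Attacker also tries to register that flow without the secret.
    forged_accepted = ctrl.register(impostor, "EF", now, "00" * 32, now)

    return {
        "registered": registered,
        "forged_accepted": forged_accepted,
        "call_class": vnf.classify(call, now + 10),
        "impostor_class": vnf.classify(impostor, now + 10),
        "call_class_after_ttl": vnf.classify(call, now + 301),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The priority decision now rests on the application’s signalled 5-tuple rather than on anything inside the packet, so it keeps working when the media is encrypted, and a host that merely copies the port numbers gets best effort. The caveat is that the registration path becomes the thing to protect: a compromised endpoint that can produce valid registrations can still buy itself priority, which is why the ticket is bound to the full 5-tuple and the entry expires.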

Khargharia noted they are looking at the use case of Unified Communications (Skype) in the cloud serving enterprises, with one or more service providers (SPs) providing connectivity between them. They are interested in an end-to-end solution where Skype, for example, communicates its requirements to both the enterprise cloud and to the SP’s cloud. In her example, the enterprise could be ODL-based and the SP could be ONOS-based. The requisite APIs would be SDN-controller-independent to allow this end-to-end signaling.