Next-Generation Firewalls for Your SDN Network

Software-defined networking (SDN) is the new buzzword of 2013, as demonstrated by the number of startups that have proliferated in this space and the vendors that are positioning themselves in this new market. If you’re considering SDN for your network, I encourage you to check out my latest SecurityWeek article, where I describe the components of SDN and its architectural benefits.

In short, SDN is the physical separation of the control plane from the data plane, so that instead of each networking device independently forwarding packets to the next hop, the controls are centralized on “SDN controllers”. SDN networks therefore provide flexibility, programmability and simplicity to network operations, where traffic can be steered, optimized or customized without requiring physical wiring changes.

Where does security fit in an SDN network? We believe security correspondingly needs to be more dynamic, automated and programmable as well. The good news, if you have a Palo Alto Networks next-generation firewall, is that we already interoperate with SDN networks today. In an SDN network, SDN controllers can program our firewalls using our REST-based API, with dynamic address objects supporting dynamic redirection of traffic. While we don’t terminate or inspect VXLAN or NVGRE today, we depend on gateways like Arista switches to translate these protocols to VLANs for context. We demonstrated Arista integration as early as last year at our Ignite conference.

Have comments, or want to call out your own observations and experiences with SDN? Feel free to comment here or over at SecurityWeek.