Big Switch Networks has a really neat security feature that just happens to be part of their monitoring platform, Big Switch Monitoring. In fact, they only really have two products, but when I look at it, there are certainly more possibilities.
Let’s begin with what we know…
While it’s a bit grainy because I took the screenshot from the Vimeo video, it’s not hard to understand what’s going on here. This is a standard Internet/DMZ architecture with an inline firewall, IPS, and web proxy. So what’s the big deal?
- You can’t mess with it.
- It’s not easy to migrate to new firewalls or a new vendor’s equipment.
So what’s the answer? Big Switch and Big Monitoring Inline Mode. How so, you ask? Service chaining!
Now take a look at the following architecture with Big Monitoring Inline mode.
So let’s address number 1.
You Can’t Mess With The Production Appliances
With service chaining in this configuration, you can configure each of these appliances to fail open, so traffic bypasses an appliance that goes down instead of being dropped. Now there’s not as much concern about what’s going to happen to traffic if you have to start messing with one of these appliances.
It’s Not Easy To Migrate To New Firewalls Or A New Vendor’s Equipment
Migration to a new firewall, or even to a new firewall from a new vendor, can be hard. Since you have the granularity to direct specific flows through the chain, you can easily do this by adding the new systems, directing some of the traffic over the new path, and then moving the rest over later on once you know it’s all good. Yeah, pretty simple.
So Much More
There is so much more, and I know this is brief. You really should go watch the entire video to gain a better understanding of what you can do. Looking back on the presentation from Big Switch at NFD11, I must say I was impressed. I’m sure you’ll agree as well.