Juniper: Quick look at security strategy behind its SDN controller security

Q&A with Juniper's product development execs on the security strategy behind its software defined network Contrail controller


Chris Hoff (left), vice president of strategic planning, security business unit at Juniper Networks; photo of Jennifer Lin, senior director of product management, Juniper Networks

Juniper Networks in September made its software-defined network (SDN) controller known as Contrail generally available. Network World Senior Editor Ellen Messmer delves into the security strategy behind the Contrail controller in a discussion with Juniper's Senior Director of Product Management Jennifer Lin, and Chris Hoff, vice president of strategic planning in the security business unit at Juniper.

What would Juniper customers gain in moving to Juniper’s SDN?

Hoff: With SDN, you’re moving the control plane outside the box. When you move the control plane, you have network function virtualization. With SDN, you implement and add additional services, Layer 4 and above, to program a set of network or security devices to interact with other networks and services. In the past, we’ve stacked physical boxes on top of each other on cable. It’s fundamentally a new model.

Lin: We’re leveraging Border Gateway Protocol (BGP) as the control plane. In our SDN strategy, we try hard to abstract the network as a service. It’s to take advantage in the cloud, to spin up a new revenue-generating service in software, free from physical restraints of boxes. For example, Google, Facebook and Amazon are mostly using BGP in their data centers for highly distributed workloads.

+ MORE ON NETWORK WORLD: Juniper EVP Muglia abruptly quits

Juniper’s Contrail makes it “frenemies’ with VMware +

So what are some of the security implications in this type of SDN?

Hoff: If the control plane gives me access to all switches, all routers, all firewalls, it could wipe out everything! But the goal of SDN is better security that’s more automated and faster, a catalog of security services that can chain in ways.

Lin: The main point is they still have need for compliance and security policies, set policies for different tenant groups.

So what’s the Contrail security model?

Lin: With the Controller, we can insert service chaining, a virtual SRX. There’s the notion of the service template in the Contrail UI — firewall as a service, NAC [network access control] as a service, [anti-distributed denial of service] as a service. You create a secure instance. For a virtual firewall service, you apply an image. Before, you were locked into a physical VLAN architecture.

Hoff: Service chaining isn’t linked to software instantiation, there’s nothing precluding you service chaining to hardware. For us, this is a way of integrating software and hardware. Part of the Juniper SDN strategy is some things won’t be done in software.

So how proprietary is this?

Lin: We’ve been accused of being proprietary and closed. But we put Contrail into open source.

Hoff: We took our SDN system and open sourced it, in order to build and extend the platform.

Some of the SDN security ideas you’ve presented are similar to those from VMware, such as its NSX initiative for security. Do you regard Juniper as competing with VMware in this regard?

Lin: From an overlay perspective, they’re similar. But Juniper also announced a partnership with VMware in the last few months.

Hoff: VMware is the dominant player in virtualization for large enterprises, but operationally, they need the support in underlying switch and router capability. Juniper signed up to support NSX.

So what is the adoption of Contrail now?

Lin: About 30 customers are validating the technology.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail:

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2013 IDG Communications, Inc.