NSA uses OpenFlow for tracking... its network

Spy agency uses SDN to keep tabs on IT inventory, simplify operations

SANTA CLARA -- Just as the industry is becoming more comfortable with SDNs, the NSA says it’s using them too.

The embattled National Security Agency, which has been surreptitiously collecting phone records on all of us for many years as part of a secret surveillance operation, is implementing an OpenFlow SDN for its own internal operations. No mention was made of whether an OpenFlow SDN also supports the agency’s surveillance operations – it’s doubtful the NSA would open up on the underpinnings of its spy network.

But internally, the agency faces the same issues any large enterprise IT shop faces: do more, faster and at less cost with fewer people. And with a lot of oversight.

“When you operate in a large organization, the bureaucracy is astounding,” says Bryan Larish, NSA technical director for enterprise connectivity and specialized IT services, who spoke at this week’s Open Network Summit. “This is actually a really big problem. The technology, quite frankly, is the easy part. It’s how do we change the culture, how do we affect this massive machinery to make a move in a new direction.”


As the agency’s IT department grapples with that, one thing is for sure: centralization with OpenFlow is key to its network operations. The reason for this is… wait for it… control.

“We as an enterprise need to be able to control our network,” Larish says. “We need to do it predictably and efficiently if we’re going to make it secure, and if we’re going to be able to support mission critical workloads. OpenFlow centralized control seemed the only viable way to do this from a technical perspective. We are all in on OpenFlow.”

The hook is simplicity, Larish said. OpenFlow is key to allowing the NSA to spy on every aspect of its network to know as much about it as possible, so that behavior can be understood for better performance, predictability and easier operations.

Centralized control also enables the agency to enforce new demands on the network that would otherwise be mission impossible or at least very difficult, Larish says.

“Traffic engineering is kind of the canonical example, but there’s some security things that we feel are more effective this way as well,” he says.

NSA is deploying an OpenFlow SDN right now in its campus and branch offices, and data centers. In the campus, OpenFlow is deployed in a small section of the network for development.

The agency maintains a database of network inventory and configuration that the SDN controllers read and then pre-program flow rules into the devices. This alleviates learning and convergence when the configuration changes… if it changes, Larish says.

“There’s no more learning in the network,” he says. “There’s no more, if something goes down there’s no more learning, there’s no more convergence in the network. All the changes are intentional and we’re notified about them beforehand.”
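The inventory-driven, pre-programmed flow rules Larish describes, as an added illustration that is not the NSA's code or Ryu's: a constructed inventory is compiled into per-switch OpenFlow-style tables (match on destination MAC, output port) before any traffic flows, and because nothing is learned, any packet-in the controller does receive is classified as a deviation worth investigating. The topology, MAC addresses and rule format are assumptions.

```python
from collections import deque

# Constructed sample inventory (not NSA data): switch-to-switch links keyed by
# (switch, port), and host MACs pinned to the switch/port they are cabled into.
INVENTORY = {
    "links": {("s1", 1): ("s2", 1), ("s2", 2): ("s3", 1)},
    "hosts": {"aa:00:00:00:00:01": ("s1", 2), "aa:00:00:00:00:02": ("s3", 2)},
}

def adjacency(inv):
    """Undirected switch graph: switch -> {neighbour: local port toward it}."""
    adj = {}
    for (a, pa), (b, pb) in inv["links"].items():
        adj.setdefault(a, {})[b] = pa
        adj.setdefault(b, {})[a] = pb
    for sw, _ in inv["hosts"].values():
        adj.setdefault(sw, {})
    return adj

def compile_flows(inv):
    """Build every switch's flow table from inventory alone, before any packet flows."""
    adj = adjacency(inv)
    tables = {sw: [] for sw in adj}
    for mac, (edge_sw, edge_port) in inv["hosts"].items():
        # BFS from the host's edge switch: which neighbour each switch forwards toward.
        toward, queue = {edge_sw: None}, deque([edge_sw])
        while queue:
            cur = queue.popleft()
            for nb in adj[cur]:
                if nb not in toward:
                    toward[nb] = cur
                    queue.append(nb)
        for sw, nxt in toward.items():
            out_port = edge_port if nxt is None else adj[sw][nxt]
            tables[sw].append({"match": {"eth_dst": mac},
                               "actions": [("output", out_port)], "priority": 100})
    # Lowest-priority catch-all drops unknown traffic instead of punting it to the controller.
    for rules in tables.values():
        rules.append({"match": {}, "actions": [], "priority": 0})
    return tables

def classify_packet_in(inv, switch, port, src_mac):
    """With proactive tables no packet-in is expected; label any that arrives."""
    expected = inv["hosts"].get(src_mac)
    if expected is None:
        return "unknown-host"      # a device that is not in the inventory
    if expected != (switch, port):
        return "moved-host"        # known MAC seen on an uninventoried port
    return "unexpected"            # known host, right port: a rule is missing
```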

The NSA is using NTT’s Ryu SDN controller. Larish says it’s a few thousand lines of Python code that’s easy to learn, understand, deploy and troubleshoot.

“We’re not just about the new technology,” Larish says. “We’re also looking at how does this change how we do business, how we operate.”

Still, bureaucracy threatens that pace of change. NSA had the OpenFlow SDN developed and ready to deploy a year ago.

“We wanted to then expand the deployments to get more lessons learned,” Larish says. “It takes eight months to order hardware. You have an entire organization where the culture, they don’t want to do something new – that’s maybe unfair. But the culture has been not to embrace change. So it’s been a year of fighting government processes and culture to actually get the technology deployed that’s been working, no problem.”

In the data center, the NSA runs some “very large” Hadoop data centers with a service similar to Amazon Web Services’ S3 file storage. As with the campus SDN, the NSA plugs a controller into an inventory database to configure the network in a predictable and deterministic way, so that when something breaks it is easy to isolate it and find out why.

The NSA also has OpenStack data centers where the complexity and dynamic nature of those clouds is prompting the agency to look at commercially available products to aid in the integration task.

“In this brave new world, what role do we want as the enterprise?” Larish asks. “Do I want to be a purchaser of building blocks and do the integration myself? Or do I want to buy an end-to-end solution from somebody? The great thing from my perspective is that this new business model, this new openness, gives us the opportunity to explore those trade spaces, where in the past I only had one option.”

Next up will be the NSA WAN and software-defined exchanges, peering points with other government agencies, Larish says. He’s evaluating the Open Networking Foundation’s Atrium open source distribution for one of those use cases.

“This is a wonderful opportunity to implement new capabilities and change how we do business,” he says.

A big part of that is sharing experiences through communities like ONS and the Open Networking User Group, Larish says. Opening up and sharing experiences might run against the NSA’s grain, though, he admits.

“For me, this is an exciting thing,” Larish says. “I think it makes a lot of people at NSA nervous because for such a long time we were not very open about what we did. But in this new world, from an IT perspective, we have no business advantage, no competitive advantage – nothing but our best interests to partner with folks that are doing this.”

NSA even has a GitHub page called Open Network Operations Platform where SDN code will be published.

“I was shocked that we got this approved,” Larish said.

It signals a mindset change at the NSA.

“It’s really exciting times for us,” Larish says. “It’s really shaking things up. Our leadership has made the comment that they’ve never seen this level of enthusiasm and excitement in the enterprise IT group. We actually have new people coming in, fresh faces, fresh ideas, where if you went back two years, any person in the NSA avoided the enterprise IT group like the plague. So it’s an exciting time. I think it’s great to be in the enterprise.”


Copyright © 2015 IDG Communications, Inc.