Customs and Border Protection would like to spin up virtual machines as needed, but network provisioning could create a bottleneck. Chief Technology Officer Wolf Tombe hopes software-defined networking meets the challenge.

Agencies Warm to Software-Defined Networking

The innovative approach to network communication can ease management and lower costs.

As one of the top generators of federal revenue, U.S. Customs and Border Protection puts a heavy load on its financial management systems, particularly when it closes its books each year. "We've built for those peaks of about two months, and we're paying for that year-round," says CBP Chief Technology Officer Wolf Tombe. "That can be a very expensive proposition."

Ideally, CBP would move the system to its private cloud, which could provision new virtual machines to handle the annual uptick. "The problem is that when those new VMs are brought online, there's no network connectivity to them," explains Tombe. "I would have to manually submit a change request to get network connectivity, which often takes days, if not longer, defeating the whole purpose of elasticity built into the cloud."

Tombe hopes the power of software-defined networking (SDN) can solve that problem. With SDN, which separates the data and control planes of network systems and uses a centralized software-based controller to configure and manage the entire network, CBP could create policies that automatically boost network capacity as the demand on applications surges and return it to its lower level — and price — when utilization drops off.

"That's the goal," he says. And he plans to spend the next year and a half researching and testing SDN to make sure it meets existing network requirements for performance, security and uptime, and delivers on its promise of automating network deployments.

But the ability to create instant networks is just one of the benefits of SDN. Several federal agencies are exploring the technology to help streamline data centers, collaborate on Big Data projects and more.

"SDN is still very much an emerging technology. It's evolving as we speak," says Tombe. "But I think it has the potential to be of use across the government and, frankly, across industry."

What Can SDN Do?

The Interior Department is looking to SDN to help in its transition to a shared-services model by centralizing and simplifying management of its diverse, far-reaching and fast-changing networks, points out Tim Quinn, Interior's chief of program assessment and optimization in the Office of the CIO. The agency, which is in the midst of massive data center consolidation, virtualization and cloud migration projects, is also exploring SDN to allocate priority to the cloud and prevent malware.

"I don't think we've scratched the surface on what this can do for us," Quinn says. "SDN will fundamentally change how IT is delivered and utilized."

One of the biggest challenges for any organization exploring SDN is getting people to understand its potential, notes Joe Skorupa, vice president at Gartner.

"Network virtualization or automated configuration might be the first thing you need, but you shouldn't buy into something that prevents you from ever getting past that," he adds. "It's a small subset of what SDN can do."

By separating the control plane from the data plane, SDN gives management applications a simplified picture of the network. In a traditional environment, the devices talk to one another, but there's no central controller that understands what's happening across the entire network. SDN offers that centralized view, plus remote management of physical and virtual switches and routers.

500 million: The number of acres managed by the Interior Department, which is exploring SDN to help manage its networks across that territory

SOURCE: Interior Department

"There's obviously a lot of manpower involved in having to go out and physically touch routers or replace equipment," says Tombe of the shortcomings of traditional networking.

On the other hand, with SDN, the network can be as agile and scalable as the rest of the infrastructure. "It used to take two months to provision a server. Today, you can install a virtual server in a couple of hours," Skorupa explains. "It used to take two weeks to configure the network — minimum — and it still takes two weeks." SDN changes that.

It can also lead to greater innovation, Skorupa says. Because SDN moves the intelligence from the switches and routers to the controller, users don't have to wait for new features from hardware vendors because third parties can write value-added control applications independently.

The concept of a programmable network controlled from a central location can also improve availability. With traditional networks, admins must sit at consoles and type commands into individual boxes. "I don't care how good your typing is," Skorupa says, "if you've got to type in several hundred commands, your chance of getting that correct on every box everywhere in the data center is slim."

The potential for cost savings is another advantage, says Tombe. "One of the value propositions is the ability to be more efficient in deploying our networks — and, frankly, to save money by lowering the costs of deploying networks," he says.

Do It Yourself

The Energy Sciences Network (ESnet) is among the first federal networks to actually use SDN. It provides networking infrastructure to all Energy Department labs, sites and facilities, including those that perform open-science research, connecting scientists who generate, share and analyze petabytes of data.

"Network needs have increased exponentially over the years," explains Inder Monga, chief technologist and area lead for network engineering, tools and research at ESnet. "It's almost doubling every 18 months. We need to develop new ways of networking that are not human-intensive, that we can automate."

SDN technologies are still maturing, Monga admits, so using them requires creativity and an innovative philosophy. "It's a do-it-yourself kind of movement," he says. "We need to see what it is capable of."

ESnet has led that DIY push. Since 2011, it has been demonstrating tools that employ the principles of SDN. For instance, one demonstration uses OpenFlow, the communications protocol standard for SDN, for detecting and routing large data flows to the optical transport layer in order to avoid bottlenecks in the network.

Although many agencies have been monitoring ESnet's work, Monga suggests they start with small SDN projects of their own. "Get your hands dirty," he says. "You can't realize the power of the technology until you actually try it."

Interior Motives

The Interior Department sees the potential of SDN to manage its vast resources. It has 70,000 employees in 2,400 locations. Its bureaus and offices have many missions, and employees' work can change in a flash. If a wildfire breaks out, for instance, an archaeologist may turn into a line supervisor leading a crew of 20 people. As roles shift, so do the applications supporting them.

"The way we manage networks today is very dependent on IT support. With SDN, traffic could be automatically switched to a load balancer when applications see spikes in demand," Quinn explains. "I see this as unwiring yourself. You're using software to enable commodity services much more."

Quinn expects SDN to help Interior quickly provision new private networks that meet necessary quality of service requirements to expand the use of mobile technologies in remote areas. In addition, he believes the Interior Department could use SDN to remotely manage the local area networks of its 600 small offices, where fewer than a dozen employees work, eliminating the need for dedicated IT staff in those locations. SDN could also provide a more unified way for employees to connect to the network. "Imagine being routed to your data based on your identity, not your network location," says Quinn.

Finally, Interior is looking at SDN to improve network security, Quinn adds. The department currently secures the gateways of its wide area network, but with SDN, it could push out policies throughout the network to identify malware and either move it through its investigative tools or simply drop the suspect packets.

Quinn acknowledges there are challenges to implementing SDN. But, he says, "The excitement over this technology — it's like wildfire."

Khue Bui
Apr 21 2014