NIA: Saisei's FlowCommand SDN appliance secures network flows
Saisei, our latest Network Innovation Award winner, uses its FlowCommand virtual SDN appliance to control network flows and prevent individual users from hogging bandwidth.
This month's winner of SearchNetworking's Network Innovation Award is Saisei, based in Sunnyvale, Calif. The software-defined networking (SDN) startup focuses on network visibility and control, using a flow-based approach to optimize links and eliminate packet queuing. The company's flagship product -- a Linux software suite called FlowCommand -- manages, analyzes and secures network flows.
Saisei said FlowCommand, which operates on x86 processors and white box hardware, also enforces bandwidth allocation policies -- ensuring users are not consuming a disproportionate percentage of available bandwidth. Users can also prioritize critical applications.
To get a sense of what else FlowCommand has to offer, SearchSDN Site Editor Alissa Irei spoke with Jeff Paine, Saisei's vice president of marketing and business development.
What problem does FlowCommand address?
Jeff Paine: FlowCommand set out to address a number of problems, but primarily the radical growth of traffic. You're seeing a decreasing user experience -- we're all getting used to spinning wheels and spinning beach balls, and things slow down and Voice over IP quality drops out. It's perceived as an issue of not enough bandwidth, but in point of fact, there's almost always enough bandwidth -- it's really the behavior of how TCP/IP behaves when it's under congestion.
Fundamentally, FlowCommand is a new type of virtual edge appliance that rewrites the rules on how flows are processed -- how many flows can go through a given link, at a given time. But it also rewrites the rules for what the user expectation is going to be whenever [he or she goes] online, because you're going to get rid of stalled applications, and delays, and horrible voice quality and shaky video.
Why are we talking about flows, rather than packets?
Paine: The macro statement is: Flows are the future, and packets are the past. Packets have been dominant since the dawn of DARPA. And in unstressed conditions, the packets are fine. But it's sort of like skiing down a black diamond slope, just looking at your feet. It just goes router to router, hop to hop to hop to hop. You really have no idea where you're going; you have no idea what type of traffic it is. Should it be prioritized? Should it not be prioritized? Is it mission-critical; is it a nice-to-have? Those are all things that are opaque to the world of packets, for the most part.
So flows really give you a lot more information. You know what type of application it is, you know who the user is. You know geographically where the user is, geographically where the user is going. This is all a better way of trying to manage a lot of data through a network, rather than do it in the old, traditional, packet-only format.
Can you tell me what we're seeing when we look at the FlowCommand dashboard?
Paine: FlowCommand actually looks at over 40 specific data points, and it does that in real-time. Twenty times a second, FlowCommand looks at each individual flow, going through it for performance, for what kind of application it is, how that flow's been treated [and] its Quality of Service to this point. [FlowCommand] can actually adjust in real time, so that [each] flow goes through. We assign a guaranteed rate of performance and throughput for every single flow that's going through the process, that's going through inline.
Give me an example of where these capabilities might be used.
Paine: Let's say you've got a data exfiltration policy in your network that says, 'We know we don't want any data going to and from China, because we don't, in the normal course of events, have any real business interests in China.' But it could be that your chairman or one of your executives is at a conference somewhere in China, and needs to log into a video conference or a board meeting. You can actually explicitly say, 'Okay, for that user in China in this application, that will go through the network, but everything else stays.' So you have that discrete level of control of policies in your network. They can be global policies; they can be based by application; they can be security policies.
Do you consider FlowCommand a security appliance?
Paine: We're not a firewall, but we do security-type things. So firewalls have great [antivirus] databases where you're looking for specific viruses, but they do nothing to help you with distributed denial-of-service attacks. Well, that's the kind of thing that we do, because we look at TCP signature recognition. So in real time, we can see a DDoS attack probe -- we can see it developing. We can recognize things like Shellshock Bash, and shut that down before it even gets to a server inside the network.
What was the thinking behind making FlowCommand available on HP's SDN app store?
Paine: In part it was just to promote the fact that we think we can add increasing levels of visibility and discrete control in an SDN environment. We don't make a controller, right? We are just an app that works with that. If you look at the standard HP setup with their controller and switches, they were probably seeing a dozen data flows going on -- which they were actually managing. That's typical of SDN; SDN in and of itself isn't a particularly high-performance play. When we plugged [FlowCommand] into that environment, [we could see] "Oh, there aren't a dozen applications, a dozen flows. There are actually about 300 in this particular one." And we can now push all that information up, and make that visible to the SDN controller. So in part, it was to get the community, the ecosystem, aware of the fact that there's this new thing called Network Performance Enforcement, which is a new type of virtual appliance. And as it turns out, we've actually got some customers off of that. So it's been a win-win from our perspective, from that result alone.
Let's talk about your customers. Are they service providers, enterprises or both?
Paine: A little bit of both. We started the company thinking this was going to be a full-on, service provider type of solution, and then we realized that the benefits that we're bringing to the market are equally valid in the enterprise side.
Who are your enterprise customers?
Paine: We have a class of customer, on the enterprise side, that somewhat acts or looks like a service provider in and of themselves. In the hospitality arena, for example: [When] you check into a hotel, you want the Wi-Fi experience in your room to not be affected by the fact that some kid with an Xbox happens to have taken the room next to you, and is sucking all the bandwidth out of the Wi-Fi system, right? So we actually can guarantee that everybody gets exactly equal access to the network, no matter how many rooms, for example, are in there.
We have some customers today such as the Fort Bend County Libraries in Texas, where they get surges of activity. They get thousands of people going into these libraries, starting to stream videos, and do this and do that from within their network, and it just seizes up the network. Well, this allows them to see, for example, who are my top 25 applications? Who are my top 25 users? Where are they going? We're going to make sure everybody gets enough bandwidth [so] that their network doesn't crawl.