Security-as-a-Service using SDN

Post on 18-Jul-2015


Security-as-a-Service using SDN: Experiences from building large-scale service chaining applications

Carl Moberg

VP Technology

calle@tail-f.com

@cmoberg


Anatomy of a Service Chain

Technology Requirements

• OpenFlow for traffic steering

• Many vendors per service function

• Many protocols per service function

• Programmatic and human northbound (NB) API

Service Requirements

• Full lifecycle (add, change, delete)

• Stable and service oriented model

• Vendor independent model

• Including service application state


Anatomy of a Service Chain

Scaling Requirements

• Thousands of customers

• Dozens of Regional POPs

• A few datacenters

• Tens of thousands of DC tenants

Potentially tens of thousands of flow types to be provisioned in many places

Focus!

Key Challenges

• Associate flows with specific L4-L7 service combinations

• Configure the L4-L7 services accordingly in each service chain

• Configure the traffic steering accordingly in each service chain

How to implement the traffic steering (forwarding graph) in an individual service chain is a relatively minor part of the problem

Tail-f NCS: Decomposing a Service

[Diagram: a Self-service Portal sends orders over REST to Tail-f NCS, which drives six service chains, each made up of ADC, FW, NAT and DPI functions.]

A provisioned security service…

…results in broad re-configurations throughout distributed service chains (OpenFlow, NETCONF, CLI, REST, SNMP, etc)

This is one Service Chain

[Diagram: Self-service Portal → Tail-f NCS → one service chain of ADC, FW, NAT and DPI.]

1. Service-oriented order comes in to create, update or delete a service chain

2. Dynamically reconfigure the forwarding rules for the specific flow

3. …and dynamically reconfigure the processing rules for the specific flow
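The three steps above, together with the "Decomposing a Service" and "Key Challenges" slides, as an added example that is not Tail-f NCS code: a toy provisioner in Python that takes a service-oriented order (customer, flow match, ordered L4-L7 functions, per-function parameters), decomposes it into one OpenFlow steering entry per hop plus a processing rule per function, and applies create, update and delete as a diff against the customer's previously committed state, in one transaction with rollback if any device rejects a change. The switch port numbers, device names, config paths and the Driver stand-in for a Network Element Driver are all assumptions made for the example.

```python
"""Toy transactional service-chain provisioner (illustration only; not Tail-f NCS).

A service-oriented order is decomposed into device-level state: OpenFlow entries
that steer the flow hop by hop through the chain, plus processing rules on each
function. Create, update and delete are all a diff against the customer's previous
committed state, applied through per-device drivers as one transaction with
rollback. Switch ports, device names and config paths are assumed for the example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SF_PORTS = {"ADC": 1, "FW": 2, "NAT": 3, "DPI": 4}  # assumed switch port per function
INGRESS, EGRESS = 10, 20                              # assumed customer-facing ports

DesiredState = Dict[Tuple[str, str], str]             # (device, object path) -> config value


@dataclass
class ServiceOrder:
    customer: str
    flow: Dict[str, str]              # OpenFlow match fields for this customer's flow
    chain: List[str]                  # ordered service functions, e.g. ["FW", "NAT"]
    params: Dict[str, Dict[str, str]] = field(default_factory=dict)  # per-function rules


def decompose(order: ServiceOrder) -> DesiredState:
    """Service model -> vendor-neutral device state: one steering entry per hop
    (in_port = previous hop, output = next hop) plus each function's policy."""
    unknown = set(order.chain) - set(SF_PORTS)
    if unknown:
        raise ValueError(f"unknown service functions: {sorted(unknown)}")
    desired: DesiredState = {}
    match = ",".join(f"{k}={v}" for k, v in sorted(order.flow.items()))
    hops = [INGRESS] + [SF_PORTS[sf] for sf in order.chain] + [EGRESS]
    for i, (src, dst) in enumerate(zip(hops, hops[1:])):
        desired[("of-switch", f"flow/{order.customer}/hop{i}")] = (
            f"priority=100,in_port={src},{match},actions=output:{dst}")
    for sf in order.chain:
        for key, value in order.params.get(sf, {}).items():
            desired[(sf, f"policy/{order.customer}/{key}")] = value
    return desired


class Driver:
    """Stand-in for a Network Element Driver holding one device's running config.
    `fail_on` simulates the device rejecting a change at that path."""

    def __init__(self, name: str, fail_on: Optional[str] = None):
        self.name, self.fail_on, self.running = name, fail_on, {}

    def apply(self, path: str, value: Optional[str]) -> None:
        if path == self.fail_on:
            raise RuntimeError(f"{self.name} rejected {path}")
        if value is None:
            self.running.pop(path, None)      # delete
        else:
            self.running[path] = value        # add or change


class Provisioner:
    def __init__(self, drivers: Dict[str, Driver]):
        self.drivers = drivers
        self.services: Dict[str, DesiredState] = {}   # committed state per customer

    def commit(self, customer: str, order: Optional[ServiceOrder]) -> List[Tuple[str, str, Optional[str]]]:
        """Create (no prior state), update (diff against prior state) or delete
        (order=None) as one transaction: on any device error, undo every change
        already applied, in reverse order, and re-raise."""
        old = self.services.get(customer, {})
        new = decompose(order) if order else {}
        changes = [(dev, path, new.get((dev, path)))
                   for dev, path in sorted(old.keys() | new.keys())
                   if old.get((dev, path)) != new.get((dev, path))]
        applied = []
        try:
            for dev, path, value in changes:
                self.drivers[dev].apply(path, value)
                applied.append((dev, path, old.get((dev, path))))
        except Exception:
            for dev, path, previous in reversed(applied):
                self.drivers[dev].apply(path, previous)
            raise
        if new:
            self.services[customer] = new
        else:
            self.services.pop(customer, None)
        return changes


if __name__ == "__main__":
    drivers = {name: Driver(name) for name in ["of-switch", *SF_PORTS]}
    ncs = Provisioner(drivers)
    order = ServiceOrder("acme", {"nw_dst": "203.0.113.10"}, ["FW", "NAT"],
                         {"FW": {"default": "deny"}})
    for change in ncs.commit("acme", order):          # create: 3 hops + 1 policy
        print("create", change)
    order.chain = ["FW", "DPI"]                       # swap NAT for DPI
    for change in ncs.commit("acme", order):          # update: only the changed hops
        print("update", change)
    for change in ncs.commit("acme", None):           # delete: everything removed
        print("delete", change)
```

The point of keeping the committed desired state per customer is that the update and delete cases need no special code: an update touches only the hops whose in_port or output changed, and a delete is simply a diff against an empty target, which is what the "full lifecycle" requirement asks for. The rollback branch is what "built on transactions" buys you when one device in a chain refuses a change: the steering entries already pushed are withdrawn, so traffic is never steered to a function whose policy was not installed.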


Tail-f NCS: Moving Parts

[Diagram: Network Engineer and Management Applications sit above the Tail-f Network Control System (Service Manager, Device Manager, Service Models, Device Models); beneath it, Network Element Drivers and an OpenFlow Controller Cluster running Flowlets with their Flowlet Models reach the network devices.]

Northbound: Network-wide CLI, WebUI, NETCONF, REST, Java

Service and Device Manager

• Maintains models, versions

• Upgrade, downgrade

• Built on transactions

Network Element Drivers (NEDs)

• Converts normalized changes into protocol-specific ordered sets

• Its own lifecycle

• Southbound: NETCONF, CLI, REST, SNMP, etc

OpenFlow Controller Cluster

• OpenFlow 1.0, 1.3

• Distributed with integrated application lifecycle management

• Applications (flowlets) expose NETCONF/YANG internally

• Southbound: OF-Wire (OF-CONFIG)