Upload File

security-as-a-service using sdn

16

Upload: open-networking-summits

Post on 18-Jul-2015

106 views

Category:

Technology


3 download

Report

Tags:

TRANSCRIPT

Page 1: Security-as-a-Service using SDN
http://opennetsummit.org/workshops/?utm_source=ONS&utm_medium=speakerdeck&utm_campaign=ONS2015
http://opennetsummit.org/conference/?utm_source=ONS&utm_medium=speakerdeck&utm_campaign=ONS2015
http://opennetsummit.org/webinars/?utm_source=ONS&utm_medium=speakerdeck&utm_campaign=ONS2015
http://archives.opennetsummit.org?utm_source=ONS&utm_medium=speakerdeck&utm_campaign=ONS2015
Page 2: Security-as-a-Service using SDN
http://opennetsummit.org/conference/?utm_source=ONS&utm_medium=speakerdeck&utm_campaign=ONS2015
http://twitter.com/opennetsummit
Page 3: Security-as-a-Service using SDN

1

Security-as-a-Service using SDN Experiences from building large-scale service chaining applications

Carl Moberg

VP Technology

[email protected]

@cmoberg

Page 4: Security-as-a-Service using SDN

2

Anatomy of a Service Chain

Technology Requirements

• OpenFlow for traffic steering

• Many vendors per service function

• Many protocols per service function

• Programmatic and human NB

Page 5: Security-as-a-Service using SDN

3

Anatomy of a Service Chain

Technology Requirements

• OpenFlow for traffic steering

• Many vendors per service function

• Many protocols per service function

• Programmatic and human NB API

Service Requirements

• Full lifecycle (add, change, delete)

• Stable and service oriented model

• Vendor independent model

• Including service application state

Page 6: Security-as-a-Service using SDN

4

Anatomy of a Service Chain

Scaling Requirements

• Thousands of customers

• Dozens of Regional POPs

• A few datacenters

• Tens of thousands of DC tenants

Page 7: Security-as-a-Service using SDN

5

Anatomy of a Service Chain

Scaling Requirements

• Thousands of customers

• Dozens of Regional POPs

• A few datacenters

• Tens of thousands of DC tenants

Potentially tens of thousands of flow

types to be provisioned in many places

Page 8: Security-as-a-Service using SDN

6

Focus!

Key Challenges

• Associate flows with specific L4-L7 service combinations

• Configure the L4-L7 services accordingly in each service chain

• Configure the traffic steering accordingly in each service chain

How to implement the traffic steering

(forwarding graph) in an individual

service chain is a relatively minor part of

the problem

Page 9: Security-as-a-Service using SDN

7

Tail-f NCS: Decomposing a Service

Self-service Portal

Tail-f NCS

ADC FW NAT DPI

ADC FW NAT DPI

ADC FW NAT DPI

ADC FW NAT DPI

ADC FW NAT DPI

ADC FW NAT DPI

Page 10: Security-as-a-Service using SDN

8

Tail-f NCS

Tail-f NCS: Decomposing a Service

Self-service Portal

REST

ADC FW NAT DPI

ADC FW NAT DPI

ADC FW NAT DPI

ADC FW NAT DPI

ADC FW NAT DPI

ADC FW NAT DPI

A provisioned security service…

Page 11: Security-as-a-Service using SDN

9

Tail-f NCS

Tail-f NCS: Decomposing a Service

Self-service Portal

REST

ADC FW NAT DPI

ADC FW NAT DPI

ADC FW NAT DPI

ADC FW NAT DPI

ADC FW NAT DPI

ADC FW NAT DPI

A provisioned security service…

…results in broad re-configurations throughout distributed service chains

OpenFlow, NETCONF, CLI, REST, SNMP, etc

Page 12: Security-as-a-Service using SDN

10

This is one Service Chain

Self-service Portal

Tail-f NCS

ADC FW NAT DPI

1. Service-oriented order comes in to create, update or delete a service chain

Page 13: Security-as-a-Service using SDN

11

This is one Service Chain

Self-service Portal

Tail-f NCS

ADC FW NAT DPI

1. Service-oriented order comes in to create, update or delete a service chain

2. Dynamically reconfigure the forwarding rules for the specific flow

Page 14: Security-as-a-Service using SDN

12

This is one Service Chain

Self-service Portal

Tail-f NCS

ADC FW NAT DPI

1. Service-oriented order comes in to create, update or delete a service chain

2. Dynamically reconfigure the forwarding rules for the specific flow

3. …and dynamically reconfigure the processing rules for the specific flow

Page 15: Security-as-a-Service using SDN

13

Tail-f NCS: Moving Parts

Network Engineer

Management Applications

A A Z

B

Service and Device Manager • Maintains models, versions • Upgrade, downgrade • Built on transactions

Network Element Drivers (NEDs) • Converts normalized changes into

protocol-specific ordered sets • It’s own lifecycle

OpenFlow Controller Cluster • OpenFlow 1.0, 1.3 • Distributed with integrated

application lifecycle management • Applications (flowlets) expose

NETCONF/YANG internally

Network-wide CLI, WebUI NETCONF, REST, Java

NETCONF, CLI, REST, SNMP, etc

OF-Wire (OF-CONFIG)

Network Element Drivers OpenFlow Controller

Cluster

Device Manager

Service Manager

Tail-f Network Control System Service Models

Device Models

Flowlets

Flowlets

Flowlets

Flowlet Models

Page 16: Security-as-a-Service using SDN

14

Come Visit our Booth


SDN Security - alcatron.net Live 2014 Melbourne/Cisco Live...SDN Security BRKSEC-2760 Alok Mittal Security Business Group, Cisco

SDN SECURITY EVALUATION FRAMEWORK

Strengthening SDN Security: Protocol Dialecting and

SDN-based Security Services using Interface to Network Security …cpslab.skku.edu/.../I2NSF-SDN-ICTC-2015.pdf · 2020. 6. 9. · SDN-based Security Services using Interface to Network

AUTOMATED NETWORK SECURITY WITH EXCEPTIONS USING SDN

SDN--based Security Services using I2NSFbased Security

Enhancing Network Security through Software Defined …nss.kaist.ac.kr/papers/SDNSok-ICCCN16.pdf · 2016-12-19 · security research, i.e., (i) enhancing security using SDN, and

SDN-IP Peering using BGP

Enforcing a network-wide security policy using SDN

Tech r03 Sdn Security v3

Nuage Networks: Using SDN to provide Security by Design by Christoph Torlinsky at DevSecCon 2015

SDN Security Architectures for Enterprise Networks01+27_1445+SDN...SDN Security Architectures for Enterprise Networks Ledian Xhani Betreuer: Cornelius Diekmann Seminar Innovative Internettechnologien

Bridging the Gap Between Security Tools and SDN ControllersSoftware-Defined Networking (SDN) is a promising paradigm to improve network security protections. However, current SDN-based

SDN Programming using Algorithmic Policies

Open SDN Controller Security - Cisco...Cisco Open SDN Controller 1.2 Administrator Guide 11 Open SDN Controller Security Configuring TLS Support on a Catalyst 4000 Series Switch. clock

Security Challenges and Opportunities in SDN/NFV … · Security Challenges and Opportunities in SDN/NFV Networks ... MGCF, 3G-MSC, MGW ) Mj Attacks via ... Security Challenges and

Outsmarting Network Security with SDN Teleportation

The Fortinet SDN Security Frameworki.crn.com/custom/Fortinet_LC/WP-SDN-Security-Framework...SDN Security defines a generalized security architecture framework that can be applied to

44CON & Ruxcon: SDN security

SDN Analytics & Security

A survey on emerging SDN and NFV security mechanisms for ... › publications › A_survey_on...to SDN and NFV paradigms. In [23], [24], [25], SDN-based security solutions are proposed

SDN-based Security Services using Interface to …iotlab.skku.edu/publications/international-conference/I2NSF-SDN...SDN-based Security Services using Interface to Network Security

SDN+NFV: Algorithmic and Security Challenges

Software Defined Networking (SDN) and Security€¦ · Software De˜ned Networking (SDN) and Security Software defined networking (SDN) offers several traits that are particularly

SDN - a new security paradigm?

The Fortinet SDN Security Framework - CRNi.crn.com/custom/Fortinet_LC/WP-SDN-Security-Framework...2 WHITE PAPER: THE FORTINET SDN SECURITY FRAMEWORK Introducing the SDN Security Framework

Security Foundation Requirements for SDN Controllers · This document proposes a set of fundamental security requirements for SDN controllers. The SDN controller is specified in Issue

SDN Security Considerations in the Data Center

SDN Security: Trust Models, Architecture Hardening and

SDN Security Challenges & Opportunitiespublish.illinois.edu/science-of-security-lablet/files/...2016/06/02  · SDN Security Challenges & Opportunities Anita Nikolich National Science

Scotch: Elastically Scaling up SDN Control-Plane using ...conferences2.sigcomm.org/co-next/2014/CoNEXT_papers/p403.pdf · Security issues in SDN have been studied and examined from

Open SDN Controller Security - Cisco

Secure Science DMZ using Event-Driven SDN Science DMZ using Event-Driven SDN ... Splunk as an SDN Application 8 ... Data Plane Elements Cisco Open SDN Controller

Explainable Security in SDN-Based IoT Networks

Software Defined Networking Security: Security for SDN and ...Security Issues in SDN •Why security issues? –SDN is not so mature yet –There could be some (or many) possible security