Security, Resiliency and Other Challenges

Erik LinaskGroup Editorial DirectorTMCelinask@tmcnet.comTwitter: @elinaskwww.nfvzone.com / www.sdnzone.com

Security, scalability, resiliency = Traditional Deterrents

Now, we are telling telcos they need to virtualize and “cloudify”

Security, Resiliency and Other Challenges

Glen GerhardVP, Product ManagementSansay

Nabil DamounySr. Director, Strategic MarketingNetronome

Security Concerns• Very similar unless using a cloud infrastructure

DEDICATED VM CLOUD NETWORK

Protected

Public

ISP

Resiliency Concerns

• VM can be made HA and fault tolerant– Easier and cheaper than h/w based systems– Cloud can be even more dynamic, normally not HA

INX

ROME

INX

MSX

INX INX

Route Management Plane

Session ProcessingPlane

Media Handling Plane

Master-Slave ROME

MSX MSX MSX

Resilency

• Geographic redundancy easy with both

NETWORKLICENSE

ZONE

CACLoad

Zone 1

CACLoad

Zone 2

CACLoad

Zone 3

PCI Compliance

• Very tightly controlled architecture• Cloud support possible with hybrid systems

Security & Resiliency in SDN & NFV

Nabil Damouny Sr. Director, Strategic Marketing, Netronome

Vice Chair, Market Education Committee, ONFEditor, Compute Domain, ETSI NFVnabil.damouny@netronome.com

Agenda

• Netronome … Intro• Network security services• Deploying L4-L7 services in SDN-OpenFlow• Inserting L7 intelligence in the data path• ETSI NFV – complementary to SDN• Faults & resiliency in NFV• Summary

Santa Clara

Pittsburgh

Boston

Cambridge

Johannesburg

Shenzhen

Beijing Tokyo

Company• Fabless semiconductor company Best-in-class flow processors Designed for 10/40/400G

communications designs

Product and Markets Leader in SDN-OpenFlow Leader in NFV … COTS architecture Cybersecurity Sole licensee of Intel IXP Processor IP

Intel 22nm tri-gate process 100+ Patents Worldwide Headquarters

Research and development center

Regional sales and support center

• L2-L4 forwarding– Switching– Routing– Packet forwarding– OpenFlow– Architectures optimized

to process individual packets

• L4-L7 services– Security– Load balancing– WAN optimization– Architectures optimized

to process flows and content

What Are Layer 4 through 7 Services?

Categorized by depth of Layer

4 through 7 inspection

• OpenFlow switchNo Flow Inspection

• Load balancer• Next-generation firewall• WAN optimization• Web application firewall

Partial Flow Inspection

• Test and measurement• Policing and metering• Quality of Service (QoS)• Traffic analysis

Flow Monitoring

• Anti-virus / anti-spam• Intrusion prevention system (IPS)• SSL inspection• VPN

Full Flow Inspection

13

There are 4 service categories with specific processing requirements

Suggested Deployment Models

Application LayerApplications

Control Layer

Network ControllerSDN Control Software

Infrastructure Layer

Network Device

Network Device Network Device

Layer 4-7 Services 1

3Intelligent Switch with Layer 4-7

Layer 4 through 7 Appliance2

1. Running as applications on the controller• Controller programs SDN

switch on per-flow basis Northbound APIs

Southbound API

2. Standalone network appliance• Traffic directed to appliance

either based on static policy or dynamically driven by controller

• Legacy or OF-enabled

3. Full Layer 4-7 network services running on intelligent switch• Intelligent switch becomes

L2-L7 device

14

Different deployment models to best fit service requirements, including performance and latency.

Use Case: Advanced Traffic Analysis …Embedded DPI feeds network intelligence to services on L7 device

Application flows forwarded directly to specialized service processing• Requires L4-L7 intelligence embedded directly in switches

Application Layer Applications

Control Layer

SDN Control Software

Infrastructure Layer

Network Device

Network Device Layer 4-7 Network Device

Layer 7 Network Service Device

Northbound APIs

Southbound API

Network Services

Layer 7 Network Service Device

VoIP

P2P

Video

Email

Web

Data Plane Traffic

Layer 4-7: Protocol and Application

Identification

IM

Other

Traffic Steering

Video Optimization

QoS / QoE

Analytics

GGSN

Content Filtering

15

SDN Data center … Intelligence is at the Edge

SDN Gateway• Interconnect new virtualized

networks and legacy• Focus on Gateway for Multi-tenant

Data Center -to- MPLS WAN

NFV Appliance• Open, programmable host for

virtual applications• Focus on ETSI NFV Use Cases:

– Two out of 9 pre-defined use cases• Use Case #5 - VNF as a service• Use Case #6 – Service Chaining

Examples of types of Faults

17

VNF1

Hypervisor

X86-1

VM1 VM2

Hypervisor

X86-2

VM1 VM2

Physical Network Infrastructure

Less severe impact

More severe impact

• Failure of the VNF– Application Crash, Overload condition– Tolerable if clustered topology, Service degradation

(SD) possible

• Failure of the VM– OS Crash, Resource exhaustion– Tolerable in clustered topology, SD possible

• Failure of the Hypervisor– Tolerable in clustered topology, SD

• Failure of the server– OS Crash, Resource exhaustion

– Tolerable in clustered topology, SD Possible

• Failure in the physical Infrastructure– Device power cycle/crash, Loss of Connectivity– Tolerable if infra is HA capable

VM1-OS VM2-OS VM3-OS VM4-OS

CPU

Mem

Disc

I/O

CPU

Mem

Disc

I/O

CPU

Mem

Disc

I/O

CPU

Mem

Disc

I/O

CPU

Mem

Disc

I/O

CPU

Mem

Disc

I/O

SDN-aware NFV security platforms

• Netronome offerings– Flow processors scaling to 200Gbps– FlowNICs for acceleration of standard servers– Production-ready reference platforms

SDN-aware security platforms• Features and benefits

– 216 programmable processing cores– 4 x PCIe Gen 3 to connect to x86 sockets

• 200Gbps+ throughout to standard servers

– Support >500 BIPS per 2U to apply to workloads in NFV environments • Support for high-touch security applications

– Fully SDN capable• Support for OpenFlow 1.3

– Carrier grade resiliency in COTS server architecture platforms• Numerous high-availability options

– Integrated fail-to wire– Active-passive and active-active HA modes of operationNetronome’s FlowNICs and reference platforms are ideal to solve the

security and resiliency challenges facing SDN and NFV

Looking Ahead• What are some of the obstacles for a Telco to work with ISV's in

the security area?

• How can a Telco achieve the traditional 5 9's reliability? How about high availability?

• Is it easier and less costly to design for redundancy, in NFV & SDN?

• How about Federation and the need for interoperability between carriers?

• What is the role of cloud orchestration in security & resiliency?

BACKUP

ETSI ISG NFV Structure• ISG E-E Documents (Ratified)

1. Architecture Framework2. Use Cases (9 total)3. (Business) Requirements4. Terminology

• Technical Working Groups 1. Infrastructure (INF)2. Software Architecture (SWA)3. Management & Orchestration

(MANO)4. Reliability & Availability (REL)– Performance Expert Group (PER)– Security Expert Group (SEC) SDN & NFV are complementary &

synergistic.

Source: ETSI ISG NFV

Topologies for hosting Network Functions in VMs

• Single instance topology– VNF deployed on a

single virtual machine. • Clustered or Composite

Topology– Consists of multiple VNF

Components (VNFCs)• L2/L3 connectivity

between VNF instances when multiple physical servers hosting same VNF.

Simple vs. Clustered VNFs

23

x86

VNF1 Hypervisor

x86

VM1 VM2

VNF1 VNF2

Hypervisor

x86

VM1 VM2

VNFC1

Hypervisor

x86

VM1 VM2

VNF1 VNF3VNF2

Hypervisor

X86-1

VM1 VM2

Hypervisor

X86-2

VM1 VM2

1 2 3

4 5

NFV Deployment Examples

VNFC2 VNFC1 VNFC2 VNFC3 VNFC4