tech r03 sdn security v3
TRANSCRIPT
-
7/24/2019 Tech r03 Sdn Security v3
1/41
SESSION ID: TECH0R03
Robert M. HindenCheck Point FellowCheck Point Software
SDN AND SECURITY:
Why Take Over the Hosts WhenYou Can Take Over the Network
-
7/24/2019 Tech r03 Sdn Security v3
2/41
What are the SDN Security Challenges?
Vulnerability of Central Control
Trust Model Changes
Virtualization of Network Topology
IT Organizational Changes
2
-
7/24/2019 Tech r03 Sdn Security v3
3/41
3
Presentation Outline
Software Defined Networks Overview
SDN Hype and Production Deployments
SDN Security Challenges
SDN Security Solutions
Q & A
-
7/24/2019 Tech r03 Sdn Security v3
4/41
Software Defined
Overview
-
7/24/2019 Tech r03 Sdn Security v3
5/41
SDN Basic Idea
Separation of Network Control and Data Planes Well-defined vendor-independent OpenFlow API between the tw
Operation of the network is defined in software ouof the forwarding path
a.k.a. Software Defined Network
Centralized Network Control on standard servers
5
-
7/24/2019 Tech r03 Sdn Security v3
6/41
Motivation for SDN
Creation of high-level network policies Move away from current management approaches like SNMP/C
Apply policies uniformly across Routers, Switches, Optical, Virtuetc.
Mix and match of vendors Packet Forwarding and Control planes
Hardware and Software
6
-
7/24/2019 Tech r03 Sdn Security v3
7/41
AppAppAppAppAppApp
Specialized
Operating
System
Specialized
Hardware
Specialized
Appl ications
Micropro
Open Int
LinWindows
(OS)
Open In
Mainframes to PCs
7[ Credit: Nick McKeown Making SDNs Work ]
-
7/24/2019 Tech r03 Sdn Security v3
8/41
Switches/Routers to SDN
8[ Credit: Nick McKeown Making SDNs Work ]
Specialized
Control
Plane
Specialized
Hardware
Specialized
Features
AppAppAppAppAppApp
Contro
Plane
Control
Plane
Open In
Open Int
MerchSwitching
-
7/24/2019 Tech r03 Sdn Security v3
9/41
SDN Architecture
9
Controller
Applications ApplicationsApplications
Control
Plane
DataPlane
Northbound API
Southbound API (OpenFlow)
Switch
SwitchSwitch
Switch
Switch Switch
HostHost
HostHostHost
-
7/24/2019 Tech r03 Sdn Security v3
10/41
Components
10
Application Programs Implement network specific policy
Controller Provides high-level view of Network to control programs
Deploy policy to Routers/Switches via OpenFlow
Routers/Switches Controlled by state injected by Controller
Cont
AppliApplications
ControlPlane
DataPlane
Switch
Switch
Switch HostHost
-
7/24/2019 Tech r03 Sdn Security v3
11/41
How It Works
Controller presents logical map of network toApplication Programs
Switches/Routers are Flow based Process known flows autonomously
If new flow arrives, ask Controller what to do
Controller installs new flow state in Switch/Router
Flow state consist of pairs
Controller pushes state to Switch/Routerwith OpenFlow
11
-
7/24/2019 Tech r03 Sdn Security v3
12/41
Controller
Switch
SwitchSwitch
Switch
Switch Switch
Applications ApplicationsApplications
Control
Plane
DataPlane
Northbound API
Southbound API (OpenFlow)
SDN Architecture
12
-
7/24/2019 Tech r03 Sdn Security v3
13/41
Flow Table Entry (OpenFlow 1.0)
MATCH ACTION STATS
Switch
Port
MAC
src
MAC
dst
Ethr
Type
VLAN
ID
IP
Src
IP
Dst
IP
Prot S
1. Forward packet to switch port(s)
2. Encapsulate and forward to controller
3. Drop packet4. Send to normal processing pipeline
Packet and byte counters
13
-
7/24/2019 Tech r03 Sdn Security v3
14/41
Lots of Activity
14
ONRRESEA
-
7/24/2019 Tech r03 Sdn Security v3
15/41
Impact to Current Networking
Utilizes most existing protocols
IPv4/IPv6, TCP/UDP, Ethernet, VLANS, etc.
Hosts dont change
Routing Protocols run in the Controller
Big change to management and configuration Centralized vs. current distributed
This is an incremental solution not a clean sla
15
-
7/24/2019 Tech r03 Sdn Security v3
16/41
Production SDDeployments
-
7/24/2019 Tech r03 Sdn Security v3
17/41
http://www.wired.com/wiredenterprise/2012/04/going-with-the-flow-google/all/117
Google OpenFlow Network
OpenFlow SDN in Googles worldwide internalInter-Data Center Network
Centralized traffic engineering service
Google built their own network switches using merchant silicoand Open Source routing software
Rumors that Facebook, Microsoft, etc. are looking at similarSDN traffic engineering deployments
http://www.wired.com/wiredenterprise/2012/04/going-with-the-flow-google/all/1http://www.wired.com/wiredenterprise/2012/04/going-with-the-flow-google/all/1http://www.wired.com/wiredenterprise/2012/04/going-with-the-flow-google/all/1 -
7/24/2019 Tech r03 Sdn Security v3
18/41
Other SDN Production Deployments
Data Center deployments using Nicira/VMware
Data Center / Virtualization is a very active SDN Network virtualization doesn't require SDN, but can be
There are many University / Research SDN Pro NSF is providing a lot of funding
18
-
7/24/2019 Tech r03 Sdn Security v3
19/41
SDN Hype
-
7/24/2019 Tech r03 Sdn Security v3
20/41
The Hype
20
SDN is emerging as one of the most promising and disruptive ne
technologies of recent years. It has the potential to enable netwinnovation and create choice, and thus help realize new capabili
and address persistent problems with networking. It also promis
give network operators more control of their infrastructure, allo
customization and optimization, therefore reducing overall capit
and operational costs.
Open Networking Summit, April 2012
-
7/24/2019 Tech r03 Sdn Security v3
21/41
SDN Hype
SDN is a threat to many vendors business mode
Many large vendors are describing SDN like solutionsthat will lock in customer
Proposing very complex proprietary solutions
Vendors are using SDN to describe any legacy p
that use software to control hardware
21
-
7/24/2019 Tech r03 Sdn Security v3
22/41
SDN Adoption
22
Enlightenment
Disillusionment
E
XPECTATIO
N
TIME
Technology
Trigger
Inflated Expectation
-
7/24/2019 Tech r03 Sdn Security v3
23/41
SDN Issues / Challenges
Scaling properties uncertain
Flow entries could get very, very large Flows supported by switches is still limited
Outages / Bugs Unclear how well it deals with network outages that require rerou
How do you debug software and hardware problems?
Security (the rest of the talk)
23
-
7/24/2019 Tech r03 Sdn Security v3
24/41
SDN SecurityChallenges
Vulnerability of CentralAppliApplications
-
7/24/2019 Tech r03 Sdn Security v3
25/41
Vulnerability of CentralControl
SDN Applications and Controller
have complete control of the network Controllers/Applications are built on
general purpose computing platforms
We all know all about the vulnerabilities of these platforms
If Controller or Application is compromised, the whole Netwcompromised
25
Why Take Over the Hosts When You Can Take Over the
Cont
ControlPlane
DataPlane
Switch
Switch
Switch HostHost
-
7/24/2019 Tech r03 Sdn Security v3
26/41
Effects of SDN Controller Compromise
Route flows around security
devices
Controller subverts new flows
Send traffic to compromised nodes
Man in the Middle attacks
Modify content
Insert malware
Monitor traffic
Subvert DNS response
26
-
7/24/2019 Tech r03 Sdn Security v3
27/41
Was SDN Designed for the NSA?
27
Central control makes it easyto control the whole network
SDN makes it very easy to
control where traffic flows
-
7/24/2019 Tech r03 Sdn Security v3
28/41
Current Security Model
28
Security policy enforced by physically forctraffic to f low through Security Devices
SwitchSwitch
Switch Switch
HostHost
HostHost
INTERNETSwitch
-
7/24/2019 Tech r03 Sdn Security v3
29/41
SDN Changes Security Model
29
Flow Rules control when or if traffic goes through Secu
Network Topology is now virtual
Sw
SwitchSwitch
Switch
Switch
HostHost
HostHost
Controller
Ho
INTERNET
-
7/24/2019 Tech r03 Sdn Security v3
30/41
SDNChanges the Trust Model
30
Security cannot be enforced by
physical topology
Requires complete Trust inSDN Applications and Controller
We dont understand the consequences
-
7/24/2019 Tech r03 Sdn Security v3
31/41
SDN Changes Organization Model
Today most IT organizations have a Network Group
Security Group
SDN requires a great deal of cooperationbetween these groups
All network staff will be responsiblefor Security Policy
31
-
7/24/2019 Tech r03 Sdn Security v3
32/41
SDN SecuritySolutions
It N t All B d
-
7/24/2019 Tech r03 Sdn Security v3
33/41
Its Not All Bad
Uniform SDN Security Policy
Security Everywhere
Control Security Treatment Traffic Receives
Isolate Compromised Hosts
33
U if SDN S it P li
-
7/24/2019 Tech r03 Sdn Security v3
34/41
Uniform SDN Security Policy
Security Application
Couple Security Policy to
SDN policy/rules andvalidate SDN flows against
the security policy
Ensure that Security Policyis implemented for all traffic
Maintain regulatory andcompliance requirements
34
SwitchSwitch
Switch
Switch Switch
Controller
Applications Applications
S it E h
-
7/24/2019 Tech r03 Sdn Security v3
35/41
Security Everywhere
All Routers and Switcheshave Security capabilities
Security Application can takeadvantage of this and push
rules to all network devices
35
Security Application
SwitchSwitch
Switch
Switch Switch
Controller
Applications Applications
C t l S it T t t T ffi R i
-
7/24/2019 Tech r03 Sdn Security v3
36/41
Control Security Treatment Traffic Receives
Range of Security
Control
Full Firewall
ACL style filtering
No filtering
36
SwitchSwitch
Switch
Switch
Controller
Applications Applications
I l t C i d H t
-
7/24/2019 Tech r03 Sdn Security v3
37/41
Isolate Compromised Hosts
Once compromisedhost is detected
Host can be isolated
37
SwitchSwitch
Switch
Switch
HostHost
Host
Host
Controller
-
7/24/2019 Tech r03 Sdn Security v3
38/41
Summa
Summary
-
7/24/2019 Tech r03 Sdn Security v3
39/41
Summary
SDN has a lot of promise
Many of its capabilities are very powerful
SDN Security issues are real for many organizations
Another case of build it and worry about Security later?
We will all need to get beyond the hype phase to see whand achievable
39
-
7/24/2019 Tech r03 Sdn Security v3
40/41
Q & A
-
7/24/2019 Tech r03 Sdn Security v3
41/41
Thank Y