tech r03 sdn security v3

7/24/2019 Tech r03 Sdn Security v3

1/41

SESSION ID: TECH0R03

Robert M. HindenCheck Point FellowCheck Point Software

SDN AND SECURITY:

Why Take Over the Hosts WhenYou Can Take Over the Network


2/41

What are the SDN Security Challenges?

Vulnerability of Central Control

Trust Model Changes

Virtualization of Network Topology

IT Organizational Changes

2


3/41

3

Presentation Outline

Software Defined Networks Overview

SDN Hype and Production Deployments

SDN Security Challenges

SDN Security Solutions

Q & A


4/41

Software Defined

Overview


5/41

SDN Basic Idea

Separation of Network Control and Data Planes Well-defined vendor-independent OpenFlow API between the tw

Operation of the network is defined in software ouof the forwarding path

a.k.a. Software Defined Network

Centralized Network Control on standard servers

5


6/41

Motivation for SDN

Creation of high-level network policies Move away from current management approaches like SNMP/C

Apply policies uniformly across Routers, Switches, Optical, Virtuetc.

Mix and match of vendors Packet Forwarding and Control planes

Hardware and Software

6


7/41

AppAppAppAppAppApp

Specialized

Operating

System

Specialized

Hardware

Specialized

Appl ications

Micropro

Open Int

LinWindows

(OS)

Open In

Mainframes to PCs

7[ Credit: Nick McKeown Making SDNs Work ]


8/41

Switches/Routers to SDN

8[ Credit: Nick McKeown Making SDNs Work ]

Specialized

Control

Plane

Specialized

Hardware

Specialized

Features

AppAppAppAppAppApp

Contro

Plane

Control

Plane

Open In

Open Int

MerchSwitching


9/41

SDN Architecture

9

Controller

Applications ApplicationsApplications

Control

Plane

DataPlane

Northbound API

Southbound API (OpenFlow)

Switch

SwitchSwitch

Switch

Switch Switch

HostHost

HostHostHost


10/41

Components

10

Application Programs Implement network specific policy

Controller Provides high-level view of Network to control programs

Deploy policy to Routers/Switches via OpenFlow

Routers/Switches Controlled by state injected by Controller

Cont

AppliApplications

ControlPlane

DataPlane

Switch

Switch

Switch HostHost


11/41

How It Works

Controller presents logical map of network toApplication Programs

Switches/Routers are Flow based Process known flows autonomously

If new flow arrives, ask Controller what to do

Controller installs new flow state in Switch/Router

Flow state consist of pairs

Controller pushes state to Switch/Routerwith OpenFlow

11


12/41

Controller

Switch

SwitchSwitch

Switch

Switch Switch

Applications ApplicationsApplications

Control

Plane

DataPlane

Northbound API

Southbound API (OpenFlow)

SDN Architecture

12


13/41

Flow Table Entry (OpenFlow 1.0)

MATCH ACTION STATS

Switch

Port

MAC

src

MAC

dst

Ethr

Type

VLAN

ID

IP

Src

IP

Dst

IP

Prot S

1. Forward packet to switch port(s)

2. Encapsulate and forward to controller

3. Drop packet4. Send to normal processing pipeline

Packet and byte counters

13


14/41

Lots of Activity

14

ONRRESEA


15/41

Impact to Current Networking

Utilizes most existing protocols

IPv4/IPv6, TCP/UDP, Ethernet, VLANS, etc.

Hosts dont change

Routing Protocols run in the Controller

Big change to management and configuration Centralized vs. current distributed

This is an incremental solution not a clean sla

15


16/41

Production SDDeployments


17/41

http://www.wired.com/wiredenterprise/2012/04/going-with-the-flow-google/all/117

Google OpenFlow Network

OpenFlow SDN in Googles worldwide internalInter-Data Center Network

Centralized traffic engineering service

Google built their own network switches using merchant silicoand Open Source routing software

Rumors that Facebook, Microsoft, etc. are looking at similarSDN traffic engineering deployments
http://www.wired.com/wiredenterprise/2012/04/going-with-the-flow-google/all/1http://www.wired.com/wiredenterprise/2012/04/going-with-the-flow-google/all/1http://www.wired.com/wiredenterprise/2012/04/going-with-the-flow-google/all/1


18/41

Other SDN Production Deployments

Data Center deployments using Nicira/VMware

Data Center / Virtualization is a very active SDN Network virtualization doesn't require SDN, but can be

There are many University / Research SDN Pro NSF is providing a lot of funding

18


19/41

SDN Hype


20/41

The Hype

20

SDN is emerging as one of the most promising and disruptive ne

technologies of recent years. It has the potential to enable netwinnovation and create choice, and thus help realize new capabili

and address persistent problems with networking. It also promis

give network operators more control of their infrastructure, allo

customization and optimization, therefore reducing overall capit

and operational costs.

Open Networking Summit, April 2012


21/41

SDN Hype

SDN is a threat to many vendors business mode

Many large vendors are describing SDN like solutionsthat will lock in customer

Proposing very complex proprietary solutions

Vendors are using SDN to describe any legacy p

that use software to control hardware

21


22/41

SDN Adoption

22

Enlightenment

Disillusionment

E

XPECTATIO

N

TIME

Technology

Trigger

Inflated Expectation


23/41

SDN Issues / Challenges

Scaling properties uncertain

Flow entries could get very, very large Flows supported by switches is still limited

Outages / Bugs Unclear how well it deals with network outages that require rerou

How do you debug software and hardware problems?

Security (the rest of the talk)

23


24/41

SDN SecurityChallenges

Vulnerability of CentralAppliApplications


25/41

Vulnerability of CentralControl

SDN Applications and Controller

have complete control of the network Controllers/Applications are built on

general purpose computing platforms

We all know all about the vulnerabilities of these platforms

If Controller or Application is compromised, the whole Netwcompromised

25

Why Take Over the Hosts When You Can Take Over the

Cont

ControlPlane

DataPlane

Switch

Switch

Switch HostHost


26/41

Effects of SDN Controller Compromise

Route flows around security

devices

Controller subverts new flows

Send traffic to compromised nodes

Man in the Middle attacks

Modify content

Insert malware

Monitor traffic

Subvert DNS response

26


27/41

Was SDN Designed for the NSA?

27

Central control makes it easyto control the whole network

SDN makes it very easy to

control where traffic flows


28/41

Current Security Model

28

Security policy enforced by physically forctraffic to f low through Security Devices

SwitchSwitch

Switch Switch

HostHost

HostHost

INTERNETSwitch


29/41

SDN Changes Security Model

29

Flow Rules control when or if traffic goes through Secu

Network Topology is now virtual

Sw

SwitchSwitch

Switch

Switch

HostHost

HostHost

Controller

Ho

INTERNET


30/41

SDNChanges the Trust Model

30

Security cannot be enforced by

physical topology

Requires complete Trust inSDN Applications and Controller

We dont understand the consequences


31/41

SDN Changes Organization Model

Today most IT organizations have a Network Group

Security Group

SDN requires a great deal of cooperationbetween these groups

All network staff will be responsiblefor Security Policy

31


32/41

SDN SecuritySolutions

It N t All B d


33/41

Its Not All Bad

Uniform SDN Security Policy

Security Everywhere

Control Security Treatment Traffic Receives

Isolate Compromised Hosts

33

U if SDN S it P li


34/41

Uniform SDN Security Policy

Security Application

Couple Security Policy to

SDN policy/rules andvalidate SDN flows against

the security policy

Ensure that Security Policyis implemented for all traffic

Maintain regulatory andcompliance requirements

34

SwitchSwitch

Switch

Switch Switch

Controller

Applications Applications

S it E h


35/41

Security Everywhere

All Routers and Switcheshave Security capabilities

Security Application can takeadvantage of this and push

rules to all network devices

35

Security Application

SwitchSwitch

Switch

Switch Switch

Controller


C t l S it T t t T ffi R i


36/41

Control Security Treatment Traffic Receives

Range of Security

Control

Full Firewall

ACL style filtering

No filtering

36

SwitchSwitch

Switch

Switch

Controller


I l t C i d H t


37/41

Isolate Compromised Hosts

Once compromisedhost is detected

Host can be isolated

37

SwitchSwitch

Switch

Switch

HostHost

Host

Host

Controller


38/41

Summa

Summary


39/41

Summary

SDN has a lot of promise

Many of its capabilities are very powerful

SDN Security issues are real for many organizations

Another case of build it and worry about Security later?

We will all need to get beyond the hype phase to see whand achievable

39


40/41

Q & A


41/41

Thank Y

tech r03 sdn security v3

Documents