SDN and Security
August 2013
Cristiano Monteiro, Solutions Architect at HP
@crmonteir
What is SDN?
Evolution of Server Architectures
Before: proprietary hardware running proprietary operating systems and proprietary applications.
After: standard Intel x86-based systems, standard operating systems (Linux, Windows, etc.) and applications written against standard interfaces and programming languages. Innovation!
Evolution of Network Architectures
Before: proprietary hardware, a proprietary OS, and features (routing, multicast, QoS, ...) integrated into that OS.
After: standard "programmable" systems with standard interfaces and control protocols, a centralized control plane, and network features delivered as applications through open interfaces and programming languages. Innovation!
… In the SDN architecture, the control and data planes are
decoupled, network intelligence and state are logically
centralized and the underlying network infrastructure is
abstracted from the applications …
Open Networking Foundation on SDN
Source: opennetworking.org
SDN Architecture
We need a new way to talk to the network
Today the "app guy" talks to the network and security teams in person, and they answer "Understood!!!". How are the app's requirements tied to the network level?
• Bandwidth resources
• Isolation
• Security, etc.
(Figure: APP on top of a Network Infrastructure Layer and a Security Infrastructure Layer.)
HP Delivers SDN to Achieve Agility
Ability to apply business logic to network behavior in a dynamic fashion.
SDN Architecture:
Application Layer: SDN applications and business applications; deliver open programmable interfaces to automate orchestration of network services. Cloud orchestration (e.g., OpenStack, CloudStack) sits here.
Control Layer: the SDN controller; open standards-based programmatic access to the infrastructure, exposed northbound through programmable open APIs (e.g., REST).
Infrastructure Layer: the network devices; separate control and data plane, and abstract the control plane of many devices to one. The controller programs the devices over the control/data plane programmable interface (e.g., OpenFlow).
OpenFlow (e.g. southbound interface)
Both fine- and coarse-grained flow control are possible. The controller installs entries in the switch's flow table; the switch matches packets against the rules and applies the actions (match rules and actions paired in the order shown on the slide):

Match rule                          | Action
TCP port 16384                      | Forward to IDS tunnel port
TCP port 80 from 01:23:45:67:89:ab  | Rate limit, forward normal
* (wildcard)                        | Forward normal
OpenStack Quantum, a.k.a. Neutron (e.g. northbound interface)
Application Example: SDN Traffic Engineering
(Figure: hosts A and B connected through switches 1 to 6; a TE application on the controller steers HTTP over path 1 and ICMP over path 2.)
Flow entries installed on the first switch:
Match src ip=A, dst ip=B, prot=TCP, dst port 80 → Action: in=port 1, out=port 3
Match src ip=A, dst ip=B, prot=ICMP → Action: in=port 1, out=port 2
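The two slides above show the same mechanism from two angles: a flow table with wildcards and priorities, and a TE application that installs per-protocol entries. The following is an added example, not code from the original deck or from HP, that models an OpenFlow 1.0-style flow table in Python: a missing match field is a wildcard, the highest-priority hit wins, and a table miss goes to the controller. Field names follow OpenFlow 1.0 match fields; the host addresses "A"/"B", the priorities, the action strings and the packet dicts are constructed for illustration.

```python
"""OpenFlow-style flow table: match fields with wildcards, highest priority wins.

Added example for the match/action slide and the TE slide; it is not code from
the original deck or from HP. Field names follow OpenFlow 1.0 match fields; the
host addresses "A"/"B", priorities, action strings and packets are constructed.
"""
from dataclasses import dataclass

IP_PROTO_ICMP = 1
IP_PROTO_TCP = 6


@dataclass
class FlowEntry:
    priority: int
    match: dict       # field -> required value; a field that is absent is a wildcard
    actions: list     # ordered action list; an empty list means "drop"
    packets: int = 0  # per-entry counter, like OpenFlow flow statistics

    def matches(self, pkt):
        return all(pkt.get(k) == v for k, v in self.match.items())


class FlowTable:
    def __init__(self):
        self.entries = []

    def add(self, priority, match, actions):
        self.entries.append(FlowEntry(priority, dict(match), list(actions)))
        # Highest priority first: the first hit wins, as in a TCAM lookup.
        self.entries.sort(key=lambda e: e.priority, reverse=True)

    def lookup(self, pkt):
        for entry in self.entries:
            if entry.matches(pkt):
                entry.packets += 1
                return entry.actions
        # Table miss: an OpenFlow 1.0 switch sends the packet to the controller
        # (packet-in). This is the data-plane path to the controller's CPU.
        return ["controller"]


def southbound_table():
    """The three entries of the OpenFlow slide, paired in slide order."""
    t = FlowTable()
    t.add(300, {"ip_proto": IP_PROTO_TCP, "tcp_dst": 16384}, ["output:ids_tunnel"])
    t.add(200, {"ip_proto": IP_PROTO_TCP, "tcp_dst": 80,
                "eth_src": "01:23:45:67:89:ab"}, ["meter:rate_limit", "normal"])
    t.add(0, {}, ["normal"])  # "*" wildcard: everything else is forwarded normally
    return t


def traffic_engineering_table():
    """Switch 1 of the TE example: HTTP A->B on path 1 (port 3), ICMP on path 2 (port 2)."""
    t = FlowTable()
    common = {"in_port": 1, "ip_src": "A", "ip_dst": "B"}
    t.add(100, {**common, "ip_proto": IP_PROTO_TCP, "tcp_dst": 80}, ["output:3"])
    t.add(100, {**common, "ip_proto": IP_PROTO_ICMP}, ["output:2"])
    return t


def tcp(src_mac, dst_port, **extra):
    """Constructed TCP packet header as the dict the table matches on."""
    return {"eth_src": src_mac, "ip_proto": IP_PROTO_TCP, "tcp_dst": dst_port, **extra}


if __name__ == "__main__":
    sb = southbound_table()
    print(sb.lookup(tcp("01:23:45:67:89:ab", 80)))  # rate-limited web traffic
    print(sb.lookup(tcp("aa:bb:cc:dd:ee:ff", 80)))  # same port, other host: normal
    te = traffic_engineering_table()
    print(te.lookup({"in_port": 1, "ip_src": "A", "ip_dst": "B", "ip_proto": IP_PROTO_ICMP}))
    print(te.lookup({**tcp("a", 22), "in_port": 1, "ip_src": "A", "ip_dst": "B"}))  # table miss
```

Two things the slide does not spell out show up when you run it: the rate-limit entry only fires for the one source MAC, so any other host gets plain forwarding for port 80, and the TE table has no wildcard entry, so SSH from A to B misses every rule and is punted to the controller. That table-miss path is what makes controller load a data-plane concern, which comes back in the drawbacks slide.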
SDN – Security Use Cases
DDoS Mitigation
Objective: even under attack the customer should stay online. The solutions that do that today are very expensive...
Detection: anomalous traffic, signatures, customer rings...
Reaction and mitigation: filters, destination filters to null.
"The right dose differentiates a poison from a remedy."
DDoS Mitigation – Case 1
• Sakura Internet case (http://www.sakura.ne.jp/)
• DDoS mitigation
• VoltDB for accurate src-dst detection
• dRTBH (destination-based remotely triggered black hole) with OpenFlow
DDoS Mitigation – Case 2
• sFlow-RT application to detect
• OpenFlow to mitigate
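Both cases follow the same loop: estimate per-destination rates from sampled flow records, then push a drop rule through OpenFlow. The following is an added example modelled on that loop; it is not Sakura Internet's, sFlow-RT's or HP's code. It also shows where OpenFlow improves on classic dRTBH: a BGP black hole can only match the destination prefix, which takes the customer offline, while a flow rule can be narrowed to the attack's protocol and port when that clearly dominates. The sample records, the sampling rate, the thresholds and the rule dictionary format are constructed assumptions.

```python
"""DDoS detection from sampled flow records, reaction with an OpenFlow drop rule.

Added example modelled on the two cases above (an sFlow-RT-style detector,
OpenFlow for mitigation); not Sakura Internet's, sFlow-RT's or HP's code.
Sample records, sampling rate, thresholds and rule format are constructed.
"""
from collections import Counter

SAMPLING_RATE = 1000     # assumed sFlow setting: one sample per 1000 packets
WINDOW_SECONDS = 10      # length of the observation window the samples cover
PPS_THRESHOLD = 300_000  # estimated packets/s to one destination that counts as an attack
DOMINANCE = 0.9          # share one (proto, port) must have before we filter it alone

IP_PROTO_TCP, IP_PROTO_UDP = 6, 17


def constructed_samples():
    """(src_ip, dst_ip, ip_proto, dst_port) tuples standing in for sFlow samples."""
    samples = []
    victim = "203.0.113.10"
    # 5800 samples of a UDP/53 flood from spoofed sources (~580,000 pps estimated)
    for i in range(5800):
        samples.append((f"198.51.100.{i % 250}", victim, IP_PROTO_UDP, 53))
    # 200 samples of legitimate HTTPS towards the same victim (~20,000 pps)
    for i in range(200):
        samples.append((f"192.0.2.{i % 250}", victim, IP_PROTO_TCP, 443))
    # 100 samples towards a quiet neighbour on the same prefix
    for i in range(100):
        samples.append((f"192.0.2.{i % 250}", "203.0.113.20", IP_PROTO_TCP, 443))
    return samples


def estimated_pps(samples, rate=SAMPLING_RATE, window=WINDOW_SECONDS):
    """Per-destination packets/s estimated from sample counts: n * rate / window."""
    counts = Counter(dst for _, dst, _, _ in samples)
    return {dst: n * rate / window for dst, n in counts.items()}


def detect_victims(samples, threshold=PPS_THRESHOLD):
    return sorted(dst for dst, pps in estimated_pps(samples).items() if pps > threshold)


def attack_signature(samples, victim):
    """Dominant (ip_proto, dst_port) towards the victim and its share of the victim's traffic."""
    sig = Counter((proto, dport) for _, dst, proto, dport in samples if dst == victim)
    (proto, dport), n = sig.most_common(1)[0]
    return proto, dport, n / sum(sig.values())


def mitigation_rule(samples, victim, dominance=DOMINANCE):
    """OpenFlow-style rule for the edge switch; an empty action list means drop.

    Classic destination RTBH blackholes every packet to the victim, which
    finishes the attacker's job. With OpenFlow the match is narrowed to the
    attack's protocol/port when it clearly dominates, so the customer stays
    online ("the right dose"). Otherwise we fall back to a full dRTBH match.
    """
    proto, dport, share = attack_signature(samples, victim)
    match = {"ip_dst": victim}
    if share >= dominance:
        match.update({"ip_proto": proto, "tp_dst": dport})
    return {"priority": 65000, "match": match, "actions": [],
            "hard_timeout": 300}  # rule ages out; the detector re-installs while the attack lasts


if __name__ == "__main__":
    samples = constructed_samples()
    for victim in detect_victims(samples):
        print(victim, mitigation_rule(samples, victim))
```

The hard timeout is the safety valve: a rule that never expires keeps dropping long after the flood has stopped, and nobody remembers to remove it. Estimates from sampled data are noisy, so the threshold should sit well above the destination's normal peak, and the detector should re-evaluate on each window rather than trigger on a single sample burst.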
SDN – NAC/MSM Concept
NAC today:
• 802.1X agent
• 802.1X supplicant
• 802.1X authenticator
A multivendor solution is almost impossible.
Conceptual SDN NAC app: switches and APs only need to support the SBI (e.g. OpenFlow). The SDN NAC app talks to RADIUS and places hosts that have not authenticated in quarantine.
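The concept above keeps the switch dumb: it forwards whatever flows the controller installs, and the NAC logic (ask RADIUS, quarantine or admit) lives in a controller application. The following is an added example of that logic, not HP's NAC application. RADIUS is simulated by a lookup table in the style of MAC authentication bypass, flow rules are plain dicts with OpenFlow-like fields, and the VLAN ids, port numbers and portal address are assumptions.

```python
"""SDN NAC concept: a new MAC on an edge port is quarantined until the RADIUS
server accepts it, then the controller swaps in full-access flows.

Added example for the NAC slide; it is not HP's NAC application. RADIUS is
simulated by a lookup table (MAC-authentication-bypass style), flow rules are
plain dicts with OpenFlow-like fields, and the VLAN ids, port numbers and the
portal address are constructed assumptions.
"""
IP_PROTO_UDP = 17
QUARANTINE_VLAN = 999
PORTAL_IP = "10.99.0.1"  # assumed captive portal / remediation server

# Simulated RADIUS backend: MAC -> (user, production VLAN). Constructed data.
RADIUS_DB = {
    "00:11:22:33:44:55": ("alice", 100),
    "66:77:88:99:aa:bb": ("printer-3f", 200),
}


def radius_authenticate(mac):
    """Stand-in for an Access-Request: VLAN on Access-Accept, None on Access-Reject."""
    entry = RADIUS_DB.get(mac)
    return entry[1] if entry else None


def quarantine_flows(dpid, port, mac):
    """Only DHCP, DNS and the portal are reachable; everything else from this MAC is dropped."""
    base = {"dpid": dpid, "in_port": port, "eth_src": mac}
    return [
        {**base, "priority": 300, "ip_proto": IP_PROTO_UDP, "udp_dst": 67, "actions": ["normal"]},
        {**base, "priority": 300, "ip_proto": IP_PROTO_UDP, "udp_dst": 53, "actions": ["normal"]},
        {**base, "priority": 300, "ip_dst": PORTAL_IP, "actions": ["normal"]},
        {**base, "priority": 100, "actions": []},  # drop: the default for a quarantined host
    ]


def access_flows(dpid, port, mac, vlan):
    """Tag the user's traffic into the VLAN RADIUS assigned and forward normally."""
    return [{"dpid": dpid, "in_port": port, "eth_src": mac, "priority": 200,
             "actions": [f"push_vlan:{vlan}", "normal"]}]


class NacApp:
    def __init__(self, authenticate=radius_authenticate):
        self.authenticate = authenticate
        self.state = {}  # mac -> "quarantine" | "authorized"
        self.flows = {}  # mac -> installed rules; removed on port down

    def host_seen(self, dpid, port, mac):
        """Packet-in from an unknown MAC: quarantine first, then ask RADIUS."""
        self.state[mac] = "quarantine"
        self.flows[mac] = quarantine_flows(dpid, port, mac)
        vlan = self.authenticate(mac)
        if vlan is not None:
            self.state[mac] = "authorized"
            self.flows[mac] = access_flows(dpid, port, mac, vlan)
        return self.state[mac]

    def port_down(self, mac):
        """Link loss revokes access: a new device on the same port must re-authenticate."""
        self.state.pop(mac, None)
        self.flows.pop(mac, None)


if __name__ == "__main__":
    nac = NacApp()
    print(nac.host_seen("sw-edge-1", 7, "00:11:22:33:44:55"))  # authorized
    print(nac.host_seen("sw-edge-1", 8, "de:ad:be:ef:00:01"))  # quarantine
```

Two checks matter here. The quarantine flows are installed before RADIUS is consulted, so a slow or unreachable RADIUS server leaves the host isolated rather than open; and port-down clears state, so the next device on that port does not inherit an earlier authorization. A MAC-keyed table is the weak point of this simulation: MACs are trivially spoofed, so a real deployment keeps the 802.1X/EAP exchange and only feeds its result to the controller app.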
Reputation Services
(Figure: core, distribution and edge layers, with IPS/IDS and a reputation service feeding an SDN application.)
IPS/IDS with SDN application:
• Reputation (pingserver.info) → malware
• Alert administrator
SDN Impact on Security Architecture
Scale up: the limit will be reached someday, and the box is a single point of failure. Redundancy helps, but what about the flow table?
Scale out with an external device: who will balance the load balancer?
SDN Impact on Security Architecture
• The network will execute basic filtering.
• The controller combined with a security app can centralize the flow table.
• The NBI interface will allow new applications to come out.
• Complex tasks (e.g. DPI) can be performed by a separate "service plane".
• Cloud security can use SDN to scale out.
SDN and Security: a lot of opportunities...
(Figure: core, access, cloud, DC, enterprise, branches and Internet, with DC security.)
SDN Drawbacks
What happens if a bad guy takes control of the controller?
A. Well, you are in trouble, but what happens today if the same bad guy takes control of a border router in a service provider environment?
What happens if a bad guy tries to DoS the controller?
A. Well, the bad guy would need access to the management network, and you were already in trouble before the DoS.
One caveat: the management network protects the controller's API, but data-plane packets that miss every flow entry are also sent to the controller (OpenFlow packet-in), so a flood of never-before-seen flows can load the controller without any management-network access. A low-priority default rule, or rate limiting of packet-in on the switch, closes that path.
There are a lot of drawbacks; likewise, if you look for problems in the traditional architectures you also find a lot.
Summary
SDN unlocks constrained networks, accelerates innovation and drives value out of networks.
SDN provides abstraction of complexity:
- Lower cost of administration
- Reduce automation risk and difficulty
Network simplification drives adoption.
SDN enhances and enables network services:
- Extend life and improve performance of "middle boxes"
- Reduce TCO of basic services
- Improve business QoE through integration of apps and networks
Network innovation drives advantage.
Q&A
Thank you