SDN and Security August 2013 Cristiano Monteiro, Solutions Architect at HP [email protected] @crmonteir

Page 1: Sdn&security

SDN and Security

August 2013

Cristiano Monteiro, Solutions Architect at HP

[email protected]

@crmonteir

Page 2: Sdn&security

What is SDN ?

Page 3: Sdn&security

Evolution of Server Architectures

From: Proprietary Hardware / Proprietary Operating Systems / Proprietary Applications

To: Standard Intel x86-based systems / Standard Operating Systems (Linux, Windows, etc) / Apps (App, App, App …) on standard interfaces and programming languages

Innovation!

Page 4: Sdn&security

Evolution of Network Architectures

From: Proprietary Hardware / Proprietary OS / OS-Integrated Features (Routing, MCast, QoS …)

To: Standard “programmable” systems / Standard interfaces and control protocols / Open interfaces and programming languages / Network features (applications) / Centralized Control Plane

Innovation!

Page 5: Sdn&security

“… In the SDN architecture, the control and data planes are decoupled, network intelligence and state are logically centralized and the underlying network infrastructure is abstracted from the applications …”

Open Networking Foundation on SDN

Source: opennetworking.org

Page 6: Sdn&security

SDN Architecture

Page 7: Sdn&security

We need a new way to talk to the network

Diagram: APP / Network Infrastructure Layer / Security Infrastructure Layer

How are the app's requirements tied to the network level?

• Bandwidth Resources

• Isolation

• Security etc.

Understood!!!

The App Guy talks to the Net and Security Teams.

Page 8: Sdn&security

HP Delivers SDN to Achieve Agility

Ability to Apply Business Logic to Network Behavior in Dynamic Fashion

SDN Architecture:

Infrastructure Layer: Separate control and data plane; abstract control plane of many devices to one

Control Layer: Open standard-based programmatic access to infrastructure

Application Layer: Deliver open programmable interfaces to automate orchestration of network services

Page 9: Sdn&security

HP Delivers SDN to Achieve Agility

Ability to Apply Business Logic to Network Behavior in Dynamic Fashion

SDN Architecture (bottom to top):

Infrastructure Layer: Network Device, Network Device, Network Device (Control & Data Plane); Programmable Interface (e.g., OpenFlow). Separate control and data plane; abstract control plane of many devices to one.

Control Layer: SDN Controller; Programmable Open APIs (e.g., REST). Open standard-based programmatic access to infrastructure.

Application Layer: SDN Applications, Network Applications; Business Applications; Cloud Orchestration (e.g., OpenStack, CloudStack). Deliver open programmable interfaces to automate orchestration of network services.

Page 10: Sdn&security

OpenFlow (e.g. Southbound Interface)

Both fine and coarse grain flow control possible.

Diagram: the controller programs the switch's flow table of match rules and actions.

Match rules shown: TCP Port 16384; TCP Port 80 from 01:23:45:67:89:ab; * (wildcard)

Actions shown: Forward to IDS Tunnel Port; Rate Limit, Forward Normal; Forward Normal

Page 11: Sdn&security

OpenStack Quantum a.k.a. Neutron (e.g. Northbound Interface)

Page 12: Sdn&security

Application Example: SDN Traffic Engineering

Diagram: hosts A and B, switch ports 1 to 6, Controller running a TE APP; HTTP takes path 1, ICMP takes path 2.

Match srcip=A, dstip=B, prot=TCP, dstport=80 → Action In=port 1, Out=port 3

Match srcip=A, dstip=B, prot=ICMP → Action In=port 1, Out=port 2
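The OpenFlow slide (page 10) and the traffic-engineering slide (page 12) both describe flow entries that a switch consults in priority order, with unlisted fields acting as wildcards. The Python model below is an added example, not code from the deck or from HP; it assumes a pairing of page 10's three match rules with its three actions (the slide does not spell it out) and uses 10.0.0.1 and 10.0.0.2 as the addresses of hosts A and B.

```python
from dataclasses import dataclass
A, B = "10.0.0.1", "10.0.0.2"   # assumed addresses for hosts A and B on page 12

@dataclass(frozen=True)
class Packet:
    in_port: int
    eth_src: str = ""        # "" / 0 below mean "field absent"
    ip_src: str = ""
    ip_dst: str = ""
    proto: str = ""          # "TCP", "UDP" or "ICMP"
    tcp_dst: int = 0

@dataclass
class FlowEntry:
    match: dict              # field -> required value; an unlisted field is a wildcard
    actions: list
    priority: int
    packets: int = 0         # per-entry counter, as OpenFlow keeps statistics per flow

    def matches(self, pkt):
        return all(getattr(pkt, k) == v for k, v in self.match.items())

class FlowTable:
    """Priority-ordered table: the first (highest-priority) matching entry wins."""
    def __init__(self):
        self.entries = []
    def add(self, match, actions, priority=0):
        self.entries.append(FlowEntry(match, actions, priority))
        self.entries.sort(key=lambda e: e.priority, reverse=True)
    def lookup(self, pkt):
        for e in self.entries:
            if e.matches(pkt):
                e.packets += 1
                return e.actions
        return ["DROP"]      # table miss with no wildcard entry installed

def openflow_slide_table():
    """Page 10 rules; the match->action pairing is an assumption, not stated on the slide."""
    t = FlowTable()
    t.add({"proto": "TCP", "tcp_dst": 80, "eth_src": "01:23:45:67:89:ab"}, ["FORWARD_IDS_TUNNEL"], 20)
    t.add({"proto": "TCP", "tcp_dst": 16384}, ["RATE_LIMIT", "FORWARD_NORMAL"], 10)
    t.add({}, ["FORWARD_NORMAL"], 0)   # "* (wildcard)": coarse-grain catch-all
    return t

def traffic_engineering_table():
    """Page 12 rules: HTTP A->B leaves on port 3 (path 1), ICMP A->B on port 2 (path 2)."""
    t = FlowTable()
    t.add({"in_port": 1, "ip_src": A, "ip_dst": B, "proto": "TCP", "tcp_dst": 80}, ["OUTPUT:3"], 10)
    t.add({"in_port": 1, "ip_src": A, "ip_dst": B, "proto": "ICMP"}, ["OUTPUT:2"], 10)
    return t
```

Because the wildcard entry sits at priority 0, a packet that matches no fine-grained rule is still forwarded normally, which is the coarse-grain control the slide refers to.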

Page 13: Sdn&security

SDN – Security Use Cases

Page 14: Sdn&security

DDoS Mitigation

Detection: Anomaly Traffic, Signatures, Customer rings...

Reaction and mitigation: Filters, Destination Filters to null

“The right dose differentiates a poison and a remedy”

Objective: Even under attack the customer should be online.

Solutions to do that are very expensive....

Page 15: Sdn&security

DDoS Mitigation - Case 1

• Sakura Internet case (http://www.sakura.ne.jp/)

• DDoS Mitigation

• VoltDB for accurate detection src-dst

• dRTBH with OpenFlow

Page 16: Sdn&security

DDoS Mitigation – Case 2

• sFlow-RT application to detect

• OpenFlow to mitigate.
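The DDoS slides (pages 14 to 16) describe a loop of detecting an attacked destination from flow data and pushing an OpenFlow filter that drops or rate-limits it. The sketch below is an added example, not the Sakura Internet, VoltDB or sFlow-RT code the slides cite; the sampled-flow records, sampling rate, thresholds and the OpenFlow-style flow-mod dictionaries are constructed assumptions.

```python
from collections import defaultdict

SAMPLING_RATE = 1000      # 1-in-N packet sampling; assumed sFlow setting
WINDOW_S = 10             # seconds of samples per evaluation window
THRESHOLD_PPS = 100_000   # assumed: estimated packets/s to one destination that counts as an attack
MIN_SOURCES = 20          # assumed: fewer distinct sources than this is treated as one abusive host

# Constructed samples: (time_s, src_ip, dst_ip); each one stands for SAMPLING_RATE packets.
SAMPLES = (
    [(t, f"198.51.100.{i}", "203.0.113.10") for t in range(WINDOW_S) for i in range(150)]
    + [(t, "192.0.2.7", "203.0.113.20") for t in range(WINDOW_S) for _ in range(120)]
    + [(t, "192.0.2.9", "203.0.113.30") for t in range(WINDOW_S)]
)

def per_destination_stats(samples, rate=SAMPLING_RATE, window_s=WINDOW_S):
    """Scale sampled counts back to estimated pps per destination, with the distinct sources seen."""
    pkts, srcs = defaultdict(int), defaultdict(set)
    for _, src, dst in samples:
        pkts[dst] += 1
        srcs[dst].add(src)
    return {dst: (n * rate / window_s, srcs[dst]) for dst, n in pkts.items()}

def blackhole_rule(dst_ip, hard_timeout=300):
    """dRTBH as an OpenFlow-style flow-mod: drop everything addressed to the victim.
    High priority beats normal forwarding; hard_timeout lets the filter expire by itself."""
    return {"priority": 65000, "match": {"eth_type": 0x0800, "ipv4_dst": dst_ip},
            "actions": [], "hard_timeout": hard_timeout}   # empty action list == drop

def rate_limit_rule(src_ip, dst_ip, meter_id=1, hard_timeout=300):
    """Smaller dose: police one src/dst pair through a meter instead of nulling the victim."""
    return {"priority": 64000,
            "match": {"eth_type": 0x0800, "ipv4_src": src_ip, "ipv4_dst": dst_ip},
            "actions": [f"meter:{meter_id}", "output:normal"], "hard_timeout": hard_timeout}

def detect_and_mitigate(samples, threshold=THRESHOLD_PPS, min_sources=MIN_SOURCES):
    """Flow-mods a controller app would push for this window: dRTBH for a distributed flood,
    a per-source rate limit when the excess traffic comes from a single host."""
    rules = []
    for dst, (pps, sources) in sorted(per_destination_stats(samples).items()):
        if pps < threshold:
            continue
        if len(sources) >= min_sources:
            rules.append(blackhole_rule(dst))
        else:
            rules.extend(rate_limit_rule(src, dst) for src in sorted(sources))
    return rules
```

The src-dst view is what lets the app choose the dose: a destination flooded from many sources gets the blackhole, while a single noisy source is only rate-limited so the customer stays online.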

Page 17: Sdn&security

SDN - NAC / MSM Concept

NAC Today: Agent 802.1x, Supplicant 802.1x, Authenticator 802.1x. Almost impossible multivendor solution.

Conceptual SDN NAC App: Switches and APs should support SBI (e.g. OpenFlow); RADIUS; SDN NAC App; quarantine.

Page 18: Sdn&security

Reputation Services

Diagram: Core, Distribution, Edge; Reputation IPS/IDS with SDN Application

• Reputation (pingserver.info) → Malware

• Alert administrator

Page 19: Sdn&security

SDN Impact on Security Architecture

Scale up... the limit will be reached someday, and it is a Single Point of Failure....

Redundancy, but what about the flow table?

Scale out with an external device: who will balance the load balancer?

Page 20: Sdn&security

SDN Impact on Security Architecture

• Network will execute basic filtering.

• Controller combined with a SEC APP can centralize the flow table.

• NBI interface will allow new applications to come out.

• Complex tasks (e.g. DPI) can be performed by a separate “Service Plane”.

• Cloud Security can use SDN to scale out.

Page 21: Sdn&security

SDN and Security: a lot of opportunities...

Diagram: core, Access, cloud, DC, Enterprise, Branches, Internet, DC Security

Page 22: Sdn&security

SDN Drawbacks

What happens if a bad guy takes control of the controller?

A. Well, you are in trouble, but what happens if the same bad guy takes control of a Border router in a Service Provider environment today???

What happens if a bad guy tries to DoS the controller?

A. Well, the bad guy would need access to the management network... You are already in trouble before the DoS.

There are a lot of drawbacks; likewise, if you look for problems in the traditional architectures you also find a lot...

Page 23: Sdn&security

Summary

SDN unlocks constrained networks, accelerates innovation and drives value out of networks

- SDN Provides Abstraction of Complexity

  - Lower cost of administration

  - Reduce automation risk & difficulty

  Network Simplification Drives Adoption

- SDN Enhances & Enables Network Services

  - Extend life and improve performance of ‘middle boxes’

  - Reduce TCO of basic services

  - Improve business QoE through integration of apps & networks

  Network Innovation Drives Advantage

Page 24: Sdn&security

Q&A

Thank you