#RSAC
Open Security Controller - Security Orchestration for OpenStack
Session ID: CSV-W02
Tarun Viswanathan, Platform Solution Architect, Intel
Manish Dave, Platform Architect, Intel
Notices and Disclaimers
Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Learn more at intel.com, or from the OEM or retailer.
No computer system can be absolutely secure.
Tests document performance of components on a particular test, in specific systems. Differences in hardware, software, or configuration will affect actual performance. Consult other sources of information to evaluate performance as you consider your purchase. For more complete information about performance and benchmark results, visit http://www.intel.com/performance.
Intel, the Intel logo and others are trademarks of Intel Corporation in the U.S. and/or other countries. *Other names and brands may be claimed as the property of others.
© 2016 Intel Corporation.
SDI: The Application Defines the System
The evolution to software-defined infrastructure
Enterprise Multi Cloud Security Challenges
How can I provide consistent security across a multicloud datacenter environment?
Open Security Controller addresses this challenge.
Open Security Controller Key Design Goals
Centralized security policy management for a multicloud environment.
Conceptual Architecture
OpenStack* Micro-Segmentation Use Case
OSC API Interaction Model
[Diagram: OSC API interaction model. Components shown, by group:]
• Cloud Apps: Applications, User Intent, and Policies
• SDN Controllers: Nuage VSP*, Midokura*, Brocade*…, NSX*
• Virtualization Layer
• Physical Infrastructure: Computing Hardware, Storage Layer, Network Hardware
• Virtual Infra (OpenStack*): Virtual Compute, Virtual Storage, Virtual Network
• Virtualized Security Functions: CPA, DPA
• Security Function / Element Managers: IPS Managers, NGFW Managers, ADC Managers
• Open Security Controller: Manager Plug-ins, VNF Agent Plug-ins, Business Logic, Service Dispatcher, Jobs Engine, SDN Plug-ins, Virtualization Connectors, Security Functions Catalog, H2 Database, User Interface, API, GUI
• Interface labels (numbered 1 to 5 on the slide): NB REST API; REST API / WebSockets; REST API / IPC; REST API, SFC Policy; REST API, images, deployment, notifications, authentication

Interface functions listed on the slide:
• Policy interface
• User intent
• Application intent
• Lifecycle management
• Deployment specs, auto-scaling and HA
• Authentication
• Image services
• Notification for events
• Role based access control
• Traffic redirection API
• SFC policy API
• Advanced visibility functionality (example 6 tuple visibility)
• Dynamic policy updates and mapping
• Domain/subdomain updates and mapping
• Control path agent: provisioning, de-provisioning, heartbeats, etc.
• Data path agent: instrumentation and real time statistics
Customer PoC: Health industry IT services provider
• Customer has to adhere to HIPAA regulatory requirements
• Existing solution was based on DC edge devices.
• Customer wanted to get to a dynamic policy based security solution for East-West traffic inspection.
Commercial x86 Server
Commercial SDN controller
(Compute Node) RHEL 7.2
(Control Node) Commercial OpenStack Newton Distro
Open Security Controller
Virtual Intrusion Prevention System
Next Gen Firewall
Virtual App Delivery Controller
Customer Deployment Architecture
[Diagram with two panels: "Current: Topology Based Security" and "Future: Dynamic Policy Based East-West Security". Labels shown: High Latency; East-west Traffic; x86 Server; vIPS, vADC, App; Top of Rack Switch; Security between Tenants and Tiers; Latency Goes Down; Granular Control and Scalability; SDN Controller; Physical Appliances; Firewall; Intrusion Prevention Systems / Intrusion Detection Systems; Application Delivery Controller; Security Function Manager; Security Controller.]
Customer PoC: Large financial services provider
Commercial x86 Server
Commercial SDN controller
(Compute Node) RHEL 7.2
(Control Node) Commercial OpenStack Distro
Open Security Controller
Next Gen Firewall Vendor 1
Next Gen Firewall Vendor 2
• Customer has to adhere to PCI regulatory requirements
• Customer wanted to get to a Risk Based automated security policy management capability for their OpenStack environment
Customer Deployment Workflow
One Time Setup
1. OpenStack Connector
2. Create Security Services
   a) Policy manager Plugins for NGFW1, NGFW2
3. Configure Security Services
   a) Distributed Appliance
   b) Deployment-Specifications
Protection Policy
1. Define Global Risk based Sec-Groups
2. All Policy managers dynamically updated
3. Automated traffic redirection via SDN Plugin
Automated Zero-Trust Security
Network flows automatically updated to redirect traffic to security service chain
Security Admin
Spins workload up or down
Dev-Ops
DEMO: Automated Security Services Orchestration for OpenStack
Demo Topology
Apply: Risk Based Approach
1. Identify workload which needs micro segmentation
2. Identify security controls to mitigate risks (vIPS, vNGFW, vADC)
3. Automate Security Controls orchestration
Call to Action
Current Status
POC with early adopter customers / Security VNF’s
Open Security Controller available as Open source ~Mid 2017 compatible with few Security VNF and SDN vendors
Call to Action
Contact us to get engaged in the community:
Email: [email protected] [email protected]
www.intel.com/osc