[ovnc 2013] controlling secure & software defined network for cloud infrastructure


Upload: ian-choi

Post on 06-May-2015


Page 1: [OVNC 2013] Controlling Secure & Software Defined Network for Cloud Infrastructure
Page 2

Page 3

© 2013 NAIM Networks – All rights reserved. 3 / 34

What about security?

[Diagram: Compute Node #1 and Compute Node #2, each running a Software Switch with three VMs (OS #1, OS #2, OS #3, each behind a NIC), joined by an IP Fabric; no security component is present]

Page 4

Current security configuration

[Diagram: the same two compute nodes over an IP Fabric; one of the six VM slots is now occupied by a Security VM]

Page 5

Are there any problems?

[Diagram: the same two compute nodes over an IP Fabric, with a single Security VM on one node]

Page 6

Are VM security products difficult??

[Diagram: the same two compute nodes over an IP Fabric, with a single Security VM on one node]

Page 7

Is there no way to improve??

[Diagram: Compute Node #1 and Compute Node #2 over an IP Fabric, each running a Software Switch with three VMs (OS #1–#3 behind NICs) and each now hosting its own Security VM]

Page 8

Flexible implementation using SDN?

[Diagram: as on the previous slide (a Security VM on each compute node), plus an SDN Controller running Apps (App, App, App) that drives a Security Appliance]

Page 9

1. Virtualized Environment in Cloud
2. Cloud Management: OpenStack
3. SDN Roles in Cloud Management
4. Case: Security (SDN + DPI)

Page 10

Page 11

Virtualized World

Virtualization: the creation of something virtual (rather than actual) in the computer world

Pros.
• Isolation
• Consolidation
• Testing
• Mobility

Cons.
• Concentration Risk
• Cost
• Performance Penalty
• Hardware Support

Page 12

Virtualized World: Cloud (1)

[Diagram: Server Virtualization + Network Virtualization → Cloud with Virtualization]

Remarkable growth in server virtualization

• Hypervisors: VMware ESXi, MS Hyper-V, Citrix XenServer, …

• Hardware support: Intel VT/VT-x/EPT, AMD-V

Supporting data center networks (large number of hosts and large traffic volume)

• VLAN, GRE tunneling, VxLAN, …

Page 13

Virtualized World: Cloud (2)

[Diagram: one Physical server hosting VM (tenant #1) and VM (tenant #2); virtualization gives each its own network, Network for tenant #1 and Network for tenant #2]

Source: http://www.microsoftvirtualacademy.com/ - WS-B327

Page 14

Page 15

OpenStack Intro.

OpenStack is a collection of open source software projects used to set up and run cloud infrastructure (e.g., compute, storage, networking).

Page 16

Evolution of OpenStack

Six Month Cycle: releases are timed to correspond with the developer summit meeting.

Currently there are no reliable upgrade paths between releases.

Expect large deltas between releases for the next year or so as new features and core functionalities are added.

Release name   Release date        Included component code names
Austin         21 October 2010     Nova, Swift
Bexar          3 February 2011     Nova, Glance, Swift
Cactus         15 April 2011       Nova, Glance, Swift
Diablo         22 September 2011   Nova, Glance, Swift
Essex          5 April 2012        Nova, Glance, Swift, Horizon, Keystone
Folsom         27 September 2012   Nova, Glance, Swift, Horizon, Keystone, Quantum, Cinder
Grizzly        4 April 2013        Nova, Glance, Swift, Horizon, Keystone, Quantum, Cinder
Havana         17 October 2013     Nova, Glance, Swift, Horizon, Keystone, Neutron, Cinder, Heat, Ceilometer

Src.: http://en.wikipedia.org/wiki/OpenStack

Nova: server virtualization management

Quantum/Neutron: network virtualization management

Page 17

Havana: Architecture

Emphasizing the management of the cloud

Ceilometer: metering

Heat: orchestration

Page 18

OpenStack: Nova

Overview

The core of the IaaS management system in OpenStack

Supports large-scale deployment of compute instances

Applied to NASA’s open source cloud project – Nebula

Asynchronous, eventually consistent communication

REST-based API

Hypervisor agnostic: support for Xen, XenServer, Hyper-V, KVM, UML and ESX is coming

Horizontally and massively scalable

Hardware agnostic: standard hardware, RAID not required

Page 19

OpenStack: Neutron

Quick Intro

Quantum/Neutron is an OpenStack project to provide “networking as a service” between interface devices (e.g., vNICs) managed by other OpenStack services (e.g., Nova)

Manages network virtualization, just like compute (Nova) manages server virtualization

Advocates multi-tenancy

Technology-agnostic

Page 20

Network Virtualization with Neutron

Logical Network Architecture

[Diagram: OpenStack Neutron-related components (Open vSwitch plugin example)]

Page 21

Network Virtualization with Neutron

Physical Realization

OVS Plugin – GRE Overlays

[Diagram: a Network Node (DHCP, L3, Br-ex) and Compute Nodes C1, C2 and C3, each with a Br-int and a Br-tun bridge; VMs A11, A12, A21, B11 and B12 are attached to Br-int on the compute nodes]

Local VLAN tags converted into GRE keys (and vice versa)
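The slide's one-line explanation of the GRE overlay (node-local VLAN tags on br-int, rewritten by br-tun into the tenant network's GRE key and back) is easiest to see as a small model. The following Python is an added example, not code from the slides, from NAIM Networks or from OpenStack; real Neutron does this translation with OpenFlow rules on br-tun, and the node names, VLAN ids and GRE keys below are constructed. It shows why the local VLAN id means nothing across nodes and why a frame arriving with a key that has no tenant on the receiving node is dropped.

```python
"""Model of the Neutron OVS-plugin GRE overlay: br-int tags each tenant
network with a node-local VLAN id; br-tun maps that tag to the tenant's
global GRE key on egress and back on ingress.

Added example (not NAIM Networks' or OpenStack's code).  Node names,
local VLAN ids and GRE keys are constructed."""

from dataclasses import dataclass, field


@dataclass
class TunnelBridge:
    """Per-node br-tun state: local VLAN <-> GRE tunnel key mapping."""
    node: str
    vlan_to_key: dict = field(default_factory=dict)
    key_to_vlan: dict = field(default_factory=dict)

    def provision(self, local_vlan: int, gre_key: int) -> None:
        # The agent allocates a local VLAN for every tenant network that has
        # a port on this node and binds it to the network's segmentation id
        # (the GRE key).  Both sides of the mapping must be unique per node.
        if local_vlan in self.vlan_to_key or gre_key in self.key_to_vlan:
            raise ValueError("vlan or key already in use on %s" % self.node)
        self.vlan_to_key[local_vlan] = gre_key
        self.key_to_vlan[gre_key] = local_vlan

    def egress(self, local_vlan: int) -> int:
        """Frame leaving br-int for the fabric: strip the VLAN, set the GRE key."""
        return self.vlan_to_key[local_vlan]

    def ingress(self, gre_key: int):
        """Frame arriving from the fabric: map the key back to the local VLAN.
        An unknown key has no tenant on this node, so the frame is dropped (None)."""
        return self.key_to_vlan.get(gre_key)


def deliver(src: TunnelBridge, src_vlan: int, dst: TunnelBridge):
    """Carry one frame from a VM on `src` across the fabric to node `dst`.
    Returns the local VLAN the frame lands on at dst, or None if dropped."""
    key = src.egress(src_vlan)   # tag -> key on the sending node
    return dst.ingress(key)      # key -> tag on the receiving node


# Constructed segmentation ids for two tenants.
TENANT_A_KEY = 1001
TENANT_B_KEY = 1002


def build_demo():
    """Two compute nodes: tenant A has ports on both, tenant B only on C1."""
    c1 = TunnelBridge("C1")
    c1.provision(local_vlan=1, gre_key=TENANT_A_KEY)
    c1.provision(local_vlan=2, gre_key=TENANT_B_KEY)
    c2 = TunnelBridge("C2")
    # Same tenant, different local tag: VLAN 2 on C2 is tenant A, not B.
    c2.provision(local_vlan=2, gre_key=TENANT_A_KEY)
    return {
        "a_c1_to_c2": deliver(c1, 1, c2),  # lands on C2's VLAN 2 (tenant A)
        "b_c1_to_c2": deliver(c1, 2, c2),  # tenant B has no port on C2: dropped
        "a_c2_to_c1": deliver(c2, 2, c1),  # lands on C1's VLAN 1 (tenant A)
    }


if __name__ == "__main__":
    for name, landed in build_demo().items():
        print(name, "->", "dropped" if landed is None else "local VLAN %d" % landed)
```

The point for an operator is that tenant isolation in this overlay rests on the key mapping held by each br-tun, not on the VLAN ids, which are reused per node; a review of the overlay therefore means checking the segmentation-id allocation and the br-tun rules, not the VLAN numbers seen on br-int.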

Page 22

OpenStack with Virtualization

Realizing *-as-a-service with server & network virtualization using OpenStack components

Source: Dan Wendlandt – Quantum hacker & PTL. Note: “Quantum” → “Neutron”; the name “Quantum” is no longer used.

Page 23

Page 24

SDN Overview

Agility on Networks

Controllability of Entire Network

Centralized network management

[1] Van Jacobson et al., “Networking Named Content”, CoNEXT 2009.
[2] Thomas Michael Bohnert, “SDN in the Cloud”, invited talk @ CNSM 2013.

Page 25

SDN Roles in OpenStack

Centralized control of the network using OpenStack

[1] Thomas Michael Bohnert, “SDN in the Cloud”, invited talk @ CNSM 2013.

Page 26

SDN Roles in OpenStack

Why OpenStack + SDN?

Finally free applications from being aware of specific networking details (ports, IP addresses, etc.)

Reducing network management complexities

[Diagram: Orchestration (OpenStack) placing Virtual Machines / Servers on Physical Machines over the network infrastructure]

Page 27

SDN Roles in OpenStack

OpenStack test bed with SDN in NAIM Networks

[Diagram: a Controller Node (OpenStack) and a Network Node (Neutron with an SDN plugin), an SDN Controller, an OpenFlow Enabled Switch, and Compute Node #1 and Compute Node #2, each running OpenVSwitch (OVS) with three VMs (OS #1–#3, each behind a NIC)]

Page 28

Page 29

Overview

Current security appliances
• Cost: expensive
• Maximum bandwidth limits
• (Mostly) all the traffic is passed through the security appliances

Idea
• Distributed DPIs
• Managing & controlling distributed DPIs using SDN

Advantages
• Auto-scaling network resources
• Service chaining

Participants
• NAIM Networks (http://www.naimnetworks.com): 서영석 (team lead), 최영락 (manager), 이정복 (manager)
• OpenFlow Korea (http://www.openflow.or.kr): 조충희, 임덕선

Page 30

Architecture (1)

Logical Architecture

[Diagram: a control loop in the Controller that gathers network data, compares the actual state to the desired state, and applies analysis + reasoning + learning over its data models; beneath it the Cloud Environment, where each physical machine runs its VMs on OpenVSwitch + DPI (OVS+DPI)]

Page 31

Architecture (2)

Architectural Components

[Diagram: an OpenFlow Enabled Switch connecting physical machines, each running OVS and a DPI alongside its VMs (OS #1–#3, behind NICs); an SDN Controller, a Security Appliance, and a Log Analyzer that receives syslog from the DPIs]

Page 32

Case: Demo

Scenario

Network with anomalous traffic

OVSs monitor traffic and send flow information to the “Analyzer”

DPIs in each physical machine monitor traffic

Controllers control all of the OVSs and OpenFlow enabled switches

Let’s see a short movie (about 2 min)!

(One-month duration for this prototype)
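The control loop on the Architecture (1) slide (gather network data, compare actual state to desired state, act through the controller) and the demo scenario above (OVS flow information and per-machine DPI verdicts fed to an analyzer, the controller programming the OVSs) can be simulated end to end. The Python below is an added example, not the NAIM Networks prototype; the tenants, thresholds, sample OVS and DPI records, the rule text (modelled on ovs-ofctl match/action syntax) and the `dpi` output port name are all constructed. It demonstrates the two actions the slides list as advantages: dropping a violating flow at the OVS on the node that carries it, and service-chaining an uninspected flow through the local DPI instead of hauling everything through a central appliance.

```python
"""Simulation of the SDN + distributed-DPI control loop.

Added example, not NAIM Networks' code.  Desired state, OVS flow-stat
samples, DPI verdicts and the rule syntax are constructed."""

from collections import defaultdict

# Desired state: per-tenant packet-rate ceiling and the application protocols
# the DPI is allowed to observe on that tenant's network.
DESIRED = {
    "tenant-A": {"max_pps": 5000, "allowed_apps": {"http", "dns"}},
    "tenant-B": {"max_pps": 2000, "allowed_apps": {"ssh"}},
}

# Constructed OVS flow statistics, as br-int would report them per flow.
OVS_FLOW_STATS = [
    {"node": "C1", "tenant": "tenant-A", "src": "10.0.0.11", "dst": "10.0.0.12", "pps": 120},
    {"node": "C1", "tenant": "tenant-A", "src": "10.0.0.13", "dst": "10.0.0.12", "pps": 9800},
    {"node": "C2", "tenant": "tenant-B", "src": "10.0.1.21", "dst": "10.0.1.22", "pps": 300},
    {"node": "C2", "tenant": "tenant-B", "src": "10.0.1.23", "dst": "10.0.1.22", "pps": 50},
]

# Constructed DPI verdicts (one per inspected flow, as sent over syslog).
# The last OVS flow above has no verdict: the DPI never saw it.
DPI_VERDICTS = [
    {"node": "C1", "src": "10.0.0.11", "dst": "10.0.0.12", "app": "http"},
    {"node": "C1", "src": "10.0.0.13", "dst": "10.0.0.12", "app": "http"},
    {"node": "C2", "src": "10.0.1.21", "dst": "10.0.1.22", "app": "irc"},
]


def gather(flow_stats, verdicts):
    """Join OVS counters with DPI verdicts into one actual-state record per flow."""
    app_by_flow = {(v["node"], v["src"], v["dst"]): v["app"] for v in verdicts}
    return [dict(f, app=app_by_flow.get((f["node"], f["src"], f["dst"])))
            for f in flow_stats]


def compare(actual, desired):
    """Actual vs desired state: list of (node, src, dst, reason) violations."""
    violations = []
    for f in actual:
        policy = desired[f["tenant"]]
        if f["pps"] > policy["max_pps"]:
            violations.append((f["node"], f["src"], f["dst"], "rate"))
        if f["app"] is None:
            # Never inspected: do not trust it, steer it through the DPI.
            violations.append((f["node"], f["src"], f["dst"], "uninspected"))
        elif f["app"] not in policy["allowed_apps"]:
            violations.append((f["node"], f["src"], f["dst"], "app:" + f["app"]))
    return violations


def decide(violations):
    """Controller step: one rule per violation, addressed to the OVS on the
    node that carries the flow.  'output:dpi' stands for the constructed
    port number of that node's local DPI tap (service chaining)."""
    rules = defaultdict(list)
    for node, src, dst, reason in violations:
        match = "ip,nw_src=%s,nw_dst=%s" % (src, dst)
        action = "output:dpi" if reason == "uninspected" else "drop"
        rules[node].append("%s actions=%s" % (match, action))
    return dict(rules)


def control_loop(flow_stats=OVS_FLOW_STATS, verdicts=DPI_VERDICTS, desired=DESIRED):
    """One pass of gather -> compare -> decide; returns rules keyed by node."""
    return decide(compare(gather(flow_stats, verdicts), desired))


if __name__ == "__main__":
    for node, node_rules in control_loop().items():
        for rule in node_rules:
            print("%s: %s" % (node, rule))
```

Because each rule is pushed only to the OVS that owns the flow, enforcement scales with the number of compute nodes rather than with the capacity of one appliance, which is the bandwidth problem the Overview slide raises; the uninspected case is the one to watch in a real deployment, since a flow the DPI never saw is also a flow the analyzer cannot reason about.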

Page 33

Summary

Separated virtualization management: server virtualization & network virtualization

OpenStack was originally designed for server virtualization management, but it started to support network virtualization (officially) after the Folsom release

“OpenStack + SDN” supports better orchestration with centralized network management and abstraction from network details

We showed one security prototype that can be directly deployed to an OpenStack + SDN environment

Page 34

www.NAIMNetworks.com