SDN Security (BRKSEC-2760) - Alok Mittal - Cisco Live 2014 Melbourne (alcatron.net)
TRANSCRIPT
© 2014 Cisco and/or its affiliates. All rights reserved. BRKSEC-2760 Cisco Public
Security at the Speed of the Network
Countering threats is complex and difficult. Software Defined Networking (SDN) offers a way to respond to attacks with the speed of the network: tying together the visibility provided by the network, and the control provided by SDN, with intelligent automation. This breakout session is targeting Network and Security professionals looking for how SDN can improve their network security architecture.
Automating and Accelerating Security Through SDN
Agenda
Introduction to Current Security Challenges
Introduction to Software Defined Networking
Bringing the two together – How SDN can help in solving security challenges
SDN Security Components
Securing SDN
Any Device to Any Cloud: private cloud, public cloud, hybrid cloud.
The Threat Landscape is Evolving
(Figure: timeline 2000, 2005, 2010, Tomorrow.) Threats: worms; spyware and rootkits; APTs; cyberware; an increased attack surface. Defences: Antivirus (host-based); IDS/IPS (network perimeter); Reputation (global) and Sandboxing; Intelligence and Analytics (cloud); Enterprise Response.
The Security Problem
• Changing Business Models
• Dynamic Threat Landscape
• Complexity and Fragmentation
The New Security Model
Attack Continuum, across Network, Endpoint, Mobile, Virtual and Cloud:
• BEFORE - Discover, Enforce, Harden
• DURING - Detect, Block, Defend
• AFTER - Scope, Contain, Remediate
Defences range from point-in-time to continuous.
Capabilities across the continuum:
• BEFORE - Policy, Access Control
• DURING - Netflow, Log and DNS Monitoring; Content Inspection; Threat Analytics; Behaviour Anomaly Detection
• AFTER - Contain, Fix
Manual Security Processes span BEFORE, DURING and AFTER.
SDN Automation: the Speed of the Network
Threat Analytics, Visibility and Control applied across BEFORE, DURING and AFTER.
Introduction to Software Defined Networking (SDN)
Many Definitions
• Openflow
• Controller
• Openstack
• Overlays
• Network virtualisation
• Automation
• APIs
• Application oriented
• Virtual Services
• Open vSwitch
• …
Software Defined Networking (SDN)
(Figure: a chassis switch built from a supervisor, fabric cards FC 1-5 and line cards LC 1-16, shown beside a spine/leaf fabric of Spine 1-5 and Leaf 1-16 managed by a Controller.)
Spine Nodes, Leaf Nodes
• Supervisor - Control
• Fabric Cards - Forwarding
• Line Cards - Services
Basic Definitions
What Is Software Defined Networking (SDN)?
“…In the SDN architecture, the control and data planes are decoupled, network intelligence and state are logically centralised, and the underlying network infrastructure is abstracted from the applications…”
Source: www.opennetworking.org
What is OpenStack?
Open source software for building public and private clouds; includes Compute (Nova), Networking (Quantum) and Storage (Swift) services.
Source: www.openstack.org
What is an Overlay Network?
An overlay network is created on existing network infrastructure (physical and/or virtual) using a network protocol. Examples of overlay network protocols are GRE, VPLS, OTV, LISP and VXLAN.
What Is OpenFlow?
An open protocol that specifies interactions between decoupled control and data planes.
Note: OpenFlow is not mandatory for SDN.
Note: North-bound controller APIs are vendor-specific.
Note: Applicable to SDN and non-SDN networks.
Note: SDN is not mandatory for network programmability nor automation.
Basic Architecture in all Models
Key SDN Goals and Concepts
• A controller centralises network configuration and aims to make networks easier to provision and configure.
• Network intelligence and state are logically centralised, and the underlying network infrastructure is abstracted from the applications.
• Enables automation, so the network can respond better to the changing needs of business applications and users.
Examples:
• Network topology changes can be made without manually reconfiguring network devices.
• Virtual networks can be created based on application requirements.
• Security controls do not have to physically exist at a particular network location.
Network Programmability
Applications that need to program the network: Network Monitoring, Bandwidth Management, Load Balancing.
Step 1 - via SNMP, CLI and NetFlow: heterogeneous devices, inconsistent data models :-(
Step 2 - via programmatic interfaces (onePK): multiple topology models, no policy resolution :-(
Step 3 - via a Controller offering a programmatic interface over onePK and OpenFlow: topological awareness, policy resolution :-)
Cisco SDN
• Solves challenging next-generation customer problems in the Data Centre, Access and WAN
• Provides network-wide abstraction
• Provides business agility so customers can roll out new applications and services quickly and cost-effectively
• Automates infrastructure provisioning based on application policy profiles
• Secures multi-tenancy with centralised compliance and auditing
• Provides open APIs for integration with existing systems, enabling a vast ecosystem of partners
Cisco Controllers
Open DayLight (ODL): open source; southbound OpenFlow and onePK.
Credit: The OpenDaylight Project, Inc.
Application Policy Infrastructure Controller (APIC): Application Centric Infrastructure fabric across physical, virtual, and cloud; open APIs; OpenStack.
Programmability Across Multiple Controllers
(Figure: in the Datacentre, an App on the ODL Controller and an App on the APIC Controller; the security build adds Threat Defence and Security Policy alongside the apps.)
Application Centric Infrastructure Fabric
(Figure: a fabric of blade servers with endpoint groups such as “Users” and “Files”.)
• Single Point of Management
• Intelligent Fabric
• Flat Hardware-Accelerated Network
• Logical Endpoint Groups by Role
• Flexible Insertion
• Physical Fabric Traversal
• Single Pass Firewalling with Flow-Specific Policy
End Point Groups Simplify Policy
(Figure: Web, App and DB tiers as EPG 2, EPG 3 and EPG 4.)
Service Insertion and ACI
Image from ACI at-a-glance
End Point Groups: Internet (EPG 1), Web (EPG 2), App (EPG 3), DB (EPG 4), joined by Contracts. Services are inserted into the contracts: an ASA (ACL, Inspect HTTP, etc) between EPG 1 and EPG 2, and a Load Balancer between EPG 2 and EPG 3.
Credit: Sean Xun Wang
Simple Example - DDoS Mitigation
(Figure: the SP network, a Load Balancer, SSL/TLS Termination, a Web App Firewall and the Enterprise, with a DDoS Scrubber; the DDoS Detection Application talks to the Cisco ONE Controller.)
1. Telemetry - DDoS Application to SDN Controller: “Give me the network traffic data.”
2. “Reroute Flows” - DDoS Application to SDN Controller: “I see an attack: redirect the traffic for this flow to a Scrubber.”
Nexus 3000 Tap Aggregation Switch
(Figure, built up over several slides: traffic to and from Sensitive Data is SPANned to a Nexus 3000 tap aggregation switch; the ODL Controller's Monitor Manager programs the switch on behalf of a Monitoring Application to filter, replicate, or tag traffic.)
What SDN Promises for Security
SIMPLIFY POLICY: form a trusted path from user to application.
CONVERGE INTELLIGENCE: move to more centralised security services.
LEVERAGE THE NETWORK FOOTPRINT: redirect traffic, identify and block new and unknown threats.
Trusted Path from User to Application (SIMPLIFY POLICY)
Simplify Network Segmentation
• End-to-end VLANs
• Extend network segments over distance
Benefits
• Data confidentiality
• Multi-tenancy
Bring Network Flows to Central Security Services (CONVERGE INTELLIGENCE)
Benefits
• Make the network far less complex
Redirect Traffic for Analysis (LEVERAGE THE NETWORK FOOTPRINT)
• Automatically identify infected hosts for quarantine and remediation
• Dynamically provision the network for threat protection
Benefits
• Enhanced network visibility
• Dynamic threat response
SDN Exposes Network Value
(Figure: Policy, Analytics and Orchestration layered over the Network.)
• Harvest network intelligence
• Program for an optimised experience
• Automation, Visibility, Flow Management
(Figure, built up over several slides: automated containment through SDN.)
Components: Identity Services Engine (ISE), a Containment Service, an Identity Context Manager, the ODL Controller (OpenFlow and onePK southbound), Nexus and Catalyst 3850 switches, pxGrid, an ASA providing Threat Defence, and a server holding Sensitive Data.
Sequence:
1. Netflow from the switches feeds the Threat Defence and Containment Service.
2. SDN Control: TAG - the host is given Security Group Tag = SUSPICIOUS (ISE, pxGrid).
3. SDN Control: INSPECT - the suspicious host's traffic is redirected for Inspection (ASA Threat Defence).
4. SDN Control: CONTAIN - the host is contained by the Containment Service.
5. SDN Control: BLOCK - the host is blocked.
SDN Security Components
(Figure: layered architecture.)
SDN Applications: Security Application, Third Party Application, Cisco Cloud Threat Defence.
Controller: Identity, Security and Network Services over a Service Abstraction Layer, with southbound OpenFlow, onePK, I2RS, a Security Plugin and pxGrid.
SDN Security Infrastructure: Identity Services Engine, Network Elements, Security Elements, Virtual Machines.
Security Application examples: Next Generation Defence Centre, PRSM, CSM.
Network Capabilities and Threat Defence Services
Application View - targeted services: Targeted Blocking, Targeted Inspection, Targeted Rate Limiting, Targeted Packet Capture, Targeted File Capture, Targeted Confinement, Targeted Enforcement.
Network capabilities used: OpenFlow, onePK, ASA Plugin, VLAN, SGT, VxLAN, ISE.
Security Services Through SDN
Audit, Recording, Monitoring, Inspection, Rate Limiting, DDoS Scrubbing, Quarantine, Active Web Firewall, Blocking.
Properties: Effective, Timely, Non-invasive.
Network Controller Reconciles Mitigations Against the Needs of Mission-critical Applications
Inputs to the controller: mitigations from the security system on one side, application and network requirements on the other.
Threats to an SDN System
(Figure: a Controller with App 1, App 2 and App 3 above it and network elements below.)
• Spoofing controller-to-network-element communication
• Spoofing app-to-controller communication
Securing SDN
• Authentication and Authorisation on both interfaces (the figure shows a rejected “login attempt failed”)
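The DDoS mitigation exchange (the security app requests telemetry, then asks the controller to reroute a flow), the controller reconciling that mitigation against mission-critical application requirements, and the authentication and authorisation just described can be sketched in one piece. The following Python is an added example, not code from the session or from any Cisco controller; the HMAC shared secret, the app permission table, the critical-subnet policy and the NetFlow-style records are all constructed assumptions.

```python
import hashlib
import hmac
import ipaddress
import json

# Constructed credentials and permissions (assumption): a real northbound API
# would use TLS client certificates or tokens; an HMAC shared secret stands in.
APP_KEYS = {"ddos-app": b"constructed-shared-secret"}
APP_PERMS = {"ddos-app": {"redirect", "block"}}   # actions each app may request
# Constructed application requirements the controller reconciles against: the
# payments subnet may be redirected to a scrubber or rate-limited, never blocked.
CRITICAL = {ipaddress.ip_network("10.0.5.0/24"): ["redirect", "rate_limit"]}
# Constructed NetFlow-style telemetry: the "give me the network traffic data" step.
FLOWS = [
    {"src": "198.51.100.1", "dst": "10.0.5.10", "pps": 3000},
    {"src": "198.51.100.2", "dst": "10.0.5.10", "pps": 2500},
    {"src": "198.51.100.3", "dst": "10.0.5.10", "pps": 2000},
    {"src": "192.0.2.7", "dst": "10.0.9.4", "pps": 40},
]

def sign(app, request):
    """HMAC-SHA256 over the canonical JSON body, keyed with the app's secret."""
    body = json.dumps(request, sort_keys=True).encode()
    return hmac.new(APP_KEYS[app], body, hashlib.sha256).hexdigest()

def detect_ddos(flows, min_sources=3, min_pps=5000):
    """DDoS app side: destinations hit by many sources at a high aggregate rate."""
    per_dst = {}
    for f in flows:
        d = per_dst.setdefault(f["dst"], {"srcs": set(), "pps": 0})
        d["srcs"].add(f["src"])
        d["pps"] += f["pps"]
    return [dst for dst, d in per_dst.items()
            if len(d["srcs"]) >= min_sources and d["pps"] >= min_pps]

def controller_handle(app, request, mac):
    """Controller side: authenticate, authorise, then reconcile the mitigation."""
    if app not in APP_KEYS or not hmac.compare_digest(sign(app, request), mac):
        return {"status": "denied", "reason": "authentication failed"}
    if request["action"] not in APP_PERMS[app]:
        return {"status": "denied", "reason": "app not authorised for action"}
    dst = ipaddress.ip_address(request["dst"])
    for net, allowed in CRITICAL.items():
        if dst in net and request["action"] not in allowed:
            # Mission-critical destination: downgrade to the preferred allowed action.
            return {"status": "downgraded", "action": allowed[0], "dst": request["dst"]}
    return {"status": "applied", "action": request["action"], "dst": request["dst"]}

def run_demo(flows=FLOWS):
    """The session's exchange: detect, then ask the controller to reroute the flow."""
    results = []
    for dst in detect_ddos(flows):
        request = {"action": "block", "dst": dst}   # the app asks for a hard block
        results.append(controller_handle("ddos-app", request, sign("ddos-app", request)))
    return results
```

A forged or missing signature is refused before any policy is consulted, and an app asking for an action outside its permission set is refused even with a valid signature; only then does the controller weigh the mitigation against the critical-application policy.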
Considerations
Detection:
• How automated is your telemetry capture?
• How automated is your threat analysis?
• Are you limited by privacy considerations?
Response:
• What actions are you willing to take in real time?
• What actions should be one-click for a security analyst?
SDN:
• What type of SDN can you use?
• How SDN-ready is your network?
• SDN security?