
Page 1: Secure Science DMZ using Event-Driven SDN Science DMZ using Event-Driven SDN ... Splunk as an SDN Application 8 ... Data Plane Elements Cisco Open SDN Controller

Secure Science DMZ using Event-Driven SDN

Tae Hwang

Technical Solutions Architect @ Cisco

Page 2:

2 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Typical Science DMZ Network Architecture “1.0”

[Diagram labels: Internet; I2 AL2S/AL3S; Campus; Firewall; DMZ Switch; DTN/Servers/Storage/perfSONAR. Traffic is managed via simple ACL or Flow Rule.]

What is the biggest challenge with this architecture?

Page 3:


Science DMZ “2.0”: Bypassing Campus Firewall for Large Flows

SciPass Architecture: Combined with Brocade OF Switch (typically), Bro IDS, PerfSONAR, and SciPass controller (Indiana University)

Embedded slides from the SDN Solutions Showcase, October 14-17, 2014 (© 2014 Open Networking Foundation):

SciPass Operation - Phase 2

•  BRO inspects traffic to find “good” science flows

•  Requests a bypass for the flows deemed “good”

SciPass Operation - Phase 3

•  SciPass inserts bypass OpenFlow forwarding rules
   –  Traffic not sent to IDS
   –  Traffic not sent to Firewall

•  Throughput improves

[Diagram labels: OpenFlow Switch; IDS; Firewall; SciPass Controller; PerfSONAR; Network; Feedback; links marked 100G and 10G.]

Page 4:


Flow Detection Method

•  IPS/IDS/FW/Router – Insert a whitelist/ACL entry that matches packets with specific header information

•  Data Transfer Node (DTN) – Get a notification from the DTN that it is about to start a data transfer

•  Globus – Get a notification from Globus or similar tools.

Page 5:


FW/IPS Bypass Methods

Option 1: Enable OpenFlow feature on Cisco OpenFlow Hybrid Switch

Option 2: Use a dedicated OpenFlow Switch if the current device doesn’t support OF.

Option 3: Use PBR with NXAPI.

Option 4: Use VACL and Redirect with NXAPI

Page 6:


How to Secure Science DMZ and Campus

Q. Science DMZ is directly connected to the Internet. How can we secure Science DMZ and the campus?

A. Leverage security devices to detect threats and log them to an event server, such as Splunk. Necessary actions against the threat are triggered by apps in the event server; actions could be blackholing BGP routes on routers, applying OpenFlow rules on the OF switches, or both.

Page 7:


Science DMZ Reference Implementation

[Diagram labels]
Upstream: Internet2/AL2S; Commodity Internet
Zones: DMZ; Secure Corporate Networks; High-Throughput Science Networks; Campus; Corporate DC; External Services
Devices: ASR 1K; ASR 9K; Nexus 3K; Nexus 9K; ASA 5585; DTN Compute
Control: BGP Null Routes (Active Blocking); OpenFlow; Flow Notification
Event server: Event Correlation; Log Storage; Auditing; Analysis
Next Generation Firewall: Commodity: In-Line; Internet 2: In-Line or OOB w/Steering

Page 8:


Splunk as an SDN Application

•  Logically sits on top of COSC to provide application intelligence

•  Likely already sending events to central logging

•  Has the most informed view of the status of the network, servers, and apps.

•  Provides event correlation

•  Consolidates the number of devices sending REST commands

•  Correlates by severity, rate, and between events

•  Provides for auditing and reporting capabilities

•  Leverage existing skill by writing logic in Splunk search language

Page 9:


Example Event Actions

Real-Time, Immediate Action: e.g. High Priority IDS Event: Block Host Immediately

Real Time With Sliding Window and Threshold: e.g. SYN Attacks: Block host after 100 improper SYNs in 60 seconds

Scheduled with Fixed Window: e.g. Block Timeout: Unblock host if it has not been seen in last 24 hours

[Diagram labels: From IDS; From FW]
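The three event-action patterns on this slide, as an added example that is not part of the deck: a small Python engine that blocks on a high-priority IDS event at once, blocks after 100 improper SYNs inside a sliding 60-second window, and unblocks hosts not seen for 24 hours. The host addresses, event shapes and the "high" priority label are constructed for the demo.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

SYN_THRESHOLD, SYN_WINDOW = 100, timedelta(seconds=60)  # "100 improper SYNs in 60 seconds"
BLOCK_TIMEOUT = timedelta(hours=24)                      # "not been seen in last 24 hours"

class EventActions:
    def __init__(self):
        self.syns = defaultdict(deque)  # host -> timestamps of improper SYNs in the window
        self.blocked = {}               # blocked host -> time it was last seen
        self.actions = []               # (time, action, host) the SDN app would push out
    def on_ids_event(self, ts, host, priority):
        # Real-time, immediate action: a high-priority IDS event blocks the host at once.
        if priority == "high":
            self._block(ts, host)
    def on_fw_syn_event(self, ts, host):
        # Sliding window and threshold: keep only this host's SYNs from the last 60 s.
        window = self.syns[host]
        window.append(ts)
        while ts - window[0] > SYN_WINDOW:
            window.popleft()
        if len(window) >= SYN_THRESHOLD:
            self._block(ts, host)
    def on_host_seen(self, ts, host):
        # Any later sighting of a blocked host refreshes its last-seen time.
        if host in self.blocked:
            self.blocked[host] = ts
    def scheduled_timeout(self, now):
        # Scheduled with fixed window: unblock hosts not seen in the last 24 hours.
        for host, last_seen in list(self.blocked.items()):
            if now - last_seen > BLOCK_TIMEOUT:
                del self.blocked[host]
                self.actions.append((now, "unblock", host))
    def _block(self, ts, host):
        if host not in self.blocked:  # a host already blocked is not re-blocked
            self.blocked[host] = ts
            self.actions.append((ts, "block", host))

def run_demo():
    # Constructed events with documentation addresses; returns the actions issued.
    eng = EventActions()
    t0 = datetime(2015, 6, 10, 10, 53, 43)
    eng.on_ids_event(t0, "203.0.113.7", "high")  # blocked immediately
    for i in range(100):                          # 100 SYNs spread over 100 s: never 100 in 60 s
        eng.on_fw_syn_event(t0 + timedelta(seconds=i), "198.51.100.9")
    for i in range(100):                          # 100 SYNs within 10 s: threshold hit, block
        eng.on_fw_syn_event(t0 + timedelta(seconds=200 + i * 0.1), "198.51.100.9")
    eng.on_host_seen(t0 + timedelta(hours=20), "203.0.113.7")  # still active: stays blocked
    eng.scheduled_timeout(t0 + timedelta(hours=25))           # only the quiet host is unblocked
    return eng.actions
```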

Page 10:


Globus for Data Transfer

•  A key service in the research networking ecosystem with more than 10,000 active endpoints

•  Software-as-a-Service (SaaS) solution to manage transfers, where users can direct requests to transfer or synchronize files and directories between two locations

•  Uses GridFTP to provide secure, reliable, and efficient transfer of data across wide-area distributed networks

•  GridFTP extensions provide parallelism (i.e., the use of multiple socket connections between pairs of data movers), restart markers, and data channel security.

•  GridFTP control plane provides the source and destination information for the flows it sets up

•  Effectively authenticates flows before they bypass security

Page 11:


OpenFlow Data Flow Steering

Base setup depending on mode:

Out-Of-Band IDS:
<priority>100</priority>
<in-port>54</in-port>
<output-node-connector>52</output-node-connector>
<output-node-connector>25</output-node-connector>

In-Band Firewall/IPS:
<priority>100</priority>
<in-port>54</in-port>
<output-node-connector>25</output-node-connector>
<in-port>25</in-port>
<output-node-connector>52</output-node-connector>

Bypass operation, the same for both modes:
<priority>200</priority>
<in-port>54</in-port>
<output-node-connector>52</output-node-connector>

[Diagram: two port layouts, Out-Of-Band IDS and In-Band FW/IPS, each with an Outside and an Inside side; the rules above use ports 54, 52 and 25, with the IDS or FW/IPS attached on port 25.]

Page 12:


Bypass Flows in “Tap” Switch

Flow start notification:
Jun 10 10:53:43 localhost splunk_odl_action: log_level=INFO, action=start, flow=199.66.189.10:50368-128.55.29.41:42600, status_code=200

Flows added to Nexus 3000:

Flow: 4
Match: tcp,in_port=54,nw_src=199.66.189.10,nw_dst=128.55.29.41,tp_src=50368,tp_dst=42600
Actions: output:52
Priority: 200

Flow: 5
Match: tcp,in_port=52,nw_src=128.55.29.41,nw_dst=199.66.189.10,tp_src=42600,tp_dst=50368
Actions: output:54
Priority: 200

Flow stop notification:
Jun 10 10:54:51 localhost splunk_odl_action: log_level=INFO, action=stop, flow=199.66.189.10:50368-128.55.29.41:42600, status_code=200

Page 13:


Remotely Triggered Black Hole Routing

Static routes added by COSC through Netconf on ASR 9000:
router static
 address-family ipv4 unicast
  1.0.184.115/32 Null0 tag 666
  1.161.169.139/32 Null0 tag 666
  2.25.74.127/32 Null0 tag 666
  2.50.153.67/32 Null0 tag 666
  12.197.32.116/32 Null0 tag 666

Export the Null routes, setting next-hop to the black hole IP:
route-policy as-11017-out
  if tag is 666 then
    set next-hop 192.0.2.1
    set community (no-export) additive
    pass
  else
    pass
  endif
end-policy

Enable uRPF on WAN interface on ASR 9000:
ipv4 verify unicast source reachable-via any allow-default

Route Black Hole IP to Null0 on other border routers:
ip route 192.0.2.1 255.255.255.255 Null0

Enable uRPF on WAN interface on ASR 1000:
ip verify unicast source reachable-via any

Page 14:


Cisco Open SDN Controller Platform

[Diagram: layered architecture]
Network Applications: Application 1, Application 2, Application 3, Application 4, ... Application ‘n’ (via REST APIs); DLux User Interface
Base Network Service Functions: Topology Manager; Statistics Manager; FRM; L2 Switch; AAA Service; GBP Service; Host Tracker
3rd Party Network Service Functions: Network Service 1, Network Service 2, Network Service 3, Network Service 4, ... Network Service ‘n’
Model Driven Service Abstraction Layer (Plugin Manager, Capacity Abstraction, Flow Programming, Inventory, etc)
Interfaces: OpenFlow Interface; OVSDB Interface; NETCONF Interface; BGPLS Interface; PCEP Interface
Data Plane Elements: Open vSwitches; OpenFlow Enabled Devices; Cisco and 3rd Party Virtual and Physical Devices

Page 15:


Splunk Screenshot 1

Page 16:


Splunk Screenshot 2

Page 17:


Splunk Screenshot 3