Securing network traffic in Private Clouds
Ratinder Paul Singh Ahuja, Ph.D., CTO Network, Cloud & Content Security
.
Agenda
• SDDC Models
• Key Problems
• Approaches
.
Elastic, On-demand, Multi-Tenant, Self-Service, Automation, Pay-per-use
.
The evolution to software-defined infrastructure
SDI: the application defines the system
• Traditional hardware: one application per system; compute, storage and network are each a separate application on dedicated hardware.
• Abstracting the hardware: a VM manager runs one application per virtual system.
• Abstracting the data center (SDI): applications DEFINE the system, drawing compute, storage and network from a resource pool.
.
SDDC Models
.
VMware NSX
http://www.vmware.com/in/products/nsx
.
VMware
October 22, 2015
.
Cisco ACI
Cloud orchestration (Neutron API) drives a group policy model; standardized policy control reaches the hypervisor switch and the physical network (Nexus 9000, NX-OS) over OpFlex, with APIC managing the Cisco ACI fabric.
• Neutron API for group policy
• Future extensions to Heat / Nova / Horizon
• OpFlex support / extensions
• Policy enforcement modules
• Service redirection
.
OpenStack / SDN
Main services
• Identity (Keystone)
• Compute (Nova)
• Image service (Glance)
• Networking (Neutron)
• Object Storage (Swift)
• Block Storage (Cinder)
• Orchestration (Heat)
• Database Service (Trove)
• Bare Metal (Ironic)
• Data processing (Sahara)
• Message service (Zaqar)
• Key management (Barbican)
• DNS (Designate)
• Shared Filesystems (Manila)
• Containers service (Magnum)
• Application catalog (Murano)
• Governance service (Congress)
• Workflow service (Mistral)
• Key-value store as a Service (MagnetoDB)
Supporting services
• Dashboard (Horizon)
• Telemetry (Ceilometer)
• Common Libraries (Oslo)
• Deployment (TripleO)
• Command-line client (OpenStackClient)
• Benchmark service (Rally)
• Puppet modules (PuppetOpenStack)
Neutron (diagram)
.
NFV
.
ETSI NFV Reference Design
.
Challenges for Network Security
.
Today’s security wasn’t built for tomorrow’s data centers
SDI Requires a New Approach to Security
Static physical or ported virtual appliances on the hypervisor: all flows pass through all functions, bringing complexity and manual labor.
RESULT
• Application deployment slowed.
• Compliance challenges.
• New threat vectors.
• Security controls and policies disconnected.
• Inefficient architecture and performance.
.
East-West Traffic Characteristics
SDI private cloud: KVM hosts with Open vSwitch run the APP and DB workloads; a perimeter firewall sits between the data center and the outside network.
~80% of traffic in the cloud / data center remains within it, so it never reaches the perimeter firewall.
• Workloads migrate
• New workloads spin up and down
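The ~80% figure is easy to check against your own flow records. The following is an added example, not from the deck: it classifies flow records as east-west (both endpoints inside the data center address plan, so the perimeter firewall never sees them) or north-south, and reports the byte share plus the internal VM pairs that get no inspection unless a VSF sits in their path. The address plan, the record format and the log lines are constructed for the example.

```python
"""East-west vs north-south traffic accounting from flow records.

Added example, not from the slides. Everything below (address plan, record
format "<src> <dst> <bytes>", and the log itself) is constructed.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Hypothetical address plan of the private cloud; anything else is "outside".
DATA_CENTER_PREFIXES = [ipaddress.ip_network(p) for p in
                        ("10.0.0.0/8", "172.16.0.0/12")]

# Constructed flow records, one flow per line: "<src> <dst> <bytes>".
FLOW_LOG = """\
10.0.1.10 10.0.2.20 4000000
10.0.2.20 10.0.1.10 3000000
10.0.1.11 10.0.3.30 1000000
10.0.3.30 10.0.1.11 500000
203.0.113.5 10.0.1.10 1200000
10.0.1.10 203.0.113.5 600000
10.0.3.30 198.51.100.7 200000
malformed line that should be skipped
"""


def inside(addr: str) -> bool:
    """True if the address belongs to the data center address plan."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in DATA_CENTER_PREFIXES)


def classify(src: str, dst: str) -> str:
    s, d = inside(src), inside(dst)
    if s and d:
        return "east-west"      # never crosses the perimeter firewall
    if s or d:
        return "north-south"    # crosses the perimeter, gets inspected there
    return "transit"            # neither end is ours; odd on our own fabric


def parse(lines: Iterable[str]) -> List[Tuple[str, str, int]]:
    """Parse records, skipping malformed ones instead of miscounting them."""
    flows = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ipaddress.ip_address(parts[0])
            ipaddress.ip_address(parts[1])
            flows.append((parts[0], parts[1], int(parts[2])))
        except ValueError:
            continue
    return flows


def summarize(log: str) -> Dict[str, Dict]:
    """Bytes, byte share and distinct endpoint pairs per traffic class."""
    bytes_by_class = defaultdict(int)
    pairs_by_class = defaultdict(set)
    for src, dst, n in parse(log.splitlines()):
        cls = classify(src, dst)
        bytes_by_class[cls] += n
        pairs_by_class[cls].add(frozenset((src, dst)))  # direction-agnostic
    total = sum(bytes_by_class.values()) or 1
    return {cls: {"bytes": b, "share": b / total,
                  "pairs": len(pairs_by_class[cls])}
            for cls, b in bytes_by_class.items()}


def uninspected_pairs(log: str) -> List[Tuple[str, str]]:
    """Internal VM pairs whose traffic never reaches the perimeter firewall."""
    seen = set()
    for src, dst, _ in parse(log.splitlines()):
        if classify(src, dst) == "east-west":
            seen.add(tuple(sorted((src, dst))))
    return sorted(seen)
```

Feed it NetFlow or sFlow exports reduced to source, destination and byte count; the pair list is the starting point for deciding which workloads need a security group with a VSF in the path, since nothing else inspects them.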
.
Software Defined Security Requirements
• East / West traffic: security inspection within the perimeter
• Workload migration: widely distributed inspection capability
• New workload protection: inspect new workload traffic immediately
• Varied security requirements: multiple security functions supported
.
Summary of key issues
• Security orchestration
• Efficient inspection
• Multiple SDDCs
.
Security Controller
.
An exercise in abstraction: Virtual Security Controller
Hardware infrastructure is abstracted by software infrastructure (virtualization, orchestration, automation-integration); the Virtual Security Controller abstracts that layer in turn and presents it to security management.
.
Enhanced by Software Defined Security
Software Defined Infrastructure: orchestration and controller software manages a resource pool (compute, network, storage) using infrastructure attributes such as power, performance, location, thermals, utilization and security, and places workloads (Database A, Applications B, C and D) onto it.
Security Controller: manages a pool of “orchestrateable” security services, the Security Function Virtualization resource pool (IPS, NGFW, AV, DLP, security sandbox, SIEM, …), and keeps those security services up to date.
Services delivery is an association of workloads with security services and policies, for example:
• Tenant 1: Database A with Service 1 / Policy 1; Application B with Service 2 / Policy 2; …
• Network 2: Application C with Service 2 / Policy 1; Application D with Service 3 / Policy 4
Security leverages IA (Intel Architecture) benefits across compute, network and storage.
.
Intel® Security Controller
The controller sits between security management (McAfee Network Security Manager, McAfee Security Management Center and the McAfee physical security appliances) and the virtualization orchestration of each data center (Data Center A: NSX and vCenter; Data Center B: Neutron and OpenStack; Data Center N: any network and compute virtualization), and deploys distributed virtual appliances from a Security Functions Catalog.
Security management
• Same manager for physical and virtual appliances
• Abstracts security infrastructure
Security function virtualization & automation (Intel® Security Controller)
• Abstracts virtualization infrastructure
• Injects services based on policy
• Scalable: add data centers
• Extensible: add functions
Virtual security functions
• Abstracts network and compute
• Transparently inserts services
• Automates provisioning, distribution, and delivery
.
Separation of Duties
Infrastructure administrator (virtualization management, SDN controller): deploys and deletes services.
Automated functionality (Intel® Security Controller): injects security services based on policy in the workflow, orchestrates services from the Security Functions Catalog, and manages security groups in the Software-Defined Data Center.
Security administrator (Security Manager): manages security policies, manages security appliances, and handles alerts & analysis.
.
Workflow of Software Defined Security
Each host runs a VMM with a VSF beside it. Security orchestration by the Intel® Security Controller connects the security administrator’s domain (McAfee Network Security Manager, security management) with the infrastructure administrator’s domain (virtualization management, SDN controller).
• Security management pushes bulk, dynamic provisioning and policy updates through the controller to the VSFs.
• VSFs detect and block attacks and send alerts to security management.
• Security management issues a Quarantine VM action (Security Response API); the controller executes the quarantine through the SDN controller / virtualization management.
.
Multi-Tenancy (e.g. MSP)
Tenant DARK’s cloud and Tenant LIGHT’s cloud each have their own NGFW (a VSF) and their own security group, and all of a tenant’s network traffic passes through that tenant’s NGFW. The VSF orchestrator (Intel® Security Controller) sits between VM management (infrastructure administrator) and the security manager (security administrator).
• Tenant perspective: must be fully isolated (air gap)
• Logical perspective: require IPS inspection at the edge
• Practical perspective: must share resources
.
Physical Security vs. Distributed VSF
Physical security: hosts (vSwitch plus VMs) send traffic through a physical security appliance on the way to other network segments.
• Physical security supports fixed throughput (e.g. 10 Gbps)
• Scaling up needs added hardware
• All traffic passes through physical devices
• Static policy
Distributed VSF: each host runs its own VSF next to its vSwitch.
• Each VSF adds x Gbps of throughput
• Aggregate inspection throughput scales by x linearly
• Only selected VMs have traffic inspected
• Policy based on services associated
.
Solution Customer Benefits
• Automated provisioning, distribution and delivery of security inside the data center perimeter
• Separation of duties to enable use of familiar tools
• Policies aligned with specific application workloads
• Dynamic scale-out of network security services
.
VMware Integration
.
NSX Service Insertion
Distributed vSwitch with a distributed port group: an NSX tap/filter sits in front of each VM’s port and hands packets to the VSF. A victim VM, a non-critical VM and an attacker VM share the same port group.
• Sensor maps group-specific policy to packet for enforcement
• Packets are redirected to services prior to the vSwitch
• Transmitted packets resume journey post inspection
• Only designated security group services see packets
.
Security Automation Workflow (VMware)
SDDC: ESX hosts with a vSwitch and VMs, each with a VSA (virtual security appliance) inserted through NetX; vCenter, the NSX Controller, McAfee NSM and a physical NSP sensor.
• REST-API driven (northbound orchestration)
• Provisioning
• Policy mapping
• Response actions
Flow: security management (NSM) issues dynamic provisioning and policy updates; the ISC performs security orchestration against the NSX Controller; when a VSA detects and blocks an attack, the alert reaches security management, which triggers a Quarantine VM action through the Security Response API, and the ISC carries out the quarantine.
.
OpenStack Integration
.
Intel Security Controller in OpenStack Environments
Layers, bottom to top:
• Silicon: IA based bare metal with Intel VT, TXT, CIT, RRC, AES-NI, SGX, …
• Hypervisor: KVM, VMware ESX
• SDN: OpenDaylight, VMware NSX, Cisco APIC, Midokura, other SDN …
• Orchestration: OpenStack (Mirantis, Red Hat) via Neutron
• SFV (security function virtualization): Intel Security Controller managing VSF 1, VSF 2 … VSF n (McAfee IPS/NGFW, 3rd party vendors, …)
• Application
.
OpenStack Architecture
OpenStack private cloud: KVM hosts with Open vSwitch run the WEB, APP and DB workloads behind a north-south firewall. OpenStack components (Glance, Keystone, RabbitMQ, Nova) manage and deploy the workloads; the Intel® Security Controller, with the McAfee Security Appliance Manager, programs redirection through an open API to the SDN controller or Neutron.
.
ISC driven traffic redirection
Desire: all Blue VM traffic is to be inspected with the IPS policy for Blue.
• Security VM manager (McAfee Network Security Manager): create the Blue IPS policy
• ISC: the user creates a security group for the Blue VMs
• ISC: the user assigns the Blue IPS policy to the Blue group
• ISC: leverages the SDN controller (or Neutron) to program the forwarding table of the SDN agent on each KVM host so that traffic is redirected to the security VM (VSF); Blue VM packets are tagged with the proper policy ID
Outcome: all traffic to/from a Blue VM is first inspected by the security VM with the Blue policy.
Components: OpenStack components, SDN controller or Neutron, SDN agent on KVM, VSF, Intel® Security Controller, McAfee Network Security Manager.
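The redirection on this slide, the NSX service-insertion behaviour (group-specific policy mapped onto the packet, redirection ahead of the vSwitch, only the designated group’s service sees the packet) and the Quarantine VM response on the workflow slides can be modelled end to end. The following is an added example, not Intel Security Controller, NSX or Neutron code: a controller object holds VM placement, security groups and policy assignments, compiles them into per-host rules tagged with the policy ID, and traces a packet through the host-local VSFs. Migration, a new workload and quarantine are all the same recompilation. Every class name, host, VM and policy ID is hypothetical.

```python
"""Security-group-driven redirection and quarantine, modelled in Python.

Added example, not Intel Security Controller, NSX or Neutron code. Hosts,
VMs, group names and policy IDs are all hypothetical.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

INSPECT, DROP = "inspect", "drop"          # policy actions
REDIRECT, FORWARD = "redirect", "forward"  # rule actions (DROP is shared)


@dataclass(frozen=True)
class Policy:
    policy_id: int  # carried as a tag on packets redirected to the VSF
    name: str
    action: str = INSPECT


@dataclass(frozen=True)
class Rule:
    host: str
    vm: str
    direction: str  # "out" = VM egress, "in" = VM ingress
    action: str     # REDIRECT to the VSF, FORWARD untouched, or DROP
    policy_id: Optional[int] = None


QUARANTINE = Policy(999, "quarantine", DROP)  # hypothetical drop-all policy


@dataclass
class SecurityController:
    """Controller view: placement, group membership, policy per group.
    Every host is assumed to run its own VSF (distributed inspection)."""
    placement: Dict[str, str] = field(default_factory=dict)    # vm -> host
    groups: Dict[str, Set[str]] = field(default_factory=dict)  # group -> vms
    assignments: Dict[str, Policy] = field(default_factory=dict)

    def create_group(self, name: str, members) -> None:
        self.groups[name] = set(members)

    def assign_policy(self, group: str, policy: Policy) -> None:
        self.assignments[group] = policy

    def migrate(self, vm: str, new_host: str) -> None:
        self.placement[vm] = new_host  # rules follow the VM on next compile

    def quarantine(self, vm: str) -> None:
        """Security Response API action: put the VM in a drop-all group."""
        self.groups.setdefault("quarantine", set()).add(vm)
        self.assignments["quarantine"] = QUARANTINE

    def effective_policy(self, vm: str) -> Optional[Policy]:
        # A VM can sit in several groups: DROP always wins, otherwise the
        # lowest policy_id keeps the outcome deterministic.
        found = [self.assignments[g] for g, vms in self.groups.items()
                 if vm in vms and g in self.assignments]
        if not found:
            return None
        drops = [p for p in found if p.action == DROP]
        return drops[0] if drops else min(found, key=lambda p: p.policy_id)

    def compile_rules(self) -> Dict[str, List[Rule]]:
        """Forwarding-table entries handed to the SDN agent on each host."""
        tables: Dict[str, List[Rule]] = {h: [] for h in self.placement.values()}
        for vm, host in self.placement.items():
            policy = self.effective_policy(vm)
            for direction in ("out", "in"):
                if policy is None:
                    tables[host].append(Rule(host, vm, direction, FORWARD))
                elif policy.action == DROP:
                    tables[host].append(Rule(host, vm, direction, DROP))
                else:
                    tables[host].append(
                        Rule(host, vm, direction, REDIRECT, policy.policy_id))
        return tables


def lookup(tables, host, vm, direction) -> Rule:
    return next(r for r in tables[host] if r.vm == vm and r.direction == direction)


def packet_path(ctrl: SecurityController, src_vm: str, dst_vm: str) -> List[str]:
    """Trace one packet. The tap sits between vNIC and vSwitch, so egress is
    inspected before the source vSwitch and ingress just before delivery."""
    tables = ctrl.compile_rules()
    src_host, dst_host = ctrl.placement[src_vm], ctrl.placement[dst_vm]
    out = lookup(tables, src_host, src_vm, "out")
    if out.action == DROP:
        return [f"{src_host}:drop({src_vm})"]
    path = [f"{src_host}:vsf(policy={out.policy_id})"] if out.action == REDIRECT else []
    path.append(f"{src_host}:vswitch")
    if dst_host != src_host:
        path += ["fabric", f"{dst_host}:vswitch"]
    inn = lookup(tables, dst_host, dst_vm, "in")
    if inn.action == DROP:
        return path + [f"{dst_host}:drop({dst_vm})"]
    if inn.action == REDIRECT:
        path.append(f"{dst_host}:vsf(policy={inn.policy_id})")
    return path + [f"{dst_vm}:delivered"]


def demo() -> SecurityController:
    """Constructed scenario: two KVM hosts, a Blue tier and one unrelated VM."""
    ctrl = SecurityController(placement={"blue-db": "kvm1", "blue-app": "kvm2",
                                         "grey-vm": "kvm2"})
    ctrl.create_group("blue", {"blue-db", "blue-app"})
    ctrl.assign_policy("blue", Policy(1, "blue-ips"))
    return ctrl
```

Run `packet_path(demo(), "grey-vm", "blue-db")` and the packet leaves the unprotected VM uninspected, crosses the fabric and is steered through the VSF on kvm1 with policy 1 before delivery; after `migrate("blue-db", "kvm2")` the same call shows the inspection point moved with the VM, and after `quarantine("grey-vm")` it shows the packet dropped at the source host. A real controller pushes the compiled rules as OpenFlow entries or NSX filter configuration; the point of the model is that every rule is derived from group membership, so a policy change, a migration or a quarantine never needs per-host hand edits.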
.
Security Functions: NGFW, NGIPS, DLP, SWG, …
.
Network Security Portfolio
SIEM, Endpoint, NGFW, NTBA, High Assurance Firewall, Identity, Advanced Threat Defense, Email, Web, DLP, NG IPS, GTI / TIE
.
How Customers Benefit from the Intel Security SDDC Portfolio
• Data center protection that scales and provides internal protection
• Just-in-time provisioning of security services
• Automated security policy deployment reduces complexity in large scale operations
.
ISC Security Implementation for VMware NSX
Components: ESX hosts with a vSwitch, VMs, an NSX Agent and a VSF each; VMware vCenter; VMware NSX Manager; Intel® Security Controller; McAfee NSM, SMC, and more.
Server
• IA based server running ESX
VMware
• Install vCenter Server
• Install NSX Manager
VMware setup
• Create virtual switching infrastructure
• Run NSX Host Prep on servers
Intel Security
• Import ISC VM
• Set up McAfee NSM VM
.
ISC Security Implementation for VMware NSX (continued)
Goal: inspect all traffic to/from the Blue group with the DB security policy. Each host carries an NSX Agent and a VSF.
ISC
• Connect ISC to the managers and to VMware NSX
• Create distributed security appliances
NSX
• Install security services on the desired clusters
• Create security groups
• Create security policy
• Apply policy to security groups
NSM
• Push updated signature files to the DA (distributed appliance) instances
.
Workflow for Software Defined Security
Connect
• Connect ISC to virtual infrastructure management
• Connect ISC to security appliance management
Deploy
• Create logical security appliance
• Deploy security VMs to hosts
• Authenticate security VM with manager
Configure
• Designate workload VM grouping
• Tailor workload specific security policies
• Apply security policy to groups as desired
Analyze
• VM network traffic is inspected as designated
• Suspected malicious traffic alerted and/or blocked
• Possible quarantine action or remediation taken