Securing network traffic in Private Clouds
Ratinder Paul Singh Ahuja, Ph.D., CTO Network, Cloud & Content Security
39 slides

Posted on 14-Jun-2020


TRANSCRIPT

Page 1: Securing network traffic in Private Clouds

Ratinder Paul Singh Ahuja, Ph.D., CTO Network, Cloud & Content Security

Page 2: Agenda

• SDDC Models
• Key Problems
• Approaches

Page 3: Elastic, On-demand, Multi-Tenant, Self-Service, Automation, Pay-Per-use

Page 4: The evolution to software-defined infrastructure

SDI: the application defines the system

• Traditional hardware: one application per system (a compute application, a storage application, a network application).
• Abstracting the hardware: a VM Manager runs one application per virtual system.
• Abstracting the data center: applications draw on a resource pool of storage, network and compute, and the applications DEFINE the system.

Page 5: SDDC Models

Page 6: VMware NSX

http://www.vmware.com/in/products/nsx

Page 7: VMware (slide dated October 22, 2015)

Page 8: Cisco ACI

Diagram labels: Network Cloud Orchestration, Group Policy Model, Standardized Policy Control, Hypervisor Switch, Physical Network; APIC, Cisco ACI Fabric, Nexus 9000 (NX-OS), OpFlex.

• Neutron API for group policy
• Future extensions to Heat / Nova / Horizon
• OpFlex support / extensions
• Policy enforcement modules
• Service redirection

Page 9: OpenStack / SDN

Main services
• Identity (Keystone)
• Compute (Nova)
• Image service (Glance)
• Networking (Neutron)
• Object Storage (Swift)
• Block Storage (Cinder)
• Orchestration (Heat)
• Database Service (Trove)
• Bare Metal (Ironic)
• Data processing (Sahara)
• Message service (Zaqar)
• Key management (Barbican)
• DNS (Designate)
• Shared Filesystems (Manila)
• Containers service (Magnum)
• Application catalog (Murano)
• Governance service (Congress)
• Workflow service (Mistral)
• Key-value store as a Service (MagnetoDB)

Supporting services
• Dashboard (Horizon)
• Telemetry (Ceilometer)
• Common Libraries (Oslo)
• Deployment (TripleO)
• Command-line client (OpenStackClient)
• Benchmark service (Rally)
• Puppet modules (PuppetOpenStack)

Neutron

Page 10: NFV

Page 11: ETSI NFV Reference Design

Page 12: Challenges for Network Security

Page 13: Today's security wasn't built for tomorrow's data centers

SDI requires a new approach to security.

Diagram: static physical (or ported virtual) security appliances sit outside a hypervisor full of VMs; all flows pass through all functions; complexity and manual labor; "Attack!".

RESULT
• Application deployment slowed.
• Compliance challenges.
• New threat vectors.
• Security controls and policies disconnected.
• Inefficient architecture and performance.

Page 14: East-West Traffic Characteristics

Diagram: an SDI private cloud of KVM hosts running Open vSwitch, with APP and DB workloads, behind a perimeter firewall on the network.

• ~80% of traffic in the cloud / data center remains within it
• Workloads migrate
• New workloads spin up and down

Page 15: Software Defined Security Requirements

• East / West traffic: security inspection within the perimeter
• Workload migration: widely distributed inspection capability
• New workload protection: inspect new workload traffic immediately
• Varied security requirements: multiple security functions supported

Page 16: Summary of key issues (October 22, 2015)

• Security Orchestration
• Efficient Inspection
• Multiple SDDCs

Page 17: Security Controller

Page 18: An exercise in abstraction: Virtual Security Controller

Layers: Hardware Infrastructure; Software Infrastructure; Automation-Integration; Virtualization; Orchestration; Virtual Security Controller; Security Management.

Page 19: Software Defined Infrastructure enhanced by Software Defined Security

• The Security Controller manages a pool of "orchestrateable" security services (IPS, NGFW, AV, DLP, security sandbox, SIEM, ...): a Security Function Virtualization resource pool.
• Orchestration and controller software tracks infrastructure attributes (power, performance, location, thermals, utilization, security) across the compute, network and storage resource pool for workloads such as Database A, Application B, Application C and Application D.
• Services delivery: association of workloads with security services, e.g. Database A and Application B (Tenant 1) with Service 1 / Policy 1 and Service 2 / Policy 2; Application C and Application D (Network 2) with Service 2 / Policy 1 and Service 3 / Policy 4.
• Security services kept up-to-date.
• Security leverages IA benefits.

Page 20: Intel® Security Controller

Diagram: Security Management (McAfee Network Security Manager, McAfee Security Management Center, McAfee physical security appliances) and a Security Functions Catalog feed the Intel® Security Controller (Security Function Virtualization & Automation), which drives Virtualization Orchestration in Data Center A (NSX, vCenter), Data Center B (Neutron, OpenStack) ... Data Center N (network virt., compute virt.) and deploys distributed virtual appliances / virtual security functions.

Security Management
• Same manager for physical and virtual appliances
• Abstracts security infrastructure

Intel® Security Controller
• Abstracts virtualization infrastructure
• Injects services based on policy
• Scalable: add data centers
• Extensible: add functions

Virtualization Orchestration
• Abstracts network and compute
• Transparently inserts services
• Automates provisioning, distribution, and delivery

Page 21: Separation of Duties

Infrastructure administrator (Virtualization Management, SDN Controller, Software-Defined Data Center)
• Deploys and deletes services
• Orchestrates services
• Manages security groups

Security administrator (Security Manager, Security Functions Catalog)
• Manages security policies
• Manages security appliances
• Alerts & analysis

Automated functionality (Intel® Security Controller)
• Injects security services based on policy in workflow

Page 22: Workflow of Software Defined Security

Diagram: the security administrator works in security management (McAfee Network Security Manager); the infrastructure administrator works in virtualization management and the SDN controller; the Intel® Security Controller sits between them for security orchestration, and each VMM host runs a VSF.

• Bulk, dynamic provisioning and policy updates
• Attacks detected & blocked; alerts raised
• Quarantine VM (Security Response API): quarantine action

Page 23: Multi-Tenancy (e.g. MSP)

Diagram: Tenant DARK's cloud and Tenant LIGHT's cloud, each behind its own NGFW and in its own security group (Tenant DARK's Security Group, Tenant LIGHT's Security Group), with all network traffic passing the VSFs; the orchestrator, VM management, Security Manager and Intel® Security Controller are shared and operated by the security administrator and the infrastructure administrator.

• Tenant perspective: must be fully isolated (air gap)
• Logical perspective: require IPS inspection at edge
• Practical perspective: must share resources

Page 24: Physical Security vs. Distributed VSF

Diagram: on the physical-security side, the vSwitches and VMs of every host send traffic through one physical security device before reaching other network segments; on the distributed side, each host pairs its vSwitch with a local VSF.

Distributed VSF
• Each VSF adds x Gbps of throughput
• Aggregate inspection throughput scales by x linearly
• Only selected VMs have traffic inspected
• Policy based on services associated

Physical Security
• Physical security supports fixed throughput (e.g. 10 Gbps)
• Scaling up needs added hardware
• All traffic passes through physical devices
• Static policy

Page 25: Solution Customer Benefits

• Automated provisioning, distribution and delivery of security inside the data center perimeter
• Separation of duties to enable use of familiar tools
• Policies aligned with specific application workloads
• Dynamic scale-out of network security services

Page 26: VMware Integration

Page 27: NSX Service Insertion

Diagram: a distributed vSwitch with a distributed port group; an NSX tap/filter on each host feeds the VSF. VM labels: Victim VM, Non-critical VM, Attacker VM.

• Sensor maps group-specific policy to packet for enforcement
• Packets are redirected to services prior to the vSwitch
• Transmitted packets resume journey post inspection
• Only designated security group services see packets

Page 28: Security Automation Workflow (VMware)

Diagram: SDDC hosts with vSwitches and VMs; vCenter; NSM with a physical NSP; NetX-attached VSAs; NSX Controller; ISC.

• REST-API driven (NB orchestration)
• Provisioning
• Policy mapping
• Response actions

Flow: dynamic provisioning and policy updates (security orchestration); security management; Attack!; attack detected and BLOCKED; Quarantine VM; quarantine action (Security Response API) via ISC.

Page 29: OpenStack Integration

Page 30: Intel Security Controller in OpenStack Environments

Stack, top to bottom:
• Application: VSF 1, VSF 2, ... VSF n (McAfee IPS/NGFW, 3rd-party vendors, ...)
• SFV: Intel Security Controller
• Orchestration: OpenStack (Mirantis, RedHat), VMware
• SDN: OpenDaylight, VMware NSX, Neutron, Cisco APIC, Midokura, other SDN ...
• Hypervisor: KVM, VMware ESX
• Silicon: IA-based bare metal (Intel VT, TXT, CIT, RRC, AES-NI, SGX, ...)

Page 31: OpenStack Architecture

Diagram: an OpenStack private cloud with WEB, APP and DB workloads on KVM hosts running Open vSwitch, behind a north-south firewall on the network. OpenStack components (Glance, Keystone, RabbitMQ, Nova) and an SDN controller or Neutron expose an open API, which the Intel® Security Controller and the McAfee Security Appliance Manager use to manage, deploy and redirect.

Page 32: ISC driven traffic redirection (forwarding table)

Desire: all Blue VM traffic to be inspected by the IPS policy for Blue.

• Security VM Manager: create Blue IPS policy
• ISC: user creates a security group for Blue VMs
• ISC: user assigns Blue IPS policy to Blue group
• ISC: leverages the SDN controller to redirect traffic to the Security VM; Blue VM packets are tagged with the proper policy ID

Outcome: all traffic to/from a Blue VM is first inspected by the Security VM with the Blue policy.

Components: Intel® Security Controller; OpenStack components; SDN controller or Neutron; SDN agent on the KVM host; VSF; McAfee Network Security Manager (security standard).
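As an added illustration (not code from the slides or from the Intel Security Controller), a Python model of the procedure above: a security group, a policy assigned to it, a forwarding table programmed from both, and a switch-side step that tags and redirects only group traffic to the VSF while everything else passes uninspected. Group names, policy IDs, VM names and the TEST-SIGNATURE token are all constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    src: str
    dst: str
    payload: str
    policy_id: Optional[str] = None  # tag set when the packet is redirected

class SecurityController:
    # Hypothetical stand-in for the ISC: security groups + policies -> forwarding table.
    def __init__(self) -> None:
        self.groups: dict[str, set[str]] = {}    # group -> member VMs
        self.policies: dict[str, str] = {}       # group -> policy ID
        self.forwarding: dict[str, str] = {}     # VM -> policy ID (redirect rule)
    def create_group(self, group: str, members: list[str]) -> None:
        self.groups[group] = set(members)
        self._program()

    def assign_policy(self, group: str, policy_id: str) -> None:
        self.policies[group] = policy_id
        self._program()

    def add_member(self, group: str, vm: str) -> None:
        self.groups[group].add(vm)   # a new workload is covered once the table is reprogrammed
        self._program()

    def _program(self) -> None:
        # Only groups that have a policy assigned get redirect rules.
        self.forwarding = {vm: self.policies[g] for g, vms in self.groups.items()
                           if g in self.policies for vm in vms}

class VSF:
    # Hypothetical virtual security function: per-policy signature matching.
    def __init__(self, signatures: dict[str, set[str]]) -> None:
        self.signatures, self.alerts = signatures, []

    def inspect(self, pkt: Packet) -> str:
        if any(s in pkt.payload for s in self.signatures.get(pkt.policy_id, ())):
            self.alerts.append((pkt.policy_id, pkt.src, pkt.dst))
            return "block"
        return "allow"

def forward(isc: SecurityController, vsf: VSF, pkt: Packet) -> tuple[str, Optional[str]]:
    # vSwitch/SDN agent step: redirect only traffic to/from a VM that has a redirect rule.
    policy = isc.forwarding.get(pkt.src) or isc.forwarding.get(pkt.dst)
    if policy is None:
        return ("deliver", None)       # not a designated VM: the VSF never sees it
    pkt.policy_id = policy             # tag with the policy ID, then hand to the VSF
    return ("deliver" if vsf.inspect(pkt) == "allow" else "drop", policy)

def demo() -> dict:
    isc, vsf = SecurityController(), VSF({"blue-ips": {"TEST-SIGNATURE"}})  # constructed token
    isc.create_group("blue", ["db-1"])
    isc.assign_policy("blue", "blue-ips")
    verdicts = [forward(isc, vsf, Packet("web-1", "db-1", "SELECT 1")),
                forward(isc, vsf, Packet("web-1", "db-1", "TEST-SIGNATURE")),
                forward(isc, vsf, Packet("web-1", "web-2", "GET /"))]
    isc.add_member("blue", "db-2")     # new Blue workload spins up
    verdicts.append(forward(isc, vsf, Packet("db-2", "web-1", "OK")))
    return {"verdicts": verdicts, "alerts": vsf.alerts}
```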

Page 33: Security Functions: NGFW, NGIPS, DLP, SWG, ...

Page 34: Network Security Portfolio

SIEM, Endpoint, NGFW, NTBA, High Assurance Firewall, Identity, Advanced Threat Defense, Email, Web, DLP, NG IPS, GTI / TIE

Page 35: How Customers Benefit from the Intel Security SDDC Portfolio

• Data center protection that scales and provides internal protection
• Just-in-time provisioning of security services
• Automated security policy deployment reduces complexity in large scale operations

Page 36: http://www.intelsecurity.com/sdi

Page 37: ISC Security Implementation for VMware NSX

Diagram: ESX hosts with vSwitches and VMs, each host carrying an NSX Agent and a VSF; VMware vCenter; VMware NSX Manager; Intel® Security Controller; McAfee NSM, SMC, and more.

Server
• IA-based server running ESX

VMware
• Install vCenter Server
• Install NSX Manager

VMware setup
• Create virtual switching infrastructure
• Run NSX Host Prep on servers

Intel Security
• Import ISC VM
• Set up McAfee NSM VM

Page 38: ISC Security Implementation for VMware NSX (continued)

Goal: inspect all traffic to/from the blue group with the DB security policy.

ISC
• Connect ISC to Managers and VMware NSX
• Create distributed security appliances

NSX
• Install security services on desired clusters
• Create security groups
• Create security policy
• Apply policy to security groups

NSM
• Push updated signature files to DA instances

Page 39: Workflow for Software Defined Security

Connect
• Connect ISC to virtual infrastructure management
• Connect ISC to security appliance management

Deploy
• Create logical security appliance
• Deploy security VMs to hosts
• Authenticate security VM with manager

Configure
• Designate workload VM grouping
• Tailor workload-specific security policies
• Apply security policy to groups as desired

Analyze
• VM network traffic is inspected as designated
• Suspected malicious traffic alerted and/or blocked
• Possible quarantine action or remediation taken