security-and-software-defined-networks (2).pdf

Upload: bui-thanh

Post on 04-Jun-2018


  • 8/13/2019 Security-and-Software-Defined-Networks (2).pdf

    1/31

Slide 1: Unravel the Enigma of Insecurity

    Security and Software-Defined Networks


Slide 3: Executive Summary

Mobility and virtualization are accelerating the transition to cloud computing.

Data center components will have to be software-defined to meet requirements for capacity, resilience, and security.

Software-defined security is the most effective way to protect the cloud data center.


Slide 4: Main Components of an OpenFlow Switch

[Figure: an OpenFlow device (HW or SW) talks to the controller over the OpenFlow protocol through a secure channel. Inside the device, the packet pipeline carries inbound traffic through a chain of flow tables (FlowTable -> FlowTable -> FlowTable) and a group table to the outbound side. A management and orchestration layer is shown as a separate box.]


Slide 5: Software-defined Networking (SDN)

[Figure: the management and orchestration layer (controller) is decoupled from the data layers (devices), which may be hardware or software. Each data layer holds hardware entities and software entities.]


Slide 6: Automation APIs

Northbound (controller -> user): ORCHESTRATION
- Administration UI
- Horizontal integration with other element managers
- Defines network parameters and membership
- Provides higher-level object management

Southbound (controller -> device): SCALING
- Packet forwarding
- Programmable per flow
- Maps policies to entities
- Implements logical policies
- Enumerates groups into constituents


Slide 7: Value

Not SDN (often proprietary):
    set vtp domain cisco mode server
    set vlan 2 name cisco_vlan_2
    set vlan 2 3/1-12
- Device-based
- Special purpose hardware
- Unique to vendor

SDN (open system):
    Hr_sharepoint allow hr_users
    Pepsi deny Coke
    US_agency deny China except public_web_tier
- Server-based
- General purpose CPU
- Multi-vendor
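The southbound bullets on slide 6 ("maps policies to entities", "implements logical policies", "enumerates groups into constituents") and the three group-level policy lines on slide 7 describe one mechanism: the controller expands named groups into their members and emits per-flow rules, and only at the device edge are entity names bound to addresses. The following is an added example written for this transcript, not code from the deck or its author. The policy grammar (`<target> <allow|deny> <subject> [except <group>]`), the group memberships, the address table and the "deny beats allow, default deny" decision rule are all assumptions made for illustration.

```python
"""Compile group-level SDN security policies into per-entity flow rules.

Added example for this transcript, not the deck's own code. The grammar,
group memberships and addresses are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed inventory: what slide 14 says the controller must know
# (users, assets and their group membership). No vendor, location or
# IP address appears here; addresses are bound only at the southbound edge.
GROUPS: Dict[str, Set[str]] = {
    "hr_users": {"alice", "bob"},
    "Hr_sharepoint": {"sp-web-1", "sp-web-2"},
    "Pepsi": {"pepsi-app", "pepsi-db"},
    "Coke": {"coke-app"},
    "US_agency": {"agency-core", "agency-www"},
    "China": {"cn-office-1", "cn-office-2"},
    "public_web_tier": {"agency-www"},
}

# The three policy lines from slide 7, verbatim.
POLICY_TEXT = """
Hr_sharepoint allow hr_users
Pepsi deny Coke
US_agency deny China except public_web_tier
"""

# Constructed current addresses of each entity (the thing that changes
# when a workload moves; the policy above never mentions it).
ADDRESSES: Dict[str, str] = {
    "alice": "10.10.0.11", "bob": "10.10.0.12",
    "sp-web-1": "10.20.0.1", "sp-web-2": "10.20.0.2",
    "pepsi-app": "10.30.0.1", "pepsi-db": "10.30.0.2",
    "coke-app": "10.40.0.1",
    "agency-core": "10.50.0.1", "agency-www": "10.50.0.2",
    "cn-office-1": "10.60.0.1", "cn-office-2": "10.60.0.2",
}


@dataclass(frozen=True)
class Policy:
    target: str               # protected group (first token on the slide)
    action: str               # "allow" or "deny"
    subject: str              # group the action is applied to
    exception: Optional[str]  # members of this group are exempt on either side


@dataclass(frozen=True)
class FlowRule:
    src: str
    dst: str
    action: str


def parse_policy(line: str, groups: Dict[str, Set[str]] = GROUPS) -> Policy:
    """Assumed grammar: '<target> <allow|deny> <subject> [except <group>]'.
    Unknown groups and malformed lines are rejected rather than guessed at."""
    tokens = line.split()
    if len(tokens) not in (3, 5) or tokens[1] not in ("allow", "deny"):
        raise ValueError(f"malformed policy: {line!r}")
    exception = None
    if len(tokens) == 5:
        if tokens[3] != "except":
            raise ValueError(f"malformed policy: {line!r}")
        exception = tokens[4]
    for group in (tokens[0], tokens[2], exception):
        if group is not None and group not in groups:
            raise ValueError(f"unknown group {group!r} in {line!r}")
    return Policy(tokens[0], tokens[1], tokens[2], exception)


def compile_policies(text: str, groups: Dict[str, Set[str]] = GROUPS) -> List[FlowRule]:
    """Enumerate each group into its constituents and emit one rule per
    (subject member, target member) pair; members of the 'except' group
    are skipped on either side of the flow."""
    rules: List[FlowRule] = []
    for line in text.strip().splitlines():
        p = parse_policy(line, groups)
        exempt = groups[p.exception] if p.exception else set()
        for src in sorted(groups[p.subject]):
            for dst in sorted(groups[p.target]):
                if src in exempt or dst in exempt:
                    continue
                rules.append(FlowRule(src, dst, p.action))
    return rules


def decide(rules: List[FlowRule], src: str, dst: str) -> str:
    """Explicit deny beats explicit allow; an unmatched flow is denied."""
    actions = {r.action for r in rules if r.src == src and r.dst == dst}
    if "deny" in actions:
        return "deny"
    return "allow" if "allow" in actions else "deny"


def render_southbound(rules: List[FlowRule], addresses: Dict[str, str]) -> List[str]:
    """Bind entity names to their current addresses only when pushing rules
    to a device; the compiled policy itself stays address-free."""
    return [f"src={addresses[r.src]} dst={addresses[r.dst]} action={r.action}"
            for r in rules]


if __name__ == "__main__":
    rules = compile_policies(POLICY_TEXT)
    for line in render_southbound(rules, ADDRESSES):
        print(line)
    # A workload moves: only the address table changes, the rules do not.
    moved = dict(ADDRESSES, **{"pepsi-db": "10.30.0.77"})
    print(render_southbound(rules, moved)[5])
```

Two things are worth noticing when running it. The `except` clause never produces a rule for `agency-www`, so the only way that host becomes reachable from the `China` group is a separate explicit allow; with the default-deny decision rule, an exception narrows a deny rather than granting access by itself. And re-rendering after the `pepsi-db` move changes the southbound output without touching the compiled rule list, which is the "don't need to know the IP address" point of slide 14.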


Slide 8: Data Center Implications of SDN

- Supports rapid scaling
- Improved automation
- Service capacity shifts automatically where needed
- Better user experience
- Commoditization of networking

[Image credit: thinkgeek]


Slide 9: Security: It's Your Choice

Fail  /  Evolve


Slide 10: Securing Software-defined Networking

[Figure: the management and orchestration layer above the data layers (hardware entities and software entities), annotated with three controls:]
- Logical isolation with policy-driven automation
- Audit, manage, and control privileged activities
- Enforce secure configuration and auditing


Slide 11: Infrastructure is Evolving

- Software driving cloud innovation
- Use of more than one platform or cloud is practically inevitable
- Mobile (e.g., smartphones and tablets) adoption increasing exponentially
- Security technology must evolve


Slide 13: Software-defined Security (SDS)

[Figure: the management and orchestration layer (controller) decoupled from the data layers (devices, hardware or software), each data layer holding hardware entities and software entities.]


Slide 14: Implications

Need to Know:
- Users
- Software
- Assets
- Connections
- Policies

Don't Need to Know:
- Vendor
- IP address
- Location
- Virtual, physical, mobile
- Wire speed


Slide 15: Risk Analysis

Exposure Increased (small increase in risk):
- Automation failure
- API failure
- Control failure
- Software failure
- Human failure

Exposure Decreased (large decrease in risk):
- Hardware failure
- Capacity failure
- Availability failure
- Security failure
- Human failure


Slide 16: Top-5 Controls

1. Inventory of SDN elements (e.g., controllers, devices, privileged users)
2. Isolation and access control for Northbound and Southbound APIs (e.g., orchestration, administration, and configuration)
3. Auditing and change management
4. Secure configuration management
5. Continuous vulnerability management and remediation
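Controls 1 and 3 above (inventory of SDN elements, auditing and change management) come down to one recurring check in practice: does what a device actually enforces still match what the controller intended, and does every installed rule refer to an entity the inventory knows about? The following is an added example written for this transcript, not code from the deck or its author. The `key=value` flow-dump format, the intended rule set, the inventory and the dump lines are all constructed for illustration; a real deployment would read the dump from the device's management interface.

```python
"""Audit a device's installed flow table against the controller's intent.

Added example for this transcript, not the deck's own code. The dump
format and every sample line below are constructed.
"""
from typing import Dict, List, Set, Tuple

Rule = Tuple[str, str, str]  # (src, dst, action)

# Authoritative rule set as the controller intends it (constructed).
INTENDED: Set[Rule] = {
    ("10.10.0.11", "10.20.0.1", "allow"),
    ("10.40.0.1", "10.30.0.2", "deny"),
    ("10.60.0.1", "10.50.0.1", "deny"),
}

# Addresses of entities the controller has in its inventory (constructed).
INVENTORY: Set[str] = {
    "10.10.0.11", "10.20.0.1", "10.40.0.1", "10.30.0.2",
    "10.60.0.1", "10.50.0.1",
}

# Constructed flow-table dump in an assumed 'key=value' line format.
# Line 2 flips an intended deny to allow; line 4 names an address the
# inventory has never seen.
DEVICE_DUMP = """\
src=10.10.0.11 dst=10.20.0.1 action=allow
src=10.40.0.1 dst=10.30.0.2 action=allow
src=10.60.0.1 dst=10.50.0.1 action=deny
src=192.0.2.9 dst=10.30.0.2 action=allow
"""


def parse_dump(text: str) -> Set[Rule]:
    """Parse the assumed dump format into (src, dst, action) tuples."""
    rules: Set[Rule] = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        kv = dict(token.split("=", 1) for token in line.split())
        rules.add((kv["src"], kv["dst"], kv["action"]))
    return rules


def audit(intended: Set[Rule], installed: Set[Rule],
          inventory: Set[str]) -> Dict[str, List[Rule]]:
    """Three findings a change-management audit wants to see:
    intended rules the device is not enforcing, rules on the device that
    the controller never issued, and rules naming unknown entities."""
    return {
        "missing": sorted(intended - installed),
        "unexpected": sorted(installed - intended),
        "unknown_entity": sorted(
            r for r in installed
            if r[0] not in inventory or r[1] not in inventory
        ),
    }


if __name__ == "__main__":
    report = audit(INTENDED, parse_dump(DEVICE_DUMP), INVENTORY)
    for finding, rules in report.items():
        for rule in rules:
            print(f"{finding}: src={rule[0]} dst={rule[1]} action={rule[2]}")
```

A flipped action shows up twice, once as a missing deny and once as an unexpected allow, which is the signature of a change made outside the controller; the unknown-entity finding is the inventory control catching a rule that the policy layer could never have generated, whatever its action.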


Slide 17: SDS Systems are Evolving


Slide 18: Software-defined Security Examples

Firewall: Virtual firewalls are not a "bump in the wire"; they are a module inserted into the stream-path of a vNIC.

NAC: Network access control is not enforced within the access layer; it is enforced in the management layer.

Configuration: Instead of requiring an agent or network scan, secure configurations may be checked out of band, even when the asset is powered off.


Slide 19: Advantages of Security Virtualization

- Perfect inventory
- Everywhere it is needed
- Lower cost
- More automated
- Simpler
- Faster evolution

[Image caption: Cylon Hybrid: The central control for a Cylon Basestar]


Slide 20: IT Business Process Re-engineering

The organization and process must adapt to increased automation and orchestration. Cross-functional teams of subject matter experts will best enable IT to rapidly deliver secure and elastic services on-demand. Leading IT teams are already shifting from DevOps to DevSecOps.


Slide 21: RACI for Software-Defined Security

Responsible: Firewall or Network Security personnel
- Define policies
- Implement automation

Accountable: CIO or CISO
- Approve policies
- Review metrics (e.g., compliance and performance)

Consulted: Infrastructure and Application Architects
- Provide requirements
- Validate implementation

Informed: IT Audit personnel
- Audit automation behavior
- Audit policy compliance


Slide 22: In closing

Security virtualization will drastically improve the protection of sensitive data while at the same time simplifying the application of these protective capabilities.

The most effective use of security virtualization will require changes to IT staffing, processes, and procedures.

Security virtualization is disruptive to the way security "has always been doing it."


Slide 23: Thank you

Michael Berman
Email: xtanjx at gee mail dot com
LinkedIn: mberman
Twitter: @_mberman
Blog: Grok Security

    Security and Software-Defined Networks

  • 8/13/2019 Security-and-Software-Defined-Networks (2).pdf

    24/31

Slide 24: Supplemental Material

[Image credit: 2009-2012 Mitchell Lazear]


Slide 25: Decoupled from Hardware

- Simplifies data center resiliency and failover
- Reduces upgrade costs
- Enables "designed-in" security across the data center fabric
- Scaling enhanced due to elimination of architectural constraints
- Hardware refresh cycle and technology advance are accelerated due to a shortened engineering cycle
- CPU resource pool remains uniform


Slide 26: Reproduce Network Security Model

- Defense in depth
- Segmentation of data
- Access control
- Separation of duties

1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
(source: SANS)


Slide 27: Operational Model of Compute Virtualization

- Enable scaling, elasticity, mobility, and seamless disaster recovery
- Conversion of security tools into software objects and the creation of new tools and capabilities for deployment, automation, and recovery of security capabilities
- Auto-deployment, automation, and orchestration of security tools
- The cloud compute model impacts the culture of security within IT, requiring the transition of security professionals into new operational roles that are more flexible and more broadly defined.


Slide 29: Logical isolation, audit, and security

Logical isolation, rather than some form of physical segmentation, enables diverse workloads of differing sensitivity to run anywhere.

Mixed workloads will then run most efficiently when allowed to be run within common resource pools for CPU, memory, storage, and networking.

Security virtualization must also audit and protect the management objects, tools, and APIs that are utilized to provision, modify, or delete workloads, objects, and resources.

Logical isolation enables multi-compartment zoning of workloads with the requisite capabilities for cross-domain security in both private and public clouds.

Policies are not required to identify layer 3 or 4 attributes. Security virtualization enforces policies within each specific trust zone, even when this zone spans multiple data centers.


Slide 30: Cloud performance and scale

Large-scale compute clouds are composed of thousands to millions of entities.

Security virtualization must enable resilient and protected operations at this scale.

This requires new security management architectures, analytics, and closed-loop controls that operate across millions of protected objects in multiple locations.

Additionally, cloud performance is not just IOPS or CPU cycles; it is also the capability to elastically provision, modify, and decommission security entities on demand.


Slide 31: Open API

Security virtualization must be integrated with provisioning, management, and operations of the data center.

These APIs will fit into the management stacks developed for each hypervisor platform.

Vendors must be able to interoperate with a common protocol (e.g., SCAP).

Products must support orchestration by 3rd party management, workflow, and incident management systems.
