security-and-software-defined-networks (2).pdf
TRANSCRIPT
-
8/13/2019 Security-and-Software-Defined-Networks (2).pdf
Unravel the Enigma of Insecurity
Security and Software-Defined Networks
-
Executive Summary
Mobility and virtualization are accelerating the transition to cloud computing
Data center components will have to be software-defined to meet requirements for capacity, resilience, and security
Software-defined security is the most effective way to protect the cloud data center
-
Main Components of an OpenFlow Switch
[Diagram: a Controller, under Management and Orchestration, speaks the OpenFlow Protocol over a Secure Channel to an OpenFlow Device (HW or SW); inside the device a Packet Pipeline of Flow Tables runs inbound to outbound, alongside a Group Table]
-
Software-defined Networking (SDN)
[Diagram: the Management and Orchestration Layer (controller) is decoupled from the Data Layers (devices); the data layer may be hardware or software, made up of hardware entities and software entities]
-
Automation APIs
Northbound (controller -> user): ORCHESTRATION
  Administration UI
  Horizontal integration with other element managers
  Defines network parameters and membership
  Provides higher-level object management
Southbound (controller -> device): SCALING
  Packet forwarding
  Programmable per flow
  Maps policies to entities
  Implements logical policies
  Enumerates groups into constituents
-
Value
Not SDN (often proprietary)
  set vtp domain cisco mode server
  set vlan 2 name cisco_vlan_2
  set vlan 2 3/1-12
  Device-based
  Special purpose hardware
  Unique to vendor
SDN (open system)
  Hr_sharepoint allow hr_users
  Pepsi deny Coke
  US_agency deny China except public_web_tier
  Server-based
  General purpose CPU
  Multi-vendor
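The SDN policy lines on this slide name groups, not addresses; it is the southbound side of the Automation APIs slide (maps policies to entities, enumerates groups into constituents) that turns them into per-flow entries for the flow tables of the OpenFlow switch slide. The following added example, which is not code from the deck, walks through that compile step in Python. The policy grammar, the group memberships, the addresses and the priority scheme are all assumptions made here: a rule is read as "traffic from the second-named group to the first-named group is allowed or denied", and an "except" clause carves out a higher-priority entry with the opposite action.

```python
"""Intent-style SDN policy compiled into flow-table entries.

Added example; it is not code from the original slide deck. The policy
grammar ("<dst-group> allow|deny <src-group> [except <dst-subgroup>]"), the
group membership data, the addresses and the priority scheme are all
constructed here for illustration. Real controllers expose their own
northbound schemas; the point is the pipeline, not the syntax.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
import re

# Constructed group inventory. The management layer knows users and assets
# by name; addresses are an enforcement-time detail resolved at compile time,
# which is why the policy lines below never mention an IP.
GROUPS = {
    "hr_users": ["10.1.0.0/24"],
    "Hr_sharepoint": ["10.9.1.10/32"],
    "Pepsi": ["10.20.0.0/16"],
    "Coke": ["10.30.0.0/16"],
    "US_agency": ["10.40.0.0/16"],
    "public_web_tier": ["10.40.200.0/24"],   # a subset of US_agency
    "China": ["203.0.113.0/24"],             # TEST-NET-3, constructed
}

# The three policy lines from the slide, read as: traffic from the second
# group to the first group is allowed/denied, except towards the third group.
POLICY = """
Hr_sharepoint allow hr_users
Pepsi deny Coke
US_agency deny China except public_web_tier
"""

RULE_RE = re.compile(r"^(\S+)\s+(allow|deny)\s+(\S+)(?:\s+except\s+(\S+))?$")


@dataclass(frozen=True)
class FlowEntry:
    priority: int
    src: IPv4Network
    dst: IPv4Network
    action: str   # "allow", "deny", or "controller" for the table-miss entry
    rule: str     # policy line that produced the entry, kept for audit


def compile_policy(policy: str, groups: dict) -> list[FlowEntry]:
    """Southbound step: enumerate each group into its constituents and map
    every policy line onto concrete match/action entries. An 'except' clause
    becomes a higher-priority entry with the opposite action, and a final
    wildcard table-miss entry hands anything unmatched to the controller."""
    entries = []
    for line in policy.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable policy line: {line!r}")
        dst_group, verb, src_group, exc_group = m.groups()
        for g in (dst_group, src_group, exc_group):
            if g and g not in groups:
                raise KeyError(f"unknown group {g!r} in {line!r}")
        for src in groups[src_group]:
            for dst in groups[dst_group]:
                entries.append(FlowEntry(100, ip_network(src), ip_network(dst), verb, line))
            if exc_group:
                carve_out = "allow" if verb == "deny" else "deny"
                for dst in groups[exc_group]:
                    entries.append(FlowEntry(200, ip_network(src), ip_network(dst), carve_out, line))
    entries.append(FlowEntry(0, ip_network("0.0.0.0/0"), ip_network("0.0.0.0/0"),
                             "controller", "table-miss"))
    return sorted(entries, key=lambda e: -e.priority)


def lookup(table: list[FlowEntry], src_ip: str, dst_ip: str) -> str:
    """Data-plane step: the highest-priority matching entry decides. Two
    entries at the same priority with different actions means the policy
    compiled into a conflict, which is reported rather than silently broken."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    hits = [e for e in table if s in e.src and d in e.dst]   # table-miss always hits
    best = hits[0]                                           # table is priority-sorted
    actions = {e.action for e in hits if e.priority == best.priority}
    if len(actions) > 1:
        raise RuntimeError(f"conflicting entries at priority {best.priority}: {sorted(actions)}")
    return best.action


TABLE = compile_policy(POLICY, GROUPS)

if __name__ == "__main__":
    for src, dst in [("10.1.0.5", "10.9.1.10"), ("10.30.4.4", "10.20.1.1"),
                     ("203.0.113.7", "10.40.1.1"), ("203.0.113.7", "10.40.200.8"),
                     ("10.20.1.1", "10.30.4.4")]:
        print(f"{src:>14} -> {dst:<14} {lookup(TABLE, src, dst)}")
```

Rules are directional in this toy grammar, so the Pepsi-to-Coke lookup in the demo falls through to the table-miss entry and is handed to the controller. A real deployment should decide that default explicitly (normally deny) rather than inherit it from a reactive controller, and the rule field on each entry is what lets an auditor trace a flow-table line back to the policy statement that produced it.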
-
Data Center Implications of SDN
Supports rapid scaling
Improved automation
Service capacity shifts automatically where needed
Better user experience
Commoditization of networking
-
Security: It's Your Choice
Fail or Evolve
-
Securing Software-defined Networking
[Diagram: Management and Orchestration Layer above Data Layers of hardware and software entities, with three controls called out]
Logical isolation with policy-driven automation
Audit, manage, and control privileged activities
Enforce secure configuration and auditing
-
Infrastructure is Evolving
Software driving cloud innovation
Use of more than one platform or cloud is practically inevitable
Mobile (e.g., smartphones and tablets) adoption increasing exponentially
Security technology must evolve
-
Software-defined Security (SDS)
[Diagram: the same decoupled architecture as the SDN slide, a Management and Orchestration Layer (controller) over Data Layers (devices, HW or SW) of hardware and software entities]
-
Implications
Need to Know
  Users
  Software
  Assets
  Connections
  Policies
Don't Need to Know
  Vendor
  IP address
  Location
  Virtual, physical, mobile
  Wire speed
-
Risk Analysis
Exposure Increased
  Automation failure
  API failure
  Control failure
  Software failure
  Human failure
Exposure Decreased
  Hardware failure
  Capacity failure
  Availability failure
  Security failure
  Human failure
Small increase in risk; large decrease in risk
-
Top-5 Controls
1. Inventory of SDN elements (e.g., controllers, devices, privileged users)
2. Isolation and access control for Northbound and Southbound APIs (e.g., orchestration, administration, and configuration)
3. Auditing and change management
4. Secure configuration management
5. Continuous vulnerability management and remediation
-
SDS Systems are Evolving
-
Software-defined Security Examples
Firewall: Virtual firewalls are not a "bump in the wire"; they are a module inserted into the stream path of a vNIC.
NAC: Network access control is not enforced within the access layer; it is enforced in the management layer.
Configuration: Instead of requiring an agent or network scan, secure configurations may be checked out of band, even when the asset is powered off.
-
Advantages of Security Virtualization
Perfect inventory
Everywhere it is needed
Lower cost
More automated
Simpler
Faster evolution
[Image: Cylon Hybrid, the central control for a Cylon Basestar]
-
IT Business Process Re-engineering
The organization and process must adapt to increased automation and orchestration. Cross-functional teams of subject matter experts will best enable IT to rapidly deliver secure and elastic services on demand. Leading IT teams are already shifting from DevOps to DevSecOps.
-
RACI for Software-Defined Security
Responsible: Firewall or Network Security personnel
  Define policies
  Implement automation
Accountable: CIO or CISO
  Approve policies
  Review metrics (e.g., compliance and performance)
Consulted: Infrastructure and Application Architects
  Provide requirements
  Validate implementation
Informed: IT Audit personnel
  Audit automation behavior
  Audit policy compliance
-
In closing
Security virtualization will drastically improve the protection of sensitive data while at the same time simplifying the application of these protective capabilities.
The most effective use of security virtualization will require changes to IT staffing, processes, and procedures.
Security virtualization is disruptive to the way security "has always done it."
-
Michael Berman
Email: xtanjx at gee mail dot com
LinkedIn: mberman
Twitter: @_mberman
Blog: Grok Security
Thank you
-
Supplemental Material
2009-2012 Mitchell Lazear
-
Decoupled from Hardware
Simplifies data center resiliency and failover
Reduces upgrade costs
Enables "designed-in" security across the data center fabric
Scaling enhanced due to elimination of architectural constraints
Hardware refresh cycle and technology advance accelerated due to shortened engineering cycle
CPU resource pool remains uniform
-
Reproduce Network Security Model
Defense in depth
Segmentation of data
Access control
Separation of duties
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
(source: SANS)
-
Operational Model of Compute Virtualization
Enable scaling, elasticity, mobility, and seamless disaster recovery
Conversion of security tools into software objects and the creation of new tools and capabilities for deployment, automation, and recovery of security capabilities
Auto-deployment, automation, and orchestration of security tools
The cloud compute model impacts the culture of security within IT, requiring the transition of security professionals into new operational roles that are more flexible and more broadly defined.
-
Logical isolation, audit, and security
Logical isolation, rather than some form of physical segmentation, enables diverse workloads of differing sensitivity to run anywhere.
Mixed workloads then run most efficiently when allowed to run within common resource pools for CPU, memory, storage, and networking.
Security virtualization must also audit and protect the management objects, tools, and APIs that are used to provision, modify, or delete workloads, objects, and resources.
Logical isolation enables multi-compartment zoning of workloads with the requisite capabilities for cross-domain security in both private and public clouds.
Policies are not required to identify layer 3 or 4 attributes. Security virtualization enforces policies within each specific trust zone, even when that zone spans multiple data centers.
-
Cloud performance and scale
Large-scale compute clouds are composed of thousands to millions of entities.
Security virtualization must enable resilient and protected operations at this scale.
This requires new security management architectures, analytics, and closed-loop controls that operate across millions of protected objects in multiple locations.
Additionally, cloud performance is not just IOPS or CPU cycles; it is also the capability to elastically provision, modify, and decommission security entities on demand.
-
Open API
Security virtualization must be integrated with provisioning, management, and operations of the data center.
These APIs will fit into the management stacks developed for each hypervisor platform.
Vendors must be able to interoperate with a common protocol (e.g., SCAP).
Products must support orchestration by 3rd-party management, workflow, and incident management systems.