Security defined routing_cybergamut_v1_1
Source: http://cybergamut.com/2014/09/technical-tuesday-28-october-2014-software-defined-networking-by-joel-king-of-world-wide-technology/
Copyright © 2014 World Wide Technology, Inc. All rights reserved.
Security-Defined Routing
Joel W. King, Technical Solutions Architect, Enterprise Networking Solutions, Engineering and Innovations
Agenda
• Background: Who, What and Why?
• Process flow – Topology Diagrams
• OpenFlow Mechanics
• Software
• Monitoring Network
• Demonstration Video
• Summary
Who am I?
• Software-Defined Networking Discipline Lead at WWT
• Goal: First to Educate
• Oversee SDN solution architectures, training and education for sales engineering, demonstrations, workshops. Focus area: Network Programmability
• Previously
  • NetApp E-Series Storage – Big Data
  • Cisco Systems CVDs – Cisco Validated Designs
Why this was developed
• World Wide Technology (wwt.com)
  • Value added systems integrator and supply chain solutions provider
  • Advanced Technology Center (ATC): hands-on access to over $50M in data center, virtualization, collaboration, networking and security solutions.
• Premise: Demonstrate a Software-Defined Networking (SDN) use case
• Integrate: SDN with Cyber Analytics Reference Architecture (CARA)
What is Security-Defined Routing?
• Security-Defined Routing (SDR) is a play on the term Software-Defined Networking (SDN)
• Security-Defined Routing
  • Uses SDN (OpenFlow) switches
  • Dynamic reprogrammability of network flows
  • Normal IP packet forwarding reacts to security analytic engines
  • Integrating security analytics with packet forwarding behavior
• Central Network Control dates back to AT&T’s Network Control Point in 1977.
• Why should cyber professionals care about SDN and OpenFlow?
http://en.wikipedia.org/wiki/2600:_The_Hacker_Quarterly
Historical view of SDN
• Purist view of SDN has two characteristics (1)
  • Control plane is separated from the device implementing the data plane
  • Single control plane manages multiple network devices
• SDN / OpenFlow initial deployments were network research at universities (Stanford), providing cost effective and ‘clean slate’ network architectures.
• OpenFlow is only one instantiation of SDN principles.
• SDN is a tool to enable a higher degree of control over network devices.
[Diagram: a single Control Plane above the network devices]
(1) The Road to SDN: An Intellectual History of Programmable Networks
What is OpenFlow?
• Open Networking Foundation (ONF) manages the standard.
• Originated at Stanford University 2005 - 2009 - Martin Casado, et al.
• OpenFlow - a communications protocol that gives access to the forwarding plane of a network device - Southbound from the SDN controller to communicate with switches.
• Flow Entry - an element in a flow table used to match and process packets: a data structure of matches, actions, counters, priority, and timeout values.
Fields from packets matched against flow entries:
• Ingress port
• Ethernet Source | Destination Address
• VLAN ID and Priority
• IP Source and Destination Address
• IP Protocol
• IP ToS bits
• TCP | UDP source port
• TCP | UDP destination port
Actions
• Multiple actions can be specified
• Example: output to multiple ports, drop
Basic Building Blocks: Controllers and Agents
Some network functionality is better implemented from centralized coordination of all the devices in the network domain.
• Controller – process on a server interacting with network devices using APIs / protocols.
• Agent – process on network devices implementing a specific function.
• API – allows applications external to the controller to query and change the network configuration
Next Generation Firewalls
• Next-Generation Firewall Services provide more granular application usage control policies than port based firewalls.
• Advanced network security functions are computationally intensive, and they must run in real time while introducing little or no latency.
• Has the Layer 3 topology changed when deploying Next-Generation Firewalls?
• Why does the Firewall function need to be in the forwarding path?
Value of Separating Detection from Prevention
Separating the intrusion detection (IDS) function from the intrusion prevention (IPS) function provides:
• Enhanced Scalability
• Seamlessly Manage Appliances
• Multiple ‟Sets of Eyes”
• Rapid Mitigation
• Consistent Policy Implementation
• Cost Effective
Security-Defined Routing
SDR Solution includes the following components:
• An SDN controller
• OpenFlow switches between the WAN edge routers and the corporate firewalls
• Security-Defined Routing (SDR) software developed by World Wide Technology (WWT)
• Security analytics software
  • Cisco Sourcefire
  • RSA Security Analytics
  • Open Source Snort
[Topology diagram: Internet, OpenFlow switch, DMZ and NEXUS-7K in front of the internal network; SDN Controller with Security-Defined Routing software; syslog feed; Monitoring Network]
Process Flow
[Process-flow diagrams, slides 13-18: Trust Zone, DMZ and Un-Trusted Zone joined by the OpenFlow switch, with the Monitoring Network, the Cisco XNC Controller and the Security-Defined Routing software. Slide 17 adds an ALERT! label; slide 18 adds an "attack" label on the OpenFlow path.]
Security-Defined Routing
• Software-Defined Networking (OpenFlow) switches can be programmed to:
  • Drop packets
  • Replicate packets (e.g. SPAN / TAP) for monitoring
  • Selectively divert traffic flows from the normal forwarding path.
• Security Analytics devices - intrusion detection system (IDS) identify malicious traffic.
• Python modules
  • Parse a Snort, RSA Security Analytics, Cisco Sourcefire alert (log) file
  • Create ‘firewall’ rules for the SDN controller and switch to implement
  • Use REST API to dynamically modify forwarding behavior to shunt traffic
  • Offending host is blocked or routed to honeypot
OpenFlow Mechanics
[Flow-table diagrams, slides 21-24 (Cisco Extensible Network Controller, steady-state configuration): OpenFlow switch ports Inside, Outside, Analytics and Honey Pot between the Trust Zone, DMZ and Un-Trusted Zone. Static flow entries: LLDP, ARP, IPv4, IPv4 TCP 80, IPv4 TCP 443 and Honey Pot to Inet, with ingress/output ports Inside, Outside, Inside & Analytics and Honey Pot. Dynamic (reactive) entry added on an alert: Honey Pot TCP 443, ingress Outside, source 198.19.3.1, output Honey Pot (or Drop).]
Flow Removal
• OpenFlow provides for aging flows from the switch
  • Each flow entry has an idle_timeout and a hard_timeout
  • Switches will remove flows older than the hard_timeout
  • idle_timeout is invoked if no packets match during the timer
• The Northbound REST API can be used to manually delete flows
  • The demo code removes flows after a few minutes.
• Caveats
  • DDoS attacks could generate more flows than the switch can handle
  • Switches vary in the number of flows supported.
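As an added illustration of the flow-entry structure from slide 7 and the aging rules above, here is a small Python model of a flow table with priority matching, idle/hard timeouts and a capacity limit. It is not XNC, switch or WWT code; the port numbers, timeouts and flow names are constructed.

```python
# Added model of an OpenFlow flow table as slides 7 and 25 describe it: match
# fields, actions, counters, priority, idle/hard timeouts and a finite table
# size.  Not XNC or switch code; port numbers and timeouts are constructed.
from dataclasses import dataclass
from typing import Dict, List
INSIDE, OUTSIDE, ANALYTICS, HONEYPOT = 1, 2, 3, 48  # constructed OpenFlow ports

@dataclass(eq=False)
class FlowEntry:
    name: str
    match: Dict[str, object]    # e.g. in_port, eth_type, nw_src, nw_proto, tp_dst
    actions: List[str]          # e.g. ["OUTPUT=2"], ["OUTPUT=1", "OUTPUT=3"], ["DROP"]
    priority: int = 100         # higher numbers take precedence
    idle_timeout: float = 0.0   # seconds with no matching packet; 0 = never
    hard_timeout: float = 0.0   # seconds after install, traffic or not; 0 = never
    packets: int = 0            # per-entry counter
    installed: float = 0.0
    last_hit: float = 0.0

class FlowTable:
    def __init__(self, capacity: int):
        self.capacity, self.entries = capacity, []

    def add(self, entry: FlowEntry, now: float) -> bool:
        if len(self.entries) >= self.capacity:  # table full: the deck's DDoS caveat
            return False
        entry.installed = entry.last_hit = now
        self.entries.append(entry)
        return True

    def process(self, pkt: Dict[str, object], now: float) -> List[str]:
        """Highest-priority entry whose match fields all equal the packet's wins."""
        hits = [e for e in self.entries if all(pkt.get(k) == v for k, v in e.match.items())]
        if not hits:
            return ["DROP"]  # table miss; a real switch's miss behaviour is configurable
        best = max(hits, key=lambda e: e.priority)
        best.packets += 1
        best.last_hit = now
        return best.actions

    def expire(self, now: float) -> List[str]:
        """Age out entries past hard_timeout or idle longer than idle_timeout."""
        gone = [e for e in self.entries
                if (e.hard_timeout and now - e.installed >= e.hard_timeout)
                or (e.idle_timeout and now - e.last_hit >= e.idle_timeout)]
        self.entries = [e for e in self.entries if e not in gone]
        return [e.name for e in gone]

def steady_state_table(capacity: int = 4) -> FlowTable:
    """Static flows: inside->outside, and TCP 443 from outside copied to inside and IDS."""
    t = FlowTable(capacity)
    t.add(FlowEntry("IPv4", {"in_port": INSIDE, "eth_type": "IPv4"}, [f"OUTPUT={OUTSIDE}"]), 0.0)
    t.add(FlowEntry("IPv4 TCP 443", {"in_port": OUTSIDE, "eth_type": "IPv4", "nw_proto": "tcp",
                    "tp_dst": 443}, [f"OUTPUT={INSIDE}", f"OUTPUT={ANALYTICS}"]), 0.0)
    return t

def shunt_flow(src_ip: str, idle: float = 180.0) -> FlowEntry:
    """Reactive entry pushed on an alert: that source's TCP 443 goes to the honeypot."""
    return FlowEntry(f"tcp443_{src_ip}", {"in_port": OUTSIDE, "eth_type": "IPv4", "nw_src": src_ip,
                     "nw_proto": "tcp", "tp_dst": 443}, [f"OUTPUT={HONEYPOT}"], 500, idle)
```

The reactive entry outranks the static TCP 443 entry only by priority, and it disappears on its own once the source goes quiet, which is the aging behaviour the slide relies on.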
Software
Process Flow
[Software process-flow diagram: Snort (rules in ./rules) watches a TAP of the Inside/Outside link and writes ./log/alert and syslog (/var/log/syslog); parsealert.py reads the alerts and calls sst.py (options --help, --debug; logs to ./log), which uses the XNC.py module to drive the REST API of the XNC (SDN) Controller, which programs the OpenFlow switch.]
Log Parser
$ python parsealert.py --help
usage: parsealert.py [-h] --engine ENGINE --file FILE --command COMMAND
[--trigger TRIGGER] [--debug]
parsealert.py - Reads syslog or local files from analytic engines, calls
sst.py to push flow elements to an XNC controller.
Copyright (c) 2014 WorldWide Technology, Inc.
optional arguments:
-h, --help show this help message and exit
--engine ENGINE Specify snort, rsa or sourcefire keyword to indicate the
input file
--file FILE Input file name.
--command COMMAND Command file name in ./config directory
--trigger TRIGGER The value of the trigger, if not specified, default is
__S_
--debug When specified enables debugging
Flow Pusher
C:\>python sst.py --help
usage: sst.py [-h] --cact CACT --cip CIP --cuid CUID --cpw CPW --dpid DPID
--fname FNAME --act ACT --pri PRI --et ET [--nwsrc NWSRC]
[--nwdst NWDST] [--proto PROTO] [--tpsrc TPSRC] [--tpdst TPDST]
[--iport IPORT] [--debug]
Copyright (c) 2014 World Wide Technology, Inc.
optional arguments:
-h, --help show this help message and exit
--cact CACT Controller action, (eg. PUT, DELETE, LIST) a flow element
--cip CIP Controller IP / Hostname
--cuid CUID Controller username
--cpw CPW Controller password
--dpid DPID Data Path Identifier of the OpenFlow switch
--fname FNAME Flow name, unique identifier
--act ACT Action(s) to implement, eg. DROP, OUTPUT=48
--pri PRI Flow priority, higher numbers have more precedence
--et ET Ethertype, eg. IPv4, IPv6.
--nwsrc NWSRC Source IP address
--nwdst NWDST Destination IP address
--proto PROTO Protocol, eg. tcp, udp
--tpsrc TPSRC transport protocol source port
--tpdst TPDST transport protocol destination port
--iport IPORT Ingress OpenFlow port number on the switch
--debug When specified enables debugging
Snort rules file
• Define criteria for matching network traffic
• The parsealert.py module will process any alerts with “__S_” in the message
  • All other alert entries are ignored
  • Use the trailing string (e.g. tcp443) and IP address as the unique flow name
• Sample rules will shunt any source IP address to honeypot
  • TCP ports 80 and 443 with a TOS byte of 184
  • TOS 0xB8 (184) = IP Precedence 5 or DSCP Expedited Forwarding (EF)
alert tcp any any -> any 80 (tos:184; sid:1000985; msg: "__S_tcp80";)
alert tcp any any -> any 443 (tos:184; sid:1000986; msg: "__S_tcp443";)
Snort alert file
• Identify entries with “__S_”
• Determine the source IP address
• Use the trailing string (e.g. tcp443) and source IP address as the unique flow name
• Create flow entry (aka: “firewall rule”) to shunt packets to honey pot
• Log action in ./log directory
[**] [1:1000986:0] __S_tcp443 [**]
[Priority: 0]
04/27-00:43:35.932503 198.19.3.1:56184 -> 198.18.4.1:443
TCP TTL:255 TOS:0xB8 ID:39797 IpLen:20 DgmLen:40
***AP**F Seq: 0x7F92F67A Ack: 0xF6474527 Win: 0x1020 TcpLen: 20
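An added Python example of the parse-and-shunt step described on this slide and the Snort rules slide; it is not WWT's parsealert.py. The sample alert file is constructed from the record above plus one non-trigger record, and the flow-name format (tag_sourceIP), the mapping onto sst.py flags, the honeypot output port 48 and priority 500 are assumptions; the controller flags (--cip, --cuid, --cpw, --dpid) are left to the caller.

```python
"""Keep Snort alert records carrying the SDR trigger string and build the sst.py
argument list for the shunt flow.  Added example, not WWT's parsealert.py."""
import re
from typing import Dict, Iterator, List
# Constructed sample alert file: record 1 is the slide's example, record 2 is a
# constructed alert without the trigger and must be ignored.
SAMPLE_ALERT_FILE = """\
[**] [1:1000986:0] __S_tcp443 [**]
[Priority: 0]
04/27-00:43:35.932503 198.19.3.1:56184 -> 198.18.4.1:443
TCP TTL:255 TOS:0xB8 ID:39797 IpLen:20 DgmLen:40
***AP**F Seq: 0x7F92F67A Ack: 0xF6474527 Win: 0x1020 TcpLen: 20

[**] [1:1000001:0] CONSTRUCTED non-trigger alert [**]
[Priority: 1]
04/27-00:44:01.000001 198.19.3.7:40000 -> 198.18.4.1:80
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60
"""
HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
PACKET = re.compile(r"^\S+ (\S+):(\d+) -> (\S+):(\d+)$")
PROTO = re.compile(r"^(TCP|UDP|ICMP) TTL:")

def parse_alerts(text: str, trigger: str = "__S_") -> Iterator[Dict[str, str]]:
    """Yield one dict per alert record whose message starts with the trigger."""
    for record in re.split(r"\n\s*\n", text.strip()):
        lines = record.splitlines()
        head = HEADER.match(lines[0]) if lines else None
        if not head or not head.group(4).startswith(trigger):
            continue  # slide: all other alert entries are ignored
        alert = {"sid": head.group(2), "tag": head.group(4)[len(trigger):]}
        for line in lines[1:]:
            pkt, pro = PACKET.match(line), PROTO.match(line)
            if pkt:
                alert.update(src_ip=pkt.group(1), src_port=pkt.group(2),
                             dst_ip=pkt.group(3), dst_port=pkt.group(4))
            elif pro:
                alert["proto"] = pro.group(1).lower()
        if "src_ip" in alert:
            yield alert

def flow_name(alert: Dict[str, str]) -> str:
    """Unique flow name from the trailing string and the source IP (assumed format)."""
    return f"{alert['tag']}_{alert['src_ip']}"

def sst_args(alert: Dict[str, str], action: str = "OUTPUT=48", priority: int = 500) -> List[str]:
    """sst.py flags (from its --help) for one shunt flow; caller adds --cip/--cuid/--cpw/--dpid."""
    return ["--cact", "PUT", "--fname", flow_name(alert), "--act", action,
            "--pri", str(priority), "--et", "IPv4", "--nwsrc", alert["src_ip"],
            "--proto", alert["proto"], "--tpdst", alert["dst_port"]]

def build_flow_jobs(text: str) -> List[List[str]]:
    """Dedupe on flow name so repeated alerts do not push duplicate flows."""
    seen, jobs = set(), []
    for alert in parse_alerts(text):
        name = flow_name(alert)
        if name not in seen:
            seen.add(name)
            jobs.append(sst_args(alert))
    return jobs
```

Passing action="DROP" instead of an OUTPUT port produces the block variant the deck mentions, and the dedupe step matters because the same source triggers the rule on every packet.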
Monitoring Network
Monitoring Network Options
• The Monitoring Network can be built using SDN technology or traditional appliances.
• In the WWT ATC deployment we have used both:
  • Ixia's Net Tool Optimizer® (NTO)
  • Cisco Nexus Data Broker (Monitor Manager)
• Monitor Manager provides a REST API interface to programmatically create or modify rules and filters.
• An additional SDN option is Big Switch Networks Big Tap™ Monitoring Fabric
Monitoring Network
[Monitoring Network diagram: Corporate Network, WAN Edge, Internet; Nexus 3K; Cisco XNC Controller with Monitor Manager (SDN, REST API); Security Onion; wireshark]
Demonstration
Demonstration Video
• Watch the video to see how security-defined routing combines cyber analytics and SDN to protect the network:
• http://youtu.be/KvZuklmi9uU
Intrusion Prevention Lifecycle
[Lifecycle diagram: Forwarding and Replication (Cisco Nexus 3000 Series Switches with Plug-in for OpenFlow, Inside/Outside); Filter and Disseminate (Cisco Monitor Manager or Ixia's Anue Net Tool Optimizer® (NTO)); Analyze and Alert; Implement Intrusion Prevention (Security-Defined Routing Software with the Cisco® Extensible Network Controller (XNC))]
Solution Advantages
• Enhanced Scalability – IDS is separated from IPS: the OpenFlow switch implements tapping and IPS
• Seamlessly Manage Appliances - IDS systems can be added, removed, or upgraded, without introducing high-impact changes to the IPS service in the production network.
• Multiple ‟Sets of Eyes” - Network traffic can be easily copied to multiple intrusion detection devices.
• Rapid Mitigation – The OpenFlow switch is programmatically updated to block or shunt traffic.
• Consistent Policy Implementation - Alerts generated at one Internet gateway can trigger the same policy at all Internet gateways.
Looking Forward
• This solution is deployed at the Internet edge; expect to see similar concepts deployed inside the enterprise (BYOD)
• Network provisioning and configuration will increasingly become less chassis-by-chassis and more controller based
• Network resources will align with business requirements through application resource profiles and network containers.
• Brush up on your programming skills.
http://marketing.wwt.com/SDNGuide_Registration.html