SDN Security - alcatron.net Live 2014 Melbourne/Cisco Live...SDN Security BRKSEC-2760 Alok Mittal Security Business Group, Cisco

May 17, 2018

Page 1

Page 2

SDN Security BRKSEC-2760

Alok Mittal

Security Business Group, Cisco

Page 3

© 2014 Cisco and/or its affiliates. All rights reserved. BRKSEC-2760 Cisco Public

Security at the Speed of the Network

Countering threats is complex and difficult. Software Defined Networking (SDN) offers a way to respond to attacks with the speed of the network: tying together the visibility provided by the network, and the control provided by SDN, with intelligent automation. This breakout session is targeting Network and Security professionals looking for how SDN can improve their network security architecture.

Automating and Accelerating Security Through SDN

Page 4

Agenda

Introduction to Current Security Challenges

Introduction to Software Defined Networking

Bringing the two together – How SDN can help in solving security challenges

SDN Security Components

Securing SDN

Page 5

Introduction to Security Challenges

Page 6

Cisco Internal Use © 2013 Cisco and/or its affiliates. All rights reserved. 6

MOBILITY

CLOUD

THREAT

Page 7

Any Device to Any Cloud

PRIVATE CLOUD

PUBLIC CLOUD

HYBRID CLOUD

Page 8

The Threat Landscape is Evolving

Timeline of threats and the enterprise response each one drove, with the attack surface increasing throughout:

2000: Worms; enterprise response: Antivirus (Host-Based)
2005: Spyware and Rootkits; enterprise response: IDS/IPS (Network Perimeter)
2010: APTs / Cyberware; enterprise response: Reputation (Global) and Sandboxing
Tomorrow: Increased Attack Surface; enterprise response: Intelligence and Analytics (Cloud)

Page 9

The Security Problem

Changing Business Models

Dynamic Threat Landscape

Complexity and Fragmentation

Page 10

The New Security Model

Attack Continuum, across Network, Endpoint, Mobile, Virtual and Cloud:

BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate

Point in Time -> Continuous

Page 11

Controls across the attack continuum (BEFORE, DURING, AFTER):

Policy
Access Control
Netflow, Log, and DNS Monitoring
Content Inspection
Threat Analytics
Behaviour Anomaly Detection
Contain
Fix

Page 12

Manual Security Processes

BEFORE  DURING  AFTER

Page 13

SDN Automation: the Speed of the Network

BEFORE  DURING  AFTER

Threat Analytics

Visibility  Control

Page 14

Brief Introduction to SDN

Page 15

Introduction to Software Defined Networking (SDN)

Many Definitions

• Openflow

• Controller

• Openstack

• Overlays

• Network virtualisation

• Automation

• APIs

• Application oriented

• Virtual Services

• Open vSwitch

• …

Page 16

Software Defined Networking (SDN)

[Diagram: a chassis with fabric cards FC 1-5 and line cards LC 1-16, shown beside a spine-leaf fabric of Spine 1-5 and Leaf 1-16 (Spine Nodes, Leaf Nodes), all under a Controller]

• Supervisor - Control

• Fabric Cards - Forwarding

• Line Cards - Services

Controller

Page 17

Basic Definitions

What Is Software Defined Network (SDN)?

“…In the SDN architecture, the control and data planes are decoupled, network intelligence and state are logically centralised, and the underlying network infrastructure is abstracted from the applications…”

Source: www.opennetworking.org

What is OpenStack?

Open source software for building public and private Clouds; includes Compute (Nova), Networking (Quantum) and Storage (Swift) services.

Source: www.openstack.org

What is Overlay Network?

An overlay network is created on existing network infrastructure (physical and/or virtual) using a network protocol. Examples of overlay network protocols are GRE, VPLS, OTV, LISP and VXLAN.

What Is OpenFlow?

Open protocol that specifies interactions between de-coupled control and data planes.

Note: OF is not mandatory for SDN

Note: North-bound Controller APIs are vendor-specific

Note: Applicable to SDN and non-SDN networks

Note: SDN is not mandatory for network programmability nor automation

Page 18

Basic Architecture in all Models

Page 19

Key SDN Goals and Concepts

There is a controller that centralises network configuration and attempts to make networks easier to provision and configure

Network intelligence and state are logically centralised, and the underlying network infrastructure is abstracted from the applications

Enables automation, to be better able to respond to the changing needs of business applications and users

Examples:

Network topology changes can be made without manually reconfiguring network devices

Based on application requirements, virtual networks can be created

Security controls do not have to physically exist at a particular network location

Page 20

Network Programmability

Network Monitoring, Bandwidth Management, Load Balancing

Page 21

Network Programmability

Network Monitoring, Bandwidth Management, Load Balancing
SNMP, CLI, NetFlow

Page 22

Network Programmability

Network Monitoring, Bandwidth Management, Load Balancing
SNMP, CLI, NetFlow
Heterogeneous devices; Inconsistent data models :-(

Page 23

Network Programmability

Network Monitoring, Bandwidth Management, Load Balancing
Programmatic Interfaces: onePK

Page 24

Network Programmability

Network Monitoring, Bandwidth Management, Load Balancing
Programmatic Interfaces: onePK
Multiple topology models; No policy resolution :-(

Page 25

Network Programmability

Controller
Network Monitoring, Bandwidth Management, Load Balancing
Programmatic Interface: onePK, OpenFlow

Page 26

Network Programmability

Controller
Network Monitoring, Bandwidth Management, Load Balancing
Programmatic Interface: onePK, OpenFlow
Topological awareness; Policy resolution :-)

Page 27

Cisco SDN

Solves challenging next generation customer problems in Data Centre, Access and WAN

Provide network wide abstraction

Provide Business Agility so customer can roll out new applications and services quickly and cost effectively

Automate infrastructure provisioning based on application policy profiles

Secure multi-tenancy with centralised compliance and auditing

Provide Open APIs for integration with existing systems and enabling a vast ecosystem of partners

Page 28

Cisco Controllers

Open Source: OpenDaylight (ODL)

Southbound protocols: OpenFlow, onePK

Page 29

[Image of the OpenDaylight architecture] Credit: The OpenDaylight Project, Inc.

Page 30

Cisco Controllers

Open Source: OpenDaylight (ODL), with OpenFlow and onePK

Application Centric Infrastructure Fabric: Application Policy Infrastructure Controller (APIC); Physical, Virtual, and Cloud; Open APIs; OpenStack

Page 31

Programmability Across Multiple Controllers

[Diagram: an ODL Controller and an APIC Controller, each with its own App, both over the Datacentre]

Page 32

Programmability Across Multiple Controllers

[Diagram: an ODL Controller and an APIC Controller, each with its own App, both over the Datacentre; the security use cases shown are Threat Defence and Security Policy]

Page 33

Application Centric Infrastructure

Page 34

Application Centric Infrastructure Fabric

Single Point of Management

[Diagram: a chassis of slots 1-8 and blades 1-8 with endpoint groups “Users” and “Files” attached to the fabric]

Intelligent Fabric
Flat Hardware Accelerated Network
Logical Endpoint Groups by Role
Flexible Insertion
Physical Fabric Traversal
Single Pass Firewalling with Flow-Specific Policy

Page 35

End Point Groups Simplify Policy

EPG 2 (Web), EPG 3 (App), EPG 4 (DB)

Page 36

Service Insertion and ACI

Image from ACI at-a-glance

End Point Groups: EPG 1 (Internet), EPG 2 (Web), EPG 3 (App), EPG 4 (DB), joined by Contracts

Service insertion: EPG 1 -> ASA (ACL, Inspect HTTP, etc) -> EPG 2 -> Load Balancer -> EPG 3 -> EPG 4

Credit: Sean Xun Wang

Page 37

SDN and Security

Page 38

Simple Example - DDoS Mitigation

[Diagram: traffic from the SP passes a Load Balancer, SSL/TLS Termination and a Web App Firewall into the Enterprise, with a DDoS Scrubber off-path; the Cisco ONE Controller takes Telemetry from the network and pushes “Reroute Flows”; the DDoS Detection Application sits above the controller]

DDoS Application to SDN Controller: Give me the network traffic data

DDoS Application to SDN Controller: I see an attack: Redirect the traffic for this flow to a Scrubber
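The exchange on this slide worked through in code: the detection application pulls telemetry from the controller, decides a destination is under attack, and asks the controller to reroute that destination's flows to the scrubber. This is an added example with constructed telemetry, not code from the session or from the Cisco ONE controller; the Controller and DDoSDetectionApp classes, the port numbers and the thresholds are assumptions.

```python
"""Simulated DDoS-mitigation exchange between a detection application and an
SDN controller. Added example with constructed data; Controller and
DDoSDetectionApp are hypothetical, not the Cisco ONE controller API."""
from collections import defaultdict
from dataclasses import dataclass

SCRUBBER_PORT = 9         # constructed: switch port that leads to the DDoS scrubber
PPS_THRESHOLD = 5000      # constructed: aggregate packets/s above which a destination is "under attack"
MIN_DISTINCT_SOURCES = 3  # constructed: many sources is what separates a DDoS from one busy client


@dataclass(frozen=True)
class FlowRecord:
    """One NetFlow-style telemetry record: who sent how many packets to whom, over how long."""
    src: str
    dst: str
    dst_port: int
    packets: int
    seconds: int


@dataclass(frozen=True)
class FlowRule:
    """A match/action entry the controller pushes down to the switches."""
    match_dst: str
    action: str
    out_port: int
    priority: int = 100


class Controller:
    """Northbound API of the controller: serve telemetry, accept reroute requests."""

    def __init__(self, telemetry):
        self._telemetry = list(telemetry)
        self.flow_table = []

    def get_traffic_data(self):
        """'Give me the network traffic data'."""
        return list(self._telemetry)

    def reroute_flows(self, dst, out_port):
        """'Redirect the traffic for this flow to a Scrubber': one rule per destination,
        replacing any earlier rule for the same destination instead of stacking duplicates."""
        rule = FlowRule(match_dst=dst, action="output", out_port=out_port)
        self.flow_table = [r for r in self.flow_table if r.match_dst != dst] + [rule]
        return rule


class DDoSDetectionApp:
    """The security application: pulls telemetry, decides, asks the controller to act."""

    def __init__(self, controller):
        self.ctl = controller

    def detect(self):
        """Destinations whose aggregate rate is high AND comes from several sources."""
        pps = defaultdict(float)
        sources = defaultdict(set)
        for rec in self.ctl.get_traffic_data():
            pps[rec.dst] += rec.packets / rec.seconds
            sources[rec.dst].add(rec.src)
        return sorted(d for d in pps
                      if pps[d] > PPS_THRESHOLD and len(sources[d]) >= MIN_DISTINCT_SOURCES)

    def mitigate(self):
        return [self.ctl.reroute_flows(d, SCRUBBER_PORT) for d in self.detect()]


# constructed telemetry: three sources flood 203.0.113.10; one client pulls a large
# transfer from 203.0.113.20 (high rate but a single source, so not a DDoS); normal traffic elsewhere
TELEMETRY = [
    FlowRecord("198.51.100.1", "203.0.113.10", 80, 60_000, 10),
    FlowRecord("198.51.100.2", "203.0.113.10", 80, 60_000, 10),
    FlowRecord("198.51.100.3", "203.0.113.10", 80, 60_000, 10),
    FlowRecord("192.0.2.7", "203.0.113.20", 443, 120_000, 10),
    FlowRecord("192.0.2.8", "203.0.113.30", 443, 2_000, 10),
]


def run_example():
    """Run the full exchange over the constructed telemetry; returns (controller, rules pushed)."""
    ctl = Controller(TELEMETRY)
    app = DDoSDetectionApp(ctl)
    rules = app.mitigate()
    return ctl, rules


if __name__ == "__main__":
    ctl, rules = run_example()
    for r in rules:
        print(f"reroute dst={r.match_dst} -> port {r.out_port}")  # one rule, for 203.0.113.10
```

The detector keys on two signals at once, aggregate packet rate and the number of distinct sources, so the single client pulling a large transfer is left alone; and because reroute_flows replaces any earlier rule for the same destination, polling the controller repeatedly does not fill the flow table with duplicates.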

Page 39

[Diagram: a SPAN copy of the traffic to the Sensitive Data servers is fed to a Nexus 3000 Tap Aggregation Switch, which is programmed by an ODL Controller running the ODL Monitor Manager]

Page 40

(same diagram, build step)

Page 41

(build step: a Monitoring Application sits on top of the ODL Monitor Manager)

Page 42

(build step: the tap aggregation switch can Filter, Replicate, or Tag Traffic for the Monitoring Application)

Page 43

What SDN Promises for Security

SIMPLIFY POLICY: form a trusted path from user to application

CONVERGE INTELLIGENCE: to more centralised security services

LEVERAGE THE NETWORK FOOTPRINT: to redirect traffic, identify and block new and unknown threats

Page 44

Trusted Path from User to Application

Simplify Network Segmentation
• End-to-end VLANs
• Extend network segments over distance

Benefits
• Data confidentiality
• Multi-tenancy

SIMPLIFY POLICY

Page 45

Bring Network Flows to Central Security Services

Benefits
• Make the network far less complex

CONVERGE INTELLIGENCE

Page 46

Redirect Traffic for Analysis

Automatically Identify Infected hosts for quarantine and remediation

Dynamically provision network for threat protection

Benefits
• Enhanced network visibility
• Dynamic threat response

LEVERAGE THE NETWORK FOOTPRINT

Page 47

SDN Exposes Network Value

POLICY: Program for Optimised Experience

ANALYTICS: Harvest Network Intelligence

Network: Orchestration, Automation, Visibility, Flow Management

Page 48

[Diagram, built up across slides 48-55: an Identity Services Engine with its Identity Context Manager, a Containment Service and Threat Defence share context over pxGrid and talk to an ODL Controller; the ODL Controller programs Nexus and Catalyst 3850 switches over OpenFlow and onePK; an ASA sits in front of the Sensitive Data servers]

Page 49

(same diagram, build step)

Page 50

Netflow telemetry

Page 51

SDN Control: TAG

Page 52

Security Group Tag = SUSPICIOUS (shared over pxGrid)

Page 53

SDN Control: INSPECT (Inspection: the tagged host's traffic is steered through the ASA)

Page 54

SDN Control: Contain (Containment)

Page 55

SDN Control: BLOCK

Page 56

SDN Security Components

Page 57

SDN Security Components

[Layered diagram]
SDN Applications: Third Party Application; Security Application; Identity, Security and Network Services
Controller: Service Abstraction Layer over OpenFlow, onePK, I2RS, a Security Plugin and pxGrid
SDN Security Infrastructure: Cisco Cloud Threat Defence; Identity Services Engine
Network Elements; Security Elements; Virtual Machines

Page 58

SDN Security Components

[Same layered diagram as the previous slide: SDN Applications (Third Party Application; Security Application; Identity, Security and Network Services); Controller (Service Abstraction Layer over OpenFlow, onePK, I2RS, a Security Plugin and pxGrid); SDN Security Infrastructure (Cisco Cloud Threat Defence; Identity Services Engine); Network Elements, Security Elements, Virtual Machines]

Security Application: Next Generation Defence Centre, PRSM, CSM

Page 59

Threat Defence Services

Network Capabilities: OpenFlow, onePK, ASA Plugin, VLAN, SGT, VxLAN, ISE

Page 60

Threat Defence Services

Application View: Targeted Blocking; Targeted Inspection; Targeted Rate Limiting; Targeted Packet Capture; Targeted File Capture; Targeted Confinement; Targeted Enforcement

Network Capabilities: OpenFlow, onePK, ASA Plugin, VLAN, SGT, VxLAN, ISE

Page 61

Security Services Through SDN

Audit, Recording, Monitoring, Inspection, Rate Limiting, DDoS Scrubbing, Quarantine, Active Web Firewall, Blocking

Page 62

Security Services Through SDN

Audit, Recording, Monitoring, Inspection, Rate Limiting, DDoS Scrubbing, Quarantine, Active Web Firewall, Blocking
Effective, Timely

Page 63

Security Services Through SDN

Audit, Recording, Monitoring, Inspection, Rate Limiting, DDoS Scrubbing, Quarantine, Active Web Firewall, Blocking
Effective, Timely, Non-invasive

Page 64

Network Controller Reconciles Mitigations Against the Needs of Mission-critical Applications

[Diagram: Mitigations from the Security System on one side and Application and Network Requirements on the other, both feeding the network controller]
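The tag, inspect, contain and block sequence of slides 48-55 and the reconciliation on slide 64, worked through together in one added example with constructed data (not Cisco, ISE, pxGrid or OpenDaylight code; the ContainmentService and SdnController classes, the APP_REQUIREMENTS table and every address are assumptions). The security side raises a host one rung per suspicious NetFlow event and jumps to CONTAIN on a malicious inspection verdict; the controller applies each requested mitigation only as far as the application requirements for that endpoint allow, and records every request it had to cap.

```python
"""Identity-driven containment ladder (TAG -> INSPECT -> CONTAIN -> BLOCK) with
the controller reconciling each requested mitigation against application
requirements. Added example with constructed data; ContainmentService,
SdnController and APP_REQUIREMENTS are hypothetical, not ISE/pxGrid/ODL code."""
from dataclasses import dataclass
from enum import IntEnum


class Action(IntEnum):
    ALLOW = 0
    TAG = 1        # Security Group Tag = SUSPICIOUS, shared over pxGrid
    INSPECT = 2    # steer the host's traffic through the ASA
    CONTAIN = 3    # confine the host to a quarantine segment
    BLOCK = 4      # drop the host's traffic at the switch


@dataclass(frozen=True)
class NetflowEvent:
    src: str
    dst: str
    dst_port: int
    byte_count: int


SENSITIVE_SERVERS = {"10.0.50.10"}      # constructed: the "Sensitive Data" server
EXFIL_BYTES = 50_000_000                # constructed: transfer size that counts as suspicious
# constructed: endpoints carrying mission-critical applications and the strongest
# mitigation each can tolerate; anything not listed may be blocked outright
APP_REQUIREMENTS = {"10.0.20.5": Action.INSPECT}


class ContainmentService:
    """Security side: decides how far to escalate a host."""

    def __init__(self):
        self.level = {}   # host -> Action it has been escalated to

    def on_netflow(self, ev):
        """Each suspicious flow raises the source one rung; returns (host, wanted) or None."""
        suspicious = ev.dst in SENSITIVE_SERVERS or ev.byte_count > EXFIL_BYTES
        if not suspicious:
            return None
        current = self.level.get(ev.src, Action.ALLOW)
        wanted = Action(min(current + 1, Action.BLOCK))
        self.level[ev.src] = wanted
        return ev.src, wanted

    def on_inspection_verdict(self, host, verdict):
        """A malicious verdict from the ASA jumps straight to CONTAIN."""
        if verdict != "malicious":
            return None
        wanted = max(self.level.get(host, Action.ALLOW), Action.CONTAIN)
        self.level[host] = wanted
        return host, wanted


class SdnController:
    """Network side: applies what was asked, capped by application requirements."""

    def __init__(self):
        self.applied = {}   # host -> Action actually pushed to the network
        self.log = []

    def reconcile(self, host, requested):
        ceiling = APP_REQUIREMENTS.get(host, Action.BLOCK)
        applied = Action(min(requested, ceiling))
        if applied != requested:
            self.log.append(f"{host}: {requested.name} capped to {applied.name} by application requirements")
        self.applied[host] = applied
        return applied


def run_scenario():
    """Constructed timeline: an app server and a laptop both touch the sensitive server."""
    svc, ctl = ContainmentService(), SdnController()
    events = [
        NetflowEvent("10.0.20.5", "10.0.50.10", 445, 4_000),        # app server: TAG
        NetflowEvent("10.0.20.5", "10.0.50.10", 445, 80_000_000),   # app server: INSPECT
        NetflowEvent("10.0.30.9", "10.0.50.10", 445, 1_000),        # laptop: TAG
        NetflowEvent("10.0.30.9", "10.0.50.10", 445, 90_000_000),   # laptop: INSPECT
    ]
    for ev in events:
        req = svc.on_netflow(ev)
        if req:
            ctl.reconcile(*req)
    for host in ("10.0.20.5", "10.0.30.9"):          # the ASA reports both as malicious
        req = svc.on_inspection_verdict(host, "malicious")
        if req:
            ctl.reconcile(*req)
    req = svc.on_netflow(NetflowEvent("10.0.30.9", "10.0.50.10", 445, 95_000_000))  # laptop: BLOCK
    if req:
        ctl.reconcile(*req)
    return svc, ctl


if __name__ == "__main__":
    svc, ctl = run_scenario()
    for host, action in ctl.applied.items():
        print(f"{host}: requested {svc.level[host].name}, applied {action.name}")
    print("\n".join(ctl.log))
```

In the scenario the laptop walks the whole ladder to BLOCK, while the app server, which the controller knows carries a mission-critical application, is held at INSPECT even though the containment service asked for CONTAIN; the capped request is written to the controller log so the security team can see that the two policies disagreed rather than assuming the mitigation took effect.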

Page 65

Securing SDN

Page 66

Threats to an SDN System

[Diagram: a Controller with App 1, App 2 and App 3 above it and network elements below]

Spoofing Controller to Network Element Communication

Page 67

Threats to an SDN System

[Diagram: a Controller with App 1, App 2 and App 3 above it and network elements below]

Spoofing Controller to Network Element Communication

Spoofing App to Controller Communication

Page 68

Securing SDN

[Diagram: a Controller with App 1, App 2 and App 3; an unauthenticated app is shown with “login attempt failed”]

Authentication

Authorisation
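The two checks named on this slide, authentication and then authorisation of an application's request to the controller, in an added example (a constructed northbound API, not Cisco's or OpenDaylight's; APP_KEYS, APP_PERMISSIONS and the request format are assumptions). A request is acted on only if its HMAC verifies under the calling app's key, it is fresh and its nonce has not been seen before, and the app was granted the operation it asks for; every failed attempt is recorded, which is the “login attempt failed” callout on the slide.

```python
"""Authenticating and authorising app-to-controller requests. Added example:
the request format, APP_KEYS and APP_PERMISSIONS are constructed, and
Controller is a hypothetical northbound API, not a real controller's."""
import hashlib
import hmac
import json
import os
import time

APP_KEYS = {                       # constructed: per-app secrets provisioned out of band
    "ddos-app": b"constructed-secret-ddos",
    "monitor-app": b"constructed-secret-monitor",
}
APP_PERMISSIONS = {                # constructed: least privilege per application
    "ddos-app": {"get_traffic_data", "reroute_flows"},
    "monitor-app": {"get_traffic_data"},
}
MAX_SKEW_SECONDS = 30              # how old a signed request may be before it is refused


def _canonical(app, op, params, ts, nonce):
    """Deterministic byte string over every field that must not be tampered with."""
    return json.dumps({"app": app, "op": op, "params": params, "ts": ts, "nonce": nonce},
                      sort_keys=True, separators=(",", ":")).encode()


def sign_request(app, op, params, key, ts=None, nonce=None):
    """Client side: build a request the controller can authenticate."""
    ts = int(time.time()) if ts is None else ts
    nonce = os.urandom(8).hex() if nonce is None else nonce
    mac = hmac.new(key, _canonical(app, op, params, ts, nonce), hashlib.sha256).hexdigest()
    return {"app": app, "op": op, "params": params, "ts": ts, "nonce": nonce, "mac": mac}


class Controller:
    def __init__(self, now=time.time):
        self.now = now
        self.seen_nonces = set()   # replay cache; a real one would expire entries past MAX_SKEW_SECONDS
        self.flow_table = []
        self.audit = []            # every refused request is logged, as on the slide

    def handle(self, req):
        app = req.get("app")
        key = APP_KEYS.get(app)
        # 1. authentication: unknown app or bad MAC is refused before anything else is read
        if key is None:
            return self._deny(req, "unknown application")
        expected = hmac.new(key, _canonical(app, req.get("op"), req.get("params"),
                                            req.get("ts"), req.get("nonce")),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(req.get("mac", ""))):
            return self._deny(req, "bad signature")
        if abs(self.now() - req["ts"]) > MAX_SKEW_SECONDS:
            return self._deny(req, "stale request")
        if req["nonce"] in self.seen_nonces:
            return self._deny(req, "replayed request")
        self.seen_nonces.add(req["nonce"])
        # 2. authorisation: an authenticated app may still only call what it was granted
        if req["op"] not in APP_PERMISSIONS.get(app, set()):
            return self._deny(req, "not authorised for " + req["op"])
        return self._dispatch(req)

    def _deny(self, req, reason):
        self.audit.append(f"login attempt failed: app={req.get('app')} op={req.get('op')} reason={reason}")
        return {"status": "denied", "reason": reason}

    def _dispatch(self, req):
        if req["op"] == "get_traffic_data":
            return {"status": "ok", "result": []}        # telemetry would be returned here
        if req["op"] == "reroute_flows":
            self.flow_table.append(dict(req["params"]))
            return {"status": "ok", "result": len(self.flow_table)}
        return self._deny(req, "unsupported operation")


if __name__ == "__main__":
    ctl = Controller()
    req = sign_request("ddos-app", "reroute_flows", {"dst": "203.0.113.10", "out_port": 9},
                       APP_KEYS["ddos-app"])
    print(ctl.handle(req))        # accepted
    print(ctl.handle(req))        # same request again: refused as a replay
    print("\n".join(ctl.audit))
```

The order of the checks matters: the MAC is verified before the timestamp, nonce or operation are trusted, so an unauthenticated sender learns nothing about which operations exist or which nonces have been used, and the constant-time compare_digest keeps the MAC check itself from leaking by timing. Swapping the shared key for a per-app client certificate on TLS gives the same two-stage structure with stronger key management.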

Page 69

Considerations

Page 70

Considerations

Detection:
How automated is your telemetry capture?
How automated is your threat analysis?
Are you limited by privacy considerations?

Page 71

Considerations

Detection:
How automated is your telemetry capture?
How automated is your threat analysis?
Are you limited by privacy considerations?

Response:
What actions are you willing to take in real time?
What actions should be one-click for a security analyst?

Page 72

Considerations

Detection:
How automated is your telemetry capture?
How automated is your threat analysis?
Are you limited by privacy considerations?

Response:
What actions are you willing to take in real time?
What actions should be one-click for a security analyst?

SDN:
What type of SDN can you use?
How SDN-ready is your network?
SDN security?

Page 73

Q & A

Page 74

Complete Your Online Session Evaluation

Give us your feedback and receive a Cisco Live 2014 Polo Shirt!

Complete your Overall Event Survey and 5 Session Evaluations.

Directly from your mobile device on the Cisco Live Mobile App

By visiting the Cisco Live Mobile Site www.ciscoliveaustralia.com/mobile

Visit any Cisco Live Internet Station located throughout the venue

Polo Shirts can be collected in the World of Solutions on Friday 21 March 12:00pm - 2:00pm

Learn online with Cisco Live!

Visit us online after the conference for full access to session videos and presentations.

www.CiscoLiveAPAC.com

Page 75