Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall

Transcription

1 Institute of Computer Science Chair of Communication Networks Prof. Dr.-Ing. P. Tran-Gia Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall comnet.informatik.uni-wuerzburg.de

2 SarDiNe Research Project Goal: Improve the security in enterprise and government networks based on SDN/NFV sardine-project.org Partners Associated Partners 2

3 Motivation External Network Internal Network 3

4 Motivation Active Standby External Network Internal Network 4

5 Motivation Active Standby External Network Internal Network 5

6 Motivation Active Standby External Network Internal Network 6

7 Motivation Active Standby External Network Internal Network 7

8 Motivation Active Standby External Network Internal Network 8

9 Motivation Active Standby External Network Internal Network 9

10 Motivation Active Standby External Network Internal Network 10

11 Motivation Active Standby External Network Internal Network Expensive hot standby 11

12 Motivation Active Standby External Network Internal Network Expensive hot standby Little internal defenses 12

13 Motivation Active Standby External Network Internal Network Expensive hot standby Little internal defenses Limited scalability 13

14 Motivation Active Standby External Network Internal Network 14

15 Motivation External Network Internal Network 15

16 Motivation External Network Internal Network 16

17 Motivation Active Active Active Active Active Active External Network Internal Network 17

18 Motivation Active Active Active Active Active Active External Network Internal Network Omni-present protection 18

19 Motivation Active Active Active Active Active Active External Network Internal Network Omni-present protection Scalable and resilient security solution 19

20 Motivation Active Active Active Active Active Active External Network Internal Network Omni-present protection Scalable and resilient security solution SDN and NFV provide the necessary means 20

21 Agenda Motivation Background Software-defined Networking (SDN) Network Function Virtualization (NFV) Omni-present SDN Firewall Fine-grained access control Scalable & resilient stateful firewalling Firewall offloading Demo Conclusion 21

22 BACKGROUND 22

23 Software-defined Networking (SDN) Key principles Separation of control and data plane Logically centralized control plane Open Interfaces Programmability Features Protocol independence Ability to dynamically adapt network parameters Granularity Elasticity Control Plane Southbound API Data Plane Use cases Cloud orchestration Network management Network security 23

24 SDN Packet Handling & Table Structure Rule Action Stats Forward packet to zero or more ports Encapsulate and forward to controller Send to normal processing pipeline Modify Fields Any extensions you add! Packet + Byte Counters Switch Port ICMPv4 Type Switch Phy Port ICMPv4 Code Meta data TCP Src ETH Dst TCP Dst ETH Src UDP Src ETH Type UDP Dst VLAN VID SCTP Src VLAN PCP SCTP Dst IP DSCP ARP OP IP ECN ARP SPA IP Proto ARP TPA IPv4 Src ARP SHA IPv4 Dst ARP THA Mask for match fields 24

25 SDN Modes of Operation Control Plane (CP) Reactive Southbound API Match Action Data Plane (DP) A *.* B CP 25

26 SDN Modes of Operation Control Plane (CP) Reactive Southbound API Match Action Data Plane (DP) A *.* B CP 26

27 SDN Modes of Operation Control Plane (CP) Reactive Southbound API Match Action Data Plane (DP) A *.* B CP 27

28 SDN Modes of Operation Control Plane (CP) Reactive Southbound API Match Action Data Plane (DP) A *.* B CP 28

29 SDN Modes of Operation Control Plane (CP) Reactive Southbound API Match Action Data Plane (DP) A *.* B CP 29

30 SDN Modes of Operation Control Plane (CP) Reactive Southbound API Match Action Data Plane (DP) *.* B CP A B 30

31 SDN Modes of Operation Control Plane (CP) Control Plane (CP) Reactive Southbound API Match Action Data Plane (DP) *.* B CP Proactive Southbound API Match Action Data Plane (DP) *.* CP A B A B 31

32 SDN Modes of Operation Control Plane (CP) Control Plane (CP) Reactive Southbound API Match Action Data Plane (DP) *.* B CP Proactive Southbound API Match Action Data Plane (DP) *.* CP A B A B 32

33 SDN Modes of Operation Control Plane (CP) Control Plane (CP) Reactive Southbound API Match Action Data Plane (DP) *.* B CP Proactive Southbound API Match Action Data Plane (DP) *.* B CP A B A B 33

34 SDN Modes of Operation Control Plane (CP) Control Plane (CP) Reactive Southbound API Match Action Data Plane (DP) *.* B CP Proactive Southbound API Match Action Data Plane (DP) *.* B CP A B A B 34

35 SDN Modes of Operation Control Plane (CP) Control Plane (CP) Reactive Southbound API Match Action Data Plane (DP) *.* B CP Proactive Southbound API Match Action Data Plane (DP) *.* B CP A B A B 35

36 Network Function Virtualization (NFV) Legacy networks are full of middle boxes Specialized hardware Deployed in the data path Limited scalability Load Balancers Network Monitoring Firewalls Traffic Shapers Network Function Virtualization Virtual applications Executed on COTS servers Cloud-ready 36

37 OMNI-PRESENT SDN FIREWALL 37

38 Fine-granular Access Control On-demand personalized virtual network BYOD scenario Strict flow isolation Minimized attack surface Technical implementation 2FA Authentication No MDM required 38

39 Shared State Scalable & Resilient Stateful Firewalling NFV-based stateful firewall Run as software in the cloud Dynamic n+1 protection Technical implementation SDN switch as load balancer State decoupled from workers SDN Controller Configuration & Health Checks FW-VNF OpenFlow FW-VNF FW-VNF SDN Switch FW-VNF Private Cloud 39

40 Firewall Offloading Dynamic firewall offloading Offload trusted flows to relief VNFs No noticeable service degradation Technical implementation Optimizer selects flows with a high performance impact Switches act as stateless packet filters Performed in the fast path at line rate 40

41 Omni-present SDN Firewall SDN Controller Network Management System Cloud Management System Internal Network AAA FW VNF SDN Switch SDN Switch Services Private Cloud 41

42 Omni-present SDN Firewall SDN Controller Network Management System Cloud Management System Internal Network AAA FW VNF SDN Switch SDN Switch Services Private Cloud 42

43 Omni-present SDN Firewall Available Services SDN Controller Network Management System Cloud Management System Internal Network AAA FW VNF SDN Switch SDN Switch Services Private Cloud 43

44 Omni-present SDN Firewall Available Services SDN Controller Network Management System Cloud Management System Internal Network AAA FW VNF SDN Switch SDN Switch Services Private Cloud 44

45 Omni-present SDN Firewall Available Services SDN Controller Network Management System Cloud Management System Internal Network AAA FW VNF FW VNF Shared State SDN Switch SDN Switch Services Private Cloud 45

46 Omni-present SDN Firewall Available Services SDN Controller Network Management System Cloud Management System Internal Network AAA FW VNF FW VNF Shared State SDN Switch SDN Switch Services Private Cloud 46

47 Demo Setup 47

48 Fine-granular Access Control Network Services Access Control SDN Controller 48

49 NFV Monitoring Virtual Network Functions 49

50 Fast Failover Firewall VNF Resiliency 50

51 Offloading of Trusted Flows Firewall VNF Offloading 51

52 CONCLUSION 52

53 Conclusion 53

54 Conclusion Advanced DDoS Mitigation Fine-granular Flow Control Scalable Security Solutions Reduced Management Efforts 54

55 Conclusion Complex Architecture Fast development rates New Technology Large Software Projects Advanced DDoS Mitigation Fine-granular Flow Control Scalable Security Solutions Reduced Management Efforts 55

56 Conclusion Complex Architecture Fast development rates New Technology Large Software Projects Advanced DDoS Mitigation Fine-granular Flow Control Scalable Security Solutions Reduced Management Efforts Both sides of the scale need to be addressed 56

57 Conclusion Complex Architecture Fast development rates New Technology Large Software Projects Advanced DDoS Mitigation Fine-granular Flow Control Scalable Security Solutions Reduced Management Efforts Both sides of the scale need to be addressed In our opinion the benefits will outweigh the challenges Tight integration of quality assurance in the deployment stage Adaptation of software testing methods to the networking domain 57

58 Sources Michael Jarschel, Thomas Zinner, Tobias Hoßfeld, Phuoc Tran-Gia, Wolfgang Kellerer, Interfaces, Attributes, and Use Cases: A Compass for SDN, IEEE Communications Magazine, 52, 2014 Gebert, S., Zinner, T., Gray, N., Durner, R., Lorenz, C., Lange, S., Demonstrating a Personalized Secure-By-Default Bring Your Own Device Solution Based on Software Defined Networking, International Teletraffic Congress (ITC 28), 2016 Lorenz, C., Hock, D., Scherer, J., Durner, R., Kellerer, W., Gebert, S., Gray, N., Zinner, T., Tran-Gia, P., An SDN/NFV-enabled Enterprise Network Architecture Offering Fine-Grained Security Policy Enforcement, IEEE Communications Magazine. 55, (2017) Gray, N., Lorenz, C., Müssig, A., Gebert, S., Zinner, T., Tran-Gia, P., A Priori State Synchronization for Fast Failover of Stateful Firewall VNFs, Workshop on Software-Defined Networking and Network Function Virtualization for Flexible Network Management, SDNFlex 2017 Pfaff B., Scherer J., Hock D., Gray N., Zinner T., Tran-Gia P., Durner R., Kellerer R., Lorenz C., SDN/NFV-enabled Security Architecture for Fine-grained Policy Enforcement and Threat Mitigation for Enterprise, ACM SIGCOMM Computer Communication Review,