SDN Security BRKSEC Alok Mittal Security Business Group, Cisco

Transcription

1

2 SDN Security Alok Mittal Security Business Group, Cisco

3 Security at the Speed of the Network Automating and Accelerating Security Through SDN Countering threats is complex and difficult. Software Defined Networking (SDN) offers a way to respond to attacks with the speed of the network: tying together the visibility provided by the network, and the control provided by SDN, with intelligent automation. This breakout session is targeting Network and Security professionals looking for how SDN can improve their network security architecture.

4 Agenda Introduction to Current Security Challenges Introduction to Software Defined Networking Bringing the two together How SDN can help in solving security challenges SDN Security Components Securing SDN 4

5 Introduction to Security Challenges 5

6 MOBILITY CLOUD THREAT 2013 Cisco and/or its affiliates. All rights reserved. Cisco Internal Use 6

7 Any Device to Any Cloud PUBLIC CLOUD HYBRID CLOUD PRIVATE CLOUD

8 The Threat Landscape is Evolving Enterprise Response Antivirus (Host- Based) IDS/IPS (Network Perimeter) Reputation (Global) and Sandboxing Intelligence and Analytics (Cloud) Worms Spyware and Rootkits APTs Cyberware Increased Attack Surface Tomorrow

9 The Security Problem Changing Business Models Dynamic Threat Landscape Complexity and Fragmentation

10 The New Security Model Attack Continuum BEFORE Discover Enforce Harden DURING Detect Block Defend AFTER Scope Contain Remediate Network Endpoint Mobile Virtual Cloud Point in Time Continuous

11 BEFORE DURING AFTER Policy Access Control Netflow, Log, and DNS Monitoring Content Inspection Threat Analytics Behaviour Anomaly Detection Contain Fix

12 Manual Security Processes AFTER DURING BEFORE

13 SDN Automation: the Speed of the Network AFTER DURING Threat Analytics BEFORE Control Visibility

14 Brief Introduction to SDN 14

15 Introduction to Software Defined Networking (SDN)? Many Definitions Openflow Controller Openstack Overlays Network virtualisation Automation APIs Application oriented Virtual Services Open vswitch

16 Software Defined Networking (SDN) Controller Spine Nodes Spine FC 1 Spine FC 2 Spine FC 3 Spine FC 4 Spine FC 5 Supervisor - Control Fabric Cards - Forwarding Line Cards - Services Leaf LC 1 Leaf LC 2 Leaf LC 3 Leaf LC 4 Leaf LC 5 Leaf LC 6 Leaf LC 7 Leaf LC 8 Leaf LC 9 Leaf LC 10 Leaf LC 11 Leaf LC 12 Leaf LC 13 Leaf LC 14 Leaf LC 15 Leaf LC 16 Leaf Nodes Cisco Confidential

17 Basic Definitions What Is Software Defined Network (SDN)? In the SDN architecture, the control and data planes are decoupled, network intelligence and state are logically centralised, and the underlying network infrastructure is abstracted from the applications Note: SDN is not mandatory for network programmability nor automation Source: What is OpenStack? Opensource software for building public and private Clouds; includes Compute (Nova), Networking (Quantum) and Storage (Swift) services. Note: Applicable to SDN and non-sdn networks Source: What Is OpenFlow? Open protocol that specifies interactions between de-coupled control and data planes Note: OF is not mandatory for SDN Note: North-bound Controller APIs are vendor-specific What is Overlay Network? Overlay network is created on existing network infrastructure (physical and/or virtual) using a network protocol. Examples of overlay network protocol are: GRE, VPLS, OTV, LISP and VXLAN Note: Applicable to SDN and non-sdn networks

18 Basic Architecture in all Models 18

19 Key SDN Goals and Concepts There is a controller than centralises network configuration and attempts to makes networks easier to provision and configure Network intelligence and state are logically centralised, and the underlying network infrastructure is abstracted from the applications Enables automation - to better able to respond to the changing needs of business applications and users Examples - Network topology changes can be made without manually reconfiguring network devices Based on application requirements, virtual networks can be created Security controls do not have to physically exist at a particular network location

20 Network Programmability Network Monitoring Bandwidth Management Load Balancing

21 Network Programmability Network Monitoring Bandwidth Management Load Balancing SNMP CLI NetFlow

22 Network Programmability Network Monitoring Bandwidth Management Load Balancing SNMP CLI NetFlow Heterogeneous devices Inconsistent data models :-(

23 Network Programmability Network Monitoring Bandwidth Management Load Balancing Programmatic Interfaces onepk

24 Network Programmability Network Monitoring Bandwidth Management Load Balancing Programmatic Interfaces onepk Multiple topology models No policy resolution :-(

25 Network Programmability Network Monitoring Bandwidth Management Load Balancing Programmatic Interface Controller onepk OpenFlow

26 Network Programmability Network Monitoring Bandwidth Management Load Balancing Programmatic Interface Controller Topological awareness onepk OpenFlow Policy resolution :-)

27 Cisco SDN Solves challenging next generation customer problems in Data Centre, Access and WAN Provide network wide abstraction Provide Business Agility so customer can roll out new applications and services quickly and cost effectively Automate infrastructure provisioning based on application policy profiles Secure multi-tenancy with centralised compliance and auditing Provide Open APIs for integration with existing systems and enabling a vast ecosystem of partners

28 Cisco Controllers Open Day Light (ODL) Open Source OpenFlow onepk

29 Credit: The Open DayLight Project, Inc.

30 Cisco Controllers Open Day Light (ODL) Application Policy Infrastructure Controller (APIC) Open Source OpenFlow onepk Application Centric Infrastructure Fabric Physical, Virtual, and Cloud Open APIs OpenStack

31 Programmability Across Multiple Controllers Datacentre ODL Controller APIC Controller App App

32 Programmability Across Multiple Controllers Threat Defence Security Policy Datacentre ODL Controller APIC Controller App App

33 Application Centric Infrastructure 33

34 Application Centric Infrastructure Fabric Single Point of Management Flat Hardware Accelerated Network Intelligent Fabric Physical Fabric Traversal Flexible Insertion blade1 blade2 slot 1 blade3 slot 2 blade4 slot 3 blade5 slot 4 blade6 slot 5 blade7 slot 6 blade8 slot 7 slot 8 Single Pass Firewalling with Flow- Specific Policy Files Users Logical Endpoint Groups by Role

35 End Point Groups Simplify Policy Web App DB EPG 2 EPG 3 EPG 4 35

36 Service Insertion and ACI End Point Groups Internet EPG 1 Contract Contract Contract Web App DB EPG 2 EPG 3 EPG 4 ACL, Inspect HTTP, etc EPG 1 ASA EPG 2 Load Balancer EPG 3 EPG 4 Image from ACI at-a-glance Credit: Sean Xun Wang

37 SDN and Security 37

38 Simple Example - DDoS Mitigation DDoS Detection Application DDoS Application to SDN Controller: Give me the network traffic data DDoS Application to SDN Controller: I see an attack: Redirect the traffic for this flow to a Scrubber Cisco ONE Controller Telemetry Reroute Flows SP Load Balancer SSL/TLS Web App Termination Firewall Enterprise DDoS Scrubber

39 ODL Monitor Manager ODL Controller Nexus 3000 Tap Aggregation Switch SPAN Sensitive Data

40 ODL Monitor Manager ODL Controller Nexus 3000 Tap Aggregation Switch SPAN Sensitive Data

41 ODL Monitor Manager Monitoring Application ODL Controller Nexus 3000 Tap Aggregation Switch SPAN Sensitive Data

42 ODL Monitor Manager Monitoring Application ODL Controller Filter, Replicate, or Tag Traffic Nexus 3000 Tap Aggregation Switch SPAN Sensitive Data

43 What SDN Promises for Security SIMPLIFY POLICY form a trusted path from user to application CONVERGE INTELLIGENCE to more centralised security services LEVERAGE THE NETWORK FOOTPRINT to redirect traffic, identify and block new and unknown threats

44 SIMPLIFY POLICY Trusted Path from User to Application Simplify Network Segmentation End-to-end VLANs Extend network segments over distance Benefits Data confidentiality Multi-tenancy 2013 Cisco and/or its affiliates. All rights reserved. Cisco Internal Use 44

45 CONVERGE INTELLIGENCE Bring Network Flows to Central Security Services Benefits Make the network far less complex 2013 Cisco and/or its affiliates. All rights reserved. Cisco Internal Use 45

46 LEVERAGE THE NETWORK FOOTPRINT Redirect Traffic for Analysis Automatically Identify Infected hosts for quarantine and remediation Dynamically provision network for threat protection Benefits Enhanced network visibility Dynamic threat response 2013 Cisco and/or its affiliates. All rights reserved. Cisco Internal Use 46

47 SDN Exposes Network Value Automation Visibility Flow Management POLICY Orchestration ANALYTICS Program for Optimised Experience Harvest Network Intelligence Network

48 Threat Defence Containment Service Open Flow ODL Controller Identity Context Manager onepk pxgrid Identity Services Engine Catalyst 3850 Nexus ASA Sensitive Data

49 Threat Defence Containment Service Open Flow ODL Controller Identity Context Manager onepk pxgrid Identity Services Engine Catalyst 3850 Nexus ASA Sensitive Data

50 Threat Defence Containment Service Open Flow ODL Controller Identity Context Manager onepk pxgrid Identity Services Engine Netflow Catalyst 3850 Nexus ASA Sensitive Data

51 TAG Threat Defence Containment Service Open Flow ODL Controller Identity Context Manager onepk pxgrid Identity Services Engine SDN Control Catalyst 3850 Nexus ASA Sensitive Data

52 Threat Defence Containment Service Open Flow ODL Controller Identity Context Manager onepk pxgrid Security Group Tag = SUSPICIOUS Identity Services Engine Catalyst 3850 Nexus ASA Sensitive Data

53 INSPECT Threat Defence Inspection Containment Service Open Flow ODL Controller Identity Context Manager onepk pxgrid Identity Services Engine SDN Control Catalyst 3850 Nexus ASA Sensitive Data

54 Contain Threat Defence Containment Containment Service Open Flow ODL Controller Identity Context Manager onepk pxgrid Identity Services Engine SDN Control Catalyst 3850 Nexus ASA Sensitive Data

55 BLOCK Threat Defence Containment Service Open Flow ODL Controller Identity Context Manager onepk pxgrid Identity Services Engine SDN Control Catalyst 3850 Nexus ASA Sensitive Data

56 SDN Security Components 56

57 SDN Security Components SDN Applications Cisco Cloud Threat Defence Security Application Third Party Application SDN Security Infrastructure Network Services Security Identity Service Abstraction Layer pxgrid Identity Services Engine Open Flow ONEPK I2RS Security Plugin Network Elements Security Elements Virtual Machines 57

58 SDN Security Components Next Generation Defence Centre, PRSM, CSM SDN Applications Cisco Cloud Threat Defence Security Application Third Party Application SDN Security Infrastructure Network Services Security Identity Service Abstraction Layer pxgrid Identity Services Engine Open Flow ONEPK I2RS Security Plugin Network Elements Security Elements Virtual Machines 58

59 Threat Defence Services Network Capabilities OpenFlow onepk ASA Plugin VLAN SGT VxLAN ISE 59

60 Threat Defence Services Application View Targeted Blocking Targeted Inspection Targeted Rate Limiting Targeted Packet Capture Targeted File Capture Targeted Confinement Targeted Enforcement Network Capabilities OpenFlow onepk ASA Plugin VLAN SGT VxLAN ISE 60

61 Security Services Through SDN Audit Recording Monitoring Inspection Rate Limiting DDoS Scrubbing Quarantine Active Web Firewall Blocking 61

62 Security Services Through SDN Effective Timely Audit Recording Monitoring Inspection Rate Limiting DDoS Scrubbing Quarantine Active Web Firewall Blocking 62

63 Security Services Through SDN Effective Timely Audit Recording Monitoring Inspection Rate Limiting DDoS Scrubbing Quarantine Active Web Firewall Blocking Non-invasive 63

64 Network Controller Reconciles Mitigations Against the Needs of Mission-critical Applications Mitigations from Security System Application and Network Requirements 64

65 Securing SDN 65

66 Threats to an SDN System App 1 App 2 App 3 Controller Spoofing Controller to Network Element Communication

67 Threats to an SDN System App 1 App 2 App 3 Controller Spoofing App to Controller Communication Spoofing Controller to Network Element Communication

68 Securing SDN login attempt failed App 1 App 2 App 3 Controller Authentication Authorisation

69 Considerations 69

70 Considerations Detection How automated is your telemetry capture? How automated is your threat analysis? Are you limited by privacy considerations? 70

71 Considerations Detection Response How automated is your telemetry capture? What actions are you willing to take in real time? How automated is your threat analysis? Are you limited by privacy considerations? What actions should be one-click for a security analyst? 71

72 Considerations Detection Response SDN How automated is your telemetry capture? How automated is your threat analysis? Are you limited by privacy considerations? What actions are you willing to take in real time? What actions should be one-click for a security analyst? What type of SDN can you use? How SDN-ready is your network? SDN security? 72

73 Q & A

74 Complete Your Online Session Evaluation Give us your feedback and receive a Cisco Live 2014 Polo Shirt! Complete your Overall Event Survey and 5 Session Evaluations. Directly from your mobile device on the Cisco Live Mobile App By visiting the Cisco Live Mobile Site Visit any Cisco Live Internet Station located throughout the venue Polo Shirts can be collected in the World of Solutions on Friday 21 March 12:00pm - 2:00pm Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations.

75