SDN Security BRKSEC Alok Mittal Security Business Group, Cisco

Similar documents
MAKING THE CLOUD A SECURE EXTENSION OF YOUR DATACENTER

Evolution of Data Center Security Automated Security for Today s Dynamic Data Centers

Intelligent Cybersecurity for the Real World Scott Lovett Vice President, Global Security Sales

Segmentation. Threat Defense. Visibility

Cisco CloudCenter Solution with Cisco ACI: Common Use Cases

Cisco Application Centric Infrastructure

Cisco Application Centric Infrastructure and Microsoft SCVMM and Azure Pack

2018 Cisco and/or its affiliates. All rights reserved.

Cisco Nexus Data Broker

The Next Opportunity in the Data Centre

Policy Driven Data Centre with ACI

Cisco Cyber Range. Paul Qiu Senior Solutions Architect

Presenting the VMware NSX ECO System May Geert Bussé Westcon Group Solutions Sales Specialist, Northern Europe

Pradeep Kathail Chief Software Architect Network Operating Systems Technology Group, Cisco Systems Inc.

Cisco Application Centric Infrastructure Roadshow. Wednesday, 2. April 14

Borderless Networks. Tom Schepers, Director Systems Engineering

Deploying Cloud Network Services Prime Network Services Controller (formerly VNMC)

Cisco UCS Director and ACI Advanced Deployment Lab

Več kot SDN - SDA arhitektura v uporabniških omrežjih

Orchestrating the Cloud Infrastructure using Cisco Intelligent Automation for Cloud

Cisco SDN 解决方案 ACI 的基本概念

Cisco Cloud Architecture with Microsoft Cloud Platform Peter Lackey Technical Solutions Architect PSOSPG-1002

Cisco Firepower NGFW. Anticipate, block, and respond to threats

ProgrammableFlow: OpenFlow Network Fabric

DEFINING SECURITY FOR TODAY S CLOUD ENVIRONMENTS. Security Without Compromise

Data Center Security. Fuat KILIÇ Consulting Systems

The Need In today s fast-paced world, the growing demand to support a variety of applications across the data center and help ensure the compliance an

The Internet of Everything is changing Everything

Drive Greater Value from Your Cisco Deployment with Radware Solutions

Deploy Microsoft SQL Server 2014 on a Cisco Application Centric Infrastructure Policy Framework

Cisco Software-Defined Access

PSOACI Why ACI: An overview and a customer (BBVA) perspective. Technology Officer DC EMEAR Cisco

Intuit Application Centric ACI Deployment Case Study

DevNet Technical Breakout: Introduction to ACI Programming and APIs.

AlgoSec: How to Secure and Automate Your Heterogeneous Cisco Environment

Using Event-Driven SDN for Dynamic DDoS Mitigation

Securing Cisco s Network

Cisco Self Defending Network

Service Graph Design with Cisco Application Centric Infrastructure

Systems Engineering for Software-Defined Network Virtualisation. John Risson, Solutions Engineering Manager IP and Transport Engineering, Telstra

ACI Terminology. This chapter contains the following sections: ACI Terminology, on page 1. Cisco ACI Term. (Approximation)

Fast IT - Policy Driven Infrastructure for the Intercloud World

Sourcefire Network Security Analytics: Finding the Needle in the Haystack

Real World ACI Deployment and Migration

Identity Based Network Access

Design and Deployment of SourceFire NGIPS and NGFWL

One Platform Kit: The Power to Innovate

Cisco Application Centric Infrastructure (ACI) - Endpoint Groups (EPG) Usage and Design

STRATEGIC WHITE PAPER. Securing cloud environments with Nuage Networks VSP: Policy-based security automation and microsegmentation overview

Key Security Measures to Enable Next-Generation Data Center Transformation

BROCADE CLOUD-OPTIMIZED NETWORKING: THE BLUEPRINT FOR THE SOFTWARE-DEFINED NETWORK

OpenFlow: What s it Good for?

Cisco Nexus 1000V Switch for Microsoft Hyper-V

Cisco Application Centric Infrastructure (ACI) Simulator

DELL EMC VSCALE FABRIC

Cisco Next Generation Firewall and IPS. Dragan Novakovic Security Consulting Systems Engineer

Cisco pxgrid: A New Architecture for Security Platform Integration

Cisco Extensible Network Controller

Build application-centric data centers to meet modern business user needs

Cisco ACI Terminology ACI Terminology 2

Integration of Multi-Hypervisors with Application Centric Infrastructure

Cisco Tetration Analytics

ONUG SDN Federation/Operability

Solution Overview Cisco Tetration Analytics and AlgoSec: Business Application Connectivity Visibility, Policy Enforcement, and Business-Based Risk and

Sichere Applikations- dienste

Cisco Modelling Labs Lessons from a Virtual World

METAFABRIC ARCHITECTURE A SIMPLE, OPEN, AND SMART NETWORK FOR THE DATA CENTER

Quantum, network services for Openstack. Salvatore Orlando Openstack Quantum core developer

How a Programmable Network and SDN Help Solve Critical Security Infrastructure Requirements

Cisco Application Policy Infrastructure Controller Data Center Policy Model

Cisco Unified Data Center Strategy

Design Guide for Cisco ACI with Avi Vantage

Service Provider Security Architecture

Cisco Network Admission Control (NAC) Solution

How your network can take on the cloud and win. Think beyond traditional networking toward a secure digital perimeter

The Virtualisation Security Journey: Beyond Endpoint Security with VMware and Symantec

SYMANTEC DATA CENTER SECURITY

Cisco Tetration Analytics Demo. Ing. Guenter Herold Area Manager Datacenter Cisco Austria GmbH

Data Center and Cloud Automation

Cisco Secure Access Control

Security Overview and Cisco ACE Replacement

Service Insertion with ACI using F5 iworkflow

Micro Focus Network Operations Management Suite Supports SDN and Network Virtualization Engineering and Operations

Internet of Things. Tanja Hess Consulting Systems Engineer 2nd June 2016

VXLAN Overview: Cisco Nexus 9000 Series Switches

VMware vcloud Networking and Security Overview

Next generation branch with SD-WAN and NFV

Cisco Cyber Threat Defense Solution 1.0

Threat Detection and Mitigation for IoT Systems using Self Learning Networks (SLN)

Cisco Data Center Network Manager 5.1

Securing the Empowered Branch with Cisco Network Admission Control. September 2007

Cisco ACI Multi-Site, Release 1.1(1), Release Notes

The Transformation of Media & Broadcast Video Production to a Professional Media Network

APNIC elearning: SDN Fundamentals

Security by Default: Enabling Transformation Through Cyber Resilience

Cisco ACI App Center. One Platform, Many Applications. Overview

Cisco Software-Defined Access

ADVANCED SECURITY MECHANISMS TO PROTECT ASSETS AND NETWORKS: SOFTWARE-DEFINED SECURITY

Cisco Enterprise Cloud Suite Overview Cisco and/or its affiliates. All rights reserved.

TEN ESSENTIAL NETWORK VIRTUALIZATION DEFINITIONS

Transcription:

SDN Security Alok Mittal Security Business Group, Cisco

Security at the Speed of the Network Automating and Accelerating Security Through SDN Countering threats is complex and difficult. Software Defined Networking (SDN) offers a way to respond to attacks with the speed of the network: tying together the visibility provided by the network, and the control provided by SDN, with intelligent automation. This breakout session is targeting Network and Security professionals looking for how SDN can improve their network security architecture.

Agenda Introduction to Current Security Challenges Introduction to Software Defined Networking Bringing the two together How SDN can help in solving security challenges SDN Security Components Securing SDN 4

Introduction to Security Challenges 5

MOBILITY CLOUD THREAT 2013 Cisco and/or its affiliates. All rights reserved. Cisco Internal Use 6

Any Device to Any Cloud PUBLIC CLOUD HYBRID CLOUD PRIVATE CLOUD

The Threat Landscape is Evolving Enterprise Response Antivirus (Host- Based) IDS/IPS (Network Perimeter) Reputation (Global) and Sandboxing Intelligence and Analytics (Cloud) Worms Spyware and Rootkits APTs Cyberware Increased Attack Surface 2000 2005 2010 Tomorrow

The Security Problem Changing Business Models Dynamic Threat Landscape Complexity and Fragmentation

The New Security Model Attack Continuum BEFORE Discover Enforce Harden DURING Detect Block Defend AFTER Scope Contain Remediate Network Endpoint Mobile Virtual Cloud Point in Time Continuous

BEFORE DURING AFTER Policy Access Control Netflow, Log, and DNS Monitoring Content Inspection Threat Analytics Behaviour Anomaly Detection Contain Fix

Manual Security Processes AFTER DURING BEFORE

SDN Automation: the Speed of the Network AFTER DURING Threat Analytics BEFORE Control Visibility

Brief Introduction to SDN 14

Introduction to Software Defined Networking (SDN)? Many Definitions Openflow Controller Openstack Overlays Network virtualisation Automation APIs Application oriented Virtual Services Open vswitch

Software Defined Networking (SDN) Controller Spine Nodes Spine FC 1 Spine FC 2 Spine FC 3 Spine FC 4 Spine FC 5 Supervisor - Control Fabric Cards - Forwarding Line Cards - Services Leaf LC 1 Leaf LC 2 Leaf LC 3 Leaf LC 4 Leaf LC 5 Leaf LC 6 Leaf LC 7 Leaf LC 8 Leaf LC 9 Leaf LC 10 Leaf LC 11 Leaf LC 12 Leaf LC 13 Leaf LC 14 Leaf LC 15 Leaf LC 16 Leaf Nodes Cisco Confidential

Basic Definitions What Is Software Defined Network (SDN)? In the SDN architecture, the control and data planes are decoupled, network intelligence and state are logically centralised, and the underlying network infrastructure is abstracted from the applications Note: SDN is not mandatory for network programmability nor automation Source: www.opennetworking.org What is OpenStack? Opensource software for building public and private Clouds; includes Compute (Nova), Networking (Quantum) and Storage (Swift) services. Note: Applicable to SDN and non-sdn networks Source: www.openstack.org What Is OpenFlow? Open protocol that specifies interactions between de-coupled control and data planes Note: OF is not mandatory for SDN Note: North-bound Controller APIs are vendor-specific What is Overlay Network? Overlay network is created on existing network infrastructure (physical and/or virtual) using a network protocol. Examples of overlay network protocol are: GRE, VPLS, OTV, LISP and VXLAN Note: Applicable to SDN and non-sdn networks

Basic Architecture in all Models 18

Key SDN Goals and Concepts There is a controller than centralises network configuration and attempts to makes networks easier to provision and configure Network intelligence and state are logically centralised, and the underlying network infrastructure is abstracted from the applications Enables automation - to better able to respond to the changing needs of business applications and users Examples - Network topology changes can be made without manually reconfiguring network devices Based on application requirements, virtual networks can be created Security controls do not have to physically exist at a particular network location

Network Programmability Network Monitoring Bandwidth Management Load Balancing

Network Programmability Network Monitoring Bandwidth Management Load Balancing SNMP CLI NetFlow

Network Programmability Network Monitoring Bandwidth Management Load Balancing SNMP CLI NetFlow Heterogeneous devices Inconsistent data models :-(

Network Programmability Network Monitoring Bandwidth Management Load Balancing Programmatic Interfaces onepk

Network Programmability Network Monitoring Bandwidth Management Load Balancing Programmatic Interfaces onepk Multiple topology models No policy resolution :-(

Network Programmability Network Monitoring Bandwidth Management Load Balancing Programmatic Interface Controller onepk OpenFlow

Network Programmability Network Monitoring Bandwidth Management Load Balancing Programmatic Interface Controller Topological awareness onepk OpenFlow Policy resolution :-)

Cisco SDN Solves challenging next generation customer problems in Data Centre, Access and WAN Provide network wide abstraction Provide Business Agility so customer can roll out new applications and services quickly and cost effectively Automate infrastructure provisioning based on application policy profiles Secure multi-tenancy with centralised compliance and auditing Provide Open APIs for integration with existing systems and enabling a vast ecosystem of partners

Cisco Controllers Open Day Light (ODL) Open Source OpenFlow onepk

Credit: The Open DayLight Project, Inc.

Cisco Controllers Open Day Light (ODL) Application Policy Infrastructure Controller (APIC) Open Source OpenFlow onepk Application Centric Infrastructure Fabric Physical, Virtual, and Cloud Open APIs OpenStack

Programmability Across Multiple Controllers Datacentre ODL Controller APIC Controller App App

Programmability Across Multiple Controllers Threat Defence Security Policy Datacentre ODL Controller APIC Controller App App

Application Centric Infrastructure 33

Application Centric Infrastructure Fabric Single Point of Management Flat Hardware Accelerated Network Intelligent Fabric Physical Fabric Traversal Flexible Insertion blade1 blade2 slot 1 blade3 slot 2 blade4 slot 3 blade5 slot 4 blade6 slot 5 blade7 slot 6 blade8 slot 7 slot 8 Single Pass Firewalling with Flow- Specific Policy Files Users Logical Endpoint Groups by Role

End Point Groups Simplify Policy Web App DB EPG 2 EPG 3 EPG 4 35

Service Insertion and ACI End Point Groups Internet EPG 1 Contract Contract Contract Web App DB EPG 2 EPG 3 EPG 4 ACL, Inspect HTTP, etc EPG 1 ASA EPG 2 Load Balancer EPG 3 EPG 4 Image from ACI at-a-glance Credit: Sean Xun Wang

SDN and Security 37

Simple Example - DDoS Mitigation DDoS Detection Application DDoS Application to SDN Controller: Give me the network traffic data DDoS Application to SDN Controller: I see an attack: Redirect the traffic for this flow to a Scrubber Cisco ONE Controller Telemetry Reroute Flows SP Load Balancer SSL/TLS Web App Termination Firewall Enterprise DDoS Scrubber

ODL Monitor Manager ODL Controller Nexus 3000 Tap Aggregation Switch SPAN Sensitive Data

ODL Monitor Manager ODL Controller Nexus 3000 Tap Aggregation Switch SPAN Sensitive Data

ODL Monitor Manager Monitoring Application ODL Controller Nexus 3000 Tap Aggregation Switch SPAN Sensitive Data

ODL Monitor Manager Monitoring Application ODL Controller Filter, Replicate, or Tag Traffic Nexus 3000 Tap Aggregation Switch SPAN Sensitive Data

What SDN Promises for Security SIMPLIFY POLICY form a trusted path from user to application CONVERGE INTELLIGENCE to more centralised security services LEVERAGE THE NETWORK FOOTPRINT to redirect traffic, identify and block new and unknown threats

SIMPLIFY POLICY Trusted Path from User to Application Simplify Network Segmentation End-to-end VLANs Extend network segments over distance Benefits Data confidentiality Multi-tenancy 2013 Cisco and/or its affiliates. All rights reserved. Cisco Internal Use 44

CONVERGE INTELLIGENCE Bring Network Flows to Central Security Services Benefits Make the network far less complex 2013 Cisco and/or its affiliates. All rights reserved. Cisco Internal Use 45

LEVERAGE THE NETWORK FOOTPRINT Redirect Traffic for Analysis Automatically Identify Infected hosts for quarantine and remediation Dynamically provision network for threat protection Benefits Enhanced network visibility Dynamic threat response 2013 Cisco and/or its affiliates. All rights reserved. Cisco Internal Use 46

SDN Exposes Network Value Automation Visibility Flow Management POLICY Orchestration ANALYTICS Program for Optimised Experience Harvest Network Intelligence Network

Threat Defence Containment Service Open Flow ODL Controller Identity Context Manager onepk pxgrid Identity Services Engine Catalyst 3850 Nexus ASA Sensitive Data

Threat Defence Containment Service Open Flow ODL Controller Identity Context Manager onepk pxgrid Identity Services Engine Catalyst 3850 Nexus ASA Sensitive Data

Threat Defence Containment Service Open Flow ODL Controller Identity Context Manager onepk pxgrid Identity Services Engine Netflow Catalyst 3850 Nexus ASA Sensitive Data

TAG Threat Defence Containment Service Open Flow ODL Controller Identity Context Manager onepk pxgrid Identity Services Engine SDN Control Catalyst 3850 Nexus ASA Sensitive Data

Threat Defence Containment Service Open Flow ODL Controller Identity Context Manager onepk pxgrid Security Group Tag = SUSPICIOUS Identity Services Engine Catalyst 3850 Nexus ASA Sensitive Data

INSPECT Threat Defence Inspection Containment Service Open Flow ODL Controller Identity Context Manager onepk pxgrid Identity Services Engine SDN Control Catalyst 3850 Nexus ASA Sensitive Data

Contain Threat Defence Containment Containment Service Open Flow ODL Controller Identity Context Manager onepk pxgrid Identity Services Engine SDN Control Catalyst 3850 Nexus ASA Sensitive Data

BLOCK Threat Defence Containment Service Open Flow ODL Controller Identity Context Manager onepk pxgrid Identity Services Engine SDN Control Catalyst 3850 Nexus ASA Sensitive Data

SDN Security Components 56

SDN Security Components SDN Applications Cisco Cloud Threat Defence Security Application Third Party Application SDN Security Infrastructure Network Services Security Identity Service Abstraction Layer pxgrid Identity Services Engine Open Flow ONEPK I2RS Security Plugin Network Elements Security Elements Virtual Machines 57

SDN Security Components Next Generation Defence Centre, PRSM, CSM SDN Applications Cisco Cloud Threat Defence Security Application Third Party Application SDN Security Infrastructure Network Services Security Identity Service Abstraction Layer pxgrid Identity Services Engine Open Flow ONEPK I2RS Security Plugin Network Elements Security Elements Virtual Machines 58

Threat Defence Services Network Capabilities OpenFlow onepk ASA Plugin VLAN SGT VxLAN ISE 59

Threat Defence Services Application View Targeted Blocking Targeted Inspection Targeted Rate Limiting Targeted Packet Capture Targeted File Capture Targeted Confinement Targeted Enforcement Network Capabilities OpenFlow onepk ASA Plugin VLAN SGT VxLAN ISE 60

Security Services Through SDN Audit Recording Monitoring Inspection Rate Limiting DDoS Scrubbing Quarantine Active Web Firewall Blocking 61

Security Services Through SDN Effective Timely Audit Recording Monitoring Inspection Rate Limiting DDoS Scrubbing Quarantine Active Web Firewall Blocking 62

Security Services Through SDN Effective Timely Audit Recording Monitoring Inspection Rate Limiting DDoS Scrubbing Quarantine Active Web Firewall Blocking Non-invasive 63

Network Controller Reconciles Mitigations Against the Needs of Mission-critical Applications Mitigations from Security System Application and Network Requirements 64

Securing SDN 65

Threats to an SDN System App 1 App 2 App 3 Controller Spoofing Controller to Network Element Communication

Threats to an SDN System App 1 App 2 App 3 Controller Spoofing App to Controller Communication Spoofing Controller to Network Element Communication

Securing SDN login attempt failed App 1 App 2 App 3 Controller Authentication Authorisation

Considerations 69

Considerations Detection How automated is your telemetry capture? How automated is your threat analysis? Are you limited by privacy considerations? 70

Considerations Detection Response How automated is your telemetry capture? What actions are you willing to take in real time? How automated is your threat analysis? Are you limited by privacy considerations? What actions should be one-click for a security analyst? 71

Considerations Detection Response SDN How automated is your telemetry capture? How automated is your threat analysis? Are you limited by privacy considerations? What actions are you willing to take in real time? What actions should be one-click for a security analyst? What type of SDN can you use? How SDN-ready is your network? SDN security? 72

Q & A

Complete Your Online Session Evaluation Give us your feedback and receive a Cisco Live 2014 Polo Shirt! Complete your Overall Event Survey and 5 Session Evaluations. Directly from your mobile device on the Cisco Live Mobile App By visiting the Cisco Live Mobile Site www.ciscoliveaustralia.com/mobile Visit any Cisco Live Internet Station located throughout the venue Polo Shirts can be collected in the World of Solutions on Friday 21 March 12:00pm - 2:00pm Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations. www.ciscoliveapac.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback