Sdn&security
1 like•1,369 views
SDN involves separating the network control plane from the data plane, logically centralizing network intelligence and state. This allows network applications to directly interface with and control the underlying network infrastructure through open interfaces and APIs. SDN provides opportunities to apply business logic dynamically to network behavior and automate network service orchestration through open programmable interfaces. While SDN introduces some security risks if the controller is compromised, it also enables new security applications and the ability to scale security through a separate "service plane". SDN could help address some existing security issues and drawbacks in traditional network architectures.
Sdn&security
- 1. SDNandSecurity August 2013 Cristiano Monteiro, Solutions Architect at HP [email protected] @crmonteir
- 2. What isSDN?
- 3. 3 Evolution of Server Architectures Proprietary Hardware Proprietary Operating Systems Proprietary Applications Innovation! Standard Intel x86-based systems Standard Operating Systems (Linux, Windows, etc) App … Standard interfaces and programming languages Standard interfaces App App
- 4. 4 Evolution of Network Architectures Proprietary Hardware Proprietary OS OS-Integrated Features Standard “programmable” systems RoutingMCast …QoS Standard interfaces and control protocols Open interfaces and programming languages Network features (applications) Centralized Control Plane Innovation!
- 5. 5 … In the SDN architecture, the control and data planes are decoupled, network intelligence and state are logically centralized and the underlying network infrastructure is abstracted from the applications … Open Networking Foundation on SDN Source: opennetworking.org
- 7. 7 We need a new way to talk with Network APP Network Infrastructure Layer How the apps requirements are tied to Network Level ? • Bandwidth Resources • Isolation • Security etc. Understood !!! Security Infrastructure Layer App Guy talks to Net and Security Teams
- 8. 8 Ability to Apply Business Logic to Network Behavior in Dynamic Fashion HP Delivers SDN to Achieve Agility Infrastructure Layer SDNArchitecture Control Layer Application Layer Separate control and data plane; abstract control plane of many devices to one Open standard-based programmatic access to infrastructure Deliver open programmable interfaces to automate orchestration of network services
- 9. 9 Separate control and data plane; abstract control plane of many devices to one Deliver open programmable interfaces to automate orchestration of network services Open standard-based programmatic access to infrastructure Deliver open programmable interfaces to automate orchestration of network services Ability to Apply Business Logic to Network Behavior in Dynamic Fashion HP Delivers SDN to Achieve Agility Separate control and data plane; abstract control plane of many devices to one Deliver open programmable interfaces to automate orchestration of network services Open standard-based programmatic access to infrastructure Network Device Network DeviceNetwork Device Control & Data Plane Programmable Interface (e.g., OpenFlow) Network ApplicationsNetwork ApplicationsSDN Applications Business ApplicationsBusiness ApplicationsBusiness Applications (e.g., OpenStack, CloudStack) Cloud Orchestration SDN Controller Programmable Open APIs (e.g., REST) Infrastructure Layer SDNArchitecture Control Layer Application Layer
- 10. 10 Openflow (e.g. SouthBound Interface) Both fine and coarse grain flow control possible. 10 switch controller actionsmatch rules Forward to IDS Tunnel Port Rate Limit, Forward Normal Forward Normal TCP Port 16384 TCP Port 80 from 01:23:45:67:89:ab * (wildcard)
- 11. 11 Openstack Quantum a.k.a Neutron (E.g. Northbound Interface)
- 12. 12 A B 2 3 4 5 61 ICMP HTTP Controller TE - APP HTTP - path 1 ICMP - path 2 Match srcpip=A,dstip=B prot=TCP dstport 80 Action In=port 1, Out=port 3 1 2 3 Match srcpip=A,dstip=B prot=ICMP ActionIn=port 1, Out=port 2 Applicatin Example : SDN Traffic Engineering
- 14. 14 Detection : Anomaly Traffic, Signatures, Customer rings... Reaction and mitigation : Filters, Destination Filters to null “The right dose differentiates a poison and a remedy” Objective : Even under attack the customer should be online. Solutions to do that are very expensive.... Ddos Mitigation
- 15. 15 Ddos Mitigation - Case 1 • Sakura Internet case. (http://www.sakura.ne.jp/) • Ddos Mitigation • Voltdb for accurate detection src-dst • dRTBH with openflow
- 16. 16 Ddos Mitigation – Case 2 • Sflow-RT application to detect • Openflow to mitigate.
- 17. 17 SDN - NAC /MSM Concept NAC Today: Agent 802.1x Suplicant 802.1x Authenticator 802.1x Almost impossible multivendor solution. Conceptual SDN NAC App. Switches, AP´s should support SBI (Eg. Openflow) Radius SDN Nac App quarantine
- 18. 18 Repudiation Services Core Distribution Edge Repudiation IPS/ IDS with SDN Application • Reputation(pingserver.info) Malware • Alert administrator
- 19. 19 SDN Impact on Security Architecture Scale up... The limit will be reached someday and Single Point of Failure.... Redundancy but What about Flow table ? Scale Out. An external device Who will balance the load balancer ?
- 20. 20 SDN Impact on Security Architecture • Network will execute basic filtering. • Controller combined with a SEC APP can centralize flow table. • NBI interface will allow new applications came out. • Complex tasks (e.g. DPI) can be performed by a separated “Service Plane” . • Cloud Security can use SDN to scale out.
- 21. 21 SDN and Security a lot of opportunities... core Access cloud DC Enterprise Branches Internet DC Security
- 22. 22 What happens if a bad guy take the control of controller ? A. Well you are in trouble but what happened if the same bad guy take the control of a Border router in Service Provider environment today ??? What happens if a bad guy try to D.o.S the controller ? A. Well the bad guy should have access to management network. .. You already in trouble before the D.o.S There are a lot of drawbacks likewise if you look for problems in the traditional architectures you also find a lot... SDN Drawbacks
- 23. 23 Summary SDN unlocks constrained networks, accelerates innovation and drives value out of networks - SDN Provides Abstraction of Complexity - Lower cost of administration - Reduce automation risk & difficulty Network Simplification Drives Adoption - SDN Enhances & Enables Network Services - Extend life and improve performance of ‘middle boxes’ - Reduce TCO of basic services - Improve business QoE through integration of apps & networks Network Innovation Drives Advantage
- 24. Q&A Thankyou