
Security and Software-Defined Networks

Unravel the Enigma of Insecurity

Michael Berman, CISSP, NSA-IAM


Husband, Dad, Hacker. Linux Kernel Engineer, Security Virtualization SME. Most recently, CTO for Catbird Networks, Inc. As a humanitarian, I provide sarcasm as a free service to the needy. I also ski, play soccer, and free climb.

Executive Summary
Mobility and virtualization are accelerating the transition to cloud computing.
Data center components will have to be software-defined to meet requirements for capacity, resilience, and security.
Software-defined security is the most effective way to protect the cloud data center.


Main Components of an OpenFlow Switch


(Diagram) Controller: Management and Orchestration. The controller speaks the OpenFlow Protocol to the OpenFlow Device (HW or SW) over a Secure Channel. Inside the device, the Flow Table Packet Pipeline carries traffic from inbound through a sequence of Flow Tables and the Group Table to outbound.



Software-defined Networking (SDN)


(Diagram) The Management and Orchestration Layer (controller), implemented in SW, is decoupled from the Data Layers (devices), implemented in HW or SW. Each data layer holds hardware entities and software entities.

Automation APIs

Northbound (controller->user): ORCHESTRATION
Administration UI
Horizontal integration with other element managers
Defines network parameters and membership
Provides higher-level object management

Southbound (controller->device): SCALING
Packet forwarding
Programmable per flow
Maps policies to entities
Implements logical policies
Enumerates groups into constituents


Value

Not SDN (often proprietary):
set vtp domain cisco mode server
set vlan 2 name cisco_vlan_2
set vlan 2 3/1-12
Device-based; special purpose hardware; unique to vendor

SDN (open system):
Hr_sharepoint allow hr_users
Pepsi deny Coke
US_agency deny China except public_web_tier
Server-based; general purpose CPU; multi-vendor
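The SDN policies on this slide name logical groups, not VLANs or addresses; the Southbound layer then "enumerates groups into constituents" and "maps policies to entities". The following added example (my code, not anything from the deck or from Catbird) compiles the three slide policies into per-flow decisions. The policy grammar '<target> <allow|deny> <source> [except <group>]' is my reading of the slide, and the group membership and workload names are constructed.

```python
# Added example (not the deck's code): the Southbound controller role that
# "enumerates groups into constituents" and "maps policies to entities".
# Policy syntax '<target> <allow|deny> <source> [except <group>]' is my
# reading of the slide; group members and workload names are constructed.
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed group membership: logical names, never IP addresses.
GROUPS: Dict[str, Set[str]] = {
    "hr_users": {"alice-laptop", "bob-laptop"},
    "Hr_sharepoint": {"hr-sp-01"},
    "Coke": {"coke-app-01"},
    "Pepsi": {"pepsi-db-01", "pepsi-app-01"},
    "China": {"cn-vm-01", "cn-web-01"},
    "public_web_tier": {"cn-web-01"},
    "US_agency": {"usa-vm-01"},
}

@dataclass(frozen=True)
class Policy:
    target: str
    action: str              # "allow" or "deny"
    source: str
    exclude: Optional[str]   # group carved out of the source by 'except'

def parse_policy(line: str) -> Policy:
    """Parse one policy line; reject anything outside the expected shape."""
    t = line.split()
    if len(t) not in (3, 5) or t[1] not in ("allow", "deny"):
        raise ValueError(f"bad policy: {line!r}")
    if len(t) == 5 and t[3] != "except":
        raise ValueError(f"bad policy: {line!r}")
    return Policy(t[0], t[1], t[2], t[4] if len(t) == 5 else None)

def constituents(group: Optional[str]) -> Set[str]:
    """Enumerate a logical group into its current members (unknown -> empty)."""
    return set(GROUPS.get(group, ())) if group else set()

def compile_rules(policy_lines) -> Dict[Tuple[str, str], str]:
    """Expand policies into (source, target) -> action; first match wins."""
    rules: Dict[Tuple[str, str], str] = {}
    for line in policy_lines:
        p = parse_policy(line)
        for src in sorted(constituents(p.source) - constituents(p.exclude)):
            for dst in sorted(constituents(p.target)):
                rules.setdefault((src, dst), p.action)
    return rules

def decision(rules, src: str, dst: str) -> str:
    """Decide one flow from the compiled table; default-deny if unmatched."""
    return rules.get((src, dst), "deny")
```

When a workload joins or leaves a group, only GROUPS changes and the rules are recompiled; the policy text stays the same, which is the property the slide contrasts with the vendor CLI on the left.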


Data Center Implications of SDN


Supports rapid scaling
Improved automation
Service capacity shifts automatically where needed
Better user experience
Commoditization of networking


Security: It's Your Choice

Fail / Evolve


Securing Software-defined Networking


(Diagram) Management and Orchestration Layer: audit, manage, and control privileged activities.
Data Layers (hardware entities and software entities): enforce secure configuration and auditing.
Logical isolation with policy-driven automation.


Infrastructure is Evolving
Software is driving cloud innovation.
Use of more than one platform or cloud is practically inevitable.
Mobile (e.g., smartphones and tablets) adoption is increasing exponentially.

Security technology must evolve.



Key Properties of Security Virtualization


Decoupled from hardware
Faithful reproduction of the physical network security model in the virtual space, including security for both physical and virtual workloads
Follow the operational model of compute virtualization
Compatible with any hypervisor platform
Logical isolation, audit, and security for workloads and control plane elements
Cloud performance and scale
Open API for provisioning and control


Software-defined Security (SDS)


(Diagram) As with SDN, the Management and Orchestration Layer (controller), implemented in SW, is decoupled from the Data Layers (devices), implemented in HW or SW. Each data layer holds hardware entities and software entities.

Implications
Need to Know: Users; Software Assets; Connections; Policies
Don't Need to Know: Vendor; IP address; Location; Virtual, physical, or mobile; Wire speed


Risk Analysis

Exposure Increased (small increase in risk): Automation failure; API failure; Control failure; Software failure; Human failure

Exposure Decreased (large decrease in risk): Hardware failure; Capacity failure; Availability failure; Security failure; Human failure



Top-5 Controls
1. Inventory of SDN elements (e.g., controllers, devices, privileged users)
2. Isolation and access control for Northbound and Southbound APIs (e.g., orchestration, administration, and configuration)
3. Auditing and change management
4. Secure configuration management
5. Continuous vulnerability management and remediation


SDS Systems are Evolving


Software-defined Security Examples


Firewall
Virtual firewalls are not a bump in the wire; they are a module inserted into the stream-path of a vNIC.

NAC
Network access control is not enforced within the access layer; it is enforced in the management layer.

Configuration
Instead of requiring an agent or network scan, secure configurations may be checked out of band, even when the asset is powered off.

Advantages of Security Virtualization


Perfect inventory
Everywhere it is needed
Lower cost
More automated
Simpler
Faster evolution

(Image caption) Cylon Hybrid: the central control for a Cylon Basestar


IT Business Process Re-engineering


The organization and process must adapt to increased automation and orchestration. Cross-functional teams of subject matter experts will best enable IT to rapidly deliver secure and elastic services on-demand. Leading IT teams are already shifting from DevOps to DevSecOps.

RACI for Software-Defined Security


Responsible: Firewall or Network Security personnel
- Define policies
- Implement automation

Accountable: CIO or CISO
- Approve policies
- Review metrics (e.g., compliance and performance)

Consulted: Infrastructure and Application Architects
- Provide requirements
- Validate implementation

Informed: IT Audit personnel
- Audit automation behavior
- Audit policy compliance

In closing
Security virtualization will drastically improve the protection of sensitive data while at the same time simplifying the application of these protective capabilities. The most effective use of security virtualization will require changes to IT staffing, processes, and procedures. Security virtualization is disruptive to the way security "has always been doing it."


Thank you
Michael Berman
Email: xtanjx at gee mail dot com
LinkedIn: mberman
Twitter: @_mberman

Blog: Grok Security


Supplemental Material


Decoupled from Hardware


Simplifies data center resiliency and failover
Reduces upgrade costs
Enables "designed-in" security across the data center fabric
Scaling enhanced due to elimination of architectural constraints
Hardware refresh cycle and technology advance are accelerated due to the shortened engineering cycle
CPU resource pool remains uniform


Reproduce Network Security Model


Defense in depth
Segmentation of data
Access control
Separation of duties

Critical controls (source: SANS):
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses


Operational Model of Compute Virtualization


Enable scaling, elasticity, mobility, and seamless disaster recovery
Conversion of security tools into software objects, and the creation of new tools and capabilities for deployment, automation, and recovery of security capabilities
Auto-deployment, automation, and orchestration of security tools
The cloud compute model impacts the culture of security within IT, requiring the transition of security professionals into new operational roles that are more flexible and more broadly defined.

Compatible with any Hypervisor


Security virtualization must be platform independent and capable of protecting workloads in any data center. While it's not clear how many platforms will be in common use, I assert that there will be at least four:
1. VMware
2. RHEV (KVM)
3. HyperV
4. Mobile (ultimately there will be more than one here)

Therefore, as workloads are established on multiple platforms in multiple locations by any given entity, security virtualization must support a single security policy model across these platforms.

Logical isolation, audit, and security


Logical isolation, rather than some form of physical segmentation, enables diverse workloads of differing sensitivity to run anywhere. Mixed workloads will then run most efficiently when allowed to run within common resource pools for CPU, memory, storage, and networking. Security virtualization must also audit and protect the management objects, tools, and APIs that are used to provision, modify, or delete workloads, objects, and resources. Logical isolation enables multi-compartment zoning of workloads with the requisite capabilities for cross-domain security in both private and public clouds. Policies are not required to identify layer 3 or 4 attributes. Security virtualization enforces policies within each specific trust zone, even when this zone spans multiple data centers.

Cloud performance and scale


Large-scale compute clouds are composed of thousands to millions of entities. Security virtualization must enable resilient and protected operations at this scale. This requires new security management architectures, analytics, and closed-loop controls that operate across millions of protected objects in multiple locations. Additionally, cloud performance is not just IOPS or CPU cycles; it is also the capability to elastically provision, modify, and decommission security entities on demand.

Open API
Security virtualization must be integrated with provisioning, management, and operations of the data center.
These APIs will fit into the management stacks developed for each hypervisor platform.
Vendors must be able to interoperate with a common protocol (e.g., SCAP).
Products must support orchestration by 3rd party management, workflow, and incident management systems.