Executive Summary
- Mobility and virtualization are accelerating the transition to cloud computing.
- Data center components will have to be software-defined to meet requirements for capacity, resilience, and security.
- Software-defined security is the most effective way to protect the cloud data center.
[Figure: SDN architecture. The controller speaks the OpenFlow protocol to each device over a secure channel; on the device, inbound and outbound traffic is handled by flow tables and a group table. The control layer is decoupled from the data layer (devices), whose hardware and software entities may be implemented in HW or SW.]
Security and Software-Defined Networks
Automation APIs
Northbound (controller -> user): orchestration
- Administration UI
- Horizontal integration with other element managers
- Defines network parameters and membership
- Provides higher-level object management
Southbound (controller -> device): scaling
- Packet forwarding, programmable per flow
- Maps policies to entities
- Implements logical policies
- Enumerates groups into constituents
Value
Not SDN (often proprietary): device-based, special-purpose hardware, unique to the vendor. Configuration is entered on each device in the vendor's own syntax, for example (Cisco CatOS):
set vtp domain cisco mode server
set vlan 2 name cisco_vlan_2
set vlan 2 3/1-12
Infrastructure is Evolving
- Software is driving cloud innovation.
- Use of more than one platform or cloud is practically inevitable.
- Mobile (e.g., smartphone and tablet) adoption is increasing exponentially.
Implications
Need to know: users, software assets, connections, policies.
Don't need to know: vendor, IP address, location, whether the asset is virtual, physical or mobile, wire speed.
Risk Analysis
Exposure increased: automation failure, API failure, control failure, software failure, human failure.
Exposure decreased: hardware failure, capacity failure, availability failure, security failure, human failure.
Top-5 Controls
1. Inventory of SDN elements (e.g., controllers, devices, privileged users)
2. Isolation and access control for Northbound and Southbound APIs (e.g., orchestration, administration, and configuration)
3. Auditing and change management
4. Secure configuration management
5. Continuous vulnerability management and remediation
NAC
Network access control is not enforced within the access layer; it is enforced in the management layer. A host that is not registered with the controller has no policy mapped to it and therefore no flows, regardless of which port it is plugged into.
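The Southbound slide above says the controller "maps policies to entities" and "enumerates groups into constituents", the Implications slide says the operator needs to know users, assets and policies but not IP addresses, and the NAC slide says admission is decided in the management layer. The following toy controller, an added example that is not code from the original presentation, shows all three together: policy is written in group terms, the controller expands groups into per-device flow rules, and an unregistered host receives only the default-deny rule. Entity names, addresses, device names and the rule format are constructed for illustration.

```python
"""Toy SDN controller: compiles entity-level policy into per-device flow rules.

Added example, not code from the original presentation. Entity names,
addresses, device names and the rule format are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

DROP = "drop"


@dataclass(frozen=True)
class Entity:
    name: str    # the software asset the operator must know about
    group: str   # membership, defined through the northbound API
    device: str  # switch the entity is attached to (a southbound target)
    port: int    # port on that switch
    addr: str    # IP address: the controller resolves it, the operator need not


@dataclass(frozen=True)
class Policy:
    src_group: str
    dst_group: str
    proto: str
    dport: int


def rule(match: dict, action: str, priority: int) -> dict:
    return {"priority": priority, "match": match, "action": action}


class Controller:
    def __init__(self) -> None:
        self.inventory: Dict[str, Entity] = {}  # control 1: inventory of SDN elements
        self.policies: List[Policy] = []

    # Northbound: orchestration defines membership and logical policy.
    def register(self, e: Entity) -> None:
        self.inventory[e.name] = e

    def add_policy(self, p: Policy) -> None:
        self.policies.append(p)

    def members(self, group: str) -> List[Entity]:
        return sorted((e for e in self.inventory.values() if e.group == group),
                      key=lambda e: e.name)

    # Southbound: enumerate groups into constituents and emit per-device rules.
    def compile(self) -> Dict[str, List[dict]]:
        tables: Dict[str, List[dict]] = {e.device: [] for e in self.inventory.values()}
        for p in self.policies:
            for s in self.members(p.src_group):
                for d in self.members(p.dst_group):
                    if s.name == d.name:
                        continue
                    # Install on the destination's switch: deliver only this flow to its port.
                    tables[d.device].append(rule(
                        {"src": s.addr, "dst": d.addr, "proto": p.proto, "dport": p.dport},
                        f"output:{d.port}", 100))
        for t in tables.values():  # default deny on every device
            t.append(rule({}, DROP, 0))
        return tables


def lookup(table: List[dict], packet: dict) -> str:
    """Flow-table semantics: the highest-priority rule whose fields all match wins."""
    best = None
    for r in table:
        if all(packet.get(k) == v for k, v in r["match"].items()):
            if best is None or r["priority"] > best["priority"]:
                best = r
    return best["action"] if best else DROP


def build_demo() -> Dict[str, List[dict]]:
    """Three groups on three switches; policy is written in group terms only."""
    c = Controller()
    for e in (Entity("web1", "web", "sw1", 1, "10.0.1.11"),
              Entity("web2", "web", "sw1", 2, "10.0.1.12"),
              Entity("db1", "db", "sw2", 3, "10.0.2.21"),
              Entity("jump1", "admin", "sw3", 1, "10.0.9.9")):
        c.register(e)
    c.add_policy(Policy("web", "db", "tcp", 5432))
    c.add_policy(Policy("admin", "web", "tcp", 22))
    return c.compile()


if __name__ == "__main__":
    t = build_demo()
    # A host plugged into sw2 but never registered hits only the default-deny rule:
    # access control is decided in the management layer, not at the port.
    print(lookup(t["sw2"], {"src": "10.0.2.99", "dst": "10.0.2.21",
                            "proto": "tcp", "dport": 5432}))
```

The operator never wrote an IP address or a port number into the policy; adding a third web server is a single `register` call followed by a recompile, and the same group policy produces a rule set for however many devices the inventory spans.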
Configuration
Instead of requiring an agent or a network scan, secure configuration can be checked out of band against the definition the platform stores for the asset, even when the asset is powered off.
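What an out-of-band check looks like in practice, as an added example that is not part of the original presentation: the VM definition a hypervisor stores is inspected directly, so the guest never has to be running and nothing is installed in it. The domain XML below is a constructed libvirt-style definition, and the three baseline items (console exposure, host device passthrough, Secure Boot capable firmware) are assumed stand-ins for an organisation's real benchmark rather than anything the presentation specifies.

```python
"""Out-of-band secure-configuration check of a stored VM definition.

Added example, not from the original presentation. The domain XML is a
constructed libvirt-style definition; the three baseline items checked are
assumptions standing in for an organisation's real benchmark.
"""
import xml.etree.ElementTree as ET
from typing import List


def check_domain(domain_xml: str) -> List[str]:
    """Return baseline findings for a stored VM definition.

    The VM never has to be running: the check reads what the hypervisor keeps
    on disk, so it works for powered-off assets and needs no agent or scan.
    """
    root = ET.fromstring(domain_xml)
    findings: List[str] = []

    # 1. A remote console must not listen on all interfaces without a password.
    for g in root.iter("graphics"):
        addrs = [g.get("listen", "")] + [l.get("address", "") for l in g.findall("listen")]
        if "0.0.0.0" in addrs and not g.get("passwd"):
            findings.append(f"{g.get('type')}-console-open")

    # 2. No host device passthrough (it breaks isolation between tenants).
    if root.find("devices/hostdev") is not None:
        findings.append("hostdev-passthrough")

    # 3. Firmware must be a Secure Boot capable loader (libvirt: <loader secure='yes'>).
    loader = root.find("os/loader")
    if loader is None or loader.get("secure") != "yes":
        findings.append("secure-boot-disabled")

    return sorted(findings)


# Constructed definitions for the two cases; not real inventory.
WEAK = """<domain type='kvm'>
  <name>web1</name>
  <os>
    <type arch='x86_64'>hvm</type>
    <loader type='rom'>/usr/share/OVMF/OVMF_CODE.fd</loader>
  </os>
  <devices>
    <graphics type='vnc' port='-1' listen='0.0.0.0'/>
    <hostdev mode='subsystem' type='pci' managed='yes'>
      <source><address domain='0' bus='1' slot='0' function='0'/></source>
    </hostdev>
  </devices>
</domain>"""

HARDENED = """<domain type='kvm'>
  <name>web1</name>
  <os>
    <type arch='x86_64'>hvm</type>
    <loader readonly='yes' secure='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.secboot.fd</loader>
  </os>
  <devices>
    <graphics type='vnc' port='-1' listen='127.0.0.1'/>
  </devices>
</domain>"""


if __name__ == "__main__":
    print("weak:", check_domain(WEAK))
    print("hardened:", check_domain(HARDENED))
```

The same function can be run over every definition the orchestration layer holds, which is the inventory from control 1 above, and its output fed to the change-management and remediation workflow from controls 3 and 5.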
In closing
Security virtualization will drastically improve the protection of sensitive data while at the same time simplifying the application of these protective capabilities. The most effective use of security virtualization will require changes to IT staffing, processes, and procedures. Security virtualization is disruptive to the way security "has always been done."
Thank you
Michael Berman Email: xtanjx at gee mail dot com LinkedIn: mberman Twitter: @_mberman
2009-2012 *MitchellLazear
Supplemental Material
Therefore, as workloads are established on multiple platforms in multiple locations by any given entity, security virtualization must support a single security policy model across all of these platforms.
Open API
- Security virtualization must be integrated with provisioning, management, and operations of the data center.
- These APIs will fit into the management stacks developed for each hypervisor platform.
- Vendors must be able to interoperate through a common protocol (e.g., SCAP).
- Products must support orchestration by third-party management, workflow, and incident management systems.