Nuage Networks: Using SDN to provide Security by Design by Christoph Torlinsky at DevSecCon 2015
Transcript of Nuage Networks: Using SDN to provide Security by Design by Christoph Torlinsky at DevSecCon 2015
Copyright 2013 Alcatel-Lucent. All rights reserved. CONFIDENTIAL - SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW. PROPRIETARY – USE PURSUANT TO COMPANY INSTRUCTION.

Nuage Networks: Using SDN to provide Security by Design
Christoph Andreas Torlinsky – [email protected] – @nuagenetworks

Introduction into what Nuage SDN is…
§ Overview of Nuage VSP – who we are! What we do!
§ Key Concepts of SDN and its building blocks
§ Reference Architectures of Micro-Segmentation and Security
§ The Network as a Secure Service for OpenStack and Docker
Nuage Networks: Software Defined Networking
Proven by success with Enterprises and Service Providers
§ Leader in Software Defined Networking focusing on best of breed, open solutions
§ Alcatel-Lucent venture (EU)
§ Startup Office in Mountain View, CA – Silicon Valley
§ nuage = Cloud in French
(Slide diagram: Internet; Cloud Technologies, Networking at scale, Policy Based Solutions; VPN; KVM/XEN, LXC/Docker, ESXi)
11/30/15
Challenge 1: Service velocity is hindered by manual network process
Current: Automating and Securing the DC Network
§ Compute is Virtualized
§ Available in Minutes
§ Network is Partially Virtualized and Automated and Secured
§ Configuration takes Days/Weeks
(Slide diagram: Compute Management – New Tenant/Application Request -> Auto-instantiation -> Compute Request completed in Minutes. Network Configuration – Help Desk, Change Control, IP Address, VLAN Address, Firewall Configuration, LAN (VLAN) Configuration, WAN (IP) Configuration, Security / QA Team, Project Coordinator -> Network Change completed in days/Weeks)
New: Automating and Securing the SDN Network – Nuage Templates and Role-Based Workflow
Service velocity is not hindered by manual network process
(Slide diagram: Compute Management – Tenant/Application Request -> Auto-instantiation -> Compute Request completed in Minutes. Networking and Security/Compliance – IP Address, WAN interconnect, Policy/Security Zones, L2/L3 Service AD, Service chaining, Template->Instances -> Network Change Completed automatically)
Nuage Virtualized Services Platform (VSP)
Virtualized Services Directory (VSD)
• Network Policy Engine – abstracts complexity
• Service templates and analytics + Security
Virtualized Services Controller (VSC)
• SDN Controller, programs the network
• Rich routing feature set
Virtual Routing & Switching (VRS) – OVS Based
• Distributed switch/router – L2-4 rules
• Integration of bare metal assets
(Slide diagram: VSD; VSC HA; Core/Spine/Leaf fabric; VRS-E, VRS-X, VRS-G and VRS-K Hardware Gateway; Overlay Virtual Networks / L3 IP VXLAN Mesh)
SDN Instantiating + Securing by Policy – A SOFTWARE PLATFORM
• L2-L4 VPNs
• ACLs, QoS, DHCP, DNS, NAT…
• Service Chaining
• Statistic/Reporting & Isolation
(Slide diagram: Cloud Management Plane -> Virtualized Services Directory (Policy: Domain, Zones, Subnets, Policies) -> Network Service Control Plane (Virtualized Services Controller) -> IP Network Data Plane: Hypervisors in DC1 Zone1, DC Gateway, Internal/External WAN, VPN Service, VPN Internet, Remote Datacenter and Existing DC via IGP/BGP)
Security challenges addressed by SDN
§ The current state of Legacy Networks and Security
§ Applying Policy by Design
§ Key Concepts of Micro-Segmentation and Security Use cases
§ A very Quick Demo
Enterprise IT and Cloud Security Challenges and Requirements
Cloud Provider: Multi-tenancy at Scale; On-Demand
Enterprise: Prevent malware spread; Detect early, respond fast
Current Data Center Network Security Approaches Aren’t Sufficient
Protection
• Perimeter centric – requires trust between all apps and tenants
• Cannot enforce internal segmentation
Detection
• Lack of visibility/control for east/west data center traffic
• Traditional approaches cannot scale for cloud
Response
• Manual processes delay policy changes and app delivery
• Costly to remediate, manage and update
Nuage VSP Addresses Cloud and Enterprise Data Center Security Challenges
• Micro-Segmentation Prevents Lateral Malware Spread and Data Leakage
• Secure Multi-tenancy for Private and Public Cloud
• Policy driven Automation and Compliance Enforcement
• Automated Quarantine Enables Faster Incident Response
Micro-Segmentation Prevents Lateral Movement of Malware
Micro-segmentation within a broadcast domain: Micro-Segmentation contains and isolates security breaches to a smaller set of servers / fault domains
(Slide diagram: a single VLAN/Subnet containing Web1, Web2, App1, App2, DB1 and DB2)
Data Center Micro-Segmentation Use Cases for SDN with Nuage VSP

Use case   | Secure High Value Apps            | Secure Access to Shared Services (Backup) | Quarantine Infected End-Points                   | Secure VDI Environment
Permitted  | Between App Tiers                 | End-point to Backup Service               | Infected End-Point to Security Services          | VDI End-point to Authenticated Users
Blocked    | Any other traffic not whitelisted | Traffic between server end-points         | Block traffic to servers from infected end-point | Between VDI Desktops
Nuage SDN: Delivers Secure Multi-Tenancy and Flexible Network Segmentation
• Secure multi-tenancy for private and public cloud with one or more virtual isolated networks per tenant
• Tight integration with CMS constructs (e.g., OpenStack Security Groups)
• Flexible segmentation within a tenant based on logical grouping independent of IP, VLANs
• Logical networks and segments can be designed once and applied across tenants using templates and API/SDK binding – Programmatically!
(Slide diagram: Physical Network carrying Virtual Network 1 (Tenant 1) with PCI Zone/Policy Group and Non-PCI Zone/Policy Group, and Virtual Network 2 (Tenant 2) with Web, App and DB Zones/Policy Groups)
SDN Enables Better Visibility, Compliance and Accelerated Threat Detection within the Data Center
(Slide diagram: Policy Engine (VSD) -> Controller (VSC) -> Distributed Routing and Switching (VRS); ACL Allow and Deny Logs sent to an external syslog server, feeding IDS/Security Analytics and ACL Logs for Compliance and Audit)
SDN: Compliance Enforcement and Automation using Templates
§ Update security policy centrally in domain template
§ VSD deploys across all appropriate endpoints
§ Adhere to regulatory changes across the infrastructure easily
§ Compliance with global security policy
§ Configuration consistency
§ Programmer methodology
§ External Data Sources
(Slide diagram: a Template conforms to Connectivity, Security, QoS and Statistics; Users (Network) and Users (Compute) update the template in Nuage Networks VSP, which pushes the Config to the hypervisor zones (Hypervisor DC1 Zone1, 1,000 Hosts))
Micro-Segmentation with Advanced L4-7 Security
Nuage SDN: Supports Micro-Segmentation with Embedded L4 Distributed Firewall and L4-7 Security Insertion
• Micro-segments based on logical grouping using Policy Groups
• Reflexive L4 ACLs enforced at each server host in VRS using embedded L4 distributed firewall
• Policy supports workload mobility
• Both physical and virtual L4-7 security services (NGFW, IPS/IDS etc.) can be inserted
• Support for multi-hypervisors, physical and containers
(Slide diagram: Web Policy Group (Web1, Web2), App Policy Group (App1, App2), DB Policy Group (DB1); L4 DFW between the groups and an NGFW inserted)
SDN delivers quicker Incident Response: Automated Quarantine
Nuage VSP API to Quarantine Infected Servers/VMs
• Move VM to Quarantine Zone
• Leverage external Data Sources and Behavior Analytics for Machine Learning
• Apply security policy to block select communications (e.g., C&C, FTP)
(Slide diagram: IDS/IPS and SIEM/IPS send a Security Alert and Security Events to Nuage VSP; workloads sit in a Quarantine Zone or a Non-Infected/Clean Zone)
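As an added illustration (my own code, not Nuage VSP's API or any code from the deck) of the three ideas the previous slides describe: whitelisting between Policy Groups with everything else denied, reflexive L4 ACL state for return traffic, and a quarantine step that re-homes an endpoint into a Quarantine group when a security alert arrives. The endpoint names, group names, ports and log format are constructed for the example.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Flow:                      # endpoint names, not IPs: policy follows the group
    src: str; dst: str; proto: str; sport: int; dport: int

class PolicyEngine:
    def __init__(self):
        self.group = {}        # endpoint -> policy group
        self.rules = set()     # allowed (src_group, dst_group, proto, dport)
        self.sessions = set()  # forward flows already allowed (reflexive state)
        self.log = []          # ACL allow/deny records, as sent to syslog

    def add_endpoint(self, ep, group):
        self.group[ep] = group

    def allow(self, src_group, dst_group, proto, dport):
        self.rules.add((src_group, dst_group, proto, dport))

    def evaluate(self, f):
        # Reflexive ACL: the reply to an allowed flow needs no rule of its own.
        if Flow(f.dst, f.src, f.proto, f.dport, f.sport) in self.sessions:
            return self._log(f, True, "reflexive")
        key = (self.group.get(f.src), self.group.get(f.dst), f.proto, f.dport)
        if key in self.rules:
            self.sessions.add(f)
            return self._log(f, True, "rule")
        return self._log(f, False, "default-deny")  # anything not whitelisted

    def quarantine(self, ep):
        # SIEM/IPS alert handler: re-home the endpoint into the Quarantine group
        # and drop its live sessions so only whitelisted quarantine flows survive.
        self.group[ep] = "Quarantine"
        self.sessions = {s for s in self.sessions if ep not in (s.src, s.dst)}

    def _log(self, f, ok, why):
        self.log.append(f"ACL {'ALLOW' if ok else 'DENY'} {f.src}->{f.dst} "
                        f"{f.proto}/{f.dport} ({why})")
        return ok

def build_demo():
    # Constructed three-tier example: Web -> App -> DB plus a security service.
    pe = PolicyEngine()
    for ep, grp in [("web1", "Web"), ("app1", "App"), ("db1", "DB"),
                    ("ids1", "SecurityServices")]:
        pe.add_endpoint(ep, grp)
    pe.allow("Web", "App", "tcp", 8080)   # only adjacent tier hops are allowed
    pe.allow("App", "DB", "tcp", 5432)
    pe.allow("Quarantine", "SecurityServices", "tcp", 514)  # forensics only
    return pe
```

Once `quarantine("app1")` runs, the App -> DB session that was open is gone and a fresh App -> DB flow is denied, while the quarantined host can still reach the security service.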
Nuage Addresses Cloud and Enterprise Data Center Security Challenges
Secure Multi-tenancy for Private and Public Cloud
• Reduces risk, lowers infrastructure costs
• Enables cloud service providers to offer network security as a service
Micro-Segmentation Prevents Lateral Malware Spread
• Embedded L4 distributed firewall with advanced L4-7 Security service insertion
• Protects any workload (bare-metal, physical and virtual – multi-hypervisor), any network
Policy based Security Automation and Compliance
• Policy based on logical context and grouping
• Automated provisioning of L4 security and compliance enforcement
Faster Incident Response with Automated Quarantine
• APIs for integration with threat detection/SIEM systems to automate quarantine
Across Virtual Machines, OpenStack, Mesos, Docker and Bare Metals: Nuage VSP as a consistent Secure overlay solution
Same Network Policy, Same Automation Workflow, Same Security Governance and Compliance
(Slide diagram: VMs on a Hypervisor, Containers on Docker, and Bare Metal (BM) servers behind a Physical Switch (HW VTEP), all under the same overlay)
Native Docker Networking – current challenges…
veth – Default Strategy
(Slide diagram: Compute Host / Docker Host with an OS Namespace holding docker0 (172.16.42.1/16), eth0 (192.168.1.2) and Iptables NAT; Container1 Namespace and Container2 Namespace each with an eth0 (172.16.1.2 and 172.16.1.3) attached via veth14 and veth22)
Limitations of native Docker Networking
§ Default networking model only allocates an IP address that is private to the Docker host
§ Setting up useful networking using iptables is manual and error-prone
§ No built-in support for multi-host networking
§ No built-in support for isolating containers belonging to different applications
§ No built-in support for external networking
§ No support for multi-tenancy
Nuage VSP SDN: Networking for Docker
(Slide diagram: Compute Host / Docker Host with an OS Namespace holding alubr0 and eth0 (192.168.1.2); Container1 (eth0 172.16.1.2, eth-pid1) and Container2 (eth0 172.16.1.3, eth-pid2) attached to alubr0; VXLAN towards other hosts)
Nuage VSP SDN Networking for Docker
§ Overlay based networks that scale out across multiple physical hosts as the cloud deployment grows
§ High performance solution that converges quickly during peak container activation/deactivation events
§ Supports micro-segmentation and isolation across multiple physical hosts
§ Supports multi-tenanted environments and VXLAN
§ Supports application environments that require support for hybrid workloads with containers, VMs and BMSs
§ Leverage Docker ‘libnetwork’ with Nuage
§ More: https://www.youtube.com/watch?v=8Wo5j2XFQhQ
Ecosystem Partners | Extensibility & Security
Ecosystem Partners around Nuage VSP SDN – Network Flexibility, Extensibility and Security
(Slide diagram: Nuage VSP Core + Extensibility Framework with Northbound REST APIs/SDKs and a Programmable Distributed DP (Local Breakout); Nuage Certified partners for Security, Management & Orchestration, Application Delivery Controllers, Cloud Consumption and System Integrator; Physical Switches (Arista, HP 5930, 7850 VSG), DPDK Switches, Virtual Switches vSR, OSS, VNS, Hybrid Cloud, LBaaS, FWaaS, APLaaS Integration FWK)
Openness – continued… https://github.com/nuagenetworks
Where did this bring us?
Successful with 10+ Large Financial services firms and Prominent Web-scale ASP
www.nuagenetworks.com @nuagenetworks
THANK YOU LONDON!