Strengthening Data Center Security with Micro-segmentation based on Layer 7 Visibility
Data Center Security based on Micro-segmentation:
Protect traffic between VMs up to application level!
Nicolas Bouthors
Qosmos CTO
March 2016
Using Qosmos ixEngine to Develop L7 Classifier for Inter-VM Visibility
Implementation
• L7 Classifier integrated into the hypervisor extends vSwitch visibility from layers 1-4 all the way up to L7
• Enables the vSwitch to implement firewalling rules based on application visibility up to layer 7
• Leverages OVS 2.5 and Vector Packet Processing (VPP)
Benefits
• Ready-to-use layer 7 visibility for developers of data center security products
• Continuously updated protocol and application signatures
• Natively integrated with new virtualized architectures and frameworks (e.g. OpenDaylight (ODL) Group-Based Policy / SFC)
• Enables automated provisioning and move/add/change of policies, plus quarantine of infected VMs
[Figure: virtual machines / containers on a physical server (host); the hypervisor's vSwitch (L1-4) embeds your classifier built on ixEngine; policy comes from Group-Based Policy or your own policy tools]
Strengthening SDDC Security with Qosmos
The challenge
• Perimeter security technologies such as firewalls and IDS/IPS are not built for securing east-west traffic within the data center
• If malware penetrates the outer security perimeter, it can launch further attacks inside a vulnerable data center, in particular between VMs
Strengthening the solution with Qosmos
• DC security can be strengthened with micro-segmentation, which is based on real-time understanding of east-west traffic between VMs and, tomorrow, between containers
• Qosmos ixEngine is integrated inside the hypervisor/container host to extend vSwitch visibility from layers 1-4 all the way up to layer 7
• The vSwitch enforces access control rules between VMs based on the application carried in the traffic, not only on ports and addresses
Protect traffic between VMs up to application level!
L7 Classifier for Virtual Switch
Implementation principle
[Figure: four VMs above a hypervisor that hosts the L7 Classifier]
Principles
• L7 Classifier can be built based on Qosmos ixEngine, the leading DPI engine library on the market
• Classifies flows up to layer 7 and extracts metadata at the hypervisor level
• Integrates with any virtual switch to provide detailed, real-time traffic intelligence
• Deployed as a Linux application
• Integrated with Open vSwitch (OVS 2.5) using conntrack tools (from the Netfilter framework) to apply layer-7 policy
• Configurable using the CLI or the OpenFlow interface
Benefits
• Enhances the virtual switch/conntrack to support layer-7 rules
• Enables virtual switch users to benefit from application visibility for multiple use cases such as steering, policy, monitoring, etc.
• Consistent DPI analysis for use across the network (such as usage reporting to an analytics function)
Open vSwitch 2.5 supports conntrack!
Integration within Virtual Switch
Different implementations
• Open vSwitch (OVS)
• OVS with the Data Plane Development Kit (DPDK)
• Vector Packet Processing (VPP)
• Service Classifier
Use cases
• L7 visibility
• L7 micro-segmentation
• SFC service classifier
Open Virtual Switch: Packet Journey
1) A new packet arrives and sets up a new flow in the conntrack table (CT).
2) Packets of that flow are sent to the (userland) Qosmos Classifier through the netfilter queue API for further analysis.
3) After x packets (x can be as low as 1), the flow has been classified by the Qosmos Classifier, which updates the CT entry: the connmark is set (!= 0) and the conntrack_state value is updated.
4) An OpenFlow rule matching on the conntrack_state/conn_mark values now fits the flow and its action is applied (QoS, drop, VLAN tagging, etc.).
[Figure: the L7 Classifier runs in userland beside the conntrack table]
Open vSwitch without DPI, First Packet
[Figure: the first packet of a flow (client to server: http, ssh, icmp) misses the datapath flow cache, is sent up to ovs-vswitchd, is matched against the OpenFlow rules, and the datapath flow cache is updated]
Open vSwitch without DPI, Following Packets
[Figure: following packets hit the datapath flow cache and are forwarded without involving ovs-vswitchd]
Flow cache expiration == back to the previous case (first packet)
Open vSwitch with DPI, First Packets Until a Flow is Classified
[Figure: until classification completes, each packet of the new flow misses the datapath flow cache, goes up to ovs-vswitchd, is matched against the OpenFlow rules and handed to ixEngine to classify; the result is written to the DPI flow table, and there is no datapath cache update until classification is completed]
ixEngine output shown on the slide for the HTTP flow:
0 s(0x336c768)/http/request/method=GET
0 s(0x336c768)/http/request/header_statusline=GET / HTTP/1.1
0 s(0x336c768)/http/request/uri_full=/
0 s(0x7f130402eca8)/base/protocol_end/family_end=Web
0 s(0x7f130402eca8)/base/protocol_end/application_end=http
0 s(0x7f130402eca8)/base/protocol_end/path_end=base.ip.tcp.http
Open vSwitch with DPI, Following Packets (flow classified) 1/2
[Figure: once the flow is classified, following packets hit the datapath flow cache directly; ovs-vswitchd, the OpenFlow rules and ixEngine are not involved]
Open vSwitch with DPI, Following Packets (flow classified) 2/2
=> Datapath Flow Expiration: Take Advantage of the DPI Flow Table
[Figure: when the datapath flow cache entry expires, the next packet misses and goes up to ovs-vswitchd, but the classification is already completed in the DPI flow table, so the OpenFlow rules are applied and the datapath cache updated without re-classifying; then back to the former case: datapath hit]
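The packet journey (steps 1-4 on the "Open Virtual Switch: Packet Journey" slide) and the "Following Packets" / "Datapath Flow Expiration" slides describe the mechanism without showing it. The following is an added example written for this page; it is not Qosmos or Open vSwitch code. It simulates the pieces in Python: a conntrack table whose connmark starts at 0, a userland classifier standing in for ixEngine, a DPI flow table that outlives the datapath flow cache, and a policy keyed on (source prefix, destination prefix, application). The connmark values, the tiny payload-based classifier, the IP prefixes and the policy are all assumptions. `openflow_rules()` renders the policy as ovs-ofctl lines matching on ct_mark in OVS 2.5 syntax; the table layout, and the hand-off of unmarked packets to the netfilter queue on the host's netfilter path (outside OpenFlow), are likewise the editor's assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Assumed connmark values the classifier writes back into conntrack (0 = unclassified).
APP_MARK = {"http": 0x1, "ssh": 0x2, "unknown": 0xff}
OF_ACTION = {"forward": "NORMAL", "drop": "drop"}   # simulator action -> OpenFlow action


@dataclass
class CtEntry:
    """One conntrack entry as the slides describe it."""
    packets_seen: int = 0   # packets already handed to the userland classifier
    mark: int = 0           # connmark; != 0 once the flow is classified (step 3)
    state: str = "new"      # conntrack state the OpenFlow rules match on (+new / +est)


def classify_payload(payload):
    """Toy stand-in for ixEngine: name the application, or None if more packets are needed."""
    if not payload:                      # e.g. a bare SYN: nothing to inspect yet
        return None
    if payload.startswith(b"SSH-"):      # SSH version banner
        return "ssh"
    request_line = payload.split(b"\r\n", 1)[0]
    if request_line.endswith((b" HTTP/1.0", b" HTTP/1.1")):
        return "http"
    return "unknown"


class L7MicroSegSwitch:
    """Datapath cache + conntrack + DPI flow table + application-aware policy (constructed)."""

    def __init__(self, policy, max_dpi_packets=4, default_action="drop"):
        self.policy = policy              # [(src_prefix, dst_prefix, app, action), ...]
        self.max_dpi_packets = max_dpi_packets
        self.default_action = default_action
        self.ct = {}                      # conntrack table: 5-tuple -> CtEntry
        self.dpi_flow_table = {}          # DPI flow table: 5-tuple -> application name
        self.datapath_cache = {}          # datapath flow cache: 5-tuple -> action
        self.classifier_calls = 0         # how often a packet went up to userland

    def _policy_action(self, flow, app):
        src, dst = ipaddress.ip_address(flow[0]), ipaddress.ip_address(flow[2])
        for src_net, dst_net, pol_app, action in self.policy:
            if (src in ipaddress.ip_network(src_net)
                    and dst in ipaddress.ip_network(dst_net) and pol_app == app):
                return action
        return self.default_action        # whitelist model: no rule, no traffic

    def handle_packet(self, flow, payload=b""):
        """flow = (src_ip, src_port, dst_ip, dst_port, proto); returns the action taken."""
        if flow in self.datapath_cache:   # datapath hit: neither ovs-vswitchd nor DPI is touched
            return self.datapath_cache[flow]
        entry = self.ct.setdefault(flow, CtEntry())          # step 1: flow enters conntrack
        if entry.mark == 0:                                  # step 2: unclassified -> userland
            self.classifier_calls += 1
            entry.packets_seen += 1
            app = classify_payload(payload)
            if app is None and entry.packets_seen < self.max_dpi_packets:
                return "forward"    # no cache update until classification completes
            app = app or "unknown"  # stop waiting after max_dpi_packets so nothing stays unmarked
            entry.mark, entry.state = APP_MARK[app], "established"   # step 3: connmark != 0
            self.dpi_flow_table[flow] = app
        app = self.dpi_flow_table[flow]                       # also serves re-installs after expiry
        action = self._policy_action(flow, app)               # step 4: ct_mark-based rule matches
        self.datapath_cache[flow] = action                    # fast path takes over from here
        return action

    def expire_datapath_flows(self):
        """Age out the datapath flow cache; conntrack marks and the DPI flow table survive."""
        self.datapath_cache.clear()


def openflow_rules(policy, bridge="br0"):
    """Render the policy as ovs-ofctl add-flow lines matching on ct_mark (OVS 2.5 syntax).

    Assumed layout: table 0 runs every IP packet through conntrack and recirculates it
    to table 1; unmarked flows are committed and forwarded normally while the host's
    netfilter path queues them to the classifier (outside OpenFlow); marked flows hit
    one ct_mark rule per policy entry and everything else is dropped.
    """
    rules = [
        f'ovs-ofctl add-flow {bridge} "table=0,priority=10,ip,actions=ct(table=1)"',
        f'ovs-ofctl add-flow {bridge} "table=1,priority=10,ip,ct_state=+trk,ct_mark=0,'
        f'actions=ct(commit),NORMAL"',
    ]
    for prio, (src_net, dst_net, app, action) in enumerate(policy, start=100):
        rules.append(
            f'ovs-ofctl add-flow {bridge} "table=1,priority={prio},ip,ct_state=+trk+est,'
            f'ct_mark={APP_MARK[app]:#x},nw_src={src_net},nw_dst={dst_net},'
            f'actions={OF_ACTION[action]}"')
    rules.append(f'ovs-ofctl add-flow {bridge} "table=1,priority=1,ip,ct_state=+trk+est,actions=drop"')
    return rules


if __name__ == "__main__":
    # Constructed policy: the web tier may speak HTTP to the app tier, and nothing else.
    policy = [("10.0.1.0/24", "10.0.2.0/24", "http", "forward")]
    sw = L7MicroSegSwitch(policy)
    http_flow = ("10.0.1.5", 40000, "10.0.2.7", 80, "tcp")
    print(sw.handle_packet(http_flow, b""))                                    # forward (SYN, unclassified)
    print(sw.handle_packet(http_flow, b"GET / HTTP/1.1\r\nHost: app\r\n\r\n"))  # forward (http, allowed)
    ssh_on_80 = ("10.0.1.5", 40001, "10.0.2.7", 80, "tcp")
    print(sw.handle_packet(ssh_on_80, b"SSH-2.0-OpenSSH_8.9\r\n"))           # drop (ssh despite port 80)
    sw.expire_datapath_flows()
    print(sw.handle_packet(http_flow, b"x"), sw.classifier_calls)            # forward 3: no re-classification
    print("\n".join(openflow_rules(policy)))
```

Two things the simulation makes visible: an SSH session on TCP port 80 is dropped because the decision is keyed on the classified application rather than the port, and after expire_datapath_flows() the flow is re-installed from the DPI flow table without calling the classifier again. Forwarding packets while classification is still pending is fail-open; a stricter deployment would hold or drop them until the connmark is set.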
Demo https://www.youtube.com/watch?v=jkbkvX2B_kI
**any** DPDK datapath can be extended with L7 classification
OVS DPDK
VPP
Service Classifier
[Figure: RX -> datapath flow table (steer, shape, drop…) -> TX, with DPI engine instances attached to the flow table to provide L7 application ID; extend the flow table with L7 classification; 9 Gbps/core]
Qosmos, Qosmos ixEngine, Qosmos ixMachine and Qosmos DeepFlow are trademarks or registered trademarks in France and other countries.
Other company and products name mentioned herein are the trademarks or registered trademarks of their respective owners. Copyright Qosmos
Non-contractual information. Products and services and their specifications are subject to change without prior notice
© Qosmos