The Rise of the Layer 7 Classifier, Creating Service-Awareness across Networks
Agenda
Page 2
1. What is a L7 Classifier?
2. L7 Classifier for Gi-LAN (SFC)
3. L7 Classifier for vCPE (SFC)
4. L7 Classifier for virtual switch (security)
5. Summary
What is a L7 Classifier?
Page 3
(Figure: raw packet flows enter the L7 Classifier and leave as classified flows + metadata for the service-aware network.)
What is a L7 Classifier?
Principles
• Standalone software component
• Classifies traffic flows in real time for further processing in e.g. switches, routers, PCEF, firewall, passive probes, etc.
• Recognizes traffic up to Layer 7 using Deep Packet Inspection and associated techniques (heuristics, statistical, behavioral, etc.)
Place in a technical architecture
• Typically located in the packet data path (can also be out-of-band)
• Built from the inception to be integrated within industry reference frameworks, such as SFC, SDN, NFV, and Open Source
• Managed by industry reference frameworks, such as ODL SFC, OpenStack GBP, ODL GBP
What it is NOT
• Not a Software Development Kit (SDK)
• Not a virtualized legacy product (e.g. vTDF)
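As an added illustration of the "Principles" bullets above (this is not Qosmos ixEngine code and not its signature set), here is a small classifier that inspects the first payload bytes of a flow and returns an application ID plus a sub-class, falling back to the transport port when no Layer 7 signature matches. The handful of signatures, the TLS ClientHello builder used to construct sample input, and the "video" sub-class heuristic for HTTP paths are all assumptions made for the example.

```python
"""Signature-based L7 classification of a flow's first payload bytes.

Added example; not Qosmos code. Signatures and heuristics are constructed
for illustration and cover only a handful of protocols.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Classification:
    app_id: str      # e.g. "tls", "bittorrent"
    sub_class: str   # finer-grained label a chain or firewall rule can key on
    layer: int       # 7 when the payload identified it, 4 when only the port did


# Port-only fallback used when the payload carries no recognised signature.
PORT_HINTS = {53: "dns", 80: "http", 443: "https"}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
VIDEO_SUFFIXES = (".mp4", ".m3u8", ".ts", ".webm")   # assumed "video" heuristic


def tls_sni(payload: bytes) -> Optional[str]:
    """Return the SNI host name from a TLS ClientHello, or None if absent/malformed.

    Offsets: record header (5) + handshake header (4) + client_version (2)
    + random (32) = 43 bytes before the session_id length byte.
    """
    if len(payload) < 44 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    p = 43
    p += 1 + payload[p]                                    # skip session_id
    if p + 2 > len(payload):
        return None
    p += 2 + int.from_bytes(payload[p:p + 2], "big")       # skip cipher_suites
    if p + 1 > len(payload):
        return None
    p += 1 + payload[p]                                    # skip compression_methods
    if p + 2 > len(payload):
        return None
    end = p + 2 + int.from_bytes(payload[p:p + 2], "big")  # end of extensions block
    p += 2
    while p + 4 <= min(end, len(payload)):
        ext_type = int.from_bytes(payload[p:p + 2], "big")
        ext_len = int.from_bytes(payload[p + 2:p + 4], "big")
        data = payload[p + 4:p + 4 + ext_len]
        # server_name extension: list_len(2) name_type(1)=0 name_len(2) name
        if ext_type == 0 and len(data) >= 5 and data[2] == 0:
            name_len = int.from_bytes(data[3:5], "big")
            return data[5:5 + name_len].decode("ascii", "replace")
        p += 4 + ext_len
    return None


def classify(dst_port: int, payload: bytes) -> Classification:
    """Classify a flow from its destination port and first payload bytes."""
    if payload.startswith(b"\x13BitTorrent protocol"):
        return Classification("bittorrent", "peer-handshake", 7)
    if payload.startswith(b"SSH-"):
        return Classification("ssh", "banner", 7)
    if payload.startswith(HTTP_METHODS):
        request_line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
        parts = request_line.split(" ")
        path = parts[1] if len(parts) > 1 else "/"
        sub = "video" if path.lower().endswith(VIDEO_SUFFIXES) else "web"
        return Classification("http", sub, 7)
    sni = tls_sni(payload)
    if sni is not None:
        return Classification("tls", sni, 7)
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return Classification("tls", "no-sni", 7)       # TLS record without a usable SNI
    return Classification(PORT_HINTS.get(dst_port, "unknown"), "port-only", 4)


def build_client_hello(host: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying only an SNI extension (sample input)."""
    name = host.encode("ascii")
    sni = b"\x00" + len(name).to_bytes(2, "big") + name        # name_type 0 + host_name
    sni_list = len(sni).to_bytes(2, "big") + sni
    ext = b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list
    body = (b"\x03\x03" + bytes(32)          # client_version, random
            + b"\x00"                          # empty session_id
            + b"\x00\x02\x13\x01"              # one cipher suite
            + b"\x01\x00"                      # one compression method (null)
            + len(ext).to_bytes(2, "big") + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


if __name__ == "__main__":
    # Constructed flows: the last one is a BitTorrent handshake sent to the HTTPS port.
    for port, data in [(443, build_client_hello("video.example.net")),
                       (80, b"GET /clip.mp4 HTTP/1.1\r\nHost: cdn.example\r\n\r\n"),
                       (443, b"\x13BitTorrent protocol" + bytes(48))]:
        print(port, classify(port, data))
```

The last constructed flow is the point of the exercise: a port-based view labels it HTTPS, the payload-based view labels it bittorrent/peer-handshake, and that difference is what the service-chaining and micro-segmentation use cases later in the deck rely on.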
Page 4
Example of L7 Service Classifier for SFC in Gi LAN
(Figure: Gi-LAN service chain. Incoming traffic arrives from the P-GW; the L7 Classifier hands classified flows to the Service Function Forwarder, which steers them to SFC-aware functions (e.g. Parental Control, Video Opt.) or, through an SFC Proxy, to an SFC-unaware function (e.g. Caching). Control elements shown: SFC SDN Controller, PCRF, NFV Orchestrator, VNF Manager and VIM; the diagram is split into an IT/SDN services domain and a Telco/3GPP NFV domain.)
Page 5
Example: Using ODL to Configure L7 SFC Based on L7 Classification
Page 6
In ODL Lithium you can configure SFC based on L7 classification.
Example: L7 Classifier Managed by Adding L7 Criteria in OpenStack (via Group Based Policy or Security Groups)
Page 7
(Screenshot: a policy entry showing the application ID "Bit Torrent".)
Soon you will be able to create policies based on L7 application IDs.
When do you Need a L7 Classifier?
• For Service Function Chaining (SFC) in Mobile Gi-LAN
• To optimize services in virtual CPE (vCPE)
• To strengthen security in virtualized datacenter environments
Page 8
L7 Service Classifier for SFC in Gi LAN
(Figure: the Gi-LAN service chain diagram from the earlier slide, now with numbered call-outs: incoming traffic from the P-GW reaches the L7 Classifier, then the Service Function Forwarder, which steers flows to the SFC-aware functions (e.g. Parental Control, Video Opt.) or via the SFC Proxy to the SFC-unaware caching function; SFC SDN Controller, PCRF, NFV Orchestrator, VNF Manager and VIM are shown as control elements.)
Page 10
1. Controller configures classifier with service chaining rules based on App ID and sub-class
2. Controller configures network equipment (SFF) to ensure classifier tags are well understood
3. Service Classifier tags the traffic (e.g. HD video tag)
4. Network equipment (SFF) sends HD video into the appropriate service chain (video optimization + cache)
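The four steps above, run end to end as a small simulation. This is an added illustration, not Qosmos or OpenDaylight code: the NSH is reduced to a service path identifier (SPI) and a service index (SI); the chains (an HD-video chain of a video optimizer plus a cache behind an SFC proxy, and a parental-control chain), the rule keys and the flows are all constructed for the example; and the controller is assumed to tell the classifier both the SPI and the starting SI for each rule.

```python
"""Four-step SFC steering on classifier tags, as a small simulation.

Added example; not Qosmos or OpenDaylight code. The NSH fields are reduced to
a path id (SPI) and a service index (SI); chains, rules and flows are
constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

DEFAULT_SPI = 1   # path for traffic matching no rule: straight to the destination


@dataclass
class NSH:
    """Simplified Network Service Header carried in front of each tagged packet."""
    spi: int                      # service path identifier chosen by the classifier
    si: int                       # service index, decremented at each service function
    metadata: Dict[str, str] = field(default_factory=dict)


@dataclass(frozen=True)
class ServiceFunction:
    name: str
    sfc_aware: bool = True        # an SFC-unaware function sits behind an SFC Proxy


class Controller:
    """Steps 1 and 2: distributes rules to the classifier and paths to the SFF."""
    def __init__(self) -> None:
        self.classifier_rules: Dict[Tuple[str, str], int] = {}   # (app_id, sub_class) -> SPI
        self.paths: Dict[int, List[ServiceFunction]] = {DEFAULT_SPI: []}

    def install_path(self, spi: int, chain: List[ServiceFunction]) -> None:
        self.paths[spi] = list(chain)                            # step 2: SFF knows the tag

    def install_classifier_rule(self, app_id: str, sub_class: str, spi: int) -> None:
        if spi not in self.paths:
            raise ValueError(f"SPI {spi} has no path installed on the SFF")
        self.classifier_rules[(app_id, sub_class)] = spi         # step 1: classifier rule


class Classifier:
    """Step 3: tags a classified flow with the NSH the controller told it to use."""
    def __init__(self, ctrl: Controller) -> None:
        self.ctrl = ctrl

    def tag(self, app_id: str, sub_class: str) -> NSH:
        rules = self.ctrl.classifier_rules
        # exact (app, sub-class) match first, then an (app, "*") wildcard, then default
        spi = rules.get((app_id, sub_class), rules.get((app_id, "*"), DEFAULT_SPI))
        # SI starts at the chain length so that the SFF visits chain[len - si]
        return NSH(spi=spi, si=len(self.ctrl.paths[spi]),
                   metadata={"app_id": app_id, "sub_class": sub_class})


class ServiceFunctionForwarder:
    """Step 4: walks the chain the NSH names, decrementing SI at each hop."""
    def __init__(self, ctrl: Controller) -> None:
        self.ctrl = ctrl

    def forward(self, nsh: NSH) -> List[str]:
        chain = self.ctrl.paths.get(nsh.spi)
        if chain is None or nsh.si > len(chain):
            return ["drop:unknown-path"]        # a tag the SFF was never configured for
        hops: List[str] = []
        while nsh.si > 0:
            sf = chain[len(chain) - nsh.si]
            # the proxy strips the NSH for an unaware function and re-adds it afterwards
            hops.append(sf.name if sf.sfc_aware else f"sfc-proxy({sf.name})")
            nsh.si -= 1
        hops.append("destination")
        return hops


def steer(flows: List[Tuple[str, str]]) -> Dict[Tuple[str, str], List[str]]:
    """Run the four steps over a list of (app_id, sub_class) classifier results."""
    ctrl = Controller()
    ctrl.install_path(10, [ServiceFunction("video-optimizer"),
                           ServiceFunction("cache", sfc_aware=False)])   # HD video chain
    ctrl.install_path(20, [ServiceFunction("parental-control")])
    ctrl.install_classifier_rule("http", "hd-video", 10)
    ctrl.install_classifier_rule("tls", "hd-video", 10)
    ctrl.install_classifier_rule("http", "*", 20)
    classifier, sff = Classifier(ctrl), ServiceFunctionForwarder(ctrl)
    return {flow: sff.forward(classifier.tag(*flow)) for flow in flows}


if __name__ == "__main__":
    # Constructed classifier output for three flows.
    for flow, hops in steer([("http", "hd-video"), ("http", "web"), ("dns", "query")]).items():
        print(flow, "->", " > ".join(hops))
```

The check in install_classifier_rule is the part worth keeping in mind when reading step 2: a tag the classifier emits before the SFF has a path for it is traffic the forwarder can only drop, so the controller should install paths before rules.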
The L7 Classifier: Natural Integration with Open Source and Standards
Page 14
(Figure: SFC reference architecture. Service Clients connect over the SFC NBI to the SFC Application, an Orchestrator containing an SFC manager, an SFC instance manager and an SF Locator & Transport Cap. The SFC Application talks to the SFC SDN Controller over the SFC SBI (SDN NBI); the controller drives the SF Forwarders (OF-Switches) over the SDN SBI with an OpenFlow Extension, covering NSH headers, OpenFlow config. of switches and Forwarding Graphs. Service functions are either OpenFlow-Enabled (Load Balancer, WOC, L7 Classifier) or Non-OpenFlow (NAT, FW, L7 Classifier); service types listed: Cache, QoS, VPN, IPS, IDS. Traffic runs from Traffic Source through the forwarders to Traffic Destination.)
vCPE: Configuration with all Virtualized Functionality in the Network
Page 16
• In this example, virtual CPE runs CPE functions in virtual machines hosted within a data center
• This deployment typically only requires a basic CPE on the customer premises
• Reduces costs and simplifies customer infrastructure (by using basic CPEs)
• Enables full automation and provisioning of virtual network services
(Figure: a Basic CPE on the premises; VAS/L4-L7 network services (FW, VPN, NAT) hosted in the network.)
Example of Configuration
Page 17
(Figure: a Basic CPE connects through a Layer 2 element and the Access network to the Data Center / CO / POP, where ODL/SFC with L7 SFC criteria, an L7 Classifier and an L2-3 Service Function Forwarder steer traffic to VAS/L4-L7 network services (FW, VPN, NAT) and other, cloud-based functions.)
Implementation
• All virtualized CPE functionality situated in the network, at the PoP or in other DCs
• Enables optimization of services delivered to premises based on subscriber and application
• Configuration using reference implementations such as ODL/SFC
Benefits
• Optimized service delivery to customer premises
• All the associated benefits of vCPE (reduced cost, service agility, easier & faster deployment, etc.)
Optimization of Cyber Security in Virtualized Environment: Network Micro-Segmentation
Page 19
(Figure: left, "Perimeter security" with a FW securing the outer perimeter; right, "Micro-Segmentation" with L7 Classification and FW in each hypervisor.)
Typical situation today
• Perimeter protection such as firewalls and IDS/IPS focus on north-south traffic, in/out of the data center
• Firewalls and IDS/IPS not built for securing east-west traffic within the data center
• If malware penetrates the outer security perimeter, it can launch further attacks inside a vulnerable data center.
Solution
• Use micro-segmentation to divide the data center into smaller zones which can be protected separately
• In case of a breach, the damage can quickly be contained to a small number of compromised devices
Optimization of Cyber Security in Virtualized Environment: Network Micro-Segmentation
Page 20
(Figure: the same two diagrams with a sports analogy: "Perimeter security" as zone defense, "Micro-Segmentation" as man-to-man defense. Caption: "OK, OK, all analogies have limits…")
How Does it Work?
Zoom on L7 Classifier Embedded in Hypervisor
Page 21
Implementation
• Position firewall with East – West visibility inside the hypervisor
• L7 Classifier integrated into the hypervisor strengthens context by extending vSwitch visibility from layer 1-4 all the way up to layer 7
• vSwitch can implement firewalling rules based on application visibility up to layer 7
• Enables application-aware micro-segmentation of flows
Benefits
• Enables automated provisioning and move/add/change of FW policies + quarantine of infected VMs
• Any security breach can quickly be contained to a small number of compromised devices
(Figure: a Physical Server / Host running a Hypervisor with a vSwitch (L1-4) and an L7 Classifier, hosting several Virtual Machines; Security Groups carry NEW L7 fields.)
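To make "Security Groups with NEW L7 fields" concrete, here is an added example of how a hypervisor firewall can evaluate a security group whose allow rules carry an application ID and sub-class alongside the usual protocol, port range and remote CIDR. It is illustration only, not Qosmos or OpenStack code: the rule and flow layouts, the group names, the IP addresses and the classifier output attached to each flow are constructed. It also exercises the quarantine step from the Benefits list: once a VM is quarantined, every inbound flow to it is dropped regardless of its group.

```python
"""Security-group evaluation in a hypervisor firewall with L7 fields.

Added example; not Qosmos or OpenStack code. Groups, rules and flows are
constructed for illustration; the classifier's (app_id, sub_class) output is
assumed to arrive alongside each flow's 5-tuple.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Rule:
    """An allow rule; anything no rule matches is dropped (implicit deny)."""
    proto: str
    port_min: int
    port_max: int
    remote_cidr: str
    app_id: Optional[str] = None      # new L7 field: None means any application
    sub_class: Optional[str] = None   # new L7 field: None means any sub-class


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int
    app_id: str       # from the L7 classifier
    sub_class: str


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """L1-4 match (what the vSwitch alone can check) plus the L7 fields."""
    l4_ok = (rule.proto == flow.proto
             and rule.port_min <= flow.dst_port <= rule.port_max
             and ipaddress.ip_address(flow.src_ip) in ipaddress.ip_network(rule.remote_cidr))
    l7_ok = (rule.app_id in (None, flow.app_id)
             and rule.sub_class in (None, flow.sub_class))
    return l4_ok and l7_ok


class HypervisorFirewall:
    """East-west filter in the hypervisor, one rule set per security group."""
    def __init__(self) -> None:
        self.groups: Dict[str, List[Rule]] = {}
        self.membership: Dict[str, str] = {}     # VM IP -> security group
        self.quarantined: Set[str] = set()

    def add_group(self, name: str, rules: List[Rule]) -> None:
        self.groups[name] = list(rules)

    def attach(self, vm_ip: str, group: str) -> None:
        self.membership[vm_ip] = group             # move/add/change of policy

    def quarantine(self, vm_ip: str) -> None:
        self.quarantined.add(vm_ip)                # infected VM: all ingress dropped

    def allows(self, flow: Flow) -> bool:
        if flow.dst_ip in self.quarantined:
            return False
        group = self.membership.get(flow.dst_ip)
        if group is None:
            return False                           # no group attached: implicit deny
        return any(rule_matches(r, flow) for r in self.groups.get(group, []))


def demo() -> Dict[str, bool]:
    """L4-only vs L7-aware groups on the same two flows, then a quarantine."""
    fw = HypervisorFirewall()
    fw.add_group("web-l4", [Rule("tcp", 443, 443, "10.0.0.0/8")])
    fw.add_group("web-l7", [Rule("tcp", 443, 443, "10.0.0.0/8", app_id="tls")])
    fw.attach("10.1.0.10", "web-l4")
    fw.attach("10.1.0.11", "web-l7")

    def flow(dst: str, app_id: str, sub_class: str) -> Flow:
        # Constructed east-west flows from one client VM, all to TCP/443.
        return Flow("10.2.0.5", dst, "tcp", 443, app_id, sub_class)

    result = {
        "l4 allows tls": fw.allows(flow("10.1.0.10", "tls", "www.example")),
        "l4 allows bittorrent on 443": fw.allows(flow("10.1.0.10", "bittorrent", "peer-handshake")),
        "l7 allows tls": fw.allows(flow("10.1.0.11", "tls", "www.example")),
        "l7 allows bittorrent on 443": fw.allows(flow("10.1.0.11", "bittorrent", "peer-handshake")),
    }
    fw.quarantine("10.1.0.11")
    result["l7 allows tls after quarantine"] = fw.allows(flow("10.1.0.11", "tls", "www.example"))
    return result


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'allow' if verdict else 'drop'}")
```

The two groups differ by a single field, yet the L4-only group admits the BitTorrent handshake on port 443 while the L7-aware group drops it; that is the extra context the deck means by extending vSwitch visibility from layer 1-4 up to layer 7.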
Qosmos L7 Classifiers
Principles
• Standalone software components which classify 2400+ protocols
• Classify traffic flows in real time for further processing in e.g. switches, routers, PCEF, firewall, passive probes, etc.
• Recognize traffic up to Layer 7 using Deep Packet Inspection and associated techniques (heuristics, statistical, behavioral, etc.)
Form factors
• Service Classifier VNF for Gi-LAN or vCPE
• L7 Classifier for vSwitch
Place in a technical architecture
• Typically located in the packet data path (can also be out-of-band)
• Built from the inception to be integrated within industry reference frameworks, such as SFC, SDN, NFV, and Open Source
• Managed by industry reference frameworks, such as ODL SFC, OpenStack GBP, ODL GBP
Page 23
Summary
The L7 Classifier is a new software component built from the inception to work efficiently in SDN & NFV architectures.
The L7 Classifier provides real-time Subscriber and Application Awareness to the entire network infrastructure.
The L7 Classifier is needed for key use cases: Service Chaining for Gi-LAN and vCPE, and Security in datacenter environments.
Page 24
Qosmos, Qosmos ixEngine, Qosmos ixMachine and Qosmos DeepFlow are trademarks or registered trademarks in France and other countries.
Other company and product names mentioned herein are the trademarks or registered trademarks of their respective owners. Copyright Qosmos.
Non-contractual information. Products and services and their specifications are subject to change without prior notice.
© Qosmos