Transforming the Network to Seize Business Advantage

Vol.7 April 2013

Transforming the Network to Seize Business Advantage

IT Security Evolves to Become Programmable

- SECTION 1 Letter to IT Executives
- SECTION 2 Introduction to ProgrammableFlow Software-Defined Networking
- SECTION 3 Denial of Service protection in a Programmable Network
- SECTION 4 Gartner: The Impact of Software-Defined Data Centers on Information Security

SECTION 1 Letter to IT Executives

While IT has enjoyed significant innovation in the past decade in most infrastructure segments, including servers, storage and OS software, network innovation has not run a parallel course or complemented the new, highly virtualized IT environment of today. Conventional networks have grown in complexity and cost, and often serve as bottlenecks to business agility and handicaps to the cloud-enabled enterprise or solution provider.

The announcement two years ago of the OpenFlow protocol marked a turning point - a disruptive network technology enabling NEC to develop and offer the first enterprise-class Software-Defined Networking solution, the NEC ProgrammableFlow Network Suite, released in May of. This technology includes a centralized software controller that can program the network, separating the control plane from the data plane and managing the flow of data to hybrid and pure OpenFlow switches, creating a dynamic configuration often described as Software-Defined Networking, or SDN. NEC, as a leader in OpenFlow and SDN, is focused on offering the best-in-class SDN controller and switches, and is also proactively supporting an open source strategy. This will provide our customers alternatives based on their specific needs.

Much has been written about the automation and configuration benefits delivered by this award-winning network fabric. We have customers in production today experiencing dramatic savings in both OPEX and CAPEX. The graphs shown here in figure 1 depict the benefits an early adopter, Nippon Express, a global logistics supplier and one of the 50 largest companies in Japan, has realized. Nippon Express has used and expanded their ProgrammableFlow network since they first implemented the fabric in their back-up data center first quarter of. As you can see, the customer has experienced measurable financial benefits from their implementation of the ProgrammableFlow Network Suite, including an 80% reduction in resource usage and the elimination of outsourced programmers, no longer needed for configuration changes to their network. For Nippon Express, reconfiguring the network to respond to changes in the business formerly took 8 weeks. With ProgrammableFlow SDN in place, it now takes 10 days.

[Figure 1: Nippon Express Benefits from ProgrammableFlow]

We know that provisioning a new, three-layer application can take an average of 3 working days in traditional networks. Using ProgrammableFlow SDN, as shown in figure 2, the process of bringing these new applications on board will take less than 5 minutes.

[Figure 2: Reduces Time to Deliver Applications. Time to deliver a 3-tier application: 3 days on a conventional network, 5 minutes with SDN/ProgrammableFlow]

But we believe the greatest benefits are yet to unfold, as customers roll out ProgrammableFlow networks with our new, RESTful northbound interface. Leveraging this interface into applications, programmers will be able to incorporate business policy and network management and control directly into the application. The resulting time savings, resource management and consistent application of business policy promise true business agility and competitive advantage.

One of the first places this L4-L7 activity is evident is with our partner, Radware, with a Denial-of-Service SDN application first demonstrated on a ProgrammableFlow network in May, 2012 at Interop Las Vegas. The Radware Anti-DoS application name is DefenseFlow. The article herein describes this solution in greater detail.

Neil MacDonald of Gartner Group, in the attached research note "The Impact of Software-Defined Data Centers on Information Security", advises: "Leading edge enterprises' data centers are evolving to software-defined models of IT services that are decoupled from the hardware underneath. To support these shifts, information security services must evolve to become programmable and adaptive."

Neil further reports on the Radware and NEC joint SDN solution: "By integrating with NEC's programmable SDN, Radware can more rapidly provision network security resources and services. The integration is bidirectional. Radware provides application-specific security intelligence back to NEC that may impact network, application and security SLAs."

This Next-Generation Software-Defined Security solution is available now. Call your NEC Account Manager today to learn how you can achieve new levels of responsiveness to your business with the revolutionary OpenFlow-based ProgrammableFlow SDN.

Mike Mitsch
Vice President
Enterprise Technology Group / IT Group
NEC Corporation of America

SECTION 2 Introduction to ProgrammableFlow Software-Defined Networking

Highlights of ProgrammableFlow

- ProgrammableFlow OpenFlow Network Fabric is a high performance, open fabric enabling enterprises to easily and cost-effectively deploy, control, monitor and manage their network infrastructure.
- Secure multi-tenancy supports rapid, easy virtual machine migration and dramatically accelerates delivery of new applications.
- ProgrammableFlow SDN, featuring the first enterprise-class OpenFlow controller, separates the network control plane from the data plane to abstract network intelligence and enable centralized management and control over both physical and virtual networks.
- Advanced network automation increases reliability and lowers costs.
- Intelligent and dynamic multipath routing is based on business policy for superior quality of service aligned with business priorities.
- End-to-end visualization of all network flows for greater manageability, and fully redundant configuration assures reliability.

While the PF6800 controller is interoperable, demonstrated at Interop 2012 with multiple switches including IBM, Brocade, and Extreme Networks, NEC also offers a complete network solution including an award-winning hybrid OpenFlow switch - transitioning between conventional networks and OpenFlow, a 10GbE OpenFlow switch, and adding in 2012 the first OpenFlow-based virtual switch, the PF1000 for Microsoft Hyper-V environments.

ProgrammableFlow maximizes server virtualization investments

Traditional networks often act as a barrier to organizations trying to get the most from their server virtualization. ProgrammableFlow, acting as a virtual network fabric, provides seamless integration into a virtual server environment, enabling servers and VMs to be provisioned, migrated and decommissioned without requiring network reconfiguration. Network and security policies follow virtual machine migrations automatically.

ProgrammableFlow Network Fabric increases the efficiency of your entire IT investment.

Multipath networking uses multiple links to move traffic from a central point to a given destination. Administrators can take advantage of multiple links, as shown in figure 3, to redirect traffic to a path with more available bandwidth. This real-time network load balancing is unique to the ProgrammableFlow Controller. The multiple links can also be used to migrate traffic off specific switches to support load concentration for maintenance or power savings.

[Figure 3]

Network Programmability for rapidly & efficiently delivering services

Because OpenFlow and ProgrammableFlow decouple the data path and control path, organizations can more easily introduce changes into their network and customize it to suit their business needs. A programmable network in the future will be essential to position you for significant competitive advantage. Programmable interfaces will, as shown in figure 4, allow you to take advantage of rich development and network services that will be available. This will enable a network that is flexible enough to handle future unknowns, whether it's users of applications in support of the intelligent economy.

[Figure 4: Network Applications, API, ProgrammableFlow Controller, OpenFlow Control, Network Fabric]

Greater Flexibility for private and public clouds

ProgrammableFlow's support of multi-tenant networks, all managed from a centralized interface, provides compelling value for hosting or public cloud providers and security protection for private cloud customers. ProgrammableFlow allows multiple virtual networks, like those in figure 5, to securely share a common physical infrastructure. Because they are completely isolated and operate with different policies, each network fabric can be customized without impacting other services. NEC's Virtual Tenant Network (VTN) technology enables administrators to build multi-tenant networks that support unlimited virtual machine migration, enabling rapid scale-out of new applications, balanced workloads, and higher levels of availability. The ProgrammableFlow controller supports multi-tenancy with network path management, path health and status monitoring, and policy-based flows.

[Figure 5: Secure Virtual Tenant Network (VTN) - VTN1, VTN2, PFC, Physical Configuration, Control]

Policy Based Routing enables agility

ProgrammableFlow enables the network to be fully responsive to the needs of the business: network traffic can be customized dynamically based on traffic type, including complex conditions. Examples might include managing bandwidth-intensive video based on business priorities, or ensuring key applications take priority, particularly during pivotal times. Legacy networks do not control network traffic based on business policy. With ProgrammableFlow, the final destination of a packet need not be the destination IP address but an intermediate appliance or service module such as a firewall or load balancer. Such functionalities are not available in traditional networks. With ProgrammableFlow, network restrictions do not curtail business performance and priorities.

SECTION 3 Denial of Service protection in a Programmable Network

Integrated Security for Virtualized Networks

A solution paper by Radware & NEC Corporation

Introduction

Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are assaults on a network that flood it with so many additional requests that regular traffic is either slowed or completely interrupted. Unlike single bullet intrusion attacks (such as a worm or Trojan) which cause information damage or leakage, DoS attacks disrupt the availability of network resources and can interrupt network service for a long period of time.

Typical victims for DoS attacks are online businesses, carriers and service providers. DoS attacks target revenue-generating organizations by overtaxing link capacity. The security publication Dark Reading estimates damages can range from $240K per day, a figure reported by 65% of the companies surveyed, to $1M per day or more. [1] Costs could include direct and indirect damages such as those related to business reputation, as well as increased operational expenses. The common form of DoS attacks are DDoS attacks, where hackers take advantage of bot-infected, compromised computers to launch large-scale attacks.

The DoS secured Virtual Tenant Network (VTN) is a fully virtualized network solution that enables the operator to assign a virtual DoS protection service per virtual tenant network. It relies on the Radware Anti-DoS application called DefenseFlow and shared Radware's DefensePro mitigation resources that are coupled with NEC ProgrammableFlow Controller and NEC ProgrammableFlow Switches respectively.

[1] Higgins, Kelly Jackson, What a DDoS can Cost, Dark Reading, May 15,

Solution Architecture

NEC and Radware developed an integrated SDN solution based on both vendor products to offer comprehensive and cost-effective protection against emerging DDoS attack campaigns in NEC ProgrammableFlow networks.

In addition to the benefits and capabilities provided by ProgrammableFlow SDN, the DoS Secured Virtual Tenant Network (VTN) solution includes the following functions:

- Traffic baselines - the essence of attack detection is to look for irregular trends in traffic patterns when compared to normal patterns.
- Attack detection - an attack is detected by comparing real-time statistical information collected from tenant networks to the stored baselines, looking for traffic patterns that deviate from the norm.
- Traffic diversion and injection - dynamically change the switching fabric so suspicious traffic is diverted to the DoS mitigation device for cleansing and then inject the clean traffic to its original destination.
- Attack mitigation - mitigating all types of DoS & DDoS attacks using a high performing attack mitigation device that deploys cutting edge security technologies.
- Traffic Path Roll-over - when the solution confirms that attack traffic is non-existent, it alerts the controller to divert the traffic back to its normal path.

[Figure 6: DoS Secured VTN solution architecture - shielding multitenant networks, as needed on demand from DoS attacks. Virtual layer: NEC ProgrammableFlow Controller, Radware Anti-DoS SDN Application (baseline creation, attack detection, traffic diversion; monitor traffic statistics; control network path), VTN A, VTN B and VTN C with the Customer A, B and C applications. Physical layer: NEC ProgrammableFlow Switches, Radware DefensePro (attack mitigation)]

The following Radware components, depicted in figure 6, are introduced into the NEC VTN framework to deliver DoS secured virtual tenant networks:

- Radware DefenseFlow - responsible for DoS attack detection and conducting the traffic diversion and injection operation by using the ProgrammableFlow web API.
- Radware DefensePro - performing the DoS & DDoS attack mitigation.

Granular security provisioning

NEC and Radware together eliminate the need for physically configuring switches in applications to provision anti-DoS services. Also, this solution enables a customer to selectively pick the environments needing DoS security and even provides the flexibility to change security protection policies on demand.

How it works

1. The DefenseFlow, in collaboration with the ProgrammableFlow controller, uses the OpenFlow protocol to monitor and collect packets and byte level statistics from all switches in the OpenFlow Network.
2. The DefenseFlow uses the information to:
   a. Build the protected network traffic baselines.
   b. Compare real time network statistics with the stored baselines to determine abnormal traffic patterns.
   c. Upon anomaly detection determine if it is an attack or not.
3. Upon attack detection, the Anti-DoS Application calls the ProgrammableFlow controller to establish a traffic path that takes the suspected traffic through the DefensePro mitigation engine (path changed from [1] to [2] & [3]).

4. The DefensePro device starts immediately to clean the attack traffic using its multiple protection modules. The clean traffic only is forwarded to its destination.
5. Once the Anti-DoS Application determines the attack is over, it calls the ProgrammableFlow controller to revert the traffic path back to normal - no need to divert traffic through DefensePro anymore.

Fully-virtualized per-tenant Anti-DoS solution

The integrated security SDN solution is a result of collaboration between NEC - delivering best of breed network virtualization and abstraction technologies; and Radware - delivering best of breed DoS & DDoS attack mitigation technologies.

NEC's ProgrammableFlow Network provides VTNs - a network and abstraction solution that enables business agility by aligning virtual network infrastructure with the data center virtualization trends while reducing networking costs significantly.

The Anti-DoS service is a value-add service fully integrated into the ProgrammableFlow architecture. It is represented as a logical entity that is assigned per tenant network to the protected application servers. Once the DefenseFlow detects abnormal activity as an attack, it uses the ProgrammableFlow controller to divert the suspicious traffic to the DefensePro attack mitigation device to remove the attack traffic.

The joint solution allows taking advantage of NEC's VTN configuration and visualization approach. The network manager can provision any VTN with a DoS protection service to select all or parts of the VTN's network objects.

The Solution Advantages

The Radware-NEC joint solution is the 1st to market switch fabric infrastructure that includes an integrated DDoS protection solution. It allows the fabric itself to be secured and provision the DoS Protection service per network tenant.

- Shortest time to protect - By having almost near real-time packet statistics and dynamic traffic control, the solution achieves fast reaction to imminent attack traffic within seconds.
- High Availability - The DoS mitigation engine (DefensePro appliances) can be located in different network redundant locations in order to provide a fully redundant architecture that works in conjunction with the NEC VTNs.
- Scale with Traffic - Any service inserted into the network has to ensure that it can scale with ever increasing traffic volume. Diverting the suspicious traffic only to the DefensePro allows assigning multiple VTNs to the Anti-DoS service with the need to increase DefensePro capacity proportional to the aggregated traffic bandwidth of the assigned VTNs.
- Dynamic Service Provisioning - The DDoS attack mitigation service can be dynamically provisioned per VTN enabling operators to apply it as an on-demand service for their commercial offering. The provisioning does not require any manual configuration process and benefits from reduced complexity thanks to the abstraction of the network operations.
- Simplified Network Control - There are no complex requirements or additional overheads for route controls as found in other NetFlow based and tunneling mechanisms. An Anti-DoS application fully integrated with ProgrammableFlow Control ensures a highly and efficiently coordinated network aware solution.
- Highly reduced costs - the DefensePro attack mitigation device is a shared resource that is virtualized per tenant and used only when under attack. This means tremendous CapEx and OpEx savings when compared to standard inline or out-of-path DDoS mitigation solutions. In addition, using ProgrammableFlow's OpenFlow capabilities for statistics collection eliminates the need to have extra equipment as required by NetFlow based solutions.

The solution provides the following unique advantages:

- Best DDoS protection solution - Radware's unique and field-proven DDoS protection technology together with NEC's rich experience in the server and networking markets, and its innovative first to market commercial OpenFlow products.
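The baseline, detection, diversion and roll-over functions listed under Solution Architecture, and the five "How it works" steps, can be followed end to end in the added Python example below, which is not Radware or NEC code. The paper does not publish DefenseFlow's detection logic or the ProgrammableFlow web API, so the EWMA baseline, every threshold value and the `RecordingController` class are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional
import math


class PathState(Enum):
    NORMAL = "normal"      # path [1]: straight to the protected servers
    DIVERTED = "diverted"  # paths [2] and [3]: via the mitigation device


class RecordingController:
    """Hypothetical stand-in for the controller's web API; it only records calls."""

    def __init__(self):
        self.calls = []

    def divert(self, vtn):
        self.calls.append(("divert", vtn))

    def restore(self, vtn):
        self.calls.append(("restore", vtn))


@dataclass
class TenantGuard:
    """Per-VTN baseline, detection and path control (all parameters assumed)."""
    vtn: str
    controller: RecordingController
    alpha: float = 0.1   # EWMA weight for the baseline
    k: float = 4.0       # deviations above baseline treated as anomalous
    warmup: int = 5      # samples learned before detection is armed
    confirm: int = 2     # consecutive anomalous samples that confirm an attack
    clear: int = 3       # consecutive normal samples before roll-over
    state: PathState = PathState.NORMAL
    mean: float = 0.0
    var: float = 0.0
    samples: int = 0
    last_counter: Optional[int] = None
    hot: int = 0
    cool: int = 0

    def threshold(self):
        # Floor the spread at 10% of the mean so that a very flat baseline
        # does not flag ordinary jitter as an anomaly.
        return self.mean + self.k * max(math.sqrt(self.var), 0.1 * self.mean)

    def learn(self, rate):
        # Step 2a: exponentially weighted mean and variance of the byte rate.
        if self.samples == 0:
            self.mean = rate
        else:
            diff = rate - self.mean
            self.mean += self.alpha * diff
            self.var = (1 - self.alpha) * (self.var + self.alpha * diff * diff)
        self.samples += 1

    def observe(self, byte_counter, interval=1.0):
        """Step 1: take one cumulative byte counter reading; return the path state."""
        if self.last_counter is None or byte_counter < self.last_counter:
            # First reading, or the switch counter was reset: no rate to compute.
            self.last_counter = byte_counter
            return self.state
        rate = (byte_counter - self.last_counter) / interval
        self.last_counter = byte_counter
        # Step 2b: compare the live rate with the stored baseline.
        anomalous = self.samples >= self.warmup and rate > self.threshold()
        if anomalous:
            # Anomalous samples are never learned, so a flood cannot
            # drag the baseline upward and hide itself.
            self.hot, self.cool = self.hot + 1, 0
            if self.state is PathState.NORMAL and self.hot >= self.confirm:
                self.controller.divert(self.vtn)    # steps 2c and 3
                self.state = PathState.DIVERTED
        else:
            self.learn(rate)
            self.hot, self.cool = 0, self.cool + 1
            if self.state is PathState.DIVERTED and self.cool >= self.clear:
                self.controller.restore(self.vtn)   # step 5
                self.state = PathState.NORMAL
        return self.state


# Constructed sample: bytes per second seen for one tenant, with a three-second flood.
CONSTRUCTED_RATES = [1000, 1100, 950, 1050, 1000, 980, 1020,
                     60000, 65000, 70000, 1000, 1010, 990, 1000]


def replay(rates, vtn="VTN-A"):
    """Turn per-second rates into cumulative counters and feed them to a guard."""
    controller = RecordingController()
    guard = TenantGuard(vtn, controller)
    counter = 0
    guard.observe(counter)
    states = []
    for rate in rates:
        counter += rate
        states.append(guard.observe(counter))
    return states, controller.calls, guard


if __name__ == "__main__":
    states, calls, guard = replay(CONSTRUCTED_RATES)
    print([s.value for s in states])
    print(calls, round(guard.mean))
```

The confirm and clear counters add hysteresis, so a single spike does not move the path and the path is not reverted on the first quiet sample.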

SECTION 4 Gartner: The Impact of Software-Defined Data Centers on Information Security

Published: 16 October 2012
Analyst(s): Neil MacDonald

Leading-edge enterprises' data centers are evolving to software-defined models of IT services that are decoupled from the hardware underneath. To support these shifts, information security services must evolve to become programmable and adaptive.

Key Findings

- "Software-defined security" is the latest industry buzzword and, in reality, will involve a combination of hardware, software, APIs and automation.
- Security must evolve to support software-defined data centers in three areas: securing software-defined networking (SDN) initiatives, becoming SDN-aware and moving security intelligence to become software-defined.
- Security policies must shift from hardware-based attributes to logical and context-based attributes, such as applications, virtual machine (VM) identities, user or group identities, and sensitivity of content.
- The shift to software-defined security will favor vendors with software-based architectures that provide flexibility in where and how security policy enforcement takes place across software, hardware, virtual machines and cloud.

Recommendations

Enterprise security leaders:

- Pressure security vendors to support OpenFlow within SDN efforts and to be capable of understanding and inspecting SDN tunneling protocols.
- Switch to security policy architectures based on logical attributes and tags (including VM identities), and weight the ability to do this heavily as security infrastructure is replaced.
- Favor security vendors that open up their policy enforcement capabilities for external integration and orchestration via XML-based RESTful or JSON-based APIs, and integrate with leading cloud management platforms for orchestration.
- Design a security architecture that enables flexibility in the placement of policy enforcement points - physical, virtual, software and cloud - with a consistent architecture and policy management framework.

What You Need to Know

Enterprises are transforming their data centers and moving toward highly automated infrastructure support of on-demand delivery of IT services. To enable this, enterprises are decoupling IT services such as networking and storage from the hardware underneath via SDN and software-defined storage. Information security must evolve to support these initiatives, increasingly becoming software-defined, as well as to protect highly dynamic data centers and on-premises private clouds.

Strategic Planning Assumptions

By 2014, nine of the top 10 network security vendors will support OpenFlow.

By 2017, 60% of enterprise private cloud deployments will automate the provisioning of information security controls.

Analysis

To speed the delivery of IT-enabled services to the business and support the shift toward cloud-based computing models, enterprises are transforming data centers into pools of dynamically allocatable compute, storage and networking resources. At the heart of this transformation is a shift to software-based management and definition of IT services (the "software-defined data center") and a decoupling from the hardware underneath for services such as compute, networking and storage. The goal is agility and speed within enterprise data centers by enabling applications to be quickly and transparently provisioned, moved and scaled as business requirements require across network segments, across data centers and potentially into the cloud without rearchitecting the network. For security, the primary goal must be to ensure that the appropriate security controls automatically remain in place, regardless of where an application moves, whether on-premises or to public clouds, and without requiring rearchitecting security controls.

The vision is not new. Software-based virtual switches in hypervisors are a proprietary (and virtual-only) precursor to software-defined networking. The evolution of the data center from virtualized workloads to private cloud infrastructure creates the same types of problems for information security. In 2010, Gartner research outlined six capabilities of information security needed to support the evolution of the data center in "From Secure Virtualization to Secure Private Clouds":

1. A set of on-demand and elastic services
2. Delivered by a programmable security infrastructure
3. Enforcing policies that are based on logical, not physical, attributes, and capable of incorporating runtime context into real-time security decisions
4. Creating adaptive trust zones that are capable of high-assurance separation of differing trust levels
5. Managed using a separately configurable security policy management and control plane
6. Supporting "federatable" security policy and identity

The shift to software-defined data centers and the adoption of SDN will accelerate the need for the security capabilities above. In the short term, information security services must integrate and support this shift. Longer term, the same decoupling and shift must occur with information security services.

Phase 1: Securing Software-Defined Data Centers

The vision of a "software-defined data center" or "virtual data center" is one where all IT infrastructure (such as storage, networking and compute) is virtualized and delivered as a service and where the management model for these services is abstracted from being managed one box at a time to a policy-based, networkwide view. In some ways, the term "software-defined" is a misnomer as most IT services' intelligence has always been defined by software. The problem is that the implementation has been tied to physical infrastructure. By working with a management model that is independent of individual hardware, enterprises can configure new applications by policy to enable faster provisioning of IT services, according to business SLAs, independent of the underlying physical location of the services.

This shift to software-based definitions of IT will affect all IT services delivered by hardware (networking, storage, servers and security) and can be collectively described as "SDx." SDN [1] is an example of a recent technology that is receiving a significant amount of market hype, with many networking vendors following, [2] especially those looking to use the disruption to take market share, such as HP. [3] Further, the Open Networking Foundation now has more than 70 members. [4] The hype has accelerated since VMware's reported bidding war and subsequent $1.26 billion acquisition of Nicira.

The shift to SDN will involve the use of new software-based architectural elements (such as virtual network controllers) that must be protected, as well as the use of new protocols that must be protected and inspected (such as VXLAN). In addition, APIs to programmable infrastructure need to be protected from attack and abuse. To support Phase 1, enterprises must ensure their security infrastructure is able to:

- Decrypt, decode, inspect and re-encrypt, as necessary, new protocols (such as OpenFlow) and tunneling protocols (such as vCNI, VXLAN, Nicira's STT and NVGRE) to provide security inspection and protection.
- Protect the APIs exposed by the programmable IT infrastructure - for example, RESTful or JSON-based interfaces to programmable storage, network and security devices. These APIs need strong authentication and authorization, as well as protection from denial-of-service attacks, malformation, tampering and XML poisoning.
- Ensure trust and integrity of the communications between the controllers and the elements they control - for example, authentication, authorization, and the use of digital signatures and encryption of the traffic.
- Enforce separation of duties at the policy orchestration consoles (typically using role-based access controls on orchestration functions) between network operations, storage and information security as required by policy.
- Provide auditing, logging and monitoring of policy change events.
- Protect the software-based intelligent controllers, such as the controllers used in Open vSwitch, [5] using a combination of network- and host-based security controls.
- Use encryption and digital signatures on logical objects and their associated metadata and tags as they are moved within the network, such as VMs, storage blocks and policies.
- Separate the security and management control plane network from the operational network to enable tighter access control restrictions.

Phase 2: Integrating With the Software-Defined Infrastructure

Information security controls must become aware of changes in the infrastructure around them. At its core, information security policies define connectivity - what users and groups should be able to connect to which types of applications (and, likewise, which should not). Any shift to software-defined infrastructure is incomplete without the enforcement of security policy compliance in terms of connectivity.

SDN defines network topology and will overlap with traditional Layer 2 and Layer 3 information security controls that define connectivity rules. Because each SDN group can have its own logical network, using routers or firewalls to enforce segmentation at Layer 3 becomes an outdated concept, since tunnel endpoints can perform the cross-subnet mapping and packet formatting. This will affect the placement of security controls and threaten basic segmentation and control services from traditional security vendors as SDN subsumes the role of creating logical separation. However, information security services perform Layer 3 to Layer 7 services that SDN will not address, such as malware inspection, application control and application firewalling - the types of services that next-generation firewalls, application firewalls and secure Web gateways perform (see Note 1).
Here, SDN and information security services must integrate and communicate with the network controller to:

- Understand which tunnels to terminate and inspect, which specific traffic streams within this to inspect, and what policies to apply to each stream.
- Ensure appropriate routing of network traffic streams to security policy enforcement points for inspection, and to ensure this protection is maintained as these resources move within the data center fabric.
- Incorporate context awareness into real-time information security decisions, such as reputation, threat context, location and time of day (see "The Future of Information Security Is Context Aware and Adaptive").
- Instruct the network controller to redirect traffic, based on the security policy and current context.

To enable this, enterprises should ensure that the next generation of information security services explicitly integrate with, communicate with and understand SDN. As infrastructure becomes more adaptive, information security policy enforcement must also become adaptive. For example, it could automatically reroute traffic around a quarantined VM, or automatically add an additional security control, such as intrusion prevention system (IPS) inspection, based on the context of the current threat environment.

For Phase 2, ideally, the information security infrastructure would support these capabilities:

- Support SDN awareness and integration via protocols such as OpenFlow.
- Enforce context-aware security policies, such as application, identity and content awareness (see "The Future of Information Security Is Context Aware and Adaptive").
- Base policies on logical, not physical, attributes.
- Automate and externally orchestrate policy enforcement configuration via RESTful or JSON APIs.
- Ensure linkages into orchestration systems, such as VMware's vCloud Director, HP's Cloud Service Automation, Citrix CloudStack, OpenStack and other emerging cloud management platforms, for automated security policy enforcement provisioning. In an early-adopter example, Intuit reduced the time to secure a workload being provisioned from three weeks to 30 minutes. [6]

Security Doesn't Have to All Move to Software (It Just Helps)

A common misconception with the shift to software-defined security (SDSec) is that all security controls must move to software. There are cases where this makes sense, and cases where it does not. The security data plane (where packets and flows are inspected) can benefit from the processing power of hardware-based inspection. Like SDN, hardware has a role to play in SDSec, especially when high throughput is needed. However, there are cases where SDSec policy enforcement is useful, such as:

- To scale out (as opposed to hardware scale-up) and parallelize the enforcement of security controls.
- To potentially reduce the cost, as compared with the use of physical appliances (see Note 2).
- To speed the provisioning of security controls by making their provisioning as easy as provisioning a new VM.
- To enable flexible placement of security controls. For example, as most data center appliances shift to standardized hardware, the security controls may be placed onto the infrastructure platforms (for example, embedded within a storage array or as a software blade in a router). Another example would be placement within the SDN controller. This was the case in the vArmour Networks example, [7] where the SDSec control was placed on the Apache Floodlight OpenFlow controller, and in the case with HP, [8] where the SDSec control was placed on HP's SDN controller.
- To provide visibility into blind spots, such as inter-VM communications, without requiring all traffic to be routed to physical appliances.

Phase 3: Evolving Into Software-Defined Security

In Phase 3, information security itself will evolve to become software-defined, where, like SDN, the management model for security services is abstracted from being managed one box at a time to a policy-based, networkwide view. This enables security policies to be broadly and logically defined, such as "all Payment Card Industry (PCI)-related applications require this type of stateful inspection and this level of intrusion prevention protection," and these policies to be enforced as new PCI-related workloads are provisioned, removed, scaled out or moved without individual security appliances having to be reprogrammed.

In Phase 3, these capabilities should be supported:

- Separation of the security management plane from the security data plane.
- Emergence of software-based "security controllers" [9] that optimize the protection of security flow, based on policies, bandwidth, performance and SLA requirements.
- Shift to managing security policies in the security management plane on a networkwide basis, not individual security policy enforcement points.
- Vendors providing virtual appliances at feature parity with their hardware-based counterparts to enable dynamically provisioning security controls when or where needed, as easily as a new VM is provisioned.
- Security policy enforcement in the security data plane to be performed in physical appliances, virtual appliances or any combination of these. The security controller makes the decision as to the number and optimal placement of security policy enforcement points, based on the current context.
- Bidirectional integration with other software-defined data center elements so that these become aware of the current threat environment and current attacks, and can adjust resources accordingly to ensure service levels are maintained. [10]
- Changes in information security skills, with a focus on aligning with the business and defining appropriate policies according to risk, not programming the security infrastructure.

Like SDN, the result of SDSec is a system where the security policies can be managed holistically and enforced independent of the physical network topology, physical location of the security controls, across physical and virtual environments, and ideally as standards slowly emerge for the expression and exchange of security policy independent of the brand of the security equipment used.
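The Phase 3 model above (policy defined once per workload class, placement decided by a security controller) can be sketched as follows. This is an added example, not code from Gartner, NEC or any vendor named here; the tag names, control names, enforcement point names and the rule that a virtual appliance only covers its own host are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class EnforcementPoint:
    """Security data plane element (all names here are hypothetical)."""
    name: str
    kind: str                  # "virtual" or "physical"
    host: Optional[str]        # hypervisor host for a virtual appliance, None if network-wide
    capabilities: frozenset


@dataclass
class Workload:
    name: str
    tags: frozenset            # e.g. {"pci"}; assigned at provisioning time
    host: str                  # changes on live migration


class UnmetPolicy(Exception):
    """Raised when a required control has no enforcement point: fail closed."""


class SecurityController:
    """Security management plane: holds policy, decides placement."""

    def __init__(self, policies, points):
        self.policies = policies          # tag -> set of required controls
        self.points = list(points)

    def required_controls(self, workload):
        required = set()
        for tag in workload.tags:
            required |= self.policies.get(tag, set())
        return required

    def plan(self, workload):
        """Map each required control to an enforcement point for the
        workload's current host. Assumption: a virtual appliance only sees
        traffic on its own host; physical appliances are network-wide."""
        placement, missing = {}, []
        for control in sorted(self.required_controls(workload)):
            capable = [p for p in self.points if control in p.capabilities]
            local = [p for p in capable if p.host == workload.host]
            shared = [p for p in capable if p.host is None]
            chosen = local or shared      # prefer enforcement next to the workload
            if chosen:
                placement[control] = min(chosen, key=lambda p: p.name).name
            else:
                missing.append(control)
        if missing:
            # Do not admit the workload with part of its policy unenforced.
            raise UnmetPolicy(f"{workload.name}: no enforcement point for {missing}")
        return placement


def build_demo_controller():
    """Constructed sample policy and inventory."""
    policies = {
        "pci": {"stateful_fw", "ips"},
        "cardholder-export": {"tokenization"},
    }
    points = [
        EnforcementPoint("vfw-h1", "virtual", "h1", frozenset({"stateful_fw"})),
        EnforcementPoint("vfw-h2", "virtual", "h2", frozenset({"stateful_fw"})),
        EnforcementPoint("fw-core", "physical", None, frozenset({"stateful_fw"})),
        EnforcementPoint("ips-core", "physical", None, frozenset({"ips"})),
    ]
    return SecurityController(policies, points)


if __name__ == "__main__":
    controller = build_demo_controller()
    db = Workload("pci-db-01", frozenset({"pci"}), "h1")
    print("on h1:", controller.plan(db))
    db.host = "h2"                        # live migration: policy is untouched
    print("on h2:", controller.plan(db))
    db.host = "h3"                        # host without a virtual firewall
    print("on h3:", controller.plan(db))
```

The policy table is never edited when the workload moves; only the placement changes, and a workload whose policy cannot be fully enforced is rejected rather than admitted partially protected.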

Bottom Line

Looking beyond the hype around "software-defined," enterprises must evolve information security to support increasingly dynamic and adaptive data centers. Even if the enterprise's virtualized data center is using only proprietary virtual switches, changes in security will be needed as applications become more mobile. If SDN initiatives are planned, information security professionals should coordinate with networking teams to securely support these initiatives, and require their security infrastructure vendors to become SDx-aware via direct protocol support and integration. Longer term, adaptive security infrastructure will become driven by models defined in software ("software-defined security"), providing increased protection from emerging threats and faster support of changing business and regulatory requirements.

Tactical Guidelines

- The shift to software-defined "X" (networking, storage and security) is in its infancy. Don't overreact to the hype.
- Very real changes are needed in information security to support the virtualization of the data center and the shift to on-premises private cloud computing models. Use the three phases outlined in this research as a road map.
- Even if SDx isn't planned, require security infrastructure vendors to become virtualization-aware: understanding VM tagging and virtualization events, such as live migration, and integrating into virtualization management platforms.
- Protect the new control planes and new protocols that are introduced with software-defined data centers.
- Coordinate with the data center networking team on its plans for SDN, specifically:
  - Require information security vendors to protect and decode emerging tunneling protocols.
  - Require information security vendors to implement and integrate with SDN policy communication protocols, such as OpenFlow.
- Plan on a phased approach to implementing software-defined security:
  - Phase 1: Ensure the software-defined initiatives of other groups are properly secured.
  - Phase 2: Look for integration between the information security infrastructure and other SDx initiatives.
  - Phase 3: Longer term, expect further transformation of information security to become software-defined itself.
- The shift to SDx has the potential to generate organizational disruption. Begin to integrate server, network and storage teams, and make information security an integral part of these teams from the beginning.

Recommended Reading

- "Addressing the Most Common Security Risks in Data Center Virtualization Projects"
- "From Secure Virtualization to Secure Private Clouds"
- "DevOpsSec: Creating the Agile Triangle"
- "The Future of Information Security Is Context Aware and Adaptive"
- "Emerging Technology Analysis: OpenFlow"
- "Hype Cycle for Virtualization, 2012"
- "Open Networking Foundation Formed; The Battle to Commoditize Network Hardware Begins"
- "Hype Cycle for Networking and Communications, 2012"
- "Model-Driven Security: Enabling a Real-Time, Adaptive Security Infrastructure"

Evidence

[1] "Software-Defined Networking: The New Norm for Networks," Open Networking Foundation, 13 April "In the SDN architecture, the control and data planes are decoupled, network intelligence and state are logically centralized, and the underlying network infrastructure is abstracted from the applications. As a result, enterprises and carriers gain unprecedented programmability, automation, and network control, enabling them to build highly scalable, flexible networks that readily adapt to changing business needs."

[2] Many networking vendors are moving forward with SDN enablement with OpenFlow. In 2011 and 2012 at Interop and other venues, multiple vendors have demonstrated interoperable OpenFlow-based networking gear, including Extreme Networks, HP, Netgear, Pronto Networks, IBM, NEC, Juniper Networks and Citrix. Further, Big Switch Networks provides open-source firmware that helps these vendors to become OpenFlow-enabled.

[3] J. Rath, "HP Launches Comprehensive SDN Portfolio," Data Center Knowledge, 3 October

[4] Open Networking Foundation. "The Open Networking Foundation (ONF) is a non-profit consortium dedicated to the transformation of networking through the development and standardization of a unique architecture called Software-Defined Networking (SDN), which brings direct software programmability to networks worldwide. The mission of the Foundation is to commercialize and promote SDN and the underlying technologies as a disruptive approach to networking that will change how virtually every company with a network operates."

[5] Open vSwitch.

[6] At VMworld 2012, a case study on Intuit's use of software-defined security was presented. Intuit had already moved to a "private cloud" model using a self-service user portal interface on top of a highly virtualized data center. However, while users could request a VM and have it provisioned within 30 minutes, the additional changes required for security and network infrastructure took an additional three weeks for the VM to be placed into production. To solve the problem, Intuit shifted to a model where a flat network was used to host pools of allocatable compute and storage. It used VMware's distributed virtual switch to enable an early form of a software-defined network. It used VMware's vShield App and vShield Edge for application and edge firewalling services. For the cloud management platform orchestration services, it used VMware's vCloud Director, where Intuit developed several blueprint templates that were used to automatically assign security policies to VMs as they were created. Three templates were developed: one for the Web-tier workloads, one for application-tier workloads and one for database-tier workloads. Each template contained definitions (recipes) for the VM configuration, storage, access controls and network topology. As requested, VMs were deployed into a physically flat network that was automatically allocated, using a combination of SDN and software-defined security to logically carve out what customers needed, according to the policy requirements defined in the templates.

[7] At the Open Networking Foundation's conference in June 2012, vArmour Networks gave a demonstration of its beta OpenFlow-enabled network security offering. In the demonstration, vArmour's Application Security Gateway (ASG) deep-packet-inspection-capable software was deployed as a plug-in to Apache Floodlight's OpenFlow-enabled network controller platform. As a plug-in to Floodlight, the vArmour ASG became part of the OpenFlow fabric. Further, by natively supporting OpenFlow, the ASG security appliance supports dynamic network topologies. In the demonstration, the ASG detected an unauthorized rogue application being sent from a Web server being monitored. As a result, the server was determined to be infected, and the ASG notified a BigSwitch controller (a network switch vendor supporting OpenFlow). The BigSwitch controller then modified the forwarding rules to place the infected server in quarantine and redirected traffic to an alternative server. This isolated the infection in real time without affecting users of the system.

[8] In 2012, HP demonstrated an early release of its SDSec module, Sentinel, running as a module in its Virtual Application Networks SDN Controller. This integration has been used by the cable TV network HBO to protect users from navigating to low-reputation sites. Here, the OpenFlow-enabled HP switch receives the users' DNS query and sends the traffic to the HP Virtual Application Networks SDN Controller, based on an OpenFlow rule. Once the SDN controller receives the query, the Sentinel application service running on the SDN controller intercepts the request and checks the host name against the HP TippingPoint DVLabs Reputation Digital Vaccine (DV) reputation database. If the site has a high reputation, the query is forwarded normally across the access layer switch. If the site has a low reputation, the address is not resolved for the client, the user is prevented from accessing the threat and the action is logged with ArcSight.

[9] For example, NetCitadel (currently in stealth mode) is planning a software-based virtual appliance that acts as a form of a security controller in early

[10] In 2012, Radware and NEC announced a joint solution integrating Radware's Attack Mitigation System (providing denial-of-service, network behavioral analysis, IPS, reputation engine and Web application firewall protection) into NEC's ProgrammableFlow OpenFlow-based switches and controller. Combined, the integrated security and SDN capabilities deliver a network-security-aware and application-security-aware network that dynamically adapts security protection resources, based on context, such as the current threat environment and traffic volumes. By integrating with NEC's programmable SDN, Radware can more rapidly provision network security resources and services. The integration is bidirectional. Radware provides application-specific security intelligence back to NEC that may impact network, application and security SLAs.

Note 1 What Types of Security Services Are Needed?

Examples of the types of security services that could be provided:

- Separation or segmentation
- Basic stateful firewalling
- Packet inspection
- Flow analysis
- Intrusion detection
- Intrusion prevention
- Application identification
- Application control
- Identity identification
- Content inspection
- Sensitive data identification
- Malware detection
- Content detonation
- Content protection
- Encryption
- Tokenization
- Obfuscation or masking
- Digital signatures
- Certificate verification
- Reputation look-up services
- Tunnel termination
- Network address translation
- Monitoring, logging and alerting
- URL filtering and reputation services
- IP geolocation, filtering and reputation services

Note 2 Example of a Software-Based Virtual Appliance

An SDN pilot deployment wrote its own "security controller" application to distribute network traffic across a number of software-based Snort VMs for intrusion detection services. Even though software-based inspection is slower, by distributing and parallelizing the load, it was able to ensure inspection without performance degradation and at a lower cost, as compared with using hardware-based appliances.
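Distributing traffic across several IDS instances, as in Note 2, only works if both directions of a conversation reach the same sensor and if losing a sensor does not reshuffle every flow. The sketch below is an added example, not the pilot's code: the sensor names and sample flows are constructed, and the use of rendezvous hashing over a direction-independent flow key is an assumption chosen for the illustration.

```python
import hashlib
import ipaddress


def flow_key(src_ip, src_port, dst_ip, dst_port, proto):
    """Direction-independent key: A->B and B->A produce the same bytes, so a
    stateful IDS sees the request and the reply on the same sensor."""
    def endpoint(ip, port):
        addr = ipaddress.ip_address(ip)
        return (addr.version, int(addr), port)

    lo, hi = sorted((endpoint(src_ip, src_port), endpoint(dst_ip, dst_port)))
    return f"{proto}|{lo}|{hi}".encode()


def pick_sensor(key, sensors):
    """Rendezvous (highest-random-weight) hashing: every sensor scores the
    flow and the highest score wins. Removing a sensor only moves the flows
    that sensor owned. SHA-256 keeps the choice stable across restarts,
    unlike Python's per-process salted hash()."""
    if not sensors:
        # Fail closed: the caller must not forward traffic uninspected.
        raise ValueError("no IDS sensor available")
    return max(sensors, key=lambda s: hashlib.sha256(s.encode() + b"|" + key).digest())


def assign(flows, sensors):
    """Return {flow 5-tuple: sensor name} for the given sensor pool."""
    return {flow: pick_sensor(flow_key(*flow), sensors) for flow in flows}


def moved_flows(before, after):
    """Count flows whose sensor changed between two assignments."""
    return sum(1 for flow in before if before[flow] != after[flow])


def constructed_flows(n):
    """Constructed sample: n client connections to one HTTPS server."""
    return [
        (f"10.0.{i // 250}.{i % 250 + 1}", 40000 + i, "192.0.2.10", 443, "tcp")
        for i in range(n)
    ]


if __name__ == "__main__":
    sensors = ["snort-1", "snort-2", "snort-3", "snort-4"]   # hypothetical VM names
    flows = constructed_flows(200)
    before = assign(flows, sensors)
    after = assign(flows, [s for s in sensors if s != "snort-2"])  # one VM lost
    load = {s: list(before.values()).count(s) for s in sensors}
    print("load per sensor:", load)
    print("flows moved after losing snort-2:", moved_flows(before, after))
```

In an OpenFlow deployment the controller would install the resulting flow-to-sensor mapping as forwarding rules; that step is outside this sketch.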

Take control of your network.

NEC ProgrammableFlow Network Virtualization: Enterprise-class SDN Today

A more efficient and flexible network that speeds service delivery, providing:

- Improved network utilization and efficiencies that drive dramatic cost savings
- Automated network management and provisioning speed time to market
- Unified business and security policy applied network-wide, with granular control

Backed by a 100-year history of technology innovation, NEC helps customers improve performance and solve their toughest IT challenges. See why ProgrammableFlow won Grand Prize at Interop
Learn more at
NEC Corporation of America. All rights reserved.

NEC Corporation 7-1, Shiba 5-Chome, Minato-Ku, Tokyo , Japan
Website:
Contact: pflow-international@prg.jp.nec.com

Companies and names of products and services shown are trademarks or registered trademarks of their respective companies. All rights reserved.

Solution Force is published by NEC. Additional editorial material supplied by Gartner Inc
Editorial supplied by NEC is independent of Gartner analysis and in no way should this information be construed as a Gartner endorsement of NEC products and services. Entire contents 2013 by Gartner Inc. All rights reserved. Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.


More information

Use Case Brief CLOUD MANAGEMENT SOFTWARE AUTOMATION

Use Case Brief CLOUD MANAGEMENT SOFTWARE AUTOMATION Use Case Brief CLOUD MANAGEMENT SOFTWARE AUTOMATION Cloud Management Software can coordinate and automate server, network, and storage operations within the modern datacenter. This brief describes how

More information

SDN Security Considerations in the Data Center. ONF Solution Brief October 8, 2013

SDN Security Considerations in the Data Center. ONF Solution Brief October 8, 2013 SDN Security Considerations in the Data Center ONF Solution Brief October 8, 2013 Table of Contents 2 Executive Summary 3 SDN Overview 4 Network Security Challenges 6 The Implications of SDN on Network

More information

Meeting the Challenges of Virtualization Security

Meeting the Challenges of Virtualization Security Meeting the Challenges of Virtualization Security Coordinate Security. Server Defense for Virtual Machines A Trend Micro White Paper August 2009 I. INTRODUCTION Virtualization enables your organization

More information

SOFTWARE-DEFINED NETWORKING AND OPENFLOW

SOFTWARE-DEFINED NETWORKING AND OPENFLOW SOFTWARE-DEFINED NETWORKING AND OPENFLOW Freddie Örnebjär TREX Workshop 2012 2012 Brocade Communications Systems, Inc. 2012/09/14 Software-Defined Networking (SDN): Fundamental Control

More information

Wedge Networks: Transparent Service Insertion in SDNs Using OpenFlow

Wedge Networks: Transparent Service Insertion in SDNs Using OpenFlow Wedge Networks: EXECUTIVE SUMMARY In this paper, we will describe a novel way to insert Wedge Network s multiple content security services (such as Anti-Virus, Anti-Spam, Web Filtering, Data Loss Prevention,

More information

How OpenFlow-based SDN can increase network security

How OpenFlow-based SDN can increase network security How OpenFlow-based SDN can increase network security Charles Ferland, IBM System Networking Representing the ONF ferland@de.ibm.com +49 151 1265 0830 Important elements The objective is to build SDN networks

More information

Business Cases for Brocade Software-Defined Networking Use Cases

Business Cases for Brocade Software-Defined Networking Use Cases Business Cases for Brocade Software-Defined Networking Use Cases Executive Summary Service providers (SP) revenue growth rates have failed to keep pace with their increased traffic growth and related expenses,

More information

Oracle SDN Performance Acceleration with Software-Defined Networking

Oracle SDN Performance Acceleration with Software-Defined Networking Oracle SDN Performance Acceleration with Software-Defined Networking Oracle SDN, which delivers software-defined networking, boosts application performance and management flexibility by dynamically connecting

More information

Global Headquarters: 5 Speen Street Framingham, MA 01701 USA P.508.872.8200 F.508.935.4015 www.idc.com

Global Headquarters: 5 Speen Street Framingham, MA 01701 USA P.508.872.8200 F.508.935.4015 www.idc.com W H I T E P A P E R A p p l i c a t i o n D e l i v e r y f o r C l o u d S e r v i c e s : C u s t o m i z i n g S e r v i c e C r e a t i o n i n V i r t u a l E n v i r o n m e n t s Sponsored by: Brocade

More information

How To Make A Vpc More Secure With A Cloud Network Overlay (Network) On A Vlan) On An Openstack Vlan On A Server On A Network On A 2D (Vlan) (Vpn) On Your Vlan

How To Make A Vpc More Secure With A Cloud Network Overlay (Network) On A Vlan) On An Openstack Vlan On A Server On A Network On A 2D (Vlan) (Vpn) On Your Vlan Centec s SDN Switch Built from the Ground Up to Deliver an Optimal Virtual Private Cloud Table of Contents Virtualization Fueling New Possibilities Virtual Private Cloud Offerings... 2 Current Approaches

More information

Simplifying Virtual Infrastructures: Ethernet Fabrics & IP Storage

Simplifying Virtual Infrastructures: Ethernet Fabrics & IP Storage Simplifying Virtual Infrastructures: Ethernet Fabrics & IP Storage David Schmeichel Global Solutions Architect May 2 nd, 2013 Legal Disclaimer All or some of the products detailed in this presentation

More information

Lecture 02b Cloud Computing II

Lecture 02b Cloud Computing II Mobile Cloud Computing Lecture 02b Cloud Computing II 吳 秀 陽 Shiow-yang Wu T. Sridhar. Cloud Computing A Primer, Part 2: Infrastructure and Implementation Topics. The Internet Protocol Journal, Volume 12,

More information

Taking the Open Path to Hybrid Cloud with Dell Networking and Private Cloud Solutions

Taking the Open Path to Hybrid Cloud with Dell Networking and Private Cloud Solutions Taking the Open Path to Hybrid Cloud with Dell Networking and Private Cloud Solutions In This Paper Frequently, the network is the stumbling point to cloud adoption SDN offers a more dynamic, virtualized

More information

Implementing Software- Defined Security with CloudPassage Halo

Implementing Software- Defined Security with CloudPassage Halo WHITE PAPER Implementing Software- Defined Security with CloudPassage Halo Introduction... 2 Implementing Software-Defined Security w/cloudpassage Halo... 3 Abstraction... 3 Automation... 4 Orchestration...

More information

U s i n g S D N - and NFV-based Servi c e s to M a x i m iz e C SP Reve n u e s a n d I n c r e ase

U s i n g S D N - and NFV-based Servi c e s to M a x i m iz e C SP Reve n u e s a n d I n c r e ase I D C T E C H N O L O G Y S P O T L I G H T U s i n g S D N - and NFV-based Servi c e s to M a x i m iz e C SP Reve n u e s a n d I n c r e ase Operational Efficiency March 2013 Adapted from Will New SDN

More information

Juniper Solutions for Turnkey, Managed Cloud Services

Juniper Solutions for Turnkey, Managed Cloud Services Juniper Solutions for Turnkey, Managed Cloud Services Three use cases for hosting and colocation service providers looking to deliver massively scalable, highly differentiated cloud services. Challenge

More information

Pluribus Netvisor Solution Brief

Pluribus Netvisor Solution Brief Pluribus Netvisor Solution Brief Freedom Architecture Overview The Pluribus Freedom architecture presents a unique combination of switch, compute, storage and bare- metal hypervisor OS technologies, and

More information

vsrx Services Gateway: Protecting the Hybrid Data Center

vsrx Services Gateway: Protecting the Hybrid Data Center Services Gateway: Protecting the Hybrid Data Center Extending Juniper Networks award-winning security products to virtualized, cloud-based, and hybrid IT environments Challenge Virtualization and cloud

More information

WildFire. Preparing for Modern Network Attacks

WildFire. Preparing for Modern Network Attacks WildFire WildFire automatically protects your networks from new and customized malware across a wide range of applications, including malware hidden within SSL-encrypted traffic. WildFire easily extends

More information

JUNIPER. One network for all demands MICHAEL FRITZ CEE PARTNER MANAGER. 1 Copyright 2010 Juniper Networks, Inc. www.juniper.net

JUNIPER. One network for all demands MICHAEL FRITZ CEE PARTNER MANAGER. 1 Copyright 2010 Juniper Networks, Inc. www.juniper.net JUNIPER One network for all demands MICHAEL FRITZ CEE PARTNER MANAGER 1 Copyright 2010 Juniper Networks, Inc. www.juniper.net 2-3-7: JUNIPER S BUSINESS STRATEGY 2 Customer Segments 3 Businesses Service

More information

A Coordinated. Enterprise Networks Software Defined. and Application Fluent Programmable Networks

A Coordinated. Enterprise Networks Software Defined. and Application Fluent Programmable Networks A Coordinated Virtual Infrastructure for SDN in Enterprise Networks Software Defined Networking (SDN), OpenFlow and Application Fluent Programmable Networks Strategic White Paper Increasing agility and

More information

How Network Virtualization can improve your Data Center Security

How Network Virtualization can improve your Data Center Security How Network Virtualization can improve your Data Center Security Gilles Chekroun SDDC, NSX Team EMEA gchekroun@vmware.com 2014 VMware Inc. All rights reserved. Security IT spending Security spending is

More information

HOW SDN AND (NFV) WILL RADICALLY CHANGE DATA CENTRE ARCHITECTURES AND ENABLE NEXT GENERATION CLOUD SERVICES

HOW SDN AND (NFV) WILL RADICALLY CHANGE DATA CENTRE ARCHITECTURES AND ENABLE NEXT GENERATION CLOUD SERVICES HOW SDN AND (NFV) WILL RADICALLY CHANGE DATA CENTRE ARCHITECTURES AND ENABLE NEXT GENERATION CLOUD SERVICES Brian Levy CTO SERVICE PROVIDER SECTOR EMEA JUNIPER NETWORKS CIO DILEMA IT viewed as cost center

More information

Software Defined Network (SDN)

Software Defined Network (SDN) Georg Ochs, Smart Cloud Orchestrator (gochs@de.ibm.com) Software Defined Network (SDN) University of Stuttgart Cloud Course Fall 2013 Agenda Introduction SDN Components Openstack and SDN Example Scenario

More information

Simplified Private Cloud Management

Simplified Private Cloud Management BUSINESS PARTNER ClouTor Simplified Private Cloud Management ClouTor ON VSPEX by LOCUZ INTRODUCTION ClouTor on VSPEX for Enterprises provides an integrated software solution for extending your existing

More information

How to Plan for Network Virtualization and SDN

How to Plan for Network Virtualization and SDN How to Plan for Network Virtualization and SDN Authored by Sponsored in part by Table of Contents Introduction...3 Crafting an NV and/or SDN Plan...3 Define NV and SDN... 3 Identify the Primary Opportunities...

More information

Software Defined Networking - a new approach to network design and operation. Paul Horrocks Pre-Sales Strategist 8 th November 2012

Software Defined Networking - a new approach to network design and operation. Paul Horrocks Pre-Sales Strategist 8 th November 2012 Software Defined Networking - a new approach to network design and operation Paul Horrocks Pre-Sales Strategist 8 th November 2012 Agenda What is Software Defined Networking What is the value of Software

More information

Smart Network. Smart Business. Alteon NG Solution Brochure

Smart Network. Smart Business. Alteon NG Solution Brochure Smart Network. Smart Business. Alteon NG Solution Brochure Alteon NG, Radware s next-generation application delivery controller (ADC), is designed from the ground up to ensure predictable application

More information

Sikkerhet Network Protector SDN app Geir Åge Leirvik HP Networking

Sikkerhet Network Protector SDN app Geir Åge Leirvik HP Networking Sikkerhet Network Protector SDN app Geir Åge Leirvik HP Networking Agenda BYOD challenges A solution for BYOD Network Protector SDN matched with industry leading service How it works In summary BYOD challenges

More information

SDN for Wi-Fi OpenFlow-enabling the wireless LAN can bring new levels of agility

SDN for Wi-Fi OpenFlow-enabling the wireless LAN can bring new levels of agility WHITEPAPER SDN for Wi-Fi OpenFlow-enabling the wireless LAN can bring new levels of agility Copyright 2014 Meru Networks, Inc. All rights reserved. Table of Contents Executive summary... 3 Introduction...

More information

BRINGING NETWORKS TO THE CLOUD ERA

BRINGING NETWORKS TO THE CLOUD ERA BRINGING NETWORKS TO THE CLOUD ERA SDN enables new business models Aruna Ravichandran VICE PRESIDENT, MARKETING AND STRATEGY ARAVICHANDRAN@JUNIPER.NET SOFTWARE DEFINED NETWORKING (SDN), JUNIPER NETWORKS

More information

SOLUTION BRIEF Citrix Cloud Solutions Citrix Cloud Solution for Disaster Recovery

SOLUTION BRIEF Citrix Cloud Solutions Citrix Cloud Solution for Disaster Recovery SOLUTION BRIEF Citrix Cloud Solutions Citrix Cloud Solution for Disaster Recovery www.citrix.com Contents Introduction... 3 Fitting Disaster Recovery to the Cloud... 3 Considerations for Disaster Recovery

More information

Use Case Brief BUILDING A PRIVATE CLOUD PROVIDING PUBLIC CLOUD FUNCTIONALITY WITHIN THE SAFETY OF YOUR ORGANIZATION

Use Case Brief BUILDING A PRIVATE CLOUD PROVIDING PUBLIC CLOUD FUNCTIONALITY WITHIN THE SAFETY OF YOUR ORGANIZATION Use Case Brief BUILDING A PRIVATE CLOUD PROVIDING PUBLIC CLOUD FUNCTIONALITY WITHIN THE SAFETY OF YOUR ORGANIZATION At many enterprises today, end users are demanding a powerful yet easy-to-use Private

More information

Software Defined Networking (SDN)

Software Defined Networking (SDN) Software Defined Networking (SDN) Your Route to Agility, Accuracy and Availability Bob Shaw, President and CEO, Net Optics, Inc. About the Author Bob Shaw, President and CEO, Net Optics Inc. As President

More information

Accelerating Micro-segmentation

Accelerating Micro-segmentation WHITE PAPER Accelerating Micro-segmentation THE INITIAL CHALLENGE WAS THAT TRADITIONAL SECURITY INFRASTRUCTURES WERE CONCERNED WITH SECURING THE NETWORK BORDER, OR EDGE, WITHOUT BUILDING IN EFFECTIVE SECURITY

More information

WHITE PAPER. Data Center Fabrics. Why the Right Choice is so Important to Your Business

WHITE PAPER. Data Center Fabrics. Why the Right Choice is so Important to Your Business WHITE PAPER Data Center Fabrics Why the Right Choice is so Important to Your Business Introduction Data center fabrics are emerging as the preferred architecture for next-generation virtualized data centers,

More information

Secure Clouds - Secure Services Trend Micro best-in-class solutions enable data center to deliver trusted and secure infrastructures and services

Secure Clouds - Secure Services Trend Micro best-in-class solutions enable data center to deliver trusted and secure infrastructures and services Secure Clouds - Secure Services Trend Micro best-in-class solutions enable data center to deliver trusted and secure infrastructures and services Udo Schneider Trend Micro Udo_Schneider@trendmicro.de 26.03.2013

More information

Delivering Managed Services Using Next Generation Branch Architectures

Delivering Managed Services Using Next Generation Branch Architectures Delivering Managed Services Using Next Generation Branch Architectures By: Lee Doyle, Principal Analyst at Doyle Research Sponsored by Versa Networks Executive Summary Network architectures for the WAN

More information

Intro to NSX. Network Virtualization. 2014 VMware Inc. All rights reserved.

Intro to NSX. Network Virtualization. 2014 VMware Inc. All rights reserved. Intro to NSX Network Virtualization 2014 VMware Inc. All rights reserved. Agenda Introduction NSX Overview Details: Microsegmentation NSX Operations More Information SDDC/Network Virtualization Security

More information

Radware ADC-VX Solution. The Agility of Virtual; The Predictability of Physical

Radware ADC-VX Solution. The Agility of Virtual; The Predictability of Physical Radware ADC-VX Solution The Agility of Virtual; The Predictability of Physical Table of Contents General... 3 Virtualization and consolidation trends in the data centers... 3 How virtualization and consolidation

More information

Mock RFI for Enterprise SDN Solutions

Mock RFI for Enterprise SDN Solutions Mock RFI for Enterprise SDN Solutions Written By Sponsored By Table of Contents Background and Intended Use... 3 Introduction... 3 Definitions and Terminology... 7 The Solution Architecture... 10 The SDN

More information

How To Buy Nitro Security

How To Buy Nitro Security McAfee Acquires NitroSecurity McAfee announced that it has closed the acquisition of privately owned NitroSecurity. 1. Who is NitroSecurity? What do they do? NitroSecurity develops high-performance security

More information

Simplify IT. With Cisco Application Centric Infrastructure. Roberto Barrera rbarrera@grupo-dice.com. VERSION May, 2015

Simplify IT. With Cisco Application Centric Infrastructure. Roberto Barrera rbarrera@grupo-dice.com. VERSION May, 2015 Simplify IT With Cisco Application Centric Infrastructure Roberto Barrera rbarrera@grupo-dice.com VERSION May, 2015 Content Understanding Software Definded Network (SDN) Why SDN? What is SDN and Its Benefits?

More information

BROCADE NETWORKING: EXPLORING SOFTWARE-DEFINED NETWORK. Gustavo Barros Systems Engineer Brocade Brasil

BROCADE NETWORKING: EXPLORING SOFTWARE-DEFINED NETWORK. Gustavo Barros Systems Engineer Brocade Brasil BROCADE NETWORKING: EXPLORING SOFTWARE-DEFINED NETWORK Gustavo Barros Systems Engineer Brocade Brasil Software- Defined Networking Summary Separate control and data planes Networks are becoming: More programmatic

More information

Securing the Virtualized Data Center With Next-Generation Firewalls

Securing the Virtualized Data Center With Next-Generation Firewalls Securing the Virtualized Data Center With Next-Generation Firewalls Data Center Evolution Page 2 Security Hasn t Kept Up with Rate Of Change Configuration of security policies are manual and slow Weeks

More information