Security Monitoring and Enforcement for the Cloud Model

Transcription

1 Security Monitoring and Enforcement for the Cloud Model Aryan TaheriMonfared June 21, 2013

2 Agenda 1 Infrastructure Architecture for a Cloud IaaS Provider Foot View 1000 Foot View Networking inside a Rack Tenant Network Logical View 2 Definition Rationality Use Cases 3 Data-intensive framework for network monitoring NV-aware Framework for Cloud Model 4 5

3 Outline Infrastructure Architecture for a Cloud IaaS Provider Foot View 1000 Foot View Networking inside a Rack Tenant Network Logical View 1 Infrastructure Architecture for a Cloud IaaS Provider Foot View 1000 Foot View Networking inside a Rack Tenant Network Logical View

4 Multiple Cells Foot View 1000 Foot View Networking inside a Rack Tenant Network Logical View

5 Single Cell Infrastructure Architecture for a Cloud IaaS Provider Foot View 1000 Foot View Networking inside a Rack Tenant Network Logical View

6 Inside a Rack Foot View 1000 Foot View Networking inside a Rack Tenant Network Logical View

7 Inside a Compute Node Foot View 1000 Foot View Networking inside a Rack Tenant Network Logical View

8 Network Logical View Foot View 1000 Foot View Networking inside a Rack Tenant Network Logical View

9 10000 Foot View 1000 Foot View Networking inside a Rack Tenant Network Logical View Any Networking?

10 10000 Foot View 1000 Foot View Networking inside a Rack Tenant Network Logical View Any Networking? Yes, lots of them :)

11 10000 Foot View 1000 Foot View Networking inside a Rack Tenant Network Logical View Any Networking? Deployment complexity Maintenance cost Tenant s network isolation and end-to-end connectivity Tenant s traffic monitoring Security enforcement

12 10000 Foot View 1000 Foot View Networking inside a Rack Tenant Network Logical View Deployment complexity and Maintenance cost Increased number of networking devices by the factor of cluster size Virtualized networking devices

13 10000 Foot View 1000 Foot View Networking inside a Rack Tenant Network Logical View Tenant s traffic isolation and end-to-end connectivity VLAN tagging GRE tunnels, EoIP tunnels Namespaces in Linux networking stack

14 10000 Foot View 1000 Foot View Networking inside a Rack Tenant Network Logical View Tenant s network monitoring How to distinguish between tenants traffic?

15 10000 Foot View 1000 Foot View Networking inside a Rack Tenant Network Logical View Tenant s network monitoring How to distinguish between tenants traffic? VLAN IDs? GRE addresses? Namespaces?

16 10000 Foot View 1000 Foot View Networking inside a Rack Tenant Network Logical View Tenant s network monitoring How to get the information in real-time?

17 10000 Foot View 1000 Foot View Networking inside a Rack Tenant Network Logical View Tenant s network monitoring How to get the information in real-time? Querying: network management service? platform controller? each compute node?

18 10000 Foot View 1000 Foot View Networking inside a Rack Tenant Network Logical View Security enforcement Where to put security middle boxes? How to control and federate them with the rest of platform s components?

19 Outline Infrastructure Architecture for a Cloud IaaS Provider Definition Rationality Use Cases 1 Infrastructure Architecture for a Cloud IaaS Provider 2 Definition Rationality Use Cases 3 4 5

20 Definition Rationality Use Cases

21 Definition Rationality Use Cases What is Software Defined Networking? Separation of the control plane from the data plane. Provides: more control, better guarantees, NOT necessarily simplicity Coined by Nick McKeown in 2009 E.g. Ethane, OpenFlow

22 Why do we need SDN? Definition Rationality Use Cases in today s networks No communication guarantees SDN can provides: Distributed states

23 Why do we need SDN? Definition Rationality Use Cases in today s networks No communication guarantees Individual configuration of physical devices SDN can provides: Distributed states More control

24 Why do we need SDN? Definition Rationality Use Cases in today s networks No communication guarantees Individual configuration of physical devices Tightly coupled with network-level protocol SDN can provides: Distributed states More control General forwarding model

25 What is Network Virtualization? Definition Rationality Use Cases Faithful reproduction of physical network services Decoupling the (virtual) network services from the physical network. Coexistence of multiple virtual networks on the same physical substrate. Provides operational simplification

26 SDN Use-cases Definition Rationality Use Cases Flexible virtualization platform Security services Bandwidth on Demand Applications Multipath networking for higher utilization and efficiency Network Administration Mobility

27 Outline Infrastructure Architecture for a Cloud IaaS Provider Data-intensive framework for network monitoring NV-aware Framework for Cloud Model 1 Infrastructure Architecture for a Cloud IaaS Provider 2 3 Data-intensive framework for network monitoring NV-aware Framework for Cloud Model 4 5

28 of Data-intensive framework for network monitoring NV-aware Framework for Cloud Model Data related Storing very large datasets Processing ad-hoc queries Archiving and handling long-term jobs Cloud related Multi-tenant environment with a shared pool of resource Lack of unified view of the networking devices (virtual and physical)

29 Data-intensive framework for network monitoring NV-aware Framework for Cloud Model Framework for Handling Monitoring Data Requirements: Reliable, distributed, scalable underlying storage (e.g. Apache HDFS, MooseFS, irods) Real-time data store for ad-hoc queries (e.g. Apache HBase, OpenTSDB) MapReduce framework for long-term queries (e.g. Apache Hadoop)

30 WorkFlow Infrastructure Architecture for a Cloud IaaS Provider Data-intensive framework for network monitoring NV-aware Framework for Cloud Model Collecting flow information from networking devices Initial analysis and anonymization Importing data to the real-time data store Storing indexes in a time series database

31 Data-intensive framework for network monitoring NV-aware Framework for Cloud Model Case Study: Norwegian NREN + UiS UX Traffic Dataset volume in data store: 8.9 TB Avg. number of flows per day: 22 million (Peak: 44 million) Trondheim Gateway 1 2.5e+07 2e+07 src dst srcport dstport flow netflow records 1.5e+07 1e+07 5e Time

32 Results Infrastructure Architecture for a Cloud IaaS Provider Data-intensive framework for network monitoring NV-aware Framework for Cloud Model Planned Queries Can execute queries which were not possible before e.g. Top-K host pairs query over a long time period Avg. execution time: 26 minutes for 150 days of data Ad-hoc Queries Real-time responses for: Source-Destination discovery Service discovery Exploratory queries

33 Data-intensive framework for network monitoring NV-aware Framework for Cloud Model (a) Number of operations per seconds in HBase (b) Operation latency in HBase (c) HDFS IO (d) Jobs finishing time Figure: Aryan Storage TaheriMonfared performance under different Security implementations Monitoring and Enforcement (SNS: for the Cloud Single Modelday

34 NV-aware Framework Data-intensive framework for network monitoring NV-aware Framework for Cloud Model Use SDN for building and maintaining Virtual Networks Retrieve information about provisioned resources from SDN controller Distinguish tenants activities using the retrieved information

35 Data-intensive framework for network monitoring NV-aware Framework for Cloud Model Case Study: OpenStack Deployment at UX UiS OpenFlow controller (FloodLight) communicates with networking service (Quantum) OF controller manages virtual switches Flow information (NetFlow + sflow) collected at monitoring node Monitoring node communicates with OF controller and provide per-tenant information

36 Data-intensive framework for network monitoring NV-aware Framework for Cloud Model

37 Outline 1 Infrastructure Architecture for a Cloud IaaS Provider

38

39 Outline 1 Infrastructure Architecture for a Cloud IaaS Provider

40 Inter-Domain Routing

41 References S Deployment/CampusMeeting /Stanford_OpenFlow.pdf openflow-tr flowvisor.pdf GoogleSDN.pdf sdn-use-case-multipath-tcp-at-caltech-and-cern/

42 Q?A! Thank you!