Wedge Networks: Transparent Service Insertion in SDNs Using OpenFlow



Similar documents
SSL Inspection Step-by-Step Guide. June 6, 2016

Ethernet-based Software Defined Network (SDN) Cloud Computing Research Center for Mobile Applications (CCMA), ITRI 雲 端 運 算 行 動 應 用 研 究 中 心

Radware s Attack Mitigation Solution On-line Business Protection

NETWORK FUNCTIONS VIRTUALIZATION FOR SECURITY (NFV-S)

Software Defined Networking A quantum leap for Devops?

基 於 SDN 與 可 程 式 化 硬 體 架 構 之 雲 端 網 路 系 統 交 換 器

Open SDN for Network Visibility

Load Balancing Web Proxies Load Balancing Web Filters Load Balancing Web Gateways. Deployment Guide

Software-Defined Networking. Starla Wachsmann. University Of North Texas

SECURE WEB GATEWAY DEPLOYMENT METHODOLOGIES

FortiMail Filtering Course 221-v2.2 Course Overview

APPLICATION-AWARE ROUTING IN SOFTWARE-DEFINED NETWORKS

Networking for Caribbean Development

Stanford SDN-Based Private Cloud. Johan van Reijendam Stanford University

SonicWALL Clean VPN. Protect applications with granular access control based on user identity and device identity/integrity

Why ISPs need SDN: SDN-based Network Service Chaining and Software-defined Multicast

ViSION Status Update. Dan Savu Stefan Stancu. D. Savu - CERN openlab

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Business Cases for Brocade Software-Defined Networking Use Cases

Flow Analysis Versus Packet Analysis. What Should You Choose?

Zscaler Internet Security Frequently Asked Questions

Benchmarking the SDN controller!

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

FortiMail Filtering Course 221-v2.0. Course Overview. Course Objectives

SHARE THIS WHITEPAPER

Multiple Service Load-Balancing with OpenFlow

SDN AND SECURITY: Why Take Over the Hosts When You Can Take Over the Network

How To Switch A Layer 1 Matrix Switch On A Network On A Cloud (Network) On A Microsoft Network (Network On A Server) On An Openflow (Network-1) On The Network (Netscout) On Your Network (

Advanced Security Services with Trend Micro Deep Security and VMware NSX Platforms

Flexible SDN Transport Networks With Optical Circuit Switching

Panopticon: Incremental SDN Deployment in Enterprise Networks

Networking and High Availability

Astaro Gateway Software Applications

PLUMgrid Toolbox: Tools to Install, Operate and Monitor Your Virtual Network Infrastructure

Technical Note. ISP Protection against BlackListing. FORTIMAIL Deployment for Outbound Spam Filtering. Rev 2.2

Networking and High Availability

SOFTWARE-DEFINED NETWORKING AND OPENFLOW

Moving Beyond Proxies

Group-Based Policy for OpenStack

OpenFlow Technology Investigation Vendors Review on OpenFlow implementation

BlackRidge Technology Transport Access Control: Overview

The Software Defined Hybrid Packet Optical Datacenter Network SDN AT LIGHT SPEED TM CALIENT Technologies

OpenFlow: Load Balancing in enterprise networks using Floodlight Controller

Lumeta IPsonar. Active Network Discovery, Mapping and Leak Detection for Large Distributed, Highly Complex & Sensitive Enterprise Networks

Brocade One Data Center Cloud-Optimized Networks

Testing Challenges for Modern Networks Built Using SDN and OpenFlow

Software Defined Networks

Load Balancing McAfee Web Gateway. Deployment Guide

The Leading Security Suites

Software Defined Networking What is it, how does it work, and what is it good for?

Network Security through Software Defined Networking: a Survey

2. Are explicit proxy connections also affected by the ARM config?

Software-Defined Networks Powered by VellOS

OpenFlow and Software Defined Networking presented by Greg Ferro. OpenFlow Functions and Flow Tables

Simplifying Data Data Center Center Network Management Leveraging SDN SDN

VERITAS Cluster Server Traffic Director Option. Product Overview

Network Simulation Traffic, Paths and Impairment

How To Use An Iboss For Free On A Network With A Network (Networking) On A Pc Or Mac Or Ipod On A Server (For A Pnet) On An Ipon (For Free) On Your Ipon On A

Testing Software Defined Network (SDN) For Data Center and Cloud VERYX TECHNOLOGIES

Content Security Gateway Series Real-time Gateway Web Security Against Spyware and Viruses

Direct or Transparent Proxy?

NETASQ MIGRATING FROM V8 TO V9

ADVANCED SECURITY MECHANISMS TO PROTECT ASSETS AND NETWORKS: SOFTWARE-DEFINED SECURITY

Barracuda Load Balancer Administrator s Guide

Software Defined Network (SDN)

Load Balancing Sophos Web Gateway. Deployment Guide

Campus Experiences. Johan van Reijendam Stanford University

Software Defined Networking (SDN) and OpenStack. Christian Koenning

When your users take devices outside the corporate environment, these web security policies and defenses within your network no longer work.

SOFTWARE DEFINED NETWORKING: INDUSTRY INVOLVEMENT

How To Understand The Power Of The Internet

Huawei Network Edge Security Solution

SDN Security Considerations in the Data Center. ONF Solution Brief October 8, 2013

Boosting Business Agility through Software-defined Networking

Network Agent Quick Start

Firewall Sandwich. Aleksander Kijewski Presales Engineer Dell Software Group. Dell Security Peak Performance

Increase Simplicity and Improve Reliability with VPLS on the MX Series Routers

SDN/Virtualization and Cloud Computing

WAN Optimization, Web Cache, Explicit Proxy, and WCCP. FortiOS Handbook v3 for FortiOS 4.0 MR3

Cisco Wide Area Application Services (WAAS) Software Version 4.0

Load Balancing Trend Micro InterScan Web Gateway

A Look at the New Converged Data Center

FortiMail Filtering. Course for FortiMail v4.0. Course Overview

How To Orchestrate The Clouddusing Network With Andn

SDN_CDN Documentation

How To Make A Vpc More Secure With A Cloud Network Overlay (Network) On A Vlan) On An Openstack Vlan On A Server On A Network On A 2D (Vlan) (Vpn) On Your Vlan

New Virtual Application Networks Innovations Advance Software-defined Network Leadership

Next-Generation Firewalls: Critical to SMB Network Security

Software-Defined Networking for the Data Center. Dr. Peer Hasselmeyer NEC Laboratories Europe

Software-Defined Networking Architecture Framework for Multi-Tenant Enterprise Cloud Environments

Availability Digest. Redundant Load Balancing for High Availability July 2013

Software Defined Network Application in Hospital

Network Virtualization and Software-defined Networking. Chris Wright and Thomas Graf Red Hat June 14, 2013

Transcription:

Wedge Networks: EXECUTIVE SUMMARY In this paper, we will describe a novel way to insert Wedge Network s multiple content security services (such as Anti-Virus, Anti-Spam, Web Filtering, Data Loss Prevention, Advanced Persistent Threats and Mobile Security) into an existing SDN network with minimal operational impact while providing maximum security. Using SDN and OpenFlow, we show how traffic can be dynamically steered towards a transparent malware detection platform, allowing non-intrusive insertion of security services within a cloud service provider or enterprise datacenter. The SDN method has advantages over traditional methods using WCCP, policy-based routing, direct insertion or proxies. In particular, the value for cloud providers and datacenter are that this novel method is: Transparent: Non-intrusive insertion of value-added security services Efficient and high-performance: Ability to pick up only relevant flows to direct to the platform while leaving other flows untouched, and using high-performance switches with fast fabrics means no unnecessary load on routers (compared to WCCP and PBR) Dynamic and flexible: Service providers can dynamically decide which flows to direct to the platform and reconfigure on the fly as required on a per customer basis SDN provides a new way for cloud service providers and enterprise data centers to insert valuable services into the data stream. As an innovative provider of L4-7 security services, Wedge Networks has demonstrated a viable technique of transparent service insertion using SDN and OpenFlow that service providers and enterprise infrastructure teams should consider. Introduction With today s business requirements for security and flexibility while maintaining reliability and transparency, CISOs are looking for ways to improve their security capabilities without impacting user productivity or adding unnecessary complexity to their network. The constantly increasing number of malware attacks, spam, and phishing activities has organizations and service providers scrambling to find ways to secure their networks. Historically, adding security services into a user network required downtime to orchestrate a topology change while the network was reconfigured, a new security appliance inserted, and multiple content security services turned on and debugged. However, with the advent of software-defined networking (SDN) and OpenFlow-enabled switches, there is now a better way. Wedge Networks Whitepaper Page 1 of 5 September 2012

Specifically, we will be using OpenFlow to pick out specific services and direct them transparently in a manner that does not impact the underlying network, without the need to re-cable the physical network Setup The setup consists of an OpenFlow-enabled switch, a WedgeOS platform with Anti-Spam and Anti- Virus modules running and configured to listen to HTTP, HTTPS, POP3 and SMTP service ports. For our lab setup, we have chosen to use the HP 3500yl switch, with OpenFlow firmware dated February 2012. There are multiple other providers of OpenFlow-enabled switches as well including Juniper, Brocade, IBM, NEC and Pica8. The techniques used in this setup will work with any OpenFlow 1.0- compliant switch. For traffic generation, we used Spirent s Avalanche L4-7 traffic generation product as both client and server, acting as source and sink for TCP service ports 80, 110 and 25 representing HTTP, POP3 and SMTP. The following shows the topology of the setup: WedgeOS L4-7 Security Services Platform HP 3500yl switch with OpenFlow firmware Spirent Avalanche Client and Server Emulation for SMTP and HTTP Linux Server running Floodlight opensource OpenFlow controller The HP switch was connected to a server running the open-source Floodlight controller, and the rules were configured via scripts calling the RESTful interface on the Floodlight controller. We inserted the appropriate flow rules to allow the testbed baseline traffic to be run: Flows to allow ARP requests and responses to pass between the appropriate ports that need to communicate. Initially, this was between switch ports connected to the client interface and server interface of the Avalanche. Wedge Networks Whitepaper Page 2 of 5 September 2012

Allowed specific flows on the appropriate TCP ports 80, 110 and 25 to be forwarded from the client interface of the Avalanche to the server interface, setting up bi-directional flows using TCP destination and source port matches. Avalanche Client Port Avalanche Server Port TCP Port 25, 80, 110 traffic allowed using dst port and src port match on both ingress and egress flows Transparent Service Insertion Once traffic was flowing smoothly between the Avalanche client and server ports, simulating a regular datacenter network, we invoked a set of scripts that triggered the service insertion of the WedgeOS platform to inspect port 80, 110 and port 25 traffic. The WedgeOS platform was placed in transparent mode to provide minimal impact to the data stream. To achieve the service insertion, the scripts performed the following steps via the OpenFlow controller: ARP flows were redirected via the WedgeOS platform. We replaced the previous ARP flows with two pairs of new flows: one between the client interface of the Avalanche and ingress interface of the Wedge appliance and another between the egress interface of the Wedge appliance and the server interface of the Avalanche TCP port matching rules for ports 80 and 25 were pushed down to the switch, redirecting incoming flows destined for TCP ports 80 and 25 to the WedgeOS platform ingress port, and directed the same flows out of the egress port to the Avalanche server interface A set of return flows (with TCP source ports 80 and 25) were configured from the Avalanche server interface, through the WedgeOS egress port first, then the ingress port back to the Avalanche client Wedge Networks Whitepaper Page 3 of 5 September 2012

Avalanche Client Port Wedge Ingress Port TCP Port 25, 80, 110 dst port flow from Avalanche to Wedge TCP Port 25, 80, 100 src port flows from Wedge to Avalanche Wedge Egress Port Avalanche Server Port TCP Port 25, 80, 110 dst port flow from Wedge to Avalanche TCP Port 25, 80, 100 src port flows from Avalanche to Wedge Results There was no perceptible negative impact, latency or otherwise, on the traffic flows on ports 80 and 25 when the WedgeOS platform was inserted to inspect the traffic. The flows continued seamlessly while the WedgeOS inspected traffic on ports 80 and 25 as evidenced by live statistics on the WedgeOS Web GUI. This technique can be extended to directly select TCP flows into any type of transparent service infrastructure to perform security scanning and monitoring services. If large payloads were involved with executable content, there could possibly be latency introduced due to scanning services, but the key value-add of this approach is complete transparency to the data streams. Benefits of the SDN Approach Today s conventional deployments of network-based security services fall into several categories: In-line, hard-wired transparent bridge: requires direct physical connections, inflexible and forces all protocols to run through the device regardless of whether they are being scanned or not. Trying to scale requires load-balancing techniques that are complicated if not all together impossible in practical deployments. Pre-configured explicit proxy: requires configuration changes, non-transparent and does not allow quick insertion or removal of the L4-7 services. Tends to be very hard to manage. WCCP: requires edge routers to support WCCP and expensive hardware that can do this without performance or data stream impact Policy based routing (PBR): requires careful consideration of return path to prevent asymmetric routing loops, and assignment of a dedicated layer 3 subnet for the platforms running the service. Can also degrade performance on routers with additional compute. Wedge Networks Whitepaper Page 4 of 5 September 2012

The SDN approach described and tested successfully above demonstrates that using OpenFlow to insert L4-7 services can achieve the following benefits: Transparency: this approach does not require any kind of pre-configuration and can be turned on and off at will. Value-add L4-7 services can be inserted with minimal to no impact on existing topology and live data streams. Efficiency and performance: this technique provides fine-grained controls to pick up only relevant flows to direct to the services platform while leaving other flows untouched. It saves on the services platform having to process unnecessary data and the same technique can also be used to load-balance and direct specific flows to different services platforms. This allows for service differentiation and scaling much better than any traditional method. Furthermore, because OpenFlow switches have high switching bandwidth at low costs, serving even 10s of Gigabits of traffic will not present a problem. Flexibility and dynamism: the approach allows the service provider to dynamically decide which flows to direct to the platform and reconfigure on the fly. The flexibility could allow for self-service purchase of value-add services, with automated provisioning that can safely and quickly insert new services on-the-fly into production networks. In summary, SDN provides a new way for cloud service providers and enterprise data centers to insert valuable content security services such as Data Loss Prevention and mobile security in addition to the mainstays such as Anti-Virus, Anti-Spam and Web Filtering that Wedge Networks provides into the data stream. Wedge Networks has demonstrated in this innovative testbed setup that the SDN method can be transparent, efficient and highly agile and dynamic compared to existing deployment topologies. Service providers and enterprise IT infrastructure teams considering deploying new architectures within their datacenters and edge networks should evaluate an SDN-based solution around the architecture we have proven in this testbed. About Wedge Wedge Networks is the leader in real-time Content Security and Compliance solutions for enterprises and service providers. Our patented WedgeOS platform provides the next generation security infrastructure to detect, protect against, and control threats, information leaks, and allows future security functions to run on the network. At its core is our Deep Content Inspection technology, which moves beyond the application layer to allow full access to all content passing through the network in real time. It uniquely provides the most depth in scanning without compromising performance, loading clients, and remaining completely transparent to network traffic. Software systems and hardware appliances running on WedgeOS are deployed globally, delivering security protection for tens of millions of users in Fortune 500 companies, government agencies, internet service providers, and across all industry verticals. For more information, visit www.wedgenetworks.com. Wedge Networks Whitepaper Page 5 of 5 September 2012

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information