How OpenFlow-based SDN can increase network security
Charles Ferland, IBM System Networking, representing the ONF
ferland@de.ibm.com, +49 151 1265 0830
Slide 2: Important elements
  The objective is to build SDN networks that are as secure as, or more secure than, traditional networks.
  SDN networks are very different from traditional networks, hence so is the way to protect them.
  Existing security threats might not apply to an SDN network, but new ones can.
  SDN holds a huge potential to increase overall security within the network.
October 2012, Representing the ONF: Charles Ferland, IBM System Networking
Slide 3: The best security is no-touch security
  A simple PING from one server to another requires several configuration touch points:
    several different manufacturers/vendors,
    several different functional groups.
  [Diagram: a configuration touch point on every device (switches and router) along the path between the two servers.]
  The more manual work required, the more potential for error, and therefore the more security risk is introduced.
Slide 4: The best security is no-touch security
  A single logical configuration touch point.
  Network configuration is flow and application driven instead of being driven by physical ports and features.
  Less manual configuration reduces the risk of errors, especially in a highly dynamic environment.
  [Diagram: a single configuration touch point at the controller, with the switches and router along the path configured from it.]
  Single logical configuration touch point, regardless of vendors, etc.
Slide 5: In-band or out-of-band management
  A separate and dedicated network can be set up for the communication between the controller and the networking devices.
  Low latency, lossless.
  The management network can be a traditional network; it does not need to be OpenFlow-aware.
  Production traffic does not mix with the control traffic.
Slide 6: IBM PNC example configuration
  An example of a network configured with IBM PNCs in a redundant manner is as follows.

  Interface     IBM PNC#1         Floating IP     Interface     IBM PNC#2
  eth0          192.168.1.1/24    192.168.1.10    eth0          192.168.1.2/24
  eth2          192.168.2.1/24    192.168.2.10    eth2          192.168.2.2/24
  eth4          192.168.3.1/24    192.168.3.10    eth4          192.168.3.2/24
  bond0         192.168.0.1/24    -               bond1         192.168.0.2/24
  (eth3, eth5)                                    (eth3, eth5)

  [Diagram: IBM PNC control network. IBM PNC #1 and IBM PNC #2 each expose eth0, eth2 and eth4 toward the network for controlling OpenFlow switches, reached through Floating IP1, Floating IP2 and Floating IP3. eth3 and eth5 on each PNC are bonded (bond0) and connected directly between the two PNCs for the cluster.]
Slide 7: SDN security in 3 acts
  Controller must be secure:
    OS security.
    Application security.
    Errors are an order of magnitude more consequential.
  Protocol must be secure:
    TLS session establishment protocol for communication.
    Mutual authentication via certificate exchange.
    Limited control plane messaging options.
  Device must be secure:
    Authentication against the controller.
    CPU capability to encrypt control plane messages.
    Slice resources for multiple tenants.
Slide 8: Cloud multi-tenancy
  If no flows are configured between customers, their traffic can safely co-exist.
  [Diagram: Customer 1, Customer 2 and Customer 3 virtual networks, each holding its own VMs and managed by its own OpenFlow controller.]
Slide 9: SDN: smarter use of network and appliances
  [Diagram: SDN controller holding the global topology view and global link state, receiving server/application feedback.]
  Appliance sharing lets the network provider use the resources more effectively.
Slide 10: Advanced route control
  Route control by OpenFlow:
    (1) Efficient use of network bandwidth through route control on a per-flow basis.
    (2) Improved ease of maintenance of network devices through one-sided flows.
  Specific functions become available through the OpenFlow controller:
    (3) Specify which devices (such as LB and FW) the packet goes through.
  [Diagram: the controller steers Flow 1 and Flow 2 between App 1 and App 2 on two servers; (2) one-sided flows leave a device free for maintenance; (3) a firewall and a load balancer are inserted into the path.]
Slide 11: SDN/OpenFlow SPAN and TAP
  Diagnostics, compliance monitoring, auditing.
  Parallel network for diagnostics, compliance and auditing.
  Open, standards-based, cost-effective solution.
  Move flows from SPAN or TAP to OpenFlow switches.
  Cost-effective alternative to special-purpose devices.
Slide 12: Redirecting live traffic
  Record/audit.
  Selected and interesting traffic can be mirrored to additional switch ports.
  Dynamic rules can define which traffic is mirrored.
  No TAP or similar devices needed, hence every port can be mirrored.
  Recording or audit technology can monitor the network traffic.
Slide 13: IPS/IDS interaction
  IPS/IDS software can analyze network traffic and communicate with the controller.
  Possible actions: deny communication of suspicious traffic between servers.
  FortNOX Reflector Nets demo.
Slide 14: Security: rule conflict analysis
  FortNOX incorporates a live rule conflict detection engine.
  Rule conflict: arises when a new candidate rule enables or disables a network flow that is otherwise inversely prohibited (or allowed) by existing rules.
  Alias set rule reduction: a method for detecting flow rule conflicts, even when set operations are used.
  SEE DEMO 1: Security Constraints Enforcement [high-res .mov or YouTube].
  [Diagram: hosts H1, H2, H3, H4 with the security constraint H1 /= H4 (H1 may not communicate with H4) and the flow rules H1 = H2 and H3 = H4.]
  Phillip Porras, Martin Fong, Vinod Yegneswaran, Mabry Tyson, Computer Science Laboratory, SRI International.
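
The following is an added illustration of alias set rule reduction in the spirit of the slide (it is not FortNOX's or SRI's code): a candidate rule's match fields are widened by the values its set-field actions rewrite to, chained rewrites across existing forwarding rules are folded in, and the result is checked against rules of the opposite disposition. Hosts H1 to H4 and the rule format are constructed to mirror the slide's notation.

```python
"""Alias-set rule reduction for OpenFlow rule conflict detection.

Added illustration in the spirit of FortNOX's approach (not SRI's own code).
A rule matches (src, dst), has a disposition ('allow' or 'drop') and may
carry set-field actions that rewrite src or dst before forwarding.
Host names H1..H4 are constructed to mirror the slide's notation.
"""


def reduce_rule(rule):
    """Alias sets: the matched field plus every value a set action rewrites to."""
    acts = rule.get("actions", [])
    src = {rule["src"]} | {v for a, v in acts if a == "set_src"}
    dst = {rule["dst"]} | {v for a, v in acts if a == "set_dst"}
    return src, dst


def conflicts(candidate, table):
    """Return the existing rules whose disposition the candidate would invert.

    For an 'allow' candidate the alias sets are grown through existing allow
    rules whose aliases overlap, so rewrites chained across several rules
    (H1 -> H2 -> H3 -> H4) are still caught. This is a conservative check:
    it may over-report, but it never misses a direct rewrite conflict.
    """
    c_src, c_dst = reduce_rule(candidate)
    if candidate["disposition"] == "allow":
        changed = True
        while changed:  # fixpoint over chained rewrites
            changed = False
            for rule in table:
                if rule["disposition"] != "allow":
                    continue
                r_src, r_dst = reduce_rule(rule)
                overlaps = r_src & c_src and r_dst & c_dst
                if overlaps and not (r_src <= c_src and r_dst <= c_dst):
                    c_src |= r_src
                    c_dst |= r_dst
                    changed = True
    found = []
    for rule in table:
        r_src, r_dst = reduce_rule(rule)
        inverse = rule["disposition"] != candidate["disposition"]
        if inverse and r_src & c_src and r_dst & c_dst:
            found.append(rule)
    return found


# Security constraint from the slide: H1 must never reach H4.
SECURITY_TABLE = [{"src": "H1", "dst": "H4", "disposition": "drop"}]

if __name__ == "__main__":
    # Candidate forwards H1 -> H2 but rewrites the destination to H4: conflict.
    evasive = {"src": "H1", "dst": "H2", "disposition": "allow",
               "actions": [("set_dst", "H4")]}
    print(conflicts(evasive, SECURITY_TABLE))
```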
Slide 15: Software customization
  Previously closed network operating systems are now open to software development.
  Security threats can rapidly be developed and deployed across a large network infrastructure.
  [Diagram: the traditional model, where each box of specialized packet forwarding hardware runs its own operating system and applications, compared with the SDN model, where a network operating system and a security application run above simple packet forwarding hardware.]
Slide 16: Opening the door to applications
  Smart analytics: credit card fraud, financial threats, known malicious security patterns.
  Specialized security software can be utilized: clever analytics, trend analysis, complex security detection, etc.
  The controller provides a common, standards-based platform.
Slide 17: Opening the door to applications
  Known security signatures.
  Since the controller can potentially see all traffic, specialized software can be loaded to recognize known security threats.
  Messages from the controller to the data plane can intercept the security threats: virus signatures, etc.
Slide 18: Application and controller communication
  Web API: basic feature sets such as VTN creation and flow info collection are available.
  [Diagram: a client sends an https request to the OpenFlow controller and receives an https reply.]
  To enable the Web API, firewall settings and a certificate for SSL are required on the controller.
  RESTful, XML 1.0 and JSON.
  Applications can securely communicate with the controller and request resources, configuration changes, etc.
  The controller can also modify application behavior.
Slide 19: Radware's integration in NEC PFlow (content provided by Radware)
  DoS Secured VTN provides:
    Monitoring of traffic statistics based on OpenFlow L3-L4 counters.
    Learning of normal VTN traffic baselines.
    Detection of deviations from the normal traffic baselines.
  Using P-Flow traffic diversion abilities to:
    Divert suspicious traffic to a scrubbing center.
    Re-inject clean traffic to the original destination.
    Return to normal after the attack terminates.
  [Diagram: ProgrammableFlow Controller hosting VTN A, VTN B and VTN C; the Radware DoS detection app detects suspicious attack activity and diverts it to the Attack Mitigation System.]
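
The baseline-learn, detect, divert and restore loop described on the slide, as an added illustration (not Radware's or NEC's code): per-destination byte counts polled from OpenFlow counters build a baseline, a deviation beyond it produces a diversion rule toward a scrubbing port plus a re-injection rule for the cleaned traffic, and the rules are withdrawn once the rate returns to baseline. The port number, thresholds and counter samples are constructed.

```python
"""Baseline-learning and traffic-diversion loop over per-destination
OpenFlow byte counters, as described for the DoS Secured VTN. Added
illustration only (not Radware's or NEC's code); port numbers, thresholds
and counter samples are constructed."""
from statistics import mean, pstdev

SCRUB_PORT = 9        # constructed: switch port toward the scrubbing centre
LEARN_SAMPLES = 5     # intervals needed before a destination has a baseline
K = 3.0               # alarm when rate exceeds mean + K standard deviations


class DosSecuredVtn:
    """Learns a byte-rate baseline per destination, diverts a destination
    when its counters deviate, and restores normal forwarding afterwards.
    observe() returns the flow changes a controller would push."""

    def __init__(self):
        self.history = {}      # dst -> recent per-interval byte counts
        self.diverted = set()  # destinations currently sent to scrubbing

    def observe(self, counters):
        """counters: {dst_ip: bytes seen in this polling interval}."""
        mods = []
        for dst, nbytes in counters.items():
            hist = self.history.setdefault(dst, [])
            if len(hist) < LEARN_SAMPLES:
                hist.append(nbytes)  # still learning this destination
                continue
            base = mean(hist)
            # floor the spread so a perfectly flat baseline still has slack
            limit = base + K * max(pstdev(hist), 0.05 * base)
            if nbytes > limit and dst not in self.diverted:
                self.diverted.add(dst)
                mods.append({"match": {"nw_dst": dst}, "priority": 200,
                             "actions": [("output", SCRUB_PORT)]})
                # clean traffic returning from the scrubber is forwarded as usual
                mods.append({"match": {"in_port": SCRUB_PORT, "nw_dst": dst},
                             "priority": 300, "actions": [("output", "normal")]})
            elif nbytes <= limit and dst in self.diverted:
                self.diverted.discard(dst)  # attack over: drop both diversion rules
                mods.append({"match": {"nw_dst": dst}, "delete": True})
            elif dst not in self.diverted:
                hist.append(nbytes)         # slide the baseline window
                hist.pop(0)
        return mods
```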
Slide 20: Key points
  The SDN architecture is different but no less secure than the existing network infrastructure.
  Secure messaging, an isolated/protected network and redundant controllers are recommended security practices.
  OpenFlow route manipulation can deploy security devices anywhere and at any time, which seriously increases the security of your overall network infrastructure.
  The split between the data and control planes allows a multitude of security applications to be developed.
Slide 21: Questions? (and hopefully answers)