SDN AND SECURITY: Why Take Over the Hosts When You Can Take Over the Network



Similar documents
Software Defined Networking What is it, how does it work, and what is it good for?

COMPSCI 314: SDN: Software Defined Networking

OpenFlow Overview. Daniel Turull

OpenFlow and Onix. OpenFlow: Enabling Innovation in Campus Networks. The Problem. We also want. How to run experiments in campus networks?

Software Defined Networking

Software Defined Networking What is it, how does it work, and what is it good for?

The Internet: A Remarkable Story. Inside the Net: A Different Story. Networks are Hard to Manage. Software Defined Networking Concepts

Securing Local Area Network with OpenFlow

Ethernet-based Software Defined Network (SDN) Cloud Computing Research Center for Mobile Applications (CCMA), ITRI 雲 端 運 算 行 動 應 用 研 究 中 心

Software Defined Networks

Open Source Network: Software-Defined Networking (SDN) and OpenFlow

What is SDN? And Why Should I Care? Jim Metzler Vice President Ashton Metzler & Associates

Cloud Computing Security: What Changes with Software-Defined Networking?

Outline. Institute of Computer and Communication Network Engineering. Institute of Computer and Communication Network Engineering

Software Defined Networking

Software Defined Networking A quantum leap for Devops?

How To Understand The Power Of A Network In A Microsoft Computer System (For A Micronetworking)

Cloud Networking Disruption with Software Defined Network Virtualization. Ali Khayam

OpenFlow: History and Overview. Demo of routers

SOFTWARE-DEFINED NETWORKING AND OPENFLOW

Network Virtualization Based on Flows

Getting to know OpenFlow. Nick Rutherford Mariano Vallés

How To Understand The Power Of The Internet

Network Management: - SNMP - Software Defined networking

ONOS [Open Source SDN Network Operating System for Service Provider networks]

LTE - Can SDN paradigm be applied?

SOFTWARE DEFINED NETWORKS REALITY CHECK. DENOG5, Darmstadt, 14/11/2013 Carsten Michel

Towards Software Defined Cellular Networks

SOFTWARE-DEFINED NETWORKING AND OPENFLOW

How To Orchestrate The Clouddusing Network With Andn

OpenFlow Technology Investigation Vendors Review on OpenFlow implementation

YI-CHIH HSU & JEI-WEI ESTINET TECHNOLOGIES

Software Defined Networks (SDN)

Designing Virtual Network Security Architectures Dave Shackleford

OpenFlow: Concept and Practice. Dukhyun Chang

SDN, OpenFlow and the ONF

Ten Things to Look for in an SDN Controller

Introduction to Software Defined Networking (SDN) and how it will change the inside of your DataCentre

Software-Defined Networking for the Data Center. Dr. Peer Hasselmeyer NEC Laboratories Europe

Virtualization, SDN and NFV

Recommended IP Telephony Architecture

OpenFlow: Enabling Innovation in Campus Networks

SIMPLE NETWORKING QUESTIONS?

Using SDN-OpenFlow for High-level Services

Software Defined Networking (SDN) OpenFlow and OpenStack. Vivek Dasgupta Principal Software Maintenance Engineer Red Hat

Information- Centric Networks. Section # 13.2: Alternatives Instructor: George Xylomenos Department: Informatics

How To Make A Vpc More Secure With A Cloud Network Overlay (Network) On A Vlan) On An Openstack Vlan On A Server On A Network On A 2D (Vlan) (Vpn) On Your Vlan

OpenFlow/So+ware- defined Networks. Srini Seetharaman Clean Slate Lab Stanford University July 2010

Technical white paper. Realizing the power of SDN with HP Virtual Application Networks

Software Defined Networking and the design of OpenFlow switches

SDN/OpenFlow. Dean Pemberton Andy Linton

SOFTWARE DEFINED NETWORKING: A PATH TO PROGRAMMABLE NETWORKS. Jason Kleeh September 27, 2012

SDN and OpenFlow. Naresh Thukkani (ONF T&I Contributor) Technical Leader, Criterion Networks

Tutorial: OpenFlow in GENI

SDN/Virtualization and Cloud Computing

SDN Overview for UCAR IT meeting 19-March Presenter Steven Wallace Support by the GENI Program Office!

Software Defined Networking (SDN)

SDN. What's Software Defined Networking? Angelo Capossele

Facilitating Network Management with Software Defined Networking

Security in Software Defined Networking. Professor : Admela Jukan Supervisor : Marcel Caria Student : Siqian Zhao

Palo Alto Networks. Security Models in the Software Defined Data Center

Bringing OpenFlow s Power to Real Networks

NEC contribution to OpenDaylight: Virtual Tenant Network (VTN)

Conference. Smart Future Networks THE NEXT EVOLUTION OF THE INTERNET FROM INTERNET OF THINGS TO INTERNET OF EVERYTHING

OpenFlow & Software Defined Networking

SDN Software Defined Networks

BROCADE NETWORKING: EXPLORING SOFTWARE-DEFINED NETWORK. Gustavo Barros Systems Engineer Brocade Brasil

Software Defined Networking

A Presentation at DGI 2014 Government Cloud Computing and Data Center Conference & Expo, Washington, DC. September 18, 2014.

Business Cases for Brocade Software-Defined Networking Use Cases

LuaFlow, an open source Openflow Controller

Software Defined Networks

A Case for Overlays in DCN Virtualization Katherine Barabash, Rami Cohen, David Hadas, Vinit Jain, Renato Recio and Benny Rochwerger IBM

Software Defined Networking

SDN in the Public Cloud: Windows Azure. Albert Greenberg Partner Development Manager Windows Azure Networking

INTERNATIONAL JOURNAL OF PURE AND APPLIED RESEARCH IN ENGINEERING AND TECHNOLOGY

OpenFlow. Ihsan Ayyub Qazi. Slides use info from Nick Mckeown

Secure Networks for Process Control

How SDN will shape networking

Software Defined Network (SDN)

Network Virtualization and Application Delivery Using Software Defined Networking

An Overview of OpenFlow

Ethernet-based Software Defined Network (SDN)

Wedge Networks: Transparent Service Insertion in SDNs Using OpenFlow

Limitations of Current Networking Architecture OpenFlow Architecture

An Introduction to Software-Defined Networking (SDN) Zhang Fu

Software Defined Networking & Openflow

Security Challenges & Opportunities in Software Defined Networks (SDN)

SDN Architecture and Service Trend

Surviving the SDN Wars. Curt Beckmann Chair of Forwarding Abstractions WG, ONF and EMEA CTO

Software Defined Networking

CSCI-1680 So ware-defined Networking

Chandelle: Principles of integration wireless controller and SDN controller. Sergey Monin, Alexander Shalimov, Ruslan Smeliansky

HAWAII TECH TALK SDN. Paul Deakin Field Systems Engineer

Network Virtualization

Why Software Defined Networking (SDN)? Boyan Sotirov

Software-Defined Network (SDN) & Network Function Virtualization (NFV) Po-Ching Lin Dept. CSIE, National Chung Cheng University

Transcription:

SDN AND SECURITY: Why Take Over the s When You Can Take Over the Network SESSION ID: TECH0R03 Robert M. Hinden Check Point Fellow Check Point Software

What are the SDN Security Challenges? Vulnerability of Central Control Trust Model Changes Virtualization of Network Topology IT Organizational Changes 2

Presentation Outline Software Defined Networks Overview SDN Hype and Production Deployments SDN Security Challenges SDN Security Solutions Q & A 3

Software Defined Networks Overview

SDN Basic Idea Separation of Network Control and Data Planes Well-defined vendor-independent OpenFlow API between the two Operation of the network is defined in software outside of the forwarding path a.k.a. Software Defined Network Centralized Network Control on standard servers 5

Motivation for SDN Creation of high-level network policies Move away from current management approaches like SNMP/CLI Apply policies uniformly across Routers, es, Optical, Virtual Networks, etc. Mix and match of vendors Packet Forwarding and Control planes Hardware and Software 6

Mainframes to PCs Specialized Applications App App App App App App App App App App App Open Interface Specialized Operating System Specialized Hardware Windows (OS) Linux Open Interface Mac OS Microprocessor 7 [ Credit: Nick McKeown Making SDNs Work ]

es/routers to SDN Specialized Features App App App App App App App App App App App Open Interface Specialized Control Plane Control Plane Control Plane Control Plane Specialized Hardware Open Interface Merchant ing Chips 8 [ Credit: Nick McKeown Making SDNs Work ]

SDN Architecture Control Plane Applications Applications Northbound API Controller Applications Southbound API (OpenFlow) Data Plane 9

Components Control Plane Applications Applications Controller Applications Application Programs Implement network specific policy Data Plane Controller Provides high-level view of Network to control programs Deploy policy to Routers/es via OpenFlow Routers/es Controlled by state injected by Controller 10

How It Works Controller presents logical map of network to Application Programs es/routers are Flow based Process known flows autonomously If new flow arrives, ask Controller what to do Controller installs new flow state in /Router Flow state consist of pairs Controller pushes state to /Router with OpenFlow 11

SDN Architecture Control Plane Applications Applications Northbound API Controller Applications Southbound API (OpenFlow) Data Plane 12

Flow Table Entry (OpenFlow 1.0) MATCH ACTION STATS Port MAC src MAC dst Ethr Type VLAN ID IP Src IP Dst IP Prot TCP S port TCP D port 1. Forward packet to switch port(s) 2. Encapsulate and forward to controller 3. Drop packet 4. Send to normal processing pipeline Packet and byte counters 13

Lots of Activity ONRC RESEARCH 14

Impact to Current Networking Utilizes most existing protocols IPv4/IPv6, TCP/UDP, Ethernet, VLANS, etc. s don t change Routing Protocols run in the Controller Big change to management and configuration protocols Centralized vs. current distributed This is an incremental solution not a clean slate 15

Production SDN Deployments

Google OpenFlow Network OpenFlow SDN in Google s worldwide internal Inter-Data Center Network Centralized traffic engineering service Google built their own network switches using merchant silicon and Open Source routing software Rumors that Facebook, Microsoft, etc. are looking at similar SDN traffic engineering deployments http://www.wired.com/wiredenterprise/2012/04/going-with-the-flow-google/all/1 17

Other SDN Production Deployments Data Center deployments using Nicira/VMware NSX Data Center / Virtualization is a very active SDN area Network virtualization doesn't require SDN, but can be helped by it There are many University / Research SDN Projects NSF is providing a lot of funding 18

SDN Hype

The Hype SDN is emerging as one of the most promising and disruptive networking technologies of recent years. It has the potential to enable network innovation and create choice, and thus help realize new capabilities and address persistent problems with networking. It also promises to give network operators more control of their infrastructure, allowing customization and optimization, therefore reducing overall capital and operational costs. Open Networking Summit, April 2012 20

SDN Hype SDN is a threat to many vendors business models Many large vendors are describing SDN like solutions that will lock in customer Proposing very complex proprietary solutions Vendors are using SDN to describe any legacy products that use software to control hardware 21

EXPECTATION SDN Adoption Inflated Expectation Technology Trigger Enlightenment Productivity Disillusionment TIME 22

SDN Issues / Challenges Scaling properties uncertain Flow entries could get very, very large Flows supported by switches is still limited Outages / Bugs Unclear how well it deals with network outages that require rerouting How do you debug software and hardware problems? Security (the rest of the talk) 23

SDN Security Challenges

Vulnerability of Central Control Control Plane Applications Applications Controller Applications SDN Applications and Controller have complete control of the network Data Plane Controllers/Applications are built on general purpose computing platforms We all know all about the vulnerabilities of these platforms If Controller or Application is compromised, the whole Network is compromised Why Take Over the s When You Can Take Over the Network 25

Effects of SDN Controller Compromise Route flows around security devices Controller subverts new flows Send traffic to compromised nodes Man in the Middle attacks Modify content Insert malware Monitor traffic Subvert DNS responses 26

Was SDN Designed for the NSA? Central control makes it easy to control the whole network SDN makes it very easy to control where traffic flows 27

Current Security Model INTERNET Security policy enforced by physically forcing traffic to flow through Security Devices 28

SDN Changes Security Model Controller INTERNET Flow Rules control when or if traffic goes through Security Device Network Topology is now virtual 29

SDN Changes the Trust Model Security cannot be enforced by physical topology Requires complete Trust in SDN Applications and Controller We don t understand the consequences 30

SDN Changes Organization Model Today most IT organizations have a Network Group Security Group SDN requires a great deal of cooperation between these groups All network staff will be responsible for Security Policy 31

SDN Security Solutions

It s Not All Bad Uniform SDN Security Policy Security Everywhere Control Security Treatment Traffic Receives Isolate Compromised s 33

Uniform SDN Security Policy Security Application Couple Security Policy to SDN policy/rules and validate SDN flows against the security policy Applications Applications Controller Security Application Ensure that Security Policy is implemented for all traffic Maintain regulatory and compliance requirements 34

Security Everywhere Security Application All Routers and es have Security capabilities Applications Applications Controller Security Application Security Application can take advantage of this and push rules to all network devices 35

Control Security Treatment Traffic Receives Range of Security Control Full Firewall Applications Applications Controller Security Application ACL style filtering No filtering 36

Isolate Compromised s Once compromised host is detected Controller can be isolated 37

Summary

Summary SDN has a lot of promise Many of its capabilities are very powerful SDN Security issues are real for many organizations Another case of build it and worry about Security later? We will all need to get beyond the hype phase to see what is real and achievable 39

Q & A

Thank You