[OVNC 2013] Controlling Secure & Software Defined Network for Cloud Infrastructure
[Slide 3/34] I. What about security?
Figure: two compute nodes (Compute Node #1, Compute Node #2), each hosting three VMs (OS #1, OS #2, OS #3) with one NIC per VM; the NICs attach to a per-node software switch, and both software switches connect to the IP fabric. No security element appears in the diagram.
© 2013 NAIM Networks – All rights reserved.

[Slide 4/34] I. Today's security configuration
Figure: the same two-node topology with a single "Security" box added alongside the VMs (five VMs are shown instead of six).

[Slide 5/34] I. Is there a problem?
Figure: identical to slide 4 (single Security box, five VMs, two software switches, IP fabric).

[Slide 6/34] I. Are VM security products difficult??
Figure: identical to slide 4.

[Slide 7/34] I. Is there no way to improve??
Figure: six VMs again; a "Security" element on each compute node, placed between that node's NICs and its software switch; the software switches connect to the IP fabric.

[Slide 8/34] I. A flexible implementation using SDN?
Figure: an SDN Controller running applications (App, App, and an App labelled Security) above the two compute nodes; each node keeps its own Security element in front of its software switch; a separate Security Appliance hangs off the IP fabric.
[Agenda]
1. Virtualized Environment in Cloud
2. Cloud Management: OpenStack
3. SDN Roles in Cloud Management
4. Case: Security (SDN + DPI)
[Slide 11/34] I. Virtualized World
- Virtualization: the creation of something virtual (rather than actual) in the computer world
- Pros: isolation, consolidation, testing, mobility
- Cons: concentration risk, cost, performance penalty, hardware support

[Slide 12/34] I. Virtualized World: Cloud (1)
- Cloud with Virtualization
- Server Virtualization: remarkable growth on server virtualization
  • Hypervisors: VMware ESXi, MS Hyper-V, Citrix XenServer, …
  • Hardware support: Intel VT/VT-x/EPT, AMD-V
- Network Virtualization: supporting data center networks (large # of hosts & traffic)
  • VLAN, GRE tunneling, VxLAN, …

[Slide 13/34] I. Virtualized World: Cloud (2)
Figure: one physical server hosting VM (tenant #1) and VM (tenant #2); virtualization gives each tenant its own network (network for tenant #1, network for tenant #2).
Source: http://www.microsoftvirtualacademy.com/ - WS-B327
[Slide 15/34] II. OpenStack Intro.
- OpenStack is a collection of open source software projects used to set up and run cloud infrastructure (e.g., compute, storage, networking).

[Slide 16/34] II. Evolution of OpenStack
- Nova: server virtualization mgmt.
- Quantum/Neutron: network virtualization mgmt.
- Six Month Cycle
  • Releases are timed to correspond with the developer summit meeting
  • Currently no reliable upgrade paths between releases
  • Expect large deltas between releases for the next year or so as new features and core functionalities are added.

Release name   Release date        Included component code names
Austin         21 October 2010     Nova, Swift
Bexar          3 February 2011     Nova, Glance, Swift
Cactus         15 April 2011       Nova, Glance, Swift
Diablo         22 September 2011   Nova, Glance, Swift
Essex          5 April 2012        Nova, Glance, Swift, Horizon, Keystone
Folsom         27 September 2012   Nova, Glance, Swift, Horizon, Keystone, Quantum, Cinder
Grizzly        4 April 2013        Nova, Glance, Swift, Horizon, Keystone, Quantum, Cinder
Havana         17 October 2013     Nova, Glance, Swift, Horizon, Keystone, Neutron, Cinder, Heat, Ceilometer
Src.: http://en.wikipedia.org/wiki/OpenStack

[Slide 17/34] II. Havana: Architecture
- Emphasizing the management of cloud
  • Ceilometer: metering
  • Heat: orchestration

[Slide 18/34] II. OpenStack: Nova
- Overview
  • The core of the IaaS management system in OpenStack
  • Supports large-scale deployment of compute instances
  • Applied to NASA's open source cloud project – Nebula
  • REST-based API
  • Asynchronous, eventually consistent communication
  • Horizontally and massively scalable
  • Hypervisor agnostic: support for Xen, XenServer, Hyper-V, KVM, UML and ESX is coming
  • Hardware agnostic: standard hardware, RAID not required

[Slide 19/34] II. OpenStack: Neutron
- Quick Intro
  • Quantum/Neutron is an OpenStack project to provide "networking as a service" between interface devices (e.g., vNICs) managed by other OpenStack services (e.g., nova)
- Manages network virtualization just like compute (nova) manages server virtualization
- Advocates multi-tenancy
- Technology-agnostic

[Slide 21/34] II. Network Virtualization with Neutron
- OpenvSwitch plugin
Figure: logical network architecture, OpenStack Neutron-related components (OpenvSwitch plugin example).

[Slide 22/34] II. Network Virtualization with Neutron
- Physical Realization: OVS Plugin – GRE Overlays
Figure: a Network Node with br-ex, br-int (hosting the DHCP and L3 agents) and br-tun; Compute Nodes C1, C2 and C3, each with its own br-int and br-tun. VMs labelled A1, A2 and B1 (tenants A and B) attach to br-int with node-local VLAN tags (1 or 2, chosen independently on each node); br-tun converts local VLAN tags into GRE keys (and vice versa), so the tunnel carries the tenant network id rather than the local tag.
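The slide's key point is that the VLAN tag is only meaningful inside one host, and tenant separation across hosts rests on the br-tun translation to and from the GRE key. The following is an added, constructed model of that translation (not code from the deck or from Neutron's OVS agent): the node names C1 to C3, the tag numbers and the GRE keys 100 and 200 are assumptions. It shows a tenant A frame crossing from C1 to C2 and acquiring C2's local tag, and a tenant B frame dropped on ingress at C3 because that node has no mapping for tenant B's key.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Frame:
    src_vm: str
    dst_vm: str
    tag: int            # local VLAN tag inside a node, or GRE key once on the wire
    on_wire: bool = False


class BrTun:
    """Constructed model of one node's br-tun: local VLAN tag <-> GRE key (tenant network id)."""

    def __init__(self, node: str, vlan_to_gre: Dict[int, int]) -> None:
        self.node = node
        self.vlan_to_gre = dict(vlan_to_gre)
        self.gre_to_vlan = {gre: vlan for vlan, gre in vlan_to_gre.items()}
        # Two local tags sharing one GRE key would merge two tenant networks on this node.
        if len(self.gre_to_vlan) != len(self.vlan_to_gre):
            raise ValueError(f"{node}: local VLAN tags must map one-to-one to GRE keys")

    def egress(self, frame: Frame) -> Optional[Frame]:
        """Frame leaving this node: rewrite the local VLAN tag to the GRE key."""
        gre = self.vlan_to_gre.get(frame.tag)
        if gre is None:            # unknown local tag: nothing to tunnel it as
            return None
        return Frame(frame.src_vm, frame.dst_vm, gre, on_wire=True)

    def ingress(self, frame: Frame) -> Optional[Frame]:
        """Frame arriving over the tunnel: rewrite the GRE key to this node's local tag.
        A key with no local mapping means no VM of that tenant lives here, so drop it."""
        vlan = self.gre_to_vlan.get(frame.tag)
        if vlan is None:
            return None
        return Frame(frame.src_vm, frame.dst_vm, vlan, on_wire=False)


def deliver(src: BrTun, dst: BrTun, frame: Frame) -> Optional[Frame]:
    """Carry a frame from one node's br-int through both br-tuns to the other node's br-int."""
    on_wire = src.egress(frame)
    return dst.ingress(on_wire) if on_wire else None


# Constructed mappings (assumed values): tenant A = GRE key 100, tenant B = GRE key 200.
# Local tags are chosen independently per node, as on the slide.
C1 = BrTun("C1", {1: 100, 2: 200})   # hosts A1 (tag 1) and B1 (tag 2)
C2 = BrTun("C2", {1: 200, 2: 100})   # hosts a tenant B VM (tag 1) and A2 (tag 2)
C3 = BrTun("C3", {1: 100})           # hosts only tenant A


def demo():
    a = deliver(C1, C2, Frame("A1", "A2", tag=1))   # tenant A, C1 -> C2
    b = deliver(C1, C3, Frame("B1", "B3", tag=2))   # tenant B toward a node with no tenant B
    return a, b


if __name__ == "__main__":
    a, b = demo()
    print("A1->A2 arrives on C2 with local tag", a.tag if a else None)
    print("B1->C3 delivered:", b is not None)
```

The same frame carries tag 1 on C1, key 100 on the wire and tag 2 on C2; the drop on C3 is the isolation property the GRE key provides, and the constructor check guards the one misconfiguration (two tags, one key) that would silently merge tenants on a node.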
[Slide 23/34] II. OpenStack with Virtualization
- Realizing *-as-a-service with server & network virtualization using OpenStack components
Source: Dan Wendlandt – Quantum Hacker & PTL
Note: "Quantum" → "Neutron"; "Quantum" is no longer used.
[Slide 25/34] III. SDN Overview
- Agility on Networks
- Controllability of Entire Network
  • Centralized network management
[1] Van Jacobson et al., "Networking Named Content", CoNEXT 2009.
[2] Thomas Michael Bohnert, "SDN in the Cloud", invited talk @ CNSM 2013.

[Slide 26/34] III. SDN Roles in OpenStack
- Centralized control of network using OpenStack
[1] Thomas Michael Bohnert, "SDN in the Cloud", invited talk @ CNSM 2013.

[Slide 27/34] III. SDN Roles in OpenStack
- Why OpenStack + SDN?
  • Finally free applications from being aware of specific networking details (ports, IP addresses, etc.)
  • Reducing network management complexities
Figure: Orchestration (OpenStack) sits above the Physical Machine, Virtual Machines and Servers on network infrastructure.

[Slide 28/34] III. SDN Roles in OpenStack
- OpenStack test bed with SDN in NAIM Networks
Figure: an OpenStack deployment with a Controller Node, a Network Node and two Compute Nodes (three VMs each, OS #1 to OS #3, one NIC per VM); each compute node runs OpenVSwitch (OVS); Neutron uses an SDN plugin that talks to an SDN Controller, which also controls an OpenFlow Enabled Switch connecting the nodes.
[Slide 30/34] IV. Overview
- Current security appliances
  • Cost: expensive
  • Maximum bandwidth limits
  • (Mostly) all the traffic is passed through the security appliances
- Idea
  • Distributed DPIs
  • Managing & controlling distributed DPIs using SDN
- Advantages
  • Auto-scaling network resources
  • Service chaining
- Participants
  • NAIM Networks (http://www.naimnetworks.com): 서영석 (team lead), 최영락 (manager), 이정복 (manager)
  • OpenFlow Korea (http://www.openflow.or.kr): 조충희, 임덕선

[Slide 31/34] IV. Architecture (1)
- Logical Architecture
Figure: a closed loop. The Cloud Environment (VMs on hosts running OpenVSwitch+DPI) is the source of Network Data; the system gathers that data into Data Models, applies Analysis + Reasoning + Learning, compares the Actual State to the Desired State, and hands the resulting decisions to the Controller, which acts back on the cloud environment.

[Slide 32/34] IV. Architecture (2)
- Architectural Components
Figure: two physical machines, each with three VMs (OS #1 to OS #3) on their own NICs, an OVS, a DPI engine and a syslog sender; a Log Analyzer collects the syslog output; an SDN Controller, a Security Appliance and an OpenFlow Enabled Switch connect the machines.

[Slide 33/34] IV. Case: Demo
- Scenario
  • Network with anomalous traffic
  • OVSs monitor traffic and send flow information to the "Analyzer"
  • DPIs in each physical machine monitor traffic
  • Controllers control all of the OVSs and OpenFlow enabled switches
- Let's see a short movie (about 2 min)! (One-month duration for this prototype)
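Slides 31 to 33 describe one loop: per-host OVS flow counters and DPI application labels reach an analyzer over syslog, the analyzer compares the observed state with the desired state, and the controller pushes the resulting rules to the OVSs and OpenFlow switches. The block below is an added illustration of that comparison step, not code from NAIM Networks' prototype. The log line format, the addresses, the desired-state policy and the packet threshold are all constructed for this example; the match field names in the emitted actions follow the ovs-ofctl vocabulary (nw_src, nw_dst, nw_proto, tp_dst), but the actions are only returned as data, nothing is pushed to a switch.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed syslog-style records, one OVS flow line and one DPI label line per flow.
# Flow 2 carries SSH on port 80 (DPI disagrees with the port); flow 3 is a DNS burst.
SAMPLE_LOG = """\
compute1 ovs: src=10.0.1.5 dst=10.0.2.7 proto=6 dport=80 pkts=120 bytes=96000
compute1 dpi: src=10.0.1.5 dst=10.0.2.7 proto=6 dport=80 app=http
compute2 ovs: src=10.0.2.9 dst=10.0.1.5 proto=6 dport=80 pkts=35 bytes=4000
compute2 dpi: src=10.0.2.9 dst=10.0.1.5 proto=6 dport=80 app=ssh
compute1 ovs: src=10.0.1.5 dst=10.0.3.3 proto=17 dport=53 pkts=50000 bytes=4000000
compute1 dpi: src=10.0.1.5 dst=10.0.3.3 proto=17 dport=53 app=dns
"""

LINE_RE = re.compile(r"^(?P<host>\S+) (?P<agent>ovs|dpi): (?P<kv>.*)$")

FlowKey = Tuple[str, str, str, int, int]   # (host, src, dst, proto, dport)

# Desired state (constructed): the application expected on each permitted port, and
# a per-flow packet budget for the reporting window above which a flow is anomalous.
DESIRED = {
    "allowed_app_by_port": {80: "http", 53: "dns"},
    "max_pkts_per_window": 10000,
}


def parse(log: str) -> Dict[FlowKey, dict]:
    """Merge OVS counters and DPI labels for the same flow into one record per flow."""
    flows: Dict[FlowKey, dict] = defaultdict(dict)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # ignore records from unknown agents
        kv = dict(part.split("=", 1) for part in m["kv"].split())
        key: FlowKey = (m["host"], kv["src"], kv["dst"], int(kv["proto"]), int(kv["dport"]))
        rec = flows[key]
        if m["agent"] == "ovs":
            rec["pkts"] = int(kv["pkts"])
            rec["bytes"] = int(kv["bytes"])
        else:
            rec["app"] = kv["app"]
    return flows


def compare(flows: Dict[FlowKey, dict], desired: dict = DESIRED) -> List[dict]:
    """Compare actual state to desired state; return drop actions for violating flows."""
    actions = []
    for (host, src, dst, proto, dport), rec in sorted(flows.items()):
        reasons = []
        expected = desired["allowed_app_by_port"].get(dport)
        app = rec.get("app")               # None when no DPI label arrived for the flow
        if expected is None or app != expected:
            reasons.append(f"app={app} on dport={dport}, expected {expected}")
        if rec.get("pkts", 0) > desired["max_pkts_per_window"]:
            reasons.append(f"pkts={rec['pkts']} exceeds {desired['max_pkts_per_window']}")
        if reasons:
            actions.append({
                "node": host,              # which OVS the controller should program
                "match": {"nw_src": src, "nw_dst": dst, "nw_proto": proto, "tp_dst": dport},
                "action": "drop",
                "reasons": reasons,
            })
    return actions


def analyze(log: str = SAMPLE_LOG) -> List[dict]:
    return compare(parse(log))


if __name__ == "__main__":
    for act in analyze():
        print(act["node"], act["match"], act["action"], "; ".join(act["reasons"]))
```

The first flow matches the desired state and produces nothing; the port-80 SSH flow is caught only because the DPI label is checked against the port, which is the reason the slides pair DPI with the OVS counters; the DNS flow is caught by volume alone. Either way the output is a per-node rule, which is what the controller on slide 32 would install on that host's OVS.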
[Slide 34/34] Summary
- Separated virtualization management: server virtualization & network virtualization
- OpenStack was originally designed for server virtualization management, but it started to support network virtualization after the Folsom release (officially)
- "OpenStack + SDN" supports better orchestration with centralized network management and abstraction from network details
- We showed one security prototype that can be directly deployed to an OpenStack+SDN environment
www.NAIMNetworks.com