[OVNC 2013] Controlling Secure & Software Defined Network for Cloud Infrastructure
[OVNC 2013] Controlling Secure & Software Defined Network for Cloud Infrastructure Presentation Transcript

  • 1. I. How is security handled?
    [Diagram: Compute Node #1 and Compute Node #2, each running three VMs (OS #1, OS #2, OS #3) whose NICs attach to a Software Switch; the two software switches connect over the IP Fabric.]
    © 2013 NAIM Networks – All rights reserved.
  • 2. I. The current security setup
    [Diagram: the same two compute nodes, now with five VMs and a single Security element added.]
  • 3. I. Is there a problem with this?
    [Diagram: same as slide 2.]
  • 4. I. Are VM security products difficult??
    [Diagram: same as slide 2.]
  • 5. I. Is there no way to improve this??
    [Diagram: a Security element in each compute node, placed in front of its Software Switch.]
  • 6. I. A flexible implementation using SDN?
    [Diagram: an SDN Controller running Apps (including a security App) controls both Software Switches; each node keeps its Security element, and a Security Appliance hangs off the IP Fabric.]
  • 7. Agenda
    1 Virtualized Environment in Cloud
    2 Cloud Management: OpenStack
    3 SDN Roles in Cloud Management
    4 Case: Security (SDN + DPI)
  • 8. I. Virtualized World
    Virtualization: the creation of something virtual (rather than actual) in the computer world.
    Pros: isolation, consolidation, testing, mobility.
    Cons: concentration risk, cost, performance penalty, hardware support.
  • 9. I. Virtualized World: Cloud (1)
    Cloud with virtualization: remarkable growth in server virtualization.
    • Hypervisors: VMware ESXi, MS Hyper-V, Citrix XenServer, …
    • Hardware support: Intel VT/VT-x/EPT, AMD-V
    Supporting data center networks (large numbers of hosts and large traffic volumes):
    • VLAN, GRE tunneling, VXLAN, …
    Server Virtualization + Network Virtualization
  • 10. I. Virtualized World: Cloud (2)
    [Diagram: a VM for tenant #1 and a VM for tenant #2 share one physical server; virtualization gives each tenant its own network.] Source: http://www.microsoftvirtualacademy.com/ - WS-B327
  • 11. II. OpenStack Intro.
    OpenStack is a collection of open source software projects used to set up and run cloud infrastructure (e.g., compute, storage, networking).
  • 12. II. Evolution of OpenStack
    Nova: server virtualization management. Quantum/Neutron: network virtualization management.
    Six-month cycle: releases are timed to coincide with the developer summit. There are currently no reliable upgrade paths between releases; expect large deltas between releases for the next year or so as new features and core functionality are added.
    Release   Release date        Included components (code names)
    Austin    21 October 2010     Nova, Swift
    Bexar     3 February 2011     Nova, Glance, Swift
    Cactus    15 April 2011       Nova, Glance, Swift
    Diablo    22 September 2011   Nova, Glance, Swift
    Essex     5 April 2012        Nova, Glance, Swift, Horizon, Keystone
    Folsom    27 September 2012   Nova, Glance, Swift, Horizon, Keystone, Quantum, Cinder
    Grizzly   4 April 2013        Nova, Glance, Swift, Horizon, Keystone, Quantum, Cinder
    Havana    17 October 2013     Nova, Glance, Swift, Horizon, Keystone, Neutron, Cinder, Heat, Ceilometer
    Source: http://en.wikipedia.org/wiki/OpenStack
  • 13. II. Havana: Architecture
    Emphasizing the management of the cloud. Ceilometer: metering. Heat: orchestration.
  • 14. II. OpenStack: Nova
    Overview: the core of the IaaS management system in OpenStack. Supports large-scale deployment of compute instances. Applied to NASA's open source cloud project, Nebula.
    • REST-based API
    • Asynchronous, eventually consistent communication
    • Horizontally and massively scalable
    • Hypervisor agnostic: support for Xen, XenServer, Hyper-V, KVM, UML, and ESX is coming
    • Hardware agnostic: standard hardware, RAID not required
  • 15. II. OpenStack: Neutron
    Quick intro: Neutron (formerly Quantum) is an OpenStack project to provide "networking as a service" between interface devices (e.g., vNICs) managed by other OpenStack services (e.g., Nova).
    • Manages network virtualization just as compute (Nova) manages server virtualization
    • Advocates multi-tenancy
    • Technology-agnostic
  • 16. II. Network Virtualization with Neutron
    Open vSwitch plugin: logical network architecture, and the OpenStack Neutron-related components (Open vSwitch plugin example).
  • 17. II. Network Virtualization with Neutron: Physical Realization
    OVS plugin with GRE overlays. [Diagram: a Network Node (br-ex, br-int with the DHCP and L3 agents, br-tun) and Compute Nodes C1, C2 and C3 (br-int and br-tun each), with tenant ports A1, A2 and B1 spread across the nodes; br-tun on each node terminates the GRE tunnels.] Local VLAN tags are converted into GRE keys (and vice versa) on br-tun.
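    The VLAN-to-GRE-key translation on br-tun, shown as an added Python example (not NAIM Networks' code and not Neutron's own agent). It emits the simplified, Folsom-style single-table br-tun flows for a constructed two-tenant mapping and refuses to emit anything if two networks would share a local VLAN or a GRE key, since that collision is exactly what would let one tenant's frames land in another tenant's network. Port numbers, VLAN tags and segmentation ids are assumptions.

```python
"""Generate the br-tun OpenFlow rules that translate a compute node's local
VLAN tags into GRE tunnel keys and back (Folsom-style OVS plugin layout).
The port numbers, VLAN ids and segmentation ids below are constructed for
this example and are not taken from any real deployment.
"""
from typing import Dict, List, Optional, Tuple

# Constructed br-tun topology for one compute node (assumptions):
PATCH_INT_PORT = 1   # br-tun port of the patch cable towards br-int
GRE_PORT = 2         # br-tun port of the GRE tunnel towards the peer node

# Tenant network -> (local VLAN tag on this node, GRE key = segmentation id).
# The local VLAN tag is chosen per node; the GRE key is global to the cloud.
NETWORKS: Dict[str, Tuple[int, int]] = {
    "tenant-a-net": (1, 0x0A),
    "tenant-b-net": (2, 0x0B),
}


def validate_mapping(networks: Dict[str, Tuple[int, int]]) -> bool:
    """Local VLAN tags and GRE keys must each be unique on this node; a
    collision would let two tenants' frames share a segment (isolation break)."""
    vlans = [v for v, _ in networks.values()]
    keys = [k for _, k in networks.values()]
    if len(set(vlans)) != len(vlans):
        raise ValueError("duplicate local VLAN tag")
    if len(set(keys)) != len(keys):
        raise ValueError("duplicate GRE key (segmentation id)")
    return True


def br_tun_flows(networks: Dict[str, Tuple[int, int]],
                 patch_port: int = PATCH_INT_PORT,
                 gre_port: int = GRE_PORT) -> List[str]:
    """Return ovs-ofctl flow specs for br-tun: one outbound and one inbound
    rule per tenant network, plus a catch-all drop for unknown keys/tags."""
    validate_mapping(networks)
    flows = []
    for vlan, key in networks.values():
        # Outbound: frame from br-int tagged with the local VLAN ->
        # strip the tag, set the GRE key, send it down the tunnel.
        flows.append(
            f"priority=3,in_port={patch_port},dl_vlan={vlan} "
            f"actions=strip_vlan,set_tunnel:{key:#x},output:{gre_port}"
        )
        # Inbound: packet arriving from the tunnel with this key ->
        # re-tag it with the local VLAN and hand it to br-int.
        flows.append(
            f"priority=3,in_port={gre_port},tun_id={key:#x} "
            f"actions=mod_vlan_vid:{vlan},output:{patch_port}"
        )
    # Anything not explicitly mapped is dropped, so an unknown GRE key
    # can never leak onto br-int as some tenant's traffic.
    flows.append("priority=1 actions=drop")
    return flows


def ovs_ofctl_commands(bridge: str, flows: List[str]) -> List[str]:
    """Wrap each flow spec in the ovs-ofctl command that installs it."""
    return [f"ovs-ofctl add-flow {bridge} '{f}'" for f in flows]


def tunnel_key_for(networks: Dict[str, Tuple[int, int]], vlan: int) -> Optional[int]:
    """Reverse lookup: which GRE key carries a given local VLAN (None if unmapped)."""
    for v, k in networks.values():
        if v == vlan:
            return k
    return None


if __name__ == "__main__":
    for cmd in ovs_ofctl_commands("br-tun", br_tun_flows(NETWORKS)):
        print(cmd)
```

    Havana's OVS agent splits this across several br-tun tables and adds per-peer tunnel ports, but the invariant the validator enforces is the same: on one node, local VLAN tag and segmentation id must be a one-to-one mapping.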
  • 18. II. OpenStack with Virtualization
    Realizing *-as-a-service with server and network virtualization using OpenStack components. Source: Dan Wendlandt – Quantum hacker & PTL. Note: "Quantum" → "Neutron"; the name "Quantum" is no longer used.
  • 19. III. SDN Overview
    Agility on networks. Controllability of the entire network: centralized network management.
    [1] Van Jacobson et al., "Networking Named Content", CoNEXT 2009.
    [2] Thomas Michael Bohnert, "SDN in the Cloud", invited talk @ CNSM 2013.
  • 20. III. SDN Roles in OpenStack
    Centralized control of the network using OpenStack. [1] Thomas Michael Bohnert, "SDN in the Cloud", invited talk @ CNSM 2013.
  • 21. III. SDN Roles in OpenStack: Why OpenStack + SDN?
    Finally frees applications from having to be aware of specific networking details (ports, IP addresses, etc.). Reduces network management complexity.
    [Diagram: Orchestration (OpenStack) sits above the physical machines and virtual machines, i.e. the servers on the network infrastructure.]
  • 22. III. SDN Roles in OpenStack: OpenStack test bed with SDN at NAIM Networks
    [Diagram: a Controller Node, a Network Node and two Compute Nodes (each with three VMs, OS #1–#3, on Open vSwitch); the Neutron SDN plugin talks to an SDN Controller, which drives the OVS instances and an OpenFlow-enabled switch.]
  • 23. IV. Overview
    Current security appliances: expensive; maximum bandwidth limits; (mostly) all traffic has to pass through the security appliance.
    Idea: distributed DPIs, managed and controlled using SDN.
    Advantages: auto-scaling of network resources; service chaining.
    Participants: NAIM Networks (http://www.naimnetworks.com): 서영석 (team lead), 최영락 (manager), 이정복 (manager). OpenFlow Korea (http://www.openflow.or.kr): 조충희, 임덕선.
  • 24. IV. Architecture (1): Logical Architecture
    [Diagram: a control loop in the Controller: gather network data from the cloud environment (Open vSwitch + DPI on each host, the VMs, and their data models), compare the actual state to the desired state, then apply analysis, reasoning and learning to decide what to push back to the network.]
  • 25. IV. Architecture (2): Architectural Components
    [Diagram: two physical machines, each running three VMs (OS #1–#3) on top of OVS + DPI, with syslog from each DPI forwarded to a Log Analyzer; an SDN Controller, a Security Appliance and an OpenFlow-enabled switch complete the setup.]
  • 26. IV. Case: Demo
    Scenario: a network with anomalous traffic. The OVSs monitor traffic and send flow information to the "Analyzer"; the DPI in each physical machine monitors traffic; the controller controls all of the OVSs and OpenFlow-enabled switches.
    Let's see a short movie (about 2 min)! (The prototype was built in one month.)
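    The control loop from slides 24–26 (DPI alerts gathered per node, compared against a policy, turned into OpenFlow rules for the OVSs) as an added Python example. This is not NAIM Networks' prototype or demo code: the DPI syslog format, the addresses, the OVS port numbers and the policy thresholds are all constructed assumptions, and the output is standard ovs-ofctl flow syntax rather than a specific controller's API. Two caveats a practitioner would want are built in: addresses of the control plane (controller, log analyzer) are never blocked, because attack traffic with spoofed sources could otherwise trick the controller into cutting off its own infrastructure, and every rule carries a hard timeout so a false positive heals itself.

```python
"""Toy controller logic for the SDN + DPI case: DPI instances on each compute
node emit syslog alerts; the controller turns repeated alerts from one source
into time-limited OpenFlow rules for that node's OVS.  Every log line, address,
port number and threshold below is constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed DPI alert format (assumption): RFC 3164 syslog, key=value body.
ALERT_RE = re.compile(
    r"^<\d+>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) dpi\[\d+\]: ALERT "
    r"(?P<kv>.*)$"
)

# Constructed sample alerts, as the DPI on compute-1 might forward them.
SAMPLE_LOGS = [
    "<134>Nov 12 10:00:01 compute-1 dpi[2211]: ALERT app=ssh src=10.0.1.5 dst=10.0.2.9 dport=22 event=bruteforce",
    "<134>Nov 12 10:00:03 compute-1 dpi[2211]: ALERT app=ssh src=10.0.1.5 dst=10.0.2.9 dport=22 event=bruteforce",
    "<134>Nov 12 10:00:04 compute-1 dpi[2211]: ALERT app=ssh src=10.0.1.5 dst=10.0.2.10 dport=22 event=bruteforce",
    "<134>Nov 12 10:00:09 compute-1 dpi[2211]: ALERT app=http src=10.0.1.7 dst=10.0.2.9 dport=80 event=sqli",
    "<134>Nov 12 10:00:10 compute-1 dpi[2211]: ALERT app=ssh src=10.0.0.2 dst=10.0.2.9 dport=22 event=bruteforce",
    "<134>Nov 12 10:00:10 compute-1 dpi[2211]: ALERT app=ssh src=10.0.0.2 dst=10.0.2.9 dport=22 event=bruteforce",
    "<134>Nov 12 10:00:11 compute-1 dpi[2211]: ALERT app=ssh src=10.0.0.2 dst=10.0.2.9 dport=22 event=bruteforce",
    "garbage line that is not an alert",
]

# Controller policy (assumptions).  PROTECTED holds addresses no rule may ever
# match on: a spoofed alert must not let the controller cut off the control
# plane or the DPI/log path itself (self-inflicted denial of service).
PROTECTED = {"10.0.0.1", "10.0.0.2"}   # SDN controller, log analyzer
THRESHOLD = 3                           # alerts from one source within WINDOW -> drop
WINDOW = timedelta(seconds=60)
RULE_TIMEOUT = 300                      # seconds; rules expire instead of living forever
APPLIANCE_PORT = 7                      # OVS port towards the Security Appliance (service chaining)


def parse_alert(line: str) -> Optional[dict]:
    """Parse one DPI syslog line into a dict, or None if it is not an alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    fields["host"] = m.group("host")
    # RFC 3164 timestamps carry no year; fix 2013 (the talk's year) for ordering.
    fields["ts"] = datetime.strptime("2013 " + m.group("ts"), "%Y %b %d %H:%M:%S")
    return fields


def decide(alerts: List[dict]) -> Dict[str, str]:
    """Per source address: 'steer' after the first alert, 'drop' once THRESHOLD
    alerts fall inside WINDOW, 'ignore' for PROTECTED addresses."""
    recent = defaultdict(list)
    actions: Dict[str, str] = {}
    for a in sorted(alerts, key=lambda x: x["ts"]):
        src = a["src"]
        if src in PROTECTED:
            actions[src] = "ignore"
            continue
        recent[src].append(a["ts"])
        # Keep only alerts inside the sliding window ending at this alert.
        recent[src] = [t for t in recent[src] if a["ts"] - t <= WINDOW]
        actions[src] = "drop" if len(recent[src]) >= THRESHOLD else "steer"
    return actions


def openflow_rules(actions: Dict[str, str], bridge: str = "br-int") -> List[str]:
    """Translate decisions into ovs-ofctl commands for the node's OVS."""
    rules = []
    for src, action in sorted(actions.items()):
        match = f"priority=100,hard_timeout={RULE_TIMEOUT},ip,nw_src={src}"
        if action == "drop":
            rules.append(f"ovs-ofctl add-flow {bridge} '{match} actions=drop'")
        elif action == "steer":
            # Service chaining: mirror this source to the appliance port while
            # still forwarding normally, so the appliance gets a deeper look.
            rules.append(f"ovs-ofctl add-flow {bridge} '{match} actions=output:{APPLIANCE_PORT},normal'")
    return rules


def process(lines: List[str]) -> Tuple[Dict[str, str], List[str]]:
    """Run the whole loop: parse alerts, decide per source, emit OVS rules."""
    alerts = [a for a in (parse_alert(l) for l in lines) if a]
    actions = decide(alerts)
    return actions, openflow_rules(actions)


if __name__ == "__main__":
    decisions, commands = process(SAMPLE_LOGS)
    print(decisions)
    for c in commands:
        print(c)
```

    With the constructed logs, 10.0.1.5 crosses the threshold and gets a drop rule, 10.0.1.7 is only steered to the appliance, and 10.0.0.2 (the log analyzer) is left alone even though it produced three alerts; the unparsable line is skipped rather than crashing the loop.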
  • 27. Summary
    Virtualization management is split: server virtualization and network virtualization.
    OpenStack was originally designed for server virtualization management, but it officially started to support network virtualization with the Folsom release.
    "OpenStack + SDN" supports better orchestration through centralized network management and abstraction from network details.
    We showed one security prototype that can be deployed directly in an OpenStack + SDN environment.
  • 28. www.NAIMNetworks.com