This document discusses the need for automation and programmability in network security as networks become more complex due to trends like cloud computing, mobility, and the Internet of Things. It outlines some of the challenges facing service providers in securing their networks and customers. It then describes different approaches service providers are taking to automate security using NFV and SDN technologies. Finally, it discusses how to secure the various components of an automated NFV architecture including the controller, infrastructure, network services, applications, management/orchestration, APIs, and communications.

2. Automation & Programmability Network Security
Khoo Boo Leng (khoo@cisco.com)
Technical Solution Architect APJ GSP Architecture

3. Digitization Is Disrupting The SP business
The world has gone mobile Traffic growth, driven by video
Rise of cloud computing Machine-to-Machine
Changing
Customer
Expectations
Ubiquitous Access
to Apps & Services
10X Mobile Traffic Growth
From 2013-2019
Changing Enterprise
Business Models
Efficiency & Capacity
Soon to
Change SP
Architectures/
Service Delivery
Emergence of the Internet of Everything
Process ThingsPeople Data
PetabytesperMonth
Other (43%, 25%)120,000
100,000
80,000
60,000
40,000
20,000
0
Internet Video (57%, 75%)
2013 2014 2015 2016 2017 2018
23% Global
CAGR 2013-
2018
Dynamic Threat Landscape
Increasing Threat Sophistication
Risks to Service Providers
and Their Customers

4. In Spite of Layers of Defense
Malware is getting
through control
based defenses
Malware
Prevention
is NOT
100%
Breach
Existing tools are
labor intensive and require
expertise
Each stage represents a separate process
silo attackers use to their advantage.
Attack Continuum
BEFORE
Discover
Enforce
Harden
AFTER
Scope
Contain
Remediate
Detect
Block
Defend
DURING

5. SP’s Are Approaching NFVi & Automation in Multiple Ways
Different solutions required to address different “Buying Centers”
Use Case Specific,
e.g.
vMS, VPC
Orchestration Led
Infrastructure Led
Use Case Led
• Bottom-up approach
• Buying Center – Network &
DC infrastructure team
• Common MANO solution for
different use cases
• Buying Center – NMS/OSS team
• Top-down approach
• Business outcome driven
• Buying Center – BU/Biz Vertical
Includes VNF-
M and NFV
Orchestrator
Hardware, VIM (OpenStack) and SDN Controller
We are leading with
vMS & Mobility
Modular offer with
NSO, ESC, CTCM
Emerging trend,
needs packaging
Infrastructure led approach
aka NFVI is gaining prominence!

6. Automation & Programmability Security Exploit
AutoSploit automates the exploitation
of remote hosts
Targets are collected automatically
as well by employing the Shodan.io API
Metasploit modules will run
programmatically comparing the name of
the module to the initial search query

7. It’s all about context
Event + network &
user context
Event + network
context
Event
Event: Attempted Privilege Gain
Target: 96.16.242.135
Event: Attempted Privilege Gain
Target: 96.16.242.135 (vulnerable)
Host OS: iPhone
Apps: Mail, Browser, Twitter
Location: Whitehouse, US
Event: Attempted Privilege Gain
Target: 96.16.242.135 (vulnerable)
Host OS: iPhone
Apps: Mail, Browswer, Twitter
Location: Whitehouse, US
User ID: dtrump
Full Name: Donald Trump
Department: Executive Office
Context has the capability of fundamentally changing the interpretation of your event data.

8. Keys Security Focus
Visibility
“See Everything”
Complete visibility of users, devices,
networks, applications, workloads
and processes
Threat protection
“Stop the Breach”
Quickly detect, block, and respond to
attacks before hackers can steal data
or disrupt operations
Segmentation
“Reduce the Attack Surface”
Prevent attackers from moving laterally
east-west with application whitelisting and
micro-segmentation

9. Gain Visibility, Intelligence, and Automation
Leverage information from other solutions to gain
complete network visibility and security analytics
Company
Host
Everything
must touch
the network
Know
every host
Access Audit
Record every
conversation
Understand
what’s normal
Posture
Get alerted to
change
Detect
Provides unique visibility into
what’s happening across your
entire network
Visibility and
Analytics
Detects anomalies and threats faster
with real-time analysis and advanced
forensics capabilities
Generates notifications
automatically when anomalies are
detected on the network
Network as a Sensor

10. Consistently Apply Policy, Control Access to Resources, &
Block Attacks
Consistently delivers security
policy across branch, campus, data
center, and cloud
Simplifies network
segmentation with a software-
defined approach
Shrinks the attack surface
by preventing lateral movement of
potential threats
TrustSec
Segmentation Policy Enforced Across the Extended Network
Switch Router VPN and
Firewall
DC Switch Wireless
Controller
Control access to network segments and resources
according to your security policy by working with ISENetwork as an Enforcer

11. The Need For Integrated Threat Defense
Integrated Management
Global & Local Threat Intelligence
Raw Data Threat Research Analytics
Network Platforms Cloud Platform Endpoint Platform
Services
DDoS | WAF | LB/ADC | Anti-Virus | SaaS Visib | DLP | FPC
FW/NGFW | NGIPS | Web | Email | Adv. Malw | Access
Shrink the Time to Detect and Contain
Shared Visibility and Context, Analytics, and Automation
Telemetry
Intelligence
SERVICES
LAYER
ANALYTICS
LAYER
ENFORCEMENT
LAYER
Behavioral Threat
Analytics
Network Behavioral
Analytics
Network Enforcement
& Malware Detection
Malware Sandboxing
(Adv. Threat Protect.)

12. Integration Through Context Sharing
CoA Triggered
ISE through pxGrid receives information
on threat
User Isolated
Change Authorization of machine
causing issue
SIEM
Firepower
Firewall
Custom
Detection
Stealthwatch
Network
Switch Router DC FW DC SwitchWireless
Network as an Enforcer ThreatSecurity Intelligence
Automatic or Initiated by IT Admin
~5 Seconds
ISE
pxGrid
Get Information
Solutions such as Vulnerability
Assessment, Firepower, Stealthwatch
detect malicious activity

13. SecuringAutomation & Programmability Network
Multiple layers of security to protect NFVi & SDN
1
2
7
3
5
4
6
1. Securing Controller
2. Securing Infrastructure
3. Securing Network Services
4. Securing Application
5. Securing Management &
Orchestration
6. Securing API
7. Securing Communication
8. Security Technologies
8

14. Securing Infrastructure
▪ Secure Operation
• Keep device OS up to date
• Monitor PSIRT and perform
bug scrub
• Centralize log collection and
monitoring
• Configuration Management
▪ Management Plane
• Use secure protocols to
manage Infrastructure: SSH,
SCP, HTTPs, SNMPv3, with
ACL to restrict access
• Control management and
monitor session with AAA
• Use encrypted local password
• Protect Console, AUX and
VTY
• Disable unused services, no
initial configuration via TFTP
▪ Control Plane
• Protect control plane: CoPP,
Routing protocol Security,
FHRP security
• ICMP redirects, icmp
unreachable, proxy arp
• Securing routing protocols:
peer authentication, route
filtering, managing resource
consumption
▪ Data Plane
• Protect data plane: DAI, IP
Source Guard, Port Security,
unicast RPF etc.
• Infrastructure ACLs, any-
spoofing ACLs, for Hardening
of devices
• Disable IP source routing
• Private VLAN

15. ▪ Application Security
• Digital Signing of Code
• Certification Process
• Resource Allocation
• Code Isolation
• Strong Typing
• AAA (PKI)
▪ Underlying platform Security
• Keep system updated apply patches & fixes
• Strong password
• Disable unnecessary protocols, Services and ports
• Authentication, Authorization and Accounting, with RBAC
• Enable host based firewall, allow only required ports
SecuringApplication, Services & Software Development Life Cycle
▪ Secure Development Lifecycle
• Threat Modeling
• Understanding and prioritizing risk
• Threat, Mitigation, Test
▪ Secure Design Principles
• Principle of Least Privilege
• Fail Safely
• Economy of Mechanism
• Avoid (in)Security by Obscurity
• Psychological Acceptability
• Defense in Depth
• Perform Static Code Analysis: Buffer Overflow, Resource Leaks, Null Pointer Deference
• Follow Secure Coding Guidelines
Cisco Secure Development Lifecycle (CSDL)

16. Securing Orchestration /Automation / Provisioning/API & Communications
• Orchestration and Automation servers should
reside on a secure management network,
protected by firewall.
• Use Authentication , Authorization and
Accounting, assign Role Base Access
Control, least privilege
• Ensure hardening of underlying platform:
Disable unused services, configure host
based firewall and allow only required ports,
Use logging and monitoring, use NTP
• Enforce strong passwords
• Use secure communication protocols
between portal, orchestrator and element
managers
• Ensure configuration and change
management is in place.
• Consider High Availability solution
• Use authentication and authorization
• Use encryption: Transport Layer Security, SSL, SSH, HTTPS
• Revocation of Access and authorization using OCSP.
• Proactively using policy or reactively as mitigation option to an
attack
• Logging of authentication and authorization
• Manageability / Scalability

17. Transport
Attack
• URL/message body
modification
• learn confidential information
Mitigation
• Use secure transport (https)
• Education
Attack
• Denial of Service
• Too many messages
• Too many connections
• Very large payloads
• Crafted inputs that can
cause system crashes
Mitigation:
• Rate limiting
• Threat Analysis of your
infrastructure
• Input validations
Infrastructure
Attacks
• Brute force
• Phishing
• Privilege escalation
Mitigation
• Strong authentication
• RBA
• Least privilege principle
• Info leakage via payload or
error messages.
• Review outbound data
(error messages, payload)
Authorization and
Authentication

18. Attack
• SQL injections
• XSS
• Buffer overflow attacks
Mitigation:
https://www.owasp.org/index.php/REST_Security_Cheat_Sheet
Input Validation

19. MnT
FMC
Controller
WWW
NGFW
2. Correlation Rules
Trigger Remediation Action
3. pxGrid EPS Action:
Quarantine + Re-Auth
1. Security Events /
IOCs Reported
i-Net
Servers
Or
End User

20. MnT
FMC
Controller
WWW
NGFW
4. Endpoint Assigned
Quarantine + CoA-Reauth
Sent
i-Net
Servers
Or
End User

21. FMC
Controller
WWW
NGFW
i-Net
Flow Collector
1. SW is Analyzing Flows from
Flow Collector
2. SW is Also Merging Identity
Data from ISE
3. Admin is Alerted of
Suspicious Behavior
4. Admin Initiates Endpoint
Quarantine
(EPS over pxGrid)
5. Endpoint
Assigned
Quarantine +
CoA-Reauth Sent
Servers
Or
End User

22. FMC
Controller
WWW
NGFW
i-Net
Flow Collector
New Traffic Rules apply to the new
state of the endpoint
6a. Could Deny Access
(ingress)
6b. Could Filter it within
network (egress)
6b. Could Filter it within
network (egress)
Servers
Or
End User

23. MnT
FMC
Threat Intelligence Integration
Controller
WWW
NGFW
2. Correlation Rules
Trigger Remediation
Action
3. pxGrid EPS Action:
Quarantine + Re-Auth
i-Net
1. Threat /
IOCs Reported
Servers
Or
End User

24. MnT
FMC
Controller
WWW
NGFW
4. Endpoint Assigned
Quarantine + CoA-Reauth Sent
i-Net
Threat Intelligence Integration
Servers
Or
End User

25. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Shared intelligence
Shared contextual
awareness
Consistent policy
enforcement
Firepower Management Center
Talos
Firepower 4100 Series Firepower 9300 Platform
Visibility
Radware
DDoS
Network
analysis Email Threats
Identity &
NAC DNS FirewallURL
Summary: Advanced Intelligence & Integrated Defense

26. Validated By EANTC/Light Reading
Enterprise, Endpoints &
Sensors
Access Transport – Core & SP DC/Cloud
Leased BH
or Internet
Managementand
Orchestration
1
23 3 4
5
1
2
3
4
5
Security effectiveness
Chaining and stitching
Orchestrating in SDN and NFV
Multi-tenant
Performance, scalability, and resiliency
http://www.lightreading.com/nfv/nfv-tests-and-trials/testing-ciscos-virtualized-security-products/v/d-id/721575?