DTS Solution - Software Defined Security v1.0


  1. Software Defined Security
  2. DTS Solution
  3. Overview: Software Defined Networking
  4. SDN - Introduction
     SDN separates the data and control planes of the network and provides interfaces/APIs to provision services collectively across the network from external systems, rather than configuring each device individually.
     • Control Plane: the logic that controls forwarding behaviour. Examples: routing protocols, network and middlebox configuration.
     • Data Plane: forwards traffic according to the control plane's logic. Examples: IP forwarding, Layer 2 switching.
  5. SDN - Introduction
     (Diagram: a Controller connected to Switch 1, Switch 2 and Switch 3 (S-1, S-2, S-3), showing the path to reach the controller and the packet forwarding path.)
  6. Network Virtualization
     • Network Virtualization
       o Decouple the application from the underlying hardware
       o Representation of one or more logical network topologies on the same infrastructure, e.g. VLANs, multiple logical routers on a single platform, resource isolation in CPU, memory, bandwidth, forwarding tables, ...
       o Customizable routing and forwarding software
       o Separate the logical network from the infrastructure
       o General purpose CPUs for the control plane
       o Network processors and FPGAs for the data plane
     • Network Programmability
       o "The first step in creating an improved future is developing the ability to envision it."
       o Implementation: Mininet (open source, Linux based)
  7. Network Virtualization
     • SDN separates the data plane and the control plane
     • Virtual networks separate logical and physical networks
     • SDN can be a useful tool for implementing virtual networks
  8. Network Virtualization
  9. SDN - Separation
     ● Evolution and development independent of the hardware
     ● Control from a high-level software program
     ● Data centers: VM migration, Layer 2 routing
     ● Routing: more control over decision logic
     ● Enterprise networks: security applications
     ● Example: Data Centers (Yahoo!)
       ○ 20,000 servers/cluster = 400,000 VMs
         ■ Any-to-any, 1024 distinct inter-host links
         ■ Sub-second migration, guaranteed consistency
         ■ Solution: program the switches from a central database
     ● Scalability:
       ■ Control elements are responsible for many forwarding elements (often thousands)
     ● Reliability/Security:
       ■ What happens when a controller fails or is compromised?
  10. SDN - Opportunities
     ● Dynamic access control
     ● Seamless mobility/migration
     ● Centralized network state
     ● Server load balancing
     ● Network virtualization
     ● Using multiple wireless access points
     ● Energy efficient networking
     ● Adaptive traffic monitoring
     ● Denial of Service attack detection
  11. SDN - Challenges in separation
     • Control and data plane separation
       o Scalability: routing decisions for many routers
       o Reliability: correct operation under failure
       o Consistency: ensuring consistency across multiple control replicas
     • Hierarchy, aggregation, clever state management and distribution
  12. SDN & Security
     ● The flow paradigm is ideal for security processing because it offers an end-to-end, service-oriented connectivity model that is not bound by traditional routing constraints.
     ● Logically centralized control allows effective performance and threat monitoring across the entire network.
     ● Granular policy management can be based on application, service, organization and geographical criteria rather than physical configuration.
     ● Resource-based security policies enable consolidated management of diverse devices with varying threat risk, from highly secure firewalls and security appliances to access devices.
     ● Security policy can be adjusted dynamically and flexibly under programmatic control.
     ● Flexible path management achieves rapid containment and isolation of intrusions without impacting other network users.
  13. SDN - Implementation
     ● OpenFlow: SDN and OpenFlow are often (incorrectly) used interchangeably
       ○ OpenDaylight (Java)
       ○ NOX, POX (Python implementations)
       ○ Beacon
     ● Juniper Contrail
     ● Cisco ONE
  14. SDN - OpenFlow
     • Open standard and open source
     • OpenFlow controller: software that runs on standard hardware
     • OpenFlow-enabled switch: Open vSwitch, HP, IBM and now Juniper
  15. SDN - OpenFlow
  16. SDN - OpenFlow
  17. SDN - OpenFlow Forwarding Decisions
     ● Layer 2 (src MAC, dst MAC, VLANs)
     ● Layer 3 (src IP, src port, dst IP, dst port)
     ● Or any of the layers (even 7)
     ● Push/pop MPLS labels and VLAN IDs (v1.3)
  18. SDN - Mininet
     • Network virtualization tool that works on Linux
     • Emulate your network before going to production (multiple DP, MPLS, L2/L3 VPNs)
  19. SDN - OVS (Open vSwitch)
     o Open source virtual switch; can be used as the control plane on real switches or between VMs, like the VMware switch.
     o Has its own controller, which behaves like a hub.
     o Can connect to a separate OpenFlow controller.
     o Used in Mininet to emulate network virtualization, and in KVM for switching between VMs.
  20. SDN - OpenFlow Applications
     • Load balancer: a simple switch can be used for server and/or link load balancing
     • Packet filter: a simple switch can be used to filter traffic
     • Policy routing:
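Slides 17 and 20 describe the match fields OpenFlow rules can use and the packet-filter application built on them; the following Python model of a priority-ordered flow table is an added example, not code from the slides or from any OpenFlow controller. The match-field names follow Open vSwitch conventions (dl_src, nw_dst, tp_dst, ...), and the MAC/IP addresses are constructed sample values.

```python
"""Minimal OpenFlow-style flow table: priority-ordered match/action rules (added example)."""
from dataclasses import dataclass

# Match fields from the slides' forwarding decisions, using OVS-style keys:
# Layer 2 (dl_src, dl_dst, dl_vlan) and Layer 3/4 (nw_src, nw_dst, tp_src, tp_dst).
FIELDS = ("in_port", "dl_src", "dl_dst", "dl_vlan", "nw_proto",
          "nw_src", "nw_dst", "tp_src", "tp_dst")


@dataclass
class Flow:
    priority: int
    match: dict        # field -> value; a field left out is a wildcard
    actions: list      # e.g. ["output:2"], ["drop"], ["controller"]
    packets: int = 0   # per-flow counter a controller polls for traffic monitoring

    def matches(self, pkt: dict) -> bool:
        return all(pkt.get(f) == v for f, v in self.match.items())


class FlowTable:
    def __init__(self):
        self.flows = []

    def add_flow(self, priority: int, match: dict, actions: list) -> None:
        unknown = set(match) - set(FIELDS)
        if unknown:
            raise ValueError(f"unknown match fields: {sorted(unknown)}")
        self.flows.append(Flow(priority, match, actions))
        # OpenFlow selects the highest-priority matching entry, so keep those first.
        self.flows.sort(key=lambda f: -f.priority)

    def lookup(self, pkt: dict) -> list:
        for flow in self.flows:
            if flow.matches(pkt):
                flow.packets += 1
                return flow.actions
        return ["controller"]  # table miss: punt the packet to the controller

    def stats(self) -> list:
        # Per-rule counters: the data behind centralized traffic/threat monitoring.
        return [(f.priority, f.match, f.packets) for f in self.flows]


def build_example_table() -> FlowTable:
    """Packet filter plus L2 forwarding, with constructed sample addresses."""
    t = FlowTable()
    # Filter rule: drop TCP/23 (telnet) towards the server 10.0.0.10 from any source.
    t.add_flow(200, {"nw_proto": 6, "nw_dst": "10.0.0.10", "tp_dst": 23}, ["drop"])
    # Forwarding rule: frames addressed to the server's MAC leave via port 2.
    t.add_flow(100, {"dl_dst": "00:00:00:00:00:0a"}, ["output:2"])
    return t
```

The higher-priority filter entry is consulted before the forwarding entry, so the same destination MAC is forwarded for HTTP but dropped for telnet, and the counters show how often each rule fired.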