
Nuage Networks: Using SDN to provide Security by Design by Christoph Torlinsky at DevSecCon 2015


As datacenter architectures have incorporated virtualization, new application topologies, new programming constructs such as Docker containers and increasing levels of automation, new security gaps have emerged. This workshop describes how Nuage Networks fills critical security gaps within and across datacenters. The session was held on October 22, 2015 at DevSecCon London.


  1. Nuage Networks: Using SDN to provide Security by Design
     Christoph Andreas Torlinsky – EMEA Technical Business Developer, christoph@nuagenetworks.net, twitter: @nuagenetworks
     Copyright 2013 Alcatel-Lucent. All rights reserved. CONFIDENTIAL - SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW. PROPRIETARY – USE PURSUANT TO COMPANY INSTRUCTION.
  2. Introduction into what Nuage SDN is…
     • Overview of Nuage VSP – who we are, what we do
     • Key concepts of SDN and its building blocks
     • Reference architectures of micro-segmentation and security
     • The network as a secure service for OpenStack and Docker
  3. Nuage Networks: Software Defined Networking (11/30/15)
     Internet cloud technologies, networking at scale, policy-based solutions, proven by success with enterprises and service providers.
     • Leader in Software Defined Networking focusing on best-of-breed, open solutions
     • Alcatel-Lucent venture (EU)
     • Startup office in Mountain View, CA – Silicon Valley
     • nuage = cloud in French
     Diagram labels: VPN, KVM/XEN, LXC/Docker, ESXi
  4. Challenge 1: Service velocity is hindered by manual network process (current: automating and securing the DC network)
     • Compute is virtualized; available in minutes
     • Network is partially virtualized, automated and secured; configuration takes days/weeks
     Diagram: a new tenant/application request goes to compute management, which auto-instantiates the workload and completes the compute request in minutes (00:01). The same request goes to network configuration, through help desk, change control, IP address, VLAN address, firewall configuration, LAN (VLAN) configuration, WAN (IP) configuration, the security/QA team and a project coordinator, and the network change is completed in days/weeks.
  5. New: Automating and Securing the SDN Network – service velocity is not hindered by manual network process
     Diagram: the tenant/application request goes to compute management (auto-instantiation, compute request completed in minutes, 00:01) and to networking and security/compliance: IP address, WAN interconnect, policy/security zones, L2/L3 service, AD, service chaining, template -> instances. With Nuage templates and role-based workflow the network change is completed automatically.
  6. Nuage Networks Virtualized Services Platform (VSP)
     • Virtualized Services Directory (VSD): network policy engine – abstracts complexity; service templates and analytics + security
     • Virtualized Services Controller (VSC): SDN controller, programs the network; rich routing feature set
     • Virtual Routing & Switching (VRS) – OVS based: distributed switch/router with L2-4 rules; integration of bare metal assets
     Diagram labels: VRS-K, hardware gateway, VRS-E, VRS-X, VRS-G; core, spine and leaf switches; VSD, VSC HA; overlay virtual networks / L3 IP VXLAN mesh
  7. SDN Instantiating + Securing by Policy – a software platform
     Diagram: cloud management plane; network service control plane (Virtualized Services Directory, Virtualized Services Controller, policy); IP network data plane with hypervisors (DC1, zone 1) and a DC gateway; existing DC via IGP/BGP, remote datacenter, internal/external WAN VPN service, Internet. Policy objects: domain, zones, subnets, policies, VPN.
     • L2-L4 VPNs
     • ACLs, QoS, DHCP, DNS, NAT …
     • Service chaining
     • Statistics/reporting & isolation
  8. Security challenges addressed by SDN
     • The current state of legacy networks and security
     • Applying policy by design
     • Key concepts of micro-segmentation and security use cases
     • A very quick demo
  9. Enterprise IT and Cloud Security Challenges and Requirements
     • Cloud provider: multi-tenancy at scale; on-demand
     • Enterprise: prevent malware spread; detect early, respond fast
  10. Current Data Center Network Security Approaches Aren't Sufficient
     • Protection: perimeter-centric – requires trust between all apps and tenants; cannot enforce internal segmentation
     • Detection: lack of visibility/control for east/west datacenter traffic; traditional approaches cannot scale for cloud
     • Response: manual processes delay policy changes and app delivery; costly to remediate, manage and update
  11. Nuage VSP Addresses Cloud and Enterprise Data Center Security Challenges
     • Micro-segmentation prevents lateral malware spread and data leakage
     • Secure multi-tenancy for private and public cloud
     • Policy-driven automation and compliance enforcement
     • Automated quarantine enables faster incident response
  12. Micro-Segmentation Prevents Lateral Movement of Malware
     Diagram: one VLAN/subnet containing App 1, App 2, DB 1, DB 2, Web 1 and Web 2, micro-segmented within a single broadcast domain.
     Micro-segmentation contains and isolates security breaches to a smaller set of servers / fault domains.
  13. Data Center Micro-Segmentation Use Cases for SDN with Nuage VSP
     Allowed traffic per use case, with any other traffic not whitelisted blocked:
     • Secure high value apps: allow between app tiers; block other traffic between server end-points
     • Secure access to shared services (backup): allow end-point to backup service
     • Quarantine infected end-points: allow infected end-point to security services; block traffic to servers from the infected end-point
     • Secure VDI environment: allow VDI end-point to authenticated users; block traffic between VDI desktops
  14. Nuage SDN: Delivers Secure Multi-Tenancy and Flexible Network Segmentation
     • Secure multi-tenancy for private and public cloud with one or more virtual isolated networks per tenant
     • Tight integration with CMS constructs (e.g., OpenStack Security Groups)
     • Flexible segmentation within a tenant based on logical grouping, independent of IP and VLANs
     • Logical networks and segments can be designed once and applied across tenants, programmatically, using templates and API / SDK binding
     Diagram: one physical network carrying Virtual Network 1 (Tenant 1) with a PCI zone/policy group and a non-PCI zone/policy group, and Virtual Network 2 (Tenant 2) with web, app and DB zones/policy groups.
  15. SDN Enables Better Visibility, Compliance and Accelerated Threat Detection within the Data Center
     Diagram: the policy engine (VSD) drives the controller (VSC), which programs distributed routing and switching (VRS). ACL allow and deny logs go to an external syslog server, feeding IDS / security analytics, and serve as ACL logs for compliance and audit.
  16. SDN: Compliance Enforcement and Automation using Templates
     Diagram: a template conforms to connectivity, security, QoS and statistics requirements; network users and compute users apply it through Nuage Networks VSP, and a config update is pushed to hypervisors in DC1 zone 1 (1,000 hosts).
     • Update security policy centrally in the domain template
     • VSD deploys it across all appropriate endpoints
     • Adhere to regulatory changes across the infrastructure easily
     • Compliance with global security policy
     • Configuration consistency
     • Programmer methodology
     • External data sources
  17. Nuage SDN: Supports Micro-Segmentation with Embedded L4 Distributed Firewall and L4-7 Security Insertion
     • Micro-segments based on logical grouping using policy groups
     • Reflexive L4 ACLs enforced at each server host in VRS using the embedded L4 distributed firewall
     • Policy supports workload mobility
     • Both physical and virtual L4-7 security services (NGFW, IPS/IDS etc.) can be inserted
     • Support for multiple hypervisors, physical hosts and containers
     Diagram (micro-segmentation with advanced L4-7 security): Web1 and Web2 in the web policy group, App1 and App2 in the app policy group, DB 1 in the DB policy group, an NGFW inserted between tiers, and the L4 DFW at each host.
  18. SDN delivers quicker Incident Response: Automated Quarantine
     Diagram: a SIEM / IPS receives security events from IDS / IPS, raises a security alert and calls the Nuage VSP API to quarantine infected servers/VMs, moving them from the non-infected/clean zone into the quarantine zone.
     • Move the VM to the quarantine zone
     • Leverage external data sources and behavior analytics for machine learning
     • Apply security policy to block select communications (e.g., C&C, FTP)
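The two preceding slides describe policy-group micro-segmentation with reflexive L4 ACLs enforced at each host (whitelist model, default deny) and an API-driven quarantine that moves an endpoint into a quarantine zone. The following Python model, added here as an illustration and not Nuage code or the VSP API, shows how those pieces fit together: group membership instead of IP-based rules, first-match evaluation with a default deny, a reflexive entry that admits return traffic of an allowed flow, a quarantine call that regroups the endpoint and cuts its existing sessions, and the ACL allow/deny log lines a syslog server would collect. The IP addresses, group names, rule set and log format are constructed assumptions.

```python
"""Toy model of policy-group micro-segmentation with reflexive L4 ACLs
and API-driven quarantine.  Constructed example; not Nuage software."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# A forward flow as the distributed firewall keys it.
Flow = Tuple[str, str, str, int]  # (src_ip, dst_ip, proto, dst_port)


@dataclass
class Rule:
    src_group: str            # policy group name, or "*" for any
    dst_group: str
    proto: str                # "tcp", "udp", or "*"
    dport: Optional[int]      # None matches any destination port
    action: str               # "allow" or "deny"

    def matches(self, src_groups: Set[str], dst_groups: Set[str],
                proto: str, dport: int) -> bool:
        return ((self.src_group == "*" or self.src_group in src_groups)
                and (self.dst_group == "*" or self.dst_group in dst_groups)
                and self.proto in ("*", proto)
                and self.dport in (None, dport))


@dataclass
class DistributedFirewall:
    """Per-host L4 firewall: group-based rules, first match wins, default deny."""
    groups: Dict[str, Set[str]]                 # endpoint IP -> policy groups
    rules: List[Rule]
    established: Set[Flow] = field(default_factory=set)
    log: List[str] = field(default_factory=list)

    def evaluate(self, src: str, dst: str, proto: str, dport: int,
                 sport: int = 0) -> str:
        # Reflexive ACL: return traffic of a flow that was allowed in the
        # forward direction is accepted without needing a rule of its own.
        if (dst, src, proto, sport) in self.established:
            self._log("allow", src, dst, proto, dport, "reflexive")
            return "allow"
        src_groups = self.groups.get(src, set())
        dst_groups = self.groups.get(dst, set())
        for i, rule in enumerate(self.rules):
            if rule.matches(src_groups, dst_groups, proto, dport):
                if rule.action == "allow":
                    self.established.add((src, dst, proto, dport))
                self._log(rule.action, src, dst, proto, dport, f"rule{i}")
                return rule.action
        # Whitelist model: anything not explicitly allowed is dropped.
        self._log("deny", src, dst, proto, dport, "default")
        return "deny"

    def quarantine(self, ip: str) -> None:
        """What a SIEM/IPS alert would trigger through an API (hypothetical):
        the endpoint moves into the quarantine group and its sessions are cut."""
        self.groups[ip] = {"quarantine"}
        self.established = {f for f in self.established if ip not in f[:2]}

    def _log(self, action, src, dst, proto, dport, why) -> None:
        # Shape of the ACL allow/deny record an external syslog/IDS would ingest.
        self.log.append(f"ACL {action.upper()} {src} -> {dst} {proto}/{dport} ({why})")


def build_firewall() -> DistributedFirewall:
    # Constructed endpoints: one host per tier plus a security-services host.
    groups = {
        "10.0.1.10": {"web"},
        "10.0.2.10": {"app"},
        "10.0.3.10": {"db"},
        "10.0.9.10": {"security-services"},
    }
    rules = [
        Rule("quarantine", "security-services", "tcp", 443, "allow"),
        Rule("quarantine", "*", "*", None, "deny"),
        Rule("*", "quarantine", "*", None, "deny"),
        Rule("web", "app", "tcp", 8080, "allow"),
        Rule("app", "db", "tcp", 5432, "allow"),
    ]
    return DistributedFirewall(groups, rules)


def run_scenario() -> Dict[str, str]:
    """Tier-to-tier traffic before and after the app host is quarantined."""
    fw = build_firewall()
    web, app, db, sec = "10.0.1.10", "10.0.2.10", "10.0.3.10", "10.0.9.10"
    v = {}
    v["web->app:8080"] = fw.evaluate(web, app, "tcp", 8080, sport=40001)
    v["app->web return"] = fw.evaluate(app, web, "tcp", 40001, sport=8080)
    v["web->db:5432"] = fw.evaluate(web, db, "tcp", 5432)
    v["app->db:5432"] = fw.evaluate(app, db, "tcp", 5432)
    fw.quarantine(app)
    v["quarantined app->db:5432"] = fw.evaluate(app, db, "tcp", 5432)
    v["quarantined app->sec:443"] = fw.evaluate(app, sec, "tcp", 443)
    v["web->quarantined app:8080"] = fw.evaluate(web, app, "tcp", 8080)
    v["stale return after quarantine"] = fw.evaluate(app, web, "tcp", 40001, sport=8080)
    return v


if __name__ == "__main__":
    for k, verdict in run_scenario().items():
        print(f"{k:32s} {verdict}")
```

The quarantine rules sit at the top of the list so that regrouping an endpoint overrides every tier rule it previously matched; because the model also flushes the endpoint's reflexive entries, a session opened before the alert cannot keep riding the "established" exception, which is the detail most worth checking in a real enforcement point.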
  19. Nuage Addresses Cloud and Enterprise Data Center Security Challenges
     • Secure multi-tenancy for private and public cloud: reduces risk, lowers infrastructure costs; enables cloud service providers to offer network security as a service
     • Micro-segmentation prevents lateral malware spread: embedded L4 distributed firewall with advanced L4-7 security service insertion; protects any workload (bare-metal, physical and virtual – multi-hypervisor) on any network
     • Policy-based security automation and compliance: policy based on logical context and grouping; automated provisioning of L4 security and compliance enforcement
     • Faster incident response with automated quarantine: APIs for integration with threat detection/SIEM systems to automate quarantine
  20. Nuage VSP as a consistent secure overlay solution across virtual machines, OpenStack, Mesos, Docker and bare metal
     • Same network policy
     • Same automation workflow
     • Same security governance and compliance
     Diagram: VMs on a hypervisor, containers on a Docker host, and bare-metal servers (BM) behind a physical switch (HW VTEP), all on the same overlay.
  21. Native Docker Networking – current challenges… (veth – default strategy)
     Diagram: a compute host whose Docker host OS namespace holds the docker0 bridge (172.16.42.1/16) and the host's eth0 (192.168.1.2). Container 1's namespace has eth0 at 172.16.1.2, attached to docker0 through veth14; Container 2's namespace has eth0 at 172.16.1.3, attached through veth22. External reachability relies on iptables NAT.
  22. Limitations of native Docker networking
     • Default networking model only allocates an IP address that is private to the Docker host
     • Setting up useful networking using iptables is manual and error-prone
     • No built-in support for multi-host networking
     • No built-in support for isolating containers belonging to different applications
     • No built-in support for external networking
     • No support for multi-tenancy
  23. Nuage VSP SDN: Networking for Docker
     Diagram: on the compute host, the Docker host OS namespace holds the alubr0 bridge and eth0 (192.168.1.2); Container 1 attaches via eth-pid1 at 172.16.1.2 and Container 2 via eth-pid2 at 172.16.1.3, with container traffic carried off-host over VXLAN.
  24. Nuage VSP SDN Networking for Docker
     • Overlay-based networks that scale out across multiple physical hosts as the cloud deployment grows
     • High-performance solution that converges quickly during peak container activation/deactivation events
     • Supports micro-segmentation and isolation across multiple physical hosts
     • Supports multi-tenanted environments and VXLAN
     • Supports application environments that require support for hybrid workloads with containers, VMs and BMSs
     • Leverage Docker 'libnetwork' with Nuage
     • More: https://www.youtube.com/watch?v=8Wo5j2XFQhQ
  25. Ecosystem Partners | Extensibility & Security
     Partner categories: security; management & orchestration; application delivery controllers; Nuage certified
  26. Ecosystem Partners around Nuage VSP SDN
     Partner categories: cloud consumption; network flexibility; extensibility and security; system integrator
  27. Openness – continued…
     Diagram (Nuage VSP core + extensibility framework): physical switches (Arista 7850, HP 5930), DPDK switches, virtual switches, vSR, VSG; programmable distributed data plane (local breakout); APLaaS integration FWK; hybrid cloud; northbound REST APIs/SDKs; OSS, VNS, LBaaS, FWaaS.
     https://github.com/nuagenetworks
  28. Where did this bring us?
     • Successful with 10+ large financial services firms
     • Prominent web-scale ASP
  29. THANK YOU LONDON! www.nuagenetworks.com @nuagenetworks
