Network Virtualization Security: Current Status and Security Implications
안종석 (JongSeog Ahn)
Purpose: Introduce ways to strengthen security in network virtualization / SDN environments, and help identify the issues that will matter in the related market going forward.
Training topic: Network virtualization security status and security implications (security of virtualization-based cloud services and SDN)
Purpose and topic
Table of contents
I. Network virtualization overview
• Network virtualization
• Software Defined Networking (SDN) overview
• Network Functions Virtualization (NFV) overview
II. Cloud services and security
• Cloud services
• Security elements of virtualized environments
III. Software-defined security
• SDN-based security
• Software Defined Security
• Open-source / commercial technologies
I. Network virtualization overview
Figure: SDN and NFV
I. Network virtualization overview
Type 1 hypervisors: VMware, Xen Project, Hyper-V
Type 2 hypervisors: KVM, VirtualBox
Containers: LXC
I. What is virtualization: virtualization overview
Figure: Two VRFs on one device, VRF 1 [OSPF] and VRF 2 [EIGRP], with prefixes 10.10.10.0/30 and 10.10.20.0/30 (10.10.20.0/30 appears in more than one VRF)
I. What is virtualization: virtualization overview
I. Network virtualization overview: SDN
Companies listed on the slide:
3TEN8, 6WIND, A10 Networks, Active Broadband Networks, ADVA Optical, Alcatel-Lucent/Nuage, Alibaba, Aricent, Arista Networks, Aruba Networks, Atto Research Korea, Auvik Networks, Baidu, Barefoot Networks, Beijing Internet Institute (BII), Big Switch Networks, BISDN, Blue Ocean Networks, Broadcom, Brocade, BTI Systems, Centec Networks, Ceragon, China Mobile, China Telecom, Ciena, Cisco, Citrix, Colt, Coriant, Corsa Technology, Criterion Networks, Cyan, Dell/Force10, Deutsche Telekom, ECI Telecom, Ericsson, EstiNet Technologies, ETRI, Extreme Networks, F5/LineRate, Facebook, Fiberhome Technologies, FishNet Security, Freescale, Friesty, Fujitsu, Gencore Systems, Gigamon, Glimmerglass, Goldman Sachs, Google, Guardicore, Hitachi, HP, Huawei, IBM, Infinera, Infoblox, Intel, Institute for Information Industry, Intelligent Security Management, Intune Networks, IP Infusion, Itential, ITRI, Ixia, Juniper Networks, KDDI, KEMP Technologies, Konodrac, Korea Telecom, L3 Communication Systems-East, Lancope, Level3 Communications, LSI Corporation, Luxoft, Marvell, MediaTek, Mellanox, Metaswitch Networks, Microsoft, Midokura, MRV, NAIM Networks, NCL Communication, NEC, Netgear, Netronome, Netscout Systems, NSN, NoviFlow, NTT Communications, Oki Electric Industry Co, Optelian, Oracle, Orange, Overture Networks, PCCW Global, Pertino, Pica8, Plexxi, Procera Networks, Qosmos, Rackspace, Radware, Riverbed Technology, Saisei Networks, Samsung, Sanctum Networks, SDN Essentials, SDN Solutions, SK Telecom, Spirent, Swisscom, Tail-f Systems, Tallac Networks, Tata Communications, Tekelec, Telecom Italia, Telefónica, Telekom Malaysia, Telesoft Technologies, Tellabs, Tencent, Thales, Tilera, Transmode, TW Telecom, UBIqube, Vello Systems, Verizon, Virtela, VMware/Nicira, Vodafone, Wipro Limited, Xilinx, Xinguard, Xpliant, Yahoo!, Zhone Technologies, ZTE
Figure: Software stack of a conventional network device. Operating System (OS); Services: Security, Virus Protect, Snooping, Access Control, Spanning Tree, Routing, ACL, QoS; Configuration: CLI, SNMP, Web; Low-Level ASIC Interface; ASIC with TCAM.
I. Network virtualization overview: SDN
Enabling a shift from protocols to applications
Figure: a controller above each network device's software (controller / network device software, repeated per device)
I. Network virtualization overview: SDN
Figure: Operating System (OS); control
I. Network virtualization overview: SDN
Database / Protocol / Program
Omniscience (全知) and omnipotence (全能)
• What is needed to be omniscient? SDN
• What is needed to be omnipotent? Coding
Legacy vs. SDN
http://dtucker.co.uk/hack/building-a-router-with-openvswitch.html
Distributed routing/gateway implementations: VMware NSX (DLR), Cisco ACI (Distributed D/G), Nuage (VRS), OpenStack 'Juno' (DVR), Juniper OpenContrail (vRouter), Midokura Midonet (Logical L3 Routing)
I. Network virtualization overview: SDN
Figure: Classical Network Appliance Approach vs. Network Functions Virtualisation Approach
Classical appliances: BRAS, Firewall, DPI, CDN, Tester/QoE monitor, WAN Acceleration, Message Router, Radio Network Controller, Carrier Grade NAT, Session Border Controller, PE Router, SGSN/GGSN
NFV approach: Independent Software Vendors; orchestrated, automatic remote install; hypervisors; Generic High Volume Ethernet Switches, Generic High Volume Servers, Generic High Volume Storage
I. Network virtualization overview: NFV
Figure: NFV ISG organization
Technical Steering Committee: Chair / Technical Manager: Don Clarke (BT); Vice Chair / Assistant Technical Manager: Diego Lopez (TF); Programme Manager: TBA; NOC Chair (ISG Vice Chair) + WG Chairs + Expert Group Leaders + Others
Working Group, Architecture of the Virtualisation Infrastructure: Steve Wright (AT&T) + Yun Chao Hu (HW); Managing Editor: Andy Reid (BT)
Working Group, Reliability & Availability: Chair: Naseem Khan (VZ); Vice Chair: Markus Schoeller (NEC)
Working Group, Management & Orchestration: Diego Lopez (TF) + Raquel Morera (VZ)
Working Group, Software Architecture: Fred Feisullin (Sprint) + Marie-Paule Odini (HP)
Expert Group, Security: Bob Briscoe (BT)
Expert Group, Performance & Portability: Francisco Javier Ramón Salguero (TF)
Additional Expert Groups can be convened at the discretion of the Technical Steering Committee
HW = Huawei, TF = Telefonica, VZ = Verizon
I. Network virtualization overview: NFV
Figure: NFV reference architecture. OSS / BSS; EMS 1, EMS 2, EMS 3 managing VNF 1, VNF 2, VNF 3 (VNF = Virtualised Network Function); Virtualisation Layer over Virtual Compute, Virtual Storage and Virtual Network; Hardware Resources: Computing Hardware, Storage Hardware, Network Hardware; Orchestrator, VNF Managers, Virtualised Infrastructure Manager; Service, VNF & Infrastructure Description.
Source: Network Functions Virtualisation, Update White Paper, October 15-17, 2013, at the "SDN and OpenFlow World Congress", Frankfurt, Germany.
A Virtual Network Function (VNF) utilises these virtualised resources, and may use various VMs (Virtual Compute) connected via some Virtual Networks.
I. Network virtualization overview: SDN
Figure: Controller state stores: Distributed Registry (strongly consistent); Distributed Key-Value Store (DB); Network Graph (eventually consistent)
Figure: Protocol layering. Applications: eMail, WWW, Phone; application protocols: SMTP, HTTP, RTP; transport: TCP, UDP; network: IP; link: Ethernet, PPP; media access: CSMA, async, SONET; physical media: copper, fiber, radio
I. Network virtualization overview: NFV
II. Cloud services and security
II. Cloud services and security
Figure: Service models (IaaS, PaaS, SaaS) against the cloud layers, showing which layers are user-owned and which are provider-owned (or a public cloud).
Cloud layers, top to bottom: Data; Interfaces (APIs, GUIs); Application; Solution stack (programming languages); Operating system (OS); Virtual machines; Virtual network infrastructure; Hypervisors; Process/memory; Data storage; Network; Physical environment / data center.
Service models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS). In each model the upper layers are user-owned and the lower layers are provider-owned (or a public cloud); the virtualization layers sit in between.
II. Cloud services and security
Comparison of cloud management products/frameworks:
| Product / Framework | OpenStack | CloudStack | VMware vCloud Suite | Microsoft SCVMM |
| Licence | Apache 2.0 | Apache 2.0 | Proprietary | Proprietary |
| Primary hypervisor | KVM | Xen | ESXi | Hyper-V |
| Secondary hypervisors | Xen, Hyper-V, vSphere, LXC | KVM, Hyper-V, vSphere, LXC | - | - |
| Primary language | Python | Java | Mix of | Mix of |
| Primary storage type | Cluster: CEPH, GlusterFS; SAN: iSCSI, NFS | SAN: iSCSI, NFS | SAN: iSCSI, NFS, FC, FCoE; Cluster: vSAN | SAN: iSCSI, FC, FCoE; Cluster: SMB 3.0 |
| Network virtualization | Open vSwitch, VMware NSX, Arista EOS, Cisco Nexus, Brocade, HP, Mellanox, NEC OpenFlow Plugin, OpenDaylight | Open vSwitch | VMware NSX, Arista EOS, Cisco Nexus, Brocade, HP | NVGRE virtual switch |
| Multi-tenant, self-service portal | Yes, Horizon | Yes | Yes | Yes, Self-Service Portal/SCVMM |
| Hybrid cloud solutions | RackConnect allows migration to Rackspace | Citrix CloudPlatform allows migration between clouds | vCloud Connector | SCVMM allows migration to Azure |
| Cost of implementation | Free, add consultancy and integration fee | Free, add consultancy and integration fee | | |
II. Cloud services and security
Figure: Provisioning cost and time, past vs. now. Past: $10,000 and 10 weeks; now: $300 and 2 minutes. Items listed: enterprise storage, VLAN network, firewall, load balancer, intrusion detection, security, monitoring, availability (each adding days).
II. Cloud services and security
https://console.aws.amazon.com/console/home?region=ap-northeast-1
II. Cloud services and security
Figure: Dynamic configuration: detect/authenticate; VLAN / 802.1q; QoS / rate limit / shape; allow/deny IPs; allow/deny protocols; VM service provisioning. Building blocks shown: authentication/authorization, fabric switch, overlay, OpenFlow.
II. Cloud services and security
Security elements, conventional vs. virtualized environment:
| Area | Conventional | Virtualized |
| Network IPS | Blocks threats and attacks only at the network perimeter | Protects the boundaries between VMs as well as the network perimeter |
| Security policies | Policy is limited to the critical applications of each network segment or server | Policy is applied comprehensively (web, data, OS, DB) and moves together with the VMs |
| Server protection | An agent's management function protects a single physical server | Needed on each VM's server, just as it is considered for physical servers |
| System patching | Patch the critical vulnerabilities of individual servers or networks | Patch, track, and control the arbitrary use of VMs |
II. Cloud services and security
Figure: Hardware, hypervisor, and multiple guest VMs (OS + App). Threats shown: a worm attack carrying out infection activity inside the virtual environment; unauthorized VM-to-VM communication; a rootkit control attack against the hypervisor management.
II. Cloud services and security
Figure: Hardware, hypervisor, and guest VMs (OS + App), plus a management server on its own hardware and hypervisor; VMs can be built easily.
II. Cloud services and security
Figure: Hardware, hypervisor, and guest VMs (OS + App).
II. Cloud services and security
Figure: infrastructure, network, compute, infrastructure.
II. Cloud services and security
• Segmentation based on service and security requirements
  Web services: portals, web-based warehouses
  Application services: ERP
  Core services: DNS, DHCP, NTP, FTP, RADIUS
  Database services: MS SQL, Oracle, Sybase
• Benefit from a Service Oriented Architecture (SOA)
  Zones can be hosted by different managed service providers.
  Borders between application categories or zones can be protected more easily.
  Distribution of malware or hacker attacks is limited to one zone.
  Outages, failures and administration errors are restricted to one zone only.
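The zone segmentation described above, as an added example that is not part of the original slides: a default-deny zone-to-zone policy for the four zone types the slide lists (web, application, core, database). The zone CIDRs, the allowed ports per zone pair, and the flow records are constructed for illustration; the check shows why a direct web-to-database flow, or a flow leaving the database zone, is a violation that segmentation is meant to confine.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed address plan for the four zone types on the slide (hypothetical CIDRs).
ZONES: Dict[str, ipaddress.IPv4Network] = {
    "web":  ipaddress.ip_network("10.1.0.0/24"),   # portals, web-based warehouses
    "app":  ipaddress.ip_network("10.2.0.0/24"),   # ERP
    "core": ipaddress.ip_network("10.3.0.0/24"),   # DNS, DHCP, NTP, FTP, RADIUS
    "db":   ipaddress.ip_network("10.4.0.0/24"),   # MS SQL, Oracle, Sybase
}
INTERNET = "internet"   # anything outside the zone plan

# Constructed zone-to-zone policy: (source zone, destination zone) -> allowed destination ports.
# Any pair not listed is denied, so e.g. ("web", "db") is blocked by default.
POLICY: Dict[Tuple[str, str], Set[int]] = {
    (INTERNET, "web"): {80, 443},
    ("web", "app"):    {8080},
    ("app", "db"):     {1433, 1521, 5000},   # MS SQL, Oracle, Sybase
    ("web", "core"):   {53, 123},            # DNS, NTP
    ("app", "core"):   {53, 67, 123, 1812},  # DNS, DHCP, NTP, RADIUS
    ("db", "core"):    {53, 123},
}


def zone_of(ip: str) -> str:
    """Classify an address into its zone; unknown addresses count as internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return INTERNET


def is_allowed(src_ip: str, dst_ip: str, dst_port: int) -> Tuple[bool, str]:
    """Decide a flow against the zone policy and explain the decision."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst and src != INTERNET:
        return True, f"intra-zone ({src})"
    if dst_port in POLICY.get((src, dst), set()):
        return True, f"{src}->{dst}:{dst_port} permitted by zone policy"
    return False, f"{src}->{dst}:{dst_port} denied (no zone policy entry)"


def audit_flow_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (flow, reason) for every flow record that violates the zone policy.
    Each constructed record has the form 'src_ip dst_ip dst_port'."""
    violations = []
    for line in lines:
        src_ip, dst_ip, port = line.split()
        ok, reason = is_allowed(src_ip, dst_ip, int(port))
        if not ok:
            violations.append((line, reason))
    return violations


SAMPLE_FLOWS = [   # constructed flow records
    "203.0.113.9 10.1.0.5 443",    # internet -> web portal: allowed
    "10.1.0.5 10.2.0.7 8080",      # web -> app: allowed
    "10.2.0.7 10.4.0.3 1433",      # app -> MS SQL: allowed
    "10.1.0.5 10.4.0.3 1433",      # web -> db directly: violation (skips the app zone)
    "203.0.113.9 10.4.0.3 1521",   # internet -> Oracle: violation
    "10.4.0.3 10.1.0.5 22",        # db -> web over SSH: violation (db zone must not reach out)
]

if __name__ == "__main__":
    for flow, reason in audit_flow_log(SAMPLE_FLOWS):
        print(f"VIOLATION {flow}: {reason}")
```

Running the block prints the three violating flows; the same check can be run over exported firewall or flow logs to confirm that a zone design is actually enforced rather than only drawn.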
III. Software-defined security
III. Software-defined security
Management/control responsibility (example) for PCI DSS requirements by service model:
| PCI DSS requirement | IaaS | PaaS | SaaS |
| Install and maintain a firewall for data | Both | Both | Service provider |
| Change vendor default passwords / security settings | Both | Both | Service provider |
| Protect stored data | Both | Both | Service provider |
| Encrypt transmission over open/public networks | User | Both | Service provider |
| Regularly update anti-virus software | User | Both | Service provider |
| Develop and maintain secure systems and applications | Both | Both | Both |
| Restrict data access by business need | Both | Both | Both |
| Assign a unique ID to each person with computer access | Both | Both | Both |
| Restrict physical access to data | Service provider | Service provider | Service provider |
| Monitor and track access to network resources and data | Both | Both | Service provider |
| Regularly test security systems and processes | Both | Both | Service provider |
| Maintain an information security policy for all personnel | Both | Both | Both |
III. Software-defined security
Helps users review before applying a system; reviews the cloud migration operating strategy; reviews security controls:
• Basic Operations Checklist
• Enterprise Operations Checklist
• Auditing Security Checklist
Version 1.0, Released: January 6, 2014
III. Virtual network design: security measures
• Virtualization: virtualize the firewall that ran on Linux or on a hardware appliance
• SDN controller compatibility: hypervisor vs. orchestrator
• Protocol version: southbound (OpenFlow vs. NETCONF or something else)
• App compatibility within the controller: maturity of the other apps coexisting on the controller
• Roadmap for the target market: 1) performance improvement, 2) protocols, 3) SDN controller integration, 4) architecture; CMP support (auto-scaling, VPN, etc.) as a further consideration
Figure: A virtualized server (hypervisor + vSwitch) hosting a Linux web server, a Linux app server, a Linux DB server and a Linux firewall, each with a vNIC; the vSwitch connects to the physical NIC. An open SDN controller with an orchestration firewall (controller) drives vSwitches that act as firewall agents.
III. Software-defined security
III. Software-defined security
Figure: OpenFlow area in the data center. 1. IDS/IPS (e.g. Snort or Suricata) raises 2. a security event to the OpenFlow/SDN controller, which installs 3. a drop or QoS action on the vSwitch/pSwitch.
Considerations:
OpenFlow-integrated IDS sensor: the blocking/control point is the OpenFlow vSwitch/pSwitch
Scalability: consider connecting multiple SDN controllers
Central management
Virtualization
Multi-tenant detection (IDS as a service)
Consider the CMP (OpenStack)
Consider embedded SDN environments
Flow entry on the OpenFlow-based vSwitch:
| MAC Src | MAC Dst | Src IP | Dst IP | Src TCP Port | Dst TCP Port | Action |
| * | * | 192.168.10.20 | * | * | * | Drop |
III. Software-defined security
Considerations:
DDoS mitigation with a TMS (Threat Management System): integrate the gateway or external service system that manages the distributed DDoS detection sensors with the SDN controller
Central management
SDN controller (issues a flow that diverts traffic for the detected target IP address to the TMS)
Virtualization
Multi-tenant detection
Consider the CMP
Flow entry on the pSwitch/vSwitch:
| MAC Src | MAC Dst | Src IP | Dst IP | Src TCP Port | Dst TCP Port | Action |
| * | * | * | 192.168.10.20 | 80 | * | Port 3 |
Figure: pSwitch/vSwitch, OpenFlow/SDN controller, TMS and target host. 1. When a DDoS sensor or gateway detects an attack, it passes the target host IP address to the SDN controller. 2. The TMS forwards the normal traffic that remains after filtering the DDoS attack. 3. The flow for traffic to the DDoS target host IP address is changed to go through the TMS.
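The two controller reactions shown on the IDS slide (drop the offending source) and the DDoS slide (divert traffic for the target host to the TMS port), as an added example that is not code from the original slides. The flow-table matching is a simplified imitation of OpenFlow (wildcard match, highest priority wins, a table-miss entry that forwards normally), not a real controller API; the `SecurityApp` class, the priorities, the TMS on port 3 and the packets are constructed assumptions. The alert line is constructed in the Suricata/Snort "fast" alert layout, and the match fields follow the slide's flow entries exactly (source IP for the drop, destination IP plus source TCP port 80 for the diversion).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

WILDCARD = "*"


@dataclass(frozen=True)
class Packet:
    """Header fields corresponding to the slide's flow-table columns."""
    mac_src: str
    mac_dst: str
    ip_src: str
    ip_dst: str
    tcp_src: int
    tcp_dst: int


@dataclass
class FlowEntry:
    match: Dict[str, object]   # header field -> exact value; a field not listed is "*"
    action: str                # "NORMAL", "DROP" or "OUTPUT:<port>"
    priority: int = 0
    packets: int = 0           # per-flow packet counter (the basis for counter-based threat analysis)

    def matches(self, pkt: Packet) -> bool:
        return all(v == WILDCARD or getattr(pkt, k) == v for k, v in self.match.items())


class FlowTable:
    """Highest-priority matching entry wins; the table-miss entry forwards normally."""

    def __init__(self) -> None:
        self.entries: List[FlowEntry] = [FlowEntry({}, "NORMAL", priority=0)]

    def add(self, entry: FlowEntry) -> None:
        self.entries.append(entry)
        self.entries.sort(key=lambda e: e.priority, reverse=True)

    def lookup(self, pkt: Packet) -> str:
        for entry in self.entries:
            if entry.matches(pkt):
                entry.packets += 1
                return entry.action
        return "DROP"  # not reachable: the table-miss entry matches everything


# Suricata/Snort fast-alert tail: "... {TCP} 192.168.10.20:4444 -> 10.0.0.5:80"
_FAST_RE = re.compile(
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)")


def parse_fast_alert(line: str) -> Optional[Dict[str, object]]:
    """Extract protocol and endpoints from a fast-format alert line; None if not an alert."""
    m = _FAST_RE.search(line)
    if not m:
        return None
    return {"proto": m["proto"], "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"])}


class SecurityApp:
    """Hypothetical security application running on the OpenFlow/SDN controller."""
    TMS_PORT = 3   # assumed switch port where the inline TMS is attached ("Port 3" on the slide)

    def __init__(self, table: FlowTable) -> None:
        self.table = table

    def on_ids_alert(self, line: str) -> Optional[str]:
        """IDS event -> drop flow for the offending source IP (slide's first flow entry)."""
        alert = parse_fast_alert(line)
        if alert is None:
            return None
        self.table.add(FlowEntry({"ip_src": alert["src"]}, "DROP", priority=200))
        return alert["src"]

    def on_ddos_alert(self, target_ip: str, tcp_src: int = 80) -> None:
        """DDoS sensor reports a target host -> divert its traffic to the TMS port (second flow entry)."""
        self.table.add(FlowEntry({"ip_dst": target_ip, "tcp_src": tcp_src},
                                 f"OUTPUT:{self.TMS_PORT}", priority=100))


def demo() -> Dict[str, str]:
    """Run both reactions over constructed packets and return the resulting switch actions."""
    table = FlowTable()
    app = SecurityApp(table)
    # constructed sample traffic
    from_attacker = Packet("00:11:22:33:44:55", "66:77:88:99:aa:bb", "192.168.10.20", "10.0.0.5", 4444, 80)
    from_client = Packet("00:11:22:33:44:56", "66:77:88:99:aa:bb", "192.168.10.30", "10.0.0.5", 51000, 80)
    to_target_80 = Packet("66:77:88:99:aa:bb", "00:11:22:33:44:57", "10.0.0.9", "192.168.10.20", 80, 52000)
    to_target_443 = Packet("66:77:88:99:aa:bb", "00:11:22:33:44:57", "10.0.0.9", "192.168.10.20", 443, 52001)
    results = {"before_ids": table.lookup(from_attacker)}
    # constructed alert line in fast-alert layout (signature text is a placeholder)
    app.on_ids_alert("07/07/2014-10:15:02.123456  [**] [1:1000001:1] LOCAL example signature [**] "
                     "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.10.20:4444 -> 10.0.0.5:80")
    results["attacker_after_ids"] = table.lookup(from_attacker)
    results["client_after_ids"] = table.lookup(from_client)
    app.on_ddos_alert("192.168.10.20")
    results["target_80"] = table.lookup(to_target_80)
    results["target_443"] = table.lookup(to_target_443)
    return results


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name}: {action}")
```

The drop entry is given a higher priority than the diversion entry so that, if a host is both a known attacker and a DDoS target, the drop still wins; in a real deployment both entries would also carry idle/hard timeouts so that a stale reaction does not block or divert traffic indefinitely.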
III. Software-defined security
• Security devices embedded in an open SDN controller (devices such as a TMS or IPS that require inline installation in a legacy environment)
• Use NICs or switches with Open vSwitch built in
• Use the OpenFlow protocol
• Redirect threat flows to the TMS
Figure: A server with a NIC and Open vSwitch hosting VM 1 (IP address 1), VM 2 (IP address 2) and VM 3 (IP address 3), each with a vNIC, connected to an Open pSwitch. The SDN/OpenFlow controller runs a security function application: 3) threat analysis based on flow counters, 4) the threat flow is redirected to the inline TMS device. Scenario: an attack on the VM with IP address 2.
III. Software-defined security
vArmour
• Founded in 2011 by two security-solution experts with $8M (about 8 billion KRW) in funding
• Solution still under development (stealth mode)
Features
• Security visibility: visibility per application, asset, packet and connection
• Threat detection: analysis and detection of combined threats through real-time detection and visibility
• Attack remediation: business-process-based remediation policy
• Policy management and enforcement: control of communication between applications, workgroups and tenants
Technical overview
① Detect a malware-infected virtual machine
② Report to the SDN controller
③ Change the forwarding plane
④ Isolate the infected server
⑤ Remediate the infected server
⑥ Restore the infected server
III. Software-defined security
Catbird Networks
• Company specializing in security virtualization (founded in 2000)
• Funding: $120 million (about 1.2 trillion KRW)
• Main product: real-time virtual machine monitoring (moves, creation, deletion, metadata, etc.); an agent VM installed per hypervisor monitors the whole hypervisor; integrates with Cisco ACI, VMware NSX, OpenStack, etc.
Figure: A hypervisor hosting VM1, VM2 and VM3 behind a Virtual Switch and Firewall, with a Vulnerability Scanner and IDS. The SDS Manager, via SDS APIs: New VM Added, Interfaces Audited; Scan New VM, Audit Results/Workflows; Monitor New VM Traffic, Audit Alerts/Workflows; Firewall Updated, Rules Audited. Outcomes: VMs Fully Visible, API Integration, Automated Control Configuration, Workflow Audit, Real-Time Compliance.
Exchange rate: 1 USD = 1,012.20 KRW (trading base rate, 7 July 2014)
III. Software-defined security
• The 'heleous' product family provides, for virtualized environments, a firewall with site-to-site VPN, a load balancer, and 'ESM' (Elastic Services Manager), which supplies the SDN-controller function that manages them; processing capacity can be raised or a network insertion performed without interruption during operation. It is programmable through an API and provides redundancy.
III. Software-defined security
Figure: Security control model, compliance model and cloud model
Security control model:
Applications: binary analysis, transaction security, web application firewall, SDLC
Information: DLP, encryption, database monitoring, CMF
Management: IAM, patch management, configuration management, monitoring, VA/VM, GRC
Network: NIDS/NIPS, firewall, DPI, DDoS mitigation, QoS, DNSSEC, OAuth
Trusted Computing: hardware and software APIs & RoT
Compute & Storage: host firewall, HIDS/HIPS
Physical: CCTV, guards
Compliance model: PCI (□ firewall □ code review □ WAF □ encryption □ unique user ID □ anti-virus □ monitoring/IDS/IPS □ patch/vulnerability management □ physical access control □ two-factor authentication); HIPAA; GLBA; SOX
Cloud model (layers): facility, hardware, abstraction, integration/middleware, APIs, connectivity/delivery, applications, data/metadata/content, presentation, APIs; mapped to IaaS, PaaS and SaaS
Differences between service providers, vendors and compliance regimes (RFP / contract / certification); consulting
Virtualization Security is NOT Cloud Security!