Hh 2012-mberman-sds2

Post on 14-Apr-2017


Unravel the Enigma of Insecurity

Security and Software-Defined Networks

Michael Berman, CISSP, NSA-IAM

• Husband, Dad, Hacker.
• Linux Kernel Engineer, Security Virtualization SME
• Most recently, CTO for Catbird Networks, Inc.
• As a humanitarian, I provide sarcasm as a free service to the needy.
• I also ski, play soccer, and free climb.

Executive Summary

• Mobility and virtualization are accelerating the transition to cloud computing

• Data center components will have to be software-defined to meet requirements for capacity, resilience, and security

• Software-defined security is the most effective way to protect the cloud data center

Main Components of an OpenFlow Switch

(Diagram: a Controller in the Management and Orchestration layer drives an OpenFlow Device (HW or SW) over the Secure Channel using the OpenFlow Protocol. Inside the device, the Packet Pipeline carries packets from the inbound side through a chain of Flow Tables and a Group Table to the outbound side.)
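To make the diagram concrete, here is a toy model of that pipeline in Python. It is an added example, not code from the talk or from any OpenFlow implementation: `FlowEntry`, `OpenFlowDevice`, `Controller` and the configuration in `build_demo()` are this example's own names, a packet is just a dict of header fields, and the "secure channel" is a plain method call standing in for the TLS connection. It shows priority matching inside a table, goto between tables, an ALL group, and the table-miss that sends a packet-in to the controller, which then installs a flow so later packets of that flow stay in the data plane.

```python
"""Toy model of the OpenFlow switch on the slide: a packet pipeline of flow
tables, a group table, and a controller reached over the secure channel.
Added example, not code from the talk; every name here is the example's own."""
import ipaddress
from dataclasses import dataclass, field

# A packet is just its header fields, e.g.
# {"in_port": 1, "eth_type": 0x0800, "ip_src": "10.0.1.7", "ip_dst": "10.0.0.5"}
Packet = dict


@dataclass(order=True)
class FlowEntry:
    priority: int                          # only the priority takes part in ordering
    match: dict = field(compare=False)     # every listed field must equal the packet's
    actions: list = field(compare=False)   # ("goto", t) | ("output", port) | ("group", id) | ("drop",)

    def matches(self, pkt: Packet) -> bool:
        return all(pkt.get(k) == v for k, v in self.match.items())


class OpenFlowDevice:
    """The data layer: flow tables, a group table, and a pipeline that walks them."""

    def __init__(self, n_tables: int = 2):
        self.tables = [[] for _ in range(n_tables)]   # flow tables 0..n-1
        self.groups = {}                               # group id -> list of buckets (type ALL)
        self.controller = None                         # attached over the secure channel

    def add_flow(self, table: int, entry: FlowEntry) -> None:
        self.tables[table].append(entry)
        self.tables[table].sort(reverse=True)          # highest priority is consulted first

    def lookup(self, table: int, pkt: Packet):
        return next((e for e in self.tables[table] if e.matches(pkt)), None)

    def process(self, pkt: Packet) -> list:
        """Run pkt through the pipeline from table 0; return output ports ([] means dropped)."""
        table, outputs = 0, []
        while True:
            entry = self.lookup(table, pkt)
            if entry is None:                          # table-miss: packet-in to the controller
                return self.controller.packet_in(self, table, pkt) if self.controller else []
            next_table = None
            for act in entry.actions:
                if act[0] == "drop":
                    return []
                elif act[0] == "output":
                    outputs.append(act[1])
                elif act[0] == "group":                # ALL group: every bucket's outputs apply
                    for bucket in self.groups[act[1]]:
                        outputs += [a[1] for a in bucket if a[0] == "output"]
                elif act[0] == "goto":
                    next_table = act[1]
            if next_table is None:
                return outputs
            table = next_table


class Controller:
    """Management layer: decides what a new flow may do and installs that decision."""

    def __init__(self, allowed_sources: str):
        self.allowed = ipaddress.ip_network(allowed_sources)
        self.packet_ins = 0                            # how often the data plane had to ask

    def connect(self, device: OpenFlowDevice) -> None:
        device.controller = self                       # stands in for the TLS secure channel

    def packet_in(self, device: OpenFlowDevice, table: int, pkt: Packet) -> list:
        self.packet_ins += 1
        src = ipaddress.ip_address(pkt.get("ip_src", "0.0.0.0"))
        actions = [("output", 2)] if src in self.allowed else [("drop",)]
        # Reactive install: cache the decision so later packets of this flow never leave the data plane.
        match = {k: pkt[k] for k in ("ip_src", "ip_dst") if k in pkt}
        device.add_flow(table, FlowEntry(100, match, actions))
        return device.process(pkt)


def build_demo() -> OpenFlowDevice:
    """Constructed configuration: table 0 classifies, table 1 forwards, group 1 floods ports 3 and 4."""
    dev = OpenFlowDevice()
    Controller("10.0.1.0/24").connect(dev)
    dev.add_flow(0, FlowEntry(200, {"in_port": 1, "eth_type": 0x0800}, [("goto", 1)]))
    dev.add_flow(0, FlowEntry(10, {"in_port": 1}, [("drop",)]))          # non-IP from port 1 is dropped
    dev.add_flow(1, FlowEntry(50, {"ip_dst": "10.0.0.5"}, [("output", 2)]))
    dev.groups[1] = [[("output", 3)], [("output", 4)]]
    dev.add_flow(1, FlowEntry(50, {"ip_dst": "224.0.0.1"}, [("group", 1)]))
    return dev


if __name__ == "__main__":
    dev = build_demo()
    ipv4 = {"in_port": 1, "eth_type": 0x0800}
    print(dev.process({**ipv4, "ip_src": "10.0.1.7", "ip_dst": "10.0.0.5"}))    # [2]: hit in table 1
    print(dev.process({**ipv4, "ip_src": "10.0.1.7", "ip_dst": "224.0.0.1"}))   # [3, 4]: group ALL
    print(dev.process({**ipv4, "ip_src": "10.0.1.7", "ip_dst": "10.0.0.9"}))    # [2]: miss, controller allows
    print(dev.process({**ipv4, "ip_src": "192.0.2.1", "ip_dst": "10.0.0.9"}))   # []: miss, controller denies
    print(dev.controller.packet_ins)                                            # 2
```

The third packet is the interesting one: its first copy is a table-miss and reaches the controller, its second is handled entirely by the entry the controller installed. That reactive install is also why the secure channel and the controller's authorization logic matter: whoever can speak OpenFlow to the device decides what the flow tables contain.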

Software-defined Networking (SDN)

(Diagram: the Management and Orchestration Layer (controller) is decoupled from the Data Layers (devices); the devices may be HW or SW, that is, hardware entities or software entities.)

Automation APIs

Northbound (controller->user)
• ORCHESTRATION
• Administration UI
• Horizontal integration with other element managers
• Defines network parameters and membership
• Provides higher-level object management

Southbound (controller->device)
• SCALING
• Packet forwarding
• Programmable per flow
• Maps policies to entities
• Implements logical policies
• Enumerates groups into constituents

Value

Not SDN (often proprietary)
• set vtp domain cisco mode server
• set vlan 2 name cisco_vlan_2
• set vlan 2 3/1-12
• …
• Device-based
• Special purpose hardware
• Unique to vendor

SDN (open system)
• Hr_sharepoint allow hr_users
• Pepsi deny Coke
• US_agency deny China except public_web_tier
• …
• Server-based
• General purpose CPU
• Multi-vendor
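The right-hand column names identities and groups, not ports and VLANs. As an added example (not code from the talk or from any Catbird product), the Python below compiles those three statements into concrete per-address rules by enumerating each group into its members, which is the "enumerates groups into constituents" and "maps policies to entities" work the Automation APIs slide assigns to the southbound side, and then shows that moving a workload to a new address changes the compiled rules but not the policy text. The inventory, the policy grammar (`<dst_group> allow|deny <src_group> [except <dst_subgroup>]`), the default-deny, and the reading that `except` carves out destination members of the named group are this example's assumptions.

```python
"""Added example (not from the talk): compile identity-based policies like the
ones in the SDN column into per-address rules by enumerating groups into their
members. Inventory, grammar and rule format are this example's assumptions."""
from dataclasses import dataclass

# Constructed inventory: what each workload *is* (its groups) and where it happens to be right now.
INVENTORY = {
    "hr-sp-01":    {"groups": {"Hr_sharepoint"},                "ip": "10.1.0.10"},
    "hr-laptop-7": {"groups": {"hr_users"},                     "ip": "10.9.3.7"},
    "pepsi-erp":   {"groups": {"Pepsi"},                        "ip": "10.2.0.5"},
    "coke-crm":    {"groups": {"Coke"},                         "ip": "10.3.0.5"},
    "agency-db":   {"groups": {"US_agency"},                    "ip": "10.4.0.20"},
    "agency-www":  {"groups": {"US_agency", "public_web_tier"}, "ip": "10.4.1.80"},
    "cn-client":   {"groups": {"China"},                        "ip": "203.0.113.9"},
}

# The three statements from the slide, verbatim.
POLICIES = [
    "Hr_sharepoint allow hr_users",
    "Pepsi deny Coke",
    "US_agency deny China except public_web_tier",
]


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    action: str      # "allow" or "deny"
    priority: int    # higher wins; an exception outranks the rule it is carved out of


def members(inventory: dict, group: str) -> list:
    """Enumerate a group into its constituent addresses (the southbound 'groups -> entities' step)."""
    return sorted(a["ip"] for a in inventory.values() if group in a["groups"])


def parse(policy: str) -> tuple:
    """Grammar assumed here: '<dst_group> allow|deny <src_group> [except <dst_subgroup>]'."""
    w = policy.split()
    if len(w) not in (3, 5) or w[1] not in ("allow", "deny") or (len(w) == 5 and w[3] != "except"):
        raise ValueError(f"unparseable policy: {policy!r}")
    return w[0], w[1], w[2], (w[4] if len(w) == 5 else None)


def compile_policies(inventory: dict, policies: list) -> set:
    """Expand every policy into concrete (src_ip, dst_ip, action) rules for the current inventory."""
    rules = set()
    for p in policies:
        dst, action, src, exc = parse(p)
        opposite = "deny" if action == "allow" else "allow"
        targets = members(inventory, dst)
        carve_out = set(targets) & set(members(inventory, exc)) if exc else set()
        for s in members(inventory, src):
            for d in targets:
                rules.add(Rule(s, d, action, 10))
            for d in carve_out:                       # only dst members that are also in the except group
                rules.add(Rule(s, d, opposite, 20))
    return rules


def decide(rules: set, src_ip: str, dst_ip: str) -> str:
    """Highest-priority matching rule wins; a connection no policy mentions is denied by default."""
    hits = [r for r in rules if r.src == src_ip and r.dst == dst_ip]
    return max(hits, key=lambda r: r.priority).action if hits else "deny"


def move(inventory: dict, asset: str, new_ip: str) -> dict:
    """A migration or re-IP: identity and groups unchanged, only the address moves."""
    inv = {name: dict(attrs) for name, attrs in inventory.items()}
    inv[asset]["ip"] = new_ip
    return inv


if __name__ == "__main__":
    rules = compile_policies(INVENTORY, POLICIES)
    for r in sorted(rules, key=lambda r: (-r.priority, r.src, r.dst)):
        print(f"{r.priority:>3} {r.action:<5} {r.src} -> {r.dst}")
    print(decide(rules, "203.0.113.9", "10.4.1.80"))          # allow: the public_web_tier carve-out
    # SharePoint moves; the policy text is untouched, the compiled rules follow the workload.
    moved = compile_policies(move(INVENTORY, "hr-sp-01", "10.7.7.7"), POLICIES)
    print(decide(moved, "10.9.3.7", "10.7.7.7"), decide(moved, "10.9.3.7", "10.1.0.10"))  # allow deny
```

Compare this with the VLAN commands in the left column: those bind the policy to a switch and a port range, so a workload that moves has to be re-plumbed by hand and the old rule silently stops applying to it. Here the 10.1.0.10 rule disappears on recompile and a 10.7.7.7 rule appears. The flip side is that whatever feeds the inventory is now part of the enforcement path and needs the same access control and auditing as the policy itself.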

Data Center Implications of SDN

• Supports rapid scaling
• Improved automation
• Service capacity shifts automatically where needed
• Better user experience
• Commoditization of networking

(image: thinkgeek)

Security … It’s Your Choice

Fail / Evolve

Securing Software-defined Networking

(Diagram: the SDN layer picture again, the Management and Orchestration Layer above Data Layers of hardware entities and software entities, annotated with the three controls below.)

• Logical isolation with policy-driven automation
• Audit, manage, and control privileged activities
• Enforce secure configuration and auditing

Infrastructure is Evolving

• Software driving cloud innovation
• Use of more than one platform or cloud is practically inevitable
• Mobile (e.g., smartphones and tablets) adoption increasing exponentially

Security technology must evolve

Key Properties of Security Virtualization

• Decoupled from hardware
• Faithful reproduction of the physical network security model in the virtual space, including security for both physical and virtual workloads
• Follow the operational model of compute virtualization
• Compatible with any hypervisor platform
• Logical isolation, audit, and security for workloads and control plane elements
• Cloud performance and scale
• Open API for provisioning and control

Software-defined Security (SDS)

(Diagram: the same decoupled structure as SDN: a Management and Orchestration Layer (controller) over Data Layers (devices) made up of hardware entities and software entities, HW or SW.)

Implications

Need to Know
• Users
• Software
• Assets
• Connections
• Policies

Don’t Need to Know
• Vendor
• IP address
• Location
• Virtual, physical, mobile
• Wire speed

Risk Analysis

Exposure Increased
• Automation failure
• API failure
• Control failure
• Software failure
• Human failure
Small increase in risk

Exposure Decreased
• Hardware failure
• Capacity failure
• Availability failure
• Security failure
• Human failure
Large decrease in risk

Top-5 Controls

1. Inventory of SDN elements (e.g., controllers, devices, privileged users)
2. Isolation and access control for Northbound and Southbound APIs (e.g., orchestration, administration, and configuration)
3. Auditing and change management
4. Secure configuration management
5. Continuous vulnerability management and remediation

SDS Systems are Evolving

Software-defined Security Examples

• Firewall – Virtual firewalls are not a “bump in the wire”; they are a module inserted into the stream-path of a vNIC.
• NAC – Network access control is not enforced within the access layer; it is enforced in the management layer.
• Configuration – Instead of requiring an agent or a network scan, secure configurations may be checked out of band, even when the asset is powered off.

Advantages of Security Virtualization

• Perfect inventory
• Everywhere it is needed
• Lower cost
• More automated
• Simpler
• Faster evolution

(image: Cylon Hybrid, the central control for a Cylon Basestar)

IT Business Process Re-engineering

The organization and process must adapt to increased automation and orchestration. Cross-functional teams of subject matter experts will best enable IT to rapidly deliver secure and elastic services on-demand. Leading IT teams are already shifting from DevOps to DevSecOps.

RACI for Software-Defined Security

• Responsible: Firewall or Network Security personnel
  – Define policies
  – Implement automation
• Accountable: CIO or CISO
  – Approve policies
  – Review metrics (e.g., compliance and performance)
• Consulted: Infrastructure and Application Architects
  – Provide requirements
  – Validate implementation
• Informed: IT Audit personnel
  – Audit automation behavior
  – Audit policy compliance

In closing

• Security virtualization will drastically improve the protection of sensitive data while at the same time simplifying the application of these protective capabilities.

• The most effective use of security virtualization will require changes to IT staffing, processes, and procedures.

• Security virtualization is disruptive to the way security “has always done it.”

Michael Berman

Email: xtanjx at “gee mail” dot com

LinkedIn: mberman

Twitter: @_mberman

Blog: Grok Security

Thank you

Supplemental Material

©2009-2012 *MitchellLazear

Decoupled from Hardware

• Simplifies data center resiliency and failover
• Reduces upgrade costs
• Enables "designed-in" security across the data center fabric
• Scaling enhanced due to elimination of architectural constraints
• Hardware refresh cycle and technology advance is accelerated due to the shortened engineering cycle
• CPU resource pool remains uniform

Reproduce Network Security Model

• Defense in depth
• Segmentation of data
• Access control
• Separation of duties

1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
(source: SANS Critical Security Controls, the first five controls)

Operational Model of Compute Virtualization

• Enable scaling, elasticity, mobility, and seamless disaster recovery

• Conversion of security tools into software objects and the creation of new tools and capabilities for deployment, automation, and recovery of security capabilities

• Auto-deployment, automation, and orchestration of security tools

• The cloud compute model impacts the culture of security within IT, requiring the transition of security professionals into new operational roles that are more flexible and more broadly defined.

Compatible with any Hypervisor

• Security virtualization must be platform independent and capable of protecting workloads in any data center. While it's not clear how many platforms will be in common use, I assert that there will be at least four:
  1. VMware
  2. RHEV (KVM)
  3. Hyper-V
  4. Mobile (ultimately there will be more than one here)
• Therefore, as workloads are established on multiple platforms in multiple locations by any given entity, security virtualization must support a single security policy model across these platforms.

Logical isolation, audit, and security

• Logical isolation, rather than some form of physical segmentation, enables diverse workloads of differing sensitivity to run anywhere.

• Mixed workloads will then run most efficiently when allowed to be run within common resource pools for CPU, Memory, Storage, and Networking.

• Security virtualization must also audit and protect the management objects, tools, and APIs that are utilized to provision, modify, or delete workloads, objects, and resources.

• Logical isolation enables multi-compartment zoning of workloads with the requisite capabilities for cross-domain security in both private or public clouds.

• Policies are not required to identify layer 3 or 4 attributes. Security virtualization enforces policies within each specific trust zone, even when this zone spans multiple data centers.

Cloud performance and scale

• Large-scale compute clouds are composed of thousands to millions of entities.
• Security virtualization must enable resilient and protected operations at this scale.
• This requires new security management architectures, analytics, and closed-loop controls that operate across millions of protected objects in multiple locations.
• Additionally, cloud performance is not just IOPS or CPU cycles; it is also the capability to elastically provision, modify, and decommission security entities on demand.

Open API

• Security virtualization must be integrated with provisioning, management, and operations of the data center.

• These APIs will fit into the management stacks developed for each hypervisor platform.

• Vendors must be able to interoperate with a common protocol (e.g., SCAP)

• Products must support orchestration by 3rd party management, workflow, and incident management systems.