Post on 25-May-2020
comnet.informatik.uni-wuerzburg.de
Institute of Computer Science
Chair of Communication Networks
Prof. Dr.-Ing. P. Tran-Gia
Using SDN and NFV to Realize a Scalable
and Resilient Omni-Present Firewall
Nicholas Gray
Nicholas Gray2
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
SarDiNe Research Project
Goal: Improve the security in enterprise and government
networks based on SDN/NFV
Partners
Associated Partners
sardine-project.org
Nicholas Gray3
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
Motivation
External Network Internal Network
Nicholas Gray4
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
Motivation
External Network Internal Network
Active
Standby
Nicholas Gray5
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
Motivation
External Network Internal Network
Active
Standby
Nicholas Gray6
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
Motivation
External Network Internal Network
Active
Standby
Nicholas Gray7
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
Motivation
External Network Internal Network
Active
Standby
Nicholas Gray8
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
Motivation
External Network Internal Network
Active
Standby
Nicholas Gray9
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
Motivation
External Network Internal Network
Active
Standby
Nicholas Gray10
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
Motivation
External Network Internal Network
Active
Standby
Nicholas Gray11
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
Motivation
External Network Internal Network
Expensive hot standby
Active
Standby
Nicholas Gray12
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
Motivation
External Network Internal Network
Expensive hot standby
Little internal defenses
Active
Standby
Nicholas Gray13
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
Motivation
External Network Internal Network
Expensive hot standby
Little internal defenses
Limited scalability
Active
Standby
Nicholas Gray14
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
Motivation
External Network Internal Network
Active
Standby
Nicholas Gray15
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
Motivation
External Network Internal Network
Nicholas Gray16
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
Motivation
External Network Internal Network
Nicholas Gray17
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
Motivation
External Network Internal Network
Active Active Active Active Active Active
Nicholas Gray18
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
Motivation
External Network Internal Network
Omni-present protection
Active Active Active Active Active Active
Nicholas Gray19
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
Motivation
External Network Internal Network
Omni-present protection
Scalable and resilient security solution
Active Active Active Active Active Active
Nicholas Gray20
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
Motivation
External Network Internal Network
Omni-present protection
Scalable and resilient security solution
SDN and NFV provide the necessary means
Active Active Active Active Active Active
Nicholas Gray21
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
Agenda
Motivation
Background
Software-defined Networking (SDN)
Network Function Virtualization (NFV)
Omni-present SDN Firewall
Fine-grained access control
Scalable & resilient stateful firewalling
Firewall offloading
Demo
Conclusion
Nicholas Gray22
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
BACKGROUND
Nicholas Gray23
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
Software-defined Networking (SDN)
Key principles
Separation of control and data plane
Logically centralized control plane
Open Interfaces
Programmability
Features
Protocol independence
Ability to dynamically adapt network parameters
Granularity
Elasticity
Use cases
Cloud orchestration
Network management
Network security
Data Plane
Control Plane
SouthboundAPI
Nicholas Gray24
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
SDN – Packet Handling & Table Structure
ActionRule Stats
Switch
Port
Switch
Phy Port
Meta
data
ETH
Dst
ETH
Src
ETH
Type
VLAN
VID
VLAN
PCP
IP
DSCP
IP
ECN
IP
Proto
IPv4
Src
IPv4
Dst
TCP
Src
TCP
Dst
UDP
Src
UDP
Dst
SCTP
Src
SCTP
Dst
ICMPv4
Type
ICMPv4
Code
ARP
OP
ARP
SPA
ARP
TPA
ARP
SHA
ARP
THA
…
…
Mask for
match
fields
• Forward packet to zero or more ports
• Encapsulate and forward to controller
• Send to normal processing pipeline
• Modify Fields
• Any extensions you add!
Packet + Byte
Counters
Nicholas Gray25
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
SDN – Modes of Operation
Control Plane (CP)
Data Plane (DP)
SouthboundAPI Match Action
A
CP*.*
B
Reactive
Nicholas Gray26
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
SDN – Modes of Operation
Control Plane (CP)
Data Plane (DP)
SouthboundAPI Match Action
A
CP*.*
B
Reactive
Nicholas Gray27
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
SDN – Modes of Operation
Control Plane (CP)
Data Plane (DP)
SouthboundAPI Match Action
A
CP*.*
B
Reactive
Nicholas Gray28
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
SDN – Modes of Operation
Control Plane (CP)
Data Plane (DP)
SouthboundAPI Match Action
A
CP*.*
B
Reactive
Nicholas Gray29
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
SDN – Modes of Operation
Control Plane (CP)
Data Plane (DP)
SouthboundAPI Match Action
A
CP*.*
B
Reactive
Nicholas Gray30
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
SDN – Modes of Operation
Control Plane (CP)
Data Plane (DP)
SouthboundAPI Match Action
A
CP*.*
B
B
Reactive
Nicholas Gray31
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
SDN – Modes of Operation
Control Plane (CP)
Data Plane (DP)
SouthboundAPI Match Action
A
CP*.*
B
B
Reactive
Control Plane (CP)
Data Plane (DP)
SouthboundAPI Match Action
A
CP*.*
B
Proactive
Nicholas Gray32
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
SDN – Modes of Operation
Control Plane (CP)
Data Plane (DP)
SouthboundAPI Match Action
A
CP*.*
B
B
Reactive
Control Plane (CP)
Data Plane (DP)
SouthboundAPI Match Action
A
CP*.*
B
Proactive
Nicholas Gray33
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
SDN – Modes of Operation
Control Plane (CP)
Data Plane (DP)
SouthboundAPI Match Action
A
CP*.*
B
B
Reactive
Control Plane (CP)
Data Plane (DP)
SouthboundAPI Match Action
A
CP*.*
B
B
Proactive
Nicholas Gray34
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
SDN – Modes of Operation
Control Plane (CP)
Data Plane (DP)
SouthboundAPI Match Action
A
CP*.*
B
B
Reactive
Control Plane (CP)
Data Plane (DP)
SouthboundAPI Match Action
A
CP*.*
B
B
Proactive
Nicholas Gray35
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
SDN – Modes of Operation
Control Plane (CP)
Data Plane (DP)
SouthboundAPI Match Action
A
CP*.*
B
B
Reactive
Control Plane (CP)
Data Plane (DP)
SouthboundAPI Match Action
A
CP*.*
B
B
Proactive
Nicholas Gray36
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
Network Function Virtualization (NFV)
Firewalls
Load Balancers
Traffic Shapers
Network Monitoring
Legacy networks are full of middle boxes
Specialized hardware
Deployed in the data path
Limited scalability
Network Function Virtualization
Virtual applications
Executed on COTS servers
Cloud-ready
Nicholas Gray37
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
OMNI-PRESENT SDN
FIREWALL
Nicholas Gray38
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
Fine-granular Access Control
On-demand personalized virtual network
BYOD scenario
Strict flow isolation
Minimized attack surface
Technical implementation
2FA Authentication
No MDM required
Nicholas Gray39
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
Scalable & Resilient Stateful Firewalling
NFV-based stateful firewall
Run as software in the cloud
Dynamic n+1 protection
Technical implementation
SDN switch as load balancer
State decoupled from workersSDN Controller
Private Cloud
FW-VNF
Sh
are
d S
tate
FW-VNF
FW-VNF
FW-VNF
OpenFlow
SDN Switch
Configuration & Health Checks
Nicholas Gray40
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
Firewall Offloading
Dynamic firewall offloading
Offload trusted flows to relief VNFs
No noticeable service degradation
Technical implementation
Optimizer selects flows with a
high performance impact
Switches act as stateless
packet filters
Performed in the fast path
at line rate
Nicholas Gray41
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
Internal Network
Omni-present SDN Firewall
SDN
Controller
Network
Management
System
Cloud
Management
System
FW VNF
Private Cloud
Services
AAA
SDN Switch SDN Switch
Nicholas Gray42
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
Internal Network
Omni-present SDN Firewall
SDN
Controller
Network
Management
System
Cloud
Management
System
FW VNF
Private Cloud
Services
AAA
SDN Switch SDN Switch
Nicholas Gray43
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
Internal Network
Omni-present SDN Firewall
SDN
Controller
Network
Management
System
Cloud
Management
System
FW VNF
Private Cloud
Available Services
Services
AAA
SDN Switch SDN Switch
Nicholas Gray44
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
Internal Network
Omni-present SDN Firewall
SDN
Controller
Network
Management
System
Cloud
Management
System
FW VNF
Private Cloud
Available Services
Services
AAA
SDN Switch SDN Switch
Nicholas Gray45
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
Internal Network
Omni-present SDN Firewall
SDN
Controller
Network
Management
System
Cloud
Management
System
FW VNF
Private Cloud
FW VNF
…
Sh
are
d S
tate
Available Services
Services
AAA
SDN Switch SDN Switch
Nicholas Gray46
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
Internal Network
Omni-present SDN Firewall
SDN
Controller
Network
Management
System
Cloud
Management
System
FW VNF
Private Cloud
FW VNF
…
Sh
are
d S
tate
Available Services
Services
AAA
SDN Switch SDN Switch
Nicholas Gray47
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
Demo Setup
https://www.youtube.com/watch?v=e_CmcGPXJGY
Nicholas Gray48
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
Network Services
Access Control
SDN Controller
Fine-granular Access Control
Nicholas Gray49
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
Virtual Network
Functions
NFV Monitoring
Nicholas Gray50
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
Firewall VNF
Resiliency
Fast Failover
Nicholas Gray51
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
Firewall VNF
Offloading
Offloading of Trusted Flows
Nicholas Gray52
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
CONCLUSION
Nicholas Gray53
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
Conclusion
Nicholas Gray54
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
Conclusion
Advanced DDoS Mitigation
Fine-granular Flow Control
Scalable Security Solutions
Reduced Management Efforts
Nicholas Gray55
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
Conclusion
Complex Architecture
Fast development rates
New Technology
Large Software Projects
Advanced DDoS Mitigation
Fine-granular Flow Control
Scalable Security Solutions
Reduced Management Efforts
Nicholas Gray56
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
Conclusion
Both sides of the scale need to be addressed
Complex Architecture
Fast development rates
New Technology
Large Software Projects
Advanced DDoS Mitigation
Fine-granular Flow Control
Scalable Security Solutions
Reduced Management Efforts
Nicholas Gray57
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
Conclusion
Both sides of the scale need to be addressed
In our opinion the benefits will outweigh the challenges
Tight integration of quality assurance in the deployment stage
Adaptation of software testing methods to the networking domain
Complex Architecture
Fast development rates
New Technology
Large Software Projects
Advanced DDoS Mitigation
Fine-granular Flow Control
Scalable Security Solutions
Reduced Management Efforts
Nicholas Gray58
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall
Sources
Michael Jarschel, Thomas Zinner, Tobias Hoßfeld, Phuoc Tran-Gia, Wolfgang Kellerer,
Interfaces, Attributes, and Use Cases: A Compass for SDN,
IEEE Communications Magazine, 52, 2014
Gebert, S., Zinner, T., Gray, N., Durner, R., Lorenz, C., Lange, S.,
Demonstrating a Personalized Secure-By-Default Bring Your Own Device Solution
Based on Software Defined Networking,
International Teletraffic Congress (ITC 28), 2016
Lorenz, C., Hock, D., Scherer, J., Durner, R., Kellerer, W., Gebert, S., Gray, N., Zinner, T.,
Tran-Gia, P.,
An SDN/NFV-enabled Enterprise Network Architecture Offering Fine-Grained Security
Policy Enforcement,
IEEE Communications Magazine. 55, 217 - 223 (2017)
Gray, N., Lorenz, C., Müssig, A., Gebert, S., Zinner, T., Tran-Gia, P.,
A Priori State Synchronization for Fast Failover of Stateful Firewall VNFs,
Workshop on Software-Defined Networking and Network Function Virtualization for Flexible
Network Management, SDNFlex 2017
Pfaff B., Scherer J., Hock D., Gray N., Zinner T., Tran-Gia P., Durner R., Kellerer R., Lorenz C.,
SDN/NFV-enabled Security Architecture for Fine-grained Policy Enforcement and Threat
Mitigation for Enterprise,
ACM SIGCOMM Computer Communication Review, 2017