Hh 2012-mberman-sds2
Slide 1
Unravel the Enigma of Insecurity
Security and Software-Defined Networks
Slide 2
Michael Berman, CISSP, NSA-IAM
• Husband, Dad, Hacker.
• Linux Kernel Engineer, Security Virtualization SME
• Most recently, CTO for Catbird Networks, Inc.
• As a humanitarian, I provide sarcasm as a free service to the needy.
• I also ski, play soccer, and free climb.
Slide 3
Executive Summary
• Mobility and virtualization are accelerating the transition to cloud computing
• Data center components will have to be software-defined to meet requirements for capacity, resilience, and security
• Software-defined security is the most effective way to protect the cloud data center
Slide 4
Main Components of an OpenFlow Switch
(Figure: a Controller talks to an OpenFlow Device (HW or SW) over the OpenFlow Protocol through a Secure Channel; inside the device, the Packet Pipeline passes inbound packets through one or more Flow Tables and a Group Table to the outbound side. The diagram also labels Management and Orchestration.)
Slide 5
Software-defined Networking (SDN)
(Figure: the Management and Orchestration Layer (controller) is decoupled from the Data Layers (device); the diagram marks elements as HW or SW and groups them into Hardware Entities and Software Entities.)
Slide 6
Automation APIs
Northbound (controller->user)
• ORCHESTRATION
• Administration UI
• Horizontal integration with other element managers
• Defines network parameters and membership
• Provides higher-level object management
Southbound (controller->device)
• SCALING
• Packet forwarding
• Programmable per flow
• Maps policies to entities
• Implements logical policies
• Enumerates groups into constituents
Slide 7
Value
Not SDN (often proprietary)
• set vtp domain cisco mode server
• set vlan 2 name cisco_vlan_2
• set vlan 2 3/1-12
• …
• Device-based
• Special purpose hardware
• Unique to vendor
SDN (open system)
• Hr_sharepoint allow hr_users
• Pepsi deny Coke
• US_agency deny China except public_web_tier
• …
• Server-based
• General purpose CPU
• Multi-vendor
Slide 8
Data Center Implications of SDN
• Supports rapid scaling
• Improved automation
• Service capacity shifts automatically where needed
• Better user experience
• Commoditization of networking
(image: thinkgeek)
Slide 9
Security … It’s Your Choice
Fail Evolve
Slide 10
Securing Software-defined Networking
(Figure: the Management and Orchestration Layer over the Data Layers of Hardware Entities and Software Entities, annotated with:)
• Logical isolation with policy-driven automation
• Audit, manage, and control privileged activities
• Enforce secure configuration and auditing
Slide 11
Infrastructure is Evolving
• Software driving cloud innovation
• Use of more than one platform or cloud is practically inevitable
• Mobile (e.g., smartphones and tablets) adoption increasing exponentially
Security technology must evolve
Slide 12
Key Properties of Security Virtualization
• Decoupled from hardware
• Faithful reproduction of the physical network security model in the virtual space, including security for both physical and virtual workloads
• Follow the operational model of compute virtualization
• Compatible with any hypervisor platform
• Logical isolation, audit, and security for workloads and control plane elements
• Cloud performance and scale
• Open API for provisioning and control
Slide 13
Software-defined Security (SDS)
(Figure: the same layering as slide 5: a Management and Orchestration Layer (controller) decoupled from the Data Layers (device), marked HW or SW and grouped into Hardware Entities and Software Entities.)
Slide 14
Implications
Need to Know
• Users
• Software
• Assets
• Connections
• Policies
Don’t Need to Know
• Vendor
• IP address
• Location
• Virtual, physical, mobile
• Wire speed
Slide 15
Risk Analysis
Exposure Increased (small increase in risk)
• Automation failure
• API failure
• Control failure
• Software failure
• Human failure
Exposure Decreased (large decrease in risk)
• Hardware failure
• Capacity failure
• Availability failure
• Security failure
• Human failure
Slide 16
Top-5 Controls
1. Inventory of SDN elements (e.g., controllers, devices, privileged users)
2. Isolation and access control for Northbound and Southbound APIs (e.g., orchestration, administration, and configuration)
3. Auditing and change management
4. Secure configuration management
5. Continuous vulnerability management and remediation
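The logical rules on the Value slide (slide 7), the southbound API's job of mapping policies to entities and enumerating groups into constituents (slide 6), the "need to know / don't need to know" split (slide 14) and the change-management control above can be tied together in one small model. What follows is an added example and is not code from the presentation or from Catbird Networks; the rule grammar, the meaning of "except", the inventory, and the workload identifiers are all assumptions made for this example.

```python
"""Toy software-defined security policy model (added example, not code
from the presentation or from any product).  Policy names logical groups
and workloads, never IP addresses or locations; the inventory decides
which constituents a rule covers right now, and the 'compiler' does the
southbound job of enumerating groups into constituents.

Assumed grammar (an assumption for this example, not a documented format):
    <resource_group> allow|deny <peer_group> [except <resource_subgroup>]
read as: traffic initiated by members of peer_group towards members of
resource_group gets <action>; the excepted subgroup of the resource gets the
opposite action.  First matching rule wins; unmatched flows are denied.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

Flows = Dict[Tuple[str, str], str]   # (peer_id, resource_id) -> "allow"/"deny"

# Constructed inventory: group name -> workload identifiers (think vNIC
# handles).  Deliberately free of addresses, vendors or locations.
INVENTORY: Dict[str, Set[str]] = {
    "hr_users": {"vm-hr-01", "vm-hr-02"},
    "Hr_sharepoint": {"vm-sp-01"},
    "Pepsi": {"vm-pepsi-01"},
    "Coke": {"vm-coke-01"},
    "US_agency": {"vm-agency-db-01", "vm-agency-web-01"},
    "public_web_tier": {"vm-agency-web-01"},   # subset of US_agency
    "China": {"vm-cn-01"},
}

# The three example rules from the Value slide, verbatim.
POLICY: List[str] = [
    "Hr_sharepoint allow hr_users",
    "Pepsi deny Coke",
    "US_agency deny China except public_web_tier",
]


@dataclass(frozen=True)
class Rule:
    resource: str
    action: str
    peer: str
    exception: str = ""


def parse_rule(text: str) -> Rule:
    """Parse one rule line; anything outside the assumed grammar is rejected."""
    tokens = text.split()
    if len(tokens) not in (3, 5) or tokens[1] not in ("allow", "deny"):
        raise ValueError(f"malformed rule: {text!r}")
    if len(tokens) == 5 and tokens[3] != "except":
        raise ValueError(f"malformed rule: {text!r}")
    exception = tokens[4] if len(tokens) == 5 else ""
    return Rule(tokens[0], tokens[1], tokens[2], exception)


def members(group: str, inventory: Dict[str, Set[str]]) -> Set[str]:
    """Resolve a group to its current constituents.  An unknown group is an
    inventory error (control 1), not a silently empty set."""
    if group not in inventory:
        raise KeyError(f"group not in inventory: {group}")
    return set(inventory[group])


def compile_policy(rules: Iterable[str], inventory: Dict[str, Set[str]]) -> Flows:
    """Enumerate groups into constituents and emit a per-flow decision table."""
    opposite = {"allow": "deny", "deny": "allow"}
    flows: Flows = {}
    for text in rules:
        rule = parse_rule(text)
        resources = members(rule.resource, inventory)
        carve_out = members(rule.exception, inventory) if rule.exception else set()
        for peer in members(rule.peer, inventory):
            for res in resources:
                action = opposite[rule.action] if res in carve_out else rule.action
                flows.setdefault((peer, res), action)   # first match wins
    return flows


def decide(flows: Flows, peer_id: str, resource_id: str) -> str:
    """Per-flow lookup as an enforcement point would do it; default deny."""
    return flows.get((peer_id, resource_id), "deny")


def review_change(old_rules: Iterable[str], new_rules: Iterable[str],
                  inventory: Dict[str, Set[str]]) -> Tuple[List, List]:
    """Change management (control 3): list the flows a policy edit newly
    allows or newly denies, so the edit can be reviewed before it is pushed."""
    old = compile_policy(old_rules, inventory)
    new = compile_policy(new_rules, inventory)
    pairs = set(old) | set(new)
    newly_allowed = sorted(p for p in pairs
                           if old.get(p, "deny") == "deny" and new.get(p, "deny") == "allow")
    newly_denied = sorted(p for p in pairs
                          if old.get(p, "deny") == "allow" and new.get(p, "deny") == "deny")
    return newly_allowed, newly_denied


if __name__ == "__main__":
    flows = compile_policy(POLICY, INVENTORY)
    for peer, res in [("vm-hr-01", "vm-sp-01"), ("vm-coke-01", "vm-pepsi-01"),
                      ("vm-cn-01", "vm-agency-db-01"), ("vm-cn-01", "vm-agency-web-01")]:
        print(f"{peer} -> {res}: {decide(flows, peer, res)}")
    # A new HR workload appears: the inventory changes, the policy text does not.
    grown = {**INVENTORY, "hr_users": INVENTORY["hr_users"] | {"vm-hr-03"}}
    print("vm-hr-03 -> vm-sp-01:", decide(compile_policy(POLICY, grown), "vm-hr-03", "vm-sp-01"))
    print(review_change(POLICY, POLICY + ["Hr_sharepoint allow Pepsi"], INVENTORY))
```

The point the model makes is the one on slide 14: the policy author needs to know users, assets, connections and policies, and nothing about addresses or placement. Adding vm-hr-03 to the inventory changes enforcement without a policy edit, while review_change shows exactly which constituent flows a proposed policy edit would open, which is what an auditor reviewing automation behaviour wants to see.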
Slide 17
SDS Systems are Evolving
Slide 18
Software-defined Security Examples
• Firewall
– Virtual firewalls are not a “bump in the wire”; they are a module inserted into the stream-path of a vNIC.
• NAC
– Network access control is not enforced within the access layer; it is enforced in the management layer.
• Configuration
– Instead of requiring an agent or network scan, secure configurations may be checked out of band, even when the asset is powered off.
Slide 19
Advantages of Security Virtualization
• Perfect inventory
• Everywhere it is needed
• Lower cost
• More automated
• Simpler
• Faster evolution
(image: Cylon Hybrid, the central control for a Cylon Basestar)
Slide 20
IT Business Process Re-engineering
The organization and process must adapt to increased automation and orchestration. Cross-functional teams of subject matter experts will best enable IT to rapidly deliver secure and elastic services on-demand. Leading IT teams are already shifting from DevOps to DevSecOps.
Slide 21
RACI for Software-Defined Security
• Responsible: Firewall or Network Security personnel
– Define policies
– Implement automation
• Accountable: CIO or CISO
– Approve policies
– Review metrics (e.g., compliance and performance)
• Consulted: Infrastructure and Application Architects
– Provide requirements
– Validate implementation
• Informed: IT Audit personnel
– Audit automation behavior
– Audit policy compliance
Slide 22
In closing
• Security virtualization will drastically improve the protection of sensitive data while at the same time simplifying the application of these protective capabilities.
• The most effective use of security virtualization will require changes to IT staffing, processes, and procedures.
• Security virtualization is disruptive to the way security “has always been doing it.”
Slide 23
Michael Berman
Email: xtanjx at “gee mail” dot com
LinkedIn: mberman
Twitter: @_mberman
Blog: Grok Security
Thank you
Slide 24
Supplemental Material
©2009-2012 *MitchellLazear
Slide 25
Decoupled from Hardware
• Simplifies data center resiliency and failover
• Reduces upgrade costs
• Enables "designed-in" security across data center fabric
• Scaling enhanced due to elimination of architectural constraints
• Hardware refresh cycle and technology advance is accelerated due to shortened engineering cycle
• CPU resource pool remains uniform
Slide 26
Reproduce Network Security Model
• Defense in depth
• Segmentation of data
• Access control
• Separation of duties
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
(source: SANS)
Slide 27
Operational Model of Compute Virtualization
• Enable scaling, elasticity, mobility, and seamless disaster recovery
• Conversion of security tools into software objects and the creation of new tools and capabilities for deployment, automation, and recovery of security capabilities
• Auto-deployment, automation, and orchestration of security tools
• The cloud compute model impacts the culture of security within IT, requiring the transition of security professionals into new operational roles that are more flexible and more broadly defined.
Slide 28
Compatible with any Hypervisor
• Security virtualization must be platform independent and capable of protecting workloads in any data center. While it's not clear how many platforms will be in common use, I assert that there will be at least four:
1. VMware
2. RHEV (KVM)
3. HyperV
4. Mobile (ultimately there will be more than one here)
• Therefore, as workloads are established on multiple platforms in multiple locations by any given entity, security virtualization must support a single security policy model across these platforms.
Slide 29
Logical isolation, audit, and security
• Logical isolation, rather than some form of physical segmentation, enables diverse workloads of differing sensitivity to run anywhere.
• Mixed workloads will then run most efficiently when allowed to be run within common resource pools for CPU, Memory, Storage, and Networking.
• Security virtualization must also audit and protect the management objects, tools, and APIs that are utilized to provision, modify, or delete workloads, objects, and resources.
• Logical isolation enables multi-compartment zoning of workloads with the requisite capabilities for cross-domain security in both private and public clouds.
• Policies are not required to identify layer 3 or 4 attributes. Security virtualization enforces policies within each specific trust zone, even when this zone spans multiple data centers.
Slide 30
Cloud performance and scale
• Large-scale compute clouds are composed of thousands to millions of entities.
• Security virtualization must enable resilient and protected operations at this scale.
• This requires new security management architectures, analytics, and closed-loop controls that operate across millions of protected objects in multiple locations.
• Additionally, cloud performance is not just IOPS or CPU cycles; it is also the capability to elastically provision, modify, and decommission security entities on demand.
Slide 31
Open API
• Security virtualization must be integrated with provisioning, management, and operations of the data center.
• These APIs will fit into the management stacks developed for each hypervisor platform.
• Vendors must be able to interoperate with a common protocol (e.g., SCAP)
• Products must support orchestration by 3rd party management, workflow, and incident management systems.