Hh 2012-mberman-sds2


Transcript of Hh 2012-mberman-sds2

Page 1: Hh 2012-mberman-sds2

Unravel the Enigma of Insecurity

Security and Software-Defined Networks

Page 2: Hh 2012-mberman-sds2

Security and Software-Defined Networks

Michael Berman, CISSP, NSA-IAM

• Husband, Dad, Hacker.
• Linux Kernel Engineer, Security Virtualization SME
• Most recently, CTO for Catbird Networks, Inc.
• As a humanitarian, I provide sarcasm as a free service to the needy.
• I also ski, play soccer, and free climb.

Page 3: Hh 2012-mberman-sds2


Executive Summary

• Mobility and virtualization are accelerating the transition to cloud computing

• Data center components will have to be software-defined to meet requirements for capacity, resilience, and security

• Software-defined security is the most effective way to protect the cloud data center

Page 4: Hh 2012-mberman-sds2

Main Components of an OpenFlow Switch

(Diagram) Controller, under Management and Orchestration, talks to the OpenFlow Device (HW or SW) over the OpenFlow Protocol via the Secure Channel. Inside the device, the Packet Pipeline runs inbound traffic through a chain of Flow Tables and a Group Table before it leaves outbound.

Page 5: Hh 2012-mberman-sds2

Software-defined Networking (SDN)

(Diagram) The Management and Orchestration Layer (controller) is decoupled from the Data Layers (devices). Each data layer may be HW or SW and contains hardware entities and software entities.

Page 6: Hh 2012-mberman-sds2

Automation APIs

Northbound (controller->user)
• ORCHESTRATION
• Administration UI
• Horizontal integration with other element managers
• Defines network parameters and membership
• Provides higher-level object management

Southbound (controller->device)
• SCALING
• Packet forwarding
• Programmable per flow
• Maps policies to entities
• Implements logical policies
• Enumerates groups into constituents

Page 7: Hh 2012-mberman-sds2

Value

Not SDN (often proprietary)
• set vtp domain cisco mode server
• set vlan 2 name cisco_vlan_2
• set vlan 2 3/1-12
• …
• Device-based
• Special purpose hardware
• Unique to vendor

SDN (open system)
• Hr_sharepoint allow hr_users
• Pepsi deny Coke
• US_agency deny China except public_web_tier
• …
• Server-based
• General purpose CPU
• Multi-vendor
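The slides on pages 6 and 7 describe policies written over logical groups ("Pepsi deny Coke") that the southbound side turns into per-entity rules by enumerating groups into their constituents. The following is an added illustration, not code from the talk or from Catbird: it parses the three policy forms shown on slide 7 and compiles them against a constructed inventory whose group names and addresses are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed inventory: slide-7 groups mapped to hypothetical member addresses.
INVENTORY = {
    "Hr_sharepoint":   ["10.2.0.5"],
    "hr_users":        ["10.1.0.11", "10.1.0.12"],
    "Pepsi":           ["10.3.0.21"],
    "Coke":            ["10.3.0.22"],
    "US_agency":       ["10.4.0.1"],
    "China":           ["10.5.0.1", "10.5.0.2"],
    "public_web_tier": ["10.5.0.2"],   # also in China: the "except" carve-out
}

@dataclass(frozen=True)
class Policy:
    subject: str            # group the rule is written for
    action: str             # "allow" or "deny"
    target: str             # group the rule applies to
    exempt: Optional[str]   # group carved out of the rule, if any

def parse_policy(line: str) -> Policy:
    """Parse the slide-7 forms 'A allow B', 'A deny B' and 'A deny B except C'."""
    t = line.split()
    if len(t) == 3:
        subject, action, target, exempt = t[0], t[1], t[2], None
    elif len(t) == 5 and t[3] == "except":
        subject, action, target, exempt = t[0], t[1], t[2], t[4]
    else:
        raise ValueError(f"unrecognised policy: {line!r}")
    if action not in ("allow", "deny"):
        raise ValueError(f"unknown action in policy: {line!r}")
    return Policy(subject, action, target, exempt)

def compile_policy(p: Policy, inventory=INVENTORY) -> list:
    """Southbound step: enumerate groups into constituents (one rule per IP pair)."""
    for g in (p.subject, p.target, p.exempt):
        if g is not None and g not in inventory:
            raise KeyError(f"policy names a group missing from inventory: {g!r}")
    carve_out = set(inventory[p.exempt]) if p.exempt else set()
    return [(s, d, p.action)
            for s in inventory[p.subject]
            for d in inventory[p.target] if d not in carve_out]

def decide(src_ip: str, dst_ip: str, rules: list, default: str = "deny") -> str:
    """Evaluate one connection; first matching rule wins, else default (deny)."""
    for s, d, action in rules:
        if (s, d) == (src_ip, dst_ip):
            return action
    return default
```

When a workload moves or a host joins a group, only the inventory changes and the rules are recompiled; the policy text never names an address, which is the "don't need to know IP address" point made later in the deck.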

Page 8: Hh 2012-mberman-sds2

Data Center Implications of SDN

• Supports rapid scaling
• Improved automation
• Service capacity shifts automatically where needed
• Better user experience
• Commoditization of networking

(image: thinkgeek)

Page 9: Hh 2012-mberman-sds2

Security … It’s Your Choice

(image labels: Fail / Evolve)

Page 10: Hh 2012-mberman-sds2

Securing Software-defined Networking

(Diagram) The Management and Orchestration Layer sits above the Data Layers of hardware and software entities; three controls are annotated on it:
• Logical isolation with policy-driven automation
• Audit, manage, and control privileged activities
• Enforce secure configuration and auditing

Page 11: Hh 2012-mberman-sds2

Infrastructure is Evolving

• Software driving cloud innovation
• Use of more than one platform or cloud is practically inevitable
• Mobile (e.g., smartphones and tablets) adoption increasing exponentially

Security technology must evolve

Page 12: Hh 2012-mberman-sds2

Key Properties of Security Virtualization

• Decoupled from hardware
• Faithful reproduction of the physical network security model in the virtual space, including security for both physical and virtual workloads
• Follow the operational model of compute virtualization
• Compatible with any hypervisor platform
• Logical isolation, audit, and security for workloads and control plane elements
• Cloud performance and scale
• Open API for provisioning and control

Page 13: Hh 2012-mberman-sds2

Software-defined Security (SDS)

(Diagram) Same layering as the SDN slide: the Management and Orchestration Layer (controller) is decoupled from the Data Layers (devices, HW or SW), each containing hardware entities and software entities.

Page 14: Hh 2012-mberman-sds2

Implications

Need to Know
• Users
• Software
• Assets
• Connections
• Policies

Don’t Need to Know
• Vendor
• IP address
• Location
• Virtual, physical, mobile
• Wire speed

Page 15: Hh 2012-mberman-sds2

Risk Analysis

Exposure Increased (small increase in risk)
• Automation failure
• API failure
• Control failure
• Software failure
• Human failure

Exposure Decreased (large decrease in risk)
• Hardware failure
• Capacity failure
• Availability failure
• Security failure
• Human failure

Page 16: Hh 2012-mberman-sds2


Top-5 Controls

1. Inventory of SDN elements (e.g., controllers, devices, privileged users)

2. Isolation and access control for Northbound and Southbound APIs (e.g., orchestration, administration, and configuration)

3. Auditing and change management

4. Secure configuration management

5. Continuous vulnerability management and remediation

Page 17: Hh 2012-mberman-sds2


SDS Systems are Evolving

Page 18: Hh 2012-mberman-sds2

Software-defined Security Examples

• Firewall
  – Virtual firewalls are not a “bump in the wire”; they are a module inserted into the stream-path of a vNIC.
• NAC
  – Network access control is not enforced within the access layer; it is enforced in the management layer.
• Configuration
  – Instead of requiring an agent or network scan, secure configurations may be checked out of band, even when the asset is powered off.

Page 19: Hh 2012-mberman-sds2

Advantages of Security Virtualization

• Perfect inventory
• Everywhere it is needed
• Lower cost
• More automated
• Simpler
• Faster evolution

(image caption: Cylon Hybrid: The central control for a Cylon Basestar)

Page 20: Hh 2012-mberman-sds2


IT Business Process Re-engineering

The organization and process must adapt to increased automation and orchestration. Cross-functional teams of subject matter experts will best enable IT to rapidly deliver secure and elastic services on-demand. Leading IT teams are already shifting from DevOps to DevSecOps.

Page 21: Hh 2012-mberman-sds2

RACI for Software-Defined Security

• Responsible: Firewall or Network Security personnel
  – Define policies
  – Implement automation
• Accountable: CIO or CISO
  – Approve policies
  – Review metrics (e.g., compliance and performance)
• Consulted: Infrastructure and Application Architects
  – Provide requirements
  – Validate implementation
• Informed: IT Audit personnel
  – Audit automation behavior
  – Audit policy compliance

Page 22: Hh 2012-mberman-sds2


In closing

• Security virtualization will drastically improve the protection of sensitive data while at the same time simplifying the application of these protective capabilities.

• The most effective use of security virtualization will require changes to IT staffing, processes, and procedures.

• Security virtualization is disruptive to the way security “has always been doing it.”

Page 23: Hh 2012-mberman-sds2


Michael Berman

Email: xtanjx at “gee mail” dot com

LinkedIn: mberman

Twitter: @_mberman

Blog: Grok Security

Thank you

Page 24: Hh 2012-mberman-sds2

Supplemental Material

©2009-2012 *MitchellLazear

Page 25: Hh 2012-mberman-sds2

Decoupled from Hardware

• Simplifies data center resiliency and failover
• Reduces upgrade costs
• Enables "designed-in" security across data center fabric
• Scaling enhanced due to elimination of architectural constraints
• Hardware refresh cycle and technology advance is accelerated due to shortened engineering cycle
• CPU resource pool remains uniform

Page 26: Hh 2012-mberman-sds2

Reproduce Network Security Model

• Defense in depth
• Segmentation of data
• Access control
• Separation of duties

1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses

(source: SANS)

Page 27: Hh 2012-mberman-sds2


Operational Model of Compute Virtualization

• Enable scaling, elasticity, mobility, and seamless disaster recovery

• Conversion of security tools into software objects and the creation of new tools and capabilities for deployment, automation, and recovery of security capabilities

• Auto-deployment, automation, and orchestration of security tools

• The cloud compute model impacts the culture of security within IT, requiring the transition of security professionals into new operational roles that are more flexible and more broadly defined.

Page 28: Hh 2012-mberman-sds2

Compatible with any Hypervisor

• Security virtualization must be platform independent and capable of protecting workloads in any data center. While it's not clear how many platforms will be in common use, I assert that there will be at least four:
  1. VMware
  2. RHEV (KVM)
  3. HyperV
  4. Mobile (ultimately there will be more than one here)

• Therefore, as workloads are established on multiple platforms in multiple locations by any given entity, security virtualization must support a single security policy model across these platforms.

Page 29: Hh 2012-mberman-sds2


Logical isolation, audit, and security

• Logical isolation, rather than some form of physical segmentation, enables diverse workloads of differing sensitivity to run anywhere.

• Mixed workloads will then run most efficiently when allowed to be run within common resource pools for CPU, Memory, Storage, and Networking.

• Security virtualization must also audit and protect the management objects, tools, and APIs that are utilized to provision, modify, or delete workloads, objects, and resources.

• Logical isolation enables multi-compartment zoning of workloads with the requisite capabilities for cross-domain security in both private or public clouds.

• Policies are not required to identify layer 3 or 4 attributes. Security virtualization enforces policies within each specific trust zone, even when this zone spans multiple data centers.

Page 30: Hh 2012-mberman-sds2

Cloud performance and scale

• Large-scale compute clouds are composed of thousands to millions of entities.
• Security virtualization must enable resilient and protected operations at this scale.
• This requires new security management architectures, analytics, and closed-loop controls that operate across millions of protected objects in multiple locations.
• Additionally, cloud performance is not just IOPS or CPU cycles; it is also the capability to elastically provision, modify, and decommission security entities on demand.

Page 31: Hh 2012-mberman-sds2


Open API

• Security virtualization must be integrated with provisioning, management, and operations of the data center.

• These APIs will fit into the management stacks developed for each hypervisor platform.

• Vendors must be able to interoperate with a common protocol (e.g., SCAP)

• Products must support orchestration by 3rd party management, workflow, and incident management systems.