Security Advantages of Software-Defined Networking
Transcript of Security Advantages of Software-Defined Networking
Session ID: TECH-T10
Dr. Edward G. Amoroso, Senior Vice President & Chief Security Officer, AT&T
Security Advantages of Software-Defined Networking
#RSAC
Centralized SDN Control and Virtual Forwarding

[Diagram: Traditional vs. SDN. Traditional: every device pairs its own control with its forwarding (decentralized control, hardware/software). SDN: a single centralized control in software (the SDN controller) over many forwarding-only devices.]

[Diagram: Traditional vs. NFV. Traditional: control runs alongside fast hardware forwarding in each device. NFV: virtualized network functions run over shared forwarding.]
Centralized SDN Security Control

[Diagram: Centralized SDN Control sits above the SDN infrastructure (simplified forwarding devices). SDN Security App 1, SDN Security App 2, ... run on the controller and connect to the enterprise security processes. Flowing up from the infrastructure: data collection (network info, holistic view, live threat). Flowing down to the infrastructure: forwarding changes (network update, re-routing, live response).]

- SDN Control: Centralized control allows for an improved security vantage point
- Management: Security management improves with full network visibility
- Applications: SDN applications provide native security control functions
- Data Collection: Native collection and analytics offer enhanced response
- Efficiency: SDN enables more immediate re-routing and infrastructure changes (Dynamic Enforcement)

Analogous to Traditional Mainframe Security
Security by Design

[Diagram: Traditional router with a separate security overlay (patching, response, threat, DDOS, ACL, monitor): separate design. ISP/Enterprise SDN/NFV security with patching and response built into the SDN apps, SDN control and devices: integrated design.]

- Retrofit: Existing networks have been retrofit with security after the fact
- Routers: Existing router complexity degrades response and patching
- Native: SDN and NFV include native security embedded during design
- Integration: Security by design in SDN results in more integrated security
- Complexity: Fresh SDN and NFV design provides an opportunity for simplification (Security Designed In)

Traditional Network Security Done "After the Fact"
Add-On Security Protections

[Diagram: Business XYZ requests protection through user provisioning; the SDN controller, via the SDN control API, instantiates a vendor security tool image in the SDN as "XYZ Security", placed between Internet threats and the business.]

- Cycle Time: Reduces provisioning from weeks/months to hours/minutes
- Attack Response: Improves defensive posture during live cyber attack
- Planned Upgrade: Enhances defensive posture in advance of planned need
- Economics: Avoids expense of vendor hardware appliance investment
- Platform: Establishes underlying SDN base for cyber security product market

Future of Managed Security Services: On-Demand
Defense in Depth Architecture

[Diagram: Business XYZ provisions Vendor 1, Vendor 2 and Vendor 3 security tools through the SDN controller (SDN control API); the three vendor tool images are instantiated in the SDN as a service chain, "XYZ Security": Vendor 1 Security Tool -> Vendor 2 Security Tool -> Vendor 3 Security Tool.]

- Cycle Time: Reduces provisioning from weeks/months to hours/minutes
- Attack Response: Provides multiple layers of cyber defense
- Tailoring: Allows design to include strengths of each vendor
- Chaining: Creates opportunity to create virtual security chains
- Platform: Abstracts hardware differences between security vendors

Allows Dynamic Security Service Chaining
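The chaining idea on this slide, as an added example that is not from the deck: each vendor tool image is modelled as a virtual function behind one common inspect interface (the abstraction over vendor hardware differences), and the chain is just an ordered list the provisioning step can re-arrange. The class names, the three constructed vendor tools and the sample packets are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes

# Every function in the chain answers with ("pass" | "drop", reason).
Verdict = Tuple[str, str]

@dataclass
class VirtualSecurityFunction:
    """One vendor tool image instantiated as a virtual function (hypothetical
    vendor-neutral interface: the chain only ever calls `inspect`)."""
    vendor: str
    inspect: Callable[[Packet], Verdict]

class ServiceChain:
    """Ordered chain of virtual security functions; the first drop wins and
    later functions never see the packet (defense in depth, short-circuited)."""
    def __init__(self, functions: List[VirtualSecurityFunction]) -> None:
        self.functions = list(functions)

    def process(self, pkt: Packet) -> Tuple[str, List[Tuple[str, str, str]]]:
        trace = []                      # (vendor, verdict, reason) per hop
        for vnf in self.functions:
            verdict, reason = vnf.inspect(pkt)
            trace.append((vnf.vendor, verdict, reason))
            if verdict == "drop":
                return "drop", trace
        return "pass", trace

# Three constructed vendor tools, one per layer of the defense.
def acl_tool(allowed_ports: set) -> VirtualSecurityFunction:
    def inspect(p: Packet) -> Verdict:
        if p.dport in allowed_ports:
            return "pass", "port allowed"
        return "drop", f"port {p.dport} not allowed"
    return VirtualSecurityFunction("Vendor 1 (ACL)", inspect)

def rate_limit_tool(max_per_src: int) -> VirtualSecurityFunction:
    seen = {}                           # per-source packet counter (toy state)
    def inspect(p: Packet) -> Verdict:
        seen[p.src] = seen.get(p.src, 0) + 1
        if seen[p.src] > max_per_src:
            return "drop", "rate limit exceeded"
        return "pass", "within rate"
    return VirtualSecurityFunction("Vendor 2 (rate limit)", inspect)

def content_tool(markers: List[bytes]) -> VirtualSecurityFunction:
    def inspect(p: Packet) -> Verdict:
        if any(m in p.payload for m in markers):
            return "drop", "content marker matched"
        return "pass", "content clean"
    return VirtualSecurityFunction("Vendor 3 (content inspection)", inspect)

def build_chain() -> ServiceChain:
    # Ordering is a provisioning decision: cheap ACL first, content last.
    return ServiceChain([acl_tool({80, 443}), rate_limit_tool(3),
                         content_tool([b"<script>"])])

def demo() -> List[Tuple[str, List[Tuple[str, str, str]]]]:
    """Constructed traffic run through the chain; returns verdict and trace."""
    chain = build_chain()
    traffic = [
        Packet("203.0.113.5", "10.0.0.10", 443, b"GET / HTTP/1.1"),
        Packet("203.0.113.5", "10.0.0.10", 22, b"SSH-2.0-probe"),
        Packet("203.0.113.6", "10.0.0.10", 80, b"<script>x</script>"),
    ]
    return [chain.process(p) for p in traffic]
```

Re-ordering the list passed to ServiceChain is all that "tailoring" takes here; the trace returned by process shows which vendor function made the decision, which is the evidence a defender wants when tuning the chain.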
Streamlined Security Patching

[Diagram: Centralized enterprise security feeds SDN/NFV threat intelligence and patch control into an SDN Patch Control App on SDN Control, which pushes common patch images to the forwarding devices running on a hypervisor over cloud hardware: greatly simplified patching need.]

- Cycle Time: Reduces patch cycles from weeks/months to hours/minutes
- Automation: SDN controllers enable automation based on intelligence
- Inventory: SDN/NFV infrastructure offers live inventory for common images
- Validation: Patch metrics and posture can be collected in real time
- Simplification: Simplified devices have a smaller software patch surface

Allows Install of Common Patched Images
Improved Incident Response

[Diagram: VM 1 through VM 5 run on a hypervisor over cloud hardware. Centralized enterprise incident response feeds SDN/NFV response intelligence into an SDN Response Control App on SDN control, which performs common restoration: wipe and restore, or swap and restore.]

- Cycle Time: Reduces response from days/hours to minutes/seconds
- Automation: SDN/NFV approach allows response based on intelligence
- Inventory: Virtualization enables wipe and restore response for VMs
- Forensics: Restoration allows swap and capture for off-line forensics
- Simplification: Common hardware enables swap and restore response

Hardware Swapped and Sent Intact to Forensics
Perimeter Independence

[Diagram: VM 1 in a private cloud "inside the firewall" and VM 2 in a public cloud, both reached by web, telework and partner users; in each case only the VM's required service is allowed. Public and private clouds have the SAME threat profile.]

- Current Perimeter: Enterprise perimeter weaknesses require immediate action
- Micro-Perimeter: Virtualization enables embedded cloud micro-perimeters
- Independence: Virtualized security works in both private and public clouds
- APT Attacks: Virtual micro-perimeters in the cloud are resilient against APT
- Equivalence: With virtual security, public and private clouds are threat equivalent

Use of Cloud Can Exceed Existing Perimeter Security
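The micro-perimeter on this slide, as an added example that is not from the deck: a default-deny allowlist is attached to the VM itself rather than to a site firewall, so one policy object evaluates identically for VM 1 in the private cloud and VM 2 in the public cloud, which is the "threat equivalent" claim in executable form. The class names, the client address ranges (a web front range, a telework VPN range, a partner range) and the probe connections are constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Connection:
    """An inbound connection attempt seen at the VM's virtual interface."""
    src: str
    dport: int
    proto: str = "tcp"

@dataclass(frozen=True)
class Allow:
    """One allow entry: this protocol/port from this client network only."""
    from_net: str
    dport: int
    proto: str = "tcp"

    def matches(self, c: Connection) -> bool:
        return (c.proto == self.proto and c.dport == self.dport
                and ip_address(c.src) in ip_network(self.from_net))

@dataclass
class MicroPerimeter:
    """Per-VM policy: anything not explicitly allowed is denied, regardless
    of whether the source sits 'inside the firewall'."""
    vm: str
    cloud: str                       # "private" or "public", informational only
    allows: List[Allow] = field(default_factory=list)

    def evaluate(self, c: Connection) -> Tuple[str, str]:
        for a in self.allows:
            if a.matches(c):
                return "allow", f"{a.proto}/{a.dport} from {a.from_net}"
        return "deny", "no matching allow rule (default deny)"

def required_service_policy(vm: str, cloud: str, service_port: int,
                            client_nets: List[str]) -> MicroPerimeter:
    """'Only allow VM required service': one allow per client population."""
    return MicroPerimeter(vm, cloud, [Allow(n, service_port) for n in client_nets])

def demo() -> Dict[str, List[str]]:
    # Constructed client ranges: web front end, telework VPN pool, partner link.
    nets = ["192.0.2.0/24", "10.20.0.0/16", "198.51.100.0/24"]
    vm1 = required_service_policy("VM 1", "private", 443, nets)
    vm2 = required_service_policy("VM 2", "public", 443, nets)
    probes = [
        Connection("192.0.2.10", 443),     # web user via the front range
        Connection("10.20.5.9", 443),      # teleworker via VPN pool
        Connection("203.0.113.9", 22),     # SSH from an arbitrary Internet host
        Connection("203.0.113.9", 443),    # required port, but not a client range
        Connection("10.0.3.4", 3306),      # database port from "inside the firewall"
    ]
    # Same verdict list for both VMs: the cloud they sit in does not matter.
    return {p.vm: [p.evaluate(c)[0] for c in probes] for p in (vm1, vm2)}
```

The last probe is the one that separates a micro-perimeter from a traditional perimeter: a source that is topologically inside the enterprise gets no extra trust, because the only rules that exist are the ones the VM's required service needs.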
DDOS Resilience

[Diagram: Internet DDOS attacks hit VM 1, VM 2, VM 3 (under attack, unavailable). The SDN controller auto-provisions a scale expansion, VM 1', VM 2', VM 3' (not under attack, available), and the SDN auto-shifts the workload to the scaled VMs.]

- DDOS Threat: Many enterprise networks remain vulnerable to Layer 3/7 DDOS
- Layer 3: DDOS defenses rely on more powerful defense than offense (Gbps)
- Layer 7: Application-level DDOS attacks likely to increase (as Layer 3 defenses improve)
- Expansion: Virtualization allows for dynamic expansion under attack
- Consequence: Approach is similar to CDN expansion to reduce attack consequence

Dynamic Rule and Route Modification
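A toy model of the control loop behind both the Centralized SDN Security Control slide and this DDOS Resilience slide, added here as an example that is not from the deck: forwarding-only devices report counters up to a central controller, a security app inspects the whole-network view, and when the aggregate load on a service crosses a threshold the app provisions replicas and installs a higher-priority forwarding rule that spreads the workload over the scaled set. FlowRule, ForwardingDevice, SdnController, DdosResilienceApp, the threshold and the device/VM names are all constructed assumptions; a real controller would do this through its southbound protocol rather than an in-memory list.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
import zlib

@dataclass(frozen=True)
class FlowRule:
    """One flow-table entry: traffic to `dst` goes to one of `out_ports`."""
    dst: str
    out_ports: Tuple[str, ...]
    priority: int = 10

    def pick_port(self, flow_id: str) -> str:
        # Deterministic spread of flows across the available ports.
        return self.out_ports[zlib.crc32(flow_id.encode()) % len(self.out_ports)]

@dataclass
class ForwardingDevice:
    """Simplified forwarding device: no local control, just a table and counters."""
    name: str
    rules: List[FlowRule] = field(default_factory=list)
    stats: Dict[str, int] = field(default_factory=dict)   # dst -> packets/sec seen

    def lookup(self, dst: str) -> Optional[FlowRule]:
        cands = [r for r in self.rules if r.dst == dst]
        return max(cands, key=lambda r: r.priority) if cands else None

class SdnController:
    """Central control: collects telemetry from every device (holistic view),
    runs the security apps over it, and pushes rule changes back down."""
    def __init__(self) -> None:
        self.devices: Dict[str, ForwardingDevice] = {}
        self.apps: list = []

    def register(self, dev: ForwardingDevice) -> None:
        self.devices[dev.name] = dev

    def collect(self) -> Dict[str, int]:
        view: Dict[str, int] = {}
        for dev in self.devices.values():
            for dst, pps in dev.stats.items():
                view[dst] = view.get(dst, 0) + pps
        return view

    def install(self, rule: FlowRule) -> None:
        for dev in self.devices.values():        # network-wide update
            dev.rules.append(rule)

    def cycle(self) -> List[Tuple[str, Tuple[str, ...]]]:
        view = self.collect()
        actions = []
        for app in self.apps:
            actions.extend(app.react(view, self))
        return actions

class DdosResilienceApp:
    """Security app: when aggregate load on a service passes the threshold,
    auto-provision replicas and re-route so the workload is spread across
    the scaled set (the slide's VM 1 -> VM 1', 2', 3' expansion)."""
    def __init__(self, threshold_pps: int, provision: Callable[[str], str],
                 replicas: int = 3) -> None:
        self.threshold = threshold_pps
        self.provision = provision          # hypothetical hook into the hypervisor
        self.replicas = replicas
        self.expanded: Dict[str, Tuple[str, ...]] = {}

    def react(self, view: Dict[str, int], ctrl: SdnController):
        actions = []
        for dst, pps in view.items():
            if pps > self.threshold and dst not in self.expanded:
                new_vms = tuple(self.provision(dst) for _ in range(self.replicas))
                ctrl.install(FlowRule(dst, new_vms, priority=100))
                self.expanded[dst] = new_vms
                actions.append((dst, new_vms))
        return actions

def demo():
    """Constructed scenario: two edge devices each see heavy load on VM1."""
    ctrl = SdnController()
    counter = {"n": 0}
    def provision(vm: str) -> str:
        counter["n"] += 1
        return f"{vm}'-{counter['n']}"
    ctrl.apps.append(DdosResilienceApp(threshold_pps=10_000, provision=provision))
    for name in ("edge-a", "edge-b"):
        dev = ForwardingDevice(name)
        for vm in ("VM1", "VM2", "VM3"):
            dev.rules.append(FlowRule(vm, (vm,)))   # normal path: one VM each
        ctrl.register(dev)
    ctrl.devices["edge-a"].stats = {"VM1": 8_000, "VM2": 100, "VM3": 50}
    ctrl.devices["edge-b"].stats = {"VM1": 7_000, "VM2": 120, "VM3": 40}
    return ctrl.cycle(), ctrl
```

Note that neither edge device alone exceeds the threshold for VM1; only the controller's aggregated view does, which is the "vantage point" argument from the earlier slide. The expanded dict keeps the app from re-provisioning on every cycle while the load persists.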
Implications for Attendees

- Application for virtual data center design
- Source selection in ISP/MSP services
- Design base for virtualizing micro-segments
- New platform for MSSP operations
- Modified set of compliance issues for security