Security Advantages of Software-Defined Networking


Page 1: Security Advantages of Software-Defined Networking

Session ID: TECH-T10

#RSAC

Dr. Edward G. Amoroso, Senior Vice President & Chief Security Officer, AT&T

Page 2: Security Advantages of Software-Defined Networking

[Diagram: Traditional vs. SDN vs. NFV. Traditional: decentralized control (hardware/software), with control and forwarding co-located on every device and fast hardware forwarding. SDN: centralized control (software SDN controller) over simplified forwarding devices. NFV: centralized SDN control and virtual forwarding, with virtualized network functions replacing per-device control.]

Page 3: Security Advantages of Software-Defined Networking

Centralized SDN Security Control

[Diagram: a centralized SDN controller sits above the SDN infrastructure (simplified forwarding devices) and hosts SDN Security App 1, App 2, ... alongside enterprise security processes. Upward from the devices: data collection, network info, holistic view, live threat. Downward to the devices: forwarding changes, network update, re-routing, live response.]

- SDN Control: Centralized control allows for an improved security vantage point
- Management: Security management improves with full network visibility
- Applications: SDN applications provide native security control functions
- Data Collection: Native collection and analytics offer enhanced response
- Efficiency: SDN enables more immediate re-routing and infrastructure changes (Dynamic Enforcement)

Analogous to Traditional Mainframe Security
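The "holistic view" and "dynamic enforcement" points above can be made concrete. The following Python is an added example, not code from the slides or from AT&T: a toy SDN security app pools flow records reported by three simplified forwarding devices, flags a source on the pooled view that no single device would flag on its own, and pushes one drop rule to every device. The switch names, addresses, threshold and rule format are constructed for the example.

```python
"""Added example (not from the slides): a toy SDN security app that shows why a
centralized vantage point matters. Per-device flow records are pooled by the
controller, a source is flagged on the pooled view, and a single forwarding
change (a drop rule) is pushed to every simplified forwarding device.
Switch names, addresses and the threshold are constructed for the example."""
from collections import defaultdict

# Constructed flow records as reported by three forwarding devices:
# (switch, src_ip, dst_ip, dst_port). Source 10.0.0.9 touches two distinct
# ports per switch, below a per-switch threshold of 3, but six when pooled.
FLOW_RECORDS = [
    ("sw1", "10.0.0.9", "10.0.1.10", 22),
    ("sw1", "10.0.0.9", "10.0.1.11", 23),
    ("sw2", "10.0.0.9", "10.0.2.10", 445),
    ("sw2", "10.0.0.9", "10.0.2.11", 3389),
    ("sw3", "10.0.0.9", "10.0.3.10", 8080),
    ("sw3", "10.0.0.9", "10.0.3.11", 8443),
    ("sw1", "10.0.0.5", "10.0.1.10", 443),
    ("sw2", "10.0.0.5", "10.0.2.10", 443),
]
SWITCHES = ("sw1", "sw2", "sw3")
THRESHOLD = 3  # distinct destination ports before a source is flagged


def per_switch_view(records, threshold=THRESHOLD):
    """What each device could conclude alone: sources flagged by any one switch."""
    ports = defaultdict(set)  # (switch, src) -> distinct destination ports
    for sw, src, _dst, port in records:
        ports[(sw, src)].add(port)
    return {src for (_sw, src), seen in ports.items() if len(seen) >= threshold}


def holistic_view(records, threshold=THRESHOLD):
    """The controller's pooled view: distinct ports per source across all devices."""
    ports = defaultdict(set)  # src -> distinct destination ports network-wide
    for _sw, src, _dst, port in records:
        ports[src].add(port)
    return {src for src, seen in ports.items() if len(seen) >= threshold}


def build_drop_rules(flagged, switches=SWITCHES, priority=1000):
    """The forwarding change pushed network-wide: one high-priority rule per
    flagged source on every switch; an empty action list means drop
    (OpenFlow-style match/action dicts, constructed for the example)."""
    return [
        {"switch": sw, "priority": priority, "match": {"ipv4_src": src}, "actions": []}
        for src in sorted(flagged)
        for sw in switches
    ]


def respond(records):
    """Detect on the pooled view, then enforce dynamically on every device."""
    flagged = holistic_view(records)
    return flagged, build_drop_rules(flagged)


if __name__ == "__main__":
    print("per-switch view flags:", per_switch_view(FLOW_RECORDS))
    flagged, rules = respond(FLOW_RECORDS)
    print("holistic view flags:", flagged)
    for rule in rules:
        print(rule)
```

Run stand-alone, the per-switch view flags nothing while the pooled view flags 10.0.0.9 and three drop rules are produced, one per device. This is the vantage-point argument of the slide in miniature: the same records, seen whole, support a decision that each device alone cannot make.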

Page 4: Security Advantages of Software-Defined Networking

Security by Design

[Diagram: Traditional Security Overlay, a traditional router with patching, response and threat functions (DDOS, ACL, monitor) bolted on as a separate design, beside ISP/Enterprise SDN/NFV Security, where patching and response are integrated across SDN apps, SDN control and devices in one integrated design.]

- Retrofit: Existing networks have been retrofitted with security after the fact
- Routers: Existing router complexity degrades response and patching
- Native: SDN and NFV include native security embedded during design
- Integration: Security by design in SDN results in more integrated security
- Complexity: Fresh SDN and NFV design provides an opportunity for simplification (Security Designed In)

Traditional Network Security Done “After the Fact”

Page 5: Security Advantages of Software-Defined Networking

Add-On Security Protections

[Diagram: Business XYZ, protected by XYZ Security, faces Internet threats. Through user provisioning and the SDN control API, a vendor security tool image is instantiated on the SDN controller and placed in the path as an add-on protection.]

- Cycle Time: Reduces provisioning from weeks/months to hours/minutes
- Attack Response: Improves defensive posture during a live cyber attack
- Planned Upgrade: Enhances defensive posture in advance of planned need
- Economics: Avoids the expense of vendor hardware appliance investment
- Platform: Establishes an underlying SDN base for the cyber security product market

Future of Managed Security Services: On-Demand

Page 6: Security Advantages of Software-Defined Networking

Defense in Depth Architecture

[Diagram: as on the previous slide, but user provisioning through the SDN control API instantiates Vendor 1, Vendor 2 and Vendor 3 security tool images on the SDN controller and links them into a security tool service chain in front of Business XYZ.]

- Cycle Time: Reduces provisioning from weeks/months to hours/minutes
- Attack Response: Provides multiple layers of cyber defense
- Tailoring: Allows the design to include the strengths of each vendor
- Chaining: Creates the opportunity to create virtual security chains
- Platform: Abstracts hardware differences between security vendors

Allows Dynamic Security Service Chaining
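The "chaining" and "platform" points describe a service chain as something the controller composes from vendor tool images. The following Python is an added example, not code from the slides or any vendor: it compiles an ordered list of tool images, each attached to a virtual switch by an ingress/egress port pair, into port-steering rules, traces a packet through them, and shows that removing one vendor re-links the chain without touching the other tools. Tool names, port numbers and the rule format are constructed.

```python
"""Added example (not from the slides): compiling a virtual security service
chain into steering rules. Each vendor tool image is attached to a virtual
switch through an ingress/egress port pair; the chain itself is only an ordered
list, so a vendor can be inserted or removed and the hops re-linked without
touching any tool. Names, ports and the rule format are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ToolInstance:
    name: str       # vendor security tool image (constructed name)
    in_port: int    # switch port that feeds traffic into the tool
    out_port: int   # switch port on which the tool hands traffic back


# Constructed topology: tenant XYZ enters the switch on port 1 and leaves
# toward the Internet on port 10; three vendor images sit on ports 2-7.
TENANT_PORT = 1
UPLINK_PORT = 10
CHAIN = [
    ToolInstance("vendor1-firewall", in_port=2, out_port=3),
    ToolInstance("vendor2-ids", in_port=4, out_port=5),
    ToolInstance("vendor3-waf", in_port=6, out_port=7),
]


def compile_chain(chain, tenant_port=TENANT_PORT, uplink_port=UPLINK_PORT):
    """One steering rule per hop: traffic arriving from the previous hop's
    egress port is output to the next tool's ingress; the final hop goes to
    the uplink. Only ports appear in the rules, never vendor specifics."""
    rules, prev_out = [], tenant_port
    for tool in chain:
        rules.append({"match": {"in_port": prev_out},
                      "actions": [("output", tool.in_port)], "via": tool.name})
        prev_out = tool.out_port
    rules.append({"match": {"in_port": prev_out},
                  "actions": [("output", uplink_port)], "via": "uplink"})
    return rules


def trace(chain, rules, start_port=TENANT_PORT):
    """Follow a packet through the compiled rules; return the hops it visits.
    Each tool is modelled as passing traffic from its in_port to its out_port."""
    by_in_port = {r["match"]["in_port"]: r for r in rules}
    tool_egress = {t.in_port: t.out_port for t in chain}
    port, path = start_port, []
    while True:
        rule = by_in_port[port]
        path.append(rule["via"])
        _, next_port = rule["actions"][0]
        if next_port not in tool_egress:   # left the chain via the uplink
            return path
        port = tool_egress[next_port]


def without(chain, name):
    """Tailor the chain: drop one vendor, the remaining hops re-link."""
    return [t for t in chain if t.name != name]


if __name__ == "__main__":
    print(trace(CHAIN, compile_chain(CHAIN)))
    tailored = without(CHAIN, "vendor2-ids")
    print(trace(tailored, compile_chain(tailored)))
```

The hardware abstraction the slide mentions is visible in the rules: they reference only switch ports, so swapping one vendor's image for another, or reordering the chain, changes the list passed to compile_chain and nothing else.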

Page 7: Security Advantages of Software-Defined Networking

Streamlined Security Patching

[Diagram: centralized enterprise security operates an SDN patch control app, fed by SDN/NFV threat intelligence, that pushes common patch images through SDN control to forwarding devices running on a hypervisor over cloud hardware. Label: greatly simplified patching need.]

- Cycle Time: Reduces patch cycles from weeks/months to hours/minutes
- Automation: SDN controllers enable automation based on intelligence
- Inventory: SDN/NFV infrastructure offers a live inventory for common images
- Validation: Patch metrics and posture can be collected in real time
- Simplification: Simplified devices have a smaller software patch surface

Allows Install of Common Patched Images
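The "inventory" and "validation" points rest on one property of the model: every device runs a common image whose identity the controller can check. The following Python is an added example, not code from the slides or from AT&T: it computes image digests, compares the digest each device reports against the approved build, and returns a posture metric, a batched patch work list and any device running an image the controller never issued. Device names and image bytes are constructed placeholders, and the digests are computed from them rather than being real values.

```python
"""Added example (not from the slides): live inventory and patch posture for
simplified forwarding devices that run a common image. The controller records
the image digest each device reports, compares it with the approved build, and
returns a posture metric, the patch work list in rollout batches and any
device whose image it does not recognise. Device names and image bytes are
constructed placeholders; the digests are computed from them, not real values."""
import hashlib


def image_digest(image_bytes: bytes) -> str:
    """Identity of a common image: SHA-256 of its bytes."""
    return hashlib.sha256(image_bytes).hexdigest()


# Constructed builds: the approved patched image and the previous (stale) one.
APPROVED_IMAGE = image_digest(b"forwarding-image v2.1 (constructed)")
STALE_IMAGE = image_digest(b"forwarding-image v2.0 (constructed)")
KNOWN_IMAGES = frozenset({APPROVED_IMAGE, STALE_IMAGE})

# Constructed live inventory as reported by the devices: name -> running digest.
INVENTORY = {
    "fwd-01": APPROVED_IMAGE,
    "fwd-02": STALE_IMAGE,
    "fwd-03": APPROVED_IMAGE,
    "fwd-04": STALE_IMAGE,
    "fwd-05": "0" * 64,   # constructed digest of an image the controller never issued
}


def posture(inventory, approved=APPROVED_IMAGE, known=KNOWN_IMAGES):
    """Return (fraction on the approved image, devices needing the common patch,
    devices running an unrecognised image that needs investigation first)."""
    compliant = [d for d, img in inventory.items() if img == approved]
    stale = sorted(d for d, img in inventory.items() if img != approved and img in known)
    unknown = sorted(d for d, img in inventory.items() if img not in known)
    return len(compliant) / len(inventory), stale, unknown


def patch_plan(stale, batch_size=2):
    """Roll the common image out in batches so forwarding capacity is kept up."""
    return [stale[i:i + batch_size] for i in range(0, len(stale), batch_size)]


def apply_batch(inventory, batch, approved=APPROVED_IMAGE):
    """Simulate the devices in one batch re-reporting after the common image is installed."""
    updated = dict(inventory)
    for device in batch:
        updated[device] = approved
    return updated


if __name__ == "__main__":
    score, stale, unknown = posture(INVENTORY)
    print(f"posture {score:.0%}, stale {stale}, unknown {unknown}")
    after = INVENTORY
    for batch in patch_plan(stale, batch_size=1):
        after = apply_batch(after, batch)
        print("after", batch, "posture", f"{posture(after)[0]:.0%}")
```

The unrecognised-image case is kept separate from the stale case on purpose: a device reporting a digest the controller never issued is an integrity question, not a patching task, and should not be silently overwritten with the common image before someone looks at it.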

Page 8: Security Advantages of Software-Defined Networking

Improved Incident Response

[Diagram: centralized enterprise incident response operates an SDN response control app, fed by SDN/NFV response intelligence, over VM 1 to VM 5 running on a hypervisor over cloud hardware. Responses shown: wipe and restore, swap and restore, common restoration.]

- Cycle Time: Reduces response from days/hours to minutes/seconds
- Automation: SDN/NFV approach allows response based on intelligence
- Inventory: Virtualization enables wipe and restore response for VMs
- Forensics: Restoration allows swap and capture for off-line forensics
- Simplification: Common hardware enables swap and restore response

Hardware Swapped and Sent Intact to Forensics

Page 9: Security Advantages of Software-Defined Networking

Perimeter Independence

[Diagram: a private cloud hosting VM 1 (email) “inside the firewall”, reached by web, telework and partner users, with the rule “only allow VM 1 required service”; and a public cloud hosting VM 2. Label: public and private clouds have the SAME threat profile.]

- Current Perimeter: Enterprise perimeter weaknesses require immediate action
- Micro-Perimeter: Virtualization enables embedded cloud micro-perimeters
- Independence: Virtualized security works in both private and public clouds
- APT Attacks: Virtual micro-perimeters in the cloud are resilient against APT
- Equivalence: With virtual security, public and private clouds are threat equivalent

Use of Cloud Can Exceed Existing Perimeter Security
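The "only allow VM 1 required service" rule on the diagram is a micro-perimeter: a default-deny allow-list attached to the VM itself rather than to a network location. The following Python is an added example, not code from the slides or from AT&T: it writes that policy for an email VM in the private cloud and a web VM in the public cloud, then evaluates a batch of constructed flows against it, including attempts from an address that is “inside the firewall”. VM names, addresses, services and the traffic sample are constructed.

```python
"""Added example (not from the slides): a per-VM micro-perimeter written as a
default-deny allow-list and enforced at the virtual layer, so one policy
object protects a VM identically in the private cloud and in the public cloud.
VM names, addresses, services and the traffic sample are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # source address
    dst_vm: str     # destination VM the virtual enforcement point protects
    proto: str
    dst_port: int


# Constructed policy: each VM may receive only the services it actually needs.
# Location is deliberately absent: the rules do not say which cloud a VM is in.
POLICY = {
    "vm1": {("tcp", 25), ("tcp", 587)},   # email VM: SMTP and message submission only
    "vm2": {("tcp", 443)},                # web VM in the public cloud: HTTPS only
}


def evaluate(flow, policy=POLICY):
    """Default deny: allowed only if (proto, port) is on the destination VM's list.
    A VM with no entry receives nothing."""
    return (flow.proto, flow.dst_port) in policy.get(flow.dst_vm, set())


def audit(flows, policy=POLICY):
    """Apply the micro-perimeter to a batch of flows; return (allowed, denied)."""
    allowed = [f for f in flows if evaluate(f, policy)]
    denied = [f for f in flows if not evaluate(f, policy)]
    return allowed, denied


# Constructed traffic: legitimate mail to VM 1; SSH and RDP attempts against VM 1
# from an address that is "inside the firewall"; HTTPS and plain HTTP to VM 2;
# and a request to a VM that has no policy entry at all.
FLOWS = [
    Flow("198.51.100.7", "vm1", "tcp", 25),
    Flow("10.0.0.44", "vm1", "tcp", 22),
    Flow("10.0.0.44", "vm1", "tcp", 3389),
    Flow("203.0.113.9", "vm2", "tcp", 443),
    Flow("203.0.113.9", "vm2", "tcp", 80),
    Flow("203.0.113.9", "vm9", "tcp", 443),
]


if __name__ == "__main__":
    allowed, denied = audit(FLOWS)
    for f in allowed:
        print("ALLOW", f)
    for f in denied:
        print("DENY ", f)
```

Two properties of the slide fall out of the policy shape. The SSH and RDP attempts from 10.0.0.44 are denied even though that address sits inside the traditional perimeter, which is what makes the micro-perimeter independent of the old boundary; and vm2 in the public cloud is governed by exactly the same mechanism as vm1 in the private cloud, which is the equivalence claim.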

Page 10: Security Advantages of Software-Defined Networking

DDOS Resilience

[Diagram: Internet DDOS attacks leave VM 1, 2, 3 under attack (unavailable); the SDN controller auto-provisions a scaled expansion, VM 1’, 2’, 3’ (not under attack, available), and auto-shifts the workload to the scaled VMs.]

- DDOS Threat: Many enterprise networks remain vulnerable to Layer 3/7 DDOS
- Layer 3: DDOS defenses rely on more powerful defense than offense (Gbps)
- Layer 7: Application-level DDOS attacks likely to increase (per Layer 3 defenses)
- Expansion: Virtualization allows for dynamic expansion under attack
- Consequence: Approach is similar to CDN expansion to reduce attack consequence

Dynamic Rule and Route Modification
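The "expansion" point and the diagram's auto-shift describe a control loop: judge which VMs are unavailable, provision scaled replicas, and re-point the service map and forwarding rules at them. The following Python is an added example, not code from the slides or from AT&T, and it generalises the slide slightly by shifting only the VMs that are actually unavailable rather than all three. Telemetry values, VM names, addresses, thresholds and the rule format are constructed.

```python
"""Added example (not from the slides): controller logic for the auto-provisioned
scale expansion on the slide. Per-VM health samples give an availability verdict;
for each VM judged unavailable a scaled replica VM' is provisioned from the cloud
layer and the service map is shifted to it. Generalises the slide slightly by
shifting only the VMs that are actually unavailable. Names, addresses,
thresholds and telemetry are constructed."""

# Constructed telemetry per VM: request rate observed and fraction of health
# probes answered. A VM absorbing a flood shows a high rate and failing probes.
HEALTH = {
    "vm1": {"rps": 90000, "probe_ok": 0.05},
    "vm2": {"rps": 85000, "probe_ok": 0.10},
    "vm3": {"rps": 120, "probe_ok": 1.00},
}
WORKLOAD = {"web": "vm1", "api": "vm2", "batch": "vm3"}   # service -> serving VM
FREE_ADDRESSES = ["10.9.0.11", "10.9.0.12", "10.9.0.13"]   # constructed cloud pool
BASELINE_RPS = 500     # constructed normal load per VM
PROBE_FLOOR = 0.90     # probe success below this counts as unavailable


def unavailable(health, baseline=BASELINE_RPS, floor=PROBE_FLOOR):
    """VMs whose probes fail while request volume is far above baseline."""
    return sorted(vm for vm, h in health.items()
                  if h["probe_ok"] < floor and h["rps"] > 10 * baseline)


def provision_replicas(vms, pool):
    """Ask the cloud layer (simulated by the address pool) for one scaled
    replica VM' per attacked VM, built from the common image. Returns {vm: replica}."""
    pool = list(pool)
    replicas = {}
    for vm in vms:
        if not pool:
            raise RuntimeError("no capacity left to expand")
        replicas[vm] = {"name": vm + "'", "addr": pool.pop(0)}
    return replicas


def shift_workload(workload, replicas):
    """Re-point each service served by an attacked VM at its replica; the attacked
    VMs keep absorbing the flood while the replicas serve legitimate clients."""
    return {svc: replicas[vm]["name"] if vm in replicas else vm
            for svc, vm in workload.items()}


def reroute_rules(workload, replicas):
    """Forwarding changes for the SDN controller: one destination-rewrite rule
    per shifted service (OpenFlow-style set-field, constructed format)."""
    return [{"match": {"service": svc},
             "actions": [("set_ipv4_dst", replicas[vm]["addr"]), ("output", "normal")]}
            for svc, vm in workload.items() if vm in replicas]


def respond_to_ddos(health=HEALTH, workload=WORKLOAD, pool=FREE_ADDRESSES):
    """The whole loop: detect, expand, shift, and emit the route modifications."""
    attacked = unavailable(health)
    replicas = provision_replicas(attacked, pool)
    return attacked, shift_workload(workload, replicas), reroute_rules(workload, replicas)


if __name__ == "__main__":
    attacked, new_map, rules = respond_to_ddos()
    print("unavailable:", attacked)
    print("service map:", new_map)
    for r in rules:
        print(r)
```

The availability test deliberately combines two signals. Failing probes alone would also trip on an ordinary outage, and high request volume alone would trip on a legitimate traffic surge; a VM that shows both is the case the slide is about, and it is the one for which expansion rather than repair is the right response.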

Page 11: Security Advantages of Software-Defined Networking

Implications for Attendees

- Application for virtual data center design
- Source selection in ISP/MSP services
- Design base for virtualizing micro-segments
- New platform for MSSP operations
- Modified set of compliance issues for security