2. Michael Berman, CISSP, NSA-IAM
• Husband, Dad, Hacker.
• Linux Kernel Engineer, Security Virtualization SME
• Most recently, CTO for Catbird Networks, Inc.
• As a humanitarian, I provide sarcasm as a free service to the needy.
• I also ski, play soccer, and free climb.
Security and Software-Defined Networks 2
3. Executive Summary
• Mobility and virtualization are accelerating the transition to cloud computing
• Data center components will have to be software-defined to meet requirements for capacity, resilience, and security
• Software-defined security is the most effective way to protect the cloud data center
4. Main Components of an OpenFlow Switch
[Diagram: a Controller (Management and Orchestration) talks over the OpenFlow Protocol, through a Secure Channel, to an OpenFlow Device (HW or SW); the device holds a Group Table and a Packet Pipeline of Flow Tables that carries traffic from inbound to outbound.]
5. Software-defined Networking (SDN)
[Diagram: the Management and Orchestration Layer (controller, SW) is decoupled from the Data Layers (device, HW or SW); each data layer is made up of Hardware Entities and Software Entities.]
6. Automation APIs
Northbound (controller->user):
• ORCHESTRATION
• Administration UI
• Horizontal integration with other element managers
• Defines network parameters and membership
• Provides higher-level object management
Southbound (controller->device):
• SCALING
• Packet forwarding
• Programmable per flow
• Maps policies to entities
• Implements logical policies
• Enumerates groups into constituents
7. Value
Not SDN (often proprietary):
• set vtp domain cisco mode server
• set vlan 2 name cisco_vlan_2
• set vlan 2 3/1-12
• …
• Device-based
• Special purpose hardware
• Unique to vendor
SDN (open system):
• Hr_sharepoint allow hr_users
• Pepsi deny Coke
• US_agency deny China except public_web_tier
• …
• Server-based
• General purpose CPU
• Multi-vendor
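The logical policy lines on the SDN side of this slide, combined with the southbound "maps policies to entities" and "enumerates groups into constituents" functions from the Automation APIs slide, as an added Python example that is not from the deck or from Catbird. The rule grammar, the group inventory and the addresses are assumptions, and a fourth rule is constructed so the "except" clause has an observable effect.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
# Constructed inventory: logical groups and their constituent entities (VM addresses are assumed).
GROUPS: Dict[str, List[str]] = {
    "hr_users": ["10.1.0.11", "10.1.0.12"],
    "Hr_sharepoint": ["10.2.0.5"],
    "Pepsi": ["10.3.0.10"],
    "Coke": ["10.3.0.20"],
    "China": ["10.4.0.30"],
    "US_agency": ["10.5.0.40", "10.5.0.41"],
    "public_web_tier": ["10.5.0.41"],   # a subset of US_agency
}

@dataclass(frozen=True)
class Rule:
    dst_group: str                      # the object being protected
    action: str                         # "allow" or "deny"
    src_group: str                      # the subject whose traffic is governed
    except_group: Optional[str] = None  # destinations carved out of the rule

def parse_rule(text: str) -> Rule:
    """Parse '<dst_group> allow|deny <src_group> [except <group>]' (assumed grammar)."""
    t = text.split()
    if len(t) not in (3, 5) or t[1] not in ("allow", "deny") or (len(t) == 5 and t[3] != "except"):
        raise ValueError(f"malformed rule: {text!r}")
    unknown = [n for n in (t[0], t[2], *t[4:5]) if n not in GROUPS]
    if unknown:  # refuse silently-empty groups: a typo must not become an empty rule
        raise ValueError(f"unknown group(s) {unknown} in rule {text!r}")
    return Rule(t[0], t[1], t[2], t[4] if len(t) == 5 else None)

def compile_rule(rule: Rule) -> List[Tuple[str, str, str]]:
    """Southbound step: enumerate groups into constituents and emit per-flow (src, dst, action)."""
    carve_out = set(GROUPS[rule.except_group]) if rule.except_group else set()
    return [(src, dst, rule.action)
            for src in GROUPS[rule.src_group]
            for dst in GROUPS[rule.dst_group]
            if dst not in carve_out]

def decide(flows: List[Tuple[str, str, str]], src: str, dst: str) -> str:
    """Flow-table lookup: first matching entry wins; unmatched traffic is dropped (default deny)."""
    for s, d, action in flows:
        if s == src and d == dst:
            return action
    return "deny"

# The deck's three sample rules plus one constructed rule that gives the 'except' clause something to do.
POLICY = ["Hr_sharepoint allow hr_users", "Pepsi deny Coke",
          "US_agency deny China except public_web_tier", "public_web_tier allow China"]
FLOWS = [entry for line in POLICY for entry in compile_rule(parse_rule(line))]
```

Without the "except" carve-out, the deny entry for 10.5.0.41 would be emitted first and shadow the later allow rule, which is the ordering pitfall a policy engine has to handle.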
8. Data Center Implications of SDN
• Supports rapid scaling
• Improved automation
• Service capacity shifts automatically where needed
• Better user experience
• Commoditization of networking
9. Security … It’s Your Choice
[Image: two options, Fail or Evolve]
10. Securing Software-defined Networking
[Diagram: the layered SDN model annotated with security controls: audit, manage, and control privileged activities at the Management and Orchestration Layer; enforce secure configuration and auditing at the Data Layers; logical isolation with policy-driven automation for the Hardware Entities and Software Entities.]
11. Infrastructure is Evolving
• Software driving cloud innovation
• Use of more than one platform or cloud is practically inevitable
• Mobile (e.g., smartphones and tablets) adoption increasing exponentially
Security technology must evolve
12. Key Properties of Security Virtualization
• Decoupled from hardware
• Faithful reproduction of the physical network security model in the virtual space, including security for both physical and virtual workloads
• Follow the operational model of compute virtualization
• Compatible with any hypervisor platform
• Logical isolation, audit, and security for workloads and control plane elements
• Cloud performance and scale
• Open API for provisioning and control
13. Software-defined Security (SDS)
[Diagram: the same decoupled model as the SDN slide: the Management and Orchestration Layer (controller, SW) is separated from the Data Layers (device, HW or SW) and their Hardware Entities and Software Entities.]
14. Implications
Need to Know:
• Users
• Software
• Assets
• Connections
• Policies
Don’t Need to Know:
• Vendor
• IP address
• Location
• Virtual, physical, mobile
• Wire speed
15. Risk Analysis
Exposure Increased (small increase in risk):
• Automation failure
• API failure
• Control failure
• Software failure
• Human failure
Exposure Decreased (large decrease in risk):
• Hardware failure
• Capacity failure
• Availability failure
• Security failure
• Human failure
16. Top-5 Controls
1. Inventory of SDN elements (e.g., controllers, devices, privileged users)
2. Isolation and access control for Northbound and Southbound APIs (e.g., orchestration, administration, and configuration)
3. Auditing and change management
4. Secure configuration management
5. Continuous vulnerability management and remediation
17. SDS Systems are Evolving
18. Software-defined Security Examples
• Firewall
– Virtual firewalls are not a “bump in the wire”; they are a module inserted into the stream path of a vNIC.
• NAC
– Network access control is not enforced within the access layer; it is enforced in the management layer.
• Configuration
– Instead of requiring an agent or network scan, secure configurations may be checked out of band, even when the asset is powered off.
19. Advantages of Security Virtualization
• Perfect inventory
• Everywhere it is needed
• Lower cost
• More automated
• Simpler
• Faster evolution
[Image caption: Cylon Hybrid, the central control for a Cylon Basestar]
20. IT Business Process Re-engineering
The organization and process must adapt to increased automation and orchestration. Cross-functional teams of subject matter experts will best enable IT to rapidly deliver secure and elastic services on-demand. Leading IT teams are already shifting from DevOps to DevSecOps.
21. RACI for Software-Defined Security
• Responsible: Firewall or Network Security personnel
– Define policies
– Implement automation
• Accountable: CIO or CISO
– Approve policies
– Review metrics (e.g., compliance and performance)
• Consulted: Infrastructure and Application Architects
– Provide requirements
– Validate implementation
• Informed: IT Audit personnel
– Audit automation behavior
– Audit policy compliance
22. In closing
• Security virtualization will drastically improve the protection of sensitive data while at the same time simplifying the application of these protective capabilities.
• The most effective use of security virtualization will require changes to IT staffing, processes, and procedures.
• Security virtualization is disruptive to the way security “has always been doing it.”
23. Thank you
Michael Berman
Email: xtanjx at “gee mail” dot com
LinkedIn: mberman
Twitter: @_mberman
Blog: Grok Security
25. Decoupled from Hardware
• Simplifies data center resiliency and failover
• Reduces upgrade costs
• Enables "designed-in" security across data center fabric
• Scaling enhanced due to elimination of architectural constraints
• Hardware refresh cycle and technology advance is accelerated due to shortened engineering cycle
• CPU resource pool remains uniform
26. Reproduce Network Security Model
• Defense in depth
• Segmentation of data
• Access control
• Separation of duties
Corresponding controls (source: SANS):
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
27. Operational Model of Compute Virtualization
• Enable scaling, elasticity, mobility, and seamless disaster recovery
• Conversion of security tools into software objects and the creation of new tools and capabilities for deployment, automation, and recovery of security capabilities
• Auto-deployment, automation, and orchestration of security tools
• The cloud compute model impacts the culture of security within IT, requiring the transition of security professionals into new operational roles that are more flexible and more broadly defined.
28. Compatible with any Hypervisor
• Security virtualization must be platform independent and capable of protecting workloads in any data center. While it's not clear how many platforms will be in common use, I assert that there will be at least four:
1. VMware
2. RHEV (KVM)
3. HyperV
4. Mobile (ultimately there will be more than one here)
• Therefore, as workloads are established on multiple platforms in multiple locations by any given entity, security virtualization must support a single security policy model across these platforms.
29. Logical isolation, audit, and security
• Logical isolation, rather than some form of physical segmentation, enables diverse workloads of differing sensitivity to run anywhere.
• Mixed workloads will then run most efficiently when allowed to run within common resource pools for CPU, memory, storage, and networking.
• Security virtualization must also audit and protect the management objects, tools, and APIs that are utilized to provision, modify, or delete workloads, objects, and resources.
• Logical isolation enables multi-compartment zoning of workloads with the requisite capabilities for cross-domain security in both private and public clouds.
• Policies are not required to identify layer 3 or 4 attributes. Security virtualization enforces policies within each specific trust zone, even when this zone spans multiple data centers.
30. Cloud performance and scale
• Large-scale compute clouds are composed of thousands to millions of entities.
• Security virtualization must enable resilient and protected operations at this scale.
• This requires new security management architectures, analytics, and closed-loop controls that operate across millions of protected objects in multiple locations.
• Additionally, cloud performance is not just IOPS or CPU cycles; it is also the capability to elastically provision, modify, and decommission security entities on demand.
31. Open API
• Security virtualization must be integrated with provisioning, management, and operations of the data center.
• These APIs will fit into the management stacks developed for each hypervisor platform.
• Vendors must be able to interoperate with a common protocol (e.g., SCAP).
• Products must support orchestration by 3rd party management, workflow, and incident management systems.