Security and Software-Defined Networks


Unravel the Enigma of Insecurity
Michael Berman, CISSP, NSA-IAM
• Husband, Dad, Hacker.
• Linux Kernel Engineer, Security Virtualization
  SME
• Most recently, CTO for Catbird Networks, Inc.
• As a humanitarian, I provide sarcasm as a free
  service to the needy.
• I also ski, play soccer, and free climb.

                Security and Software-Defined Networks   2
Executive Summary
• Mobility and virtualization are accelerating the
  transition to cloud computing
• Data center components will have to be
  software-defined to meet requirements for
  capacity, resilience, and security
• Software-defined security is the most effective
  way to protect the cloud data center


Main Components of an OpenFlow Switch

[Diagram] The Controller (under Management and Orchestration) speaks the OpenFlow Protocol to an OpenFlow Device (HW or SW). Inside the device: a Secure Channel to the controller, a Group Table, and a Packet Pipeline of Flow Tables carrying traffic from inbound to outbound.
Software-defined Networking (SDN)
[Diagram] The Management and Orchestration Layer (controller, SW) is decoupled from the Data Layers (device, HW or SW), which are made up of Hardware Entities and Software Entities.
Automation APIs
Northbound (controller->user)
• ORCHESTRATION
• Administration UI
• Horizontal integration with other element managers
• Defines network parameters and membership
• Provides higher-level object management

Southbound (controller->device)
• SCALING
• Packet forwarding
• Programmable per flow
• Maps policies to entities
• Implements logical policies
• Enumerates groups into constituents
Value
Not SDN (often proprietary)
• set vtp domain cisco mode server
• set vlan 2 name cisco_vlan_2
• set vlan 2 3/1-12
• …
• Device-based
• Special purpose hardware
• Unique to vendor

SDN (open system)
• Hr_sharepoint allow hr_users
• Pepsi deny Coke
• US_agency deny China except public_web_tier
• …
• Server-based
• General purpose CPU
• Multi-vendor
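As an added example (not code from the deck or from Catbird), the following Python compiles logical policies written in the slide-7 style into per-entity rules, which is the southbound work the Automation APIs slide lists: mapping policies to entities and enumerating groups into constituents. It assumes a reading of "RESOURCE allow|deny PEER except GROUP" as "traffic from PEER to RESOURCE, except for the RESOURCE-side entities in GROUP"; all group, entity and address names are constructed.

```python
"""Toy software-defined security policy compiler (added example, not from the slides).

A policy line "RESOURCE allow|deny PEER [except GROUP]" is read as: traffic from
PEER to RESOURCE gets the action, except where the RESOURCE-side entity belongs to
an excepted sub-group. Groups are enumerated into constituent entities first, and
addresses are bound only at enforcement time. All names below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

Groups = Dict[str, Set[str]]           # group name -> members (entities or nested groups)
Rule = Tuple[str, str, str]            # (src_entity, dst_entity, action)


@dataclass(frozen=True)
class Policy:
    resource: str                      # protected group, the traffic destination
    action: str                        # "allow" or "deny"
    peer: str                          # group whose traffic the policy is about
    exceptions: Tuple[str, ...] = ()   # resource-side sub-groups carved out

def parse_policy(line: str) -> Policy:
    """Parse 'RESOURCE allow|deny PEER [except GROUP ...]'; reject anything else."""
    tokens = line.split()
    if len(tokens) < 3 or tokens[1] not in ("allow", "deny"):
        raise ValueError(f"malformed policy: {line!r}")
    rest = tokens[3:]
    if rest and (rest[0] != "except" or len(rest) < 2):
        raise ValueError(f"malformed except clause: {line!r}")
    return Policy(tokens[0], tokens[1], tokens[2], tuple(rest[1:]))

def enumerate_group(name: str, groups: Groups,
                    seen: FrozenSet[str] = frozenset()) -> Set[str]:
    """Expand a group into its constituent entities, following nested groups.
    A name that is not a group is a single entity; membership cycles are rejected."""
    if name not in groups:
        return {name}
    if name in seen:
        raise ValueError(f"group membership cycle through {name!r}")
    members: Set[str] = set()
    for member in groups[name]:
        members |= enumerate_group(member, groups, seen | {name})
    return members

def compile_policies(policies: List[Policy], groups: Groups) -> List[Rule]:
    """Map each logical policy onto per-entity rules, preserving policy order."""
    rules: List[Rule] = []
    for p in policies:
        dsts = enumerate_group(p.resource, groups)
        for ex in p.exceptions:
            dsts -= enumerate_group(ex, groups)    # carve out the excepted tier
        srcs = enumerate_group(p.peer, groups)
        for s in sorted(srcs):
            for d in sorted(dsts):
                rules.append((s, d, p.action))
    return rules

def decide(rules: List[Rule], src_entity: str, dst_entity: str) -> str:
    """First matching rule wins; with no matching rule the answer is deny."""
    for s, d, action in rules:
        if s == src_entity and d == dst_entity:
            return action
    return "deny"

def to_flow_entries(rules: List[Rule], inventory: Dict[str, str]) -> List[Rule]:
    """Bind entity rules to current addresses at enforcement time. A workload that
    moves only changes this binding; the compiled rules and the policy stay put."""
    return [(inventory[s], inventory[d], action)
            for s, d, action in rules if s in inventory and d in inventory]

# Constructed inventory: groups may nest (public_web_tier sits inside US_agency).
GROUPS: Groups = {
    "hr_users": {"alice-laptop", "bob-laptop"},
    "Hr_sharepoint": {"sp-web-01"},
    "US_agency": {"agency-ws-01", "agency-ws-02", "public_web_tier"},
    "public_web_tier": {"agency-web-01"},
    "China": {"cn-app-01", "cn-app-02"},
}
INVENTORY: Dict[str, str] = {       # entity -> current address (constructed)
    "alice-laptop": "10.1.0.11", "bob-laptop": "10.1.0.12", "sp-web-01": "10.2.0.5",
    "agency-ws-01": "10.3.0.1", "agency-ws-02": "10.3.0.2", "agency-web-01": "10.3.0.80",
    "cn-app-01": "10.4.0.1", "cn-app-02": "10.4.0.2",
}
POLICY_TEXT = [                       # two lines from slide 7 plus one constructed allow
    "Hr_sharepoint allow hr_users",
    "US_agency deny China except public_web_tier",
    "public_web_tier allow China",
]

def demo() -> Tuple[List[Rule], List[Rule]]:
    """Compile the sample policies and bind them to the sample inventory."""
    rules = compile_policies([parse_policy(line) for line in POLICY_TEXT], GROUPS)
    return rules, to_flow_entries(rules, INVENTORY)

if __name__ == "__main__":
    for kind, entries in zip(("rule", "flow"), demo()):
        for entry in entries:
            print(kind, entry)
```

Re-running `to_flow_entries` with an updated inventory after a workload moves shows the point of the "Don't Need to Know: IP address" slide: the addresses in the flow entries change, the compiled rules do not.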
Data Center Implications of SDN
• Supports rapid scaling
• Improved automation
• Service capacity shifts automatically where
  needed
• Better user experience
• Commoditization of networking



Security … It’s Your Choice
Fail                               Evolve




Securing Software-defined Networking
• Management and Orchestration Layer: audit, manage, and control privileged activities
• Data Layers: enforce secure configuration and auditing
• Hardware Entities and Software Entities: logical isolation with policy-driven automation
Infrastructure is Evolving

• Software driving cloud innovation
• Use of more than one platform or cloud is
  practically inevitable
• Mobile (e.g., smartphones and tablets)
  adoption increasing exponentially

      Security technology must evolve

Key Properties of Security Virtualization
• Decoupled from hardware
• Faithful reproduction of the physical network security
  model in the virtual space, including security for both
  physical and virtual workloads
• Follow the operational model of compute virtualization
• Compatible with any hypervisor platform
• Logical isolation, audit, and security for workloads and
  control plane elements
• Cloud performance and scale
• Open API for provisioning and control

Software-defined Security (SDS)
[Diagram] Same layering as the SDN slide: the Management and Orchestration Layer (controller, SW) is decoupled from the Data Layers (device, HW or SW), which are made up of Hardware Entities and Software Entities.
Implications
Need to Know
• Users
• Software
• Assets
• Connections
• Policies

Don’t Need to Know
• Vendor
• IP address
• Location
• Virtual, physical, mobile
• Wire speed
Risk Analysis
Exposure Increased (small increase in risk)
• Automation failure
• API failure
• Control failure
• Software failure
• Human failure

Exposure Decreased (large decrease in risk)
• Hardware failure
• Capacity failure
• Availability failure
• Security failure
• Human failure
Top-5 Controls
1. Inventory of SDN elements (e.g., controllers,
   devices, privileged users)
2. Isolation and access control for Northbound
   and Southbound APIs (e.g., orchestration,
   administration, and configuration)
3. Auditing and change management
4. Secure configuration management
5. Continuous vulnerability management and
   remediation
SDS Systems are Evolving




Software-defined Security Examples
• Firewall
  – Virtual firewalls are not a “bump in the wire”; they are
    a module inserted into the stream path of a vNIC
• NAC
  – Network access control is not enforced within the
    access layer; it is enforced in the management layer.
• Configuration
  – Instead of requiring an agent or network scan, secure
    configurations may be checked out of band, even
    when the asset is powered off.

Advantages of Security Virtualization
•   Perfect inventory
•   Everywhere it is needed
•   Lower cost
•   More automated
•   Simpler
•   Faster evolution

                                      Cylon Hybrid: The central control for a Cylon Basestar


IT Business Process Re-engineering
The organization and process must adapt to increased automation and
orchestration. Cross-functional teams of subject matter experts will best enable IT
to rapidly deliver secure and elastic services on-demand. Leading IT teams are
already shifting from DevOps to DevSecOps.

RACI for Software-Defined Security
• Responsible: Firewall or Network Security personnel
   – Define policies
   – Implement automation
• Accountable: CIO or CISO
   – Approve policies
   – Review metrics (e.g., compliance and performance)
• Consulted: Infrastructure and Application Architects
   – Provide requirements
   – Validate implementation
• Informed: IT Audit personnel
   – Audit automation behavior
   – Audit policy compliance


In closing
• Security virtualization will drastically improve
  the protection of sensitive data while at the
  same time simplifying the application of these
  protective capabilities.
• The most effective use of security
  virtualization will require changes to IT
  staffing, processes, and procedures.
• Security virtualization is disruptive to the way
  security “has always been doing it.”

Thank you

Michael Berman

Email: xtanjx at “gee mail” dot com

LinkedIn: mberman

Twitter: @_mberman

Blog: Grok Security



©2009-2012 *MitchellLazear
Supplemental Material




Decoupled from Hardware
• Simplifies data center resiliency and failover
• Reduces upgrade costs
• Enables "designed-in" security across data center
  fabric
• Scaling enhanced due to elimination of
  architectural constraints
• Hardware refresh cycle and technology advance
  is accelerated due to shortened engineering cycle
• CPU resource pool remains uniform

Reproduce Network Security Model
• Defense in depth
• Segmentation of data
• Access control
• Separation of duties

1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
(source: SANS)
Operational Model of Compute Virtualization

• Enable scaling, elasticity, mobility, and seamless disaster
  recovery
• Conversion of security tools into software objects and the
  creation of new tools and capabilities for deployment,
  automation, and recovery of security capabilities
• Auto-deployment, automation, and orchestration of security
  tools
• The cloud compute model impacts the culture of security
  within IT, requiring the transition of security professionals into
  new operational roles that are more flexible and more broadly
  defined.

Compatible with any Hypervisor
• Security virtualization must be platform independent
  and capable of protecting workloads in any data center.
  While it's not clear how many platforms will be in
  common use, I assert that there will be at least four:
     1.   VMware
     2.   RHEV (KVM)
     3.   HyperV
     4.   Mobile (ultimately there will be more than one here)
• Therefore as workloads are established on multiple
  platforms in multiple locations by any given entity,
  security virtualization must support a single security
  policy model across these platforms.
Logical isolation, audit, and security
•   Logical isolation, rather than some form of physical segmentation, enables diverse
    workloads of differing sensitivity to run anywhere.
•   Mixed workloads will then run most efficiently when allowed to be run within
    common resource pools for CPU, Memory, Storage, and Networking.
•   Security virtualization must also audit and protect the management objects, tools,
    and APIs that are utilized to provision, modify, or delete workloads, objects, and
    resources.
•   Logical isolation enables multi-compartment zoning of workloads with the
    requisite capabilities for cross-domain security in both private and public clouds.
•   Policies are not required to identify layer 3 or 4 attributes. Security virtualization
    enforces policies within each specific trust zone, even when this zone spans
    multiple data centers.




Cloud performance and scale
• Large-scale compute clouds are composed of
  thousands to millions of entities.
• Security virtualization must enable resilient and
  protected operations at this scale.
• This requires new security management architectures,
  analytics, and closed-loop controls that operate across
  millions of protected objects in multiple locations.
• Additionally, cloud performance is not just IOPS or CPU
  cycles, it is also the capability to elastically provision,
  modify, and decommission security entities on
  demand.
Open API
• Security virtualization must be integrated with
  provisioning, management, and operations of the
  data center.
• These APIs will fit into the management stacks
  developed for each hypervisor platform.
• Vendors must be able to interoperate with a
  common protocol (e.g., SCAP)
• Products must support orchestration by 3rd party
  management, workflow, and incident
  management systems.

Hh 2012-mberman-sds2

  • 1. Security and Software-Defined Networks Unravel the Enigma of Insecurity 1
  • 2. Michael Berman, CISSP, NSA-IAM • Husband, Dad, Hacker. • Linux Kernel Engineer, Security Virtualization SME • Most recently, CTO for Catbird Networks, Inc. • As a humanitarian, I provide sarcasm as a free service to the needy. • I also ski, play soccer, and free climb. Security and Software-Defined Networks 2
  • 3. Executive Summary • Mobility and virtualization are accelerating the transition to cloud computing • Data center components will have to be software-defined to meet requirements for capacity, resilience, and security • Software-defined security is the most effective way to protect the cloud data center Security and Software-Defined Networks 3
  • 4. Main Components of an OpenFlow Switch Controller Management and Orchestration OpenFlow Protocol Secure Group Channel Table Flow Flow Flow inbound Table Table Table outbound Packet Pipeline OpenFlow Device (HW or SW) Security and Software-Defined Networks 4
  • 5. Software-defined Networking (SDN) Management and Orchestration Layer (controller) SW Decoupled Data Layers (device) HW or Data Layers (device) SW Hardware Software Hardware Software Entities Hardware Entities Software Entities Entities Entities Entities Security and Software-Defined Networks 5
  • 6. Automation APIs Northbound (controller->user) Southbound (controller->device) • ORCHESTRATION • SCALING • Administration UI • Packet forwarding • Horizontal integration with • Programmable per flow other element managers • Maps policies to entities • Defines network • Implements logical policies parameters and • Enumerates groups into membership constituents • Provides higher-level object management Security and Software-Defined Networks 6
  • 7. Value Not SDN (often proprietary) SDN (open system) • set vtp domain cisco mode server • Hr_sharepoint allow hr_users • set vlan 2 name cisco_vlan_2 • Pepsi deny Coke • set vlan 2 3/1-12 • US_agency deny China except • … public_web_tier • Device-based • … • Special purpose hardware • Server-based • Unique to vendor • General purpose CPU • Multi-vendor Security and Software-Defined Networks 7
  • 8. Data Center Implications of SDN • Supports rapid scaling • Improved automation • Service capacity shifts automatically where needed • Better user experience thinkgeek • Commoditization of networking Security and Software-Defined Networks 8
  • 9. Security … It’s Your Choice Fail Evolve Security and Software-Defined Networks 9
  • 10. Securing Software-defined Networking Audit, manage, and control privileged Management and Orchestration Layer activities Data Layers Enforce secure configuration and auditing Software Hardware Entities Entities Software Logical isolation Hardware Entities with policy-driven Entities automation Hardware Software Entities Entities Security and Software-Defined Networks 10
  • 11. Infrastructure is Evolving • Software driving cloud innovation • Use of more than one platform or cloud is practically inevitable • Mobile (e.g., smartphones and tablets) adoption increasing exponentially Security technology must evolve Security and Software-Defined Networks 11
  • 12. Key Properties of Security Virtualization • Decoupled from hardware • Faithful reproduction of the physical network security model in the virtual space, including security for both physical and virtual workloads • Follow the operational model of compute virtualization • Compatible with any hypervisor platform • Logical isolation, audit, and security for workloads and control plane elements • Cloud performance and scale • Open API for provisioning and control Security and Software-Defined Networks 12
  • 13. Software-defined Security (SDS) Management and Orchestration Layer (controller) SW Decoupled Data Layers (device) HW or Data Layers (device) SW Hardware Software Hardware Software Entities Hardware Entities Software Entities Entities Entities Entities Security and Software-Defined Networks 13
  • 14. Implications Need to Know Don’t Need to Know • Users • Vendor • Software • IP address • Assets • Location • Connections • Virtual, physical, mobile • Policies • Wire speed Security and Software-Defined Networks 14
  • 15. Risk Analysis Exposure Increased Exposure Decreased • Automation failure • Hardware failure • API failure • Capacity failure • Control failure • Availability failure • Software failure • Security failure • Human failure • Human failure Small increase in risk Large decrease in risk Security and Software-Defined Networks 15
  • 16. Top-5 Controls 1. Inventory of SDN elements (e.g., controllers, devices, privileged users) 2. Isolation and access control for Northbound and Southbound APIs (e.g., orchestration, administration, and configuration) 3. Auditing and change management 4. Secure configuration management 5. Continuous vulnerability management and remediation Security and Software-Defined Networks 16
  • 17. SDS Systems are Evolving Security and Software-Defined Networks 17
  • 18. Software-defined Security Examples • Firewall – Virtual firewalls are not a “bump in the wire” they are a module inserted into the stream-path of a vNIC • NAC – Network access control is not enforced within the access layer, it is enforced in the management layer. • Configuration – Instead of requiring an agent or network scan, secure configurations may be checked out of band, even when the asset is powered off. Security and Software-Defined Networks 18
19. Advantages of Security Virtualization
• Perfect inventory
• Everywhere it is needed
• Lower cost
• More automated
• Simpler
• Faster evolution
[Image caption: Cylon Hybrid: The central control for a Cylon Basestar]
20. IT Business Process Re-engineering
The organization and process must adapt to increased automation and orchestration. Cross-functional teams of subject matter experts will best enable IT to rapidly deliver secure and elastic services on-demand. Leading IT teams are already shifting from DevOps to DevSecOps.
21. RACI for Software-Defined Security
• Responsible: Firewall or Network Security personnel
  – Define policies
  – Implement automation
• Accountable: CIO or CISO
  – Approve policies
  – Review metrics (e.g., compliance and performance)
• Consulted: Infrastructure and Application Architects
  – Provide requirements
  – Validate implementation
• Informed: IT Audit personnel
  – Audit automation behavior
  – Audit policy compliance
22. In closing
• Security virtualization will drastically improve the protection of sensitive data while at the same time simplifying the application of these protective capabilities.
• The most effective use of security virtualization will require changes to IT staffing, processes, and procedures.
• Security virtualization is disruptive to the way security “has always been doing it.”
23. Thank you
Michael Berman
Email: xtanjx at “gee mail” dot com
LinkedIn: mberman
Twitter: @_mberman
Blog: Grok Security
24. Supplemental Material
[Image credit: ©2009-2012 *MitchellLazear]
25. Decoupled from Hardware
• Simplifies data center resiliency and failover
• Reduces upgrade costs
• Enables "designed-in" security across data center fabric
• Scaling enhanced due to elimination of architectural constraints
• Hardware refresh cycle and technology advance is accelerated due to shortened engineering cycle
• CPU resource pool remains uniform
26. Reproduce Network Security Model
Security model elements:
• Defense in depth
• Segmentation of data
• Access control
• Separation of duties
Critical controls (source: SANS):
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
27. Operational Model of Compute Virtualization
• Enable scaling, elasticity, mobility, and seamless disaster recovery
• Conversion of security tools into software objects and the creation of new tools and capabilities for deployment, automation, and recovery of security capabilities
• Auto-deployment, automation, and orchestration of security tools
• The cloud compute model impacts the culture of security within IT, requiring the transition of security professionals into new operational roles that are more flexible and more broadly defined.
28. Compatible with any Hypervisor
• Security virtualization must be platform independent and capable of protecting workloads in any data center. While it's not clear how many platforms will be in common use, I assert that there will be at least four:
  1. VMware
  2. RHEV (KVM)
  3. HyperV
  4. Mobile (ultimately there will be more than one here)
• Therefore, as workloads are established on multiple platforms in multiple locations by any given entity, security virtualization must support a single security policy model across these platforms.
29. Logical isolation, audit, and security
• Logical isolation, rather than some form of physical segmentation, enables diverse workloads of differing sensitivity to run anywhere.
• Mixed workloads will then run most efficiently when allowed to run within common resource pools for CPU, memory, storage, and networking.
• Security virtualization must also audit and protect the management objects, tools, and APIs that are used to provision, modify, or delete workloads, objects, and resources.
• Logical isolation enables multi-compartment zoning of workloads with the requisite capabilities for cross-domain security in both private and public clouds.
• Policies are not required to identify layer 3 or 4 attributes. Security virtualization enforces policies within each specific trust zone, even when this zone spans multiple data centers.
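As an added illustration (not code from the deck or from any product it mentions) of slide 14's "need to know" list and the point above that policies are keyed on trust zone and logical asset identity rather than layer 3/4 attributes, the following Python sketch evaluates a connection between two workloads and records an audit entry. The zone names, asset names, rule set and data center labels are constructed.

```python
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class Workload:
    """A protected object as the SDS layer sees it (constructed sample model)."""
    asset: str      # logical identity the policy is written against
    zone: str       # trust zone, e.g. "web", "app", "pci"
    location: str   # data center; recorded for audit, never consulted by policy
    ip: str         # runtime address; never consulted by policy

@dataclass(frozen=True)
class Rule:
    src_zone: str   # "*" matches any zone
    dst_zone: str
    service: str    # logical service name, "*" matches any
    action: str     # "allow" or "deny"

# Constructed zone policy: first match wins, unmatched traffic is denied.
ZONE_POLICY: List[Rule] = [
    Rule("web", "app", "app-rpc", "allow"),
    Rule("app", "pci", "db", "allow"),
    Rule("*", "pci", "*", "deny"),      # explicit default-deny into the PCI zone
]

def decide(src: Workload, dst: Workload, service: str,
           policy: List[Rule] = ZONE_POLICY) -> str:
    """Return "allow" or "deny" using only zone and service, never IP/location."""
    for r in policy:
        if (r.src_zone in ("*", src.zone) and r.dst_zone in ("*", dst.zone)
                and r.service in ("*", service)):
            return r.action
    return "deny"

def evaluate(src: Workload, dst: Workload, service: str, audit: List[str]) -> str:
    """Decide and append an audit record that still names both locations."""
    action = decide(src, dst, service)
    audit.append(f"{action.upper()} {src.asset}[{src.zone}@{src.location}] -> "
                 f"{dst.asset}[{dst.zone}@{dst.location}] {service}")
    return action

if __name__ == "__main__":
    log: List[str] = []
    web = Workload("web-01", "web", "dc-east", "10.1.0.5")
    app = Workload("app-01", "app", "dc-west", "10.2.0.9")   # same zone policy, other site
    db = Workload("db-01", "pci", "dc-west", "10.3.0.2")
    for s, d, svc in [(web, app, "app-rpc"), (app, db, "db"), (web, db, "db")]:
        evaluate(s, d, svc, log)
    print("\n".join(log))
```

Moving a workload (new IP, new data center) leaves the decision unchanged; only the audit record reflects the move.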
30. Cloud performance and scale
• Large-scale compute clouds are composed of thousands to millions of entities.
• Security virtualization must enable resilient and protected operations at this scale.
• This requires new security management architectures, analytics, and closed-loop controls that operate across millions of protected objects in multiple locations.
• Additionally, cloud performance is not just IOPS or CPU cycles; it is also the capability to elastically provision, modify, and decommission security entities on demand.
31. Open API
• Security virtualization must be integrated with provisioning, management, and operations of the data center.
• These APIs will fit into the management stacks developed for each hypervisor platform.
• Vendors must be able to interoperate with a common protocol (e.g., SCAP).
• Products must support orchestration by third-party management, workflow, and incident management systems.