1. www.dts-solution.com
Software Defined Security

2. DTS Solution

3. Overview
Software Defined Networking

4. SDN – Introduction
SDN separates the data and control planes of the network
and provides interfaces/APIs to provision services
collectively in the network using external systems rather
than configuring individual device.
•Control Plane:
•Logic for controlling forwarding behavior.
•Examples: routing protocols, network, middlebox, configuration.
•Data Plane:
–Forward traffic according to control plane logic Examples: IP forwarding,Layer 2 switching

5. SDN - Introduction
www.dts-solution.com
Controller
Switch
1
Switch
2
Switch
3
S-1 S-2 S-3
Path to Reach Controller
Packet Forwarding Path

6. Network Virtualization
• Network Virtualization
o Decouple the application from the underlying hardware
o Representation of one or more logical
network topologies on the same infrastructure. e.g, VLANs
Multiple logical routers on a single platform
Resource isolation in CPU, memory, bandwidth, forwarding tables,...
o Customizable routing and forwarding software
o Separate logical network from the infrastructure
o General purpose CPUs for the control plane
o Network processors and FPGAs for data plan
• Network Programmability
o "The first step in creating an improved future is developing the ability to envision it.“
o Implementaition: mininet (open source, Linux based)

7. Network Virtualization
• SDN separates data plane and control plane
• Virtual networks separate logical and physical networks
• SDN can be a useful tool for implementing virtual
networks

8. Network Virtualization

9. SDN - Separation
● Independent evolution and development independently of the hardware
● Control from high-level software program
● Data centers: VM migration, Layer 2 routing
● Routing: More control over decision logic
● Enterprise networks: Security applications
● Example: Data Centers (Yahoo!)
○ 20,000 servers/cluster = 400,000 VMs
■ Any-to-any, 1024 distinct inter-host links
■ Sub-second migration, guaranteed consistency
■ Solution: Program switch from a central database.
Scalability:
■ Control elements responsible for many forwarding elements (often, thousands)
Reliability/Security:
■ What happens when a controller fails or is compromised?

10. SDN - Opportunities
● Dynamic Access Control
● Seamless Mobility/Migration
● Centralized Network State
● Server Load Balancing
● Network Virtualization
● Usingmultiple wireless access points
● Energy efficient networking
● Adaptive traffic monitoring
● Denial of Service attack detection

11. SDN - Challenges in separation
• Control and data plane separation
o Scalability:Routing decisions for many routers
o Reliability: Correct operation under failure
o Consistency: Ensuring consistency across multiple control
replicas
• Hierarchy, aggregation, clever state mangement and distribution

12. SDN & Security
● The flow paradigm is ideal for security processing because it offers an end-to-end,
service-oriented connectivity model that is not bound by traditional routing
constraints.
● Logically centralized control allows for effective performance and threat monitoring
across the entire network.
● Granular policy management can be based on application, service, organization, and
geographical criteria rather than physical configuration.
● Resource-based security policies enable consolidated management of diverse devices
with various threat risks, from highly secure firewalls and security appliances to access
devices.
● Dynamic and flexible adjustment of security policy is provided under programmatic
control.
● Flexible path management achieves rapid containment and isolation of intrusions
without impacting other network users

13. SDN - Implementation
● OpenFlow: SDN and OpenFlow are often
used (incorrectly) interchangeably
○ opendaylight (java)
○ NOX, POX (python implementation)
○ Beacon
● Juniper Contrail
● Cisco One

14. SDN - OpenFlow
OpenStandard and OpenSource
OpenFlow controller:
A software which runs on a standard hardware
OpenFlow enabled switch: openvswitch, hp,
ibm and now juniper

15. SDN - OpenFlow

16. SDN - OpenFlow

17. SDN - OpenFlow
Forwarding Decisions
● Layer 2 (srcmac,dstmac, vlans)
● Layer3 (srcip,srcport,dstip,dstport)
● Or any of the layers (even 7)
● Push,Pop MPLS labels,VLAN-IDs (v 1.3)

18. SDN - Mininet
• Network virtualization tool that works on Linux
• Emulate your network before going to
production (multiple DP, MPLS L2,3 VPNs)

19. SDN - OVS (OpenVSwitch)
o OpenSource virtual switch, can be used as control plane
on real switches or between VMs same as VMware
switch.
o has its own controller which behaves like a hub
o Can connect to a separate OpenFlow controller.
o Used in mininet to emulate Network Virtualization and
KVM for switching between VMs

20. SDN - OpenFlow Applications
• Load balancer: A simple switch can be
used for server and/or link load balancing
• Packet Filter: A simple switch can be used
to filter traffic.
• Policy routing: