
DTS Solution - Software Defined Security v1.0

  1. Software Defined Security (www.dts-solution.com)
  2. DTS Solution
  3. Overview: Software Defined Networking
  4. SDN – Introduction
     SDN separates the data and control planes of the network and provides interfaces/APIs to provision services collectively across the network from external systems, rather than configuring each device individually.
     • Control plane: the logic that controls forwarding behaviour. Examples: routing protocols, network and middlebox configuration.
     • Data plane: forwards traffic according to the control plane's logic. Examples: IP forwarding, Layer 2 switching.
  5. SDN – Introduction (diagram: a Controller above Switch 1, Switch 2 and Switch 3 (S-1, S-2, S-3); the path each switch uses to reach the controller is shown separately from the packet forwarding path between switches)
  6. Network Virtualization
     • Network virtualization
       ○ Decouple the application from the underlying hardware
       ○ Representation of one or more logical network topologies on the same infrastructure, e.g. VLANs, multiple logical routers on a single platform, resource isolation in CPU, memory, bandwidth, forwarding tables, ...
       ○ Customizable routing and forwarding software
       ○ Separate the logical network from the infrastructure
       ○ General-purpose CPUs for the control plane
       ○ Network processors and FPGAs for the data plane
     • Network programmability
       ○ "The first step in creating an improved future is developing the ability to envision it."
       ○ Implementation: Mininet (open source, Linux based)
  7. Network Virtualization
     • SDN separates the data plane and the control plane
     • Virtual networks separate logical and physical networks
     • SDN can be a useful tool for implementing virtual networks
  8. Network Virtualization (slide contains only a figure)
  9. SDN – Separation
     • Independent evolution and development, independent of the hardware
     • Control from a high-level software program
     • Data centers: VM migration, Layer 2 routing
     • Routing: more control over the decision logic
     • Enterprise networks: security applications
     • Example: data centers (Yahoo!)
       ○ 20,000 servers/cluster = 400,000 VMs
         ■ Any-to-any, 1024 distinct inter-host links
         ■ Sub-second migration, guaranteed consistency
         ■ Solution: program the switches from a central database
     • Scalability:
       ○ Control elements responsible for many forwarding elements (often thousands)
     • Reliability/Security:
       ○ What happens when a controller fails or is compromised?
  10. SDN – Opportunities
     • Dynamic access control
     • Seamless mobility/migration
     • Centralized network state
     • Server load balancing
     • Network virtualization
     • Using multiple wireless access points
     • Energy-efficient networking
     • Adaptive traffic monitoring
     • Denial of Service attack detection
  11. SDN – Challenges in separation
     • Control and data plane separation
       ○ Scalability: routing decisions for many routers
       ○ Reliability: correct operation under failure
       ○ Consistency: ensuring consistency across multiple control replicas
     • Hierarchy, aggregation, clever state management and distribution
  12. SDN & Security
     • The flow paradigm is ideal for security processing because it offers an end-to-end, service-oriented connectivity model that is not bound by traditional routing constraints.
     • Logically centralized control allows effective performance and threat monitoring across the entire network.
     • Granular policy management can be based on application, service, organization and geographical criteria rather than on physical configuration.
     • Resource-based security policies enable consolidated management of diverse devices with varying threat risks, from highly secure firewalls and security appliances to access devices.
     • Dynamic and flexible adjustment of security policy is provided under programmatic control.
     • Flexible path management achieves rapid containment and isolation of intrusions without impacting other network users.
  13. SDN – Implementation
     • OpenFlow: SDN and OpenFlow are often (incorrectly) used interchangeably
       ○ OpenDaylight (Java)
       ○ NOX, POX (Python implementation)
       ○ Beacon
     • Juniper Contrail
     • Cisco One
  14. SDN – OpenFlow
     • Open standard and open source
     • OpenFlow controller: software that runs on standard hardware
     • OpenFlow-enabled switch: Open vSwitch, HP, IBM and now Juniper
  15. SDN – OpenFlow (slide contains only a figure)
  16. SDN – OpenFlow (slide contains only a figure)
  17. SDN – OpenFlow Forwarding Decisions
     • Layer 2 (src MAC, dst MAC, VLANs)
     • Layer 3 (src IP, src port, dst IP, dst port)
     • Or any of the layers (even 7)
     • Push/pop MPLS labels and VLAN IDs (v1.3)
  18. SDN – Mininet
     • Network virtualization tool that runs on Linux
     • Emulate your network before going to production (multiple data planes, MPLS L2/L3 VPNs)
  19. SDN – OVS (Open vSwitch)
     • Open-source virtual switch; can be used as the control plane on real switches or between VMs, like the VMware switch.
     • Has its own controller, which behaves like a hub
     • Can connect to a separate OpenFlow controller
     • Used in Mininet to emulate network virtualization, and in KVM for switching between VMs
  20. SDN – OpenFlow Applications
     • Load balancer: a simple switch can be used for server and/or link load balancing
     • Packet filter: a simple switch can be used to filter traffic
     • Policy routing:
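The deck's core claims (slide 4's control/data plane split, slide 12's "flow paradigm" for security, slide 17's header-field matching and slide 20's packet filter) can be made concrete with a small model. The following is an added example written for this page; it is not code from DTS Solution, POX or Open vSwitch, and the class names, action strings and priorities are choices made here to mirror OpenFlow behaviour rather than any real API. The "switch" holds a priority-ordered flow table and punts table misses to a "controller" that learns MAC-to-port mappings and installs reactive flows, while a static deny rule for TCP/23 to 10.0.0.1 (a constructed address) sits at a higher priority so it wins even once a learned forwarding flow for the same destination exists. The traffic in `demo()` is constructed.

```python
# Toy OpenFlow switch + controller model (constructed example, not POX/OVS code).
from dataclasses import dataclass, field
from typing import Dict, List

# Action vocabulary of the toy switch (names chosen here, not OpenFlow constants).
FLOOD = "FLOOD"            # send out every port except the ingress port
CONTROLLER = "CONTROLLER"  # table miss: punt the packet to the controller
DROP = "DROP"              # discard silently

Headers = Dict[str, object]


@dataclass(order=True)
class FlowEntry:
    """One flow-table entry: header fields absent from `match` are wildcards."""
    priority: int
    match: Headers = field(compare=False)
    action: str = field(compare=False)

    def matches(self, pkt: Headers) -> bool:
        return all(pkt.get(k) == v for k, v in self.match.items())


class Switch:
    """Data plane: highest-priority matching entry wins; no match = table miss."""

    def __init__(self, dpid: str) -> None:
        self.dpid = dpid
        self.table: List[FlowEntry] = []

    def add_flow(self, priority: int, match: Headers, action: str) -> None:
        self.table.append(FlowEntry(priority, match, action))
        self.table.sort(reverse=True)  # keep highest priority first

    def lookup(self, pkt: Headers) -> str:
        for entry in self.table:
            if entry.matches(pkt):
                return entry.action
        return CONTROLLER


class Controller:
    """Control plane: a MAC-learning application plus a static deny policy."""

    LEARNED = 10   # priority of reactively installed forwarding flows
    POLICY = 100   # the security policy must outrank anything learned

    def __init__(self) -> None:
        self.mac_to_port: Dict[str, Dict[str, int]] = {}

    def install_policy(self, sw: Switch) -> None:
        # Block telnet (TCP/23) towards the constructed server 10.0.0.1 at this switch.
        sw.add_flow(self.POLICY,
                    {"ip_proto": 6, "ip_dst": "10.0.0.1", "tcp_dst": 23}, DROP)

    def packet_in(self, sw: Switch, pkt: Headers, in_port: int) -> str:
        """Handle a table miss: learn the source port, then forward or flood."""
        learned = self.mac_to_port.setdefault(sw.dpid, {})
        learned[pkt["eth_src"]] = in_port
        out_port = learned.get(pkt["eth_dst"])
        if out_port is None:
            return FLOOD  # unknown destination: flood, install nothing
        # Known destination: push a flow so later packets stay in the data plane.
        sw.add_flow(self.LEARNED, {"eth_dst": pkt["eth_dst"]}, f"port:{out_port}")
        return f"port:{out_port}"


def forward(sw: Switch, ctl: Controller, pkt: Headers, in_port: int) -> str:
    """One packet through the switch; the controller is consulted only on a miss."""
    action = sw.lookup(pkt)
    if action == CONTROLLER:
        action = ctl.packet_in(sw, pkt, in_port)
    return action


def demo() -> List[str]:
    """Constructed traffic: host h1 (on port 2) talks to a server (on port 1)."""
    sw, ctl = Switch("s1"), Controller()
    ctl.install_policy(sw)
    h1, srv = "00:00:00:00:00:01", "00:00:00:00:00:02"
    http = {"eth_src": h1, "eth_dst": srv, "ip_src": "10.0.0.2",
            "ip_dst": "10.0.0.1", "ip_proto": 6, "tcp_dst": 80}
    reply = {"eth_src": srv, "eth_dst": h1, "ip_src": "10.0.0.1",
             "ip_dst": "10.0.0.2", "ip_proto": 6, "tcp_dst": 40000}
    telnet = dict(http, tcp_dst=23)
    return [
        forward(sw, ctl, http, 2),    # server MAC unknown -> FLOOD
        forward(sw, ctl, reply, 1),   # h1 already learned -> port:2 (flow installed)
        forward(sw, ctl, http, 2),    # server now learned -> port:1 (flow installed)
        forward(sw, ctl, telnet, 2),  # policy entry outranks the learned flow -> DROP
    ]


if __name__ == "__main__":
    print(demo())  # ['FLOOD', 'port:2', 'port:1', 'DROP']
```

The fourth packet is the point of the model: after the third packet a learned flow for the server's MAC exists in the data plane, yet the telnet attempt is still dropped without ever reaching the controller, because priority ordering, not rule age, decides the match. Reversing the two priority constants would let the learned forwarding entry shadow the policy, which is the kind of ordering mistake a review of real OpenFlow rule sets should look for.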