O slideshow foi denunciado.
Utilizamos seu perfil e dados de atividades no LinkedIn para personalizar e exibir anúncios mais relevantes. Altere suas preferências de anúncios quando desejar.

Security Advantages of Software-Defined Networking

1.135 visualizações

Publicada em

Current practices using wide-area routing over Internet infrastructure decentralize the control of how information is transferred. Software-Defined Networking (SDN) centralizes network control functions, offering more holistic network security management and allowing for dynamic divisioning, multivendor end-to-end security and reduced dependence on the traditional perimeter approach.

(Source: RSA USA 2016-San Francisco)

Publicada em: Tecnologia
  • Seja o primeiro a comentar

Security Advantages of Software-Defined Networking

  1. 1. SESSION ID: #RSAC Dr. Edward G. Amoroso Senior Vice President & Chief Security Officer AT&T Security Advantages of Software-Defined Networking TECH-T10
  2. 2. #RSAC Forwarding Control Forwarding Control Forwarding Control Forwarding Forwarding Control Forwarding Decentralized Control (Hardware/Software) Centralized Control (Software – SDN Controller) Traditional SDN Centralized SDN Control and Virtual Forwarding Forwarding Control Forwarding Control Forwarding Control Fast Hardware Forwarding Traditional Control Control Control Forwarding Virtualized Network Functions Forwarding Forwarding NFV
  3. 3. #RSAC Centralized SDN Security Control Centralized SDN Control SDN Infrastructure (Simplified Forwarding Devices) - Data Collection - Network Info - Holistic View - Live Threat - Forwarding Changes - Network Update - Re-routing - Live Response SDN Security App 1 SDN Security App 2 . . . SDN Control: Centralized control allows for improved security vantage point Management: Security management improves with full network visibility Applications: SDN applications provide native security control functions Data Collection: Native collection and analytics offer enhanced response Efficiency: SDN enables more immediate re-routing and infrastructure changes (Dynamic Enforcement) Enterprise Security Processes Analogous to Traditional Mainframe Security
  4. 4. #RSAC Security by Design Traditional Router Patching Response Threat DDOS ACL Monitor Traditional Security Overlay ISP/Enterprise SDN/NFV Security SDN Apps SDN Control Devices Patching Patching Patching Response Response Response Integrated Design Separate Design . . . . . . . . . Retrofit: Existing networks have been retrofit with security after-the-fact Routers: Existing router complexity degrades response and patching Native: SDN and NFV include native security embedded during design Integration: Security by design in SDN results in more integrated security Complexity: Fresh SDN and NFV design provide opportunity for simplification (Security Designed In) Traditional Network Security Done “After the Fact”
  5. 5. #RSAC Add-On Security Protections Business XYZ SDN Controller User Provisioning SDN Control API Vendor Security Tool Internet Threats XYZ Security Vendor Security Tool Image SDN Cycle Time: Reduces provisioning from weeks/months to hours/minutes Attack Response: Improves defensive posture during live cyber attack Planned Upgrade: Enhances defensive posture in advance of planned need Economics: Avoids expense of vendor hardware appliance investment Platform: Establishes underlying SDN base for cyber security product market Future of Managed Security Services: On-Demand
  6. 6. #RSAC Defense in Depth Architecture Business XYZ SDN Controller User Provisioning SDN Control API Vendor 1 Security Tool SDN API API Vendor 3 Security Tool Vendor 1 Security Tool Image Vendor 2 Security Tool Image Vendor 3 Security Tool Image XYZ Security Vendor 2 Security Tool Service Chain Cycle Time: Reduces provisioning from weeks/months to hours/minutes Attack Response: Provides multiple layers of cyber defense Tailoring: Allows design to include strengths of each vendor Chaining: Creates opportunity to create virtual security chains Platform: Abstracts hardware differences between security vendors Allows Dynamic Security Service Chaining
  7. 7. #RSAC Streamlined Security Patching SDN Patch Control App SDN Control Forwarding DevicesForwarding DevicesForwarding DevicesForwarding Devices Hypervisor Cloud Hardware SDN/NFV Threat Intelligence Common Patch Images Greatly Simplified Patching Need Centralized Enterprise Security Patch Control Cycle Time: Reduces patch cycles from weeks/months to hours/minutes Automation: SDN controllers enable automation based on intelligence Inventory: SDN/NFV infrastructure offers live inventory for common images Validation: Patch metrics and posture can be collected in real-time Simplification: Simplified devices have smaller software patch surface Allows Install of Common Patched Images
  8. 8. #RSAC Improved Incident Response Hypervisor VM 1 VM 2 VM 3 VM 4 VM 5 Cloud Hardware Centralized Enterprise Incident Response SDN Response Control App SDN/NFV Response Intelligence Wipe and Restore Swap and Restore Common Restoration Cycle Time: Reduces response from days/hours to minutes/seconds Automation: SDN/NFV approach allows response based on intelligence Inventory: Virtualization enables wipe and restore response for VMs Forensics: Restoration allows swap and capture for off-line forensics Simplification: Common hardware enables swap and restore response Hardware Swapped and Sent Intact to Forensics
  9. 9. #RSAC Perimeter Independence Private Cloud VM 1 Email “Inside the Firewall” Web Telework Partners Only Allow VM 1 Required Service Current Perimeter: Enterprise perimeter weaknesses require immediate action Micro-Perimeter: Virtualization enables embedded cloud micro-perimeters Independence: Virtualized security works In both private and public clouds APT Attacks: Virtual micro-perimeters in the cloud are resilient against APT Equivalence: With virtual security, public and private clouds are threat equivalent Public Cloud VM 2 Public and Private clouds have SAME threat profile Use of Cloud Can Exceed Existing Perimeter Security
  10. 10. #RSAC DDOS Resilience VM 1 VM 2 VM 3 Internet DDOS Attacks VM 1’ VM 2’ VM 3’ SDN Controller Auto-Provisioned Scale Expansion SDN Auto-Shift to Scaled VMs Workload VM 1, 2, 3 Under Attack (Unavailable) VM 1’, 2’, 3’ Not Under Attack (Available) DDOS Threat: Many enterprise networks remain vulnerable to Layer 3/7 DDOS Layer 3: DDOS defenses rely on more powerful defense than offense (Gbps) Layer 7: Application-level DDOs attacks likely to increase (per Layer 3 defenses) Expansion: Virtualization allows for dynamic, expansion under attack Consequence: Approach is similar to CDN expansion to reduce attack consequence Dynamic Rule and Route Modification
  11. 11. #RSAC Implications for Attendees - Application for virtual data center design - Source selection in ISP/MSP services - Design base for virtualizing micro-segments - New platform for MSSP operations - Modified set of compliance issues for security

×