Slide deck transcript (source: events.static.linuxfound.org)
Page 1
Inherent Security Design Patterns for SDN/NFV Deployments
John McDowall
Palo Alto Networks
Page 2
Drivers for Consumers and Providers of Cloud/NFV
Drivers (shown for Producers and Consumers):
• Automation
• Minimize OPEX & CAPEX
• Dynamic Resources
• Self-Service Portals
• Scalability
• Agility
• Make security easy to deploy by consumers
• No Bottlenecks
• Need well-defined security posture
• New Business Models
Page 3
“…if innovation doesn’t get ahead of the hackers, we will likely see roadblocks to rolling out new SDx applications … because of the fear that SDx Infrastructure cannot protect against and contain new attacks.”
SDxCentral SDx Infrastructure Security Report 2015 Edition
Page 4
Key Security Perspectives
• The security perimeter no longer exists.
• Understanding the Cyber Attack Pattern Lifecycle
• How do we prevent attacks with SDN/NFV?
Page 5
Preventing Across the Cyber Attack* Life Cycle
Unauthorized Access:
• Reconnaissance: Gather Intelligence
• Weaponization & Delivery: Leverage Exploit
• Exploitation: Execute Malware
Unauthorized Use:
• Command & Control: Malware Communicates with Attacker
• Actions on the Objective: Data Theft, Sabotage, Destruction
Prevention points along the chain: 1 Breach the Perimeter, 2 Deliver the Malware, 3 Lateral Movement, 4 Exfiltrate Data
* Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains, Eric M. Hutchins, Michael J. Cloppert, Rohan M. Amin, Ph.D., Lockheed Martin Corporation
Page 6
Security Challenges with NFV
• Manual Deployments: Slow and error-prone processes to enable security
• Transient Workloads: Workload lifespan is in hours, days or weeks
• Static Remediation: Lack of dynamic remediation measures
• Malware: 30,000 new malware/day
Page 7
Security Design Patterns for NFV
Page 8
Applying Zero Trust* to NFV
Foundational Security Design Pattern
* No More Chewy Centers: The Zero Trust Model of Information Security, John Kindervag, Forrester Research, 2014
• Verify and Never Trust
• Inspect and Log all Traffic
• Design Network Inside-Out
Predefine: User-Access Controls; Layer-7 Interactions
Build: Security Compliance; Auditable Entities
Enable: Fine-grained kill switch; Real-time Security Updates
Page 9
Foundation Security Blueprint
Foundational Security Design Pattern
Virtual Function Security Model (Virtual Function)
1 Prepare
• Define allowable interactions
• Add application security pattern
• Sign-off by security team
2 Deploy
• Deploy zero-trust application security pattern.
• Merge parameterized pattern with tenant instance
• Deny-All to Only-Allowed
3 Update
• Real-time Inspection
• Update threat patterns, sigs et al
• Disrupt and/or block cyber attacks
4 Remove
• Archive logs & policies
• Perform forensics
• Generate report
Page 10
Implementation of Foundation Security Pattern
Secure Encapsulation Design Pattern
Enforce zero-trust model – block all traffic until policy is applied.
Diagram: four VM-A instances, each fronted by its own Security Enforcement Point, attached to a Security Controller over a control link and to the bridge/vxlan/nic path over a data link; the enforcement point sits inline as a v-wire.
1 Security Controller: Get signed “security pattern” from VM deployment Descriptor and deploy with application.
2 Get VNI/Tenant ID for instance mapping (bridge, vxlan, nic).
Steps 3 and 4 in the diagram:
• Apply policy/tenant based on tenant ID and application security pattern retrieved from deployment.
• v-wire NFV deployed security enforcement point.
Legend: Data link; Control link.
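The controller flow above and the Deploy phase's “Deny-All to Only-Allowed” rule from the Foundation Security Blueprint, as an added Python example (not code from the deck or from Palo Alto Networks); the HMAC-SHA256 signature, the VNI-to-tenant table, the descriptor layout and the rule fields are all constructed assumptions:

```python
import hashlib
import hmac
import json

# Constructed signing key: HMAC-SHA256 stands in for whatever signature the
# real deployment tooling puts on the descriptor (an assumption, not the deck's).
SIGNING_KEY = b"constructed-demo-key"
# Constructed VXLAN VNI -> tenant ID mapping (slide step 2).
VNI_TO_TENANT = {5001: "tenant-a", 5002: "tenant-b"}

def sign_pattern(pattern):
    """Signature over the canonical JSON form of a security pattern."""
    msg = json.dumps(pattern, sort_keys=True).encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()

def build_policy(descriptor, vni):
    """Controller steps from the slide: take the signed pattern from the VM
    deployment descriptor, map VNI to tenant, and merge the parameterized
    pattern with the tenant instance into Deny-All-to-Only-Allowed rules."""
    pattern = descriptor["security_pattern"]
    # Zero trust: nothing in the pattern is used until its signature verifies.
    if not hmac.compare_digest(sign_pattern(pattern), descriptor["signature"]):
        raise ValueError("bad pattern signature: enforcement point stays blocked")
    tenant = VNI_TO_TENANT.get(vni)
    if tenant is None:
        raise ValueError("no tenant mapped for VNI %d" % vni)
    rules = [dict(tenant=tenant, action="allow", **allowed)
             for allowed in pattern["allowed_interactions"]]
    # Explicit default-deny last: only the predefined interactions pass.
    rules.append({"tenant": tenant, "src": "any", "dst": "any",
                  "app": "any", "action": "deny"})
    return rules

def evaluate(rules, tenant, src, dst, app):
    """First matching rule wins; 'any' matches everything."""
    for r in rules:
        if r["tenant"] != tenant:
            continue
        if all(r[k] in ("any", v) for k, v in
               (("src", src), ("dst", dst), ("app", app))):
            return r["action"]
    return "deny"  # no policy for this tenant at all: still blocked

# Constructed descriptor: the web tier may talk SSL to the app tier, nothing else.
PATTERN = {"allowed_interactions": [{"src": "web", "dst": "app", "app": "ssl"}]}
DESCRIPTOR = {"security_pattern": PATTERN, "signature": sign_pattern(PATTERN)}
```

A tampered pattern (for example one widened to allow everything) fails the signature check and the enforcement point never opens, which is the “block all traffic until policy is applied” behaviour the slide calls for.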
Page 11
Summary
• Security was one of the biggest impediments to deployment of NFV.
• Leveraging NFV to define a foundational pattern to protect application workloads.
• Application security patterns can now be applied to the foundational pattern to implement security from the inside out.
• Security is now a resource that scales with your NFV infrastructure.