SDN - a new security paradigm?

SDN: a new security paradigm? Lecture by Jean-Marc ANDRE, UNIWAN 2016

Upload: sophos-benelux

Posted on 17-Jan-2017


TRANSCRIPT

Page 1: SDN - a new security paradigm?

SDN: a new security paradigm?

Lecture by Jean-Marc ANDRE, UNIWAN 2016

Page 2: SDN - a new security paradigm?

Foreword

Source: Wikipedia

This lecture is a compilation of various sources and meetings, e.g. "Network Innovation through OpenFlow and SDN" by Fei Hu at CRC Press

"Software Defined Networking (SDN)" by Marco Cello at DITEN at Università di Genova

"CS 490.31 Software Defined Networks" by Xenofontas Dimitropoulos at ETH Zurich

"Software Defined Networking" by Jennifer Rexford at Princeton

"OrchSec" by Kpatcha Mazabalo Bayarou at Fraunhofer SIT, Darmstadt

"Evolution dans la gestion d’infrastructure de type Cloud (SDI)" by Stéphane Mouton at Cetic Gosselies

Manufacturers: Allied Telesis, Cisco, HP, Juniper, Sophos.

Many meetings during Cebit 2016

Special thanks to our friends from the Infopole Team (Wallonia-Belgium)

Page 3: SDN - a new security paradigm?

SDN: Software Defined Network, definition

Source: Wikipedia

Software-defined networking (SDN) is an approach to computer networking that allows network administrators to manage network services through abstraction of higher-level functionality.

This is done by decoupling the system that makes decisions about where traffic is sent (the control plane) from the underlying systems that forward traffic to the selected destination (the data plane).

Some BUZZ: Shiny-thing Desperately Needed, $ome Dollars Now

Page 4: SDN - a new security paradigm?

A Short History of SDN

Source: Marco Cello DITEN

• ~2004: Research on new management paradigms: RCP, 4D [Princeton, CMU, …]; SANE, Ethane [Stanford/Berkeley]

• 2008: Software-Defined Networking (SDN): NOX Network Operating System [Nicira]; OpenFlow switch interface [Stanford/Nicira]

• 2011: Open Networking Foundation (~69 members). Board: Google, Yahoo, Verizon, DT, Microsoft, Facebook, NTT. Members: Cisco, Juniper, HP, Dell, Broadcom, IBM, …

• 2013: Latest Open Networking Summit: 1600 attendees; Google: SDN used for their WAN; commercialized, in production use (few places)

Page 5: SDN - a new security paradigm?

Traditional Computer Networks

Figure: a traditional computer network; the management plane (human time scale) collects measurements and configures the equipment.

Source: Jennifer Rexford @ princeton

Page 6: SDN - a new security paradigm?

Legacy Network Human Middleware Can’t Scale

10,000 provisions per day x 20 commands per change = 200,000 commands per day

200,000 commands per day x 1 minute per command = 3,333 hours of effort and 420 network admins

• Time and Resource Intensive, Not Suited for Cloud Scale

Source: HP

Page 7: SDN - a new security paradigm?

What is SDN?

» SDN is a new way of looking at network infrastructure

– separates the data plane (the part that forwards packets) from the control plane (the part that decides where the packets should go)

Data plane: packet streaming. Forward, filter, buffer, mark, rate-limit, and measure packets

Control plane: distributed algorithms. Track topology changes, compute routes, install forwarding rules

Source: alliedtelesis

Page 8: SDN - a new security paradigm?

How is SDN different from what we have now?

» Traditionally, a lot of network control resides in the data forwarding devices (switches and routers).

» SDN puts control in devices called Controllers, which are themselves serving Applications running elsewhere

Source: alliedtelesis

Page 9: SDN - a new security paradigm?

Death to the Control Plane!

• Simpler management
• No need to “invert” control-plane operations

• Faster pace of innovation
• Less dependence on vendors and standards

• Easier interoperability
• Compatibility only in “wire” protocols

• Simpler, cheaper equipment
• Minimal software

Source: Jennifer Rexford @ princeton

Page 10: SDN - a new security paradigm?

Where does OpenFlow fit in?

» The terms SDN and OpenFlow are often used interchangeably

» But, OpenFlow is just a component of SDN

– A standard API for SDN controllers to communicate with network devices

Source: alliedtelesis

Page 11: SDN - a new security paradigm?

SDN architecture: this is the control/data architecture for a network running SDN

The role of OpenFlow as the standard API for controlling switches means that a large part of the network infrastructure can be standardised – one major benefit of the SDN approach

OpenFlow remotely controls the forwarding table of a switch or router

Source: alliedtelesis

Page 12: SDN - a new security paradigm?

Enterprise SDN – example application

• A school wishes to automate student access to special network resources

• Only students attending a specific class should have access to special resources for that lesson

• E.g. color printer only for graphics students

• Less restrictive internet access for media students (YouTube access, for example)

• SDN could enable the network to understand the school timetable and reconfigure student network access permissions accordingly

• Changes could occur automatically between classes!

• Even last-minute changes to the timetable could be made without disruption or stress

• No I.S. staff required to implement network changes – SDN makes it all automatic!

• This is not a dream! We are already building these applications…

Source: alliedtelesis

Page 13: SDN - a new security paradigm?

“Secure Enterprise SDN” enables customers to focus on their business rules and applications rather than on how their network is configured. Combined with powerful management tools, this lowers operating expenses and increases business agility.

Figure: Secure Enterprise SDN architecture
• Applications layer: business intelligence, applications
• Northbound API
• Control layer: SDN controller (GUI, CLI, OpenFlow, SNMP/CLI, stats, traps)
• Forwarding layer: network device (OpenFlow forwarding engine, networking protocols)
• Management spans all layers

Source: alliedtelesis

Page 14: SDN - a new security paradigm?

Data-Plane: Simple Packet Handling

• Simple packet-handling rules
• Pattern: match packet header bits
• Actions: drop, forward, modify, send to controller
• Priority: disambiguate overlapping patterns
• Counters: #bytes and #packets

1. src=1.2.*.*, dest=3.4.5.*      drop
2. src=*.*.*.*, dest=3.4.*.*      forward(2)
3. src=10.1.2.3, dest=*.*.*.*     send to controller

Source: Jennifer Rexford @ princeton

Page 15: SDN - a new security paradigm?

OpenFlow Example Controller

Figure: an OpenFlow switch (hardware layer plus a software layer running the OpenFlow client) with ports 1 to 4, controlled by a controller running on a PC; hosts 1.2.3.4 and 5.6.7.8 are attached.

Flow Table entry shown:

MAC src   MAC dst   IP src   IP dst    TCP sport   TCP dport   Action
*         *         *        5.6.7.8   *           *           port 1

Source: Xenofontas Dimitropoulos @ ETH Zurich

Page 16: SDN - a new security paradigm?

OpenFlow Basics

Source: Xenofontas Dimitropoulos @ ETH Zurich

Flow Table Entries

Rule (header fields, + mask what fields to match): Switch Port, MAC src, MAC dst, Eth type, VLAN ID, VLAN pcp, IP src, IP dst, IP prot, IP ToS, L4 sport, L4 dport

Action:
1. Forward packet to zero or more ports
2. Encapsulate and forward to controller
3. Send to normal processing pipeline
4. Modify fields
5. Any extensions you add!

Stats: packet + byte counters

Page 17: SDN - a new security paradigm?

Examples

Source: Xenofontas Dimitropoulos @ ETH Zurich

Switching

Switch Port   MAC src   MAC dst    Eth type   VLAN ID   IP src   IP dst   IP prot   TCP sport   TCP dport   Action
*             *         00:1f:..   *          *         *        *        *         *           *           port6

Flow Switching

Switch Port   MAC src   MAC dst   Eth type   VLAN ID   IP src    IP dst    IP prot   TCP sport   TCP dport   Action
port3         00:20..   00:1f..   0800       vlan1     1.2.3.4   5.6.7.8   4         17264       80          port6

Firewall

Switch: match destination MAC address; action: forward or flood

Firewall: match IP addresses and TCP/UDP port numbers; action: permit or deny

NAT: match IP address and port; action: rewrite address and port

Page 18: SDN - a new security paradigm?

Examples

Source: Xenofontas Dimitropoulos @ ETH Zurich

Routing

Switch Port   MAC src   MAC dst   Eth type   VLAN ID   IP src   IP dst    IP prot   TCP sport   TCP dport   Action
*             *         *         *          *         *        5.6.7.8   *         *           *           port6

VLAN Switching

Switch Port   MAC src   MAC dst   Eth type   VLAN ID   IP src   IP dst   IP prot   TCP sport   TCP dport   Action
*             *         00:1f..   *          vlan1     *        *        *         *           *           port6, port7, port9

• Router
• Match: longest destination IP prefix
• Action: forward out a link
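The rules on the "Simple Packet Handling" slide and the switching, firewall and routing rows above all use one matching model. As an added Python example (not from the lecture or any of its sources), here is a tiny flow table implementing it: wildcard header matching, priority to disambiguate overlapping entries, an action per entry, per-entry packet and byte counters, and a table miss that sends the packet to the controller. The FlowTable and FlowEntry names and the "src"/"dst"/"len" packet keys are assumptions of this example, not OpenFlow's API.

```python
# Added example (not from the lecture): a miniature OpenFlow-style flow table
# showing match patterns, priorities, actions and counters as on the slides.
from dataclasses import dataclass


@dataclass
class FlowEntry:
    priority: int
    match: dict   # header field -> exact value, "*" or dotted pattern like "1.2.*.*"
    action: str   # "drop", "forward(<port>)" or "controller"
    packets: int = 0
    bytes: int = 0


def field_matches(pattern, value):
    """Wildcard match: '*' matches anything, '1.2.*.*' matches octet by octet."""
    if pattern == "*":
        return True
    if "." in str(pattern):
        return all(p in ("*", v) for p, v in zip(pattern.split("."), str(value).split(".")))
    return pattern == value


class FlowTable:
    def __init__(self):
        self.entries = []

    def add(self, priority, match, action):
        self.entries.append(FlowEntry(priority, match, action))
        # keep highest priority first so it disambiguates overlapping patterns
        self.entries.sort(key=lambda e: -e.priority)

    def lookup(self, pkt):
        """Return the action for pkt and update the winning entry's counters."""
        for e in self.entries:
            if all(field_matches(v, pkt.get(f)) for f, v in e.match.items()):
                e.packets += 1
                e.bytes += pkt.get("len", 0)
                return e.action
        return "controller"   # table miss: encapsulate and send to the controller


def slide_rules():
    """The three rules from the 'Simple Packet Handling' slide, rule 1 highest."""
    t = FlowTable()
    t.add(3, {"src": "1.2.*.*", "dst": "3.4.5.*"}, "drop")
    t.add(2, {"src": "*", "dst": "3.4.*.*"}, "forward(2)")
    t.add(1, {"src": "10.1.2.3", "dst": "*"}, "controller")
    return t
```

A packet from 1.2.9.9 to 3.4.5.1 matches both rule 1 and rule 2; the priority makes the drop win, and the packet and byte counters of that entry record the hit.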

Page 19: SDN - a new security paradigm?

Secure Enterprise SDN – is reality: Allied Telesis case

The Secure Software Defined networking model is already available!

Figure: SDN controller (SES Controller) with GUI, CLI, OpenFlow v1.3, SNMP/CLI, stats, traps, business intelligence and a RESTful API; network devices (x510, x930 and DC2552XS/L3) with an OpenFlow forwarding engine and networking protocols.

Source: alliedtelesis

Page 20: SDN - a new security paradigm?

Allied Telesis Management Framework (AMF)

• AMF is an embedded technology within the AlliedWare Plus OS

• AMF saves valuable time and money by automating daily network management tasks:

• Making configuration changes to multiple units
• Backing up configurations
• Rolling out a firmware upgrade
• Adding new units to the network
• Recovering failed units with new units

Source: alliedtelesis

Page 21: SDN - a new security paradigm?

Easy Management – AMF in action

Centralized management

Auto-backup

Auto-recovery

Auto-provisioning

Auto-upgrade

Source: alliedtelesis

Page 22: SDN - a new security paradigm?

AMF virtualization

Figure: an AMF master supports up to 60 areas, each with up to 120 members; the master and controller can also run as a virtual master / virtual controller in a public cloud, reached over the internet.

Source: alliedtelesis

Page 23: SDN - a new security paradigm?

Long-term vision for AMF

Figure: an AMF controller and AMF masters managing switches, routers, wireless devices, AMF guest nodes, an SDN controller and managed video/voice devices.

AMF provides, for all devices/sensors:
• Secure infrastructure
• Centralized management
• Auto recovery
• Zero-touch installation
• Visual management

Source: alliedtelesis

Page 24: SDN - a new security paradigm?

A Helpful Analogy

From Nick McKeown’s talk “Making SDN Work” at the Open Networking Summit, April 2012

Page 25: SDN - a new security paradigm?

Analogy: MainFrame to PC

Source: Nick McKeown’s talk “Making SDN Work”

Figure: mainframe versus PC
• Mainframe: vertically integrated, closed, proprietary, slow innovation, small industry. Specialized applications on a specialized operating system on specialized hardware.
• PC: horizontal, open interfaces, rapid innovation, huge industry. Many apps, an open interface, Linux or MacOS or Windows (OS), an open interface, the microprocessor.

Page 26: SDN - a new security paradigm?

Analogy with Switches & Routers

Figure: switches and routers, past and future
• Vertically integrated, closed, proprietary, slow innovation: specialized features on a specialized control plane on specialized hardware.
• Horizontal, open interfaces, rapid innovation: many apps, an open interface, one control plane or another, an open interface, merchant switching chips.

Source: Nick McKeown’s talk “Making SDN Work”

Page 27: SDN - a new security paradigm?

Other SDN Use Cases

• Energy conservation, routing, and management in data centers
• Seamless use of diverse wireless networks
• Network based load balancing
• Traffic engineering
• Slicing and scalable remote control/management of home networks
• Experimentation with new approaches and protocols using selected production traffic
• Run virtual shadow network for traffic analysis and re-configuration
• And many more …

Page 28: SDN - a new security paradigm?

SDN Myths

Source: HP

A Software-defined Network is Not:
• Only implementing network functions in software or on a virtual machine
• Only programmable proprietary APIs for a network device or management system
• The end of hardware innovation

Page 29: SDN - a new security paradigm?

Conclusions

• SDN will change the way we will design Network Infrastructure

• Only one interface to the DATA Plane
• Separation of the control and DATA
• Leveraging techniques from distributed systems

• It’s a significant momentum for the research and the industry
• We are moving from proprietary local to open and global architecture
• Sophos goes that way, you will see ;-)

Page 30: SDN - a new security paradigm?

Further reading

• http://www.openflow.org/videos/
• Fei Hu @ CRC Press, ISBN-13: 978-1-4665-7210-2

Page 31: SDN - a new security paradigm?

Thank You

http://www.uniwan.be
Jean-Marc ANDRE
[email protected]
+32 71 84 92 90