
SDN Security: AT&T’s Domain 2.0 Transformation

Presented by AT&T Chief Security Office

Rebecca Finnin

August 8th, 2016

ISACA GEEK WEEK

© 2016 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

AGENDA

Introduction to AT&T’s Domain 2.0 and ECOMP Initiatives

Security Advantages of Domain 2.0

Security Considerations with Domain 2.0

Conclusion


Introduction: AT&T’s Domain 2.0 Initiative

NFV

Network functions virtualization (NFV) is a network architecture concept that uses the technologies of IT virtualization to virtualize entire classes of network node functions into building blocks that may connect, or chain together, to create communication services.

A virtualized network function (VNF) may consist of one or more virtual machines running different software and processes, on top of standard high-volume servers, switches and storage devices, or even cloud computing infrastructure, instead of having custom hardware appliances for each network function.

SDN

Software-defined networking (SDN) is an approach to computer networking that allows network administrators to manage network services through abstraction of lower-level functionality.

This is done by decoupling or disassociating the system that makes decisions about where traffic is sent (the control plane) from the underlying systems that forward traffic to the selected destination (the data plane).

Source: Wikipedia


Enhanced Control, Orchestration, Management & Policy (ECOMP) Approach

[Slide diagram; labels recovered from the figure:]
Engines: Orchestration, Control & Scale, Policy execution, Monitoring, Optimization, Data movement & storage, Workload shaping & placement, Analytics
Models: Resource, Services & Products, Process, Policies & Constraints, Algorithms, Attributes, Composition, Installation, Maintenance, Security
Behaviors: Real-time delivery, Self-optimizing/healing, Predictable Execution, Elastic scalability, Access control
Invariant Functions (Consistent Performance & Dynamic Operations): Modeling, Simulation & Certification; Operation, Execution & Optimization; Regulation & Policy Compliance
Instructions: SLAs/SLOs/KPIs, Diversity/Redundancy, Reliability, Flexible configurations, Dynamic Placement
Layers: Platform, Service, Service Platform; Customer Experience


ECOMP Architecture

[Slide diagram; labels recovered from the figure:]
Design Time Environment: ECOMP Portal (Design, Monitor, View / Report, Admin, User Guide); Metadata Models; Testing
Run-Time Execution: ECOMP API gateway; Orchestration; Data Aggregation; Inventory; Platform Deploy; Scheduler; IP Address Mgmt.; Visualization & Reporting; Fallout / KPI / Usage / Capacity ingestion; Data & Protocol Transformation; Software LCM; License Accounting; OSS / BSS interfaces
Frameworks: Analytics Framework (Analytics Apps); Controller Framework (Controllers); Data Collection Framework (Active Collector, Stream Agent); Security Framework (Security Apps)
VF SDKs: Onboarding, Configure, Fault, Usage, Telemetry, Test
Managed resources: VNFs, Applications, PNFs, VMs, Containers
Platform services: Event Mgmt., Data Movement, Logging, Run-Time Catalog, Access Control, Resiliency, Platform Analytics, Platform Admin., History, File Transfer / ETL


Security Advantages of Domain 2.0

• Reduce patching cycle time
• Deployment of dynamic security controls
• Streamline incident response cycle time
• Centralize control and management functions
• Scaling to absorb DDoS attacks
• Embed security controls at design time

[Slide groups these under Design Enhancements, Real-Time Capabilities and Performance Improvements]

[Slide diagram: Common Hardware running a Hypervisor, with VNFs for Tenant 1, Tenant 2 and Tenant 3]


Security Advantages of Domain 2.0: Example - DDoS Attack Resiliency

[Slide diagram: Mobile Devices (Smartphones, M2M, IoT) attach through the LTE RAN (eNodeBs) to a vEPC (vS-GW, vP-GW, vHSS, vPCRF, vPCEF, vMME) running on Common Hardware under a Hypervisor, with Virtualized IMS and connectivity to the Internet, Cloud Services and Partners; an Orchestrator manages the vMME instances]

1. Attacker creates botnet army by infecting many mobile devices with a ‘remote-reboot’ malware. Attacker instructs malware to reboot all devices at the same time. Excessive attach requests create malicious signaling storm.
2. vMME is under DDoS attack.
3. Orchestrator instantiates new VMs to scale vMME function and maintain higher traffic load during investigation.
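The control loop in step 3 is easy to get wrong in two ways: the storm must not teach the orchestrator that the new load is "normal", and scale-in must be slower than scale-out or the pool flaps. The following is an added illustration, not AT&T's orchestrator or ECOMP code. It assumes a hypothetical orchestrator that receives one attach-request rate per control interval and can instantiate or retire vMME instances; the capacity figure, thresholds and traffic trace are all constructed for the demo.

```python
"""Closed-loop scale-out of a vMME pool during an attach-request signaling storm.

Added illustration, not AT&T's orchestrator or ECOMP code. It assumes a
hypothetical orchestrator that receives one attach-request rate per control
interval and can instantiate or retire vMME instances; all thresholds and the
traffic trace are constructed for the demo.
"""
import math
from dataclasses import dataclass, field

ATTACHES_PER_INSTANCE = 2000   # assumed attach requests/s one vMME instance can serve
SCALE_OUT_UTIL = 0.80          # scale out when pooled utilisation exceeds 80 %
SCALE_IN_UTIL = 0.30           # scale in (one instance per interval) below 30 %
MIN_INSTANCES = 2
MAX_INSTANCES = 16
STORM_FACTOR = 5.0             # raise an alert when load jumps 5x over the learned baseline


@dataclass
class Orchestrator:
    instances: int = MIN_INSTANCES
    baseline: float = 0.0                          # moving average of the normal attach rate
    alerts: list = field(default_factory=list)     # (t, rate) handed to investigators
    actions: list = field(default_factory=list)    # (t, "scale_out"/"scale_in", new count)

    def capacity(self) -> int:
        return self.instances * ATTACHES_PER_INSTANCE

    def step(self, t: int, attaches_per_s: int) -> int:
        """One control-loop iteration; returns the instance count after it."""
        # Detection: compare against the baseline, and only update the baseline
        # from intervals that are not anomalous so the storm cannot poison it.
        if self.baseline > 0 and attaches_per_s > STORM_FACTOR * self.baseline:
            self.alerts.append((t, attaches_per_s))
        elif self.baseline == 0:
            self.baseline = float(attaches_per_s)
        else:
            self.baseline = 0.9 * self.baseline + 0.1 * attaches_per_s

        # Response: keep the pool serving the load while the alert is worked.
        util = attaches_per_s / self.capacity()
        if util > SCALE_OUT_UTIL and self.instances < MAX_INSTANCES:
            needed = math.ceil(attaches_per_s / (ATTACHES_PER_INSTANCE * SCALE_OUT_UTIL))
            self.instances = min(MAX_INSTANCES, max(needed, self.instances + 1))
            self.actions.append((t, "scale_out", self.instances))
        elif util < SCALE_IN_UTIL and self.instances > MIN_INSTANCES:
            self.instances -= 1                    # slow scale-in avoids flapping
            self.actions.append((t, "scale_in", self.instances))
        return self.instances


def simulate(trace):
    """Run the loop over a list of attach rates; returns (instance history, orchestrator)."""
    orch = Orchestrator()
    history = [orch.step(t, rate) for t, rate in enumerate(trace)]
    return history, orch


# Constructed trace: normal load, a five-interval reboot storm, then recovery.
DEMO_TRACE = [1000] * 5 + [20000] * 5 + [1000] * 5

if __name__ == "__main__":
    hist, orch = simulate(DEMO_TRACE)
    print("instances per interval:", hist)
    print("alerts:", orch.alerts)
    print("actions:", orch.actions)
```

On the constructed trace the pool jumps from 2 to 13 instances in the first storm interval, every storm interval produces an alert, and after the storm the pool shrinks by one instance per interval while the baseline is still the pre-storm 1000 attaches/s.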


Security Advantages of Domain 2.0: Example - Dynamic Security Control

[Slide diagram: Mobile Devices (Smartphones, M2M, IoT) reach Customer Cloud Services across the LTE RAN (eNodeBs), Virtualized IMS and the SGi interface; an SDN Controller programs vFirewalls and vRouters through a Service Abstraction Layer, with connectivity to the Internet, Cloud Services and Partners]

1. Malware on Mobile Devices sends malformed IP packets to customer cloud services.
2. SDN Controller dynamically modifies the firewall rules to thwart the attack.
3. Only valid traffic is forwarded.
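The closed loop in steps 1 to 3 is validate, count per source, push a rule southbound, and let the data plane drop. The following is an added illustration, not AT&T's SDN controller or ECOMP code. The controller class, its rule table and the malformed-packet threshold are hypothetical, and the packets are constructed inline with a minimal IPv4 header builder so the header checks (version, IHL, total length, checksum) run offline.

```python
"""Controller-driven firewall updates in response to malformed IP packets.

Added illustration, not AT&T's SDN controller or ECOMP code. The controller,
its rule table and the threshold are hypothetical, and the packets are
constructed inline; it shows the validate -> count -> push rule -> drop loop
that the slide describes.
"""
import struct
from collections import Counter

MALFORMED_THRESHOLD = 3       # assumed: push a deny rule after this many bad packets from one source
IPV4_HDR = "!BBHHHBBH4s4s"    # version/IHL, TOS, total length, ID, flags/frag, TTL, proto, checksum, src, dst


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the header's 16-bit words (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes, total_len=None, version=4) -> bytes:
    """Build a minimal IPv4 packet; total_len and version overrides let the demo craft bad ones."""
    length = 20 + len(payload) if total_len is None else total_len
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack(IPV4_HDR, (version << 4) | 5, 0, length, 0, 0, 64, 17, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def validate_ipv4(pkt: bytes):
    """Return (source, None) for a well-formed header or (source, reason) if malformed."""
    if len(pkt) < 20:
        return None, "truncated header"
    ver_ihl, _, total_len, _, _, _, _, _, src, _ = struct.unpack(IPV4_HDR, pkt[:20])
    source = ".".join(str(b) for b in src)
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        return source, "bad version"
    if ihl < 5 or ihl * 4 > len(pkt):
        return source, "bad IHL"
    if total_len < ihl * 4 or total_len > len(pkt):
        return source, "bad total length"
    if ipv4_checksum(pkt[: ihl * 4]) != 0:      # a valid header sums to zero
        return source, "bad checksum"
    return source, None


class SdnController:
    """Tracks malformed packets per source and installs deny rules on the vFirewalls."""

    def __init__(self):
        self.bad_counts = Counter()
        self.deny_rules = set()      # sources with an installed deny rule
        self.rule_log = []           # rules pushed southbound, in order

    def handle_packet(self, pkt: bytes) -> str:
        src, reason = validate_ipv4(pkt)
        if src in self.deny_rules:
            return "drop"            # matched by an already-installed rule
        if reason is None:
            return "forward"         # only valid traffic is forwarded
        self.bad_counts[src] += 1
        if src is not None and self.bad_counts[src] >= MALFORMED_THRESHOLD:
            self.deny_rules.add(src)
            self.rule_log.append(f"deny ip src {src} any  # {reason} x{self.bad_counts[src]}")
        return "drop"


def run_demo():
    """Feed constructed packets through the controller; returns (decisions, controller)."""
    ctrl = SdnController()
    bad_src, good_src, cloud = "10.0.0.5", "10.0.0.9", "198.51.100.10"
    packets = [
        build_ipv4(bad_src, cloud, b"x" * 8, total_len=600),   # length claims more than is present
        build_ipv4(bad_src, cloud, b"x" * 8, total_len=600),
        build_ipv4(bad_src, cloud, b"x" * 8, version=6),        # bogus version nibble
        build_ipv4(bad_src, cloud, b"x" * 8, version=6),        # already past the threshold
        build_ipv4(bad_src, cloud, b"legit"),                   # valid, but the source is now denied
        build_ipv4(good_src, cloud, b"legit"),                  # valid from another source
    ]
    decisions = [ctrl.handle_packet(p) for p in packets]
    return decisions, ctrl


if __name__ == "__main__":
    decisions, ctrl = run_demo()
    print(decisions)
    print("\n".join(ctrl.rule_log))
```

The threshold-before-block step matters: a single malformed packet can be a transmission error, so the rule is pushed only after repeated failures, and once pushed it applies to the source's later valid packets as well until the rule is withdrawn.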


Security Considerations with Domain 2.0:

Architecture:
• Network traffic between virtualized functions may bypass traditional security controls
• Need to isolate and protect data, control and management network traffic

Development:
• New control requirements for resilient applications
• Increased dependency on application software

Operations:
• Environment volatility requires real-time control enforcement
• Closed loop automation demands effective control design


Security Considerations with Domain 2.0: Example – VM Compromise

[Slide diagram: Common Hardware running a Hypervisor, with VNFs for Tenant 1, Tenant 2 and Tenant 3]

1. Tenant 1 is compromised via malware and attempts attacks against Tenant 2 & 3, abuse of hardware resources, exploitation of shared storage, etc.
2. Hypervisor must effect VM quarantine measures and protect other tenants.


Security Considerations with Domain 2.0: Example – Commingling High Risk Workloads

[Slide diagram: Common Hardware running a Hypervisor, with VNFs for Tenant 1, Tenant 2 and Tenant 3]

1. Tenant 1 is performing development work using poorly secured VMs. Tenant 1 VMs are exposed to the internet.
2. A multi-tenant cloud environment must enforce adequate controls to protect Tenant 1 from impacting others. At a minimum the control structure should address access controls, infrastructure hardening, inventory management, partitioning strategies, security gateways and throttling measures.


Conclusion: Domain 2.0, The Network of the Future

Speed
• Faster provisioning and time-to-market
• Effortless customer experience

Scale
• Add services on-demand, in real-time
• Big data analytics

Dynamic
• Increased reliability and flexibility
• Create new products and services quickly

Cost
• Reduced cost of hardware, operations, etc.
• Higher resource utilization

Security
• Micro perimeters
• Enhanced security mechanisms

Accessible
• Constantly connected world
• BYOD, next-gen applications, etc.
