SDN Security: AT&T’s Domain 2.0 Transformation
Presented by AT&T Chief Security Office
Rebecca Finnin
August 8th, 2016
ISACA GEEK WEEK
© 2016 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.
AGENDA
Introduction to AT&T’s Domain 2.0 and ECOMP Initiatives
Security Advantages of Domain 2.0
Security Considerations with Domain 2.0
Conclusion
Introduction: AT&T’s Domain 2.0 Initiative
NFV
Network functions virtualization (NFV) is a network architecture concept that uses the technologies of IT virtualization to virtualize entire classes of network node functions into building blocks that may connect, or chain together, to create communication services.
A virtualized network function (VNF) may consist of one or more virtual machines running different software and processes on top of standard high-volume servers, switches and storage devices, or even cloud computing infrastructure, instead of having custom hardware appliances for each network function.
SDN
Software-defined networking (SDN) is an approach to computer networking that allows network administrators to manage network services through abstraction of lower-level functionality.
This is done by decoupling or disassociating the system that makes decisions about where traffic is sent (the control plane) from the underlying systems that forward traffic to the selected destination (the data plane).
Source: Wikipedia
Enhanced Control, Orchestration, Management & Policy (ECOMP) Approach
[Slide diagram; labels recovered from the figure: Engines (Orchestration, Control & Scale, Policy execution, Monitoring, Optimization, Data movement & storage, Workload shaping & placement, Analytics); Models / Behaviors (Resource, Services & Products, Process, Policies & Constraints, Algorithms, Attributes, Composition, Installation, Maintenance, Security; Real-time delivery, Self-optimizing/healing, Predictable Execution, Elastic scalability, Access control); Modeling, Simulation & Certification; Operation, Execution & Optimization; Regulation & Policy Compliance; Invariant Functions: Consistent Performance & Dynamic Operations; Instructions (SLAs/SLOs/KPIs, Diversity/Redundancy, Reliability, Flexible configurations, Dynamic Placement); layers: Platform, Service, Service Platform, Customer Experience.]
ECOMP Architecture
[Slide diagram; labels recovered from the figure. Design Time Environment: ECOMP Portal (Design, Monitor, View / Report, Admin, User Guide), Models, Metadata, Testing, Analytics Framework (Analytics Apps), Controller Framework (Controllers), Data Collection Framework (Active Collectors, Stream Agents), Security Framework (Security Apps), SDKs, VF Onboarding, Configure, Fault, Usage, Telemetry, Test. Run-Time Execution: ECOMP API gateway, Model, Order Orchestration, Data Aggregation, Inventory, Platform Deploy, Scheduler, IP Address Mgmt., Visualization & Reporting, Fallout / KPI / Usage / Capacity Ingestion, Data & Protocol Transformation, Software LCM, License Accounting, OSS and BSS interfaces, Event Mgmt., Data Movement, Logging, Run-Time Catalog, Access Control, Resiliency, Platform Analytics, Platform Admin., History, File Transfer / ETL. Managed resources: VNFs, Applications, PNFs, VMs, Containers.]
Security Advantages of Domain 2.0
• Reduce patching cycle time
• Deployment of dynamic security controls
• Streamline incident response cycle time
• Centralize control and management functions
• Scaling to absorb DDoS attacks
• Embed security controls at design time
Categories on the slide: Design Enhancements; Real-Time Capabilities; Performance Improvements.
[Slide diagram: common hardware running a hypervisor that hosts VNFs for Tenant 1, Tenant 2 and Tenant 3.]
Security Advantages of Domain 2.0: Example - DDoS Attack Resiliency
[Slide diagram: mobile devices (smartphones, M2M, IoT) attach through the LTE RAN (eNodeBs) to a vEPC running on common hardware under a hypervisor: vMME instances, vS-GW, vP-GW, vHSS, vPCRF and vPCEF, alongside a virtualized IMS with connectivity to the Internet, cloud services and partners. An Orchestrator manages the vMME instances.]
1. Attacker creates botnet army by infecting many mobile devices with a ‘remote-reboot’ malware. Attacker instructs malware to reboot all devices at the same time. Excessive attach requests create malicious signaling storm.
2. vMME is under DDoS attack.
3. Orchestrator instantiates new VMs to scale vMME function and maintain higher traffic load during investigation.
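The orchestrator's step 3 above is a closed-loop scaling decision driven by attach-request telemetry. The following is an added example, not AT&T's or ECOMP's code: a hypothetical scaling policy for a vMME pool that scales out as soon as demand exceeds capacity plus headroom, scales in only with hysteresis (so a fluctuating storm does not cause thrashing), and flags the case where even the maximum pool cannot absorb the load, which is the signal that scaling is only buying time for the investigation. The telemetry samples, capacities and limits are constructed.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class ScalePolicy:
    """Hypothetical policy parameters for one virtualized function (here a vMME pool)."""
    capacity_per_instance: int      # attach requests per second one instance can serve
    min_instances: int
    max_instances: int              # hard ceiling from the resource pool / licence
    headroom: float = 0.25          # spare capacity kept so a burst does not saturate at once
    scale_in_below: float = 0.5     # scale in only when pool utilisation drops under this


def required_instances(attach_rate: float, policy: ScalePolicy) -> int:
    """Instances needed to serve attach_rate with headroom, clamped to [min, max]."""
    needed = math.ceil(attach_rate * (1 + policy.headroom) / policy.capacity_per_instance)
    return max(policy.min_instances, min(policy.max_instances, needed))


def plan_scale(current: int, attach_rate: float, policy: ScalePolicy) -> dict:
    """One orchestrator decision: scale out immediately, scale in only with hysteresis."""
    target = required_instances(attach_rate, policy)
    utilisation = attach_rate / (current * policy.capacity_per_instance)
    if target > current:
        action = "scale_out"
    elif target < current and utilisation < policy.scale_in_below:
        action = "scale_in"
    else:
        action, target = "hold", current
    # Saturated: the pool cannot absorb the load even at max_instances.
    # Scaling has bought time; the storm itself needs investigation and mitigation.
    saturated = attach_rate > policy.max_instances * policy.capacity_per_instance
    return {"action": action, "target": target, "saturated": saturated}


def run_closed_loop(attach_rates, policy: ScalePolicy, start_instances: int):
    """Feed a sequence of telemetry samples through the loop; returns the decision trail."""
    current, trail = start_instances, []
    for rate in attach_rates:
        decision = plan_scale(current, rate, policy)
        trail.append({"rate": rate, "from": current, **decision})
        current = decision["target"]
    return trail


# Constructed telemetry (attach requests/s): baseline, a reboot-driven signalling storm, recovery.
SAMPLE_RATES = [800, 5200, 9000, 14000, 3000, 800]
POLICY = ScalePolicy(capacity_per_instance=1000, min_instances=2, max_instances=10)

if __name__ == "__main__":
    for step in run_closed_loop(SAMPLE_RATES, POLICY, start_instances=2):
        flag = "  <-- pool saturated, escalate to investigation" if step["saturated"] else ""
        print(f"rate={step['rate']:>6}/s  {step['from']:>2} -> {step['target']:>2}  {step['action']}{flag}")
```

The hysteresis matters in a closed loop: without it, a storm hovering around a capacity boundary would make the orchestrator add and remove instances every sample, and each churn is itself an event the security team would have to triage.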
Security Advantages of Domain 2.0: Example - Dynamic Security Control
[Slide diagram: mobile devices (smartphones, M2M, IoT) attach through the LTE RAN (eNodeBs) to a virtualized IMS; traffic leaves via the SGi interface through SDN vRouters and vFirewalls, managed by an SDN Controller over a Service Abstraction Layer, towards customer cloud services, the Internet, cloud services and partners.]
1. Malware on Mobile Devices sends malformed IP packets to customer cloud services.
2. SDN Controller dynamically modifies the firewall rules to thwart the attack.
3. Only valid traffic is forwarded.
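As an added example of the three steps above (not code from AT&T or the ECOMP project): a minimal IPv4 header validator standing in for the vFirewall's inspection, and a hypothetical controller that counts malformed packets per source and installs a deny rule once a source crosses a threshold, after which even well-formed packets from that source are dropped while unaffected customer traffic is still forwarded. The sample packets are constructed with a small builder; the threshold, addresses and rule format are assumptions for the example.

```python
import ipaddress
import struct
from collections import Counter

IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")   # 20-byte IPv4 header without options


def build_ipv4(src, dst, ihl=5, total_length=40, flags=0, ttl=64, proto=17):
    """Constructed sample packet for the example (checksum left at zero; not verified here)."""
    hdr = IPV4_HDR.pack((4 << 4) | ihl, 0, total_length, 0, flags << 13, ttl, proto, 0,
                        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + b"\x00" * max(0, total_length - len(hdr))


def validate_ipv4(packet: bytes):
    """Return (source address or None, list of reasons the header is malformed)."""
    if len(packet) < IPV4_HDR.size:
        return None, ["truncated_header"]
    ver_ihl, _tos, total_length, _id, flags_frag, _ttl, _proto, _csum, src, dst = \
        IPV4_HDR.unpack_from(packet)
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    src_addr, dst_addr = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    checks = [
        (version != 4, "bad_version"),
        (ihl < 5, "ihl_too_small"),                          # header cannot be under 20 bytes
        (total_length < ihl * 4, "total_length_below_header"),
        (total_length > len(packet), "total_length_exceeds_packet"),
        (((flags_frag >> 13) & 0b100) != 0, "reserved_flag_set"),
        (src_addr == dst_addr, "src_equals_dst"),
        (src_addr.is_multicast, "multicast_source"),
    ]
    return str(src_addr), [reason for bad, reason in checks if bad]


class SdnFirewallController:
    """Hypothetical control plane: counts malformed packets per source, pushes deny rules."""

    def __init__(self, threshold: int = 3):
        self.threshold = threshold
        self.malformed_by_src = Counter()
        self.rules = []                      # ordered deny rules installed in the vFirewalls

    def denied(self, src: str) -> bool:
        return any(rule["src"] == src for rule in self.rules)

    def process(self, packet: bytes) -> str:
        """Data-plane verdict for one packet, updating controller state as a side effect."""
        src, reasons = validate_ipv4(packet)
        if src is not None and self.denied(src):
            return "drop:denied_source"
        if not reasons:
            return "forward"                 # only valid traffic goes through
        if src is not None:
            self.malformed_by_src[src] += 1
            if self.malformed_by_src[src] >= self.threshold:
                self.rules.append({"action": "deny", "src": src,
                                   "malformed_count": self.malformed_by_src[src]})
        return "drop:" + ",".join(reasons)


# Constructed traffic: one customer device (10.0.0.5) and one misbehaving device (10.0.0.9).
SAMPLE_PACKETS = [
    build_ipv4("10.0.0.5", "203.0.113.10"),                   # well-formed
    build_ipv4("10.0.0.9", "203.0.113.10", ihl=4),            # header length below minimum
    build_ipv4("10.0.0.9", "203.0.113.10", total_length=10),  # total length shorter than header
    build_ipv4("10.0.0.9", "10.0.0.9"),                       # source equals destination
    build_ipv4("10.0.0.9", "203.0.113.10"),                   # well-formed, but source now denied
    build_ipv4("10.0.0.5", "203.0.113.10"),                   # unaffected customer traffic
]


def run_sample(packets=SAMPLE_PACKETS, threshold=3):
    controller = SdnFirewallController(threshold)
    verdicts = [controller.process(p) for p in packets]
    return verdicts, controller.rules


if __name__ == "__main__":
    verdicts, rules = run_sample()
    for packet, verdict in zip(SAMPLE_PACKETS, verdicts):
        print(f"{validate_ipv4(packet)[0]:>10}  {verdict}")
    print("installed rules:", rules)
```

Keeping the per-source count in the controller rather than in each vFirewall is what lets the rule change propagate to every vFirewall the controller manages at once; the trade-off is that the controller itself becomes a high-value management-plane target, which is why the considerations below insist on isolating control and management traffic.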
Security Considerations with Domain 2.0:
Architecture:
• Network traffic between virtualized functions may bypass traditional security controls
• Need to isolate and protect data, control and management network traffic
Development:
• New control requirements for resilient applications
• Increased dependency on application software
Operations:
• Environment volatility requires real-time control enforcement
• Closed loop automation demands effective control design
Security Considerations with Domain 2.0: Example – VM Compromise
[Slide diagram: common hardware running a hypervisor that hosts VNFs for Tenant 1, Tenant 2 and Tenant 3.]
1. Tenant 1 is compromised via malware and attempts attacks against Tenant 2 & 3, abuse of hardware resources, exploitation of shared storage, etc.
2. Hypervisor must effect VM quarantine measures and protect other tenants.
Security Considerations with Domain 2.0: Example – Commingling High Risk Workloads
[Slide diagram: common hardware running a hypervisor that hosts VNFs for Tenant 1, Tenant 2 and Tenant 3.]
1. Tenant 1 is performing development work using poorly secured VMs. Tenant 1 VMs are exposed to the internet.
2. A multi-tenant cloud environment must enforce adequate controls to protect Tenant 1 from impacting others. At a minimum the control structure should address access controls, infrastructure hardening, inventory management, partitioning strategies, security gateways and throttling measures.
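Of the controls listed in step 2, throttling and partitioning are the ones a short example can show concretely. The following is an added example, not AT&T's code: a hypothetical per-tenant token-bucket admission control in front of a shared resource (storage, an API, a vSwitch), where a flooding Tenant 1 is held to its own quota while Tenants 2 and 3 keep their full share, and a VM whose tenant is not in inventory is refused rather than served from a default pool. Quotas, tick units and the request mix are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    """Per-tenant quota: `rate` tokens refilled per tick, never more than `burst` stored."""
    rate: int
    burst: int
    tokens: int = field(init=False)
    last_tick: int = field(init=False, default=0)

    def __post_init__(self):
        self.tokens = self.burst            # start full; integer ticks keep the maths exact

    def allow(self, tick: int, cost: int = 1) -> bool:
        self.tokens = min(self.burst, self.tokens + (tick - self.last_tick) * self.rate)
        self.last_tick = tick
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class TenantThrottle:
    """Hypothetical admission control for a resource shared by several tenants."""

    def __init__(self, quotas):
        # quotas: tenant id -> (rate, burst). Each tenant gets its own partition (bucket);
        # a tenant absent from inventory has no bucket and is refused outright.
        self.buckets = {t: TokenBucket(rate, burst) for t, (rate, burst) in quotas.items()}
        self.stats = {t: {"allowed": 0, "throttled": 0} for t in quotas}
        self.unknown_rejected = 0

    def admit(self, tenant: str, tick: int) -> bool:
        bucket = self.buckets.get(tenant)
        if bucket is None:
            self.unknown_rejected += 1
            return False
        ok = bucket.allow(tick)
        self.stats[tenant]["allowed" if ok else "throttled"] += 1
        return ok


def simulate(ticks: int = 10, quota=(2, 20)) -> TenantThrottle:
    """Constructed load: Tenant 1 floods 10 requests per tick; Tenants 2 and 3 send 1 per tick."""
    throttle = TenantThrottle({"tenant1": quota, "tenant2": quota, "tenant3": quota})
    for tick in range(ticks):
        for _ in range(10):
            throttle.admit("tenant1", tick)
        throttle.admit("tenant2", tick)
        throttle.admit("tenant3", tick)
    throttle.admit("tenant9", 0)            # VM whose tenant is not in inventory
    return throttle


if __name__ == "__main__":
    result = simulate()
    for tenant, counts in result.stats.items():
        print(f"{tenant}: allowed={counts['allowed']:>3} throttled={counts['throttled']:>3}")
    print("unknown tenants rejected:", result.unknown_rejected)
```

Tenant 1 burns its 20-token burst in the first two ticks and is then held to its 2-per-tick rate; the other tenants never notice, because their buckets are separate. The same structure applies to hypervisor CPU or I/O shares, and the "unknown tenant" branch is where inventory management meets enforcement: a workload nobody registered gets nothing by default.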
Conclusion: Domain 2.0, The Network of the Future
Speed
• Faster provisioning and time-to-market
• Effortless customer experience
Scale
• Add services on-demand, in real-time
• Big data analytics
Dynamic
• Increased reliability and flexibility
• Create new products and services quickly
Cost
• Reduced cost of hardware, operations, etc.
• Higher resource utilization
Security
• Micro perimeters
• Enhanced security mechanisms
Accessible
• Constantly connected world
• BYOD, next-gen applications, etc.
Thank You!
Rebecca Finnin
[email protected]
http://about.att.com/innovationblog
http://about.att.com/innovationblog/031716ecomp
http://about.att.com/content/dam/snrdocs/ecomp.pdf