Secure Science DMZ using Event-Driven SDN Tae Hwang
Technical Solutions Architect @ Cisco
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Typical Science DMZ Network Architecture “1.0”
[Figure: campus topology. I2 AL2S/AL3S and the Internet connect through a DMZ Switch to the DTN/Servers/Storage/perfSONAR hosts (UCS 5108 chassis with UCS B200 M3 blades) and, through a Firewall, to the Campus. Traffic is managed via simple ACL or Flow Rule.]
What is the biggest challenge with this architecture?
Science DMZ “2.0”: Bypassing Campus Firewall for Large Flows
[Figure: two slides reproduced from the SDN Solutions Showcase, October 14-17, 2014 (© 2014 Open Networking Foundation). An OpenFlow Switch has 100G links to the Network and PerfSONAR, 10G links to the Firewall and the IDS sensors, and a Feedback path from the IDS to the SciPass Controller.]
SciPass Operation - Phase 2
• BRO inspects traffic to find “good” science flows
• Requests a bypass for the flows deemed “good”
SciPass Operation - Phase 3
• SciPass inserts bypass OpenFlow forwarding rules
  – Traffic not sent to IDS
  – Traffic not sent to Firewall
• Throughput improves
SciPass Architecture: Combined with Brocade OF Switch (typically), Bro IDS, PerfSONAR, and SciPass controller (Indiana University)
Flow Detection Method
• IPS/IDS/FW/Router – Insert a whitelist entry/ACL that matches packets with specific header information
• Data Transfer Node (DTN) – Get a notification from the DTN that it is about to start a data transfer
• Globus – Get a notification from Globus or similar tools
FW/IPS Bypass Methods
Option 1: Enable the OpenFlow feature on a Cisco OpenFlow Hybrid Switch
Option 2: Use a dedicated OpenFlow Switch if the current device doesn’t support OF
Option 3: Use PBR with NX-API
Option 4: Use VACL and Redirect with NX-API
How to Secure Science DMZ and Campus
Q. The Science DMZ is directly connected to the Internet. How can we secure the Science DMZ and the campus?
A. Leverage security devices to detect threats and log them to an event server such as Splunk. The necessary actions against a threat are triggered by apps in the event server; an action can be blackholing BGP routes on the routers, applying OpenFlow rules on the OF switches, or both.
Science DMZ Reference Implementation
[Figure: reference topology. Internet2/AL2S and Commodity Internet enter through ASR 1K / ASR 9K border routers (BGP Null Routes, Active Blocking) into the DMZ (Nexus 3K, DTN Compute, High-Throughput Science Networks, with Flow Notification to the event server) and, through a Next Generation Firewall (ASA 5585; Commodity: In-Line; Internet 2: In-Line or OOB w/Steering), into the Secure Corporate Networks (Nexus 9K: Campus, Corporate DC, External Services). The event server provides Event Correlation, Log Storage, Auditing and Analysis; the control paths are BGP and OpenFlow.]
Splunk as an SDN Application
• Logically sits on top of COSC (Cisco Open SDN Controller) to provide application intelligence
• Likely already sending events to central logging
• Has the most informed view of the status of the network, servers, and apps
• Provides event correlation
• Consolidates the number of devices sending REST commands
• Correlates by severity, rate, and between events
• Provides for auditing and reporting capabilities
• Leverage existing skill by writing logic in Splunk search language
Example Event Actions
Real-Time, Immediate Action (from IDS): e.g. High Priority IDS Event: Block Host Immediately
Real Time With Sliding Window and Threshold (from FW): e.g. SYN Attacks: Block host after 100 improper SYNs in 60 seconds
Scheduled with Fixed Window: e.g. Block Timeout: Unblock host if it has not been seen in last 24 hours
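The three event-action patterns on this slide, worked through as an added example in plain Python rather than Splunk search language (this is illustration code, not Cisco's or Splunk's). The event lines, their field names (source, priority, event, src) and the ISO timestamp format are constructed for the example; the thresholds are the slide's: 100 improper SYNs in 60 seconds, unblock after 24 hours unseen.

```python
"""Added example: immediate, sliding-window and scheduled event actions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SYN_THRESHOLD = 100                    # block after 100 improper SYNs ...
SYN_WINDOW = timedelta(seconds=60)     # ... within a 60-second sliding window
BLOCK_TIMEOUT = timedelta(hours=24)    # unblock a host not seen for 24 hours


def parse_event(line):
    """Parse a constructed 'key=value key=value' event line into a dict."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def make_syn_lines(host, start_iso, count, spacing_s):
    """Construct `count` improper-SYN firewall events from `host`, `spacing_s` apart."""
    start = datetime.fromisoformat(start_iso)
    return [
        f"ts={(start + timedelta(seconds=i * spacing_s)).isoformat()} "
        f"source=fw event=improper_syn src={host}"
        for i in range(count)
    ]


class EventActionEngine:
    """Keeps per-host state and decides block/unblock actions."""

    def __init__(self):
        self.blocked = {}                    # host -> time it was blocked
        self.last_seen = {}                  # host -> time of its latest event
        self.syn_hits = defaultdict(deque)   # host -> timestamps of improper SYNs in window
        self.actions = []                    # audit trail: (time, action, host, reason)

    def _block(self, host, ts, reason):
        if host not in self.blocked:         # idempotent: one block action per host
            self.blocked[host] = ts
            self.actions.append((ts, "block", host, reason))

    def handle(self, line):
        """Process one event; return True if the source host is blocked afterwards."""
        ev = parse_event(line)
        host, ts = ev["src"], ev["ts"]
        self.last_seen[host] = ts
        # Real-time, immediate action: a high-priority IDS event blocks the host at once.
        if ev["source"] == "ids" and ev.get("priority") == "high":
            self._block(host, ts, "high-priority IDS event")
        # Sliding window with threshold: count this host's improper SYNs in the last 60 s.
        elif ev["source"] == "fw" and ev.get("event") == "improper_syn":
            hits = self.syn_hits[host]
            hits.append(ts)
            while hits and ts - hits[0] > SYN_WINDOW:   # evict hits older than the window
                hits.popleft()
            if len(hits) >= SYN_THRESHOLD:
                self._block(host, ts, f"{len(hits)} improper SYNs in "
                                      f"{int(SYN_WINDOW.total_seconds())}s")
        return host in self.blocked

    def run_block_timeout(self, now_iso):
        """Scheduled, fixed window: unblock hosts not seen in the last 24 hours."""
        now = datetime.fromisoformat(now_iso)
        expired = [h for h in self.blocked if now - self.last_seen[h] > BLOCK_TIMEOUT]
        for host in expired:
            del self.blocked[host]
            self.actions.append((now, "unblock", host, "not seen in 24 hours"))
        return expired


if __name__ == "__main__":
    engine = EventActionEngine()
    engine.handle("ts=2015-06-10T10:53:43 source=ids priority=high src=198.51.100.7 sig=exploit-attempt")
    for line in make_syn_lines("203.0.113.9", "2015-06-10T10:55:00", 100, 0.5):   # burst: 100 in 50 s
        engine.handle(line)
    for line in make_syn_lines("203.0.113.10", "2015-06-10T10:55:00", 100, 2):    # slow: 100 in 200 s
        engine.handle(line)
    engine.run_block_timeout("2015-06-11T12:00:00")
    for action in engine.actions:
        print(*action)
```

The slow sender never has more than 31 SYNs inside any 60-second window, so it is never blocked; the burst sender crosses the threshold on its 100th SYN. The audit trail in `actions` is what a Splunk app would keep for the auditing and reporting bullet on the previous slide.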
Globus for Data Transfer
• A key service in the research networking ecosystem with more than 10,000 active endpoints
• Software-as-a-Service (SaaS) solution to manage transfers, where users can direct requests to transfer or synchronize files and directories between two locations
• Uses GridFTP to provide secure, reliable, and efficient transfer of data across wide-area distributed networks
• GridFTP extensions provide parallelism (i.e., the use of multiple socket connections between pairs of data movers), restart markers, and data channel security
• The GridFTP control plane provides the source and destination information for the flows it sets up
• Effectively authenticates flows before they bypass security
OpenFlow Data Flow Steering
Base setup depending on mode:
Out-Of-Band IDS:
  <priority>100</priority> <in-port>54</in-port> <output-node-connector>52</output-node-connector> <output-node-connector>25</output-node-connector>
In-Band Firewall/IPS:
  <priority>100</priority> <in-port>54</in-port> <output-node-connector>25</output-node-connector>
  <in-port>25</in-port> <output-node-connector>52</output-node-connector>
Bypass operation is the same for both modes:
  <priority>200</priority> <in-port>54</in-port> <output-node-connector>52</output-node-connector>
[Figure: port layout of the tap switch. Out-Of-Band IDS: Outside on port 54, Inside on port 52, IDS on port 25. In-Band FW/IPS: Outside on port 54, FW/IPS on port 25, Inside on port 52.]
Bypass Flows in “Tap” Switch
Flow start notification:
  Jun 10 10:53:43 localhost splunk_odl_action: log_level=INFO, action=start, flow=199.66.189.10:50368-128.55.29.41:42600, status_code=200
Flows added to Nexus 3000:
  Flow: 4
  Match: tcp,in_port=54,nw_src=199.66.189.10,nw_dst=128.55.29.41,tp_src=50368,tp_dst=42600
  Actions: output:52
  Priority: 200
  Flow: 5
  Match: tcp,in_port=52,nw_src=128.55.29.41,nw_dst=199.66.189.10,tp_src=42600,tp_dst=50368
  Actions: output:54
  Priority: 200
Flow stop notification:
  Jun 10 10:54:51 localhost splunk_odl_action: log_level=INFO, action=stop, flow=199.66.189.10:50368-128.55.29.41:42600, status_code=200
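An added example (not Cisco's, Splunk's or OpenDaylight's code) tying the steering slide and this one together: it parses the splunk_odl_action start/stop notifications, derives the forward and reverse priority-200 bypass entries that the slide shows as Flow 4 and Flow 5, and renders them in the abbreviated element form of the steering slide. Port 54 (outside) and port 52 (inside) are the slide's; the sequential flow ids starting at 4, the handling of duplicate starts, and the rule that a non-200 status means nothing was installed are assumptions made here.

```python
"""Added example: from flow notification to tap-switch bypass entries."""
import re
from ipaddress import ip_address

NOTIFY_RE = re.compile(
    r"splunk_odl_action: .*?action=(?P<action>start|stop), "
    r"flow=(?P<src>[\d.]+):(?P<sport>\d+)-(?P<dst>[\d.]+):(?P<dport>\d+), "
    r"status_code=(?P<code>\d+)"
)


def parse_notification(line):
    """Extract action, TCP 4-tuple and REST status code from a notification line."""
    m = NOTIFY_RE.search(line)
    if m is None:
        raise ValueError(f"not a flow notification: {line!r}")
    d = m.groupdict()
    return {
        "action": d["action"],
        "src": str(ip_address(d["src"])),   # ip_address() rejects malformed addresses
        "sport": int(d["sport"]),
        "dst": str(ip_address(d["dst"])),
        "dport": int(d["dport"]),
        "status": int(d["code"]),
    }


def bypass_flows(n, outside_port=54, inside_port=52, priority=200):
    """Forward and reverse entries that carry this connection straight between
    the outside and inside ports, above the priority-100 base steering rules."""
    fwd = {
        "match": (f"tcp,in_port={outside_port},nw_src={n['src']},nw_dst={n['dst']},"
                  f"tp_src={n['sport']},tp_dst={n['dport']}"),
        "actions": f"output:{inside_port}",
        "priority": priority,
    }
    rev = {
        "match": (f"tcp,in_port={inside_port},nw_src={n['dst']},nw_dst={n['src']},"
                  f"tp_src={n['dport']},tp_dst={n['sport']}"),
        "actions": f"output:{outside_port}",
        "priority": priority,
    }
    return [fwd, rev]


def to_odl_fragment(flow):
    """Render an entry in the abbreviated element form used on the steering slide
    (assumption: this is a shorthand, not the full controller flow model)."""
    in_port = re.search(r"in_port=(\d+)", flow["match"]).group(1)
    out_port = flow["actions"].split(":")[1]
    return (f"<priority>{flow['priority']}</priority> <in-port>{in_port}</in-port> "
            f"<output-node-connector>{out_port}</output-node-connector>")


class TapSwitchFlowTable:
    """Tracks which bypass entries are installed, keyed by the connection 4-tuple."""

    def __init__(self, first_flow_id=4):
        self.flows = {}          # flow id -> entry
        self.by_conn = {}        # (src, sport, dst, dport) -> [flow ids]
        self.next_id = first_flow_id

    def apply(self, line):
        """Install (start) or remove (stop) the pair of entries; return the ids touched."""
        n = parse_notification(line)
        if n["status"] != 200:   # assumption: the controller rejected the request
            return []
        key = (n["src"], n["sport"], n["dst"], n["dport"])
        if n["action"] == "start":
            if key in self.by_conn:          # duplicate start: keep the existing entries
                return self.by_conn[key]
            ids = []
            for entry in bypass_flows(n):
                self.flows[self.next_id] = entry
                ids.append(self.next_id)
                self.next_id += 1
            self.by_conn[key] = ids
            return ids
        ids = self.by_conn.pop(key, [])      # stop for an unknown flow is a no-op
        for fid in ids:
            del self.flows[fid]
        return ids


if __name__ == "__main__":
    table = TapSwitchFlowTable()
    for fid in table.apply("Jun 10 10:53:43 localhost splunk_odl_action: log_level=INFO, "
                           "action=start, flow=199.66.189.10:50368-128.55.29.41:42600, "
                           "status_code=200"):
        print(f"Flow: {fid}\n  {to_odl_fragment(table.flows[fid])}\n  Match: {table.flows[fid]['match']}")
```

Because both entries match the full 4-tuple in one direction each, only the authenticated transfer is steered around the IDS or firewall; any other traffic between the same hosts still hits the priority-100 base rules. Keying the table by the 4-tuple is what lets the stop notification remove exactly the pair that the start installed.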
Remotely Triggered Black Hole Routing
Static routes added by COSC through NETCONF on the ASR 9000:
  router static
   address-family ipv4 unicast
    1.0.184.115/32 Null0 tag 666
    1.161.169.139/32 Null0 tag 666
    2.25.74.127/32 Null0 tag 666
    2.50.153.67/32 Null0 tag 666
    12.197.32.116/32 Null0 tag 666
Export the Null routes, setting the next-hop to the black hole IP:
  route-policy as-11017-out
    if tag is 666 then
      set next-hop 192.0.2.1
      set community (no-export) additive
      pass
    else
      pass
    endif
  end-policy
Enable uRPF on the WAN interface of the ASR 9000:
  ipv4 verify unicast source reachable-via any allow-default
Route the black hole IP to Null0 on the other border routers:
  ip route 192.0.2.1 255.255.255.255 Null0
Enable uRPF on the WAN interface of the ASR 1000:
  ip verify unicast source reachable-via any
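An added example (not Cisco's code) of the two things an event server should get right before it pushes this configuration: generating the `router static` stanza with tag 666 only for /32 host routes that are safe to blackhole, and checking why the result drops traffic in both directions. The `BorderRouter` class models a peer router that has the `ip route 192.0.2.1 255.255.255.255 Null0` line and learns the tagged routes over BGP with next-hop 192.0.2.1: destination lookups resolve to Null0, and uRPF loose mode rejects the same address as a source because a Null0 route is not a real adjacency. The protected prefixes, the default route and the test addresses are constructed; tag 666 and the 192.0.2.1 black hole address are the slide's.

```python
"""Added example: RTBH route generation with guardrails, plus a uRPF model."""
from ipaddress import ip_address, ip_network

RTBH_TAG = 666
BLACKHOLE_IP = "192.0.2.1"
# Constructed: address space an automated action must never blackhole. The
# first prefix stands in for the site's own DMZ/campus space; the black hole
# address itself is protected so the export policy keeps resolving.
PROTECTED = [ip_network("198.51.100.0/24"), ip_network(BLACKHOLE_IP + "/32")]


def validate_blackhole_targets(addrs):
    """Return the host addresses that may be blackholed; reject anything that
    would hurt the site itself (own space, non-routable ranges, broad prefixes)."""
    valid = []
    for a in addrs:
        net = ip_network(a, strict=True)
        if net.prefixlen != 32:
            raise ValueError(f"{a}: only /32 host routes are blackholed")
        ip = net.network_address
        if ip.is_private or ip.is_loopback or ip.is_multicast or ip.is_unspecified:
            raise ValueError(f"{a}: not a routable public host")
        if any(ip in p for p in PROTECTED):
            raise ValueError(f"{a}: inside a protected prefix")
        valid.append(str(ip))
    return valid


def render_static_routes(addrs):
    """IOS XR 'router static' stanza in the form the slide shows."""
    lines = ["router static", " address-family ipv4 unicast"]
    lines += [f"  {ip}/32 Null0 tag {RTBH_TAG}" for ip in validate_blackhole_targets(addrs)]
    return "\n".join(lines)


class BorderRouter:
    """Minimal RIB of a peer border router: a constructed default route, the
    static route for the black hole address, and RTBH routes learned via BGP."""

    def __init__(self):
        self.rib = {
            ip_network("0.0.0.0/0"): "upstream",            # constructed default route
            ip_network(BLACKHOLE_IP + "/32"): "Null0",      # ip route 192.0.2.1 ... Null0
        }

    def learn_rtbh(self, addr):
        """Install the no-export /32 whose next-hop is the black hole address."""
        self.rib[ip_network(addr + "/32")] = BLACKHOLE_IP

    def next_hop(self, addr):
        """Longest-prefix match with recursive next-hop resolution."""
        ip = ip_address(addr)
        best = max((n for n in self.rib if ip in n), key=lambda n: n.prefixlen)
        nh = self.rib[best]
        return nh if nh in ("Null0", "upstream") else self.next_hop(nh)

    def forward(self, src, dst):
        """Destination lookup first; then uRPF loose mode requires the source
        to resolve to a real adjacency, which a Null0 route is not."""
        if self.next_hop(dst) == "Null0":
            return "drop:destination-blackholed"
        if self.next_hop(src) == "Null0":
            return "drop:urpf-loose"
        return "forward"


if __name__ == "__main__":
    print(render_static_routes(["1.0.184.115", "2.25.74.127"]))
    r = BorderRouter()
    r.learn_rtbh("203.0.113.5")
    print(r.forward("198.51.100.20", "203.0.113.5"), r.forward("203.0.113.5", "198.51.100.20"))
```

Without the uRPF line, the Null0 route stops packets going to the blackholed host but packets it sends still reach the DMZ; `forward()` shows both checks together, which is why the slide pairs the static routes with `verify unicast source reachable-via any`.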
Cisco Open SDN Controller
[Figure: Cisco Open SDN Controller platform. Network Applications (Application 1 … Application ‘n’) reach the controller through REST APIs and the DLux User Interface. Base network service functions (Topology Manager, Statistics Manager, FRM, L2 Switch, AAA Service, GBP Service, Host Tracker) and 3rd party network service functions (Network Service 1 … Network Service ‘n’) sit on the Model Driven Service Abstraction Layer (Plugin Manager, Capacity Abstraction, Flow Programming, Inventory, etc). Southbound OpenFlow, OVSDB, NETCONF, BGP-LS and PCEP interfaces connect to the Data Plane Elements: Open vSwitches, OpenFlow Enabled Devices, and Cisco and 3rd party Virtual and Physical Devices.]
Splunk Screenshot 1
[Figure: Splunk screenshot 1]
Splunk Screenshot 2
[Figure: Splunk screenshot 2]
Splunk Screenshot 3
[Figure: Splunk screenshot 3]