SDN & Security: Why Take Over the Hosts When ... - RSA Conference
Recommend Documents
Cyber Security & Aviation. MASH-F01. Managing ... General Counsel & Managing Director Information. Security. TAL
Taking it all In â And Applying It to Scale ... resolve ALL potential vulnerabilities, whether reported from ..... ISO
Associate Director â Security Research and Analytics. UBS AG. SESSION ID: .... Can be resource intensive, consumes CPU
Obsessive-Compulsive. Disorder. National Institute of Mental Health. U.S.
DEPARTMENT OF HEALTH AND HUMAN SERVICES • National Institutes of
Health ...
XXXX Surpasses Gmail for Top Productivity App. XXXX is a ... Apps to Protect Your Array of Passwords. 7 ... A bookmarkle
endanger the security of ping-pong protocols. Namely, if a ping-pong protocol is secure in general then its implementation using an "ideal RSA" is also secure. 1.
SAP web servers by country (Top 20). 0%. 100%. 200%. 300%. 400%. 500%.
600%. MEXICA. CHILE ... NetWeaver ABAP URL – /sap/bc/soap/rfc. ▻ Can be ...
Base rate. â 95% detection, 10% false positives. â Is it good? Is it bad? â Key is to .... Outside view: data from
The security industry moves fast. WE SEE⦠WE HAD⦠6. 9 new startups every month. 5 new categories every six months.
data (p Ш q) x = InL (p x) | InR (q x) ... The free monad construction lifts any functorial signature p of operations t
We define malware as âmalicious softwareâ or anything that can run on an endpoint and do bad things. This includes .
Implement HP Networking wired network solutions for small and mid-market
customers ..... HP Networking Fundamentals Video Series - OSI Model, Rev.
MANAGING DAILY. SECURITY ... Reveal Challenges with the Volume of Work.
▻ Discuss ... Concepts that drive physical factories can drive IT/IS work. ▻ Lean
...
Threat information-sharing and collaboration programs help .... information exchange as a top priority for the global se
Session ID: Session Classification: Anu Puhakainen & Juha Sääskilahti. Ericsson
. Network Security Competence Hub. Mastering Security in Agile/Scrum,.
Session ID: Session Classification: Ben Rothke, CISSP CISM. Wyndham
Worldwide Corp. Building a Security Operations Center. (SOC). TECH-203.
Advanced ...
Session ID: Session Classification: Christopher Hadnagy. Social-Engineer.Com.
Human Hacking Exposed. 6 Preventative Tips. That Can. Save Your Company.
Publisher : Ideapress Publishing 2015-03-01 q. Language : ... Between the decline of modern management, the social media
Ridiculously Optimistic Future of Business Full Media Books ... Optimistic Future of Business Read online, PDF When Mill
for the Ridiculously Optimistic Future of Business Pages ... Ridiculously Optimistic Future of Business Full Online, ebo
Securosis, L.L.C. 515 E. Carefree Highway, Suite 766 Phoenix, AZ 85085 T 602-412-3051 .... provides advanced analysis ca
vendors continue to roll their stuff into VMs and AMIs that can run in public and private clouds. So they are ready to s
Android Zero Shell. ▫ Install App. ▫ Introduce Command and Control. ▫ Demo the
Zero Shell. ▫ Show App Exploitation to get additional Privs. 9 ...
Hacking Exposed: Embedded. Securing the Unsecurable. Billy Rios ... (HMI,
Management, Web). I/O communications ... “NONE of that stuff is on the Internet…
” ...
SDN & Security: Why Take Over the Hosts When ... - RSA Conference
SESSION ID: TECH0R03. Robert M. Hinden. Check Point Fellow. Check Point Software. SDN AND SECURITY: Why Take Over the Ho
SDN AND SECURITY:
Why Take Over the Hosts When You Can Take Over the Network SESSION ID: TECH0R03
Robert M. Hinden Check Point Fellow Check Point Software
What are the SDN Security Challenges? Vulnerability of Central Control
Trust Model Changes
Virtualization of Network Topology
IT Organizational Changes #RSAC
2
Presentation Outline Software Defined Networks Overview SDN Hype and Production Deployments SDN Security Challenges SDN Security Solutions Q&A #RSAC
3
Software Defined Networks
Overview
SDN Basic Idea • Separation of Network Control and Data Planes • Well-defined vendor-independent OpenFlow API between the two
• Operation of the network is defined in software outside of the forwarding path • a.k.a. Software Defined Network
• Centralized Network Control on standard servers #RSAC
5
Motivation for SDN • Creation of high-level network policies • Move away from current management approaches like SNMP/CLI • Apply policies uniformly across Routers, Switches, Optical, Virtual Networks, etc.
• Mix and match of vendors • Packet Forwarding and Control planes • Hardware and Software
#RSAC
6
Mainframes to PCs AppAppAppAppAppAppAppAppAppAppApp Specialized Applications
Open Interface
Specialized Operating System
Windows (OS)
Specialized Hardware
Linux
Mac OS
Open Interface Microprocessor
#RSAC
7
[ Credit: Nick McKeown “Making SDNs Work” ]
Switches/Routers to SDN AppAppAppAppAppAppAppAppAppAppApp Specialized Features
Open Interface
Specialized Control Plane
Control Plane
Specialized Hardware
Control Plane
Control Plane
Open Interface Merchant Switching Chips
#RSAC
8
[ Credit: Nick McKeown “Making SDNs Work” ]
SDN Architecture Applications
Control Plane
Applications
Applications
Northbound API
Controller Southbound API (OpenFlow)
Data Plane
Switch
Switch
Switch
Host
Host
Switch Switch
Switch
Host
Host
Host
Host #RSAC
9
Applications
Control Plane
Components • Application Programs
Applications
Controller Switch
Data Plane
• Implement network specific policy
Applications
Switch
Switch
Host
Host
Switch
Switch
Switch Host
Host
Host
Host
• Controller • Provides high-level view of Network to control programs • Deploy policy to Routers/Switches via OpenFlow
• Routers/Switches • Controlled by state injected by Controller
#RSAC
10
How It Works • Controller presents logical map of network to Application Programs
• Switches/Routers are Flow based • Process known flows autonomously • If new flow arrives, ask Controller what to do • Controller installs new flow state in Switch/Router • Flow state consist of pairs
• Controller pushes state to Switch/Router with OpenFlow #RSAC
11
SDN Architecture Control Plane
Applications
Applications
Applications
Northbound API
Controller Southbound API (OpenFlow)
Data Plane
Switch
Switch
Switch
Switch
Switch
Switch
#RSAC
12
Flow Table Entry (OpenFlow 1.0) MATCH Switch Port
MAC src
ACTION MAC dst
Ethr Type
STATS VLAN ID
IP Src
IP Dst
IP Prot
TCP S port
TCP D port
1. Forward packet to switch port(s) 2. Encapsulate and forward to controller 3. Drop packet 4. Send to normal processing pipeline Packet and byte counters #RSAC
13
Lots of Activity
ONRC RESEARCH
#RSAC
14
Impact to Current Networking
• Utilizes most existing protocols • IPv4/IPv6, TCP/UDP, Ethernet, VLANS, etc.
• Hosts don’t change • Routing Protocols run in the Controller • Big change to management and configuration protocols • Centralized vs. current distributed
• This is an incremental solution not a “clean slate” #RSAC
15
Production SDN Deployments
Google OpenFlow Network
• OpenFlow SDN in Google’s worldwide internal Inter-Data Center Network
• Centralized traffic engineering service • Google built their own network switches using merchant silicon and Open Source routing software
• Rumors that Facebook, Microsoft, etc. are looking at similar SDN traffic engineering deployments 17 http://www.wired.com/wiredenterprise/2012/04/going-with-the-flow-google/all/1
#RSAC
Other SDN Production Deployments
• Data Center deployments using Nicira/VMware NSX • Data Center / Virtualization is a very active SDN area • Network virtualization doesn't require SDN, but can be helped by it
• There are many University / Research SDN Projects • NSF is providing a lot of funding
#RSAC
18
SDN Hype
The Hype
“ SDN is emerging as one of the most promising and disruptive networking technologies of recent years. It has the potential to enable network innovation and create choice, and thus help realize new capabilities and address persistent problems with networking. It also promises to give network operators more control of their infrastructure, allowing customization and optimization, therefore reducing overall capital and operational costs. ” Open Networking Summit, April 2012
#RSAC
20
SDN Hype
• SDN is a threat to many vendors’ business models • Many large vendors are describing “SDN like” solutions that will lock in customer
• Proposing very complex proprietary solutions
• Vendors are using SDN to describe any legacy products that use software to control hardware
#RSAC
21
SDN Adoption EXPECTATION
Inflated Expectation
Technology Trigger
Enlightenment Productivity
Disillusionment
TIME #RSAC
22
SDN Issues / Challenges • Scaling properties uncertain • Flow entries could get very, very large • Flows supported by switches is still limited
• Outages / Bugs • Unclear how well it deals with network outages that require rerouting • How do you debug software and hardware problems?
• Security (the rest of the talk) #RSAC
23
SDN Security Challenges
Vulnerability of Central Control
Applications
Control Plane
Applications
Controller Switch
Data Plane
• SDN Applications and Controller have complete control of the network
Applications
Switch
Switch
Host
Host
Switch
Switch
Switch Host
Host
Host
Host
• Controllers/Applications are built on general purpose computing platforms • We all know all about the vulnerabilities of these platforms
• If Controller or Application is compromised, the whole Network is compromised
Why Take Over the Hosts When You Can Take Over the Network #RSAC
25
Effects of SDN Controller Compromise
Route flows around security devices
Modify content
Insert malware
Controller subverts new flows
Monitor traffic
Send traffic to compromised nodes
Subvert DNS responses
“Man in the Middle” attacks
……
#RSAC
26
Was SDN Designed for the NSA? Central control makes it easy to control the whole network
SDN makes it very easy to control where traffic flows
#RSAC
27
Current Security Model Switch
Switch
Switch
INTERNET Host
Switch Switch
Host
Host
Switch
Host
Host
Host
Security policy enforced by physically forcing traffic to flow through Security Devices #RSAC
28
SDN Changes Security Model Controller Switch
INTERNET
Switch
Switch
Host
Host
Switch Switch
Host
Host
Host
Host
• Flow Rules control when or if traffic goes through Security Device • Network Topology is now virtual #RSAC
29
SDN Changes the Trust Model Security cannot be enforced by physical topology Requires complete Trust in SDN Applications and Controller We don’t understand the consequences #RSAC
30
SDN Changes Organization Model
• Today most IT organizations have a • Network Group • Security Group
• SDN requires a great deal of cooperation between these groups
• All network staff will be responsible for Security Policy
#RSAC
31
SDN Security Solutions
It’s Not All Bad Uniform SDN Security Policy Security Everywhere Control Security Treatment Traffic Receives Isolate Compromised Hosts #RSAC
33
Uniform SDN Security Policy Security Application • Couple Security Policy to
Applications
SDN policy/rules and validate SDN flows against the security policy
Security Application
Controller
• Ensure that Security Policy is implemented for all traffic
Applications
Switch
Switch
Switch
• Maintain regulatory and
Switch Switch
Switch
compliance requirements
#RSAC
34
Security Everywhere Security Application
Applications
Applications
Security Application
• All Routers and Switches have Security capabilities
Controller
• Security Application can take advantage of this and push rules to all network devices
Switch
Switch
Switch
Switch Switch
Switch
#RSAC
35
Control Security Treatment Traffic Receives Applications
Applications
Range of Security Control
Security Application
Controller
• Full Firewall • ACL style filtering • No filtering
Switch Switch
Switch Switch
Switch
#RSAC
36
Isolate Compromised Hosts Controller
• Once compromised host is detected Switch
• Host can be isolated
Switch
Switch
Host
Switch Switch
Host
Host
Host
Host
Host
#RSAC
37
Summary
Summary • SDN has a lot of promise • Many of its capabilities are very powerful
• SDN Security issues are real for many organizations • Another case of build it and worry about Security later?
• We will all need to get beyond the “hype phase” to see what is real and achievable #RSAC
![Read Online PDF] When Millennials Take Over ... - Google Sites](https://m.moam.info/img/260x300/read-online-pdf-when-millennials-take-over-google-_6477d072097c474d228c7551.jpg)
![[PDF] Download When Millennials Take Over - Google Sites](https://m.moam.info/img/260x300/pdf-download-when-millennials-take-over-google-sit_64780fbc097c4737708c63ff.jpg)
