Security, Resiliency and Other Challenges Glen Gerhard
Security, Resiliency and Other Challenges
Erik Linask
Group Editorial Director
TMC
Twitter: @elinask
www.nfvzone.com / www.sdnzone.com
Security, scalability, resiliency = traditional deterrents
Now we are telling telcos they need to virtualize and “cloudify”
Security, Resiliency and Other Challenges
Glen Gerhard
VP, Product Management
Sansay
Nabil Damouny
Sr. Director, Strategic Marketing
Netronome
Security Concerns
• Very similar unless using a cloud infrastructure
[Figure: protected vs. public networks behind the ISP; dedicated VM vs. cloud network]
Resiliency Concerns
• VM can be made HA and fault tolerant
– Easier and cheaper than h/w based systems
– Cloud can be even more dynamic, normally not HA
[Figure: route management plane, session processing plane and media handling plane, with redundant components labelled ROME, INX (master-slave) and MSX]
Resiliency
• Geographic redundancy easy with both
PCI Compliance
• Very tightly controlled architecture
• Cloud support possible with hybrid systems
Security & Resiliency in SDN & NFV
Nabil Damouny
Sr. Director, Strategic Marketing, Netronome
Vice Chair, Market Education Committee, ONF
Editor, Compute Domain, ETSI NFV
Agenda
• Netronome … Intro
• Network security services
• Deploying L4-L7 services in SDN-OpenFlow
• Inserting L7 intelligence in the data path
• ETSI NFV – complementary to SDN
• Faults & resiliency in NFV
• Summary
Company
• Fabless semiconductor company
• Best-in-class flow processors designed for 10/40/400G communications designs
Product and Markets
• Leader in SDN-OpenFlow
• Leader in NFV … COTS architecture
• Cybersecurity
• Sole licensee of Intel IXP Processor IP
• Intel 22nm tri-gate process
• 100+ Patents
[Figure: world map of the worldwide headquarters, research and development centers and regional sales and support centers: Santa Clara, Cambridge, Boston, Pittsburgh, Beijing, Tokyo, Shenzhen, Johannesburg]
What Are Layer 4 through 7 Services?
• L2-L4 forwarding
– Switching
– Routing
– Packet forwarding
– OpenFlow
– Architectures optimized to process individual packets
• L4-L7 services
– Security
– Load balancing
– WAN optimization
– Architectures optimized to process flows and content
Categorized by depth of Layer 4 through 7 inspection:
No Flow Inspection: OpenFlow switch
Partial Flow Inspection: Load balancer, Next-generation firewall, WAN optimization, Web application firewall
Flow Monitoring: Test and measurement, Policing and metering, Quality of Service (QoS), Traffic analysis
Full Flow Inspection: Anti-virus / anti-spam, Intrusion prevention system (IPS), SSL inspection, VPN
There are 4 service categories with specific processing requirements
Suggested Deployment Models
1. Running as applications on the controller
• Controller programs SDN switch on per-flow basis
2. Standalone network appliance
• Traffic directed to appliance either based on static policy or dynamically driven by controller
• Legacy or OF-enabled
3. Full Layer 4-7 network services running on intelligent switch
• Intelligent switch becomes L2-L7 device
[Figure: application layer (applications, Layer 4-7 services; model 1) over northbound APIs; control layer (network controller, SDN control software) over southbound API; infrastructure layer with a Layer 4 through 7 appliance (model 2), an intelligent switch with Layer 4-7 (model 3) and network devices]
Different deployment models to best fit service requirements, including performance and latency.
Use Case: Advanced Traffic Analysis …
Embedded DPI feeds network intelligence to services on L7 device
[Figure: application layer (video optimization, analytics, QoS / QoE, traffic steering, content filtering) over northbound APIs; control layer (SDN control software, network services) over southbound API; infrastructure layer with Layer 7 network service devices, Layer 4-7 network devices, network devices and a GGSN; data plane traffic is classified by Layer 4-7 protocol and application identification into video, web, IM, VoIP, email, P2P and other]
Application flows forwarded directly to specialized service processing
• Requires L4-L7 intelligence embedded directly in switches
SDN Data center … Intelligence is at the Edge
SDN Gateway
• Interconnect new virtualized
networks and legacy
• Focus on Gateway for Multi-tenant
Data Center -to- MPLS WAN
NFV Appliance
• Open, programmable host for
virtual applications
• Focus on ETSI NFV Use Cases:
– Two out of 9 pre-defined use cases
• Use Case #5 - VNF as a service
• Use Case #6 – Service Chaining
Examples of types of Faults
• Failure of the VNF
– Application crash, overload condition
– Tolerable if clustered topology, service degradation (SD) possible
• Failure of the VM
– OS crash, resource exhaustion
– Tolerable in clustered topology, SD possible
• Failure of the Hypervisor
– OS crash, resource exhaustion
– Tolerable in clustered topology, SD possible
• Failure of the server
– Tolerable in clustered topology, SD possible
• Failure in the physical infrastructure
– Device power cycle/crash, loss of connectivity
– Tolerable if infra is HA capable
[Figure: VNF1-VNF4 on VM1-VM4 (each with its own OS) over hypervisors on servers X86-1 and X86-2 (CPU, memory, disk, I/O), connected by the physical network infrastructure; impact ranges from less severe (VNF failure) to more severe (physical infrastructure failure)]
SDN-aware NFV security platforms
• Netronome offerings
– Flow processors scaling to 200Gbps
– FlowNICs for acceleration of standard servers
– Production-ready reference platforms
SDN-aware security platforms
• Features and benefits
– 216 programmable processing cores
– 4 x PCIe Gen 3 to connect to x86 sockets
• 200Gbps+ throughput to standard servers
– Support >500 BIPS per 2U to apply to workloads in NFV environments
• Support for high-touch security applications
– Fully SDN capable
• Support for OpenFlow 1.3
– Carrier grade resiliency in COTS server architecture platforms
• Numerous high-availability options
– Integrated fail-to-wire
– Active-passive and active-active HA modes of operation
Netronome’s FlowNICs and reference platforms are ideal to solve the
security and resiliency challenges facing SDN and NFV
Looking Ahead
• What are some of the obstacles for a Telco to work with ISVs in the security area?
• How can a Telco achieve the traditional five 9's reliability? How about high availability?
• Is it easier and less costly to design for redundancy, in NFV & SDN?
• How about Federation and the need for interoperability between carriers?
• What is the role of cloud orchestration in security & resiliency?
BACKUP
ETSI ISG NFV Structure
• ISG E-E Documents (Ratified)
1. Architecture Framework
2. Use Cases (9 total)
3. (Business) Requirements
4. Terminology
• Technical Working Groups
1. Infrastructure (INF)
2. Software Architecture (SWA)
3. Management & Orchestration (MANO)
4. Reliability & Availability (REL)
– Performance Expert Group (PER)
– Security Expert Group (SEC)
Source: ETSI ISG NFV
SDN & NFV are complementary & synergistic.
Topologies for hosting Network Functions in VMs
Simple vs. Clustered VNFs
• Single instance topology
– VNF deployed on a single virtual machine.
• Clustered or Composite Topology
– Consists of multiple VNF Components (VNFCs)
• L2/L3 connectivity between VNF instances when multiple physical servers hosting same VNF.
[Figure: NFV Deployment Examples 1-5: VNF1 on a single x86 server (single instance); VNF1 split into VNFC1 and VNFC2 on VM1/VM2 over a hypervisor on x86; VNF1, VNF2 and VNF3 on VM1/VM2 over hypervisors on x86; VNFC1-VNFC4 on VM1/VM2 over hypervisors on servers X86-1 and X86-2]
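As an added illustration that is not part of the deck, the small Python model below applies the fault layers from the "Examples of types of Faults" slide (VNF, VM, hypervisor, server, physical infrastructure) to deployment example 1 (single instance) and example 5 (clustered VNFCs across two servers): each fault removes the VNFCs in its blast radius and the service ends up unaffected, degraded (the deck's SD) or out. The VM and host names, the four-VNFC placement and the state labels are constructed assumptions.

```python
"""Blast-radius model for the deck's fault layers (VNF, VM, hypervisor,
server, physical infrastructure) on single-instance vs. clustered VNFs.
Constructed example: VM and host names are hypothetical placements."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Vnfc:
    name: str  # VNF component, e.g. "VNFC1"
    vm: str    # VM hosting it, e.g. "VM1" (named uniquely across hosts here)
    host: str  # x86 server running the hypervisor, e.g. "X86-1"

# Which VNFCs a fault at each layer removes. A hypervisor or server fault
# takes every VM on that host; a physical-infrastructure fault hits all hosts.
SCOPE = {
    "vnf": lambda c, target: c.name == target,
    "vm": lambda c, target: c.vm == target,
    "hypervisor": lambda c, target: c.host == target,
    "server": lambda c, target: c.host == target,
    "infra": lambda c, target: True,
}

def service_state(vnfcs, layer, target=None, infra_ha=False):
    """Return (state, surviving fraction) of a VNF after a single fault."""
    if layer == "infra" and infra_ha:
        return "OK", 1.0  # deck: tolerable if the infrastructure is HA capable
    alive = [c for c in vnfcs if not SCOPE[layer](c, target)]
    frac = len(alive) / len(vnfcs)
    if frac == 0:
        return "OUTAGE", 0.0
    if frac < 1:
        return "DEGRADED", frac  # the deck's "service degradation (SD)"
    return "OK", 1.0

# Example 1: single-instance VNF on one VM (constructed placement).
SINGLE = (Vnfc("VNF1", "VM1", "X86-1"),)
# Example 5: clustered VNF, four VNFCs across two servers (constructed placement).
CLUSTERED = (Vnfc("VNFC1", "VM1", "X86-1"), Vnfc("VNFC2", "VM2", "X86-1"),
             Vnfc("VNFC3", "VM3", "X86-2"), Vnfc("VNFC4", "VM4", "X86-2"))

def fault_matrix(vnfcs, infra_ha=False):
    """Fail the first VNFC's component, VM and host at each layer, then the infra."""
    first = vnfcs[0]
    faults = [("vnf", first.name), ("vm", first.vm), ("hypervisor", first.host),
              ("server", first.host), ("infra", None)]
    return {layer: service_state(vnfcs, layer, t, infra_ha)[0] for layer, t in faults}

if __name__ == "__main__":
    for label, topo in (("single-instance", SINGLE), ("clustered", CLUSTERED)):
        print(label, fault_matrix(topo), "HA infra:", fault_matrix(topo, True)["infra"])
```

The single-instance topology goes to OUTAGE at every layer, while the clustered one only degrades until the shared physical infrastructure fails, which matches the deck's "tolerable in clustered topology" and "tolerable if infra is HA capable" notes.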