Inherent Security Design Patterns for SDN/NFV Deployments John McDowall Palo Alto Networks


Page 1: Inherent Security Design Patterns for SDN/NFV Deployments

Inherent Security Design Patterns for SDN/NFV Deployments

John McDowall

Palo Alto Networks

Page 2

Drivers for Consumers and Providers of Cloud/NFV

Producers and Consumers:

•  Automation
•  Minimize OPEX & CAPEX
•  Dynamic Resources
•  Self-Service Portals
•  Scalability
•  Agility
•  New Business Models

•  Make security easy to deploy by consumers
•  No Bottlenecks
•  Need well-defined security posture

Page 3

“…if innovation doesn’t get ahead of the hackers, we will likely see roadblocks to rolling out new SDx applications … because of the fear that SDx Infrastructure cannot protect against and contain new attacks.”

SDxCentral SDx Infrastructure Security Report 2015 Edition

Page 4

Key Security Perspectives

The security perimeter no longer exists.

Understanding the Cyber Attack Pattern Lifecycle

How do we prevent attacks with SDN/NFV?

Page 5

Preventing Across the Cyber Attack* Life Cycle

Unauthorized Access, then Unauthorized Use:

•  Gather Intelligence: Reconnaissance
•  Leverage Exploit: Weaponization & Delivery
•  Execute Malware: Exploitation
•  Command & Control: Malware Communicates with Attacker
•  Actions on the objective: Data Theft, Sabotage, Destruction

Attack steps: 1 Breach the Perimeter, 2 Deliver the Malware, 3 Lateral Movement, 4 Exfiltrate Data

* Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains, Eric M. Hutchins, Michael J. Cloppert, Rohan M. Amin, Ph.D., Lockheed Martin Corporation

Page 6

Security Challenges with NFV

•  Manual Deployments: slow and error-prone processes to enable security
•  Transient Workloads: workload lifespan is in hours, days or weeks
•  Static Remediation: lack of dynamic remediation measures
•  Malware: 30,000 new malware/day

Page 7

Security Design Patterns for NFV

Page 8

Applying Zero Trust* to NFV

Foundational Security Design Pattern

•  Verify and Never Trust
•  Inspect and Log all Traffic
•  Design Network Inside-Out

Predefine:
•  User-Access Controls
•  Layer-7 Interactions

Build:
•  Security Compliance
•  Auditable Entities

Enable:
•  Fine-grained kill switch
•  Real-time Security Updates

* No More Chewy Centers: The Zero Trust Model of Information Security, John Kindervag, Forrester Research, 2014

Page 9

Foundation Security Blueprint

Foundational Security Design Pattern

Virtual Function Security Model for a Virtual Function, in four phases:

1 Prepare
•  Define allowable interactions
•  Add application security pattern
•  Sign-off by security team

2 Deploy
•  Deploy zero-trust application security pattern
•  Merge parameterized pattern with tenant instance
•  Deny-All to Only-Allowed

3 Update
•  Real-time Inspection
•  Update threat patterns, sigs et al
•  Disrupt and/or block cyber attacks

4 Remove
•  Archive logs & policies
•  Perform forensics
•  Generate report

Page 10

Implementation of Foundation Security Pattern

Secure Encapsulation Design Pattern

Enforce zero-trust model – block all traffic until policy is applied.

Figure components: a Security Enforcement Point in front of each VM (VM-A); bridge, vxlan, nic; v-wire; data link and control link.

1 Security Controller: get signed “security pattern” from VM deployment descriptor and deploy with application.
2 Get VNI/Tenant ID for instance mapping.
3 Apply policy/tenant based on tenant ID and application security pattern retrieved from deployment.
4 v-wire NFV deployed security enforcement point.
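The controller flow on this slide, as an added illustration that is not the deck's or the vendor's code: a security controller verifies the signed pattern carried in the deployment descriptor, maps the VNI to a tenant, merges the parameterized pattern with the tenant instance and pushes an allow-list to an enforcement point that starts out deny-all and logs every verdict. The HMAC stand-in for the signature, the `${tenant}` parameter syntax, the descriptor layout and the sample pattern are all assumptions.

```python
import hmac, hashlib, json
# Constructed key standing in for the security team's signing key (assumption).
SIGNING_KEY = b"constructed-demo-signing-key"

def _digest(pattern):
    # HMAC over canonical JSON stands in for the real signature on the pattern.
    body = json.dumps(pattern, sort_keys=True).encode()
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()

def sign_pattern(pattern):
    """Prepare phase: security team signs off on the application security pattern."""
    return {"pattern": pattern, "sig": _digest(pattern)}

class EnforcementPoint:
    """v-wire security enforcement point: an empty rule set blocks all traffic."""
    def __init__(self):
        self.rules, self.log = set(), []  # no rules until the controller applies policy
    def allow(self, flow):
        """flow = (dst, port, app); every verdict is logged (inspect and log all traffic)."""
        verdict = flow in self.rules  # deny-all to only-allowed
        self.log.append((flow, verdict))
        return verdict

class SecurityController:
    def __init__(self, vni_to_tenant):
        self.vni_to_tenant = vni_to_tenant  # VNI -> tenant ID for instance mapping
    def deploy(self, descriptor, ep):
        """Deploy phase: verify the signed pattern, map VNI to tenant, merge, apply."""
        signed = descriptor["security_pattern"]
        if not hmac.compare_digest(_digest(signed["pattern"]), signed["sig"]):
            return False  # unsigned or tampered pattern: ep stays deny-all
        tenant = self.vni_to_tenant[descriptor["vni"]]
        # Merge the parameterized pattern with the tenant instance (${tenant} is our syntax).
        ep.rules = {(r["dst"].replace("${tenant}", tenant), r["port"], r["app"])
                    for r in signed["pattern"]["allowed"]}
        return True

# Constructed sample: a web VM that may only reach its own tenant's database.
WEB_PATTERN = {"allowed": [{"dst": "${tenant}-db", "port": 5432, "app": "postgres"}]}
VM_A = {"vni": 5001, "security_pattern": sign_pattern(WEB_PATTERN)}

def demo():
    ctrl, ep = SecurityController({5001: "tenant-a"}), EnforcementPoint()
    before = ep.allow(("tenant-a-db", 5432, "postgres"))  # False: no policy yet
    ok = ctrl.deploy(VM_A, ep)
    after = ep.allow(("tenant-a-db", 5432, "postgres"))   # True: the one allowed flow
    cross = ep.allow(("tenant-b-db", 5432, "postgres"))   # False: another tenant's DB
    forged = dict(VM_A, security_pattern=dict(VM_A["security_pattern"], pattern={"allowed": []}))
    rejected = ctrl.deploy(forged, EnforcementPoint())    # False: signature mismatch
    return before, ok, after, cross, rejected, len(ep.log)
```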

Page 11

Summary

•  Security was one of the biggest impediments to deployment of NFV.

•  Leveraging NFV to define a foundational pattern to protect application workloads.

•  Application security patterns can now be applied to the foundational pattern to implement security from the inside out.

•  Security is now a resource that scales with your NFV infrastructure.
