Inherent Security Design Patterns for SDN/NFV Deployments
John McDowall
Palo Alto Networks
Drivers for Consumers and Providers of Cloud/NFV
Automation
Minimize OPEX & CAPEX
Dynamic Resources
Self-Service Portals
Scalability
Agility
Producers / Consumers
Make security easy-to-deploy by consumers
No Bottlenecks
Need well-defined security posture
New Business Models
“…if innovation doesn’t get ahead of the hackers, we will likely see roadblocks to rolling out new SDx applications … because of the fear that SDx Infrastructure cannot protect against and contain new attacks.”
SDxCentral SDx Infrastructure Security Report 2015 Edition
Key Security Perspectives
The security perimeter no longer exists.
Understanding the Cyber Attack Pattern Lifecycle
How do we prevent attacks with SDN/NFV ?
Preventing Across the Cyber Attack* Life Cycle
Unauthorized Access, then Unauthorized Use, across five stages:
1. Gather Intelligence (Reconnaissance)
2. Leverage Exploit (Weaponization & Delivery)
3. Execute Malware (Exploitation)
4. Command & Control (Malware Communicates with Attacker)
5. Actions on the objective (Data Theft, Sabotage, Destruction)
* Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains, Eric M. Hutchins, Michael J. Cloppert, Rohan M. Amin, Ph.D., Lockheed Martin Corporation
Diagram: 1 Breach the Perimeter → 2 Deliver the Malware → 3 Lateral Movement → 4 Exfiltrate Data
Security Challenges with NFV
Manual Deployments: slow and error-prone processes to enable security
Transient Workloads: workload lifespan is in hours, days or weeks
Static Remediation: lack of dynamic remediation measures
Malware: 30,000 new malware / day
Security Design Patterns for NFV
Applying Zero Trust* to NFV
Foundational Security Design Pattern
* No More Chewy Centers: The Zero Trust Model of Information Security, John Kindervag, Forrester Research, 2014
Verify and Never Trust
Inspect and Log all Traffic
Design Network Inside-Out
Predefine:
• User-Access Controls
• Layer-7 Interactions
Build:
• Security Compliance
• Auditable Entities
Enable:
• Fine grained kill switch
• Real-time Security Updates
Foundation Security Blueprint
Foundational Security Design Pattern
1. Prepare
• Define allowable interactions
• Add application security pattern
• Sign-off by security team
2. Deploy
• Deploy zero-trust application security pattern
• Merge parameterized pattern with tenant instance
• Deny-All to Only-Allowed
3. Update
• Real-time Inspection
• Update threat patterns, sigs et al.
• Disrupt and/or block cyber attacks
4. Remove
• Archive logs & policies
• Perform forensics
• Generate report
Virtual Function Security Model
Implementation of Foundation Security Pattern
Secure Encapsulation Design Pattern
Enforce zero-trust model – block all traffic until policy is applied.
Each Virtual Function (VM-A) sits behind its own Security Enforcement Point; the v-wire carries a data link and a control link.
1. Security Controller: get signed “security pattern” from VM deployment Descriptor and deploy with application.
2. Get VNI/Tenant ID for instance mapping (bridge, vxlan, nic).
3. v-wire: NFV deployed security enforcement point.
4. Apply policy/tenant based on tenant ID and application security pattern retrieved from deployment.
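The Foundation Security Blueprint (Prepare / Deploy / Update / Remove) and the Virtual Function Security Model above describe the same enforcement loop from two angles: a pattern is signed off by the security team, the enforcement point pulls it from the VM deployment descriptor, binds it to the tenant that the instance's VNI maps to, and denies everything until that binding exists. The following Python model is an added example written for this page, not code from the deck or from Palo Alto Networks. It assumes HMAC-SHA256 as a stand-in for the unspecified pattern signature, and the descriptor layout, rule fields and tenant values are all constructed for the demo.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed signing key held by the security team (assumption: HMAC-SHA256
# stands in for whatever signature scheme a real deployment would use).
SECURITY_TEAM_KEY = b"constructed-demo-signing-key"


def canonical(pattern: dict) -> bytes:
    """Stable byte encoding so the signature covers exactly these rules."""
    return json.dumps(pattern, sort_keys=True, separators=(",", ":")).encode()


def sign_pattern(pattern: dict, key: bytes = SECURITY_TEAM_KEY) -> dict:
    """Prepare step: security-team sign-off attached to the pattern."""
    return {"pattern": pattern,
            "sig": hmac.new(key, canonical(pattern), hashlib.sha256).hexdigest()}


def verify_pattern(signed: dict, key: bytes = SECURITY_TEAM_KEY):
    """Return the pattern only if its sign-off verifies, otherwise None."""
    expected = hmac.new(key, canonical(signed["pattern"]), hashlib.sha256).hexdigest()
    return signed["pattern"] if hmac.compare_digest(expected, str(signed.get("sig", ""))) else None


@dataclass
class EnforcementPoint:
    """v-wire in front of a VM: every flow is denied and logged until a verified
    policy is bound to the tenant that the flow's VNI maps to."""
    vni_to_tenant: dict = field(default_factory=dict)  # VNI -> tenant ID
    policies: dict = field(default_factory=dict)       # tenant ID -> allow rules
    log: list = field(default_factory=list)            # (decision, tenant, detail)

    def bind(self, step: str, tenant: str, signed_pattern: dict) -> bool:
        """Deploy/Update step: verify the signed pattern before it replaces
        whatever policy the tenant currently has (nothing, on first deploy)."""
        pattern = verify_pattern(signed_pattern)
        if pattern is None:
            self.log.append((f"reject-{step}", tenant, "bad signature"))
            return False
        self.policies[tenant] = pattern["allow"]
        self.log.append((step, tenant, f"{len(pattern['allow'])} rules"))
        return True

    def deploy(self, descriptor: dict) -> bool:
        """Deploy step: pull the signed pattern from the VM deployment descriptor
        and record the VNI -> tenant mapping only if it verifies."""
        if not self.bind("deploy", descriptor["tenant_id"], descriptor["security_pattern"]):
            return False
        self.vni_to_tenant[descriptor["vni"]] = descriptor["tenant_id"]
        return True

    def remove(self, vni: int) -> list:
        """Remove step: drop the binding and return the tenant's archived log."""
        tenant = self.vni_to_tenant.pop(vni, None)
        self.policies.pop(tenant, None)
        archived = [e for e in self.log if e[1] == tenant]
        self.log.append(("remove", tenant, "policy deleted"))
        return archived

    def check(self, flow: dict) -> bool:
        """Inspect one flow: deny-all to only-allowed, every decision logged."""
        tenant = self.vni_to_tenant.get(flow["vni"])
        rules = self.policies.get(tenant, [])  # unmapped VNI or unbound tenant -> deny
        allowed = any(r["proto"] == flow["proto"] and r["dst_port"] == flow["dst_port"]
                      and r["app"] == flow["app"]  # Layer-7 interaction, not just a port
                      for r in rules)
        self.log.append(("allow" if allowed else "deny", tenant, flow))
        return allowed


def demo() -> dict:
    """Prepare/Deploy/Update/Remove for one constructed tenant on VNI 5001."""
    ep = EnforcementPoint()
    web_rule = {"proto": "tcp", "dst_port": 443, "app": "web-browsing"}
    ssh_rule = {"proto": "tcp", "dst_port": 22, "app": "ssh"}
    web_flow, ssh_flow = dict(web_rule, vni=5001), dict(ssh_rule, vni=5001)
    result = {"deny_before_policy": not ep.check(web_flow)}  # nothing bound yet
    signed = sign_pattern({"allow": [web_rule]})
    # Constructed tampering attempt: rules edited but the old signature reused.
    forged = {"pattern": {"allow": [ssh_rule]}, "sig": signed["sig"]}
    vm = {"tenant_id": "tenant-a", "vni": 5001}
    result["tampered_rejected"] = not ep.deploy(dict(vm, security_pattern=forged))
    result["deployed"] = ep.deploy(dict(vm, security_pattern=signed))
    result["web_allowed"] = ep.check(web_flow)
    result["ssh_denied"] = not ep.check(ssh_flow)
    result["updated"] = ep.bind("update", "tenant-a", sign_pattern({"allow": [web_rule, ssh_rule]}))
    result["ssh_allowed_after_update"] = ep.check(ssh_flow)
    result["archived_entries"] = len(ep.remove(5001))
    result["deny_after_remove"] = not ep.check(web_flow)
    return result
```

Two design points carry the slides' intent. The policy store starts empty and `check` treats "no rules" as deny, so a workload that lands before its pattern is bound, or whose VNI was never mapped, gets nothing; that is the "block all traffic until policy is applied" rule rather than an explicit deny entry someone has to remember to add. And the rule match includes the application identity, not only protocol and port, which is what makes the Layer-7 interactions from the Zero Trust slide enforceable at the v-wire.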
Summary
• Security was one of the biggest impediments to deployment of NFV.
• Leveraging NFV to define a foundational pattern to protect application workloads.
• Application Security patterns can now be applied to the foundational pattern to implement security from the inside out
• Security is now a resource that scales with your NFV infrastructure.