© 2016 NOKIA. ALL RIGHTS RESERVED. NUAGE NETWORKS IS A NOKIA VENTURE. CONFIDENTIAL - SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW PROPRIETARY USE PURSUANT TO COMPANY INSTRUCTION Nuage Networks Security Solution Networking Field Day 12

Nuage Networks Security Solution by Hari Krishnan, Senior Director, PLM, Security at Nuage Networks - #NFD12



Agenda

Challenges

Nuage Security Solution

Demo


Challenges with Existing Network Security Model

• Lack of visibility to east/west traffic
• Detection is hard, slow
• Complex to manage ACL lifecycle
• Service insertion is manual
• Lack of sufficient segmentation
• Limited by static network topology

(The slide groups these challenges under three headings: Protection, Detection, Operations.)

Software-defined Networking and Security can help address these challenges!

8/16/2016


Nuage Software Defined Security Solution

Software Defined Security for Data Center, Cloud and Branch Networks

• Segmentation and Policy Enforcement
• Security Automation
• Visibility and Security Monitoring (NEW, Tech Preview)

Workloads covered: Branch Networks, Bare-Metal, VM (Multi-hypervisor), Containers


Nuage Security Solution Features Beyond Micro-Segmentation

Software Defined Security for Data Center, Cloud and Branch Networks

Segmentation and Policy Enforcement
• Micro-segmentation with L4 Distributed Stateful Firewall
• Enforce L4 Ingress, Egress, Forwarding Security Policies
• End-to-End Segmentation across Branch, VMs, Containers, Bare-metal

Security Automation
• Enterprise-wide Network Security using Templates
• Automated Workload Security with Service Insertion
• Automated Incident Response

Visibility and Security Monitoring (NEW)
• Contextual Traffic Visibility
• Application Flow Mapping and Policy Generation
• Real-time Actionable Alerts, ACL and Traffic Analytics


Solution Architecture

(Architecture diagram; components shown:)
• Policy Engine (VSD)
• Controller (VSC)
• Analytics Engine
• GUI (Policy + Insight)
• 3rd Party Tools (e.g., SIEM; e.g., Orchestration)
• Flow Data with Context, ACL and Traffic Stats
• Forwarding plane: VRS (VM, Containers), VRS-G (Bare-metal), NSG (Branch, Cloud)
• Workloads: Branch Networks, Bare Metal, VM (Multi-hypervisor), Containers


Mapping Nuage Security Solution to Gartner’s Adaptive Security Framework

Predict
• Visibility and Security Monitoring

Prevent
• Segmentation and Policy Enforcement
• Security Automation (e.g., Provisioning)

Detect
• Visibility and Security Monitoring

Respond
• Security Automation (e.g., Quarantine)
• Segmentation and Policy Enforcement


Contextual Flow Visibility and Application Flow Mapping (Predict)

Data Center Virtual Network

• Visualize traffic flows within virtual network
• Identify valid ports/protocols used by application to drive policy definition
• Validate compliance with policy

(Diagram: Web, App and DB tiers inside the Data Center Virtual Network, with an External Network and a Branch User; flows labelled TCP/80 and TCP/3306.)


Micro-Segmentation and Policy Enforcement with Security Automation (Prevent)

(Diagram: Web, App and DB tiers and a Branch User; flows labelled TCP/80, TCP/8080 and TCP/3306.)

Security Policy Definition
• Application Security Policy: Ingress ACL, Egress ACL, Forwarding ACL

Distributed L4 Security Policy Enforcement
• ACL Config pushed to each enforcement point: VM, Branch, Bare-metal, Containers


Virtualized Network Security Monitoring (Detect)

• Real-time Actionable Alerts
• Security Event Reports
• ACL and Traffic Analytics
• SIEM Integration


Automate Incident Response (Respond)

• Identify Suspect VM based on Security analytics
• Alerts based on Thresholds
• Response automated with dynamic policy action
• Insert Security Service (e.g., IPS/NGFW)
• Quarantine VM

(Diagram: WEB-Tier, APP-Tier and DB-Tier with VM1, VM2 and VM3, an External network, a Suspect Zone and an Intrusion Prevention System.)


Nuage Security Solution Demo


Demo Scenario

(Diagram: a Branch site with an NSG and a VM, connected to a Data Center running VRS; the Data Center hosts Virtual Network X and a High Value App Virtual Network containing Web, .., DB VMs.)


Demo Topology and Workflow

(Topology: High Value App Virtual Network with Web (NGINX), App, Shared (LDAP), DB and Suspect groups, reached from the Branch; flows labelled TCP/80, TCP/8080, TCP/3306 and TCP/389.)

Step 1: Predict
• Contextual Flow Visualization
• Discover Application Flows

Step 2: Prevent
• Define Micro-Segmentation Policies
• Enforce policies in L4 DFW (VRS and NSG)

Step 3: Detect
• Alert and report port scan activity

Step 4: Respond
• Automate Response based on Alerts
• Dynamically move Web container to Suspect group
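The four demo steps above as one added, runnable illustration of the predict/prevent/detect/respond loop; this is not Nuage code, and the workload names, group membership, flow records, probe traffic and alert threshold are constructed assumptions:

```python
from collections import defaultdict

# Constructed sample data modelled on the demo topology (assumption, not Nuage data).
GROUPS = {"branch-1": "Branch", "web-1": "Web", "app-1": "App",
          "db-1": "DB", "ldap-1": "Shared"}

# Baseline flows seen during Step 1: (src_workload, dst_workload, proto, dport)
BASELINE = [("branch-1", "web-1", "TCP", 80), ("web-1", "app-1", "TCP", 8080),
            ("app-1", "db-1", "TCP", 3306), ("app-1", "ldap-1", "TCP", 389)]

def to_group_flow(groups, flow):
    """Map a workload-level flow to its (src_group, dst_group, proto, dport) form."""
    src, dst, proto, port = flow
    return (groups[src], groups[dst], proto, port)

def discover_policy(groups, flows):
    """Step 1 (Predict): derive a group-level L4 allow-list from observed application flows."""
    return {to_group_flow(groups, f) for f in flows}

def is_allowed(policy, groups, flow):
    """Step 2 (Prevent): distributed L4 enforcement as an allow-list lookup, default deny."""
    return to_group_flow(groups, flow) in policy

def port_scan_alerts(flows, threshold):
    """Step 3 (Detect): alert on any source touching at least `threshold` distinct dst/port targets."""
    seen = defaultdict(set)
    for src, dst, proto, port in flows:
        seen[src].add((dst, proto, port))
    return sorted(src for src, targets in seen.items() if len(targets) >= threshold)

def quarantine(groups, workload):
    """Step 4 (Respond): move the workload to the Suspect group; policy follows group membership."""
    groups[workload] = "Suspect"

def run_demo():
    groups = dict(GROUPS)
    policy = discover_policy(groups, BASELINE)
    # Constructed attack traffic: web-1 probes several ports on db-1 (a port scan).
    probes = [("web-1", "db-1", "TCP", p) for p in (22, 23, 25, 443, 3306, 8080)]
    before = is_allowed(policy, groups, ("web-1", "app-1", "TCP", 8080))
    denied_probes = sum(not is_allowed(policy, groups, f) for f in probes)
    alerted = port_scan_alerts(probes, threshold=5)
    for workload in alerted:
        quarantine(groups, workload)
    # After quarantine the Suspect group has no allow rules, so web-1's former traffic is denied.
    after = is_allowed(policy, groups, ("web-1", "app-1", "TCP", 8080))
    return {"allowed_before": before, "denied_probes": denied_probes,
            "alerts": alerted, "allowed_after": after}
```

The probes are denied by the allow-list even before the alert fires; the quarantine step is what also cuts the workload's previously legitimate flows.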


Nuage Networks Delivers Software-defined Security for Cloud, Data Center and Branch Networks

• Segmentation and Policy Enforcement
• Security Automation
• Visibility and Security Monitoring

Workloads covered: Branch, Bare Metal, VM (Multi-hypervisor), Containers


THANK YOU