security defined routing_cybergamut_v1_1

Post on 05-Jul-2015


DESCRIPTION

http://cybergamut.com/2014/09/technical-tuesday-28-october-2014-software-defined-networking-by-joel-king-of-world-wide-technology/

TRANSCRIPT

Copyright © 2014 World Wide Technology, Inc. All rights reserved.

Security-Defined Routing

Joel W. King, Technical Solutions Architect, Enterprise Networking Solutions, Engineering and Innovations

Agenda

• Background: Who, What and Why?

• Process flow – Topology Diagrams

• OpenFlow Mechanics

• Software

• Monitoring Network

• Demonstration Video

• Summary

Who am I?

• Software-Defined Networking Discipline Lead at WWT

• Goal: First to Educate

• Oversee SDN solution architectures, training and education for sales engineering, demonstrations, workshops. Focus area: Network Programmability

• Previously

• NetApp E-Series Storage – Big Data

• Cisco Systems CVDs – Cisco Validated Designs

Why this was developed

• World Wide Technology (wwt.com)

• Value added systems integrator and supply chain solutions provider

• Advanced Technology Center (ATC) Hands-on access to over $50M in data center, virtualization, collaboration, networking and security solutions.

• Premise: Demonstrate a Software-Defined Networking (SDN) use case

• Integrate: SDN with Cyber Analytics Reference Architecture (CARA)

What is Security-Defined Routing?

• Security-Defined Routing (SDR) is a play on the term Software-Defined Networking (SDN)

• Security-Defined Routing:

  • Uses SDN (OpenFlow) switches

  • Dynamic reprogrammability of network flows

  • Normal IP packet forwarding reacts to security analytic engines

  • Integrating security analytics with packet forwarding behavior

• Central Network Control dates back to AT&T’s Network Control Point in 1977.

• Why should cyber professionals care about SDN and Openflow?

http://en.wikipedia.org/wiki/2600:_The_Hacker_Quarterly

Historical view of SDN

• Purist view of SDN has two characteristics (1):

  • Control plane is separated from the device implementing the data plane

  • Single control plane manages multiple network devices

• SDN / OpenFlow initial deployments were network research at universities (Stanford), providing cost effective and ‘clean slate’ network architectures.

• OpenFlow is only one instantiation of SDN principles.

• SDN is a tool to enable a higher degree of control over network devices.

(Diagram: a single control plane managing multiple data-plane devices)

(1) The Road to SDN: An Intellectual History of Programmable Networks

What is OpenFlow?

• Open Networking Foundation (ONF) manages the standard.

• Originated at Stanford University, 2005 - 2009, Martin Casado et al.

• OpenFlow is a communications protocol that gives access to the forwarding plane of a network device; it is the southbound protocol the SDN controller uses to communicate with switches.

• Flow Entry - an element in a flow table used to match and process packets: a data structure of matches, actions, counters, priority, and timeout values.

Fields from packets matched against flow entries:

• Ingress port

• Ethernet Source | Destination Address

• VLAN ID and Priority

• IP Source and Destination Address

• IP Protocol

• IP ToS bits

• TCP | UDP source port

• TCP | UDP destination port

Actions

• Multiple actions can be specified

• Example: output to multiple ports, drop

Basic Building Blocks: Controllers and Agents

Some network functionality is better implemented from centralized coordination of all the devices in the network domain.

• Controller – process on a server interacting with network devices using APIs / protocols.

• Agent – process on network devices implementing a specific function.

• API – allow applications external to the controller to query and change the network configuration

Next Generation Firewalls

• Next-Generation Firewall Services provide more granular application usage control policies than port based firewalls.

• Advanced network security functions are computationally intensive, and they must run in real time while introducing little or no latency.

• Has the Layer 3 topology changed when deploying Next-Generation Firewalls?

• Why does the Firewall function need to be in the forwarding path?

Value of Separating Detection from Prevention

Separating the intrusion detection (IDS) function from the intrusion prevention (IPS) function provides:

• Enhanced Scalability

• Seamlessly Manage Appliances

• Multiple “Sets of Eyes”

• Rapid Mitigation

• Consistent Policy Implementation

• Cost Effective

Security-Defined Routing

SDR Solution includes the following components:

• An SDN controller

• OpenFlow switches between the WAN edge routers and the corporate firewalls

• Security-Defined Routing (SDR) software developed by World Wide Technology (WWT)

• Security analytics software:

  • Cisco Sourcefire

  • RSA Security Analytics

  • Open Source Snort

(Topology diagram: Nexus 7K internal network; SDN controller with Security-Defined Routing software receiving syslog; OpenFlow switch between the Internet, the DMZ and the internal network; monitoring network attached to the OpenFlow switch)

Process Flow

(Process-flow diagrams, one per animation step: Trust Zone, DMZ and Un-Trusted Zone joined by an OpenFlow switch under the Cisco XNC Controller, with the Monitoring Network attached; later frames add an "ALERT!" from the monitoring network and an "attack" flow being redirected by OpenFlow)

Security-Defined Routing

• Software-Defined Networking (OpenFlow) switches can be programmed to:

  • Drop packets

  • Replicate packets (e.g. SPAN / TAP) for monitoring

  • Selectively divert traffic flows from the normal forwarding path

• Security analytics devices - intrusion detection systems (IDS) - identify malicious traffic.

• Python modules:

  • Parse a Snort, RSA Security Analytics or Cisco Sourcefire alert (log) file

  • Create ‘firewall’ rules for the SDN controller and switch to implement

  • Use the REST API to dynamically modify forwarding behavior to shunt traffic

  • The offending host is blocked or routed to a honeypot

OpenFlow Mechanics

OpenFlow - Static and Dynamic (reactive) Flows

(Flow-table diagrams for the Cisco Extensible Network Controller, one per animation step. Static flows: LLDP, ARP and IPv4 between Inside and Outside, plus Analytics and Honey Pot ports. Next frame adds IPv4 TCP 80 and IPv4 TCP 443 flows from Outside to Honey Pot, "Honey Pot to Inet" from Honey Pot to Outside, and Outside to "Inside & Analytics". Final frames add the reactive flow "Honey Pot TCP 443" matching source 198.19.3.1 from Outside, sent to Honey Pot or dropped ("Or Drop"), then the "Steady State configuration" once the reactive flow is removed.)

Flow Removal

• OpenFlow provides for aging flows out of the switch

• Each flow entry has an idle_timeout and a hard_timeout

• Switches remove flows older than the hard_timeout

• The idle_timeout removes a flow if no packets match it during the timer interval

• The Northbound REST API can be used to manually delete flows

• The demo code removes flows after a few minutes.

• Caveats

  • DDoS attacks could generate more flows than the switch can handle

  • Switches vary in the number of flows supported.
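To make the flow-entry structure from the OpenFlow slides (match fields, actions, counters, priority, timeouts) and the flow-removal rules above concrete, here is an added Python model of a switch flow table. It is an illustration written for this page, not Cisco's or WWT's code: unmatched fields are wildcards, lookup picks the highest-priority match and bumps its counter, expire() ages entries out by hard and idle timeout, and a capacity limit shows the flow-exhaustion caveat. The port numbers, the 120-second idle timeout, the priorities and the honeypot port 48 are assumptions; the constructed packet mirrors the Snort alert shown later in the deck (source 198.19.3.1, TCP 443, TOS 0xB8).

```python
"""Toy OpenFlow flow table: match fields, priority, counters, idle/hard
timeouts and a capacity limit. Added example, not WWT's or Cisco's code."""
from dataclasses import dataclass
from typing import Dict, List

# Subset of OpenFlow 1.0 match fields (ofp_match names); a field absent
# from a flow's match is a wildcard.
MATCH_FIELDS = ("in_port", "dl_src", "dl_dst", "dl_vlan", "dl_type",
                "nw_src", "nw_dst", "nw_proto", "nw_tos", "tp_src", "tp_dst")
ETH_IPV4, IPPROTO_TCP = 0x0800, 6
HONEYPOT_PORT = 48      # assumed honeypot-facing switch port (cf. "OUTPUT=48")


def dscp_to_tos(dscp: int) -> int:
    """DSCP is the top six bits of the IP ToS byte: EF (46) -> 184 (0xB8)."""
    return dscp << 2


@dataclass
class FlowEntry:
    name: str                       # unique flow name (sst.py --fname)
    match: Dict[str, object]        # field -> value, see MATCH_FIELDS
    actions: List[str]              # e.g. ["OUTPUT=2"], ["DROP"]
    priority: int = 0               # higher number wins when several match
    idle_timeout: int = 0           # seconds without a match; 0 = never expire
    hard_timeout: int = 0           # seconds after install; 0 = never expire
    installed_at: float = 0.0
    last_matched: float = 0.0
    packets: int = 0                # per-flow counter

    def matches(self, pkt: Dict[str, object]) -> bool:
        assert all(k in MATCH_FIELDS for k in self.match)
        return all(pkt.get(k) == v for k, v in self.match.items())


class TableFull(Exception):
    """The switch's flow table has no room for another entry."""


class FlowTable:
    def __init__(self, capacity: int):
        self.capacity = capacity
        self.entries = {}           # name -> FlowEntry

    def put(self, entry: FlowEntry, now: float) -> None:
        """Install (or replace) a flow: the PUT side of a flow pusher."""
        if entry.name not in self.entries and len(self.entries) >= self.capacity:
            raise TableFull("%d flows installed" % len(self.entries))
        entry.installed_at = entry.last_matched = now
        self.entries[entry.name] = entry

    def delete(self, name: str) -> None:
        """Manual removal, the DELETE action exposed by the northbound API."""
        self.entries.pop(name, None)

    def lookup(self, pkt: Dict[str, object], now: float) -> List[str]:
        """Highest-priority matching entry decides; no match is a table miss."""
        hits = [e for e in self.entries.values() if e.matches(pkt)]
        if not hits:
            return ["CONTROLLER"]   # packet-in to the controller (reactive setup)
        best = max(hits, key=lambda e: e.priority)
        best.packets += 1
        best.last_matched = now
        return best.actions

    def expire(self, now: float) -> List[str]:
        """Age flows out the way a switch does: hard timeout, then idle timeout."""
        removed = []
        for name, e in list(self.entries.items()):
            hard_hit = e.hard_timeout and now - e.installed_at >= e.hard_timeout
            idle_hit = e.idle_timeout and now - e.last_matched >= e.idle_timeout
            if hard_hit or idle_hit:
                removed.append(name)
                del self.entries[name]
        return removed


def shunt_scenario() -> Dict[str, object]:
    """Steady-state forwarding, then a reactive honeypot shunt that ages out."""
    table = FlowTable(capacity=4)
    # Static flows: plain IPv4 forwarding between inside (port 1) and outside (port 2).
    table.put(FlowEntry("ipv4-in-out", {"dl_type": ETH_IPV4, "in_port": 1}, ["OUTPUT=2"], 100), 0)
    table.put(FlowEntry("ipv4-out-in", {"dl_type": ETH_IPV4, "in_port": 2}, ["OUTPUT=1"], 100), 0)
    # Constructed packet mirroring the Snort alert: 198.19.3.1 -> :443, TOS 0xB8.
    pkt = {"in_port": 2, "dl_type": ETH_IPV4, "nw_src": "198.19.3.1",
           "nw_proto": IPPROTO_TCP, "nw_tos": dscp_to_tos(46), "tp_dst": 443}
    before = table.lookup(pkt, 1)
    # Dynamic flow pushed after the IDS alert: higher priority, 120 s idle timeout.
    shunt = FlowEntry("tcp443_198.19.3.1",
                      {"dl_type": ETH_IPV4, "nw_src": "198.19.3.1",
                       "nw_proto": IPPROTO_TCP, "nw_tos": 184, "tp_dst": 443},
                      ["OUTPUT=%d" % HONEYPOT_PORT], priority=500, idle_timeout=120)
    table.put(shunt, 2)
    during = table.lookup(pkt, 3)
    # 120 s of silence from that host: the switch drops the entry by itself.
    expired = table.expire(3 + 120)
    after = table.lookup(pkt, 124)
    return {"before": before, "during": during, "expired": expired,
            "after": after, "shunt_packets": shunt.packets}


if __name__ == "__main__":
    print(shunt_scenario())
```

The shunt entry only out-ranks the static forwarding flows because of its priority; with equal priorities the behaviour would be undefined, which is why the flow pusher's --pri argument matters. The capacity check is where the DDoS caveat bites: once the table is full, further reactive flows cannot be installed and the offending traffic falls back to the static forwarding path.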

Software

Process Flow

(Software process-flow diagram: Snort reads ./rules and writes alerts to ./log/alert or to syslog (/var/log/syslog); parsealert.py reads the alerts and calls sst.py (options --help, --debug; logs to ./log), which uses the XNC.py module to reach the XNC (SDN) controller over its REST API; the controller programs the OpenFlow switch between Inside and Outside, whose TAP feeds Snort)

Log Parser

$ python parsealert.py --help
usage: parsealert.py [-h] --engine ENGINE --file FILE --command COMMAND
                     [--trigger TRIGGER] [--debug]

parsealert.py - Reads syslog or local files from analytic engines, calls
sst.py to push flow elements to an XNC controller.
Copyright (c) 2014 WorldWide Technology, Inc.

optional arguments:
  -h, --help         show this help message and exit
  --engine ENGINE    Specify snort, rsa or sourcefire keyword to indicate the
                     input file
  --file FILE        Input file name.
  --command COMMAND  Command file name in ./config directory
  --trigger TRIGGER  The value of the trigger, if not specified, default is
                     __S_
  --debug            When specified enables debugging

C:\>python sst.py --help
usage: sst.py [-h] --cact CACT --cip CIP --cuid CUID --cpw CPW --dpid DPID
              --fname FNAME --act ACT --pri PRI --et ET [--nwsrc NWSRC]
              [--nwdst NWDST] [--proto PROTO] [--tpsrc TPSRC] [--tpdst TPDST]
              [--iport IPORT] [--debug]

Copyright (c) 2014 World Wide Technology, Inc.

optional arguments:
  -h, --help     show this help message and exit
  --cact CACT    Controller action, (eg. PUT, DELETE, LIST) a flow element
  --cip CIP      Controller IP / Hostname
  --cuid CUID    Controller username
  --cpw CPW      Controller password
  --dpid DPID    Data Path Identifier of the OpenFlow switch
  --fname FNAME  Flow name, unique identifier
  --act ACT      Action(s) to implement, eg. DROP, OUTPUT=48
  --pri PRI      Flow priority, higher numbers have more precedence
  --et ET        Ethertype, eg. IPv4, IPv6.
  --nwsrc NWSRC  Source IP address
  --nwdst NWDST  Destination IP address
  --proto PROTO  Protocol, eg. tcp, udp
  --tpsrc TPSRC  transport protocol source port
  --tpdst TPDST  transport protocol destination port
  --iport IPORT  Ingress OpenFlow port number on the switch
  --debug        When specified enables debugging

Flow Pusher

Snort rules file

• Define criteria for matching network traffic

• The parsealert.py module will process any alerts with “__S_” in the message

• All other alert entries are ignored

• Use the trailing string (e.g. tcp443) and IP address as the unique flow name

• Sample rules will shunt any source IP address to the honeypot:

  • TCP ports 80 and 443 with a TOS byte of 184

  • TOS 0xB8 (184) = IP Precedence 5 or DSCP Expedited Forwarding (EF)

alert tcp any any -> any 80 (tos:184; sid:1000985; msg: "__S_tcp80";)
alert tcp any any -> any 443 (tos:184; sid:1000986; msg: "__S_tcp443";)

Snort alert file

• Identify entries with “__S_”

• Determine the source IP address

• Use the trailing string (e.g. tcp443) and source IP address as the unique flow name

• Create flow entry (aka: “firewall rule”) to shunt packets to honey pot

• Log action in ./log directory

[**] [1:1000986:0] __S_tcp443 [**]
[Priority: 0]
04/27-00:43:35.932503 198.19.3.1:56184 -> 198.18.4.1:443
TCP TTL:255 TOS:0xB8 ID:39797 IpLen:20 DgmLen:40
***AP**F Seq: 0x7F92F67A Ack: 0xF6474527 Win: 0x1020 TcpLen: 20
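As an added example (not WWT's parsealert.py or sst.py), the following Python walks alert-file records like the one above, keeps only those whose message starts with the __S_ trigger, derives the flow name from the trailing string and the source IP, and emits the sst.py command line documented in the Flow Pusher help text that would push a flow shunting that host to the honeypot. The flow-name separator, the honeypot output port (48, from the --act example), the priority 500, the controller address, credentials and DPID are assumptions; the first alert record is the one from the slide, the other two are constructed.

```python
"""Turn Snort alert-file entries carrying the "__S_" trigger into sst.py
flow-pusher argument vectors. Added example, not WWT's parsealert.py."""
import re
from typing import Dict, List

TRIGGER = "__S_"
HONEYPOT_ACTION = "OUTPUT=48"    # assumed honeypot-facing switch port
SHUNT_PRIORITY = 500             # assumed; must beat the static forwarding flows

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
PACKET_RE = re.compile(
    r"^\S+ (\d{1,3}(?:\.\d{1,3}){3}):(\d+) -> (\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")
PROTO_RE = re.compile(r"^(TCP|UDP|ICMP) TTL:\d+ TOS:0x([0-9A-Fa-f]+)")
SUFFIX_RE = re.compile(r"^(tcp|udp)(\d{1,5})$")   # trailing string, e.g. tcp443

# Constructed sample: record 1 is the alert from the slide, records 2 and 3
# are made up (a non-trigger alert and a repeat of the trigger alert).
SAMPLE_ALERTS = """\
[**] [1:1000986:0] __S_tcp443 [**]
[Priority: 0]
04/27-00:43:35.932503 198.19.3.1:56184 -> 198.18.4.1:443
TCP TTL:255 TOS:0xB8 ID:39797 IpLen:20 DgmLen:40
***AP**F Seq: 0x7F92F67A Ack: 0xF6474527 Win: 0x1020 TcpLen: 20

[**] [1:1000001:0] constructed non-trigger alert [**]
[Priority: 3]
04/27-00:43:36.000000 198.19.3.7:40000 -> 198.18.4.1:22
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60

[**] [1:1000986:0] __S_tcp443 [**]
[Priority: 0]
04/27-00:43:37.100000 198.19.3.1:56190 -> 198.18.4.1:443
TCP TTL:255 TOS:0xB8 ID:39801 IpLen:20 DgmLen:40
"""


def parse_alerts(text: str) -> List[Dict[str, str]]:
    """Split the alert file into blank-line separated records and pull out
    the message, endpoints, protocol and ToS byte of each."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        head = HEADER_RE.match(lines[0]) if lines else None
        if not head:
            continue                       # not an alert record
        rec = {"sid": head.group(2), "msg": head.group(4)}
        for line in lines[1:]:
            m = PACKET_RE.match(line)
            if m:
                rec.update(src=m.group(1), sport=m.group(2),
                           dst=m.group(3), dport=m.group(4))
            p = PROTO_RE.match(line)
            if p:
                rec.update(proto=p.group(1).lower(), tos=str(int(p.group(2), 16)))
        if "src" in rec:
            records.append(rec)
    return records


def flow_name(rec: Dict[str, str]) -> str:
    """Trailing string plus source IP, e.g. tcp443_198.19.3.1 (separator assumed)."""
    return "%s_%s" % (rec["msg"][len(TRIGGER):], rec["src"])


def sst_args(rec: Dict[str, str], controller: str, user: str,
             password: str, dpid: str) -> List[str]:
    """Argument vector for sst.py as documented in its --help output."""
    argv = ["sst.py", "--cact", "PUT", "--cip", controller, "--cuid", user,
            "--cpw", password, "--dpid", dpid, "--fname", flow_name(rec),
            "--act", HONEYPOT_ACTION, "--pri", str(SHUNT_PRIORITY),
            "--et", "IPv4", "--nwsrc", rec["src"]]
    suffix = SUFFIX_RE.match(rec["msg"][len(TRIGGER):])
    if suffix:   # narrow the flow to the protocol/port the rule fired on
        argv += ["--proto", suffix.group(1), "--tpdst", suffix.group(2)]
    return argv


def build_rules(text: str, controller: str, user: str,
                password: str, dpid: str) -> Dict[str, List[str]]:
    """One sst.py call per unique flow name; alerts without the trigger are ignored."""
    rules = {}
    for rec in parse_alerts(text):
        if not rec["msg"].startswith(TRIGGER):
            continue
        name = flow_name(rec)
        if name not in rules:   # flow name is the unique id; do not push it twice
            rules[name] = sst_args(rec, controller, user, password, dpid)
    return rules


if __name__ == "__main__":
    # Placeholder controller, credentials and DPID; replace with real values.
    for argv in build_rules(SAMPLE_ALERTS, "CONTROLLER_IP", "admin",
                            "PASSWORD_PLACEHOLDER", "00:00:00:00:00:00:00:01").values():
        print(" ".join(argv))
```

Deduplicating on the flow name is what keeps a chatty host from generating one controller PUT per packet; the rule's trailing string is parsed back into a protocol and port so the pushed flow is as narrow as the Snort rule that fired, and an unparseable suffix falls back to a source-IP-only match.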

Monitoring Network

Monitoring Network Options

• The Monitoring Network can be built using SDN technology or traditional appliances:

• In the WWT ATC deployment we have used both:

  • Ixia's Net Tool Optimizer® (NTO)

  • Cisco Nexus Data Broker (Monitor Manager)

• Monitor Manager provides a REST API interface to programmatically create or modify rules and filters.

• An additional SDN option is Big Switch Networks Big Tap™ Monitoring Fabric

(Monitoring network diagram: Cisco XNC Controller with Monitor Manager driving Nexus 3K switches over SDN and a REST API; taps from the corporate network and the Internet WAN edge feed Security Onion and wireshark)

Demonstration

Demonstration Video

• Watch the video to see how security-defined routing combines cyber analytics and SDN to protect the network:

• http://youtu.be/KvZuklmi9uU

(Lifecycle diagram: Forwarding and Replication, by Cisco Nexus 3000 Series Switches with the Plug-in for OpenFlow, between Inside and Outside; Filter and Disseminate, by Cisco Monitor Manager or Ixia's Anue Net Tool Optimizer® (NTO); Analyze and Alert, by intrusion prevention; Implement Intrusion Prevention, by the Security-Defined Routing software through the Cisco® Extensible Network Controller (XNC))

Solution Advantages

• Enhanced Scalability – IDS is separated from IPS: the OpenFlow switch implements tapping and IPS

• Seamlessly Manage Appliances - IDS systems can be added, removed, or upgraded, without introducing high-impact changes to the IPS service in the production network.

• Multiple “Sets of Eyes” - Network traffic can be easily copied to multiple intrusion detection devices.

• Rapid Mitigation – The OpenFlow switch is programmatically updated to block or shunt traffic.

• Consistent Policy Implementation - Alerts generated at one Internet gateway can trigger the same policy at all Internet gateways.

• This solution is deployed at the Internet edge; expect to see similar concepts deployed inside the enterprise, e.g. for BYOD

• Network provisioning and configuration will increasingly become less chassis-by-chassis and more controller-based

• Network resources will align with business requirements through application resource profiles and network containers.

• Brush up on your programming skills.

Looking Forward

http://marketing.wwt.com/SDNGuide_Registration.html
