Protecting Your SDN and NFV Network from Cyber Security Vulnerabilities with Full Perimeter Defense
-
© 2015 - Proprietary and Confidential Information of Telco Systems
| Leading the way to IT-aware networks | www.telco.com
Telco Systems and Celare in a nutshell
Company overview
• Sister companies, both subsidiaries of the BATM group (LSE:BVC)
• End-to-end CE 2.0, MPLS, SDN & NFV and cyber portfolio
• Among the first to launch SDN & NFV solutions
• Multi-billion dollar install base at 300+ service providers in 50 countries
• Headquarters in the United States and Israel, international offices in LATAM, EMEA and APAC
Some of our customers
-
What do we do in the SDN/NFV era?
• Carrier-grade D-NFV solution: x86 CPU blade NFV host with hardware acceleration / hardware offload
• Centralized orchestration of D-NFV devices: data path service management, VNF lifecycle management and chaining; SBI: NETCONF and OpenFlow, NBI: SOAP
• Best-of-breed application portfolio
-
[Survey chart: “Please rate the level of security risk posed by the following aspects of virtualization” (97 respondents)]
-
Telecom networks today
• Used for providing L2/L3 pipes
• Control plane is separated from the data plane
• Devices run a closed, proprietary OS: Cisco IOS, Juniper JUNOS, Telco Systems BiNOX
[Diagram: 10GE and Nx10GE MPLS/Ethernet access into the IP/MPLS core]
End users cannot reach the control plane, so attacking the infrastructure is harder
-
Tomorrow’s networks – the SDN/NFV era
SDN: software-based networks
• Devices are remotely provisioned and controlled, on demand and in real time, so the network becomes attackable through its programmable devices
• Changes are invoked by end users in self-service or by business-facing representatives (rather than by engineering/network staff)
NFV: virtualizing the network infrastructure
• Telcos’ networks become “open” to IT threats
• Malware can run on any device
• DDoS attacks on network resources
[Diagram: new dimensions of cyber threats across the CO, cellular, broadband Ethernet and CPE]
-
Security challenges with distributed-NFV
[Diagram: data center with controller, NFV/cloud computing and compute nodes]
OpenStack is the de facto enabler for NFV
Fact: NFV expands out of the data center: uCPE, vCPE, MEC, …
-
Security challenges with distributed-NFV
[Diagram: distributed NFV, with the controller in the data center and compute at the vCPE, enterprise/CPE, mobile edge computing and uCPE sites]
In distributed NFV the OpenStack controller-to-compute interfaces (VNC, SSH, HTTP and more) run over the WAN/Internet rather than inside the data center
-
Security challenges with distributed-NFV
“Over 500 pin holes had to be opened in the firewall to allow this to work”
“OpenStack’s design presents too many attack vectors.”
Peter Wills, BT, “How NFV is different from Cloud: Using OpenStack for Distributed NFV”, October 2015
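To make the pinhole problem concrete, the following added example (not Telco Systems, Celare or BT code) audits the listening sockets of a distributed-NFV compute node and reports which controller-to-compute services are reachable from the WAN side instead of being confined to a management overlay. The `ss -ltn` output, the WAN address 203.0.113.10, the overlay 10.200.0.0/24 and the port-to-service table are constructed assumptions; the ports are the common OpenStack, libvirt and VNC defaults and must be checked against the real deployment.

```python
"""Audit which NFVI management listeners on a remote compute node are reachable
from the WAN. Added example, not Telco Systems/Celare code; the port table,
addresses and `ss` output are assumptions constructed for illustration."""
import ipaddress
import re
from typing import List, Optional, Tuple

# Common default ports for the controller-to-compute interfaces named on the
# slide (VNC, SSH, HTTP APIs) plus libvirt and AMQP. Assumed defaults: verify
# against the deployment's own configuration.
KNOWN_PORTS = {
    22: "ssh",
    5672: "amqp (oslo.messaging)",
    6080: "novnc proxy (http)",
    8774: "nova api (http)",
    9696: "neutron api (http)",
    16509: "libvirt tcp (cleartext)",
    16514: "libvirt tls",
}


def service_name(port: int) -> str:
    if 5900 <= port <= 5999:          # per-instance VNC consoles
        return "vnc console"
    return KNOWN_PORTS.get(port, "unknown")


# Matches `ss -ltn` rows: State Recv-Q Send-Q Local:Port Peer:Port
SS_LINE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+")


def parse_ss(text: str) -> List[Tuple[str, int]]:
    """Return (local_addr, port) for every LISTEN row; IPv6 brackets removed."""
    listeners = []
    for line in text.splitlines():
        m = SS_LINE.match(line.strip())
        if m:
            listeners.append((m.group(1).strip("[]"), int(m.group(2))))
    return listeners


def exposure_reason(addr: str, wan_addrs, mgmt_net) -> Optional[str]:
    """Why a socket bound to `addr` is reachable from the WAN, or None if it is not."""
    if addr == "*":
        return "bound to wildcard address"
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:             # 0.0.0.0 or :: listens on every interface
        return "bound to wildcard address"
    if ip.is_loopback:
        return None
    if ip in wan_addrs:
        return "bound to WAN-facing address"
    if ip in mgmt_net:                # management overlay (e.g. a tunnel) only
        return None
    return "bound to address outside the management overlay"


def audit(ss_output: str, wan_addrs, mgmt_net) -> List[Tuple[int, str, str]]:
    """Sorted (port, service, description) for every WAN-reachable listener."""
    findings = []
    wan = {ipaddress.ip_address(a) for a in wan_addrs}
    for addr, port in parse_ss(ss_output):
        reason = exposure_reason(addr, wan, mgmt_net)
        if reason:
            findings.append((port, service_name(port), f"{addr}:{port} {reason}"))
    return sorted(findings)


# Constructed `ss -ltn` output from a hypothetical uCPE compute node whose WAN
# address is 203.0.113.10 and whose management overlay is 10.200.0.0/24.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*
LISTEN 0      5      0.0.0.0:5900         0.0.0.0:*
LISTEN 0      128    203.0.113.10:16509   0.0.0.0:*
LISTEN 0      128    10.200.0.7:16514     0.0.0.0:*
LISTEN 0      128    10.200.0.7:5672      0.0.0.0:*
LISTEN 0      128    [::]:6080            [::]:*
LISTEN 0      80     127.0.0.1:3306       0.0.0.0:*
"""
WAN_ADDRS = {"203.0.113.10"}
MGMT_NET = ipaddress.ip_network("10.200.0.0/24")

if __name__ == "__main__":
    for port, svc, msg in audit(SAMPLE_SS, WAN_ADDRS, MGMT_NET):
        print(f"EXPOSED {svc:24s} {msg}")
```

On the constructed node the libvirt TLS and AMQP listeners bound to the overlay address pass, while SSH, the VNC console and the noVNC proxy (bound to wildcard) and cleartext libvirt (bound to the WAN address) are reported; each of those is one of the firewall pinholes the quote refers to.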
-
NFV device – zoom in
• NFV OS is based on open building blocks: Linux, Open vSwitch, OpenStack
• User traffic flows through the data plane to the control plane and on to the applications (VMs)
[Diagram: users connected to a host running Linux OS, hypervisor/vSwitch and VM#1..VM#N; threat labels: malware, remote access, VNF-specific, DDoS]
-
Telco Systems and Celare introduce:
SDN/NFV Security Infrastructure solution
-
NFV CyberGuard solution
[Diagram: closed loop of 1. Collection (network probes, agents on NFV devices and on the NFV platform), 2. Analytics (big data), 3. Detection and 4. Action (SDN controller)]
Components: network probes, NFVI agents, big data analytics and SDN controller
-
NFV CyberGuard solution: distributed, big-data, actionable
• Network-wide probes and agents: probes at POP, CO, DC and vCE; agents on the NFVI; full session reconstruction; metadata/context extraction; wire speed with hardware acceleration
• Analytics and detection: network behavior anomaly detection (NBAD), threat prediction, execution of 3rd-party applications and algorithms
• Big data: recording and indexing, historical network DB, network situational awareness, investigation, information discovery and analytics
• Actionable control: centralized control and orchestration; remote shut-off of flows, services, VNFs and devices; distributed bypass, reroute and redirect; active probe deployment and collection
-
TVE – Carrier Grade Virtualization Engine
[Diagram: x86/ARM host running Linux OS, hypervisor/vSwitch and VM#1..VM#N alongside a secure virtual appliance, with an L2 switch and access list in front]
• Celare smart probe plugs into the Telco TVE (Telco Virtualization Engine) in inline mode
• Inspects every flow entering the virtualization engine
• Blocks threats/malware at the NFVI and at the Carrier Ethernet switch: controls the L2 switch to block flows through its access list
-
Big data - conceptual architecture
[Diagram: big data conceptual architecture. Sources (metadata, PCAPs, statistics, external feeds, configuration, logs) feed an aggregator into the stores (NoSQL database, HDFS, OEP, graph, analytical DB, system metadata store); detectors, analytics, learning, enrichment and indexing run over them and produce information discovery, reports, ad-hoc queries, insights and alerts for the network analyst desktop and for applications and services (service request / start session)]
-
Event processing engine
• Rule sets can be defined on demand and activated immediately
• Monitors streams in real time
• Filtering: a new stream filtered on specific criteria
• Pattern matching: notification of detected event patterns, e.g. events A, B and C occurred within a 15-minute window
• In-memory continuous queries: runs in memory (not in a database) with continuous queries on the data
• Powerful and potentially limitless extensibility with data cartridges
[Slide figure: sample in-memory stream of ticker records (symbol, name, price, volume, date, time) feeding "complex queries"]
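As an added example (not Telco Systems', Celare's or Oracle's code), the following Python implements the two stages the slide names: a filtering stage, then an in-memory match of "A, then B, then C within 15 minutes" per source host over a sliding window, with old events evicted as the stream advances. The event kinds (portscan, vnc_auth_fail, new_outbound_flow), the log format, the management subnet and the sample events are constructed for illustration; the stream is assumed to arrive in time order.

```python
"""Tiny in-memory event processing engine: a filter stage followed by an
ordered-pattern detector over a per-source sliding window. Added example, not
Telco Systems/Celare code; event names, log format and sample are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Callable, Deque, Dict, List, Optional, Sequence, Tuple

Event = Tuple[datetime, str, str]   # (timestamp, source host, event kind)


def parse_event(line: str) -> Event:
    """Constructed format: '<ISO timestamp> <source ip> <event kind>'."""
    ts, src, kind = line.split()
    return datetime.fromisoformat(ts), src, kind


class PatternMatcher:
    """Fires when the kinds in `pattern` occur in order for the same key with
    the whole sequence inside `window`. Events must arrive time-ordered."""

    def __init__(self, pattern: Sequence[str], window: timedelta):
        self.pattern = tuple(pattern)
        self.window = window
        self.history: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
        self.alerts: List[Tuple[str, datetime, datetime]] = []

    def push(self, ts: datetime, key: str, kind: str) -> bool:
        q = self.history[key]
        if q and ts < q[-1][0]:
            raise ValueError("stream must be time-ordered")
        q.append((ts, kind))
        while ts - q[0][0] > self.window:        # evict events that fell out of the window
            q.popleft()
        start = self._first_match(q)
        if start is None:
            return False
        self.alerts.append((key, start, ts))     # (key, first event of the sequence, last)
        q.clear()                                # fire once per sequence
        return True

    def _first_match(self, q) -> Optional[datetime]:
        """Timestamp of the earliest in-order occurrence of `pattern` in q, or None."""
        i, start = 0, None
        for ts, kind in q:
            if kind == self.pattern[i]:
                if i == 0:
                    start = ts
                i += 1
                if i == len(self.pattern):
                    return start
        return None


MGMT_NET = ip_network("10.200.0.0/24")   # constructed: management overlay, not monitored here


def not_from_mgmt(ev: Event) -> bool:
    return ip_address(ev[1]) not in MGMT_NET


def run(lines: Sequence[str], keep: Callable[[Event], bool] = not_from_mgmt,
        pattern: Sequence[str] = ("portscan", "vnc_auth_fail", "new_outbound_flow"),
        window: timedelta = timedelta(minutes=15)) -> List[Tuple[str, datetime, datetime]]:
    matcher = PatternMatcher(pattern, window)
    for line in lines:
        ev = parse_event(line)
        if keep(ev):                             # filtering stage: drop uninteresting events
            matcher.push(*ev)
    return matcher.alerts


# Constructed probe events: 10.0.0.5 completes the sequence in 12 minutes;
# 10.0.0.9's portscan ages out of the window before its outbound flow appears.
SAMPLE = """\
2015-11-04T10:00:00 10.0.0.5 portscan
2015-11-04T10:04:00 10.0.0.5 vnc_auth_fail
2015-11-04T10:05:00 10.0.0.9 vnc_auth_fail
2015-11-04T10:06:00 10.200.0.7 portscan
2015-11-04T10:12:00 10.0.0.5 new_outbound_flow
2015-11-04T10:20:00 10.0.0.9 portscan
2015-11-04T10:50:00 10.0.0.9 vnc_auth_fail
2015-11-04T10:55:00 10.0.0.9 new_outbound_flow
""".splitlines()

if __name__ == "__main__":
    for key, start, end in run(SAMPLE):
        print(f"ALERT {key}: sequence {start.isoformat()} .. {end.isoformat()}")
```

The window is enforced on the deque rather than by timestamps in the query, so memory per key is bounded by the event rate times the window, which is what keeps a continuous in-memory query from growing without limit.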
-
Visualization & information discovery
• Event-driven design
• Supports GEO/maps
• Advanced graphs and filters
• Network situational awareness
• Facet search
-
Graph network visualization
11/4/2015
• Intuitive visualization
• Visual filters
• Advanced search: nodes & links
• Zoom for details
• Multiple views
-
Actionable control & protection | VNF
[Diagram: NFVI hosting a vFW and a vCache VNF in a service chain, controlled by the SDN controller]
1. vCache VNF under attack
2. Bypass the VNF
3. Stop the VNF
4. Resume operations
-
Actionable control & protection | Device
[Diagram: NFVI device and SDN controller]
1. Infected device
2. Shut down its services
3. Reroute
4. Shut down the device
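The two response sequences above, VNF under attack and infected device, as an added example of the controller-side logic (not Telco Systems or Celare code): a service chain renders OpenFlow-style rules from per-VNF state, refuses to stop a VNF that is still in the forwarding path (bypass must come first, otherwise traffic is blackholed), and an infected device has its chains re-homed to a backup before it is shut down. The chain and device names, the rule shape and the backup-device policy are assumptions.

```python
"""Controller-side response playbook for the two sequences on the slides:
VNF under attack (bypass, stop, resume) and infected device (shut down
services, reroute, shut down device). Added example, not Telco Systems/Celare
code; names, the rule shape and the backup policy are assumptions."""
from typing import Dict, List


class ServiceChain:
    """Ordered VNF hops between ingress and egress, rendered as OpenFlow-style
    match/action rules over logical ports (a simplification of real SBI calls)."""

    def __init__(self, name: str, device: str, hops: List[str]):
        self.name, self.device = name, device
        self.hops = list(hops)                               # e.g. ["vFW", "vCache"]
        self.state: Dict[str, str] = {h: "active" for h in hops}

    def path(self) -> List[str]:
        # only active hops carry traffic; bypassed and stopped hops are skipped
        return ["ingress"] + [h for h in self.hops if self.state[h] == "active"] + ["egress"]

    def flow_rules(self) -> List[dict]:
        p = self.path()
        return [{"match": {"in_port": a}, "actions": [{"output": b}]} for a, b in zip(p, p[1:])]

    def bypass(self, vnf: str) -> None:
        self._require(vnf, "active")
        self.state[vnf] = "bypassed"                         # traffic now skips the VNF

    def stop(self, vnf: str) -> None:
        # a VNF still in the forwarding path must be bypassed first, or traffic is blackholed
        self._require(vnf, "bypassed")
        self.state[vnf] = "stopped"

    def resume(self, vnf: str) -> None:
        self._require(vnf, "stopped")                        # assumes the VNF was restarted clean
        self.state[vnf] = "active"

    def _require(self, vnf: str, expected: str) -> None:
        if vnf not in self.state:
            raise KeyError(f"{vnf} is not in chain {self.name}")
        if self.state[vnf] != expected:
            raise RuntimeError(f"{vnf} is {self.state[vnf]}, expected {expected}")


class Controller:
    def __init__(self) -> None:
        self.chains: Dict[str, ServiceChain] = {}
        self.devices: Dict[str, str] = {}                    # device -> "up" | "down"
        self.log: List[str] = []

    def add_chain(self, chain: ServiceChain) -> None:
        if self.devices.get(chain.device) == "down":
            raise RuntimeError(f"{chain.device} is shut down")
        self.chains[chain.name] = chain
        self.devices.setdefault(chain.device, "up")

    def vnf_under_attack(self, chain_name: str, vnf: str) -> List[dict]:
        """Steps 1-3: bypass first, push the new rules, then stop the VNF."""
        chain = self.chains[chain_name]
        chain.bypass(vnf)
        rules = chain.flow_rules()
        self.log.append(f"{chain_name}: pushed {len(rules)} rules bypassing {vnf}")
        chain.stop(vnf)
        self.log.append(f"{chain_name}: stopped {vnf}")
        return rules

    def device_infected(self, device: str, backup: str) -> List[str]:
        """Steps 1-4: shut down the device's services, reroute its chains to a
        backup device (fresh VNF instances), then shut the device down."""
        if self.devices.get(backup, "up") == "down":
            raise RuntimeError(f"backup {backup} is shut down")
        moved = []
        for chain in self.chains.values():
            if chain.device != device:
                continue
            for vnf in chain.hops:                           # shut down services
                if chain.state[vnf] == "active":
                    chain.bypass(vnf)
                if chain.state[vnf] == "bypassed":
                    chain.stop(vnf)
            chain.device = backup                            # reroute to clean instances
            for vnf in chain.hops:
                chain.resume(vnf)
            moved.append(chain.name)
        self.devices[device] = "down"                        # shut down device
        self.devices.setdefault(backup, "up")
        self.log.append(f"{device}: moved {moved} to {backup}, device shut down")
        return moved


if __name__ == "__main__":
    ctl = Controller()
    ctl.add_chain(ServiceChain("enterprise-A", "ucpe-1", ["vFW", "vCache"]))
    print(ctl.vnf_under_attack("enterprise-A", "vCache"))
    print(ctl.device_infected("ucpe-1", "ucpe-2"), ctl.log)
```

The ordering constraint is the point: the rules that skip the VNF are computed and pushed while the VNF is still running, and only then is it stopped, so the chain never forwards to a port with nothing behind it.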
-
Solution benefits
• Currently the only real comprehensive solution to protect NFV infrastructure, targeted at telecom networks
• Inspects network traffic at the network edge, close to the end points
• Cloud-based big data reservoir giving the operator a global, centralized view of all NFV appliances and infrastructure
• Integrated with Oracle Big Data tools and the SDN controller
• Able to block a wide range of network cyber threats
• Open API for external systems and 3rd-party applications and algorithms
-
Thank you!