Protecting Your SDN and NFV Network from Cyber Security Vulnerabilities with Full Perimeter Defense

Post on 25-Sep-2020


  • Protecting Your SDN and NFV Network from Cyber Security Vulnerabilities with Full Perimeter Defense

  • © 2015 - Proprietary and Confidential Information of Telco Systems

    | Leading the way to IT-aware networks | www.telco.com

    Telco Systems and Celare in a nutshell

    Company overview

    • Sister companies, subsidiary of BATM group (LSE:BVC)

    • End-to-end CE 2.0, MPLS, SDN & NFV and Cyber portfolio

    • Among the first to launch SDN & NFV solutions

    • Multi-billion dollar install base at 300+ service providers in 50 countries

    • Headquarters in the United States and Israel, international offices in LATAM, EMEA and APAC

    Some of our customers

  • What do we do in the SDN/NFV era?

    Carrier Grade D-NFV Solution x86 CPU Blade NFV Host Hardware Acceleration | Hardware Offload

    Centralized Orchestration of D-NFV Devices Data Path Service Management VNF Lifecycle Management & Chaining SBI: Netconf & OpenFlow | NBI: SOAP

    Best of Breed Application Portfolio

  • “Please rate the level of security risk posed by the following aspects of virtualization”

    # of respondents: 97

  • Telecom networks today

    • Used for providing L2/L3 pipes

    • Control plane is separated from data plane

    • Devices run closed proprietary OS: Cisco IOS, Juniper Junos, Telco Systems BiNOX

    [Diagram labels: Nx10GE MPLS/Ethernet, IP/MPLS core, 10GE]

    End users can’t access the control plane, so attacking the infrastructure is more challenging

  • Tomorrow’s networks – the SDN/NFV era

    SDN: software-based networks

    • Devices are remotely provisioned and controlled, on demand and in real time, so networks become hackable via programmable devices

    • Invoked by the end user in self-service or by a business-facing representative (vs. engineering/network)

    NFV: virtualize the network infrastructure

    • Telcos’ networks become “open” to IT threats

    • Malware can run on any device

    • DDoS attacks on network resources

    New Dimensions of Cyber Threats

    [Diagram labels: CO, Cellular, Broadband Ethernet, CPE]

  • Security challenges with distributed-NFV

    [Diagram labels: Data Center, Controller, NFV/Cloud Computing, Compute Nodes]

    OpenStack is the de facto enabler for NFV

    Fact: NFV expands out of the Data Center: uCPE, vCPE, MEC, …

  • Security challenges with distributed-NFV

    [Diagram labels: vCPE, Enterprise/CPE, Mobile Edge Computing, Distributed NFV, Controller, Compute, uCPE Compute]

    The OpenStack controller-to-compute connection implements multiple interfaces over the WAN/Internet: VNC, SSH, HTTP & more

  • Security challenges with distributed-NFV

    “Over 500 pin holes had to be opened in the firewall to allow this to work”

    “Openstack’s design presents too many attack vectors.”

    Peter Wills, BT, “How NFV is different from Cloud: Using OpenStack for Distributed NFV”, October 2015

  • NFV device – zoom in

    • NFV OS is based on open building blocks: Linux, Open vSwitch, OpenStack

    • User traffic flows through the data plane to the control plane and to the applications (VMs)

    [Diagram labels: USERS, Linux OS, Hypervisor / vSwitch, VM#1, VM#2, VM#N; threat labels: Malware, DDoS, Remote Access, VNF Specific]

  • Telco Systems and Celare introduce:

    SDN/NFV Security Infrastructure solution

  • NFV CyberGuard solution

    Network Probes, NFVI Agents, Big Data Analytics and SDN Controller

    1. Collection

    2. Analytics

    3. Detection

    4. Action

    [Diagram labels: SDN CONTROLLER, BIG DATA, Network Probe, Agent on NFV Device, Agent on NFV Platform]

  • NFV CyberGuard solution

    Distributed, Big-Data, Actionable

    Network-wide probes:

    Probes: POP, CO, DC, vCE

    Agents: NFVI

    Full session reconstruction

    Metadata / context extraction

    Wire Speed / HW Acceleration

    Network behavior anomaly detection (NBAD), Threat Prediction

    Execute 3rd party applications & algorithms

    Big Data Recording & Indexing, Historical network DB, Network situational awareness

    Investigation, Information discovery & analytics

    Centralized control & orchestration

    Remote shut-off flows, services, VNF, devices

    Distributed bypass, reroute, redirect

    Active probe deployment & collection

  • TVE – Carrier Grade Virtualization Engine

    • Celare smart probe plugs into Telco TVE (Telco Virtualization Engine) in inline mode

    • Inspecting every flow entering the virtualization engine

    • Blocking the threats/malware at:

      • VNFI

      • Carrier Ethernet switch:

        • Control the L2 switch to block flows

    [Diagram labels: VM#1, VM#2, VM#N, Linux OS, Hypervisor / vSwitch, Secure virtual appliance, L2 Switch, X86/ARM, Access List]

  • Big data - conceptual architecture

    [Diagram labels: NoSQL Database, HDFS, OEP, Graph, Detectors, Analytics, Learning, Metadata, PCAP’s, Statistics, External, Configuration, Logs, Analytical DB, System MD Store, Information Discovery, Reports, Ad-hoc Queries, Enrichment, Insights & Alert, Index, Get, Network Analyst Desktop, Applications & Services, Service Request (Start Session), Aggregator]

  • Event processing engine

    • Rule sets can be defined easily, on demand, and activated immediately

    • Monitor streams in real-time

    • Filtering - New stream filtered for specific criteria

    • Pattern Matching - Notification of detected event patterns, e.g. events A, B and C occurred within a 15-minute window

    • In-Memory, continuous queries

    • Runs In-Memory (not database) with continuous Queries on the data

    • Powerful and potentially limitless Extensibility with Data Cartridges
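
The filtering and pattern-matching rules listed on this slide (events A, B and C for the same source within a 15-minute window), sketched as an in-memory continuous query. This is an added example, not code from Telco Systems, Celare or the event processing product; the event names, device names and the assumption that events arrive in timestamp order are hypothetical.

```python
from collections import defaultdict

WINDOW_SECONDS = 15 * 60  # the slide's 15-minute window

class PatternDetector:
    """Alert when every event type in `pattern` has been seen for the
    same device within `window` seconds (order of the types is free)."""

    def __init__(self, pattern, window=WINDOW_SECONDS, keep=None):
        self.pattern = frozenset(pattern)
        self.window = window
        self.keep = keep or (lambda event: True)  # filtering stage
        self.last_seen = defaultdict(dict)        # device -> {type: ts}

    def feed(self, event):
        """Process one event dict (ts, device, type); return an alert or None."""
        if not self.keep(event) or event["type"] not in self.pattern:
            return None
        seen = self.last_seen[event["device"]]
        seen[event["type"]] = event["ts"]
        # Drop occurrences that have slid out of the window.
        cutoff = event["ts"] - self.window
        for etype in [t for t, ts in seen.items() if ts < cutoff]:
            del seen[etype]
        if set(seen) == self.pattern:
            alert = {"device": event["device"],
                     "first": min(seen.values()), "last": event["ts"]}
            seen.clear()  # re-arm so one burst yields one alert
            return alert
        return None

def run(events, detector):
    """Feed a stream through the detector and collect the alerts."""
    return [a for a in map(detector.feed, events) if a is not None]

# Constructed sample stream (ts in seconds; all names are hypothetical).
SAMPLE = [
    {"ts": 0,    "device": "ucpe-1", "type": "auth_failure"},
    {"ts": 100,  "device": "ucpe-2", "type": "auth_failure"},
    {"ts": 400,  "device": "ucpe-1", "type": "new_listener"},
    {"ts": 850,  "device": "ucpe-1", "type": "config_change"},  # all 3 in 900 s
    {"ts": 1200, "device": "ucpe-2", "type": "new_listener"},
    {"ts": 1300, "device": "ucpe-2", "type": "config_change"},  # first one expired
    {"ts": 1400, "device": "lab-9",  "type": "auth_failure"},   # filtered out
]
PATTERN = {"auth_failure", "new_listener", "config_change"}
DETECTOR = PatternDetector(PATTERN, keep=lambda e: e["device"].startswith("ucpe-"))
ALERTS = run(SAMPLE, DETECTOR)
```

Only `ucpe-1` raises an alert: on `ucpe-2` the first event is more than 15 minutes old by the time the third arrives, and `lab-9` never passes the filter.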

    [Figure: sample stream of stock-tick records processed by COMPLEX QUERIES]

  • Visualization & information discovery

    • Solution designed to be event-driven

    • Supports GEO/Maps

    • Advanced graphs and filters

    • Network Situational Awareness

    • Facet search

  • Graph network visualization

    11/4/2015

    • Intuitive visualization

    • Visual filters

    • Advanced search: nodes & links

    • Zoom for details

    • Multiple views

  • Actionable control & protection | VNF

    1. vCache VNF under Attack

    2. Bypass VNF

    3. Stop VNF

    [Diagram labels: SDN CONTROLLER, NFVI, vFW, vCache]

  • Actionable control & protection | VNF

    1. vCache VNF under Attack

    2. Bypass VNF

    3. Stop VNF

    4. Resume Operations

    [Diagram labels: SDN CONTROLLER, NFVI, vFW, vCache]

  • Actionable control & protection | Device

    1. Infected Device

    2. Shut-Down Services

    3. Reroute

    4. Shut-Down Device

    [Diagram labels: SDN CONTROLLER, NFVI]

  • Solution benefits

    • Currently the only real comprehensive solution to protect NFV infrastructure targeted to Telecom networks

    • Inspecting network traffic at the network edge & close to the end points.

    • Cloud-based Big Data reservoir providing the operator a global, centralized view of all NFV appliances & infrastructure

    • Integrated with Oracle Big Data & tools and SDN controller

    • Ability to block a wide range of network cyber threats

    • Open API for external systems and 3rd party applications and algorithms

  • Thank you!