Copyright 2015 Alcatel-Lucent. All rights reserved.
CONFIDENTIAL - SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW. PROPRIETARY – USE PURSUANT TO COMPANY INSTRUCTION
SDN & the pursuit of building more secure datacenters
Hussein Khazaal, Sr. Director Technical BD, @hakhazaal
© 2016 Nokia. All rights reserved. Nuage Networks is a Nokia venture. CONFIDENTIAL - SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW. PROPRIETARY – USE PURSUANT TO COMPANY INSTRUCTION
Nuage Networks
• HQ in Silicon Valley with a global team
• A Nokia venture focused on datacenter network evolution for the cloud era
• Offers an open, high-performance, scalable SDN solution that supports any workload, anywhere and over any physical infrastructure
• Member of the OpenStack community
(Slide graphic: OpenStack release logos Mitaka, Liberty, Kilo, Juno, Icehouse)
Nuage Networks Virtualized Services Platform (VSP)
• Virtualized Services Directory (VSD), cloud service management plane: Network Policy Engine that abstracts complexity; service templates and analytics
• Virtualized Services Controller (VSC), datacenter control plane: SDN controller that programs the network; rich routing feature set based on ALU 7x50
• Virtual Routing & Switching (VRS), datacenter data plane: distributed switch/router with L2-4 rules; integration of bare metal assets
(Slide graphic, Nuage Networks VSP Architecture: VSD above VSC; VSC speaks MP-BGP to the VRS on each hypervisor and to a Hardware GW for Bare Metal across the IP Fabric; an Edge Router peers via MP-BGP; VPC shown)
Market Trends Driving New Security Requirements (9/15/16)
Drivers: Threat Landscape; Move to Cloud
• Security Automation
• Multi-tenancy
• Support Mobility
• Mitigate lateral spread
• Visibility to East/West Traffic
• Fast Response
“1 Billion+ Records breached in 2014” - Gemalto Research, 2015
“205 days on average to detect threats” - Mandiant M-Trends, 2015
“Firewall rule/ACL management is time-consuming and complex” - ESG IT Security Professionals Survey, 2015
Challenges with Existing Data Center Security Model
Protection: lack of sufficient segmentation; limited by static network topology
Detection: lack of visibility for east/west traffic; manual intervention
Operations: complex; manual process
SDN can help address these challenges!
Current Approaches Aren’t Sufficient
Protection:
• Perimeter centric: requires trust between all apps and tenants
• Cannot enforce internal segmentation
Detection:
• Lack of visibility/control for East-West datacenter traffic
• Traditional approaches cannot scale for cloud
Operations:
• Manual processes delay policy changes and app delivery
• Costly to remediate, manage and update
Protection: Micro-Segmentation reduces risks with a “Zero-Trust” Model*
Benefits:
• Enforce security between end-points anywhere
• Restricts lateral movement of malware
Use Cases:
• High value asset protection
• PCI compliance
• Restrict shared services access
• Securing east/west application traffic
Micro-segmentation is changing the network security architecture
(Slide graphic, from Gartner, Network Security Architectures for Virtualized Data Centers, Joerg Fritsch, 10 August 2015, Figure 2: an Untrusted Zone / Outside (South), a DMZ, a Trusted Zone and a Restricted Zone, each behind its own Perimeter, holding workloads such as WWW, Mobile, App1, Index, Search, Mail, DB, SQL, VoIP, Record, Domain and Big Data)
* Forrester, Five Steps To A Zero Trust (ZT) Network, John Kindervag, July 27, 2016
Protection: Nuage VSP enables Flexible Segmentation for ANY End-point
• Secure multi-tenancy
• Isolation based on virtual networks
• Logical segmentation using policy groups
• Distributed L4 stateful firewall
• Supports bare-metal, VMs, containers
(Slide graphic: Tenant 1 with Virtual Network 1 (PCI Domain) holding an E-commerce front-end Policy Group and an E-commerce back-end Policy Group, and Virtual Network 2 (Non PCI Domain) holding Web Tier, App Tier and Data Tier Policy Groups)
Operations: Security Automation with Nuage Networks VSP
• Automate security service insertion based on forwarding policy
• Automate security provisioning at the time of workload instantiation and removal
• Automate enterprise-wide security enforcement to ensure compliance
(Slide graphic: Network Security defines a Global Policy Template and the Application Team defines an Application Specific Policy; both are rendered as ACL config on each hypervisor)
Detection: Visibility and Security Monitoring in Virtual Networks
• Contextual Flow Visibility
• Application Flow Detection
• Security Alerts
• Monitoring Reports
• ACL Flow Logging
• Policy based Mirroring
(Slide graphic: Web, App and DB tiers)
Sample Use-Case: Network and application-level micro-segmentation with advanced threat protection
Better Visibility, Compliance & Accelerated Threat Detection
(Slide graphic: Policy Engine (VSD), Controller (VSC) and Distributed Routing and Switching (VRS); ACL Allow and Deny Logs sent to an external syslog server; IDS/Security Analytics; ACL Logs for Compliance and Audit)
Faster Incident Response [Automated Quarantine]
Nuage VSP API to Quarantine Infected Servers/VMs
• Move VM to Quarantine Zone
• Apply security policy to block select communications (e.g., C&C, FTP)
(Slide graphic: IDS/IPS raises a Security Alert; Security Events reach the SIEM/IPS, which calls Nuage VSP; workloads shown in a Quarantine Zone and a Non-Infected/Clean Zone)
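The pipeline on the two slides above (ACL deny logs exported to syslog and analysed, then an API-driven quarantine) as an added example in Python; this is not Nuage code, and the log format, the lateral-movement threshold, the policy-group name and the blocked ports are assumptions.

```python
# Added example, not Nuage code: turn ACL deny logs exported to syslog (slide 12)
# into the quarantine decision slide 13 describes. ACL_LOG is constructed sample
# data; its key=value format, the thresholds and the action shape are assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta

ACL_LOG = """\
2016-09-15T10:00:01 vrs=hv01 action=DENY src=10.1.2.15 dst=10.1.3.7 dport=445
2016-09-15T10:00:02 vrs=hv01 action=DENY src=10.1.2.15 dst=10.1.3.8 dport=445
2016-09-15T10:00:03 vrs=hv01 action=ALLOW src=10.1.2.15 dst=10.1.4.20 dport=8080
2016-09-15T10:00:04 vrs=hv01 action=DENY src=10.1.2.15 dst=10.1.3.9 dport=22
2016-09-15T10:00:05 vrs=hv01 action=DENY src=10.1.2.15 dst=10.1.3.10 dport=3389
2016-09-15T10:09:00 vrs=hv01 action=DENY src=10.1.2.15 dst=10.1.3.11 dport=445
"""
LINE_RE = re.compile(r"(?P<ts>\S+) vrs=(?P<vrs>\S+) action=(?P<action>\S+) "
                     r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

def parse_acl_log(text):
    """Parse flow-log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events

def lateral_movement_sources(events, window_minutes=5, min_targets=4):
    """Sources denied to >= min_targets distinct destinations inside any sliding window."""
    window = timedelta(minutes=window_minutes)
    denied = defaultdict(list)
    for e in events:
        if e["action"] == "DENY":
            denied[e["src"]].append((e["ts"], e["dst"]))
    flagged = {}
    for src, hits in denied.items():
        hits.sort()  # the window scan below assumes chronological order
        for i, (t0, _) in enumerate(hits):
            targets = {d for t, d in hits[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                flagged[src] = sorted(targets)
                break
    return flagged

def quarantine_action(src, targets, blocked_ports=(21, 6667)):
    """Assumed SIEM-to-policy-engine request: move workload to quarantine, deny selected egress."""
    return {"workload": src, "move_to_policy_group": "quarantine",
            "deny_egress_ports": sorted(blocked_ports), "evidence": targets}
```

A deny burst against many east/west destinations is the kind of pattern a perimeter firewall never sees but a distributed L4 firewall logs on every hypervisor; the returned action is what the SIEM would hand to the policy engine's API.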
Nuage Networks VSP integration with industry leading products
• Security Automation
  • Policy based insertion of physical or virtual security services
  • Policy based security automation for any workload
• Advanced Security Controls
  • Application based micro-segmentation
  • Advanced threat protection
(Slide graphic: Virtualized Services Directory and Virtualized Services Controller exchange API calls and Event & Policy Synchronization with a Security Appliance Manager; hypervisors run a Virtualized Router/Switch; a Physical Gateway fronts a Physical FW and Virtual Gateways front vFWs)
Advanced Security Solutions through Partner Integration
• Protection with broad security eco-system integration
• Solutions enable advanced micro-segmentation, threat detection inside the datacenter and automated quarantine
• Flexible Security Service Insertion (Physical or Virtual Security Appliances)
• Investment Protection (works with existing security appliances and operational models)
(Slide graphic: VSP Built-in Security (Isolation, Micro-segmentation, L4 Distributed Firewall, Service Insertion) surrounded by partner capabilities: NGFW, Advanced Malware Defense, IPS, DDoS Protection, L4-7 Distributed Security, Endpoint Integrity Checks)
Demo
(Slide graphic: VMs & Containers; Any Security Vendor’s Firewall)
Nuage Networks VSP Addresses Cloud and Enterprise Data Center Security Challenges
Secure Multi-tenancy for Private and Public Cloud
✓ Reduces risk, lowers infrastructure costs
✓ Enables cloud service providers to offer network security as a service
Micro-Segmentation Prevents Lateral Malware Spread
✓ Embedded L4 distributed firewall with Adv. L4-7 Security service insertion
✓ Protects any workload (P, V, C), multi-hypervisor, any network
Policy based Security Automation and Compliance
✓ Policy based on logical context and grouping
✓ Automated provisioning of L4 security and compliance enforcement
Faster Incident Response with Automated Quarantine
✓ APIs for integration with threat detection/SIEM systems to automate quarantine
THANK YOU! Want to learn more? Visit our OpenStack summit booth to see live demos, or our website @ www.nuagenetworks.net/partners
Got questions? [email protected]