http://cybergamut.com/2014/09/technical-tuesday-28-october-2014-software-defined-networking-by-joel-king-of-world-wide-technology/


Page 1: Security defined routing_cybergamut_v1_1

Copyright © 2014 World Wide Technology, Inc. All rights reserved.

Security-Defined Routing

Joel W. King Technical Solutions Architect Enterprise Networking Solutions Engineering and Innovations

Page 2: Security defined routing_cybergamut_v1_1

Agenda

• Background: Who, What and Why?

• Process flow – Topology Diagrams

• OpenFlow Mechanics

• Software

• Monitoring Network

• Demonstration Video

• Summary

Page 3: Security defined routing_cybergamut_v1_1

Who am I?

• Software-Defined Networking Discipline Lead at WWT

• Goal: First to Educate

• Oversee SDN solution architectures, training and education for sales engineering, demonstrations, workshops. Focus area: Network Programmability

• Previously

• NetApp E-Series Storage – Big Data

• Cisco Systems CVDs – Cisco Validated Designs

Page 4: Security defined routing_cybergamut_v1_1

Why this was developed

• World Wide Technology (wwt.com)

• Value added systems integrator and supply chain solutions provider

• Advanced Technology Center (ATC) Hands-on access to over $50M in data center, virtualization, collaboration, networking and security solutions.

• Premise: Demonstrate a Software-Defined Networking (SDN) use case

• Integrate: SDN with Cyber Analytics Reference Architecture (CARA)

Page 5: Security defined routing_cybergamut_v1_1

What is Security-Defined Routing?

• Security-Defined Routing (SDR) is a play on the term Software-Defined Networking (SDN)

• Security-Defined Routing:

• Uses SDN (OpenFlow) switches

• Dynamic reprogrammability of network flows

• Normal IP packet forwarding reacts to security analytic engines

• Integrating security analytics with packet forwarding behavior

• Central Network Control dates back to AT&T’s Network Control Point in 1977.

• Why should cyber professionals care about SDN and Openflow?

http://en.wikipedia.org/wiki/2600:_The_Hacker_Quarterly

Page 6: Security defined routing_cybergamut_v1_1

Historical view of SDN

• Purist view of SDN has two characteristics (1):

• Control plane is separated from the device implementing the data plane

• Single control plane manages multiple network devices

• SDN / OpenFlow initial deployments were network research at universities (Stanford) providing cost-effective and ‘clean slate’ network architectures.

• OpenFlow is only one instantiation of SDN principles.

• SDN is a tool to enable a higher degree of control over network devices.

[Figure: control plane separated from the data plane devices it manages]

(1) The Road to SDN: An Intellectual History of Programmable Networks

Page 7: Security defined routing_cybergamut_v1_1

What is OpenFlow?

• Open Networking Foundation (ONF) manages the standard.

• Originated at Stanford University 2005 - 2009 - Martin Casado, et al.

• OpenFlow - a communications protocol that gives access to the forwarding plane of a network device - southbound from the SDN controller to communicate with switches.

• Flow Entry - an element in a flow table used to match and process packets: a data structure of matches, actions, counters, priority, and timeout values.

Fields from packets matched against flow entries:

• Ingress port

• Ethernet Source | Destination Address

• VLAN ID and Priority

• IP Source and Destination Address

• IP Protocol

• IP ToS bits

• TCP | UDP source port

• TCP | UDP destination port

Actions:

• Multiple actions can be specified

• Example: output to multiple ports, drop

Page 8: Security defined routing_cybergamut_v1_1

Basic Building Blocks: Controllers and Agents

Some network functionality is better implemented from centralized coordination of all the devices in the network domain.

• Controller – process on a server interacting with network devices using APIs / protocols.

• Agent – process on network devices implementing a specific function.

• API – allows applications external to the controller to query and change the network configuration

Page 9: Security defined routing_cybergamut_v1_1

Next Generation Firewalls

• Next-Generation Firewall Services provide more granular application usage control policies than port based firewalls.

• Advanced network security functions are computationally intensive, and they must run in real time while introducing little or no latency.

• Has the Layer 3 topology changed when deploying Next-Generation Firewalls?

• Why does the Firewall function need to be in the forwarding path?

Page 10: Security defined routing_cybergamut_v1_1

Value of Separating Detection from Prevention

Separating the intrusion detection (IDS) function from the intrusion prevention (IPS) function provides:

• Enhanced Scalability

• Seamlessly Manage Appliances

• Multiple “Sets of Eyes”

• Rapid Mitigation

• Consistent Policy Implementation

• Cost Effective

Page 11: Security defined routing_cybergamut_v1_1

Security-Defined Routing

SDR Solution includes the following components:

• An SDN controller

• OpenFlow switches between the WAN edge routers and the corporate firewalls

• Security-Defined Routing (SDR) software developed by World Wide Technology (WWT)

• Security analytics software:

• Cisco Sourcefire

• RSA Security Analytics

• Open Source Snort

[Topology diagram: Internet, WAN edge NEXUS-7K, OpenFlow switch, DMZ, internal networks; SDN Controller with Security-Defined Routing software receiving syslog from the Monitoring Network]

Page 12: Security defined routing_cybergamut_v1_1

Process Flow

Page 13: Security defined routing_cybergamut_v1_1

Security-Defined Routing

[Topology diagram: Trust Zone, DMZ, Un-Trusted Zone]

Page 14: Security defined routing_cybergamut_v1_1

Security-Defined Routing

[Topology diagram: Trust Zone, DMZ, Un-Trusted Zone and Monitoring Network; the Cisco XNC Controller programs the OpenFlow switch]

Page 15: Security defined routing_cybergamut_v1_1

Security-Defined Routing

[Topology diagram as on Page 14]

Page 16: Security defined routing_cybergamut_v1_1

Security-Defined Routing

[Topology diagram as on Page 14]

Page 17: Security defined routing_cybergamut_v1_1

Security-Defined Routing

[Topology diagram as on Page 14, with an ALERT! raised from the Monitoring Network to the Cisco XNC Controller]

Page 18: Security defined routing_cybergamut_v1_1

Security-Defined Routing

[Topology diagram as on Page 14, showing the attack traffic handled by the OpenFlow switch after the controller reprograms it]

Page 19: Security defined routing_cybergamut_v1_1

Security-Defined Routing

• Software-Defined Networking (OpenFlow) switches can be programmed to :

• Drop packets

• Replicate packets (e.g. SPAN / TAP) for monitoring

• Selectively divert traffic flows from the normal forwarding path.

• Security Analytics devices - intrusion detection system (IDS) identify malicious traffic.

• Python modules • Parses a Snort, RSA Security Analytics, Cisco Sourcefire alert (log) file

• Creates ‘firewall’ rules for the SDN controller and switch to implement

• Uses REST API to dynamically modify forwarding behavior to shunt traffic

• Offending host is blocked or routed to honeypot

Page 20: Security defined routing_cybergamut_v1_1

OpenFlow Mechanics

Page 21: Security defined routing_cybergamut_v1_1

OpenFlow - Static and Dynamic (reactive) Flows

[Diagram: OpenFlow switch between Trust Zone, DMZ and Un-Trusted Zone with Inside, Outside, Analytics and Honey Pot ports. Static flows in steady state: LLDP, ARP, IPv4 (Inside <-> Outside).]

Page 22: Security defined routing_cybergamut_v1_1

OpenFlow - Static and Dynamic (reactive) Flows

[Diagram as on Page 21, now with the static flow table shown; ingress/egress columns reconstructed from the slide labels:]

Flow              | Ingress   | Egress
LLDP              |           |
ARP               |           |
IPv4              | Inside    | Outside
IPv4 TCP 80       | Outside   | Inside & Analytics
IPv4 TCP 443      | Outside   | Inside & Analytics
Honey Pot to Inet | Honey Pot | Outside

Page 23: Security defined routing_cybergamut_v1_1

OpenFlow - Static and Dynamic (reactive) Flows

[Diagram as on Page 22, with one dynamic (reactive) flow added for the offending host; ingress/egress columns reconstructed from the slide labels:]

Flow                                  | Ingress   | Egress
LLDP                                  |           |
ARP                                   |           |
IPv4                                  | Inside    | Outside
IPv4 TCP 80                           | Outside   | Inside & Analytics
IPv4 TCP 443                          | Outside   | Inside & Analytics
Honey Pot to Inet                     | Honey Pot | Outside
Honey Pot TCP 443 (source 198.19.3.1) | Outside   | Honey Pot, or Drop

Page 24: Security defined routing_cybergamut_v1_1

Cisco Extensible Network Controller

[Screenshot: XNC flow list in the steady state configuration: LLDP, ARP, IPv4 (Inside / Outside), IPv4 TCP 80, IPv4 TCP 443, Honey Pot to Inet, Honey Pot]

Page 25: Security defined routing_cybergamut_v1_1

Flow Removal

• OpenFlow provides for aging flows from the switch

• Each flow entry has an idle_timeout and a hard_timeout

• Switches will remove flows older than the hard_timeout

• idle_timeout is invoked if no packets match during the timer

• The Northbound REST API can be used to manually delete flows

• The demo code removes flows after a few minutes.

• Caveats

• DDoS attacks could generate more flows than the switch can handle

• Switches vary in the number of flows supported.
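The flow entry structure from the OpenFlow page (matches, actions, counters, priority, timeouts) and the aging behaviour on this page, as one added Python example. This is not code from the deck, from Cisco XNC or from the OpenFlow specification: it is a small model of a switch flow table that picks the highest-priority matching entry for a packet, updates that entry's counter, removes entries on idle_timeout or hard_timeout, and refuses to install past a capacity limit so the DDoS caveat shows up as an error rather than a silent overflow. The port numbers, priorities, timeouts, flow-name format and the capacity of 4 are assumptions.

```python
from dataclasses import dataclass, field


class TableFull(Exception):
    """The switch has no room for another entry (the deck's DDoS caveat)."""


@dataclass
class FlowEntry:
    """One flow-table element: matches, actions, priority, counters, timeouts."""
    name: str
    match: dict               # wildcarded fields are simply absent from the dict
    actions: list             # e.g. ["OUTPUT=48"] or ["DROP"]
    priority: int             # higher number wins when several entries match
    installed: float          # time the entry was pushed (seconds)
    idle_timeout: float = 0   # 0 = never expire on inactivity
    hard_timeout: float = 0   # 0 = never expire on age
    packets: int = 0          # match counter
    last_match: float = field(init=False)

    def __post_init__(self):
        self.last_match = self.installed


class FlowTable:
    def __init__(self, capacity):
        self.capacity = capacity   # models the switch's flow-entry limit (assumed value)
        self.entries = {}

    def add(self, entry):
        """Install or replace an entry; refuse rather than silently overflow."""
        if entry.name not in self.entries and len(self.entries) >= self.capacity:
            raise TableFull(f"{self.capacity} entries in use, cannot add {entry.name}")
        self.entries[entry.name] = entry

    def delete(self, name):
        """Manual removal, what a Northbound REST DELETE would do."""
        return self.entries.pop(name, None) is not None

    def lookup(self, packet, now):
        """Return the actions of the highest-priority matching entry (None = table miss)."""
        best = None
        for e in self.entries.values():
            if all(packet.get(k) == v for k, v in e.match.items()):
                if best is None or e.priority > best.priority:
                    best = e
        if best is None:
            return None
        best.packets += 1
        best.last_match = now
        return best.actions

    def expire(self, now):
        """Age out entries the way a switch does; returns {name: reason}."""
        removed = {}
        for name, e in self.entries.items():
            if e.hard_timeout and now - e.installed >= e.hard_timeout:
                removed[name] = "hard_timeout"
            elif e.idle_timeout and now - e.last_match >= e.idle_timeout:
                removed[name] = "idle_timeout"
        for name in removed:
            del self.entries[name]
        return removed


INSIDE, OUTSIDE, HONEYPOT = 1, 2, 48   # assumed OpenFlow port numbers


def steady_state_table(capacity, now=0.0):
    """Static flows: ARP flooded, IPv4 forwarded inside<->outside (actions assumed)."""
    t = FlowTable(capacity)
    t.add(FlowEntry("arp", {"eth_type": "ARP"}, ["FLOOD"], 200, now))
    t.add(FlowEntry("in2out", {"eth_type": "IPv4", "in_port": INSIDE}, [f"OUTPUT={OUTSIDE}"], 100, now))
    t.add(FlowEntry("out2in", {"eth_type": "IPv4", "in_port": OUTSIDE}, [f"OUTPUT={INSIDE}"], 100, now))
    return t


def shunt_to_honeypot(table, src_ip, tp_dst, now, idle=120, hard=300):
    """Reactive flow an alert would trigger: higher priority than the static
    forwarding entries, and time-limited so it ages out on its own."""
    name = f"tcp{tp_dst}_{src_ip.replace('.', '_')}"   # assumed name format
    table.add(FlowEntry(name, {"eth_type": "IPv4", "nw_src": src_ip,
                               "nw_proto": "tcp", "tp_dst": tp_dst},
                        [f"OUTPUT={HONEYPOT}"], 500, now, idle, hard))
    return name


def run_scenario():
    """Walk through steady state -> shunt -> aging; returns the observations."""
    t = steady_state_table(capacity=4)   # tiny table so the overflow caveat shows up

    def pkt(src, port):
        return {"in_port": OUTSIDE, "eth_type": "IPv4", "nw_src": src,
                "nw_proto": "tcp", "tp_dst": port}

    out = {"before": t.lookup(pkt("198.19.3.1", 443), 1.0)}
    shunt_to_honeypot(t, "198.19.3.1", 443, now=10.0)
    out["after"] = t.lookup(pkt("198.19.3.1", 443), 11.0)        # priority 500 beats 100
    out["other_host"] = t.lookup(pkt("198.19.3.2", 443), 12.0)   # unaffected
    out["idle_expiry"] = t.expire(now=140.0)                     # 129 s without a match
    shunt_to_honeypot(t, "198.19.3.5", 80, now=150.0)
    try:
        shunt_to_honeypot(t, "198.19.3.6", 80, now=151.0)
        out["table_full"] = False
    except TableFull:
        out["table_full"] = True
    for ts in (200.0, 260.0, 320.0, 380.0, 440.0):                # keeps the entry busy ...
        t.lookup(pkt("198.19.3.5", 80), ts)
    out["hard_expiry"] = t.expire(now=450.0)                     # ... but hard_timeout still fires
    out["remaining"] = sorted(t.entries)
    return out


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The reactive entry carries both timeouts on purpose: idle_timeout clears a shunt once the host goes quiet, while hard_timeout bounds how long a block can live even if the host keeps hitting it, so stale entries cannot accumulate until the table fills.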

Page 26: Security defined routing_cybergamut_v1_1

Software

Page 27: Security defined routing_cybergamut_v1_1

Process Flow

[Process flow diagram: Snort writes ./log/alert and syslog (/var/log/syslog); parsealert.py reads the alert file using ./rules and calls sst.py (./log, --help, --debug), which uses the XNC.py module to push flows through the REST API to the XNC (SDN) Controller, which programs the OpenFlow switch (Inside / Outside ports, TAP)]

Page 28: Security defined routing_cybergamut_v1_1

Log Parser

$ python parsealert.py --help
usage: parsealert.py [-h] --engine ENGINE --file FILE --command COMMAND
                     [--trigger TRIGGER] [--debug]

parsealert.py - Reads syslog or local files from analytic engines, calls
sst.py to push flow elements to an XNC controller.
Copyright (c) 2014 WorldWide Technology, Inc.

optional arguments:
  -h, --help         show this help message and exit
  --engine ENGINE    Specify snort, rsa or sourcefire keyword to indicate the
                     input file
  --file FILE        Input file name.
  --command COMMAND  Command file name in ./config directory
  --trigger TRIGGER  The value of the trigger, if not specified, default is
                     __S_
  --debug            When specified enables debugging

Page 29: Security defined routing_cybergamut_v1_1

Flow Pusher

C:\>python sst.py --help
usage: sst.py [-h] --cact CACT --cip CIP --cuid CUID --cpw CPW --dpid DPID
              --fname FNAME --act ACT --pri PRI --et ET [--nwsrc NWSRC]
              [--nwdst NWDST] [--proto PROTO] [--tpsrc TPSRC] [--tpdst TPDST]
              [--iport IPORT] [--debug]

Copyright (c) 2014 World Wide Technology, Inc.

optional arguments:
  -h, --help     show this help message and exit
  --cact CACT    Controller action, (eg. PUT, DELETE, LIST) a flow element
  --cip CIP      Controller IP / Hostname
  --cuid CUID    Controller username
  --cpw CPW      Controller password
  --dpid DPID    Data Path Identifier of the OpenFlow switch
  --fname FNAME  Flow name, unique identifier
  --act ACT      Action(s) to implement, eg. DROP, OUTPUT=48
  --pri PRI      Flow priority, higher numbers have more precedence
  --et ET        Ethertype, eg. IPv4, IPv6.
  --nwsrc NWSRC  Source IP address
  --nwdst NWDST  Destination IP address
  --proto PROTO  Protocol, eg. tcp, udp
  --tpsrc TPSRC  transport protocol source port
  --tpdst TPDST  transport protocol destination port
  --iport IPORT  Ingress OpenFlow port number on the switch
  --debug        When specified enables debugging

Page 30: Security defined routing_cybergamut_v1_1

Snort rules file

• Define criteria for matching network traffic

• The parsealert.py module will process any alerts with “__S_” in the message

• All other alert entries are ignored

• Use the trailing string (e.g. tcp443) and IP address as the unique flow name

• Sample rules will shunt any source IP address to honeypot

• TCP ports 80 and 443 with a TOS byte of 184

• TOS 0xB8 (184) = IP Precedence 5 or DSCP Expedited Forwarding (EF)

alert tcp any any -> any 80 (tos:184; sid:1000985; msg: "__S_tcp80";)

alert tcp any any -> any 443 (tos:184; sid:1000986; msg: "__S_tcp443";)

Page 31: Security defined routing_cybergamut_v1_1

Snort alert file

• Identify entries with “__S_”

• Determine the source IP address

• Use the trailing string (e.g. tcp443) and source IP address as the unique flow name

• Create flow entry (aka: “firewall rule”) to shunt packets to honey pot

• Log action in ./log directory

[**] [1:1000986:0] __S_tcp443 [**]

[Priority: 0]

04/27-00:43:35.932503 198.19.3.1:56184 -> 198.18.4.1:443

TCP TTL:255 TOS:0xB8 ID:39797 IpLen:20 DgmLen:40

***AP**F Seq: 0x7F92F67A Ack: 0xF6474527 Win: 0x1020 TcpLen: 20

Page 32: Security defined routing_cybergamut_v1_1

Monitoring Network

Page 33: Security defined routing_cybergamut_v1_1

Monitoring Network Options

• The Monitoring Network can be built using SDN technology or traditional appliances:

• In the WWT ATC deployment we have used both:

• Ixia's Net Tool Optimizer® (NTO)

• Cisco Nexus Data Broker (Monitor Manager)

• Monitor Manager provides a REST API interface to programmatically create or modify rules and filters.

• Additional SDN Option is Big Switch Networks Big Tap™ Monitoring Fabric

Page 34: Security defined routing_cybergamut_v1_1

Monitoring Network

[Diagram: Monitoring Network fed from the Corporate Network / Internet WAN Edge; Cisco XNC Controller with Monitor Manager programs a Nexus 3K via SDN / REST API; Security Onion and wireshark receive the monitored traffic]

Page 35: Security defined routing_cybergamut_v1_1

Demonstration

Page 36: Security defined routing_cybergamut_v1_1

Demonstration Video

• Watch the video to see how security-defined routing combines cyber analytics and SDN to protect the network:

• http://youtu.be/KvZuklmi9uU

Page 37: Security defined routing_cybergamut_v1_1

[Lifecycle diagram: Forwarding and Replication (Cisco Nexus 3000 Series Switches | Plug-in for OpenFlow, Inside / Outside) -> Filter and Disseminate (Cisco Monitor Manager or Ixia's Anue Net Tool Optimizer® (NTO)) -> Analyze and Alert -> Implement Intrusion Prevention (Security-Defined Routing Software, Cisco® Extensible Network Controller (XNC)) -> Intrusion Prevention]

Page 38: Security defined routing_cybergamut_v1_1

Solution Advantages

• Enhanced Scalability – IDS is separated from IPS: the OpenFlow switch implements tapping and IPS

• Seamlessly Manage Appliances - IDS systems can be added, removed, or upgraded, without introducing high-impact changes to the IPS service in the production network.

• Multiple “Sets of Eyes” - Network traffic can be easily copied to multiple intrusion detection devices.

• Rapid Mitigation – The OpenFlow switch is programmatically updated to block or shunt traffic.

• Consistent Policy Implementation - Alerts generated at one Internet gateway can trigger the same policy at all Internet gateways.

Page 39: Security defined routing_cybergamut_v1_1

Looking Forward

• This solution is deployed at the Internet edge; expect to see similar concepts deployed inside the enterprise (BYOD)

• Network provisioning and configuration will increasingly become less chassis-by-chassis and more controller-based

• Network resources will align with business requirements through application resource profiles and network containers.

• Brush up on your programming skills.

http://marketing.wwt.com/SDNGuide_Registration.html

Page 40: Security defined routing_cybergamut_v1_1