2. Agenda
•Background: Who, What and Why?
•Process flow – Topology Diagrams
•OpenFlow Mechanics
•Software
•Monitoring Network
•Demonstration Video
•Summary
3. Who am I?
•Software-Defined Networking Discipline Lead at WWT
•Goal: First to Educate
•Oversee SDN solution architectures, training and education for sales engineering, demonstrations, workshops. Focus area: Network Programmability
•Previously
•NetApp E-Series Storage – Big Data
•Cisco Systems CVDs – Cisco Validated Designs
4. Why this was developed
•World Wide Technology (wwt.com)
•Value added systems integrator and supply chain solutions provider
•Advanced Technology Center (ATC): hands-on access to over $50M in data center, virtualization, collaboration, networking and security solutions.
•Premise: Demonstrate a Software-Defined Networking (SDN) use case
•Integrate: SDN with Cyber Analytics Reference Architecture (CARA)
5. What is Security-Defined Routing?
•Security-Defined Routing (SDR) is a play on the term Software-Defined Networking (SDN)
•Security-Defined Routing
•Uses SDN (OpenFlow) switches,
•Dynamic reprogrammability of network flows.
•Normal IP packet forwarding reacts to security analytic engines
•Integrating security analytics with packet forwarding behavior
•Central Network Control dates back to AT&T’s Network Control Point in 1977.
•Why should cyber professionals care about SDN and Openflow?
http://en.wikipedia.org/wiki/2600:_The_Hacker_Quarterly
6. Historical view of SDN
•Purist view of SDN has two characteristics (1):
•Control plane is separated from the device implementing the data plane
•A single control plane manages multiple network devices
•SDN / OpenFlow initial deployments were network research at universities (Stanford), providing cost-effective and ‘clean slate’ network architectures.
•OpenFlow is only one instantiation of SDN principles.
•SDN is a tool to enable a higher degree of control over network devices.
(Diagram: control plane separated from the data plane devices)
(1) The Road to SDN: An Intellectual History of Programmable Networks
7. What is OpenFlow?
•Open Networking Foundation (ONF) manages the standard.
•Originated at Stanford University 2005 - 2009 - Martin Casado, et al.
•OpenFlow - a communications protocol that gives access to the forwarding plane of a network device - Southbound from the SDN controller to communicate with switches.
•Flow Entry - an element in a flow table used to match and process packets: a data structure of matches, actions, counters, priority, and timeout values.
Fields from packets matched against flow entries:
•Ingress port
•Ethernet Source | Destination Address
•VLAN ID and Priority
•IP Source and Destination Address
•IP Protocol
•IP ToS bits
•TCP | UDP source port
•TCP | UDP destination port
Actions:
•Multiple actions can be specified
•Example: output to multiple ports, drop
8. Basic Building Blocks: Controllers and Agents
Some network functionality is better implemented from centralized coordination of all the devices in the network domain.
•Controller – process on a server interacting with network devices using APIs / protocols.
•Agent – process on network devices implementing a specific function.
•API – allows applications external to the controller to query and change the network configuration
9. Next Generation Firewalls
•Next-Generation Firewall Services provide more granular application usage control policies than port based firewalls.
•Advanced network security functions are computationally intensive, and they must run in real time while introducing little or no latency.
•Has the Layer 3 topology changed when deploying Next-Generation Firewalls?
•Why does the Firewall function need to be in the forwarding path?
10. Value of Separating Detection from Prevention
Separating the intrusion detection (IDS) function from the intrusion prevention (IPS) function provides:
•Enhanced Scalability
•Seamlessly Manage Appliances
•Multiple ‟Sets of Eyes”
•Rapid Mitigation
•Consistent Policy Implementation
•Cost Effective
11. Security-Defined Routing
SDR Solution includes the following components:
•An SDN controller
•OpenFlow switches between WAN edge routers and corporate firewalls
•Security-Defined Routing (SDR) software developed by World Wide Technology (WWT)
•Security analytics software
•Cisco Sourcefire
•RSA Security Analytics
•Open Source Snort
(Topology diagram with labels: Internet, DMZ, OpenFlow switch, NEXUS-7K, internal networks, Monitoring Network, SDN Controller w/ Security-Defined Routing software, syslog)
14. Security-Defined Routing
(Topology diagram with labels: Trust Zone, DMZ, Un-Trusted Zone, Monitoring Network, Cisco XNC Controller, OpenFlow)
15. Security-Defined Routing
(Topology diagram, same labels as slide 14)
16. Security-Defined Routing
(Topology diagram, same labels as slide 14)
17. Security-Defined Routing
(Topology diagram, same labels as slide 14, annotated "ALERT!")
18. Security-Defined Routing
(Topology diagram, same labels as slide 14, annotated "attack")
19. Security-Defined Routing
•Software-Defined Networking (OpenFlow) switches can be programmed to:
•Drop packets
•Replicate packets (e.g. SPAN / TAP) for monitoring
•Selectively divert traffic flows from the normal forwarding path.
•Security analytics devices (intrusion detection systems, IDS) identify malicious traffic.
•Python modules
•Parses a Snort, RSA Security Analytics, Cisco Sourcefire alert (log) file
•Creates ‘firewall’ rules for the SDN controller and switch to implement
•Uses REST API to dynamically modify forwarding behavior to shunt traffic
•Offending host is blocked or routed to honeypot
21. OpenFlow - Static and Dynamic (reactive) Flows
(Flow table diagram with labels: Analytics, LLDP, ARP, IPv4; ports Inside, Outside, Honey Pot; zones Trust Zone, DMZ, Un-Trusted Zone; OpenFlow)
22. OpenFlow - Static and Dynamic (reactive) Flows
(Flow table diagram, as slide 21, with additional static entries IPv4 TCP 80, IPv4 TCP 443, Honey Pot to Inet, Honey Pot and outputs Outside, Outside, Inside & Analytics, Honey Pot)
23. OpenFlow - Static and Dynamic (reactive) Flows
(Flow table diagram, as slide 22, with a dynamic entry "Honey Pot TCP 443" for source 198.19.3.1 whose action is output to Honey Pot or Drop)
24. Cisco Extensible Network Controller
(Controller screenshot, steady state configuration: flow entries LLDP, ARP, IPv4, IPv4 TCP 80, IPv4 TCP 443, Honey Pot to Inet, Honey Pot; outputs Inside, Outside, Inside & Analytics, Honey Pot)
Steady State configuration
25. Flow Removal
•OpenFlow provides for aging flows from the switch
•Each flow entry has an idle_timeout and a hard_timeout
•Switches will remove flows older than the hard_timeout
•Idle_timeout invoked if no packets match during the timer
•The Northbound REST API can be used to manually delete flows
•The demo code removes flows after a few minutes.
•Caveats
•DDoS attacks could generate more flows than the switch can handle
•Switches vary in the number of flows supported.
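To make the flow-entry structure from slide 7 and the aging rules above concrete, here is an added toy model of a flow table, written for this page and not taken from the deck or from WWT's sst.py. It does priority-ordered matching on header fields, keeps per-entry counters, ages entries by idle_timeout and hard_timeout, and refuses installs once a configurable capacity is reached (the caveat about switch flow limits). The field names (in_port, eth_type, nw_src, tp_dst) and the port names inside, outside, analytics and honeypot are assumptions.

```python
"""Toy OpenFlow flow table: priority matching, counters, idle/hard timeout
aging and a capacity cap. Added example; not the deck's or WWT's code."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class FlowEntry:
    name: str
    match: Dict[str, object]      # header fields to match; an absent field is a wildcard
    actions: List[str]            # e.g. ["OUTPUT=outside", "OUTPUT=analytics"] or ["DROP"]
    priority: int = 100           # higher wins when several entries match
    idle_timeout: float = 0       # seconds without a matching packet; 0 = never
    hard_timeout: float = 0       # seconds since installation; 0 = never
    installed_at: float = 0.0
    last_matched: float = 0.0
    packet_count: int = 0         # the "counters" part of a flow entry

    def matches(self, packet: Dict[str, object]) -> bool:
        return all(packet.get(k) == v for k, v in self.match.items())


class FlowTable:
    def __init__(self, capacity: Optional[int] = None):
        self.capacity = capacity  # switches differ in how many flows they hold
        self.entries: List[FlowEntry] = []

    def add(self, entry: FlowEntry, now: float) -> bool:
        """Install (or replace by name) an entry; False if the table is full."""
        others = [e for e in self.entries if e.name != entry.name]
        if self.capacity is not None and len(others) >= self.capacity:
            return False
        entry.installed_at = entry.last_matched = now
        self.entries = sorted(others + [entry], key=lambda e: e.priority, reverse=True)
        return True

    def delete(self, name: str) -> bool:
        """Controller-driven removal, as a Northbound API delete would do."""
        before = len(self.entries)
        self.entries = [e for e in self.entries if e.name != name]
        return len(self.entries) < before

    def lookup(self, packet: Dict[str, object], now: float) -> Optional[FlowEntry]:
        """Return the highest-priority matching entry and update its counters."""
        for e in self.entries:              # kept sorted, highest priority first
            if e.matches(packet):
                e.packet_count += 1
                e.last_matched = now
                return e
        return None                         # table miss

    def expire(self, now: float) -> List[str]:
        """Age out entries past hard_timeout or idle for longer than idle_timeout."""
        removed, kept = [], []
        for e in self.entries:
            hard = e.hard_timeout and now - e.installed_at >= e.hard_timeout
            idle = e.idle_timeout and now - e.last_matched >= e.idle_timeout
            (removed if hard or idle else kept).append(e)
        self.entries = kept
        return [e.name for e in removed]


def steady_state_table(capacity: Optional[int] = None) -> FlowTable:
    """Static flows only: LLDP to the controller, ARP to both sides, IPv4
    forwarded inside<->outside with a copy to the analytics (monitoring) port."""
    t = FlowTable(capacity)
    t.add(FlowEntry("lldp", {"eth_type": "LLDP"}, ["CONTROLLER"], priority=1000), now=0)
    t.add(FlowEntry("arp", {"eth_type": "ARP"}, ["OUTPUT=inside", "OUTPUT=outside"], priority=500), now=0)
    t.add(FlowEntry("ipv4_in", {"eth_type": "IPv4", "in_port": "outside"},
                    ["OUTPUT=inside", "OUTPUT=analytics"]), now=0)
    t.add(FlowEntry("ipv4_out", {"eth_type": "IPv4", "in_port": "inside"},
                    ["OUTPUT=outside", "OUTPUT=analytics"]), now=0)
    return t


def shunt_entry(src_ip: str, tp_dst: int, tag: str) -> FlowEntry:
    """Reactive flow pushed after an alert: divert the offending host's traffic
    to the honeypot and let the switch age the entry out on its own."""
    return FlowEntry(f"{tag}_{src_ip}",
                     {"eth_type": "IPv4", "nw_proto": "tcp", "nw_src": src_ip, "tp_dst": tp_dst},
                     ["OUTPUT=honeypot"], priority=200, idle_timeout=120, hard_timeout=300)


def run_scenario() -> Dict[str, object]:
    """Walk through install, priority override, capacity refusal and both timeouts."""
    table = steady_state_table(capacity=6)
    pkt = {"in_port": "outside", "eth_type": "IPv4", "nw_proto": "tcp",      # host from the deck's alert
           "nw_src": "198.19.3.1", "nw_dst": "198.18.4.1", "tp_dst": 443}
    other = dict(pkt, nw_src="198.19.3.2")                                    # constructed neighbour
    out = {"before": table.lookup(pkt, 10).name}
    out["installed"] = table.add(shunt_entry("198.19.3.1", 443, "tcp443"), now=12)
    out["after"] = table.lookup(pkt, 13).name            # shunt wins on priority
    out["other"] = table.lookup(other, 13).name          # unaffected host still forwarded
    out["sixth"] = table.add(shunt_entry("198.19.3.9", 80, "tcp80"), now=14)      # fills the table
    out["overflow"] = table.add(shunt_entry("198.19.3.10", 80, "tcp80"), now=15)  # refused: table full
    for t in (60, 110, 160, 210, 260, 300):              # attacker keeps talking, so no idle expiry
        table.lookup(pkt, t)
    out["idle_expired"] = table.expire(305)              # silent tcp80 entry idle for 291 s
    out["hard_expired"] = table.expire(312)              # tcp443 entry reaches 300 s since install
    out["restored"] = table.lookup(pkt, 313).name        # normal forwarding again
    return out
```

Run `run_scenario()` to see the sequence: the first lookup hits the static ipv4_in entry, the shunt entry takes over once installed, the seventh install is refused by the capacity cap, the never-matched tcp80 entry goes at the idle timeout, and the still-active tcp443 entry goes only at the hard timeout.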
27. Process Flow
(Process flow diagram with labels: Snort, ./rules, ./log/alert, syslog, /var/log/syslog, parsealert.py, sst.py (--help, --debug, ./log), XNC.py module, REST API, XNC (SDN) Controller, OpenFlow switch with Inside and Outside ports, TAP)
28. Log Parser
$ python parsealert.py --help
usage: parsealert.py [-h] --engine ENGINE --file FILE --command COMMAND
[--trigger TRIGGER] [--debug]
parsealert.py - Reads syslog or local files from analytic engines, calls
sst.py to push flow elements to an XNC controller.
Copyright (c) 2014 WorldWide Technology, Inc.
optional arguments:
-h, --help show this help message and exit
--engine ENGINE Specify snort, rsa or sourcefire keyword to indicate the
input file
--file FILE Input file name.
--command COMMAND Command file name in ./config directory
--trigger TRIGGER The value of the trigger, if not specified, default is
__S_
--debug When specified enables debugging
29. Flow Pusher
C:>python sst.py --help
usage: sst.py [-h] --cact CACT --cip CIP --cuid CUID --cpw CPW --dpid DPID
--fname FNAME --act ACT --pri PRI --et ET [--nwsrc NWSRC]
[--nwdst NWDST] [--proto PROTO] [--tpsrc TPSRC] [--tpdst TPDST]
[--iport IPORT] [--debug]
Copyright (c) 2014 World Wide Technology, Inc.
optional arguments:
-h, --help show this help message and exit
--cact CACT Controller action, (eg. PUT, DELETE, LIST) a flow element
--cip CIP Controller IP / Hostname
--cuid CUID Controller username
--cpw CPW Controller password
--dpid DPID Data Path Identifier of the OpenFlow switch
--fname FNAME Flow name, unique identifier
--act ACT Action(s) to implement, eg. DROP, OUTPUT=48
--pri PRI Flow priority, higher numbers have more precedence
--et ET Ethertype, eg. IPv4, IPv6.
--nwsrc NWSRC Source IP address
--nwdst NWDST Destination IP address
--proto PROTO Protocol, eg. tcp, udp
--tpsrc TPSRC transport protocol source port
--tpdst TPDST transport protocol destination port
--iport IPORT Ingress OpenFlow port number on the switch
--debug When specified enables debugging
30. Snort rules file
•Define criteria for matching network traffic
•The parsealert.py module will process any alerts with “__S_” in the message
•All other alert entries are ignored
•Use the trailing string (e.g. tcp443) and IP address as the unique flow name
•Sample rules will shunt any source IP address to the honeypot
•TCP ports 80 and 443 with a TOS byte of 184
•TOS 0xB8 (184) = IP Precedence 5 or DSCP Expedited Forwarding (EF)
alert tcp any any -> any 80 (tos:184; sid:1000985; msg: "__S_tcp80";)
alert tcp any any -> any 443 (tos:184; sid:1000986; msg: "__S_tcp443";)
31. Snort alert file
•Identify entries with “__S_”
•Determine the source IP address
•Use the trailing string (e.g. tcp443) and source IP address as the unique flow name
•Create flow entry (aka: “firewall rule”) to shunt packets to honey pot
•Log action in ./log directory
[**] [1:1000986:0] __S_tcp443 [**]
[Priority: 0]
04/27-00:43:35.932503 198.19.3.1:56184 -> 198.18.4.1:443
TCP TTL:255 TOS:0xB8 ID:39797 IpLen:20 DgmLen:40
***AP**F Seq: 0x7F92F67A Ack: 0xF6474527 Win: 0x1020 TcpLen: 20
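The two slides above (rules with the __S_ trigger, and the alert file the parser consumes) describe the same pipeline from both ends. The following added example is mine, not WWT's parsealert.py: it parses alert records in the format shown above, keeps only trigger-tagged messages, derives the unique flow name from the trailing tag and the source IP, collapses repeat alerts for the same host into one flow, decodes the TOS byte into IP precedence and DSCP so the rule's tos:184 can be checked against what Snort actually logged, and assembles the argument list for the flow pusher using the options from sst.py's own --help output. The sample alert file is constructed (only the first record is the one on the slide); the CONTROLLER values, the honeypot port in SHUNT_ACTION and the priority of 500 are placeholders.

```python
"""Snort alert parser and sst.py argument builder. Added example, not the
deck's parsealert.py. Controller values and honeypot port are placeholders."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

TRIGGER = "__S_"   # default trigger string shown by parsealert.py --help

# Constructed sample in Snort's "full" alert format; only the first record is
# the one from the slide, the remaining three are made up for this example.
SAMPLE_ALERT_FILE = """\
[**] [1:1000986:0] __S_tcp443 [**]
[Priority: 0]
04/27-00:43:35.932503 198.19.3.1:56184 -> 198.18.4.1:443
TCP TTL:255 TOS:0xB8 ID:39797 IpLen:20 DgmLen:40
***AP**F Seq: 0x7F92F67A Ack: 0xF6474527 Win: 0x1020 TcpLen: 20

[**] [1:1000001:0] constructed alert without the trigger [**]
04/27-00:44:01.000001 198.19.3.5:40000 -> 198.18.4.1:22
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60

[**] [1:1000985:0] __S_tcp80 [**]
04/27-00:45:10.123456 198.19.3.7:51000 -> 198.18.4.1:80
TCP TTL:255 TOS:0xB8 ID:40001 IpLen:20 DgmLen:40

[**] [1:1000986:0] __S_tcp443 [**]
04/27-00:46:00.000000 198.19.3.1:56190 -> 198.18.4.1:443
TCP TTL:255 TOS:0xB8 ID:39810 IpLen:20 DgmLen:40
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
PACKET_RE = re.compile(r"^\d\d/\d\d-\d\d:\d\d:\d\d\.\d+ (\S+?):(\d+) -> (\S+?):(\d+)$")
PROTO_RE = re.compile(r"^(TCP|UDP|ICMP) TTL:(\d+) TOS:(0x[0-9A-Fa-f]+)")


@dataclass
class Alert:
    sid: int
    msg: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    tos: int


def parse_alert_file(text: str) -> List[Alert]:
    """Walk records; a record is complete once its protocol line is seen."""
    alerts: List[Alert] = []
    cur: Optional[dict] = None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            cur = {"sid": int(m.group(2)), "msg": m.group(4)}
            continue
        if cur is None:
            continue
        m = PACKET_RE.match(line)
        if m:
            cur.update(src_ip=m.group(1), src_port=int(m.group(2)),
                       dst_ip=m.group(3), dst_port=int(m.group(4)))
            continue
        m = PROTO_RE.match(line)
        if m:
            if "src_ip" in cur:      # records without ports (e.g. ICMP) are skipped here
                cur.update(proto=m.group(1).lower(), tos=int(m.group(3), 16))
                alerts.append(Alert(**cur))
            cur = None
    return alerts


def tos_fields(tos: int) -> Dict[str, int]:
    """TOS byte -> IP precedence (top 3 bits) and DSCP (top 6 bits); 0xB8 -> 5 and 46 (EF)."""
    return {"precedence": tos >> 5, "dscp": tos >> 2}


def select_sdr_alerts(alerts: List[Alert], trigger: str = TRIGGER) -> Dict[str, Alert]:
    """Keep trigger-tagged alerts; flow name = trailing tag + source IP, one per host/tag."""
    rules: Dict[str, Alert] = {}
    for a in alerts:
        if trigger in a.msg:
            tag = a.msg.split(trigger, 1)[1]
            rules.setdefault(f"{tag}_{a.src_ip}", a)   # repeat alerts collapse to one flow entry
    return rules


CONTROLLER = {   # stands in for the command file in ./config; every value is a placeholder
    "cip": "xnc.example.invalid", "cuid": "admin", "cpw": "CHANGEME",
    "dpid": "00:00:00:00:00:00:00:01",
}
SHUNT_ACTION = "OUTPUT=48"   # assumed honeypot-facing port, in the deck's "OUTPUT=48" form


def build_sst_args(fname: str, a: Alert, ctl: dict = CONTROLLER,
                   action: str = SHUNT_ACTION, priority: int = 500) -> List[str]:
    """argv for sst.py built from the options in its --help output."""
    return ["sst.py", "--cact", "PUT", "--cip", ctl["cip"], "--cuid", ctl["cuid"],
            "--cpw", ctl["cpw"], "--dpid", ctl["dpid"], "--fname", fname,
            "--act", action, "--pri", str(priority), "--et", "IPv4",
            "--nwsrc", a.src_ip, "--proto", a.proto, "--tpdst", str(a.dst_port)]


def process(text: str, trigger: str = TRIGGER) -> Dict[str, List[str]]:
    """Alert file text -> {flow name: sst.py argv} for every host to be shunted."""
    rules = select_sdr_alerts(parse_alert_file(text), trigger)
    return {fname: build_sst_args(fname, a) for fname, a in rules.items()}
```

`process(SAMPLE_ALERT_FILE)` yields two flows, tcp443_198.19.3.1 and tcp80_198.19.3.7: the untagged alert is ignored and the second __S_tcp443 alert from 198.19.3.1 does not produce a second flow entry, which is what makes the tag-plus-source-IP name usable as the unique flow identifier the slides describe.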
33. Monitoring Network Options
•The Monitoring Network can be built using SDN technology or traditional appliances:
•In the WWT ATC deployment we have used both:
•Ixia's Net Tool Optimizer® (NTO)
•Cisco Nexus Data Broker (Monitor Manager)
•Monitor Manager provides a REST API interface to programmatically create or modify rules and filters.
•Additional SDN Option is Big Switch Networks Big Tap™ Monitoring Fabric
34. Monitoring Network
(Monitoring Network diagram with labels: Cisco XNC Controller, Monitor Manager, Nexus 3K, Corporate Network, Internet, WAN Edge, Security Onion, SDN, REST API, wireshark)
36. Demonstration Video
•Watch the video to see how security-defined routing combines cyber analytics and SDN to protect the network:
•http://youtu.be/KvZuklmi9uU
37. Implement Intrusion Prevention Lifecycle
(Lifecycle diagram with stages: Forwarding and Replication; Filter and Disseminate; Analyze and Alert; Intrusion Prevention)
(Components shown: Security-Defined Routing Software; Cisco® Extensible Network Controller (XNC); Cisco Monitor Manager or Ixia's Anue Net Tool Optimizer® (NTO); Cisco Nexus 3000 Series Switches | Plug-in for OpenFlow; Inside and Outside ports)
38. Solution Advantages
•Enhanced Scalability – IDS is separated from IPS: the OpenFlow switch implements tapping and IPS
•Seamlessly Manage Appliances - IDS systems can be added, removed, or upgraded, without introducing high-impact changes to the IPS service in the production network.
•Multiple ‟Sets of Eyes” - Network traffic can be easily copied to multiple intrusion detection devices.
•Rapid Mitigation – The OpenFlow switch is programmatically updated to block or shunt traffic.
•Consistent Policy Implementation - Alerts generated at one Internet gateway can trigger the same policy at all Internet gateways.
39. Looking Forward
•This solution is deployed at the Internet edge; expect to see similar concepts deployed inside the enterprise (BYOD)
•Network provisioning and configuration will increasingly become less chassis-by-chassis and more controller based
•Network resources will align with business requirements through application resource profiles and network containers.
•Brush up on your programming skills.
http://marketing.wwt.com/SDNGuide_Registration.html