[OVNC 2013] Controlling Secure & Software Defined Network for Cloud Infrastructure


Published on February 23, 2014

Author: ianychoi

Source: slideshare.net

I What about security?
[Diagram: Compute Node #1 and Compute Node #2, each running VMs (OS #1–#3) over NICs and a Software Switch, joined by an IP Fabric]
© 2013 NAIM Networks – All rights reserved. 3 / 34

I The current security setup
[Diagram: the same two compute nodes; one VM slot on Compute Node #1 is taken by a Security VM] 4 / 34

I Isn't there a problem here?
[Diagram: as on slide 4] 5 / 34

I Are VM security products too hard?
[Diagram: as on slide 4] 6 / 34

I Is there a way to improve this?
[Diagram: Security moved into the Software Switch on each compute node] 7 / 34

I A flexible implementation using SDN?
[Diagram: an SDN Controller running Apps (including a Security App) above the compute nodes, Security in each Software Switch, and a Security Appliance attached to the IP Fabric] 8 / 34

1 Virtualized Environment in Cloud
2 Cloud Management: OpenStack
3 SDN Roles in Cloud Management
4 Case: Security (SDN + DPI)

I Virtualized World
- Virtualization: the creation of something virtual (rather than actual) in the computer world
- Pros: Isolation, Consolidation, Testing, Mobility
- Cons: Concentration Risk, Cost, Performance Penalty, Hardware Support
11 / 34

I Virtualized World: Cloud (1)
- Cloud with Virtualization
- Server Virtualization: remarkable growth of server virtualization
  • Hypervisors: VMware ESXi, MS Hyper-V, Citrix XenServer, …
  • Hardware support: Intel VT/VT-x/EPT, AMD-V
- Network Virtualization: supporting data center networks (large number of hosts and large traffic volumes)
  • VLAN, GRE tunneling, VxLAN, …
12 / 34

I Virtualized World: Cloud (2)
[Diagram: VMs for tenant #1 and tenant #2 hosted on one physical server, with a separate virtual network for each tenant; source: http://www.microsoftvirtualacademy.com/ - WS-B327]
13 / 34

II OpenStack Intro.
- OpenStack is a collection of open source software projects used to set up and run cloud infrastructure (e.g., compute, storage, networking).
15 / 34

II Evolution of OpenStack
- Six Month Cycle: releases are timed to correspond with the developer summit meeting
- Currently no reliable upgrade paths between releases
- Expect large deltas between releases for the next year or so as new features and core functionalities are added.
Release name / Release date / Included component code names
- Austin / 21 October 2010 / Nova, Swift
- Bexar / 3 February 2011 / Nova, Glance, Swift
- Cactus / 15 April 2011 / Nova, Glance, Swift
- Diablo / 22 September 2011 / Nova, Glance, Swift
- Essex / 5 April 2012 / Nova, Glance, Swift, Horizon, Keystone
- Folsom / 27 September 2012 / Nova, Glance, Swift, Horizon, Keystone, Quantum, Cinder
- Grizzly / 4 April 2013 / Nova, Glance, Swift, Horizon, Keystone, Quantum, Cinder
- Havana / 17 October 2013 / Nova, Glance, Swift, Horizon, Keystone, Neutron, Cinder, Heat, Ceilometer
Src.: http://en.wikipedia.org/wiki/OpenStack
Nova: server virtualization mgmt. Quantum/Neutron: network virtualization mgmt.
16 / 34

II Havana: Architecture
- Emphasizing the management of cloud
- Ceilometer: metering
- Heat: orchestration
17 / 34

II OpenStack: Nova
- Overview: the core of the IaaS management system in OpenStack
- Supports large-scale deployment of compute instances
- Applied to NASA's open source cloud project – Nebula
- REST-based API
- Asynchronous, eventually consistent communication
- Horizontally and massively scalable
- Hypervisor agnostic: support for Xen, XenServer, Hyper-V, KVM, UML and ESX is coming
- Hardware agnostic: standard hardware, RAID not required
18 / 34

II OpenStack: Neutron
- Quick Intro: Neutron (formerly Quantum) is an OpenStack project to provide "networking as a service" between interface devices (e.g., vNICs) managed by other OpenStack services (e.g., Nova)
- Manages network virtualization just like Compute (Nova) manages server virtualization
- Advocates multi-tenancy
- Technology-agnostic
19 / 34

II Network Virtualization with Neutron
- OpenvSwitch plugin
[Diagram: the logical network architecture and the OpenStack Neutron-related components, using the OpenvSwitch plugin as the example]
21 / 34

II Network Virtualization with Neutron
- Physical Realization: OVS Plugin – GRE Overlays
[Diagram: a Network Node (br-ex, br-int with the DHCP and L3 agents, br-tun) and Compute Nodes C1, C2 and C3 (br-int and br-tun on each); VMs A1, A2 and B1 hang off br-int with node-local VLAN tags (1 or 2), and br-tun links the nodes over GRE tunnels]
- Local VLAN tags converted into GRE keys (and vice versa)
22 / 34
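The slide's one-line point, that br-tun rewrites a node-local VLAN tag into the network's GRE key on the way out and back into the receiving node's own local tag on the way in, is what keeps tenants apart on a shared IP fabric. The following model is an added example, not code from the slides or from any NAIM Networks or OpenStack component; node names, tenant network names, GRE key values and frames are constructed, and the frame layout is a simplification of what br-int and br-tun actually carry.

```python
# Added example (not from the slides, NAIM Networks or OpenStack): how the
# Neutron OVS plugin's GRE overlay translates node-local VLAN tags to GRE keys
# and back. Node names, tenant networks, keys and frames are constructed.
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed stand-in for Neutron's global allocation of one GRE key
# (segmentation id) per tenant network; identical on every node.
GRE_KEYS: Dict[str, int] = {"tenant-A-net": 1, "tenant-B-net": 2}


@dataclass
class Frame:
    src_node: str
    tenant_net: Optional[str]   # resolved on the receiving node after decapsulation
    local_vlan: Optional[int]   # only meaningful inside one node's br-int
    gre_key: Optional[int]      # only meaningful on the tunnel (br-tun / IP fabric)
    payload: str


@dataclass
class ComputeNode:
    """One compute node: br-int (a VLAN tag per network, chosen locally) and
    br-tun (rewrites local VLAN tag <-> GRE key on the way out and in)."""
    name: str
    next_vlan: int = 1
    vlan_by_net: Dict[str, int] = field(default_factory=dict)

    def attach_network(self, tenant_net: str) -> int:
        """Allocate a node-local VLAN tag the first time a VM on this network
        appears here, as the OVS agent does; other nodes may pick other tags."""
        if tenant_net not in self.vlan_by_net:
            self.vlan_by_net[tenant_net] = self.next_vlan
            self.next_vlan += 1
        return self.vlan_by_net[tenant_net]

    def send(self, tenant_net: str, payload: str) -> Frame:
        """A VM emits a frame: br-int tags it with the local VLAN, then br-tun
        strips that tag and encapsulates with the network's global GRE key."""
        self.attach_network(tenant_net)                       # br-int: local tag
        return Frame(self.name, None, None, GRE_KEYS[tenant_net], payload)  # br-tun

    def receive(self, wire: Frame) -> Optional[Frame]:
        """br-tun maps the GRE key back to this node's local tag. A key for a
        network with no VM on this node has no matching flow, so the frame is
        dropped: sharing the IP fabric does not reach another tenant."""
        net = next((n for n, k in GRE_KEYS.items() if k == wire.gre_key), None)
        if net is None or net not in self.vlan_by_net:
            return None
        return Frame(wire.src_node, net, self.vlan_by_net[net], None, wire.payload)


def demo() -> dict:
    """Two nodes attach the same networks in a different order, so their local
    tags for tenant A differ, yet the GRE key makes delivery unambiguous."""
    c1, c2, c3 = ComputeNode("C1"), ComputeNode("C2"), ComputeNode("C3")
    c1.attach_network("tenant-A-net"); c1.attach_network("tenant-B-net")
    c2.attach_network("tenant-B-net"); c2.attach_network("tenant-A-net")
    c3.attach_network("tenant-B-net")          # C3 hosts no tenant A VM
    wire = c1.send("tenant-A-net", "hello from A1")
    delivered = c2.receive(wire)
    return {
        "c1_tag": c1.vlan_by_net["tenant-A-net"],
        "c2_tag": c2.vlan_by_net["tenant-A-net"],
        "gre_key": wire.gre_key,
        "delivered_tag": delivered.local_vlan if delivered else None,
        "dropped_on_c3": c3.receive(wire) is None,
        "unknown_key_dropped": c2.receive(Frame("C1", None, None, 99, "x")) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from the model is that the local VLAN tag is never trusted across nodes: only the GRE key crosses the fabric, and a node installs a translation for a key only once a VM on that network lives there, so a frame for a network the node does not host is dropped rather than bridged.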

II OpenStack with Virtualization
- Realizing *-as-a-service with server & network virtualization using OpenStack components
Source: Dan Wendlandt – Quantum Hacker & PTL
Note: "Quantum" → "Neutron". "Quantum" is no longer used
23 / 34

III SDN Overview
- Agility on Networks
- Controllability of Entire Network: centralized network management
[1] Van Jacobson et al., "Networking Named Content", CoNEXT 2009.
[2] Thomas Michael Bohnert, "SDN in the Cloud", invited talk @ CNSM 2013.
25 / 34

III SDN Roles in OpenStack
- Centralized control of network using OpenStack
[1] Thomas Michael Bohnert, "SDN in the Cloud", invited talk @ CNSM 2013.
26 / 34

III SDN Roles in OpenStack
- Why OpenStack + SDN?
  • Finally frees applications from being aware of specific networking details (ports, IP addresses, etc.)
  • Reduces network management complexity
[Diagram: Orchestration (OpenStack) above a layer of Physical Machines hosting Virtual Machines, above Servers on the network infrastructure]
27 / 34

III SDN Roles in OpenStack
- OpenStack test bed with SDN in NAIM Networks
[Diagram: an OpenStack Controller Node and a Network Node running the Neutron SDN plugin; Compute Nodes #1 and #2, each with VMs (OS #1–#3), NICs and OpenVSwitch (OVS); an SDN Controller; and an OpenFlow-enabled switch linking the nodes]
28 / 34

IV Overview
- Current security appliances
  • Cost: expensive
  • Maximum bandwidth limits
  • (Mostly) all the traffic is passed through the security appliances
- Idea
  • Distributed DPIs
  • Managing & controlling distributed DPIs using SDN
- Advantages
  • Auto-scaling network resources
  • Service chaining
- Participants
  • NAIM Networks (http://www.naimnetworks.com): 서영석 (team lead), 최영락 (manager), 이정복 (manager)
  • OpenFlow Korea (http://www.openflow.or.kr): 조충희, 임덕선
30 / 34

IV Architecture (1)
- Logical Architecture
[Diagram: a control loop between the Controller and the Cloud Environment: Gather Network Data → Compare Actual State to Desired State → Analysis + Reasoning + Learning → Controller; the cloud environment is physical machines running OpenVSwitch+DPI with VMs, each described by Data Models]
31 / 34

IV Architecture (2)
- Architectural Components
[Diagram: two physical machines, each with VMs (OS #1–#3), NICs, OVS, a DPI engine and a syslog feed; an SDN Controller, a Security Appliance and a Log Analyzer attached to an OpenFlow-enabled switch]
32 / 34

IV Case: Demo
- Scenario
  • Network with anomaly traffic
  • OVSs monitor traffic and send flow information to the "Analyzer"
  • DPIs in each physical machine monitor traffic
  • Controllers control all of the OVSs and OpenFlow-enabled switches
- Let's see a short movie (about 2 min)! (One-month duration for this prototype)
33 / 34
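The demo scenario and the logical architecture on slide 31 describe one loop: OVS flow records are gathered, the actual state is compared with the desired state, and the controller pushes rules to the OVSs. The code below is an added illustration of that loop and is not NAIM Networks' analyzer or any part of the prototype shown in the movie. The flow records, tenant addresses, the "desired state" table, the fan-out threshold and the DPI port number are all constructed; the emitted rules use ovs-ofctl flow syntax (match on nw_src, action output to a port) so a controller could hand them to the OVS on the node that reported the source, but no controller or switch is contacted here.

```python
# Added example (not from the slides or the NAIM Networks prototype): a
# miniature "Analyzer" for the demo loop. Flow records reported by each
# node's OVS are summarised per source, compared against a constructed
# desired state, and deviating sources are turned into OpenFlow rules that
# steer their traffic through the local DPI. All values are constructed.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class FlowRecord:
    node: str       # compute node whose OVS reported the flow
    src: str
    dst: str
    dport: int
    packets: int


# Constructed desired state: which destination prefixes each tenant prefix may reach.
DESIRED: Dict[str, Set[str]] = {
    "10.0.1.": {"10.0.1."},             # tenant A: its own network only
    "10.0.2.": {"10.0.2.", "10.0.9."},  # tenant B: own network plus shared services
}
MAX_DISTINCT_DPORTS = 5  # constructed threshold: more distinct ports than this looks like probing
DPI_PORT = 7             # constructed OVS port number where the node's DPI is attached

# Constructed OVS flow records from two compute nodes.
SAMPLE_FLOWS: List[FlowRecord] = [
    FlowRecord("C1", "10.0.1.5", "10.0.1.6", 80, 120),
    FlowRecord("C1", "10.0.1.5", "10.0.1.6", 443, 40),
    FlowRecord("C1", "10.0.1.7", "10.0.1.6", 21, 1),
    FlowRecord("C1", "10.0.1.7", "10.0.1.6", 22, 1),
    FlowRecord("C1", "10.0.1.7", "10.0.1.6", 23, 1),
    FlowRecord("C1", "10.0.1.7", "10.0.1.6", 25, 1),
    FlowRecord("C1", "10.0.1.7", "10.0.1.6", 80, 1),
    FlowRecord("C1", "10.0.1.7", "10.0.1.6", 110, 1),
    FlowRecord("C2", "10.0.2.3", "10.0.9.10", 53, 30),
    FlowRecord("C2", "10.0.2.3", "10.0.1.6", 22, 3),
]


def allowed_prefixes(src: str) -> Set[str]:
    """Desired state for a source: the destination prefixes its tenant may reach."""
    for prefix, allowed in DESIRED.items():
        if src.startswith(prefix):
            return allowed
    return set()


def analyze(records: List[FlowRecord]) -> Dict[str, dict]:
    """Gather network data, then compare actual state to desired state.
    Returns {src: {"nodes": [...], "reasons": [...]}} for deviating sources."""
    per_src = defaultdict(lambda: {"dports": set(), "dsts": set(), "nodes": set()})
    for r in records:
        per_src[r.src]["dports"].add(r.dport)
        per_src[r.src]["dsts"].add(r.dst)
        per_src[r.src]["nodes"].add(r.node)

    findings: Dict[str, dict] = {}
    for src, s in per_src.items():
        reasons = []
        allowed = allowed_prefixes(src)
        outside = sorted(d for d in s["dsts"] if not any(d.startswith(p) for p in allowed))
        if outside:
            reasons.append("destinations outside desired state: " + ", ".join(outside))
        if len(s["dports"]) > MAX_DISTINCT_DPORTS:
            reasons.append(f"{len(s['dports'])} distinct destination ports (limit {MAX_DISTINCT_DPORTS})")
        if reasons:
            findings[src] = {"nodes": sorted(s["nodes"]), "reasons": reasons}
    return findings


def flow_rules(findings: Dict[str, dict], dpi_port: int = DPI_PORT) -> List[Tuple[str, str]]:
    """Controller step: one ovs-ofctl style rule per (node, flagged source) that
    sends the source's IP traffic to the DPI port on the node that saw it."""
    return [
        (node, f"priority=200,ip,nw_src={src},actions=output:{dpi_port}")
        for src in sorted(findings)
        for node in findings[src]["nodes"]
    ]


if __name__ == "__main__":
    found = analyze(SAMPLE_FLOWS)
    for src, info in found.items():
        print(src, info)
    for node, rule in flow_rules(found):
        print(f"{node}: ovs-ofctl add-flow br-int \"{rule}\"")
```

Two properties of the loop are worth noting. The rule is scoped to the node whose OVS reported the source, which is what makes the DPI distributed rather than a single choke point as on slide 30, and the analyzer acts only on a difference between actual and desired state, so the same flow records produce no rules when the desired state already permits them.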

! Summary
- Separated virtualization management: server virtualization & network virtualization
- OpenStack was originally designed for server virtualization management, but it started to support network virtualization (officially) after the Folsom release
- "OpenStack + SDN" supports better orchestration with centralized network management and abstraction from network details
- We showed one security prototype that can be deployed directly to an OpenStack+SDN environment
34 / 34

www.NAIMNetworks.com
