Post on 25-Feb-2016
Security, Resiliency and Other Challenges
Erik Linask, Group Editorial Director, TMC
elinask@tmcnet.com | Twitter: @elinask
www.nfvzone.com / www.sdnzone.com
• Security, scalability, resiliency = traditional deterrents
• Now we are telling telcos they need to virtualize and “cloudify”
Security, Resiliency and Other Challenges
Glen Gerhard, VP, Product Management, Sansay
Nabil Damouny, Sr. Director, Strategic Marketing, Netronome
Security Concerns
• Very similar unless using a cloud infrastructure
[Diagram: dedicated, VM and cloud network deployments, showing protected and public segments and the ISP]
Resiliency Concerns
• VM can be made HA and fault tolerant
– Easier and cheaper than h/w based systems
– Cloud can be even more dynamic, normally not HA
[Diagram: route management plane, session processing plane and media handling plane, built from ROME (master-slave), MSX and INX components]
Resiliency
• Geographic redundancy easy with both
[Diagram: one network license spanning three zones (Zone 1, Zone 2, Zone 3), each with its own CAC load]
PCI Compliance
• Very tightly controlled architecture
• Cloud support possible with hybrid systems
Security & Resiliency in SDN & NFV
Nabil Damouny, Sr. Director, Strategic Marketing, Netronome
Vice Chair, Market Education Committee, ONF
Editor, Compute Domain, ETSI NFV
nabil.damouny@netronome.com
Agenda
• Netronome … intro
• Network security services
• Deploying L4-L7 services in SDN-OpenFlow
• Inserting L7 intelligence in the data path
• ETSI NFV – complementary to SDN
• Faults & resiliency in NFV
• Summary
Company
• Fabless semiconductor company
– Best-in-class flow processors designed for 10/40/400G communications designs
• Product and markets
– Leader in SDN-OpenFlow
– Leader in NFV … COTS architecture
– Cybersecurity
• Sole licensee of Intel IXP processor IP
• Intel 22nm tri-gate process
• 100+ patents
[Map: worldwide headquarters, research and development center, and regional sales and support centers in Santa Clara, Pittsburgh, Boston, Cambridge, Johannesburg, Shenzhen, Beijing and Tokyo]
• L2-L4 forwarding
– Switching
– Routing
– Packet forwarding
– OpenFlow
– Architectures optimized to process individual packets
• L4-L7 services
– Security
– Load balancing
– WAN optimization
– Architectures optimized to process flows and content
What Are Layer 4 through 7 Services?
Categorized by depth of Layer 4 through 7 inspection:
• No flow inspection
– OpenFlow switch
• Partial flow inspection
– Load balancer
– Next-generation firewall
– WAN optimization
– Web application firewall
• Flow monitoring
– Test and measurement
– Policing and metering
– Quality of Service (QoS)
– Traffic analysis
• Full flow inspection
– Anti-virus / anti-spam
– Intrusion prevention system (IPS)
– SSL inspection
– VPN
There are 4 service categories with specific processing requirements.
Suggested Deployment Models
[Diagram: application layer (applications) above northbound APIs, control layer (network controller / SDN control software) above the southbound API, and infrastructure layer (network devices); Layer 4-7 services placed (1) on the controller, (2) in a Layer 4 through 7 appliance, (3) in an intelligent switch with Layer 4-7]
1. Running as applications on the controller
• Controller programs SDN switch on a per-flow basis
2. Standalone network appliance
• Traffic directed to appliance either based on static policy or dynamically driven by controller
• Legacy or OF-enabled
3. Full Layer 4-7 network services running on intelligent switch
• Intelligent switch becomes L2-L7 device
Different deployment models to best fit service requirements, including performance and latency.
Use Case: Advanced Traffic Analysis … Embedded DPI feeds network intelligence to services on L7 device
• Application flows forwarded directly to specialized service processing
• Requires L4-L7 intelligence embedded directly in switches
[Diagram: application layer (applications), control layer (SDN control software, northbound APIs, southbound API) and infrastructure layer (network devices); a Layer 4-7 network device performs protocol and application identification on data plane traffic (VoIP, P2P, video, web, IM, other) and hands it to Layer 7 network service devices providing traffic steering, video optimization, QoS/QoE, analytics, GGSN and content filtering]
SDN Data Center … Intelligence Is at the Edge
SDN Gateway
• Interconnect new virtualized networks and legacy
• Focus on gateway for multi-tenant data center -to- MPLS WAN
NFV Appliance
• Open, programmable host for virtual applications
• Focus on ETSI NFV use cases:
– Two out of 9 pre-defined use cases
• Use Case #5 – VNF as a service
• Use Case #6 – Service chaining
Examples of Types of Faults
[Diagram: VNF1 hosted in VMs (VM1, VM2) over hypervisors on two x86 servers (X86-1, X86-2) that share a physical network infrastructure; guest OSs VM1-OS to VM4-OS each consume CPU, memory, disk and I/O; impact grows from less severe (VNF level) to more severe (physical infrastructure)]
• Failure of the VNF
– Application crash, overload condition
– Tolerable if clustered topology; service degradation (SD) possible
• Failure of the VM
– OS crash, resource exhaustion
– Tolerable in clustered topology, SD possible
• Failure of the hypervisor
– Tolerable in clustered topology, SD
• Failure of the server
– OS crash, resource exhaustion
– Tolerable in clustered topology, SD possible
• Failure in the physical infrastructure
– Device power cycle/crash, loss of connectivity
– Tolerable if infra is HA capable
SDN-aware NFV Security Platforms
• Netronome offerings
– Flow processors scaling to 200Gbps
– FlowNICs for acceleration of standard servers
– Production-ready reference platforms
• Features and benefits
– 216 programmable processing cores
– 4 x PCIe Gen 3 to connect to x86 sockets
• 200Gbps+ throughput to standard servers
– Support >500 BIPS per 2U to apply to workloads in NFV environments
• Support for high-touch security applications
– Fully SDN capable
• Support for OpenFlow 1.3
– Carrier grade resiliency in COTS server architecture platforms
• Numerous high-availability options
– Integrated fail-to-wire
– Active-passive and active-active HA modes of operation
Netronome’s FlowNICs and reference platforms are ideal to solve the security and resiliency challenges facing SDN and NFV.
Looking Ahead
• What are some of the obstacles for a telco to work with ISVs in the security area?
• How can a telco achieve the traditional 5 9's reliability? How about high availability?
• Is it easier and less costly to design for redundancy in NFV & SDN?
• How about federation and the need for interoperability between carriers?
• What is the role of cloud orchestration in security & resiliency?
BACKUP
ETSI ISG NFV Structure
• ISG E-E documents (ratified)
1. Architecture Framework
2. Use Cases (9 total)
3. (Business) Requirements
4. Terminology
• Technical working groups
1. Infrastructure (INF)
2. Software Architecture (SWA)
3. Management & Orchestration (MANO)
4. Reliability & Availability (REL)
– Performance Expert Group (PER)
– Security Expert Group (SEC)
SDN & NFV are complementary & synergistic.
Source: ETSI ISG NFV
Topologies for Hosting Network Functions in VMs
• Single instance topology
– VNF deployed on a single virtual machine
• Clustered or composite topology
– Consists of multiple VNF components (VNFCs)
• L2/L3 connectivity between VNF instances when multiple physical servers host the same VNF
Simple vs. Clustered VNFs
[Diagram: five NFV deployment examples (1–5), ranging from a single VNF1 in one VM on one hypervisor/x86 host, through several VNFs (VNF1, VNF2, VNF3) sharing VM1/VM2 on one host, to a clustered VNF whose components VNFC1–VNFC4 run in VMs across two servers (X86-1, X86-2)]
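As an added example that is not part of either presentation, the following Python models the fault hierarchy from the "Examples of Types of Faults" slide against the single-instance and clustered topologies described above: a fault at any level takes down every VNFC hosted below it, and the script reports whether the service stays up, degrades (the slide's SD) or fails, and which fault domains are single points of failure. The placements, the domain names (VM1–VM4, X86-1, X86-2, DC-A) and the min_healthy threshold are constructed assumptions, not values from the slides.

```python
"""Fault-domain check for VNF placements (added example, not from the slides).
Hierarchy from the "Examples of Types of Faults" slide: VNFC -> VM ->
hypervisor/server -> physical infrastructure. A fault at one level takes every
VNFC below it down; the VNF is "ok" if all survive, "degraded" (the slide's SD)
if at least min_healthy survive, else "outage"."""
from dataclasses import dataclass
# fault level -> Vnfc attribute naming the fault domain at that level
LEVELS = {"vnfc": "name", "vm": "vm", "server": "server", "infra": "infra"}

@dataclass(frozen=True)
class Vnfc:
    name: str
    vm: str      # VM ids unique across hosts (constructed assumption)
    server: str  # hypervisor and x86 host treated as one fault domain
    infra: str   # power / physical network domain

@dataclass
class Vnf:
    name: str
    vnfcs: tuple
    min_healthy: int = 1  # VNFCs needed to keep delivering the service

def impact(vnf, level, target):
    """Service state after fault domain `target` fails at `level`."""
    attr = LEVELS[level]
    alive = [c for c in vnf.vnfcs if getattr(c, attr) != target]
    if len(alive) == len(vnf.vnfcs):
        return "ok"
    return "degraded" if len(alive) >= vnf.min_healthy else "outage"

def single_points_of_failure(vnf):
    """Every (level, domain) whose loss on its own causes an outage."""
    spofs = []
    for level, attr in LEVELS.items():
        for target in sorted({getattr(c, attr) for c in vnf.vnfcs}):
            if impact(vnf, level, target) == "outage":
                spofs.append((level, target))
    return spofs

# Constructed placements after the "Simple vs. Clustered VNFs" slide: 1 vs 4 VNFCs
SINGLE = Vnf("single-instance", (Vnfc("VNFC1", "VM1", "X86-1", "DC-A"),))
CLUSTERED = Vnf("clustered", (
    Vnfc("VNFC1", "VM1", "X86-1", "DC-A"), Vnfc("VNFC2", "VM2", "X86-1", "DC-A"),
    Vnfc("VNFC3", "VM3", "X86-2", "DC-A"), Vnfc("VNFC4", "VM4", "X86-2", "DC-A"),
), min_healthy=2)

if __name__ == "__main__":
    for vnf in (SINGLE, CLUSTERED):  # shared DC-A infra is the clustered SPOF
        print(vnf.name, single_points_of_failure(vnf))
```

Losing X86-1 leaves the clustered VNF degraded rather than down, while the single-instance VNF fails on any fault; the shared infrastructure domain remains a single point of failure for both, which is the case the slide says needs HA-capable infra.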