The Rise of the Layer 7 Classifier

Creating Service-Awareness across Networks

Qosmos, May 2015 (transcript of the slide deck)

Agenda

1. What is an L7 Classifier?

2. L7 Classifier for Gi-LAN (SFC)

3. L7 Classifier for vCPE (SFC)

4. L7 Classifier for virtual switch (security)

5. Summary

What is an L7 Classifier?

Figure: raw packet flows enter the L7 Classifier and leave as classified flows plus metadata; that metadata is what makes the downstream network service aware.

Principles

• Standalone software component

• Classifies traffic flows in real time for further processing in e.g. switches, routers, PCEF, firewall, passive probes, etc.

• Recognizes traffic up to Layer 7 using Deep Packet Inspection and associated techniques (heuristics, statistical, behavioral, etc.)

Place in a technical architecture

• Typically located in the packet data path (can also be out-of-band)

• Built from the inception to be integrated within industry reference frameworks, such as SFC, SDN, NFV, and Open Source

• Managed by industry reference frameworks, such as ODL SFC, OpenStack GBP, ODL GBP

What it is NOT

• Not a Software Development Kit (SDK)

• Not a virtualized legacy product (e.g. vTDF)


Example of L7 Service Classifier for SFC in Gi LAN

Figure: on the Telco / 3GPP NFV side, incoming traffic from the P-GW enters the Gi-LAN (PCRF, NFV Orchestrator, VNF Manager and VIM shown as the management and policy elements). On the IT / SDN side, an SFC SDN Controller programs a Service Function Forwarder that steers flows through SFC-aware functions (e.g. Parental Control, Video Opt.) and, via an SFC Proxy, an SFC-unaware function (e.g. Caching). L7 Classifier instances appear both at the chain entry, next to the Service Function Forwarder, and alongside the SFC Proxy.

Example: Using ODL to Configure L7 SFC Based on L7 Classification

In ODL Lithium you can configure SFC based on L7 classification.

Example: L7 Classifier Managed by Adding L7 Criteria in OpenStack (via Group Based Policy or Security Groups)

Screenshot: a policy rule whose L7 criterion is the application ID "Bit Torrent". Soon you will be able to create policies based on L7 application IDs.

When do you Need an L7 Classifier?

• For Service Function Chaining (SFC) in Mobile Gi-LAN

• To optimize services in virtual CPE (vCPE)

• To strengthen security in virtualized datacenter environments


L7 Service Classifier for SFC in Gi LAN

Figure: the same Gi-LAN SFC diagram as in the earlier example, annotated with the four steps below.

1. Controller configures the classifier with service chaining rules based on App ID and Sub class

2. Controller configures the network equipment (SFF) to ensure the classifier's tags are well understood

3. Service Classifier tags the traffic (e.g. HD video tag)

4. Network equipment (SFF) sends HD video into the appropriate service chain (video optimization + cache)
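The four steps above as an added Python model (example code written for this transcript, not Qosmos, ODL or OpenStack code): a controller pushes App ID rules to the classifier and tag-to-chain tables to the SFF, the classifier tags each flow from its first client bytes, and the SFF steers the flow into the chain the tag names. The app names, chain names, metadata keys and the three toy signatures (BitTorrent handshake, HTTP request line, TLS ClientHello SNI) are assumptions for the example; a real engine uses thousands of signatures plus heuristic, statistical and behavioral techniques. Two caveats a practitioner should keep in mind: for an encrypted flow the classifier sees little beyond the SNI, and both the HTTP Host/path and the SNI are chosen by the client, so a tag that buys better treatment (video optimization, caching) can be claimed by any endpoint that sends the right bytes.

```python
"""Toy model of the four Gi-LAN SFC steps: the controller pushes App ID rules to
the L7 classifier and chain tables to the SFF, the classifier tags each flow, and
the SFF resolves the tag to a service chain. Signature-based only; app names,
chain names and metadata keys are assumptions made for this example."""
import struct
from dataclasses import dataclass, field

@dataclass
class Flow:
    payload: bytes                                  # first client bytes of the flow
    metadata: dict = field(default_factory=dict)    # written by the classifier

def tls_sni(payload: bytes):
    """server_name from a TLS ClientHello, or None; about all DPI sees of an encrypted flow."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:        # TLS record, ClientHello
            return None
        p = 5 + 4 + 2 + 32                                  # record hdr, hs hdr, version, random
        p += 1 + payload[p]                                 # session id
        p += 2 + struct.unpack_from("!H", payload, p)[0]    # cipher suites
        p += 1 + payload[p]                                 # compression methods
        ext_end = p + 2 + struct.unpack_from("!H", payload, p)[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack_from("!HH", payload, p)
            if etype == 0:                                  # server_name extension
                name_len = struct.unpack_from("!H", payload, p + 7)[0]
                return payload[p + 9:p + 9 + name_len].decode("ascii")
            p += 4 + elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None

def make_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello with only an SNI extension (sample input)."""
    name = server_name.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

VIDEO_EXT = (".m3u8", ".mpd", ".mp4")               # assumed: HLS/DASH manifests, MP4 files

def classify(flow: Flow) -> Flow:
    """Step 3: tag the flow with an App ID and Sub class (toy signatures)."""
    p, app, sub = flow.payload, "unknown", None
    if p.startswith(b"\x13BitTorrent protocol"):
        app = "bittorrent"
    elif p.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD") and b" HTTP/1." in p:
        app = "http"
        req = p.split(b"\r\n", 1)[0].decode("ascii", "replace").split(" ")
        if len(req) > 1 and req[1].lower().endswith(VIDEO_EXT):
            sub = "video"     # HD vs SD needs the statistical/behavioral techniques this toy lacks
    elif (sni := tls_sni(p)) is not None:
        app, sub = "tls", sni                           # sub class carries the server name
    flow.metadata.update({"app_id": app, "sub_class": sub})
    return flow

@dataclass
class Controller:                                       # steps 1 and 2: the controller owns both tables
    classifier_rules: list = field(default_factory=list)   # (app_id, sub_class or None, tag)
    sff_chains: dict = field(default_factory=dict)         # tag -> ordered service functions
    def push(self, app_id, sub_class, tag, chain):
        self.classifier_rules.append((app_id, sub_class, tag))  # step 1: rule to the classifier
        self.sff_chains[tag] = chain                            # step 2: tag meaning to the SFF

def tag_flow(flow: Flow, rules) -> str:
    """First match wins, so the more specific (App ID + Sub class) rules are pushed first."""
    for app_id, sub_class, tag in rules:
        if flow.metadata["app_id"] == app_id and sub_class in (None, flow.metadata["sub_class"]):
            flow.metadata["chain_tag"] = tag
            return tag
    flow.metadata["chain_tag"] = "default"
    return "default"

def demo_controller() -> Controller:
    ctl = Controller()                                                      # assumed chain names
    ctl.push("http", "video", "video", ["video-optimization", "caching"])
    ctl.push("http", None, "web", ["parental-control"])
    ctl.push("bittorrent", None, "p2p", ["parental-control"])
    ctl.sff_chains["default"] = []                                          # no chain, straight out
    return ctl

def process(flow: Flow, ctl: Controller) -> list:
    classify(flow)
    tag_flow(flow, ctl.classifier_rules)
    return ctl.sff_chains[flow.metadata["chain_tag"]]   # step 4: the SFF resolves the tag

if __name__ == "__main__":
    ctl = demo_controller()
    for payload in (                                                        # constructed payloads
        b"GET /hls/trailer.m3u8 HTTP/1.1\r\nHost: cdn.example.net\r\n\r\n",
        b"\x13BitTorrent protocol" + b"\x00" * 8,
        make_client_hello("video.example.net"),
    ):
        f = Flow(payload)
        print(process(f, ctl), f.metadata)
```

The TLS sample lands in the default chain: the classifier can name the server but not the application behind it, which is the gap the heuristic and behavioral techniques on the "Principles" slide exist to narrow.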

Cost Savings Thanks to Subscriber + Application Awareness


The L7 Classifier: Natural Integration with Open Source and Standards

Figure: reference SFC/SDN architecture. Service Clients reach an Orchestrator (SFC manager, SFC instance manager, SF Locator & Transport Cap.) over the SFC NBI. The Orchestrator drives SFC SDN Controllers running an SFC Application over the SFC SBI (SDN NBI), and each controller programs its SF Forwarders (OF-Switches) over the SDN SBI with an OpenFlow Extension, exchanging NSH headers, OpenFlow config. of switches and Forwarding Graphs. Between Traffic Source and Traffic Destination the forwarders attach Non-OpenFlow Service Functions (NAT, FW, Cache, QoS, VPN, IPS, IDS, L7 Classifier) and OpenFlow-Enabled Service Functions (Load Balancer, WOC, L7 Classifier).


vCPE: Configuration with all Virtualized Functionality in the Network

• In this example, virtual CPE runs CPE functions in virtual machines hosted within a data center

• This deployment typically only requires a basic CPE on the customer premises

• Reduces costs and simplifies customer infrastructure (by using basic CPEs)

• Enables full automation and provisioning of virtual network services

Figure: a Basic CPE on the premises, with the VAS/L4-L7 network services (FW, VPN, NAT) hosted in the network.

Example of Configuration

Figure: Basic CPE -> Access network -> Layer 2 element -> Data Center / CO / POP. In the data center, an L2-3 Service Function Forwarder, configured through ODL/SFC with L7 SFC criteria, steers traffic through the L7 Classifier, the VAS/L4-L7 network services (FW, VPN, NAT) and other, cloud-based functions.

Implementation

• All virtualized CPE functionality situated in the network, at the PoP or in other DCs

• Enables optimization of services delivered to premises based on subscriber and application

• Configuration using reference implementations such as ODL/SFC

Benefits

• Optimized service delivery to customer premises

• All the associated benefits of vCPE (reduced cost, service agility, easier & faster deployment, etc.)


Optimization of Cyber Security in Virtualized Environment: Network Micro-Segmentation

Figure: a FW securing the outer perimeter (perimeter security) in front of several hosts, each running L7 Classification and FW in the hypervisor (micro-segmentation).

Typical situation today

• Perimeter protection such as firewalls and IDS/IPS focuses on north-south traffic, in/out of the data center

• Firewalls and IDS/IPS are not built for securing east-west traffic within the data center

• If malware penetrates the outer security perimeter, it can launch further attacks inside a vulnerable data center

Solution

• Use micro-segmentation to divide the data center into smaller zones which can be protected separately

• In case of a breach, the damage can quickly be contained to a small number of compromised devices

Figure (sports analogy): perimeter security is drawn as a zone defense and micro-segmentation as a man-to-man defense, over the same diagram of hosts running L7 Classification and FW in the hypervisor behind a FW securing the outer perimeter.

OK, OK, all analogies have limits…

How Does it Work? Zoom on L7 Classifier Embedded in Hypervisor

Implementation

• Position a firewall with East-West visibility inside the hypervisor

• L7 Classifier integrated into the hypervisor strengthens context by extending vSwitch visibility from layer 1-4 all the way up to layer 7

• vSwitch can implement firewalling rules based on application visibility up to layer 7

• Enables application-aware micro-segmentation of flows

Benefits

• Enables automated provisioning and move/add/change of FW policies + quarantine of infected VMs

• Any security breach can quickly be contained to a small number of compromised devices

Figure: on a Physical Server / Host, the Hypervisor runs a vSwitch (L1-4) extended by an L7 Classifier; the Virtual Machines above it are governed by Security Groups with NEW L7 fields.
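An added Python model of the hypervisor firewall described above (example code written for this transcript, not OpenStack or Qosmos code): security-group rules that carry an application ID alongside the usual direction, protocol, port range and remote CIDR, evaluated over flows the L7 Classifier has already labelled. The tier names, addresses and group layout are constructed for the example. It shows the practical difference the L7 field makes: an L1-4 vSwitch must allow anything on an open port, so a compromised web VM can tunnel SSH over the database port, whereas the L7-aware rule allows that port only for the database protocol. It also models the "quarantine of infected VMs" move/add/change as a swap of the VM's groups. Two caveats: the app ID is inferred, and a tunnel dressed up as the expected protocol (or hidden inside TLS to a permitted name) will still be labelled as that protocol, so the L7 field narrows what an open port may carry but does not authenticate the peer; and a classifier needs the first packets of a flow before it can label it, so the vSwitch has to decide what to do with a still-unclassified flow (this example fails closed and drops it).

```python
"""Toy vSwitch security-group evaluator with the NEW L7 field: each rule may carry
an application ID in addition to direction, protocol, ports and remote CIDR.
Input flows are already classified (app_id written by an L7 classifier); group
names, tiers and addresses are assumptions made for this example."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    direction: str                 # "ingress" / "egress", as seen from the VM
    proto: str                     # "tcp" / "udp"
    port_min: int                  # destination port range of the packet
    port_max: int
    remote_cidr: str               # allowed peer address range
    app_id: Optional[str] = None   # L7 field; None means any application

@dataclass
class ClassifiedFlow:
    vm: str
    direction: str
    proto: str
    remote_ip: str
    port: int                      # destination port (VM port for ingress, remote port for egress)
    app_id: str                    # from the classifier; "unclassified" until it has seen enough packets

def rule_matches(rule: Rule, flow: ClassifiedFlow, l7_aware: bool) -> bool:
    if rule.direction != flow.direction or rule.proto != flow.proto:
        return False
    if not rule.port_min <= flow.port <= rule.port_max:
        return False
    if ipaddress.ip_address(flow.remote_ip) not in ipaddress.ip_network(rule.remote_cidr):
        return False
    # the L7 field: a plain L1-4 vSwitch cannot evaluate it and simply ignores it
    return not l7_aware or rule.app_id is None or rule.app_id == flow.app_id

def verdict(flow: ClassifiedFlow, groups: dict, membership: dict, l7_aware: bool = True) -> str:
    """Security groups are allow-lists: any matching rule allows, otherwise drop."""
    for group in membership.get(flow.vm, ()):
        if any(rule_matches(r, flow, l7_aware) for r in groups[group]):
            return "allow"
    return "drop"

def quarantine(groups: dict, membership: dict, vm: str, collector_ip: str) -> None:
    """Move/change on breach: the VM keeps only a TLS path to the forensics collector."""
    groups["quarantine"] = [Rule("egress", "tcp", 443, 443, f"{collector_ip}/32", "tls")]
    membership[vm] = ["quarantine"]

def demo_policy():
    """Constructed two-tier policy: web VMs in 10.0.1.0/24, database VMs in 10.0.2.0/24."""
    groups = {
        "web": [Rule("ingress", "tcp", 443, 443, "0.0.0.0/0", "tls"),
                Rule("egress", "tcp", 5432, 5432, "10.0.2.0/24", "postgresql")],
        "db":  [Rule("ingress", "tcp", 5432, 5432, "10.0.1.0/24", "postgresql")],
    }
    membership = {"web01": ["web"], "db01": ["db"]}
    return groups, membership

if __name__ == "__main__":
    groups, membership = demo_policy()
    legit = ClassifiedFlow("db01", "ingress", "tcp", "10.0.1.10", 5432, "postgresql")
    # compromised web VM tunnelling SSH over the open database port
    tunnel = ClassifiedFlow("db01", "ingress", "tcp", "10.0.1.10", 5432, "ssh")
    for name, f in (("legit", legit), ("tunnel", tunnel)):
        print(name, "L4-only:", verdict(f, groups, membership, l7_aware=False),
              "L7-aware:", verdict(f, groups, membership))
    quarantine(groups, membership, "web01", "10.0.9.1")
    print("quarantined web01 -> db:", verdict(
        ClassifiedFlow("web01", "egress", "tcp", "10.0.2.5", 5432, "postgresql"), groups, membership))
```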


Qosmos L7 Classifiers

Principles

• Standalone software components which classify 2400+ protocols

• Classify traffic flows in real time for further processing in e.g. switches, routers, PCEF, firewall, passive probes, etc.

• Recognize traffic up to Layer 7 using Deep Packet Inspection and associated techniques (heuristics, statistical, behavioral, etc.)

Form factors

• Service Classifier VNF for Gi-LAN or vCPE

• L7 Classifier for vSwitch

Place in a technical architecture

• Typically located in the packet data path (can also be out-of-band)

• Built from the inception to be integrated within industry reference frameworks, such as SFC, SDN, NFV, and Open Source

• Managed by industry reference frameworks, such as ODL SFC, OpenStack GBP, ODL GBP


Summary

• The L7 Classifier is a new software component built from the inception to work efficiently in SDN & NFV architectures

• The L7 Classifier provides real-time Subscriber and Application Awareness to the entire network infrastructure

• The L7 Classifier is needed for key use cases: Service Chaining for Gi-LAN and vCPE, and Security in datacenter environments

Qosmos, Qosmos ixEngine, Qosmos ixMachine and Qosmos DeepFlow are trademarks or registered trademarks in France and other countries. Other company and product names mentioned herein are the trademarks or registered trademarks of their respective owners. Copyright Qosmos. Non-contractual information. Products and services and their specifications are subject to change without prior notice.

© Qosmos