Gartner Security and Risk Management conference – Software Defined Networking

This was an introductory talk around Software Defined Networking (SDN) and some of it’s security implications.

What is it?

  • Decoupling the control pane from the data plane and centralising logical controls
  • Communication between network devices and SDN controllers is with both open and proprietary protocols currently – no single standard..
  • SDN controller supports open interface to allow external programability of the environment

– Controller tells each node how to route, vs. current where each node makes it’s own routing decisions.

 How do I enforce network security in an SDN environment?

  • Switch as the Policy enforcement point
    • Switch tells controller it’s seen traffic with certain flow characteristics, Flow controller tells it what to do with the flow, and this information is cached in the local flow table for a specified time.  Another flow arrives and this one is not permitted, so the controller tells the switch to just drop the packets – switch effectively becomes a stageful firewall.
    • Existing controls such as DLP, Firewalls, Proxy servers etc. can all be used with SDN –
      • e.g. someone tries to connect to the internet – flow controller instructs switch to send traffic to the firewall / IPS / DLP server etc.
      • e.g. sending email – no matter where it’s going flow says first point is DLP, then firewall, then onto destination
      • This means devices no longer need to be inline – they can be anywhere on the network.  Flow controller just needs to know where to send certain traffic types!
    • Incoming flows can be treated in the same way
      • Something changes – such that it looks like DDoS – traffic can be routed to the DDoS protection device(s)

What risks does SDN introduce?

  • Risk is aggregated in the controller
    • Malicious or accidental changes could remove some or all of the security protections
  • Integrity of of the Flow Tables must be maintained
    • Switches etc must be managed from controller, not locally
  • Input from applications must be managed and prioritised
    • Application APIs are non standard
    • Who gets precedence?
      • Load balancer vs. security tools when defining traffic flows?

SDN products do exist now.

  • Standards do exist
    • OpenFlow – maintained by Open Networking Foundation
  • Network devices (early days)
    • Open vSwitch
    • Some products from Brocade, Cisco, HP, IBM
  • Controllers (limited maturity)
    • Floodlight (open source)
    • Products from Big Switch Networks, Cisco, HP, NEC, NTT Data, VMware
  • Applications (often tied to specific controllers)
    • Radware and HP produce some security applications

Recommendations;

  • Do not overreact to SDN hype
  • Combine IT disciplines when implementing SDN
    • Don’t forget security!!
  • Determine how existing control requirements can be met with SDN
  • Examine how SDN impacts separation of duties
    • Some similar issues to vitalisation
  • Discuss SDN with your existing security vendors
  • Deploy SDN in a lab or test environment
    • PoC and understand fully before deploying

 

Overall this was an informative and fast paced talk.  As per the speakers recommendations, SDN is a very interesting technology, although it is still in the emerging phase with the majority of deployments currently being in testing or academia.  I wouldn’t yet recommend it for production Datacentre deployments, but I would recommend you become familiar with it, especially if you work in the networking or security fields.

 

K

Cloud Security Alliance Congress Orlando 2012 pt5 – closing keynote

Closing Keynote – State of the Union

Chris Hoff, who is the author of the Rational Survivability blog, gave a great closing keynote covering the last few years via his previous presentation titles and content.  I can recommend reading / viewing the mentioned presentations.  This was followed by a brief overview of current issues and trends, and then coverage of upcoming / very new areas of focus we all need to be aware of.

What’s happened?

2008 – Platforms dictate capabilities (security) and operations – Read ‘The four horsemen of the virtualisation security apocalypse’

–          Monolithic security vendor virtual appliances are the virtualisation version of the UTM argument.

–          Virtualised security can seriously impact performance, resiliency and scalability

–          Replicating many highly-available security applications and network topologies in virtual switches don’t work

–          Virtualising security will not save you money.  It will cost you more.

2009 – Realities of hybrid cloud, interesting attacks, changing security models – Read – ‘The frogs who desired a king – A virtualisation and cloud computing fable set to interpretive dance’

–          Cloud is actually something to be really happy about; people who would not ordinarily think about security are doing so

–          While we’re scrambling to adapt, we’re turning over rocks and shining lights in dark crevices

–          Sure bad things will happen, but really smart people are engaging in meaningful dialogue and starting to work on solutions

–          You’ll find that much of what you have works.. Perhaps just differently; setting expectations is critical

2010 – Turtles all the way down – Read – ‘Cloudifornication – Indiscriminate information intercourse involving internet infrastructure’

–          Security becomes a question of scale

–          Attacks on and attacks using large-scale public cloud providers are coming and cloud services are already being used for $evil

–          Hybrid security solutions (and more of them) are needed

–          Service transparency, assurance and auditability is key

–          Providers have the chance to make security better.  Be transparent.

2010 – Public cloud platform dependencies will liberate of kill you – Read ‘Cloudinomicon – Idempotent infrastructure, survivable systems and the return of information centricity’

–          Not all cloud offerings are created equal or for the same reasons

–          Differentiation based upon PLATFORM: Networking security, Transparency/visibility and forensics

–          Apps in clouds can most definitely be deployed as securely or even more securely than in an enterprise

–          However this often required profound architectural, operational, technology, security and compliance model changes

–          What makes cloud platforms tick matters in the long term

 2011 – Security Automation FTW – Read ‘Commode computing – from squat pots to cloud bots – better waste management through security automation’

–          Don’t just sit there: it wont automate itself

–          Recognise, accept and move on: The DMZ design pattern is dead

–          Make use of existing / new services: you don’t have to do it all yourself

–          Demand and use programmatic interfaces from security solutions

–          Encourage networks / security wonks to use tools / learn to program / use automation

–          Squash audit inefficiency and maximise efficacy

–          DevOps and security need to make nice

–          AppSec and SDLC are huge

–          Automate data protection

2012 – Keepin it real with respect to challenges and changing landscape – Read – ‘The 7 dirty words of Cloud Security’

–          Scalability

–          Portability

–          Fungibility

–          Compliance

–          Cost

–          Manageability

–          Trust

2012 – DevOps, continual deployment, platforms –  Read – ‘Sh*t my Cloud evangelist says …Just not to my CSO’

–          [Missing] Instrumentation that is inclusive of security

–          [Missing] Intelligence and context shared between infrastructure and application layers

–          [Missing] Maturity of “Automation Mechanics” and frameworks

–          [Missing} Standard interfaces, precise syntactical representation of elemental security constructs

–          [Missing] An operational methodology that ensures and commone understanding of outcomes and ‘agile’ culture in general

–          [Missing] Sanitary application security practices

What’s happening?

–          Mobility, Internet of Things, Consumerisation

–          New application architecture and platforms (Azure, Cloud foundry, NoSQL, Cassandra, Hadoop etc.)

–          APIs – everything connected by APIs

–          DevOps – Need to understand how this works and who owns security

–          Programmatic (virtualised) Networking and SDN (Software Defined Network)

–          Advanced adversaries and tactics (APTs, organised crime, nation states, using cloud and virtualisation benefits to attack us etc.)

What’s coming?

–          Security analytics and intelligence – security data is becoming ‘big data – Volume. Velocity. Variety. Veracity.

–          AppSec Reloaded – APIs. REST. PaaS. DevOps. – On top of all the existing AppSec issues – how long has the OWASP top threats remained largely unchanged??

–          Security as a Service 2.0 – “Cloud.” SDN. Virtualised.

–          Offensive security – Cyber. Cyber. Cyber. Cyber…  Instead of just being purely defensive, do things more proactive – not necessarily actually attacking them, can mean deceiving them to honeypots / honynets, fingerprinting the attack, tracking back the connections etc. all the way up to actually striking back.

Summary;

–          Public clouds are marching onward; Platforms are maturing… Getting simpler to deploy and operate and the platform level, but have heavy impact on application architecture

–          Private clouds are getting more complex(as expected) and the use case differences between the two are obvious; more exposed infrastructure connected knobs and dials

–          Hybrid clouds are emerging, hypervisors commoditised and orchestration / provisioning systems differentiate as ecosystem and corporate interests emerge

–          Mobility (workload and consuming devices) and APIs are everywhere

–          Network models are being abstracted even further (Physical > Virtual > Overlay) and that creates more ‘simplexity’

–          Application and information ‘ETL sprawl’ is a force to be reckoned with

–          Security is getting much more interesting!

This was a great wrap up highlighting the last few years’ issues, how many of these have we really fixed?  Along with where we are now, and a nice wrap up of what’s coming up.  Are you up to speed with all the current and outstanding issues you need to be aware of?  How prepared are you and your organisation for what’s coming up?  Don’t be like the 3 monkeys.. 😉

While the picture is complex and we have loads of work to do, Chris’s last point aptly sums up why I love security and working in the security field!

Lastly, have a look at Chris’s blog; http://www.rationalsurvivability.com/blog/ which has loads of interesting content.

K