Exploring a New Software-Defined Protection Architecture (探索软件定义的新型防护体系)
TRANSCRIPT
© 2010 NSFOCUS (绿盟科技) www.nsfocus.com
Classification: public
NSFOCUS, Liu Wenmao (刘文懋), Senior Researcher, PhD
Network management is pain
[Figure: evolution of management tooling. Network management: CLI, serial console, web portal. Distributed network management: Perl, Expect. Distributed compute and storage management: Puppet, Hadoop, Storm…]
• SDN is the road of hope for future networks
• And security?!
  – Can existing security products be deployed in an SDN network?
  – Can the software-defined idea be used to rebuild our security solutions?
Software-defined compute, storage and networking vs. security
[Figure: SDN architecture. A network controller hosting applications (APP, APP, …) sits above several OpenFlow switches, each consisting of an OpenFlow handling system over special packet forwarding hardware.]
• Flow-level security
– Lightweight DDoS flooding attack detection using NOX/OpenFlow [2]
– Source address validation solution with OpenFlow/NOX architecture [3]
• Packet-level security
– FleXam, a flexible sampling OpenFlow extension [4]
• Architecture
– FRESCO[1]
– Defense4All in OpenDaylight, Radware
– …
Related work on SDN security
Formalizing the current SDN security architecture
[Figure: a network controller issues commands to network devices; security devices answer data requests with data, and a security kernel aggregates data from several security devices.]
The SDSA Architecture I
[Figure: a Security Controller (holding policies and a security agent) works beside the Network Controller. Network apps and security apps feed input and receive output from the two controllers. The Network Controller sends commands to network devices and returns data, topology and stats; the Security Controller sends data requests and commands to security devices and receives data, status reports and alerts.]
The SDSA Architecture II
[Figure: as in Architecture I, but with several security apps attached to the Security Controller, exchanging security events and commands as input and output; the Security Controller also consumes IaaS network virtualization (NV) and tenant information.]
Policy resolution
Subject is the policy executor: a SC module, a security device, or the network controller.
Action is a verb denoting how to deal with objects: {BLOCK, CLEAN, LOG…}
Objects is a collection of tenants, VMs or network flows. Each has a unique identifier ObjID, its type ObjType, and a compound matching expression ObjMatch.
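The (Subject, Action, Objects) model above can be exercised with a small resolver. The block below is an added example, not NSFOCUS's code or the deck's prototype: the class names, the ObjMatch field names (OpenFlow-style nw_src, nw_dst, tp_dst), the switch ports for the cleaning device and log sink, and the tenant/VM inventory are all assumptions. It expands a tenant into its VMs and a VM into its IP, then emits executor-specific commands for the chosen subject.

```python
# Added example (not NSFOCUS's code): a minimal resolver for the
# (Subject, Action, Objects) policy model. Class names, ObjMatch field names
# and the tenant/VM inventory are assumptions.
from dataclasses import dataclass

SUBJECTS = {"sc_module", "security_device", "network_controller"}
ACTIONS = {"BLOCK", "CLEAN", "LOG"}
OBJ_TYPES = {"tenant", "vm", "flow"}

# Assumed switch ports: where the cleaning device (e.g. an ADS) and a log sink are attached.
CLEAN_PORT = 7
LOG_PORT = 8

@dataclass(frozen=True)
class Obj:
    obj_id: str        # ObjID: unique identifier
    obj_type: str      # ObjType: "tenant", "vm" or "flow"
    obj_match: dict    # ObjMatch: compound match expression (field -> value)

@dataclass(frozen=True)
class Policy:
    subject: str
    action: str
    objects: tuple     # tuple of Obj

def validate(policy):
    """Reject policies whose subject, action or object types fall outside the model."""
    if policy.subject not in SUBJECTS:
        raise ValueError(f"unknown subject {policy.subject!r}")
    if policy.action not in ACTIONS:
        raise ValueError(f"unknown action {policy.action!r}")
    for obj in policy.objects:
        if obj.obj_type not in OBJ_TYPES:
            raise ValueError(f"unknown object type {obj.obj_type!r} for {obj.obj_id}")

def expand_matches(obj, tenant_vms, vm_ips):
    """Turn one object into concrete match expressions: a tenant expands to every VM
    it owns, a VM to its IP, a flow is used as given. Extra ObjMatch fields are ANDed in."""
    if obj.obj_type == "flow":
        return [dict(obj.obj_match)]
    vms = tenant_vms[obj.obj_id] if obj.obj_type == "tenant" else [obj.obj_id]
    return [{"nw_src": vm_ips[vm], **obj.obj_match} for vm in vms]

def resolve(policy, tenant_vms, vm_ips):
    """Resolve a policy into executor-specific commands: flow commands for the network
    controller, rules for a security device, or a module call for the Security Controller."""
    validate(policy)
    flow_action = {"BLOCK": "drop", "CLEAN": f"output:{CLEAN_PORT}", "LOG": f"output:{LOG_PORT}"}
    commands = []
    for obj in policy.objects:
        for match in expand_matches(obj, tenant_vms, vm_ips):
            if policy.subject == "network_controller":
                commands.append({"type": "flow", "match": match, "actions": [flow_action[policy.action]]})
            elif policy.subject == "security_device":
                commands.append({"type": "device_rule", "rule": f"{policy.action} {match}"})
            else:
                commands.append({"type": "module_call", "action": policy.action, "match": match})
    return commands

# Constructed inventory for the demo.
TENANT_VMS = {"tenant-a": ["vm-1", "vm-2"], "tenant-b": ["vm-3"]}
VM_IPS = {"vm-1": "10.0.0.11", "vm-2": "10.0.0.12", "vm-3": "10.0.1.5"}

def demo():
    """Block everything a tenant sends, and steer one web flow to the cleaning device."""
    block_tenant = Policy("network_controller", "BLOCK", (Obj("tenant-a", "tenant", {}),))
    clean_flow = Policy("network_controller", "CLEAN",
                        (Obj("flow-1", "flow", {"nw_dst": "10.0.1.5", "tp_dst": 80}),))
    return resolve(block_tenant, TENANT_VMS, VM_IPS), resolve(clean_flow, TENANT_VMS, VM_IPS)

if __name__ == "__main__":
    blocked, cleaned = demo()
    for command in blocked + cleaned:
        print(command)
```

Validation happens before any expansion, so a malformed policy never produces a partial set of commands; a real resolver would also check that the subject is allowed to act on the object's tenant.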
App policy
[Figure: a security app hands its policy to the Policy Resolver, which emits device rules to the security device and flow instructions to the network controller.]
Rebuilding the security device
[Figure: a traditional security device (APP, APP… over an operating system over special packet forwarding hardware) beside a software-defined security device (APPs over a security-rule handling system over special packet forwarding hardware).]
[Figure: layered model of the software-defined security device. Top: APP, APP and a portal for policy management and security analytics. Orchestration/control layer: policies, a rule base and decision logic, with feedback from a knowledge base, a reputation base and a security state machine. Compute/decision layer: decision logic over data. Bottom: the security device, receiving policy rules and emitting logs and alerts.]
Software-defined DDoS protection
[Figure: sequence diagram between a security app (APP SA), the network controller (NC), the Security Controller (Device Manager, APP Manager, Event Scheduler, Flow Monitor, SC Agent, Policy Resolver, Flow Pusher; state tables for policies, apps, devices and flows) and the ADS device.]
1. Device registration
2. Add device-registration event
3. App registration
4. Add app-registration event
5. Subscribe flows
6. Subscribe-flows event
7. Query flows (flow polling)
8. Return flows
9. Add return-flow event (Flow Monitor)
10. Broadcast flows
11. Suspicious data found
12. Suspicious data reported
13. Push policies
14. Add push-policy event (SC Agent)
15. Broadcast policy
16. Send flow commands (Policy Resolver)
17. Push commands (Flow Pusher)
18. Redirect flows
Related works: Defense4All
• ONS 2014 IDOL: Real-time SDN Analytics for DDoS mitigation, Brocade
• NSFOCUS: software-defined anti-DDoS protection after dockerizing the NTA device
The NSFOCUS 云监护 (Cloud Guardian) anti-DoS system won the gold award of the US magazine Info Security Products Guide for its DDoS scrubbing service.
NSFOCUS software-defined DDoS detection prototype architecture
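The 18-step sequence above is essentially an event loop inside the Security Controller. The block below is an added example, not NSFOCUS's prototype: it models the Event Scheduler as a publish/subscribe bus, the Device/APP Managers and Flow Monitor as subscribers, and a fake network controller standing in for the NC. The class names, the packets-per-second threshold, the flow-record format and the OpenFlow-style redirect command are assumptions.

```python
# Added example (not NSFOCUS's code): an event-driven skeleton of the DDoS workflow.
# A fake network controller stands in for the NC; class names, the pps threshold
# and the flow-record format are assumptions.
from collections import defaultdict

class EventScheduler:
    """Queues events (steps 2, 4, 6, 9, 14) and broadcasts them to subscribers (steps 10, 15)."""
    def __init__(self):
        self.handlers = defaultdict(list)
        self.log = []                      # ordered record of dispatched event types

    def subscribe(self, event_type, handler):
        self.handlers[event_type].append(handler)

    def add_event(self, event_type, payload):
        self.log.append(event_type)
        for handler in list(self.handlers[event_type]):
            handler(payload)

class FakeNetworkController:
    """Stands in for the NC: answers flow queries (step 8) and accepts flow commands (step 17)."""
    def __init__(self, flows):
        self.flows = flows
        self.pushed = []
    def query_flows(self):
        return list(self.flows)
    def push(self, command):
        self.pushed.append(command)

class SecurityController:
    PPS_THRESHOLD = 10_000   # assumed: packets/s towards one destination that counts as suspicious

    def __init__(self, nc):
        self.nc = nc
        self.scheduler = EventScheduler()
        self.devices, self.apps, self.subscribers, self.commands = {}, {}, [], []
        s = self.scheduler
        s.subscribe("dev-reg", lambda d: self.devices.__setitem__(d["name"], d))   # Device Manager
        s.subscribe("app-reg", lambda a: self.apps.__setitem__(a["name"], a))      # APP Manager
        s.subscribe("subscribe-flows", self.subscribers.append)
        s.subscribe("return-flows", self.flow_monitor)                              # Flow Monitor
        s.subscribe("push-policy", self.flow_pusher)                                # Policy Resolver + Flow Pusher

    # steps 1-6: registrations and subscriptions become events
    def register_device(self, name, port):
        self.scheduler.add_event("dev-reg", {"name": name, "port": port})
    def register_app(self, name, handler):
        self.scheduler.add_event("app-reg", {"name": name, "handler": handler})
    def subscribe_flows(self, app_name):
        self.scheduler.add_event("subscribe-flows", app_name)

    # steps 7-9: flow polling
    def poll(self):
        self.scheduler.add_event("return-flows", self.nc.query_flows())

    # steps 10-12: aggregate flows per destination and hand suspicious ones to subscribed apps
    def flow_monitor(self, flows):
        pps_by_dst = defaultdict(int)
        for flow in flows:
            pps_by_dst[flow["dst"]] += flow["pps"]
        suspicious = sorted((dst, pps) for dst, pps in pps_by_dst.items() if pps > self.PPS_THRESHOLD)
        if suspicious:
            for app_name in self.subscribers:
                self.apps[app_name]["handler"](self, suspicious)

    # steps 13-14: an app pushes a policy
    def push_policy(self, policy):
        self.scheduler.add_event("push-policy", policy)

    # steps 15-18: resolve the policy into per-destination redirect commands and push them to the NC
    def flow_pusher(self, policy):
        device = self.devices[policy["device"]]
        for dst in policy["targets"]:
            command = {"match": {"nw_dst": dst}, "actions": [f"output:{device['port']}"]}
            self.commands.append(command)
            self.nc.push(command)

def anti_ddos_app(sc, suspicious):
    """The security app (APP SA): steer every suspicious destination's traffic to the ADS for cleaning."""
    sc.push_policy({"action": "CLEAN", "device": "ADS", "targets": [dst for dst, _ in suspicious]})

# Constructed flow statistics as the NC might return them (pps = packets per second).
SAMPLE_FLOWS = [
    {"src": "203.0.113.7", "dst": "10.0.0.5", "pps": 9_000},
    {"src": "203.0.113.8", "dst": "10.0.0.5", "pps": 6_000},
    {"src": "198.51.100.2", "dst": "10.0.0.6", "pps": 200},
]

def run_workflow(flows=SAMPLE_FLOWS):
    """Wire everything up and run one polling round; returns (commands pushed to the NC, event log)."""
    nc = FakeNetworkController(flows)
    sc = SecurityController(nc)
    sc.register_device("ADS", port=7)          # step 1
    sc.register_app("APP_SA", anti_ddos_app)   # step 3
    sc.subscribe_flows("APP_SA")               # step 5
    sc.poll()                                  # steps 7-18 follow from the events
    return nc.pushed, sc.scheduler.log

if __name__ == "__main__":
    pushed, log = run_workflow()
    print(log)
    print(pushed)
```

Because every cross-component call goes through the scheduler, the event log doubles as an audit trail of which app asked for which redirect, which is what an operator needs when a mitigation policy itself misbehaves.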
Case: port scanning

Table 1: Normal port scan
| Scan type    | Live ports | Unestablished rate | I     |
| TCP scan     | 735        | 98.28%             | 4.573 |
| TCP SYN scan | 970        | 98.22%             | 6.023 |
| Normal       | 3          | 19.15%             | 0.026 |

Table 2: Slow port scan
| Scan type     | Live ports | Unestablished rate | I     |
| Slow SYN scan | 208        | 11.16%             | 1.384 |
| Normal        | 3          | 1.6%               | 0.02  |

Table 3: Detection overhead (μs/pkt)
| Detector     | TCP SYN scan | TCP scan | Slow scan |
| Flow monitor | 0.1356       | 0.1620   | 0.0013    |
| Snort plugin | 2.00         | 2.02     | 2.34      |

Figure 7: Cluster time consumption comparison. (figure not reproduced)
Figure 6: Distributed flow processing. (figure not reproduced)

$I = x\,\frac{U_i}{nR} + (1 - x)\,\frac{A_i}{nC}$
• Gartner: Adaptive Access Control
Access control in SDN
• CSA: SDP (Software Defined Perimeter)
• Check Point: SDP (Software-Defined Protection)
Case: software-defined access control in an SDN switch
[Figure: test topology. Internet – external gateway (10.201.10.222) – SDN switch (br-ex, br-tun, br-int; GRE tunnel endpoint 10.201.0.1) managed by the CONTROLLER, with WAF (10.201.10.223), ADS and NF attached – traditional switch (30.0.0.30) – internal gateway (30.0.0.1 / 192.168.19.1) – NSFOCUS intranet.]
Software-defined perimeter
• To the point: the five styles of advanced threat defense, Lawrence Orans, Gartner
Anti-APT (Advanced Persistent Threat)
IPS
IPS example
[Figure: VM1 and VM2 attach to br-int; br-tun connects over a GRE tunnel to a second br-tun, then br-in and br-out (eth1, eth2) bracket an L7-filter + iptables IPS. Data flow is shown alongside controller commands (both proactive and reactive) from the Security Controller.]
Video demo: cooperative flow-level and packet-level protection
[Figure: WAF and NIPS send reports to the Security Controller, which maintains global flow knowledge and sorts flows into clean data, abnormal data and gray data.]
NSFOCUS first uses a global flow table to run broad-spectrum analysis over the flows of all network devices, then steers anomalous flows to an intrusion prevention device for further analysis and blocks them promptly once an anomaly is confirmed. This balances detection coverage against detection efficiency.
Service chaining I
[Figure: an SDN controller and a security control platform above a cloud controller node and compute nodes (hypervisor, vswitch, NIC, VM1–VM3); a rack switch with input and output NICs towards IPS, WAF and ADS; the SDN controller issues OpenFlow instructions.]
Service chaining II
[Figure: as above, but the security control platform sits beside the SDN controller and issues traffic-steering instructions, which the SDN controller turns into OpenFlow instructions for the vswitches and the rack switch feeding IPS, WAF and ADS.]
Case: software-defined Anti-APT solution
[Figure: the Security Controller correlates an entity database, a flow database and a reputation database with data from IDS, TAC and RSAS. Video (not reproduced).]
Case: live protection for OpenStack web servers
[Figure: the Security Controller launches WAF instances in front of the web cluster and pushes commands to the SDN controller to rewrite packet destinations to the WAF.]
• Users authenticate in the cloud; applications are deployed and updated quickly
• Application container-level isolation with incremental updates
APP Store: a revolution in the security delivery model
[Figure: a Security APP Store serving Company A and Company B. Each company's Security Controller authenticates to the store, purchases and updates apps, and deploys or updates them onto the APPs running on its servers.]