Exploring a New Software-Defined Protection Architecture -...

© 2010 NSFOCUS www.nsfocus.com

Exploring a New Software-Defined Protection Architecture

Classification: for public use

NSFOCUS, Liu Wenmao, Senior Researcher, PhD

Upload: dangnhu

Post on 27-Jun-2018


TRANSCRIPT


Agenda

1 Security protection architecture for new networks

2 Software-defined security protection practice

3 Academic results

Network management is pain

[Figure: evolution of management tooling: CLI, Serial; WEB portal; Distributed Network Management (Perl, Expect); Distributed Compute & Storage Management (Puppet; Hadoop, Storm…)]

Software-defined compute, storage, networking vs security

• SDN is the road of hope for future networks

• What about security?!

– Can existing security products be deployed in an SDN network?

– Can we rebuild our security solutions with software-defined thinking?

[Figure: a Network controller running several APPs on top of four OpenFlow Switches, each consisting of an OpenFlow handling system over special packet forwarding hardware]

Related work on SDN security

• Flow-level security

– Lightweight DDoS flooding attack detection using NOX/OpenFlow [2]

– Source address validation solution with OpenFlow/NOX architecture [3]

• Packet-level security

– FleXam, a flexible sampling OpenFlow extension [4]

• Architecture

– FRESCO [1]

– Defense4All in OpenDaylight, Radware

– …

Case studies of current SDN security architectures: Defense4All, FRESCO

Formalised view of the current SDN security architecture

[Figure: a Network Controller containing a Security Kernel sends Commands to Network devices and Data Requests to Security Devices; the Security Devices return Data to the kernel]

The SDSA Architecture I

[Figure: Sec Apps supply Policies to a Security Controller, and Network Apps exchange input/output with the Network Controller. The Security Controller sends Commands to the Network Controller and receives Status/Reports/Alerts; a Sec Agent returns Data, Topology and Stats. The Network Controller sends Commands to Network devices; Security Devices receive Commands and Data Requests and return Data.]

The SDSA Architecture II

[Figure: several Sec Apps supply Policies to the Security Controller and receive Sec events; Network Apps exchange input/output and commands with the Network Controller. The Security Controller sends Commands to the Network Controller and receives Status/Reports/Alerts; a Sec Agent returns Data, Topology and Stats. The Network Controller sends Commands to Network devices and obtains Tenant Info from IaaS network virtualisation (NV); Security Devices receive Commands and Data Requests and return Data.]

The SDSA controller

Policy resolution

Subject is the policy executor: a Security Controller (SC) module, a security device, or the network controller.

Action is a verb denoting how to deal with objects: {BLOCK, CLEAN, LOG…}

Objects are a collection of tenants, VMs or network flows. Each has a unique identifier ObjID, its type ObjType, and a compound matching expression ObjMatch.

[Figure: a Security App issues APP policies to the Policy Resolver, which translates them into device rules for Security Devices and flow commands for the Network Controller]

Rebuilding the security device

[Figure: a conventional Security device runs APPs on an Operating System over special packet forwarding hardware; an SD-security device runs APPs on a Security rule handling system over special packet forwarding hardware]

[Figure: layered security architecture. Security devices produce data, logs and alerts and receive policies and rules; a compute/decision layer holds the judgement logic, rule base and decision logic; an Orchestration control layer feeds back into a knowledge base, reputation base and security state machine; APPs and a Portal on top provide policy management and security analysis]

2 Software-defined security protection practice

Software-defined DDoS protection

[Sequence diagram. Participants: APP, Security Agent (SA), Network Controller (NC), ADS (anti-DDoS device); inside the Security Controller: Device Manager, Event Scheduler, APP Manager, SC Agent, Policy Resolver, Flow Pusher, Flow Monitor; stores: Policies, APPs, Devices, Flows.]

1 device reg (ADS registers with the Device Manager)

2 add dev-reg event

3 app reg (APP registers with the APP Manager)

4 add app-reg event

5 subscribe flows

6 subscribe flows event

7 query flows (Flow Monitor polls the NC)

8 return flows

9 add return-flow event

10 broadcast flows (to the subscribed APP)

11 suspicious data found

12 suspicious data (reported via the SC Agent)

13 push policies

14 add push-policy event

15 broadcast policy (to the Policy Resolver)

16 send flow commands (to the Flow Pusher)

17 push commands (to the NC)

18 redirect flows (to the ADS)
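An added example (not NSFOCUS code) of the Policy Resolver described on the policy-resolution slide, driven by steps 11 to 16 of the DDoS sequence above: it models Subject / Action / Objects (ObjID, ObjType, ObjMatch) and turns a policy into flow commands or device rules. The command field names, the port name `ads0` and the sample flows are assumptions.

```python
# Added example, not NSFOCUS code: a minimal Policy Resolver for the SDSA policy
# model (Subject / Action / Objects with ObjID, ObjType, ObjMatch) and the
# "suspicious data -> push policies -> flow commands" steps of the DDoS sequence.
# Output field names are assumptions modelled on OpenFlow match/action lists.
from dataclasses import dataclass, field
from typing import Dict, List

ACTIONS = {"BLOCK", "CLEAN", "LOG"}      # verb set shown on the slide
ADS_PORT = "ads0"                        # assumed switch port toward the ADS

@dataclass
class Obj:
    obj_id: str
    obj_type: str                        # "flow", "vm" or "tenant"
    obj_match: Dict[str, str]            # compound matching expression

@dataclass
class Policy:
    subject: str                         # "network_controller" or "security_device:<name>"
    action: str
    objects: List[Obj] = field(default_factory=list)

def resolve(policy: Policy) -> List[dict]:
    """Translate one APP policy into flow commands (NC) or device rules."""
    if policy.action not in ACTIONS:
        raise ValueError(f"unknown action {policy.action}")
    cmds = []
    for obj in policy.objects:
        if obj.obj_type != "flow":
            raise ValueError("only flow objects are resolved in this example")
        if policy.subject == "network_controller":
            # BLOCK -> flow-mod with an empty action list (drop);
            # CLEAN -> redirect the flow to the ADS; LOG -> copy to the controller
            actions = {"BLOCK": [], "CLEAN": [f"output:{ADS_PORT}"],
                       "LOG": ["controller"]}[policy.action]
            cmds.append({"target": "nc", "obj": obj.obj_id,
                         "match": obj.obj_match, "actions": actions})
        elif policy.subject.startswith("security_device:"):
            cmds.append({"target": policy.subject.split(":", 1)[1], "obj": obj.obj_id,
                         "rule": policy.action.lower(), "match": obj.obj_match})
        else:
            raise ValueError(f"unsupported subject {policy.subject}")
    return cmds

def policy_for_suspicious(flows: List[Dict[str, str]]) -> Policy:
    """Steps 11-13: the ADS app turns suspicious flows into a CLEAN policy."""
    objs = [Obj(f"flow-{i}", "flow", m) for i, m in enumerate(flows)]
    return Policy("network_controller", "CLEAN", objs)

# Constructed sample: two flows the ADS flagged as SYN-flood sources
SUSPICIOUS = [{"nw_src": "10.0.0.7", "tp_dst": "80"}, {"nw_src": "10.0.0.9", "tp_dst": "80"}]
```

`resolve(policy_for_suspicious(SUSPICIOUS))` yields the two redirect commands the Flow Pusher would send to the network controller in step 16.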

Experimental results

• 4000 flows/s, 90% detected within 1.5 s

Related works: Defense4All

• ONS 2014 IDOL: Real-time SDN Analytics for DDoS mitigation - Brocade

• NSFOCUS: software-defined anti-DDoS protection with the NTA device packaged as a Docker container

The NSFOCUS Cloud Guardian Anti-DDoS System won a gold award from the US magazine Info Security Products Guide for its DDoS scrubbing service.

NSFOCUS software-defined DDoS detection prototype architecture

Case: port scan

Table 1: Normal port scan

Scan type       Live ports   Unestablished rate   I
TCP scan        735          98.28%               4.573
TCP SYN scan    970          98.22%               6.023
Normal          3            19.15%               0.026

Table 2: Slow port scan

Scan type       Live ports   Unestablished rate   I
Slow SYN scan   208          11.16%               1.384
Normal          3            1.6%                 0.02

Table 3: Detection overhead (μs/pkt)

                TCP SYN scan   TCP scan   Slow scan
Flow monitor    0.1356         0.1620     0.0013
Snort plugin    2.00           2.02       2.34

Figure 7: Cluster time consuming comparison.

Figure 6: Distributed flow processing.

$I = x \cdot \frac{U_i}{nR} + (1 - x) \cdot \frac{A_i}{nC}$

Access control in SDN

• Gartner: Adaptive Access Control

• CSA: SDP (Software Defined Perimeter)

• Check Point: SDP (Software Defined Protection)

Case: Software defined access control in

Software-defined perimeter

[Figure: testbed between the Internet and the NSFOCUS intranet. External gateway 10.201.10.222 connects to an SDN switch (br-ex, br-tun, br-int; GRE tunnel; 10.201.0.1) managed by the CONTROLLER; a traditional switch (30.0.0.30) and the internal gateway 10.201.10.223 lead to the intranet; WAF, ADS and NF are attached as security devices; other addresses shown: 30.0.0.1, 192.168.19.1]

"Next-generation threats" are coming on strong

[Figure: the RSA SecurID attack chain: branch HR → finance executive → privileged user → continuous penetration → RSA token seed server → Lockheed Martin and other defence contractors]

• Targeted attacks

• Zero-day (0day) vulnerabilities

• Multi-stage attacks

• Advanced evasion techniques

• To the point: The Five Styles of Advanced Threat Defense, Lawrence Orans, Gartner

Anti-APT (Advanced Persistent Threat)

IPS

IPS example

[Figure: VM1 and VM2 attached to br-int; traffic crosses br-tun over a GRE Tunnel to an IPS host with br-in/br-out bridges (eth1, eth2) running L7-filter + iptables. Data flow is steered by Security Controller commands to the switches (both proactive and reactive).]

Video Demo: flow-level + packet-level collaborative protection

[Figure: the Security Controller builds Global Flow Knowledge from Flows and classifies traffic as Clean data, Abnormal data or Gray data; gray data is steered to WAF/NIPS, which send reports back]

NSFOCUS first uses a global flow table to perform broad-spectrum analysis on the flows of all network devices, steers abnormal flows to an intrusion prevention device for further analysis, and blocks them promptly when an anomaly is confirmed. This balances detection coverage against detection efficiency.

Service chain overview I

[Figure: a cloud controller node and an SDN controller manage compute nodes (hypervisor, VM1 VM2 VM3, vswitch, NIC) connected through a rack switch; the security control platform issues OpenFlow commands so that traffic enters the IPS, WAF and ADS through an input NIC and leaves through an output NIC]

Service chain overview II

[Figure: as above, but the security control platform issues traffic scheduling commands to the SDN controller, which translates them into OpenFlow commands for the vswitches and the rack switch; IPS, WAF and ADS are chained through input and output NICs]

Demo: multiple web security devices working together

Case: Software defined Anti-APT solution

[Figure: the Security Controller correlates Data from an Entity Database, a Flow Database, a Reputation Database, IDS, TAC and RSAS]

Video

Case: Live protection for OpenStack web servers

[Figure: when the web cluster launches instances, the Security Controller pushes commands to the SDN Controller, which rewrites packet destinations to the WAF so that traffic passes the WAF VMs before reaching the web servers]

Demo: WAF VM + OpenStack + SDN controller

Video

3 Appendix

Yunshan LiveCloud + NSFOCUS security services launch event

Cooperation with LiveCloud - WAF

Cooperation with LiveCloud - vulnerability scanning service

• Malicious behaviour monitoring system based on SDN technology

2015 Global SDN Conference show case

APP Store: a revolution in the security delivery model

• Users authenticate in the cloud and deploy and update applications rapidly

• Container-level isolation of applications, incremental updates

[Figure: a Security APP Store handles Authentication, Purchase and Update; the Security Controller of Company A and of Company B each Deploy and update APPs onto their Servers from the APPStore]

Thank you!
