SDN / NFV panel @ SBRC Sébastien Tandel sta@hpe.com slideshare.net/standel May 2017
Sébastien Tandel – Working within HPE Aruba CTO as a Principal Architect – Technologist with sound business knowledge – Software engineer with sound knowledge of hardware – Product focused with sound experience in all innovation waves (research & advanced development) – Lead me to drive many programs from Software-Defined Infrastructure & Intelligent Edge to Security Analytics – Contributions in several aspects of SDN / NFV since 2010 – First Software-Defined Lync demo @ ONS’13 – First Software-Defined Security demo (IPS coupled to security analytics) @ ONS’14 – First HW accelerated SFC (MAC Chaining) including legacy physical SFCs demo @ Sigcomm’16 – Distributed Software-Defined Load Balancer, IoT Universal Profiler (identification & anomaly behavior detection) views and opinions expressed are my own and does not necessarily reflect views or opinions of my employer 2
SDN & NFV Markets by 2020 $45B $12B $3.7B Facebook SDN/NFV SDN Net Income Providers Datacenter 2015 3
Gartner Hype Cycle => Customer Focused and Realist !
Research … Where should I go? I’ll tell a story about security although you can apply it as model to other use cases 5
Physical IPS appliance : 10,000 feet hardware architecture Attack Signatures Set 90% of traffic won’t go to Deep Inspection Clean & Malicious Traffic ‘hardware’ ‘software’ Deep Deep pre- 10% Packet Packet 100% traffic filtering Inspection Inspection (NPU) (CPU) Intrusion Clean Traffic Prevention System Fast (line slower slow path rate) 6
a story of decomposition : pre-filtering as micro-VNF IPS only processes Distribute pre-filtering function ~10% traffic Switch over all infrastructure (suspicious traffic) Performing Pre-Filtering ~2 Gb/s 20 Gb/s Less than 2 Gb/s Clients IPS Clean Regular traffic directly ~18 Gb/s forwarded to destination 90% traffic Destination
µ VNF changes cost/performance IPS Max Inspection Listing price US$ per Gb/s of throughput (Gb/s) (US$) inspection TPT S7500 20 500000 25000 Snort (4 proc) 2 10000 5000 pre-filtering µ VNF + Snort 20 10000 500 ü State-of-the-art Product Performance ü 50x cheaper than TippingPoint 8
1. Research in physical µ VNF usual suspects: compression, encryption Ø take away : many other opportunities 9 Confidential
Software-Defined Security: IPSaaS model Creating a Security Control plane IPSaaS app on Attack SDN Controller Signatures Set Dynamic setup of traffic redirection to IPS SFC Switch Switch with pre-filtering with pre-filtering IPS 10 Device 3 Device 2 Device 1
2. Software-Defined Security Opportunity for high-level security policies BTW, Service Function Chain still challenge 11 Confidential
Software-Defined Security: Closing the loop Making Sense of Security Events & Automate Remediation Actions Software-Defined Security Analy2cs Security SDN Controller Automated Remedia2on Ac2ons Redirect to another Security Sensor Block Device 2 security events SFC Switch Switch IPS security events 12 Device 3 Device 2 Device 1
3. Big Data applied to Security Big Data: possible to analyze all packets ? Where in the stack: Cloud, Edge? Security Analytics: how to make sense? 13 Confidential
Summary 1. High Impact: Holistic Approach to Solve Customer Headaches 2. 3 research aspects for the next 2-5 years: – Physical µ VNF ; Software-Defined Security ; Big Data applied to Security – It’s a model working for other use cases 3. From idea to market? An top-down approach Ø Cloud-first (SaaS) for fast TTM Ø Edge Computing model Ø µ VNF for better scale and cost performance – Open APIs to avoid vendor lock-in & fragmentation 14
Thank You sta@hpe.com www.slideshare.net/standel 15
Backup 16
Current Infrastructure Security Architecture Security boxes at fixed place, manually connected Edge / East-West weakly protected => BYOD, IoT Security boxes unaware of each other: No collaboration => security gaps DDoS Sensor DNS DDoS Sensor IPS Sensor Sensor NBAD NBAD DNS Sensor IPS Sensor DNS Sensor IPS Sensor DDoS NBAD Sensor 17
Software-Defined Security: a Security Control Plane to Rule them All Security Platform Engine Security Platform Engine Stream Event Directory Processing Server Security Platform Stream Event DDoS Engine Processing Sensor Security Platform Sensor Engine DNS DDoS Sensor IPS Sensor Coordination Sensor Security Platform Security NBAD Engine NBAD Events DNS Near real-time policy Sensor IPS Sensor enforcement DNS Sensor Real-time IPS Sensor DDoS NBAD Policy enforcement Sensor Signals Ex: DNS reqs
Software-Defined Security & Intelligent Edge 19 Confidential
Key Take Aways Product: Performance x Time-To-Market Very Good 100 90 80 Longer to reach market with hardware 70 (slower innovation) 60 50 40 30 20 Better performance 10 with hardware 0 Very Bad (improving scale & price) Software Hardware Product Performance Time To Market 20
Key Take Aways Product: Performance x Time-To-Market Very Good 100 90 80 70 60 software is excellent starting point 50 to test the market 40 30 20 10 How do you evolve? What may remain software? 0 Very Bad Open interfaces? Software Hardware Product Performance Time To Market 21
Recommend
More recommend
