Security Monitoring and Enforcement for the Cloud Model - PowerPoint PPT Presentation



SLIDE 1

Infrastructure Architecture for a Cloud IaaS Provider Software Defined Networking and Network Virtualization Network Monitoring Security Enforcement Inter-Domain Routing for Virtualized Networks

Security Monitoring and Enforcement for the Cloud Model

Aryan TaheriMonfared aryan.taherimonfared@uis.no June 21, 2013

Aryan TaheriMonfared aryan.taherimonfared@uis.no Security Monitoring and Enforcement for the Cloud Model

SLIDE 2


Agenda

1. Infrastructure Architecture for a Cloud IaaS Provider
  • 10000 Foot View
  • 1000 Foot View
  • Networking inside a Rack
  • Tenant Network Logical View
  • Challenges
2. Software Defined Networking and Network Virtualization
  • Definition
  • Rationality
  • Use Cases
3. Network Monitoring
  • Challenges
  • Data-intensive framework for network monitoring
  • NV-aware Framework for Cloud Model
4. Security Enforcement
5. Inter-Domain Routing for Virtualized Networks

SLIDE 3


Outline

1. Infrastructure Architecture for a Cloud IaaS Provider
  • 10000 Foot View
  • 1000 Foot View
  • Networking inside a Rack
  • Tenant Network Logical View
  • Challenges
2. Software Defined Networking and Network Virtualization
3. Network Monitoring
4. Security Enforcement
5. Inter-Domain Routing for Virtualized Networks

SLIDE 4


Multiple Cells

SLIDE 5


Single Cell

SLIDE 6


Inside a Rack

SLIDE 7


Inside a Compute Node

SLIDE 8


Network Logical View

SLIDE 10


Any Networking Challenges? Yes, lots of them :)

SLIDE 11


Any Networking Challenges?
  • Deployment complexity
  • Maintenance cost
  • Tenant’s network isolation and end-to-end connectivity
  • Tenant’s traffic monitoring
  • Security enforcement

SLIDE 12


Deployment complexity and Maintenance cost
  • The number of networking devices grows by a factor of the cluster size
  • Virtualized networking devices

SLIDE 13


Tenant’s traffic isolation and end-to-end connectivity
  • VLAN tagging
  • GRE tunnels, EoIP tunnels
  • Namespaces in the Linux networking stack

SLIDE 15


Tenant’s network monitoring
How to distinguish between tenants’ traffic?
  • VLAN IDs?
  • GRE addresses?
  • Namespaces?

SLIDE 17


Tenant’s network monitoring
How to get the information in real-time? Querying:
  • the network management service?
  • the platform controller?
  • each compute node?

SLIDE 18


Security enforcement
  • Where to put security middle boxes?
  • How to control and federate them with the rest of the platform’s components?

SLIDE 19


Outline

1. Infrastructure Architecture for a Cloud IaaS Provider
2. Software Defined Networking and Network Virtualization
  • Definition
  • Rationality
  • Use Cases
3. Network Monitoring
4. Security Enforcement
5. Inter-Domain Routing for Virtualized Networks

SLIDE 21


What is Software Defined Networking?

  • Separation of the control plane from the data plane.
  • Provides: more control, better guarantees, NOT necessarily simplicity.
  • Coined by Nick McKeown in 2009.
  • E.g. Ethane, OpenFlow.

SLIDE 24


Why do we need SDN?

Challenges in today’s networks:
  • No communication guarantees
  • Individual configuration of physical devices
  • Tightly coupled with network-level protocols

SDN can provide:
  • Distributed state
  • More control
  • A general forwarding model

SLIDE 25


What is Network Virtualization?

  • Faithful reproduction of physical network services.
  • Decoupling of the (virtual) network services from the physical network.
  • Coexistence of multiple virtual networks on the same physical substrate.
  • Provides operational simplification.

SLIDE 26


SDN Use-cases

  • Flexible virtualization platform
  • Security services
  • Bandwidth on demand
  • Applications
  • Multipath networking for higher utilization and efficiency
  • Network administration
  • Mobility

SLIDE 27


Outline

1. Infrastructure Architecture for a Cloud IaaS Provider
2. Software Defined Networking and Network Virtualization
3. Network Monitoring
  • Challenges
  • Data-intensive framework for network monitoring
  • NV-aware Framework for Cloud Model
4. Security Enforcement
5. Inter-Domain Routing for Virtualized Networks

SLIDE 28


Challenges of Network Monitoring

Data related:
  • Storing very large datasets
  • Processing ad-hoc queries
  • Archiving and handling long-term jobs

Cloud related:
  • Multi-tenant environment with a shared pool of resources
  • Lack of a unified view of the networking devices (virtual and physical)

SLIDE 29


Framework for Handling Monitoring Data

Requirements:
  • Reliable, distributed, scalable underlying storage (e.g. Apache HDFS, MooseFS, iRODS)
  • Real-time data store for ad-hoc queries (e.g. Apache HBase, OpenTSDB)
  • MapReduce framework for long-term queries (e.g. Apache Hadoop)

SLIDE 30


WorkFlow

1. Collecting flow information from networking devices
2. Initial analysis and anonymization
3. Importing data into the real-time data store
4. Storing indexes in a time series database
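The four workflow steps above, as an added example that is not the deck's own code: a small Python ingestion pipeline over a constructed NetFlow-style export. The record format, the HMAC-based pseudonymization, the salted row-key layout, the number of pre-split regions, and the in-memory stand-ins for the real-time store (HBase) and the time series database (OpenTSDB) are all assumptions of this example.

```python
"""Ingestion workflow for NetFlow-style records:
collect -> initial analysis + anonymization -> real-time store -> time-series index.
Added example; record format, key, salt count and stores are assumptions."""
import hashlib
import hmac
import ipaddress
from collections import Counter
from datetime import datetime, timezone

# Assumed per-deployment secret for keyed pseudonymization (kept out of code in production).
ANON_KEY = b"constructed-example-key"
# Assumed number of regions the store's table was pre-split into (uniform split).
SALT_BUCKETS = 8

# Constructed sample export: ts,exporter,src,dst,srcport,dstport,proto,bytes
SAMPLE_EXPORT = """\
2013-01-15T10:00:03Z,gw1,10.0.1.5,198.51.100.7,51432,443,6,8200
2013-01-15T10:00:41Z,gw1,10.0.1.5,198.51.100.7,51433,443,6,910
2013-01-15T10:01:07Z,gw1,192.0.2.20,10.0.1.5,443,51434,6,120000
2013-01-15T10:01:09Z,gw2,2001:db8::1,2001:db8::2,5000,53,17,64
"""


def parse_record(line):
    """Step 1: one exported flow record -> dict with an epoch timestamp."""
    ts, exporter, src, dst, sport, dport, proto, nbytes = line.strip().split(",")
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": int(when.timestamp()), "exporter": exporter, "src": src, "dst": dst,
            "sport": int(sport), "dport": int(dport), "proto": int(proto),
            "bytes": int(nbytes)}


def pseudonymize(addr, key=ANON_KEY):
    """Step 2: keyed, deterministic pseudonym. The same address maps to the same
    token across days (joins still work) but cannot be reversed without the key."""
    ip = ipaddress.ip_address(addr)
    tag = hmac.new(key, ip.packed, hashlib.sha256).hexdigest()[:12]
    return f"v{ip.version}-{tag}"


def row_key(rec):
    """Step 3: salted composite key salt|minute|src|dst|sport|dport.
    The salt spreads monotonically increasing timestamps across the pre-split
    regions instead of hammering one region; a time-range scan then runs once
    per salt prefix (SALT_BUCKETS small scans instead of one)."""
    minute = rec["ts"] // 60
    pair = f"{rec['src']}|{rec['dst']}".encode()
    salt = int(hashlib.sha1(pair).hexdigest(), 16) % SALT_BUCKETS
    return f"{salt:02d}|{minute:010d}|{rec['src']}|{rec['dst']}|{rec['sport']}|{rec['dport']}"


def ingest(export_text):
    """Run all four steps; returns the two stand-in stores."""
    store = {}          # stands in for the real-time data store: row key -> record
    index = Counter()   # stands in for the TSDB: (metric, exporter, minute) -> value
    for line in export_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        rec["src"] = pseudonymize(rec["src"])
        rec["dst"] = pseudonymize(rec["dst"])
        store[row_key(rec)] = rec
        minute = rec["ts"] // 60
        # Step 4: per-minute indexes keyed by exporter, the shape a TSDB stores.
        index[("netflow.records", rec["exporter"], minute)] += 1
        index[("netflow.bytes", rec["exporter"], minute)] += rec["bytes"]
    return store, index


def scan_minute(store, minute):
    """Ad-hoc time-range lookup against the salted key: one prefix scan per bucket."""
    hits = []
    for salt in range(SALT_BUCKETS):
        prefix = f"{salt:02d}|{minute:010d}|"
        hits.extend(rec for key, rec in sorted(store.items()) if key.startswith(prefix))
    return hits


if __name__ == "__main__":
    flows, tsdb = ingest(SAMPLE_EXPORT)
    for key in sorted(flows):
        print(key)
    for metric, value in sorted(tsdb.items()):
        print(metric, value)
```

The truncated HMAC deliberately destroys address structure, so subnet-level grouping is impossible after this step; if the planned queries need it, a prefix-preserving scheme has to be used at step 2 instead. The salt is the usual trade-off for uniform pre-splitting: even write load across regions in exchange for fanning every time-range scan out over SALT_BUCKETS prefixes.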

SLIDE 31


Case Study: Norwegian NREN + UiS UX Traffic

  • Dataset volume in data store: 8.9 TB
  • Avg. number of flows per day: 22 million (peak: 44 million)

Figure: NetFlow records per day at Trondheim Gateway 1, November 2012 to April 2013 (series: flow, src, dst, srcport, dstport; y-axis 5e+06 to 2.5e+07 records)

SLIDE 32


Results

Planned queries: can execute queries which were not possible before, e.g. a Top-K host pairs query over a long time period
  • Avg. execution time: 26 minutes for 150 days of data

Ad-hoc queries: real-time responses for
  • Source-destination discovery
  • Service discovery
  • Exploratory queries
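The Top-K host pairs query above, as an added example and not the deck's Hadoop job: the same computation written as explicit map, combine, shuffle and reduce steps in plain Python over two constructed daily partitions, so the shape of the batch job is visible. The record format, the sample partitions and the decision to count a host pair regardless of direction are assumptions of this example.

```python
"""Top-K host pairs over many daily partitions, structured like a MapReduce job.
Added example; the record format and the partitions below are constructed."""
import heapq
from collections import Counter, defaultdict

# Constructed daily partitions: each line is src,dst,srcport,dstport,proto,bytes
DAILY_PARTITIONS = {
    "2013-01-15": [
        "10.0.1.5,198.51.100.7,51432,443,6,8200",
        "198.51.100.7,10.0.1.5,443,51432,6,120000",
        "10.0.1.9,198.51.100.7,40001,443,6,500",
    ],
    "2013-01-16": [
        "10.0.1.5,198.51.100.7,51500,443,6,7000",
        "10.0.1.9,203.0.113.4,40002,22,6,90000",
        "10.0.1.9,203.0.113.4,40003,22,6,10000",
    ],
}


def host_pair(src, dst):
    """Unordered pair, so both directions of a conversation count as one key."""
    return tuple(sorted((src, dst)))


def mapper(lines):
    """Map phase for one partition: emit (host pair, bytes) per record.
    The Counter acts as a combiner: the shuffle carries one value per pair
    per partition instead of one per flow record."""
    local = Counter()
    for line in lines:
        src, dst, _sport, _dport, _proto, nbytes = line.split(",")
        local[host_pair(src, dst)] += int(nbytes)
    return local.items()


def shuffle(mapped_outputs):
    """Group every mapper's values by key, as the framework does between phases."""
    grouped = defaultdict(list)
    for items in mapped_outputs:
        for key, value in items:
            grouped[key].append(value)
    return grouped


def reducer(key, values):
    """Reduce phase: total bytes exchanged by the pair over the whole period."""
    return key, sum(values)


def top_k_host_pairs(partitions, k):
    """Run the job over all partitions and keep the K heaviest pairs.
    With many reducers this last step is a single final reducer over
    each reducer's local top-K list."""
    mapped = [mapper(lines) for lines in partitions.values()]
    reduced = (reducer(key, vals) for key, vals in shuffle(mapped).items())
    return heapq.nlargest(k, reduced, key=lambda kv: kv[1])


if __name__ == "__main__":
    for pair, total in top_k_host_pairs(DAILY_PARTITIONS, 2):
        print(pair, total)
```

Each function maps onto one Hadoop class (Mapper, Combiner, Reducer); the important property for a 150-day run is that the combiner collapses per-flow records to per-pair sums before anything crosses the network, which is what keeps the shuffle proportional to the number of distinct pairs rather than to the number of flows.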

SLIDE 33


Figure: Storage performance under different implementations. (a) Number of operations per second in HBase; (b) Operation latency in HBase; (c) HDFS IO; (d) Job finishing time. (SNS: Single day processing without pre-splitting, SS: Single day processing with a uniform

SLIDE 34


NV-aware Framework

  • Use SDN for building and maintaining virtual networks
  • Retrieve information about provisioned resources from the SDN controller
  • Distinguish tenants’ activities using the retrieved information

SLIDE 35


Case Study: OpenStack Deployment at UX UiS

  • OpenFlow controller (Floodlight) communicates with the networking service (Quantum)
  • OF controller manages the virtual switches
  • Flow information (NetFlow + sFlow) collected at the monitoring node
  • Monitoring node communicates with the OF controller and provides per-tenant information
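The last step above, and the earlier question of which identifier (VLAN ID, GRE key, namespace) tells tenants' traffic apart, as an added example that is neither the deck's code nor the Floodlight or Quantum API: a monitoring-node routine that takes a constructed snapshot of the controller's resource map plus per-node flow records and buckets flows and bytes per tenant. The snapshot layout, the record format, the node names, and the assumption that VLAN tags seen on a compute node's vSwitch are only locally significant while GRE keys are allocated cluster-wide are all assumptions of this example.

```python
"""Per-tenant attribution of flow records using a snapshot of provisioned resources
retrieved from the SDN controller. Added example; the snapshot layout, record
format and sample data are constructed assumptions."""
from collections import defaultdict
from typing import NamedTuple, Optional


class Flow(NamedTuple):
    exporter: str            # compute node / vSwitch that exported the record
    vlan: Optional[int]      # 802.1Q tag on the vSwitch; assumed locally significant per node
    gre_key: Optional[int]   # GRE tunnel key; assumed cluster-wide
    src: str
    dst: str
    dport: int
    nbytes: int


# Assumed snapshot of the controller's view of provisioned resources.
CONTROLLER_SNAPSHOT = {
    # (exporter, local VLAN) -> tenant: the same tag on another node may be a different tenant,
    # so the key is qualified by the exporting node.
    "local_vlans": {
        ("compute-1", 101): "tenant-a",
        ("compute-1", 102): "tenant-b",
        ("compute-2", 101): "tenant-b",
    },
    # GRE key -> tenant: allocated once for the whole cluster by the networking service.
    "gre_keys": {1001: "tenant-a", 1002: "tenant-b"},
}

# Constructed sample records: exporter,vlan,gre_key,src,dst,dport,bytes (empty field = absent)
SAMPLE_RECORDS = [
    "compute-1,101,,10.1.0.5,10.1.0.9,22,1500",           # local VLAN on compute-1 -> tenant-a
    "compute-2,101,,10.2.0.5,10.2.0.9,80,4000",           # same tag on compute-2 -> tenant-b
    "compute-1,,1002,10.2.0.5,198.51.100.7,443,900",      # tunnel key -> tenant-b
    "compute-2,105,,10.9.0.1,10.9.0.2,53,64",             # tag not in snapshot -> unattributed
    "compute-1,101,1002,10.1.0.5,10.2.0.9,25,300",        # VLAN and key disagree -> flagged
]


def parse_flow(line):
    exporter, vlan, gre, src, dst, dport, nbytes = line.split(",")
    return Flow(exporter, int(vlan) if vlan else None, int(gre) if gre else None,
                src, dst, int(dport), int(nbytes))


def resolve_tenant(flow, snapshot):
    """Return (tenant, reason). Locally significant identifiers are always
    qualified by the exporting node; when two identifiers name different tenants
    the record is reported instead of silently picking one of them."""
    by_gre = snapshot["gre_keys"].get(flow.gre_key) if flow.gre_key is not None else None
    by_vlan = (snapshot["local_vlans"].get((flow.exporter, flow.vlan))
               if flow.vlan is not None else None)
    if by_gre and by_vlan and by_gre != by_vlan:
        return None, f"conflict: gre_key->{by_gre} local_vlan->{by_vlan}"
    tenant = by_gre or by_vlan
    if tenant is None:
        return None, "no provisioned resource matches"
    return tenant, "gre_key" if by_gre else "local_vlan"


def attribute(lines, snapshot):
    """Per-tenant flow and byte totals plus the records that could not be attributed."""
    totals = defaultdict(lambda: {"flows": 0, "bytes": 0})
    anomalies = []
    for line in lines:
        flow = parse_flow(line)
        tenant, reason = resolve_tenant(flow, snapshot)
        bucket = tenant or "unattributed"
        totals[bucket]["flows"] += 1
        totals[bucket]["bytes"] += flow.nbytes
        if tenant is None:
            anomalies.append((flow.exporter, flow.src, flow.dst, reason))
    return dict(totals), anomalies


if __name__ == "__main__":
    totals, anomalies = attribute(SAMPLE_RECORDS, CONTROLLER_SNAPSHOT)
    for tenant, counters in sorted(totals.items()):
        print(tenant, counters)
    for entry in anomalies:
        print("unattributed:", entry)
```

Records whose identifiers match nothing, or whose VLAN-derived and tunnel-derived tenants disagree, land in the unattributed bucket with a reason rather than being guessed; that list is what to inspect when the snapshot pulled from the controller is stale relative to what the networking service has provisioned.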

SLIDE 37


Outline

1. Infrastructure Architecture for a Cloud IaaS Provider
2. Software Defined Networking and Network Virtualization
3. Network Monitoring
4. Security Enforcement
5. Inter-Domain Routing for Virtualized Networks

SLIDE 39


Outline

1. Infrastructure Architecture for a Cloud IaaS Provider
2. Software Defined Networking and Network Virtualization
3. Network Monitoring
4. Security Enforcement
5. Inter-Domain Routing for Virtualized Networks

SLIDE 40


Inter-Domain Routing

SLIDE 41


References

http://www.sciencedirect.com/science/article/pii/S1389128609003387
http://yuba.stanford.edu/foswiki/pub/OpenFlow/Deployment/CampusMeeting06152011/Stanford_OpenFlow.pdf
http://www.sdncentral.com/sdn-use-cases/
http://www.youtube.com/user/stanfordopenflow
www.stanford.edu/~nikhilh/pubs/handigol-acld10.pdf
http://www.openflow.org/wk/index.php/OpenFlow_Wireless
https://github.com/OPENNETWORKINGLAB/flowvisor/wiki
http://www.openflow.org/downloads/technicalreports/openflow-tr-2009-1-flowvisor.pdf
https://storage.cloud.google.com/networking/SDN/GoogleSDN.pdf
http://www.openflowhub.org/blog/blog/2012/12/03/sdn-use-case-multipath-tcp-at-caltech-and-cern/

SLIDE 42


Q?A!

Thank you!
