[OVNC 2013] Controlling Secure & Software Defined Network for Cloud Infrastructure
© 2013 NAIM Networks – All rights reserved. 3 / 34
How do we handle security? (I)
[Diagram: two compute nodes (Compute Node #1, #2), each running a software switch and three VMs (OS #1 to #3, each with a NIC), joined by an IP fabric]
Today's security configuration (I)
[Diagram: the same two-node layout, with a Security VM occupying one of the VM slots on Compute Node #1]
Is there no problem with this? (I)
[Diagram: the same two-node layout, with a Security VM occupying one of the VM slots on Compute Node #1]
Are VM security products difficult?? (I)
[Diagram: the same two-node layout, with a Security VM occupying one of the VM slots on Compute Node #1]
Is there no way to improve?? (I)
[Diagram: the same two-node layout, now with a Security VM on each of Compute Node #1 and Compute Node #2]
A flexible implementation using SDN? (I)
[Diagram: the two-node layout with a Security VM on each compute node, plus an SDN Controller hosting applications (App, App, App) and a Security Appliance]
1. Virtualized Environment in Cloud
2. Cloud Management: OpenStack
3. SDN Roles in Cloud Management
4. Case: Security (SDN + DPI)
Virtualized World (I)
Virtualization: the creation of something virtual (rather than actual) in the computer world
Pros: Isolation, Consolidation, Testing, Mobility
Cons: Concentration Risk, Cost, Performance Penalty, Hardware Support
Virtualized World: Cloud (1) (I)
Cloud with Virtualization
Server Virtualization: remarkable growth on server virtualization
• Hypervisors: VMware ESXi, MS Hyper-V, Citrix XenServer, …
• Hardware support: Intel VT/VT-x/EPT, AMD-V
Network Virtualization: supporting data center networks (large # of hosts & traffic)
• VLAN, GRE tunneling, VxLAN, …
Virtualized World: Cloud (2) (I)
[Diagram: one physical server hosting VM (tenant #1) and VM (tenant #2); virtualization gives each tenant its own network (network for tenant #1, network for tenant #2)]
Source: http://www.microsoftvirtualacademy.com/ - WS-B327
OpenStack Intro. (II)
OpenStack is a collection of open source software projects used to set up and run cloud infrastructure (e.g., compute, storage, networking).
Evolution of OpenStack (II)
Six Month Cycle
Releases are timed to correspond with the developer summit meeting
Currently no reliable upgrade paths between releases
Expect large deltas between releases for the next year or so as new features and core functionalities are added.

Release name | Release date | Included component code names
Austin | 21 October 2010 | Nova, Swift
Bexar | 3 February 2011 | Nova, Glance, Swift
Cactus | 15 April 2011 | Nova, Glance, Swift
Diablo | 22 September 2011 | Nova, Glance, Swift
Essex | 5 April 2012 | Nova, Glance, Swift, Horizon, Keystone
Folsom | 27 September 2012 | Nova, Glance, Swift, Horizon, Keystone, Quantum, Cinder
Grizzly | 4 April 2013 | Nova, Glance, Swift, Horizon, Keystone, Quantum, Cinder
Havana | 17 October 2013 | Nova, Glance, Swift, Horizon, Keystone, Neutron, Cinder, Heat, Ceilometer
Src.: http://en.wikipedia.org/wiki/OpenStack

Nova: server virtualization mgmt.
Quantum/Neutron: network virtualization mgmt.
Havana: Architecture (II)
Emphasizing the management of cloud
Ceilometer: metering
Heat: orchestration
OpenStack: Nova (II)
Overview
The core of the IaaS management system in OpenStack
Supports large-scale deployment of compute instances
Applied to NASA's open source cloud project – Nebula
Asynchronous, eventually consistent communication
REST-based API
Hypervisor agnostic: support for Xen, XenServer, Hyper-V, KVM, UML and ESX is coming
Horizontally and massively scalable
Hardware agnostic: standard hardware, RAID not required
OpenStack: Neutron (II)
Quick Intro
Quantum/Neutron is an OpenStack project to provide "networking as a service" between interface devices (e.g., vNICs) managed by other OpenStack services (e.g., Nova)
Manages network virtualization, just like compute (Nova) manages server virtualization
Advocates multi-tenancy
Technology-agnostic
Network Virtualization with Neutron (II)
Logical Network Architecture
[Diagram: OpenStack Neutron-related components (OpenvSwitch plugin example)]
Network Virtualization with Neutron (II)
Physical Realization: OVS Plugin – GRE Overlays
[Diagram: Compute Nodes C1, C2, C3 and a Network Node, each with a br-int and a br-tun bridge; tenant VMs A11, A12, A21 and B11, B12 attached to br-int; the Network Node additionally hosts DHCP, L3 and a br-ex bridge; local VLAN tags are converted into GRE keys (and vice versa)]
OpenStack with Virtualization (II)
Realizing *-as-a-service with server & network virtualization using OpenStack components
Source: Dan Wendlandt – Quantum Hacker & PTL. Note: "Quantum" → "Neutron"; "Quantum" is no longer used.
SDN Overview (III)
Agility on Networks
Controllability of Entire Network
Centralized network management
[1] Van Jacobson et al., "Networking Named Content", CoNEXT 2009.
[2] Thomas Michael Bohnert, "SDN in the Cloud", invited talk @ CNSM 2013.
SDN Roles in OpenStack (III)
Centralized control of network using OpenStack
[1] Thomas Michael Bohnert, "SDN in the Cloud", invited talk @ CNSM 2013.
SDN Roles in OpenStack (III)
Why OpenStack + SDN?
Finally free applications from being aware of specific networking details (ports, IP addresses, etc.)
Reducing network management complexities
[Diagram: Orchestration (OpenStack) over virtual machines and servers on the network infrastructure (physical machines)]
SDN Roles in OpenStack (III)
OpenStack test bed with SDN in NAIM Networks
[Diagram: a Controller Node running Neutron with an SDN plugin, a Network Node, an SDN Controller, and Compute Nodes #1 and #2 each running OpenVSwitch (OVS) with three VMs (OS #1 to #3, each with a NIC), all interconnected through an OpenFlow-enabled switch]
Overview (IV)
Current security appliances
• Cost: expensive
• Maximum bandwidth limits
• (Mostly) all the traffic is passed through the security appliances
Idea
• Distributed DPIs
• Managing & controlling distributed DPIs using SDN
Advantages
• Auto-scaling network resources
• Service chaining
Participants
• NAIM Networks (http://www.naimnetworks.com): 서영석 (team lead), 최영락 (manager), 이정복 (manager)
• OpenFlow Korea (http://www.openflow.or.kr): 조충희, 임덕선
Architecture (1) (IV)
Logical Architecture
[Diagram: a Controller that gathers network data, compares the actual state to the desired state, and applies Analysis + Reasoning + Learning over Data Models; beneath it the Cloud Environment of Virtual Machines, each host running VMs on OpenVSwitch+DPI (OVS+DPI)]
Architecture (2) (IV)
Architectural Components
[Diagram: an OpenFlow-enabled switch connecting two physical machines, each running OVS with a DPI and three VMs (OS #1 to #3, with NICs); an SDN Controller; a Security Appliance; and a Log Analyzer that receives syslog from the DPIs]
Case: Demo (IV)
Scenario
Network with anomalous traffic
OVSs monitor traffic and send flow information to the "Analyzer"
DPIs in each physical machine monitor traffic
Controllers control all of the OVSs and OpenFlow-enabled switches
Let's see a short movie (about 2 min)!
(One-month duration for this prototype)
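The analyzer step of the demo scenario, written out as an added example in Python; this is not the NAIM Networks prototype's code. The OVS flow records are constructed here as Python objects (in a deployment they would come from the switches' flow statistics), the threshold values are assumed policy, and the steer_to_local_dpi action name is hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass

# Desired state per tenant VM for one reporting interval (constructed
# policy thresholds, not values taken from the slides).
DESIRED = {"max_new_flows": 50, "max_distinct_dports": 20, "max_pkts_per_flow": 10000}

@dataclass(frozen=True)
class FlowRecord:
    host: str      # compute node whose OVS reported the flow (C1, C2, ...)
    src_vm: str    # tenant VM on that node's br-int (A11, B12, ...)
    dst_ip: str
    dst_port: int
    packets: int

def analyze(records):
    """Compare the actual state (OVS flow records grouped per VM) with the
    desired state. Returns {vm: [reasons]} for every VM that deviates."""
    by_vm = defaultdict(list)
    for r in records:
        by_vm[r.src_vm].append(r)
    verdict = {}
    for vm, flows in by_vm.items():
        reasons = []
        if len(flows) > DESIRED["max_new_flows"]:
            reasons.append(f"{len(flows)} new flows")
        dports = {f.dst_port for f in flows}
        if len(dports) > DESIRED["max_distinct_dports"]:
            reasons.append(f"{len(dports)} distinct dst ports")
        heavy = sum(1 for f in flows if f.packets > DESIRED["max_pkts_per_flow"])
        if heavy:
            reasons.append(f"{heavy} heavy flows")
        if reasons:
            verdict[vm] = reasons
    return verdict

def remediation(records, verdict):
    """Turn the verdict into controller actions: steer only the deviating
    VM's traffic to the DPI on its own host (hypothetical action name)
    instead of passing all traffic through one central appliance."""
    host_of = {r.src_vm: r.host for r in records}
    return [{"host": host_of[vm], "vm": vm, "action": "steer_to_local_dpi", "why": why}
            for vm, why in sorted(verdict.items())]

# Constructed sample interval: A11 on C1 behaves normally; B12 on C2 opens
# many short flows to many ports, the "anomalous traffic" of the scenario.
SAMPLE = [FlowRecord("C1", "A11", "10.0.0.20", 80, 120),
          FlowRecord("C1", "A11", "10.0.0.21", 443, 300)]
SAMPLE += [FlowRecord("C2", "B12", "10.0.0.30", p, 3) for p in range(1, 61)]
```

Running `remediation(SAMPLE, analyze(SAMPLE))` yields one action for B12 on host C2 and none for A11.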
Summary
Separated virtualization management: server virtualization & network virtualization
OpenStack was originally designed for server virtualization management, but it started to support network virtualization (officially) after the Folsom release
"OpenStack + SDN" supports better orchestration with centralized network management and abstraction from network details
We showed one security prototype that can be directly deployed to an OpenStack+SDN environment
www.NAIMNetworks.com