Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 1 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 1 Chris Shenefiel.

Published byMorgan Henry Modified over 9 years ago

Similar presentations

Presentation on theme: "© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 1 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 1 Chris Shenefiel."— Presentation transcript:

1 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 1 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 1 Chris Shenefiel

2 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 2 What is SDN Security considerations Review of SDN Security: A Survey Background of LXC, KVM/QEMU and Xen Questions

3 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 3 Control and Data Plane resides within Physical Device

4 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 4 In the SDN paradigm, not all processing happens inside the same device

5 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 5 Multiple applications sending updates to a controller Controller monitors state of network devices and updates Updates are synchronized and managed by controller Controller Data Plane Application

6 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 6 Controller Data Plane Authenticate between applications and controllers Recommendation TLS mutual authentication between controller and switches Application

7 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 7 Peer into flow rules on the input buffer to learn traffic routing Monitor packet delays through the data plane to infer the amount of processing done for a given packet Controller Data Plane Application

8 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 8 Overload the switches by flooding the data communications channel Overload the switch flow table with too many entries Controller Data Plane Application

9 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 9 Controller Data Plane Propose inserting a flow verification stage Prevents bad configurations from hitting network Can model network and test updates for damaging consequences Limitations: Most only support one controller Added overhead impacts performance VeriFlow/FlowChecker/Fl owVisor Application

10 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 10 Controller Data Plane Policy enforcement Do configuration changes violate our information security or control policies Auditing to prove that the network configuration conforms to polices and regulations Authentication Are you really who you say you are Application

11 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 11 Dynamically re-route traffic Contain infected networks/systems Send traffic to “middle boxes” for further analysis Continuously reconfigure network to confuse attackers (Moving Target Defense) Increase security visibility Monitor or tap any traffic on demand Detect DDoS Intrusion detection Data exfiltration

12 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 12 Q: What benefit and liability do SDN “middle boxes” provide? Q: What areas did the authors highlight as needing further study? Q: What security issue from Table 1 would you focus on and why?

13 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 13

Download ppt "© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 1 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 1 Chris Shenefiel."

Similar presentations

Resonance: Dynamic Access Control in Enterprise Networks Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark School of Computer Science Georgia Institute.

Resonance: Dynamic Access Control in Enterprise Networks Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark School of Computer Science Georgia Institute.
1 OpenFlow Research on the Georgia Tech Campus Network Russ Clark Nick Feamster Students: Yogesh Mundada, Hyojoon Kim, Ankur Nayak, Anirudh Ramachandran,

1 OpenFlow Research on the Georgia Tech Campus Network Russ Clark Nick Feamster Students: Yogesh Mundada, Hyojoon Kim, Ankur Nayak, Anirudh Ramachandran,
© 2012 Gigamon. All rights reserved. The Dynamic World of Threat Detection, Containment & Response 1.

© 2012 Gigamon. All rights reserved. The Dynamic World of Threat Detection, Containment & Response 1.
1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID Next Generation Network Architectures Summary John.

1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID Next Generation Network Architectures Summary John.
CloudWatcher: Network Security Monitoring Using OpenFlow in Dynamic Cloud Networks or: How to Provide Security Monitoring as a Service in Clouds? Seungwon.

CloudWatcher: Network Security Monitoring Using OpenFlow in Dynamic Cloud Networks or: How to Provide Security Monitoring as a Service in Clouds? Seungwon.
SAFE Blueprint and the Security Ecosystem. 2 Chapter Topics  SAFE Blueprint Overview  Achieving the Balance  Defining Customer Expectations  Design.

SAFE Blueprint and the Security Ecosystem. 2 Chapter Topics  SAFE Blueprint Overview  Achieving the Balance  Defining Customer Expectations  Design.
 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.

 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.
1 © 2004, Cisco Systems, Inc. All rights reserved IP Telephony Security Cisco Systems.

1 © 2004, Cisco Systems, Inc. All rights reserved IP Telephony Security Cisco Systems.
Author: Seungwon Shin, Vinod Yegneswaran, Phillip Porras, Guofei Gu

Author: Seungwon Shin, Vinod Yegneswaran, Phillip Porras, Guofei Gu
SDN and Openflow.

SDN and Openflow.
Network Innovation using OpenFlow: A Survey

Network Innovation using OpenFlow: A Survey
© 2012 Cisco and/or its affiliates. All rights reserved. 1 CCNA Security 1.1 Instructional Resource Chapter 4 – Implementing Firewall Technologies.

© 2012 Cisco and/or its affiliates. All rights reserved. 1 CCNA Security 1.1 Instructional Resource Chapter 4 – Implementing Firewall Technologies.
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.

An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.
UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.

UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.
Chapter 6 Network Address Translation (NAT). Network Address Translation  Modification of source or destination IP address  Needed by networks using.

Chapter 6 Network Address Translation (NAT). Network Address Translation  Modification of source or destination IP address  Needed by networks using.
Enhanced Secure Dynamic DNS Update with Indirect Route David Wilkinson, C. Edward Chow, Yu Cai 06/11/2004 University of Colorado at Colorado Springs IEEE.

Enhanced Secure Dynamic DNS Update with Indirect Route David Wilkinson, C. Edward Chow, Yu Cai 06/11/2004 University of Colorado at Colorado Springs IEEE.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
A Survey on Interfaces to Network Security

A Survey on Interfaces to Network Security
TUNDRA The Ultimate Netflow Data Realtime Analysis Jeffrey Papen Yahoo! Inc.

TUNDRA The Ultimate Netflow Data Realtime Analysis Jeffrey Papen Yahoo! Inc.

Similar presentations

Ads by Google