SESSIONID:SESSIONID:

#RSAC

TarunViswanathan

OpenSecurityController- SecurityOrchestrationforOpenStack

CSV-W02

PlatformSolutionArchitectIntel

ManishDavePlatformArchitectIntel

#RSAC

NoticesandDisclaimers

Inteltechnologies’featuresandbenefitsdependonsystemconfigurationandmayrequireenabledhardware,softwareorserviceactivation.Learnmoreatintel.com,orfromtheOEMorretailer.

Nocomputersystemcanbeabsolutelysecure.

Testsdocumentperformanceofcomponentsonaparticulartest, inspecificsystems.Differencesinhardware,software,orconfigurationwillaffectactualperformance.Consultothersourcesofinformationtoevaluateperformanceasyouconsideryourpurchase. Formorecompleteinformationaboutperformanceandbenchmarkresults,visithttp://www.intel.com/performance.

Intel,theIntellogoandothersaretrademarksofIntelCorporationintheU.S.and/orothercountries.*Othernamesandbrandsmaybeclaimedasthepropertyofothers.

©2016IntelCorporation.

#RSAC

SDI—TheApplicationDefinestheSystem

The evolution to software-defined infrastructure

#RSAC

EnterpriseMultiCloudSecurityChallenges

HowcanIprovideconsistentsecurityacross amulticlouddatacenterenvironment.

OpenSecurityControlleraddresses thischallenge.

#RSAC

OpenSecurityControllerKeyDesignGoals

Centralizedsecuritypolicymanagementforamulticloudenvironment.

#RSAC

ConceptualArchitecture

#RSAC

OpenStack*Micro-SegmentationUseCase

#RSAC

OSCAPIInteractionModelPoliciesUserIntentCloudAppsApplications,UserIntent,andPolicies

OpenDaylight* Midokura*, Plumgrid*, Nuage NSP*, Brocade*…NSX*SDN

Controllers

Virtualization Layer

PhysicalInfrastructure

ComputingHardware

Storage Layer

NetworkHardware

VirtualInfraOpenStack*

VirtualCompute

VirtualStorage

VirtualNetworkVirtualizedSecurityFunctions

CPA

DPA

SecurityFunction/ElementManagersIPSManagers

NGFWManagers

ADCManagers

OpenSecurityController

ManagerPlug-ins

VNFAgentPlug-ins

Business Logic

Service Dispatcher

Jobs Engine

SDNPlug-ins

VirtualizationConnectors

SecurityFunctionsCatalog

H2Database

User Interface API

GUINBRestAPI1

RestAPIWebSockets

4 RestAPIIPC5RestAPISFCPolicy

3 RestAPIImages,deployment,notifications,authentication

2

• Policyinterface• Userintent• Applicationintent

• Lifecyclemanagement

• Deploymentspecs,auto-scalingandHA

• Authentication• Imageservices• Notificationfor

events• Rolebased

accesscontrol

• TrafficredirectionAPI• SFCpolicyAPI• Advancedvisibilityfunctionality

(example6tuplevisibility)

• Dynamicpolicyupdatesandmapping

• Domain/subdomainupdatesandmapping

• Controlpathagent:provisioning,de-provisioning,heartbeats,etc.

• Datapathagent:instrumentationandrealtimestatistics

#RSAC

CustomerPoC:HealthindustryITservicesprovider

• CustomerhastoadheretoHIPAAregulatoryrequirements

• Existing solutionwasbasedonDCedgedevices.• Customerwantedtogettoadynamicpolicy

basedsecuritysolution forEast-West trafficinspection. Commercialx86Server

CommercialSDNcontroller

(ComputeNode)RHEL7.2

(ControlNode)CommercialOpenStackNewtonDistro

OpenSecurityController

VirtualIntrusionPreventionSystem

NextGenFirewall

VirtualAppDeliveryController

#RSAC

CustomerDeploymentArchitecture

HighLatency

East-westTraffic

Future:DynamicPolicyBasedEast-WestSecurity

X86server

vIPS vADC App

TopofRackSwitch

SecuritybetweenTenantsandTiers

LatencyGoesDown

GranularControlandScalability

SDNControllerPhysicalAppliances

Current:TopologyBasedSecurityFirewall

IntrusionPreventionSystems/IntrusionDetectionSystems

ApplicationDeliveryController

TopofRackSwitch

App App App App

X86Server

East-westTraffic

SecurityFunctionManager

SecurityController

#RSAC

CustomerPoC:Largefinancialservicesprovider

Commercialx86Server

CommercialSDNcontroller

(ComputeNode)RHEL7.2

(ControlNode)CommercialOpenStackDistro

OpenSecurityController

NextGenFirewallVendor1

NextGenFirewallvendor2

• CustomerhastoadheretoPCIregulatoryrequirements

• CustomerwantedtogettoaRiskBasedautomated securitypolicymanagementcapability fortheirOpenstackenvironment

#RSAC

CustomerdeploymentWorkflow

OneTimeSetup1. OpenstackConnector

2. CreateSecurityServicesa) PolicymanagerPlugins

forNGFW1,NGFW2

3. ConfigureSecurityServices

a) DistributedApplianceb) Deployment-

Specifications

ProtectionPolicy1. DefineGlobalRiskbased

Sec-Groups

2. AllPolicymanagersdynamicallyupdated

3. Automatedtrafficredirection viaSDNPlugin

AutomatedZero-TrustSecurityNetworkflowsautomaticallyupdatedtoredirect traffictosecurityservice chain

SecurityAdmin

Spinsworkloadupor down

Dev-Ops

#RSAC

DEMOAutomatedSecurityServicesOrchestrationforOpenstack

#RSAC

DemoTopology

#RSAC

#RSAC

Apply:RiskBasedApproach

1. Identifyworkloadwhichneedsmicrosegmentation

2. Identifysecuritycontrolstomitigaterisks(vIPS,vNGFW,vADC)

3. AutomateSecurityControlsorchestration

#RSAC

CalltoAction

CurrentStatusPOCwithearlyadoptercustomers/SecurityVNF’sOpenSecurityControlleravailable asOpensource~Mid2017compatiblewithfewSecurityVNFand SDNvendors

CalltoActionContactustogetengaged inthecommunity:Email:manish.dave@intel.com orTarun@intel.comAdditional Information:www.intel.com/osc