Security-as-a-Service using SDN
Experiences from building large-scale service chaining applications
Carl Moberg
VP Technology
@cmoberg
Anatomy of a Service Chain
Technology Requirements
• OpenFlow for traffic steering
• Many vendors per service function
• Many protocols per service function
• Programmatic and human northbound (NB) API
Service Requirements
• Full lifecycle (add, change, delete)
• Stable and service oriented model
• Vendor independent model
• Including service application state
Anatomy of a Service Chain
Scaling Requirements
• Thousands of customers
• Dozens of Regional POPs
• A few datacenters
• Tens of thousands of DC tenants
Potentially tens of thousands of flow types to be provisioned in many places
Focus!
Key Challenges
• Associate flows with specific L4-L7 service combinations
• Configure the L4-L7 services accordingly in each service chain
• Configure the traffic steering accordingly in each service chain
How to implement the traffic steering (forwarding graph) in an individual service chain is a relatively minor part of the problem
Tail-f NCS: Decomposing a Service
[Diagram: Self-service Portal -> REST -> Tail-f NCS -> six distributed service chains, each made up of ADC, FW, NAT, DPI]
A provisioned security service…
…results in broad re-configurations throughout distributed service chains
OpenFlow, NETCONF, CLI, REST, SNMP, etc
This is one Service Chain
[Diagram: Self-service Portal -> Tail-f NCS -> one service chain: ADC, FW, NAT, DPI]
1. Service-oriented order comes in to create, update or delete a service chain
2. Dynamically reconfigure the forwarding rules for the specific flow
3. …and dynamically reconfigure the processing rules for the specific flow
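As an added illustration of the three steps above and of the Key Challenges slide (not code from the talk or from Tail-f NCS), a toy Python decomposition of a service-chain order into normalized device changes that also handles the update and delete cases; the switch name, ports, device names and the dl_vlan match are all constructed assumptions:

```python
"""Constructed example: decompose a service-chain order into ordered device changes."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical per-POP inventory: function type -> (device name, port on the steering switch)
POP_INVENTORY = {"ADC": ("adc-1", 1), "FW": ("fw-1", 2), "NAT": ("nat-1", 3), "DPI": ("dpi-1", 4)}
SWITCH, CUSTOMER_PORT, UPLINK_PORT = "of-switch-1", 11, 10  # constructed values


@dataclass(frozen=True)
class ChainOrder:
    tenant: str
    match: str                  # OpenFlow-style match that survives NAT, e.g. a tenant VLAN tag
    functions: Tuple[str, ...]  # service functions in traversal order


def render(order: ChainOrder) -> dict:
    """Desired state for one chain as {(device, key): value}: steering rules that hop the
    matched flow customer -> each function -> uplink, plus a tenant policy on each function."""
    state = {}
    hops = [CUSTOMER_PORT] + [POP_INVENTORY[f][1] for f in order.functions] + [UPLINK_PORT]
    for in_port, out_port in zip(hops, hops[1:]):
        state[(SWITCH, f"in_port={in_port},{order.match}")] = f"output:{out_port}"
    for f in order.functions:
        device = POP_INVENTORY[f][0]
        state[(device, f"policy/{order.tenant}")] = f"match {order.match} apply {f.lower()}-profile"
    return state


def plan(old: Optional[ChainOrder], new: Optional[ChainOrder]) -> list:
    """Ordered change set for create (old=None), update, or delete (new=None).
    Function config is set before steering is installed, and steering is removed before
    function config is torn down, so a flow is never steered through an unconfigured function."""
    before = render(old) if old else {}
    after = render(new) if new else {}
    sets = [("set", dev, key, val) for (dev, key), val in after.items() if before.get((dev, key)) != val]
    dels = [("delete", dev, key) for (dev, key) in before if (dev, key) not in after]
    sets.sort(key=lambda op: op[1] == SWITCH)  # stable: function devices first, switch last
    dels.sort(key=lambda op: op[1] != SWITCH)  # stable: switch first, function devices after
    return sets + dels


if __name__ == "__main__":
    v1 = ChainOrder("tenant-42", "dl_vlan=100", ("FW", "NAT", "DPI"))
    v2 = ChainOrder("tenant-42", "dl_vlan=100", ("FW", "DPI"))
    for op in plan(None, v1) + plan(v1, v2) + plan(v2, None):
        print(*op)
```

Dropping NAT from the chain yields only three operations (one re-pointed steering rule, one steering delete, one policy delete), and a delete order removes every entry the create order installed, so no steering rule is left pointing around the remaining functions.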
Tail-f NCS: Moving Parts
[Diagram: Network Engineer and Management Applications reach the Tail-f Network Control System through a network-wide CLI, WebUI, NETCONF, REST and Java; inside it, the Service Manager (Service Models) and Device Manager (Device Models) sit above the Network Element Drivers and the OpenFlow Controller Cluster (Flowlets, Flowlet Models); the NEDs reach devices over NETCONF, CLI, REST, SNMP, etc., and the OpenFlow controller reaches switches over OF-Wire (OF-CONFIG)]
Service and Device Manager
• Maintains models, versions
• Upgrade, downgrade
• Built on transactions
Network Element Drivers (NEDs)
• Converts normalized changes into protocol-specific ordered sets
• Its own lifecycle
OpenFlow Controller Cluster
• OpenFlow 1.0, 1.3
• Distributed with integrated application lifecycle management
• Applications (flowlets) expose NETCONF/YANG internally
Come Visit our Booth