comnet.informatik.uni-wuerzburg.de
Institute of Computer Science
Chair of Communication Networks
Prof. Dr.-Ing. P. Tran-Gia
Using SDN and NFV to Realize a Scalable
and Resilient Omni-Present Firewall
Nicholas Gray
SarDiNe Research Project
Goal: Improve the security in enterprise and government networks based on SDN/NFV
Partners
Associated Partners
sardine-project.org
Motivation
[Figure labels: External Network, Internal Network, Active, Standby]
Expensive hot standby
Little internal defenses
Limited scalability
Motivation
[Figure labels: External Network, Internal Network, Active (six instances)]
Omni-present protection
Scalable and resilient security solution
SDN and NFV provide the necessary means
Agenda
Motivation
Background
  Software-defined Networking (SDN)
  Network Function Virtualization (NFV)
Omni-present SDN Firewall
  Fine-grained access control
  Scalable & resilient stateful firewalling
  Firewall offloading
Demo
Conclusion
BACKGROUND
Software-defined Networking (SDN)
Key principles
  Separation of control and data plane
  Logically centralized control plane
  Open Interfaces
  Programmability
Features
  Protocol independence
  Ability to dynamically adapt network parameters
  Granularity
  Elasticity
Use cases
  Cloud orchestration
  Network management
  Network security
[Figure labels: Data Plane, Control Plane, Southbound API]
SDN – Packet Handling & Table Structure
Rule | Action | Stats
Rule
  Switch Port, Switch Phy Port, Metadata, ETH Dst, ETH Src, ETH Type, VLAN VID, VLAN PCP, IP DSCP, IP ECN, IP Proto, IPv4 Src, IPv4 Dst, TCP Src, TCP Dst, UDP Src, UDP Dst, SCTP Src, SCTP Dst, ICMPv4 Type, ICMPv4 Code, ARP OP, ARP SPA, ARP TPA, ARP SHA, ARP THA, …
  Mask for match fields
Action
  • Forward packet to zero or more ports
  • Encapsulate and forward to controller
  • Send to normal processing pipeline
  • Modify Fields
  • Any extensions you add!
Stats
  Packet + Byte Counters
SDN – Modes of Operation
[Figure, two panels: Reactive and Proactive. Labels in each panel: Control Plane (CP), Data Plane (DP), Southbound API, Match/Action table, A, B, *.*, CP]
Network Function Virtualization (NFV)
Firewalls
Load Balancers
Traffic Shapers
Network Monitoring
Legacy networks are full of middle boxes
  Specialized hardware
  Deployed in the data path
  Limited scalability
Network Function Virtualization
  Virtual applications
  Executed on COTS servers
  Cloud-ready
OMNI-PRESENT SDN FIREWALL
Fine-granular Access Control
On-demand personalized virtual network
  BYOD scenario
  Strict flow isolation
  Minimized attack surface
Technical implementation
  2FA Authentication
  No MDM required
Scalable & Resilient Stateful Firewalling
NFV-based stateful firewall
  Run as software in the cloud
  Dynamic n+1 protection
Technical implementation
  SDN switch as load balancer
  State decoupled from workers
[Figure labels: SDN Controller, OpenFlow, SDN Switch, Configuration & Health Checks, Private Cloud (four FW-VNF instances, Shared State)]
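Why decoupling state from the workers matters for failover, as an added example that is not code from the talk or the SarDiNe project: a small simulation in which a switch hashes flows onto healthy FW-VNF workers and one worker fails mid-connection. The class names, the 10.0.0.0/8 internal range, the policy (only internal hosts may open connections) and the in-memory set standing in for the shared state store are assumptions.

```python
import hashlib
from dataclasses import dataclass

INTERNAL_PREFIX = "10."  # assumption: internal hosts live in 10.0.0.0/8


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False

    def flow_key(self):
        """Direction-independent key so both halves of a connection match."""
        a, b = (self.src, self.sport), (self.dst, self.dport)
        return (a, b) if a <= b else (b, a)


class FirewallWorker:
    """One FW-VNF instance; `state` is the connection table it consults."""

    def __init__(self, name, state):
        self.name = name
        self.state = state      # shared set, or a private one per worker
        self.healthy = True

    def process(self, pkt):
        key = pkt.flow_key()
        if key in self.state:                      # known connection
            return "ACCEPT"
        if pkt.syn and pkt.src.startswith(INTERNAL_PREFIX):
            self.state.add(key)                    # new outbound connection
            return "ACCEPT"
        return "DROP"                              # unsolicited or unknown


class SwitchLoadBalancer:
    """Stands in for the SDN switch: hash each flow onto a healthy worker."""

    def __init__(self, workers):
        self.workers = workers

    def select(self, pkt):
        alive = [w for w in self.workers if w.healthy]   # health-check result
        if not alive:
            raise RuntimeError("no healthy FW-VNF left: fail closed")
        digest = hashlib.sha256(repr(pkt.flow_key()).encode()).digest()
        return alive[int.from_bytes(digest[:4], "big") % len(alive)]

    def forward(self, pkt):
        worker = self.select(pkt)
        return worker.name, worker.process(pkt)


def run_failover(shared_state, n_workers=3):
    """Open a connection, fail the worker that handled it, send the reply."""
    shared = set()
    workers = [
        FirewallWorker(f"fw-vnf-{i}", shared if shared_state else set())
        for i in range(n_workers)
    ]
    lb = SwitchLoadBalancer(workers)

    # Constructed sample traffic (documentation address ranges).
    syn = Packet("10.0.0.5", 40000, "198.51.100.7", 443, syn=True)
    reply = Packet("198.51.100.7", 443, "10.0.0.5", 40000)
    probe = Packet("198.51.100.7", 443, "10.0.0.9", 5555, syn=True)

    first, syn_verdict = lb.forward(syn)
    next(w for w in workers if w.name == first).healthy = False  # worker dies
    second, reply_verdict = lb.forward(reply)
    _, probe_verdict = lb.forward(probe)
    return {
        "first_worker": first,
        "second_worker": second,
        "syn": syn_verdict,
        "reply_after_failover": reply_verdict,
        "unsolicited_inbound": probe_verdict,
    }


if __name__ == "__main__":
    print("shared state :", run_failover(shared_state=True))
    print("private state:", run_failover(shared_state=False))
```

With per-worker state the reply is dropped after failover because the surviving worker never saw the handshake; with shared state the connection survives while unsolicited inbound traffic is still dropped.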
Firewall Offloading
Dynamic firewall offloading
  Offload trusted flows to relieve VNFs
  No noticeable service degradation
Technical implementation
  Optimizer selects flows with a high performance impact
  Switches act as stateless packet filters
  Performed in the fast path at line rate
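A sketch of the offloading decision described on this slide, as an added example that is not code from the talk or the project: an optimizer ranks trusted, established flows by throughput, installs exact-match rules for both directions within a switch table budget, and everything else keeps going to the firewall VNF. The `FlowStat` fields, the `trusted` flag, the rate threshold, the table budget and the idle timeout are assumptions; the sample statistics are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowStat:
    match: tuple        # (proto, src_ip, src_port, dst_ip, dst_port)
    bytes_per_s: int    # load this flow puts on the firewall VNF
    established: bool   # handshake already inspected by the VNF
    trusted: bool       # assumption: verdict supplied by the security policy


def reverse(match):
    """Return the 5-tuple of the opposite direction of the same connection."""
    proto, src, sport, dst, dport = match
    return (proto, dst, dport, src, sport)


def select_offload(stats, table_budget, min_rate):
    """Pick the heaviest eligible flows; each one costs two switch rules."""
    eligible = [
        s for s in stats
        if s.trusted and s.established and s.bytes_per_s >= min_rate
    ]
    eligible.sort(key=lambda s: s.bytes_per_s, reverse=True)
    return eligible[: table_budget // 2]


def build_rules(chosen, idle_timeout_s=30):
    """Stateless exact-match rules; the idle timeout lets stale rules expire."""
    rules = {}
    for stat in chosen:
        for match in (stat.match, reverse(stat.match)):
            rules[match] = {"action": "FORWARD", "idle_timeout_s": idle_timeout_s}
    return rules


def fast_path(rules, match):
    """Switch lookup: offloaded flows bypass the VNF, the rest are inspected."""
    rule = rules.get(match)
    return rule["action"] if rule else "TO_FW_VNF"


def vnf_load(stats, rules):
    """Bytes per second still traversing the firewall VNF."""
    return sum(s.bytes_per_s for s in stats if s.match not in rules)


# Constructed sample statistics, not measurements from the talk.
SAMPLE_STATS = [
    FlowStat(("tcp", "10.0.1.10", 50000, "10.0.9.20", 873), 900_000_000, True, True),
    FlowStat(("tcp", "10.0.2.11", 51000, "10.0.9.30", 443), 400_000_000, True, True),
    FlowStat(("tcp", "10.0.3.12", 52000, "10.0.9.40", 22), 20_000, True, True),
    FlowStat(("tcp", "10.0.4.13", 53000, "203.0.113.9", 443), 700_000_000, True, False),
    FlowStat(("tcp", "10.0.5.14", 54000, "10.0.9.50", 445), 500_000_000, False, True),
]


if __name__ == "__main__":
    chosen = select_offload(SAMPLE_STATS, table_budget=4, min_rate=1_000_000)
    rules = build_rules(chosen)
    print("offloaded:", [s.match for s in chosen])
    print("VNF load before:", vnf_load(SAMPLE_STATS, {}))
    print("VNF load after :", vnf_load(SAMPLE_STATS, rules))
```

The untrusted and half-open flows stay on the VNF even though they are heavy, which is the point of restricting offloading to flows the stateful firewall has already vetted.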
Omni-present SDN Firewall
[Figure labels: Internal Network, SDN Controller, Network Management System, Cloud Management System, Private Cloud (FW VNF, FW VNF, …, Shared State), Available Services, Services, AAA, SDN Switch, SDN Switch]
Demo Setup
https://www.youtube.com/watch?v=e_CmcGPXJGY
Network Services
Access Control
SDN Controller
Fine-granular Access Control
Virtual Network Functions
NFV Monitoring
Firewall VNF
Resiliency
Fast Failover
Firewall VNF
Offloading
Offloading of Trusted Flows
CONCLUSION
Conclusion
Both sides of the scale need to be addressed
In our opinion the benefits will outweigh the challenges
Tight integration of quality assurance in the deployment stage
Adaptation of software testing methods to the networking domain
[Figure: a scale with Complex Architecture, Fast development rates, New Technology and Large Software Projects on one side, and Advanced DDoS Mitigation, Fine-granular Flow Control, Scalable Security Solutions and Reduced Management Efforts on the other]