Using SDN to secure the campus - Networkshop44
TRANSCRIPT
Using SDN to secure the campus
Hewlett Packard Enterprise
Eugene Berger, HPE Aruba CTO, UK&I, @Eugatwork
Cloud and Datacenter Leader; leadership in both SMB & enterprise networking; leading the Mobility and Campus Enterprise
HPE and Aruba – Better Together
HPE SDN vision and strategy
SDN provides programmable networks that rapidly align to business applications
Data center, campus & branch automation
Open standards ecosystem
Reignite innovation
Easily accessible marketplace
Agility: coexist with brownfield; use case-led
Alignment: platform for innovation; automation & simplicity
Journey to Software-defined Networking
2007: HP & Stanford collaborate and demo OpenFlow
2011: HP ships 30 million SDN-enabled ports & SDN controller
2015+: Software-defined Networking solving the problems of the New Style of IT
SDN is now: Security, Cloud, Big Data, Mobility, Innovation
Defining Software-defined Networking
SDN Architecture (source: opennetworking.org), three layers:
Infrastructure: open standard-based programmatic access to infrastructure
Control: separate control and data plane; abstract the control plane of many devices to one
Application: deliver open programmable interfaces to orchestrate network service automation
Delivering the functions of an SDN architecture
Software-defined Network components, mapped onto the same three layers:
Infrastructure: network devices (open standard-based programmatic access to infrastructure)
Control: the Virtual Application Networks SDN Controller, exposing an Open Programmable Interface to the devices below and Open Programmable APIs above
Application: SDN Applications and Cloud Orchestration consuming those APIs
Programmable network aligned to business objectives
Virtual Application Networks deliver automation, agility
Applications: Virtual Cloud, Network Protector, Load Balancing, Partner Apps, Network Optimizer
Services: Converged Control; Design, Implementation and Support Services
Infrastructure: over 30 million ports across 50 switches and 10 routers
Management: VAN Network Resource Automation, Intelligent Management Center, VAN SDN Manager
Control: VAN Server Connect; VXLAN, NVGRE
Risk-free SDN deployment:
Phase 1, SDN Ready: investment protection, open standards, low risk
Phase 2, Hybrid SDN: application-aware network, reduced complexity, non-disruptive
Phase 3, Native SDN: fully programmable, highly automated, rapid innovation
Snapshot of where we are today
92 members; 21 SDN apps across optimization, security and orchestration
Select SDN customers
HPE Network Protector – Security: enabling real-time threat protection across enterprise networks
• Malware / botnet / spyware protection
• IPS as a Service
• Security sensors & actions
• TippingPoint
HP Network Protector – IPS integration (core / distribution / edge tiers, with the SDN Controller & Network Protector above them):
• Threat Management Center (1M+ bad sites): reputation data (example entry: piratesmustdie.com) and malware intelligence
• OpenFlow: redirect all traffic to the IPS; inspect all user traffic
• Bad DNS response
• IPS
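The slide only names the pieces (reputation feed, DNS, OpenFlow redirect, IPS). The block below is an added illustrative example, not HPE Network Protector's code: a minimal controller-side loop that parses a DNS response copied to the controller, checks the answered name against a reputation list, and for a listed name emits one OpenFlow-style rule per resolved address steering that client's traffic to the IPS port. The domain list, client address, IPS port number and the DNS packet itself are constructed for the example.

```python
"""
Illustrative SDN "protector" control loop (added example, not HPE code):
DNS response in, reputation check, OpenFlow-style redirect rules out.
"""
from __future__ import annotations
import struct
from dataclasses import dataclass, field

# Constructed stand-in for the slide's 1M+ site reputation feed.
BAD_DOMAINS = {"piratesmustdie.com"}
IPS_PORT = 7  # assumption: switch port the IPS is attached to


def _read_name(pkt: bytes, off: int) -> tuple[str, int]:
    """Decode an RFC 1035 name at `off`; returns (name, offset after it).
    Follows compression pointers (0xC0xx); the returned offset stops after
    the first pointer, as the wire format requires."""
    labels, end, jumped = [], off, False
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


@dataclass
class DnsAnswer:
    name: str
    addresses: list[str] = field(default_factory=list)


def parse_dns_response(pkt: bytes) -> DnsAnswer:
    """Pull the question name and every IPv4 (type A) answer out of a response."""
    qdcount, ancount = struct.unpack("!HH", pkt[4:8])
    off, qname = 12, ""
    for _ in range(qdcount):
        name, off = _read_name(pkt, off)
        qname = qname or name
        off += 4                                         # QTYPE, QCLASS
    addrs = []
    for _ in range(ancount):
        _, off = _read_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                    # A record
            addrs.append(".".join(str(b) for b in pkt[off:off + 4]))
        off += rdlen
    return DnsAnswer(qname, addrs)


def is_listed(name: str) -> bool:
    """True if the name or any parent domain is on the reputation list."""
    parts = name.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in BAD_DOMAINS for i in range(len(parts)))


def flow_rules_for(answer: DnsAnswer, client_ip: str) -> list[dict]:
    """OpenFlow 1.3-style flow-mod descriptions: one per resolved address,
    matching the client's traffic to it and outputting to the IPS port."""
    if not is_listed(answer.name):
        return []
    return [{
        "priority": 1000,
        "hard_timeout": 300,                             # seconds; refreshed on the next lookup
        "match": {"eth_type": 0x0800, "ipv4_src": client_ip, "ipv4_dst": ip},
        "actions": [{"output": IPS_PORT}],
    } for ip in answer.addresses]


def build_dns_response(name: str, ip: str, txid: int = 0x1234) -> bytes:
    """Constructed test input: a one-question, one-A-answer response."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    answer = (b"\xc0\x0c"                                # pointer to the question name
              + struct.pack("!HHIH", 1, 1, 60, 4)
              + bytes(int(o) for o in ip.split(".")))
    return header + qname + struct.pack("!HH", 1, 1) + answer


if __name__ == "__main__":
    pkt = build_dns_response("www.piratesmustdie.com", "203.0.113.9")
    for rule in flow_rules_for(parse_dns_response(pkt), "10.0.0.5"):
        print(rule)
```

Two things the toy makes visible that the slide does not: the reputation match has to walk parent domains (a listing for the registered domain must catch any host under it), and the produced rules are keyed on the resolved addresses with a timeout, so a name that later resolves elsewhere is re-evaluated on the next lookup rather than staying blocked or staying open.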
South Washington County
Network Protector SDN App
• Maintain a 31-site wired and wireless network serving over 30,000 users with 1 staff member
• Deploy in less than 1 hour
• Fraction of the cost: $200K vs $2 million of hardware
Roseville – R&D Protector
SDN: knowing the context vs guessing – ClearPass
Traditional network ('guessing'): traffic classification, identity inference, context inference, telemetry → inferred network policy → inferred action
User/application directed (ClearPass): traffic classification, telemetry, plus identity, event, context and service request supplied by the app/user → network policy → coordinated action
SDN Customer References
SDN Customer References Brochure
Thank you
CONFIDENTIAL © Copyright 2015. Aruba Networks, an HP company. All rights reserved.
Network Optimizer Customers
SDN Customer References Brochure
HPE VMware Network Virtualization (SDN) collaboration
Network virtualization solutions can run over any IP network, but application performance, reliability and service delivery rely on the underlying physical network.
VN = logical network services (L2/3, L4-7) connected to workloads
Problem: Data Center Network Security
Perimeter-centric network security has proven insufficient (little or no lateral controls inside the perimeter), and micro-segmentation has been operationally infeasible.
Why traditional approaches are operationally infeasible…
Diagram: two physical hosts, each running a hypervisor with a vSwitch and VMs, behind perimeter firewalls facing the Internet.
Perimeter firewalls:
• Create firewall rules before provisioning
• Update firewall rules when a workload moves or changes
• Delete firewall rules when the app is decommissioned
• The problem grows with more East-West traffic
VMware NSX makes micro-segmentation possible
Diagram: the same two hosts; a Security Policy, driven from the Cloud Management Platform, is applied at each hypervisor's vSwitch in addition to the perimeter firewalls at the Internet edge.
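The two slides above state the contrast in words: IP-keyed perimeter rules that must be created, updated and deleted as workloads change, and that never see east-west traffic, versus policy attached to the workload itself. The block below is an added illustrative model of that contrast, not VMware NSX or HPE code: hosts, addresses, tags and the `vmotion` helper are constructed for the example, and "micro-segmentation" here is simply a tag-based check applied to every flow at the workload's own port.

```python
"""
Perimeter (IP-keyed, edge-only) versus micro-segmentation (tag-keyed,
per-workload) enforcement. Added illustrative example, not NSX/HPE code.
"""
from __future__ import annotations
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    host: Optional[str]      # hypervisor inside the DC, or None for an Internet client
    tags: frozenset[str]


@dataclass(frozen=True)
class TagRule:
    src_tag: str
    dst_tag: str
    proto: str
    port: int


# Constructed inventory: two hypervisors behind the perimeter plus one external client.
INVENTORY = {
    "client": Workload("client", "198.51.100.7", None, frozenset({"internet"})),
    "web1": Workload("web1", "10.10.1.10", "esx-a", frozenset({"web"})),
    "web2": Workload("web2", "10.10.1.11", "esx-b", frozenset({"web"})),
    "db1":  Workload("db1",  "10.10.1.20", "esx-a", frozenset({"db"})),
}

# Intent, written once in terms of tags rather than addresses.
POLICY = [
    TagRule("internet", "web", "tcp", 443),
    TagRule("web", "db", "tcp", 3306),
]


def compile_ip_rules(inventory: dict[str, Workload], policy: list[TagRule]) -> set[tuple]:
    """The address-keyed rule set a perimeter firewall needs to express POLICY
    for today's inventory. Every provision, move, re-address or decommission
    changes this set: the create/update/delete burden on the slide."""
    return {
        (s.ip, d.ip, r.proto, r.port)
        for r in policy
        for s in inventory.values() if r.src_tag in s.tags
        for d in inventory.values() if r.dst_tag in d.tags and s is not d
    }


def perimeter_allows(ip_rules: set[tuple], src: Workload, dst: Workload,
                     proto: str, port: int) -> bool:
    """Perimeter enforcement: only flows crossing the edge are inspected.
    Two workloads both inside the DC never reach the firewall, so their
    east-west traffic passes regardless of the rule set."""
    if src.host is not None and dst.host is not None:
        return True
    return (src.ip, dst.ip, proto, port) in ip_rules


def microseg_allows(policy: list[TagRule], src: Workload, dst: Workload,
                    proto: str, port: int) -> bool:
    """Distributed enforcement at every VM's vSwitch port: each flow, including
    east-west on the same hypervisor, is checked against the tag-based intent;
    anything not explicitly allowed is denied."""
    return any(r.src_tag in src.tags and r.dst_tag in dst.tags
               and r.proto == proto and r.port == port for r in policy)


def vmotion(inventory: dict[str, Workload], name: str,
            new_host: str, new_ip: str) -> dict[str, Workload]:
    """Constructed helper: move a workload to another hypervisor and re-address it."""
    moved = replace(inventory[name], host=new_host, ip=new_ip)
    return {**inventory, name: moved}


if __name__ == "__main__":
    before = compile_ip_rules(INVENTORY, POLICY)
    after_inv = vmotion(INVENTORY, "db1", "esx-b", "10.10.2.20")
    print("IP rules to rewrite after one move:", before ^ compile_ip_rules(after_inv, POLICY))
    web1, db1 = after_inv["web1"], after_inv["db1"]
    print("perimeter sees web1->db1 ssh?", perimeter_allows(before, web1, db1, "tcp", 22))
    print("microseg allows web1->db1 ssh?", microseg_allows(POLICY, web1, db1, "tcp", 22))
```

Running it shows both halves of the slide's argument: one move of `db1` invalidates every IP rule that mentioned it (the symmetric difference is four rules, two stale and two to add), while the tag rule is unchanged; and `web1 -> db1` on port 22 is passed by the perimeter model because it never crosses the edge, but denied by the per-workload check.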