Open security controller security orchestration for openstack
1 like602 views
The document discusses the Open Security Controller (OSC) for managing security in multi-cloud environments, addressing challenges related to consistent security across various cloud setups. It highlights design goals, architecture, and deployment workflows for dynamically managing security policies, particularly in compliance with regulations like HIPAA and PCI. The OSC is set to be available as open source in mid-2017, inviting engagement from the community for collaboration and support.
Open security controller security orchestration for openstack
- 3. #RSAC SDI—The Application Defines the System The evolution to software-defined infrastructure
- 8. #RSAC OSC API Interaction Model PoliciesUser IntentCloud AppsApplications, User Intent, and Policies Nuage VSP* Midokura*, Brocade*…NSX* SDN Controllers Virtualization Layer Physical Infrastructure Computing Hardware Storage Layer Network Hardware Virtual Infra OpenStack* Virtual Compute Virtual Storage Virtual NetworkVirtualized Security Functions CPA DPA Security Function/Element Managers IPS Managers NGFW Managers ADC Managers Open Security Controller Manager Plug-ins VNF Agent Plug-ins Business Logic Service Dispatcher Jobs Engine SDN Plug-ins Virtualization Connectors Security Functions Catalog H2 Database User Interface API GUI NB Rest API1 Rest API Web Sockets 4 Rest API IPC5 Rest API SFC Policy 3 Rest API Images, deployment, notifications, authentication 2 • Policy interface • User intent • Application intent • Lifecycle management • Deployment specs, auto- scaling and HA • Authentication • Image services • Notification for events • Role based access control • Traffic redirection API • SFC policy API • Advanced visibility functionality (example 6 tuple visibility) • Dynamic policy updates and mapping • Domain/sub domain updates and mapping • Control path agent: provisioning, de- provisioning, heartbeats, etc. • Data path agent: instrumentation and real time statistics
- 9. #RSAC Customer PoC: Health industry IT services provider • Customer has to adhere to HIPAA regulatory requirements • Existing solution was based on DC edge devices. • Customer wanted to get to a dynamic policy based security solution for East-West traffic inspection. Commercial x86 Server Commercial SDN controller (Compute Node) RHEL 7.2 (Control Node) Commercial OpenStack Newton Distro Open Security Controller Virtual Intrusion Prevention System Next Gen Firewall Virtual App Delivery Controller
- 10. #RSAC Customer Deployment Architecture High Latency East-west Traffic Future: Dynamic Policy Based East-West Security X86 server vIPS vADC App Top of Rack Switch Security between Tenants and Tiers Latency Goes Down Granular Control and Scalability SDN Controller Physical Appliances Current: Topology Based Security Firewall Intrusion Prevention Systems/ Intrusion Detection Systems Application Delivery Controller Top of Rack Switch App App App App X86 Server East-west Traffic Security Function Manager Security Controller
- 12. #RSAC Customer deployment Workflow One Time Setup 1. Openstack Connector 2. Create Security Services a) Policy manager Plugins for NGFW 1, NGFW 2 3. Configure Security Services a) Distributed Appliance b) Deployment- Specifications Protection Policy 1. Define Global Risk based Sec-Groups 2. All Policy managers dynamically updated 3. Automated traffic redirection via SDN Plugin Automated Zero- Trust Security Network flows automatically updated to redirect traffic to security service chain Security Admin Spins workload up or down Dev-Ops
- 15. #RSAC
- 16. #RSAC Apply: Risk Based Approach 1. Identify workload which needs micro segmentation 2. Identify security controls to mitigate risks (vIPS, vNGFW, vADC) 3. Automate Security Controls orchestration