Using sdn to secure the campus - Networkshop44
Download as PPTX, PDF1 like2,300 views
This document discusses how Hewlett Packard Enterprise uses software-defined networking (SDN) to secure campus networks. SDN provides programmable networks that can rapidly align with business applications. HPE delivers the functions of an SDN architecture, including separating the control and data planes and providing open programmable interfaces. This allows for network service automation through virtual application networks and security applications like Network Protector, which provides malware protection and intrusion prevention. The document provides examples of customers using HPE's SDN solutions and the benefits of risk-free SDN deployment.
Using sdn to secure the campus - Networkshop44
- 1. Using SDN to secure the campus Hewlett Packard Enterprise Eugene Berger HPE Aruba CTO, UK&I @Eugatwork
- 2. Cloud and Datacenter Leader Leadership in both SMB & enterprise networking Leading the Mobility and Campus Enterprise HPE and Aruba – Better Together
- 4. HPE SDN vision and strategy SDN provides programmable networks that rapidly aligns to business applications Data center, campus & branch automation Open Standards ecosystem Reignite innovation Easily accessible marketplace Agility Alignment Coexist with brownfield Platform for innovation Use case-led Automation & simplicity
- 5. Journey to Software-defined Networking HP & Stanford collaborate and demo OpenFlow HP Ships 30 Million SDN-Enabled Ports & SDN Controller Software-defined Networking 2007 2011 2015+ Solving the problems of the New Style of IT SDN is Now Security Cloud Big Data Mobility Innovation
- 6. Defining Software-defined Networking Open standard-based programmatic access to infrastructureInfrastructure Control Application Separate control and data plane; abstract control plane of many devices to one Deliver open programmable interfaces to orchestrate network service automation SDNArchitecture Source: opennetworking.org
- 7. Delivering the functions of an SDN architecture Software-defined Network components Infrastructure Control Application Separate control and data plane; abstract control plane of many devices to one Deliver open programmable interfaces to orchestrate network service automation SDNArchitecture Open standard-based programmatic access to infrastructure Network Device Network Device Network Device Controller Open Programmable Interface Cloud Orchestration SDN Applications Open Programmable APIs
- 8. Virtual Application Networks SDN Controller Infrastructure SDNArchitecture Programmable network aligned to business objectives Virtual Application Networks deliver automation, agility Virtual Cloud Network Protector Load Balancing Partner Apps Network Optimizer ConvergedControl Design Implementation and Support Services Over 30 million ports across 50 Switches 10 Routers VAN Network Resource Automation Intelligent ManagementCenter VAN SDN Manager Management Applications Control VAN Server Connect VXLAN, NVGRE
- 10. Snapshot of Where We are Today 92 Members OptimizationSecurity Orchestration Select SDN Customers 21 SDN Apps
- 11. Enabling real-time threat protection across enterprise networks HPE Network Protector – Security • Malware/Botnet/ Spyware Protection • IPS as a Service • Security Sensors & Actions TippingPoint
- 12. HP Network Protector – IPS Integration Core Distribution Edge Threat Management Center (1M+ bad sites) • Reputation(piratesmustdie.com) Malware • Inspect all User traffic Bad DNS Response IPS SDN Controller & Network Protector
- 13. South Washington County Network Protector SDN App • Maintain 31-site wired and wireless network serving over 30,000 users with 1 staff member • Deploy in less than 1 hour • Fraction of the cost, $200K vs $2million of hardware
- 14. Roseville – R&D Protector
- 15. Roseville – R&D Protector
- 16. SDN: Knowing the context vs guessing - Clearpass Traditional Network ‘guessing’ User/Application Directed ?? Traffic Classification Identity Inference Context Inference Telemetry Inferred Network Policy Inferred Action AppUser Traffic Classification Telemetry Network Policy Coordinated Action Identity Event Context Service Request CLEARPASS
- 17. SDN Customer References SDN Customer References Brochure
- 18. Thank you 18
- 19. 19CONFIDENTIAL © Copyright 2015. Aruba Networks, an HP company. All rights reserved. Network Optimizer Customers SDN Customer References Brochure
- 20. HPE VMware Network Virtualization (SDN) collaboration Network virtualization solutions can run over any IP network, but app performance/reliability and service delivery rely on underlying physical network. VN = logical network services L2/3, L4-7 - connected to workloads
- 21. Problem: Data Center Network Security Perimeter-centric network security has proven insufficient, and micro-segmentation is operationally infeasible Little or no lateral controls inside perimeter Internet Internet Insufficient Operationally Infeasible +
- 22. Why traditional approaches are operationally infeasible… Internet Perimeter Firewalls • Create firewall rules before provisioning • Update Firewall rules when move or change • Delete firewall rules when app decommissioned • Problem increases with more East-West traffic +
- 23. VMware NSX makes micro-segmentation possible Internet Security Policy Perimeter Firewalls Cloud Management Platform +
Editor's Notes
- #5: Bullets: Our vision for SDN is to create a programmable network that delivers business applications quickly To offer agility for the network As well as alignment for the network It has to include consistent architecture across the enterprise: DC, campus and branch It must be built on open standards that enable an open ecosystem, so that everybody can participate – partners, customers and developers And that open ecosystem will reignite innovation for the networking industry (new apps) And those innovations need to be easily accessible to customers in a new marketplace that enables new business models
- #9: Virtual application networks deliver automation and agility. We are the first in the market to have a complete portfolio for each layer of SDN architecture.
- #10: Phase 1: SDN Ready Deploy: SDN-enabled networks Benefits : - Investment protection - Open Standards - Low risk Phase 2: Hybrid SDN (now) Deploy: Hybrid Mode SDN Networks Benefits: - Application aware network - Reduced complexity - Non disruptive Phase 3: Native SDN Deploy: End-to-end SDN Networks Benefits: - Fully programmable - Highly automated - Rapid innovation
- #18: Ballarat Grammar The Bama Companies Deltion College Faculty of Science and Technology - Universidade Nova de Lisboa Istanbul Kultur University RMIT University South Washington County Schools The Via Group UBM – InteropNet Lancaster University – SDN Symposium
- #20: J. R. SIMPLOT LOWNDES COUNTY SCHOOL DISTRICT DREAMWORKS ANIMATION SKG VICTORIA & ALBERT MUSEUM TATA CONSULTANCY SERVICES ADRIENNE CENTER FOR THE PERFOR STICHTING DELTION COLLEGE BDX FÖRETAGEN AB AL MEHBAJ TRADING EST KUWAIT AIRWAYS CORPORATION K.S.C. KÜLTÜR ÜNIVERSITESI TRANS-SYSTEM INC LEVI STRAUSS & CO. ENTEL S.A. UNIVERSITY OF ST.FRANCIS WORLDCOM EXCHANGE INC FACHHOCHSCHULE DÜSSELDORF SMART COMMUNICATIONS, INC.
- #21: With NSX, virtual networks are programmatically created, provisioned and managed, utilizing the underlying physical network as a simple packet forwarding backplane. Network and security services in software are distributed to hypervisors and “attached” to individual VMs in accordance with networking and security policies defined for each connected application. When a VM is moved to another host, its networking and security services move with it. And when new VMs are created to scale an application, the necessary policies are dynamically applied to those VMs as well.
- #22: It’s important to understand the challenge micro-segmentation solves, because it’s one that has been know but not solvable in reality until now. If we look at all the well publicized attacks over the last couple of years, Target, Home Depot, Sony and more they all were different from a hacker code perspective, but they all had one thing in common…once the threat got through the perimeter defense, whether through the firewall or from the inside…there was little of no lateral controls to keep the threat from moving from server to server until it found what it was looking for and started pumping out credit card numbers or other private information Nirvana to most security teams is “micro-segmentation” or a “zero-trust” approach. However, even if your company can afford the capital expense for enough firewalls to deliver the throughput capacity required to achieve high availability micro-segmentation for East-West traffic in your data center, the operational complexity of managing changes, VM movement, policy granularity, unsustainable policy table changes across all of these firewalls quickly becomes operationally infeasible.
- #23: It’s easy to understand why traditional approaches are operationally infeasible… When packets leave the VM they must traverse the network to be evaluated and enforced at a chokepoint firewall. That means that when the VM was provisioned, someone had to write the rules and put them into the firewall, a time consuming, error prone process that slows down application provisioning...then, if the VM ever moves, the firewall likely needs to be manually updated and if the VM is deleted, the firewall should be manually updated to remove the rules for the deleted VM. All combine to make this operationally infeasible at scale.
- #24: So how does an SDDC approach make it feasible? We automate everything, when a VM is provisioned, it’s security policies are provisioned with it, so that when the packet leaves the VM, it is evaluated and enforced, right at the virtual interface Then is the VM ever moves, the rules move with it, and if the VM is ever delete, the rules are deleted with it…no human interaction, it’s all automated.