Security and Software-Defined Networks

Michael Berman

Tue, 9th October 2012

Speaker Bio 1:
Michael joined Catbird as Chief Technology Officer in October 2006, with over 20 years' experience in system engineering, architecture, design and implementation of secure computing. At Catbird, Michael has been responsible for the design and requirements for Catbird vSecurity, the industry leader in security virtualization.


Max, Concise Courses:
It’s 12 p.m. Eastern Standard Time. I have Michael Berman with us. Probably some of you know about Michael. He’s going to be a keynote at Hacker Halted in Miami. So if anybody’s going to Hacker Halted, there might be an opportunity to actually meet Michael in person. So, Michael, before we get into the content, can you please tell us a little bit about yourself and your area of expertise? And then just give us a broad overview, initially, on exactly what software-defined networks are.

Michael Berman:
I’ll do my best. Thanks for having me on. Basically, I’m a security guy. I’ve been doing Unix network security for, at this point, longer than I would like to admit. The last six years I was CTO at Catbird. And at Catbird we developed, or they’re developing, a specific set of security solutions for virtualization. In doing that development work, what I realized is that we’re in the midst of a transformation in a very significant way. And folks like VMware call this a journey to the cloud. And so if we look at that journey to the cloud, we start with server consolidation and the transformation of server workloads to a software object, where physical systems become virtual machines. Those virtual machines are software objects being executed by a hypervisor.

And part of this transformation, that change, that evolution from hardware to software, is also occurring with other technologies in the data center. The most significant next step being the virtualization of networking and the transformation of networking objects, routers, switches, and other technologies into software objects. And what’s important about this transformation is that you are getting a decoupling of the software technology from the hardware technology. And the results of this decoupling, well, there are many results. Some of the significant results are an acceleration of change. So that your networks, your servers, your configuration, your architecture, since it’s all now software objects, it can be reconfigured on demand. It can be reconfigured automatically. It can be elastically grown or shrunk.

And it allows for a new scale of data center deployment and operations at a speed and pace we’ve never seen before. Because now you can deploy systems at machine speed, not with sort of the physical aspect of human beings unpacking crates and racking and stacking. Now, you can have thousands of systems being deployed within minutes; and similarly, networks being deployed and networks being reconfigured at that same rate, at that same velocity. And then the next step after that is: How do we secure all of this? So everything’s a software object.

We’ve got a decoupling of the management control layers from the physical systems underneath, and a capability for reconfiguring everything on the fly. So security has to accelerate to that same pace, to that same scale. So now our security objects, and I’m using the term object here because it really could be any object that we’re familiar with in the physical domain. So it could be firewalls. It could be vulnerability scanners. It can be network access control components. It could be VLT, you know, name your physical security appliance, whatever your favorites are.

All of these things have to transform as well to this new regime, where pretty much everything is software. And we have to understand how to secure the management and application layers, which are decoupled from the hardware, and then provide those same security capabilities that we need in that new software defined environment.

So those capabilities now have to be oriented towards logical attributes and not physical ones. So things like IP address, MAC address, location, these cannot be important to you in terms of your security policy. Your security policy has to be able to operate where your workloads are mobile, where your software networks are being reconfigured or created on the fly. Therefore, your security policy has to adapt and change automatically as the data center adapts and changes as well. So all of these things are accelerating.

We can evolve software and change software much more rapidly than we can with the physical systems that we have in the data center. So this is going to cause a huge change in how fast we see new technologies getting rolled out.

Max, Concise Courses:
Sounds good to me. If we can pull up the presentation and just click through that. Of course, it’s going to be a bit of a teaser in advance of your Hacker Halted presentation. But whenever you’re ready, go for it.

Michael Berman:
Are you seeing that now?

Max, Concise Courses:
Yes, sir.

Michael Berman:
So now at the top of the slide we have this rectangle or this plane, if you will. I’m calling it the management and control layer. And that’s pretty much always been software. So if you crack open a switch from any of the big vendors or a router from any of the big vendors, inside that appliance, that piece of hardware, there’s always been this management control layer, which is software.

Those of you familiar with Cisco, that might be IOS or Nexus, or JUNOS, the different software operating systems that all the networking vendors provide in terms of their appliances. But also inside that physical appliance, there’s a data plane, a backplane, if you will, that connects the switchboards or connects the interfaces in a very high-performance way.

But what has happened in software-defined networking is that the appliance has been broken apart. And it’s no longer necessary that the management capabilities are embedded in the same hardware, even if that hardware exists; and it may not. That is, the movement of packets or the movement of data from Interface 0 to Interface 1, or Switch port 2 to Switch port 3. So what we have is that decoupling, and I represent it by that purple arrow, which means you can have pieces of the router or pieces of a switch or switches distributed in the data center, acting like a single, physical entity.

But really it’s a collection of software objects running in multiple locations at the same time. And those locations don’t have to be in the same physical data center or region.

So you can have a software-defined network, a VLAN, if you will, or really a LAN, like a physical LAN, but now it’s all represented as a software object. And that software object can be stretched across multiple locations around the world.

That physical locality of having to be adjacent in, or adjacent in a corporate campus, is no longer required. That network can be stretched across multiple locations. Many different entities are effectively affiliated or become members of that network. You know, maybe they’re assigned IKEA addresses, maybe they’re assigned some other addressing scheme. We’re not limited to the IP protocol or TCP/IP.

Another cool thing about these software-defined networks, and really the reason they were originally developed, was that people could experiment with different kinds of networking protocols and networking capabilities. So, again, in any software-defined network you could have one piece of physical hardware, or many pieces of physical hardware, and then different kinds of software-defined networks instantiated on that hardware layer, but then creating a new software layer for TCP/IP or IPv4, IPv6, who knows. I can’t really imagine all the capabilities, but that’s the point.

All of that can be deployed, redeployed, and changed on the fly. And the entities that are connected to that network are completely fungible. Attributes can change. Location can change. You know, we talk about disaster recovery operation advantages here. So entire data centers can live migrate between locations. Or workloads can live migrate. We can make it look like nothing has changed.

So to users of this environment, to applications and processes running in these environments, there’s no hiccupping. There’s no interruption of service. Service is continuous, even though the underlying hardware may be changing all the time. And the second slide I brought up, it’s just to sort of illustrate this purpose from a security point of view. We need to, and this is the red boundary that I put around the management control layer, you need to protect your privileged access. You need to audit the behavior of your privileged users and processes.

Now, remember, human beings are going to be less and less involved in what’s going on here. So many of these things are going to be occurring at machine-driven speeds due to automation and orchestration. So the security of this management has to operate in the same fashion. It has to scale in the same fashion. It has to orchestrate. It has to automate. And you have to be able to instantiate as a policy what changes you allow, what configurations you consider secure.

And then what are you going to do? How do you automate a response when those changes are out of spec or when the behavior of a management application is unauthorized? And similarly, you now have these hardware and software entities, not only distributing your data center, but potentially distributing it around the country and the world at multiple data centers.

But they’re members of a network, or they’re members of a logically segmented security zone. And again, that security zone is not defined by a physical firewall or a VLAN or air gapping of copper or fiber, you know, these things are all interconnected through a software object, which happens to be a network.

And we have to instantiate the security control in the same manner, so that we have the segmentation and the logical isolation between entities and between groups of these entities, zones of trust, such that we have the proper security boundaries so we can protect sensitive data. We can protect credit cards. We can protect patient health care information. You know, whatever sensitive data is in your organization, you need to be able to protect it, even though that data may not be within the four walls of your business anymore.

It may be in your private cloud at one moment and in a public cloud or shared hosting or DR site the next minute. And you need to have that capability, because you want that resilience, and you want that continuity of the operations. You want that performance. You want that elasticity. But at the same time, our security must operate in the same manner so that the security follows those workloads and the policies are always being enforced. And, of course, it has to be automated.

Questions and answers

Max, Concise Courses:
So Michael, are you offering consulting services for companies who are interested in pursuing SDN?

Michael Berman:
Well, I’m always available professionally to help out wherever I can. As a security professional, I provide consulting and advisory services whenever and wherever I’m able to. And I’m a product guy. I’m a start-up guy. I expect to be engaged in another start-up real soon now; but in the meantime, or really whenever, people should feel free to reach out.

Max, Concise Courses:
Good, because it was very, very well explained. Tell me, who are the main players in this space? Who should people be following or taking a look at?

Michael Berman:
Of course, one of the big players in this space is VMware. You could say they initiated this. They certainly get credit for creating a common layer, a general-purpose system, through ESX that is now enabling all of these technologies. Similarly we have Hyper-V, we have Red Hat with KVM.

All of these are platforms that are important enablers of this technology. But independently of that, we have another, really what started as a research thread, you know, what I call a lab experiment, where we had folks at Stanford and elsewhere participating in OpenFlow and software switching and other capabilities. And that turned into a company called Nicira. So what we should expect to see is other start-ups entering the space. All the major networking communications factors are going to have to play in this space.

Because this is the future for how mobile devices, physical devices, virtual devices, all these different software entities and physical entities, are going to be strung together in a communications network.

And it’s the only kind of network that will support 300 million mobile phones today, and a billion smartphones next year. So we really have no choice but to embrace these technologies. And it’s going to be very disruptive to established players who have a multibillion-dollar physical client’s fee.

Max, Concise Courses:
Sounds good to me. You’re very much at the forefront with that. And I want to wish you all the luck with all of your projects going forward. Michael, we’re a quarter past. It was really, really well explained. Thank you for taking the time and bringing the conversation to a level that was certainly very accessible. So thanks, Michael. Looking forward to seeing you in Miami.

Michael Berman:
Thank you.

Max, Concise Courses:
Thank you, sir. Have a great day.