Security, Resiliency and Other Challenges
Erik Linask, Group Editorial Director, TMC
elinask@tmcnet.com
Twitter: @elinask
www.nfvzone.com / www.sdnzone.com

Security, scalability, resiliency = Traditional Deterrents
Now, we are telling telcos they need to virtualize and “cloudify”

Security, Resiliency and Other Challenges
Glen Gerhard, VP, Product Management, Sansay
Nabil Damouny, Sr. Director, Strategic Marketing, Netronome
Security Concerns
• Very similar unless using a cloud infrastructure
[Diagram: Dedicated, VM and Cloud deployments, each with a protected and a public network side]

Resiliency Concerns
• VM can be made HA and fault tolerant
• Easier and cheaper than h/w based systems
• Cloud can be even more dynamic, normally not HA
[Diagram: master-slave route management plane (ROME), session processing plane (INX) and media handling plane (MSX)]
Resiliency
• Geographic redundancy easy with both

PCI Compliance
• Very tightly controlled architecture
• Cloud support possible with hybrid systems
Security & Resiliency in SDN & NFV
Nabil Damouny
Sr. Director, Strategic Marketing, Netronome
Vice Chair, Market Education Committee, ONF
Editor, Compute Domain, ETSI NFV
nabil.damouny@netronome.com

Agenda
• Netronome … Intro
• Network security services
• Deploying L4-L7 services in SDN-OpenFlow
• Inserting L7 intelligence in the data path
• ETSI NFV – complementary to SDN
• Faults & resiliency in NFV
• Summary

Company
• Fabless semiconductor company
• Best-in-class flow processors
• Designed for 10/40/400G communications designs
Product and Markets
• Leader in SDN-OpenFlow
• Leader in NFV … COTS architecture
• Cybersecurity
• Sole licensee of Intel IXP Processor IP
• Intel 22nm tri-gate process
• 100+ Patents
[Map: worldwide headquarters, research and development centers and regional sales and support centers in Cambridge, Boston, Santa Clara, Pittsburgh, Beijing, Tokyo, Shenzhen and Johannesburg]
What Are Layer 4 through 7 Services?
• OpenFlow switch / L2-L4 forwarding
  • Switching
  • Routing
  • Packet forwarding
  • OpenFlow
  • Architectures optimized to process individual packets
• L4-L7 services
  • Security
  • Load balancing
  • WAN optimization
  • Architectures optimized to process flows and content
Categorized by depth of Layer 4 through 7 inspection:
• No Flow Inspection: OpenFlow switch
• Flow Monitoring: test and measurement, policing and metering, Quality of Service (QoS), traffic analysis
• Partial Flow Inspection: load balancer, next-generation firewall, WAN optimization, web application firewall
• Full Flow Inspection: anti-virus / anti-spam, intrusion prevention system (IPS), SSL inspection, VPN
There are 4 service categories with specific processing requirements

Suggested Deployment Models
1. Running as applications on the controller (Application Layer)
  • Controller programs SDN switch on per-flow basis
2. Standalone network appliance (Infrastructure Layer)
  • Traffic directed to appliance either based on static policy or dynamically driven by controller
  • Legacy or OF-enabled
3. Intelligent switch with Layer 4-7
  • Full Layer 4-7 network services running on intelligent switch
  • Intelligent switch becomes L2-L7 device
[Diagram: Application Layer (applications, Layer 4-7 services); Northbound APIs; Control Layer (network controller, SDN control software); Southbound API; Infrastructure Layer (network devices, Layer 4 through 7 appliance, intelligent switch with Layer 4-7)]
Different deployment models to best fit service requirements, including performance and latency.

Use Case: Advanced Traffic Analysis
• Embedded DPI feeds network intelligence to services on L7 device
• Application flows forwarded directly to specialized service processing
• Requires L4-L7 intelligence embedded directly in switches
[Diagram: a Layer 4-7 network device on the GGSN data plane performs protocol and application identification (Web, Video, IM, VoIP, Email, P2P, Other) and forwards flows to Layer 7 network service devices for video optimization, QoS/QoE, analytics, traffic steering and content filtering]

SDN Data center … Intelligence is at the Edge
SDN Gateway
• Interconnect new virtualized networks and legacy
• Focus on Gateway for Multi-tenant Data Center-to-MPLS WAN
NFV Appliance
• Open, programmable host for virtual applications
• Focus on ETSI NFV Use Cases: two out of 9 pre-defined use cases
  • Use Case #5: VNF as a service
  • Use Case #6: Service Chaining
Examples of types of Faults
• Failure of the VNF
  • Application Crash, Overload condition
  • Tolerable if clustered topology, Service degradation (SD) possible
• Failure of the VM
  • OS Crash, Resource exhaustion
  • Tolerable in clustered topology, SD possible
• Failure of the Hypervisor
  • Tolerable in clustered topology, SD
• Failure of the server
  • OS Crash, Resource exhaustion
  • Tolerable in clustered topology, SD possible
• Failure in the physical Infrastructure
  • Device power cycle/crash, Loss of Connectivity
  • Tolerable if infra is HA capable
[Diagram: VNF1 across VM1 to VM4 (each with OS, CPU, memory, disk and I/O) on two hypervisors hosted on X86-1 and X86-2 over the physical network infrastructure; impact grows from less severe (VNF) to more severe (physical infrastructure)]

SDN-aware NFV security platforms
• Netronome offerings
  • Flow processors scaling to 200Gbps
  • FlowNICs for acceleration of standard servers
  • Production-ready reference platforms
SDN-aware security platforms
• Features and benefits
  • 216 programmable processing cores
  • 4 x PCIe Gen 3 to connect to x86 sockets
  • 200Gbps+ throughput to standard servers
  • Support >500 BIPS per 2U to apply to workloads in NFV environments
  • Support for high-touch security applications
• Fully SDN capable
  • Support for OpenFlow 1.3
• Carrier grade resiliency in COTS server architecture platforms
  • Numerous high-availability options
  • Integrated fail-to-wire
  • Active-passive and active-active HA modes of operation
Netronome’s FlowNICs and reference platforms are ideal to solve the security and resiliency challenges facing SDN and NFV
Looking Ahead
• What are some of the obstacles for a Telco to work with ISV's in the security area?
• How can a Telco achieve the traditional 5 9's reliability? How about high availability?
• Is it easier and less costly to design for redundancy, in NFV & SDN?
• How about Federation and the need for interoperability between carriers?
• What is the role of cloud orchestration in security & resiliency?

ETSI ISG NFV Structure
• ISG E-E Documents (Ratified)
  • Architecture Framework
  • Use Cases (9 total)
  • (Business) Requirements
  • Terminology
• Technical Working Groups
  • Infrastructure (INF)
  • Software Architecture (SWA)
  • Management & Orchestration (MANO)
  • Reliability & Availability (REL)
  • Performance Expert Group (PER)
  • Security Expert Group (SEC)
Source: ETSI ISG NFV
SDN & NFV are complementary & synergistic.

Topologies for hosting Network Functions in VMs
Simple vs. Clustered VNFs
• Single instance topology
  • VNF deployed on a single virtual machine.
• Clustered or Composite Topology
  • Consists of multiple VNF Components (VNFCs)
  • L2/L3 connectivity between VNF instances when multiple physical servers hosting same VNF.
[Diagram: NFV deployment examples 1 to 5, ranging from single VNFs on VMs of one x86 host to VNF1 clustered as VNFC1 to VNFC4 across VMs on X86-1 and X86-2]
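To make the tolerability rules from the fault slide concrete for the single-instance and clustered topologies above, here is an added example (my own code, not Netronome's or ETSI's): a small Python model in which a fault at one layer takes down everything hosted above it on that node, and the VNF is reported as unaffected, degraded (tolerable, SD) or in outage. Host, VM and VNFC names follow the slides; the placements, the 1:1 hypervisor-to-server assumption and the propagation rules are constructed.

```python
# Added example (not from the slides): fault-impact model for the single-instance
# vs. clustered VNF topologies; names follow the slides, placements are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Vnfc:
    name: str     # VNF component, e.g. "VNFC1"
    vm: str       # hosting VM; VM names are unique across the deployment (constructed)
    server: str   # x86 host; the hypervisor is assumed to be 1:1 with its server

@dataclass
class Deployment:
    vnf: str
    vnfcs: tuple
    infra_ha: bool = False   # "tolerable if infra is HA capable"

def surviving(dep: Deployment, layer: str, target: str) -> list:
    """VNFCs still running after a fault at `layer` on node `target`.
    A fault takes down everything hosted above it on that node (constructed rule)."""
    if layer == "vnfc":
        return [c for c in dep.vnfcs if c.name != target]
    if layer == "vm":
        return [c for c in dep.vnfcs if c.vm != target]
    if layer in ("hypervisor", "server"):
        return [c for c in dep.vnfcs if c.server != target]
    if layer == "infra":                      # loss of connectivity isolates every host
        return list(dep.vnfcs) if dep.infra_ha else []
    raise ValueError(f"unknown fault layer: {layer}")

def service_state(dep: Deployment, layer: str, target: str) -> str:
    """'unaffected', 'degraded' (tolerable, SD possible) or 'outage' for the VNF."""
    alive = surviving(dep, layer, target)
    if len(alive) == len(dep.vnfcs):
        return "unaffected"
    return "degraded" if alive else "outage"

# Constructed sample deployments mirroring the two topologies on the slide.
SINGLE = Deployment("VNF1", (Vnfc("VNFC1", "VM1", "X86-1"),))
CLUSTERED = Deployment("VNF1", (
    Vnfc("VNFC1", "VM1", "X86-1"), Vnfc("VNFC2", "VM2", "X86-1"),
    Vnfc("VNFC3", "VM3", "X86-2"), Vnfc("VNFC4", "VM4", "X86-2"),
))

if __name__ == "__main__":
    for dep in (SINGLE, CLUSTERED):
        for layer, target in (("vm", "VM1"), ("server", "X86-1"), ("infra", "network")):
            print(f"{dep.vnf} ({len(dep.vnfcs)} VNFC): {layer} fault on {target} -> "
                  f"{service_state(dep, layer, target)}")
```

Flipping `infra_ha` to True is the only way the physical-infrastructure fault becomes tolerable, which matches the slide's point that clustering alone does not cover that layer.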