6th SDN Interest Group Seminar - Session6 (131210)
- 3. © 2013 NAIM Networks – All rights reserved. 3 / 34
What about security?
[Diagram: Compute Node #1 and Compute Node #2, each running a Software Switch with three VMs (OS #1–#3, each with its own NIC), connected through an IP Fabric; no security function is present.]
- 4. Today's security configuration
[Diagram: same topology; one VM slot on Compute Node #1 is occupied by a Security VM, the remaining slots by tenant VMs.]
- 5. Is there really no problem with this?
[Diagram: same topology as the previous slide, with the single Security VM on Compute Node #1.]
- 6. Are VM security products difficult??
[Diagram: same topology as the previous slide, with the single Security VM on Compute Node #1.]
- 7. Is there no way to improve this??
[Diagram: same two compute nodes over the IP Fabric, but now each compute node hosts its own Security function next to its VMs (OS #1–#3 with NICs).]
- 8. A flexible implementation using SDN?
[Diagram: each compute node keeps its local Security function; an SDN Controller running applications (App, App, App) and a Security Appliance are attached to the IP Fabric and coordinate the per-node security functions.]
- 9. Agenda
1. Virtualized Environment in Cloud
2. Cloud Management: OpenStack
3. SDN Roles in Cloud Management
4. Case: Security (SDN + DPI)
- 11. Virtualized World
Virtualization: the creation of something virtual (rather than actual) in the computer world.
Pros.
• Isolation
• Consolidation
• Testing
• Mobility
Cons.
• Concentration risk
• Cost
• Performance penalty
• Hardware support
- 12. Virtualized World: Cloud (1)
Cloud with virtualization: server virtualization and network virtualization
Remarkable growth in server virtualization
• Hypervisors: VMware ESXi, MS Hyper-V, Citrix XenServer, …
• Hardware support: Intel VT/VT-x/EPT, AMD-V
Supporting data center networks (large number of hosts and traffic)
• VLAN, GRE tunneling, VxLAN, …
- 13. Virtualized World: Cloud (2)
[Diagram: one physical server hosts a VM for tenant #1 and a VM for tenant #2; virtualization gives each tenant its own network (network for tenant #1, network for tenant #2). Source: http://www.microsoftvirtualacademy.com/ - WS-B327]
- 15. OpenStack Intro.
OpenStack is a collection of open source software projects used to set up and run cloud infrastructure (e.g., compute, storage, networking).
- 16. Evolution of OpenStack
Six-month cycle: releases are timed to correspond with the developer summit meeting.
Currently no reliable upgrade paths between releases.
Expect large deltas between releases for the next year or so as new features and core functionalities are added.

Release name   Release date        Included component code names
Austin         21 October 2010     Nova, Swift
Bexar          3 February 2011     Nova, Glance, Swift
Cactus         15 April 2011       Nova, Glance, Swift
Diablo         22 September 2011   Nova, Glance, Swift
Essex          5 April 2012        Nova, Glance, Swift, Horizon, Keystone
Folsom         27 September 2012   Nova, Glance, Swift, Horizon, Keystone, Quantum, Cinder
Grizzly        4 April 2013        Nova, Glance, Swift, Horizon, Keystone, Quantum, Cinder
Havana         17 October 2013     Nova, Glance, Swift, Horizon, Keystone, Neutron, Cinder, Heat, Ceilometer
Src.: http://en.wikipedia.org/wiki/OpenStack

Nova: server virtualization management
Quantum/Neutron: network virtualization management
- 17. Havana: Architecture
Emphasizing the management of the cloud
• Ceilometer: metering
• Heat: orchestration
- 18. OpenStack: Nova
Overview
• The core of the IaaS management system in OpenStack
• Supports large-scale deployment of compute instances
• Applied to NASA's open source cloud project, Nebula
• Asynchronous, eventually consistent communication
• REST-based API
• Hypervisor agnostic: support for Xen, XenServer, Hyper-V, KVM, UML and ESX is coming
• Horizontally and massively scalable
• Hardware agnostic: standard hardware, RAID not required
- 19. OpenStack: Neutron
Quick Intro
• Quantum/Neutron is an OpenStack project to provide "networking as a service" between interface devices (e.g., vNICs) managed by other OpenStack services (e.g., Nova)
• Manages network virtualization, just like compute (Nova) manages server virtualization
• Advocates multi-tenancy
• Technology-agnostic
- 20. Network Virtualization with Neutron
Logical Network Architecture
[Diagram: OpenStack Neutron-related components (OpenvSwitch plugin example)]
- 21. Network Virtualization with Neutron
Physical Realization: OVS Plugin – GRE Overlays
[Diagram: Compute Nodes C1, C2, C3 and a Network Node, each running a Br-int and a Br-tun bridge; VMs of tenant networks A1, A2 and B1 are spread across the compute nodes; the Network Node additionally hosts DHCP, L3 and Br-ex. At Br-tun, local VLAN tags are converted into GRE keys (and vice versa).]
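The VLAN-to-GRE-key conversion on the slide is what keeps tenants apart once traffic leaves a host: br-int tags a tenant network with a VLAN id that is only meaningful on that node, and br-tun swaps it for the cluster-wide GRE key on the way out (and back on the way in). The following is an added example written for this page, not code from the slides or from NAIM Networks; it models that mapping with constructed node names, GRE keys and frames, and follows the OVS agent's allocation policy (each node hands out its own local VLAN ids, so the same tenant network can carry different tags on different hosts while the key on the wire stays the same).

```python
"""Added example, not from the slides or NAIM Networks: a small model of how the
Neutron OpenvSwitch plugin's br-tun bridge maps node-local VLAN tags to GRE
tunnel keys (and back).  Node names, GRE keys and frames are constructed; the
allocation policy follows the OVS agent's behaviour (each node allocates its
own local VLAN ids, the GRE key is the cluster-wide network id)."""

from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Frame:
    src_vm: str
    payload: str
    local_vlan: Optional[int] = None   # tag on br-int of the node the frame is on
    gre_key: Optional[int] = None      # tunnel id carried across the IP fabric


@dataclass
class ComputeNode:
    """One host with a br-int (local VLANs) and a br-tun (GRE tunnels)."""
    name: str
    next_local_vlan: int = 1
    vlan_by_key: Dict[int, int] = field(default_factory=dict)   # gre_key -> local vlan
    key_by_vlan: Dict[int, int] = field(default_factory=dict)   # local vlan -> gre_key

    def attach_network(self, gre_key: int) -> int:
        """Allocate a node-local VLAN the first time a VM of this tenant
        network (identified by its GRE key) is scheduled on the node."""
        if gre_key not in self.vlan_by_key:
            vlan = self.next_local_vlan
            self.next_local_vlan += 1
            self.vlan_by_key[gre_key] = vlan
            self.key_by_vlan[vlan] = gre_key
        return self.vlan_by_key[gre_key]

    def egress(self, frame: Frame) -> Frame:
        """br-tun, patch-int -> tunnel port: strip the local VLAN, set the GRE key."""
        key = self.key_by_vlan.get(frame.local_vlan)
        if key is None:
            raise ValueError(f"{self.name}: VLAN {frame.local_vlan} has no tenant network")
        return Frame(frame.src_vm, frame.payload, local_vlan=None, gre_key=key)

    def ingress(self, frame: Frame) -> Optional[Frame]:
        """br-tun, tunnel port -> patch-int: map the GRE key to this node's local
        VLAN.  Returns None (frame dropped) if no VM of that network lives here."""
        vlan = self.vlan_by_key.get(frame.gre_key)
        if vlan is None:
            return None
        return Frame(frame.src_vm, frame.payload, local_vlan=vlan, gre_key=None)


def send(src: ComputeNode, dst: ComputeNode, frame: Frame) -> Optional[Frame]:
    """Carry a frame from src's br-tun across the IP fabric to dst's br-tun."""
    return dst.ingress(src.egress(frame))


def demo() -> dict:
    # Constructed tenant networks: GRE key 1001 = tenant A, 1002 = tenant B.
    c1, c2, c3 = ComputeNode("C1"), ComputeNode("C2"), ComputeNode("C3")
    a_on_c1 = c1.attach_network(1001)   # first network seen on C1 -> local VLAN 1
    b_on_c1 = c1.attach_network(1002)   # -> local VLAN 2
    b_on_c2 = c2.attach_network(1002)   # first network seen on C2 -> local VLAN 1
    a_on_c2 = c2.attach_network(1001)   # -> local VLAN 2 (same network, other tag)
    c3.attach_network(1001)             # C3 hosts tenant A only

    a_frame = Frame("A-vm-on-C1", "hello", local_vlan=a_on_c1)
    on_wire = c1.egress(a_frame)        # what the IP fabric sees: key, no VLAN
    at_c2 = send(c1, c2, a_frame)       # re-tagged with C2's own VLAN for tenant A

    b_frame = Frame("B-vm-on-C1", "tenant B data", local_vlan=b_on_c1)
    at_c3 = send(c1, c3, b_frame)       # C3 has no tenant-B VM -> dropped

    return {
        "a_vlan_c1": a_on_c1, "a_vlan_c2": a_on_c2,
        "b_vlan_c1": b_on_c1, "b_vlan_c2": b_on_c2,
        "wire_key": on_wire.gre_key, "wire_vlan": on_wire.local_vlan,
        "a_vlan_at_c2": at_c2.local_vlan,
        "b_dropped_at_c3": at_c3 is None,
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from running it: tenant A is VLAN 1 on C1 but VLAN 2 on C2, yet both sides agree on GRE key 1001, so the local tag never has to be coordinated between hosts; and a node that has no VM of a given network simply has no ingress mapping for that key, which is the isolation property the overlay relies on.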
- 22. OpenStack with Virtualization
Realizing *-as-a-service with server and network virtualization using OpenStack components
Source: Dan Wendlandt – Quantum Hacker & PTL. Note: "Quantum" → "Neutron"; the name "Quantum" is no longer used.
- 24. SDN Overview
• Agility on networks
• Controllability of the entire network
• Centralized network management
[1] Van Jacobson et al., "Networking Named Content", CoNEXT 2009.
[2] Thomas Michael Bohnert, "SDN in the Cloud", invited talk @ CNSM 2013.
- 25. SDN Roles in OpenStack
Centralized control of the network using OpenStack
[1] Thomas Michael Bohnert, "SDN in the Cloud", invited talk @ CNSM 2013.
- 26. SDN Roles in OpenStack
Why OpenStack + SDN?
• Finally frees applications from being aware of specific networking details (ports, IP addresses, etc.)
• Reduces network management complexity
[Diagram: Orchestration (OpenStack) on top of the physical machines and virtual machines, i.e. the servers on the network infrastructure]
- 27. SDN Roles in OpenStack
OpenStack test bed with SDN in NAIM Networks
[Diagram: Compute Node #1 and Compute Node #2, each running OpenVSwitch (OVS) with three VMs (OS #1–#3, each with a NIC); a Controller Node, a Network Node (Neutron with an SDN plugin), an SDN Controller and an OpenFlow Enabled Switch connecting them]
- 29. Overview
Current security appliances
• Cost: expensive
• Maximum bandwidth limits
• (Mostly) all the traffic is passed through the security appliances
Idea
• Distributed DPIs
• Managing and controlling distributed DPIs using SDN
Advantages
• Auto-scaling network resources
• Service chaining
Participants
• NAIM Networks (http://www.naimnetworks.com): 서영석 (team lead), 최영락 (manager), 이정복 (manager)
• OpenFlow Korea (http://www.openflow.or.kr): 조충희, 임덕선
- 30. Architecture (1)
Logical Architecture
[Diagram: the Controller gathers network data from the Cloud Environment (VMs on OpenVSwitch+DPI on each host), keeps Data Models, compares the actual state to the desired state, and applies Analysis + Reasoning + Learning before pushing control back to the OVS+DPI instances]
- 31. Architecture (2)
Architectural Components
[Diagram: an OpenFlow Enabled Switch connects two physical machines, each running OVS and DPI beneath three VMs (OS #1–#3 with NICs); the SDN Controller, a Security Appliance and a Log Analyzer sit beside them, and the DPI instances report to the Log Analyzer via syslog]
- 32. Case: Demo
Scenario
• Network with anomalous traffic
• OVSs monitor traffic and send flow information to the "Analyzer"
• DPIs in each physical machine monitor traffic
• Controllers control all of the OVSs and OpenFlow enabled switches
Let's see a short movie (about 2 min)!
(One month was spent on this prototype)
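The demo scenario and the logical architecture on slide 30 describe one control loop: OVSs report flow information, the analyzer turns it into a desired state, and the controller reconciles the switches with that state. The following is an added example written for this page, not the prototype's code or NAIM Networks' analyzer; the flow records, the fan-out heuristic (a source touching many distinct host/port pairs in one interval) and the rule dictionaries are all constructed to show the "compare actual state to desired state" step concretely.

```python
"""Added example, not from the slides or NAIM Networks' prototype: a minimal
"Analyzer" step for the demo scenario.  The OVSs are modelled as reporting
flow records; the analyzer derives a desired state (which sources should be
blocked), diffs it against the controller's actual state, and returns the
rule changes the controller should push.  The flow records, the fan-out
threshold and the rule dictionaries are constructed for illustration."""

from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set


class FlowRecord(NamedTuple):
    node: str        # OVS that reported the flow
    src_ip: str
    dst_ip: str
    dst_port: int
    packets: int


# Constructed sample: normal client/server traffic plus one source on C1
# that touches many hosts and ports with single packets.
SAMPLE_FLOWS: List[FlowRecord] = [
    FlowRecord("C1", "10.0.1.5", "10.0.2.10", 80, 120),
    FlowRecord("C1", "10.0.1.5", "10.0.2.10", 443, 90),
    FlowRecord("C2", "10.0.2.10", "10.0.1.5", 80, 118),
] + [
    FlowRecord("C1", "10.0.1.9", f"10.0.2.{host}", port, 1)
    for host in range(10, 14)
    for port in (22, 23, 80, 445, 3389)
]

# Assumed heuristic: a source contacting this many distinct (host, port)
# pairs within one reporting interval is treated as anomalous.
FANOUT_THRESHOLD = 8


def fanout(flows: Iterable[FlowRecord]) -> Dict[str, int]:
    """Distinct (dst_ip, dst_port) pairs per source, merged across all OVSs."""
    targets = defaultdict(set)
    for f in flows:
        targets[f.src_ip].add((f.dst_ip, f.dst_port))
    return {src: len(t) for src, t in targets.items()}


def desired_state(flows: Iterable[FlowRecord], threshold: int = FANOUT_THRESHOLD) -> Set[str]:
    """Sources that should be blocked, derived from the gathered network data."""
    return {src for src, n in fanout(flows).items() if n >= threshold}


def drop_rule(ip: str) -> dict:
    """Constructed placeholder rule shape, not a real controller API."""
    return {"action": "drop", "match": {"nw_src": ip}}


def plan_changes(actual_blocked: Set[str], desired_blocked: Set[str]) -> Dict[str, List[dict]]:
    """Compare the actual state (rules the controller has installed) with the
    desired state and return what to install and what to remove."""
    return {
        "install": [drop_rule(ip) for ip in sorted(desired_blocked - actual_blocked)],
        "remove": [drop_rule(ip) for ip in sorted(actual_blocked - desired_blocked)],
    }


if __name__ == "__main__":
    wanted = desired_state(SAMPLE_FLOWS)
    print("fan-out per source:", fanout(SAMPLE_FLOWS))
    # Pretend the controller still holds a stale rule for 10.0.1.3.
    print("changes to push:", plan_changes(actual_blocked={"10.0.1.3"}, desired_blocked=wanted))
```

Merging records from every OVS before computing fan-out is the reason a distributed deployment still gets a network-wide view: a source spread thinly across several hosts looks normal to each DPI or switch on its own. The diff step is what makes the loop idempotent, so re-running the analyzer on the same data produces no spurious rule churn on the switches.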
- 33. Summary
• Separated virtualization management: server virtualization and network virtualization
• OpenStack was originally designed for server virtualization management, but it started to (officially) support network virtualization with the Folsom release
• "OpenStack + SDN" supports better orchestration with centralized network management and abstraction from network details
• We showed one security prototype that can be directly deployed in an OpenStack+SDN environment