Slide 1
Brocade Flow Optimizer
Openlab Technical Workshop 2016
Adam Krajewski, IT-CS-CE
08/12/2016

Slide 2
Agenda
Project recap
Brocade Flow Optimizer software
Project goals
CERN contributions to BFO software
SDN-enabled IDS at CERN
Future plans
07/12/2016
Adam Krajewski – CERN
openlab

Slide 3
Brocade Flow Optimizer
SDN application developed by Brocade
Provides insight into the network traffic and enables flow steering
Dynamic programming of network devices' forwarding engines with OpenFlow
UI + REST API

Slide 4
Project overview
Collaboration between CERN and Brocade
Started in June 2015
Initial goal: enhance and generalize the Brocade Flow Optimizer (BFO) architecture
Current goals: adapt BFO to build an intelligent network traffic steering system answering CERN's needs
Define use cases and requirements for them:
Intrusion Detection System (IDS) mirroring
Firewall load-balancing
Advanced policy-based routing engine
Implement necessary features
Enhance BFO software architecture

Slide 5
CERN contributions to BFO
Fully integrated within Brocade's BFO development team
Involvement in agile sprints
Daily stand-ups
CERN's contributions to BFO software releases:
~40 JIRA issues resolved
4 feature ownerships (functional specification -> development -> SQA testing)
Three official releases in 2016
IDS use case enabled by CERN's contribution

Slide 6
IDS at CERN
CERN uses an Intrusion Detection System to scan the network traffic for possible security threats
The current setup has limited scaling capabilities
Traffic volume at the network boundaries grows continuously
A new setup is required
Scale-out capabilities
Programmability to implement additional features
[Diagram: the CERN network and the Internet, the boundary whose traffic the IDS inspects]

Slide 7
Planned setup
The traffic mirrored at the CERN firewall is distributed across a pool of 16 servers, each running the Bro open-source network monitor
Required features:
Symmetrical load-balancing: both directions of a connection must land on the same Bro server, otherwise it sees only half of the conversation
Traffic shunting: filtering out the TCP data packets of trusted flows before they reach the IDS, while the flow's control packets still get through
Selective mirroring: mirroring suspicious traffic to a dedicated server for detailed analysis
Leverage the SDN concept, with BFO playing a key role
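The three required features above, as an added example in Python that is not part of the slides and not BFO or Bro code. It models the mirror switch's rule table: a direction-independent hash for symmetrical load-balancing, a pair of rules per direction that still delivers a trusted flow's FIN/SYN/RST packets to its worker but drops its data packets (shunting), and a rule that copies a suspicious flow to an analysis port as well (selective mirroring). The `ids_decision` function stands in for the Bro-side policy that, per the next slide, triggers shunting and mirroring through the BFO plugin; the plugin's API and BFO's REST calls are not reproduced, and the hosts, prefixes, port heuristic and byte threshold are constructed.

```python
# Added example, not from the slides and not BFO or Bro code. Assumptions: exact 5-tuple
# matches, one rule per direction, numeric priorities, a TCP-flags match; constructed data.
import hashlib
import ipaddress
from dataclasses import dataclass

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
CONTROL_FLAGS = FIN | SYN | RST   # packets Bro still needs for connection tracking


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int = 6   # TCP

    def reverse(self):
        return Flow(self.dst_ip, self.src_ip, self.dst_port, self.src_port, self.proto)

    def canonical(self):
        """Order the endpoints so A->B and B->A give the same key."""
        lo, hi = sorted([(self.src_ip, self.src_port), (self.dst_ip, self.dst_port)])
        return (lo, hi, self.proto)


def pick_worker(flow, n_workers):
    """Symmetrical load-balancing: hash the direction-independent 5-tuple (sha256 only
    because it is deterministic across processes, unlike Python's hash())."""
    digest = hashlib.sha256(repr(flow.canonical()).encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_workers


@dataclass
class Rule:
    flow: Flow                  # exact match on one direction
    priority: int
    outputs: tuple              # () means drop
    control_only: bool = False  # match only packets carrying FIN/SYN/RST

    def matches(self, flow, tcp_flags):
        return flow == self.flow and (not self.control_only or bool(tcp_flags & CONTROL_FLAGS))


class MirrorSwitch:
    """Stand-in for the OpenFlow switch that BFO would program (assumption)."""

    def __init__(self, n_workers, analysis_port="analysis"):
        self.n_workers, self.analysis_port, self.rules = n_workers, analysis_port, []

    def worker_port(self, flow):
        return f"worker{pick_worker(flow, self.n_workers)}"

    def shunt(self, flow):
        """Shunting: control packets still reach the worker, data packets are dropped."""
        out = (self.worker_port(flow),)
        for d in (flow, flow.reverse()):
            self.rules.append(Rule(d, 200, out, control_only=True))
            self.rules.append(Rule(d, 100, ()))

    def mirror(self, flow):
        """Selective mirroring: copy a suspicious flow to the analysis server as well."""
        out = (self.worker_port(flow), self.analysis_port)
        for d in (flow, flow.reverse()):
            self.rules.append(Rule(d, 150, out))

    def forward(self, flow, tcp_flags):
        """Highest-priority matching rule wins; with no rule, hash to a worker."""
        for rule in sorted(self.rules, key=lambda r: -r.priority):
            if rule.matches(flow, tcp_flags):
                return rule.outputs
        return (self.worker_port(flow),)


TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # constructed bulk-transfer peers
SHUNT_AFTER_BYTES = 1_000_000                           # constructed threshold


def ids_decision(flow, bytes_seen):
    """Decision the Bro policy would hand to the controller (logic only; the BFO
    plugin and REST calls are not reproduced)."""
    trusted = any(ipaddress.ip_address(ip) in net
                  for ip in (flow.src_ip, flow.dst_ip) for net in TRUSTED_NETS)
    if trusted and bytes_seen >= SHUNT_AFTER_BYTES:
        return "shunt"
    if flow.dst_port == 23:   # constructed heuristic: telnet is suspicious
        return "mirror"
    return "inspect"


def run_demo():
    sw = MirrorSwitch(n_workers=16)
    trusted = Flow("10.1.2.3", "192.0.2.10", 40000, 443)
    suspicious = Flow("10.1.2.4", "198.51.100.7", 40001, 23)
    actions = {"shunt": sw.shunt, "mirror": sw.mirror, "inspect": lambda f: None}
    actions[ids_decision(trusted, 5_000_000)](trusted)   # large trusted transfer: shunt
    actions[ids_decision(suspicious, 0)](suspicious)     # telnet: mirror
    return {
        "symmetric": pick_worker(trusted, 16) == pick_worker(trusted.reverse(), 16),
        "trusted_data": sw.forward(trusted, PSH | ACK),           # shunted: dropped
        "trusted_fin": sw.forward(trusted.reverse(), FIN | ACK),  # still reaches worker
        "suspicious_data": sw.forward(suspicious, PSH | ACK),     # worker + analysis
    }
```

The priority ordering is what makes shunting safe for the IDS: the control-packet rule sits above the drop rule, so Bro still sees the connection close and can expire its state instead of keeping half-open connections forever. If the hardware cannot match TCP flags, the usual fallback is to give the drop rule an idle timeout rather than keep it indefinitely.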
[Diagram: mirrored traffic enters a Brocade MLXe-16 over a LAG and is distributed over a second LAG to IDS 1, IDS 2, IDS 3, IDS 4, ..., IDS x, each running Bro]

Slide 8
Full setup and status
[Diagram: mirrored traffic enters over a LAG and is distributed over a second LAG to IDS 1, IDS 2, IDS 3, ..., IDS x running Bro; BFO programs the switch, and a PCAP server is attached for detailed analysis]
Leverage BFO for dynamic flow programming
Selective mirroring and traffic shunting triggered from Bro by leveraging BFO's plugin for Bro
Prototype setup deployed in the CERN Computer Centre
Testing ongoing
Promising perspective of production deployment

Slide 9
Future plans
Finalize IDS prototype validation and proceed with deployment
OpenFlow-based load-balancing in the IDS setup
Improve current static load-balancing with a flexible, software-based solution
Further enhancements to support other use cases
Invest more effort into making the BFO architecture extensible