Chapter 3: Software-Defined Networking Security and Network Programmability

Summary

This document contains exam questions and answers related to software-defined networking, network security, and network programmability. It also includes an introduction to SDN and its related concepts, such as SDN security, network programmability, and APIs.

# Chapter 3: Software-Defined Networking Security and Network Programmability

This chapter covers the following topics:

* Software-Defined Networking (SDN) and SDN Security
* Network Programmability

## Introduction

This chapter starts with an introduction to SDN and various SDN Security concepts such as centralized policy management and micro-segmentation. The chapter also introduces SDN solutions such as Cisco ACI and modern networking environments like Cisco DNA. You will also learn about network overlays and what they attempt to solve. The second part of this chapter provides a general overview of network programmability and how networks are being managed via modern application programming interfaces (APIs). This chapter also contains references to help enhance your learning.

## Exam Objectives Covered

The following SCOR 350-701 exam objectives are part of what is covered in this chapter:

* **Domain 1: Security Concepts**
  * **1.7** Explain northbound and southbound APIs in the SDN architecture.
  * **1.8** Explain DNA Center (DNAC) APIs for network provisioning, optimization, monitoring, and troubleshooting.

## "Do I Know This Already?" Quiz

This quiz is designed to help you gauge your current knowledge of the topics covered in this chapter. If you are uncertain about your answers, it is recommended to read the entire chapter.

| Foundation Topics Section | Questions |
|---|---|
| Software-Defined Networking (SDN) and SDN Security | 1-5 |
| Introduction to Network Programmability | 6-10 |

The answers to this quiz can be found in Appendix A.

## Caution

The primary goal of this self-assessment is to evaluate your mastery of the topics covered in this chapter. Please do not guess the answer to any question you are unsure about. Marking a question incorrect when you are unsure of the answer will help ensure your self-assessment is accurate.

## Self-Assessment Questions

1. **Which of the following are three different "planes" in traditional networking?**
   * The management, control, and data planes
   * The authorization, authentication, and accountability planes
   * The authentication, control, and data planes
   * *None of these answers are correct.*
2. **Which of the following is true about Cisco ACI?**
   * Spine nodes interconnect leaf devices, and they can also be used to establish connections from a Cisco ACI pod to an IP network or to interconnect multiple Cisco ACI pods.
   * Leaf switches provide the Virtual Extensible LAN (VXLAN) tunnel endpoint (VTEP) function.
   * The APIC manages the distributed policy repository responsible for the definition and deployment of the policy-based configuration of the Cisco ACI infrastructure.
   * *All of these answers are correct.*
3. **Which of the following is used to create network overlays?**
   * SDN-Lane
   * VXLAN
   * VXWAN
   * *None of these answers are correct.*
4. **Which of the following is an identifier or a tag that represents a logical segment?**
   * VXLAN Network Identifier (VNID)
   * VXLAN Segment Identifier (VSID)
   * ACI Network Identifier (ANID)
   * Application Policy Infrastructure Controller (APIC)
5. **Which of the following is network traffic between servers (virtual servers or physical servers), containers, and so on?**
   * East-west traffic
   * North-south traffic
   * Micro-segmentation
   * Network overlays
6. **Which of the following is an HTTP status code message range related to successful HTTP transactions?**
   * Messages in the 100 range
   * *Messages in the 200 range*
   * Messages in the 400 range
   * Messages in the 500 range
7. **Which of the following is a Python package that can be used to interact with REST APIs?**
   * argparse
   * *requests*
   * rest_api_pkg
   * None of these answers are correct.
8. **Which of the following is a type of API that exclusively uses XML?**
   * APIC
   * REST
   * *SOAP*
   * GraphQL
9. **Which of the following is a modern framework of API documentation and is now the basis of the OpenAPI Specification (OAS)?**
   * SOAP
   * REST
   * *Swagger*
   * WSDL
10. **Which of the following can be used to retrieve a network device configuration?**
    * RESTCONF
    * NETCONF
    * SNMP
    * *All of these answers are correct.*

## Foundation Topics

### Software-Defined Networking (SDN) and SDN Security

Over the past decade, there have been numerous, significant changes and shifts in networking technologies. This is largely due to the increased demand for modern applications in a diverse range of environments, including both physical and cloud-based environments. This complexity has also introduced security challenges, including network configuration errors that may result in network downtime and security breaches. As a result, networking functions including routing, optimization, security, and so on have also changed.

Next-generation hardware and software components must support the rapid introduction of new, modern technologies and solutions. Network infrastructure solutions must keep pace with the changing business environment and support modern capabilities that help drive simplification within modern networks. These key elements are the driving force behind software-defined networking (SDN).

SDN was initially created to decouple the control function from the forwarding functions in networking equipment. The goal is to centrally manage and configure the hardware via software in order to facilitate forwarding.

### Traditional Networking Planes

In traditional networking, three distinct planes or elements work in concert to enable network devices to operate:

1. **The Management Plane** - This plane is responsible for configuration and monitoring. This is typically done via the traditional CLI or GUI. One important caveat is to remember that each vendor has its own proprietary way to configure devices.
2. **The Control Plane** - This plane is responsible for managing the Layer 2 and Layer 3 protocols. This includes Layer 2 protocols such as spanning tree protocol, and Layer 3 protocols such as OSPF, RIP, BGP, and so on.
3. **The Data Plane** - This plane is responsible for forwarding data from one interface to another within the network. This occurs entirely within the hardware.

Traditionally, the control plane was always separated from the data plane. There was no single place to configure and manage the entire network. Each device managed its own configuration and data.

### So what's different with SDN?

The SDN approach introduces the notion of a *centralized controller*. This controller has a comprehensive view of the entire network. This controller uses common management protocols to configure the network infrastructure devices. SDN controllers can also calculate reachability information from many systems and push routes in the switches. This model reflects a significant shift from a distributed, "semi-intelligent brain" approach to a centralized and "intelligent brain" approach.

### Introduction to the Cisco ACI Solution

Cisco ACI (Application Centric Infrastructure) is a network automation solution designed to streamline and simplify the process of configuring and managing modern networks. ACI enables a highly flexible and scalable approach to managing complex network policies. This solution leverages a leaf-and-spine topology where each leaf switch connects to every spine switch in the network. There is no interconnection between leaf switches or spine switches.

Leaf switches are responsible for connecting to traditional Ethernet devices such as servers, firewalls, and routers. Leaf switches are typically located at the edge of the fabric. Leaf switches also provide the VXLAN tunnel endpoint or VTEP function. VXLAN is a virtualization technology that provides network segmentation and encapsulation of Layer 2 Ethernet frames within UDP packets.
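The VTEP encapsulation just described, as an added example that is not from the book and not Cisco ACI code: a minimal VXLAN encapsulate/decapsulate pair plus a toy per-VNI forwarding table, showing that the 24-bit VNI (not the inner MAC address) is what keeps two segments apart. The inner frame, the VNI values and the port names are constructed for the example.

```python
import struct

VXLAN_UDP_PORT = 4789        # IANA-assigned UDP destination port for VXLAN
VXLAN_HEADER_LEN = 8
FLAG_VNI_VALID = 0x08        # the "I" flag: the 24-bit VNI field is valid


def vxlan_encapsulate(vni: int, inner_frame: bytes) -> bytes:
    """VTEP ingress: prepend the 8-byte VXLAN header to an inner Ethernet frame.
    Header layout: flags(8) | reserved(24) | VNI(24) | reserved(8)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    header = struct.pack("!B3xI", FLAG_VNI_VALID, vni << 8)
    return header + inner_frame


def vxlan_decapsulate(udp_payload: bytes):
    """VTEP egress: validate the header and split the payload into (VNI, inner frame).
    A header without the I flag set is discarded rather than forwarded."""
    if len(udp_payload) < VXLAN_HEADER_LEN:
        raise ValueError("truncated VXLAN header")
    flags, vni_field = struct.unpack("!B3xI", udp_payload[:VXLAN_HEADER_LEN])
    if not flags & FLAG_VNI_VALID:
        raise ValueError("VNI-valid flag not set; frame discarded")
    return vni_field >> 8, udp_payload[VXLAN_HEADER_LEN:]


def inner_dst_mac(frame: bytes) -> str:
    """The destination MAC is the first 6 bytes of the inner Ethernet frame."""
    return ":".join(f"{b:02x}" for b in frame[:6])


class ToyVtep:
    """Leaf-switch VTEP forwarding table keyed by (VNI, MAC). Because the VNI is
    part of the key, the same MAC in two segments maps to two different ports."""

    def __init__(self):
        self.table = {}

    def learn(self, vni: int, mac: str, port: str) -> None:
        self.table[(vni, mac)] = port

    def deliver(self, udp_dst_port: int, udp_payload: bytes):
        """Return the local port for a received datagram, or None when it is not
        VXLAN or the (VNI, MAC) pair is unknown (a real VTEP would flood/drop)."""
        if udp_dst_port != VXLAN_UDP_PORT:
            return None
        vni, frame = vxlan_decapsulate(udp_payload)
        return self.table.get((vni, inner_dst_mac(frame)))


# Constructed inner frame: dst MAC, src MAC, EtherType IPv4, dummy payload.
INNER_FRAME = (bytes.fromhex("0a0000000001") + bytes.fromhex("0a0000000002")
               + b"\x08\x00" + b"payload")

if __name__ == "__main__":
    vtep = ToyVtep()
    vtep.learn(5000, "0a:00:00:00:00:01", "eth1/1")   # tenant A segment
    vtep.learn(6000, "0a:00:00:00:00:01", "eth1/7")   # tenant B, same MAC
    print(vtep.deliver(VXLAN_UDP_PORT, vxlan_encapsulate(5000, INNER_FRAME)))
    print(vtep.deliver(VXLAN_UDP_PORT, vxlan_encapsulate(6000, INNER_FRAME)))
```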
Spine switches connect to all leaf switches in the network. There is a central controller in Cisco ACI called the APIC (Application Policy Infrastructure Controller) that acts as the "brain" of the Cisco ACI solution. The APIC is responsible for managing the distributed policy repository that handles policy-based configuration of Cisco ACI. The APIC also manages topology and inventory information for all devices within the Cisco ACI pod.

### VXLAN and Network Overlays

Modern networks and data centers require advanced features such as load balancing, scalability, elasticity, and faster convergence. The overlay network model is a common solution that addresses these requirements. An overlay network allows traffic to be encapsulated and tunneled over an underlying Layer 3 network. This solution enables the separation of network traffic into different segments or "tenants" while still supporting communication between these segments.

Several IP tunneling mechanisms are available to implement overlay networks. Some of the key technologies include:

* **VXLAN (Virtual Extensible LAN)** - VXLAN encapsulates Layer 2 Ethernet frames within UDP packets.
* **NVGRE (Network Virtualization using Generic Routing Encapsulation)** - NVGRE encapsulates Layer 2 Ethernet frames within GRE packets.
* **STT (Stateless Transport Tunneling)** - STT encapsulates Layer 2 Ethernet frames within TCP packets.
* **GENEVE (Generic Network Virtualization Encapsulation)** - GENEVE allows for carrier-grade, highly flexible encapsulation of Layer 2 Ethernet frames within IP packets.

The main difference between these protocols lies in the type of IP frame used. VXLAN uses UDP, STT uses TCP, and GENEVE utilizes any supported IP protocol.

### Micro-Segmentation

Traditionally, network segmentation was implemented using VLANs and subnets. This approach often led to complexities because segmentation was restricted to VLAN boundaries within a single data center.

However, the rise of virtual environments, cloud, and modern application deployments led to new challenges. Applications now need to move freely and seamlessly between servers for load balancing, performance, and high availability reasons. They must also be able to communicate across different data centers and even different cloud environments. Implementing traditional segmentation using VLANs does not effectively address these new trends.

Micro-segmentation is the solution to these challenges. Micro-segmentation takes a finer-grained approach to controlling network traffic. Policies are implemented at individual VM or container levels, regardless of VLAN or subnet. Micro-segmentation solutions utilize a "zero-trust" model. This means that no application can communicate with another application or user without an explicitly defined policy.

### Open-Source Initiatives

Several open-source projects are working to offer micro-segmentation and other advanced network capabilities. Some key examples include:

* **OpenStack Neutron** - Neutron is the networking component of OpenStack, an open-source cloud computing platform. Neutron provides networking-as-a-service within cloud environments.
* **Open vSwitch (OVS)** - OVS is an open-source, virtual switch implemented within hypervisors. It provides a virtualized networking layer for SDN and cloud environments.
* **Open Virtual Network (OVN)** - OVN is a virtualized-network solution built for increased scalability and performance within SDN.
* **OpenDaylight (ODL)** - ODL is an open-source SDN controller platform that allows you to manage multiple vendors and devices on a single platform.
* **Open Platform for Network Function Virtualization (OPNFV)** - OPNFV is an open-source platform that fosters the development and adoption of NFV technologies.
* **Contiv** - Contiv is an open-source project offering a policy-based, micro-segmentation solution for containers. It includes service discovery and routing capabilities to optimize containerized environments.

## More About Network Function Virtualization

NFV (Network Function Virtualization) is a key technology that addresses the need for virtualization of network functions. It enables the implementation of network services such as firewalls, load balancers, and intrusion detection systems as VMs (Virtual Machines). NFV allows you to deploy and manage these virtualized network nodes in a flexible, scalable, and cost-effective way. This flexibility helps address the limitations of traditional virtualization, allowing you to readily deploy and manage network services in various cloud environments.

A key component of NFV is the OPNFV (Open Platform for Network Function Virtualization). OPNFV aims to provide a standardized, open-source base infrastructure for running virtual network functions.

The following components form the foundation of a typical NFV infrastructure:

1. **Hypervisor** - The hypervisor acts as the underlying virtualization platform, which enables the execution of virtual routers, switches, and firewalls within physical servers. It allows for the simultaneous operation of multiple VMs.
2. **Virtual Forwarder** - The virtual forwarder connects individual, virtual instances to the network.
3. **Network Controller** - The network controller manages and controls virtual forwarders within the physical network.
4. **VM Manager** - The VM manager manages the various network-based virtual machines.

## NFV MANO (Management and Orchestration)

NFV introduces a new paradigm for managing networks. NFV MANO, a standardization effort under the ETSI (European Telecommunications Standards Institute), provides a framework for orchestrating and managing NFV infrastructure. NFV MANO is designed to support the flexible onboarding of network components.

NFV MANO consists of three key functional components:

1. **NFV Orchestrator** - The NFV orchestrator manages the creation and orchestration of new network services and virtual network functions, such as virtual firewalls, load balancers, and IPS/IDS. It covers lifecycle management, resource management, and authentication and validation of virtual network functions.
2. **VNF Manager** - The VNF manager manages the lifecycle of virtual appliances, including configuration and event reporting.
3. **Virtualized Infrastructure Manager (VIM)** - The VIM manages the compute, storage, and network resources for the NFV infrastructure.

## Contiv

Contiv is an open-source network solution designed to introduce microservices and policy-based services in containerized environments. Contiv provides a higher level of networking abstraction. It utilizes several built-in features such as service discovery and service routing functions. Contiv offers a variety of benefits including:

* **Unified Service Discovery**
* **Service Routing Capabilities**

## ThousandEyes Integration

ThousandEyes is a leading, cloud-based network intelligence SaaS platform that partners with Cisco to offer enhanced visibility and monitoring capabilities. ThousandEyes integration into Cisco Nexus 9000 series data center switches powered by NX-OS/Data Center Network Manager and Cisco ACI fabrics provides a comprehensive solution that enhances network visibility and control. ThousandEyes offers several key benefits:

* **Global network performance monitoring**
* **Comprehensive network insights**
* **Troubleshooting and optimization**
* **Enhanced network security**

ThousandEyes provides a range of tests to assess BGP routing, DNS resolution, browser response times, network pathing and connectivity, routing status, and VoIP streaming quality.

## Cisco Digital Network Architecture (DNA)

Cisco DNA is a comprehensive, intent-based networking solution. It provides automation and assurance services for various networking environments including campus, WAN, and branch networks. Cisco DNA's foundation is a robust, open, and extensible platform that integrates policy, automation, and analytics capabilities.

The heart of Cisco DNA is the Cisco DNA Center (DNAC). DNAC acts as a centralized management control center that leverages comprehensive dashboards and APIs to manage the network. Cisco DNA Center can be integrated with external network and security services, including the Cisco ISE (Identity Services Engine).

## Cisco DNA Policies

Cisco DNA Center provides a range of policies to effectively manage network access and security. Some key policy types include:

* **Group-based Access Control Policies** - These policies use groups to make granular access control decisions.
* **IP-based Access Control Policies** - These policies apply access controls based on specific IP addresses.
* **Application Access Control Policies** - These policies make decisions based on the types of applications used.
* **Traffic Copy Policies** - These policies enable the copying of network traffic to a specific destination for monitoring and troubleshooting.

## Cisco DNA Center Assurance Solution

The Cisco DNA Center Assurance Solution provides comprehensive and detailed network visibility. This solution includes the ability to visualize network health, gather historical and real-time insights, and leverage predictive analytics. It is designed to reduce the amount of time spent troubleshooting network issues.

## Cisco DNA Center APIs

Cisco DNA Center APIs allow you to access key functionality from the Cisco DNA Center. These APIs enable you to automate network management, implement custom solutions, and integrate with third-party applications. Cisco DNA Center provides two key API types:

1. **Intent APIs** - Intent APIs offer a policy-based approach to managing the Cisco DNA Center platform. They allow you to focus on desired outcomes rather than dealing with low-level configurations and mechanisms.
2. **Integration APIs** - These APIs enable you to integrate Cisco DNA Center with third-party devices and applications. Cisco DNA Center also provides an SDK to enable integration with non-Cisco devices.

## Cisco DNA Security Solution

Cisco DNA Security Solution has various products and features that help protect your network from cybersecurity threats. Some key components include:

* **ETA (Encrypted Traffic Analytics)** - ETA allows you to detect security threats within encrypted traffic without needing to decrypt the packets. It utilizes machine learning and other advanced techniques.
* **Cisco Secure Network Analytics (formerly known as Stealthwatch)** - Cisco Secure Network Analytics provides extensive network visibility and security analytics. It enables you to quickly identify and address security threats.

## Cisco DNA Multivendor Support

Cisco DNA Center extends its reach to support non-Cisco networking devices. This is achieved through an SDK that enables the creation of device packages specifically designed for third-party devices. Cisco DNA Center then leverages these device packages to communicate with third-party devices through their southbound interfaces. These southbound interfaces utilize various standard protocols, including CLI (Command-Line Interface), SNMP (Simple Network Management Protocol), and NETCONF (Network Configuration Protocol), to interact directly with network devices.

## Introduction to Network Programmability

The use of APIs for network programmability is becoming increasingly common in modern network environments. APIs enable you to automate tasks, eliminate manual work, and streamline workflows. Several programming languages are popular for network programmability. Python is a widely adopted choice because of its simplicity, flexibility, and powerful libraries.
## Modern Programming Languages and Tools

JavaScript, Python, Go, Swift, and various other modern programming languages provide a powerful set of tools for network programmability. Python is particularly popular as it offers a gentle learning curve and a robust set of libraries.

## Getting Started with APIs

APIs have become essential in modern application development. They offer a standardized way to interact with applications and services. Several key methods or technologies underpin modern APIs. Some of the popular choices include:

* **SOAP (Simple Object Access Protocol)** - This protocol is a standards-based approach to web services used for communication between applications and services. SOAP predominantly uses XML for its API services and is governed by XSD (XML Schema Definition) documents.
* **REST (Representational State Transfer)** - REST is a modern and increasingly popular API standard. It offers a more simplified approach compared to SOAP and utilizes JSON (JavaScript Object Notation) for data exchange.
* **GraphQL** - GraphQL is a query language commonly used for APIs in mobile apps and online dashboards. It provides flexibility and enhanced developer tools.

## REST APIs

REST (Representational State Transfer) APIs have become increasingly ubiquitous in modern applications. They allow applications to access and interact with services via standard HTTP requests.

## YANG Models

YANG (Yet Another Next Generation) is a data modeling language used to define the configuration and operational data of network devices. YANG models are specifically designed for the NETCONF and RESTCONF protocols. A network management application typically acts as the client, requesting data from the network device (server) based on the YANG API contract. The YANG model used by a network device is often referred to as a schema, defining the structure and content of messages exchanged between the client and server.

YANG offers flexibility and extensibility. You can create new YANG modules while leveraging previously defined data hierarchies and relationships.

## NETCONF

NETCONF is a network configuration protocol designed to overcome the limitations of previous network management protocols such as SNMP. It establishes a secure, reliable, and standardized method for managing and configuring network devices. A NETCONF client typically acts as a network management application, while a NETCONF server represents the network device being managed.

NETCONF sessions consist of a series of messages exchanged between the client and server. These messages are transmitted over SSH (Secure Shell), using TCP port 830 by default. This port can often be changed in the device configuration.

NETCONF messages can be categorized as RPC (Remote Procedure Call) or RPC-reply messages. RPCs are issued by the client to the server to request a specific operation. The server responds with an RPC-reply, indicating whether the request was successful or not.

## RESTCONF

RESTCONF provides a REST-based approach to network configuration. It offers several advantages over NETCONF, including:

* **Simpler Communication** - RESTCONF utilizes the standard HTTP methods for communication.
* **Stateless Server** - It eliminates the need for session establishment and client state management. RESTCONF allows for immediate execution of client requests.

## Exam Preparation Tasks

To adequately prepare for the exam, take a comprehensive look at all the key topics presented in this chapter. Review the self-assessment questions and practice the exercise questions provided in the document. You can also make use of the additional exam simulation questions found in the Pearson Test Prep Software Online.
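The RPC/RPC-reply exchange from the NETCONF section above, as an added example that is not from the book or from any vendor SDK: the client builds a `get-config` RPC for the running datastore, and the reply parser checks that the server echoed the request's `message-id` before classifying the reply by the presence of `rpc-error`. The two replies are constructed samples, not captured from a device; the `]]>]]>` end-of-message framing is the NETCONF 1.0 framing defined in RFC 4742, and the element names come from the NETCONF base namespace.

```python
import xml.etree.ElementTree as ET

NETCONF_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
NETCONF_SSH_PORT = 830   # default TCP port for the NETCONF SSH subsystem
EOM = "]]>]]>"           # NETCONF 1.0 end-of-message delimiter (RFC 4742)


def qn(local: str) -> str:
    """Namespace-qualify a NETCONF base element name for ElementTree lookups."""
    return f"{{{NETCONF_NS}}}{local}"


def build_get_config_rpc(message_id: int, datastore: str = "running") -> str:
    """Client side: an <rpc> asking the server for a datastore's configuration,
    framed with the 1.0 delimiter so it can be written straight to the SSH channel."""
    rpc = ET.Element("rpc", {"xmlns": NETCONF_NS, "message-id": str(message_id)})
    source = ET.SubElement(ET.SubElement(rpc, "get-config"), "source")
    ET.SubElement(source, datastore)
    return ET.tostring(rpc, encoding="unicode") + EOM


def parse_rpc_reply(raw: str, expected_id: int) -> dict:
    """Classify an <rpc-reply>: success when no <rpc-error> is present.
    A reply whose message-id does not echo our request is rejected outright."""
    text = raw[:-len(EOM)] if raw.endswith(EOM) else raw
    root = ET.fromstring(text.strip())
    if root.tag != qn("rpc-reply"):
        raise ValueError(f"not an rpc-reply: {root.tag}")
    if root.get("message-id") != str(expected_id):
        raise ValueError("message-id mismatch: reply does not belong to this request")
    prefix_len = len(qn(""))
    errors = [
        {child.tag[prefix_len:]: (child.text or "").strip() for child in err}
        for err in root.findall(qn("rpc-error"))
    ]
    data = root.find(qn("data"))
    return {
        "message_id": expected_id,
        "ok": not errors,
        "errors": errors,
        # serialized for display only; a real client would walk the YANG-modeled tree
        "data": ET.tostring(data, encoding="unicode") if data is not None else None,
    }


# Constructed sample replies (not captured from a real device).
REPLY_OK = f"""<rpc-reply xmlns="{NETCONF_NS}" message-id="101">
  <data><hostname>lab-switch-1</hostname></data>
</rpc-reply>{EOM}"""

REPLY_DENIED = f"""<rpc-reply xmlns="{NETCONF_NS}" message-id="102">
  <rpc-error>
    <error-type>protocol</error-type>
    <error-tag>access-denied</error-tag>
    <error-severity>error</error-severity>
    <error-message>insufficient privileges for get-config</error-message>
  </rpc-error>
</rpc-reply>{EOM}"""

if __name__ == "__main__":
    print(build_get_config_rpc(101))
    print(parse_rpc_reply(REPLY_OK, 101))
    print(parse_rpc_reply(REPLY_DENIED, 102))
```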
## Define Key Terms

Ensure you are familiar with the following key terms:

* **REST (Representational State Transfer)**
* **SOAP (Simple Object Access Protocol)**
* **Contiv**
* **NFV (Network Function Virtualization)**
* **Neutron**
* **Open vSwitch**
* **OpenDaylight (ODL)**
* **YANG (Yet Another Next Generation)**
* **NETCONF (Network Configuration Protocol)**
* **RESTCONF**

## Review Questions

1. **The RESTCONF interface is built around a small number of standardized requests. Which of the following are requests supported by RESTCONF?**
   * GET
   * PUT
   * PATCH
   * *All of these answers are correct.*
2. **NETCONF messages are encoded in a(n) __________ structure defined by the NETCONF standard.**
   * JSON
   * *XML*
   * OWASP
   * RESTCONF
3. **Which of the following is a Cisco resource where you can learn about network programmability and obtain sample code?**
   * APIC
   * ACI
   * *DevNet*
   * NETCONF
4. **A YANG-based server publishes a set of YANG modules, which taken together form the system's __________.**
   * YANG model
   * NETCONF model
   * RESTCONF model
   * gRPC model
5. **Which of the following HTTP methods sends data to the server and is typically used in HTML forms and API requests?**
   * POST
   * GET
   * TRACE
   * PUT
6. **Which of the following is a solution that allows you to detect security threats in encrypted traffic without decrypting the packets?**
   * ETA
   * Cisco Secure Email (formerly known as ESA)
   * Cisco Secure Web Appliance (formerly known as WSA)
   * None of these answers are correct.
7. **Which of the following is an open-source project that allows you to deploy micro-segmentation policy-based services in container environments?**
   * OVS
   * *Contiv*
   * ODL
   * All of these answers are correct.
8. **NFV nodes such as virtual routers and firewalls need which of the following components as an underlying infrastructure?**
   * A hypervisor
   * A virtual forwarder to connect individual instances
   * A network controller
   * *All of these answers are correct.*
9. **There have been multiple IP tunneling mechanisms introduced throughout the years. Which of the following are examples of IP tunneling mechanisms?**
   * VXLAN
   * STT
   * NVGRE
   * *All of these answers are correct.*
10. **Which of the following is true about SDN?**
    * SDN provides numerous benefits in the management plane. These benefits are in both physical switches and virtual switches.
    * SDN changed a few things in the management, control, and data planes. However, the big change was in the control and data planes in software-based switches and routers (including virtual switches inside of hypervisors).
    * SDN is now widely adopted in data centers.
    * *All of these answers are correct.*
