Advancements in software-defined networking (SDN) allow virtualized security controls within a virtual layer 2 (media link) network. A service chain defines what controls traffic must pass through before being delivered to the service. For example, a web service would have a service chain requiring the traffic pass through a DDoS filter, WAF, load balancing, and IDS/IPS before being delivered to the web server. Historically this has been done at layer 3 (IP), requiring IP address changes as chain components are added or removed. Implementing this within a virtual network at layer 2, chains can be dynamically updated without requiring any IP changes. Implementing these chains within layer 2 reduces complexity and network overhead.
John Studarus and Cynthia Thomas demonstrate how traffic can be service-chained through multiple security functions (WAF, DDoS filter, IDS/IPS) without the overhead and complexity of layer 3 networking using virtualization and software-defined networking (SDN). John and Cynthia walk you through configuring and modifying layer 2 service chains with open source cloud security tools to flow traffic through all the required security functions in order to monitor and block malicious traffic originating from a network of virtual machines.
This tutorial is run completely on open source software. You’ll be provided with an OpenStack cloud and security functions to protect a virtualized web application. The course virtual machines are running CirrOS and CentOS Linux. You’ll also use a number of open source security tools, including Snort, tcpdump, Squid, and ModSecurity.
John Studarus is technical risk, compliance, and security advisor at JHL Consulting. John has more than 20 years of software product development across the finance, high tech, government and healthcare industries, which has included working with internal and external technical teams, business partners, customer, internal compliance and legal to lead the product direction of large-scale cloud-based solutions. John’s areas of focus include software and product development, security best practices, compliance and cloud computing, and operational security and technical risk management and auditing. Previously, he led development of security dashboards and portals for use within DISA and the US Department of State and software and product management for AT&T, Leidos, and Akamai.
Cynthia Thomas is a member of the systems engineering team at Midokura, where she focuses on emerging technologies in network virtualization to address evolving application requirements. Cynthia’s background in networking hardware spans from telecommunications to data center, campus, and enterprise solutions. Cynthia holds an MSc in engineering from Queen’s University as well as a number of professional certifications, including Alcatel-Lucent Network Routing Specialist II (NRS II), Brocade Certified Ethernet Fabric Professional (BCEFP), Brocade Certified IP Network Professional (BCNP), and VMware Technical Sales Professional (VTSP) 5.
©2017, O'Reilly Media, Inc. • (800) 889-8969 or (707) 827-7019 • Monday-Friday 7:30am-5pm PT • All trademarks and registered trademarks appearing on oreilly.com are the property of their respective owners. • firstname.lastname@example.org