Network Functions Virtualization (NFV)
Moves network functions from stand-alone hardware appliances to software (VNFs) running on commodity servers, reducing the time-to-market for new services.
Software-Defined Networks (SDN)
This architecture decouples the network control and forwarding functions enabling the network control to become directly programmable and the underlying infrastructure to be abstracted for applications and network services.
NFV Components
Virtual Network Functions (VNFs)
Network Functions Virtualization Infrastructure (NFVI)
NFV Management and Orchestration (NFV-MANO)
NFV Management and Orchestration (NFV-MANO)
Consists of all functional blocks, data repositories, reference points, and interfaces that are used for managing and orchestrating VNFs and the NFVI.
Network Functions Virtualization Infrastructure (NFVI)
Is the entirety of the hardware and software components that build the environment where VNFs are deployed.
Virtual Network Functions (VNFs)
Are the software implementations of network functions.
Open Platform for NFV (OPNFV)
Created by the Linux Foundation in 2014 and is a collaborative open-source platform that seeks to develop NFV and shape its evolution.
OpenStack
An open-source cloud computing platform that has high market penetration that includes a collection of interoperable modules that are used to orchestrate large pools of compute, storage, and networking resources.
Nova
OpenStack compute module, is used to create and delete compute instances as required.
Glance
OpenStack module that synchronizes and maintains VM images across the compute cluster.
Keystone
Module that provides authentication for accessing all OpenStack services.
Cinder
OpenStack module that provides block storage used as storage volumes for VMs.
Swift
OpenStack module that provides object storage that is used to store large amounts of static data in a cluster.
Neutron
Or Networking, the OpenStack module that allows the different compute instances and storage nodes to communicate with each other.
Horizon
OpenStack module provides a GUI dashboard, and is by far the most widely deployed management module.
Heat
OpenStack module that helps expedite orchestration of applications across multiple compute instances by using templates.
Ceilometer
OpenStack module that monitors the NFVI and helps identify bottlenecks and resource optimization opportunities.
Ironic
OpenStack module that is a provisioning tool for bare-metal installation of compute capabilities instead of VMs in OpenStack.
Congress
OpenStack module that is a policy management framework for the OpenStack environment.
Designate
OpenStack DNS-as-a-Service module; it is used to point applications in the OpenStack environment to a trusted DNS source.
Barbican
OpenStack module that works with Keystone authentication to manage internal application security by behaving as a key manager.
Murano
OpenStack module that provides an application catalog: a whitelisted repository of applications.
Trove
OpenStack module that provides a distributed database service and enables users to deploy relational and non-relational database engines.
Sahara
OpenStack module formerly called Savanna, provides big data services by providing Elastic MapReduce and ability to provision Hadoop.
Manila
OpenStack module that provides Network-Attached Storage (NAS) / shared file system solutions for an OpenStack deployment.
Zaqar
OpenStack module that provides a multi-tenant cloud messaging service.
Magnum
OpenStack module that is an umbrella project that provides containerization assistance. This module is still in development.
Dynamic Host Configuration Protocol (DHCP)
A network management protocol used to dynamically assign an Internet Protocol (IP) address to any device, or node, on a network so they can communicate using IP.
UDP port number 67
Destination port of a DHCP server
UDP port number 68
Destination port of a DHCP client
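As an added example (not from the original flashcards), the following Python builds and parses DHCP messages in the wire format the definitions above refer to (fixed BOOTP header, magic cookie, TLV options) and flags server replies whose server identifier (option 54) is not in a trusted set, which is how a rogue DHCP server on the segment shows up. The addresses, MAC and trusted-server set are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

DHCP_SERVER_PORT = 67          # server listens here (DISCOVER/REQUEST are sent to it)
DHCP_CLIENT_PORT = 68          # client listens here (OFFER/ACK are sent to it)
MAGIC_COOKIE = b"\x63\x82\x53\x63"
FIXED_HEADER = "!BBBBIHH4s4s4s4s16s64s128s"   # RFC 2131 fixed fields, 236 bytes
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_ROUTER, OPT_DNS = 53, 54, 3, 6


def build_dhcp(op, xid, chaddr, yiaddr="0.0.0.0", options=()):
    """Encode a DHCP message: fixed BOOTP header, magic cookie, TLV options, END."""
    fixed = struct.pack(FIXED_HEADER,
                        op, 1, 6, 0, xid, 0, 0x8000,          # htype=Ethernet, hlen=6, broadcast flag
                        b"\0" * 4, IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
                        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return fixed + MAGIC_COOKIE + opts + b"\xff"


def parse_dhcp(data):
    """Decode a DHCP message into a dict; raises ValueError on a malformed packet."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (bad length or magic cookie)")
    f = struct.unpack_from(FIXED_HEADER, data, 0)
    options, i = {}, 240
    while i < len(data):
        code = data[i]
        if code == 255:                       # END option
            break
        if code == 0:                         # PAD option
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d runs past end of packet" % code)
        options[code] = value
        i += 2 + length
    msg_type = options.get(OPT_MSG_TYPE, b"\0")[0]
    server_id = options.get(OPT_SERVER_ID)
    return {
        "op": f[0], "xid": f[4],
        "yiaddr": str(IPv4Address(f[8])),
        "chaddr": f[11][:f[2]].hex(":"),
        "type": MESSAGE_TYPES.get(msg_type, "UNKNOWN"),
        "server_id": str(IPv4Address(server_id)) if server_id else None,
        "options": options,
    }


def is_rogue_server_reply(msg, trusted_servers):
    """True if an OFFER/ACK/NAK claims a server identifier outside the trusted set.
    A rogue DHCP server typically pushes its own router/DNS (options 3/6) to
    redirect traffic, so an unexpected server id is the signal to act on."""
    if msg["type"] not in ("OFFER", "ACK", "NAK"):
        return False
    return msg["server_id"] not in trusted_servers


if __name__ == "__main__":
    # Constructed OFFER from a server that is not the one we expect on this segment.
    offer = build_dhcp(2, 0x1234, bytes.fromhex("aabbccddee01"), yiaddr="10.0.0.23",
                       options=[(OPT_MSG_TYPE, b"\x02"), (OPT_SERVER_ID, bytes([10, 0, 0, 254])),
                                (OPT_ROUTER, bytes([10, 0, 0, 254]))])
    parsed = parse_dhcp(offer)
    print(parsed["type"], parsed["yiaddr"], "from", parsed["server_id"],
          "rogue:", is_rogue_server_reply(parsed, {"10.0.0.1"}))
```

In a real deployment the trusted set would be the DHCP servers you operate; the same check on switches is what DHCP snooping does by marking only uplink ports as trusted.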
ioctl interface
The ioctl interface of Linux bridge configuration (what the legacy brctl tool calls) creates and destroys bridges in the operating system and adds network interfaces to, or removes them from, a bridge as ports.
sysfs-based interface
The sysfs-based interface manages bridge and bridge-port specific parameters: /sys/class/net/<bridge>/bridge/ holds bridge parameters (e.g. stp_state, ageing_time), /sys/class/net/<bridge>/brif/ lists the member ports, and /sys/class/net/<port>/brport/ holds per-port parameters.
Virtual Network
a mapping of the entire or subset of networking resources to a specific protocol layer.
Network Virtualization (NV)
Defined by the ability to create logical, virtual networks that are decoupled from the underlying network hardware to ensure the network can better integrate with and support increasingly virtual environments.
Two most common forms of NVs
Protocol-based virtual networks
Virtual networks that are based on virtual devices
Virtual Private Networks (VPNs)
Protocol-based virtual networks usually built on tunneling protocols: multiple remote end-points (typically routers, VPN gateways or software clients) joined by some sort of tunnel over another network, usually a third-party network.
Virtual LANs (VLANs)
Protocol-based virtual networks that are logical local area networks (LANs) based on physical LANs
Virtual Private LAN Services (VPLS)
A specific type of multipoint VPN, divided into Transparent LAN Services (TLS) and Ethernet Virtual Connection Services.
Virtualization
Refers to the act of creating a virtual (rather than actual) version of something, including virtual computer hardware platforms, storage devices, and computer network resources.
Replication
To create multiple instances of the resource
Isolation
To separate the uses which clients make of the underlying resources
Overlay network
It describes a computer network that is built on top of another network.
Virtual Network Embedding (VNE) problem
How to optimally allocate virtual networks and their associated networking resources.
hub
a physical-layer device where a frame is passed along or broadcast to every one of its ports. It does not matter that the frame is only destined for one port.
switch
Responsible for connecting several network links to each other, creating a Local Area Network (LAN).
A data-link layer device that keeps a record of the MAC addresses of all the devices connected to it; with this information it can identify which system is sitting on which port. As a result, when a frame is received, it knows exactly which port to send the frame to, without significantly increasing network response times.
bridge
A device that separates two or more network segments within one logical network.
Open vSwitch (OVS)
A multi-layer software switch licensed under the open source Apache 2 license.
Linux bridge
A native function of the Linux kernel with layer-2 capabilities; it behaves as a learning Ethernet switch (it keeps a forwarding database of MAC addresses per port), not as a hub that repeats every frame to every port.
OpenFlow
Allows a controller to add, remove, update, monitor, and obtain statistics on flow tables and their flows, as well as to divert selected packets to the controller and to inject packets from the controller into the switch.
L2TP (Layer 2 Tunneling Protocol)
a tunneling protocol used to support VPNs or as part of the delivery of services by ISPs. It does not provide any encryption or confidentiality by itself. Rather, it relies on an encryption protocol that it passes within the tunnel to provide privacy.
PPP (Point-to-Point Protocol)
A data link (layer 2) protocol used to establish a direct connection between two nodes. It connects two routers directly without any host or any other networking device in between. It can provide connection authentication, transmission encryption, and compression.
VXLAN (Virtual Extensible LAN)
Network virtualization technology that addresses the scalability limits of VLANs in large cloud computing deployments. It encapsulates layer 2 Ethernet frames in layer 4 UDP packets (destination port 4789) and identifies each segment with a 24-bit VXLAN Network Identifier (VNI), giving about 16 million segments instead of the 4094 VLAN IDs of 802.1Q.
Generic Routing Encapsulation (GRE)
A tunneling protocol (IP protocol 47) that encapsulates packets of one protocol inside IP to establish a direct, point-to-point connection between network nodes. Being a simple and effective method of transporting data over a public network such as the Internet, it lets two peers exchange traffic (for example private addressing or non-IP protocols) that the public network itself would not carry. GRE provides no confidentiality or authentication; pair it with IPsec when those are needed.
SSL (Secure Socket Layer)
A standard security technology for establishing an encrypted link between a server and a client, typically a web server (website) and a browser, or a mail server and a mail client (e.g., Outlook), by encrypting data above the transport layer. SSL has been superseded by TLS (Transport Layer Security); all SSL versions are deprecated.
IPSec
A network protocol suite that authenticates and encrypts the packets of data sent over a network at the IP layer. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys for use during the session.
IEEE 802.1Q
A protocol for carrying VLAN traffic on Ethernet.
Maximum Transmission Unit (MTU)
The size of the largest block of data that can be sent as a single unit.
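Added example (not part of the original page), in Python, serving the VXLAN, IEEE 802.1Q and MTU entries above: it builds a VXLAN-encapsulated frame whose inner frame carries an 802.1Q tag, walks the header stack back out (Ethernet, stacked 802.1Q tags, IPv4, UDP, VXLAN, inner Ethernet), flags double-tagged frames, and computes the underlay MTU that the 50-byte VXLAN overhead requires. MAC/IP addresses and the VNI are constructed sample values; the IPv4/UDP checksums are left zero because the block only demonstrates encoding and parsing, not sending.

```python
import struct

ETH_P_IPV4, ETH_P_ARP, ETH_P_8021Q, ETH_P_8021AD = 0x0800, 0x0806, 0x8100, 0x88A8
UDP, VXLAN_PORT = 17, 4789
VXLAN_OVERHEAD = 14 + 20 + 8 + 8     # outer Ethernet + IPv4 + UDP + VXLAN header = 50 bytes


def underlay_mtu_required(inner_mtu=1500, outer_vlan_tagged=False):
    """MTU the underlay must carry so a full-size inner frame survives encapsulation."""
    return inner_mtu + VXLAN_OVERHEAD + (4 if outer_vlan_tagged else 0)


def build_ethernet(dst, src, ethertype, payload, vlans=()):
    """Ethernet II frame; each VID in `vlans` becomes an 802.1Q tag (outermost first, PCP/DEI = 0)."""
    hdr = dst + src
    for vid in vlans:
        hdr += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def build_vxlan(vni, inner_frame):
    """VXLAN header (RFC 7348): flags with the I bit set, 24-bit VNI, reserved bytes zero."""
    return bytes([0x08, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\0" + inner_frame


def build_ipv4_udp(src_ip, dst_ip, sport, dport, payload):
    """Minimal IPv4 + UDP wrapper; checksums left zero (parser demo, not a sender)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, UDP, 0, src_ip, dst_ip)
    return ip + udp


def parse_frame(frame):
    """Walk Ethernet -> 802.1Q tag stack -> IPv4 -> UDP -> VXLAN -> inner Ethernet."""
    if len(frame) < 14:
        raise ValueError("short frame")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    off, vlans = 14, []
    while ethertype in (ETH_P_8021Q, ETH_P_8021AD) and len(frame) >= off + 4:   # peel every stacked tag
        tci, ethertype = struct.unpack_from("!HH", frame, off)
        vlans.append(tci & 0x0FFF)
        off += 4
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "vlans": vlans, "ethertype": ethertype}
    if ethertype == ETH_P_IPV4 and len(frame) >= off + 20:
        ihl = (frame[off] & 0x0F) * 4
        proto = frame[off + 9]
        info["ip"] = (".".join(map(str, frame[off + 12:off + 16])),
                      ".".join(map(str, frame[off + 16:off + 20])))
        off += ihl
        if proto == UDP and len(frame) >= off + 8:
            sport, dport = struct.unpack_from("!HH", frame, off)
            off += 8
            info["udp"] = (sport, dport)
            if dport == VXLAN_PORT and len(frame) >= off + 8:
                flags = frame[off]
                info["vxlan"] = {"valid_vni": bool(flags & 0x08),
                                 "vni": int.from_bytes(frame[off + 4:off + 7], "big")}
                info["inner"] = parse_frame(frame[off + 8:])     # the encapsulated L2 frame
    return info


def is_double_tagged(info):
    """Two or more stacked tags arriving on an access port is the classic VLAN-hopping shape."""
    return len(info["vlans"]) >= 2


if __name__ == "__main__":
    inner = build_ethernet(bytes(6 * [0xFF]), bytes.fromhex("020000000001"), ETH_P_ARP,
                           b"\x00\x01" * 14, vlans=[10])
    outer = build_ethernet(bytes.fromhex("020000000aaa"), bytes.fromhex("020000000bbb"), ETH_P_IPV4,
                           build_ipv4_udp(bytes([10, 1, 1, 1]), bytes([10, 1, 1, 2]),
                                          49152, VXLAN_PORT, build_vxlan(5000, inner)))
    print(parse_frame(outer))
    print("underlay MTU needed for a 1500-byte inner frame:", underlay_mtu_required())
```

The MTU function is the check to run before a VXLAN rollout: an underlay left at 1500 silently fragments or drops full-size tenant frames, and the double-tag check is what a VTEP or access switch should apply before trusting the VID a tenant frame carries.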
Southbound Interface (SBI)
Allows the controller to communicate, interact and manage the forwarding elements.
East / Westbound interfaces
Are meant for communication between groups or federations of controllers.
Northbound Interface (NBI)
Enables applications in the application layer to program the controllers by making abstract data models and other functionalities available to them.
Unified control plane of an SDN
Consists of one or more SDN controllers that use open APIs to exert control over the underlying vSwitches or forwarding devices.
Data plane in SDN
Tasked with enabling the transfer of data from the sender to the receiver(s).
OpenFlow
Defined by the ONF, is a protocol between the control and forwarding layers of an SDN architecture, and is by far the most widespread implementation of SDN.
SDN Controllers
The brains of the SDN operation that lies between the data plane devices on one end, and high level applications on the other. Takes the responsibility of establishing every flow in the network by installing flow entries on switch devices.
NOX
Was among the first publicly available OpenFlow controllers.
OpenDaylight (ODL)
An open-source SDN controller that has been available since 2014. It is a modular multi-protocol SDN controller that is widely deployed in the industry.
Open Virtual Switch (OVS)
Open-source implementation of a distributed programmable virtual multi-layer switch. It generally consists of flow tables, with each flow entry having match conditions and associated actions. It communicates with the controller over a control channel that should be protected with TLS (OpenFlow also allows plain TCP, which leaves flow rules open to on-path eavesdropping and tampering), and generally uses the OpenFlow protocol.
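Added example (not from the page, and not code from Open vSwitch or any real controller), in Python: a simplified OpenFlow flow table with priority-ordered match/action entries and table-miss to the controller, driven by a reactive learning controller that also installs higher-priority drop entries for quarantined MAC addresses. Class and function names, the MAC addresses and the priority values are assumptions; the behaviour shown (highest-priority matching entry wins, the controller installs flows in response to packet-in, the switch counts hits per flow) is the OpenFlow model described above.

```python
from dataclasses import dataclass

CONTROLLER = "CONTROLLER"    # OFPP_CONTROLLER: punt the packet to the controller (packet-in)
FLOOD = "FLOOD"              # OFPP_FLOOD: all ports except the ingress port


@dataclass
class FlowEntry:
    priority: int
    match: dict                 # header field -> value; a field absent from match is a wildcard
    actions: list               # ordered action list; an empty list means drop
    packets: int = 0            # per-flow counter, what "ovs-ofctl dump-flows" reports as n_packets

    def matches(self, pkt):
        return all(pkt.get(k) == v for k, v in self.match.items())


class FlowTable:
    """Single OpenFlow table: highest-priority matching entry wins; no match -> table-miss."""

    def __init__(self):
        self.entries = []
        self.table_miss = [("OUTPUT", CONTROLLER)]   # OpenFlow 1.0 default; 1.3+ drops unless a miss entry exists

    def add_flow(self, entry):          # what an OFPT_FLOW_MOD(ADD) from the controller does
        self.entries.append(entry)
        self.entries.sort(key=lambda e: -e.priority)

    def lookup(self, pkt):
        for e in self.entries:
            if e.matches(pkt):
                e.packets += 1
                return e.actions
        return self.table_miss


class Switch:
    def __init__(self, dpid, ports, controller):
        self.dpid, self.ports, self.table = dpid, list(ports), FlowTable()
        self.controller = controller
        controller.switch_connected(self)

    def process(self, pkt):
        """Return the list of egress ports for a packet; a drop yields []."""
        out = []
        for action, arg in self.table.lookup(pkt):
            if action == "OUTPUT" and arg == CONTROLLER:
                out.extend(self.controller.packet_in(self, pkt))
            elif action == "OUTPUT" and arg == FLOOD:
                out.extend(p for p in self.ports if p != pkt["in_port"])
            elif action == "OUTPUT":
                out.append(arg)
        return out


class LearningController:
    """Reactive L2 learning controller with a static quarantine policy.
    Quarantine drops are installed at priority 200 and learned forwarding at 100,
    so a quarantined source can never be forwarded by a later-learned entry."""

    def __init__(self, quarantined_macs=()):
        self.quarantined = set(quarantined_macs)
        self.mac_to_port = {}        # (dpid, mac) -> port
        self.packet_ins = 0

    def switch_connected(self, sw):
        for mac in self.quarantined:
            sw.table.add_flow(FlowEntry(200, {"dl_src": mac}, []))       # explicit drop
        sw.table.add_flow(FlowEntry(0, {}, [("OUTPUT", CONTROLLER)]))    # explicit table-miss entry

    def packet_in(self, sw, pkt):
        self.packet_ins += 1
        self.mac_to_port[(sw.dpid, pkt["dl_src"])] = pkt["in_port"]      # learn source location
        port = self.mac_to_port.get((sw.dpid, pkt["dl_dst"]))
        if port is None:
            return [p for p in sw.ports if p != pkt["in_port"]]         # packet-out with FLOOD
        sw.table.add_flow(FlowEntry(100, {"dl_dst": pkt["dl_dst"]}, [("OUTPUT", port)]))
        return [port]


if __name__ == "__main__":
    A, B, C = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
    ctrl = LearningController(quarantined_macs=[C])
    sw = Switch(1, [1, 2, 3], ctrl)
    print(sw.process({"in_port": 1, "dl_src": A, "dl_dst": B}))   # flood
    print(sw.process({"in_port": 2, "dl_src": B, "dl_dst": A}))   # [1], flow installed
    print(sw.process({"in_port": 3, "dl_src": C, "dl_dst": A}))   # [] quarantined
```

The point to take from the priorities: a security policy installed as a flow must sit above anything a reactive controller will add later, otherwise the next packet-in can install a forwarding entry that bypasses it.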
Routing Control Platform (RCP)
Proposed for the provisioning of inter-domain routing over a BGP network. Routing is done by a separate entity: control from physically distributed routers in a domain is logically centralized in a control plane.
SoftRouter
Presented with the aim of separation of control and forwarding elements called Control Element (CE) and Forwarding Element (FE), respectively. The control functionality is provided by using a centralized server, i.e., a CE that might be many hops away from the FE.
RouteFlow
Project initially named as QuagFlow, which aimed to provide IP routing as Router-as-a-Service in a virtualized environment. Considered the basic architecture to control routing in SDNs.
Virtual Router System (VRS)
Virtual router instances communicate with a Point-Of-Presence (POP) and follow a star topology, in which a single core node is connected to Customer Edge Gateways (CEG) linked through Intermediate Nodes (INs).
Vulnerability
A weakness or gap in a security system that can be exploited by attackers; it may be a design flaw or be caused by malfunctioning system components.
Threat
The possibility that a vulnerability is exploited so that something bad happens; it emphasizes the qualitative side of the potential damage from exploited vulnerabilities.
Attack
An action triggered by deploying an attacking method, when a vulnerability is exploited to actually realize a threat.
Risk
The quantifiable likelihood of loss due to a realized threat; it emphasizes the quantitative side of the potential damage (commonly estimated as likelihood times impact).
The source of attacks
Two types of attackers based on their origin: inside attackers (insiders) and outside attackers (outsiders).
The method of attacks
Two types of attack methods based on the attacker's intention: passive attacks (observing or eavesdropping on traffic without altering it) and active attacks (modifying, injecting or disrupting traffic or systems).
The target of attacks
The objective of attackers to try to compromise.
The consequence of attacks
Describes outcomes by successfully deploying an attack. It is a multi-faceted consequence.
Defense in depth
Also known as Castle Approach is the concept of protecting a computer network with a series of defensive mechanisms such that if one mechanism fails, another will already be in place to thwart an attack.
Defense in depth framework
The first layer is a prevention mechanism that stops attacks from getting into the networking system.
The second layer is detection and response mechanisms that watch activities on systems and networks to detect attacks and repair the damage
The third layer is attack-resilient technologies that enable the core elements, or, the most valuable systems, on the network to survive attacks and continue to function.
Cyber Kill Chain
Adopts the concept of a procedural step-by-step attacking method consisting of target identification, force dispatch to target, decision and order to attack the target, and finally the destruction of the target.
Reconnaissance
The attacker gathers information on the target before the actual attack starts.
Weaponization
The attacker does not yet interact with the intended victim; instead they build the attack, typically coupling an exploit with a remote-access payload into a deliverable (e.g. a weaponized document).
Delivery
Transmission of the attack to the intended victim(s).
Exploitation
This implies actual detonation of the attack, such as the exploit running on the system.
Installation
The attacker may install malware on the victim.
Command & Control (C&C)
This implies that once a system is compromised and / or infected, the system has to call home.
Actions on Objectives
Once the cyber attackers establish access to the organization, they then execute actions to achieve their objectives / goal.
Network mapping
The study of the connectivity of networks at layer 3 of a TCP/IP network.
Vulnerability scanning
An inspection of the potential points of exploit on a computer or network to identify security holes.
Penetration testing
Attempts to identify insecure business processes, insecure system settings, or other weaknesses.
Firewall (FW)
A component or set of components that restricts access between a protected network and the Internet, or between other sets of networks.
Host
A computer system attached to a network.
Network Address Translation (NAT)
A procedure by which a router changes data in packets to modify the network addresses. This allows a router to conceal the addresses of network hosts on one side of it.
Perimeter network
A network added between a protected network and an external network in order to provide an additional layer of security. A perimeter network is sometimes called a DMZ.
Proxy
A program that deals with external servers on behalf of internal clients
Intrusion Prevention System (IPS)
A network security / threat prevention technology that examines network traffic flows to detect and prevent vulnerability exploits.
Intrusion Detection System (IDS)
A network security technology originally built for detecting vulnerability exploits against a target application or computer.
host-based logging
This approach keeps logs on each host rather than transferring them to a centralized log server, which minimizes network traffic; however, it incurs significant management overhead to retrieve logging data from individual hosts.
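Added example (not from the page), in Python, for the network mapping, vulnerability scanning and logging entries above: a small detector that runs over firewall deny lines as they would be collected at a central log server, and flags port scans (one source hitting many ports on one host) and host sweeps (one source probing many hosts) within a time window, labelling each as the Reconnaissance phase of the kill chain. The log lines (iptables LOG style), the addresses and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed iptables-style firewall deny lines (not real captures).
SAMPLE_LOG = """\
Jan 10 10:00:01 fw1 kernel: DENY IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.10 PROTO=TCP SPT=40001 DPT=21
Jan 10 10:00:01 fw1 kernel: DENY IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.10 PROTO=TCP SPT=40002 DPT=22
Jan 10 10:00:02 fw1 kernel: DENY IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.10 PROTO=TCP SPT=40003 DPT=23
Jan 10 10:00:02 fw1 kernel: DENY IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.10 PROTO=TCP SPT=40004 DPT=25
Jan 10 10:00:03 fw1 kernel: DENY IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.10 PROTO=TCP SPT=40005 DPT=80
Jan 10 10:00:03 fw1 kernel: DENY IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.10 PROTO=TCP SPT=40006 DPT=443
Jan 10 10:01:10 fw1 kernel: DENY IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.11 PROTO=TCP SPT=51000 DPT=80
Jan 10 10:01:11 fw1 kernel: DENY IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.12 PROTO=TCP SPT=51001 DPT=80
Jan 10 10:01:12 fw1 kernel: DENY IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.13 PROTO=TCP SPT=51002 DPT=80
Jan 10 10:01:13 fw1 kernel: DENY IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.14 PROTO=TCP SPT=51003 DPT=80
Jan 10 10:01:14 fw1 kernel: DENY IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.15 PROTO=TCP SPT=51004 DPT=80
Jan 10 10:05:00 fw1 kernel: DENY IN=eth0 OUT= SRC=10.0.0.50 DST=10.0.0.10 PROTO=TCP SPT=33000 DPT=445
Jan 10 10:30:00 fw1 kernel: DENY IN=eth0 OUT= SRC=10.0.0.50 DST=10.0.0.10 PROTO=TCP SPT=33001 DPT=139
"""

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<verdict>\w+) "
    r"IN=(?P<iface>\S*) OUT=\S* SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)")


def parse_line(line):
    """Parse one iptables LOG line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%b %d %H:%M:%S")   # syslog stamps carry no year
    e["spt"], e["dpt"] = int(e["spt"]), int(e["dpt"])
    return e


def detect_recon(lines, window_s=60, port_threshold=5, host_threshold=5):
    """Flag sources that, within `window_s` seconds, hit >= port_threshold distinct ports
    on one host (port scan) or >= host_threshold distinct hosts (host sweep)."""
    by_src = defaultdict(list)
    for e in filter(None, map(parse_line, lines)):
        by_src[e["src"]].append(e)
    findings, seen = [], set()
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        lo = 0
        for hi in range(len(evs)):                      # sliding window ending at evs[hi]
            while (evs[hi]["ts"] - evs[lo]["ts"]).total_seconds() > window_s:
                lo += 1
            ports_per_dst = defaultdict(set)
            for e in evs[lo:hi + 1]:
                ports_per_dst[e["dst"]].add(e["dpt"])
            for dst, ports in ports_per_dst.items():
                if len(ports) >= port_threshold and (src, "port_scan", dst) not in seen:
                    seen.add((src, "port_scan", dst))
                    findings.append({"src": src, "kind": "port_scan", "target": dst,
                                     "count": len(ports), "phase": "Reconnaissance"})
            if len(ports_per_dst) >= host_threshold and (src, "host_sweep", None) not in seen:
                seen.add((src, "host_sweep", None))
                findings.append({"src": src, "kind": "host_sweep", "target": None,
                                 "count": len(ports_per_dst), "phase": "Reconnaissance"})
    return findings


if __name__ == "__main__":
    for f in detect_recon(SAMPLE_LOG.splitlines()):
        print(f)
```

The thresholds and window are tuning knobs: too low and vulnerability scanners you run yourself will page you every night, too high and a slow scan that spreads a handful of probes per minute slips under the window, which is why scan detection is usually paired with an allowlist of authorized scanner addresses.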