Data Center Security

1,966 views

Published on

Over the last 5 years, Data Centers, your most important asset, have evolved massively. The pace of change continues to ramp with new Architectures, Virtualization, Fabrics and Clouds. How do you evolve your data centers and ensure they are secure, and prove they are secure, for compliance and audit? Using a practical and pragmatic approach, we will present and demonstrate how Cisco can help you tackle your security challenges, leveraging the intelligent network infrastructure and the broadest security portfolio in the industry (ASA5585, ASA SM, ASA 1000v, VSG and TrustSec with ISE).

Published in: Technology, Education
2 Comments
4 Likes
Statistics
Notes
No Downloads
Views
Total views
1,966
On SlideShare
0
From Embeds
0
Number of Embeds
4
Actions
Shares
0
Downloads
0
Comments
2
Likes
4
Embeds 0
No embeds

No notes for slide

Data Center Security

  1. 1. © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Connect 11© 2013 Cisco and/or its affiliates. All rights reserved.Toronto, CanadaMay 30, 2013Data Centre SecurityBest Practices and AchitectureMason Harris, CCIE #5916Solutions ArchitectAdvanced Technology Team
  2. 2. Agenda• Today’s DC Architecture• Threat Prevention• Threat Visibility• Virtualized Security• Validated Architectures• Summary
  3. 3. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 3DC Architecure:Building Blocks
  4. 4. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 4© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 4Data Center SecurityBuilding an Efficient DC Fabric to Scale4• Scaling the Network Fabric - Virtual Device Context (VDC)Nexus 7000 VDC – Virtual Device Contexts• Flexible separation/distribution of hardware resources and softwarecomponents• Complete data plane and control plane separation• Complete software fault isolation• Securely delineated administrative contexts• Each physical interface can only be active in one VDCLayer 2 Protocols Layer 3 ProtocolsVLANPVLANOSPFBGPEIGRPGLBPHSRPIGMPUDLDCDP802.1XSTPLACP PIMCTS SNMP……VDC 1Layer 3 ProtocolsOSPFBGPEIGRPGLBPHSRPIGMPPIM SNMP…VDC 2Layer 2 ProtocolsVLANPVLANUDLDCDP802.1XSTPLACP CTS…VDCs
  5. 5. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 5© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 5Data Center SecurityvPC PeersvPC PeersMCEC5• Allow a single device to use a port channel across twoupstream switches (aka MCEC)• Eliminate STP blocked ports• Simplify L2 Paths by supporting loopfree non-blockingconcurrent L2 paths• Dual-homed server operate in active-active mode• Provide fast convergence upon link/device failureVirtual PortChannels• Scaling the Fabric – Virtual Port Channel vPC)Logical Topology with vPCAggregationAccessAggregationAccessMCEC! Enable vpc on the switchdc11-5020-1(config)# feature vpc! Check the feature statusdc11-5020-1(config)# show feature | include vpcvpc 1 enabled
  6. 6. The Security Practicioner’s Challange• How to integrate security in a dynamic network (the DC)• Loss of traditional L2 and L3 boundaries• Other technologies like VXLAN, OTV and Vmotion extend thenetwork topology• How do stateful inspection devices handle assymetric flows?• Where can I get flow visibility if there isn’t a network “edge”?• DC is rapidly changing, security services difficult to keep up
  7. 7. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 7Threat Prevention:Firewall and IPS
  8. 8. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 8© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 8Data Center SecurityWhy Deploy a Firewall in the DC?• Firewalls provide a stateful inspection point for access control• Can be either a physical appliance or virtual appliance• Frequently positioned between VRFs or VDC for granular control andvisibility• Throughput is one consideration, but connection count is just asimportant due to applications and their services• Provide user and application visibility as well as flow based services• Virtual firewalls are an option where physical appliances can’t exist orrapid expansion of virtual services8
  9. 9. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 9© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 9Data Center SecurityPhysical Firewalls: Service Modules and Appliances• Cisco currently only has one service module firewall, the ASA SM for theCatalyst 6500-E• SM firewalls have no physical interfaces and rely entirely on the existingswitching infrastructure for packet flow• It uses VLANs to redirect which packets are inspected or bypassed• Uses same code base as physical appliances ASA firewalls9
  10. 10. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 10© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 10Data Center SecurityPhysical Firewalls: ASA 5585 Appliances10• 2U chassis with dual power supplies on each blade• Can be deplyed as two firewalls or a firewall and services blade• 4 10G ports on 2 high end firewall blades, expansion card for more 10G ports• BreakingPoint Test Results: http://blogs.ixiacom.com/ixia-blog/cisco-asa-live-validation-with-breakingpoint-firestorm-ctm/• Miercom report here: http://www.miercom.com/2011/06/cisco-asa-5585-x-vs-juniper-srx3600/
  11. 11. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 11© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 11Data Center SecurityVirtualized Firewalls and Virtual Firewalls• Two types: multi-context mode and virtual firewalls• Multi-context mode was originally designed for SMT (Secure Multi Tenant)deployments and is a licensed feature• Virtual firewalls are software-only firewalls running in a hypervisor• Cisco has two virtual firewalls: the Virtual Security Gateway (VSG) and theASA1000V• Both require the Nexus 1000V distributed virtual switch and an “Advanced” license• Virtual firewalls can be deployed rapidly with typical orchestration tools, etc. butthere is an added layer of operational complexity• Virtual firewalls are heavily dependent on available RAM and CPU on the hostserver• We’ll cover virtual firewalls shortly11
  12. 12. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 12© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 12Data Center Security4 Virtualized Firewalls - Common Configuration12• Firewalls can be in tranparent or routed mode or both (mixed mode 9.0+)• Physical links are typically trunks but could be physical interfaces• Contexts in routed mode can share VLANs, but not in transparent modeVLAN 10 VLAN 20 VLAN 30 VLAN 40VLAN 11 VLAN 21 VLAN 31 VLAN 41VFW1VFW2VFW3VFW4
  13. 13. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 13© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 13Data Center SecurityWhat is a Transparent mode Firewall?13• Transparent Firewall (L2) mode provides an option in traditional L3environments where existing services can’t be sent through the firewall• Very popular architecture in data center environments• In L2 mode:• Routing protocols can establish adjacencies through the firewall• Protocols such as HSRP, VRRP, GLBP can pass• Multicast streams can traverse the firewall• Non-IP traffic can be allowed (IPX, MPLS, BPDUs)• Allows for three forwarding interfaces, inside and outside and DMZ• NO dynamic routing protocol support or VPN support (sourced from ASA)• Specific design requirements, reference Configuration Guide for details
  14. 14. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 14© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 14Data Center SecurityHow Does Transparent Mode Work?• Firewall functions like a bridge (“bump in the wire”) at L2, only ARP packetspass without an explicit ACL• Still can use traditional ACLs on the firewall• Does not forward Cisco Discovery Protocol (CDP)• Same subnet exists on all interfaces in the bridge-group• Different VLANs on inside and outside interfaces• In addition to Extended ACLs, use an EtherType ACL to restrict or allow L2protocols
  15. 15. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 15© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 15Data Center Security10.1.1.0 /24 – vlan 1010.1.1.0 /24 – vlan 20BVI 1: 10.1.1.100 /24firewall transparenthostname ciscoasa!interface GigabitEthernet0/0vlan 20nameif outsidesecurity-level 0bridge-group 1!interface GigabitEthernet0/1vlan 10nameif insidesecurity-level 100bridge-group 1!interface BVI1ip address 10.1.1.100 255.255.255.0Transparent Mode Configuration (2 interfaces shown)Bridge-group1Up to 4 interfaces are permitted per bridge-group
  16. 16. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 16© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 16Data Center SecurityData Center: ASA L2 FW – Design #1• ASAs in transparent mode with upstream L3 gateway• Server gateway on outside of firewall• Firewall is L2 adjacent and in path to hosts• Segmentation through VLAN assignmentVlan 10(Inside)vlan 20 VIP: 10.1.1.254L3 SwitchHosts: 10.1.1.1-9910.1.1.x /24Vlan 20(Outside)ASA HA PairBVI: 10.1.1.100VirtualHosts
  17. 17. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 17© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 17Data Center SecurityData Center: ASA L2 FW – Design #2VDC-OutOutside InsideVDC-InHSRP VIP: 10.1.1.254Single L2 DomainFirewalls for Intra-VDC Traffic• ASA in either L2 or L3 mode, L2 is optimal in most cases• Add VRFs on Cat 6500 or Nexus 7K for segmentation• Server gateway inside of firewall• Minimizes firewall failures, route around failures if neededVirtualHostsvlan 20vlan xvlan y10.199.199.210.199.199.1
  18. 18. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 18© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 18Data Center SecurityN7k1-VDC-2Aggregationvrf1 vrf2ASA L2 FW – Design #3• Transparent (L2) firewall services are“sandwiched” between Nexus VDCs• Allows for other services (IPS, LB, etc) to belayered in as needed• ASAs can be virtualized to for 1x1 mappingto VRFs• Useful for topologies that require a FWbetween aggregation and core• Downside is that most/all traffic destined forCore traverses FW; possible bottleneck, etc.• Firewalls could be L2 or L3N7k1-VDC-1Corevrf1 vrf2Firewalls for Inter-VDC Traffic
  19. 19. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 19© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 19Data Center SecurityInterface Redundancy: Port Channels19• Port channel support was added to theASA in 8.4 (2011)• Best practice: Utilize Link AggregationControl Protocol (LACP) where possible• LACP dynamically adds and removes (ifnecessary) links to the port channelbundle• Up to 8 active links and 8 standby linksare supported in the channel• Link aggregation benefit• Best practice in the DC is to use VirtualPort Channelsinterface TenGigabitEthernet0/8channel-group 40 mode activeno nameifno security-level!interface TenGigabitEthernet0/9channel-group 40 mode activeno nameifno security-level!interface Port-channel40nameif insideip add 10.1.1.2 255.255.255.0ActivelynegotiateLACP withswitch
  20. 20. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 20© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 20Data Center Security‘Show port-channel summary on ASAFlags: D – down P - bundled in port-channelI - stand-alone s – suspendedH - Hot-standby (LACP only)U - in use N - not in use, no aggregation/nameifM - not in use, no aggregation due to minimum links not metw - waiting to be aggregatedNumber of channel-groups in use: 1Group Port-channel Protocol Span-cluster Ports------+-------------+---------+------------+---------------------------40 Po40(U) LACP No Te0/8(P) Te0/9(P)20
  21. 21. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 21© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 21Data Center SecurityVirtual Port Channels (VPC) and the ASA21• Virtual Port Channels (VPC) are port channels whereboth links are actively forwarding traffic• Only two uplinks• VPC was created to solve two inherent networkproblems: Spanning-tree recalculation times andunused capacity in redundant L2 uplinks (due to STPblocks)• No additional config required on ASA• Supported in Nexus devices• VPC Design Guide:http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572830-00_Agg_Dsgn_Config_DG.pdf Nexus 5K/7KsASA
  22. 22. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 22Firewall Clustering
  23. 23. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 23© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 23Data Center SecurityASA Clustering Design Guidelines• Up to 8 ASAs are supported in a cluster (minimum of two) and all must be thesame model and DRAM (only flash memory can differ)• All cluster units must share same software except during upgrade (e.g. 9.0(0)1to 9.0(0)3)• Approximate maximum cluster throughput is ~ 70% of combined throughput andconnections of units in the cluster• Cluster elects one master that syncs configuration with other members• Supported in both routed (L3) and transparent (L2) firewall modes• Requires at least one cluster control interface on ASA for cluster control plane –this is analogous to state and failover link in A/S today• Cluster control links must be sized properly to accept a load that is equal to orgreater than the cluster throughput23
  24. 24. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 24© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 24Data Center SecurityClustering Best Practices – Control Plane24• Cluster control links must be sizedaccordingly (e.g.10GE interfaces)• Recommended to use a local port-channelon each ASA for link redundancy andaggregation• Do NOT use a spanned port-channel forcluster control links• Could also use ASA interface redundancywhich supports up to 8 pairs of interfaces inan active-passive modeManagementNetworkCluster ControlLinksM0/0M0/0M0/0M0/0
  25. 25. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 25© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 25Data Center SecurityClustering Best Practices – Cat 6K Data Plane25InsideSwitchOutsideSwitch• ASA clustering relies upon stateless loadbalancing from an external mechanism• Recommended method is to use a L2spanned port-channel to a switch foringress and egress connections• BP is to use a symmetrical hashingalgorithm like src-dest IP (the default)• Could also use Policy Based Routing (PBR)or Equal Cost Multi-Path (ECMP); use bothwith Object Tracking L3 only• Cat 6K VSS is supported with ASAclustering• Spanned port-channel will not come upuntil clustering is enabled!“Spanned” Port-Channels
  26. 26. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 26© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 26Data Center SecurityClustering Best Practices – Nexus 7K Data Plane26Nexus 7K• Nexus 7K data center offers advantageswith clustering due to VPC feature• All ASAs are dual homed to each 7K• VPC ensures that a single link failure willhave zero packet loss• Enhancements to LACP such that ASAcluster appears as one logical firewall torest of network• Port channel provides packet forwarding• ASAs in L2 or L3 modeNexus 7K
  27. 27. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 27© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 27Data Center SecurityTCP Session: Symmetric Traffic Flow• State replication from Owner to Director, also serves as failover message to provideredundancy should Owner fail• Director is selected per connection using consistent hashing algorithm• Director will act as backup should Owner failInsideNetworkOutsideNetworkOwnerSYNClientServerSYN/ACKSYN/ACKSYNMember1. StateupdateDirector
  28. 28. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 28© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 28Data Center SecurityTCP Session: Asymmetric Traffic Flow• Forwarder receives packet that it did not originate, queries Director• Packet is forwarded via cluster control link to Owner who then forwards on tooriginating client and all subsequent packets are forwarded to Owner with no lookup• This step is eliminated if the Owner can be derived via syn-cookiesInsideNetworkOutsideNetworkOwnerDirectorSYNClientServerSYN/ACK1. StateupdateSYN/ACKSYNForwarder2. Who isOwner?3. OwnerLocation
  29. 29. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 29© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 29Data Center SecurityFW+IPS Clustering with ASA 5585 Chassis• Clustering is supported 5585s which alsosupport IPS module on top slot• Leverage ASA Clustering technology for :• Traffic load-balancing• Traffic Symmetry• High availability• Caveats• Every module is managed individually• No “Cluster” event correlationClusterControlLink
  30. 30. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 30Threat Visibility:NetFlow
  31. 31. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 31© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 31Data Center SecurityNetFlow Security Use Cases• Detecting Persistent Threats• Identify Botnet Command and Control Activity• Detect Network Reconaissance• Track Internal Malware Proliferation• Check for Data Loss (DLP)
  32. 32. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 32© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 32Data Center SecurityNetflow Overview• Netflow was created by Cisco over 30 years ago as a flow accounting tool• If packet capture is like a wiretap then NetFlow is like a phone bill• We can learn a lot from studying the phone bill!• Today many devices support line rate Netflow (Catalyst family 15.0) while the Nexus7K supports “Flexible” Netflow• ASA firewall has supported NSEL (Netflow Secure Event Logging) for many years• NSEL has three options: Track flows as they are built, torn down, updated or denied• Many vendors take in NetFlow data--Lancope, Arbor, Plixer are a few• Cisco OEM’s Lancope’s StealthWatch as Cybersecurity Threat Defense (CTD)32
  33. 33. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 33© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 33Data Center SecurityFlow Is Defined By Seven Unique KeysNetFlow EnabledDeviceTraffic•Input Interface•TOS byte (DSCP)•Layer 3 protocol•Destination port•Source port•Destination IP address•Source IP address•Input Interface•TOS byte (DSCP)•Layer 3 protocol•Destination port•Source port•Destination IP address•Source IP addressCreate a flow from the packetattributes…152811000Address, ports…Bytes/packetPacketsFlow Information…152811000Address, ports…Bytes/packetPacketsFlow InformationNetFlow CacheInspectPacketNetFlowExport PacketsReporting• Inspect a packet’s 7 key fields and identify the values• If the set of key field values is unique, create a new flow record or cache entry• When the flow terminates, export the flow to the collection/analysis system
  34. 34. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 34© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 34Data Center SecurityCyber Threat Defense Solution Components34Cisco NetworkStealthWatchFlowCollectorStealthWatchManagementConsoleNetFlowUsers/DevicesCiscoISENetFlowStealthWatchFlowReplicatorOthertools/collectorshttpshttpsNBAR NSELNGA (NetFlow GeneratingAppliance)
  35. 35. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 35© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 35Data Center SecurityCisco CTD Solution: Attack Detection withoutSignatures High Concern Index indicates asignificant number of suspicious eventsthat deviate from established baselinesHost Groups Host CI CI% Alarms AlertsDesktops 10.10.101.118 338,137,280 112,712% High Concern index Ping, Ping_Scan, TCP_ScanMonitor and baseline activity for a host and within host groups.
  36. 36. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 36© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 36Data Center Security1. Infected host opensconnection frominsideDetecting Command and Control36DevicesManagementStealthWatchFlowCollectorStealthWatchManagementConsoleCisco ISE3. Infrastructure generates a record ofthe communication using NetFlow5. Contextual informationadded to NetFlow analysis6. Concern Index increasedHost Lock Violation alarm triggered2. Commands are sentin return trafficNetFlow Capable4. Collection and analysisof NetFlow dataInternal Network
  37. 37. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 37© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 37Data Center SecurityDetecting Command and Control37Alarm indicatingcommunication with knownBotNet ControllersIP AddressSource usernamePolicy thattriggeredalarmPolicy StartActiveTimeAlarms Source Source HostGroupsSourceUser NameTarget Target HostGroupInsideHostsJan 27,2012Host LockViolation10.35.88.171 Remote VPN Bob ZeusServer.com Zeus BotNetControllers
  38. 38. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 38Virtualized SecurityNexus 1000V
  39. 39. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 39© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 39Data Center SecurityCommon Virtualization Concerns39• Policy Enforcement• Applied at physical server—not the individual VM• Impossible to enforce policy for VMs in motion• Operations and Management• Lack of VM visibility, accountability, and consistency• Difficult management model and inability to effectively troubleshoot• Roles and Responsibilities• Muddled ownership as server admin must configurevirtual network• Organizational redundancy creates compliance challenges• Machine Segmentation• Server and application isolation on same physical server• No separation between compliant and non-compliant systems HypervisorRoles andResponsibilitiesIsolation andSegmentationManagementand Monitoring
  40. 40. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 40© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 40Data Center SecurityVirtualization Security Concerns40• Operations and Management• Lack of VM visibility, accountability, and consistency• Difficult management model and inability to effectivelytroubleshoot vm issues• Machine Segmentation• Server and application isolation on same physical server• No separation between compliant and non-compliant systems• Lack of visibility• Unified policy requires a little more thought…and workHypervisorInitial InfectionSecondaryInfectionHypervisorTertiaryInfection
  41. 41. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 41© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 41Data Center SecurityWhat are North-South and East-West Flows?• North-South (N-S) flows aretypically flows to and from Accesslayer to Aggregation Layer andCore• East-West (E-W) flows typicallystay either within a zone orbetween zones and often server toserver traffic41Web AppAccessAggregationCoreDatabaseEast - WestNorth-SouthVirtualHostsVirtualHostsVirtualHosts
  42. 42. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 42© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 42Data Center Security42Nexus 1000V Architecture42Hypervisor Hypervisor HypervisorModular Switch…Linecard-NSupervisor-1Supervisor-2Linecard-1Linecard-2BackPlaneVEM-NVEM-1 VEM-2VSM1VSM2NetworkAdminVirtual ApplianceVirtual Supervisor Module (VSM) CLI interface into the Nexus 1000V Leverages NX-OS Controls multiple VEMs as a single networkdevice Not in data path!Virtual Ethernet Module (VEM) Replaces Vmware DVS Enables advanced switching capability on thehypervisor Provides each VM with dedicated “switch ports”ServerAdminServerAdminServerAdmin
  43. 43. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 43© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 43Data Center SecurityNexus 1000V Architecture43port-profile type vethernet ASA1000V-1_Insideswitchport mode accessswitchport access vlan 210no shutdownstate enabledport-profile type vethernet ASA1000V-Outsidevmware port-groupswitchport access vlan 211switchport mode accessno shutdownstate enabledNexus 1000V supports:• ACLs• Quality of Service (QoS)• PVLANs• Port channels• SPAN ports
  44. 44. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 44© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 44Data Center SecurityWhat is Vpath?• vPath is the forwarding “brains” built into the Virtual Ethernet Module (VEM) of the Nexus1000V• It is an encapsulation that tags flows based upon attributes• It has two main functions:• Intelligent traffic steering• Offload processing from virtual service nodes (VSN) to VEM• vPath allows processing to be offloaded to Hypervisor for performance• Currently only supported on VMWare today with future support for Hyper-V and others• vPath is cornerstone for Cisco’s VSN delivery
  45. 45. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 45Virtualized SecurityFirewalls
  46. 46. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 46© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 46Data Center SecurityCentralized or Decentralized Firewalls or Both?• Centralized firewalls are the traditional approachto virtualized host security• Often a transitional architecture• Firewalls in the core, aggregation or edge?• Big challenge is scalability• Usually the limiting factor is connections notbandwidth• How to handle a requirement for L2 separation ofhosts?• How to address virtual host mobility?46VirtualHostsVirtualHostsPhysicalHosts
  47. 47. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 47© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 47Data Center SecurityCisco’s Virtual Firewalls: VSG and ASA1000V• Cisco has two virtual firewalls: the ASA 1000V and the Virtual Security Gateway (VSG)• Each runs as a virtual machine in VMWare (future HyperV support)• Both are managed via Virtual Network Management Center (VNMC)• Both are licensed per CPU socket• They are complementary to each other and require the Nexus 1000V Distributed VirtualSwitch and utilize a new forwarding plane, vPath47Virtual Security Gateway ASA 1000V
  48. 48. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 48© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 48Data Center SecurityWhat is the ASA1000V Cloud Firewall?• ASA1000V is a software-only version of an ASAappliance—an edge firewall• Runs ASA codebase in a virtual machine in L3 modeonly• Supports S2S IPSEC VPN (not RA VPN)• Can be deployed in active/standby HA• Subset of physical ASA features are supported, checkdocs for specifics (no multimode, no L2FW, etc)• Management via ASDM or VNMC but not both• Not a replacement for physical appliance!48VirtualHostsVirtualHostsVirtualHosts4 interfaces: inside, outside,failover and management
  49. 49. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 49© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 49Data Center SecurityASA 1000V Deployment: Public Cloud49Hosts Hosts HostsCloud Service ProviderCompany AVM 1VM 2VM 3VM 4ASA 1000VPhysical ASAon PremiseSite-to-SiteIPSEC VPNVM 5VM 6VM 7VM 8• Company A has moved to virtualized cloudbased servers• Requires connectivity between existing hosts(physical or virtual)• ASA 1000V acts as default gateway to cloudservers, DHCP services etc• S2S IPSEC VPN tunnel connects existinginfrastructure to cloud• Other VPN devices can establish S2S tunnelswith ASA1000V• No RA VPN support (AnyConnect)
  50. 50. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 50© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 50Data Center SecurityASA 1000V Deployment with NAT50Hosts Hosts HostsCloud Service ProviderCompany A - PRODVM 1VM 2VM 3VM 4ASA 1000VPhysical ASAon PremiseSite-to-SiteIPSEC VPNVM 5VM 6VM 7VM 8Company A - DEVVM 1VM 2VM 3VM 4VM 5VM 6VM 7VM 8• Company A clones cloud servers for Productionand Development services• ASA 1000V can provide dynamic and staticNAT as neededNAT x-yASA 1000V
  51. 51. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 51© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 51Data Center SecurityASA 1000V Deployment: Internal Private Cloud51Zone 1 Zone 2 Zone 3VM 1VM 2VM 3VM 4VFW 1VM 5VM 6VM 7VM 8VFW 2 VFW 3• Today multi context mode on ASA is used to providefirewall inspection for multi tenant and multi zoneenvironments• Trunks are typically used to transport zone and tenanttraffic• Challenge of E-W scale requires more firewallresources• ASA 1000V provides edge firewall and can scalealongside E-W buildout• Each tenant or zone gets one or more ASA 1000V• Provides NAT and DHCP services for scaleVzone 1 Vzone 2Multi Context Mode ASA
  52. 52. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 52© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 52Data Center SecurityWhat is the Virtual Security Gateway?• VSG is a L2 firewall that runs as a virtual machine“bump in the wire”• Similar to L2 transparent FW mode of ASA• It provides stateful inspection between L2 adjacenthosts (same subnet or VLAN)• It can use VMware attributes for policy• Provides benefits of L2 separation for East-Westtraffic flows• One or more VSGs are deployed per tenant52VirtualHostsVirtualHostsVirtualHosts
  53. 53. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 53© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 53Data Center SecurityVM Attributes Used by VSG (Partial List)Name Meaning Sourcevm.name Name of this VM vCentervm.host-name Name of this ESX-host vCentervm.os-fullname Name of guest OS vCentervm.vapp-name Name of the associatedvAppvCentervm.cluster-name Name of the cluster vCentervm.portprofile-name Name of the port-profile Port-profile
  54. 54. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 54© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 54Data Center SecurityASA1000V and VSG – 3 Tier Server Zone54Web Zone Database ApplicationVM 1VM 2VM 3VM 4VM 1VM 2VM 3VM 4VM 1VM 2VM 3VM 4NAT poolASA1000V Policy:Block any externalweb access to DBserversASA1000VPolicy: Allowonly tcp/80 toWeb ZoneVSG: Only permit Web Zoneto access DB ZoneVSG: Permit App Zone toaccess Web Zone but not DBTenant1Tenant1Web client
  55. 55. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 55© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 55Data Center SecurityASA1000V and VSG ComparedASA1000V (Edge) Virtual Security GatewayL3 routed mode only L2 mode (transparent)Static routes only No routingDHCP server and client support No DHCP supportSupports site-to-site IPSEC No IPSEC supportManaged by ASDM and VNMC Managed by VNMC onlyUses ASA code, CLI, SSH Minimal config via CLI, SSH55
  56. 56. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 56Virtualized SecurityCloud Services Router
  57. 57. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 57© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 57Data Center Security57External Cloud Networking Challenges• ChallengesInconsistent VPN ConfigurationIncompatible IP addressingIncomplete network services• Extending Enterprise WAN to External CloudsDifferent management toolsNo WAN optimization optionsInability to prioritize trafficBranchISRBranchISRBranchISRDataCenter ASRPublic CloudVPC/vDCVPC/vDC
  58. 58. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 58© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 58Data Center SecurityCSR 1000v• Cisco IOS XE Software in Virtual Form-factor• Cisco IOS XE Cloud Edition• Selected feature set of Cisco IOS XE• Virtual Route Processor (RP)• Virtual Forwarding Processor (FP)• Virtual Private Cloud/Data CenterGateway• Optimized for single tenant use cases• Agnostic to Other InfrastructureElements• Hypervisor agnostic• Virtual switch agnostic• Server agnosticServerHypervisorVirtual SwitchVPC/vDCOSAppCSR 1000vOSApp
  59. 59. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 59© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 59Data Center SecurityUse Case: Secure VPN Gateway• Scalable, Dynamic, and Consistent Connectivity to External CloudCSR1000vBranchISRWANRouterDistributionand ToRSwitchesServersDCASRCSR1000vCloud Provider Data CenterBranchISREnterpriseChallenges• Inconsistent security• High network latency• Limited scalabilitySolutions• IPSec VPN, DMVPN,EZVPN, FlexVPN• Routing and addressing• Firewall, ACLs, AAABenefits• Direct, secure access• Scalable, reliable VPN• Operational simplicityInternet
  60. 60. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 60© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 60Data Center SecurityUse Case: Traffic Control and Management• Comprehensive Networking Services Gateway in External CloudCSR1000vWANRouterDistributionand ToRSwitchesServersCSR1000vCloud Provider Data CenterEnterpriseOptimized TCP connectionChallenges• Response time of apps• Application prioritization• Connectivity resiliencySolutions• AppNav for WAAS• QoS prioritization• HSRP VPN resiliencyBenefits• Single point of control• Rich portfolio of serviceand network featuresvWAASHSRPBranchISRWAASBranchISRWAASDCASRWAASWAN
  61. 61. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 61TrustSec in the DCSecurity Group Tags
  62. 62. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 62© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 62Data Center Security62Security Group Based Access ControlSGACL• Security Group Based Access Control allows customers:• To keep existing logical design• To change / apply policy from central management server• To distribute policy enforcement to switches, routers and Firewalls802.1X/MAB/Web AuthHR Database (SGT=4)IT Server (SGT=10)I’m a contractorMy group is IT AdminContractor& IT AdminSGT = 10SGT = 10= SGT capable device
  63. 63. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 63© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 63Data Center SecurityHow SGT/SGA Scales Policy Control• TrustSec tags every packet from identified sources with an “SGT” Security Group Tag. TheTag shows which group the identified user belongs to.• SGTs identify logical groups of users and/or servers sharing similar sets of privileges orroles• SGTs are 16-Bits (2-bytes) supporting up to 64K (65536) logical groupsIndividualsSampleLogical Security GroupsContractorEmployeePartnerGuestUnknownSampleLogical Security GroupsIndividual ServersData CenterSensitiveCompanyConfidentialNDAConfidentialGeneral AccessIn this simple examplesource entities arereduced from 46 to 4In this simple exampledestination entities arereduced from 60 to 4Example Access Policy SimplificationBefore - 46 (source IPs) x 60 (dest IPs) x 4 TCP/UDP Port Permissions = 11040 ACE/ACLsAfter - 4 (source SGTs) x 4 (dest SGs) x 4 TCP/UDP Port Permissions = 64 SGACLsTaggedTrafficevaluatedagainst SG-ACL onEgress
  64. 64. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 64© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 64Data Center SecurityWhy Security Group Tags?64Source: Ken HookTraditional Discretionary AccessControlIndividuals ResourcesServer 1PermissionsServer 2Server 3Challenges• Leads to ACE explosion(# of sources) X (# of Destinations) X (# of permissions) = #ACEs• IP-address based ACLs are challenging- Changes in addressing schemes- Use of DHCP- Proliferation of Wireless LAN devices• Assumes relatively static placement of users/resourcesTrustSec SGT Addresses these challenges via:• Security Group Tags (SGT) provide a level of abstraction, reducing theACL/ACE proliferation dramatically• Simplified Policy Definition – Security Groups are logical and TopologyIndependent• Portable Policy – Security Groups allows for mobility of users and resourcesaccess-list 101 permit tcp S1/32 D1/32 eq httpaccess-list 101 permit tcp S1/32 D1/32 eq httpsaccess-list 101 permit tcp S1/32 D2/32 eq ftpaccess-list 101 permit tcp S1/32 D2/32 eq httpaccess-list 101 permit tcp S1/32 D2/32 eq httpsaccess-list 101 permit tcp S1/32 D2/32 eq ftpaccess-list 101 permit udp S1/32 D1/32 gt 1023access-list 101 permit udp S1/32 D2/32 gt 1023Access List for S1IndividualsResourcesSecurity GroupsPartnersEmployeeContractorInternetConfidentialSpecialProjectsAuthz RulesAuthz RulesAuthz RulesAuthz RulesSecurity GroupsSource DestinationGuest/UnknownPrint / CopyEmployeeOutside USAccess RulesAccess RulesSource 1
  65. 65. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 65© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 65Data Center Security65How To Create SGT PolicyDoctor (SGT 7)IT Admin (SGT 5)IT Portal(SGT 4)Public Portal(SGT 8)Internal Portal(SGT 9)Patient Record DB(SGT 10)DestinationSGTSourceSGTWeb Web No AccessWebFile ShareWebSSHRDPFile ShareWebSSHRDPFile ShareFull AccessSSHRDPFile Sharepermit tcp dst eq 443permit tcp dst eq 80permit tcp dst eq 22permit tcp dst eq 3389permit tcp dst eq 135permit tcp dst eq 136permit tcp dst eq 137permit tcp dst eq 138permit tcp des eq 139deny ipIT Maintenance ACL
  66. 66. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 66Secure Data CenterValidated Architectures
  67. 67. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 67© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 67Data Center SecurityWhy Validation Matters• We test to validate that certains systems coexist and function as expected• Testing also exposes weaknesses to a given design or architecture• Results are documented and shared to customers, partners and other entitites• Customer facing labs like Customer Proof of Concept (CPOC) and ECATS(Enhanced Customer Aligned Testing Service)• Internal labs like the Virtualized Multiservice Data Center (VMDC) lab onCisco’s campus in Research Triangle Park, NC http://www.cisco.com/go/vmdc• VMDC mission is to build a reference architecture for secure, scalable cloudand traditional DCs• Latest architecture version is 3.01
  68. 68. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 68© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 68Data Center SecurityvPC Peer-linkvPC9 vPC107k-1AGG-VDC7k-2AGG-VDC7k-1Core-VDC7k-2Core-VDC(L2 Boundary)VMNIC #3 VMNIC #2VMNIC #3VMNIC#2vPC11vPC111vPC66 vPC67Secure DC Architecture 1.0• Virtual Device Contexts (VDC) used tocreate virtual core and aggregation layer• Each ASA firewall is connected toaggregation switch over a dedicated vPCdomain• Each firewall is deployed in transparentmode. Offers easiest integration withexisting addressing and flows andadditional services (load balancing, etc).• Server gateway location is critical designdecision• ASAs can be in A/S or A/A
  69. 69. sCore 3 Core 4CongoAGG 1VDC 2NigeriaAGG 2VDC 2OTV OTVASA4Core 1 Core 2AGG 1 AGG 2OTV OTVASA1 ASA2 ASA3OTVData Center 1 Data Center 220.3.1.0/24 .2.1Core 3OTV 320.4.1.0/24.2.1Core 4OTV 420.1.1.0/24 .2.1Core 1OTV 120.2.1.0/24.2.1Core 2OTV 2OTV Site VLAN 700vPC 10 vPC 11OTV Site VLAN 700vPC 25 vPC 26MasterSecure DC Architecture 2.0 with Firewall ClusteringClustering over OTV
  70. 70. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 70© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 70Data Center SecurityHelpful Reference Links• VPC Design Guide: http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572830-00_Agg_Dsgn_Config_DG.pdf• Virtual Multi-Tenant Data Center (2013) (VMDC) 3.01 Validated Designhttp://www.cisco.com/en/US/partner/docs/solutions/Enterprise/Data_Center/VMDC/3.0.1/DG/VMDC_3.0.1_DG.html• Virtual Security Gateway (VSG) Deployment Guidehttp://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps11208/deployment_guide_c07-647435.html• TrustSec 2.0 Design and Implementation Guidehttp://www.cisco.com/en/US/partner/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html• TAC Security Podcast http://www.cisco.com/en/US/solutions/ns170/tac/security_tac_podcasts.html• ASA IPv6 Config Guide http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/route_ipv6_neighbor.html70
  71. 71. Complete Your Paper“Session Evaluation”Give us your feedback and you could win1 of 2 fabulous prizes in a random draw.Complete and return your paperevaluation form to the room attendantas you leave this session.Winners will be announced today.You must be present to win!..visit them at BOOTH# 100
  72. 72. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 72Thank you.
  73. 73. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 73AppendixAdditional Slides
  74. 74. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 74© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 74Data Center SecurityOverlay Transport Virtualization (OTV)74OVOverlay - A solution that is independent of theinfrastructure technology and services, flexibleover various inter-connect facilitiesTransport - Transporting services for layer 2 andlayer 3 Ethernet and IP trafficVirtualization - Provides virtual stateless multi-access connections, which can be furtherpartitioned into VPNs, VRFs, VLANsTOTV delivers a virtual L2 transport over any L3 Infrastructure
  75. 75. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 75© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 75Data Center SecurityTransportInfrastructureOTV OTV OTV OTVMAC 1  MAC 3Layer 2Lookup5MAC 1  MAC 3Layer 2Lookup1 Encap2Decap4MAC 1  MAC 3WestSiteMAC 1MAC 3EastSite1. Layer 2 lookup on the destination MAC. MAC 3 isreachable through IP B2. The Edge Device encapsulates the frame3. The transport delivers the packet to the EdgeDevice on site East4. The Edge Device on site East receives anddecapsulates the packet5. Layer 2 lookup on the original frame. MAC 3 is alocal MAC6. The frame is delivered to the destination36IP A IP BMAC TABLEVLAN MAC IF100 MAC 1 Eth 2100 MAC 2 Eth 1100 MAC 3 IP B100 MAC 4 IP BMAC TABLEVLAN MAC IF100 MAC 1 IP A100 MAC 2 IP A100 MAC 3 Eth 3100 MAC 4 Eth 4IP A  IP BMAC 1  MAC 3IP A  IP BMAC 1  MAC 3OTV75• Extending Layer 2
  76. 76. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 76© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 76Data Center SecurityFabricPath Terminology76• Interface connected to anotherFabricPath device• Sends/receives traffic with FabricPathheader• Does not run spanning tree• Does not perform MAC learning!• Exchanges topology info through L2ISIS adjacency• Forwarding based on ‘Switch ID Table’CE Edge PortsFP Core PortsSpine SwitchLeaf SwitchClassical Ethernet (CE)S10 S20 S30 S40S100 S200 S3001/1 1/2FabricPath (FP)S100  S300A  BA B• Interface connected to traditionalnetwork device• Sends/receives traffic in standard802.3 Ethernet frame format• Participates in STP domain• Forwarding based on MAC table
  77. 77. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 77© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 77Data Center SecurityASA Service Policy Selects Virtual SensorASA service policy can select traffic based on incominginterface, source/destination etc and direct different flows todifferent virtual sensors.It is possible to mix IDS and IPS Virtual Sensor so critical trafficwill not be impacted by Sensor
  78. 78. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 78© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2013 78Data Center SecurityMulti-Sensor Environment with Cisco Security Manager 4.4• Add all sensors into CSM• Cleared a shared Policy and PolicyBundle• Assign the Policy Bundle to all clustermembers• Tune the Policy Bundle• “Submit and Deploy” to apply tunedconfiguration to all members• Deep technical overview here:http://www.cisco.com/web/learning/le21/le39/docs/tdw_167_prezo.pdf

×