Security and Virtualization in the Data Center

This presentation discusses how to integrate security effectively with the core Data Center fabric technologies and features, security as part of the core design, designs that enforce micro-segmentation in the data center, separation of duties in virtualized and cloud environments, and security controls that enforce continuous compliance.

Published in: Technology

Transcript

  • 1. Security and Virtualization in the Data Center
  • 2. Speaker information. Contact: David Anderson, Solutions Architect, Borderless Security team, US; e-mail dma1@cisco.com. Focus areas: Data Center Security, Virtualization, Secure Mobility, Security Design, Compliance (PCI, Federal).
  • 3. Takeaways: To integrate security effectively you must understand the core data center fabric technologies and features (VDC, vPC, VRF, server virtualization, traffic flows); treat security as part of the core design; use designs that enforce micro-segmentation in the data center; enforce separation of duties in virtualized and cloud environments; use security to enforce continuous compliance.
  • 4. Secure Data Center agenda: Data Center Primer; Secure Data Center Components; Secure Data Center Design Fundamentals; Secure Data Center Design Details.
  • 5. Data Center Primer: Terms and Technology
  • 6. Cisco Datacenter Terms Primer Know the lingo • VDC – Virtual Device Context • VPC – Virtual Port Channel • VSS & MEC – Virtual Switching System & Multi-chassis Ether-channel • VSL & Peer Link – Virtual Switch Link • ECMP – Equal cost Multi-Path • VSD – Virtual Service Domain • VBS – Virtual Blade Switching • VRF – Virtual Routing & Forwarding • FabricPath
  • 7. Data Center Architecture (diagram). Layers from application to edge: Application Software, Virtual Machines, VSwitch, Compute, Storage and SAN, Access, Aggregation and Services, Core, IP-NGN Edge and Backbone (Internet, partners). Technologies placed in the diagram: Virtual Device Contexts (core and aggregation), Fabric-Hosted Storage Virtualization, Service Profiles, Port Profiles and VN-Link, Virtual Machine Optimization, Application Control (SLB+), Service Control, Fibre Channel Forwarding, Fabric Extension.
  • 8. Secure Data Center Architecture (diagram). The same layers with security services added: Firewall Services and Virtual Contexts for FW and SLB at the aggregation/services layer, Intrusion Detection, Storage Media Encryption, Secure Domain Routing, Virtual Firewall at the Edge and for VMs, Line-Rate NetFlow, alongside Virtual Device Contexts, Fabric-Hosted Storage Virtualization, Service Profiles, Port Profiles and VN-Link, Application Control (SLB+), Service Control, Fibre Channel Forwarding and Fabric Extension.
  • 9. Data Center Security Challenges
  • 10. Security Threats & Considerations: Denial of Service (e.g. against Google, Twitter, Facebook); APT, targeted attacks and nation-state attacks; data protection for privacy and data compliance; application exploits (SQL injection); malware and botnets; mobile malicious code; virtualization concerns.
  • 11. Secure the Platform. Network security best practices: network device hardening; defense in depth; AAA; NetFlow; separation of duties and least privilege. Virtualization specifics: follow hypervisor hardening recommendations; access controls (production vs. management); secure and harden the guest OS; segmentation. Add Security Services: VRF, VLAN and access control lists; stateful network firewalls; intrusion detection and prevention; web firewalls; load balancers; SSL offloading; virtual security appliances; management and visibility tools.
  • 12. Data Center Security Components: What's in our toolbox
  • 13. Physical and Virtual Service Nodes (diagram). Two placements for services in a Web/App/Database server tier on a hypervisor: (1) redirect VM traffic via VLANs to external (physical) appliances, i.e. traditional service nodes with virtual contexts; (2) apply hypervisor-based network services through Virtual Service Nodes (VSN).
  • 14. Physical Firewalls (diagram): the ASA Services Module and the ASA 5585 appliance as traditional service nodes with virtual contexts, with Web/App/Database VM traffic steered to them via VLANs.
  • 15. Features in ASA Firewalls. EtherChannel: the ASA supports Link Aggregation Control Protocol (LACP), an IEEE 802.3ad standard; each port-channel supports up to 8 active and 8 standby links; supported modes of aggregation: Active, Passive and On; EtherChannel ports are treated just like physical and logical interfaces on the ASA; the ASA can tie in directly to a vPC (Nexus 7000) or VSS (Catalyst 6500) enabled switch. Up to 32 interfaces per Virtual Context (formerly 2): 4 interfaces per bridge group, 8 bridge groups per Virtual Context.
  • 16. Catalyst 6500 VSS and Nexus 7000 vPC (diagram): dual active forwarding paths and a loop-free design. The VSS pair is joined by the VSL and the Nexus 7000 pair by the vPC peer link; the active/standby ASA pair attaches by EtherChannel (MCEC to the VSS, vPC to the Nexus 7000). © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential
  • 17. ASA Integration with vPC & VSS (diagram): the same topology, with the active and standby ASAs connected by EtherChannel to the vPC peers (Nexus 7000, peer link) and to the VSS pair (Catalyst 6500, VSL, MCEC).
  • 18. Virtualization Concerns. Policy enforcement: applied at the physical server, not the individual VM; impossible to enforce policy for VMs in motion. Operations and management: lack of VM visibility, accountability and consistency; difficult management model and inability to troubleshoot effectively. Roles and responsibilities: muddled ownership as the server admin must configure the virtual network; organizational redundancy creates compliance challenges. Machine segmentation: server and application isolation on the same physical server; no separation between compliant and non-compliant systems. (Diagram: Web, App and DB servers on one hypervisor, with VLANs and virtual contexts.)
  • 19. Virtualization & Virtual Service Nodes (diagram): Web/App/Database servers on a hypervisor with the Nexus 1000V. Virtual Security Gateway: zone-based intra-tenant segmentation of VMs. ASA 1000V: ingress/egress multi-tenant edge deployment. Both are Virtual Service Nodes (VSN).
  • 20. Cisco's Virtual Security Architecture (diagram), from top to bottom: Orchestration / Cloud Portals; Virtual Network Management Center, extending existing operational workflows to virtualized environments; VSG and ASA 1000V, extending network services to virtualized environments; Nexus 1000V with vPath, extending networking to virtualized environments.
  • 21. vPath: the intelligent virtual network. vPath is intelligence built into the Virtual Ethernet Module (VEM) of the Nexus 1000V (release 1.4 and above). vPath has two main functions: (a) intelligent traffic steering; (b) offloading processing via the fast path from the Virtual Service Nodes to the VEM. Dynamic security policy provisioning (via security profile). Leveraging vPath enhances service performance by moving the processing to the hypervisor.
  • 22. vPath: Fast Path Switching for Virtualization (diagram). VMs attach to the Nexus 1000V distributed virtual switch with vPath, managed by VNMC, with the ASA 1000V and VSG as service nodes. Numbered steps: 1 initial packet flow; 2 access control flow (policy evaluation) at the service node; 3 decision caching; 4 the offloaded fast path in the VEM for the rest of the flow.
  • 23. Cisco Virtual Security Gateway (VSG) and Virtual Network Management Center (VNMC). VSG: context-aware security (VM context-aware rules); zone-based controls (establish zones of trust); dynamic and agile (policies follow vMotion); best-in-class architecture (efficient, fast, scale-out software). VNMC: non-disruptive operations (the security team manages security); policy-based administration (central management, scalable deployment, multi-tenancy); designed for automation (XML API, security profiles).
  • 24. Virtual Security Gateway: context-based rule engine, where ACLs can be expressed using any combination of network (5-tuple), custom and VM attributes; it is extensible so other types of context/attributes can be added in future. No need to deploy on every physical server (due to the Nexus 1000V vPath intelligence), hence it can be deployed on a dedicated server or hosted on a Nexus 1010 appliance. Performance optimization via enforcement off-load to Nexus 1000V vPath. High availability.
  • 25. ASA 1000V: runs the same OS as the ASA appliance and blade; maintains the ASA stateful inspection engines; IPsec site-to-site VPN; collaborative security model, with VSG for intra-tenant secure zones and the virtual ASA for tenant edge controls; integration with Nexus 1000V and vPath. (Diagram: Tenant A VDC and Tenant B VDC, each with a virtual ASA at the edge and VSGs in front of vApps, over vPath on the Nexus 1000V on vSphere.)
  • 26. Nexus 1000V Port Profiles. A port profile on the VSM is pushed through the vCenter API and appears as a port group; each Vethernet interface inherits it:
    port-profile vm180
      vmware port-group pg180
      switchport mode access
      switchport access vlan 180
      ip flow monitor ESE-flow input
      ip flow monitor ESE-flow output
      no shutdown
      state enabled
    interface Vethernet9
      inherit port-profile vm180
    interface Vethernet10
      inherit port-profile vm180
    Supported commands include: port management, port-channel, VLAN, ACL, PVLAN, NetFlow, port security, QoS.
  • 27. Security Policy to Port Profile
  • 28. Design Fundamentals
  • 29. Secure Data Center. Network security can be mapped and applied to both the physical and virtual DC networks. Zones can be used to provide data-centric security policy enforcement. Steer VM traffic to a firewall context. Segment pools of blade resources per zone. Segment network traffic within the zone: system traffic, VM traffic, management traffic. Lock down elements within a zone. Unique policies and traffic decisions can be applied to each zone, creating very flexible designs. Foundation for a secure private cloud.
  • 30. Understand Network and Application Flows. Understand how the applications are deployed and accessed both internally and externally. Understand the North-South and East-West flow patterns. Adjacency of services to servers is important: adding services to existing flow patterns minimizes packet gymnastics. Again, design with the maximum amount of high availability: know your failover and failback times and the traffic paths during failover scenarios. (Diagram: Web client to Web zone to Application zone to Database zone; only permit Web servers access to Application servers; only permit Application servers access to Database servers.)
  • 31. Important. Careful attention should be given to where the server's default gateway resides. It can be disruptive to introduce changes to where the gateway resides; non-greenfield designs require flexibility for deploying new services, e.g. moving the gateway from a switch to a service appliance. Service introduction (firewall, web security, load balancing) can all have an impact on data center traffic flows. Design with the maximum amount of high availability: know your failover and failback times and the traffic paths during failover scenarios. Consider multicast support for Layer 2 vs. Layer 3 services.
  • 32. Traditional North-South Traffic Flow (diagram): Internet, control, aggregation with ASA and IPS, top-of-rack access, zones A, B and C each with vApps on vSphere. Ingress and egress traffic from each zone is routed and filtered appropriately with IPS. A physical firewall, IPS, etc. is deployed for each zone; physical devices for each zone are sometimes required but can be an expensive solution.
  • 33. Network Virtualization and Zones (Acme Co.): control traffic and apply policy per zone. Zones are used to provide data-centric security policy enforcement; unique policies and traffic decisions are applied to each zone. Physical network security is mapped per zone (VRF, virtual context). Lock down elements in the zone; steer VM traffic to a firewall context; segment pools of blade resources per zone; segment network traffic in the zone (system traffic, VM traffic, management traffic). (Diagram: virtual switches on vSphere hosts per zone.)
  • 34. North-South Traffic with Network Virtualization (diagram): Internet, physical ASA, aggregation with VRFs, VLAN 10 (192.168.10.1) and VLAN 20 (192.168.20.1), an ASA virtual context in Layer 2 (transparent) mode, access layer, zones A, B and C with vApps on vSphere.
  • 35. Microsegmentation: Per Zone, Per VM, Per vNIC (diagram: aggregation with VLAN 10 and VLAN 20, a virtual ASA per zone, IPsec between zones, VSGs in front of vApps over vPath on the Nexus 1000V on vSphere, tenant VDCs). Stateful filtering for ingress/egress for the zone. VM segmentation based on VM attributes or ACL. Zone-to-zone traffic can be encrypted via IPsec. Demonstrable segmentation and encryption for virtualization compliance.
  • 36. Segmentation of Production and Non-Production Traffic (diagram): on the host, VMkernel, management and storage traffic are separated from the production vEths behind the VSG; the Nexus 1000V with vPath and the ASA 1000V connect through VMNIC 1 to VMNIC 4 to the Management Network (vCenter, VNMC), the Production Network and the Storage Network.
  • 37. Visibility: Monitor VM-to-VM Traffic. The Nexus 1000V supports NetFlow v9 and ERSPAN/SPAN, so VM-to-VM traffic can be exported to a NetFlow analyzer or mirrored to intrusion detection at the aggregation layer. Caveats: permit GRE protocol type 0x88BE (ERSPAN) on the path; ERSPAN does not support fragmentation; the Nexus 1000V requires a NetFlow source interface, which defaults to mgmt0. ERSPAN configuration from the diagram (Nexus 1000V sources with ID 1 and 2, destinations at the aggregation layer):
    monitor session 1 type erspan-source
      description N1k ERSPAN – session 1
    monitor session 2 type erspan-source
      description N1k ERSPAN – session 2
    monitor session 3 type erspan-destination
      description N1k ERSPAN to NAM
    monitor session 4 type erspan-destination
      description N1k ERSPAN to IDS1
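The ERSPAN caveats above (GRE protocol type 0x88BE, no fragmentation) are easy to verify at the receiving end. The following Python is an added example written for this page, not Nexus 1000V, NAM or IDS code: it parses the GRE and ERSPAN Type II headers of one mirrored packet (the bytes that follow the outer IPv4 header) and recovers the ERSPAN session ID, VLAN and the inner frame's addresses, refusing anything that is not protocol type 0x88BE or ERSPAN version 1 (Type II). The sample packet is constructed; its inner addresses reuse the HR and Finance server addresses from slide 50.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ERSPAN_PROTO = 0x88BE  # GRE protocol type for ERSPAN, the value the slide says to permit
GRE_C, GRE_K, GRE_S = 0x8000, 0x2000, 0x1000  # GRE flag bits: checksum, key, sequence number


@dataclass
class ErspanFrame:
    gre_seq: Optional[int]
    version: int  # 1 == ERSPAN Type II
    vlan: int
    cos: int
    session_id: int
    dst_mac: str
    src_mac: str
    ethertype: int
    src_ip: Optional[str]  # filled in when the inner frame is IPv4
    dst_ip: Optional[str]


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_gre_erspan(gre_payload: bytes) -> ErspanFrame:
    """Parse GRE + ERSPAN Type II + inner Ethernet frame (the bytes after the outer IPv4 header)."""
    if len(gre_payload) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", gre_payload[:4])
    if proto != ERSPAN_PROTO:
        raise ValueError(f"not ERSPAN: GRE protocol type 0x{proto:04x}")
    off = 4
    if flags & GRE_C:
        off += 4  # checksum + reserved
    if flags & GRE_K:
        off += 4  # key
    seq = None
    if flags & GRE_S:  # ERSPAN Type II sets S and carries a sequence number
        (seq,) = struct.unpack("!I", gre_payload[off:off + 4])
        off += 4
    if len(gre_payload) < off + 8:
        raise ValueError("truncated ERSPAN header")
    # ERSPAN Type II: word0 = ver(4) vlan(12) cos(3) en(2) t(1) session(10); word1 = reserved(12) index(20)
    word0, _word1 = struct.unpack("!II", gre_payload[off:off + 8])
    version = word0 >> 28
    if version != 1:
        raise ValueError(f"unsupported ERSPAN version {version}, expected 1 (Type II)")
    vlan = (word0 >> 16) & 0xFFF
    cos = (word0 >> 13) & 0x7
    session_id = word0 & 0x3FF
    frame = gre_payload[off + 8:]
    if len(frame) < 14:
        raise ValueError("truncated inner Ethernet frame")
    dst_mac, src_mac = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    src_ip = dst_ip = None
    if ethertype == 0x0800 and len(frame) >= 34:  # inner IPv4: addresses at IPv4 offsets 12 and 16
        src_ip = ".".join(str(b) for b in frame[26:30])
        dst_ip = ".".join(str(b) for b in frame[30:34])
    return ErspanFrame(seq, version, vlan, cos, session_id, _mac(dst_mac), _mac(src_mac),
                       ethertype, src_ip, dst_ip)


def build_sample_packet(session_id: int = 1, vlan: int = 180) -> bytes:
    """Constructed sample: GRE (S bit, seq 1) + ERSPAN Type II + Ethernet/IPv4 from HR to Finance server."""
    gre = struct.pack("!HHI", GRE_S, ERSPAN_PROTO, 1)
    word0 = (1 << 28) | ((vlan & 0xFFF) << 16) | (session_id & 0x3FF)
    erspan = struct.pack("!II", word0, 0)
    eth = bytes.fromhex("0050568a0001") + bytes.fromhex("0050568a0002") + struct.pack("!H", 0x0800)
    # Minimal IPv4 header: version/IHL, TOS, total length, id, flags/frag, TTL, protocol TCP, checksum 0, src, dst
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       bytes([10, 1, 200, 50]), bytes([10, 1, 200, 100]))
    return gre + erspan + eth + ipv4


if __name__ == "__main__":
    print(parse_gre_erspan(build_sample_packet()))
```

The session ID recovered here is what lets the analyzer or IDS tell the two Nexus 1000V source sessions apart. The outer IPv4 header (20 bytes), the GRE header with sequence number (8 bytes) and the ERSPAN header (8 bytes) add 36 bytes to every mirrored frame, and since ERSPAN does not fragment, the path to the destination has to carry that extra size for full-length frames.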
  • 38. Virtualization & Compliance: PCI DSS 2.0 Guidance. PCI security requirements apply to all "system components", so all virtual components are in scope. System components are defined as any network component, server or application that is included in or connected to the cardholder data environment, and virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops and hypervisors. The cardholder data environment is that part of the network that possesses cardholder data or sensitive authentication data. Adequate network segmentation, which isolates systems that store, process or transmit cardholder data from those that do not, may reduce the scope of the cardholder data environment. Consequences: all virtual communications and data flows must be identified and documented; the virtualized environment must maintain proper segmentation; it must meet the intent of all 12 PCI requirements. (Source: PCI DSS 2.0. Diagram as on slide 36.)
  • 39. Design Details
  • 40. Secure Data Center Reference Architecture: 2x Nexus 7010 with VDCs (Core and Aggregation), NX-OS 5.1(3); 2x Nexus 5000 for top of rack; 2x ASA 5585-60 with IPS; 2x Catalyst 6500-E with ASA-SMs; 2x Virtual Security Gateway (VSG) in HA mode; 2x Nexus 1000V with redundant VSMs; Identity Services Engine (ISE) for 802.1X user AAA; standard VMware ESXi infrastructure with multiple service domains (Active Directory, DNS, VDI, etc.).
  • 41. Traditional Model (diagram: Layer 3 routed core, Layer 2 boundary at aggregation). Services are aggregated at the distribution layer. Single or multi-tenant zone-based segmentation. Virtual contexts create security zones from the DC edge to the virtual machine: VRF -> Firewall -> VLAN -> Virtual Switch -> Virtual Firewall -> vNIC -> VM. EtherChannel and vPC provide a loop-free Layer 2 environment. Visibility and control for VM-to-VM flows.
  • 42. ASA Details (diagram). Two ASA 5585s (Twain and Voltaire) connect by port-channel to the Nexus 7000 aggregation VDCs (7k-1, 7k-2) as vPC9 and vPC10. The ASA side uses channel-group 1 mode passive; the Nexus side uses channel-group 1 mode active. Port-channel load-balancing configuration on the Nexus: src-dst ip. Subinterfaces and VLANs: Po1.201 v201 Outside, Po1.200 v200 Inside, Po1.205 v205 Service-Out, Po1.204 v204 Service-In; BVI-1 and BVI-2 carry 10.1.204.199 and 10.1.200.199.
  • 43. Secure Service Pod Model (diagram: Layer 3 routed core, Layer 2 boundary). The services pod centralizes security services; traffic is forwarded via service-specific VLANs; modules (Catalyst 6500) and appliances are supported; highly scalable modular design; single or multi-tenant zone-based segmentation; security zones from the DC edge to the virtual machine.
  • 44. Nexus 7000 & Catalyst 6500 Channel Group Modes (diagram). Nexus 7000 aggregation VDCs 7k-1 and 7k-2: channel-group 1 mode active (vPC1) and channel-group 2 mode active (vPC2). Catalyst 6500s 6506-1 (WestJet) and 6506-2 (Airbus), each with an ASA-SM: channel-group 1 mode on and channel-group 2 mode on.
  • 45. ASA SM Layer 2 and 3 (diagram: VLAN 221 Outside and VLAN 220 Inside, bridged by the ASA SM):
    interface BVI2
      description bvi for 221 and 220
      ip address 10.1.221.199 255.255.255.0
  • 46. ASA SM Details. Nexus 7000 aggregation VDC 7k-1 (vPC1 to 6506-1 WestJet):
    interface Vlan221
      mac-address b414.89e1.2222
      ip address 10.1.221.252/24
      hsrp 21
        preempt
        priority 105
        ip 10.1.221.254
    interface port-channel1
      switchport
      switchport mode trunk
      vpc 1
    Nexus 7000 aggregation VDC 7k-2 (vPC2 to 6506-2 Airbus):
    interface Vlan221
      mac-address b414.89e1.3333
      ip address 10.1.221.253/24
      hsrp 21
        preempt
        priority 100
        ip 10.1.221.254
    interface port-channel2
      switchport
      switchport mode trunk
      vpc 2
    ASA SM (BVI2 ip address 10.1.221.199), transparent bridge group with failover:
    interface Vlan220
      nameif inside
      bridge-group 2
      security-level 100
    !
    interface Vlan221
      nameif outside
      bridge-group 2
      security-level 0
    failover lan interface Failover Vlan44
    failover link State Vlan45
    failover interface ip Failover 10.90.44.1 255.255.255.0 standby 10.90.44.2
    failover interface ip State 10.90.45.1 255.255.255.0 standby 10.90.45.2
  • 47. Server Gateway Outside of Firewall: Design #1. ASA HA pair in transparent mode with the SVI on the Aggregation VDC; the server gateway is on the outside of the firewall (v201 Outside, v200 Inside, GW 10.1.200.254; Layer 3 above, Layer 2 below). Simple design; the firewall is part of the Layer 2 failure domain.
  • 48. ASA in the Data Center: Design #2, Firewall Between Inter-VDC Traffic (diagram: Core VDC with VRFs, ASA HA pair 1 and ASA HA pair 2 north/south, Aggregation VDC with VRFs, v200 GW 10.1.200.254). Transparent (L2) firewall services are "sandwiched" between Nexus VDCs. Allows other services (IPS, LB, etc.) to be layered in as needed. ASAs can be virtualized for a 1:1 mapping to VRFs. Useful for topologies that require a firewall between aggregation and core. Downside: most or all traffic destined for the core traverses the firewall, a possible bottleneck.
  • 49. Design Details and Benefits: zone-based differentiation, building blocks with VLANs and VRFs; inter-VM firewalling via VSG/ASA 1000V; intra-zone firewalling via both VSG/ASA 1000V and ASA/ASA-SM; inter-zone firewalling via ASA 1000V, ASA or ASA-SM.
  • 50. Server Access and VM Network Details (diagram). Nexus 5000 pair 5k-1 (Inara) and 5k-2 (Jayne) uplink to the aggregation switches on 1/1 and 1/2 and form PortChannel111 over 1/17 and 1/18; ESX host 1 (192.168.100.199) and ESX host 2 (192.168.100.198) attach on 1/11 and 1/12 via VMNIC #2 and #3. Management addresses: VNMC 192.168.100.20, VSG-1 192.168.100.30, VSG-2 192.168.100.31, VSM-1 192.168.100.50, VSM-2 192.168.100.51 (labels Domain 1 and Domain 90). Workload VMs on vEths: HR Server #1 10.1.200.50, HR Server #2 10.1.200.51, Finance Server #1 10.1.200.100, Finance Server #2 10.1.200.101.
  • 51. Deny HR to Finance (diagram): HR Server #1 10.1.200.50, HR Server #2 10.1.200.51, Finance Server #1 10.1.200.100 and Finance Server #2 10.1.200.101 on vEths across ESX1 and ESX2 behind VSM-2 (192.168.100.51), Domain 1; the policy denies the HR servers access to the Finance servers.
  • 52. Policy Hierarchy
  • 53. VNMC Policy: Deny HR to Finance Requests
  • 54. Policy Summary on VSGNexus 1000V VSG
  • 55. Syslog from VSG
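The context-aware rules on slide 24 (any combination of 5-tuple and VM attributes), the zone flow rules on slide 30 (only Web to Application, only Application to Database) and the Deny HR to Finance policy on slides 51 to 55 all reduce to one evaluation loop. The following Python is an added illustration written for this page, not VSG or VNMC code: a first-match, default-deny evaluator keyed on a VM zone attribute rather than on the host the VM runs on, with a minimal connection table so that return traffic is admitted only for connections permitted in the forward direction. The inventory, zone names, ports and the log line format are constructed assumptions; the HR and Finance addresses are the ones on slide 50.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

FiveTuple = Tuple[str, str, str, int, int]


@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    zone: str  # assumed VM attribute (e.g. a vCenter custom attribute); policy keys on it, not on the host


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int
    syn: bool = True  # True: new connection attempt; False: packet of an existing connection


@dataclass(frozen=True)
class Rule:
    name: str
    action: str  # "permit" or "deny"
    src_zone: Optional[str] = None  # VM attribute match; None means any
    dst_zone: Optional[str] = None
    proto: Optional[str] = None  # classic 5-tuple elements, also optional
    dst_port: Optional[int] = None
    src_net: Optional[str] = None  # CIDR


class ZonePolicy:
    """First-match, default-deny evaluator with a connection table (constructed example)."""

    def __init__(self, vms: List[VM], rules: List[Rule]) -> None:
        self.by_ip: Dict[str, VM] = {vm.ip: vm for vm in vms}
        self.rules = rules
        self.established: Set[FiveTuple] = set()
        self.log: List[str] = []

    def zone_of(self, ip: str) -> str:
        vm = self.by_ip.get(ip)
        return vm.zone if vm else "unknown"  # no VM attribute: only zone-less rules can match

    def _matches(self, r: Rule, f: Flow) -> bool:
        if r.src_zone is not None and self.zone_of(f.src_ip) != r.src_zone:
            return False
        if r.dst_zone is not None and self.zone_of(f.dst_ip) != r.dst_zone:
            return False
        if r.proto is not None and r.proto != f.proto:
            return False
        if r.dst_port is not None and r.dst_port != f.dst_port:
            return False
        if r.src_net is not None and ipaddress.ip_address(f.src_ip) not in ipaddress.ip_network(r.src_net):
            return False
        return True

    def evaluate(self, f: Flow) -> Tuple[str, str]:
        """Return (action, rule name) and append a syslog-style line to self.log."""
        key: FiveTuple = (f.src_ip, f.dst_ip, f.proto, f.src_port, f.dst_port)
        reverse: FiveTuple = (f.dst_ip, f.src_ip, f.proto, f.dst_port, f.src_port)
        if not f.syn:
            # Stateful: mid-stream and return packets pass only for a connection permitted forward
            if key in self.established or reverse in self.established:
                return self._decide("permit", "established", f)
            return self._decide("deny", "no-state", f)
        for r in self.rules:
            if self._matches(r, f):
                if r.action == "permit":
                    self.established.add(key)
                return self._decide(r.action, r.name, f)
        return self._decide("deny", "implicit-deny", f)

    def _decide(self, action: str, rule: str, f: Flow) -> Tuple[str, str]:
        self.log.append(f"action={action} rule={rule} src={f.src_ip}({self.zone_of(f.src_ip)}) "
                        f"dst={f.dst_ip}({self.zone_of(f.dst_ip)}) {f.proto}/{f.dst_port}")
        return action, rule


def build_demo() -> ZonePolicy:
    """Constructed inventory and rule set: three-tier zones plus the HR/Finance case from the slides."""
    vms = [VM("web1", "10.1.200.10", "web"), VM("app1", "10.1.200.20", "app"), VM("db1", "10.1.200.30", "db"),
           VM("hr1", "10.1.200.50", "hr"), VM("fin1", "10.1.200.100", "finance")]
    rules = [
        Rule("web-to-app", "permit", src_zone="web", dst_zone="app", proto="tcp", dst_port=8080),
        Rule("app-to-db", "permit", src_zone="app", dst_zone="db", proto="tcp", dst_port=3306),
        Rule("deny-hr-to-finance", "deny", src_zone="hr", dst_zone="finance"),
        Rule("finance-intra", "permit", src_zone="finance", dst_zone="finance"),
    ]
    return ZonePolicy(vms, rules)


if __name__ == "__main__":
    p = build_demo()
    p.evaluate(Flow("10.1.200.10", "10.1.200.20", "tcp", 40000, 8080))  # permit web-to-app
    p.evaluate(Flow("10.1.200.10", "10.1.200.30", "tcp", 40001, 3306))  # web may not reach db directly
    p.evaluate(Flow("10.1.200.50", "10.1.200.100", "tcp", 40002, 445))  # deny-hr-to-finance
    print("\n".join(p.log))
```

Because matching is done on the VM attribute, the rule set stays the same when a VM is vMotioned to another host; only the inventory entry is needed, which is the property the slides attribute to VSG policies following vMotion. An address with no inventory entry resolves to zone "unknown", so a VM that is missing from the attribute source falls through to the implicit deny rather than silently inheriting a zone.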
  • 56. Adding Identity and Access Control Services: ISE and TrustSec
  • 57. ISE Traffic Flow (diagram). A user endpoint at 10.1.204.126 authenticates with EAPOL (802.1X) to the Catalyst 6506 (10.1.204.254), which sends a RADIUS Access-Request to ISE; the RADIUS Access-Accept carries SGT = 5. The resulting IP-address-to-SGT mapping (10.1.204.126 = SGT 5) is propagated by SXP to the Nexus 7000 Core VDC (10.1.200.254), where the SG ACL matrix is enforced in front of the Nexus 7000 Agg VDC, the ASA and the VSG. Matrix shown: Finance to Finance Server #1 (10.1.200.100) permitted; HR Server #1 is 10.1.200.50.
  • 58. ISE Configuration Highlights ISE
  • 59. ISE Authentication: the resulting session as seen on the Catalyst 6500:
    6506-2-airbus#sho authen sess int g3/1
      Interface: GigabitEthernet3/1
      MAC Address: 0027.0e15.578e
      IP Address: 10.1.204.126
      User-Name: finance1
      Status: Authz Success
      Domain: DATA
      Oper host mode: multi-auth
      Oper control dir: both
      Authorized By: Authentication Server
      Vlan Policy: N/A
      SGT: 0005-0
      Session timeout: N/A
      Idle timeout: N/A
      Common Session ID: 0A01CC950000000D0EDFC178
      Acct Session ID: 0x0000001E
      Handle: 0xC500000D
    Runnable methods list:
      Method State
      mab Failed over
      dot1x Authc Success
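Checking one port by hand, as above, does not scale to a data center access layer. The following Python is an added example for this page (not ISE or IOS code): it parses the text of `show authentication sessions interface` output into structured sessions, decodes the `SGT: 0005-0` field into tag 5 (hexadecimal tag, then generation), and flags sessions a TrustSec deployment should not be carrying: a status other than Authz Success, no tag (SGT 0 is the reserved Unknown tag, so SGACL enforcement cannot classify that source), or authorization by MAB only. The sample output is constructed from the slide's session plus a second, made-up session.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SGT_RE = re.compile(r"^([0-9A-Fa-f]{1,4})-(\d+)$")  # IOS shows "<hex tag>-<generation>", e.g. 0005-0


@dataclass
class AuthSession:
    interface: str
    mac: str = ""
    ip: Optional[str] = None
    user: Optional[str] = None
    status: str = ""
    sgt: Optional[int] = None
    sgt_gen: Optional[int] = None
    methods: Dict[str, str] = field(default_factory=dict)  # method name -> state from "Runnable methods list"


def decode_sgt(text: str) -> Tuple[Optional[int], Optional[int]]:
    m = SGT_RE.match(text.strip())
    return (int(m.group(1), 16), int(m.group(2))) if m else (None, None)


def parse_auth_sessions(output: str) -> List[AuthSession]:
    sessions: List[AuthSession] = []
    current: Optional[AuthSession] = None
    in_methods = False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Interface:"):  # each session block starts with its interface
            current = AuthSession(interface=line.split(":", 1)[1].strip())
            sessions.append(current)
            in_methods = False
            continue
        if current is None or not line:
            continue
        if line.startswith("Runnable methods list:"):
            in_methods = True
            continue
        if in_methods:
            parts = line.split(None, 1)  # "dot1x   Authc Success" -> ["dot1x", "Authc Success"]
            if len(parts) == 2 and parts[0] != "Method":
                current.methods[parts[0]] = parts[1].strip()
            continue
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "MAC Address":
            current.mac = value
        elif key == "IP Address":
            current.ip = value
        elif key == "User-Name":
            current.user = value
        elif key == "Status":
            current.status = value
        elif key == "SGT":
            current.sgt, current.sgt_gen = decode_sgt(value)
    return sessions


def flag_sessions(sessions: List[AuthSession]) -> List[Tuple[str, str]]:
    """Return (interface, reason) for sessions that should not be trusted as properly tagged."""
    findings: List[Tuple[str, str]] = []
    for s in sessions:
        if s.status != "Authz Success":
            findings.append((s.interface, f"status is {s.status!r}"))
        if not s.sgt:  # None or 0: no usable tag, SGACL enforcement sees Unknown
            findings.append((s.interface, "no SGT assigned (tag 0/unknown)"))
        if s.methods.get("dot1x") != "Authc Success" and s.methods.get("mab") == "Authc Success":
            findings.append((s.interface, "authorized by MAB only (no 802.1X)"))
    return findings


# Constructed sample: the session from the slide, plus a made-up MAB-only session with no tag.
SAMPLE_OUTPUT = """\
6506-2-airbus#sho authen sess int g3/1
            Interface:  GigabitEthernet3/1
          MAC Address:  0027.0e15.578e
           IP Address:  10.1.204.126
            User-Name:  finance1
               Status:  Authz Success
               Domain:  DATA
        Authorized By:  Authentication Server
                  SGT:  0005-0
    Common Session ID:  0A01CC950000000D0EDFC178

Runnable methods list:
       Method   State
       mab      Failed over
       dot1x    Authc Success

            Interface:  GigabitEthernet3/2
          MAC Address:  0011.2233.4455
           IP Address:  10.1.204.130
            User-Name:  00-11-22-33-44-55
               Status:  Authz Success
               Domain:  DATA
                  SGT:  0000-0

Runnable methods list:
       Method   State
       mab      Authc Success
       dot1x    Not run
"""

if __name__ == "__main__":
    for iface, reason in flag_sessions(parse_auth_sessions(SAMPLE_OUTPUT)):
        print(iface, reason)
```

Run it against the output collected from every access switch (the `show authentication sessions` form without an interface argument lists all sessions in the same block format) and the findings list is the set of ports whose traffic will not carry a meaningful SGT into the SG ACL matrix on the Nexus 7000.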
  • 60. Driving Simplicity: Data Center Design Resources from Cisco
  • 61. Validated Design Guides, a Cisco competitive differentiator. Cisco Validated Designs are recommended, validated, end-to-end designs for next-generation networks. The validated designs are tested and fully documented to help ensure faster, more reliable and more predictable customer deployments. Three types of guides: Design Guides (comprehensive design/implementation); Application Deployment Guides (third-party applications); System Assurance Guides (intensive, ongoing system assurance test programs targeted at major network architectures or technologies).
  • 62. Cisco Validated Designs for the DC. CVD > SAFE: http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/SAFE_RG/SAFE_rg.pdf. CVD > Virtualized Multi-Tenant Data Center (VMDC): http://www.cisco.com/en/US/partner/docs/solutions/Enterprise/Data_Center/VMDC/1.1/design.html. CVD > Secure Multi-Tenant CVD: http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns743/ns1050/landing_dcVDDC.html. (Diagram: ASA 5585-X, vPC, VSS, Catalyst 6500 services chassis with Firewall, ACE, NAM, IPS, ESA and WSA; centralized security and application service modules and appliances can be applied per zone.)
  • 63. Cisco Secure Internet Edge and Data Center (diagram). Network Foundation Protection: infrastructure security features are enabled to protect the device, traffic plane and control plane; device virtualization (VDC) provides control, data and management plane segmentation. TrustSec: consistent enforcement of security policies with Security Group ACLs, access to resources controlled by user identity and group membership, link-level data integrity and confidentiality with standard encryption. Topology: Data Center Core (Nexus 7018 pair with VDCs), Data Center Distribution (Nexus 7000, vPC), SAN, Catalyst 6500 services chassis (ASA, ACE, IPS, NAM), Nexus 5000 Series with Nexus 2100 Series fabric extenders for 10Gig server racks, Unified Computing System with Nexus 1000V and Virtual Service Nodes; zones and multi-zone racks; centralized security and application service modules and appliances can be applied per zone. Service roles: stateful packet filtering (additional firewall services for the server farm zone); network intrusion prevention (IPS/IDS provides traffic analysis and forensics); server load balancing (masks servers and applications and provides scaling); web and e-mail security (security and filtering for web and e-mail applications); access edge security (ACL, Dynamic ARP Inspection, DHCP Snooping, IP Source Guard, Port Security, Private VLANs, QoS); flow-based traffic analysis (NAM virtual blade: traffic analysis and reporting, application performance monitoring, VM-level interface statistics).
  • 64. Q&A #CiscoPlusCA
  • 65. We value your feedback. Please be sure to complete the Evaluation Form for this session. Access today's presentations at cisco.com/ca/plus. Follow @CiscoCanada and join the #CiscoPlusCA conversation.
