Defending the data center
Wed 21st Nov 3:00pm - 3:40pm
  • IPv4 packet sanity checks (slide notes):
    - IPv4 checksum: the IPv4 checksum is verified for frames without options and frames with options.
    - IP header length minimum: the IPv4 header length (IHL) should be greater than or equal to 5, and less than or equal to the IPv4 Total Length.
    - Ethernet Frame length minimum: the Ethernet frame length should be greater than or equal to the IPv4 Total Length plus (14 + 4) octets, where the 4 is due to the CRC-32.
    - Fragment length maximum: the IPv4 payload length + (IPv4 Fragment Offset * 8) should be less than or equal to 65536 bytes.
    - Unexpected fragment: if the IPv4 DF flag is set, the Fragment Offset should be 0.
    - IP version: the version field should be 4 for an IPv4 Ethernet type.
    - UDP length maximum: the UDP length should be less than or equal to the IPv4 payload length.
    - TCP length maximum: (TCP Data Offset * 4) should be less than or equal to the IPv4 payload length, and the TCP Data Offset should be greater than or equal to 5.
    - TCP tiny fragment: if the IPv4 Fragment Offset is 0 and the IPv4 Protocol is TCP, the IPv4 payload length should be greater than or equal to a programmable minimum value. The programmable minimum value default is 16.
    - Broadcast Source IP Address: source IP address is 255.255.255.255.
    - Reserved IP Addresses: source IP address or destination IP address is 127.x.x.x.
    - Identical IP Destination and IP Source Addresses: source IP address == destination IP address, and they are not 0.0.0.0.
    - Destination IP Address is zero.
    - Source IP is a Class D Address: source IP address belongs to the range 224.0.0.0 - 239.255.255.255.
    - Source IP or Destination IP is a Class E address: source IP address or destination IP address belongs to the range 240.0.0.0 - 255.255.255.255.
  • IPv6 packet sanity checks (slide notes):
    - Ethernet version 2 Frame length minimum: the Ethernet frame length should be greater than or equal to the IPv6 layer length, plus the IPv6 payload length, plus (14 + 4) octets, where the 4 is due to the CRC-32.
    - Fragment length maximum: (IPv6 Payload Length - IPv6 Extension Header Bytes) + (Fragment Offset * 8) should be less than or equal to 65536 bytes.
    - IP version: the version field should be 6 for an IPv6 Ethernet type.
    - UDP length maximum: the UDP length should be less than or equal to the IPv6 Payload Length.
    - TCP length maximum: (TCP Data Offset * 4) should be less than or equal to the IPv6 Payload Length, and the TCP Data Offset should be greater than or equal to 5.
    - TCP tiny fragment: if the IPv6 fragment offset is 0 and the IPv6 protocol is TCP, the IPv6 payload length should be greater than or equal to a programmable minimum value. The programmable minimum value default is 16.
  • Transcript: So these documents are out and available to all of you. The Service Chassis Design Guide and the Nexus 7000 Guide are both posted on CCO underneath the Data Center Design Zone. The VSS Guide is currently only available on the ESE internal bock-bock site. We're actually waiting until we can release sort of parallel design guidance regarding VPC that is similar to the types of topologies that we can release or types of topologies that we can build with VSS before we publish the VSS Guide out on CCO.

Defending the data center: Presentation Transcript

  • In the Headlines… Security Is Still Very Relevant
    BRKSEC-2205 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public
  • Where Are We Now?
    - Securing virtualized environments is a big concern
    - We are still early in virtualization adoption
    - Two forms of virtualization are discussed here, and both apply to the Data Center: server virtualization and device virtualization
    - Security requirements shouldn't change with virtualization
  • Data Center Terms (diagram: Data Center Core; Aggregation/Distribution and Services, i.e. the Data Center Aggregation Layer and Data Center Services Layer; Top of Rack/End of Row Access Layer; Virtual Infrastructure / Virtual Access hosting the VMs)
  • Data Center Security Challenges
    - Virtualization
    - Applications
    - Data Loss
    - Compliance
    - Availability
  • Addressing the Challenges (layer-by-layer diagram)
    - Data Center Core: Network Foundation Protection. Infrastructure security features are enabled to protect the device, traffic plane and control plane; device virtualization provides control, data and management plane segmentation. Stateful Packet Filtering: initial filter for all DC ingress and egress traffic; virtual contexts allow correlation to Nexus VDCs.
    - Data Center Aggregation Layer: Network Intrusion Prevention (IPS/IDS provides traffic analysis and forensics); Stateful Packet Filtering (additional firewall services for server-farm-specific protection); Flow Based Traffic Analysis (network analysis for traffic monitoring and data analysis).
    - Data Center Services Layer: Server Load Balancing (masks servers and applications); XML based Application Control (XML Gateway to protect and optimize Web-based services); Application Firewall (mitigates XSS, HTTP, SQL and XML based attacks).
    - Security Management (CS-MARS, CSM): visibility; event correlation across HIPS, firewalls, IPS, NetFlow and syslog; forensics; anomaly detection; compliance.
    - Access Layer: Enhanced Layer 2 Security (access lists, Dynamic ARP Inspection, DHCP Snooping, IP Source Guard, Port Security, Private VLANs, QoS); Layer 2 Flow Monitoring (NetFlow, ERSPAN, SPAN).
    - Virtual Access: endpoint security; host intrusion prevention protects servers against zero-day attacks.
  • Data Center: Aggregation
  • Device Virtualization: Nexus 7000 Virtual Device Contexts (VDCs)
    - Up to 4 separate virtual switches from a single physical chassis with common supervisor module(s)
    - Separate control plane instances and management/CLI for each virtual switch
    - Interfaces belong to only one of the active VDCs in the chassis; external connectivity is required to pass traffic between VDCs of the same switch
  • Aggregation Layer with VDCs (diagram: two Cat6k core switches above N7k1-VDC1/N7k2-VDC1 as the Outside Virtual Device Context and N7k1-VDC2/N7k2-VDC2 as the Inside Virtual Device Context, each with vrf1 and vrf2 and Po99 between the pair; subnets 10.8.0.x/24, 10.8.2.x/24, 10.8.3.x/24, 10.8.162.x/24 and 10.8.152.x/24 and the router IDs are shown in the figure)
  • Control and Segmentation (same diagram, with OSPF Area 0 toward the core and OSPF NSSA Area 81 on the inside VDCs)
    - Control routing propagation
    - Traffic between VDCs must be routed or bridged via external connectivity
    - Access controlled to inside and outside contexts
    - Example: inject only a default route into the internal VDC
  • Aggregation Security Features
    - CoPP: protects the supervisor from DoS attacks, preventing outages; prevents Layer 2 broadcast storms and irrelevant traffic redirections to the CPU
    - Broadcast Suppression: protects the data center against broadcast storms at the port level that pose risks to bandwidth availability
    - Packet Sanity Checks: the forwarding engine performs extensive checks on IPv4 and IPv6 packet headers to protect the network from illegal packets
    - LinkSec: wire-rate link-layer cryptography is provided at all ports. Packets are encrypted on egress and decrypted on ingress, so they are in the clear inside the device
  • Control Plane Policing (CoPP)  The Control-Plane is critical to network operation. DoS attack targeting the Control-Plane can be devastating to the network stability and availability leading to business-impacting network outages  A Denial of Service (DoS) attack to Control/Management Plane, which can be perpetrated either inadvertently or maliciously, typically involves high rates of traffic that result in excessive CPU utilization Nexus 7000  CoPP is a hardware-based feature that protects the Supervisor from DoS attacks  It achieves this by controlling the rate at which packets are allowed to reach the Supervisor Control Plane Layer 2 Protocols Layer 3 Protocols VLAN PVLAN STP LACP © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public OSPF BGP EIGRP PIM GLBP HSRP IGMP SNMP … … Supervisor Logic Representation of the Fabric Modules FE Linecard BRKSEC-2205 UDLD CDP 802.1X CTS Transit Packets Transit Packets FE Linecard 12
  • Control Plane Policing (CoPP) Nexus 7000  NX-OS provides a default policy that can be set when the system is first brought up.  One of the following CoPP policy options can be chosen from of the initial setup script: Strict: ~11Kpps CIR Moderate: the PIR is 25% higher than the CIR of the strict default policy Lenient: the PIR is 50% higher than the CIR of the strict default policy None: no control plane policy is applied  If the initial configuration script is skipped, NX-OS will apply the strict policy. Obviously the policy can be later tuned/modified.  CoPP supports IPv4, IPv6, ARP and MAC ACLs and it is able to match on packets generating exceptions and redirections  The rate in the policy-map can be configured as packet per second (pps), however the statistics will still be shown in bytes per second (bps) BRKSEC-2205 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 13
  • Control Plane Policing (CoPP)  The CoPP supports the same QoS statistics as any other interface  It will show the stats of the class forming the service policy for every Forwarding Engine  An interesting feature, in terms of stats, is the possibility to see the hits for each ACE in the ACL matched by the class-map. This helps narrowing down the origin of the attack. Just remember to enable the stats in the ACL: DC3(config)# ip access-list my-acl DC3(config-ip-acl)# deny udp any any DC3(config-ip-acl)# permit ip any any DC3(config-ip-acl)# statistics BRKSEC-2205 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 14
  • Broadcast Suppression  High volumes of broadcast traffic can impact bandwidth availability and impact network performance – so a way to limit this traffic type is required  Traffic Storm Control allows controlled amount of “storm” traffic to be forwarded out a target port as a percentage of the total bandwidth of the port  The switch monitors outgoing “storm” traffic at 1 second intervals comparing the volume of storm traffic with the configured level that this port can forward  Traffic in excess of the configured limit is dropped  The suppression mechanism is the same on both 1G and 10G linecards  Double digit granularity DC3# config t DC3(config)# int e 2/24 DC3(config-if)# storm-control broadcast level 25.16 BRKSEC-2205 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 15
  • Packet Sanity Checks  Nexus Forwarding Engine performs Sanity checks on the header fields of IPv4 packets.  Nexus Packet Sanity checks protect the network and the system from “illegal” packets.  The IP sanity checks are enabled by default and can be individually disabled. The packets failing the Sanity checks will be dropped and a counter will be kept. Nexus(config)# platform ipv4 verify Nexus# show hardware forwarding ip verify Checks on IPv4 packets: IPv4 IDS Checks Status Pkt -----------------------------+---------+-----address source broadcast Enabled 0 IPv4 checksum IP header length minimum Ethernet Frame length minimum Fragment length maximum Unexpected fragment IP version UDP length maximum TCP length maximum TCP tiny fragment Broadcast Source IP Address Reserved IP Addresses Identical IP Dst & Src Address Destination IP Address is zero Source IP is a Class D Address Class E Src or Dst IP © 2009 Cisco Systems, Inc. All rights reserved. 0 address destination zero Enabled 0 address identical Enabled 0 address source reserved Enabled 0 address class-e Disabled 0 checksum Enabled 0 protocol Cisco Public Enabled Enabled 0 fragment BRKSEC-2205 address source multicast Enabled 0 16
  • Nexus ACLs Key Points
    - Verify-Commit programming paradigm for better usability and manageability
    - Atomic configuration update with no traffic interruption for continuous operations
    - Selective hardware programming for better scalability and resource utilization
    - ACL syntax improvements for better usability and manageability: slash notation for IP addresses; no standard/extended or named/numbered ACLs
    - Support for object groups, time-ranges and re-sequencing
    - ACL-based features: RACLs, VACLs, PACLs and PBR...
    - ACL matching: Layer 2, Layer 3 and Layer 4 header fields (using IPv4, ARP and MAC access lists)
  • Additional Nexus 7000 Tidbits
    - Virtualization support: AAA configuration and operation are local to the VDC. AAA authentication methods for the console login only apply to the default VDC. The AAA accounting log is kept per VDC
    - Role Based Access, four default roles:
      Network-admin: permission to create/delete/assign resources to VDCs; can create other roles and users
      Network-operator: permission to run show commands across all VDCs
      VDC-admin: permission to manage a VDC and create other VDC roles and users for that VDC
      VDC-operator: local to a VDC, with show command privilege
  • Data Center: Security Services (and Others)
  • Security Services (diagram: Data Center Core, Data Center Services Layer, Access Layer and Virtual Access hosting the VMs)
  • Security Service Integration
    - Deploy security services and appliances as transparently as possible. Maintain predictable traffic flows to ensure availability. Think about the scalability of the current infrastructure when planning designs
    - Create security zones based on trust
    - Minimal impact to allowed functions while maintaining enforcement, isolation and visibility
    - Business model, compliance and applications can all drive policy
    - One model does not fit all, but there are some design guidelines we can provide
  • Security Services (diagram: ASA1/ASA2, ACE/ACE2, WAF and IPS inserted between N7k1-VDC2 and N7k2-VDC2, which are joined by Po99; SVI-161 (hsrp .1, 10.8.162.3/.2) and SVI-151 (hsrp .1, 10.8.152.3/.2) on the outside, vrf1 10.8.162.5/.6 and vrf2 10.8.152.5/.6 (hsrp .7) on the inside; VLANs 151, 161, 162, 164 and 190)
  • ASA Physical Connections
    - Redundant physical chassis provide the virtual platform
    - Physical interfaces allocated to independent VDCs
    - Fault tolerance and state VLANs leverage VDC2
    (diagram: two Nexus 7000s joined by Po99; ASA 5580-1 and ASA 5580-2 attached via Eth3/0, Eth3/1, Eth2/1 and Eth2/3; VLAN 172 is the state VLAN and VLAN 171 the failover VLAN)
  • Security Services: Transparent Services Are "Sandwiched" between Nexus VDCs
    - ASA stateful firewall: virtual contexts, transparent mode
    - ACE LB: transparent mode
    - Web Application Firewall: WAF firewall farm
    - Network IPS/IDS: inline or promiscuous IPS
    (diagram: ASA1/ASA2 between SVI-161 (hsrp .1, 10.8.162.3) and SVI-151 (hsrp .1, 10.8.152.3) on N7k1-VDC2 and vrf1 10.8.162.5 / vrf2 10.8.152.5 (hsrp .7); ACE, WAF and IPS on VLANs 161, 162, 163, 164 and 190 in service switch SS1)
  • Examples
  • Virtual Context on ASA for ORACLE DB Protection (diagram: N7k1-VDC2 and N7k2-VDC2 (vrf1, hsrp .1 on 10.8.141.3 and 10.8.141.2, Po99) above ASA1-vc3 and ASA2-vc3, with ACE1/ACE2 and IPS1/IPS2 in service switches SS1/SS2 on VLANs 162, 163 and 164; ASA interfaces E3/2 and E3/3 bridge VLAN 141 (E2/37, E2/38) to VLAN 142; Oracle DB on Bond142 at 10.8.141.151)
  • Example of Server to Database access through a virtual firewall context (diagram: Srv-A on VLAN 141 behind N7k1-VDC2 (STP root, hsrp .1) and N7k2-VDC2, through ASA1-vc3/ASA2-vc3 to the Oracle DB on VLAN 142, Bond142 at 10.8.141.151)
  • WAF Incidents Showing Attack (screenshot)
  • WAF Event Viewer Attack Details (screenshot)
  • Using ACE and WAF to Maintain Real Client IP Address as Source in Server Logs
  • Server Logging
    - Session persistence may be maintained via HTTP header insertion
    - ACE LB and Web Application Firewall support this functionality
  • Access Layer
  • Data Center Physical Access Layer
    - The physical data center access layer is fairly well understood
    - The features and design options at this layer have evolved through the use of virtualization
    - Security features for the access layer have been available and deployed for quite some time
    - A few highlights for the physical access layer before we look at Virtual Access…
  • Data Center Access (diagram: Data Center Core, Data Center Aggregation Layer, Data Center Services Layer, Data Center Access Layer and Virtual Access hosting the VMs)
  • Security Considerations
    - In many cases server tiers/clusters are separated by VLANs
    - Servers are often Layer 2 adjacent
    - Must allow for mobility: DR, maintenance
    - Security is key in maintaining availability of the servers and applications connected here
  • Make Use of Switch Security Features
    - Anti-spoofing features: Dynamic ARP Inspection, IP Source Guard, DHCP Snooping
    - STP protection (BPDU Guard)
    - QoS
    - Broadcast Packet Suppression
    - PVLANs
    - Access Lists
    - SPAN, ERSPAN, NetFlow
  • Virtual Access and Security
  • Server Virtualization (diagram: VMs with Virtual Ethernet (vnet) adapters, uplink ports and physical adapters)
    - Benefits of virtualization: power savings, consolidation of resources, server portability, application failover
  • Server Virtualization
    - Hypervisors: Type 1 or Type 2. Type 1 hypervisors are built into a pre-hardened host; there is no distinct boundary between the host operating system and the hypervisor. Type 2 hypervisors are installed as separate software on top of the existing host operating system
    - The primary role of the host OS or hypervisor is to work with the VMM to coordinate access to the physical host system's hardware resources (CPU, device drivers, etc.)
    - Theoretically the hypervisor should have fewer security vulnerabilities because it runs minimal services and contains only essential code, BUT maintaining security updates is still important!
  • Server Virtualization Security Concerns
    - Secure hypervisor: mitigate the risk of an attacker gaining unauthorized access to the hypervisor and taking control of the physical server and related virtual servers
    - Rogue VMs: has a guest operating system been compromised? Virtual server mobility
    - Inter-VM traffic visibility and security: traffic between two virtual machines can flow across the bus inside the hosting physical server and need not be switched on an external network where traditional tools can be used. The VMware "virtual switch" lacks security features available in Cisco switching platforms
    - Shared file system between VMs: VMFS and VMotion; consolidated SANs or NAS attached storage
  • Securing the Hypervisor…
    - The hypervisor has access to all resources: it manages all system resources and manages LAN & SAN access
    - The vSwitch lacks "standard" network functions: no visibility into VM-to-VM traffic on a port group, no visibility into VM-to-Hypervisor calls
  • Virtual Machine LAN Security (diagram: DMZ Web Server, Application Servers and Database Server VMs sharing one host's vnet adapters, uplink ports and physical adapters)
    - Be aware of security affinities. Would you place all your applications on the same VLAN?
    - Recommendation: do not consolidate servers with unlike security affinities onto a single VLAN
    - Challenging troubleshooting & monitoring environment
  • Virtual Machine VMotion Security (diagram: ESX cluster with VMs .11, .12 and .13; policy Permit .11 <-> .12, Deny .11 <-> .13, Deny .12 <-> .13)
    - VMotion enables workload mobility & disaster recovery
    - Increases server utilization efficiency by balancing workloads between servers
    - VMs can move between ESX cluster members with the same configuration (port-groups, VLANs, etc.)
    - Inconsistent security policy enforcement and visibility: policies applied at the server port or VLAN cannot be consistently applied
    - VMotion traffic is sent in clear text. Take precautions for isolating it
  • Virtual Machine Exploits
    - Several theoretical exploits: gaining control of the hypervisor, exploiting vMotion
    - Reconnaissance: virtual machine detection via VME artifacts; malware that detects virtual machines (tools: The Red Pill, Scoopy & Doo, VMDetect, etc.); virtual machine-based root kits
    - Theoretical attacks are interesting, but let's focus on the simple things that cover 99% of the issues. Most people don't even have the simple items covered! Let's worry about this before we worry about theoretical hypervisor attacks.
  • Things to Ponder…
    - Traditional security problems are unchanged
    - Security policies still need to be enforced
    - Virtualization introduces some new flavors: the hypervisor is a new layer of privileged software; potential loss of separation of duties; limited visibility into inter-VM traffic
    - So what's the secret ingredient?
  • There Is NO Secret Ingredient! Security best practices still apply! If you would not do it on a non-virtualized server, you probably should not do it on a virtualized server. But we can address the virtualization concerns…
  • Merging Physical to Virtual Infrastructure (diagram: Physical Access Switch alongside the Integrated Nexus 1000V Virtual Switch)
  • Virtual Access Fabric: Nexus 1000V (diagram: N7k1-VDC2 and N7k2-VDC2 above DC-5020-1/DC-5020-2 (Po71, Po72) and VSS-ACC; trunking uplinks Po151 to ESX4 hosts running the Nexus VEMs with Po1/Po2/Po3 port channels using src-mac hash; the vSwitch hosts the Nexus VSM)
  • Nexus 1000V Key Features
    - Includes key Cisco network and security features
    - Addresses issues for: VM isolation, separation of duties, VM visibility
  • Separation of Duties: Network and Server Teams
    - Port Profiles: a network feature macro
    - Example: features are configured under a port profile once and can be inherited by access ports
    - Familiar IOS look and feel for network teams to configure virtual infrastructure
      port-profile vm180
        vmware port-group pg180
        switchport mode access
        switchport access vlan 180
        ip flow monitor ESE-flow input
        ip flow monitor ESE-flow output
        no shutdown
        state enabled
      interface Vethernet9
        inherit port-profile vm180
      interface Vethernet10
        inherit port-profile vm180
    (diagram: VMs 10.10.10.10, 10.10.20.20 and 10.10.30.30 behind a promiscuous port)
  • Separation of Duties: Network and Server Teams
    1. Nexus 1000V automatically enables port groups in Virtual Center via API
    2. Server Admin uses Virtual Center to assign vnic policy from available port groups
    3. Nexus 1000V automatically enables VM connectivity at VM power-on
    Workflow remains unchanged
  • VMotion
    1. Virtual Center kicks off a VMotion (manual/DRS) & notifies Nexus 1000V
    2. During VM replication, Nexus 1000V copies the VM port state to the new host
    3. Once VMotion completes, the port on the new ESX host is brought up & the VM's MAC address is announced to the network
    Mobile properties include: interface state and counters, flow statistics, remote port mirror session, port policy
  • VM Isolation: Cisco Private VLANs
    - Private VLANs provide Layer 2 isolation for hosts in the same subnet
    - Traditional Cisco PVLANs are supported: isolated & community ports, promiscuous port
    - The physical infrastructure is PVLAN aware. You can carry PVLANs to physical devices, i.e. FWSM (diagram: isolated VLAN and community VLAN)
  • VM Isolation and Traffic Control (diagram: VMs 10.10.10.10 and 10.10.20.20 behind a promiscuous port)
    - Port ACLs
    - Limit VM to VM traffic flows
    - Enforce the way you enforce between physical servers today
    - Use in conjunction with VLANs, PVLANs
      dcvsm(config)# ip access-list deny-vm-to-vm-traffic
      dcvsm(config-acl)# deny ip host 10.10.10.10 host 10.10.20.20
      dcvsm(config-acl)# permit ip any any
  • Isolating Production and Management Traffic (diagram: VMs 10.10.10.10 and 10.10.20.20, management network 192.168.20.0, behind a promiscuous port)
    - Isolate management traffic from production
    - Enforce physical separation and virtual separation
      dcvsm(config)# ip access-list deny-vm-traffic-to-service-console
      dcvsm(config-acl)# deny ip 10.10.0.0 192.168.20.0
      dcvsm(config-acl)# permit ip any any
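The two port ACLs on this slide and the previous one, evaluated in software as an added example (Python written for this page, not Cisco code): a first-match ACL matcher in the NX-OS syntax the deck uses (host, any, slash notation) that also keeps the per-ACE hit counters the CoPP slide relies on for narrowing down an attack's origin. The /16 and /24 masks on the management ACL and the joined ACL name are assumptions, since the slide omits them.

```python
from ipaddress import IPv4Network, ip_address

# The two ACLs from the slides, in NX-OS syntax (host A, any, or slash notation).
DENY_VM_TO_VM = [
    "deny ip host 10.10.10.10 host 10.10.20.20",
    "permit ip any any",
]
# The slide writes this ACL without masks; /16 and /24 are assumed here.
DENY_VM_TO_SERVICE_CONSOLE = [
    "deny ip 10.10.0.0/16 192.168.20.0/24",
    "permit ip any any",
]
PROTOCOLS = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1}  # None matches any IP protocol


def parse_address(tokens):
    """Consume one address term ('any', 'host A', or 'A/len'); return (network, rest)."""
    if tokens[0] == "any":
        return IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return IPv4Network(tokens[1] + "/32"), tokens[2:]
    return IPv4Network(tokens[0], strict=False), tokens[1:]


class AccessList:
    """First-match ACL with per-ACE hit counters (what enabling statistics shows on NX-OS)."""

    def __init__(self, name, lines):
        self.name = name
        self.aces = []
        for line in lines:
            tokens = line.split()
            src, rest = parse_address(tokens[2:])
            dst, _ = parse_address(rest)
            self.aces.append({"text": line, "action": tokens[0],
                              "proto": PROTOCOLS[tokens[1]], "src": src, "dst": dst, "hits": 0})

    def evaluate(self, src, dst, proto=6):
        """Return 'permit' or 'deny' for one packet; unmatched packets hit the implicit deny."""
        s, d = ip_address(src), ip_address(dst)
        for ace in self.aces:
            if ace["proto"] is not None and ace["proto"] != proto:
                continue
            if s in ace["src"] and d in ace["dst"]:
                ace["hits"] += 1
                return ace["action"]
        return "deny"

    def statistics(self):
        """Per-ACE hit counts, in ACL order."""
        return [(ace["text"], ace["hits"]) for ace in self.aces]


def demo():
    """Constructed flows through both ACLs; returns the verdicts and both hit tables."""
    vm_acl = AccessList("deny-vm-to-vm-traffic", DENY_VM_TO_VM)
    console_acl = AccessList("deny-vm-traffic-to-service-console", DENY_VM_TO_SERVICE_CONSOLE)
    verdicts = {
        # Only the direction written in the ACE is blocked; the reverse direction still
        # matches 'permit ip any any', so the ACL has to be applied where the return
        # traffic enters as well, or a mirror ACE added.
        "vm10 -> vm20": vm_acl.evaluate("10.10.10.10", "10.10.20.20"),
        "vm20 -> vm10": vm_acl.evaluate("10.10.20.20", "10.10.10.10"),
        "vm10 -> vm30": vm_acl.evaluate("10.10.10.10", "10.10.30.30"),
        "vm10 -> console": console_acl.evaluate("10.10.10.10", "192.168.20.5"),
        "vm10 -> vm20 (console acl)": console_acl.evaluate("10.10.10.10", "10.10.20.20"),
    }
    return verdicts, vm_acl.statistics(), console_acl.statistics()
```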
  • Anti-Spoofing (diagram: VMs 10.10.10.10, 10.10.20.20 and 10.10.30.30 behind a promiscuous port)
    - Protection against man-in-the-middle attacks
    - Dynamic ARP Inspection, DHCP Snooping, IP Source Guard
      ip arp inspection vlan 180
      ip arp inspection filter staticIP vlan 180
      !
      arp access-list staticIP
        permit ip host 10.10.10.10 mac host 00:50:56:87:18:2d
        permit ip host 10.10.20.20 mac host 00:50:56:87:18:3d
        permit ip host 10.10.30.30 mac host 00:50:56:87:18:4d
      !
      errdisable recovery cause arp-inspection
      errdisable recovery interval 120
      !
      switchport access vlan 180
      switchport mode access
      ip arp inspection limit rate 100
  • VM to VM Visibility: ERSPAN (diagram: ERSPAN destination with ID:1 to IDS1 and ID:2 to the Network Analysis Module in the services switch)
    - An ERSPAN source requires the use of an ERSPAN destination. Only one IP address is associated with the ERSPAN source/destination per switch
    - The ERSPAN ID provides segmentation
    - Permit protocol type header "0x88BE" for ERSPAN GRE
    - ERSPAN frame considerations: ERSPAN does not support fragmentation; it appends a 50-byte header to the frame; the default 1500 MTU allows for 1468-byte frames; the maximum frame size supported is 9,202 bytes
  • ERSPAN Nexus 1000 Configuration
      port-profile erspan
        capability l3control
        vmware port-group
        switchport access vlan 3000
        no shutdown
        system vlan 3000
        state enabled
      !
      monitor session 1 type erspan-source
        description -- to SS1 NAM via VLAN 3000
        source interface Vethernet8 both
        destination ip 10.8.33.4
        erspan-id 1
        ip ttl 64
        ip prec 0
        ip dscp 0
        mtu 1500
        no shut
      monitor session 2 type erspan-source
        description -- to SS1 IDS1 via VLAN 3000
        source interface Vethernet8 both
        destination ip 10.8.33.4
        erspan-id 2
        ip ttl 64
        ip prec 0
        ip dscp 0
        mtu 1500
        no shut
  • ERSPAN: IDS and NAM
    - Comprehensive view of VM traffic via ERSPAN to two network analysis devices simultaneously
    - NAM and IDS provide clarity. In this example, a port scan of a VM is detected on the IDS and visible on the NAM
  • Example: Using ERSPAN to IDS for VM to VM Traffic (diagram: ERSPAN destination IP 10.8.33.4, ID:1 to IDS1 and ID:2 to the Network Analysis Module; VMs 10.8.180.230 and 10.8.180.234)
  • VM to VM Visibility: NetFlow (diagram: out-of-band and in-band NetFlow collectors)
    - N1k requires a NetFlow source interface; defaults to Mgmt0
    - Supports the v9 format
  • NetFlow
    - A maximum of one flow monitor per interface per direction is permitted
    - A maximum of two flow exporters per monitor are permitted
    - Port profiles afford easy deployment
      flow exporter exporttest
        description exportv9
        destination <IP ADDRESS>
        use-vrf management
        transport udp 3000
        source mgmt0
        version 9
          template data timeout 1200
          option exporter-stats timeout 1200
      flow monitor NAMTest
        description default flow to NAM
        record netflow-original
        exporter exporttest
        timeout inactive 600
        timeout active 1800
        cache size 15000
      port-profile vm180
        vmware port-group pg180
        switchport mode access
        switchport access vlan 180
        ip flow monitor NAMTest input
        ip flow monitor NAMTest output
  • VM Guest OS Protection: Host IPS and Integration with Network IPS (diagram: Cisco Security Agent host IPS on the endpoint; the CSA Management Center exchanges host posture & quarantine events and host posture & event information with the Network IPS over SDEE)
    - A host is quarantined manually by a Cisco Security Agent MC administrator or rule-generated by global correlation
    - Quarantine events include the reason for the quarantine, the protocol associated with a rule violation (TCP, UDP, or ICMP), an indicator of whether a rule-based violation was associated with an established TCP connection or a UDP session, and the IP address of the host to be quarantined
    - Protect the endpoint
  • Remember…
    - Security best practices still apply
    - Limit data flow to other servers and resources
    - Do not use non-persistent disks
    - Harden the host OS, hypervisor & guest OS
    - Use AV, maintain patches and updates
    - Consider using a HIPS solution
  • Takeaways
    - Device virtualization: scale use of network and security components; flexible integration options; can get complicated… plan accordingly
    - Server virtualization: secure the virtual machine environment; use features to maintain visibility; ensure separation of duties is maintained; don't do what you wouldn't do on a physical machine
  • Key Threats Mitigated
  • Additional Resources
    - Data Center Design Zone: http://www.cisco.com/go/designzone