Designing Secure Cisco Data Centers
Transcript

  • 1. Михаил Кадер (Mikhail Kader), mkader@cisco.com, security-request@cisco.com. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
  • 2. Cisco Validated Designs Deliver Results. Data Center / Secure Data Center CVD – www.cisco.com/go/vmdc
    “59% of organizations lack the lab resources or test environments to validate vendor claims for themselves.” —SANS Institute
    “Organizations clearly lack well-defined standards, processes, and resources for determining the resiliency of their critical network devices and systems.... Need methodical resiliency validation using a combo of real traffic, heavy load and security attacks.” —SANS and TOGAG
  • 3. Setting the Foundation for the Secure Designs
  • 4. Architecture: Traditional Data Center Architecture. Items of note:
    - Both Physical Network Fabric and Virtualization components are represented
    - Well-defined DC Edge (layer 3) providing connectivity and security services to/from DC and Internet/Extranet
    - DMZ network (physical or virtual workload) on DC edge that could securely leverage physical workloads or virtual workloads
    - DC Core is Routed (OSPF, BGP, EIGRP) with ECMP
    - DC Aggregation layer contains Physical Security Services allowing the creation of internal zones / trust enclaves without crossing core (East-West) and crossing core (North-South) only when required
    - Various End-of-Row/Top-of-Rack options represented between Aggregation and Compute/Access Layer
    - Virtual Security services represented with Nexus 1000v
  • 5. Traditional Secure Data Center Design – Basic and Simplified Data Center
    1 Physical Network Fabric –
      - Creates the shared physical infrastructure for moving packets within the Data Center (North, South, East and West)
      - Leverages the DC-Class Technologies of Cisco Nexus Switching
    A External DC Edge – (External Zoning)
      - Boundary between the Data Center and the rest of the corporate network (or Internet) (North-South)
    B Internal DC Zones – Stateful Internal separation
      - Allows Secure Zones or Trust Enclaves to be established within the DC Network Fabric, establishing secure separation via External DC Zones or other Internal DC Zones (North-South)
      - Should inherently take advantage of the optimized network infrastructure without violating proper Data Center Design objectives: High-Availability / Zero Downtime; Scalability / Massive Workload Processing; Survivability / Redundancy; Low Latency / No Packet Loss; Asymmetric Traffic Flows
    Diagram legend: 1 Physical Network Fabric, 2 Virtual Fabric & Compute, A External DC Edge / Virtual Workloads, B Internal DC Zoning / Virtual Services
  • 6. Traditional Secure Data Center Design – Basic and Simplified Data Center
    2 Virtual Fabric and Compute –
      - Creates the shared virtual infrastructure for moving packets within the Virtualized Data Center
      - Leverages Virtualization & Compute Technologies of Cisco Nexus / Unified Compute System (UCS) and Virtualization Software, e.g. VMware, Citrix, etc.
    A Secure Virtual Workloads –
      - Securing the sum of the requests made by users and applications of a ‘virtual system’
      - Typically defined as a self-contained unit: an integrated stack consisting of application, middleware, database, and operating system devoted to a specific computing task
    B Virtual Security Services –
      - The virtual services defined to successfully secure and optimize a Virtual Workload – Virtual Firewalls, Virtual Routing, Network Management, Virtual Load Balancers, Cloud Interconnect, VPN, etc.
    Diagram legend: 1 Physical Network Fabric, 2 Virtual Fabric & Compute, A External DC Edge / ‘Secure’ Virtual Workloads, B Internal DC Zoning / Virtual Security Services
  • 7. Architecture: Secure DC – Traditional Use Cases
    1. Secure Internal Zone from External Zone
    2. Secure Data in a Compliance Scenario [PCI, FISMA, HIPAA, etc.]
    3. Secure Application Tiers: Front-End (Presentation), Web Tier (business logic), DB Tier (data access)
    4. Secure Multi-Tenancy (Extranet: Vendor, Partner)
    Diagram labels: Internet, VDC1, VDC2, CTX1, CTX2, DMZ, vPC, Cisco VXI, Campus / Data Center
  • 8. Architecture: Secure DC – Evolving Deployment Use Cases
    1. Traditional (Physical) DC (VDC1, VDC2, vPC)
    2. Virtual DC (VMDC, Custom DC)
    3. Virtual Desktop (Cisco VXI)
    4. Internal Private Cloud
    5. Virtual Private Cloud (IPsec/SSL)
    6. Public Cloud (PaaS, SaaS)
    Diagram labels: Physical, Virtual, Private Cloud, Public Cloud, Internet
  • 9. Architecture: The Evolving Data Center Architecture
    Aggregation Layer (Data Center Core / Aggregation Block; Layer 3 above, Layer 2 below)
      • Workload is localized to the Aggregation Block
      • Centralized point for ingress and egress data center flows
      • Can be demarcation point for L2 and L3
      • Services can be scaled as data center grows
    DC Aggregation Services Layer (option)
      • Additional services location for server farm specific protection / optimization
      • Services localized to the applications running on the servers connected to the physical pod – SLB, Monitors, etc.
      • Offloads port utilization from Aggregation Layer
    DC Access Layer (Virtual Network & Access, Storage, Virtual UCS Access)
      • Physical and virtual form factor for server connectivity
      • Top of rack provides port density for server connections
      • Merging point between physical and virtual networks
      Diagram labels: Data security, Virtual Firewall, Port security, Real-time Monitoring, authentication, access control, QoS features, Firewall Rules
    Goal #1: Understand the current approach (De-Couple the Elements of the Design)
    Goal #2: Understand the options we have to build a more efficient architecture (Re-assemble the elements into a more flexible design)
  • 10. Architecture: The Evolving Data Center Architecture – Adding Layered Security Services
    Data Center Edge
      • Physical delineation for all ingress and egress into the ‘CORE’ of the DC – Traditional Security Models apply to North-South Protection
    Aggregation Layer
      • Initial filter for all ingress and egress to DC services & compute – “North-South” protection
      • Stateful filtering and logging for all ingress and egress traffic flows
      • Physical appliances can be virtualized and applied to server enclaves
    Services Layer (option)
      • Additional services location for server farm specific protection and other potential zones
    Virtual Network & Access (Storage, Virtual UCS Access)
      • Virtual firewall, zone/enclave based filtering
      • IP-Based Access Control Lists
      • VM attribute-based policies – Should Follow VM
      • “East-West” protection
    Diagram labels: Data security, Virtual Firewall, Port security, Real-time Monitoring, authentication, access control, QoS features, Firewall Rules
  • 11. VDC and VPC Designs
  • 12. Traditional Secure DC Design – Network Fabric Best Practices
    1 Physical Network Fabric –
      - Leverage the full capacity of the Cisco Nexus Switching infrastructure
      - Security is pervasive, and while it has been known to ‘reduce convenience’, decreasing required network functionality is unacceptable.
    A External DC Edge – (External Zoning)
      - Leverage Edge connectivity (routing)
      - Provide Edge Security (Firewall at minimum)
      - Layer 3 Firewalling (with or without NAT) may be used successfully
      - IPS and Next Generation Systems can add additional visibility and protection
      - If very high-speed firewalling / federations, etc. are desired at the DC edge, ASR1K can deliver up to 100Gbps FW with Stateful HA
      - Path diversity into the datacenter if you can. Stateless with Federation to authenticate to the app, Stateful with Federation for compliance
    B Internal DC Zones – Stateful Internal separation
      - Keep routing on the Routers (Firewalls implemented transparently)
      - Leverage vPC/vPC+ and/or FabricPath technology to maximize DC traffic flow capability
      - All flows are expected to be asymmetric, therefore zone design should support this
      - No additional Packet-Loss penalties should be introduced
      - Zero-downtime Firewall upgrades should be supported
      - Survivability/HA on the Firewall / IPS devices is critical
    Diagram legend: 1 Physical Network Fabric, 2 Virtual Fabric & Compute, A External DC Edge / Virtual Workloads, B Internal DC Zoning / Virtual Services
  • 13. Connectivity: Building an Efficient DC Fabric to Scale – Scaling the Network Fabric with Virtual Device Contexts (VDC)
    Diagram: each VDC (VDC 1, VDC 2, …) runs its own Layer 2 protocols (VLAN, PVLAN, STP, LACP, UDLD, CDP, 802.1X, CTS, …) and Layer 3 protocols (OSPF, BGP, EIGRP, PIM, GLBP, HSRP, IGMP, SNMP, …)
    Nexus 7000 VDC – Virtual Device Context (up to 8 VDCs plus 1 Management VDC – SUP2E w/ NX-OS 6.04/6.1)
      • Flexible separation/distribution of hardware resources and software components
      • Complete data plane and control plane separation
      • Complete software fault isolation
      • Securely delineated administrative contexts
      • Each physical interface can only be active in one VDC
  • 14. Connectivity: Using VDCs for Vertical Consolidation – one of the most common uses of VDCs
    • Allows consolidation of Core and Aggregation while maintaining network hierarchy
    • No reduction in port count or links, but fewer physical switches
      ‒ Copper Twinax cables (CX-1) provide a low cost 10G interconnect option
    Diagram: Core and Agg VDCs on the same chassis above the Access layer
  • 15. Connectivity: Using VDCs for Internet Edge/DMZ/Core
    • Option to meet multiple needs – XL VDC, DMZ and Core
    • Maintains security model with logical separation
    • Firewalls for Intra- or Inter-VDC traffic flows
    Diagram: Internet – Internet Edge (XL) VDC – DMZ VDC – Core VDC
  • 16. Connectivity: VDC Security Certification – VDC separation is industry certified
    • ‘Leak-proof Security Mechanism’ – NSS Labs for PCI Compliant Environments – http://www.nsslabs.com
    • FIPS 140-2 – http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf
    • Common Criteria Evaluation and Validation Scheme – Certification #10349 – http://www.niap-ccevs.org/st/vid10349/
  • 17. Connectivity: Using VDCs for PCI Compliance Segmentation
    • Maintains compliant security model with physical separation
      ‒ FW and IPS at the boundary of the CDE zone as required by PCI-DSS 2.0
    Diagram: Internet – Internet Edge (XL) VDC – PCI VDC – Core VDC
  • 18. Connectivity: Building an Efficient DC Fabric to Scale – Scaling the Network Fabric with Virtual Port Channel (vPC)
    • Allow a single device to use a port channel across two upstream switches (aka MCEC)
    • Eliminate STP blocked ports
    • Simplify L2 paths by supporting loop-free, non-blocking, concurrent L2 paths
    • Dual-homed servers operate in active-active mode
    • Provide fast convergence upon link/device failure
    Diagram: logical topology without vPC (Aggregation / Access, one STP-blocked path) versus logical topology with vPC (vPC Peers, MCEC, both paths forwarding)
    Enabling vPC on the switch and checking the feature status:
      ! Enable vpc on the switch
      dc11-5020-1(config)# feature vpc
      ! Check the feature status
      dc11-5020-1(config)# show feature | include vpc
      vpc                   1          enabled
  • 19. Connectivity: What is a Virtual Port Channel (vPC)?
    • vPC is a port-channeling concept extending link aggregation to two separate physical switches
    • vPC allows a single device to use a port channel across two neighbor switches (vPC peers)
    • The vPC peer link is used to synchronize state between vPC peer devices; it must be 10GE
    • Eliminates STP blocked ports / STP delays / calculations and uses all available uplink bandwidth (active/active)
      ‒ Does not actually turn off STP – FabricPath does this
    • Supported in NX-OS switches only
    • Recommended to always use LACP for dynamic LAG
    • vPC Design & Best Practices Guide: http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572830-00_Agg_Dsgn_Config_DG.pdf
    Diagram label: VPC PEER LINK
  • 20. Connectivity: Why use vPC? – Multi-Chassis EtherChannel (MEC)
    • No Port Channel: STP allows only one active link; sub-optimal flows and resource usage
    • Single-Chassis LACP Port Channel: both links active but no device redundancy (single switch); LACP load balance src-dst-IP (hash)
    • vPC Multi-Chassis LACP Port Channel: both links active, optimal redundancy, all links active; LACP load balance src-dst-IP (hash) across both vPC peers (VPC PEER LINK)
  • 21. Connectivity: vPC with Multiple ASAs – A/S or A/A Failover
    • Part of CVD architecture since July 2011
    • vPC ensures zero packet loss in the event of a link failure to the ASA firewall, a firewall failure, a switch failure, VDC reset, or vPC peer-link loss
      ‒ Works with both A/S and A/A failover (and with ASA 9.x Clustering)
    • Allows ASA to participate in necessary DC redundancy technologies with expected flow asymmetry
    • ASA is the only DC firewall on the market that can simultaneously:
      1. Run standards-based LACP for dynamic LAG to Nexus vPC/vPC+ or Cat6K VSS with proper bundling semantics – no traffic black holes or loss of state due to expected flow asymmetry / out-of-order packets
      2. Support all of the same LACP load balancing hash values as the switch fabric(s) [default = src-dst IP]
      3. Support dynamic LAG (LACP) in all modes: Routed / Transparent / Multi-context / Mixed-context(s) / Clustering
      4. Successfully handle the expected flow asymmetry and out-of-order packets from multiple chassis simultaneously
    Diagram labels: ASA channel 32, State and Failover links, N7K VPC 40, N7K VPC 41, VPC PEER LINK
  • 22. Connectivity: ASA Connecting to Nexus with vPC (basic)
    Diagram: North Zone VLAN 200 (Outside) above the Nexus pair joined by the VPC PEER LINK; N7K VPC 40 trunks down to ASA channel 32; South Zone VLAN 201 (Inside) below the ASA
    Note: the example shows only one side of the configuration, N7K1 and ASA1; the full configuration would be assumed. The ASA is connected to the Nexus with vPC and establishes an internal DC zone pair between VL200 (N) and VL201 (S). The ASA is deployed in transparent (L2) mode in this example to minimize network fabric modification(s); this is discussed in detail later.
    N7K1 configuration:
      interface Ethernet4/1
       switchport mode trunk
       channel-group 40 mode active
       no shutdown
      !
      interface Ethernet4/2
       switchport mode trunk
       channel-group 40 mode active
       no shutdown
      !
      interface port-channel40
       switchport
       switchport mode trunk
       switchport trunk allowed vlan 1,200,201
       vpc 40
      !
      vpc domain 10
       role priority 50
       peer-keepalive destination 10.1.1.2 source 10.1.1.1 vrf vpc-mgmt
       peer-gateway
    ASA1 configuration:
      interface TenGigabitEthernet0/6
       channel-group 32 mode active vss-id 1
       no nameif
       no security-level
      !
      interface TenGigabitEthernet0/7
       channel-group 32 mode active vss-id 2
       no nameif
       no security-level
      !
      interface BVI1
       ip address 172.16.25.86 255.255.255.0
      !
      interface Port-channel32
       no nameif
       no security-level
      !
      interface Port-channel32.201
       mac-address 3232.1111.3232
       vlan 201
       nameif inside
       bridge-group 1
       security-level 100
      !
      interface Port-channel32.200
       mac-address 3232.1a1a.3232
       vlan 200
       nameif outside
       bridge-group 1
       security-level 0
  • 23. Connectivity: ASA Connecting to Nexus with vPC (Best Practices Shown)
    • ASA connected to Nexus using multiple physical interfaces on vPC
      ‒ ASA can be configured to failover after a certain number of links lost (when using HA)
    • Note that vPC identifiers are different for each ASA on the Nexus switch (this changes with the ASA clustering feature and cLACP [not yet shown])
    Diagram: DC Core / EDGE (L3) – Aggregation Layer with SVI VLAN200 and FHRP on each N7K over the VPC PEER LINK (L2) – VLAN 200 trunks to N7K VPC 40 / N7K VPC 41 (North Zone, Outside) – ASA pair (FW HA) on ASA channel 32 – VLAN 201 (South Zone, Inside) down to the Access Layer over vPC
  • 24. Secure Design Building Blocks
  • 25. Segmentation: Security Building Block – Segmentation
    • While not a security technology, segmentation has long been used as a means for grouping similar resources in order to apply specific configuration or policy
    • Sometimes there is a technical benefit with segmentation
    • An example is using VLANs to reduce the L2 broadcast domain and improve network efficiency
    • VRF (Virtual Routing and Forwarding) is typically used for virtualizing L3 services
    • VDCs (Virtual Device Context) on the Nexus platforms allow multiple, independent virtualized switches inside of a single physical switch
    • Zones are a common term for units in the data centre that share a common trait; they can reduce operational complexity with both physical and virtualized hosts and services
  • 26. Segmentation: Security Building Block – Segmentation, 6 Degrees of Separation. Nexus 7000 Segmentation Building Blocks:
    1. Virtual Device Context
    2. Virtual Routing/Forwarding (VRF) – VRF-Lite can be easily used as it does not require MPLS
    3. VLANs
    4. Security Group Tags (SGT in packet)
    5. 802.1AE MACsec Encryption
    6. Virtual Firewall Context (Virtualized Firewall)
    Diagram: Nexus 7K – ASA contexts CTX1 / CTX2 / CTX3 – VLANx1 / VLANy1 / VLANz1 and VLANx2 / VLANy2 / VLANz2, each carrying an SGT, with 802.1AE (encrypt) on the links
  • 28. Segmentation: Firewall Design – Modes of Operation
    • Routed Mode is the traditional mode of the firewall: two or more interfaces that separate L3 domains
    • Transparent Mode is where the firewall acts as a bridge, functioning mostly at L2
    • Multi-context mode involves the use of virtual firewalls, which can be in either routed or transparent mode
    • Mixed mode is the concept of using virtualization to combine routed and transparent mode virtual firewalls
    • Transparent mode firewall offers some unique benefits in the DC
  • 29. Segmentation: Why Deploy Transparent Mode?
    • Existing Nexus network fabric does not need to be modified to employ an L2 firewall!
      ‒ As simple as changing the host(s) VLAN ID
    • Firewall does not need to run routing protocols / become a segment gateway
      ‒ Firewalls are more suited to flow-based inspection (not packet forwarding like a router)
    • Routing protocols can establish adjacencies through the firewall
    • Protocols such as HSRP, VRRP, GLBP can cross the firewall
    • Multicast streams can traverse the firewall
    • Non-IP traffic can be allowed (IPX, MPLS, BPDUs)
    • (CVD) 9 of 10 internal zoning scenarios recommend a Transparent FW (L2) deployment versus a Routed Firewall (L3)
  • 30. Segmentation: Firewall – Transparent Mode (L2 Firewall)
    • Firewall functions like a bridge (“bump in the wire”) at L2; only ARP packets pass without an explicit ACL
    • Uses traditional ACLs on the firewall
    • Does not forward Cisco Discovery Protocol (CDP)
    • Same subnet exists on all interfaces in the bridge-group
    • Different VLANs on inside and outside interfaces
    • In addition to Extended ACLs, use an EtherType ACL to restrict or allow L2 protocols
  • 31. Segmentation: Transparent Mode Configuration in the DC (2 interfaces)
    Diagram: North Zone VLAN 200 with SVI VLAN200 172.16.25.253 and 172.16.25.254 (FHRP 172.16.25.1) on the Nexus pair, trunked over vPC to the ASA (BVI 172.16.25.86/24; Outside VLAN 200, Inside VLAN 201); the southern trunk allows VLANs 1,201; South Zone VLAN 201 with the server in VLAN 201
    ASA configuration:
      interface TenGigabitEthernet0/6
       channel-group 32 mode active vss-id 1
       no nameif
       no security-level
      !
      interface TenGigabitEthernet0/7
       channel-group 32 mode active vss-id 2
       no nameif
       no security-level
      !
      interface BVI1
       ip address 172.16.25.86 255.255.255.0
      !
      interface Port-channel32
       no nameif
       no security-level
      !
      interface Port-channel32.201
       mac-address 3232.1111.3232
       vlan 201
       nameif inside
       bridge-group 1
       security-level 100
      !
      interface Port-channel32.200
       mac-address 3232.1a1a.3232
       vlan 200
       nameif outside
       bridge-group 1
       security-level 0
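The transparent-mode layout on slides 22 and 31 has a few invariants worth checking before a change window: every bridge-group member carries a nameif, a VLAN tag and a security-level, the bridge group has a BVI with an address, and the two members are on different VLANs with different security levels. The following checker is an added example, not Cisco code and not part of the deck; it parses the slide's ASA1 configuration (re-typed here as its test input) and reports deviations.

```python
import re
from collections import defaultdict

# Constructed test input: the ASA1 side of the slide's transparent-mode
# configuration, re-typed here so the checker has something to run on.
ASA_CONFIG = """\
interface TenGigabitEthernet0/6
 channel-group 32 mode active vss-id 1
 no nameif
 no security-level
!
interface TenGigabitEthernet0/7
 channel-group 32 mode active vss-id 2
 no nameif
 no security-level
!
interface BVI1
 ip address 172.16.25.86 255.255.255.0
!
interface Port-channel32
 no nameif
 no security-level
!
interface Port-channel32.201
 mac-address 3232.1111.3232
 vlan 201
 nameif inside
 bridge-group 1
 security-level 100
!
interface Port-channel32.200
 mac-address 3232.1a1a.3232
 vlan 200
 nameif outside
 bridge-group 1
 security-level 0
"""


def parse_interfaces(text):
    """Split an ASA config into {interface name: [sub-command, ...]}."""
    interfaces, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:  # "!" or any other top-level line ends the block
            current = None
    return interfaces


def _arg(cmds, keyword):
    """Arguments of the first sub-command whose keyword matches, else None."""
    for c in cmds:
        parts = c.split()
        if parts[0] == keyword:
            return parts[1:]
    return None


def check_transparent_config(text):
    """Lint the bridge-group layout of a transparent-mode ASA; [] means clean."""
    findings, bvi_ip, members = [], {}, defaultdict(list)
    for name, cmds in parse_interfaces(text).items():
        if name.upper().startswith("BVI"):
            ip = _arg(cmds, "ip")
            if ip and ip[0] == "address":
                bvi_ip[name[3:]] = ip[1]
            else:
                findings.append(f"{name}: BVI has no ip address (the bridge group's management address)")
        elif _arg(cmds, "bridge-group") is not None:
            gid = _arg(cmds, "bridge-group")[0]
            nameif = (_arg(cmds, "nameif") or [None])[0]
            level = (_arg(cmds, "security-level") or [None])[0]
            vlan = (_arg(cmds, "vlan") or [None])[0]
            if nameif is None:
                findings.append(f"{name}: bridge-group member has no nameif")
            if level is None:
                findings.append(f"{name}: bridge-group member has no security-level")
            if "." in name and vlan is None:
                findings.append(f"{name}: subinterface has no vlan tag")
            members[gid].append((name, nameif, level, vlan))
    for gid, ifs in members.items():
        if gid not in bvi_ip:
            findings.append(f"bridge-group {gid}: no BVI{gid} with an ip address")
        if len(ifs) < 2:
            findings.append(f"bridge-group {gid}: needs at least two member interfaces")
        vlans = [v for (_, _, _, v) in ifs if v is not None]
        if len(set(vlans)) != len(vlans):
            findings.append(f"bridge-group {gid}: the same VLAN appears on two members")
        if len({lvl for (_, _, lvl, _) in ifs}) == 1:
            findings.append(f"bridge-group {gid}: all members share one security-level, "
                            "so no traffic passes without same-security-traffic permit")
    return findings


if __name__ == "__main__":
    print(check_transparent_config(ASA_CONFIG) or "no findings")
```

Feed it the running configuration of both ASAs in the pair; a clean result on one side and findings on the other is exactly the kind of drift that turns a failover into an outage.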
  • 32. Segmentation: Firewall – Mixed Mode vFW Contexts
    • Mixed Mode is the concept of using virtual firewalls, some in routed mode and some in transparent (L2) mode
    • This is only supported on the ASA running at least v9.0 or any ASA-SM version
    • Up to 8 pairs of physical interfaces are supported per context
    • This could conceivably allow both the Edge (L3) firewall and the Internal (L2) firewall to live on the same set of physical appliances
    System context configuration:
      mode multiple
      context context1
       firewall transparent
       allocate-interface vlan99 outside
       allocate-interface vlan100 inside
       config-url disk0:/ctx1.cfg
       member gold
      context context2
       allocate-interface vlan200 outside
       allocate-interface vlan210 inside
       config-url disk0:/ctx2.cfg
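When the edge (routed) and internal (transparent) firewalls share one chassis as the slide suggests, the system configuration is where the two can be accidentally tied together. The following parser is an added example, not Cisco code and not part of the deck: it reads the slide's system-context snippet (re-typed as constructed input), reports each context's mode, and flags a context without a config-url or an interface allocated to more than one context, which a transparent context cannot share.

```python
# Constructed sample: the system-context snippet from the slide, re-typed here
# as input for the checker.
MIXED_MODE_CONFIG = """\
mode multiple
context context1
 firewall transparent
 allocate-interface vlan99 outside
 allocate-interface vlan100 inside
 config-url disk0:/ctx1.cfg
 member gold
context context2
 allocate-interface vlan200 outside
 allocate-interface vlan210 inside
 config-url disk0:/ctx2.cfg
"""

# Constructed broken variant: the routed context is also handed the transparent
# context's inside interface.
SHARED_IFACE_CONFIG = MIXED_MODE_CONFIG.replace(
    "allocate-interface vlan210 inside", "allocate-interface vlan100 inside")


def parse_contexts(text):
    """Return (multiple_mode_set, {context: {transparent, interfaces, config_url, resource_class}})."""
    multiple, contexts, current = False, {}, None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts == ["mode", "multiple"]:
            multiple = True
        elif parts[0] == "context" and not raw.startswith(" "):
            current = parts[1]
            contexts[current] = {"transparent": False, "interfaces": {},
                                 "config_url": None, "resource_class": None}
        elif current is None:
            continue
        elif parts == ["firewall", "transparent"]:
            contexts[current]["transparent"] = True
        elif parts[0] == "allocate-interface":
            # "allocate-interface <physical> [<mapped name>]"
            contexts[current]["interfaces"][parts[1]] = parts[2] if len(parts) > 2 else parts[1]
        elif parts[0] == "config-url":
            contexts[current]["config_url"] = parts[1]
        elif parts[0] == "member":
            contexts[current]["resource_class"] = parts[1]
    return multiple, contexts


def context_modes(text):
    """{context name: 'transparent' | 'routed'}"""
    _, contexts = parse_contexts(text)
    return {n: ("transparent" if c["transparent"] else "routed") for n, c in contexts.items()}


def check_contexts(text):
    """Findings for a mixed-mode system configuration ([] = clean)."""
    findings = []
    multiple, contexts = parse_contexts(text)
    if not multiple:
        findings.append("'mode multiple' is not set; the context definitions would not apply")
    owners = {}  # physical interface -> contexts allocating it
    for name, ctx in contexts.items():
        if ctx["config_url"] is None:
            findings.append(f"{name}: no config-url, the context has nowhere to load its policy from")
        if not ctx["interfaces"]:
            findings.append(f"{name}: no interfaces allocated, the context cannot carry traffic")
        for phys in ctx["interfaces"]:
            owners.setdefault(phys, []).append(name)
    for phys, names in owners.items():
        if len(names) < 2:
            continue
        transparent = [n for n in names if contexts[n]["transparent"]]
        if transparent:
            findings.append(f"{phys}: allocated to {names}, but a transparent context "
                            f"({', '.join(transparent)}) cannot share an interface")
        else:
            findings.append(f"{phys}: shared by routed contexts {names}; confirm this is intended "
                            "(shared interfaces rely on per-context MAC addresses for classification)")
    return findings


if __name__ == "__main__":
    print(context_modes(MIXED_MODE_CONFIG))
    print(check_contexts(SHARED_IFACE_CONFIG))
```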
  • 33. Physical and Virtual Internal Zoning
  • 34. Internal Zoning: Example Internal Zoning for DEV – Option 1, Physical Separation
    • Model could provide for application load testing
    • If a dedicated path through the Core is required, consider using a DEV VRF
    • If a dedicated Edge is required, consider using vFW contexts on the edge ASAs or a separate (lower-end) ASA pair
    • DEV VDC created on Nexus 7K, attached to the CORE VDC and supporting its own PoD
    • ASAs in the Aggregation layer could be oriented in several ways:
      1. Single ASA cluster with separate vFW contexts for the DEV zones – would require ports on the ASA to be physically connected to each VDC
      2. Separate ASA clusters with or without vFW contexts
    • Compute structure creates a mirrored server environment for DEV operating on its own PoD
    Diagram: Internet / Extranet – DC Edge (ASA A/S HA, CTX, DEV VRF) – DC Core VDC (Routed, BGP/OSPF, DEV VRF) – L3/L2 boundary – Prod Aggregation Layer VDC and Dev Aggregation Layer VDC (FW CLUSTER(s), CTX) – Virtual Access Layer (PoD, Virtual Switch, Hypervisor) – PROD Compute Zone and DEV Compute Zone
  • 35. Internal Zoning: Example Internal Zoning for DEV – Option 2, Virtual Separation
    • Virtual Separation model uses a shared physical infrastructure (Nexus) for routing and transport
    • ASAs are used to separate DEV and PROD traffic
    • Virtual resources can share physical server hardware and PoD; security is implemented similarly to a Secure Multi-Tenant environment
    Diagram: Internet / Extranet – DC Edge (ASA A/S HA) – DC Core VDC (Routed, BGP/OSPF) – L3/L2 boundary – Aggregation Layer VDC (FW CLUSTER) – Virtual Access Layer
  • 36. Internal Zoning: Virtualization Security Concerns
    Policy Enforcement
      ‒ Applied at physical server—not the individual VM
      ‒ Impossible to enforce policy for VMs in motion
    Operations and Management
      ‒ Lack of VM visibility, accountability, and consistency
      ‒ Difficult management model and inability to effectively troubleshoot
    Roles and Responsibilities
      ‒ Muddled ownership as server admin must configure virtual network
      ‒ Organizational redundancy creates compliance challenges
    Machine Segmentation
      ‒ Server and application isolation on same physical server
      ‒ No separation between compliant and non-compliant systems…
  • 37. Internal Zoning: Cisco Virtual Networking and Cloud Network Services
    Diagram: Tenant A virtualized/cloud data center with Zone A and Zone B on the physical infrastructure (WAN Router, Switches, Servers); Cloud Network Services delivered via vPath and VXLAN on the Nexus 1000V multi-hypervisor (VMware, Microsoft*, RedHat*, Citrix*) distributed virtual switch
    Products shown:
      • Nexus 1000V (Dist. Virtual Switch): distributed switch, NX-OS consistency, overlay intelligence (OTV, VXLAN, FP**); 7000+ customers; N1110: 1H CY2013
      • VSG (Zone-based FW): VM-level controls, zone-based FW; available now
      • ASA 1000V (Cloud FW): edge firewall, VPN, protocol inspection; available now
      • vWAAS (WAN Optimization): WAN optimization, application traffic; available now
      • Cloud Services Router (CSR) 1000V (Cloud Router): WAN L3 gateway, routing and VPN; 1H 2013
      • Virtual Network Analysis Module (vNAM) (Network Analytics): app visibility (L2-L7); PoC: 1H 2013
      • Ecosystem services: Citrix NetScaler VPX virtual ADC, Imperva SecureSphere Web App. FW; vPath: 2H CY2013
    *MSFT: 2Q CY2013; Open-source: In PoC. **FP: FabricPath
  • 38. Internal Zoning: Managing Virtual Networking Policy
    Diagram: Server Team, Network Team and Security Team each interact with the Nexus 1000V (1110/1010) – Isolation and Segmentation, Management and Monitoring, Roles and Responsibilities
    • Non-disruptive operation model to maintain current workflows using Port Profiles
    • Maintain network security policies with isolation and segmentation via VLANs, Private VLANs, Port-based Access Lists, Cisco Integrated Security Features
    • Ensure visibility (VM Introspection) into virtual machine traffic flows using traditional network features such as ERSPAN and NetFlow
  • 39. Internal Zoning: Cisco’s Virtual Security Portfolio
    Cisco® VSG – Intra-Tenant Security
      • Secures traffic between virtual machines within a tenant
      • Layer 2 and 3 firewall to secure east-to-west traffic
      • ACLs using network attributes and virtual machine attributes
      • First-packet lookup and performance acceleration using vPath
    Cisco ASA 1000V – Tenant-Edge Security
      • Secures the tenant edge
      • Default gateway; Layer 3 firewall to secure north-to-south traffic
      • Edge firewall capabilities including network attribute-based ACLs, site-to-site VPN, NAT, DHCP, inspections, and IP audit
      • All packets go through the ASA 1000V
  • 40. Internal Zoning: Security for Virtualization
    Diagram: Virtual Security Gateway – zone based intra-tenant segmentation of VMs; ASA 1000V – ingress/egress multi-tenant edge deployment; both are Virtual Service Nodes reached through vPath on the Nexus 1000V over the hypervisor. Management: vCenter (Server Admin), Nexus 1KV (Network Admin), VNMC (Security Admin)
  • 41. Internal Zoning: Microsegmentation
    • Policy per zone, per VM, per vNIC
    • Control ingress/egress & inter-VM traffic
    • Firewall, ACL, VM attributes
    • Enable dynamic provisioning
    • Mobility-transparent enforcement
    • Administrative segregation: Network / Security
    Diagram: Virtual ASA in front of Zone A, Zone B and Zone C; vApps protected by VSG; vPath on Nexus 1000V over vSphere on each server
  • 42. Internal Zoning: Physical to Virtual
    • Zones are used to define policy enforcement
    • Unique policies and traffic decisions applied to each zone
    • Physical infrastructure mapped per zone
      ‒ VRF, Virtual Context
    • Merging physical and virtual infrastructure
    Diagram: steer VM traffic to the firewall context; segment pools of blade resources per zone (Virtual Switch / Hypervisor)
  • 43. Internal Zoning: vPath Intelligence – Service Chaining ASA 1000V and VSG
    Defining the service nodes on Nexus 1000V:
      vservice node ASA1 type asa
       ip address 172.31.2.11
       adjacency l2 vlan 3770
      vservice node VSG1 type vsg
       ip address 10.10.11.202
       adjacency l3
    Chaining the service nodes (order is inside to outside):
      vservice path chain-VSG-ASA
       node VSG1 profile sp-web order 10
       node ASA1 profile sp-edge order 20
    Enabling the service chain per port-profile:
      port-profile type vethernet Tenant-1
       org root/Tenant-1
       vservice path chain-VSG-ASA
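A chain like the one above is only as good as its references: a port-profile pointing at a path that does not exist, or a path naming an undefined node, means VMs are either unprotected or black-holed. The following parser is an added example, not Nexus 1000V code and not part of the deck; it reads the slide's snippet (re-typed as constructed input), resolves the ordered chain a port-profile's VMs traverse (inside to outside, by order value), and reports dangling references, duplicate order values and port-profiles with no path.

```python
# Constructed sample: the Nexus 1000V vPath service-chain snippet from the slide,
# re-typed here as input for the parser.
N1KV_CONFIG = """\
vservice node ASA1 type asa
 ip address 172.31.2.11
 adjacency l2 vlan 3770
vservice node VSG1 type vsg
 ip address 10.10.11.202
 adjacency l3
vservice path chain-VSG-ASA
 node VSG1 profile sp-web order 10
 node ASA1 profile sp-edge order 20
port-profile type vethernet Tenant-1
 org root/Tenant-1
 vservice path chain-VSG-ASA
"""


def parse_vservice(text):
    """Return (nodes, paths, port_profiles) from a Nexus 1000V vservice configuration."""
    nodes, paths, profiles, section = {}, {}, {}, None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if not raw.startswith(" "):  # a new top-level block
            if parts[:2] == ["vservice", "node"]:
                section = ("node", parts[2])
                nodes[parts[2]] = {"type": parts[4], "ip": None, "adjacency": None}
            elif parts[:2] == ["vservice", "path"]:
                section = ("path", parts[2])
                paths[parts[2]] = []
            elif parts[:3] == ["port-profile", "type", "vethernet"]:
                section = ("profile", parts[3])
                profiles[parts[3]] = {"org": None, "path": None}
            else:
                section = None
            continue
        kind, name = section if section else (None, None)
        if kind == "node":
            if parts[:2] == ["ip", "address"]:
                nodes[name]["ip"] = parts[2]
            elif parts[0] == "adjacency":
                nodes[name]["adjacency"] = " ".join(parts[1:])
        elif kind == "path" and parts[0] == "node":
            # "node <name> profile <profile> order <n>"
            paths[name].append({"node": parts[1], "profile": parts[3], "order": int(parts[5])})
        elif kind == "profile":
            if parts[0] == "org":
                profiles[name]["org"] = parts[1]
            elif parts[:2] == ["vservice", "path"]:
                profiles[name]["path"] = parts[2]
    return nodes, paths, profiles


def service_chain(text, port_profile):
    """Ordered (node, type, profile) hops a VM on port_profile traverses, inside to outside."""
    nodes, paths, profiles = parse_vservice(text)
    hops = sorted(paths[profiles[port_profile]["path"]], key=lambda h: h["order"])
    return [(h["node"], nodes[h["node"]]["type"], h["profile"]) for h in hops]


def check_chains(text):
    """Findings: undefined references, duplicate order values, profiles without a path."""
    findings = []
    nodes, paths, profiles = parse_vservice(text)
    for pname, hops in paths.items():
        orders = [h["order"] for h in hops]
        if len(set(orders)) != len(orders):
            findings.append(f"path {pname}: duplicate order values, hop sequence is ambiguous")
        for h in hops:
            if h["node"] not in nodes:
                findings.append(f"path {pname}: references undefined node {h['node']}")
    for ppname, pp in profiles.items():
        if pp["path"] is None:
            findings.append(f"port-profile {ppname}: no vservice path, its VMs bypass the chain")
        elif pp["path"] not in paths:
            findings.append(f"port-profile {ppname}: references undefined path {pp['path']}")
    for nname, n in nodes.items():
        if n["ip"] is None or n["adjacency"] is None:
            findings.append(f"node {nname}: needs both an ip address and an adjacency")
    return findings


if __name__ == "__main__":
    print(service_chain(N1KV_CONFIG, "Tenant-1"))
    print(check_chains(N1KV_CONFIG) or "no findings")
```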
  • 44. Internal Zoning: Virtual Firewall and Physical Network – ASA 1000V Deployment
    Diagram labels: Core, Aggregation, Layer 3, Protected VRF, 10.1.2.254, ASA 5585 (×2), 10.1.1.254, 10.1.1.252, 10.1.1.253, 10.1.3.254, Layer 2, ASA 1000V, vPath, Nexus 1000V, Hypervisor (×3), Sub Zones
  • 45. Internal Zoning: Multi-Tier Application Architecture
    • Tier Deployment
      • Multi-tier application architectures
      • Application vendor often has specific recommendations on how to deploy an application
      • Can consist of: Web (presentation) tier, Application tier, Database tier
      • Web and Application services can be on physically separate servers or collapsed into a single server in some cases
      • Normal flow is often client->web->application->database
      • No direct client to database communication
      • Servers may be clustered for high availability; often uses a layer 2 multicast protocol for state exchange
    Diagram: Client – Edge Firewall – Web Server(s) (Web-zone) – ASA 1000V – App Server(s) (Application-zone) – DB Server(s) (Database-zone)
      ‒ Permit only port 80 (HTTP) of Web Servers
      ‒ Permit only port 22 (SSH) to application servers
      ‒ Block all external access to database servers
      ‒ Only permit Web servers access to Application servers
      ‒ Only permit Application servers access to Database servers
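The tier policy on the slide (client to web on port 80, web to application on port 22, application to database, everything else blocked) written out as a small zone-based policy evaluator. This is an added example, not part of the deck and not a Cisco product: the subnets and sample connections are constructed, the database port is treated as "any" because the slide names none, and only new connections are decided, with return traffic left to the stateful firewall.

```python
import ipaddress

# Constructed tier subnets for the example (not from the slide).
ZONES = {
    "web-zone":         [ipaddress.ip_network("10.1.1.0/24")],
    "application-zone": [ipaddress.ip_network("10.1.2.0/24")],
    "database-zone":    [ipaddress.ip_network("10.1.3.0/24")],
}

# (source zone, destination zone, allowed destination ports, action); first match
# wins, anything unmatched is denied. "external" is any address outside the tiers.
# The slide names no database port, so "any" there is an assumption.
RULES = [
    ("external",         "web-zone",         {80},  "permit"),  # only port 80 of web servers
    ("web-zone",         "application-zone", {22},  "permit"),  # only port 22 to application servers
    ("application-zone", "database-zone",    "any", "permit"),  # only app servers reach the database
    ("external",         "database-zone",    "any", "deny"),    # block all external access to DB
]


def zone_of(ip):
    """Name of the tier zone holding ip, or 'external' if it is in none of them."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in net for net in nets):
            return zone
    return "external"


def matching_rule(src_ip, dst_ip, dst_port):
    """Index of the first rule matching a new connection, or None (implicit deny)."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for i, (rule_src, rule_dst, ports, _) in enumerate(RULES):
        if rule_src == src and rule_dst == dst and (ports == "any" or dst_port in ports):
            return i
    return None


def evaluate(src_ip, dst_ip, dst_port):
    """'permit' or 'deny' for a new connection; return traffic is left to the stateful firewall."""
    i = matching_rule(src_ip, dst_ip, dst_port)
    return "deny" if i is None else RULES[i][3]


def evaluate_flows(flows):
    """Decide a list of (src, dst, port) connections; returns (src, dst, port, zone pair, verdict)."""
    return [(s, d, p, f"{zone_of(s)}->{zone_of(d)}", evaluate(s, d, p)) for s, d, p in flows]


# Constructed sample connections: the normal client->web->app->db chain plus
# the short-cuts the slide says must be blocked.
SAMPLE_FLOWS = [
    ("203.0.113.5", "10.1.1.10", 80),    # client -> web HTTP: permit
    ("203.0.113.5", "10.1.1.10", 443),   # client -> web on another port: deny
    ("203.0.113.5", "10.1.3.10", 3306),  # client -> database directly: deny
    ("10.1.1.10",   "10.1.2.10", 22),    # web -> app SSH: permit
    ("10.1.1.10",   "10.1.3.10", 3306),  # web -> database, skipping the app tier: deny
    ("10.1.2.10",   "10.1.3.10", 3306),  # app -> database: permit
]

if __name__ == "__main__":
    for row in evaluate_flows(SAMPLE_FLOWS):
        print(row)
```

The explicit external-to-database deny is redundant with the implicit deny, but keeping it as a rule makes the slide's "block all external access to database servers" requirement visible in hit counters and reviews rather than buried in the default.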
  • 47. Compliance: PCI Compliance Design Option – Physical Separation with VDC
    • Edge ASAs may implement a specific context for compliance needs, or a distinct pair of ASAs may be used
    • Nexus 7K carries traffic from the ASA context across a VRF (PCI VRF) – moves packets across the routed Core to the PCI Distribution VDC
    • Security Group Access with MACsec can be used on the Nexus 7000 to provide hop-by-hop encryption
    • Dedicated ASAs (or vFW context(s)) in the Distribution Layer VDC invoke North-South security policy, possibly even enforcing using the SGT (via SXP), limiting compliant access to only the PCI Zone Servers by network, service or application
    • Within the Virtual Access Layer, dedicated server hardware is recommended for security (compliance)
    • Additional port profiles may be created and leverage the Virtual Security Gateway (VSG) for East-West zoning between VMs in the DMZ
    • ASA1000v can also be used to implement a secure IPsec VPN to another secure destination
    Diagram: Internet / Extranet – DC Edge (ASA A/S HA, CTX, IPsec, PCI VRF, SGT) – DC Core VDC (Routed, BGP/OSPF, PCI VRF, SGT, 802.1AE encrypt) – L3/L2 boundary – Prod Aggregation Layer VDC and PCI Aggregation Layer VDC (FW CLUSTER(s), CTX, SGT) – Virtual Access Layer (PoD, Virtual Switch, Hypervisor) – Production Servers and Compliance Zone Servers
  • 48. Thank you.
