Security and Virtualization in the Data Center (2012 San Diego)
The evolving complexity of the data center is placing increased demand on the network and security teams to come up with inventive methods for enforcing security policies in these ever-changing environments. The goal of this session is to provide participants with an understanding of features and design recommendations for integrating security into the data center environment. This session will focus on recommendations for securing next-generation data center architectures. Areas of focus include security services integration, leveraging device virtualization, and considerations and recommendations for server virtualization. Design and implementation highlights for a typical Enterprise Data Center scenario will be presented as a case study.

Cisco Live 365: https://www.ciscolive365.com/connect/sessionDetail.ww?SESSION_ID=4372


Transcript

  • 1. Securing the Virtualized Data Center. BRKSEC-2205 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public
  • 2. Abstract. The evolving complexity of the data center is placing increased demand on the network and security teams to come up with inventive methods for enforcing security policies in these ever-changing environments. The goal of this session is to provide participants with an understanding of features and design recommendations for integrating security into the next-generation data center environment. Many of the topics are based on customer direction and customer deployments. Areas of focus include: physical data center network security features, security services integration, security and virtualization, visibility features and tools, securing data at rest and data in motion. Additional ACME Co. projects that involve data center resources will also be covered.
  • 3. Session Info and Housekeeping. Session updated based on previous years' feedback, customer requirements, and recent customer projects. Closely tied to BRKSEC-2021 (Firewall Architectures). There will be time left at the end for Q&A. This session does not cover every aspect and every iteration.
  • 4. Related Sessions
    ‒ BRKSEC-2021 Firewall Architectures
    ‒ BRKSEC-2020 Firewall Deployment
    ‒ BRKSEC-1006v Network Segmentation For Security
    ‒ BRKSEC-2046 Cisco Trustsec and Security Group Tagging
    ‒ BRKSEC-2102 Securing Virtual Desktop Infrastructures
    ‒ BRKSEC-2009 Securing Cloud Computing
    ‒ BRKDCT-2048 Deploying Virtual Port Channel in NXOS
    ‒ BRKDCT-2049 Overlay Transport Virtualization
    ‒ PSODCT-3861 Technologies Transforming the Data Center
    ‒ BRKCOM-1002 Data Center Architectures and Virtual Private Data Centers with UCS
  • 5. Securing the ACME Data Center (agenda): Physical Data Center Network; Data Center Virtual Network; Visibility & Context; Data in vMotion, Data at Rest; User and Device Authentication.
  • 6. Security Priorities (diagram: Protect Systems, Trusted Security Architecture, Threat Visibility, Scalable, High Availability, Regulatory Compliance). Requirements: 1. Security policy must scale to the network infrastructure. 2. Must meet or exceed regulatory compliance requirements in all phases. 3. Protect the data center from internal and external threats. 4. Security and management for the virtual network environment.
  • 7. The ACME Co. – Securing the Data Center: Physical Data Center Network.
  • 8. Data Center Architecture (diagram only; layers left to right: Application Software, Virtual Machines & VSwitch, Compute, Storage and SAN, Access, Aggregation and Services, Core, IP-NGN Edge and Backbone; labels: Virtual Device Contexts, Fabric-Hosted Storage Virtualization, Service Profiles, Port Profiles & VN-Link, Virtual Machine Optimization, Application Control (SLB+), Service Control, Fibre Channel Forwarding, Fabric Extension, Internet, Partners).
  • 9. Physical and Virtual Security Nodes (diagram: Web, App and Database servers on a hypervisor). Two options: 1. Redirect VM traffic via VLANs to external (physical) appliances: traditional service nodes with virtual contexts. 2. Apply hypervisor-based network services: Virtual Service Nodes (VSN).
  • 10. Secure Data Center Architecture (same diagram as slide 8 with security services overlaid: Firewall Services, Intrusion Detection, Storage Media Encryption, Secure Domain Routing, Virtual Firewall Edge and VM, Line-Rate NetFlow, Virtual Contexts for FW & SLB).
  • 11. Physical Firewalls (diagram: Web, App and Database servers on a hypervisor, VLANs to traditional service nodes with virtual contexts: ASA Services Module and ASA 5585 appliance).
  • 12. Aggregation, Services, and Default Gateway (same secure data center architecture diagram as slide 10).
  • 13. Virtual Port Channel (vPC) and ASA (diagram: vPC peer link between two switches, EtherChannels to active and standby ASAs)
    ‒ Allow a single device to use a port channel across two upstream switches
    ‒ Dual active forwarding paths
    ‒ Loop-free design, eliminates STP blocked ports
    ‒ Uses all available uplink bandwidth
    ‒ Provides fast convergence upon link/device failure
  • 14. ASA 5585 EtherChannel Integration with Nexus 7K/vPC (diagram: core IP1/IP2, vPC peer-link between S1 and S2, vPCs to S3 and S4, zone/multi-tenant vApps, ASAs active or standby)
    ‒ ASA supports Link Aggregation Control Protocol (LACP), IEEE 802.3ad standard
    ‒ Each port-channel supports up to 8 active and 8 standby links
    ‒ EtherChannel ports are treated just like physical and logical interfaces on the ASA
    ‒ ASA 5585-X brings a data center-class FW and IPS unit to our customers
    ‒ Because IPS is implemented as a unit with the firewall, IPS traffic flows can now be fully optimized
  • 15. ASA SM/6500 EtherChannel Integration with Nexus 7K/vPC (diagram as slide 14, with the 6500s as services switches)
    ‒ 6500s repurposed as services switch (did not receive a great trade-in value from the Cisco Account Manager for the existing 6500s)
    ‒ 6500 supports Link Aggregation Control Protocol (LACP), IEEE 802.3ad standard
    ‒ Traffic forwarded via service-specific VLANs
    ‒ Each port-channel supports up to 8 active and 8 standby links
  • 16. Transparent Firewall & Bridge Group. ASA pre-8.4: a transparent firewall context bridges one pair of VLANs (10.1.1.0/24 on vlan 10 and vlan 20, management IP 10.1.1.100). ASA 8.4: up to 8 bridge groups (BVI1 to BVI8; the diagram shows Bridge Group 1 with vlans 10-13 and Bridge Group 2 with vlans 14-17), 4 VLANs per bridge group, 8 bridge groups per firewall or virtual context.
  • 17. ASA Appliance Connection Details (diagram: ASA 5585-1 "Twain" and 5585-2 "Voltaire" connected via vPC9 and vPC10 to the AGG-VDCs on 7k-1 and 7k-2). Transparent bridge groups: BVI-1 10.1.200.199 between v200 Inside [Po1.200] and v201 Outside [Po1.201]; BVI-2 10.1.204.199 between v204 Service-In [Po1.204] and v205 Service-Out [Po1.205]. ASA side: channel-group 1 mode passive; Nexus side: channel-group 1 mode active. Port channel load-balancing configuration: System: src-dst ip.
  • 18. ASA Service Module and 6500 Details (diagram: Nexus 7000 7k-1/7k-2 AGG-VDC with vPC1 and vPC2 to Catalyst 6506-1 and 6506-2, each hosting an ASA-SM). VLANs: v221 Outside, v220 Inside. Nexus 7000 side: Channel-Group 1 mode active, Channel-Group 2 mode active; Catalyst 6500 side: Channel-Group 1 mode on, Channel-Group 2 mode on. ASA SM configuration:
    interface BVI2
     description bvi for 221 and 220
     ip address 10.1.221.199 255.255.255.0
  • 19. Server Gateway Inside of Firewall: Firewall Between Inter-VDC Traffic (diagram: Core VDC with VRF North, Aggregation VDC with VRF South, ASA HA Pair 1 and ASA HA Pair 2 between them, v200 GW 10.1.200.254)
    ‒ Transparent (L2) firewall services are "sandwiched" between Nexus VDCs
    ‒ Allows for other services (IPS, LB, etc.) to be layered in as needed
    ‒ ASAs can be virtualized for 1x1 mapping to VRFs
    ‒ Useful for topologies that require a FW between aggregation and core
    ‒ Downside is that most/all traffic destined for the core traverses the FW; possible bottleneck, etc.
  • 20. Server Gateway Outside of Firewall: Firewall Between Server and Gateway. ASA HA pair in transparent mode with the VRF on the Aggregation VDC; server gateway on the outside of the firewall (diagram: Aggregation VDC GW 10.1.200.254, v201 Outside, v200 Inside; Layer 3 above the firewall, Layer 2 below; physical connection). Simple design.
  • 21. Network Virtualization and Zones. Control traffic and apply policy per zone: zones are used to define policy enforcement; unique policies and traffic decisions are applied to each zone; physical infrastructure is mapped per zone (VRF, virtual context). Merging physical and virtual infrastructure: segment pools of blade resources; virtual switch per zone (diagram: vSphere hosts with a virtual switch per zone).
  • 22. Data Center Firewall Clustering
    ‒ For future data center expansion, teams can opt to migrate from the traditional Cisco firewall Active-Standby model to a clustered model
    ‒ This will allow them to have all firewalls actively forwarding and participating in inspection (unlike Active-Standby)
    ‒ This is a new feature in the ASA 9.0 code which as of June 2012 has not been released yet (expected release in late July/August)
    ‒ Since it involves a major change in how Cisco firewalls can be placed in the data center it is addressed in this session
    ‒ Clustering is a licensed feature and only supported on the 5580 and 5585 models
  • 23. ASA Clustering Design Guidelines
    ‒ Up to 8 ASAs are supported in a cluster (minimum of two) and all must be the same model and DRAM (only flash memory can differ)
    ‒ All cluster units must share the same software except during a hitless upgrade (e.g. 9.0(0)1 to 9.0(0)3)
    ‒ Approximate maximum cluster throughput is ~70% of the combined throughput and connections of the units in the cluster
    ‒ The cluster has one master, which syncs configuration to the other members
    ‒ Supported in both routed (L3) and transparent (L2) firewall modes
    ‒ Requires at least one cluster control interface for the cluster control plane
    ‒ Cluster control links must be sized properly to accept a load that is equal to or greater than the cluster throughput
  • 24. ASA Clustering Best Practices – Control Plane (diagram: each ASA's M0/0 on a management network, cluster control links to a switch)
    ‒ Cluster control links must be sized accordingly (e.g. 10GE interfaces)
    ‒ Recommended to use a local port-channel on each ASA for link redundancy and aggregation
    ‒ Do NOT use a spanned port-channel for cluster control links
    ‒ Could also use ASA interface redundancy which supports up to 8 pairs of interfaces in an active-passive mode
  • 25. ASA Clustering Best Practices – Data Plane (diagram: inside switch, cluster, outside switch)
    ‒ ASA clustering relies upon stateless load balancing
    ‒ Could also use a load balancer if stateful LB was required
    ‒ Recommended method is to use a spanned port-channel to a switch for ingress and egress connections
    ‒ Best practice is to use a symmetrical hashing algorithm like src-dest IP (the default)
    ‒ Could also use Policy Based Routing (PBR) or Equal Cost Multi-Path (ECMP); use both with object tracking
    ‒ The latter two methods are only supported in routed (L3) mode on the firewall
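Why the slide insists on a symmetric hash: with stateless load balancing the switch picks a cluster member per packet, and only a hash that is order-independent in the two addresses sends both directions of a connection to the same unit. The script below is an added illustration, not Cisco's hashing code; the cluster names, the constructed flow and the XOR/sorted-endpoint hash functions are assumptions standing in for the platform's real algorithms.

```python
import ipaddress
from typing import Callable, List, Tuple

# Constructed cluster: four ASA units, named here only for illustration.
CLUSTER_UNITS: List[str] = ["asa-1", "asa-2", "asa-3", "asa-4"]

Flow = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


def _ip_int(ip: str) -> int:
    return int(ipaddress.ip_address(ip))


def hash_src_dst_ip(flow: Flow) -> int:
    """Symmetric 'src-dst ip': XOR of both addresses, so A->B and B->A hash alike."""
    src_ip, _, dst_ip, _ = flow
    return _ip_int(src_ip) ^ _ip_int(dst_ip)


def hash_src_ip(flow: Flow) -> int:
    """Asymmetric: only the source address, which differs per direction."""
    return _ip_int(flow[0])


def hash_src_dst_ip_l4(flow: Flow) -> int:
    """Symmetric 4-tuple: sort the two endpoints before combining them."""
    src_ip, src_port, dst_ip, dst_port = flow
    a, b = sorted([(_ip_int(src_ip), src_port), (_ip_int(dst_ip), dst_port)])
    return (a[0] * 65_536 + a[1]) ^ (b[0] * 65_536 + b[1])


def pick_unit(flow: Flow, hash_fn: Callable[[Flow], int]) -> str:
    """Switch-side stateless load balancing: hash modulo member count picks the unit."""
    return CLUSTER_UNITS[hash_fn(flow) % len(CLUSTER_UNITS)]


def reverse(flow: Flow) -> Flow:
    """The return direction of the same connection."""
    src_ip, src_port, dst_ip, dst_port = flow
    return (dst_ip, dst_port, src_ip, src_port)


def both_directions_same_unit(flow: Flow, hash_fn: Callable[[Flow], int]) -> bool:
    return pick_unit(flow, hash_fn) == pick_unit(reverse(flow), hash_fn)


# Constructed sample: an inside host talking to a host in a documentation range.
SAMPLE_FLOW: Flow = ("10.1.200.10", 40000, "203.0.113.8", 443)

if __name__ == "__main__":
    for name, fn in [("src-dst ip", hash_src_dst_ip), ("src ip only", hash_src_ip),
                     ("src-dst ip+port", hash_src_dst_ip_l4)]:
        print(f"{name:16s} forward={pick_unit(SAMPLE_FLOW, fn)} "
              f"reverse={pick_unit(reverse(SAMPLE_FLOW), fn)} "
              f"symmetric={both_directions_same_unit(SAMPLE_FLOW, fn)}")
```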
  • 26. ASA Features Unsupported with Clustering (diagram: aggregation layer)
    ‒ SSL and IPsec remote access VPN (site-to-site VPN is supported)
    ‒ Legacy VPN load balancing is not supported for S2S VPNs
    ‒ Botnet Traffic Filter (BTF)
    ‒ DHCP client, server and relay
    ‒ VPN load balancing
    ‒ Unified Communications features
    ‒ WCCP
    ‒ ASA CX SSP
    ‒ Some application inspection features (see Release Notes)
  • 27. The ACME Co. – Securing the Data Center: Data Center Virtual Network.
  • 28. Securing the Virtual Network (same secure data center architecture diagram as slide 10; virtual contexts for delivering policy, FW & SLB).
  • 29. Primary Virtualization Concerns: Same Concerns as Most… (diagram: hypervisor, VLANs, virtual contexts)
    Policy Enforcement
    ‒ Applied at the physical server, not the individual VM
    ‒ Impossible to enforce policy for VMs in motion
    Operations and Management
    ‒ Lack of VM visibility, accountability, and consistency
    ‒ Difficult management model and inability to effectively troubleshoot
    Roles and Responsibilities
    ‒ Muddled ownership as the server admin must configure the virtual network
    ‒ Organizational redundancy creates compliance challenges
    Machine Segmentation
    ‒ Server and application isolation on the same physical server
    ‒ No separation between compliant and non-compliant systems
    ‒ Must meet regulatory compliance and audit needs
  • 30. Security for Virtualization (diagram: Nexus 1000V with vPath on the hypervisor, Virtual Security Gateway and ASA 1000V as virtual service nodes; vCenter, Nexus 1KV and VNMC managed by the server, network and security admins respectively). Virtual Security Gateway: zone based intra-tenant segmentation of VMs. ASA 1000V: ingress/egress multi-tenant edge deployment.
  • 31. Establishing the Policy Footprint: Nexus 1000V Security Features
    Switching: L2 switching, 802.1Q tagging, VLAN segmentation, rate limiting (TX); IGMP snooping, QoS marking (CoS & DSCP)
    Security: Virtual Service Domain, private VLANs with local PVLAN enforcement; access control lists (L2–4 with redirect), port security; dynamic ARP inspection, IP Source Guard, DHCP snooping
    Provisioning: automated vSwitch config, port profiles, Virtual Center integration; optimized NIC teaming with virtual port channel – host mode
    Visibility: VMotion tracking, ERSPAN, NetFlow v9, CDP v2; VM-level interface statistics
    Management: Virtual Center VM provisioning, Cisco network provisioning, CiscoWorks; Cisco CLI, RADIUS, TACACS, syslog, SNMP (v1, v2, v3)
  • 32. What is a Port-Profile?
    ‒ A port profile is a container used to define a common set of configuration commands for multiple interfaces
    ‒ Define once and apply many times
    ‒ Simplifies management by storing interface configuration
    ‒ Key to collaborative management of virtual networking resources
    ‒ Why is it not like a template or SmartPort macro? Port-profiles are 'live' policies: editing an enabled profile will cause configuration changes to propagate to all interfaces using that profile (unlike a static one-time macro)
    For lots more detail, reference BRKVIR-3013 Deploying and Troubleshooting the Nexus 1000V
  • 33. Nexus 1000V Port Profiles
    port-profile type vethernet ASA1000V-1_Inside
      switchport mode access
      switchport access vlan 210
      no shutdown
      state enabled
    port-profile type vethernet ASA1000V-Outside
      vmware port-group
      switchport access vlan 211
      switchport mode access
      no shutdown
      state enabled
    Nexus 1000V supports: ACLs, Quality of Service (QoS), PVLANs, port channels, SPAN ports
  • 34. Cisco Virtual Security Gateway (VSG), managed by the Virtual Network Management Center (VNMC)
    ‒ Context aware security: VM context aware rules
    ‒ Zone based controls: establish zones of trust
    ‒ Dynamic, agile: policies follow vMotion
    ‒ Best-in-class architecture: efficient, fast, scale-out software
    ‒ Non-disruptive operations: security team manages security
    ‒ Policy based administration: central management, scalable deployment, multi-tenancy
    ‒ Designed for automation: XML API, security profiles
  • 35. VSG System Architecture (diagram): VMware vCenter supplies VM attributes to the Virtual Network Management Center (VNMC) over a SOAP/HTTPS API; VNMC pushes security profiles and the port profile – security profile binding to the Nexus 1000V VSM over XML/HTTPS; the VSM's VN-Service Agent interacts with the VSG (the virtual service node); port profiles are applied to the VEMs, and vPath in the Nexus 1000V on the ESX servers steers packets to the VSG.
  • 36. vPath: the intelligent virtual network. vPath is intelligence built into the Virtual Ethernet Module (VEM) of the Nexus 1000V (1.4 and above). vPath has two main functions: a. intelligent traffic steering; b. offload processing via fastpath from virtual service nodes to the VEM. Dynamic security policy provisioning (via security profile). Leveraging vPath enhances service performance by moving the processing to the hypervisor.
  • 37. vPath and Flow Table. How are entries purged from the vPath flow table? TCP RST/FIN flag and inactivity timer. How is the flow different with vMotion? The first packet from a VM after vMotion is redirected to the VSG again to create a new vPath entry in that VEM.
  • 38. VSG Policy Model. Security policy leverages network attributes, vCenter VM attributes, custom attributes and zones. Security policy is applied per port-profile (port group).
  • 39. Network Attributes (name: meaning; value type)
    ‒ src.net.ip-address: source IP address; IP address
    ‒ src.net.port: source port; integer
    ‒ dst.net.ip-address: destination IP address; IP address
    ‒ dst.net.port: destination port; integer
    ‒ net.protocol: protocol specified in the IP header (e.g. TCP, UDP); string
    Custom VM Attributes
    ‒ custom-attribute: name of a user-defined attribute; string
    Note: this architecture provides the capability to dynamically create user-defined attributes on the VMs that can be applied in the VSG policies.
  • 40. vCenter VM Attributes (name: meaning; source)
    ‒ vm.name: name of this VM; vCenter
    ‒ vm.host-name: name of this ESX host; vCenter
    ‒ vm.os-fullname: name of the guest OS; vCenter
    ‒ vm.vapp-name: name of the associated vApp; vCenter
    ‒ vm.cluster-name: name of the cluster; vCenter
    ‒ vm.portprofile-name: name of the port-profile; port-profile
    VM attribute information collected is used for enforcing security policy. Security Policy Profile: defined/managed by VNMC; bound to the Cisco Nexus 1000V VSM port-profile.
  • 41. Example: 3-tier Server Zones, Policy – Content Hosting (diagram: a web client in front of a web-zone, application-zone and database-zone, each containing two servers). Permit only port 80 (HTTP) of web servers; permit only port 22 (SSH) to application servers; block all external access to database servers; only permit web servers access to application servers; only permit application servers access to database servers.
  • 42. Example: 3-tier Server Zones, Defining Zones (same diagram as slide 41)
    zone web-zone
      condition 1 vm.custom.app-type eq web
    zone application-zone
      condition 1 vm.custom.app-type eq application
    zone database-zone
      condition 1 vm.custom.app-type eq database
  • 43. Example: 3-tier Server Zones, Creating Rules (same diagram as slide 41; the default is set to "Deny")
    rule web-http-rule
      condition 1 dst.zone.name eq web-zone
      condition 2 dst.net.port eq 80
      action 1 permit
    rule application-ssh-rule
      condition 1 dst.zone.name eq application-zone
      condition 2 dst.net.port eq 22
      action 1 permit
  • 44. VNMC Policies and Rules: the configured rules and their order define the policy.
  • 45. Example: 3-tier Server Zones, Defining Policy (same diagram as slide 41)
    policy content-host-policy
      rule web-http-rule order 10
      rule application-ssh-rule order 20
      rule web-to-application-rule order 30
      rule application-to-web-rule order 40
      rule application-to-database-rule order 50
      rule database-to-application-rule order 60
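The zone, rule and policy definitions on slides 42 to 45 form one evaluation model: a VM's zone follows from its attributes, a rule is a conjunction of conditions on the flow, and the policy walks rules in order with the first match winning and everything else denied. The evaluator below is an added example, not VSG code: the attribute and rule names are taken from the slides, but the conditions of the four rules that slide 45 lists by name only (web-to-application-rule and the others) are assumed from the intent stated on slide 41, and the VM attribute sets are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

# A condition is (attribute, operator, value), mirroring "condition 1 dst.zone.name eq web-zone".
Condition = Tuple[str, str, object]


@dataclass(frozen=True)
class Rule:
    name: str
    conditions: Sequence[Condition]
    action: str  # "permit" or "deny"


def _holds(attrs: Dict[str, object], cond: Condition) -> bool:
    """Evaluate one condition; 'eq' against a multi-valued attribute (zone list) means membership."""
    attr, op, value = cond
    actual = attrs.get(attr)
    hit = value in actual if isinstance(actual, (list, set, tuple)) else actual == value
    if op == "eq":
        return hit
    if op == "neq":
        return not hit
    raise ValueError(f"unsupported operator {op!r}")


# Zones from slide 42: membership is decided by VM attributes, not by IP address.
ZONES: Dict[str, List[Condition]] = {
    "web-zone": [("vm.custom.app-type", "eq", "web")],
    "application-zone": [("vm.custom.app-type", "eq", "application")],
    "database-zone": [("vm.custom.app-type", "eq", "database")],
}


def zones_of(vm_attrs: Dict[str, object]) -> List[str]:
    return [z for z, conds in ZONES.items() if all(_holds(vm_attrs, c) for c in conds)]


# Rules: the first two are spelled out on slide 43; the other four are ASSUMED
# (slide 45 gives only their names and order).
RULES: Dict[str, Rule] = {
    "web-http-rule": Rule("web-http-rule",
        [("dst.zone.name", "eq", "web-zone"), ("dst.net.port", "eq", 80)], "permit"),
    "application-ssh-rule": Rule("application-ssh-rule",
        [("dst.zone.name", "eq", "application-zone"), ("dst.net.port", "eq", 22)], "permit"),
    "web-to-application-rule": Rule("web-to-application-rule",
        [("src.zone.name", "eq", "web-zone"), ("dst.zone.name", "eq", "application-zone")], "permit"),
    "application-to-web-rule": Rule("application-to-web-rule",
        [("src.zone.name", "eq", "application-zone"), ("dst.zone.name", "eq", "web-zone")], "permit"),
    "application-to-database-rule": Rule("application-to-database-rule",
        [("src.zone.name", "eq", "application-zone"), ("dst.zone.name", "eq", "database-zone")], "permit"),
    "database-to-application-rule": Rule("database-to-application-rule",
        [("src.zone.name", "eq", "database-zone"), ("dst.zone.name", "eq", "application-zone")], "permit"),
}

# Policy from slide 45: (order, rule name), evaluated in ascending order, first match wins.
CONTENT_HOST_POLICY: List[Tuple[int, str]] = [
    (10, "web-http-rule"), (20, "application-ssh-rule"), (30, "web-to-application-rule"),
    (40, "application-to-web-rule"), (50, "application-to-database-rule"),
    (60, "database-to-application-rule"),
]


def evaluate(policy: List[Tuple[int, str]], src_vm: Optional[Dict[str, object]],
             dst_vm: Dict[str, object], dst_port: int,
             protocol: str = "TCP") -> Tuple[str, Optional[str]]:
    """Return (action, matching rule); no match falls through to the default deny of slide 43."""
    flow = {
        "src.zone.name": zones_of(src_vm) if src_vm else [],  # external clients are in no zone
        "dst.zone.name": zones_of(dst_vm),
        "dst.net.port": dst_port,
        "net.protocol": protocol,
    }
    for _order, name in sorted(policy):
        rule = RULES[name]
        if all(_holds(flow, c) for c in rule.conditions):
            return rule.action, rule.name
    return "deny", None


# Constructed VM attribute sets (vCenter and custom attributes, slides 39-40).
WEB_VM = {"vm.name": "web-1", "vm.host-name": "esx-01", "vm.custom.app-type": "web"}
APP_VM = {"vm.name": "app-1", "vm.host-name": "esx-01", "vm.custom.app-type": "application"}
DB_VM = {"vm.name": "db-1", "vm.host-name": "esx-02", "vm.custom.app-type": "database"}

if __name__ == "__main__":
    print(evaluate(CONTENT_HOST_POLICY, None, WEB_VM, 80))      # external client to web: permit
    print(evaluate(CONTENT_HOST_POLICY, None, DB_VM, 1433))     # external client to DB: default deny
    moved = dict(WEB_VM, **{"vm.host-name": "esx-02"})          # after vMotion the zone is unchanged
    print(zones_of(moved), evaluate(CONTENT_HOST_POLICY, None, moved, 80))
```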
  • 46. ASA 1000V: Features and Capabilities. Built using the ASA infrastructure: IPsec VPN (site-to-site), inter-operability with VSG via service chaining, NAT, DHCP, default gateway, support for VXLAN, static routing, multi-tenant management via VNMC, stateful inspection, IP audit.
  • 47. Microsegmentation: ASA 1000V & VSG – per zone, per VM, per vNIC (diagram: Zone A VDC and Zone B VDC with vApps protected by VSGs, an ASA 1000V at each tenant edge, vPath on the Nexus 1000V on vSphere). Stateful inspection engines; IPsec site-to-site VPN. Collaborative security model: VSG for intra-tenant secure zones; virtual ASA for tenant edge controls.
  • 48. Non-Disruptive Administration: Mitigate Operational Errors Between Teams. The security team defines security policies; the networking team binds the port-profile to the VSG service profile; server administrators' VMs inherit the security policies from the Nexus 1000V port-profile; server administrators have nothing to do other than choose the port-profile (diagram: vCenter, Nexus 1KV and VNMC managed by the server, network and security admins).
  • 49. The ACME Co. – Securing the Data Center: Visibility & Context.
  • 50. "A misconfiguration of the internal virtual network may result in a breakdown of isolation. Unless something is monitoring internal virtual-network traffic, this would not be immediately detected." - Gartner
  • 51. NetFlow: Control, Context, Visibility (diagram: data center network with visibility, context and control; who, what, when, where, how)
    ‒ Technology used to characterize network operation
    ‒ Can be used to answer the questions: Who's talking to whom? What is happening on the network? Where is the data going? Did someone access the payroll server? Etc.
    Line-rate NetFlow platforms: Cat 3K-X; Cat 4K with Sup7E, Sup7L-E; Cat 6K with Sup2T, with service module (NGA).
  • 52. Introduction to NetFlow (diagram: source → NetFlow generator → destination; the generator's NetFlow cache holds flow information such as addresses and ports, 11000 packets, 1528 bytes/packet, and exports to a FlowCollector). NetFlow key fields: source IP address, destination IP address, source port, destination port, Layer 3 protocol, TOS byte (DSCP), input interface. 1. Inspect a packet's key fields and identify the values. 2. If the set of key field values is unique, create a cache entry. 3. On termination or timeout, export a flow record to the collector.
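The three steps above, and the purge behaviour of the vPath flow table on slide 37 (TCP RST/FIN plus an inactivity timer), are the same cache mechanics; the simulator below is an added example, not Cisco's NetFlow or vPath implementation. It keys packets on the seven key fields from the slide, aggregates them into cache entries, and exports a record on TCP teardown, on inactive/active timeout, or on a final flush; the packets and the 15-second inactive timeout are constructed for the demo.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

TCP, UDP = 6, 17
TCP_SYN, TCP_FIN, TCP_RST = 0x02, 0x01, 0x04

# Key fields from slide 52: src/dst address, src/dst port, L3 protocol, TOS byte, input interface.
FlowKey = Tuple[str, str, int, int, int, int, str]


@dataclass
class Packet:
    ts: float            # seconds since capture start
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    length: int          # bytes on the wire
    tos: int = 0
    ifname: str = "Gi1/1"
    tcp_flags: int = 0


@dataclass
class FlowEntry:
    key: FlowKey
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0


class NetFlowCache:
    """Slide 52 steps 1-3: key the packet, create/update an entry, export on end or timeout."""

    def __init__(self, inactive_timeout: float = 15.0, active_timeout: float = 1800.0):
        self.inactive_timeout = inactive_timeout
        self.active_timeout = active_timeout
        self.cache: Dict[FlowKey, FlowEntry] = {}
        self.exported: List[dict] = []   # records that would go to the FlowCollector

    @staticmethod
    def key_of(pkt: Packet) -> FlowKey:
        return (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto, pkt.tos, pkt.ifname)

    def _export(self, key: FlowKey, reason: str) -> None:
        e = self.cache.pop(key)
        self.exported.append({
            "src": e.key[0], "dst": e.key[1], "sport": e.key[2], "dport": e.key[3],
            "proto": e.key[4], "packets": e.packets, "octets": e.octets,
            "start": e.first_seen, "end": e.last_seen, "reason": reason,
        })

    def expire(self, now: float) -> None:
        """Timeout-driven export: idle entries, then entries that have lived too long."""
        for key, e in list(self.cache.items()):
            if now - e.last_seen >= self.inactive_timeout:
                self._export(key, "inactive_timeout")
            elif now - e.first_seen >= self.active_timeout:
                self._export(key, "active_timeout")

    def process(self, pkt: Packet) -> None:
        self.expire(pkt.ts)
        key = self.key_of(pkt)                    # step 1: inspect the key fields
        entry = self.cache.get(key)
        if entry is None:                         # step 2: unseen key-field set -> new entry
            entry = FlowEntry(key, pkt.ts, pkt.ts)
            self.cache[key] = entry
        entry.packets += 1
        entry.octets += pkt.length
        entry.last_seen = pkt.ts
        if pkt.proto == TCP and pkt.tcp_flags & (TCP_FIN | TCP_RST):
            self._export(key, "tcp_teardown")     # step 3: termination -> export immediately

    def flush(self) -> None:
        """Export whatever is still cached (e.g. at shutdown or end of capture)."""
        for key in list(self.cache):
            self._export(key, "flush")


def run_sample() -> List[dict]:
    """Constructed traffic: a short HTTP session and two DNS queries separated by an idle gap."""
    pkts = [
        Packet(0.0, "10.1.200.10", "10.1.201.20", 40001, 80, TCP, 74, tcp_flags=TCP_SYN),
        Packet(0.1, "10.1.200.10", "10.1.1.53", 5353, 53, UDP, 80),
        Packet(0.2, "10.1.200.10", "10.1.201.20", 40001, 80, TCP, 1500),
        Packet(0.3, "10.1.200.10", "10.1.201.20", 40001, 80, TCP, 60, tcp_flags=TCP_FIN),
        Packet(20.0, "10.1.200.10", "10.1.1.53", 5353, 53, UDP, 90),  # 19.9 s idle: first DNS flow times out
    ]
    cache = NetFlowCache()
    for p in pkts:
        cache.process(p)
    cache.flush()
    return cache.exported


if __name__ == "__main__":
    for rec in run_sample():
        print(rec)
```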
  • 53. Configuring NetFlow: 1. Configure the flow record. 2. Configure the flow exporter. 3. Configure the flow monitor. 4. Configure the interface(s).
  • 54. The Vision: Pervasive Threat Defense, Leveraging NetFlow, Identity, Reputation (diagram: Cisco and Lancope threat defense across the internal network and borders; NetFlow telemetry from Cisco switches, routers and ASA 5500; threat context data from Cisco SIO: identity, device, posture, reputation, application).
  • 55. Common Use Cases and Detection Examples. Threat context provided by Cisco ISE, reputation, and application recognition (NBAR):
    ‒ Who is being targeted?
    ‒ Is the user a critical target? (title and what part of the organization they are in per AD/LDAP information)
    ‒ What information does the user have access to? (network authorization group they belong to)
    ‒ What device is the traffic coming from? (laptop, smartphone, etc.)
    ‒ Has the user had security posture failures recently? (quarantine and posture event status)
    ‒ Are there other relevant user session events? (access to all AAA events associated with the user)
    ‒ What is the reputation of the host the user is communicating with?
    ‒ What application is the traffic?
  • 56. Example: Detecting Data Loss. Data is often exfiltrated over stealthy channels:
    ‒ Hidden inside normal communication payloads (payload padding)
    ‒ Encrypted over standard ports (TCP port 80, TCP port 443, etc.)
    ‒ Standard applications and protocols (e.g. SFTP, HTTP, HTTPS)
    Detection requires deep visibility into user and device behaviour:
    ‒ Historical data transfers – to establish patterns of communication
    ‒ Applications – is their behaviour "normal"?
    ‒ Time of day – why is Bob transferring data at 2:00 am?
    ‒ Countries – do we really do business with North Korea?
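The four questions above are each a check that can run over exported flow records once identity is joined in. The scorer below is an added example, not StealthWatch logic: it computes a per-user "concern index" from outbound volume against a history baseline, time of day, destination country and an upload-heavy web-port ratio. The baselines, the IP-to-user and IP-to-country tables, the weights and the flow records are all constructed for the demo.

```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed reference data (stands in for history, ISE identity and a geo lookup).
BASELINE_OUTBOUND_BYTES = {"10.1.200.10": 20_000_000, "10.1.200.11": 5_000_000}  # bytes/day
IDENTITY = {"10.1.200.10": "bob", "10.1.200.11": "alice"}
GEO = {"203.0.113.5": "US", "198.51.100.7": "KP", "192.0.2.9": "DE"}  # dst IP -> country
BUSINESS_COUNTRIES = {"US", "DE", "GB"}
BUSINESS_HOURS = range(7, 20)          # 07:00 to 19:59 local time
VOLUME_FACTOR = 3                      # flag a day that exceeds 3x the host's baseline
UPLOAD_RATIO = 10                      # flag web-port flows sending 10x more than they receive

# Weight of each heuristic in the concern index (constructed values).
WEIGHTS = {"off_hours": 10, "country": 30, "upload_heavy": 15, "volume": 25}


def concern_index(flows: List[dict]) -> Dict[str, Tuple[int, List[str]]]:
    """Map user -> (score, reasons) from flow records with src, dst, dport, bytes_out, bytes_in, start."""
    out_bytes: Dict[str, int] = defaultdict(int)
    reasons: Dict[str, Dict[str, str]] = defaultdict(dict)
    for f in flows:
        src = f["src"]
        out_bytes[src] += f["bytes_out"]
        hour = datetime.fromisoformat(f["start"]).hour
        if hour not in BUSINESS_HOURS:                       # "why is Bob transferring data at 2:00 am?"
            reasons[src]["off_hours"] = f"transfer at {hour:02d}:00"
        country = GEO.get(f["dst"], "??")
        if country not in BUSINESS_COUNTRIES:                # "do we really do business with ...?"
            reasons[src]["country"] = f"destination country {country}"
        if f["dport"] in (80, 443) and f["bytes_out"] > UPLOAD_RATIO * f["bytes_in"]:
            reasons[src]["upload_heavy"] = "upload-heavy flow on a standard web port"
    for src, total in out_bytes.items():                     # historical pattern of communication
        if total > VOLUME_FACTOR * BASELINE_OUTBOUND_BYTES.get(src, 0):
            reasons[src]["volume"] = f"outbound {total} bytes exceeds baseline"
    result = {}
    for src in out_bytes:
        score = sum(WEIGHTS[code] for code in reasons[src])
        result[IDENTITY.get(src, src)] = (score, sorted(reasons[src].values()))
    return result


# Constructed flow records: bob uploads 70 MB to an unusual country at 02:05, alice browses normally.
SAMPLE_FLOWS = [
    {"src": "10.1.200.10", "dst": "198.51.100.7", "dport": 443,
     "bytes_out": 70_000_000, "bytes_in": 400_000, "start": "2012-06-14T02:05:00"},
    {"src": "10.1.200.11", "dst": "203.0.113.5", "dport": 443,
     "bytes_out": 2_000_000, "bytes_in": 30_000_000, "start": "2012-06-14T10:15:00"},
    {"src": "10.1.200.11", "dst": "192.0.2.9", "dport": 22,
     "bytes_out": 1_000_000, "bytes_in": 50_000, "start": "2012-06-14T14:00:00"},
]

if __name__ == "__main__":
    for user, (score, why) in sorted(concern_index(SAMPLE_FLOWS).items(), key=lambda kv: -kv[1][0]):
        print(f"{user}: concern index {score}; {'; '.join(why) or 'no findings'}")
```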
  • 57. Example: Detecting Data Loss, Cisco Cyber Threat Defense (diagram: NetFlow-capable access switches (Catalyst 3650, 4500, 3750), NBAR-capable ISRs, ASA and Catalyst 6500 at distribution/core, Nexus data center core, and a management/data center services block with StealthWatch FlowCollector, StealthWatch Management Console and ISE). Sequence: infected machine opens a connection; infected machine copies data; infrastructure generates NetFlow data.
  • 58. Example: Detecting Data Loss, Cisco Cyber Threat Defense (same diagram as slide 57). Sequence continued: infected machine exfiltrates data; infrastructure generates NetFlow data; flow & identity correlation; concern index increased.
  • 59. Pull Up Identity Into "Data Loss" Alarm (screenshot callouts): customizable event detail; drill information from ISE (username, auth group, posture, device profile) on the note screen; query Cisco SenderBase for host reputation information; customizable volume of traffic exfiltrated and % outgoing traffic; alarm delivers alerts prioritized by severity level.
  • 60. Securing the Data Center: Data in vMotion, Data at Rest.
  • 61. Protecting Virtual Machine Data on the Move. Example: protection for vMotion. vMotion traffic is sent in the clear; it is possible to sniff vMotion traffic and capture the vmdk files and memory contents of a VM. The recommendation is to put vMotion in a separate VLAN.
  • 62. vMotion. vMotion traffic is not encrypted: the feature was listed in version 4 but was never implemented, and the option has been removed in vSphere 5 to avoid any confusion. Clear access to machine files and parameters (fairly well understood, but just in case you didn't know).
  • 63. Data At Rest: Keeping it Secure. Architecture diagram showing the layers, from application software and virtual machines through vSwitch, compute, access, aggregation and services, core, IP-NGN edge and storage/SAN to the IP-NGN backbone, with the security and service features placed at each layer: virtual device contexts, firewall services, fabric-hosted storage virtualization, intrusion detection, Storage Media Encryption, secure domain routing, service profiles, port profiles and VN-Link, virtual machine optimization, virtual firewall, edge and VM partners, Fibre Channel forwarding, fabric extension, line-rate NetFlow, application control (SLB+), service control, and virtual contexts for firewall and SLB.
  • 64. SAN Security: fabric security augments overall application and data security. Diagram: host, Cisco MDS 9000 Family fabric, target and tape/VTL, with the six security areas marked. 1. SAN Management Access: secure access to SAN fabric management services. 2. Fabric Access: secure device access to fabric services. 3. Target Access: secure access to targets and LUNs. 4. SAN Protocol: secure switch-to-switch communication protocols. 5. IP Storage Access: secure FCIP and iSCSI services. 6. Data Integrity and Privacy: encryption of data in transit and at rest. Host and disk security are also required.
  • 65. SME Overview: Storage Media Encryption. Diagram: application server, Key Management Center (reached over IP), encryption performed in the fabric, storage array and tape library; a sample record (Name: XYZ, SSN: 1234567890, Amount: $123,456, Status: Gold) is shown in the clear on the host side and as ciphertext on the media side.  Encrypts storage media (data at rest) ‒ strong, IEEE-compliant AES-256 encryption ‒ integrated as a transparent fabric service  Supports heterogeneous storage arrays, tape devices, and VTLs  Compresses tape data  Offers secure, comprehensive key management  Allows offline media recovery  Built upon a FIPS level-3 system architecture
  • 66. The ACME Co. – Securing the Data Center: User and Device Authentication
  • 67. Security, Simplification, End User Experience: initiatives that involve the data center.  Broad identity initiative for user and device access control via 802.1X  Provide secure mobility (BYOD) for consumer devices (Apple iOS, Android) and provide secure mobility through enterprise policy enforcement  Enhance the user experience by enabling mobile voice, video and data services
  • 68. ISE Traffic Flow. Diagram: endpoint 10.1.204.126 authenticates with EAPOL (dot1x) to the Catalyst 6506 (10.1.204.254); the switch sends a RADIUS Access Request to ISE and receives a RADIUS Access Accept carrying SGT = 5; the resulting IP address to SGT mapping (10.1.204.126 = SGT 5) is propagated over SXP toward the Nexus 7000 Core VDC (10.1.200.254) and Agg VDC; the ASA and VSG apply the SG ACL matrix (Finance, HR) in front of Finance Server #1 (10.1.200.100) and HR Server #1 (10.1.200.50), so Finance to Finance is permitted ✓.
  • 69. Securing Virtual Desktop Flows. Diagram: HVD zones (Contractor, IT Admin, Employee, Guest) on Nexus 1000V with VSG and ASA 1000V, server zones (Application/HR Portal SGT = 20, Records Database SGT = 30), an ASA, and Contractor and Guest users connecting through Cisco AnyConnect.  Persistent virtual workspace  Mobile devices are managed before VDI access is permitted  Create server zones for each group of virtual machines  Port profiles assign VLANs, ACLs and security profiles for ASA and VSG  If the access layer is 802.1X capable, assign an SGT  NetFlow provides visibility  Maintain compliance while supporting IT consumerization
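Slides 68 and 69 describe the same mechanism from two angles: ISE hands the access switch an SGT in the RADIUS Access-Accept, the IP-to-SGT binding is shared over SXP, and an enforcement point (ASA or VSG) decides from the SG ACL matrix whether a source tag may reach a destination tag, with server zones carrying tags of their own. The simulation below is an added example written for this transcript, not code from the deck or from Cisco's TrustSec implementation. The endpoint's SGT 5 and the addresses of the Finance and HR servers come from slide 68 and the zone tags 20 and 30 from slide 69; the Records Database address 10.1.200.30, the Finance tag value for the servers, the matrix contents and the default-deny behaviour for unknown bindings are all assumptions.

```python
"""Added example: IP-to-SGT binding plus SGACL matrix lookup, as a simulation.
Tags 5/20/30 and the server addresses 10.1.200.100 / 10.1.200.50 are from the slides;
10.1.200.30, the matrix and the default-deny choice are assumptions."""
from dataclasses import dataclass, field

FINANCE, HR, RECORDS = 5, 20, 30   # SGT values shown on the slides


@dataclass
class TrustSecSim:
    # IP-to-SGT bindings as an enforcement point would learn them over SXP (constructed)
    bindings: dict = field(default_factory=dict)
    # SG ACL matrix: (src_sgt, dst_sgt) -> permitted (constructed)
    matrix: dict = field(default_factory=dict)
    # Assumption: a flow with no binding on either side is denied
    default_permit: bool = False

    def access_accept(self, ip: str, sgt: int) -> None:
        """Model the RADIUS Access-Accept carrying an SGT; the switch then publishes
        the IP-to-SGT binding over SXP, which here is simply storing it."""
        self.bindings[ip] = sgt

    def static_mapping(self, ip: str, sgt: int) -> None:
        """Servers behind a non-802.1X access layer get a static IP-to-SGT mapping."""
        self.bindings[ip] = sgt

    def sgt_for(self, ip: str):
        return self.bindings.get(ip)        # None means no binding known

    def permitted(self, src_ip: str, dst_ip: str) -> bool:
        """The SGACL decision an ASA or VSG would make for this flow."""
        src, dst = self.sgt_for(src_ip), self.sgt_for(dst_ip)
        if src is None or dst is None:
            return self.default_permit
        return self.matrix.get((src, dst), self.default_permit)

    def explain(self, src_ip: str, dst_ip: str) -> str:
        verdict = "permit" if self.permitted(src_ip, dst_ip) else "deny"
        return f"{src_ip} (SGT {self.sgt_for(src_ip)}) -> {dst_ip} (SGT {self.sgt_for(dst_ip)}): {verdict}"


def build_demo() -> TrustSecSim:
    """Reproduce the slide scenario: a Finance endpoint, Finance and HR servers, a records zone."""
    sim = TrustSecSim(default_permit=False)
    sim.static_mapping("10.1.200.100", FINANCE)   # Finance Server #1 (slide 68)
    sim.static_mapping("10.1.200.50", HR)         # HR Server #1 (slide 68)
    sim.static_mapping("10.1.200.30", RECORDS)    # Records Database zone (address assumed)
    sim.matrix.update({
        (FINANCE, FINANCE): True,    # the ✓ on slide 68
        (FINANCE, HR): False,
        (FINANCE, RECORDS): False,   # only the HR portal may reach the records zone
        (HR, HR): True,
        (HR, RECORDS): True,
        (HR, FINANCE): False,
    })
    sim.access_accept("10.1.204.126", FINANCE)    # RADIUS Access-Accept, SGT = 5
    return sim


if __name__ == "__main__":
    demo = build_demo()
    for dst in ("10.1.200.100", "10.1.200.50", "10.1.200.30"):
        print(demo.explain("10.1.204.126", dst))
    print(demo.explain("10.1.204.99", "10.1.200.100"))   # no binding: denied by default
```

Two points the slides leave implicit are worth checking in a real deployment: a flow whose source has no binding falls to the default entry, so the default must be deny rather than permit, and pairs absent from the matrix behave the same way. The simulation makes both explicit so they can be tested before an SXP peering or a static mapping is missing in production.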
  • 71. Cisco Validated Designs for the DC: Providing Validated, Tested Designs. The validated designs are tested and fully documented to help ensure faster, more reliable, and more predictable customer deployments. • CVD > SAFE: http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/SAFE_RG/SAFE_rg.pdf • CVD > Virtualized Multi-Tenant Data Center (VMDC): http://www.cisco.com/en/US/partner/docs/solutions/Enterprise/Data_Center/VMDC/1.1/design.html • CVD > Secure Multi-Tenant CVD: http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns743/ns1050/landing_dcVDDC.html Diagram: ASA 5585-X, vPC, VSS, and a Catalyst 6500 services block with Firewall, ACE, ESA, NAM, IPS and WSA. Centralized security and application service modules and appliances can be applied per zone.
  • 72. Final Thoughts. Get hands-on experience with the Walk-in Labs located in World of Solutions, booth 1042. Come see demos of many key solutions and products in the main Cisco booth 2924. Visit www.ciscoLive365.com after the event for updated PDFs, on-demand session videos, networking, and more! Follow Cisco Live! using social media: ‒ Facebook: https://www.facebook.com/ciscoliveus ‒ Twitter: https://twitter.com/#!/CiscoLive ‒ LinkedIn Group: http://linkd.in/CiscoLI
  • 73. Visit the Cisco Store for Related Titles: http://theciscostores.com
  • 74. Recommended Reading: BRKCOM-2005
  • 75. Recommended Reading: BRKNMS-2005
  • 76. Recommended Reading: BRKSEC-3020
  • 77. Recommended Reading: BRKVIR-2008
  • 78. Recommended Reading: TECVIR-2002
  • 79. Complete Your Online Session Evaluation. Give us your feedback and you could win fabulous prizes. Winners announced daily. Receive 20 Passport points for each session evaluation you complete. Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center. Don't forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit www.ciscolive.com.
  • 82. N1K Public Resources. CCO Links: ‒ 1000V: www.cisco.com/go/1000v ‒ 1010: www.cisco.com/go/1010 ‒ VSG: www.cisco.com/go/vsg ‒ VNMC: www.cisco.com/go/vnmc ‒ vWAAS: www.cisco.com/go/waas ‒ NAM on 1010: http://www.cisco.com/en/US/products/ps10846/index.html (or www.cisco.com/go/nam). Deployment Guides: ‒ Nexus 1000V Deployment Guide ‒ Nexus 1000V on UCS – Best Practices ‒ Nexus 1010 Deployment Guide ‒ VSG Deployment Guide. Cheat Sheets: ‒ Nexus 1010 Configuration Cheat Sheet v.2.0: https://communities.cisco.com/docs/DOC-28188 ‒ Nexus 1000V w/ UCS Configuration Cheat Sheet v.1.1: https://communities.cisco.com/docs/DOC-28187. White papers: ‒ Nexus 1000V and vCloud Director ‒ N1K on UCS Best Practices ‒ Nexus 1000V QoS White paper (draft) ‒ VSG and vCloud Director (draft) ‒ vWAAS Technical Overview, vWAAS for Cloud-ready WAN Optimization. More on the way….
  • 83. Additional N1K Public Links. N1K Download and 60-day Eval: www.cisco.com/go/1000vdownload; N1K Product Page: www.cisco.com/go/1000v; N1K Community: www.cisco.com/go/1000vcommunity; N1K Twitter: www.twitter.com/official_1000V; N1K Webinars: www.cisco.com/go/1000vcommunity; N1K Case Studies: www.tinyurl.com/n1k-casestudy; N1K Whitepapers: www.tinyurl.com/n1k-whitepaper; N1K Deployment Guide: www.tinyurl.com/N1k-Deploy-Guide; VXI Reference Implementation: www.tinyurl.com/vxiconfigguide; N1K on UCS Best Practices: www.tinyurl.com/N1k-On-UCS-Deploy-Guide