
Security and Virtualization in the Data Center



This presentation discusses how to effectively integrate security with the core data center fabric technologies and features, security as part of the core design, designs that enforce microsegmentation in the data center, enforcing separation of duties in virtualized and cloud environments, and security that enforces continuous compliance.



  1. Security and Virtualization in the Data Center
  2. Speaker information
     • Contact information:
       – David Anderson
       – Solutions Architect
       – Borderless Security team – US
       – E-mail:
     • Focus areas:
       – Data Center Security
       – Virtualization
       – Secure Mobility
       – Security Design
       – Compliance (PCI, Federal)
  3. Takeaways
     • To integrate security effectively you must understand the core data center fabric technologies and features: VDC, vPC, VRF, server virtualization, traffic flows
     • Security as part of the core design
     • Designs to enforce microsegmentation in the data center
     • Enforce separation of duties in virtualized and cloud environments
     • Security to enforce continuous compliance
  4. Secure Data Center
     • Data Center Primer
     • Secure Data Center Components
     • Secure Data Center Design Fundamentals
     • Secure Data Center Design Details
  5. Data Center Primer: Terms and Technology
  6. Cisco Data Center Terms Primer – Know the lingo
     • VDC – Virtual Device Context
     • vPC – Virtual Port Channel
     • VSS & MEC – Virtual Switching System & Multi-chassis EtherChannel
     • VSL & Peer Link – Virtual Switch Link
     • ECMP – Equal Cost Multi-Path
     • VSD – Virtual Service Domain
     • VBS – Virtual Blade Switching
     • VRF – Virtual Routing & Forwarding
     • FabricPath
  7. Data Center Architecture
     (Figure: layers from Application Software, Virtual Machines and VSwitch through Compute, Storage & SAN, Access, Aggregation and Services and Core to the IP-NGN Edge and Backbone (Internet, IP-NGN, Partners). Components: Virtual Device Contexts, Fabric-Hosted Storage Virtualization, Service Profiles, Port Profiles & VN-Link, Virtual Machine Optimization, Application Control (SLB+), Service Control, Fibre Channel Forwarding, Fabric Extension.)
  8. Secure Data Center Architecture
     (Figure: the same layers as slide 7, with security added at each layer: Firewall Services, Intrusion Detection, Storage Media Encryption, Secure Domain Routing, Virtual Firewall at the Edge and per VM, Line-Rate NetFlow, Virtual Contexts for FW & SLB, alongside Virtual Device Contexts, Fabric-Hosted Storage Virtualization, Service Profiles, Port Profiles & VN-Link, Virtual Machine Optimization, Application Control (SLB+), Service Control, Fibre Channel Forwarding and Fabric Extension.)
  9. Data Center Security Challenges
  10. Security Threats & Considerations
     • Denial of Service (e.g. Google, Twitter, Facebook)
     • APT – Targeted Attacks / Nation State Attacks
     • Data Protection for Privacy and Data Compliance
     • Application Exploits (SQL Injection)
     • Malware / Botnets
     • Mobile Malicious Code
     • Virtualization Concerns
  11. Secure the Platform / Add Security Services
     Secure the Platform – network security best practices:
     • Network device hardening
     • Defense in Depth
     • AAA
     • NetFlow
     • Separation of duties and least privileges
     Secure the Platform – virtualization specifics:
     • Follow hypervisor hardening recommendations
     • Access Controls (production vs. management)
     • Secure and harden Guest OS
     • Segmentation
     Add Security Services:
     • VRF, VLAN, Access Control Lists
     • Stateful Network Firewalls
     • Intrusion Detection and Prevention
     • Web firewalls
     • Load Balancers
     • SSL Offloading
     • Virtual security appliances
     • Management and Visibility tools
  12. Data Center Security Components: What's in our toolbox
  13. Physical and Virtual Service Nodes
     1. Redirect VM traffic via VLANs to external (physical) appliances – traditional service nodes with virtual contexts
     2. Apply hypervisor-based network services – virtual service nodes (VSN)
     (Figure: Web, App and Database servers on a hypervisor; in option 1 VLANs carry traffic to traditional service nodes, in option 2 VSNs sit next to the hypervisor.)
  14. Physical Firewalls
     • ASA Services Module
     • ASA 5585 Appliance
     (Figure: Web, App and Database servers on a hypervisor; VLANs to virtual contexts on traditional service nodes.)
  15. Features in ASA Firewalls
     EtherChannel:
     • ASA supports Link Aggregation Control Protocol (LACP), an IEEE 802.3ad standard
     • Each port-channel supports up to 8 active and 8 standby links
     • Supported methods of aggregation: Active, Passive & On
     • EtherChannel ports are treated just like physical and logical interfaces on the ASA
     • ASA can tie in directly to a vPC (Nexus 7000) or VSS (6500) enabled switch
     Up to 32 interfaces per Virtual Context (formerly 2):
     – 4 interfaces per bridge group
     – 8 bridge groups per Virtual Context
  16. Catalyst 6500 VSS and Nexus 7000 vPC
     • Dual Active Forwarding Paths
     • Loop-Free Design
     (Figure: VSS pair joined by a VSL and vPC pair joined by a peer link; MCEC / EC links down to active and standby devices.)
     Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential
  17. ASA Integration with vPC & VSS
     (Figure: ASA active/standby pairs attached by EtherChannel (MCEC) to a vPC pair over its peer link and to a VSS pair over its VSL.)
  18. Virtualization Concerns
     • Policy Enforcement
       – Applied at the physical server, not the individual VM
       – Impossible to enforce policy for VMs in motion
     • Operations and Management
       – Lack of VM visibility, accountability, and consistency
       – Difficult management model and inability to effectively troubleshoot
     • Roles and Responsibilities
       – Muddled ownership, as the server admin must configure the virtual network
       – Organizational redundancy creates compliance challenges
     • Machine Segmentation
       – Server and application isolation on the same physical server
       – No separation between compliant and non-compliant systems
     (Figure: Web, App and DB servers on a hypervisor; VLANs to virtual contexts.)
  19. Virtualization & Virtual Service Nodes
     • Virtual Security Gateway (VSG): zone-based intra-tenant segmentation of VMs
     • ASA 1000V: ingress/egress multi-tenant edge deployment
     (Figure: Web, App and Database servers on a hypervisor with Nexus 1000V; VSG and ASA 1000V as Virtual Service Nodes (VSN).)
  20. Cisco's Virtual Security Architecture
     • Orchestration / Cloud Portals
     • Virtual Network Management Center – extending existing operational workflows to virtualized environments
     • VSG and ASA 1000V – extending network services to virtualized environments
     • Nexus 1000V and vPath – extending networking to virtualized environments
  21. vPath – The intelligent virtual network
     • vPath is intelligence built into the Virtual Ethernet Module (VEM) of the Nexus 1000V (1.4 and above)
     • vPath has two main functions:
       a. Intelligent Traffic Steering
       b. Offload processing via Fastpath from Virtual Service Nodes to the VEM
     • Dynamic Security Policy Provisioning (via security profile)
     • Leveraging vPath enhances service performance by moving the processing to the hypervisor
     (Figure: vPath inside the Nexus 1000V VEM.)
  22. vPath: Fast Path Switching for Virtualization
     (Figure: VMs on a Nexus 1000V distributed virtual switch with vPath, VNMC, VSG and ASA 1000V. Steps: 1 Initial Packet Flow; 2 Access Control Flow (policy evaluation); 3 Decision Caching; 4 (label not recovered).)
  23. Cisco Virtual Security Gateway
     Virtual Security Gateway (VSG):
     • Context aware Security – VM context aware rules
     • Zone based Controls – establish zones of trust
     • Dynamic, Agile – policies follow vMotion
     • Best-in-class Architecture – efficient, fast, scale-out SW
     Virtual Network Management Center (VNMC):
     • Non-Disruptive Operations – security team manages security
     • Policy Based Administration – central mgmt, scalable deployment, multi-tenancy
     • Designed for Automation – XML API, security profiles
  24. Virtual Security Gateway
     • Context-based rule engine, where ACLs can be expressed using any combination of network (5-tuple), custom and VM attributes. It is extensible, so other types of context/attributes can be added in future
     • No need to deploy on every physical server (due to Nexus 1000V vPath intelligence)
     • Hence it can be deployed on a dedicated server, or hosted on a Nexus 1010 appliance
     • Performance optimization via enforcement off-load to Nexus 1000V vPath
     • High availability
  25. ASA 1000V
     • Runs the same OS as the ASA appliance and blade
     • Maintains ASA Stateful Inspection Engines
     • IPSEC site-to-site VPN
     • Collaborative Security Model: VSG for intra-tenant secure zones, Virtual ASA for tenant edge controls
     • Integration with Nexus 1000V & vPath
     (Figure: Tenant A VDC and Tenant B VDC, each with vApps protected by VSGs and a Virtual ASA at the tenant edge, over vPath on Nexus 1000V and vSphere.)
  26. Nexus 1000V Port Profiles
     Port Profile –> Port Group (via the vCenter API)

       port-profile vm180
         vmware port-group pg180
         switchport mode access
         switchport access vlan 180
         ip flow monitor ESE-flow input
         ip flow monitor ESE-flow output
         no shutdown
         state enabled

       interface Vethernet9
         inherit port-profile vm180
       interface Vethernet10
         inherit port-profile vm180

     Supported commands include: Port management, Port-channel, VLAN, ACL, PVLAN, NetFlow, Port Security, QoS
  27. Security Policy to Port Profile
  28. Design Fundamentals
  29. Secure Data Center
     • Network security can be mapped and applied to both the physical and virtual DC networks
     • Zones can be used to provide data-centric security policy enforcement
     • Steer VM traffic to a Firewall Context
     • Segment pools of blade resources per Zone
     • Segment network traffic within the Zone
       – System Traffic
       – VM Traffic
       – Management Traffic
     • Lock down elements within a Zone
     • Unique policies and traffic decisions can be applied to each zone, creating very flexible designs
     • Foundation for a secure private cloud
  30. Understand Network and Application Flows
     • Understand how the applications are deployed and accessed, both internally and externally
     • Understand the North-South and East-West flow patterns
     • Adjacency of services to servers is important. Adding services to existing flow patterns minimizes packet gymnastics!
     • Again, design with the maximum amount of high availability: know your failover and failback times, and the traffic paths during failover scenarios
     (Figure: Web client → Web-zone (Web servers) → Application-zone (App servers) → Database-zone (DB servers). Only permit Web servers access to Application servers; only permit Application servers access to Database servers.)
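The tier chain on this slide (web may reach app, app may reach db, nothing else) and the VSG rule model of slide 24 (match on the network 5-tuple, on VM attributes learned from vCenter, or both) can be expressed as one default-deny policy evaluator. The following is an added example, not code from the presentation or from Cisco; the zone prefixes, attribute names, port numbers and the rule set are constructed for illustration, and the attribute-based deny models the deck's later "Deny HR to Finance" VSG policy:

```python
"""Added example (not from the presentation): default-deny policy evaluation
over zone membership plus VM attributes, in the style of VSG context-aware
rules. All addressing, attributes and rules below are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

# Constructed zone addressing; a real design maps zones to VLANs/VRFs.
ZONES = {
    "web": ip_network("10.10.0.0/24"),
    "app": ip_network("10.20.0.0/24"),
    "db": ip_network("10.30.0.0/24"),
}


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int
    src_attrs: Dict[str, str] = field(default_factory=dict)  # e.g. {"department": "HR"}
    dst_attrs: Dict[str, str] = field(default_factory=dict)


@dataclass
class Rule:
    name: str
    action: str  # "permit" or "deny"
    src_zone: Optional[str] = None
    dst_zone: Optional[str] = None
    proto: Optional[str] = None
    dst_ports: Set[int] = field(default_factory=set)
    src_attrs: Dict[str, str] = field(default_factory=dict)
    dst_attrs: Dict[str, str] = field(default_factory=dict)


def zone_of(ip: str) -> str:
    """Return the zone whose prefix contains ip, or 'unknown'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def matches(rule: Rule, flow: Flow) -> bool:
    """Every condition the rule sets must hold; unset conditions are wildcards,
    so an attribute-only rule applies in every zone."""
    if rule.src_zone and zone_of(flow.src_ip) != rule.src_zone:
        return False
    if rule.dst_zone and zone_of(flow.dst_ip) != rule.dst_zone:
        return False
    if rule.proto and flow.proto != rule.proto:
        return False
    if rule.dst_ports and flow.dst_port not in rule.dst_ports:
        return False
    if any(flow.src_attrs.get(k) != v for k, v in rule.src_attrs.items()):
        return False
    if any(flow.dst_attrs.get(k) != v for k, v in rule.dst_attrs.items()):
        return False
    return True


def evaluate(policy: List[Rule], flow: Flow) -> Tuple[str, str]:
    """First matching rule wins; a flow that no rule matches is denied."""
    for rule in policy:
        if matches(rule, flow):
            return rule.action, rule.name
    return "deny", "implicit-deny"


# Constructed rule set: the attribute-based deny is listed first so it wins
# even when both VMs sit in the same zone (the tier rules would never permit
# intra-zone traffic anyway, but an explicit deny also produces a named hit).
POLICY = [
    Rule("hr-to-finance", "deny",
         src_attrs={"department": "HR"}, dst_attrs={"department": "Finance"}),
    Rule("web-to-app", "permit", src_zone="web", dst_zone="app",
         proto="tcp", dst_ports={8080}),
    Rule("app-to-db", "permit", src_zone="app", dst_zone="db",
         proto="tcp", dst_ports={1433}),
]

# Constructed sample flows.
SAMPLE_FLOWS = [
    Flow("10.10.0.5", "10.20.0.5", "tcp", 8080),   # web -> app, permitted
    Flow("10.10.0.5", "10.30.0.5", "tcp", 1433),   # web -> db, no rule: denied
    Flow("10.20.0.5", "10.30.0.5", "tcp", 1433),   # app -> db, permitted
    Flow("10.20.0.7", "10.20.0.8", "tcp", 445,
         src_attrs={"department": "HR"}, dst_attrs={"department": "Finance"}),
]


def audit(policy: List[Rule], flows: List[Flow]) -> List[Tuple[Flow, str, str]]:
    """Evaluate each flow and return (flow, action, matched rule name)."""
    return [(f,) + evaluate(policy, f) for f in flows]


if __name__ == "__main__":
    for flow, action, rule in audit(POLICY, SAMPLE_FLOWS):
        print(f"{flow.src_ip} -> {flow.dst_ip}:{flow.dst_port}/{flow.proto}  {action:6} ({rule})")
```

Feeding the evaluator the flows a zone is expected to carry is a cheap way to review a proposed rule set before it reaches a VSG or ASA: any expected flow that lands on `implicit-deny`, or any flow between tiers that is permitted without a named rule, is a design error.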
  31. Important
     • Careful attention should be given to where the server's default gateway resides
     • It can be disruptive to introduce changes to where the gateway resides. Non-greenfield designs require flexibility for deploying new services, e.g. moving the gateway from the switch to a service appliance
     • Service introduction (e.g. firewall, web security, load balancing) can have an impact on data center traffic flows
     • Design with the maximum amount of high availability: know your failover and failback times, and the traffic paths during failover scenarios
     • Multicast support considerations for L2 vs. L3 services
  32. Traditional North-South Traffic Flow
     • Ingress and egress traffic from each zone is routed and filtered appropriately with ASA and IPS
     • Physical firewall, IPS, etc. deployed for each zone
     • Access: Top of Rack
     • Physical devices for each zone are sometimes required, but can be an expensive solution
     (Figure: Internet → Aggregation (ASA with IPS per zone) → Access (top of rack) → Zone A, Zone B and Zone C vApps on vSphere.)
  33. Network Virtualization and Zones – Acme Co.: Control Traffic and Apply Policy per Zone
     • Zones used to provide data-centric security policy enforcement
     • Unique policies and traffic decisions applied to each zone
     • Physical network security mapped per zone – VRF, Virtual Context
     • Lock down elements in the Zone
     • Steer VM traffic to the Firewall Context
     • Segment pools of blade resources per Zone
     • Segment network traffic in the Zone
       – System Traffic
       – VM Traffic
       – Management Traffic
     (Figure: per-zone Virtual Switches on vSphere.)
  34. North-South Traffic with Network Virtualization
     (Figure: Internet → Physical ASA → Aggregation with VLAN 10 and VLAN 20 in a VRF (192.168.10.1) → ASA Virtual Context (Layer 2) → Access → Zone A, Zone B and Zone C vApps on vSphere.)
  35. Microsegmentation: Per Zone, Per VM, Per vNIC
     • Stateful filtering for ingress/egress of each Zone (Virtual ASA)
     • VM segmentation based on VM attributes or ACL (VSG)
     • Zone-to-zone traffic can be encrypted via IPSEC
     • Demonstrable segmentation and encryption for virtualization compliance
     (Figure: Aggregation with VLAN 10 and VLAN 20; Zone A, Zone B and Zone C each fronted by a Virtual ASA with IPSEC between zones; tenant VDCs with vApps and VSGs over vPath on Nexus 1000V and vSphere.)
  36. Segmentation of Production and Non-Production Traffic
     (Figure: an ESX host with VMkernel, VSG and production vEth ports over vPath on Nexus 1000V with ASA 1000V; VMNIC 1 to VMNIC 4 split the Management Network (vCenter, VNMC), the Production Network and the Storage Network.)
  37. Visibility: Monitor VM to VM Traffic
     • Nexus 1000V supports NetFlow v9 and ERSPAN/SPAN
     • Permit protocol type "0x88BE" for ERSPAN GRE
     • ERSPAN does not support fragmentation
     • Nexus 1000V requires a NetFlow source interface; defaults to Mgmt0

       monitor session 1 type erspan-source
         description N1k ERSPAN – session 1
       monitor session 2 type erspan-source
         description N1k ERSPAN – session 2
       monitor session 3 type erspan-destination
         description N1k ERSPAN to NAM
       monitor session 4 type erspan-destination
         description N1k ERSPAN to IDS1

     (Figure: ERSPAN destinations at Aggregation: ID:1 NetFlow Analyzer, ID:2 Intrusion Detection; Zone B and Zone C VDCs with vApps and VSGs over vPath on Nexus 1000V and vSphere.)
  38. Virtualization & Compliance: PCI DSS 2.0 Guidance
     • PCI security requirements apply to all "system components."
     • System components are defined as:
       – Any network component, server, or application that is included in or connected to the cardholder data environment.
       – Virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors.
     • The cardholder data environment is that part of the network that possesses cardholder data or sensitive authentication data.
     • Adequate network segmentation, which isolates systems that store, process, or transmit cardholder data from those that do not, may reduce the scope of the cardholder data environment.
     Source: PCI DSS 2.0
     Implications:
     • All virtual components in scope
     • All virtual communications and data flows must be identified and documented
     • Virtualized environment must maintain proper segmentation
     • Must meet the intent of all 12 PCI requirements
     (Figure: the production / non-production segmentation diagram from slide 36.)
  39. Design Details
  40. Secure Data Center Reference Architecture
     • 2x Nexus 7010s with VDCs (Core and Aggregation) (NX-OS 5.1(3))
     • 2x Nexus 5Ks for top of rack
     • 2x ASA 5585-60 with IPS
     • 2x 6500-E with ASA-SMs
     • 2x Virtual Security Gateway (VSG) in HA mode
     • 2x Nexus 1000V with redundant VSMs
     • Identity Services Engine (ISE) for 802.1X user AAA
     • Standard VMware ESXi infrastructure with multiple service domains (Active Directory, DNS, VDI, etc.)
  41. Traditional Model
     • Services are aggregated at the Distribution Layer
     • Single or Multi-Tenant zone-based segmentation
     • Virtual Contexts create security zones from the DC edge to the Virtual Machine
     • VRF -> Firewall -> VLAN -> Virtual Switch -> Virtual Firewall -> vNIC -> VM
     • EtherChannel and vPC provide a loop-free Layer 2 environment
     • Visibility and control for VM-to-VM flows
     (Figure: L3 routed Core above the L2 boundary.)
  42. ASA Details
     • ASA 5585-1 (Twain) and 5585-2 (Voltaire), attached to 7k-1 and 7k-2 AGG-VDC via vPC9 and vPC10
     • BVI-1: v201 Outside [Po1.201] and v200 Inside [Po1.200]
     • BVI-2: v205 Service-Out [Po1.205] and v204 Service-In [Po1.204]
     • ASA side: channel-group 1 mode passive
     • Nexus side: channel-group 1 mode active
     • Port Channel Load-Balancing Configuration – System: src-dst ip
  43. Secure Service Pod Model
     • Services Pod centralizes security services
     • Traffic forwarded via service-specific VLANs
     • Modules (Cat 6500) and appliances supported
     • Highly scalable modular design
     • Single or Multi-Tenant zone-based segmentation
     • Security zones from the DC edge to the Virtual Machine
     (Figure: L3 routed Core above the L2 boundary, with the services pod off the aggregation layer.)
  44. Nexus 7000 & Cat 6500 Channel Group Modes
     • Nexus 7000 (7k-1 and 7k-2, AGG-VDC): Channel-Group 1 mode active (vPC1), Channel-Group 2 mode active (vPC2)
     • Catalyst 6500 (6506-1 "WestJet" and 6506-2 "Airbus", each with an ASA-SM): Channel-Group 1 mode on, Channel-Group 2 mode on
  45. ASA SM Layer 2 and 3
     v221 – Outside, v220 – Inside

       interface BVI2
         description bvi for 221 and 220
         ip address
  46. ASA SM Details
     Catalyst 6500 SVIs (6506-1, with 6506-2 values in parentheses):

       interface Vlan221
         mac-address b414.89e1.2222      (6506-2: b414.89e1.3333)
         ip address
         hsrp 21
           preempt
           priority 105                  (6506-2: priority 100)
           ip

     Nexus 7000 AGG-VDC (7k-1 / 7k-2):

       interface port-channel1
         switchport
         switchport mode trunk
         vpc 1
       interface port-channel2
         switchport
         switchport mode trunk
         vpc 2

     ASA-SM (WestJet / Airbus):

       interface BVI2
         ip address
       interface Vlan220
         nameif inside
         bridge-group 2
         security-level 100
       !
       interface Vlan221
         nameif outside
         bridge-group 2
         security-level 0
       failover lan interface Failover Vlan44
       failover link State Vlan45
       failover interface ip Failover standby
       failover interface ip State standby
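The port-profile on slide 26, the bridge-group limit on slide 15 and the transparent-mode ASA-SM configuration on this slide are all things a reviewer checks by hand before a change window. The script below is an added example, not code from the presentation or from Cisco: it parses IOS/NX-OS/ASA-style indented configuration into blocks and audits (a) that every Nexus 1000V port profile pins an access VLAN, carries NetFlow in both directions and is enabled, and that every vEthernet inherits a profile that exists, and (b) that every ASA VLAN interface has nameif, bridge-group and security-level, that no bridge group exceeds the four-interface limit, and that the failover LAN and state interfaces are defined. The sample configs reuse the deck's lines; the second port profile, the vEthernet that inherits a missing profile and all IP addresses (blank on the slides) are constructed:

```python
"""Added example (not from the presentation): parse indented Cisco-style
config and audit Nexus 1000V port profiles and a transparent-mode ASA.
Sample configs embed the deck's lines; vm181, Vethernet11 and the IP
addresses are constructed."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

Block = Tuple[str, List[str]]
MAX_PER_BRIDGE_GROUP = 4  # slide 15: 4 interfaces per bridge group
REQUIRED_PROFILE_LINES = ("switchport mode access", "no shutdown", "state enabled")


def parse_blocks(config: str) -> List[Block]:
    """Split config into (header, child lines). A line with no leading whitespace
    starts a block; indented lines (any depth) attach to the last block; blank
    lines and '!' separators are skipped."""
    blocks: List[Block] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_port_profiles(config: str) -> List[str]:
    """Findings for Nexus 1000V port-profiles and the vEthernets that use them."""
    findings: List[str] = []
    blocks = parse_blocks(config)
    profiles: Dict[str, List[str]] = {
        h.split()[1]: kids for h, kids in blocks if h.startswith("port-profile ")}
    for name, kids in profiles.items():
        for req in REQUIRED_PROFILE_LINES:
            if req not in kids:
                findings.append(f"port-profile {name}: missing '{req}'")
        if not any(k.startswith("switchport access vlan ") for k in kids):
            findings.append(f"port-profile {name}: no access VLAN pinned")
        for direction in ("input", "output"):
            if not any(re.fullmatch(rf"ip flow monitor \S+ {direction}", k) for k in kids):
                findings.append(f"port-profile {name}: no NetFlow monitor on {direction}")
    for header, kids in blocks:
        if header.startswith("interface Vethernet"):
            inherited = [k.split()[-1] for k in kids if k.startswith("inherit port-profile ")]
            if not inherited:
                findings.append(f"{header}: inherits no port-profile")
            elif inherited[0] not in profiles:
                findings.append(f"{header}: inherits unknown port-profile {inherited[0]}")
    return findings


def audit_asa_transparent(config: str) -> List[str]:
    """Findings for a transparent-mode ASA: per-interface settings, bridge-group
    size and failover interfaces."""
    findings: List[str] = []
    blocks = parse_blocks(config)
    members: Dict[str, List[str]] = defaultdict(list)
    for header, kids in blocks:
        if not header.startswith("interface Vlan"):
            continue
        for key in ("nameif", "bridge-group", "security-level"):
            if not any(k.startswith(key + " ") for k in kids):
                findings.append(f"{header}: missing {key}")
        for k in kids:
            if k.startswith("bridge-group "):
                members[k.split()[1]].append(header)
    for group, ifaces in members.items():
        if len(ifaces) > MAX_PER_BRIDGE_GROUP:
            findings.append(f"bridge-group {group}: {len(ifaces)} interfaces exceeds {MAX_PER_BRIDGE_GROUP}")
    headers = [h for h, _ in blocks]
    if not any(h.startswith("failover lan interface ") for h in headers):
        findings.append("no failover LAN interface configured")
    if not any(h.startswith("failover link ") for h in headers):
        findings.append("no failover state link configured")
    return findings


N1K_CONFIG = """\
port-profile vm180
  vmware port-group pg180
  switchport mode access
  switchport access vlan 180
  ip flow monitor ESE-flow input
  ip flow monitor ESE-flow output
  no shutdown
  state enabled
port-profile vm181
  vmware port-group pg181
  switchport mode access
  switchport access vlan 181
  ip flow monitor ESE-flow input
  no shutdown
  state enabled
interface Vethernet9
  inherit port-profile vm180
interface Vethernet10
  inherit port-profile vm180
interface Vethernet11
  inherit port-profile vm999
"""

ASA_CONFIG = """\
interface BVI2
  ip address 192.0.2.10 255.255.255.0 standby 192.0.2.11
interface Vlan220
  nameif inside
  bridge-group 2
  security-level 100
!
interface Vlan221
  nameif outside
  bridge-group 2
  security-level 0
failover lan interface Failover Vlan44
failover link State Vlan45
failover interface ip Failover 192.0.2.21 255.255.255.252 standby 192.0.2.22
failover interface ip State 192.0.2.25 255.255.255.252 standby 192.0.2.26
"""
```

Run against the constructed N1K_CONFIG, the audit reports that vm181 exports NetFlow in only one direction (so half of every VM-to-VM conversation would be invisible to the collector on slide 37) and that Vethernet11 inherits a profile that does not exist; the ASA config passes cleanly.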
  47. Server Gateway Outside of Firewall: Design #1
     • ASA HA pair in transparent mode with the SVI on the Aggregation VDC. Server gateway on the outside of the firewall.
     • Simple design. Firewall is part of the Layer 2 failure domain.
     (Figure: Aggregation VDC with v201 Outside and v200 Inside, GW: 3, Layer 2 below the ASA pair.)
  48. ASA in the Data Center: Design #2 – Firewall Between Inter-VDC Traffic
     • Transparent (L2) firewall services are "sandwiched" between Nexus VDCs
     • Allows for other services (IPS, LB, etc.) to be layered in as needed
     • ASAs can be virtualized for 1x1 mapping to VRFs
     • Useful for topologies that require a FW between aggregation and core
     • Downside is that most/all traffic destined for the Core traverses the FW; possible bottleneck, etc.
     (Figure: Core VDC (North) VRFs, ASA HA Pair 1 and ASA HA Pair 2 in between, Aggregation VDC (South) VRFs with v200 and its GW on the aggregation side.)
  49. Design Details and Benefits
     • Zone-based differentiation, building blocks with VLANs and VRFs
     • Inter-VM firewalling via VSG/ASA 1000V
     • Intra-zone firewalling via both VSG/ASA 1000V and ASA/ASA-SM
     • Inter-zone firewalling via ASA 1000V, ASA, or ASA-SM
  50. Server Access and VM Network Details
     (Figure: Nexus 5k-1 "Inara" and 5k-2 "Jayne" uplink to the Agg switch (ports 1/1, 1/2, 1/17, 1/18, PortChannel111); ESX Host 1 and ESX Host 2 attach on ports 1/11 and 1/12 via VMNIC #2 and #3; each host carries vEth ports for HR Server #1/#2 and Finance Server #1/#2 in Domain 1, with VSM-1/VSM-2, VSG-1/VSG-2 (Domain 90) and VNMC.)
  51. Deny HR to Finance
     (Figure: HR Server #1/#2 and Finance Server #1/#2 as vEth ports on ESX1 and ESX2 (Domain 1, VSM-2, VMNIC #2 and #3); the HR-to-Finance path is denied.)
  52. Policy Hierarchy
  53. VNMC Policy: Deny HR to Finance Requests
  54. Policy Summary on VSG (Nexus 1000V VSG)
  55. Syslog from VSG
  56. Adding Identity and Access Control Services: ISE and TrustSec
  57. ISE Traffic Flow
     (Figure: an endpoint authenticates via EAPOL (dot1x) to the Catalyst 6506; the switch sends a RADIUS Access Request to ISE and receives an Access Accept carrying SGT = 5; the resulting IP Address to SGT mapping (IP address = SGT 5) is propagated via SXP to the Nexus 7000 Core VDC and Agg VDC, where the SG ACL matrix (HR / Finance rows and columns, Finance → Finance ✓) is enforced; ASA and VSG sit in the path to Finance Server #1 and HR Server #1.)
  58. ISE Configuration Highlights
  59. ISE Authentication

       6506-2-airbus#sho authen sess int g3/1
                   Interface:  GigabitEthernet3/1
                 MAC Address:  0027.0e15.578e
                  IP Address:
                   User-Name:  finance1
                      Status:  Authz Success
                      Domain:  DATA
              Oper host mode:  multi-auth
            Oper control dir:  both
               Authorized By:  Authentication Server
                 Vlan Policy:  N/A
                         SGT:  0005-0
             Session timeout:  N/A
                Idle timeout:  N/A
           Common Session ID:  0A01CC950000000D0EDFC178
             Acct Session ID:  0x0000001E
                      Handle:  0xC500000D

       Runnable methods list:
              Method   State
              mab      Failed over
              dot1x    Authc Success

     (Catalyst 6500 authenticating against ISE.)
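The session record above is the raw material for the TrustSec flow on slide 57: the switch learns the endpoint's SGT from the RADIUS Access Accept, and the IP-to-SGT binding it forms is what SXP carries to the Nexus 7000, where the SG ACL matrix is enforced. The script below is an added example, not code from the presentation or from Cisco. It parses the `show authentication sessions interface` output into a session record, confirms the session was authorized (here MAB was tried first and failed over to dot1x, which succeeded), decodes the SGT from its `hhhh-g` form (hex tag and generation id), forms the binding, and consults a small SGACL matrix. The IP address (blank on the slide), the HR tag value, the server addresses and the matrix contents are constructed:

```python
"""Added example (not from the presentation): parse 'show authentication
sessions' output, derive the IP-to-SGT binding, and apply an SGACL matrix.
The IP address, the HR tag, the server bindings and the matrix are constructed."""
import re
from typing import Dict, Optional

# Slide 59 output with a constructed IP address in the field that is blank on the slide.
SHOW_OUTPUT = """\
6506-2-airbus#sho authen sess int g3/1
            Interface:  GigabitEthernet3/1
          MAC Address:  0027.0e15.578e
           IP Address:  10.1.204.20
            User-Name:  finance1
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
                  SGT:  0005-0
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A01CC950000000D0EDFC178
      Acct Session ID:  0x0000001E
               Handle:  0xC500000D

Runnable methods list:
       Method   State
       mab      Failed over
       dot1x    Authc Success
"""


def parse_auth_session(text: str) -> Dict[str, object]:
    """Return the 'Key: value' fields plus a 'methods' dict of method -> state."""
    session: Dict[str, object] = {}
    methods: Dict[str, str] = {}
    in_methods = False
    for line in text.splitlines():
        s = line.strip()
        if not s or "#" in s:  # skip blank lines and the CLI prompt line
            continue
        if s.startswith("Runnable methods list"):
            in_methods = True
            continue
        if in_methods:
            if s.startswith("Method"):  # column header row
                continue
            name, _, state = s.partition(" ")
            methods[name] = state.strip()
        elif ":" in s:
            key, _, value = s.partition(":")
            session[key.strip()] = value.strip()
    session["methods"] = methods
    return session


def sgt_value(session: Dict[str, object]) -> Optional[int]:
    """'0005-0' is <tag in hex>-<generation id>; SGACLs match on the tag."""
    m = re.fullmatch(r"([0-9A-Fa-f]{4})-\d+", str(session.get("SGT", "")))
    return int(m.group(1), 16) if m else None


def is_authorized(session: Dict[str, object]) -> bool:
    """Authorized only if the switch reports Authz Success and some method authenticated."""
    methods = session.get("methods", {})
    return (session.get("Status") == "Authz Success"
            and any(state == "Authc Success" for state in methods.values()))


def ip_sgt_binding(session: Dict[str, object]) -> Dict[str, int]:
    """The mapping SXP would advertise: only for an authorized session with an IP."""
    ip, tag = session.get("IP Address"), sgt_value(session)
    if is_authorized(session) and ip and tag is not None:
        return {str(ip): tag}
    return {}


# Constructed tag names and matrix; slide 57 shows only Finance -> Finance permitted.
SGT_NAMES = {5: "Finance", 6: "HR"}
SGACL_MATRIX = {("Finance", "Finance"): "permit", ("HR", "HR"): "permit"}
# Constructed bindings for Finance Server #1 and HR Server #1.
SERVER_BINDINGS = {"10.1.30.11": 5, "10.1.30.12": 6}


def sgacl_decision(bindings: Dict[str, int], src_ip: str, dst_ip: str) -> str:
    """Resolve both endpoints to tag names and apply the matrix; unknown pairs
    and unbound addresses are denied."""
    try:
        src, dst = SGT_NAMES[bindings[src_ip]], SGT_NAMES[bindings[dst_ip]]
    except KeyError:
        return "deny"
    return SGACL_MATRIX.get((src, dst), "deny")


if __name__ == "__main__":
    session = parse_auth_session(SHOW_OUTPUT)
    bindings = {**ip_sgt_binding(session), **SERVER_BINDINGS}
    for dst in SERVER_BINDINGS:
        print(session["User-Name"], "->", dst, sgacl_decision(bindings, "10.1.204.20", dst))
```

Two details matter operationally. The binding is only formed when the session is actually authorized, so a failed or pending session contributes nothing to SXP; and any address with no binding falls through to deny, which is the behaviour you want for an endpoint that bypassed 802.1X.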
  60. Driving Simplicity: Data Center Design – Resources from Cisco
  61. Validated Design Guides – A Cisco Competitive Differentiator
     • Cisco Validated Designs are recommended, validated, end-to-end designs for next-generation networks.
     • The validated designs are tested and fully documented to help ensure faster, more reliable, and more predictable customer deployments.
     • 3 types of guides
       – Design Guides – comprehensive design/implementation
       – Application Deployment Guides – third-party applications
       – System Assurance Guides – intensive, ongoing system assurance test programs targeted at major network architectures or technologies
  62. Cisco Validated Designs for the DC
     • CVD > SAFE
     • CVD > Virtualized Multi-Tenant Data Center (VMDC) – ns/Enterprise/Data_Center/VMDC/1.1/design.html
     • CVD > Secure Multi-Tenant CVD – 14/ns742/ns743/ns1050/landing_dcVDDC.html
     (Figure: ASA 5585-X at the edge, vPC and VSS, Catalyst 6500 services (Firewall, ACE, ESA, NAM, IPS, WSA); centralized security and application service modules and appliances can be applied per zone.)
  63. Cisco Secure Internet Edge
     • Network Foundation Protection: infrastructure security features are enabled to protect the device, traffic plane, and control plane. Device virtualization (VDC) provides control, data, and management plane segmentation.
     • TrustSec: consistent enforcement of security policies with Security Group ACLs, and control of access to resources based on user identity and group membership. Link-level data integrity and confidentiality with standard encryption.
     • Stateful Packet Filtering: additional firewall services for the server farm zone
     • Network Intrusion Prevention: IPS/IDS provides traffic analysis and forensics
     • Server Load Balancing: masks servers and applications and provides scaling
     • Web and Email Security: security and filtering for web and email applications
     • Access Edge Security: ACL, Dynamic ARP Inspection, DHCP Snooping, IP Source Guard, Port Security, Private VLANs, QoS
     • Flow Based Traffic Analysis: NAM virtual blade; traffic analysis and reporting, application performance monitoring, VM-level interface statistics
     (Figure: Data Center Core with two Nexus 7018 VDCs, Data Center Distribution and SAN, vPC/VSS links to Nexus 5000 and Nexus 2100 Series, Nexus 7000, Unified Computing System, Nexus 1000V with Virtual Service Nodes, and Catalyst 6500 services (ASA, ACE, IPS, NAM); multi-zone 10Gig server racks and unified compute; centralized security and application service modules and appliances can be applied per zone.)
  64. Q&A #CiscoPlusCA
  65. We value your feedback.
     Please be sure to complete the Evaluation Form for this session.
     Access today's presentations at
     Follow @CiscoCanada and join the #CiscoPlusCA conversation