Securing IT Through Macro-segmentation
As the very core of modern business, today's data center networks must provide a level of service and security like never before. It’s no longer a test of whether raw packets can move from one point to another, but really a function of how resources can be shared by various applications, without compromising security through errant or unauthorized access.
Join us for this 50-minute On-Demand Webinar where we will describe how Pluribus Virtualization-Centric switching solutions can be deployed across the data center to offer new services based on pools of distributed resources, without introducing added risks or compliance issues.
The Pluribus VCF architecture makes ‘touch of a button’ macro-segmentation possible, and is found in all switches powered by Netvisor or Open Netvisor Linux.
In these slides, we'll discuss the use of Macro-Segmentation found in all Netvisor-powered switches, including:
* How to quickly allocate distributed resources to specific applications, without adding risk or compliance issues
* Understanding the best practices associated with Macro-Segmentation, including examples of deployment
* How to visualize resource consumption, to assist with capacity planning
Micro Segmentation Security: Securing IT Through Macro-segmentation
1. Proprietary & Confidential
Securing IT Through Macro-Segmentation
November 15th, 2016
Marco Pessi
Sr. Technical Product Manager
Pluribus Networks
2. Agenda
How to Secure Network Fabric
‒ Fabric Management
‒ Multi-tenancy/Private Virtual Networks
‒ Secure Control Plane
‒ Security Service Insertion
‒ Putting it all together: Fabric Security Architecture
‒ Analytics
3. Securing Scale Out Fabrics
[Figure: leaf/spine fabric. Racks 1, 2 … 100 plus an edge rack 101 towards the external network; a BGP/OSPF IP underlay across the spine layer; VTEPs at the leaves providing VXLAN L2 extension across all 100 racks.]
4. Virtualization Centric Fabric – VCF
[Figure: four open-networking L2/L3/VXLAN switches, each with a built-in fabric controller, forming one distributed peer-to-peer cluster.]
‒ Distributed peer-to-peer cluster: configuration state consistency (with rollback)
‒ Single CLI/API to manage all nodes
‒ Application Visibility: built-in, no taps, no brokers, no expensive tools
‒ Secure Multi-Tenancy: Virtual Private Networks for holistic multi-tenancy
‒ Security Service Insertion: granular flow control for conditional security insertion policies
‒ No controllers, no new protocols, 100% interoperable
5. Netvisor Private Virtual Networks
Agile, Secure Multi-Tenancy
Rapid provisioning of Private Virtual Networks (VNETs) as virtual PODs (vPODs) with management, control and data plane isolation
Independent tenant networks
‒ Overlapping subnets (VLANs and IP prefixes)
‒ Independent vRouter on each VNET
Independent Management Plane
‒ Independent provisioning
‒ Per tenant visibility of flows, services, VMs
[Figure: three tenants with overlapping address space, each with its own VLAN 1-4K range and its own VMs: VNET-A 172.10.0.0/16, VNET-B 172.0.0.0/8, VNET-C 172.0.16.0/20.]
6. Netvisor Private Virtual Networks
Agile, Secure Multi-Tenancy
Secure access to infrastructure network
‒ Simplified Tenant Network View isolates the common transport network from the tenant network
Data Plane Isolation
‒ Automatic orchestration of VLAN, VRF and VXLAN VNI space to prevent leaking between tenants
‒ Anti-spoofing mechanism
[Figure: as on slide 5: VNET-A 172.10.0.0/16, VNET-B 172.0.0.0/8, VNET-C 172.0.16.0/20, each with VLAN 1-4K.]
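The data plane isolation bullet above rests on one idea: tenant-local identifiers (a VLAN ID, an IP prefix) are only unique inside the tenant, so the fabric has to map them onto identifiers that are unique on the shared transport (a VXLAN VNI, a VRF). The following is an added toy model of that orchestration, written for this page and not Netvisor code; the VRF naming, the sequential VNI allocator and the use of VLAN 100 in every tenant are assumptions, while the three tenant prefixes are the ones on the slide.

```python
"""Toy model of VNET namespace orchestration.

Constructed example, not Netvisor code. Each tenant (VNET) gets its own VRF and its
own VLAN 1-4094 space; the fabric binds every (tenant, VLAN) to a globally unique
24-bit VXLAN VNI, so tenants that reuse the same VLAN IDs over overlapping IP
prefixes never share a transport segment, and a VNI decapsulates to exactly one tenant.
"""
import ipaddress
from dataclasses import dataclass, field

VLAN_MIN, VLAN_MAX = 1, 4094
VNI_MIN, VNI_MAX = 1, (1 << 24) - 1  # VXLAN VNI is a 24-bit field


@dataclass
class Vnet:
    name: str
    prefix: ipaddress.IPv4Network
    vrf: str
    vlan_to_vni: dict = field(default_factory=dict)  # tenant-local VLAN -> global VNI


class Fabric:
    """Single allocation authority for the namespaces shared by all tenants."""

    def __init__(self):
        self.vnets = {}
        self.vni_owner = {}  # global VNI -> (vnet name, tenant-local VLAN)
        self._next_vni = VNI_MIN

    def vnet_create(self, name, prefix):
        if name in self.vnets:
            raise ValueError(f"VNET {name!r} already exists")
        vnet = Vnet(name, ipaddress.ip_network(prefix), vrf=f"vrf-{name}")
        self.vnets[name] = vnet
        return vnet

    def vlan_create(self, vnet_name, vlan):
        """Create a tenant-local VLAN and bind it to a fresh global VNI (idempotent)."""
        if not VLAN_MIN <= vlan <= VLAN_MAX:
            raise ValueError(f"VLAN {vlan} outside {VLAN_MIN}-{VLAN_MAX}")
        vnet = self.vnets[vnet_name]
        if vlan in vnet.vlan_to_vni:
            return vnet.vlan_to_vni[vlan]
        vni = self._alloc_vni()
        vnet.vlan_to_vni[vlan] = vni
        self.vni_owner[vni] = (vnet_name, vlan)
        return vni

    def _alloc_vni(self):
        while self._next_vni in self.vni_owner:  # skip anything already owned
            self._next_vni += 1
        if self._next_vni > VNI_MAX:
            raise RuntimeError("VNI space exhausted")
        vni = self._next_vni
        self._next_vni += 1
        return vni

    def decap(self, vni):
        """Egress VTEP view: a VNI resolves to exactly one (tenant, VLAN, VRF)."""
        vnet_name, vlan = self.vni_owner[vni]
        return vnet_name, vlan, self.vnets[vnet_name].vrf


def overlapping_tenants(fabric):
    """Tenant pairs whose IP prefixes overlap; legal here because each has its own VRF."""
    names = sorted(fabric.vnets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if fabric.vnets[a].prefix.overlaps(fabric.vnets[b].prefix)]


def build_demo():
    """The three tenants from the slide, each provisioning VLAN 100 in its own space."""
    fabric = Fabric()
    for name, prefix in [("VNET-A", "172.10.0.0/16"),
                         ("VNET-B", "172.0.0.0/8"),
                         ("VNET-C", "172.0.16.0/20")]:
        fabric.vnet_create(name, prefix)
        fabric.vlan_create(name, 100)
    return fabric
```

The point to check in a real deployment is the inverse mapping: decap() must never be ambiguous, which is why the allocator keeps a single global VNI owner table instead of letting each tenant pick VNIs. VNET-B's 172.0.0.0/8 fully contains both other tenants' prefixes, and that is fine only because the three live in separate VRFs.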
Anti-Spoofing Mechanism
vFlow Technology for comprehensive uRPF
Enforce server traffic to use a consistent VLAN/IP address:
CLI> vflow-create vlan <amber> src-ip 10.1.11.0/27 name amber-urpf-permit action none table System-VCAP-table-1-0
CLI> vflow-create vlan <amber> src-ip 0.0.0.0/0 name amber-urpf-deny action drop table System-VCAP-table-1-0
§ vFlow can be used to prevent servers belonging to a logical tenant from sourcing IP traffic with an illegitimate source prefix
‒ vFlow stats are provided to monitor uRPF violations
‒ Independent dedicated TCAM space
§ Supports all traffic types:
‒ Bridged
‒ Routed
‒ VXLAN tunneled (terminated on switch)
‒ VXLAN tunneled (pass-through)
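The two CLI lines above only work as intended if the specific permit is evaluated ahead of the catch-all drop; otherwise the tenant's own traffic is dropped. The following is an added model of that policy pair, written for this page and not Netvisor code: the precedence field that decides which overlapping entry wins is a hypothetical stand-in for whatever ordering the real TCAM table applies, VLAN 100 stands in for the slide's <amber> placeholder, and the second tenant "blue" with 10.1.11.32/27 is made up. Besides the verdicts it exposes the per-entry hit counters the slide calls vFlow stats, and a shadowing check that catches the wrong-ordering mistake.

```python
"""Model of the two-entry per-tenant uRPF vFlow policy shown above.

Constructed example, not Netvisor code. Assumptions: both entries sit in one TCAM table;
when several entries match a packet the one with the higher precedence wins (the
precedence field is hypothetical here, and it is what lets the /27 permit beat the
catch-all drop); action "none" means the packet continues through normal forwarding.
Tenant "blue" and its prefix are made up; "amber" and 10.1.11.0/27 are from the slide.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class VFlow:
    name: str
    vlan: int
    src_ip: ipaddress.IPv4Network
    action: str      # "none" = leave to normal forwarding, "drop" = discard
    precedence: int  # hypothetical: higher wins among overlapping matches
    hits: int = 0    # per-entry counter: the vFlow stats used to spot violations


class VcapTable:
    def __init__(self):
        self.entries = []

    def vflow_create(self, name, vlan, src_ip, action, precedence):
        self.entries.append(VFlow(name, vlan, ipaddress.ip_network(src_ip), action, precedence))

    def lookup(self, vlan, src_ip):
        """Winning entry for (vlan, source) or None; bumps the winner's hit counter."""
        src = ipaddress.ip_address(src_ip)
        cands = [e for e in self.entries if e.vlan == vlan and src in e.src_ip]
        if not cands:
            return None
        best = max(cands, key=lambda e: e.precedence)
        best.hits += 1
        return best


def tenant_urpf(table, tag, vlan, legit_prefix):
    """Install the slide's pair: permit the tenant's own prefix, drop every other source."""
    table.vflow_create(f"{tag}-urpf-permit", vlan, legit_prefix, "none", precedence=10)
    table.vflow_create(f"{tag}-urpf-deny", vlan, "0.0.0.0/0", "drop", precedence=1)


def verdict(table, vlan, src_ip):
    e = table.lookup(vlan, src_ip)
    return "drop" if e is not None and e.action == "drop" else "forward"


def urpf_violations(table):
    """Hit counts on the drop entries: what a monitoring job would poll."""
    return {e.name: e.hits for e in table.entries if e.action == "drop"}


def shadowed_entries(table):
    """Entries that cannot win outright: a same-VLAN entry of equal or higher precedence
    covers their whole source range (the classic mistake is a catch-all drop installed
    at the same precedence as the permit, which then drops the tenant's own traffic)."""
    out = []
    for e in table.entries:
        for other in table.entries:
            if (other is not e and other.vlan == e.vlan
                    and other.precedence >= e.precedence
                    and e.src_ip.subnet_of(other.src_ip)):
                out.append(e.name)
                break
    return out


def build_demo():
    table = VcapTable()
    tenant_urpf(table, "amber", 100, "10.1.11.0/27")   # prefix from the slide
    tenant_urpf(table, "blue", 200, "10.1.11.32/27")   # made-up neighbouring tenant
    return table
```

Note what this check does and does not give you: a host in VLAN 100 cannot source packets claiming 10.1.11.40 (a blue address), but it can still use any address inside its own /27, so the rule is a per-tenant consistency check, not per-host binding. A VLAN with no entries at all falls through to plain forwarding, so every tenant VLAN needs its own pair.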
8. Netvisor Private Virtual Networks
Agile, Secure Multi-Tenancy
Secure access to infrastructure network
‒ Simplified Tenant Network View isolates the common transport network from the tenant network
Data Plane Isolation
‒ Automatic orchestration of VLAN, VRF and VXLAN VNI space to prevent leaking between tenants
‒ Anti-spoofing mechanism
Control Plane Isolation
‒ Tenant routers run in dedicated containers of the switch OS
[Figure: as on slide 5: VNET-A 172.10.0.0/16, VNET-B 172.0.0.0/8, VNET-C 172.0.16.0/20, each with VLAN 1-4K.]
VCF Containers
Secure Multi-Tenant Control Plane
§ vRouters
‒ Independent OSPF/BGP/BFD speakers
‒ Each vRouter has a simple tenant view
§ OVSDB Interface
‒ Synchronizes the fabric endpoint database (vPort) with the hypervisor system for end-to-end VTEP auto-provisioning
‒ OpenDayLight
‒ NSX
§ VNET Manager
‒ Provides a dedicated/isolated management interface for a vPOD, with provisioning/visibility capability only for the assigned resources
‒ Can run any vPOD custom application
‒ Simple example: WireShark
[Figure: two switches, each running per-tenant vRouter containers (tenants Crimson, Blue and Amber) with their own vNICs; one switch also hosts a VNET Manager container, the other an OVSDB container for tenant Amber.]
10. Virtualization Centric Fabric – VCF: vFlow Technology
[Figure: the four-switch fabric from slide 4 (built-in fabric controller, L2/L3/VXLAN, open networking on every node) forming a distributed cluster, the Pluribus Management Fabric.]
‒ Security Service Insertion: granular flow control for conditional security insertion policies
16. Putting It All Together: Fabric Security Architecture
[Figure: the 100-rack leaf/spine fabric from slide 3 plus edge rack 101, all under one management domain.]
‒ Fabric scope programmability: policy enforcement E-W / N-S across the whole Virtualization Centric Fabric from one management domain
‒ Racks 1 … 100: HA leaf services, HA VTEP, active-active LAG towards servers
‒ Rack 101: edge security services rack; grey vRouter for the VTEP, red vRouter towards the DC network and the external network
‒ Spine is a simple L3 non-blocking interconnect; the BGP/OSPF IP underlay provides inter-rack reachability; all links are active
‒ VXLAN L2 extension across all 100 racks
17. Putting It All Together: Fabric Security Architecture
Same fabric as slide 16, with the tenant layer added:
‒ Secure Multi Tenancy: Virtual Private Networks for holistic multi-tenancy
18. Putting It All Together: Fabric Security Architecture
Same fabric as slide 16, with security service insertion added:
‒ Security Service Insertion: granular flow control for conditional security insertion policies
‒ Edge security services rack (101) also hosts the load balancers
‒ Firewall on-a-stick in L2 mode for non-mission-critical traffic, with bypass service option
‒ vFlow security ACL for N-S policy enforcement
‒ Global E-W vFlow security service insertion
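The "bypass service option" on the firewall-on-a-stick is the item a security reviewer should press on, because a bypass is a fail-open path: whatever traffic class can use it will flow uninspected. The following is an added model of conditional service insertion, written for this page and not Netvisor vFlow code; reading the bypass option as the fallback used when the firewall is unavailable is my interpretation, and the class names, VLANs, ports and the firewall port name are made up. Each class declares up front whether it fails open (bypass) or closed (drop), and an audit helper lists the classes that fail open.

```python
"""Conditional security-service insertion with an explicit fail-open/fail-closed choice.

Constructed example, not Netvisor vFlow code. A flow is classified by (VLAN, IP protocol,
destination port); the class says whether the flow is steered through the on-a-stick
firewall and what happens to it when the firewall is unavailable: "bypass" models the
slide's bypass service option (fail-open), "drop" is fail-closed. Class names, VLANs
and ports in build_demo() are made up.
"""
from dataclasses import dataclass
from typing import Optional

TCP, UDP = 6, 17


@dataclass(frozen=True)
class ServiceClass:
    name: str
    vlan: int
    proto: Optional[int]     # None = any protocol
    dport: Optional[int]     # None = any destination port
    insert: bool             # steer through the firewall at all?
    on_service_down: str     # "bypass" or "drop"; only meaningful when insert is True


class InsertionPolicy:
    def __init__(self, firewall_port="fw-stick"):
        self.classes = []
        self.firewall_port = firewall_port
        self.firewall_up = True  # would be driven by a health check in practice

    def add(self, cls):
        if cls.insert and cls.on_service_down not in ("bypass", "drop"):
            raise ValueError(f"{cls.name}: on_service_down must be 'bypass' or 'drop'")
        self.classes.append(cls)

    def classify(self, vlan, proto, dport):
        """First match wins, so install the most specific classes first."""
        for c in self.classes:
            if c.vlan == vlan and c.proto in (None, proto) and c.dport in (None, dport):
                return c
        return None

    def action(self, vlan, proto, dport):
        c = self.classify(vlan, proto, dport)
        if c is None or not c.insert:
            return "forward"                       # no insertion policy for this flow
        if self.firewall_up:
            return f"redirect:{self.firewall_port}"
        return "forward" if c.on_service_down == "bypass" else "drop"


def fail_open_classes(policy):
    """Audit helper: classes that flow uninspected whenever the firewall is down."""
    return [c.name for c in policy.classes if c.insert and c.on_service_down == "bypass"]


def build_demo():
    p = InsertionPolicy()
    p.add(ServiceClass("payments-db", 100, TCP, 5432, insert=True, on_service_down="drop"))
    p.add(ServiceClass("staging-web", 200, TCP, 80, insert=True, on_service_down="bypass"))
    p.add(ServiceClass("vlan100-syslog", 100, UDP, 514, insert=False, on_service_down="drop"))
    return p
```

The design choice worth copying is that the fallback is part of the policy object rather than a global switch, so that the set of fail-open classes is reviewable with one call and cannot silently grow to include mission-critical traffic.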
19. Putting It All Together: Fabric Security Architecture
Same fabric as slide 18, with visibility added:
‒ Application Visibility: built-in, no taps, no brokers, no expensive tools
‒ Pluribus VCF Analytics for mission-critical flow visibility
20. Connection Flow Analytics
[Figure: fabric switches export flow metadata to VCF Center, a big data engine running on a cluster of 1…N server nodes.]
Integrated in the fabric = simple to deploy
Always on, zero touch = simple to use
No sampling: every east-west connection
TCP connection state machine tracking
Tenant aware
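Two of the bullets above, "TCP connection state machine tracking" and "tenant aware", are what turn raw packet metadata into a connection log you can reason about. The following is an added illustration of that, written for this page and not Pluribus VCF code: a tracker that walks each connection through SYN_SENT, SYN_RECEIVED, ESTABLISHED, FIN_WAIT and CLOSED (or RESET), counts bytes per direction, and keys connections on the tenant as well as the 5-tuple, so the same addresses and ports in two tenants' overlapping address spaces are two connections. The TCP flag values are the real ones; the packets in build_demo() are constructed, and the tenant names come from the containers slide.

```python
"""Tenant-aware TCP connection tracker over per-packet records.

Constructed example, not Pluribus VCF code. Every packet drives a per-connection
state machine, so the result is a complete east-west connection log rather than a
sample. The tenant is part of the connection key, so identical 5-tuples inside two
tenants' overlapping address spaces are kept apart. Flag values are the real TCP bits;
the traffic in build_demo() is made up.
"""
from dataclasses import dataclass

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass
class Pkt:
    tenant: str
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload: int = 0  # payload bytes carried


class ConnTracker:
    def __init__(self):
        self.conns = {}      # (tenant, client, cport, server, sport) -> record
        self.unmatched = []  # packets whose handshake was never seen (mid-stream)

    def feed(self, p):
        fwd = (p.tenant, p.src, p.sport, p.dst, p.dport)
        rev = (p.tenant, p.dst, p.dport, p.src, p.sport)
        if p.flags & SYN and not p.flags & ACK:
            # pure SYN: the sender is the client, a new record starts here
            c = self.conns[fwd] = {"tenant": p.tenant, "state": "SYN_SENT",
                                   "start": p.ts, "end": None, "c2s": 0, "s2c": 0,
                                   "fin_from": set()}
            return c["state"]
        if fwd in self.conns:
            c, direction = self.conns[fwd], "c2s"
        elif rev in self.conns:
            c, direction = self.conns[rev], "s2c"
        else:
            self.unmatched.append(p)
            return None
        c[direction] += p.payload
        st = c["state"]
        if p.flags & RST:
            c["state"], c["end"] = "RESET", p.ts
        elif st == "SYN_SENT" and direction == "s2c" and p.flags & SYN and p.flags & ACK:
            c["state"] = "SYN_RECEIVED"
        elif st == "SYN_RECEIVED" and direction == "c2s" and p.flags & ACK:
            c["state"] = "ESTABLISHED"
        elif p.flags & FIN and st in ("ESTABLISHED", "FIN_WAIT"):
            c["fin_from"].add(direction)
            if len(c["fin_from"]) == 2:  # both sides have sent FIN
                c["state"], c["end"] = "CLOSED", p.ts
            else:
                c["state"] = "FIN_WAIT"
        return c["state"]

    def half_open(self):
        """Connections that never got a SYN-ACK: scans, dead servers, filtered ports."""
        return [c for c in self.conns.values() if c["state"] == "SYN_SENT"]

    def summary(self):
        rows = []
        for (tenant, client, cport, server, sport), c in self.conns.items():
            dur = None if c["end"] is None else round(c["end"] - c["start"], 3)
            rows.append((tenant, client, cport, server, sport, c["state"],
                         c["c2s"], c["s2c"], dur))
        return rows


def build_demo():
    """Constructed traffic: one complete amber session, a blue SYN on the very same
    5-tuple that is never answered, and a stray mid-stream ACK with no handshake."""
    t = ConnTracker()
    pkts = [
        Pkt("amber", 0.000, "172.0.16.10", 51000, "172.0.16.20", 443, SYN),
        Pkt("amber", 0.001, "172.0.16.20", 443, "172.0.16.10", 51000, SYN | ACK),
        Pkt("amber", 0.002, "172.0.16.10", 51000, "172.0.16.20", 443, ACK),
        Pkt("amber", 0.010, "172.0.16.10", 51000, "172.0.16.20", 443, ACK, payload=517),
        Pkt("amber", 0.020, "172.0.16.20", 443, "172.0.16.10", 51000, ACK, payload=4096),
        Pkt("amber", 0.030, "172.0.16.10", 51000, "172.0.16.20", 443, FIN | ACK),
        Pkt("amber", 0.031, "172.0.16.20", 443, "172.0.16.10", 51000, FIN | ACK),
        Pkt("blue", 0.000, "172.0.16.10", 51000, "172.0.16.20", 443, SYN),
        Pkt("blue", 0.500, "172.0.16.30", 40000, "172.0.16.20", 22, ACK, payload=64),
    ]
    for p in pkts:
        t.feed(p)
    return t
```

Two outputs are the security-relevant ones: half_open() surfaces connections that never completed the handshake (a scan or an unreachable service looks the same from the fabric), and unmatched collects packets for which no SYN was ever seen, which is either a collector that started late or traffic entering from a path the fabric does not see.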
21. Packet Analytics
[Figure: mirrored packets from the fabric are sent to VCF Center, a big data engine on a cluster of 1…N server nodes; from VCF Center the operator programs packet filters in hardware and starts/stops PCAP and mirror sessions.]
On-demand packet filtering on L1-L4 header fields
Terabit filtering with offload on Broadcom silicon
Manage mirror sessions and PCAP files
Analytics on packet metadata extracted from PCAP
Bring-your-own PCAP
22. Summary/Recap
1. Macro-Segmentation secures E-W traffic
2. Scalable, HW accelerated, covers P & V (physical and virtual)
3. Holistic multi-tenancy = complete isolation
4. Granular flow control for conditional security insertion policies
5. Analytics/visibility allows for continual policy improvements