Proprietary & Confidential
Securing IT Through Macro-Segmentation
November 15th, 2016
Marco Pessi
Sr. Technical Product Manager
Pluribus Networks
Agenda
 How to Secure Network Fabric
‒ Fabric Management
‒ Multi-tenancy/Private Virtual Networks
‒ Secure Control Plane
‒ Security Service Insertion
‒ Putting it all together: Fabric Security Architecture
‒ Analytics
Securing Scale Out Fabrics
[Figure: racks 1 to 100 plus an edge rack 101, each with a VTEP on its leaf; VXLAN L2 extension across all 100 racks over an IP underlay (BGP/OSPF) through the spine layer; external network attached at the edge rack.]
Virtualization Centric Fabric – VCF
[Figure: four leaf switches, each running L2/L3/VXLAN on Open Networking hardware with a built-in fabric controller, forming one distributed peer-to-peer cluster.]
 Distributed peer-to-peer cluster: configuration state consistency across all nodes (with rollback)
 Single CLI/API to manage all nodes
 Application Visibility: built-in, no taps, no brokers, no expensive tools
 Secure Multi-Tenancy: Virtual Private Networks for holistic multi-tenancy
 Security Service Insertion: granular flow control for conditional security insertion policies
 No controllers, no new protocols: 100% interoperable
Netvisor Private Virtual Networks
Agile, Secure Multi-Tenancy
 Rapid provisioning of Private Virtual
Networks (VNETs) as virtual PODs (vPODs)
with management, control and data plane
isolation
 Independent tenant networks
‒ Overlapping subnets (VLANs and IP prefixes)
‒ Independent vRouter on each VNET
 Independent Management Plane
‒ Independent Provisioning
‒ Per tenant visibility of flows, services, VMs
[Figure: three tenant networks with overlapping address space, each with VLANs 1-4K and its own VMs: VNET-A 172.10.0.0/16, VNET-B 172.0.0.0/8, VNET-C 172.0.16.0/20.]
Netvisor Private Virtual Networks
Agile, Secure Multi-Tenancy
 Secure access to infrastructure network
‒ Simplified Tenant Network View isolates
common transport network from tenant
network
 Data Plane Isolation
‒ Automatic orchestration of VLAN, VRF and
VXLAN VNI space to prevent leaking between
tenants
‒ Anti-spoofing mechanism
Anti-Spoofing Mechanism
vFlow technology for uRPF-style source validation (static source-prefix filters in hardware)
 vFlow can be used to prevent servers belonging to a logical tenant from sourcing IP traffic with an illegitimate prefix
‒ vFlow stats are provided to monitor uRPF violations
‒ Independent, dedicated TCAM space
 Supports all traffic types:
‒ Bridged
‒ Routed
‒ VXLAN tunneled (terminated on switch)
‒ VXLAN tunneled (pass-through)
Enforce server traffic to use a consistent VLAN/IP address. The permit entry must take precedence over the catch-all deny, otherwise all of the tenant's traffic is dropped; the hit counter of the deny entry is what reports violations:
CLI> vflow-create vlan <amber> src-ip 10.1.11.0/27 name amber-urpf-permit action none table System-VCAP-table-1-0
CLI> vflow-create vlan <amber> src-ip 0.0.0.0/0 name amber-urpf-deny action drop table System-VCAP-table-1-0
Netvisor Private Virtual Networks
Agile, Secure Multi-Tenancy (continued)
 Control Plane Isolation
‒ Tenant routers run in dedicated containers of the switch OS
VCF Containers
Secure Multi-Tenant Control Plane
 vRouters
‒ Independent OSPF/BGP/BFD speakers
‒ Each vRouter has a simple tenant view
 OVSDB interface
‒ Synchronizes the fabric endpoint database (vPort) with the hypervisor system for end-to-end VTEP auto-provisioning, e.g. OpenDaylight or NSX
 VNET Manager
‒ Provides a dedicated, isolated management interface for a vPOD, with provisioning/visibility capability only for its assigned resources
‒ Can run any vPOD custom application (simple example: Wireshark)
[Figure: on each switch, a separate container per function, each with its own vNICs: a vRouter for each of tenants Crimson, Blue and Amber, a VNET Manager, and an OVSDB container for tenant Amber.]
Virtualization Centric Fabric – VCF: vFlow Technology
 Distributed cluster: Pluribus Management Fabric
 Security Service Insertion: granular flow control for conditional security insertion policies
Conditional Security Insertion
Configurable line rate redirection of E-W traffic
1. Default behavior: no inspection
• Fabric normally bridges and routes E-W traffic
2. Configurable security insertion
• Fabric redirects selected traffic (configurable L1-L4 parameters) to a security appliance
[Figure: VM-10, VM-11 and VM-41 on VLAN 10, VM-20 on VLAN 20; in the default case traffic between them is bridged/routed directly, while with insertion enabled only the HTTP flows are steered through the appliance.]
Conditional Security Insertion
Provide inspection only to non-secure N-S traffic
1. Firewall service insertion for default traffic
[Figure: HA services leaf cluster (VXLAN routing + FW insertion) with a VTEP at 10.0.100.5/29, VLAN 10 (VNI 10, gateway 10.10.0.1/16) and VLAN 100 towards a perimeter firewall cluster and the external network; non-secure traffic is steered through the firewall.]
2. Firewall bypass for secure traffic
[Figure: same topology; traffic classified as secure is routed to the external network without passing through the firewall cluster.]
vFlow Filtering For Security Actions
Provide line rate redirection & policy enforcement
vFlow structure:
 Scope: switch-local or fabric-wide
 L1-L4 match rule: deployed in hardware TCAMs
 Actions (switch hardware assisted): drop, to-cpu, copy-to-cpu, setvlan, tunnel-pkt, set-tunnel-id, to-span, cpu-rx, cpu-rx-tx, set-dscp, decap, set-dmac, set-dmac-to-port, to-port, to-ports-and-cpu, set-vlan-pri, l3-to-cpu-switch
3. Line rate policy enforcement
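The anti-spoofing slide (the amber-urpf-permit/deny pair) and the conditional insertion slides above both describe a vFlow entry as an L1-L4 match plus a hardware action. The following Python model is an added example, not Netvisor code: it simulates a dedicated uRPF table that is evaluated before an insertion policy table, with the higher-precedence entry winning among overlapping matches. The table evaluation order, the precedence semantics, the policy table name, the appliance port number and the sample packets are assumptions of this model; the uRPF entries are rendered in the vflow-create syntax the slide shows, and the deny entry's hit counter stands in for the uRPF-violation statistic.

```python
"""vFlow-style match/action model: a dedicated uRPF table evaluated before the
security-insertion policy table. Added example, not Netvisor code; the table
order, precedence semantics, policy table name and sample packets are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Packet:
    vlan: int
    src_ip: str
    proto: str = "tcp"
    dport: int = 0


@dataclass
class VFlow:
    name: str
    action: str                    # "none" = forward normally, "drop", "to-port"
    vlan: Optional[int] = None     # L2 match field
    src_ip: Optional[str] = None   # L3 match: source prefix
    proto: Optional[str] = None    # L4 match: protocol
    dport: Optional[int] = None    # L4 match: destination port
    port: Optional[int] = None     # egress port for "to-port" (the security appliance)
    precedence: int = 0            # assumption: higher value wins among overlapping entries
    hits: int = 0                  # per-entry counter, the equivalent of vFlow stats

    def matches(self, p: Packet) -> bool:
        if self.vlan is not None and p.vlan != self.vlan:
            return False
        if self.src_ip is not None and ipaddress.ip_address(p.src_ip) not in ipaddress.ip_network(self.src_ip):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        return self.dport is None or p.dport == self.dport

    def cli(self, table: str) -> str:
        """vflow-create form shown on the slide (vlan and src-ip only; the deck
        does not show option names for the L4 match fields)."""
        return (f"vflow-create vlan {self.vlan} src-ip {self.src_ip} "
                f"name {self.name} action {self.action} table {table}")


class VFlowTable:
    def __init__(self, name: str) -> None:
        self.name = name
        self.entries: List[VFlow] = []

    def lookup(self, p: Packet) -> Optional[VFlow]:
        matched = [e for e in self.entries if e.matches(p)]
        if not matched:
            return None                      # no entry: bridge/route as usual
        best = max(matched, key=lambda e: e.precedence)
        best.hits += 1
        return best


class Fabric:
    """Ingress pipeline of one leaf: uRPF table first, then the policy table."""

    def __init__(self) -> None:
        self.urpf = VFlowTable("System-VCAP-table-1-0")   # table named on the slide
        self.policy = VFlowTable("policy-table")          # hypothetical name

    def add_urpf(self, tenant: str, vlan: int, prefix: str) -> None:
        """Permit the tenant's legitimate prefix, drop any other source in its VLAN.
        The permit must outrank the catch-all deny or all tenant traffic is dropped."""
        self.urpf.entries.append(VFlow(f"{tenant}-urpf-permit", "none", vlan=vlan,
                                       src_ip=prefix, precedence=10))
        self.urpf.entries.append(VFlow(f"{tenant}-urpf-deny", "drop", vlan=vlan,
                                       src_ip="0.0.0.0/0", precedence=1))

    def add_insertion(self, name: str, vlan: int, proto: str, dport: int, appliance_port: int) -> None:
        """Steer only the selected L1-L4 traffic through the security appliance."""
        self.policy.entries.append(VFlow(name, "to-port", vlan=vlan, proto=proto,
                                         dport=dport, port=appliance_port))

    def forward(self, p: Packet) -> str:
        hit = self.urpf.lookup(p)
        if hit is not None and hit.action == "drop":
            return "drop"                        # spoofed source never reaches the appliance
        hit = self.policy.lookup(p)
        if hit is not None and hit.action == "to-port":
            return f"to-port {hit.port}"
        return "bridge/route"                    # default behaviour: no inspection

    def urpf_violations(self) -> Dict[str, int]:
        return {e.name: e.hits for e in self.urpf.entries if e.action == "drop"}


def demo():
    """Constructed traffic against one tenant's uRPF pair plus an HTTP insertion policy."""
    fab = Fabric()
    fab.add_urpf("amber", 10, "10.1.11.0/27")
    fab.add_insertion("vl10-http-to-ips", vlan=10, proto="tcp", dport=80, appliance_port=49)
    packets = [
        Packet(10, "10.1.11.5", "tcp", 80),     # legitimate HTTP: redirected to the appliance
        Packet(10, "10.1.11.5", "tcp", 443),    # legitimate HTTPS: default path, no inspection
        Packet(10, "192.168.7.9", "tcp", 80),   # spoofed source: dropped by uRPF first
        Packet(20, "192.168.7.9", "tcp", 80),   # other VLAN: the amber entries do not apply
    ]
    decisions = [fab.forward(p) for p in packets]
    return decisions, fab.urpf_violations(), [e.cli(fab.urpf.name) for e in fab.urpf.entries]
```

Running demo() gives the four forwarding decisions, the violation counter for amber-urpf-deny (one hit, from the spoofed packet) and the two CLI lines from the slide with the VLAN filled in. Keeping uRPF in its own table, as the slide's dedicated TCAM space implies, is what lets the permit/deny pair and the redirect entries coexist without a three-way precedence fight in a single table.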
Conditional Security Insertion for E-W & N-S traffic
• Leaf switches perform selective security insertion for bridged/routed E-W traffic using programmable fabric-wide policies
[Figure: racks 1 to 100 with VTEPs; HA services leaf cluster (VXLAN routing + FW insertion, VTEP 10.0.100.5/29, VLANs 10 and 20 / VNIs 10 and 20, gateways 10.10.0.1/16 and 10.20.0.1/16, VLAN 100 towards the security appliances (IPS, FW, etc.) and the external network); endpoints VM-10 10.10.0.10 (MAC-10), VM-11 10.10.0.11 (MAC-11), VM-41 10.10.0.41, VM-20 10.20.0.11 (MAC-20); secure and non-secure paths shown.]
Putting It All Together: Fabric Security Architecture
 Virtualization Centric Fabric: fabric-scope programmability, policy enforcement E-W / N-S, one management domain
 Edge Security Services Rack (rack 101): Grey vRouter for the VTEP, Red vRouter to the DC network
 HA Leaf Services: HA VTEP, active-active LAG towards servers
 Spine is a simple L3 non-blocking interconnect; the underlay (BGP/OSPF) provides inter-rack reachability and all links are active
[Figure: racks 1 to 100 plus edge rack 101, VXLAN L2 extension across all 100 racks over the IP underlay, spine layer, external network.]
 Virtual Private Networks: holistic multi-tenancy, secure multi-tenancy across the whole fabric
 Edge Security Services Rack also hosts load balancers and a firewall on-a-stick in L2 mode for non-mission-critical traffic, with a bypass service option; vFlow security ACLs provide N-S policy enforcement
 HA Leaf Services: global E-W vFlow security service insertion (granular flow control for conditional security insertion policies)
 Application Visibility: Pluribus VCF Analytics for mission-critical flow visibility, built in with no taps, no brokers, no expensive tools
Connection Flow Analytics
[Figure: flow metadata is exported from the fabric switches to VCF Center, a big data engine running on a cluster of 1...N server nodes.]
 Integrated in the fabric = simple to deploy
 Always on, zero touch = simple to use
 No sampling…every EAST-WEST connection
 TCP connection state machine tracking
 Tenant aware
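Connection tracking of the kind the slide describes, as an added example (not VCF Center code): a minimal TCP state machine fed with per-segment metadata, keyed per tenant so that overlapping tenant address space never merges two tenants' connections, plus a half-open query of the kind that feeds policy tuning. The segment format, the state names, the timeout and the sample segments are constructed for this example.

```python
"""Per-tenant TCP connection state tracking over segment metadata.
Added example, not VCF Center code; segment format, state names and
sample segments are constructed for this example."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Segment:
    ts: float
    tenant: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # any of S (SYN), A (ACK), F (FIN), R (RST)


@dataclass
class Conn:
    tenant: str
    client: str
    sport: int
    server: str
    dport: int
    state: str = "NEW"
    first_ts: float = 0.0
    segments: int = 0


def conn_key(s: Segment) -> Tuple:
    """Direction-independent key, scoped by tenant: VNET-A and VNET-B may reuse
    the same addresses, so the tenant is part of the connection identity."""
    ends = sorted([(s.src, s.sport), (s.dst, s.dport)])
    return (s.tenant, ends[0], ends[1])


def next_state(state: str, flags: str, from_client: bool) -> str:
    """Minimal handshake/teardown state machine; data, bare ACKs and
    retransmissions keep the current state."""
    if "R" in flags:
        return "RESET"
    if state == "NEW" and "S" in flags and "A" not in flags and from_client:
        return "SYN_SENT"
    if state == "SYN_SENT" and "S" in flags and "A" in flags and not from_client:
        return "SYN_RECV"
    if state == "SYN_RECV" and "A" in flags and from_client:
        return "ESTABLISHED"
    if state == "ESTABLISHED" and "F" in flags:
        return "FIN_WAIT" if from_client else "CLOSE_WAIT"
    if state == "FIN_WAIT" and "F" in flags and not from_client:
        return "CLOSED"
    if state == "CLOSE_WAIT" and "F" in flags and from_client:
        return "CLOSED"
    return state


class ConnTracker:
    """Tracks every connection it is fed (no sampling), per tenant."""

    def __init__(self) -> None:
        self.conns: Dict[Tuple, Conn] = {}

    def feed(self, s: Segment) -> Conn:
        key = conn_key(s)
        c = self.conns.get(key)
        if c is None:
            # the first segment seen defines the client side of the connection
            c = Conn(s.tenant, s.src, s.sport, s.dst, s.dport, first_ts=s.ts)
            self.conns[key] = c
        from_client = (s.src, s.sport) == (c.client, c.sport)
        c.state = next_state(c.state, s.flags, from_client)
        c.segments += 1
        return c

    def by_state(self, tenant: str) -> Dict[str, int]:
        counts: Dict[str, int] = {}
        for c in self.conns.values():
            if c.tenant == tenant:
                counts[c.state] = counts.get(c.state, 0) + 1
        return counts

    def half_open(self, now: float, timeout: float) -> List[Conn]:
        """SYNs unanswered for longer than timeout: an unreachable service, a
        policy that silently drops, or a scan. Input for tuning insertion policies."""
        return [c for c in self.conns.values()
                if c.state == "SYN_SENT" and now - c.first_ts > timeout]


SAMPLE = [  # constructed segment summaries
    Segment(1.00, "amber", "10.10.0.10", 40000, "10.20.0.11", 80, "S"),     # full HTTP connection
    Segment(1.01, "amber", "10.20.0.11", 80, "10.10.0.10", 40000, "SA"),
    Segment(1.02, "amber", "10.10.0.10", 40000, "10.20.0.11", 80, "A"),
    Segment(1.50, "amber", "10.10.0.10", 40000, "10.20.0.11", 80, "FA"),
    Segment(1.51, "amber", "10.20.0.11", 80, "10.10.0.10", 40000, "A"),
    Segment(1.52, "amber", "10.20.0.11", 80, "10.10.0.10", 40000, "FA"),
    Segment(2.00, "amber", "10.10.0.10", 40001, "10.20.0.11", 22, "S"),     # SYN never answered
    Segment(3.00, "blue", "10.10.0.10", 40000, "10.20.0.11", 80, "S"),      # same addresses, other tenant
    Segment(3.01, "blue", "10.20.0.11", 80, "10.10.0.10", 40000, "SA"),
    Segment(3.02, "blue", "10.10.0.10", 40000, "10.20.0.11", 80, "A"),
    Segment(3.10, "blue", "10.20.0.11", 80, "10.10.0.10", 40000, "R"),      # reset by the server
]


def run(segments: List[Segment] = SAMPLE) -> ConnTracker:
    tracker = ConnTracker()
    for s in segments:
        tracker.feed(s)
    return tracker
```

With the sample above, run().by_state("amber") reports one CLOSED and one SYN_SENT connection, run().by_state("blue") one RESET, and half_open(now=10.0, timeout=5.0) returns only the unanswered SYN to port 22, even though the blue tenant reused the amber addresses.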
Packet Analytics
[Figure: mirrored packets are sent from the fabric switches to VCF Center (big data engine, cluster of 1...N server nodes), which programs packet filters in hardware and starts/stops PCAP and mirror sessions.]
 On-demand packet filtering on L1-L4 header fields
 Terabit filtering with offload on Broadcom silicon
 Manage mirror sessions and PCAP files
 Analytics on packet metadata extracted from PCAP
 Bring-your-own PCAP
Summary/Recap
1. Macro-segmentation secures E-W traffic
2. Scalable, HW accelerated, covers physical and virtual (P & V) workloads
3. Holistic multi-tenancy = complete isolation
4. Granular flow control for conditional security insertion policies
5. Analytics/visibility allows for continual policy improvement
Thank You, Questions?
Fall Webinar Series: pluribusnetworks.com/resources/#webinars
More Related Content

Viewers also liked

Deep Learning and Reinforcement Learning
Deep Learning and Reinforcement LearningDeep Learning and Reinforcement Learning
Deep Learning and Reinforcement LearningRenārs Liepiņš
 
Viavi_datacentersolutions
Viavi_datacentersolutionsViavi_datacentersolutions
Viavi_datacentersolutionsScott Brown
 
JDSU - Delivering dynamic networks for a personalized experience
JDSU - Delivering dynamic networks for a personalized experienceJDSU - Delivering dynamic networks for a personalized experience
JDSU - Delivering dynamic networks for a personalized experienceSmall Cell Forum
 
A Dell and Nutanix solution can boost datacenter efficiency
A Dell and Nutanix solution can boost datacenter efficiencyA Dell and Nutanix solution can boost datacenter efficiency
A Dell and Nutanix solution can boost datacenter efficiencyPrincipled Technologies
 
Got Big Data? Splunk on Nutanix
Got Big Data? Splunk on NutanixGot Big Data? Splunk on Nutanix
Got Big Data? Splunk on NutanixNEXTtour
 
The science of network performance
The science of network performanceThe science of network performance
The science of network performanceMartin Geddes
 
#Infographics#2011 CIC whitepaper: Chinese Social Network Efluencers Characte...
#Infographics#2011 CIC whitepaper: Chinese Social Network Efluencers Characte...#Infographics#2011 CIC whitepaper: Chinese Social Network Efluencers Characte...
#Infographics#2011 CIC whitepaper: Chinese Social Network Efluencers Characte...Kantar Media CIC
 
Modern Applications Demand Network Analytics
Modern Applications Demand Network AnalyticsModern Applications Demand Network Analytics
Modern Applications Demand Network AnalyticsPluribus Networks
 
Unlock the Magic of PPC Segmentation
Unlock the Magic of PPC SegmentationUnlock the Magic of PPC Segmentation
Unlock the Magic of PPC SegmentationKayden Kelly
 
Via Solutions, Transforming Networks, Unlocking Potential
Via Solutions, Transforming Networks, Unlocking PotentialVia Solutions, Transforming Networks, Unlocking Potential
Via Solutions, Transforming Networks, Unlocking PotentialSmall Cell Forum
 
VXLAN Distributed Service Node
VXLAN Distributed Service NodeVXLAN Distributed Service Node
VXLAN Distributed Service NodeDavid Lapsley
 
Dell - The Incredible Shrinking Datacenter
Dell - The Incredible Shrinking DatacenterDell - The Incredible Shrinking Datacenter
Dell - The Incredible Shrinking DatacenterNEXTtour
 
Nutanix vdi workshop presentation
Nutanix vdi workshop presentationNutanix vdi workshop presentation
Nutanix vdi workshop presentationHe Hariyadi
 
Protect Against Security Breaches by Securing Endpoints with Multi-Factor Aut...
Protect Against Security Breaches by Securing Endpoints with Multi-Factor Aut...Protect Against Security Breaches by Securing Endpoints with Multi-Factor Aut...
Protect Against Security Breaches by Securing Endpoints with Multi-Factor Aut...CA Technologies
 

Viewers also liked (16)

Deep Learning and Reinforcement Learning
Deep Learning and Reinforcement LearningDeep Learning and Reinforcement Learning
Deep Learning and Reinforcement Learning
 
Viavi_datacentersolutions
Viavi_datacentersolutionsViavi_datacentersolutions
Viavi_datacentersolutions
 
JDSU - Delivering dynamic networks for a personalized experience
JDSU - Delivering dynamic networks for a personalized experienceJDSU - Delivering dynamic networks for a personalized experience
JDSU - Delivering dynamic networks for a personalized experience
 
A Dell and Nutanix solution can boost datacenter efficiency
A Dell and Nutanix solution can boost datacenter efficiencyA Dell and Nutanix solution can boost datacenter efficiency
A Dell and Nutanix solution can boost datacenter efficiency
 
Got Big Data? Splunk on Nutanix
Got Big Data? Splunk on NutanixGot Big Data? Splunk on Nutanix
Got Big Data? Splunk on Nutanix
 
The science of network performance
The science of network performanceThe science of network performance
The science of network performance
 
Pluribus SDN Technology
Pluribus SDN TechnologyPluribus SDN Technology
Pluribus SDN Technology
 
#Infographics#2011 CIC whitepaper: Chinese Social Network Efluencers Characte...
#Infographics#2011 CIC whitepaper: Chinese Social Network Efluencers Characte...#Infographics#2011 CIC whitepaper: Chinese Social Network Efluencers Characte...
#Infographics#2011 CIC whitepaper: Chinese Social Network Efluencers Characte...
 
Modern Applications Demand Network Analytics
Modern Applications Demand Network AnalyticsModern Applications Demand Network Analytics
Modern Applications Demand Network Analytics
 
Unlock the Magic of PPC Segmentation
Unlock the Magic of PPC SegmentationUnlock the Magic of PPC Segmentation
Unlock the Magic of PPC Segmentation
 
Via Solutions, Transforming Networks, Unlocking Potential
Via Solutions, Transforming Networks, Unlocking PotentialVia Solutions, Transforming Networks, Unlocking Potential
Via Solutions, Transforming Networks, Unlocking Potential
 
VXLAN Distributed Service Node
VXLAN Distributed Service NodeVXLAN Distributed Service Node
VXLAN Distributed Service Node
 
Dell - The Incredible Shrinking Datacenter
Dell - The Incredible Shrinking DatacenterDell - The Incredible Shrinking Datacenter
Dell - The Incredible Shrinking Datacenter
 
PACE-IT: The Importance of Network Segmentation
PACE-IT: The Importance of Network SegmentationPACE-IT: The Importance of Network Segmentation
PACE-IT: The Importance of Network Segmentation
 
Nutanix vdi workshop presentation
Nutanix vdi workshop presentationNutanix vdi workshop presentation
Nutanix vdi workshop presentation
 
Protect Against Security Breaches by Securing Endpoints with Multi-Factor Aut...
Protect Against Security Breaches by Securing Endpoints with Multi-Factor Aut...Protect Against Security Breaches by Securing Endpoints with Multi-Factor Aut...
Protect Against Security Breaches by Securing Endpoints with Multi-Factor Aut...
 

Recently uploaded

Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 

Recently uploaded (20)

DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 

Micro Segmentation Security: Securing IT Through Macro-segmentation

  • 1. Proprietary & ConfidentialProprietary & Confidential Security IT Through Macro- Segmentation November 15th, 2016 Marco Pessi Sr. Technical Product Manager Pluribus Networks
  • 2. Proprietary & ConfidentialProprietary & Confidential Agenda  How to Secure Network Fabric ‒ Fabric Management ‒ Multi-tenancy/Private Virtual Networks ‒ Secure Control Plane ‒ Security Service Insertion ‒ Putting it all together: Fabric Security Architecture ‒ Analytics 2
  • 3. Proprietary & ConfidentialProprietary & Confidential Securing Scale Out Fabrics 3 1 2 100 VXLAN L2 Extension Across All 100 Racks IP underlay VTEP Ext Network VTEPVTEP … Spine Layer VTEP 101 BGP/OSPF …
  • 4. Proprietary & ConfidentialProprietary & Confidential Virtualization Centric Fabric – VCF Built-in Fabric Controller L2/L3/VXLAN Open Networking L2/L3/VXLAN Open Networking L2/L3/VXLAN Open Networking L2/L3/VXLAN Open Networking Built-in Fabric Controller Built-in Fabric Controller Built-in Fabric ControllerDistributed Peer-to-Peer Cluster – Configuration State Consistency (with rollback) Singe CLI/API To Manage All Nodes  Built-in, no taps, no brokers, no expensive tools Application Visibility Virtual Private Networks for holistic multi-tenancy Security Service Insertion Granular flow control for conditional security insertion policies TCP TCP TCP TCP Secure Multi Tenancy No controllers, No new protocols  100% interoperable
  • 5. Proprietary & ConfidentialProprietary & Confidential Netvisor Private Virtual Networks Agile, Secure Multi-Tenancy  Rapid provisioning of Private Virtual Networks (VNETs) as virtual PODs (vPODs) with management, control and data plane isolation  Independent tenant networks ‒ Overlapping subnets (VLANs and IP prefixes) ‒ Independent vRouter on each VNET  Independent Management Plane ‒ Independent Provisioning ‒ Per tenant visibility of flows, services, VMs 5 VNET-A 172.10.0.0/16 VLAN1-4K VNET-B 172.0.0.0/8 VLAN1-4K VNET-C 172.0.16.0/20 VLAN1-4K VMs VMs VMs
  • 6. Proprietary & ConfidentialProprietary & Confidential Netvisor Private Virtual Networks Agile, Secure Multi-Tenancy  Secure access to infrastructure network ‒ Simplified Tenant Network View isolates common transport network from tenant network  Data Plane Isolation ‒ Automatic orchestration of VLAN, VRF and VXLAN VNI space to prevent leaking between tenants ‒ Anti-spoofing mechanism 6 VNET-A 172.10.0.0/16 VLAN 1-4K VNET-B 172.0.0.0/8 VLAN 1-4K VNET-C 172.0.16.0/20 VLAN 1-4K
  • 7. Proprietary & ConfidentialProprietary & Confidential Netvisor Private Virtual Networks Agile, Secure Multi-Tenancy  Secure access to infrastructure network ‒ Simplified Tenant Network View isolates common transport network from tenant network  Data Plane Isolation ‒ Automatic orchestration of VLAN, VRF and VXLAN VNI space to prevent leaking between tenants ‒ Anti-spoofing mechanism 7 VNET-A 172.10.0.0/16 VLAN 1-4K VNET-B 172.0.0.0/8 VLAN 1-4K VNET-C 172.0.16.0/20 VLAN 1-4K Proprietary & Confidential Anti-Spoofing Mechanism vFlow Technology for comprehensive uRPF 6 CLI> vflow-create vlan <amber> src-ip 10.1.11.0/27 name amber-urpf-permit action none table System-VCAP-table-1-0 CLI> vflow-create vlan <amber> src-ip 0.0.0.0/0 name amber-urpf-deny action drop table System-VCAP-table-1-0 § vFlow can be used to prevent servers belonging to a logical tenant from sourcing IP traffic with illegitimate prefix ‒ vFlow stats are provided to monitor uRPF violations ‒ Independent dedicated TCAM space § Support all types of traffic: ‒ Bridged ‒ Routed ‒ VXLAN tunneled (terminated on switch) ‒ VXLAN tunneled (pass-through) Enforce server traffic to use consistent VLAN/IP address:
  • 8. Proprietary & Confidential Netvisor Private Virtual Networks Agile, Secure Multi-Tenancy  Secure access to infrastructure network ‒ Simplified Tenant Network View isolates common transport network from tenant network  Data Plane Isolation ‒ Automatic orchestration of VLAN, VRF and VXLAN VNI space to prevent leaking between tenants ‒ Anti-spoofing mechanism  Control Plane Isolation ‒ Tenant Routers run in dedicated containers of the switch OS 9 VNET-A 172.10.0.0/16 VLAN 1-4K VNET-B 172.0.0.0/8 VLAN 1-4K VNET-C 172.0.16.0/20 VLAN 1-4K
  • 9. Proprietary & Confidential Netvisor Private Virtual Networks Agile, Secure Multi-Tenancy  Secure access to infrastructure network ‒ Simplified Tenant Network View isolates common transport network from tenant network  Data Plane Isolation ‒ Automatic orchestration of VLAN, VRF and VXLAN VNI space to prevent leaking between tenants ‒ Anti-spoofing mechanism  Control Plane Isolation ‒ Tenant Routers run in dedicated containers of the switch OS 10 VNET-A 172.10.0.0/16 VLAN 1-4K VNET-B 172.0.0.0/8 VLAN 1-4K VNET-C 172.0.16.0/20 VLAN 1-4K Proprietary & Confidential VCF Containers Secure Multi-Tenant Control Plane 10 § vRouters ‒ Independent OSPF/BGP/BFD Speakers ‒ Each vRouter has a simple tenant view § OVSDB Interface ‒ Synchronize fabric endpoint database (vPort) with Hypervisor system for end-to-end VTEP auto- provisioning § OpenDayLight § NSX § VNET Manager ‒ Provides a dedicated/isolated management interface for a vPOD with provisioning/visibility capability only for assigned resources ‒ Can run any vPOD custom application § simple example: WireShark vRouter Tenant Crimson vNICs vRouter Tenant Blue vNICs vRouter Tenant Amber vNICs VNET MGR vNICs vRouter Tenant Crimson vNICs vRouter Tenant Blue vNICs vRouter Tenant Amber vNICs OVSDB Tenant Amber vNICs
• 10. Virtualization Centric Fabric (VCF): vFlow Technology
[Figure: four leaf switches, each running L2/L3/VXLAN on open networking hardware with a built-in fabric controller, forming a distributed cluster (the Pluribus Management Fabric); callout: Security Service Insertion, granular flow control for conditional security insertion policies]
• 11. Conditional Security Insertion: Configurable line-rate redirection of E-W traffic
1. Default behavior: no inspection
‒ The fabric normally bridges and routes E-W traffic
2. Configurable security insertion
‒ The fabric redirects selected traffic (matched on configurable L1-L4 parameters) to a security appliance
[Figure: VM-10, VM-11 and VM-41 on VL10, VM-20 on VL20; in the default case E-W traffic is switched directly, in the insertion case HTTP flows between VM-10/VM-11 and VM-20 are steered through the appliance]
• 12-14. Conditional Security Insertion: Provide inspection only to non-secure N-S traffic
1. Firewall service insertion for default traffic
2. Firewall bypass for secure traffic
3. Line-rate policy enforcement
[Figure: Ext Network, Perimeter Firewall Cluster and HA Services Leaf Cluster (VXLAN routing + FW insertion, VTEP 10.0.100.5/29); VXLAN VNI10 carries VL10 (10.10.0.1/16), with SECURE and NON-SECURE segments on VL10/VL100; default traffic is routed via the firewall, secure traffic bypasses it]

vFlow Filtering for Security Actions: Provide line-rate redirection and policy enforcement
vFlow structure:
‒ Scope: switch-local or fabric-wide
‒ L1-L4 match rule: deployed in hardware TCAMs
‒ Actions (switch hardware assisted): drop, to-cpu, copy-to-cpu, setvlan, tunnel-pkt, set-tunnel-id, to-span, cpu-rx, cpu-rx-tx, set-dscp, decap, set-dmac, set-dmac-to-port, to-port, to-ports-and-cpu, set-vlan-pri, l3-to-cpu-switch
• 15. Conditional Security Insertion for E-W & N-S traffic
• Leaf switches perform selective security insertion for bridged/routed E-W traffic using programmable fabric-wide policies
[Figure: racks 1…100 with leaf VTEPs; HA Services Leaf Cluster (VXLAN routing + FW insertion, VTEP 10.0.100.5/29) connecting VNI10/VNI20 (VL10 10.10.0.1/16, VL20 10.20.0.1/16) and VL100 to the security appliances (IPS, FW, etc.) and the Ext Network, with SECURE and NON-SECURE segments; hosts VM-10 10.10.0.10, VM-11 10.10.0.11 and VM-41 10.10.0.41 on VL10, VM-20 10.20.0.11 on VL20]
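The anti-spoofing rules on slide 6 and the conditional insertion policies on slides 11-15 are both just hardware match/action tables evaluated in order. The following is an added example, not Pluribus code, that models that composition in software: a dedicated anti-spoofing table (per-tenant source-prefix allow-list keyed on VLAN) followed by an insertion table that sends E-W HTTP to an IPS, lets the SECURE segment bypass the perimeter firewall, and steers all other N-S traffic through it. Rule names, precedence values, port names and the 10.10/16, 10.20/16 and 203.0.113.0/24 addresses are assumptions for illustration; the only real switch syntax is what the slide shows. The last sample packet shows why the anti-spoofing table must be keyed on VLAN: a VL20 host that forges a 10.10.x source to ride the secure bypass is dropped before the insertion table is consulted.

```python
"""Added example (not Pluribus code): vFlow-style tables as a two-stage pipeline."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    vlan: int
    src_ip: str
    dst_ip: str
    proto: str = "tcp"
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class VFlowRule:
    name: str
    action: str                     # "none" (permit, keep going), "drop", "to-port"
    precedence: int                 # higher wins within a table (assumed semantics)
    vlan: Optional[int] = None      # None = wildcard, as for every match field
    src_ip: Optional[str] = None    # CIDR prefix
    dst_ip: Optional[str] = None
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    out_port: Optional[str] = None  # only meaningful for action "to-port"

    def matches(self, pkt: Packet) -> bool:
        if self.vlan is not None and pkt.vlan != self.vlan:
            return False
        if self.src_ip is not None and ip_address(pkt.src_ip) not in ip_network(self.src_ip):
            return False
        if self.dst_ip is not None and ip_address(pkt.dst_ip) not in ip_network(self.dst_ip):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        return True


# Table 1: anti-spoofing ("uRPF" on the slide). The permit must outrank the
# catch-all drop, and both are keyed on the tenant VLAN: tenants may carry
# overlapping prefixes, so a source prefix alone does not identify a tenant.
URPF_TABLE: List[VFlowRule] = [
    VFlowRule("amber-urpf-permit", "none", 20, vlan=10, src_ip="10.10.0.0/16"),
    VFlowRule("amber-urpf-deny", "drop", 10, vlan=10, src_ip="0.0.0.0/0"),
    VFlowRule("blue-urpf-permit", "none", 20, vlan=20, src_ip="10.20.0.0/16"),
    VFlowRule("blue-urpf-deny", "drop", 10, vlan=20, src_ip="0.0.0.0/0"),
]

# Table 2: conditional security insertion (assumed rule set).
INSERTION_TABLE: List[VFlowRule] = [
    # E-W HTTP is redirected to the IPS (slide 11).
    VFlowRule("ew-http-to-ips", "to-port", 30, proto="tcp", dst_port=80,
              dst_ip="10.0.0.0/8", out_port="ips-port"),
    # Other E-W traffic is bridged/routed normally (slide 11, default behavior).
    VFlowRule("ew-default", "none", 20, dst_ip="10.0.0.0/8"),
    # N-S traffic sourced in the SECURE segment bypasses the firewall (slide 13).
    VFlowRule("ns-secure-bypass", "none", 15, src_ip="10.10.0.0/16"),
    # Everything else leaving the fabric goes through the perimeter firewall (slide 12).
    VFlowRule("ns-default-to-fw", "to-port", 5, dst_ip="0.0.0.0/0", out_port="fw-port"),
]


def lookup(table: List[VFlowRule], pkt: Packet) -> Optional[VFlowRule]:
    """Highest-precedence matching rule in one table, like a single TCAM hit."""
    for rule in sorted(table, key=lambda r: -r.precedence):
        if rule.matches(pkt):
            return rule
    return None


def forward(pkt: Packet, tables=(URPF_TABLE, INSERTION_TABLE)) -> Tuple[str, List[str]]:
    """Run a packet through the tables in order; return (verdict, names of rules hit).

    verdict is "drop", "forward" or "redirect:<port>". Action "none" records the
    hit but lets the packet continue to the next table.
    """
    hits: List[str] = []
    for table in tables:
        rule = lookup(table, pkt)
        if rule is None:
            continue
        hits.append(rule.name)
        if rule.action == "drop":
            return "drop", hits
        if rule.action == "to-port":
            return f"redirect:{rule.out_port}", hits
    return "forward", hits


if __name__ == "__main__":
    for p in [Packet(10, "10.10.0.10", "10.20.0.11", "tcp", 80),   # E-W HTTP -> IPS
              Packet(10, "10.10.0.10", "203.0.113.5", "tcp", 443),  # secure N-S -> bypass
              Packet(20, "10.20.0.11", "203.0.113.5", "tcp", 443),  # non-secure N-S -> FW
              Packet(20, "10.10.0.99", "203.0.113.5", "tcp", 443)]: # spoofed source -> drop
        print(p, forward(p))
```

Precedence is explicit here; on real hardware it is whatever the TCAM programming order or rule priority of the platform gives you, which is exactly the property to test before trusting a bypass rule.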
• 16-19. Putting It All Together: Fabric Security Architecture
Virtualization Centric Fabric: fabric-scope programmability, E-W / N-S policy enforcement, one management domain
[Figure: racks 1…100 with HA leaf VTEPs, spine layer, IP underlay (BGP/OSPF), VXLAN L2 extension across all 100 racks, and an edge security services rack 101 with its own VTEP towards the Ext Network]
Spine Layer
‒ Spine is a simple L3 non-blocking interconnect
‒ Underlay provides inter-rack reachability
‒ All links are active
HA Leaf Services
‒ HA VTEP
‒ Active-active LAG towards servers
‒ Global E-W vFlow security service insertion
Edge Security Services Rack (rack 101)
‒ Grey vRouter for the VTEP, red vRouter to the DC network
‒ Load balancers
‒ Firewall on-a-stick in L2 mode for non-mission-critical traffic, with a bypass service option
‒ vFlow security ACL for N-S policy enforcement
Secure Multi-Tenancy: Virtual Private Networks for holistic multi-tenancy
Security Service Insertion: granular flow control for conditional security insertion policies
Application Visibility: built-in, no taps, no brokers, no expensive tools
‒ Pluribus VCF Analytics for mission-critical flow visibility
• 20. Connection Flow Analytics
[Figure: fabric switches export flow metadata to VCF Center, a big data engine running on a cluster of 1…N server nodes]
• Integrated in the fabric = simple to deploy
• Always on, zero touch = simple to use
• No sampling: every east-west connection is tracked
• TCP connection state machine tracking
• Tenant aware
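"TCP connection state machine tracking" over every E-W connection means the collector sees SYN, SYN-ACK, ACK, FIN and RST for each flow and can turn them into per-connection metadata rather than packet counts. The following is an added example, not Pluribus code, of a minimal tracker of that kind: it consumes per-segment header fields only, follows the handshake and teardown for each connection, tallies bytes per direction, and reports connections stuck waiting for a SYN-ACK (the shape of a scan or an unanswered destination). The sample segments, hosts and ports are constructed.

```python
"""Added example (not Pluribus code): TCP connection state tracking from header metadata."""
from dataclasses import asdict, dataclass, field
from typing import Dict, List, Optional, Set, Tuple

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10   # TCP flag bits
Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class Segment:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload_len: int = 0


@dataclass
class Connection:
    client: Endpoint
    server: Endpoint
    first_ts: float
    state: str = "SYN_SENT"
    established_ts: Optional[float] = None
    closed_ts: Optional[float] = None
    bytes_c2s: int = 0
    bytes_s2c: int = 0
    fins: Set[str] = field(default_factory=set)


class ConnectionTracker:
    """Tracks connections keyed on the (client, server) endpoint pair."""

    def __init__(self) -> None:
        self.conns: Dict[Tuple[Endpoint, Endpoint], Connection] = {}
        self.unmatched = 0   # segments for which no handshake was seen (asymmetric/mid-stream)

    def feed(self, seg: Segment) -> Optional[Connection]:
        src, dst = (seg.src, seg.sport), (seg.dst, seg.dport)
        if seg.flags & SYN and not seg.flags & ACK:
            # A bare SYN opens (or re-opens) a connection; the sender is the client.
            conn = Connection(client=src, server=dst, first_ts=seg.ts)
            self.conns[(src, dst)] = conn
            return conn
        conn = self.conns.get((src, dst)) or self.conns.get((dst, src))
        if conn is None:
            self.unmatched += 1
            return None
        from_client = src == conn.client
        if seg.flags & RST:
            conn.state, conn.closed_ts = "RESET", seg.ts
            return conn
        if seg.flags & SYN and seg.flags & ACK and conn.state == "SYN_SENT" and not from_client:
            conn.state = "SYN_RECEIVED"
        elif seg.flags & ACK and conn.state == "SYN_RECEIVED" and from_client:
            conn.state, conn.established_ts = "ESTABLISHED", seg.ts
        if seg.flags & FIN:
            conn.fins.add("client" if from_client else "server")
            if len(conn.fins) == 2:
                conn.state, conn.closed_ts = "CLOSED", seg.ts
            else:
                conn.state = "CLOSING"
        if from_client:
            conn.bytes_c2s += seg.payload_len
        else:
            conn.bytes_s2c += seg.payload_len
        return conn

    def records(self) -> List[dict]:
        """Flow metadata records, oldest first (what an analytics engine would ingest)."""
        out = []
        for c in sorted(self.conns.values(), key=lambda c: c.first_ts):
            rec = asdict(c)
            rec["fins"] = sorted(c.fins)
            out.append(rec)
        return out

    def half_open(self, now: float, timeout: float) -> List[Connection]:
        """Connections still waiting for a SYN-ACK after `timeout` seconds."""
        return [c for c in self.conns.values()
                if c.state == "SYN_SENT" and now - c.first_ts > timeout]


# Constructed sample: one complete HTTP exchange, one unanswered SYN to port 22,
# and one SYN to port 23 refused with RST.
SAMPLE_SEGMENTS = [
    Segment(0.000, "10.10.0.10", 40001, "10.20.0.11", 80, SYN),
    Segment(0.001, "10.20.0.11", 80, "10.10.0.10", 40001, SYN | ACK),
    Segment(0.002, "10.10.0.10", 40001, "10.20.0.11", 80, ACK),
    Segment(0.003, "10.10.0.10", 40001, "10.20.0.11", 80, ACK, 120),
    Segment(0.010, "10.20.0.11", 80, "10.10.0.10", 40001, ACK, 512),
    Segment(0.020, "10.10.0.10", 40001, "10.20.0.11", 80, FIN | ACK),
    Segment(0.021, "10.20.0.11", 80, "10.10.0.10", 40001, FIN | ACK),
    Segment(0.022, "10.10.0.10", 40001, "10.20.0.11", 80, ACK),
    Segment(0.500, "10.10.0.11", 40002, "10.20.0.11", 22, SYN),
    Segment(0.600, "10.10.0.11", 40003, "10.20.0.11", 23, SYN),
    Segment(0.601, "10.20.0.11", 23, "10.10.0.11", 40003, RST | ACK),
]


def track(segments=SAMPLE_SEGMENTS) -> ConnectionTracker:
    tracker = ConnectionTracker()
    for seg in segments:
        tracker.feed(seg)
    return tracker


if __name__ == "__main__":
    t = track()
    for rec in t.records():
        print(rec)
    print("half-open:", [(c.client, c.server) for c in t.half_open(now=2.0, timeout=1.0)])
```

A production collector would also expire state, handle retransmitted SYNs and sequence numbers, and key on the tenant (VNET/VNI) as well as the 4-tuple, since overlapping tenant address space makes the bare 4-tuple ambiguous.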
• 21. Packet Analytics
[Figure: mirrored packets flow from the fabric to VCF Center (big data engine, cluster of 1…N server nodes); VCF Center programs packet filters in hardware and starts/stops PCAP and mirror sessions]
• On-demand packet filtering on L1-L4 header fields
• Terabit filtering with offload on Broadcom silicon
• Manage mirror sessions and PCAP files
• Analytics on packet metadata extracted from PCAP
• Bring-your-own PCAP
• 22. Summary/Recap
1. Macro-segmentation secures E-W traffic
2. Scalable, hardware accelerated, covers P & V (physical and virtual)
3. Holistic multi-tenancy = complete isolation
4. Granular flow control for conditional security insertion policies
5. Analytics/visibility allows for continual policy improvement
• 23. Thank You, Questions?
• 24. Fall Webinar Series: pluribusnetworks.com/resources/#webinars