PLNOG 8: Gaweł Mikołajczyk - Securing the Cloud Infrastructure - from Hypervisor to the Edge
PROIDEA
Securing the Cloud Infrastructure - from Hypervisor to the Edge
1.
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public.
Securing the Cloud Infrastructure – from Hypervisor to the Edge
Gaweł Mikołajczyk, gmikolaj@cisco.com, Security Consulting Systems Engineer, EMEA Central Core Team, CCIE #24987, CISSP-ISSAP, CISA
PLNOG8, March 5, 2012, Warsaw, Poland
2.
(Diagram: a corporate border with branch office, corporate office, home office, mobile user, coffee shop, airport, customers, partners and attackers, all reaching applications and data; a policy layer spanning Infrastructure as a Service, Platform as a Service, Software as a Service and X as a Service.)
Three dimensions: security for the cloud infrastructure, security for access to the cloud, and commercial security services in the cloud.
3.
(Diagram: private VPN over MPLS or IPsec/SSL into the WAN; data center edge, aggregation, services, access and compute layers with Nexus 1000V, NAS and the data center core; Tenant A, Tenant B and sub-tenants B1 and B2.)
Access at L2 or L3; one tenant per VRF; VRF/VLAN mapping to a virtual firewall/load balancer; VRF to a unique VLAN; mapping to the VM.
4.
(section divider slide)
5.
(Diagram: a VM host with VMNIC #1 and VMNIC #2, vEth ports, and the virtualization security topics: vMotion (memory), vStorage (VMDK), VM segmentation, hypervisor security, role-based access, physical security, VM OS hardening, patch management, VM sprawl.)
Real case: [...] It looks like the O&M firewall is not filtering the ARP traffic the right way. This allows a VM to connect to any other VM through the O&M network after injecting malicious ARP traffic. This happens even if the destination VM belongs to a different tenant VDC [...]
6.
The virtual access layer should offer at least the same Layer-2 security mechanisms as the physical data center: Access Lists, Dynamic ARP Inspection, DHCP Snooping, IP Source Guard, Port Security, Private VLANs, Layer-2 storm control, rate limiters, VXLAN.
Without these mechanisms, the consequences of attacks on the network infrastructure (considering the scale: thousands of VMs) are catastrophic.
Layer-2 visibility can be achieved through: NetFlow collection; SPAN, RSPAN or ERSPAN.
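As an added example (not part of the deck), the following Python models Dynamic ARP Inspection backed by a DHCP snooping binding table, with a per-port ARP rate limiter, and runs it over constructed ARP traffic that mirrors the shared O&M network case from slide 5; the VLAN, port names, MACs and addresses are assumed sample values.

```python
# Added example, not from the PLNOG 8 deck: a minimal model of Dynamic ARP
# Inspection (DAI) validating ARP packets against a DHCP-snooping binding
# table, plus a per-port ARP rate limiter. It shows how the "O&M firewall does
# not filter ARP" case from slide 5 is stopped at the virtual access layer.
# All bindings, ports, addresses and packets are constructed sample data.
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str  # vEthernet port on which the DHCP lease was snooped

@dataclass(frozen=True)
class ArpPacket:
    sender_mac: str
    sender_ip: str
    vlan: int
    in_port: str

class DynamicArpInspection:
    """Permit an ARP packet only if its sender MAC/IP matches a snooping binding
    for that VLAN learned on the same port; trusted ports (uplinks) bypass the
    check; a port exceeding the ARP rate limit is err-disabled."""
    def __init__(self, bindings, trusted_ports=(), rate_limit=15):
        self.by_ip = {(b.vlan, b.ip): b for b in bindings}
        self.trusted = set(trusted_ports)
        self.rate_limit = rate_limit  # ARP packets per interval, per port
        self.arp_count = Counter()
        self.err_disabled = set()
        self.log = []

    def inspect(self, pkt):
        if pkt.in_port in self.err_disabled:
            return "drop"
        if pkt.in_port in self.trusted:
            return "permit"
        self.arp_count[pkt.in_port] += 1
        if self.arp_count[pkt.in_port] > self.rate_limit:
            self.err_disabled.add(pkt.in_port)
            self.log.append(f"DAI: {pkt.in_port} err-disabled (ARP rate limit)")
            return "drop"
        b = self.by_ip.get((pkt.vlan, pkt.sender_ip))
        if b is None:
            reason = "no binding for sender IP"
        elif b.mac.lower() != pkt.sender_mac.lower():
            reason = "sender MAC does not match binding"
        elif b.port != pkt.in_port:
            reason = "binding learned on another port"
        else:
            return "permit"
        self.log.append(f"DAI: drop {pkt.sender_ip}/{pkt.sender_mac} on "
                        f"{pkt.in_port} vlan {pkt.vlan}: {reason}")
        return "drop"

def run_demo():
    """Constructed scenario: VLAN 180 is a shared O&M network and the VM on
    Veth11 (another tenant) tries to poison the ARP cache of the VM on Veth9."""
    bindings = [
        Binding("00:50:56:aa:00:01", "10.20.20.50", 180, "Veth9"),
        Binding("00:50:56:aa:00:02", "10.20.20.51", 180, "Veth10"),
        Binding("00:50:56:bb:00:03", "10.20.20.52", 180, "Veth11"),
    ]
    dai = DynamicArpInspection(bindings, trusted_ports={"Eth1/1"}, rate_limit=3)
    packets = [
        ArpPacket("00:50:56:aa:00:02", "10.20.20.51", 180, "Veth10"),  # genuine owner
        ArpPacket("00:50:56:bb:00:03", "10.20.20.51", 180, "Veth11"),  # MAC mismatch
        ArpPacket("00:50:56:aa:00:02", "10.20.20.51", 180, "Veth11"),  # wrong port
        ArpPacket("00:50:56:cc:00:09", "10.20.20.99", 180, "Veth11"),  # no lease
        ArpPacket("00:1b:54:00:00:01", "10.20.20.1", 180, "Eth1/1"),   # trusted uplink
        ArpPacket("00:50:56:bb:00:03", "10.20.20.51", 180, "Veth11"),  # over rate limit
    ]
    return [dai.inspect(p) for p in packets], dai
```

Without a binding table the spoofed replies on Veth11 would be indistinguishable from the genuine one; the log entries are what a collector would correlate with the NetFlow/ERSPAN visibility mentioned on the slide.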
7.
Port profile –> port group (via the vCenter API):

```
port-profile vm180
  vmware port-group pg180
  switchport mode access
  switchport access vlan 180
  ip flow monitor ESE-flow input
  ip flow monitor ESE-flow output
  no shutdown
  state enabled
interface Vethernet9
  inherit port-profile vm180
interface Vethernet10
  inherit port-profile vm180
```
8.
(Diagram: Nexus 1000V and VSG on an ESX server, behind Nexus 5000 and a Nexus 7000 vPC pair with vPC peer-link and service VLANs; Catalyst 6500 VSS with ASA 5585; NAM; addresses 10.20.20.50, 10.20.20.51 and 10.20.30.101.)
ERSPAN sessions:

```
monitor session 1 type erspan-source
  description N1k ERSPAN – session 1
monitor session 2 type erspan-source
  description N1k ERSPAN – session 2
monitor session 3 type erspan-destination
  description N1k ERSPAN to NAM
monitor session 4 type erspan-destination
  description N1k ERSPAN to IDS1
```
9.
(section divider slide)
10.
Two placement options for security services (diagram with web, app and database servers):
1. Physical appliances and modules with virtual contexts and VLANs: traffic is redirected from the VMs to the physical devices.
2. Security services at the hypervisor level: virtual appliances (VSN, Virtual Service Nodes).
11.
Service sandwich between VDCs:
• ASA Service Module: virtual contexts, transparent / mixed mode
• ACE load balancer: transparent mode
• Web Application Firewall: firewall farm
• Network IPS/IDS: inline or promiscuous
(Diagram: N7k1-VDC1 and N7k1-VDC2 with vrf1 and vrf2, ASA-SM 1 and ASA-SM 2, ACE with hsrp.1, IPS, WAF, SVI-151, VLANs 161, 162, 163, 164 and 190, SS1.)
12.
(section divider slide)
13.
Cisco Nexus® 1000V with the vPath mechanism:
• distributed switch
• part of the hypervisor
Host:
• Cisco UCS
• other x86 server
(Diagram: Security Administrator and Service Administrator roles, Port Group, Virtual Network Management Center, Virtual Security Gateway (VSG).)
14.
(Diagram: Nexus 1000V Distributed Virtual Switch with VMs, vPath, VNMC, VSG and log/audit.)
Numbered steps on the slide: 1 initial flow, 2 initial policy evaluation, 3 decision cache; step 4 is unlabeled.
15.
(Diagram: the same Nexus 1000V, vPath, VNMC, VSG and log/audit layout.)
Remaining packets: ACL offload to the Nexus 1000V (policy enforcement).
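An added example, not from the deck: a Python model of the vPath/VSG flow handling described on slides 14 and 15, where only the first packet of each flow is redirected to the policy engine and the cached verdict is enforced in the data path afterwards; the zones, rules, addresses and traffic mix are constructed assumptions.

```python
# Added example, not from the deck: a toy model of the vPath/VSG split on
# slides 14-15. The first packet of a flow is redirected to the VSG, which
# evaluates the zone-based policy; the verdict is cached per flow and every
# later packet is enforced in the Nexus 1000V data path (ACL offload) without
# touching the VSG. Zones, rules, addresses and traffic are constructed.
from collections import namedtuple

Flow = namedtuple("Flow", "src_ip dst_ip proto dst_port")

class VirtualSecurityGateway:
    """Policy engine: rules are (src_zone, dst_zone, proto, dst_port, action),
    matched top-down with an implicit deny. Every evaluation is audited."""
    def __init__(self, zone_of_ip, rules):
        self.zone_of_ip = zone_of_ip
        self.rules = rules
        self.evaluations = 0
        self.audit = []

    def evaluate(self, flow):
        self.evaluations += 1
        src = self.zone_of_ip.get(flow.src_ip, "unknown")
        dst = self.zone_of_ip.get(flow.dst_ip, "unknown")
        action = "deny"
        for r_src, r_dst, r_proto, r_port, r_action in self.rules:
            if (r_src in (src, "any") and r_dst in (dst, "any")
                    and r_proto in (flow.proto, "any")
                    and r_port in (flow.dst_port, "any")):
                action = r_action
                break
        self.audit.append(f"{src}->{dst} {flow.proto}/{flow.dst_port}: {action}")
        return action

class VPath:
    """Data-path hook in the Nexus 1000V: a per-flow verdict cache in front
    of the VSG. Cache miss = redirect to VSG; cache hit = local enforcement."""
    def __init__(self, vsg):
        self.vsg = vsg
        self.cache = {}
        self.redirected = 0
        self.offloaded = 0

    def packet(self, flow):
        if flow in self.cache:
            self.offloaded += 1
            return self.cache[flow]
        self.redirected += 1
        verdict = self.vsg.evaluate(flow)
        self.cache[flow] = verdict
        return verdict

def run_demo():
    """Three-tier app: web may reach app on 8080, app may reach db on 3306,
    everything else (including web straight to db) is denied."""
    zone_of_ip = {"10.1.1.10": "web", "10.1.2.10": "app", "10.1.3.10": "db"}
    rules = [("web", "app", "tcp", 8080, "permit"),
             ("app", "db", "tcp", 3306, "permit")]
    vpath = VPath(VirtualSecurityGateway(zone_of_ip, rules))
    stream = ([Flow("10.1.1.10", "10.1.2.10", "tcp", 8080)] * 50
              + [Flow("10.1.2.10", "10.1.3.10", "tcp", 3306)] * 30
              + [Flow("10.1.1.10", "10.1.3.10", "tcp", 3306)] * 20)
    verdicts = [vpath.packet(f) for f in stream]
    return verdicts, vpath
```

The point of the counters is the ratio: 100 packets produce only three VSG evaluations and three audit records, which is why the decision cache keeps the policy engine off the data path.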
16.
VSG: Security Profile to Port Profile
17.
(section divider slide)
18.
(Diagram: an employee in the HR group authenticated via 802.1X/MAB/Web Auth receives ingress SGT 100 (HR); a Finance resource carries SGT 4; the SGACL is enforced at egress.)
• TrustSec is a system-level solution
• overlay SGT tagging at the ingress to the LAN/WAN/VPN network
• security policy enforcement by SGACL at egress
• centrally stored SGT/SGACL rules provide consistency
19.
Role-based TAG:
1. The device authenticates to the network via 802.1X
2. ISE sends the TAG as the authorization result; it is based on the user/device role
3. The access switch applies the TAG to the user's traffic
4. Additional fields in L2 Ethernet frames, or out-of-band propagation of the mapping via the SXP protocol
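An added example, not from the deck: a Python model of the four steps above together with the egress SGACL enforcement from slide 18. ISE, the roles, tags, SGACL cells, bindings and addresses are constructed assumptions, and SXP is represented only as a dict of propagated IP-to-SGT bindings.

```python
# Added example, not from the deck: a toy model of the role-based tagging on
# slides 18-19. ISE (modelled as a dict) returns an SGT as the 802.1X
# authorization result, the access switch binds that tag to the session's
# traffic, and the egress switch enforces an SGACL matrix, resolving untagged
# traffic through IP-to-SGT bindings it learned out of band (SXP-style).
# Users, roles, tags, ACL entries and addresses are constructed sample data.
ROLE_TO_SGT = {"hr": 100, "finance": 4}            # ISE authorization policy
# SGACL matrix: (src_sgt, dst_sgt) -> ordered (proto, dst_port, action) entries
SGACL = {
    (100, 100): [("any", "any", "permit")],
    (100, 4): [("tcp", 443, "permit"), ("any", "any", "deny")],
    (4, 100): [("tcp", 443, "permit"), ("any", "any", "deny")],
}

class AccessSwitch:
    """Ingress: 802.1X result from ISE -> SGT bound to the session's IP."""
    def __init__(self, ise_users):
        self.ise_users = ise_users   # user -> role, as ISE would return it
        self.ip_sgt = {}             # local IP-to-SGT bindings

    def authenticate(self, user, ip):
        role = self.ise_users.get(user)
        if role is None:
            return None              # authentication failed: no tag assigned
        self.ip_sgt[ip] = ROLE_TO_SGT[role]
        return self.ip_sgt[ip]

    def frame(self, src_ip, dst_ip, proto, port, inline_tag=True):
        """Build a frame; the SGT travels inline (L2 field) only if the path
        supports it, otherwise the egress must rely on SXP-learned bindings."""
        sgt = self.ip_sgt.get(src_ip) if inline_tag else None
        return {"src": src_ip, "dst": dst_ip, "proto": proto, "port": port, "sgt": sgt}

class EgressSwitch:
    """Egress enforcement point holding SXP-learned and static IP-to-SGT bindings."""
    def __init__(self):
        self.ip_sgt = {}

    def sxp_learn(self, bindings):
        self.ip_sgt.update(bindings)

    def enforce(self, frame):
        src_sgt = frame["sgt"] if frame["sgt"] is not None else self.ip_sgt.get(frame["src"])
        dst_sgt = self.ip_sgt.get(frame["dst"])
        if src_sgt is None or dst_sgt is None:
            return "deny"            # unknown role on either side: default deny
        for proto, port, action in SGACL.get((src_sgt, dst_sgt), []):
            if proto in ("any", frame["proto"]) and port in ("any", frame["port"]):
                return action
        return "deny"                # no matching cell or entry: default deny

def run_demo():
    access = AccessSwitch({"alice": "hr", "bob": "finance"})
    dc = EgressSwitch()
    dc.sxp_learn({"10.0.1.5": 100, "10.0.1.6": 4})   # static server tags
    tags = [access.authenticate("alice", "10.0.0.10"),
            access.authenticate("bob", "10.0.0.20"),
            access.authenticate("mallory", "10.0.0.30")]   # unknown to ISE
    dc.sxp_learn(access.ip_sgt)                         # SXP propagation
    verdicts = [
        dc.enforce(access.frame("10.0.0.10", "10.0.1.5", "tcp", 445)),   # HR -> HR
        dc.enforce(access.frame("10.0.0.20", "10.0.1.5", "tcp", 445)),   # Fin -> HR smb
        dc.enforce(access.frame("10.0.0.20", "10.0.1.5", "tcp", 443)),   # Fin -> HR https
        dc.enforce(access.frame("10.0.0.30", "10.0.1.5", "tcp", 443)),   # no session
        dc.enforce(access.frame("10.0.0.10", "10.0.1.5", "tcp", 445, inline_tag=False)),
    ]
    return tags, verdicts
```

The last frame shows step 4 of the slide: the tag is missing from the L2 frame, yet the egress switch still resolves the source to SGT 100 from the binding it learned out of band and applies the same cell of the matrix.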
20.
(section divider slide)
21.
Private / public cloud (diagram: a Spacely Sprockets employee and the Spacely Sprockets central office; ASA appliance, ASA 1000V, VSG, web server and database server).
22.
(section divider slide)
23.
Catalyst 6500 services: centralized security and application service modules and appliances (ASA, ACE, IPS, NAM) can be applied per zone.
(Diagram: Internet edge on Catalyst 6500 VSS; data center core and distribution on Nexus 7018 with a multi-zone VDC; 10Gig server racks on Nexus 5000 / Nexus 2100 Series and on Nexus 7000 Series, interconnected with vPC; Unified Computing System with Nexus 1000V as the unified compute zone; SAN.)
Services: stateful packet filtering; network intrusion prevention; server load balancing; flow-based traffic analysis (Network Analysis Module); access edge security (ACL, Dynamic ARP Inspection, DHCP Snooping, IP Source Guard, Port Security, Private VLANs, QoS); web and email security; network foundation protection; virtual service nodes.
24.
(closing slide)