Cisco Virtual Security Gateway (VSG) provides security policies and controls for virtual machine to virtual machine traffic. It analyzes VM attributes and context to dynamically apply access controls. VSG inserts transparently without relying on VLANs to protect intra-segment communication. It also supports multi-tenant environments through security domain separation and granular policy assignment.

1. Cisco Virtual Security
Gateway (VSG)
Скороходов Александр
Системный инженер-консультант
askorokh@cisco.com

2. Cisco Nexus 1000V
Виртуальный распределенный программный коммутатор
Nexus 1000V - коммутатор
Cisco для среды VMWare ESX
Реализует функции VN-Link:
Управление VM по политикам
Функции безопасности, поддержка Server 1 Server 2
Netflow, ERSPAN, мультикаста,
etherchannel VM VM VM VM VM
VM VM VM VM
#1 #2 #3 #4 #1
#5 #5
#6 #7 #8
Мобильность настроек сети,
безопасности и мониторинга
Сохраняет эксплуатационную VMware vSwitch 1000V Nexus 1000V
Nexus 1000V
Nexus VMware vSwitch
модель VMW ESX VMW ESX
Функции безопасности:
Списки доступа (ACL)
Port Security Nexus 1000V
Private VLAN
DHCP Snooping
Dynamic ARP Inspection VSM
Virtual Center
IP Source Guard
Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 2

3. Cisco VSG: решаемая задача
Управление безопасностью
трафика между VM
Новое «слепое пятно» для средств
безопасности
Динамическое применение политик
с учетом контекста
Использование свойств VM
VM-to-VM traffic VM-to-VM traffic
Работа без опоры на VLAN
Защита трафика внутри сегмента
Разделение доменов эксплуатации
Вычисления
App App App App
Сеть
OS OS OS OS
Безопасность
Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 3

4. Эшелонированная
структура безопасности
• Политика на уровне зон VM
Virtual • Горизонтальное
VSG Security масштабирование
• Опора на контекст VM
• Сегментирование сети ЦОД
FWSM
Internal • Политика на уровне VLAN
Security • Инспекция протоколов
• Виртуальные контексты
ASA 55xx
• Фильтрация внешнего
трафика
Internet • Расширенная поддержка
Edge прикдадных протоколов
ASA 55xx • VPN доступ, борьба с
внешними угрозами
Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 5

5. Virtual Security Gateway
Защита приложений в виртуальной среде
VNMC
VM VM VM
VM VM VM VM VM VM VM
VM VM VM VM VM VM VM VM VM
Nexus 1000V
vPath
Distributed Virtual Switch
VSG
Secure Segmentation Efficient Deployment Dynamic policy-based
(VLAN agnostic) (secure multiple hosts) provisioning
Transparent Insertion Mobility aware Log/Audit
High Availability
(topology agnostic) (policies follow vMotion)
Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 6

6. Поддержка многих организаций
Virtual Network Management Center
Tenant A Tenant B
VDC-1 VDC-2
vApp
vApp
vPath
Nexus 1000V
vSphere
• Гранулярность в зависимости от требований задачи
Tenant, VDC, vApp
• Внедрение многих VSG для горизонтального масштабирования
Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 7

7. Технология vPath
vPath
Nexus 1000V- VEM
Поддержка vPath встроена в Virtual Ethernet Module (VEM)
Nexus 1000V (с версии 1.4)
Две основные функции vPath:
• Интеллектальное перенаправление трафика
на VSG
• Разгрузка обработки с VSG на VEM
vPath поддерживает совместное размещение сервисов
разных организаций
Использование vPath повышает производительность за счёт
распределённой обработки
Может использоваться для других сервисов
Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 8

8. Virtual Security Gateway
Перенаправление трафика с помощью vPath
VNMC
VM VM VM
VM VM VM VM VM VM VM
VM VM VM VM VM VM VM VM VM
4
Nexus 1000V vPath
Distributed Virtual Switch
VSG
Decision
Access Log
Caching 3 (syslog)
Initial Packet 2 Flow Access
1
Flow Control Log/Audit
Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. (policy evaluation)
Cisco Public 9

9. Virtual Security Gateway
Повышение производительности с помощью vPath
VNMC
VM VM VM
VM VM VM VM VM VM VM
VM VM VM VM VM VM VM VM VM
Nexus 1000V
vPath
Distributed Virtual Switch
VSG
ACL offloaded to
Nexus 1000V
(policy enforcement)
Remaining
packets from flow
Log/Audit
Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 10

10. VSG: поддержка прикладных протоколов
Пример: FTP
VNMC
VM VM VM VM VM VM
VM VM VM VM VM VM VM
Nexus 1000V vPath
Distributed Virtual Switch
VSG
FTP Control
FTP Data
Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 11

11. VSG: поддержка прикладных протоколов
Пример: FTP
VNMC
VM VM VM VM VM VM
VM VM VM VM VM VM VM
Nexus 1000V vPath
Distributed Virtual Switch
VSG
FTP Data Path is
Allowed Bi-
Directional in the
vPath Flow Table FTP Control
FTP Data
Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 12

12. Пример внедрения:
3-уровневая вычислительная архитектура
Web
Web
Client
Client
Permit Only Port 22 (SSH) to Block all external access to
Permit Only Port 80(HTTP) of Web application servers database servers
Servers
Web
Web App
App DB
DB
Web App DB
DB
server
Server
Web
Server Server
App
Server server
Server Server server
server
Server Server
Web-zone Application-zone Database-zone
Only Permit Web servers Only Permit Application servers
access to Application servers access to Database servers
Tenant A
Policy – Content Hosting
Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 13

13. VSG: архитектура системы
VM
VMWare Attributes Virtual Network
Virtual Network
VMWare
VMWare
VMWare
vCenter
vCenter Management Center
Management Center
vCenter
vCenter
(VNMC)
(VNMC)
VM-to-IP Binding Security Profiles
VSM
VSM VSN
VSM VSG
Port Profiles Packets
Interactions (slow-path)
Packets Packets
(fast-path) (fast-path)
Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 14

14. VSG: модель
политики
безопасности
Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 15

15. VSG: политики безопасности
Security Policy is applied per Port-Profile (Port Group)
Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 16

16. Составные элементы политики
Security Profile
Policy Set
Policy Set
Policy 1
Policy 1 Policy 2
Policy 2 Policy N
Policy N
Rule 1 Rule 1 Rule 1
Rule 2 Rule 2 Rule 2
Rule N Rule N Rule N
Правило – ACE; политика – аналог ACL
Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 17

17. Политики VSG: структура правил
Rule
Source Destination
Action
Condition Condition
Condition Attribute Type
Network
VM
Custom
VM Attributes Network Attributes Operator Operator
Instance Name IP Address eq member
Guest OS full name Network Port neq Not-member
Zone Name gt Contains
Parent App Name lt
Port Profile Name range
Cluster Name
Not-in-range
Hypervisor Name
Prefix
Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 18

18. Политики VSG: структура правил
Rule
Source Destination
Action
Condition Condition
Condition Attribute Type
Network
VM
Custom
VM Attributes Network Attributes Operator Operator
Instance Name IP Address eq member
Guest OS full name Network Port neq Not-member
Zone Name gt Contains
Parent App Name lt
Port Profile Name range
Cluster Name
Not-in-range
Hypervisor Name
Prefix
Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 19

19. VSG – пример 1a
Использование сетевых атрибутов
Access Policy
Network Attributes – Allow Ping
Server A
Server A Server B
Server B
192.168.1.1 VSG 192.168.1.2
Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 20

20. Пример 1a: настройка
Rule Leveraging Network Attribute to allow
communication between Server A and Server B
Source Destination Action
Condition Condition
Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 21

21. VSG – пример 1b
Использование атрибутов VM
Access Policy
VM Attributes– Allow Ping
Server A
Server A Server B
Server B
WebServer VSG Database Server
Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 22

22. Пример 1b: настройка
Rule Leveraging VM Attribute to allow
communication between Server A and Server B
Source Destination
Action
Condition Condition
Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 23

23. Политики: зоны доверия
QA Zone
QA Zone
Dev Zone
Dev Zone
HR Zone
HR Zone
Finance Zone
Finance Zone
VDI Zone
VDI Zone
Tenant A
Tenant A
Классификация по зонам
На основании сетевых и VM атрибутов
Возможность применения политик к зонам
Внешняя безопасность: между внешним миром и зоной
Внутренная безопасность: между зонами и внутри зоны
Виртуальная машина может принадлежать ко многим зонам
Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 24

24. VSG – пример 1c
Использование зон безопасности
Access Policy
Zone Based Policy– Allow Ping
Server A
Server A Server B
Server B
Server A
Server A Server B
Server B
Web Server VSG Database Server
Zone Zone
Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 25

25. Пример 1c: настройка зон
Zones are defined by a condition leveraging the
attributes e.g. Network, VM or Custom Attributes
Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 26

26. Пример 1c: использование зон
Rule Leveraging Zone to allow communication
between Server A and Server B
Source Destination Action
Condition Condition
Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 27

27. Пример 2: многоуровневое приложение
Web
Web
Client
Client
Permit Only Port 22 (SSH) to Block all external access to
Permit Only Port 80(HTTP) of Web application servers database servers
Servers
Web
Web App
App DB
DB
Web App DB
DB
server
Server
Web
Server Server
App
Server server
Server Server server
server
Server Server
Web-zone Application-zone Database-zone
Only Permit Web servers Only Permit Application servers
access to Application servers access to Database servers
Policy – Content Hosting
Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 28

28. Пример 2: политики с использованием зон
VM Attribute
Example
Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 29

29. Virtual Network
Management Center
(VNMC)
Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 30

30. Сохранение логики администрирования
vCenter Nexus 1KV VNMC
Port Group Port Profile Security Profile
Server Admin Network Admin Security Admin
Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 31

31. VNMC: иерархия организаций
Один клиент может иметь до 3 подуровней иерархии
Поддержка пересекающихся адресов между клиентами
Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 32

32. VNMC: иерархия администррования
VSG Enforcement can be applied any level of
the Tenant “tree”
Each tenant must have at least one active VSG
VSG “CANNOT” manage across tenants
Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 33

33. VSG: порядок
развертывания

34. VSG: пример порядка настройки
Using VM/Network
Using VM/Network
vCenter
Attributes
Attributes
VNMC
Create Rules
Create Rules Define
PortGroup based on
based on Zones
Zones/Network
Zones/Network
Conditions
Conditions Define
Policy
VSM Put Policy Set in
Put Policy Set in Policy
the Security Profile
the Security Profile Set
Port Profile Create
Security
Protection Profile
Bind the Security
Bind the Security Assign
Profile to Port
Profile to Port Tenant
Profile
Profile VSG
Assign Security
Assign Security
Profile to Tenant
Profile to Tenant
VSG
VSG
Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 35

35. Обслуживание разных организаций
Tenant A Standby VSG Standby VSG
Tenant B
Active VSG Active VSG
(Tenant A) Web Zone App Zone QA Zone Dev Zone (Tenant B)
VM VM VM VM VM VM VM VM
Cisco Cisco Cisco
Nexus Nexus Nexus
1000V 1000V 1000V
VEM vPath vPath vPath
VEM VEM
vSphere vSphere vSphere
Data Center
Network
1000V
VSM Cisco Virtual Network
VMWare vCenter
Management Center Server
Server
Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 36

36. Обслуживание разных организаций
Tenant A Standby VSG Standby VSG
Tenant B
Active VSG Active VSG
(Tenant A) Web Zone App Zone QA Zone Dev Zone (Tenant B)
VM VM VM VM VM VM VM VM
Cisco Cisco Cisco
Nexus Nexus Nexus
1000V 1000V 1000V
VEM vPath vPath vPath
VEM VEM
vSphere vSphere vSphere
Security Policies Enforced on Shared Compute Environment
vPath Multitenant Aware Data Center
Network
1000V
Active Stand by VSGs on different Physical Host
VSM
VMWare vCenter
Server
Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 37

37. Внедрение VSG на отдельных хостах
VSGs VSGs
A B Tenant A Tenant B A B
Web Zone App Zone QA Zone Dev Zone
VM VM VM VM VM VM VM VM
vPath vPath vPath
Data Center
Network
1000V
VSM Cisco Virtual Network
VMWare vCenter
Management Center Server
Server
Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 38

38. Решение VSG – отказоустойчивость
Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 39

39. Схема демонстрационного стенда
Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 40

40. Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 42