Cisco Canada, profile picture
Uploaded byCisco Canada
PDF, PPTX12,603 views

Security and Virtualization in the Data Center

The document outlines best practices and security considerations for integrating security within data center virtualization, emphasizing the importance of understanding core data center technologies. Key takeaways include implementing microsegmentation, enforcing separation of duties, and ensuring continual compliance with standards like PCI. It also details various security components, challenges, and architectural designs essential for establishing a secure and efficient data center environment.

Technology
Related topics:
Data Center Overview

Embed presentation

Download as PDF, PPTX
Security and Virtualization in the Data Center
Speaker information • Contact information: – David Anderson – Solutions Architect – Borderless Security team – US – E-mail: dma1@cisco.com • Focus areas: – Data Center Security – Virtualization – Secure Mobility – Security Design – Compliance (PCI, Federal)
Takeaways • To effectively integrate security must understand the core data center fabric technologies and features: VDC, vPC, VRF, server virtualization, traffic flows • Security as part of the core design • Designs to enforce microsegmentation in the data center • Enforce separation of duties in virtualized and cloud environments • Security to enforce continuous compliance
Secure Data Center Data Center Primer Secure Data Center Components Secure Data Center Design Fundamentals Secure Data Center Design Details
Data Center Primer: Terms and Technology
Cisco Datacenter Terms Primer Know the lingo • VDC – Virtual Device Context • VPC – Virtual Port Channel • VSS & MEC – Virtual Switching System & Multi-chassis Ether-channel • VSL & Peer Link – Virtual Switch Link • ECMP – Equal cost Multi-Path • VSD – Virtual Service Domain • VBS – Virtual Blade Switching • VRF – Virtual Routing & Forwarding • FabricPath
Data Center Architecture Application Virtual Storage Aggregation IP-NGN VSwitch Compute Access Core Edge Software Machines & SAN and Services Backbone Virtual Device Contexts Fabric-Hosted Storage Virtualization Virtual Device Contexts Internet IP-NGN Service Profiles Port Profiles & VN- Virtual Machine Link Application Control Optimization (SLB+) Port Profiles & VN- Partners Link Service Control Fibre Channel Forwarding Fabric Extension
Secure Data Center Architecture Application Virtual Storage Aggregation IP-NGN VSwitch Compute Access Core Edge Software Machines & SAN and Services Backbone Virtual Device Contexts Firewall Services Fabric-Hosted Storage Virtualization Intrusion Detection Virtual Device Contexts Internet Storage Media Secure Domain Encryption Routing IP-NGN Service Profiles Port Profiles & VN- Port Profiles & Link VN-Link Virtual Machine Optimization Virtual Firewall Edge and VM Partners Fibre Channel Forwarding Fabric Extension Line-Rate NetFlow Application Control (SLB+) Service Control Virtual Contexts for FW & SLB
Data Center Security Challenges
Security Threats & Considerations  Denial of Service i.e. (Google, Twitter, Facebook)  APT – Targeted Attacks / Nation State Attacks  Data Protection for Privacy and Data Compliance  Application Exploits (SQL Injection)  Malware / Botnets  Mobile Malicious Code  Virtualization Concerns
Secure the Platform Add Security Services Network security best practices  VRF, VLAN, Access control Lists • Network device hardening • Defense in Depth  Stateful Network Firewalls • AAA  Intrusion Detection and Prevention • NetFlow • Separation of duties and least privileges  Web firewalls Virtualization specifics  Load Balancers • Follow hypervisor hardening recommendations  SSL Offloading • Access Controls (production vs. management) • Secure and harden Guest OS  Virtual security appliances • Segmentation  Management and Visibility tools
Data Center Security Components: What’s in our toolbox
Physical and Virtual Service Nodes Redirect VM traffic via VLANs to Apply hypervisor-based 1 external (physical) appliances 2 network services Web App Database Web App Database Server Server Server Server Server Server Hypervisor Hypervisor VLANs VSN Virtual Contexts VSN Virtual Service Nodes Traditional Service Nodes
Physical Firewalls ASA Services Module Web App Database Server Server Server Hypervisor VLANs ASA 5585 Appliance Virtual Contexts Traditional Service Nodes
Features in ASA Firewalls EtherChannel  ASA supports Link Aggregation Control Protocol (LACP), an IEEE 802.3ad standard  Each port-channel supports up to 8 active and 8 standby links  Supported methods of aggregation: Active, Passive & On  EtherChannel ports are treated just like physical and logical interfaces on ASA • ASA can tie-in directly to vPC (Nexus 7000) or VSS (6500) enabled switch Up to 32 interfaces per Virtual Context (formerly 2) – - 4 Interfaces per bridge group 8 bridge groups per Virtual Context
Catalyst 6500 VSS and Nexus 7000 vPC • Dual Active Forwarding Paths VSS • Loop-Free Design vPC VSL peer link MCEC MCEC vPC vPC EC EC EC EC Active Standby Active Standby Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential
ASA Integration with vPC & VSS vPC VSS peer link VSL MCEC MCEC vPC vPC EC EC EC EC Active Standby Active Standby Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential
Virtualization Concerns • Policy Enforcement –Applied at physical server—not the individual VM –Impossible to enforce policy for VMs in motion • Operations and Management –Lack of VM visibility, accountability, and consistency –Difficult management model and inability to effectively troubleshoot • Roles and Responsibilities –Muddled ownership as server admin must configure virtual network Web App DB –Organizational redundancy creates compliance challenges Server Server Server Hypervisor • Machine Segmentation VLANs –Server and application isolation on same physical server Virtual Contexts –No separation between compliant and non-compliant systems…
Virtualization & Virtual Service Nodes Virtual Security Gateway Web App Database Server Server Server Zone based intra-tenant segmentation of VMs Hypervisor Nexus 1000V ASA 1000V VSN VSN Ingress/Egress multi- Virtual Service Nodes tenant edge deployment
Cisco‘s Virtual Security Architecture Orchestration / Cloud Portals Virtual Network Management Center Extending existing operational workflows to virtualized environments VSG ASA 1000V Extending network services to virtualized environments Extending networking to virtualized environments Nexus 1000V vPath
vPath— The intelligent virtual network • vPath is intelligence build into Virtual Ethernet Module (VEM) of Nexus 1000V (1.4 and above) • vPath has two main functions: a. Intelligent Traffic Steering b. Offload processing via Fastpath from virtual Service Nodes to VEM • Dynamic Security Policy Provisioning (via security profile) • Leveraging vPath enhances the service performance by moving the processing to Hypervisor vPath Nexus 1000V-VEM
vPath: Fast Path Switching for Virtualization VM VM VM VNMC VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM 4 Nexus 1000V vPath Distributed Virtual Switch 3 Decision Caching ASA VSG 2 1000V 1 Initial Packet Flow Access Control Flow (policy evaluation)
Cisco Virtual Security Gateway Context aware Security VM context aware rules Zone based Virtual Controls Establish zones of trust Security Dynamic, Agile Policies follow vMotion Gateway (VSG) Best-in-class Architecture Efficient, Fast, Scale-out SW Non-Disruptive Virtual Network Operations Security team manages security Management Policy Based Central mgmt, scalable deployment, Center Administration multi-tenancy Designed for (VNMC) Automation XML API, security profiles
Virtual Security Gateway • Context based rule engine, where ACLs can be expressed using any combination of network (5-tuple), custom and VM attributes. It’s extensible so other types of context/attributes can be added in future • No need to deploy on every physical server (this is due to 1000V vPath intelligence) • Hence can be deployed on a dedicated server, or hosted on a Nexus 1010 appliance • Performance optimization via enforcement off-load to 1000V vPath • High availability
ASA 1000v • Runs same OS as ASA appliance and blade • Maintains ASA Stateful Inspection Engines Tenant A VDC Tenant B VDC vApp • IPSEC site-to-site VPN VSG VSG VSG vApp • Collaborative Security Model VSG VSG for intra-tenant secure zones Virtual ASA Virtual ASA vPath Virtual ASA for tenant edge controls Nexus 1000V vSphere • Integration with Nexus 1000V & vPath
Nexus 1000V Port Profiles Port Profile –> Port Group port-profile vm180 vCenter API vmware port-group pg180 switchport mode access switchport access vlan 180 ip flow monitor ESE-flow input ip flow monitor ESE-flow output no shutdown state enabled interface Vethernet9 inherit port-profile vm180 interface Vethernet10 inherit port-profile vm180 Support Commands Include:  Port management  Port-channel  VLAN  ACL  PVLAN  Netflow  Port Security  QoS
Security Policy to Port Profile
Design Fundamentals
Secure Data Center • Network security can be mapped and applied to both the physical and virtual DC networks • Zones can be used to provide data centric security policy enforcement • Steer VM traffic to Firewall Context • Segment pools of blade resources per Zone • Segment Network traffic w/in the Zone –System Traffic –VM Traffic –Management Traffic • Lockdown elements w/in a Zone • Unique policies and traffic decisions can be applied to each zone creating very flexible designs • Foundation for secure private cloud
Understand Network and Application Flows • Understand how the applications are deployed and accessed both internally and externally • Understand the North-South, East-West flow patterns • Adjacency of services to servers is important. Adding services to existing flow patterns minimizes packet gymnastics! • Again, design with the maximum amount of high availability: know your failover and failback times, traffic paths during failover scenarios Web App DB Web App DB Server Server server Server Server server Web Client Web-zone Application-zone Database-zone Only Permit Web Only Permit Application servers access to servers access to Database Application servers servers
Important • Careful attention should be given to where the server‘s default gateway resides • Can be disruptive to introduce changes to where the gateway resides. Non-greenfield designs require flexibility for deploying new services. Ex. From switch to service appliance • Service introduction ie. Firewall, Web security, load balancing, can all have an impact on data center traffic flows • Design with the maximum amount of high availability: know your failover and failback times, traffic paths during failover scenarios • Multicast support considerations for L2 vs L3 services
Traditional North-South Traffic Flow Internet Control Aggregation • Ingress and Egress traffic is from each ASA zone is routed and filtered appropriately w/ IPS • Physical firewall, IPS, etc deployed for each zone Access: • Physical devices for each zone Top of Rack Zone A sometimes required but can be expensive B Zone Zone C solution vApp vApp vSphere vSphere
Network Virtualization and Zones Acme Co. - Control Traffic and Apply Policy per Zone • Zones used to provide data centric security policy enforcement Unique policies and traffic decisions applied to each • Physical network security zone mapped per zone – VRF, Virtual Context • Lockdown elements in Zone Steer VM traffic to Firewall Context Segment Network traffic in the Zone Segment pools of -System Traffic blade resources -VM Traffic Virtual Switch per Zone Virtual Switch -Management Traffic vSphere vSphere 34
North-South Traffic with Network Virtualization Internet Physical ASA Aggregation VLAN 10 VLAN 20 192.168.10.1 VRF 192.168.20.1 ASA Virtual Context (Layer 2) Access Zone A Zone B Zone C vApp vApp vSphere vSphere
Microsegmenation: Per Zone, Per VM, Per vNIC Aggregation VLAN 10 VLAN 20 IPSEC Virtual ASA Virtual ASA Zone B Zone C Zone A • Stateful filtering for VDC Tenant B VDC ingress/egress for Zone. vApp Near East: VSG VSG • VM segmentation based on VSG vApp VM attributes or ACL vPath • Zone to zone can be Nexus 1000V encrypted via IPSEC vPath Demonstrable segmentation Nexus 1000V vSphere and encryption for vSphere virtualization compliance
Segmentation of Production and Non-Production Traffic VMkernal VSG vEth vEth vEth vEth Mgmt Storage vPath Production Nexus 1000V ASA 1000V VMNIC 1 VMNIC 2 VMNIC 3 VMNIC 4 Management Network Production Network Production vCenter VNMC Storage Network
Visibility: Monitor VM to VM Traffic Aggregation ID:2 ERSPAN DST Intrusion Detection NetFlow Analyzer ID:1 NetFlow Nexus 1000V supports SPAN • NetFlow v9 • ERSPAN/SPAN monitor session 1 type erspan- Zone B Zone C source • Permit protocol type description N1k ERSPAN – session 1 header “0x88BE” for monitor session 3 type erspan- VDC VDC destination vApp ERSPAN GRE description N1k ERSPAN to NAM • ERSPAN does not VSG VSG support fragmentation vApp monitor session 2 type erspan-source • 1000V requires Netflow description N1k ERSPAN –session 2 source interface monitor session 4 type erspan- vPath destination Defaults to Mgmt0 description N1k ERSPAN to IDS1 Nexus 1000V vSphere
Virtualization & Compliance: PCI DSS 2.0 Guidance • PCI security requirements apply to all ‗system components.‘  All virtual components in scope • System components are defined as: – Any network component, server, or application that  All virtual communications is included in or connected to the cardholder data and data flows must be identified and environment. documented – Virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual  Virtualized environment must maintain applications/desktops, and hypervisors. proper segmentation • The cardholder data environment is that part of the network that possesses cardholder data or sensitive  Must meet intent of all 12 PCI authentication data. requirements • Adequate network segmentation, which isolates VMkernal systems that store, process, or transmit cardholder VSG data from those that do not, may reduce the scope of vEth vEth vEth vEth Mgmt Storage the cardholder data environment. Production vPath Nexus 1000V Source PCI DSS 2.0 ASA 1000V VMNIC 1 VMNIC 2 VMNIC 3 VMNIC 4
Design Details
Secure Data Center Reference Architecture • 2x Nexus 7010s with VDCs (Core and Aggregation) (NX-OS 5.1(3)) • 2x Nexus 5Ks for top of rack • 2x ASA 5585-60 with IPS • 2x 6500-E with ASA-SMs • 2x Virtual Security Gateway (VSG) in HA mode • 2x Nexus 1000V with redundant VSMs • Identity Services Engine (ISE) for 802.1x user AAA • Standard VMWare ESXi Infrastructure with multiple service domains (Active Directory, DNS, VDI, etc)
Traditional Model • Services are Aggregated at the Distribution Layer L3 • Single or Multi-Tenant zone based Routed segmentation L2 Boundary Core L2 Boundary • Virtual Context create security zones from the DC edge to the Virtual Machine • VRF->Firewall->VLAN->Virtual Switch->Virtual Firewall->vNIC->VM • EtherChannel and vPC provide loop-free Layer 2 environment • Visibility and control for vm-to-vm flows
ASA Details v201 - Outside v205 – Service-Out BVI-1 BVI-2 10.1.204.199 10.1.200.199 [Po1.204] [Po1.200] [Po1.201] [Po1.205] v200 – Inside v204 – Service-In channel-group 1 mode passive 5585-1 5585-2 Twain Voltaire vPC10 vPC9 7k-1 7k-2 AGG- AGG- VDC VDC Port Channel Load-Balancing Configuration: channel-group 1 mode active System: src-dst ip
Secure Service Pod Model • Services Pod centralizes security services L3 • Traffic forwarded via service-specific Routed VLANs Core L2 Boundary • Modules (Cat 6500) and appliances L2 Boundary supported • Highly scalable module design 1/ 7 • Single or Multi-Tenant zone based segmentation • Security zones from the DC edge to the Virtual Machine
Nexus 7000 & Cat 6500 Channel Group Modes Nexus 7000 Nexus 7000 Channel-Group 1 mode active 7k-1 7k-2 Channel-Group 2 mode active AGG-VDC AGG-VDC vPC2 vPC1 6506-1 6506-2 Catalyst 6500 ASA-SM WestJet ASA-SM Airbus Catalyst 6500 Channel-Group 1 mode on Channel-Group 2 mode on ASA SM ASA SM
ASA SM Layer 2 and 3 v221 - Outside interface BVI2 ASA SM description bvi for 221 and 220 ip address 10.1.221.199 255.255.255.0 v220 – Inside
ASA SM Details interface Vlan221 interface Vlan221 mac-address mac-address b414.89e1.2222 b414.89e1.3333 ip address ip address 10.1.221.252/24 10.1.221.253/24 hsrp 21 hsrp 21 preempt preempt priority 105 priority 100 ip 10.1.221.254 ip 10.1.221.254 interface port-channel1 switchport interface port-channel2 switchport mode trunk 7k-1 7k-2 switchport AGG-VDC AGG-VDC vpc 1 switchport mode trunk vPC2 vpc 2 vPC1 BVI2 6506-1 6506-2 ASA-SM ASA-SM ip address WestJet Airbus 10.1.221.199 ASA SM ASA SM interface Vlan220 nameif inside bridge-group 2 security-level 100 ! failover lan interface Failover Vlan44 interface Vlan221 failover link State Vlan45 nameif outside failover interface ip Failover 10.90.44.1 255.255.255.0 standby 10.90.44.2 bridge-group 2 failover interface ip State 10.90.45.1 255.255.255.0 standby 10.90.45.2199 security-level 0
Server Gateway Outside of Firewall: Design #1 ASA HA pair in transparent mode with SVI on Aggregation VDC. Server gateway on outside of firewall Aggregation VDC v201 - Outside v200 – Inside GW: 10.1.200.254 Layer 3 Layer 2 Simple design. Firewall part of layer 2 failure domain.
ASA in the Data Center: Design #2 Firewall Between Inter-VDC Traffic VRF VRF Core VDC North Aggregation ASA HA Pair 1 South VDC v200 VRF GW: VRF ASA HA Pair 2 VRF 10.1.200.254 North South • Transparent (L2) firewall services are • Useful for topologies that require a FW ―sandwiched‖ between Nexus VDCs between aggregation and core • Allows for other services (IPS, LB, etc) to • Downside is that most/all traffic destined be layered in as needed for Core traverses FW; possible • ASAs can be virtualized to for 1x1 mapping bottleneck, etc to VRFs
Design Details and Benefits • Zone based differentiation, building blocks with VLANs and VRFs Inter-VM firewalling via VSG/ASA 1000V Intra-zone firewalling via both VSG/ASA 1000V and ASA/ASA-SM Inter-zone firewalling via ASA 1000V, ASA, or ASA-SM
Server Access and VM Network Details To Agg switch To Agg switch 1/1 1/2 1/2 1/1 PortChannel111 1/17 1/17 1/18 1/18 5k-1 5k-2 Inara 1/12 Jayne 1/11 1/11 1/12 VMNIC VMNIC VMNIC VMNIC #3 #2 #3 #2 ESX1 ESX2 ESX Host 1 vEth vEth vEth vEth ESX Host 2 192.168.100.199 192.168.100.198 VNMC VSG-2 192.168.100.20 192.168.100.31 Domain 90 VSG-1 VSM-2 192.168.100.30 HR Finance HR Finance 192.168.100.51 VSM-1 Server #1 Server #2 Server #2 Server #1 Domain 1 192.168.100.50 10.1.200.50 10.1.200.101 10.1.200.5 10.1.200.100 1
Deny HR to Finance VMNIC VMNIC VMNIC VMNIC #3 #2 #3 #2 ESX1 ESX2 vEth vEth vEth vEth VSM-2 HR Finance 192.168.100.51 Server #2 Server #1 Domain 1 HR Finance Server 10.1.200.5 10.1.200.100 Server #1 #2 1 10.1.200.50 10.1.200.101
Policy Hierarchy
VNMC Policy: Deny HR to Finance Requests
Policy Summary on VSG Nexus 1000V VSG
Syslog from VSG
Adding Identity and Access Control Services : ISE and TrustSec
ISE Traffic Flow SXP IP Address 10.1.204.126 = SGT 5 ISE RADIUS (Access Request) EAPOL (dot1x) 10.1.204.126 RADIUS (Access Accept, SGT = 5) 6506 10.1.204.254 SG ACL Matrix IP Address to SGT Mapping HR Nexus 7000 Server #1 Core VDC 10.1.200.254 10.1.200.50 Nexus 7000 Agg VDC ASA Finance ✓ Finance VSG Finance Server #1 Finance HR 10.1.200.100
ISE Configuration Highlights ISE
ISE Authentication 6506-2-airbus#sho authen sess int g3/1 Interface: GigabitEthernet3/1 MAC Address: 0027.0e15.578e IP Address: 10.1.204.126 User-Name: finance1 Status: Authz Success Domain: DATA Oper host mode: multi-auth Catalyst Oper control dir: both Authorized By: Authentication Server 6500 Vlan Policy: N/A SGT: 0005-0 Session timeout: N/A Idle timeout: N/A ISE Common Session ID: 0A01CC950000000D0EDFC178 Acct Session ID: 0x0000001E Handle: 0xC500000D Runnable methods list: Method State mab Failed over dot1x Authc Success
Driving Simplicity: Data Center Design – Resources from Cisco
Validated Design Guides A Cisco Competitive Differentiator • Cisco Validated Designs are recommended, validated, end-to- end designs for next-generation networks. • The validated designs are tested and fully documented to help ensure faster, more reliable, and more predictable customer deployments. • 3 types of guides •Design Guides – comprehensive design/implementation •Application Deployment Guides - Third-party applications •System Assurance Guides - intensive, ongoing system assurance test programs targeted at major network architectures or technologies.
Cisco Validated Designs for the DC •CVD > SAFE •http://www.cisco.com/en/US/docs/solutions/Enter prise/Security/SAFE_RG/SAFE_rg.pdf •CVD >Virtualized Multi-Tenant Data Center (VMDC) •http://www.cisco.com/en/US/partner/docs/solutio ASA 5585-X ns/Enterprise/Data_Center/VMDC/1.1/design.html vPC vPC VSS •CVD > Secure Multi Tennant CVD SERVICES Catalyst •http://www.cisco.com/en/US/solutions/ns340/ns4 6500 Firewall ACE ESA 14/ns742/ns743/ns1050/landing_dcVDDC.html NAM IPS WSA Centralized Security and Application Service Modules and Appliances can be applied per zone
Cisco Secure Internet Edge Network Foundation Protection Infrastructure Security features are enabled to protect device, traffic Data Center plane, and control plane. Device virtualization provides control, data, and Data Center Core management plane segmentation. TrustSec VDC Consistent enforcement of security policies Data Center Nexus 7018 Nexus 7018 with Security Group ACL, and to control SAN Distribution access to resources based on user identity and group membership.Link level data v integrity and confidentiality with standard encryption. vPC vPC VSS vPC vPC vPC vPC vPC vPC Nexus SERVICES 5000 Series Unified Catalyst Computing 6500 ASA ACE Nexus Nexus 7000 System Virtual Service 2100 Nexus IPS Series NAM Nodes Series 1000V Zone Zone Multi-Zone Centralized Security and Application 10Gig Server Rack 10Gig Server Rack Unified Compute Service Modules and Appliances can be applied per zone Stateful Packet Network Intrusion Server Load Web and Email Access Edge Security Flow Based Traffic Analysis Filtering Prevention Balancing Security ACL, Dynamic ARP NAM virtual blade. Traffic analysis Additional Application IPS/IDS: provides Masks servers and Security and filtering Inspection, DHCP Snooping, and reporting, Application Firewall Services for traffic analysis and applications and for Web and Email IP Source Guard, Port performance monitoring. VM-level Server Farm zone forensics provides scaling applications Security, Private VLANs, QoS interface statistics
Q&A #CiscoPlusCA
We value your feedback. Please be sure to complete the Evaluation Form for this session. Access today‘s presentations at cisco.com/ca/plus Follow @CiscoCanada and join the #CiscoPlusCA conversation

More Related Content

PDF
IPRAN BASICS.pdf
bymengistuyirga
 
PPTX
Internet of things (IoT) with Azure
byVinoth Rajagopalan
 
PPTX
Introduction to Software Defined Networking (SDN)
byBangladesh Network Operators Group
 
PPTX
Cloud Architecture in the Data Center
byInterVision Systems
 
PDF
Using Netconf/Yang with OpenDalight
byГлеб Хохлов
 
PDF
2.10b network layer services i pv4 - variable length subnetting
byJAIGANESH SEKAR
 
PDF
SDN & NFV Introduction - Open Source Data Center Networking
byThomas Graf
 
PPTX
X internet
bySanjit Shaw
 
IPRAN BASICS.pdf
bymengistuyirga
 
Internet of things (IoT) with Azure
byVinoth Rajagopalan
 
Introduction to Software Defined Networking (SDN)
byBangladesh Network Operators Group
 
Cloud Architecture in the Data Center
byInterVision Systems
 
Using Netconf/Yang with OpenDalight
byГлеб Хохлов
 
2.10b network layer services i pv4 - variable length subnetting
byJAIGANESH SEKAR
 
SDN & NFV Introduction - Open Source Data Center Networking
byThomas Graf
 
X internet
bySanjit Shaw
 

What's hot

PPTX
Technical Overview of Cisco Catalyst 9200 Series Switches
byRobb Boyd
 
DOCX
DHCP Server Guaidlines using CISCO PACKET TRACER
byCOMSATS Institute of Information Technology
 
PPT
NGN BASICS
byNiranjan Poojary
 
PPTX
Cisco SDWAN - Components Deployment Workflow
byFarooq Khan
 
PDF
Setting off the 5G Advanced evolution with 3GPP Release 18
byQualcomm Research
 
PDF
4G to 5G Evolution
byManoj Singh
 
PPT
Wireless LAN Technoloy
byDavid Livingston J
 
PPTX
Nfv
byAhmad Hijazi
 
PDF
Virtualization presentation
byMangesh Gunjal
 
PPTX
NFV +SDN (Network Function Virtualization)
byHamidreza Bolhasani
 
PDF
5G RAN fundamentals
byRavi Sharma
 
PPT
ALTTC(BSNL) PPT BY AMBRISH KUMAR SHUKLA
byEMAM RAZA KHAN
 
PPTX
Module 2 M2M, SDN, VNF.pptx...............
byspreya772
 
PDF
Advanced: 5G Service Based Architecture (SBA)
by3G4G
 
PPTX
Paging and Location Update
byAbidullah Zarghoon
 
PDF
5G NR radio protocols to support URLLC
by3G4G
 
PPTX
Fog computing
byHadi Fadlallah
 
PPTX
broad band
bysatish 486
 
PPTX
Dynamic routing protocols (CCNA)
byVarinder Singh Walia
 
PDF
Synchronization for 5G: the requirements and the solutions
byADVA
 
Technical Overview of Cisco Catalyst 9200 Series Switches
byRobb Boyd
 
DHCP Server Guaidlines using CISCO PACKET TRACER
byCOMSATS Institute of Information Technology
 
NGN BASICS
byNiranjan Poojary
 
Cisco SDWAN - Components Deployment Workflow
byFarooq Khan
 
Setting off the 5G Advanced evolution with 3GPP Release 18
byQualcomm Research
 
4G to 5G Evolution
byManoj Singh
 
Wireless LAN Technoloy
byDavid Livingston J
 
Nfv
byAhmad Hijazi
 
Virtualization presentation
byMangesh Gunjal
 
NFV +SDN (Network Function Virtualization)
byHamidreza Bolhasani
 
5G RAN fundamentals
byRavi Sharma
 
ALTTC(BSNL) PPT BY AMBRISH KUMAR SHUKLA
byEMAM RAZA KHAN
 
Module 2 M2M, SDN, VNF.pptx...............
byspreya772
 
Advanced: 5G Service Based Architecture (SBA)
by3G4G
 
Paging and Location Update
byAbidullah Zarghoon
 
5G NR radio protocols to support URLLC
by3G4G
 
Fog computing
byHadi Fadlallah
 
broad band
bysatish 486
 
Dynamic routing protocols (CCNA)
byVarinder Singh Walia
 
Synchronization for 5G: the requirements and the solutions
byADVA
 

Viewers also liked

PPTX
Virtualization: Security and IT Audit Perspectives
byJason Chan
 
PPTX
Hypervisor Security - OpenStack Summit Hong Kong
byRobert Clark
 
PPTX
6. Live VM migration
byHwanju Kim
 
PPTX
Virtualization Security
bysyrinxtech
 
PPTX
Challenges in Cloud Computing – VM Migration
bySarmad Makhdoom
 
PDF
Virtualization security and threat
byAmmarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
PPTX
Virtualization 101: Everything You Need To Know To Get Started With VMware
byDatapath Consulting
 
Virtualization: Security and IT Audit Perspectives
byJason Chan
 
Hypervisor Security - OpenStack Summit Hong Kong
byRobert Clark
 
6. Live VM migration
byHwanju Kim
 
Virtualization Security
bysyrinxtech
 
Challenges in Cloud Computing – VM Migration
bySarmad Makhdoom
 
Virtualization security and threat
byAmmarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
Virtualization 101: Everything You Need To Know To Get Started With VMware
byDatapath Consulting
 

Similar to Security and Virtualization in the Data Center

PPTX
OpenStack Quantum Network Service
byLew Tucker
 
PDF
Security & Governance for the Cloud: a Savvis Case Study (Presented at Cloud ...
byCA API Management
 
PDF
Software-Based Networking & Security for the Cloud
byMatt Wolpin
 
PDF
RunningQuantumOnQuantumAtNicira.pdf
byOpenStack Foundation
 
PPTX
Virtual Data Centers with OpenStack Quantum
bylaurabeckcahoon
 
PPTX
Virtual data centers with OpenStack Quantum
byLew Tucker
 
PDF
Game cloud reference architecture
byJonathan Spindel
 
PDF
A series presentation
bySergey Marunich
 
PPTX
Presentatie peter vink back to the future, TASS technology solutions
by#devdate
 
PDF
Nevmug Green Pages Cisco Nexus January 2009
bycsharney
 
PPTX
Citrix CloudStack - Build Your Own Scalable Infrastructure Cloud with CloudStack
byRightScale
 
PDF
The unified data center for cloud david yen
bydeepersnet
 
PPTX
Virtual Security in Cloud Networks
byMarcelo Grebois
 
PPTX
The Ever Changing Cloud, CloudExpo 2012
byLew Tucker
 
PDF
PHP Day 2011 PHP goes to the cloud
bypietrobr
 
PDF
Layer 7 & Burton Group: New Cloud Security Model Requirements
byCA API Management
 
PDF
Mach Technology
byOpen Stack
 
PPTX
Denial of Service in Software Defined Netoworks
byMohammad Faraji
 
PPT
Intro to Cloudstack
bySebastien Goasguen
 
PPTX
Clavister security for virtualized environment
bynicolasotira
 
OpenStack Quantum Network Service
byLew Tucker
 
Security & Governance for the Cloud: a Savvis Case Study (Presented at Cloud ...
byCA API Management
 
Software-Based Networking & Security for the Cloud
byMatt Wolpin
 
RunningQuantumOnQuantumAtNicira.pdf
byOpenStack Foundation
 
Virtual Data Centers with OpenStack Quantum
bylaurabeckcahoon
 
Virtual data centers with OpenStack Quantum
byLew Tucker
 
Game cloud reference architecture
byJonathan Spindel
 
A series presentation
bySergey Marunich
 
Presentatie peter vink back to the future, TASS technology solutions
by#devdate
 
Nevmug Green Pages Cisco Nexus January 2009
bycsharney
 
Citrix CloudStack - Build Your Own Scalable Infrastructure Cloud with CloudStack
byRightScale
 
The unified data center for cloud david yen
bydeepersnet
 
Virtual Security in Cloud Networks
byMarcelo Grebois
 
The Ever Changing Cloud, CloudExpo 2012
byLew Tucker
 
PHP Day 2011 PHP goes to the cloud
bypietrobr
 
Layer 7 & Burton Group: New Cloud Security Model Requirements
byCA API Management
 
Mach Technology
byOpen Stack
 
Denial of Service in Software Defined Netoworks
byMohammad Faraji
 
Intro to Cloudstack
bySebastien Goasguen
 
Clavister security for virtualized environment
bynicolasotira
 

More from Cisco Canada

PDF
Cisco connect montreal 2018 net devops
byCisco Canada
 
PDF
Cisco connect montreal 2018 iot demo kinetic fr
byCisco Canada
 
PPTX
Cisco connect montreal 2018 - Network Slicing: Horizontal Virtualization
byCisco Canada
 
PDF
Cisco connect montreal 2018 secure dc
byCisco Canada
 
PDF
Cisco connect montreal 2018 enterprise networks - say goodbye to vla ns
byCisco Canada
 
PDF
Cisco connect montreal 2018 vision mondiale analyse locale
byCisco Canada
 
PDF
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
byCisco Canada
 
PDF
Cisco connect montreal 2018 collaboration les services webex hybrides
byCisco Canada
 
PDF
Integration cisco et microsoft connect montreal 2018
byCisco Canada
 
PDF
Cisco connect montreal 2018 compute v final
byCisco Canada
 
PDF
Cisco connect montreal 2018 saalvare md-program-xr-v2
byCisco Canada
 
PDF
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
byCisco Canada
 
PDF
Cisco Connect Toronto 2018 DNA automation-the evolution to intent-based net...
byCisco Canada
 
PDF
Cisco Connect Toronto 2018 an introduction to Cisco kinetic
byCisco Canada
 
PDF
Cisco Connect Toronto 2018 IOT - unlock the power of data - securing the in...
byCisco Canada
 
PDF
Cisco Connect Toronto 2018 DevNet Overview
byCisco Canada
 
PDF
Cisco Connect Toronto 2018 DNA assurance
byCisco Canada
 
PDF
Cisco Connect Toronto 2018 network-slicing
byCisco Canada
 
PDF
Cisco Connect Toronto 2018 the intelligent network with cisco meraki
byCisco Canada
 
PDF
Cisco Connect Toronto 2018 sixty to zero
byCisco Canada
 
Cisco connect montreal 2018 net devops
byCisco Canada
 
Cisco connect montreal 2018 iot demo kinetic fr
byCisco Canada
 
Cisco connect montreal 2018 - Network Slicing: Horizontal Virtualization
byCisco Canada
 
Cisco connect montreal 2018 secure dc
byCisco Canada
 
Cisco connect montreal 2018 enterprise networks - say goodbye to vla ns
byCisco Canada
 
Cisco connect montreal 2018 vision mondiale analyse locale
byCisco Canada
 
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
byCisco Canada
 
Cisco connect montreal 2018 collaboration les services webex hybrides
byCisco Canada
 
Integration cisco et microsoft connect montreal 2018
byCisco Canada
 
Cisco connect montreal 2018 compute v final
byCisco Canada
 
Cisco connect montreal 2018 saalvare md-program-xr-v2
byCisco Canada
 
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
byCisco Canada
 
Cisco Connect Toronto 2018 DNA automation-the evolution to intent-based net...
byCisco Canada
 
Cisco Connect Toronto 2018 an introduction to Cisco kinetic
byCisco Canada
 
Cisco Connect Toronto 2018 IOT - unlock the power of data - securing the in...
byCisco Canada
 
Cisco Connect Toronto 2018 DevNet Overview
byCisco Canada
 
Cisco Connect Toronto 2018 DNA assurance
byCisco Canada
 
Cisco Connect Toronto 2018 network-slicing
byCisco Canada
 
Cisco Connect Toronto 2018 the intelligent network with cisco meraki
byCisco Canada
 
Cisco Connect Toronto 2018 sixty to zero
byCisco Canada
 

Recently uploaded

PDF
OpenCharacter AI Reviews: Features, Plans, and Best Alternative
byOpenCharacter AI
 
PDF
What Thema can do: Leveraging metadata to support the discoverability of Firs...
byBookNet Canada
 
PDF
Post-Hackathon-Learnings-Maximizing-Impact-Beyond-the-Event.pdf
byishantyadav1111
 
PDF
7 Essential Types of Penetration Testing Services Every Business Should Under...
bypandeydevika621
 
PDF
AI and Zero Trust: What it takes to do it right
byMark Simos
 
PDF
Title Installing Windows, Linux, MacOS.pdf
byGeraldAbadajos
 
PDF
Computer-Based Training (CBT) The Backbone of Modern Technical & Defence Trai...
bycomputerbasedtrainin1
 
PDF
How to build hackthon projects from ZERO!
byishantyadav1111
 
PDF
React Mastery: Visual Mental Models to Understand React Deeply
byThomas Gaye
 
PDF
Web3 - Applications and Architectures - History and Horizons
byGokul Alex
 
PDF
Pneumatic Pressure Pump PPP01 for Calibration & Testing
bySERRAX TECHNOLOGIES LLP
 
PDF
Parental Control App for Phones_ The Complete 2026 Guide for Safer, Smarter P...
byRyan Cooper
 
PDF
Real-Time AI at Scale Masterclass: Feature Store at Scale
byScyllaDB
 
PDF
Taxonomy Alignment for SDG Tagging - ASHA Case Study
byEnterprise Knowledge
 
PDF
Agentic-Document-Extraction-2026-Presentation.pdf
byTamanna
 
PPTX
2026 SCORM Troubleshooting Rustici + dominKnow.pptx
byRustici Software
 
PDF
When Drones Decide for Themselves_ Inside the Rise of Machine-Led Flight.pdf
byLyra Anderson
 
PDF
Certified AI-Native Foundations Professional.pdf
byMarc Entsminger SPC6, RTE, SSM, SA, SDP
 
PPTX
Introduction to Artificial Intelligence (AI).pptx
byammar414783
 
PDF
Why AI Girlfriends Are the Future of Digital Companionship
byAi Angels
 
OpenCharacter AI Reviews: Features, Plans, and Best Alternative
byOpenCharacter AI
 
What Thema can do: Leveraging metadata to support the discoverability of Firs...
byBookNet Canada
 
Post-Hackathon-Learnings-Maximizing-Impact-Beyond-the-Event.pdf
byishantyadav1111
 
7 Essential Types of Penetration Testing Services Every Business Should Under...
bypandeydevika621
 
AI and Zero Trust: What it takes to do it right
byMark Simos
 
Title Installing Windows, Linux, MacOS.pdf
byGeraldAbadajos
 
Computer-Based Training (CBT) The Backbone of Modern Technical & Defence Trai...
bycomputerbasedtrainin1
 
How to build hackthon projects from ZERO!
byishantyadav1111
 
React Mastery: Visual Mental Models to Understand React Deeply
byThomas Gaye
 
Web3 - Applications and Architectures - History and Horizons
byGokul Alex
 
Pneumatic Pressure Pump PPP01 for Calibration & Testing
bySERRAX TECHNOLOGIES LLP
 
Parental Control App for Phones_ The Complete 2026 Guide for Safer, Smarter P...
byRyan Cooper
 
Real-Time AI at Scale Masterclass: Feature Store at Scale
byScyllaDB
 
Taxonomy Alignment for SDG Tagging - ASHA Case Study
byEnterprise Knowledge
 
Agentic-Document-Extraction-2026-Presentation.pdf
byTamanna
 
2026 SCORM Troubleshooting Rustici + dominKnow.pptx
byRustici Software
 
When Drones Decide for Themselves_ Inside the Rise of Machine-Led Flight.pdf
byLyra Anderson
 
Certified AI-Native Foundations Professional.pdf
byMarc Entsminger SPC6, RTE, SSM, SA, SDP
 
Introduction to Artificial Intelligence (AI).pptx
byammar414783
 
Why AI Girlfriends Are the Future of Digital Companionship
byAi Angels
 

Security and Virtualization in the Data Center

  • 1.
  • 2.
    Speaker information • Contactinformation: – David Anderson – Solutions Architect – Borderless Security team – US – E-mail: dma1@cisco.com • Focus areas: – Data Center Security – Virtualization – Secure Mobility – Security Design – Compliance (PCI, Federal)
  • 3.
    Takeaways • To effectivelyintegrate security must understand the core data center fabric technologies and features: VDC, vPC, VRF, server virtualization, traffic flows • Security as part of the core design • Designs to enforce microsegmentation in the data center • Enforce separation of duties in virtualized and cloud environments • Security to enforce continuous compliance
  • 4.
    Secure Data Center Data Center Primer Secure Data Center Components Secure Data Center Design Fundamentals Secure Data Center Design Details
  • 5.
  • 6.
    Cisco Datacenter TermsPrimer Know the lingo • VDC – Virtual Device Context • VPC – Virtual Port Channel • VSS & MEC – Virtual Switching System & Multi-chassis Ether-channel • VSL & Peer Link – Virtual Switch Link • ECMP – Equal cost Multi-Path • VSD – Virtual Service Domain • VBS – Virtual Blade Switching • VRF – Virtual Routing & Forwarding • FabricPath
  • 7.
    Data Center Architecture Application Virtual Storage Aggregation IP-NGN VSwitch Compute Access Core Edge Software Machines & SAN and Services Backbone Virtual Device Contexts Fabric-Hosted Storage Virtualization Virtual Device Contexts Internet IP-NGN Service Profiles Port Profiles & VN- Virtual Machine Link Application Control Optimization (SLB+) Port Profiles & VN- Partners Link Service Control Fibre Channel Forwarding Fabric Extension
  • 8.
    Secure Data CenterArchitecture Application Virtual Storage Aggregation IP-NGN VSwitch Compute Access Core Edge Software Machines & SAN and Services Backbone Virtual Device Contexts Firewall Services Fabric-Hosted Storage Virtualization Intrusion Detection Virtual Device Contexts Internet Storage Media Secure Domain Encryption Routing IP-NGN Service Profiles Port Profiles & VN- Port Profiles & Link VN-Link Virtual Machine Optimization Virtual Firewall Edge and VM Partners Fibre Channel Forwarding Fabric Extension Line-Rate NetFlow Application Control (SLB+) Service Control Virtual Contexts for FW & SLB
  • 9.
  • 10.
    Security Threats &Considerations  Denial of Service i.e. (Google, Twitter, Facebook)  APT – Targeted Attacks / Nation State Attacks  Data Protection for Privacy and Data Compliance  Application Exploits (SQL Injection)  Malware / Botnets  Mobile Malicious Code  Virtualization Concerns
  • 11.
    Secure the Platform Add Security Services Network security best practices  VRF, VLAN, Access control Lists • Network device hardening • Defense in Depth  Stateful Network Firewalls • AAA  Intrusion Detection and Prevention • NetFlow • Separation of duties and least privileges  Web firewalls Virtualization specifics  Load Balancers • Follow hypervisor hardening recommendations  SSL Offloading • Access Controls (production vs. management) • Secure and harden Guest OS  Virtual security appliances • Segmentation  Management and Visibility tools
  • 12.
    Data Center SecurityComponents: What’s in our toolbox
  • 13.
    Physical and VirtualService Nodes Redirect VM traffic via VLANs to Apply hypervisor-based 1 external (physical) appliances 2 network services Web App Database Web App Database Server Server Server Server Server Server Hypervisor Hypervisor VLANs VSN Virtual Contexts VSN Virtual Service Nodes Traditional Service Nodes
  • 14.
    Physical Firewalls ASA Services Module Web App Database Server Server Server Hypervisor VLANs ASA 5585 Appliance Virtual Contexts Traditional Service Nodes
  • 15.
    Features in ASAFirewalls EtherChannel  ASA supports Link Aggregation Control Protocol (LACP), an IEEE 802.3ad standard  Each port-channel supports up to 8 active and 8 standby links  Supported methods of aggregation: Active, Passive & On  EtherChannel ports are treated just like physical and logical interfaces on ASA • ASA can tie-in directly to vPC (Nexus 7000) or VSS (6500) enabled switch Up to 32 interfaces per Virtual Context (formerly 2) – - 4 Interfaces per bridge group 8 bridge groups per Virtual Context
  • 16.
    Catalyst 6500 VSSand Nexus 7000 vPC • Dual Active Forwarding Paths VSS • Loop-Free Design vPC VSL peer link MCEC MCEC vPC vPC EC EC EC EC Active Standby Active Standby Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential
  • 17.
    ASA Integration withvPC & VSS vPC VSS peer link VSL MCEC MCEC vPC vPC EC EC EC EC Active Standby Active Standby Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential
  • 18.
    Virtualization Concerns • Policy Enforcement –Applied at physical server—not the individual VM –Impossible to enforce policy for VMs in motion • Operations and Management –Lack of VM visibility, accountability, and consistency –Difficult management model and inability to effectively troubleshoot • Roles and Responsibilities –Muddled ownership as server admin must configure virtual network Web App DB –Organizational redundancy creates compliance challenges Server Server Server Hypervisor • Machine Segmentation VLANs –Server and application isolation on same physical server Virtual Contexts –No separation between compliant and non-compliant systems…
  • 19.
    Virtualization & VirtualService Nodes Virtual Security Gateway Web App Database Server Server Server Zone based intra-tenant segmentation of VMs Hypervisor Nexus 1000V ASA 1000V VSN VSN Ingress/Egress multi- Virtual Service Nodes tenant edge deployment
  • 20.
    Cisco‘s Virtual SecurityArchitecture Orchestration / Cloud Portals Virtual Network Management Center Extending existing operational workflows to virtualized environments VSG ASA 1000V Extending network services to virtualized environments Extending networking to virtualized environments Nexus 1000V vPath
  • 21.
    vPath— The intelligentvirtual network • vPath is intelligence build into Virtual Ethernet Module (VEM) of Nexus 1000V (1.4 and above) • vPath has two main functions: a. Intelligent Traffic Steering b. Offload processing via Fastpath from virtual Service Nodes to VEM • Dynamic Security Policy Provisioning (via security profile) • Leveraging vPath enhances the service performance by moving the processing to Hypervisor vPath Nexus 1000V-VEM
  • 22.
    vPath: Fast PathSwitching for Virtualization VM VM VM VNMC VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM 4 Nexus 1000V vPath Distributed Virtual Switch 3 Decision Caching ASA VSG 2 1000V 1 Initial Packet Flow Access Control Flow (policy evaluation)
  • 23.
    Cisco Virtual SecurityGateway Context aware Security VM context aware rules Zone based Virtual Controls Establish zones of trust Security Dynamic, Agile Policies follow vMotion Gateway (VSG) Best-in-class Architecture Efficient, Fast, Scale-out SW Non-Disruptive Virtual Network Operations Security team manages security Management Policy Based Central mgmt, scalable deployment, Center Administration multi-tenancy Designed for (VNMC) Automation XML API, security profiles
  • 24.
    Virtual Security Gateway • Context based rule engine, where ACLs can be expressed using any combination of network (5-tuple), custom and VM attributes. It’s extensible so other types of context/attributes can be added in future • No need to deploy on every physical server (this is due to 1000V vPath intelligence) • Hence can be deployed on a dedicated server, or hosted on a Nexus 1010 appliance • Performance optimization via enforcement off-load to 1000V vPath • High availability
  • 25.
    ASA 1000v • Runs same OS as ASA appliance and blade • Maintains ASA Stateful Inspection Engines Tenant A VDC Tenant B VDC vApp • IPSEC site-to-site VPN VSG VSG VSG vApp • Collaborative Security Model VSG VSG for intra-tenant secure zones Virtual ASA Virtual ASA vPath Virtual ASA for tenant edge controls Nexus 1000V vSphere • Integration with Nexus 1000V & vPath
  • 26.
    Nexus 1000V PortProfiles Port Profile –> Port Group port-profile vm180 vCenter API vmware port-group pg180 switchport mode access switchport access vlan 180 ip flow monitor ESE-flow input ip flow monitor ESE-flow output no shutdown state enabled interface Vethernet9 inherit port-profile vm180 interface Vethernet10 inherit port-profile vm180 Support Commands Include:  Port management  Port-channel  VLAN  ACL  PVLAN  Netflow  Port Security  QoS
  • 27.
    Security Policy toPort Profile
  • 28.
  • 29.
    Secure Data Center •Network security can be mapped and applied to both the physical and virtual DC networks • Zones can be used to provide data centric security policy enforcement • Steer VM traffic to Firewall Context • Segment pools of blade resources per Zone • Segment Network traffic w/in the Zone –System Traffic –VM Traffic –Management Traffic • Lockdown elements w/in a Zone • Unique policies and traffic decisions can be applied to each zone creating very flexible designs • Foundation for secure private cloud
  • 30.
    Understand Network andApplication Flows • Understand how the applications are deployed and accessed both internally and externally • Understand the North-South, East-West flow patterns • Adjacency of services to servers is important. Adding services to existing flow patterns minimizes packet gymnastics! • Again, design with the maximum amount of high availability: know your failover and failback times, traffic paths during failover scenarios Web App DB Web App DB Server Server server Server Server server Web Client Web-zone Application-zone Database-zone Only Permit Web Only Permit Application servers access to servers access to Database Application servers servers
  • 31.
    Important • Careful attentionshould be given to where the server‘s default gateway resides • Can be disruptive to introduce changes to where the gateway resides. Non-greenfield designs require flexibility for deploying new services. Ex. From switch to service appliance • Service introduction ie. Firewall, Web security, load balancing, can all have an impact on data center traffic flows • Design with the maximum amount of high availability: know your failover and failback times, traffic paths during failover scenarios • Multicast support considerations for L2 vs L3 services
  • 32.
    Traditional North-South TrafficFlow Internet Control Aggregation • Ingress and Egress traffic is from each ASA zone is routed and filtered appropriately w/ IPS • Physical firewall, IPS, etc deployed for each zone Access: • Physical devices for each zone Top of Rack Zone A sometimes required but can be expensive B Zone Zone C solution vApp vApp vSphere vSphere
  • 33.
    Network Virtualization andZones Acme Co. - Control Traffic and Apply Policy per Zone • Zones used to provide data centric security policy enforcement Unique policies and traffic decisions applied to each • Physical network security zone mapped per zone – VRF, Virtual Context • Lockdown elements in Zone Steer VM traffic to Firewall Context Segment Network traffic in the Zone Segment pools of -System Traffic blade resources -VM Traffic Virtual Switch per Zone Virtual Switch -Management Traffic vSphere vSphere 34
  • 34.
    North-South Traffic withNetwork Virtualization Internet Physical ASA Aggregation VLAN 10 VLAN 20 192.168.10.1 VRF 192.168.20.1 ASA Virtual Context (Layer 2) Access Zone A Zone B Zone C vApp vApp vSphere vSphere
  • 35.
    Microsegmenation: PerZone, Per VM, Per vNIC Aggregation VLAN 10 VLAN 20 IPSEC Virtual ASA Virtual ASA Zone B Zone C Zone A • Stateful filtering for VDC Tenant B VDC ingress/egress for Zone. vApp Near East: VSG VSG • VM segmentation based on VSG vApp VM attributes or ACL vPath • Zone to zone can be Nexus 1000V encrypted via IPSEC vPath Demonstrable segmentation Nexus 1000V vSphere and encryption for vSphere virtualization compliance
  • 36.
    Segmentation of Productionand Non-Production Traffic VMkernal VSG vEth vEth vEth vEth Mgmt Storage vPath Production Nexus 1000V ASA 1000V VMNIC 1 VMNIC 2 VMNIC 3 VMNIC 4 Management Network Production Network Production vCenter VNMC Storage Network
  • 37.
    Visibility: Monitor VMto VM Traffic Aggregation ID:2 ERSPAN DST Intrusion Detection NetFlow Analyzer ID:1 NetFlow Nexus 1000V supports SPAN • NetFlow v9 • ERSPAN/SPAN monitor session 1 type erspan- Zone B Zone C source • Permit protocol type description N1k ERSPAN – session 1 header “0x88BE” for monitor session 3 type erspan- VDC VDC destination vApp ERSPAN GRE description N1k ERSPAN to NAM • ERSPAN does not VSG VSG support fragmentation vApp monitor session 2 type erspan-source • 1000V requires Netflow description N1k ERSPAN –session 2 source interface monitor session 4 type erspan- vPath destination Defaults to Mgmt0 description N1k ERSPAN to IDS1 Nexus 1000V vSphere
  • 38.
    Virtualization & Compliance: PCIDSS 2.0 Guidance • PCI security requirements apply to all ‗system components.‘  All virtual components in scope • System components are defined as: – Any network component, server, or application that  All virtual communications is included in or connected to the cardholder data and data flows must be identified and environment. documented – Virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual  Virtualized environment must maintain applications/desktops, and hypervisors. proper segmentation • The cardholder data environment is that part of the network that possesses cardholder data or sensitive  Must meet intent of all 12 PCI authentication data. requirements • Adequate network segmentation, which isolates VMkernal systems that store, process, or transmit cardholder VSG data from those that do not, may reduce the scope of vEth vEth vEth vEth Mgmt Storage the cardholder data environment. Production vPath Nexus 1000V Source PCI DSS 2.0 ASA 1000V VMNIC 1 VMNIC 2 VMNIC 3 VMNIC 4
  • 39.
  • 40.
    Secure Data CenterReference Architecture • 2x Nexus 7010s with VDCs (Core and Aggregation) (NX-OS 5.1(3)) • 2x Nexus 5Ks for top of rack • 2x ASA 5585-60 with IPS • 2x 6500-E with ASA-SMs • 2x Virtual Security Gateway (VSG) in HA mode • 2x Nexus 1000V with redundant VSMs • Identity Services Engine (ISE) for 802.1x user AAA • Standard VMWare ESXi Infrastructure with multiple service domains (Active Directory, DNS, VDI, etc)
  • 41.
    Traditional Model • Servicesare Aggregated at the Distribution Layer L3 • Single or Multi-Tenant zone based Routed segmentation L2 Boundary Core L2 Boundary • Virtual Context create security zones from the DC edge to the Virtual Machine • VRF->Firewall->VLAN->Virtual Switch->Virtual Firewall->vNIC->VM • EtherChannel and vPC provide loop-free Layer 2 environment • Visibility and control for vm-to-vm flows
  • 42.
    ASA Details v201 - Outside v205 – Service-Out BVI-1 BVI-2 10.1.204.199 10.1.200.199 [Po1.204] [Po1.200] [Po1.201] [Po1.205] v200 – Inside v204 – Service-In channel-group 1 mode passive 5585-1 5585-2 Twain Voltaire vPC10 vPC9 7k-1 7k-2 AGG- AGG- VDC VDC Port Channel Load-Balancing Configuration: channel-group 1 mode active System: src-dst ip
  • 43.
    Secure Service PodModel • Services Pod centralizes security services L3 • Traffic forwarded via service-specific Routed VLANs Core L2 Boundary • Modules (Cat 6500) and appliances L2 Boundary supported • Highly scalable module design 1/ 7 • Single or Multi-Tenant zone based segmentation • Security zones from the DC edge to the Virtual Machine
  • 44.
    Nexus 7000 &Cat 6500 Channel Group Modes Nexus 7000 Nexus 7000 Channel-Group 1 mode active 7k-1 7k-2 Channel-Group 2 mode active AGG-VDC AGG-VDC vPC2 vPC1 6506-1 6506-2 Catalyst 6500 ASA-SM WestJet ASA-SM Airbus Catalyst 6500 Channel-Group 1 mode on Channel-Group 2 mode on ASA SM ASA SM
  • 45.
    ASA SM Layer2 and 3 v221 - Outside interface BVI2 ASA SM description bvi for 221 and 220 ip address 10.1.221.199 255.255.255.0 v220 – Inside
  • 46.
    ASA SM Details interface Vlan221 interface Vlan221 mac-address mac-address b414.89e1.2222 b414.89e1.3333 ip address ip address 10.1.221.252/24 10.1.221.253/24 hsrp 21 hsrp 21 preempt preempt priority 105 priority 100 ip 10.1.221.254 ip 10.1.221.254 interface port-channel1 switchport interface port-channel2 switchport mode trunk 7k-1 7k-2 switchport AGG-VDC AGG-VDC vpc 1 switchport mode trunk vPC2 vpc 2 vPC1 BVI2 6506-1 6506-2 ASA-SM ASA-SM ip address WestJet Airbus 10.1.221.199 ASA SM ASA SM interface Vlan220 nameif inside bridge-group 2 security-level 100 ! failover lan interface Failover Vlan44 interface Vlan221 failover link State Vlan45 nameif outside failover interface ip Failover 10.90.44.1 255.255.255.0 standby 10.90.44.2 bridge-group 2 failover interface ip State 10.90.45.1 255.255.255.0 standby 10.90.45.2199 security-level 0
  • 47.
    Server Gateway Outsideof Firewall: Design #1 ASA HA pair in transparent mode with SVI on Aggregation VDC. Server gateway on outside of firewall Aggregation VDC v201 - Outside v200 – Inside GW: 10.1.200.254 Layer 3 Layer 2 Simple design. Firewall part of layer 2 failure domain.
  • 48.
    ASA in theData Center: Design #2 Firewall Between Inter-VDC Traffic VRF VRF Core VDC North Aggregation ASA HA Pair 1 South VDC v200 VRF GW: VRF ASA HA Pair 2 VRF 10.1.200.254 North South • Transparent (L2) firewall services are • Useful for topologies that require a FW ―sandwiched‖ between Nexus VDCs between aggregation and core • Allows for other services (IPS, LB, etc) to • Downside is that most/all traffic destined be layered in as needed for Core traverses FW; possible • ASAs can be virtualized to for 1x1 mapping bottleneck, etc to VRFs
  • 49.
    Design Details andBenefits • Zone based differentiation, building blocks with VLANs and VRFs Inter-VM firewalling via VSG/ASA 1000V Intra-zone firewalling via both VSG/ASA 1000V and ASA/ASA-SM Inter-zone firewalling via ASA 1000V, ASA, or ASA-SM
  • 50.
    Server Access andVM Network Details To Agg switch To Agg switch 1/1 1/2 1/2 1/1 PortChannel111 1/17 1/17 1/18 1/18 5k-1 5k-2 Inara 1/12 Jayne 1/11 1/11 1/12 VMNIC VMNIC VMNIC VMNIC #3 #2 #3 #2 ESX1 ESX2 ESX Host 1 vEth vEth vEth vEth ESX Host 2 192.168.100.199 192.168.100.198 VNMC VSG-2 192.168.100.20 192.168.100.31 Domain 90 VSG-1 VSM-2 192.168.100.30 HR Finance HR Finance 192.168.100.51 VSM-1 Server #1 Server #2 Server #2 Server #1 Domain 1 192.168.100.50 10.1.200.50 10.1.200.101 10.1.200.5 10.1.200.100 1
  • 51.
    Deny HR toFinance VMNIC VMNIC VMNIC VMNIC #3 #2 #3 #2 ESX1 ESX2 vEth vEth vEth vEth VSM-2 HR Finance 192.168.100.51 Server #2 Server #1 Domain 1 HR Finance Server 10.1.200.5 10.1.200.100 Server #1 #2 1 10.1.200.50 10.1.200.101
  • 52.
  • 53.
    VNMC Policy: DenyHR to Finance Requests
  • 54.
    Policy Summary onVSG Nexus 1000V VSG
  • 55.
  • 56.
    Adding Identity andAccess Control Services : ISE and TrustSec
  • 57.
    ISE Traffic Flow SXP IP Address 10.1.204.126 = SGT 5 ISE RADIUS (Access Request) EAPOL (dot1x) 10.1.204.126 RADIUS (Access Accept, SGT = 5) 6506 10.1.204.254 SG ACL Matrix IP Address to SGT Mapping HR Nexus 7000 Server #1 Core VDC 10.1.200.254 10.1.200.50 Nexus 7000 Agg VDC ASA Finance ✓ Finance VSG Finance Server #1 Finance HR 10.1.200.100
  • 58.
  • 59.
    ISE Authentication 6506-2-airbus#sho authen sess int g3/1 Interface: GigabitEthernet3/1 MAC Address: 0027.0e15.578e IP Address: 10.1.204.126 User-Name: finance1 Status: Authz Success Domain: DATA Oper host mode: multi-auth Catalyst Oper control dir: both Authorized By: Authentication Server 6500 Vlan Policy: N/A SGT: 0005-0 Session timeout: N/A Idle timeout: N/A ISE Common Session ID: 0A01CC950000000D0EDFC178 Acct Session ID: 0x0000001E Handle: 0xC500000D Runnable methods list: Method State mab Failed over dot1x Authc Success
  • 61.
    Driving Simplicity: Data CenterDesign – Resources from Cisco
  • 62.
    Validated Design Guides A Cisco Competitive Differentiator • Cisco Validated Designs are recommended, validated, end-to- end designs for next-generation networks. • The validated designs are tested and fully documented to help ensure faster, more reliable, and more predictable customer deployments. • 3 types of guides •Design Guides – comprehensive design/implementation •Application Deployment Guides - Third-party applications •System Assurance Guides - intensive, ongoing system assurance test programs targeted at major network architectures or technologies.
  • 63.
    Cisco Validated Designsfor the DC •CVD > SAFE •http://www.cisco.com/en/US/docs/solutions/Enter prise/Security/SAFE_RG/SAFE_rg.pdf •CVD >Virtualized Multi-Tenant Data Center (VMDC) •http://www.cisco.com/en/US/partner/docs/solutio ASA 5585-X ns/Enterprise/Data_Center/VMDC/1.1/design.html vPC vPC VSS •CVD > Secure Multi Tennant CVD SERVICES Catalyst •http://www.cisco.com/en/US/solutions/ns340/ns4 6500 Firewall ACE ESA 14/ns742/ns743/ns1050/landing_dcVDDC.html NAM IPS WSA Centralized Security and Application Service Modules and Appliances can be applied per zone
  • 64.
    Cisco Secure Internet Edge Network Foundation Protection Infrastructure Security features are enabled to protect device, traffic Data Center plane, and control plane. Device virtualization provides control, data, and Data Center Core management plane segmentation. TrustSec VDC Consistent enforcement of security policies Data Center Nexus 7018 Nexus 7018 with Security Group ACL, and to control SAN Distribution access to resources based on user identity and group membership.Link level data v integrity and confidentiality with standard encryption. vPC vPC VSS vPC vPC vPC vPC vPC vPC Nexus SERVICES 5000 Series Unified Catalyst Computing 6500 ASA ACE Nexus Nexus 7000 System Virtual Service 2100 Nexus IPS Series NAM Nodes Series 1000V Zone Zone Multi-Zone Centralized Security and Application 10Gig Server Rack 10Gig Server Rack Unified Compute Service Modules and Appliances can be applied per zone Stateful Packet Network Intrusion Server Load Web and Email Access Edge Security Flow Based Traffic Analysis Filtering Prevention Balancing Security ACL, Dynamic ARP NAM virtual blade. Traffic analysis Additional Application IPS/IDS: provides Masks servers and Security and filtering Inspection, DHCP Snooping, and reporting, Application Firewall Services for traffic analysis and applications and for Web and Email IP Source Guard, Port performance monitoring. VM-level Server Farm zone forensics provides scaling applications Security, Private VLANs, QoS interface statistics
  • 65.
    Q&A #CiscoPlusCA
  • 66.
    We value yourfeedback. Please be sure to complete the Evaluation Form for this session. Access today‘s presentations at cisco.com/ca/plus Follow @CiscoCanada and join the #CiscoPlusCA conversation