
BRKDCT-2078

Securing the Next-Generation IaaS Architecture
2010 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKDCT-2078_c1
Housekeeping
We value your feedback: don't forget to complete your online session evaluations after each session, and complete the Overall Conference Evaluation, which will be available online from Thursday
Visit the World of Solutions
Please remember this is a 'non-smoking' venue!
Please switch off your mobile phones
Please make use of the recycling bins provided
Please remember to wear your badge at all times including the Party
What We'll Cover
Evolution of Cloud Computing
IaaS Architecture
Infrastructure & Virtualization
Orchestration Framework
IaaS Architecture Security
Infrastructure Security
Virtual Machine Security
Summary
Journey Towards Cloud (diagram)
Stages: Consolidation, Virtualization, Automation, Utility, Cloud
Data Center Networking -> Unified Fabric -> Unified Computing -> Enterprise Cloud -> Inter-Cloud
Outcomes: HW Freedom, Provisioning Freedom, Location Freedom
What Is Cloud Computing?
"A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or Service Provider interaction."
Cloud Computing definition by NIST (National Institute of Standards and Technology)
Phased Evolution of Cloud (diagram)
Standalone/Private Clouds (Internal, On-Premise) -> Public Clouds (External, Off-Premise) -> Inter-Cloud
Cloud Service Delivery Models
Software as a Service (Application)
Platform as a Service
Infrastructure as a Service (IT Foundation; Cisco's Focus)
Cloud Infrastructure as a Service
The capability provided to the business (customer) to rent processing, storage, networks and other fundamental computing resources where the business is able to deploy and run arbitrary software, which can include operating systems and applications.
IaaS Security Challenges
Shared Resources: network infrastructure, compute resources, storage
Data Governance
Compliance
Reliability
Management
Monitoring
Identity Management
What Is Cloud IaaS Architecture? (diagram)
Cloud - IaaS: End User demand is matched to infrastructure supply through a Cloud Service Orchestration layer.
Virtualized Data Center Architecture (supply): Core and WAN; L2 Aggregation and Services; L2 Access; L2 Virtual Access; Network, Storage and Compute resources hosting Applications (1 to n) and Applications (n+1) to (n+m).
Orchestration/Operations/Management: People, Process, Tools; Quality Management, Cost Management, CMDB, Infrastructure Management, Service Delivery, SLA Management, Management Dashboard, Chargeback, Customer Portal.
IaaS: Infrastructure and Virtualization
Virtualization is the catalyst to enablement of IaaS
Core Layer: VDC, VRF
Aggregation/Services Layer: vPC, VSS, Virtual Contexts
Access Layer: Hypervisor, Nexus 1000v, Unified Computing System (UCS)
IaaS Virtualization: Building Blocks
Device Pooling
Many to one device
Primary use case is maximum availability & density
Reduces management plane
Examples: VSS, vPC, GSLB, FHRP
(diagram: Switch 1 + Switch 2 operating as a single logical switch)
Virtualized Interconnect
Multiple wires within a wire
Primary use case is link consolidation
Logical tenant isolation
Examples: 802.1q, VPN, MPLS, Unified I/O FCoE
Device Partitioning
One to many devices
Primary use case is infrastructure reduction
Increases service agility & flexibility
Improves asset utilization
Examples: VLAN, VRF, VSAN, VDC, Firewall Context, LB Context, Hypervisor
IaaS Virtualization: Core Layer
Virtual Device Context (VDC)
VDC is key to maximizing resource utilization while providing strong security and software fault-isolation via logical device partitioning.
Software Separation
Software fault isolation domains
Addressing domains
Service differentiation domains
Management domains
Resource allocation
Security domains
Hardware Separation
Individual Physical Ports
Layer 2
Layer 3
Port Channels
Entire Linecards
Shared Resources
Software Infrastructure
Kernel
Power Supplies
Fans
Chassis
(diagram: a Cisco Nexus 7K partitioned into VDC 1, VDC 2 ... VDC n; each VDC runs its own Layer-2 protocols (VLAN mgr, STP, UDLD, CDP, LACP, 802.1Q, IGMP snoop, 802.1X, Tunneling, CTS) and Layer-3 protocols (OSPF, ISIS, BGP, MSDP, PIM, GLBP, HSRP, VRRP, IGMP, NetFlow, SNMP, SCH), with its own protocol stack (IPv4 / IPv6 / L2) and its own RIB 1 ... RIB n)
VDC Use Case: Security Partitioning
Some Infosec departments are still reluctant about collapsed infrastructure.
Concerns around change management.
Infrastructure misconfiguration could bypass policies.
Ideally they want to have physically separate infrastructure.
Not cost effective in larger deployments.
VDC provides logical separation simulating an air gap.
Extremely low possibility of a configuration change bypassing the security path: it must be physically bypassed.
Model can be applied for any DC services.
(diagram: Appliance Model and Service Module Model; in both, an Outside VDC and an Inside VDC are joined only through the firewall)
IaaS Virtualization: Core Layer
Virtual Routing and Forwarding (VRF)
VRF allows multiple instances of a routing table to co-exist within the same router.
Because routing instances are independent, they play a crucial role in end-to-end separation of tenant traffic flows in a multi-tenant environment.
(diagram: two IP switching nodes connected over an 802.1q trunk; each VRF is mapped to its own SVI or sub-interface (Layer 3) on the trunk)
IaaS Virtualization: Aggregation Layer (diagram)
Core: IP+MPLS WAN
Aggregation: Nexus 7000 10GbE Agg; Catalyst 6500 10GbE VSS Agg
DC Services: Embedded Service Modules (Catalyst 6500) and One-Arm Service Switches
Access: ToR, FCoE End-of-Row, Blade Servers, Blade Servers with FCoE
SAN/Storage: FC SAN Fabric, End-of-Row
Link types: Gigabit Ethernet, 10 Gigabit Ethernet, 10 Gigabit DCE, 4/8Gb Fibre Channel, 10 Gigabit FCoE/DCE
IaaS Aggregation Layer: High Availability Services
Virtual Port Channel (vPC)
Allows a single device to use a port channel across two upstream switches
Separate physical switches with independent control and data planes
Eliminates STP blocked ports; uses all available uplink bandwidth
Dual-homed servers operate in active-active mode
Provides fast convergence upon link/device failure
Active/Active L3 core routing; efficient use of L3 core links
(diagram: logical topology without vPC versus logical topology with vPC)
IaaS Aggregation Layer: High Availability Services
Virtual Switch System (VSS)
Two physical Catalyst 6500 switches joined via a special link called a Virtual Switch Link (VSL) running special hardware and software that allows the two switches to operate as a single logical switch providing high availability for security services.
VSS based services-chassis along with vPC at the Aggregation Layer provides high availability and aggregated throughput.
Highly available services layer with Firewall, Load balancing and IPS for non-stop security
Integrated security with DHCP Snooping, Dynamic ARP inspection and IP Source Guard
(diagram: VSS - Single Logical Switch: Switch 1 (active control plane, active data plane) + Switch 2 (hot standby control plane, active data plane), joined by the Virtual Switch Link within one Virtual Switch Domain)
IaaS Aggregation Layer: Security Services
Virtual Switch System (VSS) (diagram)
Switch-1 (VSS Active): Data Plane Active, Control Plane Active, ACE Active, FWSM Standby
Switch-2 (VSS Standby): Data Plane Active, Control Plane Hot Standby, ACE Standby, FWSM Active
The switches are joined by the VSL and a Failover/State Sync VLAN
IaaS Virtualized Services: Security Services Use Case (diagram)
Per business unit (BU-1, BU-2, BU-3, BU-4) the traffic path is: Front-End VRFs (MSFC) -> Firewall Contexts -> ACE Contexts -> Back-End VRFs (MSFC) -> Server Side VLANs
Each BU has its own VRFs, firewall context, ACE context and VLANs (VLANs such as v5, v105, v206 ... and server side VLANs v2081, v2082, v2083 ... for BU-4)
IaaS Virtual Access Layer: Server Virtualization
Before Virtualization
Single OS image per machine
Software and hardware tightly coupled
Running multiple applications on same machine often creates conflict
Inflexible and costly infrastructure
After Virtualization
Hardware-independence of operating system and appliances
Virtual machines can be provisioned to any system
Can manage OS and application as a single unit by encapsulating them into virtual machines
Value Proposition
Reduced Power and Cooling
Reduced Management
Rapid Deployment and Agility
Increased Availability
Reduced Rack space
Reduced CAPEX
Reduced OPEX
(diagram: DC Server Consolidation; one application per server, with one operating system on an x86 architecture, versus many applications per server, each VM image (operating system + application) running on the VMware virtualization layer over shared CPU, memory, NIC and disk)
Server Virtualization: Network Challenges
Security & Policy Enforcement
Applied at physical server - not the individual VM
Impossible to enforce policy for VMs in motion
Operations & Management
Lack of VM visibility, accountability, and consistency
Inefficient management model and inability to effectively troubleshoot
Organizational Structure
Muddled ownership as server admin must configure virtual network
Organizational redundancy creates compliance challenges
Server Virtualization: VN-Link
Problems
VMotion may move VMs across physical ports. Security policies must follow.
Impossible to view or apply security policies to locally switched traffic.
Security Risk: Cannot correlate traffic on physical links from multiple VMs.
VN-Link
Extends network to the VM
Consistent services
Coordinated coherent management
(diagram: VMs on VLAN 101 moved by VMotion between hosts)
Server Virtualization: Nexus 1000v
Virtual Supervisor Module (VSM)
Control Plane for VEMs
Central point for policy enforcement
Can be deployed in HA pair for availability
Virtual Ethernet Module (VEM)
Enables advanced networking capability on the hypervisor
Collection of VEMs = 1 Distributed Virtual Switch
Policy-Based VM Connectivity
Mobility of Network & Security Properties
Non-Disruptive Operational Model
(diagram: one Nexus 1000v VSM, integrated with vCenter, controls a Nexus 1000v VEM on each vSphere host; the VMs on each host attach to that host's VEM)
Nexus 1000v: Virtual Chassis
(diagram: the Cisco VSMs act as the supervisors of a virtual chassis whose line cards are the Cisco VEMs, each hosting VMs, e.g. VM1-VM4 on one VEM and VM5-VM8 on another)
prod-vsm# show module
Mod Ports Module-Type Model Status
1 0 Virtual Supervisor Module Nexus1000V active *
2 0 Virtual Supervisor Module Nexus1000V ha-standby
3 248 Virtual Ethernet Module NA ok
IaaS Virtual Access Layer: Unified Compute System
Secure Management: UCS Manager
Stateless Computing: Service Profiles
Resource Pools
QoS
Role-Based Access Control
Unified Fabric: FCoE
Virtualized Adapter: M81KR
Extended Memory Blades: B250 M1
(diagram: what a service profile configures at each UCS component)
Cisco UCS 6100 Series Fabric Interconnects: uplink port configuration, pinning, VLAN, VSAN, QoS, and EtherChannels; VN-Link virtual ports link virtual Ethernet and Fibre Channel links to the switch; server port configuration including Cisco DCE and FCoE settings
Cisco UCS 2100 Series Fabric Extenders: fabric extender configuration is implicitly configured based on the server slot chosen during service profile association and the physical connectivity between the fabric extender and the fabric interconnect
Cisco UCS Network Adapters: NIC configuration, MAC address, VLAN, and QoS settings; HBA configuration, WWNs, VSANs, and bandwidth constraints; and firmware revisions
Cisco UCS B-Series Blade Server: UUID, firmware revisions, and RAID controller settings; blade specified explicitly by slot, or by pool membership; OS provisioning and patching through higher-level software
Secure Management: UCS Manager
Single point of device management
Adapters, blades, chassis, LAN & SAN connectivity
Embedded manager
GUI & CLI
Standard APIs for systems management
XML, SMASH-CLP, WSMAN, IPMI, SNMP
SDK for commercial & custom implementations
Designed for multi-tenancy
RBAC, Organizations, Pools & Policies
(diagram: UCS Manager exposes a GUI, a CLI, an XML API and standard APIs; a custom portal and systems management software integrate through the APIs)
Stateless Computing: Service Profiles
Separate firmware, addresses, and parameter settings from server hardware
Physical servers become interchangeable hardware components
Easy to move OS & applications across server hardware
State abstracted from hardware
(diagram: the state held in the service profile rather than on the server covers LAN connectivity, SAN connectivity and OS & application: BMC firmware, MAC address, NIC firmware, NIC settings, drive controller F/W, drive firmware, UUID, BIOS firmware, BIOS settings, boot order, WWN address, HBA firmware, HBA settings; a profile with UUID 56 4d cd 3f 59 5b, MAC 08:00:69:02:01:FC, WWN 5080020000075740 and boot order SAN, LAN moves from Chassis-1/Blade-2 to Chassis-8/Blade-5 with its LAN and SAN identity intact)
UCS: Role-Based Access Control
Hierarchical model
Roles, Users, Resources, Actions, Privileges, Locales
Resource pools assigned to groups within the hierarchy
Groups control and manage their own resources
Role-Based access
Access limited to authorized groups and resources
Policies can be applied at a group level of granularity within the organization
(diagram: a Company hierarchy with HR and Finance organizations, each with its own policies and pools: Finance MAC pool and Finance blades, HR WWN pool and HR blades; Network Management as a separate function)
IaaS Infrastructure & Virtualization: End-to-End (diagram)
Application Software: Applications
Virtual Machine: Hypervisor, VMs
Virtual Access: Virtual Access Layer, DVS
Storage & SAN: SAN Fabric, Storage Arrays
Virtual Compute: UCS Manager, Stateless Server Provisioning, FCoE
Access: Unified I/O FCoE, Fabric Services
Aggregation / Services: Services (LB, FW, IPS, SSL, VPN), VSS, vPC, VLANs
Core: VDC, VRFs, VLANs, Global Load Balancing
WAN Edge: Internet Edge, MPLS
WWW: World Wide Web, Internet, IP-NGN, Partners
Other elements shown: WAAS, AXG, AVS, GSS, GSLB Cluster
Link types: 10G Ethernet, 10G FCoE, 4G FC, 1G Ethernet, VM to vSwitch, vSwitch to HW, App to HW / VM
IaaS Orchestration Framework (diagram)
Technology Architecture: Storage, Compute, Network, with End-to-End Security across them
CMDB: Infrastructure Architecture Abstraction (includes EMS & Domain Managers), Service Catalogue, Asset Inventory, Mappings / Relationships, Human Resources
Service Orchestration, between the CMDB and the management functions
Infrastructure Management: Optimization, Capacity Planning, HW/SW Management, Problem Detection-RCA, Maintenance / Avail. Windows, Audits, Operations
Service Delivery: Selection (SDLC/BCP), Allocate/Entitlement, Commission/Decommission, Enablement (on/off), Fulfillment, Assurance
Service Management: Quality, Cost, SLA, Performance, Compute/Network/Storage Usage, RTO/RPO, Facilities Usage, Security & Governance, CAPEX/OPEX (time unit hrs), Penalties, Metering & Billing, Commitment
Customer Portal (End User): Scheduling, Ordering, Price Management, Dashboard, Financial, Quality, SLA
IaaS Orchestration Framework walkthrough: the user logs onto the self-service portal.
IaaS Orchestration Framework walkthrough: Allocate/Entitlement performs Customer Credentials Verification (existing user: login / password; new user: login / password, credit card, address etc.). Once the user is verified, it updates the Customer Portal.
IaaS Orchestration Framework walkthrough: based on the customer's entitlement, the Service Catalog selects a subset of services, and the Service Catalog verifies with Capacity Planning.
IaaS Orchestration Framework walkthrough: Capacity Planning accesses the Assets Inventory (CMDB) to verify the service can be met; the subset of services is then presented at the Customer Portal for selection.
IaaS Orchestration Framework walkthrough: the End User selects the services needed, which triggers a message to Selection for resource reservation.
IaaS Orchestration Framework walkthrough: Selection (SDLC/BCP) reserves the resources:
1. Resources are marked reserved in Assets Inventory
2. Opens a new service request in Commission / Decommission
IaaS Orchestration Framework walkthrough: Commission / Decommission triggers the Domain Controllers for individual domain provisioning.
IaaS Orchestration Framework walkthrough: domain provisioning
NETWORK PROVISIONING
UCS Manager for network parameters (VLAN, QoS, Traffic, Adapters, FEX uplinks, SpringField Uplinks: Pinning, VLAN, Trunking)
DNS for IP/FQDN
ACE for Load Balancer (mapping of real servers to VIP)
FWSM/ASA for Firewall (ACL, ports, IP)
WAAS at customer site (exception to trigger Capacity Activation)
Network Provisioning sends a provisioning completion notification to Commission / Decommission
STORAGE PROVISIONING
UCS Manager for network parameters (VSAN, FC speed, Adapters/HBA, FEX uplinks, SpringField Uplinks: NPV/Switching, Pinning, VSAN, Trunking)
Core SAN config: VSAN, LUNs
Provision of back-up infrastructure (snapshot to storage)
Storage Provisioning sends a provisioning completion notification to Commission / Decommission
IaaS Orchestration Framework walkthrough: domain provisioning
COMPUTE PROVISIONING (Blade Logic, UCS Manager)
Blade Logic - Create/Clone Customer Service Profile (UUID, MAC, IP/Subnet, WWN, VLAN, Adapter properties, VSAN, Boot policy)
Blade Logic selects the blade from the available pool and binds the profile to the blade
UCS Manager: Boot the blade/system
Deploy OS image using standard tools (Altiris, ADS, HP-SAS, BladeLogic Prov)
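The provisioning walkthrough above (entitlement selects a catalog subset, Capacity Planning checks the Asset Inventory, Selection reserves resources and opens a service request, Commission/Decommission fans out to the network, storage and compute domains, each reporting completion) as a small model one can step through. This is an added example, not from the presentation: Offering, AssetInventory and Orchestrator are assumed names, the entitlement levels and releasing a reservation when a domain fails are assumptions, and the catalog and inventory data are constructed.

```python
"""Model of the self-service provisioning flow from the orchestration slides:
entitlement -> catalog subset -> capacity check against the Asset Inventory
(CMDB) -> reservation + service request -> domain provisioning with
completion notifications back to Commission/Decommission.

Added example, not from the presentation. Class names, the entitlement
levels and the release-on-failure behaviour are assumptions; the catalog
and inventory below are constructed data.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

ENTITLEMENT_RANK = {"basic": 0, "standard": 1, "premium": 2}  # assumed levels


@dataclass(frozen=True)
class Offering:
    name: str
    min_entitlement: str
    needs: Dict[str, int]  # resource type -> units required


CATALOG = (  # constructed Service Catalogue
    Offering("small-web", "basic", {"compute": 1, "storage_gb": 50}),
    Offering("db-cluster", "premium", {"compute": 4, "storage_gb": 500}),
)


@dataclass
class AssetInventory:
    """Asset Inventory (CMDB): free units per resource and reservations per request."""
    free: Dict[str, int]
    reserved: Dict[str, Dict[str, int]] = field(default_factory=dict)

    def can_meet(self, needs: Dict[str, int]) -> bool:
        return all(self.free.get(k, 0) >= v for k, v in needs.items())

    def reserve(self, request_id: str, needs: Dict[str, int]) -> None:
        # Selection step 1: mark the resources reserved before any domain is touched.
        if not self.can_meet(needs):
            raise RuntimeError(f"{request_id}: capacity cannot be met")
        for k, v in needs.items():
            self.free[k] -= v
        self.reserved[request_id] = dict(needs)

    def release(self, request_id: str) -> None:
        for k, v in self.reserved.pop(request_id, {}).items():
            self.free[k] += v


def always_ok(request_id: str) -> bool:
    """Stand-in domain controller that always reports provisioning complete."""
    return True


DEFAULT_DOMAINS: Dict[str, Callable[[str], bool]] = {
    "network": always_ok, "storage": always_ok, "compute": always_ok}


class Orchestrator:
    def __init__(self, inventory: AssetInventory, entitlements: Dict[str, str]):
        self.inventory = inventory
        self.entitlements = entitlements    # already-verified user -> entitlement level
        self.notifications: List[str] = []  # completion notices seen by Commission/Decommission
        self.requests: Dict[str, str] = {}  # service request id -> state
        self._seq = 0

    def catalog_for(self, user: str) -> List[Offering]:
        """Subset shown at the Customer Portal: filtered by entitlement, then by capacity."""
        rank = ENTITLEMENT_RANK[self.entitlements[user]]
        return [o for o in CATALOG
                if ENTITLEMENT_RANK[o.min_entitlement] <= rank and self.inventory.can_meet(o.needs)]

    def order(self, user: str, offering_name: str,
              domains: Optional[Dict[str, Callable[[str], bool]]] = None) -> Dict[str, str]:
        """Selection -> reservation -> Commission/Decommission -> domain provisioning."""
        domains = domains or DEFAULT_DOMAINS
        # Re-run the entitlement and capacity filter server side: the subset the
        # portal displayed is only a UI filter, and a client may name any offering.
        offering = next((o for o in self.catalog_for(user) if o.name == offering_name), None)
        if offering is None:
            return {"status": "denied", "reason": "not entitled or capacity cannot be met"}
        self._seq += 1
        request_id = f"SR-{self._seq}"
        self.inventory.reserve(request_id, offering.needs)  # 1. marked reserved in Asset Inventory
        self.requests[request_id] = "commissioning"         # 2. new service request opened
        for name in ("network", "storage", "compute"):     # domain controllers, in turn
            if not domains[name](request_id):
                self.inventory.release(request_id)         # assumed: give the capacity back
                self.requests[request_id] = f"failed:{name}"
                return {"status": "failed", "request_id": request_id,
                        "reason": f"{name} provisioning failed"}
            self.notifications.append(f"{name} provisioning complete for {request_id}")
        self.requests[request_id] = "active"
        return {"status": "active", "request_id": request_id}
```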
IaaS Security Zones
Four zones: External, Inter-Tenant, Intra-Tenant, Infrastructure
Infrastructure Zone
Most Secure, only Provider access
Network, compute, storage, management
End user instances should not have direct access to the infrastructure
Intra-Tenant Zone
Sub Security Zone for a given tenant
Security grouping such as presentation layer, application layer, database layer
Tiered levels of security and associated services available from the catalog
Inter-Tenant Zone
Secure Zone, authorized to tenants and Providers
Tenants in the Multi-Tenant Cloud
Customers, business units, and other tenants sharing the same physical infrastructure
Tenants should be isolated from one another
External Zone
External to the Cloud, Public, User Community, Open, No Security
Controls should be in place to protect the Cloud against external threats
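The four zones above expressed as a reachability policy that proposed flows (for example from a change request) can be checked against. This is an added example, not from the presentation: Zone, Endpoint, evaluate and violations are assumed names, and the intra-tenant tier ordering (presentation -> application -> database, flows only to the same or next tier), the tenant egress rule and the default-deny catch-all are assumptions beyond the slide's text.

```python
"""Reachability policy for the four IaaS security zones on the slide
(External, Inter-Tenant, Intra-Tenant, Infrastructure).

Added example, not from the presentation. The zone rules follow the slide
text; the tier ordering inside a tenant, the egress rule and the default
deny for anything unlisted are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Zone(Enum):
    EXTERNAL = "external"              # public, open, no security of its own
    INTER_TENANT = "inter-tenant"      # shared services, tenant- and provider-authorized
    INTRA_TENANT = "intra-tenant"      # one tenant's own sub-zones (tiers)
    INFRASTRUCTURE = "infrastructure"  # network/compute/storage/management, provider only


TIER_ORDER = {"presentation": 0, "application": 1, "database": 2}  # assumed tiering


@dataclass(frozen=True)
class Endpoint:
    zone: Zone
    tenant: Optional[str] = None  # tenant id for INTRA_TENANT endpoints
    tier: Optional[str] = None    # tier name for INTRA_TENANT endpoints
    provider: bool = False        # provider operator or management system


def evaluate(src: Endpoint, dst: Endpoint) -> Tuple[bool, str]:
    """Decide whether a flow src -> dst is permitted; anything unlisted is denied."""
    if src.zone is Zone.EXTERNAL:
        # External is untrusted: only a tenant's presentation tier is reachable,
        # and only through the perimeter controls placed in front of it.
        if dst.zone is Zone.INTRA_TENANT and dst.tier == "presentation":
            return True, "external -> presentation tier via perimeter controls"
        return False, "external zone may reach only a tenant presentation tier"
    if dst.zone is Zone.INFRASTRUCTURE:
        # Most secure zone: provider access only; end-user instances never reach it.
        if src.provider:
            return True, "provider access to infrastructure zone"
        return False, "infrastructure zone is provider-only"
    if src.provider:
        return True, "provider management access (e.g. out-of-band VM management)"
    if dst.zone is Zone.INTER_TENANT:
        return True, "tenant access to shared inter-tenant services"
    if dst.zone is Zone.INTRA_TENANT:
        if src.zone is not Zone.INTRA_TENANT:
            return False, "only the tenant's own tiers initiate flows into its zone"
        if src.tenant != dst.tenant:
            return False, "tenants are isolated from one another"
        hop = TIER_ORDER[dst.tier] - TIER_ORDER[src.tier]
        if hop in (0, 1):
            return True, "intra-tenant flow to the same or next tier"
        return False, "intra-tenant flow may not skip tiers or go upward"
    if dst.zone is Zone.EXTERNAL and src.zone is Zone.INTRA_TENANT:
        return True, "tenant egress, subject to perimeter egress filtering"  # assumed
    return False, "no matching rule (default deny)"


def violations(flows: List[Tuple[Endpoint, Endpoint]]) -> List[str]:
    """Reasons for every denied flow in a proposed flow list."""
    denied = []
    for src, dst in flows:
        ok, reason = evaluate(src, dst)
        if not ok:
            denied.append(reason)
    return denied
```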
IaaS Security Zones: Infrastructure
Hierarchical network design consists of the following layers:
Core
Aggregation / Services
Access / Virtual Access
Each layer needs to be secured individually to achieve defense in depth.
Infrastructure security features must be enabled to protect the device, data plane and control plane.
Device virtualization provides control, data and management plane segmentation.
Infrastructure Zone Security: Device Hardening
Device hardening best practices:
CoPP
Secure Management Access
Restricted SNMP with ACLs
AAA/RBAC
Centralized logging
NTP
Configuration Management
Device Banners
Disabling Unwanted Services
Infrastructure Zone Security: Core Layer
Perimeter Firewall to secure ingress and egress traffic.
DDoS Detection and Mitigation
Routing Protocol authentication
Separate VDC
Anti-Spoofing ACL
Unicast RPF
Infrastructure Zone Security: Aggregation Layer
Aggregation Layer provides connectivity to different blocks, e.g. Tenant Blocks' access to the Common Services Block.
Aggregation Block Filtering, e.g. access control between Tenant Blocks and the Common Services Block, is done via a Firewall at the Aggregation Layer.
Can be implemented by a stateful packet filtering firewall like Cisco ASA 5500
2010 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKDCT-2078_c1
55
Infrastructure Zone Security: Aggregation Layer
VPN Services are provided at the Aggregation Layer:
IPSec Site-to-Site / Remote Access
SSL
Virtual Private Data Center - VPN Services for extending customer sites to their virtualized environment.
Remote Management of VMs through a separate out-of-band management network.
Infrastructure Zone Security: Services Layer
Server Load Balancing: masks servers and applications.
Application Firewall: mitigates XSS, HTTP, SQL and XML based attacks.
Network Intrusion Prevention: IPS/IDS provides traffic analysis and forensics.
Flow Based Traffic Analysis: Network Analysis for traffic monitoring and data analysis.
XML based Application Control: XML Gateway to protect and optimize Web-based services.
Infrastructure Zone Security: Access Layer
Enhanced Layer 2 Security features like:
Access Lists
Dynamic ARP Inspection
DHCP Snooping
IP Source Guard
Port Security
Private VLANs
STP Extensions
Layer 2 Storm Control
Layer 2 Flow Monitoring using:
NetFlow
SPAN
ERSPAN
ACL Logs
Infrastructure Zone Security: Virtual Access Layer
Security within the Hypervisor:
VMware DVS
Nexus 1000v
VMware vShield Firewall
VMsafe API based Virtual Security Appliances
Infrastructure Zone Security: Security Management
Common Services Block
A central management and monitoring tool can be used to manage and monitor the Infrastructure security.
Events are sent out by Host IPS, Network IPS, Firewalls, LB, Routers and Switches in the form of Syslogs, NetFlow, SNMP traps and IPS alerts.
All events are sent to a central repository to perform Anomaly Detection, Event Correlation and Forensics Analysis.
IaaS Security Zones: Intra-Tenant
Physical Firewall Instance
An Intra-Tenant zone is created when the traditional three-tiered application model is used:
Front End or WEB
Middle Tier or APP
Backend or DB
These application tiers have different security affinities and requirements.
Traffic flow between tiers is controlled via policies at the firewall.
[Figure: WEB 1, WEB 2, APP and DB VMs on a VMware ESX Server with Cisco Nexus 1KV, placed on VLAN 10, VLAN 20 and VLAN 30 behind a firewall facing the INTERNET]
IaaS Security Zones: Intra-Tenant
Virtual Firewall Instance
3rd party VM based solutions can also be implemented via virtual security firewall appliances to secure inter-VM traffic.
All traffic to and from the VMs is passed through a virtual firewall.
Traffic is permitted or denied based on the policies configured on the vFW.
Scalable solution; per-Tenant virtual firewall provisioning is possible.
No dependency on proprietary firewalling solutions.
VMware VMsafe makes it possible for security providers to develop security virtual appliances that monitor and control network activity across all virtual machines.
[Figure: Secured VMs on VMware ESX attached to a Virtual Switch and an internal-only Virtual Switch; Inter-VM Traffic is inspected by a Third-Party Security Virtual Appliance via VMsafe]
IaaS Security Zones: Inter-Tenant
Core & Aggregation Layer
At the Core and Aggregation layers, customers can be separated based on VDCs and VRFs.
Multiple customers can be part of the same VDC but in separate VRFs, or a particular customer can be part of one VDC and one VRF.
One VRF corresponds to a particular context on the Firewall.
[Figure: VM1 to VM4 on a VMware ESX Server with Cisco Nexus 1KV; Nexus 7K with VDCA (VRF1, VRF2) and VDCB (VRF1); Firewall contexts CTX1, CTX2 and CTX3; INTERNET]
Inter-Tenant Zone Security: Services Layer
Shared Firewall
At the Services layer, all Tenants share a single firewall.
Tenants have their own distinct Layer 2 VLANs and Layer 3 subnets.
Tenants are secured from the External Zone by the Firewall.
Security between the Tenants is provided by the Firewall.
[Figure: INTERNET, FIREWALL, tenants C1, C2 and C3 as VMs on a VMware ESX Server with Cisco Nexus 1KV]
Inter-Tenant Zone Security: Services Layer
Dedicated Firewall
A physical Firewall partitioned into separate contexts, each with its own data and management interfaces.
One virtual context or firewall instance serves a single customer.
Tenants are secured by their own firewall context from other Tenants and from the External Zone.
Tenant management access to their dedicated firewall instance.
[Figure: INTERNET, Firewall with Context 1, Context 2 and Context 3, VM1 to VM3 on a VMware ESX Server with Cisco Nexus 1KV]
Inter-Tenant Zone Security: Access Layer
Tenant separation based on L2 VLANs.
Implement standard L2 best practices to protect customers at the Access Layer, e.g.
Access Lists
Dynamic ARP Inspection
DHCP Snooping
IP Source Guard
Port Security
Private VLANs
STP Extensions
Layer 2 Storm Control
Hardware Rate-Limiters
[Figure: VM1 to VM4 on a VMware ESX Server with Cisco Nexus 1KV; Nexus 7K with VDCA (VRF1, VRF2) and VDCB (VRF1); Firewall with Context 1, Context 2 and Context 3; INTERNET]
Inter-Tenant Zone Security: End-to-End
VRFs and VDCs are used to segregate at the Core and Aggregation layers.
Firewall, ACE, IPS and WAFs can be utilized to provide security services to Tenants.
Nexus 1000v is used at the Virtual Access Layer to provide L2 security.
VMware VMsafe API for 3rd party vFW integration, or a VMware vShield based solution.
Segregation based on VDC, VRF and Virtual Contexts provides complete end-to-end security domains and traffic separation.
[Figure: VM1 to VM4 on a VMware ESX Server with Cisco Nexus 1KV; Nexus 7K with VDCA (VRF1, VRF2) and VDCB (VRF1); Firewall with Context 1, Context 2 and Context 3; INTERNET]
IaaS Security Zones: External Zone
External to the Cloud.
Public Zone, e.g. Internet User Community.
Open, No Security.
Controls should be in place to protect the Cloud against external threats.
The External Zone could also be a Virtual Private Data Center (VPDC) or Virtual Private Cloud (VPC), which is the extension of the Tenant's existing Infrastructure via VPN, MPLS, etc.
Security and other controls can leverage the Tenant's pre-existing security infrastructure.
What We'll Cover
Evolution of Cloud Computing
IaaS Architecture
Infrastructure & Virtualization
Orchestration Framework
IaaS Architecture Security
Infrastructure Security
Virtual Machine Security
Summary
Virtual Machine Security: Hypervisor Security
Hypervisor has access to all resources:
Manages all system resources
Manages LAN & SAN access
Any exploit or vulnerability can compromise the hypervisor.
vSwitch lacks standard network functions:
No visibility into VM-to-VM traffic on a port group
No visibility into VM-to-Hypervisor calls
[Figure: hypervisor with pNICs, VMkernel and VMotion interfaces, marked with warning signs]
Hypervisor Security: Security Best Practices
Limit connectivity to both the VMkernel and VMotion segments.
VMotion and VMkernel interfaces should be unreachable from outside the data center.
Limit VMkernel management access to DC Operations only, using firewall & ACLs.
The VMotion interface & VLAN should be isolated for a given cluster.
Use a Firewall (Virtual Context) to control access.
Secure the VMs using Host IPS.
[Figure: Virtualized Server with pNICs, VMkernel and VMotion interfaces, and CSA on each VM]
Hypervisor Security: Security Best Practices
Disable local and remote root access to the hypervisor.
Manage the Hypervisor through Virtual Center.
Consider vShield Zones for Hypervisor level protection.
Apply Updates and Patches to the Hypervisor.
Disable Unauthorized Device Access / Connectivity.
Virtual Machine Security: Guest OS Security
Protect the Endpoints
Apply a Host based FW or IPS to the VMs, e.g. iptables, Windows FW and Cisco CSA.
Host IPS can be integrated with Network based IPS to quarantine and black hole or filter the infected VM at the network level.
Apply Anti-virus and Anti-Spyware.
Secure Inter-VM traffic using L2 and L3 Controls and a virtualized solution like Nexus 1000v or vShield.
[Figure: Cisco Security Agent Host IPS on VMs over Nexus 1000V, VM KERNEL and ESX; the CSA Management Center receives Host Posture & Event Information and sends Host Posture & Quarantine Events to the Network IPS via SDEE; ERSPAN to the Management Console over the MANAGEMENT NETWORK]
Guest OS Security: Security Best Practices
Secure Virtual Machines as You Would Secure Physical Machines
Apply updates and patches.
Disable unused Services.
Implement multi-factor authentication.
Disable remote ROOT access.
Implement secure access like SSH, IPSEC.
Use a separate vNIC for management access.
Avoid using Non-Persistent Disks.
[Figure: Cisco Security Agent Host IPS on VMs over Nexus 1000V, VM KERNEL and ESX; Host Posture & Quarantine Events via SDEE; ERSPAN to the Management Console]
Virtual Machine Security: Application Tier Security
Be aware of security affinities
Would you place all your applications on the same VLAN?
Challenging troubleshooting and monitoring environment
ESX vSwitch lacks standard network functions:
No SNMP and NetFlow instrumentation to monitor flows between VMs
No ACLs and PVLAN to limit inter-VM traffic
No SPAN to enable forensic analysis of inter-VM traffic
Recommendation: Do not consolidate servers with unlike security affinities onto a single VLAN.
[Figure: DMZ Web Server, Application Server and Database Server sharing one vSwitch, marked with warning signs]
Application Tier Security: VMware vSwitch
With the VMware vSwitch we can use Virtual Switch Tagging (VST).
Use Port Groups to segment the vSwitch & VMs.
Assign a VLAN to each Port-group based upon security affinity, i.e. Web = Blue VLAN.
Port-groups also simplify the policies that are applied to a VM, i.e. Web = VLAN101 (Blue).
Use static MAC addresses per VM to simplify troubleshooting.
Intra-Tenant traffic between application tiers and Inter-Tenant communication is controlled via a security firewall instance.
[Figure: vNICs into a vSwitch with Port Groups Web: Blue VLAN, Appln: Red VLAN and DB: Green VLAN, uplinked via a pNIC on an 802.1Q Trunk with Trunkfast Enabled; DMZ Web Server, Application Server and Database Server]
Application Tier Security: Nexus 1000v
Inter- and Intra-Tenant Zone Security is provided by Nexus 1000v.
Nexus 1000V provides enhanced VM switching for VMware ESX environments.
Nexus 1000v features VN-Link capabilities like:
Policy-based VM connectivity
Mobility of network and security properties
Non-disruptive operational model
Ensures visibility and continued connectivity during VMotion
[Figure: Server 1 and Server 2, each running VMware ESX with a VMware vSwitch and Nexus 1000V; VMs #1 to #8 move between the servers]
Nexus 1000v: Port Profiles
Security Policies in Port Profile:
ACL
Port Security
VLAN, PVLAN
SPAN, RSPAN and ERSPAN
NetFlow Collection
Rate Limiting
QoS Marking (COS/DSCP)
[Figure: Virtual Center, a VMware ESX Server running the Nexus 1000V VEM with VM #1 to #4, and the Nexus 1000V VSM]
Nexus 1000v: Access Control List
Traffic Filtering Mechanism
Provides filtering for ingress and egress VM traffic for additional network security
Permit/Drop traffic based on ACL policies
ACL types supported:
IPv4
MAC ACLs
Supported on Eth and vEth interfaces
Configured via port profiles or directly on the interface
[Figure: ACLs applied via Port-Profiles]
Nexus 1000v: Port Security
Trusted MAC Addresses
Port Security secures a port by limiting and identifying the MAC addresses that can access a port.
Secure MACs can be manually configured or dynamically learnt.
Two security violation types are supported:
Addr-Count-Exceed Violation
MAC Move Violation
Port security can be applied to vEths.
Cannot be applied to physical interfaces.
Port Security: Types of Secure MAC Addresses

Secure MAC Type | Source             | Aging                                           | Persistence through interface flaps | Persistence through switch reboot
Static          | CLI Configuration  | No                                              | Yes                                 | Yes (with copy run start)
Sticky          | Dynamically Learnt | No                                              | Yes                                 | Yes (with copy run start)
Dynamic         | Dynamically Learnt | No (Default) / Aging Time and Type Configurable | No                                  | No
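The two violation types from the Port Security slide and the persistence column of the table above, as a small model. This is an added example, not Cisco code: the class, the violation labels and the MAC addresses are constructed for illustration, and it deliberately stops at what the slides state (bounded secure MACs per vEth, MAC-move and address-count violations, dynamic entries lost on a flap while static and sticky entries survive).

```python
"""Model of Nexus 1000v-style port security on vEth ports: a bounded set of
secure MACs per port, the two violation types named on the slides, and the
flap behaviour of static/sticky/dynamic entries from the table.
Added example; names, labels and MACs are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ADDR_COUNT_EXCEED = "addr-count-exceed"   # more MACs than the port allows
MAC_MOVE = "mac-move"                     # a MAC secured elsewhere shows up here


@dataclass
class SecurePort:
    name: str
    max_addrs: int = 1          # maximum number of secure MACs on this vEth
    sticky: bool = False        # learnt MACs become sticky instead of dynamic
    macs: Dict[str, str] = field(default_factory=dict)  # mac -> static|sticky|dynamic


class PortSecurity:
    """Switch-wide view: which port owns each secure MAC, plus a violation log."""

    def __init__(self) -> None:
        self.ports: Dict[str, SecurePort] = {}
        self.owner: Dict[str, str] = {}                     # mac -> port name
        self.violations: List[Tuple[str, str, str]] = []    # (port, mac, type)

    def add_port(self, name: str, max_addrs: int = 1, sticky: bool = False) -> None:
        self.ports[name] = SecurePort(name, max_addrs, sticky)

    def configure_static(self, port: str, mac: str) -> None:
        """Equivalent of a CLI-configured secure MAC (never aged, survives flaps)."""
        self._bind(port, mac, "static")

    def frame_seen(self, port: str, mac: str) -> Optional[str]:
        """Process a frame with source MAC `mac` arriving on `port`.
        Returns None when the frame is accepted, otherwise the violation type
        (the frame would be dropped and the violation logged)."""
        p = self.ports[port]
        if mac in p.macs:
            return None                       # already secure on this very port
        if mac in self.owner:                 # secure on another port
            self._violate(port, mac, MAC_MOVE)
            return MAC_MOVE
        if len(p.macs) >= p.max_addrs:        # no room to learn one more
            self._violate(port, mac, ADDR_COUNT_EXCEED)
            return ADDR_COUNT_EXCEED
        self._bind(port, mac, "sticky" if p.sticky else "dynamic")
        return None

    def interface_flap(self, port: str) -> None:
        """Link down/up: per the table, only dynamic entries are lost;
        static and sticky entries persist."""
        p = self.ports[port]
        for mac in [m for m, kind in p.macs.items() if kind == "dynamic"]:
            del p.macs[mac]
            del self.owner[mac]

    def _bind(self, port: str, mac: str, kind: str) -> None:
        self.ports[port].macs[mac] = kind
        self.owner[mac] = port

    def _violate(self, port: str, mac: str, kind: str) -> None:
        self.violations.append((port, mac, kind))


def demo() -> List[Tuple[str, str, str]]:
    """Run a constructed scenario and return the violations it produced."""
    ps = PortSecurity()
    ps.add_port("Vethernet1", max_addrs=1)                  # one VM, one MAC
    ps.add_port("Vethernet2", max_addrs=2, sticky=True)     # dual-homed VM
    ps.frame_seen("Vethernet1", "00:50:56:aa:00:01")         # learnt (dynamic)
    ps.frame_seen("Vethernet1", "00:50:56:aa:00:02")         # second MAC: count exceeded
    ps.frame_seen("Vethernet2", "00:50:56:aa:00:01")         # MAC owned by Veth1: move
    return ps.violations


if __name__ == "__main__":
    for port, mac, kind in demo():
        print(f"{port}: {mac} -> {kind} violation")
```

The MAC-move check is what makes a tenant VM's MAC unusable from another vEth on the same switch, and the flap handling shows why sticky learning is the usual choice for VM ports: the address survives the interface bouncing without having to be typed into the CLI.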
Nexus 1000v: Private VLANs
Private VLANs divide a normal VLAN into sub-L2 domains.
Consist of a Primary VLAN and one or more secondary VLANs.
Used to segregate L2 traffic without wasting IP address space (smaller subnets).
Three types of Ports: Promiscuous, Isolated, or Community.
Secondary VLAN access is restricted by setting community or isolated status.
Nexus 1000v: Private VLANs
Isolated ports can only communicate with the promiscuous port.
Community ports can communicate with other ports in the same community and the promiscuous port.
The promiscuous port can communicate with all isolated ports and community ports, and vice versa.
[Figure: Isolated, Community and Promiscuous ports, with uplinks Po1 and Po3]
Private VLAN: Configuration
vlan 202
  private-vlan primary
vlan 303
  private-vlan isolated
vlan 202
  private-vlan association add 303
port-profile type ethernet Promiscuous-Trunk
  vmware port-group
  switchport mode private-vlan trunk promiscuous
  switchport private-vlan mapping trunk 202 303
  switchport private-vlan trunk allowed vlan all
  no shutdown
  state enabled
port-profile type vethernet Customer-Data
  vmware port-group
  switchport mode private-vlan host
  switchport private-vlan host-association 202 303
  no shutdown
  state enabled
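The isolated/community/promiscuous rules from the two Private VLAN slides, applied to a configuration like the one above. This is an added example and not Cisco code: it parses the private-vlan and port-profile stanzas, then answers whether two port-profiles can exchange Layer 2 traffic. The embedded sample configuration is constructed: it is the slide's configuration extended with a community secondary VLAN 304 and extra vethernet port-profiles (Customer-Data-2, Shared-Backup, Shared-Backup-2) so that every rule is exercised; the comma-separated secondary list in the mapping line is part of that construction.

```python
"""Parse the private-VLAN parts of a Nexus 1000v-style configuration and
answer 'can port-profile A talk to port-profile B at Layer 2?' using the
isolated/community/promiscuous rules from the slides.
Added example, not Cisco code; the sample config is constructed."""
from typing import Dict, Set, Tuple

# Constructed sample: the slide's config plus a community secondary VLAN 304
# and extra host profiles, so that every PVLAN rule is exercised.
SAMPLE_CONFIG = """
vlan 202
  private-vlan primary
vlan 303
  private-vlan isolated
vlan 304
  private-vlan community
vlan 202
  private-vlan association add 303,304
port-profile type ethernet Promiscuous-Trunk
  vmware port-group
  switchport mode private-vlan trunk promiscuous
  switchport private-vlan mapping trunk 202 303,304
  switchport private-vlan trunk allowed vlan all
  no shutdown
  state enabled
port-profile type vethernet Customer-Data
  vmware port-group
  switchport mode private-vlan host
  switchport private-vlan host-association 202 303
  no shutdown
  state enabled
port-profile type vethernet Customer-Data-2
  switchport mode private-vlan host
  switchport private-vlan host-association 202 303
port-profile type vethernet Shared-Backup
  switchport mode private-vlan host
  switchport private-vlan host-association 202 304
port-profile type vethernet Shared-Backup-2
  switchport mode private-vlan host
  switchport private-vlan host-association 202 304
"""

Profile = Dict[str, object]   # keys: mode, primary, secondaries


def parse_pvlan_config(text: str) -> Tuple[Dict[int, str], Dict[str, Profile]]:
    """Return (secondary_type, profiles): secondary VLAN id -> 'isolated'|'community',
    and port-profile name -> {'mode', 'primary', 'secondaries'}."""
    secondary_type: Dict[int, str] = {}
    profiles: Dict[str, Profile] = {}
    ctx = None                                   # ('vlan', id) or ('profile', name)
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue
        if words[0] == "vlan":
            ctx = ("vlan", int(words[1]))
        elif words[0] == "port-profile":
            ctx = ("profile", words[-1])
            profiles[words[-1]] = {"mode": None, "primary": None, "secondaries": set()}
        elif ctx and ctx[0] == "vlan" and words[0] == "private-vlan":
            if words[1] in ("isolated", "community"):   # 'primary'/'association' need no state
                secondary_type[ctx[1]] = words[1]
        elif ctx and ctx[0] == "profile" and words[0] == "switchport":
            prof = profiles[ctx[1]]
            if words[1] == "mode":
                prof["mode"] = "promiscuous" if "promiscuous" in words else "host"
            elif words[1] == "private-vlan" and words[2] in ("host-association", "mapping"):
                prof["primary"] = int(words[-2])          # '... <primary> <secondary[,..]>'
                prof["secondaries"] = {int(v) for v in words[-1].split(",")}
    return secondary_type, profiles


def can_forward(secondary_type: Dict[int, str], profiles: Dict[str, Profile],
                src: str, dst: str) -> bool:
    """Layer 2 reachability between two port-profiles inside the private VLAN."""
    a, b = profiles[src], profiles[dst]
    if a["primary"] is None or a["primary"] != b["primary"]:
        return False                                  # not in the same PVLAN domain
    shared: Set[int] = a["secondaries"] & b["secondaries"]
    if not shared:
        return False                                  # different secondary VLANs
    if a["mode"] == "promiscuous" or b["mode"] == "promiscuous":
        return True                                   # promiscuous reaches every mapped secondary
    sec = next(iter(shared))                          # a host port carries exactly one secondary
    return secondary_type.get(sec) == "community"     # isolated hosts never see each other


def reachability_matrix(text: str) -> Dict[Tuple[str, str], bool]:
    """Every ordered (src, dst) pair of port-profiles and whether L2 traffic flows."""
    sec, profs = parse_pvlan_config(text)
    names = sorted(profs)
    return {(s, d): can_forward(sec, profs, s, d) for s in names for d in names if s != d}


if __name__ == "__main__":
    for (s, d), ok in reachability_matrix(SAMPLE_CONFIG).items():
        print(f"{s:18} -> {d:18} {'permit' if ok else 'deny'}")
```

Running the matrix against a real configuration is a quick way to confirm that two tenant VMs landed in the isolated VLAN rather than sharing a community, which is the difference between "can reach the gateway only" and "can reach each other".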
Nexus 1000v: ERSPAN
Remote monitoring of multiple switches across your network.
ERSPAN uses a GRE tunnel to carry traffic between switches.
ERSPAN consists of a:
source session
routable GRE-encapsulated traffic
destination session
An ERSPAN destination is specified by an IP address.
Source SPAN interface and destination SPAN interface may be on different devices interconnected by an IP network.
[Figure: VMs on ESX with Nexus 1000V and VM KERNEL; ERSPAN to a Services block with a Management Console, NAM (ERSPAN DST ID:1) and IDS1 (ERSPAN DST ID:2)]
ERSPAN: Use Case
Comprehensive view of VM traffic via ERSPAN to two network analysis devices simultaneously.
NAM and IDS provide clarity.
In this example, a port scan of a VM is detected on the IDS and visible on the NAM.
[Figure: VMs on ESX with Nexus 1000V and VM KERNEL; ERSPAN to a Services block with a Management Console, NAM (ERSPAN DST ID:1) and IDS1 (ERSPAN DST ID:2)]
ERSPAN: Configuration
port-profile erspan
  capability l3control
  vmware port-group
  switchport access vlan 3000
  no shutdown
  system vlan 3000
  state enabled
!
monitor session 1 type erspan-source
  description - to SS1 NAM via VLAN 3000
  source interface Vethernet8 both
  destination ip 10.8.33.4
  erspan-id 1
  no shut
!
monitor session 2 type erspan-source
  description - to SS1 IDS1 via VLAN 3000
  source interface Vethernet8 both
  destination ip 10.8.33.4
  erspan-id 2
  no shut
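What the NAM or IDS at the destination IP actually receives from the two sessions above is a GRE packet (protocol 0x88BE) carrying an 8-byte ERSPAN Type II header and then the mirrored Ethernet frame; the erspan-id is the only thing that tells the two sessions apart on the wire. The decoder below is an added example, not Cisco, NAM or IDS code. It assumes the ERSPAN Type II header layout (version, original VLAN, CoS, encapsulation type, truncation bit, 10-bit session id, index) and builds a constructed sample packet inline; the erspan-id to analyzer mapping is copied from the configuration on the slide.

```python
"""Decode ERSPAN Type II traffic as the NAM or IDS destination receives it:
GRE (protocol 0x88BE) carrying an 8-byte ERSPAN header and then the mirrored
Ethernet frame. Added example, not Cisco code; the header layout is the
ERSPAN Type II format and the packet below is constructed inline."""
import struct
from typing import Dict, Optional

GRE_PROTO_ERSPAN_II = 0x88BE
GRE_FLAG_CHECKSUM, GRE_FLAG_KEY, GRE_FLAG_SEQ = 0x8000, 0x2000, 0x1000

# erspan-id -> analyzer, taken from the two monitor sessions on the slide
ERSPAN_SESSIONS = {1: "NAM", 2: "IDS1"}


def build_erspan2(session_id: int, vlan: int, frame: bytes, seq: int = 0,
                  cos: int = 0, encap: int = 0) -> bytes:
    """Encapsulate a mirrored frame the way an ERSPAN source session would."""
    gre = struct.pack("!HHI", GRE_FLAG_SEQ, GRE_PROTO_ERSPAN_II, seq)
    w0 = (1 << 12) | (vlan & 0x0FFF)                        # version 1, original VLAN
    w1 = (cos << 13) | ((encap & 0x3) << 11) | (session_id & 0x3FF)
    return gre + struct.pack("!HHI", w0, w1, 0) + frame     # reserved/index = 0


def decode_erspan2(buf: bytes) -> Dict[str, object]:
    """Strip the GRE + ERSPAN headers; return session metadata and inner-frame facts."""
    flags, proto = struct.unpack("!HH", buf[:4])
    if proto != GRE_PROTO_ERSPAN_II:
        raise ValueError(f"GRE protocol 0x{proto:04x} is not ERSPAN Type II")
    off = 4
    if flags & GRE_FLAG_CHECKSUM:
        off += 4                                # checksum + reserved1
    if flags & GRE_FLAG_KEY:
        off += 4
    seq: Optional[int] = None
    if flags & GRE_FLAG_SEQ:
        seq = struct.unpack("!I", buf[off:off + 4])[0]
        off += 4
    w0, w1, w2 = struct.unpack("!HHI", buf[off:off + 8])
    off += 8
    if w0 >> 12 != 1:
        raise ValueError("not an ERSPAN Type II header")
    frame = buf[off:]
    if len(frame) < 14:
        raise ValueError("mirrored frame shorter than an Ethernet header")
    session_id = w1 & 0x3FF
    return {
        "seq": seq,
        "vlan": w0 & 0x0FFF,
        "cos": w1 >> 13,
        "encap": (w1 >> 11) & 0x3,
        "truncated": bool((w1 >> 10) & 1),
        "session_id": session_id,
        "index": w2 & 0xFFFFF,
        "analyzer": ERSPAN_SESSIONS.get(session_id, "unknown"),
        "dst_mac": _mac(frame[0:6]),
        "src_mac": _mac(frame[6:12]),
        "ethertype": struct.unpack("!H", frame[12:14])[0],
        "payload_len": len(frame) - 14,
    }


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


# Constructed sample: an IPv4 frame from VM MAC ...:01 to ...:02, mirrored by
# session 2 (the IDS1 session) with sequence number 7.
SAMPLE_FRAME = (bytes.fromhex("005056aa0002") + bytes.fromhex("005056aa0001")
                + b"\x08\x00" + b"\x45" + bytes(19))
SAMPLE_PACKET = build_erspan2(session_id=2, vlan=3000, frame=SAMPLE_FRAME, seq=7)

if __name__ == "__main__":
    for k, v in decode_erspan2(SAMPLE_PACKET).items():
        print(f"{k:12} {v}")
```

A collector that keys on the session id this way can confirm that each analyzer sees only its own session, and gaps in the GRE sequence number are the quickest sign that the IP network between the VEM and the analyzers is dropping mirrored traffic.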
Nexus 1000v: NetFlow
NetFlow gathers data that can be used in accounting, network monitoring, and network planning.
Nexus 1000v requires a NetFlow source interface; defaults to Mgmt0.
Supports the v9 format.
Port profiles afford easy deployment.
NetFlow: Configuration
flow exporter exporttest
  description exportv9
  destination <IP ADDRESS> use-vrf management
  transport udp 3000
  source mgmt0
  version 9
    template data timeout 1200
    option exporter-stats timeout 1200
flow monitor NAMTest
  description default flow to NAM
  record netflow-original
  exporter exporttest
port-profile vm180
  vmware port-group pg180
  switchport mode access
  switchport access vlan 180
  ip flow monitor NAMTest input
  ip flow monitor NAMTest output
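The flow records that the NAMTest monitor exports are enough to spot the port scan mentioned in the ERSPAN use case without the full packet copy: a scan shows up as one source touching many distinct destination ports on one VM with one- or two-packet flows. The detector below is an added example, not Cisco or NAM code; the flow records and the 10.8.180.0/24 addresses are constructed (the slide only fixes VLAN 180 for the vm180 port-profile), and the thresholds are starting points to tune against real traffic.

```python
"""Detection logic over NetFlow v9 records such as those the NAMTest monitor
exports: flag a source whose short flows cover many distinct destination
ports on one host inside a time window (a vertical port scan).
Added example, not Cisco or NAM code; records and addresses are constructed."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    first_seen: int     # seconds (flow start)
    src: str
    dst: str
    proto: int          # 6 = TCP, 17 = UDP
    dport: int
    packets: int
    octets: int


def sample_flows() -> List[Flow]:
    """Constructed collector input: normal HTTPS traffic, one DNS lookup and one scan."""
    flows = [Flow(100 + i, "10.8.180.21", "10.8.180.10", 6, 443, 40, 30000) for i in range(10)]
    # forty 1-packet flows to consecutive ports on one VM within a few seconds
    flows += [Flow(200 + p // 10, "10.8.180.50", "10.8.180.10", 6, p, 1, 60) for p in range(1, 41)]
    # a DNS lookup is a tiny flow too, but hits only one port, so it must not be flagged
    flows.append(Flow(205, "10.8.180.21", "10.8.180.2", 17, 53, 1, 70))
    return flows


def detect_vertical_scans(flows: List[Flow], window_s: int = 60, port_threshold: int = 20,
                          max_packets: int = 3) -> List[Tuple[str, str, int]]:
    """Return (src, dst, distinct_ports) for pairs whose short flows cover at least
    `port_threshold` different destination ports within one `window_s` bucket."""
    ports: Dict[Tuple[str, str, int], Set[int]] = defaultdict(set)
    for f in flows:
        if f.proto not in (6, 17) or f.packets > max_packets:
            continue                           # established sessions are not probes
        ports[(f.src, f.dst, f.first_seen // window_s)].add(f.dport)
    hits = {(src, dst, len(p)) for (src, dst, _), p in ports.items() if len(p) >= port_threshold}
    return sorted(hits)


if __name__ == "__main__":
    for src, dst, n in detect_vertical_scans(sample_flows()):
        print(f"possible port scan: {src} -> {dst}, {n} distinct ports")
```

Because the Nexus 1000v applies the monitor on the vEth, the records cover VM-to-VM traffic that never leaves the host; the same logic run on a collector in the Common Services Block is the anomaly detection the Security Management slide describes, fed by the port-profile rather than by a physical SPAN port.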
Summary
Virtualization is the catalyst that enables IaaS.
Cisco provides end-to-end Cloud infrastructure device virtualization, which is a key requirement in a multi-tenant environment.
Virtualization technologies like VDC, VRF, VLAN and Virtual Contexts on services like FW, LB & Intrusion Prevention Systems are key to deploying a Cloud infrastructure.
The Cisco Nexus 1Kv DVS in the Hypervisor provides enhanced Security and Switching capabilities to virtual machines.
When using device virtualization, access to each management plane should be limited and enforced based on user authentication and role.
Virtualization introduces new security challenges, but the traditional security problems remain unchanged and security policies still need to be enforced.
Questions?
Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes. Winners announced daily.
Receive 20 Cisco Preferred Access points for each session evaluation you complete.
Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
Don't forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year.
Activate your account at any internet station or visit www.ciscolivevirtual.com.
Check the Recommended Reading brochure for suggested products available at the Cisco Store.
Enter to Win a 12-Book Library of Your Choice from Cisco Press
Visit the Cisco Store in the World of Solutions, where you will be asked to enter this Session ID code