Security And Virtualization In The Data Center


Security and Virtualizationin the Data Center

Speaker information Contact information:––––David AndersonSolutions ArchitectBorderless Security team – USE-mail: Focus areas:–––––Data Center SecurityVirtualizationSecure MobilitySecurity DesignCompliance (PCI, Federal)

Takeaways To effectively integrate security must understand the core datacenter fabric technologies and features: VDC, vPC, VRF, servervirtualization, traffic flows Security as part of the core design Designs to enforce microsegmentation in the data center Enforce separation of duties in virtualized and cloud environments Security to enforce continuous compliance

Secure Data CenterData Center PrimerSecure Data Center ComponentsSecure Data Center DesignFundamentalsSecure Data Center Design Details

Data CenterPrimer:Terms andTechnology

Cisco Datacenter Terms PrimerKnow the lingo VDC – Virtual Device Context VPC – Virtual Port Channel VSS & MEC – Virtual Switching System & Multi-chassisEther-channel VSL & Peer Link – Virtual Switch Link ECMP – Equal cost Multi-Path VSD – Virtual Service Domain VBS – Virtual Blade Switching VRF – Virtual Routing & Forwarding FabricPath

Data Center tchStorage& SANComputeAccessAggregationand ServicesCoreEdgeIP-NGNBackboneVirtual rtual DeviceContextsInternetIP-NGNService ProfilesVirtual MachineOptimizationPort Profiles & VNLinkPort Profiles & VNLinkApplication Control(SLB )Service ControlFibre ChannelForwardingFabric ExtensionPartners

Secure Data Center tchStorage& SANComputeAccessAggregationand ServicesCoreEdgeIP-NGNBackboneVirtual DeviceContextsFirewall n DetectionInternetVirtual DeviceContextsSecure DomainRoutingStorage MediaEncryptionIP-NGNService ProfilesPort Profiles & VNLinkVirtual FirewallEdge and VMVirtual MachineOptimizationPort Profiles &VN-LinkPartnersFibre ChannelForwardingFabric ExtensionLine-Rate NetFlowApplication Control(SLB )Service ControlVirtual Contexts forFW & SLB

Data Center Security Challenges

Security Threats & Considerations Denial of Service i.e. (Google, Twitter, Facebook) APT – Targeted Attacks / Nation State Attacks Data Protection for Privacy and Data Compliance Application Exploits (SQL Injection) Malware / Botnets Mobile Malicious Code Virtualization Concerns

Secure the PlatformAdd Security ServicesNetwork security best practices Network device hardeningDefense in DepthAAANetFlowSeparation of duties and least privilegesVirtualization specifics VRF, VLAN, Access control Lists Stateful Network Firewalls Intrusion Detection and Prevention Web firewalls Load BalancersFollow hypervisor hardening recommendations SSL OffloadingAccess Controls (production vs. management) Virtual security appliancesSecure and harden Guest OSSegmentation Management and Visibility tools

Data Center Security Components:What’s in our toolbox

Physical and Virtual Service Nodes1Redirect VM traffic via VLANs toexternal (physical) or2Apply hypervisor-basednetwork VLANsVirtual ContextsTraditional Service NodesVSNVSNVirtual Service Nodes

Physical FirewallsASA Services ANsVirtual ContextsTraditional Service NodesASA 5585 Appliance

Features in ASA FirewallsEtherChannel ASA supports Link Aggregation Control Protocol (LACP),an IEEE 802.3ad standard Each port-channel supports up to 8 active and 8 standbylinks Supported methods of aggregation: Active, Passive & On EtherChannel ports are treated just like physical andlogical interfaces on ASA ASA can tie-in directly to vPC (Nexus 7000) or VSS(6500) enabled switchUp to 32 interfaces per Virtual Context (formerly 2)– - 4 Interfaces per bridge group 8 bridge groups perVirtual Context

Catalyst 6500 VSS and Nexus 7000 vPC VSSDual Active Forwarding PathsLoop-Free DesignvPCpeer linkVSLMCECECActivePresentation IDMCECvPCECECActiveStandby 2007 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialvPCECStandby

ASA Integration with vPC & VSSvPCVSSpeer tion IDMCECECStandby 2007 Cisco Systems, Inc. All rights reserved.Cisco Confidential

Virtualization Concerns Policy Enforcement–Applied at physical server—not the individual VM–Impossible to enforce policy for VMs in motion Operations and Management–Lack of VM visibility, accountability, and consistency–Difficult management model and inability to ypervisorVLANsVirtual Contexts Roles and Responsibilities–Muddled ownership as server admin must configurevirtual network–Organizational redundancy creates compliance challenges Machine Segmentation–Server and application isolation on same physical server–No separation between compliant and non-compliantsystems

Virtualization & Virtual Service NodesVirtual Security exus 1000VZone based intra-tenantsegmentation of VMsASA 1000VVSNVSNVirtual Service NodesIngress/Egress multitenant edge deployment

Cisco‘s Virtual Security ArchitectureOrchestration / Cloud PortalsVirtual Network Management CenterVSGExtending existing operationalworkflows to virtualized environmentsASA 1000VExtending network services tovirtualized environmentsExtending networking to virtualizedenvironmentsNexus 1000VvPath

vPath— The intelligent virtual network vPath is intelligence build into Virtual Ethernet Module (VEM) of Nexus1000V (1.4 and above) vPath has two main functions:a. Intelligent Traffic Steeringb. Offload processing via Fastpath from virtual Service Nodes to VEM Dynamic Security Policy Provisioning (via security profile) Leveraging vPath enhances the service performance by moving theprocessing to HypervisorvPathNexus 1000V-VEM

vPath: Fast Path Switching for VMVMVM4Nexus 1000VDistributed Virtual Switch1vPathDecisionCaching2Initial PacketFlowFlow Access Control(policy evaluation)3ASA1000VVSG

Cisco Virtual Security GatewayVirtualSecurityGateway(VSG)Virtual NetworkManagementCenter(VNMC)Context awareSecurityZone basedControlsVM context aware rulesDynamic, AgilePolicies follow vMotionBest-in-classArchitectureEfficient, Fast, Scale-out SWNon-DisruptiveOperationsPolicy BasedAdministrationDesigned forAutomationEstablish zones of trustSecurity team manages securityCentral mgmt, scalable deployment,multi-tenancyXML API, security profiles

Virtual Security Gateway Context based rule engine, where ACLs can be expressedusing any combination of network (5-tuple), custom and VMattributes. It’s extensible so other types of context/attributescan be added in future No need to deploy on every physical server (this is due to1000V vPath intelligence) Hence can be deployed on a dedicated server, or hosted on aNexus 1010 appliance Performance optimization via enforcement off-load to 1000VvPath High availability

ASA 1000v Runs same OS as ASA appliance and blade Maintains ASA Stateful Inspection EnginesTenant BTenant AVDCVDCvApp IPSEC site-to-site VPNVSGVSGvAppCollaborative Security ModelVSGVSG for intra-tenant secure zonesVirtual ASA for tenant edge controls VSGIntegration with Nexus 1000V & vPathVirtual ASAVirtual ASAvPathvSphereNexus 1000V

Nexus 1000V Port ProfilesPort Profile – Port Groupport-profile vm180vmware port-group pg180switchport mode accessswitchport access vlan 180ip flow monitor ESE-flow inputip flow monitor ESE-flow outputno shutdownstate enabledinterface Vethernet9inherit port-profile vm180interface Vethernet10inherit port-profile vm180Support Commands Include: Port management Port-channel ACL VLAN Netflow PVLAN Port Security QoSvCenter API

Security Policy to Port Profile

Design Fundamentals

Secure Data Center Network security can be mapped and applied to both thephysical and virtual DC networks Zones can be used to provide data centric security policyenforcement Steer VM traffic to Firewall Context Segment pools of blade resources per Zone Segment Network traffic w/in the Zone–System Traffic–VM Traffic–Management Traffic Lockdown elements w/in a Zone Unique policies and traffic decisions can be applied to eachzone creating very flexible designs Foundation for secure private cloud

Understand Network and Application Flows Understand how the applications are deployed and accessed both internally and externally Understand the North-South, East-West flow patterns Adjacency of services to servers is important. Adding services to existing flow patternsminimizes packet gymnastics! Again, design with the maximum amount of high availability: know your failover and failbacktimes, traffic paths during failover se-zoneOnly Permit ApplicationOnly Permit Webservers access to Databaseservers access toApplication servers servers

Important Careful attention should be given to where the server‘s defaultgateway resides Can be disruptive to introduce changes to where the gatewayresides. Non-greenfield designs require flexibility for deployingnew services. Ex. From switch to service appliance Service introduction ie. Firewall, Web security, load balancing, canall have an impact on data center traffic flows Design with the maximum amount of high availability: know yourfailover and failback times, traffic paths during failover scenarios Multicast support considerations for L2 vs L3 services

Traditional North-South Traffic FlowControlInternetAggregationASAw/ IPSAccess:Top of RackZone A Ingress and Egress traffic is from eachzone is routed and filtered appropriately Physical firewall, IPS, etc deployed foreach zone Physical devices for each zonesometimes required but can be expensiveZone BsolutionZone CvAppvAppvSpherevSphere

Network Virtualization and ZonesAcme Co. - Control Traffic and Apply Policy per Zone Zones used to provide datacentric security policyenforcement Physical network securitymapped per zoneUnique policies and trafficdecisions applied to eachzone– VRF, Virtual Context Lockdown elements in ZoneSteer VM traffic toFirewall ContextVirtual SwitchvSphereSegment pools ofblade resourcesper ZoneVirtual SwitchvSphereSegment Network trafficin the Zone-System Traffic-VM Traffic-ManagementTraffic34

North-South Traffic with Network VirtualizationInternetPhysical ASAAggregationVLAN 10192.168.10.1VLAN 20VRF192.168.20.1ASAVirtual Context(Layer 2)AccessZone AZone BZone CvAppvAppvSpherevSphere

Microsegmenation:Per Zone, Per VM, Per vNICAggregationVLAN 10VLAN 20IPSECVirtual ASAVirtual ASAZone BZone A VSGvPathvSphereNexus 1000VStateful filtering foringress/egress for Zone.Near East: VM segmentation based onVM attributes or ACL Zone to zone can beencrypted viasegmentationIPSECDemonstrableand encryption forvirtualization complianceZone CTenant BVDCVDCvAppVSGVSGvAppvPathvSphereNexus 1000V

Segmentation of Production and mtvPathProductionNexus 1000VVMNIC 1StorageVMNIC 2VMNIC 3ASA 1000VVMNIC 4Management NetworkProduction NetworkProductionNetworkvCenterVNMCStorage

Visibility: Monitor VM to VM TrafficAggregationID:2ERSPAN DSTIntrusion DetectionNetFlow AnalyzerNexus 1000V supports NetFlow v9 ERSPAN/SPAN Permit protocol typeheader “0x88BE” forERSPAN GRE ERSPAN does notsupport fragmentation 1000V requires Netflowsource interfaceDefaults to Mgmt0ID:1NetFlowSPANmonitor session 1 type erspansourcedescription N1k ERSPAN – session 1monitor session 3 type erspandestinationdescription N1k ERSPAN to NAMZone BZone CVDCVDCvAppVSGVSGvAppmonitor session 2 type erspan-sourcedescription N1k ERSPAN –session 2monitor session 4 type erspandestinationdescription N1k ERSPAN to IDS1vPathvSphereNexus 1000V

Virtualization & Compliance:PCI DSS 2.0 PCI security requirements apply to all ‗systemcomponents.‘Guidance All virtual components in scope System components are defined as: All virtual communications– Any network component, server, or application thatand data flows must be identified andis included in or connected to the cardholder dataenvironment.documented– Virtualization components such as virtual machines,virtual switches/routers, virtual appliances, virtual Virtualized environment must maintainapplications/desktops, and hypervisors.proper segmentation The cardholder data environment is that part of thenetwork that possesses cardholder data or sensitiveauthentication data. Adequate network segmentation, which isolatessystems that store, process, or transmit cardholderdata from those that do not, may reduce the scope ofthe cardholder data environment. Must meet intent of all 12 tStorageProductionSource PCI DSS 2.0VMNIC 1Nexus 1000VVMNIC 2 VMNIC 3ASA1000VVMNIC 4

Design Details

Secure Data Center Reference Architecture 2x Nexus 7010s with VDCs (Core and Aggregation) (NX-OS 5.1(3))2x Nexus 5Ks for top of rack2x ASA 5585-60 with IPS2x 6500-E with ASA-SMs2x Virtual Security Gateway (VSG) in HA mode2x Nexus 1000V with redundant VSMsIdentity Services Engine (ISE) for 802.1x user AAAStandard VMWare ESXi Infrastructure with multiple service domains(Active Directory, DNS, VDI, etc)

Traditional Model Services are Aggregated at the DistributionLayer Single or Multi-Tenant zone basedsegmentation Virtual Context create security zones from theDC edge to the Virtual Machine VRF- Firewall- VLAN- Virtual Switch- VirtualFirewall- vNIC- VM EtherChannel and vPC provide loop-freeLayer 2 environment Visibility and control for vm-to-vm flowsL2 BoundaryL3RoutedCore

–Data Center Security –Virtualization –Secure Mobility –Security Design –Compliance (PCI, Federal) Takeaways To effectively integrate security must understand the core data center fabric technologies and features: VDC, vPC, VRF, server virtualization, traffic flows Security as part of the core design Designs to enforce microsegmentation in the data center Enforce .