We re ready. Are you?

Transcription

1 We re ready. Are you?

2 Security Architectures and the Data Center Evolution: Physical, Virtual, and Automated Gustavo Santana Technical Solutions Architect CCIEx3# 8806 (DC, SAN, R&Sw)

3 Agenda Security Threats and Data Center Architectures The Physical Data Center The Virtual Data Center The Automated Data Center

4 Security Threats and Data Center Architecture

5 The Industrialization of Hacking 95% Of Major Corporations suffer attacks 100% Of organizations interact with sites that host malware Source: 2014 Cisco Annual Security Report Viruses Worms Spyware and Rootkits 2005 Today APTs Cyberware Today +

6 Data Center Architecture

7 Data Center Architecture Applications Application Services Security Networking Servers SAN Storage Facilities

8 The Innovation Interval Is Compressing DC Architectures Physical Virtual Automated MAINFRAME MINICOMPUTER CLIENT SERVER DISTRIBUTED COMPUTING WEB SOFTWARE DEFINED X, DISAGGREGATED COMPUTING, SILICON PHOTONICS, APPLICATION CONTAINERS, ETC. SERVER VIRTUALIZATION CONVERGED INFRASTRUCTURE STORAGE VIRTUALIZATION HYPERCONVERGED

9 The Physical Data Center (Before 2006)

10 Edmund Burke

11 Common Attacks Viruses Website Defacing Low sophistication (SQL Injection, Buffer overflow, ) Fame Worms Destructives Network Impact CodeRed, Ninda

12 Security Access Control Lists (ACLs) ip access-list extended myacl permit tcp host host eq telnet interface GigabitEthernet3/1 ip address ip access-group myacl in applies ACL to interface Named ACL can be used to filter IP, TCP, UDP, ICMP traffic and more

13 Promiscuous Isolated Community A Community B Private VLANs

14 Intrusion Detection System (IDS) SOC IDS sig: SQL Inject sig: Conflicker sig: NINDA sig:code RED... SPAN port, Hub, TAP, or VACL

15 Firewall L2 L3 L4 L5-7 MAC src MAC dst IP src IP dst Port src Port dst Farmvile Firewall Tradicional Whitelist Behavior

16 Intrusion Prevention System (IPS) L2 L3 L4 L5-7 Deep Inspection MAC src MAC dst IP src IP dst Port src Port dst Farmvile Firewall Tradicional Blacklist Behavior IPS StandAlone SIO Updates sig: SQL Inject sig: Conflicker sig: NINDA sig:code RED Sig: Apache DoS..

17 North-South Data Center Topology Internet/WAN L3 L2 IDS Firewall/IPS Security ACLs East-West

18 Virtual Contexts Firewall VLAN10 VLAN20 VLAN30 Server Load Balancer VLAN110 VLAN120 VLAN130 App 1 App 2 App 3

19 Network Containers COMMON PHYSICAL INFRASTRUCTURE LOGICAL VIEW PER TENANT, SERVICE OR APPLICATION WAN DC NETWORK

20 The Virtual Data Center ( )

21 E. R. Beadle

22 Common Attacks Spyware and Rootkits Hacking Industry Obfuscation Techniques Botnets, Command-and-Control (CnC)

23 Traffic Distribution (Cisco Global Cloud Index) 17% End Users Internet/WAN Primary DC 7% Secondary DC 76%

24 Virtual Machine Mobility Limited per Rack or POD DC Virtual DC DC POD POD POD POD

25 Host 7 Host 6 Host 5 Host 4 Fabric = Big Non-Blocking Switch Host 1 Host 2 Host 3 Host 1 Host 2 Host 3 Host 4 Host 5 Host 6 Host 7

26 Host 7 Host 6 Host 5 Host 4 Fabric = Big Non-Blocking Switch LC LC LC LC LC FM FM FM LC LC LC LC LC Host 1 Host 2 Host 3

27 Spine-Leaf Topology Spines L3 L2 FabricPath Leaves Border Leaves Edge Internet/WAN Rack Blade Server UCS

28 Physical Firewall L3 L2 Fabric Path Border Leaves vpc Virtual Port Channel High Performance with Advanced Inspection Firewall Clustering

29 Virtual Networking Challenges No visibility Network Perimeter VMs on wrong VLANs NIC NIC Different control policies vswitch VM App OS VM App OS Illicit communication between VMs Host Virtual DMZ?

30 Cisco Nexus 1000V for Multi-Hypervisor NS1000V Virtual Networking Services Virtual ASAv vwaas VSG Supervisor Modules Physical Appliance: Cloud Service Platform Primary Secondary VSM vnam VSG NS1000V VSM vnam VSG NS1000V Virtual Ethernet Module vpath VXLAN ESX Virtual Ethernet Module vpath VXLAN WS2012 Hyper-V Virtual Ethernet Module vpath VXLAN KVM/OpenStack

31 Virtual Networking Security Services Virtual Security Gateway ASAv Traffic between VMs (East-West) External Access to VMs (North-South)

32 Micro-segmentation: Security Profiles per VM Attribute Administrador de Segurança

33 Micro-segmentation: Secure Group Tag N1000V: Assigns SGT based on Port-profile Assignments HR Dev VM VM VM VM Hypervisor Nexus 1000V VEM HR VM VM VM VM Hypervisor Dev Nexus 1000V VEM Server Server Finance Application ASA

34 VLAN Challenges VM VM VM VM VM VM VM VM Virtual Switch Hypervisor Up to 4094 segments Virtual Switch Hypervisor Per Device Provisioning Physical Network

35 VXLAN (Virtual extensible LAN): RFC 7348 VM VM VM VM VM VM VM VM Nexus 1000V Hypervisor VXLAN Up to 16M segments Nexus 1000V Hypervisor VXLAN Physical Network

36 Physical VXLAN Gateways VM VM VM VSM Users VM VM VM VSM Nexus 1000V VXLAN vsphere, Hyper-V, KVM Internet/WAN Nexus 1000V VXLAN vsphere, Hyper-V, KVM Nexus 5600, 6K, 7K, 9K ASR1K, ASR9K, ASA Physical Servers

37 Virtual VXLAN Gateways VXLAN VLAN 100 Layer 3 VXLAN ASAv VLAN 200 CSR 1000V Layer 2 VXLAN 5000 VXLAN Gateway CSP or x86 VLAN 500

38 VACS Virtual Application Container Services (VACS) Cloud Orchestrator VACS Administrator Internet/WAN REST API GUI Shared VLAN UCS Director Container CSR 1000V VSG Container CSR 1000V VSG Container CSR 1000V VSG PNSC Nexus 1000V VXLAN 5001 VXLAN 5002 VXLAN VM Manager Web Application Database Web Application Database Web Application Database

39

40

41 Valid Questions How can I have the same security policies for physical and virtual machines? How to provision networking (with security) automatically? How to achieve application-based visibility?

42 The Automated Data Center (After 2013)

43 Henry Ford

44 Attacks Advanced Persistent Threats (APTs) Cyberware 2013-Today Sophisticated code Script kids Multiple techniques Horizontal spread

45 Data Breach Anatomy 1 Research targets (Scan for Vulnerabilities) 2 Application Attack (SQL Injection, Buffer-Overflow) 3 Malware Transfer Perimeter (Inbound) 4 Malware installed, back door established and receives commands from CnC server Attacker 5 Scan DMZ for vulnerable Servers to exploit & retain alternative back door + find Target Server (DB) CnC Server 8 System compromised and data breached. 6 Target server found. Access to database backup, then copy them to staging server Perimeter (Outbound) 7 Target Node Zip data, slice it to multiple files, and send those out to external site over HTTPS Data Center

46 Next Generation Firewall L2 L3 L4 L5-7 Deep Inspection MAC src MAC dst IP src IP dst Port src Port dst AngryBird FW, VPN, IPS & APP, ID, URL CONTEXT-BASED Who is the user? Which is the application? Unified Management

47 Bi-Modal IT Traditional Systems of Record Cloud-Scale Systems of Engagement Getting IT Right SCM ERP/Financial Client/ Server CRM Getting IT Fast Online Content Gaming Mobile IoT ecommerce Efficient Stable Resilient Many Applications Single Application Agile / TTM / BU focused Experimental Rapid Application Evolution Server Single Server Many Servers

48

49 ACI Components APPLICATION CENTRIC INFRASTRUCTURE NEXUS 9000 APPLICATION POLICY INFRASTRUCTURE CONTROLLER ECOSYSTEM s APIC

50 ACI Example Web Application Profile The Application App DB External Users QoS QoS QoS P P P Filter Filter Filter Only VMs Physical P = Connectivity Policy Physical and Virtual

51 ACI Example

52 How to Insert a Firewall and an ADC

53 Application Profile with Service Chain

54 Provisioning an Application Profile Bare Metal Virtual Machine Containers Client Modeling Storage Storage Web Tier App Tier DB Tier Instantiation APIC VM VM VM VM VM VM VM

55 ACI is a Multi-Hypervisor Fabric Network Admin APIC ACI Fabric VLAN VXLAN VLAN NVGRE VLAN VXLAN VLAN VMware Microsoft Red Hat XenServer ESXi Hyper-V KVM VMware Microsoft Red Hat BARE METAL Virtualization Admin

56 Application Virtual Switch (AVS) Managed via APIC Segmentation: VLAN, VXLAN DVS AVS Microsegmentation: Port Group, MAC, IP, Guest OS, VM name, hypervisor, AVS AVS Extended ACI Fabric

57 Why Hybrid Cloud? Control DC/Private Clouds Security Data Sovereignty Economics Speed Scale Public Clouds Fixed workloads Choice to build / rent across providers Workload portability Consistent security Elastic workloads

58 Cisco Intercloud Native Cloud Applications Big Data and Analytics Enterprise Workloads Metacloud Collaboration and Video Enterprise Private Clouds WebEx HCS Meraki Security IaaS PaaS Partner Clouds Cisco Intercloud Services Analytics Microsoft Suite aas DRaaS Public Clouds HANA aas vdesktop aas IOE aas

59 Cisco Intercloud Fabric Architecture VM Manager ICFD App_VM VLAN 701 ICX VLAN 702 Web_VM WebServerA Private Cloud IP packet (ICX-ICS) Ethernet Frame (VM-VM) ICS VSG CSR Public Cloud ICFD = Intercloud Fabric Director ICX = Intercloud extender ICS = Intercloud Switch

60 Creating VM in Public Cloud

61 VM is Created in Cloud Provider

62 Migrating a VM to a Public Cloud

63

64 VM is Migrated

65 Intercloud Fabric Example VM Manager App_VM VLAN 701 VLAN 702 ICFD Web_VM ICX ICS VSG AppServer- 13 CSR WebServerA

66 Thank you

67 Reference Chapter 1: Virtualization definition and Data Center concepts Chapter 2: Ethernet evolution, common network topologies, and ANSI/TIA-942 Chapter 3: VLANs and VRFs Chapter 4: Server load balancing and virtual contexts Chapter 5: VDCs Chapter 6: vpc and FabricPath Chapter 7: FEX Chapter 8: EoMPLS, VPLS, and OTV Chapter 9: Storage concepts, SCSI, and virtualization Chapter 10: Fibre Channel and VSANs Chapter 11: FCIP, IVR, and NPV Chapter 12: DCB and FCoE Chapter 13: Server evolution (x86, virtualization e UCS) Chapter 14: Service Profiles Chapter 15: Nexus 1000V, VXLAN, and VM-FEX Chapter 16: vpath, VSG, ASA 1000V, vwaas, and CSR 1000V Chapter 17: Cloud computing, SDN, and Cisco ONE

68

69

70 What is MACSec? MACSec provides secure communication on Ethernet connections Guest User ENCRYPT DECRYPT 802.1X PaXrZRnOanUQ r75ptkp10eao zhip0cae34dx LRHdyhWz8k Authenticated User Supplicant With MACSec 802.1AE/Cisco SAP

71 Use Case: MACSec for Secure DCIs Single Access dark Fiber Connectivity Datacenter 1 Datacenter 2 Nexus 7000 Nexus 7000 Dual Access with dark Fiber Connectivity Datacenter 1 Datacenter 2 Nexus 7000 Nexus 7000 Nexus 7000s as Bulk Encrypters for Self managed MPLS DCI Cores Datacenter 1 Datacenter 2 Nexus 7000 Nexus 7000 MPLS Core V P C V P C Nexus 7000 Nexus 7000 Nexus 7000 Nexus 7000

72 Use Case: MACSec for Securing OTV DCIs OTV IP or Multicast-enabled Transport OTV S1 Receiver (for Gs1) S2 West East Receiver (for Gs2) OTV South