Security & Virtualization in the Data Center


2 Security & Virtualization in the Data Center
Jim Kotantoulas, Consulting SE, Security Technologies, CCIE #4446

3 Abstract
The evolving complexity of the data center is placing increased demand on the network and security teams to come up with inventive methods for enforcing security policies in these ever-changing environments. The goal of this session is to provide participants with an understanding of features and design recommendations for integrating security into the data center environment. This session will focus on recommendations for securing next-generation data center architectures. Areas of focus include security services integration, leveraging device virtualization, and considerations and recommendations for server virtualization. The target audience is security and data center administrators. Related sessions are BRKSEC-2009 "Securing Cloud Computing" and TECSEC-2670 "Data Center Security".

4 Session Objectives
- Discuss common virtualization security concerns
- Gain an understanding of aligning physical and virtual network security resources
- Focus on tools available to unify policy enforcement for the virtual environment
- How to increase overall visibility for virtual machine traffic flows
- Understand application centric infrastructure and how security services can be integrated

5 Security and Virtualization in the Data Center: Agenda
- Virtualization Trends, Priorities, Concerns
- Virtual Network Security Services
- Physical Network Security Services for Virtualization
- Threat Identification and Correlation
- Application Centric Infrastructure Security
- Summary

6 The Evolving Data Center Architecture: Virtualization on Commodity Compute
(Figure: the traditional model, one application and one OS per server, versus the virtualized model, many apps or VMs on one server or host above a hypervisor; the application transition reaches a tipping point. Source: IDC, Nov 2010)

7 Building an Efficient DC Fabric to Scale
- Starting point: the compute workload domain
- Scaling and distribution of the workload (striping servers and VMs amongst the rack, along the row, between the rows, ...)
- Scaling of the workload capabilities (number of servers and VMs)
- The architectural goal is a balance between the need to scale the application workload capabilities and providing availability and manageability of the network fabric
- Improving the efficiency of the data center requires a more scalable and flexible network fabric design

8 Server Virtualization
- A single physical server hosts multiple independent guest OS and applications
- The hypervisor abstracts the physical hardware from the guest OS and applications
- Partitions system resources: CPU, memory, disk, network
- Application and OS are encapsulated as a virtual machine

9 Common Virtualization Concerns: Policy, Workflow, Operations
- Unified policy enforcement: policy is applied at the physical server, not the individual VM; impossible to enforce policy for VMs in motion
- Operations and management: lack of VM visibility, accountability, and consistency; difficult management model and inability to effectively troubleshoot
- Roles and responsibilities: muddled ownership as the server admin must configure the virtual network; organizational redundancy creates compliance challenges
- Isolation and segmentation (machine and application segmentation): server and application isolation on the same physical server; no separation between compliant and non-compliant systems
(Figure: hypervisor with an initial and a secondary infection, annotated with management and monitoring, and roles and responsibilities)

10 Virtualization Security: Virtualization Attention Deficit Disorder
Questions on the slide: Collateral hacking? Segmentation? Side channel attacks? Visibility? Threat identification and defense? What about hypervisor hyperjacking? VM escape? What am I having for dinner?
Topics around the virtualization security wheel: Role Based Access, VM OS Hardening, Physical Security, V-Motion (Memory), Patch Management, VM Sprawl, V-Storage (VMDK), VM Segmentation, Hypervisor Security

11 Simple, Effective, Achievable: Defend, Detect, Control
- Segmentation: establish boundaries (network, compute, virtual); enforce policy by functions, devices, organizations, compliance; control and prevent unauthorized access to networks, resources, applications (north-south)
- Threat defense: stop internal and external attacks and interruption of services; patrol zone and edge boundaries; control information access and usage, prevent data loss and data modification
- Visibility: provide transparency to usage (east-west); apply business context to network activity; simplify operations and compliance reporting

12 Virtual Network & Security Services

13 Managing Virtual Networking Policy: Virtual Switches, Example Nexus 1000V
- Non-disruptive operation model to maintain current workflows using Port Profiles
- Maintain network security policies with isolation and segmentation via VLANs, Private VLANs, port-based access lists, Cisco Integrated Security Features
- Ensure visibility (VM introspection) into virtual machine traffic flows using traditional network features such as ERSPAN and NetFlow
(Figure: Nexus 1000V at the centre of the network team (isolation and segmentation), the server team (management and monitoring) and the security team (roles and responsibilities))

14 What is a Nexus Port-Profile?
- A port profile is a container used to define a common set of configuration commands for multiple interfaces
- Define once and apply many times
- Simplifies management by storing interface configuration
- Key to collaborative management of virtual networking resources
Why is it not like a template or SmartPort macro?
- Port-profiles are live policies
- Editing an enabled profile will cause configuration changes to propagate to all interfaces using that profile (unlike a static one-time macro)
* For lots more detail, reference BRKVIR-3013 Deploying and Troubleshooting the Nexus 1000V

15 Port Profiles
Port Profile > Port Group (pushed through the vCenter API). The network side defines the profile:
  port-profile vm180
   vmware port-group pg180
   switchport mode access
   switchport access vlan 180
   ip flow monitor ESE-flow input
   ip flow monitor ESE-flow output
   no shutdown
   state enabled
The server side inherits it on the virtual Ethernet interfaces:
  interface Vethernet9
   inherit port-profile vm180
  interface Vethernet10
   inherit port-profile vm180
Security: Nexus 1000V supports ACLs, Quality of Service (QoS), PVLANs, port channels, SPAN ports, vMotion policy stickiness

16 Nexus 1000V Security Features: Laying the Foundation
- Switching: L2 switching, 802.1Q tagging, VLAN segmentation, rate limiting (TX); IGMP snooping, QoS marking (COS & DSCP)
- Security: Virtual Service Domain, Private VLANs with local PVLAN enforcement; access control lists (L2-4 with redirect), port security, vPath/VSG; dynamic ARP inspection, IP Source Guard, DHCP snooping
- Provisioning: automated vSwitch configuration, port profiles, Virtual Center integration; optimized NIC teaming with Virtual Port Channel Host Mode
- Visibility: VMotion tracking, ERSPAN, NetFlow v9, CDP v2; VM-level interface statistics
- Management: Virtual Center VM provisioning, Cisco network provisioning, CiscoWorks; Cisco CLI, RADIUS, TACACS, Syslog, SNMP (v1, 2, 3)

17 vPath Enables Chaining of Network Services
vPath is the Nexus 1000V data plane component:
- Topology-agnostic service insertion model
- Service chaining across multiple virtual services
- Performance acceleration with vPath, e.g. VSG flow offload
- Efficient and scalable architecture
- Non-disruptive operational model
- VM policy mobility with VM mobility
(Figure: Nexus 1000V on the hypervisor with vPath steering traffic to Cloud Network Services (CNS))

18 What is the Virtual Security Gateway?
- VSG is an L2 firewall that runs as a virtual machine, a bump in the wire, similar to the L2 transparent FW mode of the ASA
- It provides firewall inspection between L2-adjacent hosts (same subnet or VLAN)
- It can use VMware attributes for policy
- Provides the benefits of L2 separation for East-West traffic flows
- One or more VSGs are deployed per tenant
- Requires the Nexus 1000V virtual distributed switch and utilizes the vPath forwarding plane
(Figure: VSG in front of groups of virtual hosts)

19 VSG Attributes: vCenter VM Attributes
Name | Meaning | Source
vm.name | Name of this VM | vCenter
vm.host-name | Name of this ESX host | vCenter
vm.os-fullname | Name of the guest OS | vCenter
vm.vapp-name | Name of the associated vApp | vCenter
vm.cluster-name | Name of the cluster | vCenter
vm.portprofile-name | Name of the port-profile | Port-profile
- The VM attribute information collected is used for enforcing security policy
- Security Policy Profile: defined and managed by VNMC / Prime Network Services Controller (NSC); bound to the Cisco Nexus 1000V VSM port-profile

20 Policy Workflow: Server, Network, Security
Mitigate operational errors between teams:
- The security team defines security policies (security profile in Prime NSC)
- The networking team binds the port-profile to the VSG service profile (Nexus 1000V)
- The server team assigns VMs to Nexus 1000V port-profiles (port group in vCenter)

21 Introducing the Virtualized ASA (ASAv)
- Developed due to customer feedback for a complete ASA firewall running as a virtual machine
- Nexus 1000V not required
- Will support VMware first, then other hypervisors
- ASA feature parity (with some exceptions); no support for:
  1. ASA clustering
  2. Multi-context mode
  3. Etherchannel interfaces
  4. Active/Active failover (requires multi-context mode)

22 ASAv Deployment: Cloud Security FW+VPN
- Today multi-context mode on the ASA is used to provide firewall inspection for multi-tenant and multi-zone environments
- Trunks are typically used to transport zone and tenant traffic
- The challenge of E-W scale requires more firewall resources and a scalable solution
- ASAv provides the edge firewall and can scale for E-W buildout
- Each tenant or zone gets one or more ASAv for FW + VPN
- Scaled VPN termination for S2S and RA VPN clients
(Figure: a multi-context mode ASA with VFW 1-3 serving Zone 1-3, compared with an ASAv per Vzone serving VM 1-8)

23 ASAv: Three Modes of Policy Enforcement
- Routed firewall: routing traffic between vNICs; maintains ARP and routing table; tenant edge firewall
- Transparent firewall: VLAN or VXLAN bridging / stitching; maintains MAC-address tables; non-disruptive to L3 designs
- Service tag switching: applies inspection between service tags; no network participation; fabric integration mode

24 Routed Firewall: Tenant Edge Use Case
- Gateway: first-hop gateway to hosts; enables all client hosts, VM or physical
- Scale the number of data interfaces
- Shared: route between multiple subnets
- Traditional Layer 3 boundary in the network
(Figure: ASAv in routed mode with outside, inside, client and DMZ interfaces in front of host1 and host2)

25 Transparent Firewall
- Bridging up to 4 (sub-)interfaces
- Max 8 BVIs per ASAv
- NAT and ACL available
- Non-disruptive; PCI compliance
- Traditional Layer 2 boundary between hosts; all segments in one broadcast domain
(Figure: ASAv in transparent mode bridging Segment-1 to Segment-4 between the gateway, client, host1 and host2)

26 Nexus 5500 Application Security & Visibility: ASAv
- Stateful inspection with the virtual ASA for north-south and east-west VM traffic
- Transparent or routed mode
- Service elasticity
(Figure: Nexus 7000 VRF, VLAN 50 on an .1Q trunk to the Nexus 1000V on the UCS hypervisor, with the ASAv between VLAN 50 and the VLAN 200 web-zone and VLAN 300 fileserver-zone)

27 Nexus 5500 Application Security & Visibility: Service Chaining, ASAv and vIPS
- Stateful inspection with the virtual ASA for north-south and east-west VM traffic
- Deep inspection with the virtual IPS inline using VLAN pairing, or on a promiscuous port on the vSwitch
- Defense Center with FireSIGHT for application flow data
(Figure: Nexus 7000 VRF, VLAN 50 on an .1Q trunk to the Nexus 1000V on the UCS hypervisor; ASAv with external and internal sides, vIPS inline sets (external/internal) in front of the VLAN 200 web-zone and the fileserver-zone)

28 Virtual IPS 28

29 vIPS: Virtual Switch Inline and Passive Deployment Options
(Figure: inline deployment with the vIPS between an internal and an external vSwitch for the VLAN 200 web-zone, versus passive deployment on a promiscuous port of the VLAN 200 web-zone vSwitch)

30 FireSIGHT Context Explorer Application Security and Visibility View all application traffic Look for risky applications Who is using them? What else have these users been up to? On what operating systems? What does their traffic look like over time?

31 Application Security & Visibility Defense Center with FireSight 31

32 Application Security & Visibility Geo Location Information 32

33 Application Security & Visibility Defense Center with FireSight 33

34 Deployment Example

35 Layer 2 Segmentation: PVLANs for VM Isolation
- VMs in the same Layer 2 subnet can be isolated
- Only allowed to communicate outbound to the Layer 3 gateway
- Use an ACL on the gateway to block source and destination IPs from the PVLANs
- *PVLANs are also supported on the VMware vSwitch
(Figure: Nexus 7000 VRF with the VLAN 20 gateway, .1Q trunk carrying primary VLAN 20 to the Nexus 1000V on the UCS hypervisor, with isolated VLAN 100 (web-zone), isolated VLAN 200 (application-zone) and community VLAN 300 (fileserver-zone))

36 VM Visibility: NetFlow for VM Network Behavior Analysis
- VM flows can be mirrored via a SPAN port on the virtual switch; ERSPAN can also forward them via Layer 3 (e.g. to a NAM module)
- VM flow analysis via NetFlow for trending, visibility, and security
(Figure: Nexus 1000V on the UCS hypervisor exporting NetFlow/ERSPAN/SPAN at Layer 2 to a NetFlow data collector and at Layer 3 to a NAM, with isolated VLAN 100 (web-zone), isolated VLAN 200 (application-zone) and community VLAN 300 (fileserver-zone))

37 System Isolation via Micro-Segmentation
- Policy per app tier, per VM, per vNIC: ASAv and vIPS
- Control ingress/egress and inter-VM traffic: vFirewall, ACL, PVLAN, ASAv and vIPS
- Traffic and threat visibility: vIPS, NetFlow, SPAN/ERSPAN
- VSG mobility: transparent enforcement through port profiles
- Administrative segregation: server, network, security
(Figure: Tenant A with web-tier and app-tier VSDs and Tenant B with web, app and DB VMs, each on a Nexus 1000V with its SVM)

38 Services Application Construct Graph: Orchestration of Virtual Security
- Deployment automation of security services: SDN, ACI, orchestration products such as Embrane
- Let's have a look at ACI as an example
(Figure: End Point Group A (web server) to End Point Group B (app server) with contract rule: redirect; the graph runs from start through stages 1..N of firewall/IPS and load balancer instances to end)

39 Physical Security Services for Virtualization

40 Physical to Virtual Segmentation: VRF, VLAN, Virtual
- Merging physical and virtual infrastructure
- Zones are used to define policy enforcement
- Unique policies and traffic decisions applied to each zone
- Physical infrastructure mapped per zone: VRF, Nexus Virtual Device Context, VLANs, SGT
(Figure: segmentation building blocks, a Nexus 7K with ASA contexts CTX1-3, each zone with its pair of VLANs and SGTs, ASAv/VSG in Zone B and vIPS in Zone C)

41 ASA Firewalls and the Data Center Fabric: Data Center Aggregation Layer
- ASA and Nexus Virtual Port Channel: vPC ensures all active links are utilized (eliminates blocked STP links)
- ASA leverages DC redundancy technologies
- Unique integration with ASA and Nexus (LACP)
- The IPS module relies on ASA connectivity and provides DPI
- Validated design to provide segmentation, threat protection, visibility
- Transparent (recommended) and routed modes
- Works with both A/S and A/A failover
(Figure: core layer (Core IP1, Core IP2), aggregation layer N7K pair with vPC 40 and vPC 41 and a vPC peer-link, active and standby ASA, access layers with vPath/Nexus 1000V hypervisors)

42 ASA Connecting to Nexus with vPC: Best Practices Shown
- ASA connected to the Nexus using multiple physical interfaces on a vPC
- ASA can be configured to fail over after a certain number of links are lost (when using HA)
- Note that vPC identifiers are different for each ASA on the Nexus switch (this changes with the ASA clustering feature and cLACP [not yet shown])
(Figure: DC core/edge, aggregation layer N7K pair with vPC 40 and vPC 41 and a vPC peer link, the L3/L2 boundary at SVI VLAN 200 with FHRP, ASA channel 32 with FW HA, trunks to the access layer; north zone on VLAN 200 (outside) and the south zone on the inside VLAN 201)

43 Transparent Mode Configuration in the DC: Two Interfaces
  interface TenGigabitEthernet0/6
   channel-group 32 mode active
   no nameif
   no security-level
  !
  interface TenGigabitEthernet0/7
   channel-group 32 mode active
   no nameif
   no security-level
  !
  interface BVI1
   ip address
  !
  interface Port-channel32
   no nameif
   no security-level
  !
  interface Port-channel
   mac-address
   vlan 201
   nameif inside
   bridge-group 1
   security-level 100
  !
  interface Port-channel
   mac-address a1a.3232
   vlan 200
   nameif outside
   bridge-group 1
   security-level 0
(Figure: SVI VLAN with FHRP on each N7K, vPC trunk with allowed VLANs 1,201, the server in VLAN 201; north zone on VLAN 200 (outside), south zone on VLAN 201 (inside))

44 Physical to Virtual
- Leverage the physical infrastructure to provide isolation and segmentation for the virtual
- Zones are used to define policy enforcement
- Physical infrastructure mapped per zone
- Separate and dedicated routing tables per zone via VRF
- Firewall enforcement per zone maps north-south and east-west
- Layer 2 and Layer 3 path through physical services
(Figure: Nexus 7000 with VRF Blue and VRF Purple, each with its own firewall, Nexus 5500 and Nexus 1000V hypervisors)

45 Firewall & Virtual Environment: ASA Virtual Contexts for Inter-Zone VM Traffic Flows
- East-West zone filtering
- A firewall virtual context provides inter-zone East-West security
(Figure: physical layout with core and aggregation; ASA 5585 contexts 1 and 2 in transparent mode, with VLANs 20, 21, 100 and 101 between the aggregation layer and the front-end apps and database hypervisors)

46 Inspecting Inter-VLAN VM Traffic Flows: ASA with Bridge Groups within a Context
  interface TenGigabitEthernet0/6
   channel-group 32 mode active vss-id 1
   no nameif
   no security-level
  !
  interface TenGigabitEthernet0/7
   channel-group 32 mode active vss-id 2
   no nameif
   no security-level
  !
  interface BVI1
   ip address
  !
  interface Port-channel32
   no nameif
   no security-level
  !
  interface Port-channel32.20
   mac-address
   vlan 20
   nameif inside
   bridge-group 1
   security-level 100
  !
  interface Port-channel32.21
   mac-address a1a.3232
   vlan 21
   nameif outside
   bridge-group 1
   security-level 0
(Figure: physical layout with core and aggregation; Layer 3 gateway (VRF or SVI) with "interface vlan" SVIs carrying /24 addresses for VLAN 100 and VLAN 101; ASA 5585 in transparent mode bridging VLAN 20 and VLAN 21 for East-West VLAN filtering; hosts that are Layer 2 adjacent are switched locally and communicate directly)

47 ASA Clustering Overview
- Clustering is only supported on the 5580, 5585s and 5500-X (the 5500-X supports clustering of two units)
- The CCL (Cluster Control Link) is critical for the cluster; without it no clustering can occur
- A master is elected among cluster members for configuration sync only; it has no bearing on packet flow through the cluster itself
- New concept of a spanned port-channel, i.e. a port channel configuration that is shared among the clustered ASAs
- The cluster has capacity for rebalancing flows
- All flows in the cluster have an Owner and a Director and possibly a Forwarder
- The data plane of the cluster MUST use cLACP (spanned port-channel)
(Figure: core and aggregation with vPC 40 into the ASA cluster data plane, and the Cluster Control Link between the members)

48 Firewall Clustering: ASA Clustering to Meet DC Requirements
- IPS relies on ASA clustering
- The Cluster Control Link shares state and connection information among cluster members
- The ASA cluster includes Context 1 and 2 in transparent mode
- The cluster is functionally the same in either transparent or routed mode
- Cluster members are used for North-South and East-West inspection and filtering
(Figure: physical layout with core and aggregation, four ASA 5585 cluster members with Owner and Director roles, Context 1 and 2 serving the web apps and database hypervisors)

49 Firewall Section Summary
- Physical appliances and virtualized firewalls offer different options for security control in the DC
- Virtual firewalls (multi-context mode) are common for stateful control between VRFs and Nexus VDCs
- A transparent mode (L2) firewall offers many benefits without the constraints of routed mode: routing protocols, multicast, IPsec, etc. can all traverse it
- Use LACP for link aggregation in the DC
- Firewall clustering offers benefits for higher throughput and asymmetric flow reassembly
- Integration with emerging technologies, i.e. ACI

50 Enhanced Visibility and Threat Defense for the Data Center

51 NetFlow Security Use Cases
- Detecting sophisticated and persistent threats. Malware that makes it past perimeter security can remain in the enterprise waiting to strike as a lurking threat. These may be zero-day threats.
- Identifying botnet command & control activity. Botnets are implanted in the enterprise to execute commands from their bot herders to send spam, launch denial of service attacks, or perform other malicious acts.
- Uncovering network reconnaissance. Some attacks will probe the network looking for attack vectors to be utilized by custom-crafted cyber threats.
- Finding internally spread malware. Malware proliferation across hosts in the network interior can occur for the purpose of gathering security reconnaissance data, data exfiltration or network backdoors.
- Revealing data loss. Code can be hidden in the enterprise to export sensitive information back to the attacker. This data leakage may occur rapidly or over time.

52 NetFlow in a Nutshell
(Figure: the internal network exports NetFlow data to a NetFlow collector)

53 Cyber Threat Defense Solution Components
(Figure: StealthWatch Management Console and other tools/collectors over https; StealthWatch FlowReplicator; StealthWatch FlowCollector; Cisco ISE; NetFlow from the Cisco network, the NetFlow Generating Appliance (NGA), NBAR and NSEL; users/devices)

54 Cyber Threat Defense Solution: Visibility, Context, and Control
- What, where, when, who, how: data center context
- Use NetFlow data to extend visibility to the access layer (Cisco ASA + NSEL, Cisco ISR G2 + NBAR)
- Enrich flow data with identity, events and application to create context (Cisco ISE)
- Unify into a single pane of glass for detection, investigation and reporting

55 Cisco CTD Solution: Attack Detection without Signatures
- A high Concern Index indicates a significant number of suspicious events that deviate from established baselines
- Monitor and baseline activity for a host and within host groups
(Table: host groups with host, CI, CI%, alarms and alerts; the Desktops host group entry shows a high Concern Index driven by Ping, Ping_Scan and TCP_Scan events)

56 Identify Threats and Assign Attribution: Leveraging an Integration between Cisco ISE and Lancope StealthWatch
(Table: policy Inside Hosts, start active time 8-Feb-2012, alarm Suspect Data Loss, source host group Inside Hosts, data source Wired, user name Bob, target Multiple Hosts)

57 Detecting Internally Spreading Malware
1. Infection propagates throughout the internal network as the attacker executes their objective (initial infection on the devices, secondary infection in the data center)
2. The NetFlow-capable infrastructure generates records of the activity using NetFlow
3. Collection and analysis of the NetFlow data (StealthWatch FlowCollector)
4. Contextual information added to the NetFlow analysis (Cisco ISE)
5. Concern Index increased, worm propagation alarm generated (StealthWatch Management Console)

58 Detecting Internally Spreading Malware (continued)
Same build as slide 57, with a tertiary infection now appearing in the data center after the initial infection on the devices and the secondary infection: the infrastructure generates NetFlow records, the FlowCollector collects and analyses them, Cisco ISE adds context, and the Management Console raises the Concern Index and the worm propagation alarm.

59 Detecting Internally Spreading Malware
(Screenshot: for an IP address, an alarm indicating this host touched another host which then began exhibiting the same suspicious behavior, together with the suspicious activity that triggered the alarm)

60 Infection Tracking
(Figure: initial infection, secondary infection, tertiary infection)
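The worm-propagation logic of slides 55 to 60 (concern index accumulated from scan events, then tracking which alarmed host touched which) as an added, self-contained example; it is not StealthWatch code, and the flow records, scoring rules and thresholds are constructed assumptions for illustration.

```python
"""Behavioural NetFlow analysis in the spirit of the concern index / infection tracking
described above. The scoring rules, thresholds and sample flows are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int        # seconds since the start of the observation window
    src: str
    dst: str
    proto: str     # "tcp", "udp" or "icmp"
    dport: int     # 0 for icmp
    packets: int
    bytes: int
    flags: str     # TCP flags seen ("S" = SYN only), "" for non-TCP


SCAN_HOSTS = 8                                  # distinct targets before a scan event fires (assumed)
CI_POINTS = {"Ping_Scan": 40, "TCP_Scan": 60}   # concern index points per event (assumed)
ALARM_CI = 60                                   # concern index at which a host alarms (assumed)


def score_hosts(flows):
    """Return {host: (concern_index, [events])} for every host showing scan-like traffic."""
    icmp_targets = defaultdict(set)
    syn_targets = defaultdict(set)
    for f in flows:
        if f.proto == "icmp":
            icmp_targets[f.src].add(f.dst)
        elif f.proto == "tcp" and f.flags == "S" and f.packets <= 2:
            syn_targets[f.src].add(f.dst)          # unanswered SYNs: probe, not a session
    result = {}
    for host in set(icmp_targets) | set(syn_targets):
        events = []
        if len(icmp_targets[host]) >= SCAN_HOSTS:
            events.append("Ping_Scan")
        if len(syn_targets[host]) >= SCAN_HOSTS:
            events.append("TCP_Scan")
        result[host] = (sum(CI_POINTS[e] for e in events), events)
    return result


def track_propagation(flows, scores):
    """Assign an infection generation (0 initial, 1 secondary, 2 tertiary, ...) to each
    alarming host: B inherits generation(A) + 1 when an already-scanning host A completed
    a TCP session to B before B itself started scanning."""
    alarmed = {h for h, (ci, _) in scores.items() if ci >= ALARM_CI}
    onset = {}                                   # first scan-like flow per alarming host
    for f in sorted(flows, key=lambda x: x.ts):
        if f.src in alarmed and f.src not in onset and (f.proto == "icmp" or f.flags == "S"):
            onset[f.src] = f.ts
    generation = {}
    for b in sorted(alarmed, key=lambda h: onset[h]):   # earlier onset first
        parents = [f.src for f in flows
                   if f.dst == b and f.src in generation and f.proto == "tcp"
                   and "A" in f.flags and f.packets > 2      # a completed session, not a probe
                   and onset[f.src] <= f.ts < onset[b]]
        generation[b] = min(generation[p] for p in parents) + 1 if parents else 0
    return generation


def build_sample_flows():
    """Constructed records: a worm that ping-sweeps, SYN-scans, then compromises the next host."""
    flows = []
    for i, n in enumerate(range(20, 30)):                      # initial infection: 10.1.1.10
        flows.append(Flow(i, "10.1.1.10", f"10.1.1.{n}", "icmp", 0, 1, 64, ""))
        flows.append(Flow(10 + i, "10.1.1.10", f"10.1.1.{n}", "tcp", 445, 1, 60, "S"))
    flows.append(Flow(25, "10.1.1.10", "10.1.1.20", "tcp", 445, 12, 4096, "SPA"))   # compromise
    for i, n in enumerate(range(30, 40)):                      # secondary infection: 10.1.1.20
        flows.append(Flow(30 + i, "10.1.1.20", f"10.1.1.{n}", "tcp", 445, 1, 60, "S"))
    flows.append(Flow(45, "10.1.1.20", "10.1.1.30", "tcp", 445, 15, 8192, "SPA"))   # compromise
    for i, n in enumerate(range(40, 50)):                      # tertiary infection: 10.1.1.30
        flows.append(Flow(50 + i, "10.1.1.30", f"10.1.1.{n}", "tcp", 445, 1, 60, "S"))
    flows.append(Flow(5, "10.1.1.50", "10.1.1.80", "tcp", 443, 40, 30000, "SPA"))   # benign client
    return flows


if __name__ == "__main__":
    sample = build_sample_flows()
    sc = score_hosts(sample)
    for host, (ci, events) in sorted(sc.items()):
        print(f"{host:12} CI={ci:3} {events}")
    print("infection generations:", track_propagation(sample, sc))
```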

61 A Note on StealthWatch and NSEL (NetFlow Secure Event Logging)
- The Flow Action field can provide additional context
- State-based NSEL reporting is taken into consideration in StealthWatch's behavioral analysis (Concern Index points are accumulated for Flow Denied events)
- NAT stitching deduplicates flow records from the ASA and ASR1000
- The lack of TCP flags and bi-directional byte and packet counters limits the effectiveness of NSEL alone in detecting certain threats (e.g. SYN flood); the suggested deployment is to use it in combination with other NetFlow sources

62 Summary
- Leverages the Cisco network for security telemetry: NetFlow-enabled Cisco switches and routers become security telemetry sources; Cisco is the undisputed market leader in hardware-enabled NetFlow devices
- The Cisco network provides rich context: Cisco ISE + NetFlow + NetFlow Generating Appliance unites NetFlow data with identity and application ID to provide security context (user, device, posture, events, application, vulnerability, AV, patch; Cisco ISR G2 + NBAR)
- Provides threat visibility and context: FlowSensor + FlowCollector + StealthWatch Management Console, a single pane of glass that unifies threat detection, visibility, forensics analysis, and reporting

63 ACI Security Overview

64 ACI Introduces Logical Network Provisioning of Stateless Hardware
(Figure: application profile with Web, App, DB and Outside (tenant VRF) tiers, with QoS, filter and service policies between them, rendered by the APIC (Application Policy Infrastructure Controller) onto the ACI fabric: a non-blocking, penalty-free overlay)

65 ACI Fabric
- Flat hardware-accelerated network: full abstraction, de-coupled from VLANs and dynamic routing, low latency, built-in QoS
- Flexible insertion: every device is one hop away, microsecond latency, no power or port availability constraints, ease of scaling
- Flexible programmability: XML/JSON for the northbound API, Python scripting for custom device management
- Fabric port services: hardware filtering and bridging; seamless service insertion, service farm aggregation
- Unified management and visibility: the ACI controller manages all participating devices, with change control and audit capabilities
- Logical endpoint groups by role: heterogeneous clients, servers, external clouds; the fabric controls communication
(Figure: ACI spine nodes and leaf nodes connecting service nodes, physical endpoints and virtual endpoints)

66 ACI & Information Security
- CONFIDENTIALITY (preventing the disclosure of information to unauthorized individuals or systems): embedded multi-tenancy, service graphs, policy-based forwarding
- INTEGRITY (maintaining and assuring the accuracy and consistency of data over): APIs for auditing and forensics, physical + virtual visibility, always-on security
- AVAILABILITY (the information must be available when it is needed): distributed controllers, federation of app policies and rules, fabric-wide telemetry and RBAC

67 ACI Fabric Policy

68 Application Policy Model and Instantiation
- Application policy model: defines the application requirements (application network profile), e.g. client, web tier, app tier and DB tier with storage
- Policy instantiation: each device dynamically instantiates the required changes based on the policies distributed by the APIC
- All forwarding in the fabric is managed through the application network profile
- IP addresses are fully portable anywhere within the fabric
- Security and forwarding are fully decoupled from any physical or virtual network attributes
- Devices autonomously update the state of the network based on the configured policy requirements: what should be allowed to communicate, what should not be allowed to communicate, what should use an application service (firewall, ADC), what should have QoS, redirect, ... policies applied

69 ACI Policy Model: Formalized Description of Connectivity
- EPGs are a grouping of end-points representing an application or application components, independent of other network constructs
(Figure: policy model in which EPG Web groups HTTP service and HTTPS service endpoints)

70 Building Contracts
- Contracts define communication between source and destination EPGs
- Subjects are a combination of a filter, an action and a label (e.g. filter TCP port 80, action permit, label Web Access)
- Contracts are groups of subjects which define communication between EPGs (e.g. Contract 1 holding Subject 1, 2 and 3)

71 Policy Options: Actions
There are six policy options supported:
- Permit the traffic
- Deny (block) the traffic
- Redirect the traffic
- Log the traffic
- Copy the packet
- Mark the packet (DSCP/CoS)
Policy encompasses traffic handling, quality of service, security monitoring and logging.

72 Inter-EPG Communication Example
(Figure: application container Web (subnet and default gateway) and application container Database (subnet and default gateway); policy contract Web to Database:)
Service | Action
TCP/23 | Deny
TCP/22 | Allow
TCP/1400 | Redirect to Web-Database service chain
Any | Deny
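The EPG/contract/subject model of slides 69 to 72 (and the demo tenant's appctrct contract on slide 81) as an added example of how such a whitelist policy evaluates a flow; this is illustrative code, not APIC's own model, and it assumes first-match subject ordering and models only the consumer-to-provider direction.

```python
"""Toy ACI-style policy evaluation: EPGs talk only through a contract; each contract holds
subjects (filter + action + label); anything without a matching contract is dropped.
Ordering and directionality are simplifications, not the fabric's real semantics."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Filter:
    """A filter entry: protocol plus a destination port range ("any" matches everything)."""
    proto: str
    dport_from: int = 0
    dport_to: int = 65535

    def matches(self, proto, dport):
        return self.proto in ("any", proto) and self.dport_from <= dport <= self.dport_to


@dataclass(frozen=True)
class Subject:
    filt: Filter
    action: str                    # permit | deny | redirect | log | copy | mark
    label: str
    target: Optional[str] = None   # service graph name for redirect, DSCP value for mark


@dataclass
class Contract:
    name: str
    subjects: list


@dataclass
class Fabric:
    """Minimal policy model: contracts plus (consumer EPG, provider EPG, contract) relations."""
    contracts: dict = field(default_factory=dict)
    relations: list = field(default_factory=list)

    def add_contract(self, contract):
        self.contracts[contract.name] = contract

    def bind(self, consumer_epg, provider_epg, contract_name):
        self.relations.append((consumer_epg, provider_epg, contract_name))

    def decide(self, src_epg, dst_epg, proto, dport):
        """Return (action, label, target) for a flow src_epg -> dst_epg. With no contract
        between the two EPGs the fabric drops the flow: the whitelist model of slide 68."""
        for consumer, provider, cname in self.relations:
            if consumer == src_epg and provider == dst_epg:
                for s in self.contracts[cname].subjects:   # first matching subject wins (assumed)
                    if s.filt.matches(proto, dport):
                        return (s.action, s.label, s.target)
        return ("deny", "implicit", None)


def build_demo_fabric():
    """The Web -> Database contract of slide 72 and the demo tenant's appctrct of slide 81."""
    fab = Fabric()
    fab.add_contract(Contract("Web-Database", [
        Subject(Filter("tcp", 23, 23), "deny", "telnet"),
        Subject(Filter("tcp", 22, 22), "permit", "ssh"),
        Subject(Filter("tcp", 1400, 1400), "redirect", "db-app", target="Web-Database-Service-Chain"),
        Subject(Filter("any"), "deny", "catch-all"),
    ]))
    fab.bind("Web", "Database", "Web-Database")
    fab.add_contract(Contract("appctrct", [
        Subject(Filter("tcp", 1399, 1399), "redirect", "app", target="ASAIPS"),
        Subject(Filter("any"), "deny", "catch-all"),
    ]))
    fab.bind("web", "app", "appctrct")
    return fab


if __name__ == "__main__":
    fab = build_demo_fabric()
    for flow in [("Web", "Database", "tcp", 22), ("Web", "Database", "tcp", 1400),
                 ("Web", "Database", "tcp", 80), ("web", "app", "tcp", 1399), ("app", "web", "tcp", 1399)]:
        print(flow, "->", fab.decide(*flow))
```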

73 Service Insertion

74 ACI Layer 4-7 Service Integration: Centralized, Automated, and Supports the Existing Model
- Elastic service insertion architecture for physical and virtual services
- Helps enable administrative separation between application tier policy and service definition
- APIC as the central point of network control with policy coordination
- Automation of service bring-up / tear-down through a programmable interface
- Supports the existing operational model when integrated with existing services
- Service enforcement guaranteed, regardless of endpoint location
(Figure: the application admin defines App Tier A and App Tier B (web server, app server) with a redirection chain "Security 5"; the service admin defines the chain as a service profile and service graph (begin, stage 1..N, end) over providers such as ASA and NetScaler VPX)

75 Device Package
- Defines service appliances
- Lists the service functions offered by the service appliance
- Provides scripts for driving the service configuration
- Plan is to open the API so that anyone can create a device package and have a community similar to Puppet manifests or Chef recipes
(Figure: service automation architecture: APIC policy element, configuration model, APIC script interface, device-specific Python scripts in the script engine, device interface via REST/CLI to the appliance)

76 Services Application Construct Graph: Fabric Service Redirection
- The application-centric service graph simplifies and scales service operations
- A packet match on a redirection rule sends the packet into a services graph
- A service graph can be one or more service nodes pre-defined in a series
- Automated and scalable L4-L7 service insertion
(Figure: End Point Group A (web server) to End Point Group B (app server) with contract rule: redirect [SRC, *] [DST, TCP 80] to FIREWALL_ADC_PROD; the graph runs from start through stage 1..N (firewall instances, load balancer instances) to end)

77 Service Graph Definition
- Service graphs are defined on the APIC
- A service graph is a structure that defines the connectivity model between EPGs with one or more service nodes in between
- The graphs can be a simple chain or involve splits, joins, taps, etc.
- Common services would be: firewall, IPS, TAP/packet mirror, ADC/SLB
(Figure: example graphs such as EPG Outside to EPG Web via FW and ADC, EPG Web to EPG App via TAP and IPS, EPG App to EPG DB via ADC, and EPG Desktop / EPG Mobile to EPG Web1 / EPG Web2 via ADC)

78 Service & Application Health
The service appliance can generate a health rating:
- Device: score the health of the device on a scale from 0 (failing) to 255 (working). It is up to the DeviceScript to define the meaning of the score; the APIC will simply report it to the user.
- Virtual Device: score the health of the VDev on a scale similar to the device health score.
- Service Capacity: the capacity of the device is typically defined by licensing, and the DeviceScript needs to report capacity to the APIC to prevent over-provisioning.
- Service Availability: memory, CPU, cluster health, response time statistics as available on the service device or cluster.
The fabric provides the next generation of analytic functions per application, tenant and infrastructure: health scores, atomic counters, latency, resource consumption. The health score tracks device, virtual device, memory and CPU utilization, and service capacity.
(Figure: Application 1 on Leaf 1 & 2, Spine 1-3, SLB Cluster 1; Application 2 on Leaf 2 & 3, Spine 1-2, FW Cluster 1; Application 3 on Leaf 3 & 4, Spine 2-3, SLB Cluster 2, each with atomic counters; event actions include no new hosts or VMs, evacuate hypervisors, re-balance clusters)

79 Demo Scenario

80 Physical Topology
- Nexus 9500 acts as the spine and Nexus 9300s act as leaf nodes
- An ASA5585-X appliance or cluster provides services to ACI tenants
- A Sourcefire IPS appliance provides services to ACI tenants
- ACI inserts the ASA and IPS services in the path of the Web->App application traffic for the Demo tenant
- The web server communicates with the app server (VM) through ACI

81 Demo Flow

Tenant, EPG, and contract configuration, ASA and IPS instantiation, and security policy definition are scripted through the APIC Northbound API.

Policy Contract appctrct:
Service TCP/1399: Redirect to ASAIPS Graph
Any: Deny

EPG web should only connect to EPG app on port TCP/1399. The policy contract only permits TCP/1399 for the inter-EPG communication; all permitted packets are redirected through the defined service graph. ACI instantiates ASA and IPS services for the tenant and inserts these security devices into the application traffic path through the service graph.

[Diagram: ACI tenant demo with EPG Web (Web Server) and EPG App (App Server); ASA and SF IPS instance inserted in the path between them]
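As an added example (code written for this page, not the session's demo script or Cisco tooling), the following Python builds the tenant policy described on the service graph and demo flow slides through the APIC northbound REST API: a filter permitting only TCP/1399, a contract subject that binds that filter to the ASAIPS service graph, and EPGs web and app that consume and provide it. The APIC URL and credentials are placeholders; the object classes and attributes used (fvTenant, fvAp, fvAEPg, vzBrCP, vzSubj, vzFilter, vzEntry, vzRsSubjFiltAtt, vzRsSubjGraphAtt, fvRsCons, fvRsProv, the aaaLogin call and the APIC-cookie header) are the standard APIC ones, and the ASAIPS graph itself (vnsAbsGraph) is assumed to have been defined separately. The audit function is the defender's check before anything is pushed: it walks the payload and flags any filter entry wider than the intended port or any subject not bound to the graph, which is what keeps the "everything else is denied" row on the slide true, since ACI drops inter-EPG traffic that no contract permits.

```python
"""Script the demo tenant policy through the APIC northbound REST API and audit it first.

Example code added for this page; not Cisco's tooling. APIC URL and credentials are
placeholders, and the ASAIPS service graph (vnsAbsGraph) is assumed to exist already.
"""
import json
import urllib.request

APIC_URL = "https://apic.example.invalid"   # placeholder, not a real controller
TENANT, CONTRACT, GRAPH, PORT = "demo", "appctrct", "ASAIPS", "1399"


def build_filter(name, port):
    """vzFilter with one vzEntry: IP/TCP to a single destination port, nothing else."""
    entry = {"name": f"tcp-{port}", "etherT": "ip", "prot": "tcp",
             "dFromPort": port, "dToPort": port}
    return {"vzFilter": {"attributes": {"name": name},
                         "children": [{"vzEntry": {"attributes": entry}}]}}


def build_contract(name, filter_name, graph_name):
    """vzBrCP whose subject permits the filter and redirects matches into the service graph.
    Traffic matching no subject is dropped by the fabric (ACI contracts are whitelist-only)."""
    subject = {"vzSubj": {"attributes": {"name": "web-to-app"}, "children": [
        {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": filter_name}}},
        {"vzRsSubjGraphAtt": {"attributes": {"tnVnsAbsGraphName": graph_name}}}]}}
    return {"vzBrCP": {"attributes": {"name": name, "scope": "context"},
                       "children": [subject]}}


def build_tenant_payload(tenant=TENANT, ap="demoAP"):
    """Whole tenant subtree: filter, contract, and the web (consumer) / app (provider) EPGs."""
    filter_name = f"tcp-{PORT}"
    return {"fvTenant": {"attributes": {"name": tenant}, "children": [
        build_filter(filter_name, PORT),
        build_contract(CONTRACT, filter_name, GRAPH),
        {"fvAp": {"attributes": {"name": ap}, "children": [
            {"fvAEPg": {"attributes": {"name": "web"}, "children": [
                {"fvRsCons": {"attributes": {"tnVzBrCPName": CONTRACT}}}]}},
            {"fvAEPg": {"attributes": {"name": "app"}, "children": [
                {"fvRsProv": {"attributes": {"tnVzBrCPName": CONTRACT}}}]}}]}}]}}


def _walk(node, cls):
    """Yield every managed object of class `cls` anywhere in a payload tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == cls:
                yield value
            yield from _walk(value, cls)
    elif isinstance(node, list):
        for item in node:
            yield from _walk(item, cls)


def audit_contract(payload, expected_port, expected_graph):
    """Return findings; an empty list means the policy matches the slide's intent."""
    findings = []
    for entry in _walk(payload, "vzEntry"):
        a = entry["attributes"]
        if a.get("etherT") != "ip" or a.get("prot") != "tcp":
            findings.append(f"entry {a.get('name')}: not restricted to IP/TCP")
        elif not (a.get("dFromPort") == a.get("dToPort") == expected_port):
            findings.append(f"entry {a.get('name')}: permits ports other than {expected_port}")
    for subj in _walk(payload, "vzSubj"):
        graphs = [g["attributes"].get("tnVnsAbsGraphName")
                  for g in _walk(subj, "vzRsSubjGraphAtt")]
        if graphs != [expected_graph]:
            findings.append(f"subject {subj['attributes']['name']}: not bound to graph {expected_graph}")
    return findings


def apic_login(base_url, user, pwd, ctx=None):
    """POST /api/aaaLogin.json and return the session token (sent back as the APIC-cookie)."""
    body = json.dumps({"aaaUser": {"attributes": {"name": user, "pwd": pwd}}}).encode()
    req = urllib.request.Request(f"{base_url}/api/aaaLogin.json", data=body,
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)["imdata"][0]["aaaLogin"]["attributes"]["token"]


def apic_post(base_url, token, dn, payload, ctx=None):
    """POST a managed-object subtree at the given DN (e.g. uni/tn-demo)."""
    req = urllib.request.Request(f"{base_url}/api/mo/{dn}.json",
                                 data=json.dumps(payload).encode(), method="POST",
                                 headers={"Content-Type": "application/json",
                                          "Cookie": f"APIC-cookie={token}"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


if __name__ == "__main__":
    payload = build_tenant_payload()
    problems = audit_contract(payload, PORT, GRAPH)
    if problems:
        raise SystemExit("refusing to push policy: " + "; ".join(problems))
    print(json.dumps(payload, indent=1))   # dry run; the two lines below push to a real APIC
    # token = apic_login(APIC_URL, "admin", "password")
    # apic_post(APIC_URL, token, f"uni/tn-{TENANT}", payload)
```

Running the script as-is only prints the audited payload; pushing it requires a reachable APIC and a TLS context you trust (pass an `ssl.SSLContext` as `ctx`). The audit deliberately treats a filter entry with `etherT` left at its default, a port range wider than 1399, or a subject without a graph attachment as a refusal to deploy, because each of those silently widens what reaches the app tier without passing the ASA and IPS.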


83 Summary

84 Summary

Defend, Detect, Control
Virtual network services: extend policy, extend visibility, extend workflow
Leverage P-to-V fabric services to create unified policy
Assume both internal and external threats
ACI: automatically instantiate security services and policies right with the application flows

85 Participate in the My Favorite Speaker Contest

Promote Your Favorite Speaker and You Could be a Winner. Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress). Send a tweet and include your favorite speaker's Twitter and two hashtags: #CLUS #MyFavoriteSpeaker. You can submit an entry for more than one of your favorite speakers. Don't forget to view the official rules at

86 Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes. Winners announced daily. Complete your session evaluation through the Cisco Live mobile app or visit one of the interactive kiosks located throughout the convention center. Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

87 Continue Your Education

Demos in the Cisco Campus, Walk-in Self-Paced Labs, Table Topics, Meet the Engineer 1:1 meetings

88 Q&A



More information

Disclaimer CONFIDENTIAL 2

Disclaimer CONFIDENTIAL 2 Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitment from VMware to deliver these features in any generally

More information

VXLAN Overview: Cisco Nexus 9000 Series Switches

VXLAN Overview: Cisco Nexus 9000 Series Switches White Paper VXLAN Overview: Cisco Nexus 9000 Series Switches What You Will Learn Traditional network segmentation has been provided by VLANs that are standardized under the IEEE 802.1Q group. VLANs provide

More information

CCIE Data Center Written Exam ( ) version 1.0

CCIE Data Center Written Exam ( ) version 1.0 CCIE Data Center Written Exam (350-080) version 1.0 Exam Description: The Cisco CCIE Data Center Written Exam (350-080) version 1.0 is a 2-hour test with 80 110 questions that will validate that a data

More information

Configuring Policy-Based Redirect

Configuring Policy-Based Redirect About Policy-Based Redirect, page 1 About Symmetric Policy-Based Redirect, page 8 Policy Based Redirect and Hashing Algorithms, page 8 Using the GUI, page 9 Using the NX-OS-Style CLI, page 10 Verifying

More information

vrealize Operations Management Pack for NSX for vsphere 3.5.0

vrealize Operations Management Pack for NSX for vsphere 3.5.0 vrealize Operations Management Pack for NSX for vsphere 3.5.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition.

More information

Nexus 1000V in Context of SDN. Martin Divis, CSE,

Nexus 1000V in Context of SDN. Martin Divis, CSE, Nexus 1000V in Context of SDN Martin Divis, CSE, mdivis@cisco.com Why Cisco Nexus 1000V Losing the Edge Server Admin Host Host Host Host Server Admin manages virtual switching! vswitch vswitch vswitch

More information

"Charting the Course... Troubleshooting Cisco Data Center Infrastructure v6.0 (DCIT) Course Summary

Charting the Course... Troubleshooting Cisco Data Center Infrastructure v6.0 (DCIT) Course Summary Description Troubleshooting Cisco Data Center Infrastructure v6.0 (DCIT) Course Summary v6.0 is a five-day instructor-led course that is designed to help students prepare for the Cisco CCNP Data Center

More information

Network Virtualization Business Case

Network Virtualization Business Case SESSION ID: GPS2-R01 Network Virtualization Business Case Arup Deb virtual networking & security VMware NSBU adeb@vmware.com I. Data center security today Don t hate the player, hate the game - Ice T,

More information

UCS Management Deep Dive

UCS Management Deep Dive UCS Management Deep Dive Jason Shaw Cisco UCS Technical Marketing Engineer Agenda Introductions UCS Architecture, Topology Physical Building Blocks Logical Building Blocks Policy Driven Management UCS

More information

Real World ACI Deployment and Migration Kannan Ponnuswamy, Solutions Architect BRKACI-2601

Real World ACI Deployment and Migration Kannan Ponnuswamy, Solutions Architect BRKACI-2601 Real World ACI Deployment and Migration Kannan Ponnuswamy, Solutions Architect BRKACI-2601 Icons and Terms APIC Application Policy Infrastructure Controller (APIC) Cisco Nexus 9500 Cisco Nexus 9300 Nexus

More information