Cyber Security and the Evolving Datacenter

Transcription

1 Cyber Security and the Evolving Datacenter Segmenting PINs to PICs

2 Preface Who is Arista? Work with 3 rd party best of breed partners Communication with customers and peers Foster Discussion Contact us to learn more - Lindsay Clarke Account Manager: lclarke@arista.com - Rich Whitney Engineering Manager: rw@arista.com *Vendors in this presentation are for reference only*

3 Arista PINs to PICs Private Cloud Public Cloud Branch Datacenter On-premise and/or hosted models Hypervisor centric Elastic demand-based service models Extremely agile MPLS to IPSEC driven VPN architectures High vendor lock-in Open leaf & spine cloud networking Siloes breaking down Challenges Hard to integrate across hypervisor vendor platforms Provider centric hard to tie to on-premise DC architectures Too many competing and vendor proprietary niches (i.e., SD-WAN) Silo Places in the Network (PINS) with Bolted After-Thoughts to Seamless and Secure Places-in-the-Cloud (PICs) Remaining legacy fabric hold-outs dying off 3

4 Secure Cloud Networking Goals Enable heterogeneous container deployments across virtual machines, bare-metal, and public or private clouds Production-grade networking to containers running on any platform Docker Swarm, Kubernetes or OpenShift Ability to migrate containerized workloads to and between clouds Uniform way to connect, manage and secure micro-services in a multi-cloud deployment Provide application layer visibility in the public cloud and aggregating telemetry data Ability to secure traffic flows to/from or within micro-services (i.e. inter & intra VPC/Vnet) traffic using same security policy mechanism as private cloud independently of public cloud provider lock-in security mechanisms Automatically secure applications in the cloud based on consistent set of enforcement mechanisms Manage secure cloud using same security orchestration rules as private cloud Integrate with best-of-breed security management to orchestrate security with open API in any public or private cloud Reduce capex and opex costs of running a multi-cloud infrastructure

5 Leaf Hosts Dual-Homed Leaf MLAG Pair Rack 1 Rack 2 The dual-hom ed compute leaf is usually provisioned with a 3:1 oversubsc ri ption ratio. Ensure a thorough understanding of the failover characteristics of the NIC redundancy plan here and deploy VARP for protocol- free first hop redundancy. Leaf Edge Routers Data Center Spine Spine Data Center Interconnect Metro A MLAG Pair VTEP(s) VARP-FHRP Metro B Storage Leaf Leaf Storage Devices MLAG Pair External First Hop FCOE Network MPLS CORE Switch FC SAN The Data Center Interconnec t Leaf serves as the gateway leaf to The storage leaf is usually provisioned with a 1:1 oversubsc r ipti on the Metro DC Pair, the MPLS network, and the Core to the ratio when the storage is serving hosts connected to the compute remote Data Center. VXLAN is used as the L2 transport between leaves. Legacy Fiber Channel connections will remain in the MDS the Metro pairs and in limited amounts across the Core Network and connect to the IP Fabric through the storage Leaf N AS IP Storage Services Leaf Leaf Network Services The network spine is provisioned to provide wire-speed connectivi ty with deep buffers to manage periods of sporadic congestion and incast. It is designed to be simple and thus highly available while To Spine network operations and change control via Smart Switches System Upgrades. The spine runs BGP as its primary MLAG Pair Checkpoint/ PAN Firewalls F5 Load balancer Acceleration/ ETC. The services leaf is usually provisioned with an uplink capacity based on the throughput of the services connected to and through it. It is important to monitor both bandwidth and critical table utilization for shared services to ensure stable connectivity. routing protocol Leaf Services Edge Routers External Network Internet DMZ allowing for routine The DMZ terminates the Internet traffic on the external routers and connects up to a typical Leaf model leveraging services that are specific for thedmz connectivity TAP and Monitor Port Aggregation MLAG Pair Services FW/LB/IPS... Storage Compute MLAG Pair Packet Monitor Application Performance Monitor IDS/IPS Each leaf switch and each spine switch connects to this switch with either one 10Gb or on 40GbE interface to simplify monitoring and troubleshooti ng as well as enabling APM and IDS systems to see any/all traffic as efficiently as possible. Management Leaf Leaf Network Services MLAG Pair CVX DHCP ZTP/ZTR Splunk The management leaf never needs much throughput, but does require maximum uptime and reliability to ensure the overall infrastructur e stays available. Each service is detailed in the accompanying design document. Arista EOS Use-cases Universal Cloud Network Data Center Interconnect Macro Segmentation DWDM MUX/ DMUX >3000km with Amplification SP IN E LEAF/ TOR SERV E RS DC1 DC 2 Virtual Virtual Physical Servers Physical Firewalls & Storage Network Virtualization DANZ, LANZ and Tracers NSX Software Defined Data Center Central Management IP Storage Media IPPeering ISP A ISP B CloudVision exchange Monitoring Tools EOS EOS EOS Programmable Underlay with EOS 5

6 Arista EOS Use-cases: Routing focus CCloouuddDDCCI IX Cloud Internet Inter-DCWAN DCI Transit Public Peering Universal Spine Core Spine BGP VxLAN EVPN IX IP Cloud network Spine Leaf AS2906 Customer Edge AS8075 BGP W A N D C 1 I nter-dc Traffic D C 2 Path computation P rogrammatic API s x MPLS TE signaling IGP, BGP - Segment Routing Segment Routing reduces complexity and improves scale by offering intelligent source routing with globally optimized traffic engineering 6

7 Arista EOS Use-cases: Arista Any Cloud Platform Private Cloud Cloud Exchange Public Cloud Any Cloud API Automation veos Router in AWS Analytics Agile Work-X DC Aggregation with Arista Universal Cloud Network veos Router in Azure East Available Architecture Arista Router at Equinix veos Router in Azure West Hybrid cloud, expanding seamlessly beyond the datacenter 7

8 What is Segmentation? Process of implementing isolation and segmentation for security purposes within the virtual data center Gartner, 2017

9 Standard Segmentation Methods Traditional physical firewalls and manually deploying security policies to isolate traffic

10 Micro-segmentation L3/L4 security policies on distributed virtual switch or vngfw down to VM

11 Adaptive Segmentation Automated application discovery, Orchestrate L7 Policies on distributed firewalls and Isolate threats

12 Cloud Based Segmentation L3/L4 security policy micro-segmentation enforcement by Cloud Providers

13 No silver bullets Security Criteria Traditional Segmentation Micro- Segmentation Adaptive Segmentation Cloud Segmentation Firewall Type Physical IP Tables / ACLs (Plug to vngfw) Firewall Location DMZ Top of Rack or Hypervisor Secure typical traffic flows North / South East/West & North/ South Virtual Distributed Operating System East/West & North/ South IP tables / ACLs (plug into NGFW) Hypervisor East/West & North/ South Security layer L3 - L7 L3/L4 on vswitch L3-L7 L3/L4 Security Policies provision & maintaining Manually Manually Application Learning Manually Security policy management Central firewall controller Central firewall controller Central firewall controller Cloud Orchestrator

14 Segmentations have created security islands DMZ Security Island Multi-Silo DC Security Island Branch / Campus Security Island Cloud Security Island Security Policy Sprawl Micro- Visibility per island Lack of Automation & Mobility & Agility Vendor Lock-in & lack of Open Integration

15 Macro-Segmentation with Macro-State Visibility is open to accommodate & enables any segmentation architecture Firewall Controller TapAggregation East Region Packet Monitoring A Z 1 A Z 2 A Z 1 A Z 2 A Z 1 A Z 2 2b). Adaptive Segmentation 2a). Micro Segmentation 1. Traditional Segmentation Transit VPC Internet VPC 4. CloudSegmentation

16 Macro-State Visibility to openly accommodate & enable any segmentation architecture Use CV s NetDB to collect Macro-State using countless EOS software features to provide network wide visibility and state stream the data using Open APIs to any 3rd party security controllers help provide scalable Macro-segmentation across all PlCs Firewall Controller Packet Monitoring TapAggregation DANZ LANZ EOS API SNMP CloudTracer VmTracer Atomic Counters Syslog MSS MapReduce Tracer ZTP Bug Alerts DFA Path Tracer Event Monitor Event Manager EOS SDK sflow VCS State Streaming 3rd party RPM packages Scripting DigitalOptical Monitoring

17 Macro-Segmentation with Macro-State Visibility Macro Application & WorkFlow Visibility & Analytics Open API Integration to with Best of Breed Security Full Security Automation & Segmentation VCS has Macro-State view of Network State Stream & provide atomic changes on end devicesconnected to physical& virtualnetwork State Stream & provide atomic changes on storage infrastructure Provide Cloud Visibility & Analytics to secure cloud workflows andworkloads Provide Visibility, Security, Analytics,Agilityto remoteusers Places In the Cloud (PICs) Compute / Big Data / HPC Edge Storage Edge Cloud Edge Branch / Campus / IoT Edge

18 Macro Threat Detection & Enforcement Arista Macro Detection & Enforcement Software Roadmap 1) 3rd Party threat security intelligence or enforcement 2) Real time data capture & enforcement 3) Real-time threat analysis via machine learning Phase 1) Provide 3rd Party security devices application visibility & network logs to do security intelligence & enforcement Phase 2) Arista provides policy enforcement on virtual routers and physical devices integrated to 3rd party Phase 3) Arista provides machine learning capabilities for advanced detection and correlation for intelligent & automated policy enforcement Private Cloud Macro visibility Macro W 1 or 0 kfl 1 ow Ne 1 tw 0 o 1 rk W1 o 0 rk 1 lo 0 ad visibility Macro visibility Public Cloud

19 Thank You 19