Cisco Virtual Security Gateway (VSG) Mohammad Salaheldin


- Virtual Security Gateway (VSG) Overview
- VSG Packet Flow
- VSG Policy Model
- Use Case Example
- ASA on 1000V
- Summary
2011 Cisco and/or its affiliates. All rights reserved. - Last Updated 2/23/2012 Cisco Confidential 2

1. vMotion moves VMs across physical ports; the network policy must follow vMotion (Port Group)
2. Must view or apply network/security policy to locally switched traffic (Server Admin)
3. Need to maintain segregation of duties while ensuring non-disruptive operations (Security Admin, Network Admin)

Virtual Security Gateway (VSG)
- Context Aware Security: dynamic, agile context-aware rules
- Zone-Based Control: establish zones of trust; policies follow vMotion
- Best-in-Class Architecture: efficient, fast, scale-out SW
Virtual Network Management Center (VNMC)
- Non-Disruptive Operations: security team manages security
- Policy Based Administration: central mgmt, scalable deployment, multi-tenancy
- Designed for Automation: XML API, security profiles

Deployment granularity depending on use case: tenant, VDC, vApp. Multi-instance deployment provides horizontal scale-out.
(Diagram: Virtual Network Management Center; Tenant A, Tenant B; VDC-1, VDC-2; vApp; vPath; Nexus 1000V; vSphere)

Virtual Security Gateway: Intelligent Traffic Steering with vPath
(Diagram: VNMC, Nexus 1000V Distributed Virtual Switch, vPath, VSG, Log/Audit)
1. Initial packet flow: vPath steers the flow's first packet to the VSG
2. Flow access control (policy evaluation) on the VSG
3. Decision caching in vPath
4. ACL offloaded to Nexus 1000V (policy enforcement): the remaining packets from the flow are handled by vPath
Log/Audit to VNMC

(Diagram: VMware vCenter supplies VM attributes to the Virtual Network Management Center (VNMC), which holds the VM-to-IP binding, security profiles and device profiles; the VSM holds port profiles; VSN/VSG; vPath runs in the Nexus 1000V on the ESX servers. Interactions: packets (slow-path) between vPath and the VSG, packets (fast-path) through vPath.)

VSG Security Policy Model

Security Profile -> Policy Set -> Policy 1, Policy 2, ..., Policy N -> each policy holds Rule 1, Rule 2, ..., Rule N
Rule is analogous to an ACE; Policy is analogous to an ACL

Rule = Source Condition + Destination Condition + Action
Condition attribute types: Network, User Defined, vZone
- VM attributes: VM Name, Guest OS full name, Resource Pool, Parent App Name, Port Profile Name, Cluster Name, DNS Name, Hypervisor Name (new in this release)
- Network attributes: IP Address, Network Port
- Zone attribute: Zone Name
- Operators: eq, neq, gt, lt, range, not-in-range, prefix, contains, member, not-member

VSG Use Cases

Server Zones: Portal, Records, Database, Application
Virtual Security Gateway (VSG)
HVD Zones: IT Admin, Assistant, Doctor, Guest
Network: IT Admin, Guest, Doctor

Zones: Database Servers, DMZ Servers, Exchange Servers, Application Servers, Training Servers, R&D Servers
If vm-name contains TRNG, that VM belongs to the TRNG zone

Source     | Destination | Protocol | Action
Zone=TRNG  | Zone=TRNG   | Any      | Permit
Any        | Zone=TRNG   | Any      | Permit
Zone=TRNG  | Any         | Any      | Drop

Web Client -> Web-Zone (Web Servers): permit only port 80 (HTTP) of web servers
Web-Zone -> Application-Zone (App Servers): only permit web servers access to application servers; permit only port 22 (SSH) to application servers
Application-Zone -> Database-Zone (DB Servers): only permit application servers access to database servers; block all external access to database servers
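A toy model of the policy-model slides (zones derived from VM attributes with the listed operators, ordered ACE-like rules), the TRNG and Web/Application/Database zone examples above, and the vPath decision caching from the packet-flow slides. This is an added example and not Cisco code: the VM inventory, port-profile names and IP addresses are constructed, and the rule tuple layout and flow-cache key are assumptions.

```python
# Constructed inventory: the vCenter attributes that VNMC binds to each VM IP
# (the slides list VM name, port profile name, cluster name and others).
VM_ATTRS = {
    "10.1.1.10": {"vm-name": "web-01", "port-profile": "web-pp"},
    "10.1.2.10": {"vm-name": "app-01", "port-profile": "app-pp"},
    "10.1.3.10": {"vm-name": "db-01", "port-profile": "db-pp"},
    "10.1.9.10": {"vm-name": "TRNG-lab-07", "port-profile": "lab-pp"},
}
# Two of the condition operators listed on the slides.
OPS = {"eq": lambda attr, val: attr == val,
       "contains": lambda attr, val: val in attr}
# vZones are derived from VM attributes, e.g. "vm-name contains TRNG".
ZONES = {
    "TRNG": ("vm-name", "contains", "TRNG"),
    "Web-Zone": ("port-profile", "eq", "web-pp"),
    "Application-Zone": ("port-profile", "eq", "app-pp"),
    "Database-Zone": ("port-profile", "eq", "db-pp"),
}

def zones_of(ip):
    """Zones whose attribute condition the VM at `ip` satisfies (unknown IP: none)."""
    attrs = VM_ATTRS.get(ip, {})
    return {z for z, (key, op, val) in ZONES.items()
            if key in attrs and OPS[op](attrs[key], val)}

# A policy is an ordered list of rules, each like an ACE (assumed layout):
# (source condition, destination condition, destination port, action).
# A condition is "any" or a zone name; port None means any port.
POLICY = [
    ("any", "Web-Zone", 80, "permit"),
    ("Web-Zone", "Application-Zone", 22, "permit"),
    ("Application-Zone", "Database-Zone", None, "permit"),
    ("any", "any", None, "drop"),   # explicit final deny, as in an ACL
]

def matches(cond, ip):
    return cond == "any" or cond in zones_of(ip)

def evaluate(src, dst, dport):
    """Slow path (VSG policy evaluation): the first matching rule wins."""
    for s_cond, d_cond, port, action in POLICY:
        if matches(s_cond, src) and matches(d_cond, dst) and port in (None, dport):
            return action
    return "drop"

class VPath:
    """vPath decision caching: only a flow's first packet goes to the VSG; the verdict is cached for the rest of the flow."""
    def __init__(self):
        self.cache, self.vsg_lookups = {}, 0

    def forward(self, src, dst, dport):
        key = (src, dst, dport)             # assumed cache key: one entry per flow
        if key not in self.cache:           # new flow: one trip to the VSG
            self.vsg_lookups += 1
            self.cache[key] = evaluate(src, dst, dport)
        return self.cache[key]
```

Evaluating the same flow twice through `VPath.forward` calls `evaluate` only once, which is the fast-path/slow-path split the steering slides describe.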

Virtual ASA 1000V

- Proven Cisco Security Virtualized: physical/virtual consistency
- Collaborative Security Model: VSG for intra-tenant secure zones; Virtual ASA for tenant edge controls
- Seamless Integration with Nexus 1000V & vPath
- Scales with Cloud Demand: multi-instance deployment for horizontal scale-out deployment
(Diagram: vCenter, Virtual Network Management Center (VNMC), vSphere; Tenant A and Tenant B each fronted by a Virtual ASA, with VDCs and vApps protected by VSG instances over vPath on the Nexus 1000V)

Virtual Security Gateway / ASA: Intelligent Traffic Steering with vPath
(Diagram: Nexus 1000V Distributed Virtual Switch, vPath, ASA, VSG)
1. Initial packet flow
2. ASA in line
3. VSG (policy evaluation)
4, 5. Return of the decision through vPath
Rest of the flow: 1 rest of the flow, 2 ASA in line, 3 policy downloaded to vPath

Not just an ASA: part of a solution which benefits from vPath
- Consistent ASA feature set: NAT, IPsec VPN (site-to-site), default gateway, DHCP, static routing, stateful protocol, IP audit
- Role based separation
- Intelligent traffic steering via vPath
- Strategic partnership with VMware

- Cisco N1KV (vPath) is leveraged by VSG and vASA for deployment
- VSG is NOT required to be installed on every physical host
- VSG provides a High Availability solution to protect multiple ESX hosts
- Supports a multitenant environment
- Non-disruptive administration model: the security team manages security policies
(Diagram: VNMC, VSG, vPath, Nexus 1000V, Hypervisor)

Thank you.