Cisco Virtual Security Gateway (VSG)
Mohammad Salaheldin
Agenda
- Virtual Security Gateway (VSG) Overview
- VSG Packet Flow
- VSG Policy Model
- Use Case Example
- ASA on 1000V
- Summary
2011 Cisco and/or its affiliates. All rights reserved. - Last Updated 2/23/2012 Cisco Confidential 2
Why a virtual security gateway
1. vMotion moves VMs across physical ports, so the network policy (the port group) must follow vMotion.
2. Network and security policy must be visible and enforceable on locally switched traffic: VM-to-VM traffic on the same host is switched in the hypervisor and never reaches a physical switch or firewall.
3. Segregation of duties between Server Admin, Security Admin and Network Admin must be maintained while keeping operations non-disruptive.
Virtual Security Gateway (VSG)
Context-aware security
- Zone-based control: establish zones of trust
- Dynamic, agile, context-aware rules
- Policies follow vMotion
Best-in-class architecture
- Efficient, fast, scale-out software
- Virtual Network Management Center (VNMC): central management, scalable deployment, multi-tenancy
Non-disruptive operations
- Policy-based administration: the security team manages security
- Designed for automation: XML API, security profiles
Deployment granularity depends on the use case: one VSG per tenant, per VDC or per vApp. Multi-instance deployment provides horizontal scale-out.
[Diagram: VNMC managing Tenant A and Tenant B, each with VDC-1/VDC-2 and vApps, running over vPath on the Nexus 1000V on vSphere.]
Virtual Security Gateway: Intelligent Traffic Steering with vPath
[Diagram: VNMC, Nexus 1000V Distributed Virtual Switch with vPath, VSG, Log/Audit]
1. Initial packet flow: vPath on the Nexus 1000V steers the first packet of a new flow to the VSG.
2. Flow access control: the VSG evaluates the policy for the flow.
3. Decision caching: the permit/drop decision is cached in vPath.
4. Log/audit: the decision is logged.
Remaining packets from the flow: the ACL is offloaded to the Nexus 1000V (policy enforcement in vPath), so the rest of the flow is switched locally without going to the VSG.
VSG architecture and interactions
- VMware vCenter supplies VM attributes to the Virtual Network Management Center (VNMC).
- VNMC holds security profiles and device profiles, maintains the VM-to-IP binding, and pushes policy to the VSG (a virtual service node, VSN).
- The Nexus 1000V VSM (virtual supervisor module) defines the port profiles that bind VM ports to a security profile and to a VSG.
- vPath in the Nexus 1000V on the ESX servers steers the first packet of a flow to the VSG (slow path) and forwards the remaining packets of the flow itself (fast path).
VSG Security Policy Model
Security Profile
  Policy Set
    Policy 1 ... Policy N
      Rule 1 ... Rule N (per policy)
A rule is analogous to an ACE; a policy is analogous to an ACL. A policy set groups one or more policies under a security profile.
Rule = Source Condition + Destination Condition + Action

Condition attribute types: network, user-defined, vZone.

VM attributes (from vCenter):
- VM instance name
- Guest OS full name
- Resource pool
- Parent app name
- Port profile name
- Cluster name
- DNS name
- Hypervisor name

Network attributes:
- IP address
- Network port

Zone attribute:
- Zone name

Operators:
- value operators: eq, neq, gt, lt, range, not-in-range, prefix
- set and string operators: member, not-member, contains
VSG Use Cases
Virtual Security Gateway (VSG) zoning example
- Server zones: Portal, Records, Database, Application
- Hosted virtual desktop (HVD) zones: IT Admin, Assistant, Doctor, Guest
- Networks: IT Admin, Guest, Doctor
[Diagram only; the slide sequence builds up the zone-to-zone permissions incrementally.]
Zones: Database Servers, DMZ Servers, Exchange Servers, Application Servers, Training Servers, R&D Servers.
If the VM name contains "TRNG", the VM belongs to the TRNG zone.

Source     | Destination | Protocol | Action
Zone=TRNG  | Zone=TRNG   | Any      | Permit
Any        | Zone=TRNG   | Any      | Permit
Zone=TRNG  | Any         | Any      | Drop

Rules are evaluated in order and the first match wins, so the intra-zone permit must precede the Zone=TRNG to Any drop; otherwise training servers could not reach each other. Because zone membership is derived from the VM name, any VM created or renamed with "TRNG" in its name inherits these rules automatically, so the naming convention itself becomes part of the security boundary and should be controlled.
Three-tier example: Web-Zone (web servers), Application-Zone (app servers), Database-Zone (DB servers).
- Web client: permit only port 80 (HTTP) to the web servers.
- Only permit web servers access to the application servers; permit only port 22 (SSH) to the application servers.
- Only permit application servers access to the database servers; block all external access to the database servers.
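The rule anatomy from the policy model section (source condition, destination condition, action; vZones defined over VM attributes; the operator list) applied to the TRNG zone table and the three-tier example above, as an added illustration that is not Cisco code and does not reproduce the VSG rule syntax. The attribute keys (`vm.name`, `vm.port-profile-name`, `vm.resource-pool`, `net.ip`, `net.port`, `net.protocol`), the zone definitions for web, app and db, the explicit default action, and the endpoint inventory are assumptions made for the example.

```python
"""Attribute-based policy evaluation in the style of the VSG policy model.
Added illustration, not Cisco code: a rule is (source conditions, destination
conditions, action); a policy is an ordered rule list evaluated first-match,
like ACEs in an ACL; a vZone is a named condition set over VM attributes.
Attribute keys, zone definitions and the inventory below are assumptions."""
from ipaddress import ip_address, ip_network
from typing import Any, Callable, Dict, List, Tuple

Attrs = Dict[str, Any]             # one endpoint: VM attributes plus network attributes
Condition = Tuple[str, str, Any]   # (attribute, operator, value); attribute "zone" tests a vZone
Rule = Tuple[List[Condition], List[Condition], str]
ANY: List[Condition] = []          # empty condition list matches everything

OPERATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "eq": lambda a, v: a == v,
    "neq": lambda a, v: a != v,
    "gt": lambda a, v: a > v,
    "lt": lambda a, v: a < v,
    "range": lambda a, v: v[0] <= a <= v[1],
    "not-in-range": lambda a, v: not (v[0] <= a <= v[1]),
    "prefix": lambda a, v: ip_address(a) in ip_network(v),
    "contains": lambda a, v: v in a,
    "member": lambda a, v: a in v,
    "not-member": lambda a, v: a not in v,
}

ZONES: Dict[str, List[Condition]] = {
    "TRNG": [("vm.name", "contains", "TRNG")],            # slide: vm-name contains TRNG
    "web": [("vm.port-profile-name", "eq", "pp-web")],    # assumed zone definitions
    "app": [("vm.resource-pool", "eq", "rp-app")],
    "db": [("net.ip", "prefix", "10.0.3.0/24")],
}


def matches(conds: List[Condition], attrs: Attrs) -> bool:
    """All conditions must hold (AND). A missing attribute never matches, so an
    endpoint without VM attributes (an external client) falls to later rules."""
    for attr, op, value in conds:
        if attr == "zone":
            if matches(ZONES[value], attrs) != (op == "eq"):   # eq: in zone; neq: not in zone
                return False
        elif attr not in attrs or not OPERATORS[op](attrs[attr], value):
            return False
    return True


def evaluate(policy: List[Rule], src: Attrs, dst: Attrs, default: str = "drop") -> str:
    """First matching rule decides. The deck does not state the appliance's
    implicit default, so it is an explicit parameter here (drop)."""
    for src_conds, dst_conds, action in policy:
        if matches(src_conds, src) and matches(dst_conds, dst):
            return action
    return default


# TRNG table from the slide: the intra-zone permit must precede the Zone=TRNG -> Any drop.
TRNG_POLICY: List[Rule] = [
    ([("zone", "eq", "TRNG")], [("zone", "eq", "TRNG")], "permit"),
    (ANY, [("zone", "eq", "TRNG")], "permit"),
    ([("zone", "eq", "TRNG")], ANY, "drop"),
]

# Three-tier slide: the app -> db permit must precede the catch-all db drop.
THREE_TIER_POLICY: List[Rule] = [
    (ANY, [("zone", "eq", "web"), ("net.protocol", "eq", "tcp"), ("net.port", "eq", 80)], "permit"),
    ([("zone", "eq", "web")], [("zone", "eq", "app"), ("net.port", "eq", 22)], "permit"),
    ([("zone", "eq", "app")], [("zone", "eq", "db")], "permit"),
    (ANY, [("zone", "eq", "db")], "drop"),
]


def endpoint(name: str, ip: str, **vm_attrs: Any) -> Attrs:
    """Attribute bag for one VM or host (constructed data)."""
    return {"vm.name": name, "net.ip": ip, "net.protocol": "tcp", **vm_attrs}


def to(ep: Attrs, port: int) -> Attrs:
    """The same endpoint seen as a destination on a given TCP port."""
    return {**ep, "net.port": port}


def demo() -> Dict[str, str]:
    client = endpoint("laptop", "192.0.2.10")                 # external, no VM attributes
    web = endpoint("WEB-01", "10.0.1.10", **{"vm.port-profile-name": "pp-web"})
    app = endpoint("APP-01", "10.0.2.10", **{"vm.resource-pool": "rp-app"})
    db = endpoint("DB-01", "10.0.3.10")
    trng1, trng2, rnd = (endpoint("TRNG-01", "10.0.9.1"), endpoint("TRNG-02", "10.0.9.2"),
                         endpoint("RND-01", "10.0.8.1"))
    return {
        "client->web:80": evaluate(THREE_TIER_POLICY, client, to(web, 80)),
        "client->web:443": evaluate(THREE_TIER_POLICY, client, to(web, 443)),
        "web->app:22": evaluate(THREE_TIER_POLICY, web, to(app, 22)),
        "client->app:22": evaluate(THREE_TIER_POLICY, client, to(app, 22)),
        "app->db:3306": evaluate(THREE_TIER_POLICY, app, to(db, 3306)),
        "web->db:3306": evaluate(THREE_TIER_POLICY, web, to(db, 3306)),
        "TRNG-01->TRNG-02": evaluate(TRNG_POLICY, trng1, to(trng2, 445)),
        "RND-01->TRNG-01": evaluate(TRNG_POLICY, rnd, to(trng1, 445)),
        "TRNG-01->RND-01": evaluate(TRNG_POLICY, trng1, to(rnd, 445)),
    }


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:18} {verdict}")
```

The point worth checking in any real policy set is the same one the toy exercises: a zone test on an endpoint that lacks the attribute (the external client has no port profile or resource pool) must fail closed and fall through to the next rule, and the order of an explicit permit relative to a broader drop decides whether the permit is reachable at all.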
Virtual ASA 1000V
Proven Cisco security, virtualized
- Physical/virtual consistency; managed from the Virtual Network Management Center (VNMC) alongside vCenter.
- Collaborative security model: VSG for intra-tenant secure zones, virtual ASA for tenant-edge controls.
- Seamless integration with the Nexus 1000V and vPath.
- Scales with cloud demand: multi-instance deployment for horizontal scale-out.
[Diagram: per tenant (Tenant A, Tenant B), a Virtual ASA at the tenant edge and VSGs per VDC and vApp, all over vPath on the Nexus 1000V on vSphere.]
Virtual Security Gateway / ASA: Intelligent Traffic Steering with vPath
[Diagram: Nexus 1000V Distributed Virtual Switch with vPath, ASA, VSG]
1. Initial packet flow: vPath steers the first packet of a new flow.
2. ASA in line: the packet passes through the ASA 1000V first (tenant edge).
3. Policy evaluation: vPath then steers the packet to the VSG.
4-5. The VSG decision is returned to vPath (diagram steps 4 and 5).
Rest of the flow: the ASA stays in line for every packet, while the VSG policy has been downloaded to vPath, which enforces it without steering further packets to the VSG.
ASA 1000V feature set
- NAT
- IPsec VPN (site-to-site)
- Default gateway
- DHCP
- Static routing
- Stateful protocol inspection
- IP audit
- Role-based separation
Consistent ASA feature set; intelligent traffic steering via vPath; strategic partnership with VMware. Not just an ASA: part of a solution which benefits from vPath.
Summary
- Cisco Nexus 1000V (vPath) is leveraged by both VSG and the virtual ASA for deployment.
- VSG is NOT required to be installed on every physical host.
- VSG provides a high-availability solution that protects multiple ESX hosts.
- Supports a multi-tenant environment.
- Non-disruptive administration model: the security team manages security policies.
[Diagram: VNMC, VSG, vPath, Nexus 1000V, hypervisor]
Thank you.