Virtualization in the Data Center and how to address Security Challenges

Sergiu ION - Networking & Security Solutions Sales Representative
S&T România
Agenda
■ About S&T
■ Transform your Business with Virtualization
■ Data Center Virtualization
■ Addressing the Data Center Security Challenges
Member of S&T Group
S&T GROUP
■ a leading IT company acting in 17 countries
■ about 1,400 employees
■ #1 Consulting Service Provider in CEE (Gartner, July 2009)
■ among the top 5 in most of its countries
■ uses the potential of growth markets
2011 - Quanmax AG and grosso holding GmbH are new majority shareholders
New management and supervisory board
We integrate best-of-breed infrastructure solutions
Industries: Manufacturing, Trade, Financial Services, Telecom, Utilities, Government
Solution areas: Enterprise Computing, Enterprise Storage, Information Management, Networks & Security
Transform your Business with Virtualization
www.snt.ro
What is Virtualization?
Virtualization is the pooling and abstraction of resources and services
in a way that masks the physical nature and boundaries of those
resources and services from their users
http://www.gartner.com/DisplayDocument?id=399577
■ If you can see it and it is there
– It’s real
■ If you can’t see it but it is there
– It’s transparent
■ If you can see it and it is not there
– It’s virtual
■ If you can not see it and it is not there
– It’s gone
Virtualization is … well, not exactly new
■ Nothing new! Concept known to mainframes back in the '70s
Virtualization is not a new concept
Mainframes of the '70s were underutilized and over-engineered
http://www-07.ibm.com/systems/my/z/about/timeline/1970/
Data Center and Network Evolution
Figure: IT relevance and control plotted against application architecture evolution
- Data Center 1.0: Mainframe (centralized)
- Data Center 2.0: Client-Server and Distributed Computing (decentralized)
- Data Center 3.0: Service Oriented and Web 2.0 Based (virtualized): consolidate, virtualize, automate
Cisco Data Center products
Figure: Cisco Data Center product portfolio
- Ethernet Networking: Nexus 7000, Nexus 5K/4K/2K/1K, Catalyst 6500 Series, Catalyst 4900 Top-of-Rack
- Application Network Services: ACE Application Delivery (Module and Appliance), Wide-Area Application Services, ACE XML Gateway
- Data Center Security: Firewall SM, Web Application Firewall, IDS SM
- Infiniband Clustering: SFS 7000 Infiniband Switch, SFS 3000 Infiniband Gateway
- Storage Networking: MDS 9500 Storage Directors, MDS Fabric Switches
- Data Center Networking: Nexus 7000 Modular Switching System, Blade Switches, Nexus 5000 Rack Switch (Unified Fabric ready), Nexus 1000v VN-Link Switch, Unified Computing System
- Data Center Provisioning and Management: Data Center Network Manager (Topology Visualization and Provisioning), ANM (Advanced L4-7 Services Module Management)
Four Drivers Behind Virtualization
Virtualization in the Data Center
Data Center Virtualization
Network Virtualization
■ Overlay of logical topologies (1:N)
■ One physical network supports N virtual networks
Network Virtualization
■ Device Partitioning
› One to many devices
› Primary use case is infrastructure reduction
› Increases service agility & flexibility
› Improves asset utilization
› Examples: VLAN, VRF, VSAN, VDC, Firewall Context, LB Context, Hypervisor
■ Virtualized Interconnect
› Primary use case is link consolidation
› Logical tenant isolation
› Examples: 802.1q, VPN, MPLS, Unified I/O FCoE
■ Device Pooling
› Many to one device
› Primary use case is maximum availability & density
› Reduces management plane
› Examples: VSS, vPC, GSLB, FHRP
Network Virtualization
■ Network Virtualization is a key for path isolation and policy control
■ Provides control and data plane separation
Compute Virtualization
■ A single physical server hosting multiple independent Guest OS + application(s)
■ Hypervisor abstracts physical hardware from Guest O/S and application
■ Partitions system resources: RAM, CPU, disk, etc.
Server Deployment Scale
Figure: as the server deployment scales out, every virtualized host carries its own software switch and management point
Simplifying the Data Center
Figure: management server and data center fabric
A cohesive solution
› Embed management
› Unify fabrics
› Optimize virtualization
› Remove unnecessary
- Switches
- Adapters
- Management modules
Cisco Unified Computing System
■ UCS
■ Scalable compute platform
› Integrated virtualization
› Natural aggregation point: Network
■ Unified embedded management
› Embedded on the network controller
■ Wire once: I/O on demand
› LAN, SAN, IPC
■ Efficient Scale
› Cisco network & services scale
› Fewer servers with more memory
■ Lower cost
› Fewer servers, switches, adapters, cables
› Lower power consumption
Single Integrated System
■ Network + Compute Virtualization
Figure: one system attached to SAN A, LAN, Mgmt and SAN B; eight groups of 5 x 8 = 40 servers, 320 total
Dynamic Management
■ Server profiles
› Abstracts server characteristics from the physical server hardware
■ Pre-defined and pre-created server identities
› Default is shipped hardware
› Stored in switch
Server Profiles
Figure: server profiles (Server Name, UUID, MAC, WWN, Boot info, LAN Config, SAN Config, Firmware…) associated at run time with physical servers
■ “Associated” with a physical server
› Manual or policy-driven
Stateless Computing
■ Server attributes no longer tied to physical hardware
› Not just identity
› Seamless server mobility
› Within switch domain
■ Network boot (LAN or SAN)
› Boot order and devices are part of server profile
› Local disks can be used for temp, swap, etc.
- Scrubbed between use (optional)
Figure: profile associated across the SAN and LAN with Chassis-1/Blade-5 and Chassis-9/Blade-2
Server Name: LS-A
UUID: 56 4d cd 3f 59 5b 61…
MAC : 08:00:69:02:01:FC
WWN: 5080020000075740
Boot Order: SAN, LAN
What Happens When We Mix Network and Server Virtualization?
■ Typically provisioned as trunk to the server running ESX
■ No visibility to individual traffic from each VM
■ Unable to troubleshoot, apply policy, address performance issues
VN-Link Brings VM Level Granularity
Figure: VMotion between hosts on VLAN 101 behind a Cisco VN-Link Switch
Problems:
• VMotion may move VMs across physical ports—policy must follow
• Impossible to view or apply policy to locally switched traffic
• Cannot correlate traffic on physical links—from multiple VMs
VN-Link:
• Extends network to the VM
• Consistent services
• Coordinated, coherent management
Storage Virtualization
■ VSAN
A virtual storage area network (VSAN) is a collection of ports from a set of connected Fibre Channel switches that form a virtual fabric. Ports within a single switch can be partitioned into multiple VSANs, despite sharing hardware resources. Conversely, multiple switches can join a number of ports to form a single VSAN.
■ NPIV
N_Port ID Virtualization or NPIV is a Fibre Channel facility allowing multiple N_Port IDs to share a single physical N_Port. This allows multiple Fibre Channel initiators to occupy a single physical port, easing hardware requirements in Storage Area Network design, especially where virtual SANs are called for.
Addressing the Data Center Security Challenges
Hierarchical network design
■ Hierarchical network design consists of the following layers:
- Core
- Aggregation / Services
- Access / Virtual Access
■ Infrastructure security features must be enabled to protect the device, data plane and control plane.
■ Device virtualization provides control, data and management plane segmentation.
Each layer needs to be secured individually to achieve a Defense-in-Depth security mechanism.
Core Layer
■ DDoS Detection and Mitigation
■ Routing Protocol authentication
■ Route filtering
■ Log neighbor changes
■ ACL for Anti-Spoofing and RFC1918 Addresses
Aggregation Layer
■ Stateful Packet Filtering
- Initial filter for all DC ingress and egress traffic
- Cisco ASA 5500: 10G stateful packet filtering, deep packet inspection
■ Virtual Contexts allow correlation to Nexus VDC
■ VPN
- IPSec Site-to-Site / Remote Access
- SSL
Services Layer
■ Server Load Balancing
- Server Load Balancing masks servers and applications.
■ Additional Firewall Services for Server-Farm specific protection
■ Application Firewall
- Application Firewall mitigates XSS, HTTP, SQL, XML based attacks.
■ Network Intrusion Prevention
- IPS/IDS: Provides traffic analysis and forensics.
■ Flow Based Traffic Analysis
- Network Analysis for traffic monitoring and data analysis.
Access Layer
■ Enhanced Layer 2 Security
- Access Control Lists
- Dynamic ARP Inspection
- DHCP Snooping
- IP Source Guard
- Port Security
- Private VLANs
- STP Extensions
- Layer 2 Storm Control
- Hardware Rate-Limiters
■ Layer 2 Flow Monitoring
- NetFlow, SPAN, ERSPAN, ACL Logs
Virtual Access Layer
■ Virtualization security
- The Cisco Virtual Security Gateway (VSG) works with Cisco Nexus 1000V switches to provide zone-based and policy-driven security at the virtual machine level, extending existing security policies into virtual and cloud environments. The Cisco Nexus 1000V adds additional security and monitoring capabilities at the access layer, including PVLAN, IP Source Guard, DHCP Snooping, ARP inspection, and NetFlow.
■ Endpoint security
- Host intrusion prevention protects servers against zero-day attacks.
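The Access Layer and Virtual Access Layer slides both list DHCP Snooping, Dynamic ARP Inspection and IP Source Guard without showing how they depend on one another. The following is an added illustration, not code from the slides or from Cisco: a toy switch model in which snooping builds the IP/MAC/port binding table from DHCP replies seen only on trusted ports, and the other two features enforce that table. Port names, addresses and the scenario are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class AccessSwitch:
    """Toy model of one access switch; ports are plain strings (constructed names)."""
    trusted_ports: set                             # uplinks toward the real DHCP server
    bindings: dict = field(default_factory=dict)   # client port -> (ip, mac) learned by snooping
    events: list = field(default_factory=list)     # what the switch would send to syslog

    def dhcp_server_reply(self, in_port, client_port, ip, mac):
        """DHCP Snooping: OFFER/ACK messages are only believed from trusted ports;
        a reply seen on an untrusted port is a rogue DHCP server and is dropped."""
        if in_port not in self.trusted_ports:
            self.events.append(f"DHCP_SNOOPING rogue server reply dropped on {in_port}")
            return False
        self.bindings[client_port] = (ip, mac)     # binding table entry for the client port
        return True

    def _matches_binding(self, port, ip, mac):
        return port in self.trusted_ports or self.bindings.get(port) == (ip, mac)

    def forward_ip(self, port, src_ip, src_mac):
        """IP Source Guard: an untrusted port may only source IP traffic from its binding."""
        if self._matches_binding(port, src_ip, src_mac):
            return True
        self.events.append(f"IP_SOURCE_GUARD dropped {src_ip}/{src_mac} on {port}")
        return False

    def forward_arp(self, port, sender_ip, sender_mac):
        """Dynamic ARP Inspection: sender IP/MAC in ARP on an untrusted port must match."""
        if self._matches_binding(port, sender_ip, sender_mac):
            return True
        self.events.append(f"DAI dropped ARP claiming {sender_ip}/{sender_mac} on {port}")
        return False

def demo():
    """Constructed scenario: one trusted uplink, two server ports, one rogue reply."""
    sw = AccessSwitch(trusted_ports={"Gi1/0/48"})
    sw.dhcp_server_reply("Gi1/0/48", "Gi1/0/1", "10.1.1.10", "00:11:22:33:44:01")
    sw.dhcp_server_reply("Gi1/0/48", "Gi1/0/2", "10.1.1.11", "00:11:22:33:44:02")
    results = [
        sw.dhcp_server_reply("Gi1/0/2", "Gi1/0/1", "10.1.1.99", "00:11:22:33:44:01"),  # rogue DHCP
        sw.forward_ip("Gi1/0/1", "10.1.1.10", "00:11:22:33:44:01"),   # matches binding
        sw.forward_ip("Gi1/0/1", "10.1.1.11", "00:11:22:33:44:01"),   # spoofs the neighbour's IP
        sw.forward_arp("Gi1/0/2", "10.1.1.1", "00:11:22:33:44:02"),   # claims the gateway's IP
        sw.forward_arp("Gi1/0/2", "10.1.1.11", "00:11:22:33:44:02"),  # matches binding
    ]
    return results, sw.events
```

The point for the defender is the ordering: with no trusted uplink or no snooping, the binding table stays empty and both IP Source Guard and DAI have nothing to enforce.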
Security Management
■ Management and monitoring tools can be used to manage and monitor the infrastructure security.
■ Events are sent out by Host IPS, Network IPS, Firewalls, LB, Routers and Switches in terms of Syslogs, NetFlow, SNMP traps and IPS alerts.
■ All events are sent to a central repository to perform Anomaly Detection, Event Correlation and Forensics Analysis.
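As an added example of the central-repository correlation the slide describes (not code from the slides or from any Cisco product): a normalizer for syslog-style lines from a firewall, a network IPS and a host IPS, and a correlation rule that flags a source address when several distinct device classes report it inside a time window, returning the matching events as a forensic timeline. The feed format, device names and addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed (syslog-style lines, not real device output). Each line:
# ISO timestamp, reporting device, device class, then key=value fields.
SAMPLE_FEED = """\
2011-10-05T09:15:01 fw-agg-1 firewall src=198.51.100.7 dst=10.20.0.5 dport=445 action=deny
2011-10-05T09:15:03 fw-agg-1 firewall src=198.51.100.7 dst=10.20.0.6 dport=445 action=deny
2011-10-05T09:15:09 ips-svc-1 nips src=198.51.100.7 dst=10.20.0.7 sig=smb-bruteforce action=alert
2011-10-05T09:16:40 hips-web-3 hips src=198.51.100.7 dst=10.20.0.7 action=blocked
2011-10-05T09:20:00 fw-agg-1 firewall src=203.0.113.9 dst=10.20.0.5 dport=80 action=permit
2011-10-05T11:05:00 ips-svc-1 nips src=203.0.113.9 dst=10.20.0.5 sig=http-scan action=alert
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")

def parse(feed):
    """Normalize each line into a dict: parsed timestamp, device, class, key=value fields."""
    events = []
    for line in feed.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # unknown format: skip, never guess fields
        ts, device, cls, rest = m.groups()
        ev = {"ts": datetime.fromisoformat(ts), "device": device, "class": cls}
        ev.update(kv.split("=", 1) for kv in rest.split() if "=" in kv)
        events.append(ev)
    return events

def correlate(events, window=timedelta(minutes=10), min_classes=2):
    """Flag a source IP when at least `min_classes` distinct device classes report
    it (permits excluded) within `window`; returns {src: [events]} for forensics."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if "src" in ev and ev.get("action") != "permit":
            by_src[ev["src"]].append(ev)
    incidents = {}
    for src, evs in by_src.items():
        for i, first in enumerate(evs):
            burst = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            if len({e["class"] for e in burst}) >= min_classes:
                incidents[src] = burst
                break
    return incidents

if __name__ == "__main__":
    for src, evs in correlate(parse(SAMPLE_FEED)).items():
        print(src, [(e["device"], e.get("action")) for e in evs])
```

Run stand-alone it reports only 198.51.100.7, seen by all three device classes within two minutes; the single IPS alert for 203.0.113.9 stays below the threshold and is left for manual review.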
Data Center Security Challenges
Thank you!
[email protected]
www.snt.ro