Virtualization in the Data Center and how to address Security Challenges
Sergiu ION - Networking & Security Solutions Sales Representative, S&T România

Agenda
■ About S&T
■ Transform your Business with Virtualization
■ Data Center Virtualization
■ Addressing the Data Center Security Challenges

About S&T (member of S&T Group)
■ A leading IT company active in 17 countries
■ About 1,400 employees
■ #1 Consulting Service Provider in CEE (Gartner, July 2009)
■ Among the top 5 in most of its countries
■ Uses the potential of growth markets
■ 2011: Quanmax AG and grosso holding GmbH are the new majority shareholders; new management and supervisory board
■ We integrate best-of-breed infrastructure solutions: Enterprise Computing, Enterprise Storage, Information Management, Networks & Security
■ Industries served: Manufacturing, Trade, Financial Services, Telecom, Utilities, Government

Transform your Business with Virtualization
www.snt.ro

What is Virtualization?
Virtualization is the pooling and abstraction of resources and services in a way that masks the physical nature and boundaries of those resources and services from their users.
http://www.gartner.com/DisplayDocument?id=399577
■ If you can see it and it is there – it's real
■ If you can't see it but it is there – it's transparent
■ If you can see it and it is not there – it's virtual
■ If you can not see it and it is not there – it's gone

Virtualization is … well, not exactly new
■ Nothing new! The concept was known to mainframes back in the '70s
■ Virtualization is not a new concept: mainframes of the '70s were underutilized and over-engineered
http://www-07.ibm.com/systems/my/z/about/timeline/1970/

Data Center and Network Evolution
■ Data Center 1.0: Mainframe – centralized
■ Data Center 2.0: Client-Server and Distributed Computing – decentralized
■ Data Center 3.0: Service Oriented and Web 2.0 based – virtualized (Consolidate, Virtualize, Automate)
(figure axes: IT relevance and control vs. application architecture evolution)

Cisco Data Center products
■ Ethernet Networking: Nexus 7000, Nexus 5K/4K/2K/1K, Catalyst 6500 Series, Catalyst 4900 Top-of-Rack
■ Application Network Services: ACE Application Delivery (module and appliance), Wide-Area Application Services, ACE XML Gateway
■ Data Center Security: Firewall SM, Web Application Firewall, IDS SM
■ Data Center Provisioning and Management: Data Center Network Manager (topology visualization and provisioning), ANM (Advanced L4-7 Services Module Management)
■ Infiniband Clustering: SFS 7000 Infiniband Switch, SFS 3000 Infiniband Gateway
■ Storage Networking: MDS 9500 Storage Directors, MDS Fabric Switches
■ Data Center Networking: Nexus 7000 Modular Switching System, Blade Switches, Nexus 5000 Rack Switch (Unified Fabric ready), Nexus 1000v VN-Link Switch, Unified Computing System

Four Drivers Behind Virtualization

Virtualization in the Data Center

Data Center Virtualization

Network Virtualization
■ Overlay of logical topologies (1:N)
■ One physical network supports N virtual networks

Network Virtualization
■ Device Partitioning
  › One to many devices
  › Primary use case is infrastructure reduction
  › Increases service agility & flexibility
  › Improves asset utilization
  › Examples: VLAN, VRF, VSAN, VDC, Firewall Context, LB Context, Hypervisor
■ Virtualized Interconnect
  › Primary use case is link consolidation
  › Logical tenant isolation
  › Examples: 802.1q, VPN, MPLS, Unified I/O FCoE
■ Device Pooling
  › Many to one device
  › Primary use case is maximum availability & density
  › Reduces the management plane
  › Examples: VSS, vPC, GSLB, FHRP

Network Virtualization
■ Network virtualization is key for path isolation and policy control
■ Provides control plane and data plane separation

Compute Virtualization
■ A single physical server hosting multiple independent Guest OS + application(s)
■ The hypervisor abstracts the physical hardware from the Guest OS and application
■ Partitions system resources: RAM, CPU, disk, etc.

Server Deployment Scale
(figure: each server adds its own software switch and management instance)

Simplifying the Data Center
(build slide around a Mgmt Server)
■ A cohesive solution
■ Embed management
■ Unify fabrics
■ Optimize virtualization
■ Remove unnecessary switches, adapters and management modules

Cisco Unified Computing System
■ UCS
  › Scalable compute platform
  › Integrated virtualization
  › Natural aggregation point: the network
  › Unified embedded management, embedded on the network controller
  › Wire once: I/O on demand (LAN, SAN, IPC)
■ Efficient Scale
  › Cisco network & services scale
  › Fewer servers with more memory
  › Lower cost: fewer servers, switches, adapters, cables
  › Lower power consumption
■ Single Integrated System: Network + Compute Virtualization
(figure: SAN A, LAN, Mgmt and SAN B fabrics; eight groups of 5 x 8 = 40 servers, 320 total)

Dynamic Management
■ Server profiles abstract server characteristics from the physical server hardware
■ Pre-defined and pre-created server identities
  › Default is the shipped hardware
  › Stored in the switch
■ Server profile contents (figure): Server Name, UUID, MAC, WWN, Boot info, Firmware, LAN Config, SAN Config
■ Run-time association: a profile is "associated" with a physical server, manually or policy-driven

Stateless Computing
■ Server attributes are no longer tied to the physical hardware – not just identity, but SAN and LAN configuration as well
■ Seamless server mobility within the switch domain
■ Network boot (LAN or SAN): boot order and devices are part of the server profile
■ Example profile from the figure:
  › Server Name: LS-A
  › UUID: 56 4d cd 3f 59 5b 61…
  › MAC: 08:00:69:02:01:FC
  › WWN: 5080020000075740
  › Boot Order: SAN, LAN
  › Physical servers shown: Chassis-1/Blade-5, Chassis-9/Blade-2
■ Local disks can be used for temp, swap, etc.; scrubbed between uses (optional)

What Happens When We Mix Network and Server Virtualization?
■ Typically provisioned as a trunk to the server running ESX
■ No visibility into the individual traffic from each VM
■ Unable to troubleshoot, apply policy, or address performance issues

VN-Link Brings VM Level Granularity
(figure: VMotion of a VM on VLAN 101 between hosts attached to Cisco VN-Link switches)
Problems:
• VMotion may move VMs across physical ports – policy must follow
• Impossible to view or apply policy to locally switched traffic
• Cannot correlate traffic on physical links coming from multiple VMs
VN-Link:
• Extends the network to the VM
• Consistent services
• Coordinated, coherent management

Storage Virtualization
■ VSAN
  A virtual storage area network (VSAN) is a collection of ports from a set of connected Fibre Channel switches that form a virtual fabric. Ports within a single switch can be partitioned into multiple VSANs, despite sharing hardware resources. Conversely, multiple switches can join a number of ports to form a single VSAN.
■ NPIV
  N_Port ID Virtualization (NPIV) is a Fibre Channel facility allowing multiple N_Port IDs to share a single physical N_Port. This allows multiple Fibre Channel initiators to occupy a single physical port, easing hardware requirements in Storage Area Network design, especially where virtual SANs are called for.
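The device-partitioning slides above state that a VRF gives each tenant its own routing table on one physical device, and that network virtualization is what provides path isolation. The following is an added example (not code from the deck or from any Cisco product) that models that mechanism: every interface is bound to one VRF, a lookup only ever consults that VRF's table, and a route pointing at another tenant's interface is refused. The interface names, VRF names and the overlapping 10.0.0.0/24 addressing are constructed.

```python
"""VRF-style path isolation on one physical router (constructed model).

Added example, not the deck's or Cisco's code. One box, N virtual routing
tables: the ingress interface selects the tenant's VRF, the lookup never
falls back to another tenant's table, and two tenants can reuse the same
RFC 1918 space without ever seeing each other's routes.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network


@dataclass
class Vrf:
    name: str
    routes: List[Tuple[Net, str]] = field(default_factory=list)  # (prefix, egress interface)

    def add_route(self, prefix: str, egress_if: str) -> None:
        self.routes.append((ipaddress.ip_network(prefix), egress_if))

    def lookup(self, dst: str) -> Optional[str]:
        """Longest-prefix match inside this VRF only; None means 'no route'."""
        addr = ipaddress.ip_address(dst)
        best: Optional[Tuple[Net, str]] = None
        for prefix, egress_if in self.routes:
            if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, egress_if)
        return best[1] if best else None


class PartitionedRouter:
    """One physical device partitioned into many VRFs (one-to-many)."""

    def __init__(self) -> None:
        self.vrfs: Dict[str, Vrf] = {}
        self.if_to_vrf: Dict[str, str] = {}  # each interface belongs to exactly one VRF

    def add_vrf(self, name: str) -> Vrf:
        self.vrfs[name] = Vrf(name)
        return self.vrfs[name]

    def bind_interface(self, ifname: str, vrf: str) -> None:
        if vrf not in self.vrfs:
            raise KeyError(f"unknown VRF {vrf}")
        self.if_to_vrf[ifname] = vrf

    def forward(self, ingress_if: str, dst: str) -> Optional[str]:
        """Return the egress interface, or None if the packet is dropped."""
        vrf_name = self.if_to_vrf.get(ingress_if)
        if vrf_name is None:
            return None  # unbound interface: drop rather than guess a table
        egress = self.vrfs[vrf_name].lookup(dst)
        if egress is None:
            return None  # no route in this tenant's table, even if another VRF has one
        if self.if_to_vrf.get(egress) != vrf_name:
            return None  # route would leak into another tenant's interface: refuse it
        return egress


def build_demo_router() -> PartitionedRouter:
    """Two tenants, RED and BLUE, both numbered out of 10.0.0.0/24 (constructed)."""
    r = PartitionedRouter()
    red, blue = r.add_vrf("RED"), r.add_vrf("BLUE")
    for ifname, vrf in (("Gi1/1", "RED"), ("Gi1/2", "RED"), ("Gi2/1", "BLUE"), ("Gi2/2", "BLUE")):
        r.bind_interface(ifname, vrf)
    red.add_route("10.0.0.0/24", "Gi1/1")
    red.add_route("10.0.1.0/24", "Gi1/2")
    blue.add_route("10.0.0.0/24", "Gi2/1")
    blue.add_route("0.0.0.0/0", "Gi2/2")  # BLUE has a default route; RED deliberately does not
    return r


if __name__ == "__main__":
    r = build_demo_router()
    print("RED  -> 10.0.0.5  :", r.forward("Gi1/2", "10.0.0.5"))    # Gi1/1
    print("BLUE -> 10.0.0.5  :", r.forward("Gi2/2", "10.0.0.5"))    # Gi2/1, same address, other tenant
    print("RED  -> 192.0.2.1 :", r.forward("Gi1/2", "192.0.2.1"))   # None: RED has no route
    print("BLUE -> 192.0.2.1 :", r.forward("Gi2/1", "192.0.2.1"))   # Gi2/2 via BLUE's default
```

The check in `forward` that rejects a route whose egress interface belongs to a different VRF is the part a practitioner should look for on real gear: deliberate route leaking between VRFs is a configuration decision, and an unintended one silently collapses the isolation the slides promise.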
Addressing the Data Center Security Challenges

Hierarchical network design
■ Hierarchical network design consists of the following layers:
  - Core
  - Aggregation / Services
  - Access / Virtual Access
■ Infrastructure security features must be enabled to protect the device itself, the data plane and the control plane.
■ Device virtualization provides control, data and management plane segmentation.
■ Each layer needs to be secured individually to achieve a Defense-in-Depth security mechanism.

Core Layer
■ DDoS detection and mitigation
■ Routing protocol authentication
■ Route filtering
■ Log neighbor changes
■ ACLs for anti-spoofing and RFC 1918 addresses: drop inbound packets whose source is an RFC 1918 prefix or one of the data center's own prefixes, and drop outbound packets whose source is not one of the data center's own prefixes.

Aggregation Layer
■ Stateful Packet Filtering
  - Initial filter for all DC ingress and egress traffic
  - Cisco ASA 5500: 10G stateful packet filtering, deep packet inspection
■ Virtual contexts allow correlation to Nexus VDCs
■ VPN
  - IPsec site-to-site / remote access
  - SSL

Services Layer
■ Server Load Balancing
  - Server load balancing masks the servers and applications behind it.
■ Additional firewall services for server-farm-specific protection
■ Application Firewall
  - The application firewall mitigates XSS, HTTP, SQL and XML based attacks.
■ Network Intrusion Prevention
  - IPS/IDS: provides traffic analysis and forensics.
■ Flow Based Traffic Analysis
  - Network analysis for traffic monitoring and data analysis.

Access Layer
■ Enhanced Layer 2 Security
  - Access Control Lists
  - Dynamic ARP Inspection
  - DHCP Snooping
  - IP Source Guard
  - Port Security
  - Private VLANs
  - STP Extensions
  - Layer 2 Storm Control
  - Hardware Rate-Limiters
■ Layer 2 Flow Monitoring
  - NetFlow, SPAN, ERSPAN, ACL Logs

Virtual Access Layer
■ Virtualization security
  - The Cisco Virtual Security Gateway (VSG) works with Cisco Nexus 1000V switches to provide zone-based and policy-driven security at the virtual machine level, extending existing security policies into virtual and cloud environments.
  - The Cisco Nexus 1000V adds security and monitoring capabilities at the access layer, including PVLAN, IP Source Guard, DHCP Snooping, ARP inspection, and NetFlow.
  - Locally switched VM-to-VM traffic never reaches the physical access switch, so these Layer 2 protections have to be enforced in the virtual switch itself.
■ Endpoint security
  - Host intrusion prevention protects servers against zero-day attacks.

Security Management
■ Management and monitoring tools are used to manage and monitor the infrastructure security.
■ Events are sent by Host IPS, Network IPS, firewalls, load balancers, routers and switches as Syslog, NetFlow, SNMP traps and IPS alerts.
■ All events are sent to a central repository to perform anomaly detection, event correlation and forensic analysis.

Data Center Security Challenges

Thank you!
[email protected]
www.snt.ro
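The Access Layer and Virtual Access Layer slides list DHCP Snooping, Dynamic ARP Inspection and IP Source Guard without saying how they fit together. The following is an added example (not code from the deck, nor Cisco's implementation) that models the mechanism: DHCP snooping only trusts server replies on trusted ports and records a binding of (VLAN, IP, MAC, port) for each lease it sees; DAI and IP Source Guard then drop ARP and IP traffic on untrusted ports that does not match a binding. Port names, VLAN number, MAC and IP addresses and the frame sequence are constructed.

```python
"""DHCP snooping binding table feeding DAI and IP Source Guard (constructed model).

Added example, not the deck's or Cisco's code. Models the access-layer (or
Nexus 1000V virtual access) behaviour: server-side DHCP messages are only
accepted from trusted ports, each ACK creates a binding for the requesting
client, and ARP / IP traffic on untrusted ports must match that binding.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Binding:
    vlan: int
    ip: str
    mac: str
    port: str


class AccessSwitch:
    SERVER_MSGS = {"OFFER", "ACK", "NAK"}

    def __init__(self, trusted_ports: List[str]) -> None:
        self.trusted = set(trusted_ports)
        self.pending: Dict[Tuple[int, str], str] = {}       # (vlan, client MAC) -> port
        self.bindings: Dict[Tuple[int, str], Binding] = {}  # (vlan, IP) -> binding
        self.log: List[str] = []

    def _drop(self, feature: str, why: str) -> bool:
        self.log.append(f"{feature}: drop ({why})")
        return False

    def dhcp(self, port: str, vlan: int, msg: str, src_mac: str,
             chaddr: str, yiaddr: Optional[str] = None) -> bool:
        """DHCP snooping. Returns True if the message is forwarded."""
        if msg in self.SERVER_MSGS:
            if port not in self.trusted:
                return self._drop("DHCP-SNOOPING", f"rogue {msg} on untrusted {port}")
            if msg == "ACK":
                client_port = self.pending.get((vlan, chaddr))
                if client_port is None or yiaddr is None:
                    return self._drop("DHCP-SNOOPING", f"ACK for unknown client {chaddr}")
                self.bindings[(vlan, yiaddr)] = Binding(vlan, yiaddr, chaddr, client_port)
            return True
        # Client messages (DISCOVER/REQUEST/RELEASE). On untrusted ports the DHCP
        # client hardware address must equal the frame's source MAC, otherwise a
        # host could obtain a binding for someone else's MAC on its own port.
        if port not in self.trusted and chaddr != src_mac:
            return self._drop("DHCP-SNOOPING", f"chaddr {chaddr} != source MAC {src_mac}")
        self.pending[(vlan, chaddr)] = port
        if msg == "RELEASE":
            self.bindings = {k: b for k, b in self.bindings.items()
                             if not (b.vlan == vlan and b.mac == chaddr)}
        return True

    def _bound(self, feature: str, port: str, vlan: int, ip: str, mac: str) -> bool:
        if port in self.trusted:
            return True  # trusted ports (uplinks, DHCP server ports) are not inspected
        b = self.bindings.get((vlan, ip))
        if b is None or b.mac != mac or b.port != port:
            return self._drop(feature, f"{ip}/{mac} on {port} has no matching binding")
        return True

    def arp(self, port: str, vlan: int, sender_ip: str, sender_mac: str) -> bool:
        """Dynamic ARP Inspection: applies to ARP requests and replies alike."""
        return self._bound("DAI", port, vlan, sender_ip, sender_mac)

    def ip_packet(self, port: str, vlan: int, src_ip: str, src_mac: str) -> bool:
        """IP Source Guard, IP + MAC filtering mode."""
        return self._bound("IP-SOURCE-GUARD", port, vlan, src_ip, src_mac)


VM1, VM2, SERVER = "00:50:56:01:00:01", "00:50:56:01:00:02", "00:50:56:ff:ff:ff"  # constructed


def run_demo() -> Dict[str, bool]:
    """Two VMs on VLAN 101; VM2 then tries the classic Layer 2 attacks."""
    sw = AccessSwitch(trusted_ports=["Uplink1"])
    v: Dict[str, bool] = {}
    sw.dhcp("Veth1", 101, "REQUEST", VM1, VM1)
    sw.dhcp("Uplink1", 101, "ACK", SERVER, VM1, yiaddr="10.1.1.10")
    sw.dhcp("Veth2", 101, "REQUEST", VM2, VM2)
    sw.dhcp("Uplink1", 101, "ACK", SERVER, VM2, yiaddr="10.1.1.11")
    v["vm1_arp_ok"] = sw.arp("Veth1", 101, "10.1.1.10", VM1)
    v["vm1_ip_ok"] = sw.ip_packet("Veth1", 101, "10.1.1.10", VM1)
    v["vm2_gw_spoof"] = sw.arp("Veth2", 101, "10.1.1.1", VM2)              # claims the gateway IP
    v["vm2_ip_spoof"] = sw.ip_packet("Veth2", 101, "10.1.1.10", VM2)       # uses VM1's IP
    v["vm2_rogue_offer"] = sw.dhcp("Veth2", 101, "OFFER", VM2, VM1, yiaddr="10.1.1.50")
    v["vm2_forged_request"] = sw.dhcp("Veth2", 101, "REQUEST", VM2, VM1)  # chaddr is VM1's
    v["uplink_arp_ok"] = sw.arp("Uplink1", 101, "10.1.1.1", "00:50:56:00:00:01")
    return v


if __name__ == "__main__":
    for name, forwarded in run_demo().items():
        print(f"{name:20s} {'forwarded' if forwarded else 'dropped'}")
```

The point to take from the model is the dependency chain: DAI and IP Source Guard are only as good as the binding table, so a port that is wrongly marked trusted, or a switch that accepts a DHCP request whose chaddr does not match the source MAC, undermines both of them at once.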
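The Security Management slide says that Syslog, NetFlow, SNMP traps and IPS alerts go to a central repository for anomaly detection, event correlation and forensics, but shows none of that logic. The following is an added example (not code from the deck or from any Cisco management product) that does it in miniature: it normalises lines from different devices into one event shape and applies three cross-source rules. The ASA deny (%ASA-4-106023) and OSPF adjacency (%OSPF-5-ADJCHG) lines follow the real ASA/IOS message formats; the IPS alert and NetFlow text lines are an assumed export format. Every sample line, hostname and address is constructed.

```python
"""Central event correlation over Syslog, IPS and NetFlow feeds (added example).

Not the deck's or Cisco's code. Three rules a SOC would run over the central
repository described on the Security Management slide:
  1. one source denied on many distinct ports within a short window -> port scan
  2. an IPS alert whose source afterwards completes a flow to the target -> escalate
  3. a core routing adjacency going down (the Core Layer "log neighbor changes" item)
IPS and NetFlow line formats are assumptions; ASA and OSPF lines use the real formats.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

SAMPLE_LINES = [  # constructed
    '2011-05-10 10:00:01 asa-dc-1 %ASA-4-106023: Deny tcp src outside:203.0.113.7/51234 dst dmz:10.10.20.5/21 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    '2011-05-10 10:00:02 asa-dc-1 %ASA-4-106023: Deny tcp src outside:203.0.113.7/51235 dst dmz:10.10.20.5/22 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    '2011-05-10 10:00:03 asa-dc-1 %ASA-4-106023: Deny tcp src outside:203.0.113.7/51236 dst dmz:10.10.20.5/23 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    '2011-05-10 10:00:05 asa-dc-1 %ASA-4-106023: Deny tcp src outside:203.0.113.7/51237 dst dmz:10.10.20.5/25 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    '2011-05-10 10:00:09 asa-dc-1 %ASA-4-106023: Deny tcp src outside:203.0.113.7/51238 dst dmz:10.10.20.5/3389 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    '2011-05-10 10:00:30 ips-dc-1 IPS alert sig=EXAMPLE-SIG sev=high src=203.0.113.7 dst=10.10.20.5 msg="web server exploit attempt"',
    '2011-05-10 10:00:32 nexus-dc-1 netflow proto=tcp src=203.0.113.7 dst=10.10.20.5 dport=443 bytes=18432',
    '2011-05-10 10:02:00 core-dc-1 %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.2 on TenGigabitEthernet1/1 from FULL to DOWN, Neighbor Down: Dead timer expired',
    '2011-05-10 10:03:00 asa-dc-1 %ASA-4-106023: Deny tcp src outside:198.51.100.9/40000 dst dmz:10.10.20.5/80 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    'this line is in no known format and must be skipped rather than crash the pipeline',
]

TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<dev>\S+) "
PATTERNS = {
    "fw_deny": re.compile(TS + r"%ASA-4-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/\d+ dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"),
    "ips_alert": re.compile(TS + r"IPS alert sig=(?P<sig>\S+) sev=(?P<sev>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)"),
    "flow": re.compile(TS + r"netflow proto=(?P<proto>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)"),
    "ospf_adj": re.compile(TS + r"%OSPF-5-ADJCHG: Process \d+, Nbr (?P<nbr>[\d.]+) on (?P<intf>\S+) from (?P<old>\w+) to (?P<new>\w+)"),
}


@dataclass
class Event:
    ts: datetime
    dev: str
    kind: str
    fields: Dict[str, str] = field(default_factory=dict)


def parse_line(line: str) -> Optional[Event]:
    """Normalise one raw line; unknown formats return None instead of raising."""
    for kind, rx in PATTERNS.items():
        m = rx.match(line)
        if m:
            f = m.groupdict()
            ts = datetime.strptime(f.pop("ts"), "%Y-%m-%d %H:%M:%S")
            return Event(ts, f.pop("dev"), kind, f)
    return None


def parse_lines(lines: List[str]) -> List[Event]:
    return sorted((e for e in map(parse_line, lines) if e), key=lambda e: e.ts)


def correlate(events: List[Event], scan_ports: int = 5,
              window: timedelta = timedelta(seconds=60)) -> List[Dict[str, str]]:
    findings: List[Dict[str, str]] = []
    # Rule 1: a single source denied on >= scan_ports distinct ports inside the window.
    denies = [e for e in events if e.kind == "fw_deny"]
    for src in sorted({e.fields["src"] for e in denies}):
        mine = [e for e in denies if e.fields["src"] == src]
        for i, first in enumerate(mine):
            ports = {e.fields["dport"] for e in mine[i:] if e.ts - first.ts <= window}
            if len(ports) >= scan_ports:
                findings.append({"rule": "port-scan", "src": src, "ports": ",".join(sorted(ports, key=int))})
                break
    # Rule 2: IPS alert confirmed by a later flow from the same source to the same target.
    flows = [e for e in events if e.kind == "flow"]
    for a in (e for e in events if e.kind == "ips_alert"):
        for fl in flows:
            if ((fl.fields["src"], fl.fields["dst"]) == (a.fields["src"], a.fields["dst"])
                    and fl.ts >= a.ts and int(fl.fields["bytes"]) > 0):
                findings.append({"rule": "ips-alert-with-flow", "src": a.fields["src"],
                                 "dst": a.fields["dst"], "sig": a.fields["sig"]})
                break
    # Rule 3: control-plane event from the core layer.
    for e in events:
        if e.kind == "ospf_adj" and e.fields["new"] == "DOWN":
            findings.append({"rule": "routing-adjacency-down", "dev": e.dev,
                             "nbr": e.fields["nbr"], "intf": e.fields["intf"]})
    return findings


def run_demo() -> List[Dict[str, str]]:
    return correlate(parse_lines(SAMPLE_LINES))


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Rule 2 is the one that needs more than one feed: the firewall and IPS alone say "something was attempted", the NetFlow record from the Nexus says "and a session to the target was actually completed afterwards", which is what turns an alert into an incident worth escalating.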