Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Data Center Security Deep Dive Wednesday, March 23, 2011
Per Hagen, Technical Marketing Engineer
March 23, 2011
New Trends Drive New Security Realities
(Timeline figure, 2000 to 2015)
• Openness: Secure Access for Mobile Users, Partners, Outsourcers
• Virtualization: Consolidation; Optimization; Agility
• Cloud Computing: On Demand Capacity; Global Reach
• Scale and Simplicity: Capacity and Operations Scaling with the Business
Continue to Enable the Secure Borderless Enterprise
(Figure: Firewall and Remote Access)
• Secure the Virtualized Data Center
• Enable High Performance Data Centers
• Deliver on Converged Client Strategy
• Deliver Next Generation Remote Access
Drivers: Globalization, Mobility, Enterprise SaaS, Data Loss Threats, Collaboration, Acceptable Use
Memory Unlock
Increased Scalability
ASA 5580 and ASA 5585-X
(Chart: Maximum Concurrent Sessions (Millions), ASA 8.3 (32-bit) vs ASA 8.4 (64-bit): 5x increase)
(Chart: Maximum Security Contexts, ASA 8.3 (32-bit) vs ASA 8.4 (64-bit): 5x increase)
Maximum Connections Per Second
(Chart, thousand connections per second: Competitor A 60; Competitor B 175; ASA 5585 SSP-60 350)
Device   | Sessions (8.3) | Sessions (8.4) | Contexts (8.3) | Contexts (8.4) | VLANs (8.3) | VLANs (8.4)
5550     | 650K           | 650K           | 50             | 100            | 250         | 400
5580-20  | 1M             | 2M             | 50             | 250            | 250         | 1024
5580-40  | 2M             | 4M             | 50             | 250            | 250         | 1024
SSP-10   | 750K           | 1M             | 50             | 100            | 250         | 1024
SSP-20   | 1M             | 2M             | 50             | 250            | 250         | 1024
SSP-40   | 2M             | 4M             | 50             | 250            | 250         | 1024
SSP-60   | 2M             | 10M            | 50             | 250            | 250         | 1024
• Grouping of multiple physical interfaces
• Supports the LACP / IEEE 802.3ad standard
• 8 active and 8 standby links
• Treated like physical and logical interfaces on the ASA
• Better integration with Cat6K VSS and N7K vPC
(Figure: Core, Aggregation and Access tiers)
• Active and Passive: negotiated by LACP
• Mode On: static (no LACP)
• VLAN interfaces can be built on top of a Port-channel
• Supports all ASA modes
• Members share a MAC address
• Configurable hash algorithm; the default uses source and destination IP addresses
(Figure: VSS pair joined by the VSL, multi-chassis EtherChannel (MCEC) towards the switches, EtherChannel (EC) to the Active and Standby ASA)
(Figure: VSS on the left (VSL, MCEC, EC to the Active and Standby ASA) and vPC on the right (Peer Link, vPC, EC to the Active and Standby ASA))
ASDM / Command Line Interface
lacp system-priority 1234
interface GigabitEthernet0/0
 channel-group 1 mode active
interface GigabitEthernet0/1
 channel-group 1 mode active
interface GigabitEthernet0/2
 lacp port-priority 1234
 channel-group 1 mode passive
interface Port-channel1
 lacp max-bundle 4
 port-channel min-bundle 2
 port-channel load-balance dst-ip
 nameif etherchannel
 ip address 1.1.1.1 255.255.255.0
 security-level 100
ASDM / Command Line Interface
lacp system-priority 1234
interface GigabitEthernet0/0
 channel-group 1 mode active
interface GigabitEthernet0/1
 channel-group 1 mode active
interface GigabitEthernet0/2
 lacp port-priority 1234
 channel-group 1 mode passive
interface Port-channel1
interface Port-channel1.100
 vlan 100
interface Port-channel1.200
 vlan 200
(Figure: 10.1.1.0/24 on vlan 10 and on vlan 20, bridged through BVI 10.1.1.100)
• Bump in the wire
• VLANs belong to the same subnet
• Management IP address required
(Figure: 10.1.1.0/24 on vlan 10 and on vlan 20, management IP 10.1.1.100)
• 4 VLANs per bridge group
• 8 bridge groups per firewall (or security context)
(Figure: transparent virtual context, 8.4(1) versus prior to 8.4(1): Bridge Group 1 / BVI1 with vlan 10 to 13, Bridge Group 2 / BVI2 with vlan 14 to 17, up to Bridge Group 8 / BVI8)
(Figure: BVI1 bridging vlan 10, vlan 11 and vlan 13)
• Increases the number of supported VLANs
• Reduces the number of virtual contexts
• An L3 device is required to route between bridge groups (BGs)
• Interfaces cannot be shared across BGs
• VLAN interfaces can be built on top of a Port-channel
• BG ID: 1 to 100
• One IP address for each BVI is required
• Pre-8.4 configuration gets migrated to BG configuration
(Figure: Bridge Group 1 / BVI1 with vlan 10 to 13; Bridge Group 2 / BVI2 with vlan 14 to 17)
ASDM / Command Line Interface
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 bridge-group 1
interface GigabitEthernet0/1
 nameif outside
 security-level 10
 bridge-group 1
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 bridge-group 1
interface BVI1
 ip address 10.10.10.100 255.255.255.0
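The EtherChannel snippets and the bridge-group snippet above can be checked mechanically against the limits the deck quotes (8 active links per channel, 4 VLANs per bridge group, 8 bridge groups per firewall or context, bridge-group IDs 1 to 100, one IP address per BVI). The following Python script is an added example, not Cisco tooling and not part of the deck; it understands only the command forms shown on these slides (channel-group, lacp max-bundle, port-channel min-bundle, bridge-group, ip address under a BVI), and the sample configuration it runs on is constructed from the deck's snippets plus a deliberately over-subscribed bridge group 2 with no BVI2.

```python
"""Audit ASA EtherChannel and transparent-mode bridge-group configuration
against the limits quoted on the slides. Added example, not Cisco tooling;
only the command forms shown on the slides are parsed."""
import re
from collections import defaultdict

MAX_ACTIVE_LINKS = 8            # 8 active and 8 standby links per EtherChannel
MAX_VLANS_PER_BRIDGE_GROUP = 4  # 4 VLANs per bridge group
MAX_BRIDGE_GROUPS = 8           # 8 bridge groups per firewall or context
BRIDGE_GROUP_ID_RANGE = (1, 100)

# Constructed sample: the deck's port-channel and bridge-group snippets merged.
BASE_CONFIG = """\
lacp system-priority 1234
interface GigabitEthernet0/0
 channel-group 1 mode active
interface GigabitEthernet0/1
 channel-group 1 mode active
interface GigabitEthernet0/2
 channel-group 1 mode passive
interface Port-channel1
 lacp max-bundle 4
 port-channel min-bundle 2
 nameif etherchannel
interface GigabitEthernet 0/3
 bridge-group 1
interface GigabitEthernet 0/4
 bridge-group 1
interface BVI 1
 ip address 10.10.10.100 255.255.255.0
"""
# Five VLAN sub-interfaces in bridge group 2 (one over the limit) and no BVI2.
SAMPLE_CONFIG = BASE_CONFIG + "".join(
    f"interface GigabitEthernet0/5.{vlan}\n bridge-group 2\n" for vlan in range(10, 15))


def parse_interfaces(config_text):
    """Map each interface name (lower-cased, spaces removed, so 'BVI 1' and
    'BVI1' are the same key) to its list of indented sub-commands."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        if not raw.strip():
            continue
        header = re.match(r"interface\s+(.+)", raw, re.IGNORECASE)
        if header:
            current = header.group(1).replace(" ", "").lower()
            interfaces[current] = []
        elif raw[0].isspace() and current is not None:
            interfaces[current].append(raw.strip().lower())
        else:
            current = None  # global command such as 'lacp system-priority'
    return interfaces


def audit(config_text):
    """Return a list of findings; an empty list means the config is within limits."""
    interfaces = parse_interfaces(config_text)
    findings = []
    channel_members = defaultdict(list)  # channel-group id -> [(interface, mode)]
    bridge_members = defaultdict(list)   # bridge-group id -> [interface]
    for name, cmds in interfaces.items():
        for cmd in cmds:
            m = re.match(r"channel-group (\d+) mode (\w+)", cmd)
            if m:
                channel_members[int(m.group(1))].append((name, m.group(2)))
            m = re.match(r"bridge-group (\d+)", cmd)
            if m:
                bridge_members[int(m.group(1))].append(name)

    for group, ports in channel_members.items():
        pc = f"port-channel{group}"
        modes = {mode for _, mode in ports}
        if "on" in modes and modes & {"active", "passive"}:
            findings.append(f"{pc}: static 'on' members mixed with LACP members")
        limits = dict(re.findall(r"(max-bundle|min-bundle) (\d+)", " ".join(interfaces.get(pc, []))))
        max_b, min_b = limits.get("max-bundle"), limits.get("min-bundle")
        if max_b and int(max_b) > MAX_ACTIVE_LINKS:
            findings.append(f"{pc}: lacp max-bundle {max_b} exceeds {MAX_ACTIVE_LINKS} active links")
        if max_b and min_b and int(min_b) > int(max_b):
            findings.append(f"{pc}: min-bundle {min_b} is larger than max-bundle {max_b}")

    if len(bridge_members) > MAX_BRIDGE_GROUPS:
        findings.append(f"{len(bridge_members)} bridge groups, limit is {MAX_BRIDGE_GROUPS}")
    for bg, names in sorted(bridge_members.items()):
        if not BRIDGE_GROUP_ID_RANGE[0] <= bg <= BRIDGE_GROUP_ID_RANGE[1]:
            findings.append(f"bridge-group {bg}: ID outside 1-100")
        if len(names) > MAX_VLANS_PER_BRIDGE_GROUP:
            findings.append(f"bridge-group {bg}: {len(names)} VLAN interfaces, limit is {MAX_VLANS_PER_BRIDGE_GROUP}")
        if not any(c.startswith("ip address") for c in interfaces.get(f"bvi{bg}", [])):
            findings.append(f"bridge-group {bg}: BVI{bg} has no ip address")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)) or "no findings")
```

Run against the deck's own snippets (BASE_CONFIG) the audit is clean; the constructed bridge group 2 produces two findings, one for the fifth VLAN and one for the missing BVI address. Mixing a static "on" member with LACP members in one channel group is flagged because the two sides cannot negotiate, which matches the Active/Passive versus Mode On distinction on the slide.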
Syed Ghayur—Technical Marketing Engineer
March 23, 2011
Background (1000V)
Virtual Security Gateway (VSG) Overview
VSG Packet Flow
VSG Policy Model
Deployment Scenario
Use Case Example
Policy Configuration
Summary
(Figure: a Port Group shared between the Security Admin, the Network Admin and the Service Admin)
1. vMotion moves VMs across physical ports; the network policy must follow vMotion
2. Must view or apply network/security policy to locally switched traffic
3. Need to maintain segregation of duties while ensuring non-disruptive operations
(Figure: Nexus 1000V compared with a modular switch. VSM-1 and VSM-2 on a Nexus 1010 virtual appliance play the role of Supervisor-1 and Supervisor-2; VEM-1 to VEM-N on the ESX hosts play the role of Linecard-1 to Linecard-N; the VSM-to-VEM connection, in L2 mode or L3 mode, plays the role of the backplane. The Nexus 1010 hosts several VSMs, shown as VSM-A1 to VSM-A4 and VSM-B1 to VSM-B4.)
VSM: Virtual Supervisor Module
VEM: Virtual Ethernet Module
• 200+ vEth ports per VEM
• 64 VEMs per 1000V
• 2K vEths per 1000V
• Multiple 1000Vs can be created per vCenter
vPath—Virtual Service Datapath
(Figure: Nexus 1010 virtual appliance hosting vWAAS, VSG and VSM-1 to VSM-4; VEM-1 and VEM-2 on ESX hosts, each with vPath; VSM connectivity in L2 mode or L3 mode)
(Figure: the same layout with NAM and VSG instances added on the Nexus 1010)
*VSG on 1010 target: 2Q CY11
vPath: Virtual Service Datapath
VSG: Virtual Security Gateway for 1000V
vWAAS: Virtual WAAS
Virtual Firewall for Nexus 1000V
Virtual Security Gateway (VSG):
• Context Aware Security: VM context aware rules
• Zone-Based Control: establish zones of trust
• Dynamic, Agile: policies follow vMotion
• Best-in-Class Architecture: efficient, fast, scale-out SW
Virtual Network Management Center (VNMC):
• Non-Disruptive Operations: security team manages security
• Policy Based Administration: central mgmt, scalable deployment, multi-tenancy
• Designed for Automation: XML API, security profiles
• Deployment granularity depending on use case: Tenant, VDC, vApp
• Multi-instance deployment provides horizontal scale-out
(Figure: Virtual Network Management Center above vSphere, Nexus 1000V and vPath; Tenant A and Tenant B, VDC-1 and VDC-2, vApps)
Logical deployment like physical appliances
(Figure: VMs on a Nexus 1000V Distributed Virtual Switch with vPath; VSG; VNMC; Log/Audit)
• Secure Segmentation (VLAN agnostic)
• Efficient Deployment (secure multiple hosts)
• Transparent Insertion (topology agnostic)
• High Availability
• Dynamic policy-based provisioning
• Mobility aware (policies follow vMotion)
Intelligent Traffic Steering with vPath
(Figure: VMs on a Nexus 1000V Distributed Virtual Switch with vPath; VSG; VNMC; Log/Audit. Numbered callouts:)
1. Initial packet of a flow steered to the VSG
2. Flow Access Control (policy evaluation)
3. Decision Caching
4. Access Log (syslog)
Performance Acceleration with vPath
(Figure: same layout as above)
• Remaining packets from the flow: ACL offloaded to the Nexus 1000V (policy enforcement)
• Access Log (syslog)
• vPath is intelligence built into the Virtual Ethernet Module (VEM) of N1KV (1.4 and above)
• vPath has two main functions:
  a. Intelligent traffic steering to the VSG
  b. Offloading the processing from the VSG to the VEM
• Dynamic security policy provisioning (via security profile)
• vPath is multi-tenant aware
• Leveraging vPath enhances service performance by moving the processing to the hypervisor
(Figure: Nexus 1000V VEM with vPath)
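The steering and offload split described on the last three slides (first packet of a flow to the VSG, decision cached, remaining packets enforced in the VEM) can be modelled in a few dozen lines. The following Python is an added example, not Nexus 1000V or VSG code: the 5-tuple cache key, the LRU capacity handling, the explicit flush and the stand-in policy function are assumptions of this model, and the traffic it processes is constructed.

```python
"""Model of the vPath behaviour on the slides: the first packet of a flow is
steered to the VSG for policy evaluation, the decision is cached, and the
remaining packets of that flow are enforced in the VEM on the host. Added
example, not Nexus 1000V or VSG code; the 5-tuple cache key, the LRU
capacity handling and the explicit flush are assumptions of this model."""
from collections import OrderedDict


def policy_http_only(flow):
    """Hypothetical stand-in for the VSG slow path: permit TCP/80, drop the rest."""
    src, sport, dst, dport, proto = flow
    return "permit" if proto == "tcp" and dport == 80 else "drop"


class VPathModel:
    def __init__(self, slow_path, capacity=1024):
        self.slow_path = slow_path      # function(5-tuple) -> "permit" | "drop"
        self.capacity = capacity
        self.cache = OrderedDict()      # 5-tuple -> cached decision
        self.steered = 0                # packets that went to the VSG
        self.offloaded = 0              # packets decided from the cache

    def handle(self, packet):
        """Return the action for one packet and record which path served it."""
        key = (packet["src"], packet["sport"], packet["dst"], packet["dport"], packet["proto"])
        if key in self.cache:
            self.offloaded += 1
            self.cache.move_to_end(key)          # active flows stay resident
            return self.cache[key]
        self.steered += 1
        action = self.slow_path(key)
        self.cache[key] = action
        if len(self.cache) > self.capacity:
            self.cache.popitem(last=False)       # evict the least recently used flow
        return action

    def flush(self):
        """Drop every cached decision so each flow is re-evaluated on its next packet."""
        self.cache.clear()


def make_flow(src, sport, dst, dport, proto, packets):
    """Constructed traffic: the same 5-tuple repeated for a number of packets."""
    return [{"src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto}] * packets


def run_demo():
    """Two 10-packet flows: only 2 packets reach the VSG, the other 18 are offloaded."""
    model = VPathModel(policy_http_only)
    traffic = (make_flow("10.0.0.5", 40000, "10.0.1.10", 80, "tcp", 10)
               + make_flow("10.0.0.5", 40001, "10.0.1.10", 22, "tcp", 10))
    actions = [model.handle(p) for p in traffic]
    return {"steered": model.steered, "offloaded": model.offloaded,
            "permitted": actions.count("permit"), "dropped": actions.count("drop")}


def stale_decision_demo():
    """A cached decision outlives a policy change until the cache is flushed."""
    model = VPathModel(lambda flow: "permit")
    packet = make_flow("10.0.0.5", 40002, "10.0.1.10", 22, "tcp", 1)[0]
    before = model.handle(packet)          # evaluated by the permissive policy
    model.slow_path = lambda flow: "drop"  # policy tightened while the flow is live
    cached = model.handle(packet)          # still served from the cache
    model.flush()
    after = model.handle(packet)           # re-evaluated under the new policy
    return before, cached, after


if __name__ == "__main__":
    print(run_demo())
    print(stale_decision_demo())
```

The steered count equals the number of distinct flows, which is the whole point of the "remaining packets from flow" offload on the slides. The second demo is the caveat any flow cache carries: a decision made under the old policy keeps being applied until the cached flow ends or is invalidated, so a policy push has to reach the cache, not only the VSG. The deck does not describe how VSG handles that case; the flush here is the model's own.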
(Figure: VSG architecture. Components: ESX servers running Nexus 1000V with vPath, VMware vCenter, VSM, the VSG (VSN) and Virtual Network Management Center (VNMC). Labelled interactions: Security Profiles, Device Profiles, Port Profiles, VM Attributes, VM-to-IP Binding, Packets (Slow-Path), Packets (Fast-Path).)
(Figure: three vSphere hosts, each running a Cisco Nexus 1000V VEM with vPath, attached to the Data Center Network; VMs of Tenant A (Web Zone, App Zone) and Tenant B (Dev Zone, QA Zone); an Active VSG for Tenant A and an Active VSG for Tenant B on one host, Standby VSGs on another; 1000V VSM, VMware vCenter Server and Cisco Virtual Network Management Center Server)
(Figure: the same deployment as above)
• Security policies enforced on a shared compute environment
• vPath multitenant aware
• Active and standby VSGs on different physical hosts
(Figure: VMs of Tenant A (Web Zone, App Zone) and Tenant B (Dev Zone, QA Zone) on hosts with vPath; VSGs for A and B on separate hosts; 1000V VSM, VMware vCenter Server, Cisco Virtual Network Management Center Server, Data Center Network)
(Figure: as above, with Active VSGs and Standby VSGs on dedicated hosts)
• Dedicated servers to host VSG appliances
• Decouple the service from compute resources
• Easy to scale out with dedicated hosting of the service
Security Profile
  Policy Set
    Policy 1: Rule 1, Rule 2, … Rule N
    Policy 2: Rule 1, Rule 2, … Rule N
    Policy N: Rule 1, Rule 2, … Rule N
Rule is analogous to an ACE; Policy is analogous to an ACL
Rule = Source Condition + Destination Condition + Action
Condition = Attribute Type (Network, VM, Custom) + Operator + value
VM Attributes: Instance Name, Guest OS full name, Zone Name, Parent App Name, Port Profile Name, Cluster Name, Hypervisor Name
Network Attributes: IP Address, Network Port
Operators: eq, neq, gt, lt, range, not-in-range, prefix
Operators: member, not-member, contains
Policy: Content Hosting
(Figure: a Web Client outside; Web Servers in the Web-Zone, App Servers in the Application-Zone, DB Servers in the Database-Zone)
• Permit only port 80 (HTTP) of web servers
• Permit only port 22 (SSH) to application servers
• Only permit web servers access to application servers
• Only permit application servers access to database servers
• Block all external access to database servers
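The policy model from the earlier slides (rule = source condition + destination condition + action, policy = ordered rules like an ACL of ACEs, policy set = ordered policies, conditions built from VM or network attributes and the listed operators) and the Content Hosting use case above can be put together in a small evaluator. The following Python is an added example, not VSG or VNMC code: the matching semantics (first match wins, an empty condition list means "any" traffic, unmatched traffic gets a default action), the extra "management-access" policy and all endpoint attributes are constructed assumptions of the model.

```python
"""Model of the VSG policy objects from the slides: a rule is a source
condition, a destination condition and an action; a policy is an ordered list
of rules (an ACL of ACEs); a policy set is an ordered list of policies.
Added example, not VSG/VNMC code. First match wins, an empty condition list
matches any traffic, and unmatched traffic gets the default action: these
are assumptions of this model, not documented VSG semantics."""
import ipaddress

# Operators named on the slides, applied as (actual attribute value, rule value).
OPERATORS = {
    "eq": lambda a, v: a == v,
    "neq": lambda a, v: a != v,
    "gt": lambda a, v: a > v,
    "lt": lambda a, v: a < v,
    "range": lambda a, v: v[0] <= a <= v[1],
    "not-in-range": lambda a, v: not v[0] <= a <= v[1],
    "prefix": lambda a, v: ipaddress.ip_address(a) in ipaddress.ip_network(v),
    "member": lambda a, v: a in v,
    "not-member": lambda a, v: a not in v,
    "contains": lambda a, v: v in a,
}


def condition_matches(conditions, attrs):
    """Every (attribute, operator, value) triple must hold; [] means 'any'."""
    return all(attribute in attrs and OPERATORS[operator](attrs[attribute], value)
               for attribute, operator, value in conditions)


def evaluate(policy_set, src, dst, default="drop"):
    """Walk policies, then rules, in order; return the first matching action."""
    for policy in policy_set:
        for rule in policy["rules"]:
            if condition_matches(rule["src"], src) and condition_matches(rule["dst"], dst):
                return rule["action"]
    return default


# Constructed policy set. The first policy is a hypothetical management
# exception; the second encodes the Content Hosting rules from the slide.
POLICY_SET = [
    {"name": "management-access", "rules": [
        {"src": [("ip", "prefix", "10.250.0.0/24")],
         "dst": [("port", "member", {22, 3389})], "action": "permit"},
    ]},
    {"name": "content-hosting", "rules": [
        # Permit only port 80 (HTTP) of web servers, from anywhere.
        {"src": [], "dst": [("zone", "eq", "Web-Zone"), ("port", "eq", 80)],
         "action": "permit"},
        # Only web servers reach application servers, and only on port 22 (SSH).
        {"src": [("zone", "eq", "Web-Zone")],
         "dst": [("zone", "eq", "Application-Zone"), ("port", "eq", 22)],
         "action": "permit"},
        # Only application servers reach database servers ...
        {"src": [("zone", "eq", "Application-Zone")],
         "dst": [("zone", "eq", "Database-Zone")], "action": "permit"},
        # ... and all other access to database servers is blocked.
        {"src": [], "dst": [("zone", "eq", "Database-Zone")], "action": "drop"},
    ]},
]

# Constructed endpoints: 'zone' stands for the VM attribute Zone Name,
# 'ip' and 'port' for the network attributes IP Address and Network Port.
WEB_CLIENT = {"zone": "External", "ip": "203.0.113.5"}
ADMIN_HOST = {"zone": "External", "ip": "10.250.0.7"}
WEB_SERVER = {"zone": "Web-Zone", "ip": "10.0.1.10"}
APP_SERVER = {"zone": "Application-Zone", "ip": "10.0.2.10"}
DB_SERVER = {"zone": "Database-Zone", "ip": "10.0.3.10"}


def check(src, dst, port):
    """Decide a flow from src to dst on the given destination port."""
    return evaluate(POLICY_SET, src, dict(dst, port=port))


if __name__ == "__main__":
    for src, dst, port in [(WEB_CLIENT, WEB_SERVER, 80), (WEB_CLIENT, WEB_SERVER, 443),
                           (WEB_SERVER, APP_SERVER, 22), (WEB_CLIENT, APP_SERVER, 22),
                           (APP_SERVER, DB_SERVER, 3306), (WEB_SERVER, DB_SERVER, 3306),
                           (ADMIN_HOST, DB_SERVER, 22)]:
        print(f"{src['zone']:>16} -> {dst['zone']:<16} :{port:<5} {check(src, dst, port)}")
```

Because policies in the set are walked in order, the management policy placed first can permit what the Content Hosting policy would drop; that ordering is the same responsibility an ACL author has when placing ACEs, which is why the slide draws the rule/ACE and policy/ACL analogy. Zone membership is a VM attribute here, so a VM keeps its decision after vMotion without any IP-based rule being rewritten.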
(Figure: policy configuration workflow across VNMC, VSM and vCenter)
VNMC, using VM/network attributes:
• Define Zones
• Define Policy: create rules based on zones/network conditions
• Policy Set
• Create Security Profile: put the Policy Set in the Security Profile
• Assign Tenant VSG: assign the Security Profile to the tenant VSG
VSM (port profile protection): bind the Security Profile to the Port Profile
vCenter: Port Group
Steps: 1 Zones, 2 Policies, 3 Rules, 4 Conditions, 5 Policy Set, 6 Security Profile, 7 Assign VSG, 8 Profile Binding
Step 1, Zones: Policy Management > Firewall Policy > Tenant > Zones
Step 2, Policies: Policy Management > Firewall Policy > Tenant > Policies
Step 3, Rules: Edit the Policy to create Rule(s) where source and destination conditions are specified based on
Step 4, Conditions: No Condition means “Any” traffic
Step 5, Policy Set: One or more Policies are assigned to the Policy Set
Step 6, Security Profile: Create the Security Profile at the tenant level and select from the available Policy Sets in the drop-down menu
Step 7, Assign VSG: Assign the VSG at the tenant level under Resource Management > Managed Resources > Virtual Security Gateways > Tenant (tree level) > VSG Details
Step 8, Profile Binding: In the VSM, associate the Port Profile to the Tenant and bind the Security Profile
Step 9, VM Port-Group Mapping (full sequence: 1 Zones, 2 Policies, 3 Rules, 4 Conditions, 5 Policy Set, 6 Security Profile, 7 Assign VSG, 8 Profile Binding, 9 VM Port-Group Mapping)
• A Cisco N1KV switch is a required component to deploy VSG
• VSG leverages vPath technology on the VEM and is NOT required to be installed on every ESX host
• Non-disruptive administration model
• One or more active VSGs per tenant
(Figure: VNMC and VSG above the hypervisor, Nexus 1000V and vPath)
Thank you.