virt network sec 2010


Upload: gellomello

Post on 06-Apr-2018


Page 1: Virt Network Sec 2010

8/3/2019 Virt Network Sec 2010

http://slidepdf.com/reader/full/virt-network-sec-2010 1/34

© 2009 VMware Inc. All rights reserved

Virtual Network Security

Matt Skipton

System Engineer, VMware Inc.

Confidential

Page 2: Virt Network Sec 2010


Agenda


What NOT to Worry About

Virtual Network Designs

Virtual Network Security Challenges

VMware Solution

Cisco Nexus 1000v


Page 3: Virt Network Sec 2010


What not to worry about

Virtualization-based Attacks
• Examples: Blue Pill, SubVirt, etc.
• These are ALL theoretical, highly complex attacks
• Some depend upon virtualization in CPU hardware
• Widely recognized by the security community as being only of academic interest

Irrelevant Architectures
• Example: numerous reports claiming guest escape
• Most apply only to hosted architecture (e.g. Workstation), not bare-metal (i.e. ESX)
• Hosted architectures deliberately include numerous channels for exchanging information between guest and host.

Contrived Scenarios
• Example: VMotion intercept
• Involved exploits where
  - best practices around hardening, lockdown and design for virtualization, etc., were not followed, or
  - poor general IT infrastructure security is assumed

Page 4: Virt Network Sec 2010


Isolation: Virtual Networks

Design Highlights
• No code exists to link virtual switches
• Virtual switches provide protection by design against attack:
  - MAC flooding, 802.1q and ISL tagging attacks, double-encapsulation attacks, multicast brute-force attacks, spanning-tree attacks, random frame attacks
  - Can restrict malicious network behavior:
    - MAC address change, impersonation
  - Such protection not possible with physical switches

(Diagram: two separate Virtual Networks)
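The vSwitch is immune to the attacks listed on this slide largely because it does not learn MAC addresses from the wire and does not participate in dynamic trunking or spanning tree. The same frame patterns can still appear on physical uplinks, where a monitoring tool should recognise them. The following is an added example, not code from the deck or from VMware: it parses raw Ethernet frames, walks the 802.1Q tag stack to flag double-encapsulation and an outer tag naming the native VLAN, and counts distinct source MACs per port to flag MAC flooding. The sample frames, the port names and the threshold of four MACs per port are constructed for illustration.

```python
"""Parse raw Ethernet frames and flag two of the Layer-2 attack patterns named
on the slide: double-encapsulation (stacked 802.1Q tags) and MAC flooding
(one port sourcing far more MAC addresses than a real VM would).
Added example, not code from the deck or from VMware; frames, port names and
thresholds are constructed for illustration."""
import struct
from collections import defaultdict

TPID_8021Q = 0x8100    # customer VLAN tag
TPID_8021AD = 0x88A8   # provider (QinQ) outer tag
VLAN_TPIDS = {TPID_8021Q, TPID_8021AD}


def parse_frame(frame: bytes) -> dict:
    """Return dst/src MAC, VLAN IDs in tag order (outermost first) and payload EtherType."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[0:6], frame[6:12]
    offset, vlans = 12, []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame")
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
        if ethertype not in VLAN_TPIDS:
            break
        if offset + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        vlans.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4
    return {"dst": dst.hex(":"), "src": src.hex(":"),
            "vlans": vlans, "ethertype": ethertype}


def tag_findings(parsed: dict, native_vlan: int) -> list:
    """Tag-level anomalies: more than one tag, or an outer tag naming the native VLAN."""
    findings = []
    if len(parsed["vlans"]) > 1:
        findings.append("double-encapsulation: %d stacked tags %s"
                        % (len(parsed["vlans"]), parsed["vlans"]))
    if parsed["vlans"] and parsed["vlans"][0] == native_vlan:
        findings.append("outer tag equals native VLAN %d" % native_vlan)
    return findings


class MacFloodDetector:
    """Count distinct source MACs per ingress port; fire once when a port crosses the limit."""

    def __init__(self, max_macs_per_port: int):
        self.limit = max_macs_per_port
        self.seen = defaultdict(set)

    def observe(self, port: str, src_mac: str) -> bool:
        self.seen[port].add(src_mac)
        return len(self.seen[port]) == self.limit + 1


def build_frame(dst: str, src: str, vlans, ethertype=0x0800, payload=b"\x00" * 46) -> bytes:
    """Construct a test frame with plain 802.1Q tags, outermost first."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vlans:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def analyze(frames, native_vlan: int = 1, max_macs: int = 4) -> list:
    """frames: iterable of (ingress_port, raw_frame). Returns (port, src_mac, findings)."""
    flood = MacFloodDetector(max_macs)
    report = []
    for port, raw in frames:
        parsed = parse_frame(raw)
        findings = tag_findings(parsed, native_vlan)
        if flood.observe(port, parsed["src"]):
            findings.append("MAC flooding: port %s has sourced more than %d MACs"
                            % (port, max_macs))
        if findings:
            report.append((port, parsed["src"], findings))
    return report


# Constructed sample traffic: one normal frame on VLAN 104, one double-tagged
# frame, and a burst from one port with a different source MAC each time.
GW = "00:50:56:00:00:01"
SAMPLE = [("vm1-port", build_frame(GW, "00:50:56:aa:00:01", [104]))]
SAMPLE.append(("vm2-port", build_frame(GW, "00:50:56:aa:00:02", [1, 20])))
SAMPLE += [("vm3-port", build_frame(GW, "00:50:56:bb:00:%02x" % i, [104]))
           for i in range(6)]

if __name__ == "__main__":
    for port, src, findings in analyze(SAMPLE):
        print(port, src, "; ".join(findings))
```

The per-port MAC limit is the part to tune: a VM port normally sources one MAC, a port carrying a nested hypervisor or a load balancer legitimately sources several, so the threshold belongs in an allow-list keyed by port rather than as one global number.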

Page 5: Virt Network Sec 2010


Agenda (repeated; next section: Virtual Network Designs)

Page 6: Virt Network Sec 2010


Isolation in the Architecture

Segment out all non-production networks
• Use VLAN tagging, or
• Use separate vSwitch (see diagram)

Strictly control access to management network, e.g.
• RDP to jump box, or
• VPN through firewall

(Diagram labels: vSwitch1: Production, Prod Network; vSwitch2: VMkernel, Mgmt, Storage, vCenter, IP-based Storage, Other ESX/ESXi hosts, Mgmt Network; uplinks vmnic1 to 4; VM vnics)

VMware Infrastructure 3 Security Hardening Guide: http://www.vmware.com/resources/techresources/726
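To make the two design rules on this slide, and the "MAC address change, impersonation" restriction from the Isolation slide, checkable, here is an added audit script. It is not code from the deck or from VMware; it runs over a constructed inventory that stands in for a port-group export from vCenter (for instance via PowerCLI), and the field names are assumptions. It flags port groups of different trust zones that share a vSwitch and a VLAN tag, port groups using VLAN 4095 (virtual guest tagging, which passes every VLAN) on a shared vSwitch, and security policies that leave Promiscuous Mode, MAC Address Changes or Forged Transmits at Accept, where Reject is the hardened value.

```python
"""Audit virtual switch port groups against two design rules: non-production
and management traffic must be separated by VLAN tag or by a separate vSwitch,
and each port group's security policy should reject MAC address changes,
forged transmits and promiscuous mode.
Added example, not code from the deck or from VMware. The inventory below is a
constructed stand-in for a vCenter export; field names are assumptions."""
from collections import defaultdict
from itertools import combinations

VGT_ALL_VLANS = 4095  # "virtual guest tagging" port group: passes every VLAN tag through
POLICY_KEYS = ("promiscuous", "mac_changes", "forged_transmits")

# Constructed inventory of one ESX host; vlan 0 means untagged on that vSwitch.
PORT_GROUPS = [
    {"name": "Production", "vswitch": "vSwitch1", "vlan": 104, "role": "production",
     "promiscuous": "Reject", "mac_changes": "Reject", "forged_transmits": "Reject"},
    {"name": "Dev", "vswitch": "vSwitch1", "vlan": 104, "role": "development",
     "promiscuous": "Reject", "mac_changes": "Reject", "forged_transmits": "Accept"},
    {"name": "Management", "vswitch": "vSwitch2", "vlan": 10, "role": "management",
     "promiscuous": "Reject", "mac_changes": "Reject", "forged_transmits": "Reject"},
    {"name": "Storage", "vswitch": "vSwitch2", "vlan": 20, "role": "storage",
     "promiscuous": "Reject", "mac_changes": "Reject", "forged_transmits": "Reject"},
    {"name": "Test-Lab", "vswitch": "vSwitch2", "vlan": VGT_ALL_VLANS, "role": "test",
     "promiscuous": "Accept", "mac_changes": "Accept", "forged_transmits": "Reject"},
]


def segmentation_findings(port_groups) -> list:
    """Port groups of different roles on one vSwitch must carry distinct VLAN tags."""
    findings = []
    by_switch = defaultdict(list)
    for pg in port_groups:
        by_switch[pg["vswitch"]].append(pg)
    for vswitch, groups in by_switch.items():
        if len({g["role"] for g in groups}) < 2:
            continue  # one trust zone on this vSwitch: nothing to separate
        for g in groups:
            if g["vlan"] == VGT_ALL_VLANS:
                findings.append("%s: '%s' uses VLAN 4095 (guest tagging) and can see "
                                "every VLAN on this vSwitch" % (vswitch, g["name"]))
        for a, b in combinations(groups, 2):
            if a["role"] != b["role"] and a["vlan"] == b["vlan"]:
                findings.append("%s: '%s' (%s) and '%s' (%s) share VLAN %d; separate "
                                "them by tag or by vSwitch"
                                % (vswitch, a["name"], a["role"],
                                   b["name"], b["role"], a["vlan"]))
    return findings


def policy_findings(port_groups) -> list:
    """Any of the three security policy settings left at Accept is a finding."""
    findings = []
    for pg in port_groups:
        for key in POLICY_KEYS:
            if pg[key] != "Reject":
                findings.append("%s/%s: %s = %s (hardened value is Reject)"
                                % (pg["vswitch"], pg["name"], key, pg[key]))
    return findings


def audit(port_groups) -> dict:
    return {"segmentation": segmentation_findings(port_groups),
            "policy": policy_findings(port_groups)}


if __name__ == "__main__":
    for area, items in audit(PORT_GROUPS).items():
        print(area.upper())
        for item in items:
            print("  -", item)
```

Legitimate exceptions exist (a sniffing appliance needs promiscuous mode, some clustering software needs MAC changes or forged transmits); the audit is most useful when such exceptions are documented and confined to their own port group, so that every remaining Accept is a finding worth explaining.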

Page 7: Virt Network Sec 2010


Physical Separation of Trust Zones

Advantages
• Simpler, less complex configuration
• Less change to physical environment
• Little change to separation of duties
• Less change in staff knowledge requirements
• Smaller chance of misconfiguration

Disadvantages
• Lower consolidation and utilization of resources
• Higher cost

Page 8: Virt Network Sec 2010


Virtual Separation of Trust Zones with Physical Security Devices

Advantages
• Better utilization of resources
• Take full advantage of virtualization benefits
• Lower cost

Disadvantages (can be mitigated)
• More complexity
• Greater chance of misconfiguration

Page 9: Virt Network Sec 2010


Fully Collapsed Trust Zones Including Security Devices

Advantages
• Full utilization of resources, replacing physical security devices with virtual
• Lowest-cost option
• Management of entire DMZ and network from a single management workstation

Disadvantages (can be mitigated)
• Greatest complexity, which in turn creates highest chance of misconfiguration
• Requirement for explicit configuration to define separation of duties and regular audits to help mitigate risk of misconfiguration

Page 10: Virt Network Sec 2010


Agenda (repeated; next section: Virtual Network Security Challenges)

Page 11: Virt Network Sec 2010


Network Security in the Good Old Days

• Plug a server in to a switch port
• Switch lights up and registers the server's MAC address
• Security policies and QoS can be applied to the port and they properly affect the workload on the server

Page 12: Virt Network Sec 2010


Network Security in the Traditional Virtual World

• For each server you have 2 to 10 network links
• Each physical cable could have 1 to 100 VM MAC addrs on it
• Even on a single physical host the VM MAC addrs move among the physical cables as load demands
• To make matters worse, the VMs and MACs then move between physical servers also!
• You cannot apply a security policy to a physical switch port since you don't know which one a workload may be connecting on.

Does This Look Familiar?

Page 13: Virt Network Sec 2010


Three main network hurdles to 100% virtualization

1. vMotion moves VMs across physical ports, network security policy does not follow
2. Impossible to isolate or apply policy to locally switched traffic
3. Need coordination between network and server admins

(Diagram labels: VMotion; VLAN 104; Cisco CLI (network admin) showing "n1000v# sh int"; vCenter (server admin))

Page 14: Virt Network Sec 2010


Agenda (repeated; next section: VMware Solution)

Page 15: Virt Network Sec 2010


VMware vShield Zones

Capabilities
• Bridge, firewall, or isolate VM zones based on familiar VI containers
• Monitor allowed and disallowed activity by application-based protocols
• One-click flow-to-firewall blocks precise network traffic

Benefits
• Pervasive: well-defined security posture for inter-VM traffic anywhere and everywhere in the virtual environment
• Persistent: monitoring and assured policies for the entire VM lifecycle, including VMotion live migrations
• Simple: zone-based rules reduce policy errors

Page 16: Virt Network Sec 2010


vShield Zones: Architecture

vShield Host Appliance
• Virtual Network Monitoring
• Virtual Network Firewall

vShield Manager
• Centralized Monitoring
• Centralized Policy Assignment

(Diagram: a vShield appliance on each VMware ESX host, managed through VMware vCenter and the VMware vShield Manager)

Page 17: Virt Network Sec 2010


vNetwork Distributed Switch

• Simplifies datacenter administration
• Security Benefits
  - Helps to mitigate misconfiguration
  - PVLAN Support
  - Inbound Bandwidth Control
• Enables networking statistics and policies to migrate with virtual machines (Network VMotion)
  - Key to enable VMsafe Appliances to provide stateful security
  - Netflow statistics don't reset
• Provides for customization and third-party development
  - Cisco's Nexus 1000V has even more security controls built right in.

(Diagram: Standard Switch, one vSwitch per host, versus Distributed Switch, a single Distributed Virtual Switch spanning the hosts)

Page 18: Virt Network Sec 2010


Private VLANs

PVLAN (Private VLAN)
• Enables Layer-2 isolation between VMs on the same switch, even though they are on the same subnet
• Traffic from one VM forwarded out through uplink, without being seen by other VMs
• Communication between VMs on PVLANs can still occur at Layer-3

Benefits
• Scale VMs on same subnet but selectively restrict inter-VM communication
• Avoids scaling issues from assigning one VLAN and IP subnet per VM

Implementation
• Available when using Distributed Switch

(Diagram: vSwitch with Private VLAN capability; Private VLAN traffic isolation between guest VMs; common Primary VLAN on uplinks)
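The forwarding rules behind that Layer-2 isolation, as an added Python model that is not code from the deck or from VMware (VM names, VLAN numbers and the class interface are constructed): promiscuous ports on the primary VLAN reach every port, community ports reach their own community plus the promiscuous ports, and isolated ports reach only the promiscuous ports, not even each other.

```python
"""Model of private VLAN (PVLAN) forwarding between VM ports on a distributed
switch, to make the Layer-2 isolation described on the slide concrete.
Added example, not code from the deck or from VMware; VM names, VLAN numbers
and this helper API are constructed for illustration."""
from enum import Enum


class PortType(Enum):
    PROMISCUOUS = "promiscuous"  # the primary VLAN itself: gateway, shared services
    ISOLATED = "isolated"        # may talk only to promiscuous ports
    COMMUNITY = "community"      # may talk to its own community and promiscuous ports


class PrivateVlan:
    """One primary VLAN, its secondary VLANs, and the VM ports attached to them."""

    def __init__(self, primary: int):
        self.primary = primary
        self.secondary_type = {primary: PortType.PROMISCUOUS}
        self.ports = {}  # vm name -> VLAN id the port is attached to

    def add_secondary(self, vlan: int, ptype: PortType) -> None:
        if ptype is PortType.PROMISCUOUS:
            raise ValueError("promiscuous ports use the primary VLAN itself")
        if vlan in self.secondary_type:
            raise ValueError("VLAN %d already in use" % vlan)
        self.secondary_type[vlan] = ptype

    def attach(self, vm: str, vlan: int) -> None:
        if vlan not in self.secondary_type:
            raise ValueError("VLAN %d is not part of primary %d" % (vlan, self.primary))
        self.ports[vm] = vlan

    def can_forward(self, src: str, dst: str) -> bool:
        """Layer-2 forwarding decision for a unicast frame between two attached VMs."""
        if src == dst:
            return False
        sv, dv = self.ports[src], self.ports[dst]
        st, dt = self.secondary_type[sv], self.secondary_type[dv]
        if PortType.PROMISCUOUS in (st, dt):
            return True   # promiscuous ports reach everything in the primary VLAN
        if st is PortType.COMMUNITY and dt is PortType.COMMUNITY and sv == dv:
            return True   # same community VLAN
        return False      # isolated ports, or two different communities

    def reachable(self, src: str) -> set:
        return {dst for dst in self.ports if self.can_forward(src, dst)}


def build_sample() -> PrivateVlan:
    """Constructed topology: a gateway on the primary VLAN, two web servers in a
    community VLAN, and two tenant VMs in the isolated VLAN."""
    pv = PrivateVlan(primary=104)
    pv.add_secondary(105, PortType.ISOLATED)
    pv.add_secondary(106, PortType.COMMUNITY)
    pv.attach("gateway", 104)
    pv.attach("web1", 106)
    pv.attach("web2", 106)
    pv.attach("tenantA", 105)
    pv.attach("tenantB", 105)
    return pv


if __name__ == "__main__":
    pv = build_sample()
    for vm in sorted(pv.ports):
        print("%-8s -> %s" % (vm, sorted(pv.reachable(vm))))
```

The model also shows the slide's Layer-3 caveat: tenantA and tenantB both reach the gateway, and the gateway can route between them, so the isolation is complete only when the router or firewall on the primary VLAN also filters traffic between the isolated hosts.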

Page 19: Virt Network Sec 2010


Agenda (repeated; next section: Cisco Nexus 1000v)

Page 20: Virt Network Sec 2010


vNetwork Distributed Switch

• Aggregated datacenter level virtual networking
• Simplified setup and change
• Easy troubleshooting, monitoring and debugging
• Enables transparent third-party management of virtual environments

(Diagram: APP/OS virtual machines on VMware vSphere™, connected through a vNetwork Distributed Switch (vSwitch, vSwitch, vSwitch) and the Cisco Nexus 1000V)

Page 21: Virt Network Sec 2010


Current View of the Access Layer

• Typically provisioned as trunk to the server running ESX
• No visibility to individual traffic from each VM
• Unable to troubleshoot, apply policy, address performance issues

(Diagram label: Boundary of network visibility)

Page 22: Virt Network Sec 2010


Nexus 1000V w/ VN-Link (Network View)

• VN-Link provides visibility to the individual VMs
• Policy can be configured per-VM
• Policy is mobile within the ESX cluster
• VN-Link refers to a literal link between a VM VNIC & a Cisco VN-Link Switch

(Diagram label: Boundary of network visibility)

Page 23: Virt Network Sec 2010


Benefits for the Server Admin

1000V overcomes network hurdles to virtualize tier-1, regulatory and DMZ applications

1000V makes ESX deployment faster, “one and done”

1000V offloads network workflow to the network admin

“1000V has a lot more functionality than our own virtual switch”
 – Steve Herrod, VMware CTO

Page 24: Virt Network Sec 2010


Benefits for the Network Admin

1000V overcomes hurdles to virtualize applications with DMZ, high bandwidth, highly secure applications

1000V standardizes workflow for virtual and physical networks

1000V allows visibility into VM traffic

(Diagram: BEFORE 1000V versus AFTER 1000V)

“1000V overcomes the biggest network hurdles to virtualization”
 – Ed Bugnion, Cisco CTO

Page 25: Virt Network Sec 2010


Cisco Nexus 1000V Security Features

(Diagram: SGACL Matrix with Source Group rows and Destination Group columns, each cell marked + or -)

Page 26: Virt Network Sec 2010


Nexus 1000V Architecture

(Diagram: a Nexus 1000V VSM controlling a Nexus 1000V VEM on each vSphere host)

Page 27: Virt Network Sec 2010


Policy Based VM Connectivity

1. Nexus 1000V automatically enables port groups in VMware vCenter
2. Server Admin uses vCenter to assign vnic policy from available port groups
3. Nexus 1000V automatically enables VM connectivity at VM power-on

(Diagram: vSphere hosts with steps 1, 2 and 3 marked)

Page 28: Virt Network Sec 2010


Policy Based VM Connectivity 


Page 29: Virt Network Sec 2010


Mobility of Security & Network Properties

1. vCenter kicks off a VMotion (manual/DRS) and notifies Nexus 1000V
2. During VM replication, Nexus 1000V copies VM port state to new host

(Diagram: two vSphere hosts)

VMotion Notification (step 1)
• Current: VM1 on Server 1
• New: VM1 on Server 2

Network Persistence (step 2)
• VM port config, state
• VM monitoring statistics

Page 30: Virt Network Sec 2010


Mobility of Security & Network Properties

1. vCenter kicks off a VMotion (manual/DRS) and notifies Nexus 1000V
2. During VM replication, Nexus 1000V copies VM port state to new host
3. Once VMotion completes, port on new ESX host is brought up & VM's MAC address is announced to the network

(Diagram: two vSphere hosts)

Network Update (step 3)
• ARP for VM1 sent to network
• Flows to VM1 MAC redirected to Server 2

Page 31: Virt Network Sec 2010


Cisco Nexus 1000V – VM Security

(Diagram: SGACL Matrix with Source Group rows and Destination Group columns, each cell marked + or -, applied across three vSphere hosts)

Page 32: Virt Network Sec 2010


Keep your process consistent

Page 33: Virt Network Sec 2010


Keep your process consistent

Few of the datacenters are completely virtualized
• Using Nexus 1000V keeps all the processes consistent and gives you the same visibility for VMs and servers
• Troubleshoot your network as before using tools you know
• Make your regulatory compliance much easier because of the simpler process

(Diagram: Cisco VEM hosting VM1 to VM4, with ERSPAN, Netflow Counters, CDP and PVLAN)

Page 34: Virt Network Sec 2010


© 2009 VMware Inc. All rights reserved

Thank You!