Virtualization & TippingPoint
Finto Thomas, CISSP, TOGAF [email protected]

Upload: finto-thomas-cissp-togaf-ccsp-itil-jncis

Posted on 09-Aug-2015

TRANSCRIPT

Page 1: Virtualization & tipping point

Virtualization & TippingPoint

Finto Thomas, CISSP, [email protected]

Page 2: Virtualization & tipping point

Agenda

Part 1 - Virtualization & Server
• Virtualization basics (Hypervisor)
• Virtual (VM) switch vs physical switch
• vSwitch & dvSwitch & port group
• VMware vSphere components
• HP BladeSystem Matrix
• c7000 and OA vs iLO
• vConnect (HP Virtual Connect)

Part 2 – Network & TippingPoint
• North-South & East-West communication (datacenter traffic flow architecture)
• TippingPoint
• SVF – Secure Virtualization Framework
• Digital Vaccine – DV
• VMC and SMS servers
• vController + vFirewall

VM-Tipping 2

Page 3: Virtualization & tipping point

Self Intro

Disclaimer: Here I'm trying to couple virtual machines to your network skills (intermediate level). Only theoretical discussion; a practical/lab environment is not covered. The materials are gathered from the Internet. To view the detailed contents, run the slide show.

Part 1 - Virtualization & Server

In computing, virtualization refers to the act of creating a virtual (rather than actual) version of something, including (but not limited to) a virtual computer hardware platform, operating system (OS), storage device, or computer network resources. (Wikipedia)


Page 4: Virtualization & tipping point

Virtualization !!!


Page 5: Virtualization & tipping point

Virtual Machine

• A virtual machine is a software computer that, like a physical computer, runs an operating system and applications. The hypervisor serves as a platform for running virtual machines and allows for the consolidation of computing resources. Each virtual machine contains its own virtual, or software-based, hardware, including a virtual CPU, memory, hard disk, and network interface card.

• A hypervisor or virtual machine monitor (VMM) is a piece of computer software, firmware or hardware that creates and runs virtual machines. A computer on which a hypervisor is running one or more virtual machines is called a host machine. Each virtual machine is called a guest machine.

• Because virtual machines are decoupled from specific underlying physical hardware, virtualization allows you to consolidate physical computing resources such as CPUs, memory, storage, and networking into pools of resources that can be dynamically and flexibly made available to virtual machines. With appropriate management software, such as vCenter Server, you can also use a number of features that increase the availability and security of your virtual infrastructure.


Page 6: Virtualization & tipping point

Virtual Machine (Hypervisor Type 1 & 2)

Picture 1: ESXi or Hyper-V or KVM (Type 1; KVM is usually counted as Type 1 because the Linux kernel itself becomes the hypervisor, even though it is loaded into a general-purpose host OS)
Picture 2: VMware Workstation or VirtualBox (Type 2)

Type 1 – Bare-metal hypervisor
1. The hypervisor runs directly on the hardware
2. Better performance
3. Single point of failure? Really?
4. Hardware, expertise and cost

Type 2 – Software-based (hosted) virtualization
1. The hypervisor runs on top of a host OS
2. Better hardware compatibility
3. Single point of failure?
4. The host OS impacts performance

Type 1 hypervisors are commonly called bare-metal hypervisors because the hypervisor code itself runs directly on the hardware. They tend to perform much better than Type 2 hypervisors, in part because of that direct position on the hardware. A Type 2 hypervisor must instead be installed on top of an existing OS; such hypervisors tend to have better hardware compatibility because they rely on the host OS and its device drivers rather than on a driver set of their own. The trade-off is attack surface: with a Type 2 hypervisor the whole host OS sits underneath every guest, so a compromise of the host OS compromises all of them.


Page 7: Virtualization & tipping point

Virtual Machine Product Lines


Page 8: Virtualization & tipping point

Physical Topology of vSphere (Components)

A typical VMware vSphere datacenter consists of basic physical building blocks such as x86 virtualization servers, storage networks and arrays, IP networks, a management server, and desktop clients.

The vSphere datacenter topology includes the following components.

• Compute servers : Industry standard x86 servers that run ESXi on the bare metal. ESXi software provides resources for and runs the virtual machines. Each computing server is referred to as a standalone host in the virtual environment. You can group a number of similarly configured x86 servers with connections to the same network and storage subsystems to provide an aggregate set of resources in the virtual environment, called a cluster.

• Storage networks and arrays : Fibre Channel SAN arrays, iSCSI SAN arrays, and NAS arrays are widely used storage technologies supported by VMware vSphere to meet different datacenter storage needs. The storage arrays are connected to and shared between groups of servers through storage area networks.

• IP networks : Each compute server can have multiple physical network adapters to provide high bandwidth and reliable networking to the entire VMware vSphere datacenter.

• vCenter Server: vCenter Server is a service (on a Windows host or as the vCenter Server Appliance), not a hypervisor host; it provides a single point of control for the datacenter. It provides essential datacenter services such as access control, performance monitoring, and configuration. It unifies the resources from the individual computing servers to be shared among virtual machines in the entire datacenter. It does this by managing the assignment of virtual machines to the computing servers and the assignment of resources to the virtual machines within a given computing server, based on the policies that the system administrator sets. Because it holds administrative control over every host and VM, it is also the highest-value target in the environment and should be isolated and monitored accordingly.

• Management clients : VMware vSphere provides several interfaces for datacenter management and virtual machine access. These interfaces include VMware vSphere Client (vSphere Client), vSphere Web Client for access through a web browser, or vSphere Command-Line Interface (vSphere CLI).


Page 9: Virtualization & tipping point

Architectures – VMware || Hyper-V || KVM

Picture 3: VMware architecture
Picture 4: KVM architecture
Picture 5: Hyper-V architecture

Only for reference, no explanation.

VMware ESXi and Hyper-V are built for the x86 processor architecture; KVM can support x86, POWER and other architectures, and is open source.

Page 10: Virtualization & tipping point

Physical Vs Virtual switch


Page 11: Virtualization & tipping point

vSwitch vs dvSwitch

Feature | Standard Switch (vSS) | Distributed Switch (vDS)
Management | Must be managed at each individual host level | Centralized management and monitoring of the network configuration of all ESXi hosts associated with the dvSwitch
Licensing | Available in all licensing editions | Only available with the Enterprise Plus edition
Creation & configuration | Created and configured at the ESX/ESXi host level | Created and configured at the vCenter Server level
Layer 2 switch | Yes, forwards Layer 2 frames | Yes, forwards Layer 2 frames
VLAN segmentation | Yes | Yes
802.1Q tagging | Can use and understand 802.1Q VLAN tagging | Can use and understand 802.1Q VLAN tagging
NIC teaming | Yes, multiple uplinks can form a NIC team | Yes, multiple uplinks can form a NIC team
Outbound traffic shaping | Yes | Yes
Inbound traffic shaping | Not available | Yes
VM port blocking | Not available | Yes
Private VLAN | Not available | Yes; three PVLAN types (Promiscuous, Community and Isolated)
Load-based teaming | Not available | Yes
Network vMotion | Not available | Yes
Per-port policy setting | Policy applies at switch and port group level | Policy applies at switch, port group and even individual port level
NetFlow | Not available | Yes
Port mirroring | Not available | Yes

For security monitoring the last two rows matter most: VM-to-VM traffic between guests on the same host never leaves that host, so a physical tap or span port cannot see it. NetFlow export and port mirroring on the vDS, or an agent inside the hypervisor (the vController in Part 2), are the ways to observe it.

Picture 8: vSwitch
Picture 9: dvSwitch


Page 12: Virtualization & tipping point

Port Groups and VLAN

• Each (virtual) port group is identified by a network label, which is unique to the current host. Network labels are used to make virtual machine configuration portable across hosts. All port groups in a datacenter that are physically connected to the same network (in the sense that each can receive broadcasts from the others) are given the same label. Conversely, if two port groups cannot receive broadcasts from each other, they have distinct labels.

• A VLAN ID, which restricts port group traffic to a logical Ethernet segment within the physical network, is optional. If you use VLAN IDs, you must change the port group labels and VLAN IDs together so that the labels properly represent connectivity.
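The label/VLAN rule above is easy to break one host at a time, and a VM that vMotions between two hosts keeps its label, so it lands in whatever VLAN that label means on the destination. The following is an added example (not code from the slides or from VMware) that parses the per-host port group listing and checks that every label maps to one VLAN ID across the cluster. HOST_OUTPUT is a constructed sample laid out like the table `esxcli network vswitch standard portgroup list` prints on an ESXi host; in practice you would collect that text from every host over SSH, or build the same records with pyVmomi.

```python
"""Cross-host port group label / VLAN consistency check.

Added example; not code from the original slides or from VMware.
HOST_OUTPUT is a constructed sample in the layout of
`esxcli network vswitch standard portgroup list` (columns Name,
Virtual Switch, Active Clients, VLAN ID), one table per host.
"""
from collections import defaultdict

# Constructed sample: one esxcli-style table per host.
HOST_OUTPUT = {
    "esxi-01": (
        "Name                Virtual Switch  Active Clients  VLAN ID\n"
        "------------------  --------------  --------------  -------\n"
        "Management Network  vSwitch0        1               0\n"
        "VM Network          vSwitch0        3               100\n"
        "DMZ                 vSwitch0        2               300\n"
        "vMotion             vSwitch1        1               200\n"
    ),
    "esxi-02": (
        "Name                Virtual Switch  Active Clients  VLAN ID\n"
        "------------------  --------------  --------------  -------\n"
        "Management Network  vSwitch0        1               0\n"
        "VM Network          vSwitch0        4               100\n"
        "DMZ                 vSwitch0        1               301\n"   # mistyped VLAN
        "vMotion             vSwitch1        1               200\n"
        "Backup              vSwitch0        1               4095\n"  # VGT trunk
    ),
}


def parse_portgroup_list(text):
    """Parse a fixed-width esxcli table. The dashed ruler line gives the
    column boundaries, which is what lets a name containing spaces
    ("Management Network") survive the split."""
    lines = [line for line in text.splitlines() if line.strip()]
    header, ruler, rows = lines[0], lines[1], lines[2:]
    starts = [i for i, ch in enumerate(ruler)
              if ch == "-" and (i == 0 or ruler[i - 1] == " ")]
    bounds = list(zip(starts, starts[1:] + [None]))
    names = [header[a:b].strip() for a, b in bounds]
    records = []
    for row in rows:
        cell = {n: row[a:b].strip() for n, (a, b) in zip(names, bounds)}
        records.append({
            "name": cell["Name"],
            "vswitch": cell["Virtual Switch"],
            "clients": int(cell["Active Clients"]),
            "vlan": int(cell["VLAN ID"]),
        })
    return records


def audit(host_output):
    """Return findings as (kind, label, detail) tuples, sorted for stable output."""
    vlan_by_label = defaultdict(dict)          # label -> {host: vlan}
    findings = []
    for host, text in host_output.items():
        for pg in parse_portgroup_list(text):
            vlan_by_label[pg["name"]][host] = pg["vlan"]
            if pg["vlan"] == 4095:
                # VLAN 4095 is Virtual Guest Tagging: the guest receives frames
                # from every VLAN the uplink carries and does its own tagging.
                findings.append(("vgt-trunk", pg["name"], host))
    for label, hosts in vlan_by_label.items():
        if len(set(hosts.values())) > 1:
            # Same label, different VLAN IDs: a VM that vMotions between these
            # hosts keeps its label and silently lands in another segment.
            findings.append(("label-vlan-mismatch", label,
                             dict(sorted(hosts.items()))))
    return sorted(findings, key=lambda f: (f[0], f[1]))


if __name__ == "__main__":
    for kind, label, detail in audit(HOST_OUTPUT):
        print(f"{kind:22} {label:20} {detail}")
```

On the sample it reports the DMZ label (VLAN 300 on one host, 301 on the other) and the VLAN 4095 port group; the latter is not a misconfiguration by itself, but a guest on it sees every VLAN the uplink trunks, so it deserves a second look. On a vDS the same check is unnecessary for the label/VLAN pair, since the port group is defined once in vCenter, which is one of the operational reasons to prefer it.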


Page 13: Virtualization & tipping point

ESX vSwitch: Capabilities


Page 14: Virtualization & tipping point

vSphere


Page 15: Virtualization & tipping point

vSphere Network Settings


Page 16: Virtualization & tipping point

HP BladeSystem Matrix

• It is built upon the core technologies of HP BladeSystem, HP Virtual Connect, HP Insight software and implementation services. It also includes optimized support for HP StorageWorks, factory integration and onsite services.

• BladeSystem Matrix delivers a converged infrastructure built on well-established HP technologies and functionality including:
• HP BladeSystem c-Class c7000 enclosure, server blades (e.g. BL460c Gen8, a half-height blade), Virtual Connect with Flex-10, and Thermal Logic
• HP Insight software
• Factory Integration, Factory Express, and Technology Services
• HP StorageWorks 4400 Enterprise Virtual Array starter kit

• Onboard Administrator (OA) for the enclosure: HP Onboard Administrator for BladeSystem delivers enclosure power and remote management capability, now with KVM (keyboard/video/mouse) capability.

• iLO: HP Integrated Lights-Out (iLO) provides the automated intelligence to maintain complete server control from any place. HP iLO functions out of the box without additional software installation, regardless of the server's state of operation, giving you complete access to your server from any location via a web browser or the iLO Mobile App. Because OA and iLO give this level of control independently of the operating system, they belong on an isolated out-of-band management network with their own credential management and logging.


Page 17: Virtualization & tipping point

HP c7000 enclosure view

• Power options: single-phase AC input, 3-phase AC input, -48V DC input, and high-voltage DC input.
• With Onboard Administrator, iLO remote management, and HP OneView you can manage your servers and take complete control regardless of the state of the server operating system.
• Hot-plug redundant components as standard
• Form factor: 10U
• BladeSystem supported

Page 18: Virtualization & tipping point

HP Onboard Administrator (OA) vs iLO


Page 19: Virtualization & tipping point

HP Virtual Connect (vConnect) and Flex-10

Reduce costs and simplify connections to SANs, consolidate your network connections, and enable administrators to add, replace and recover server resources on the fly. Being standards-based, it looks like a pass-through device to the Fibre Channel network, yet provides all the key benefits of integrated switching, including high-performance 16 Gb uplinks to the SAN. Virtual Connect Manager (VCM) and Virtual Connect Enterprise Manager (VCEM) are used to manage Virtual Connect.


Page 20: Virtualization & tipping point

Part 1 Recap…

• Have you downloaded and played with the VM trials provided by VMware?
• What is vMotion, and why does it require dedicated east-west (EW) communication?
• What are the drawbacks of virtualization?
• Has any security breach been noticed? How is inter-VM communication secured?
• What are vShield and vApp?
• ToR!! The Onion Router? No... it's Top of Rack!!!
• How many vSS/vDS are needed in a 16-blade enclosure, as a minimum?


Page 21: Virtualization & tipping point

Part 2 – Network & TippingPoint


Page 22: Virtualization & tipping point

North-South & East-West


Page 23: Virtualization & tipping point

Datacenter Traffic

Data centers have become more modular, with thousands of VMs spread across the hosts, and networks are shifting from the traditional three-tier model (access/aggregation/core) to a flattened leaf-spine topology. These changes move traffic from a predominantly north-south orientation (client to server, through the perimeter) to an east-west orientation (server to server, inside the data center); commonly cited estimates put about 75% of data center traffic as east-west. The security consequence is that a perimeter IPS sees only the north-south share; the east-west majority, including VM-to-VM traffic that never leaves a host, has to be inspected inside the data center, which is what the rest of Part 2 is about.


Page 24: Virtualization & tipping point

HP TippingPoint

• TippingPoint now operates as part of the HP Enterprise Security Products business in the HP Software division. Originally TippingPoint was an American company, with roots going back to 1999, focused on network security products, particularly intrusion prevention systems for networks. Until September 2011 TippingPoint was within HP Networking, the networking division of HP; it then transferred to the HP Software division. (TippingPoint was subsequently acquired by Trend Micro, announced in October 2015.)

• HP maintains the TippingPoint name today. In September 2013, HP announced that it had entered the next-generation firewall market with a new line of TippingPoint firewalls. The new line extends TippingPoint's existing intrusion prevention system (IPS) appliances with traditional stateful packet filtering and application control.

• Security product lines (8):
• NG Intrusion Prevention System (NGIPS)
• NG Firewall (NGFW)
• TippingPoint DVLabs
• ATA – Advanced Threat Appliance
• Security Management System (SMS)
• Digital Vaccine Toolkit
• ThreatDV (Reputation Service)
• ThreatLinQ

• Where is vConnect in the product line?


Page 25: Virtualization & tipping point

HP TippingPoint Product


Page 26: Virtualization & tipping point

SVF – Secure Virtualization Framework

• The HP TippingPoint Secure Virtualization Framework (SVF) is designed specifically for implementing threat protection for the virtualized infrastructure.

• The HP TippingPoint Virtual Controller + Virtual Firewall (vController+vFW) extends the IPS platform for data center security from the physical to the virtual data center, enforcing security policies on VMs, including VMs that move between hosts. The vController+vFW and the Virtual Management Center (VMC) are purpose-built software components designed to enable and enforce full data center firewall segmentation and IPS inspection between trust zones for physical hosts, virtual machines (VMs) and mobile VMs. The vController+vFW intercepts all packets within the hypervisor and, based on user-defined policies, permits traffic, blocks traffic, or tunnels packets to an HP TippingPoint N-Platform IPS for inspection.

Key features
• Single solution for the physical and virtual data center
• Purpose-built for virtualization security
• Real-time visibility of the entire virtual data center
• VMware certified, VMsafe compatible
• Security policies follow VMs

Components
• HP TippingPoint: IPS platform; vController + vFirewall; Virtual Connect with VCM/VCEM (optional); SMS
• VMware vSphere: ESXi hypervisor; vCenter Server; vSphere Client; VMsafe

Caveat: the vController hooks into the hypervisor through the VMsafe APIs, which VMware later deprecated in favour of the NSX network extensibility (NetX) APIs, so confirm which vSphere versions a given vController release supports before planning a deployment.


Page 27: Virtualization & tipping point

SVF component overview

• Purpose-built data center segmentation solution: The HP TippingPoint vController and VMC are purpose-built software components designed to enable the physical IPS platform to enforce full data center segmentation of trust zones for physical hosts, virtual machines (VMs), and mobile VMs. The vController intercepts all packets within the hypervisor and, based on user-defined policies, tunnels packets to an HP N-Series IPS for inspection.

• The vController provides a direct path to the TippingPoint IPS platform (appliance) to inspect and control VM-to-VM communications. Using the VMsafe API, the vController directs the appropriate traffic to the TippingPoint appliance, whose Threat Suppression Engine (TSE) provides the performance and control required in the virtual data center. The vController and IPS platform also operate in unison to support HA capabilities, including failover of the vController when HA requirements and the configured policy dictate. Note the capacity consequence: every VM-to-VM flow selected for inspection leaves the host to reach the physical IPS and comes back, so the host uplinks and the IPS segment have to be sized for that east-west volume.

• The TippingPoint SMS is an enterprise-class management platform that provides administration, configuration, monitoring and reporting for multiple TippingPoint IPS platforms. Because the SMS provides a scalable, policy-based operational model, it enables straightforward management of large-scale IPS deployments across both physical and virtualized infrastructure.

• TippingPoint's integration with VMware's VMsafe APIs via Reflex Systems' vTrust and Reflex's Virtual Management Center (VMC) provides several advantages:
• Automatic discovery and graphical mapping of the virtual infrastructure topology
• Supports separation of duties (SoD) between operations and network/security teams
• Security teams can monitor vSwitch and VM changes to identify tampering with or disablement of security controls
• Upgradeable and compatible with the full Reflex VMC
• Complete visibility and control over the entire virtual infrastructure

Page 28: Virtualization & tipping point

TippingPoint NG IPS

• Digital Vaccine Filter Service — New filters are continuously fed to the IPS device to keep it up to date against the latest vulnerabilities
• ThreatLinQ Portal — Easy-to-use, real-time threat monitoring that lets users optimize their network security
• Reputation Digital Vaccine Service — Allows organizations to recognize and block "bad traffic" at the network perimeter
• Application Digital Vaccine — Provides granular application control and bandwidth rate limiting
• Digital Vaccine Toolkit — Allows users in sensitive environments to build their own filters
• Web App Digital Vaccine — Identifies and remedies vulnerabilities within custom-built applications without affecting network performance


Page 29: Virtualization & tipping point

TippingPoint NG IPS initial setup

1. Connect the cables into the IPS segments (each segment is a pair of ingress/egress ports).

2. Use the serial console to set the management IP address and the user credentials, choosing 'Security level two':
• Level 0 - weak security checking
• Level 1 - basic security checking
• Level 2 - recommended maximum security checking

3. Connect to the web GUI, the LSM (Local Security Manager), at the IP address set in the previous step. The management port should sit on the out-of-band management network, not on an inspected segment.

4. TOS update: update the TippingPoint Operating System to the latest version.

5. DV update: update the Digital Vaccine to the latest package to get the current inspection filters, and enable it.

6. Apply a profile/filter set to the connected segment:
• IPS Digital Vaccine (DV) filters monitor traffic passing between network segments. Based on the Security Profiles configured on the device, the IPS applies the filters to traffic on each segment included in the profile. Each Security Profile has its own filter settings. Within a Security Profile you can accept the recommended settings for a filter category or, if necessary, customize individual filters based on your network environment and security needs.
• You configure filters separately for each Security Profile configured on the IPS device. When a profile is initially created, all filters are set to the default Category Settings. You can change the Category Settings for filters, or edit individual filters, from the Edit Security Profile page in the LSM.
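The precedence in step 6 (segment selects the profile; inside the profile an individual filter edit wins over the Category Setting; a fresh profile starts at the recommended settings) is the part that gets misread during hand-overs, so here is an added example that models it and reports what a profile deviates from. This is not code from the slides or from HP/TippingPoint; the filter numbers, categories, actions and segment names are constructed and do not correspond to real Digital Vaccine filters, and the "uninspected" result for a segment with no profile is this example's own convention.

```python
"""Which action a Security Profile applies to a Digital Vaccine filter hit
on a given IPS segment.

Added example; not code from the original slides or from HP/TippingPoint.
Filter numbers, categories, actions and segment names are constructed.
Resolution order: segment -> profile -> per-filter override, otherwise the
profile's Category Setting; a new profile starts at the recommended values.
"""
from dataclasses import dataclass, field

# Constructed: recommended action per filter category on a fresh profile.
CATEGORY_RECOMMENDED = {
    "Exploits": "block+notify",
    "Vulnerabilities": "block+notify",
    "Reconnaissance": "notify",
    "Security Policy": "disabled",
}

# Constructed filter catalogue: filter number -> category.
FILTER_CATALOGUE = {
    1001: "Exploits",
    1002: "Vulnerabilities",
    1003: "Reconnaissance",
    1004: "Security Policy",
}

# Constructed: which segment (port pair) is covered by which profile.
SEGMENT_PROFILE = {"1A-1B": "DMZ-Profile", "2A-2B": "Internal-Profile"}


@dataclass
class SecurityProfile:
    name: str
    # Category Settings start at the recommended values when the profile is created.
    category_settings: dict = field(
        default_factory=lambda: dict(CATEGORY_RECOMMENDED))
    # Individual filter edits; empty until an operator customizes a filter.
    filter_overrides: dict = field(default_factory=dict)

    def set_category(self, category, action):
        if category not in self.category_settings:
            raise KeyError(f"unknown category {category!r}")
        self.category_settings[category] = action

    def override_filter(self, filter_number, action):
        if filter_number not in FILTER_CATALOGUE:
            raise KeyError(f"unknown filter {filter_number}")
        self.filter_overrides[filter_number] = action

    def action_for(self, filter_number):
        """An individual filter setting wins over the Category Setting."""
        if filter_number in self.filter_overrides:
            return self.filter_overrides[filter_number]
        return self.category_settings[FILTER_CATALOGUE[filter_number]]

    def deviations(self):
        """Everything that differs from the recommended settings: the list to
        review after a DV update or when a profile changes hands."""
        out = {}
        for cat, action in self.category_settings.items():
            if action != CATEGORY_RECOMMENDED[cat]:
                out[f"category:{cat}"] = action
        for fnum, action in self.filter_overrides.items():
            if action != CATEGORY_RECOMMENDED[FILTER_CATALOGUE[fnum]]:
                out[f"filter:{fnum}"] = action
        return out


def build_profiles():
    """Two profiles: the DMZ keeps one recon filter blocking, the internal
    segment silences the whole Reconnaissance category."""
    dmz = SecurityProfile("DMZ-Profile")
    dmz.override_filter(1003, "block+notify")
    internal = SecurityProfile("Internal-Profile")
    internal.set_category("Reconnaissance", "disabled")
    return {p.name: p for p in (dmz, internal)}


def resolve(profiles, segment, filter_number):
    """Action applied to a filter hit on a segment. A segment with no profile
    is not inspected at all, which is the gap to look for first."""
    profile_name = SEGMENT_PROFILE.get(segment)
    if profile_name is None:
        return "uninspected"
    return profiles[profile_name].action_for(filter_number)


if __name__ == "__main__":
    profiles = build_profiles()
    for seg in ("1A-1B", "2A-2B", "3A-3B"):
        print(seg, {f: resolve(profiles, seg, f) for f in FILTER_CATALOGUE})
    for p in profiles.values():
        print(p.name, "deviates from recommended:", p.deviations())
```

The same recon filter (1003) blocks on the DMZ segment and is silent on the internal segment, and a cabled segment that nobody assigned to a profile passes traffic without inspection; the deviations report is what you compare against the recommended settings after every DV update, since a category-level edit like "Reconnaissance: disabled" also silences filters that did not exist when the edit was made.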


Page 30: Virtualization & tipping point

LSM & SMS Servers


Page 31: Virtualization & tipping point

SMS : IPS integration


Page 32: Virtualization & tipping point

SMS – Security Management System

• SMS Event page
• SMS Profile
• SMS filter
• SMS Device log


Page 33: Virtualization & tipping point

vController + vFirewall + VMC

• VMC shows the real-time state of vCenter: topology view and inventory view
• Easy to deploy the vController in a VM
• vController workspace: zone creation with VQL (read-only), e.g. Pg.name = "Department project vm"
• vController policy editor: policy creation by VQL, e.g. Vm.name contains 'Bugzilla web', to direct specific traffic to IPS inspection or to allow/block it in the firewall
• Monitor the SMS for events
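What "security policies follow VMs" means in practice is that zone membership is evaluated on VM attributes (name, port group) rather than on the host or physical port, so the decision for a flow is the same before and after a vMotion. The following is an added example in that spirit; it is not code from the slides or from HP/TippingPoint or Reflex Systems. The predicate syntax it accepts (`vm.name contains "..."`, `pg.name = "..."`) is a tiny stand-in chosen for this example and is not the real VQL grammar; the inventory, zones, rules and the deny-by-default action are constructed.

```python
"""Zone-based policy that follows the VM, modelled on the vController
workspace (zones) and policy editor (rules).

Added example; not code from the original slides or from HP/TippingPoint
or Reflex Systems. The predicate mini-language is a stand-in for VQL, not
its real grammar; inventory, zones and rules are constructed.
"""
import re

# Constructed vCenter inventory, as the VMC inventory view would list it.
INVENTORY = {
    "bugzilla-web-01": {"pg": "Department project vm", "host": "esxi-01"},
    "bugzilla-db-01":  {"pg": "Department project vm", "host": "esxi-01"},
    "jump-01":         {"pg": "Management",            "host": "esxi-02"},
    "kiosk-01":        {"pg": "Guest",                 "host": "esxi-02"},
}

# Zones in evaluation order: the first matching zone wins.
ZONES = [
    ("Bugzilla web", 'vm.name contains "bugzilla-web"'),
    ("Department",   'pg.name = "Department project vm"'),
    ("Mgmt",         'pg.name = "Management"'),
]

# Rules (source zone, destination zone, action), first match wins.
# "inspect" = tunnel the flow to the IPS; "allow"/"block" = decided by the vFW.
RULES = [
    ("Mgmt", "Bugzilla web", "allow"),
    ("Bugzilla web", "Department", "inspect"),
    ("Department", "Bugzilla web", "inspect"),
]
DEFAULT_ACTION = "block"   # assumption for this example: deny by default

PREDICATE = re.compile(r'^(vm|pg)\.(\w+)\s+(contains|=)\s+"([^"]*)"$')
ATTRIBUTES = {
    ("vm", "name"): lambda name, vm: name,
    ("vm", "host"): lambda name, vm: vm["host"],
    ("pg", "name"): lambda name, vm: vm["pg"],
}


def matches(predicate, name, vm):
    """Evaluate one predicate against a VM record."""
    m = PREDICATE.match(predicate)
    if not m:
        raise ValueError(f"bad predicate: {predicate!r}")
    obj, attr, op, value = m.groups()
    actual = ATTRIBUTES[(obj, attr)](name, vm)
    return value in actual if op == "contains" else actual == value


def zone_of(name, inventory):
    """First zone whose predicate matches; None if the VM is in no zone."""
    vm = inventory[name]
    for zone, predicate in ZONES:
        if matches(predicate, name, vm):
            return zone
    return None


def decide(src, dst, inventory):
    """Action for a flow between two VMs: first matching rule, else default."""
    src_zone, dst_zone = zone_of(src, inventory), zone_of(dst, inventory)
    for s, d, action in RULES:
        if (s, d) == (src_zone, dst_zone):
            return action
    return DEFAULT_ACTION


def vmotion(inventory, name, new_host):
    """Return a copy of the inventory with one VM moved to another host.
    Nothing the zones key on changes, so every decision stays the same."""
    moved = {k: dict(v) for k, v in inventory.items()}
    moved[name]["host"] = new_host
    return moved


if __name__ == "__main__":
    for src, dst in (("jump-01", "bugzilla-web-01"),
                     ("bugzilla-web-01", "bugzilla-db-01"),
                     ("kiosk-01", "bugzilla-db-01")):
        print(f"{src} -> {dst}: {decide(src, dst, INVENTORY)}")
    after = vmotion(INVENTORY, "bugzilla-web-01", "esxi-02")
    print("after vMotion:", decide("jump-01", "bugzilla-web-01", after))
```

The kiosk VM lands in no zone and therefore hits the default action; in a real deployment the unzoned set is worth listing explicitly, because a VM that falls out of every zone (a renamed VM, a port group change) silently drops to whatever the default is rather than to the policy its owner expects.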


Page 34: Virtualization & tipping point

Part 2 Recap…

• ASICs and multi-core processors have traditionally been used for IPS applications. This luxury is not available in virtualized environments, because virtualization technologies typically do not allow direct hardware access to the underlying application-specific hardware. Virtualization is well suited to general-purpose applications that would otherwise be under-utilized on dedicated hardware. Over-compensating for the loss of specific hardware by using larger than normal amounts of compute cycles for encryption, or memory for state maintenance, defeats the purpose of server virtualization.

• How are vCenter and the vController connected, and where does the initial vController service run?

• Which firewall is really doing the work, vShield or the vController?

• How does the SMS identify the real event in the ocean of events from the IPS?


Page 35: Virtualization & tipping point

Thank you

Finto Thomas, CISSP, TOGAF

[email protected]