VMware Professionals - Security, Multitenancy and Flexibility

Microsoft Virtual Academy, M3: Security, Multi-tenancy & Flexibility
Presenters: Symon Perriman (Technical Evangelist) and Matt McSpirit (Technical Product Manager)

Upload: paulo-freitas

Post on 14-May-2015

TRANSCRIPT

Page 1: VMWARE Professionals -  Security, Multitenancy and Flexibility

Microsoft Virtual Academy

M3: Security, Multi-tenancy & Flexibility

Symon Perriman, Technical Evangelist
Matt McSpirit, Technical Product Manager

Page 2: Course Outline

Microsoft Virtual Academy: Introduction to Hyper-V Jump Start

Part 1 | Windows Server 2012 Hyper-V & VMware vSphere 5.1
(01) Introduction & Scalability
(02) Storage & Resource Management
(03) Security, Multi-tenancy & Flexibility
(04) High-Availability & Resiliency

** MEAL BREAK **

Part 2 | System Center 2012 SP1 & VMware's Private Cloud
(05) Introduction & Overview of System Center 2012
(06) Application Management
(07) Cross-Platform Management
(08) Foundation, Hybrid Clouds & Costs

Page 3: Module Agenda

Multitenancy and Security
• Hyper-V Extensible Switch
• Networking Performance
• Security

Flexible Infrastructure
• Virtual Machine Mobility
• Network Virtualization

Page 4: Multi-Tenancy & Security

Page 5: Hyper-V Extensible Switch - Isolation and Multitenancy

New feature: handles network traffic among virtual machines, the external network, and the host operating system.

Benefits
• Layer 2 virtual interface
• Managed programmatically
• Extensible by partners or customers

[Figure: three virtual machines, each with a network application and a virtual network adapter, attached to the Hyper-V Extensible Switch on the Hyper-V host, which connects through the physical network adapter to the physical switch.]

Page 6: Hyper-V Extensible Switch

• PVLANs
• ARP/ND Poisoning Protection
• DHCP Guard Protection
• Virtual Port ACLs
• Trunk Mode to Virtual Machines
• Monitoring & Port Mirroring
• Windows PowerShell & WMI Management

The Hyper-V Extensible Switch allows deeper integration with customers' existing network infrastructure, monitoring and security tools.
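As an added illustration (not Microsoft's switch code), the following Python simulation applies three of the port protections listed above, DHCP Guard, ARP poisoning protection and a virtual port ACL, to a handful of constructed frames leaving one tenant vNIC; the MAC, the allowed IPs and the ACL entries are assumed values.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class PortPolicy:
    """Per-vNIC settings: the one MAC and the IPs the VM may claim, the two
    guards, and an ordered port ACL of (direction, remote prefix, action)."""
    mac: str
    ips: set
    dhcp_guard: bool = True      # drop DHCP server replies sent by this VM
    arp_guard: bool = True       # drop ARP that claims addresses not in ips
    acl: list = field(default_factory=list)

def check_acl(policy, direction, remote_ip):
    """First matching ACL entry decides; with no match the frame is allowed."""
    addr = ipaddress.ip_address(remote_ip)
    for acl_dir, prefix, action in policy.acl:
        if acl_dir in (direction, "both") and addr in ipaddress.ip_network(prefix):
            return action
    return "allow"

def filter_egress(policy, frame):
    """Decide whether a frame leaving the VM's vNIC is forwarded.
    Returns (verdict, reason); verdict is 'allow' or 'drop'."""
    if frame["src_mac"].lower() != policy.mac.lower():
        return "drop", "source MAC does not belong to this port"
    if frame["type"] == "arp":
        # ARP poisoning protection: a VM may only advertise its own addresses,
        # so it cannot claim the gateway or another tenant's IP.
        if policy.arp_guard and frame["sender_ip"] not in policy.ips:
            return "drop", "arp-guard: spoofed sender IP " + frame["sender_ip"]
        return "allow", "arp ok"
    if policy.dhcp_guard and frame["type"] == "udp" and frame["src_port"] == 67:
        # DHCP Guard: only ports marked as DHCP servers may send OFFER/ACK.
        return "drop", "dhcp-guard: DHCP server reply from a client port"
    verdict = check_acl(policy, "outbound", frame["dst_ip"])
    return verdict, "acl %s for %s" % (verdict, frame["dst_ip"])

# Constructed tenant vNIC (Blue1 from this deck), allowed to talk only
# inside its own 10.0.0.0/24 customer subnet.
BLUE1 = PortPolicy(mac="00:15:5d:01:02:03", ips={"10.0.0.5"},
                   acl=[("outbound", "10.0.0.0/24", "allow"),
                        ("both", "0.0.0.0/0", "drop")])

SAMPLE_FRAMES = [  # constructed frames leaving Blue1's vNIC
    {"type": "arp", "src_mac": "00:15:5d:01:02:03", "sender_ip": "10.0.0.5"},
    {"type": "arp", "src_mac": "00:15:5d:01:02:03", "sender_ip": "10.0.0.1"},
    {"type": "udp", "src_mac": "00:15:5d:01:02:03", "src_port": 67, "dst_ip": "10.0.0.7"},
    {"type": "udp", "src_mac": "00:15:5d:01:02:03", "src_port": 443, "dst_ip": "10.0.0.7"},
    {"type": "udp", "src_mac": "00:15:5d:01:02:03", "src_port": 443, "dst_ip": "192.168.4.22"},
]

def verdicts(policy=BLUE1, frames=SAMPLE_FRAMES):
    """Verdict for each sample frame, in order."""
    return [filter_egress(policy, f)[0] for f in frames]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(filter_egress(BLUE1, f))
```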

Page 7: Hyper-V Extensible Switch - Multiple Partner Extensions

Partner extensions shown: Cisco (Nexus 1000V, UCS VM-FEX), 5nine Security Manager, NEC OpenFlow, InMon sFlow.

The Hyper-V Extensible Switch is an open platform that lets multiple vendors provide extensions written to standard Windows API frameworks, covering:
• Packet Inspection
• Packet Filtering
• Network Forwarding
• Intrusion Detection

Page 8: VMware Comparison - Hyper-V Extensible Switch

The Hyper-V Extensible Switch is open and extensible, unlike VMware's vSwitch, which is closed, and replaceable.

Capability                       Hyper-V (2012)   vSphere Hypervisor   vSphere 5.1 Enterprise Plus
Extensible vSwitch               Yes              No                   Replaceable (1)
Confirmed Partner Extensions     5                No                   2
Private Virtual LAN (PVLAN)      Yes              No                   Yes (1)
ARP Spoofing Protection          Yes              No                   vCNS/Partner (2)
DHCP Snooping Protection         Yes              No                   vCNS/Partner (2)
Virtual Port ACLs                Yes              No                   vCNS/Partner (2)
Trunk Mode to Virtual Machines   Yes              No                   Yes (3)
Port Monitoring                  Yes              Per Port Group       Yes (3)
Port Mirroring                   Yes              Per Port Group       Yes (3)

(1) The vSphere Distributed Switch (required for PVLAN capability) is available only in the Enterprise Plus edition of vSphere 5.1 and is replaceable (by partners such as Cisco/IBM) rather than extensible.
(2) ARP Spoofing Protection, DHCP Snooping Protection and Virtual Port ACLs require the App component of the VMware vCloud Networking & Security (vCNS) product or a partner solution, all of which are additional purchases.
(3) Trunking VLANs to individual vNICs, and port monitoring and mirroring at a granular level, require the vSphere Distributed Switch, which is available in the Enterprise Plus edition of vSphere 5.1.

vSphere Hypervisor / vSphere 5.x Ent+ information: http://www.vmware.com/products/cisco-nexus-1000V/overview.html, http://www-03.ibm.com/systems/networking/switches/virtual/dvs5000v/, http://www.vmware.com/technical-resources/virtualization-topics/virtual-networking/distributed-virtual-switches.html, http://www.vmware.com/files/pdf/techpaper/Whats-New-VMware-vSphere-51-Network-Technical-Whitepaper.pdf, http://www.vmware.com/products/vshield-app/features.html and http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9902/data_sheet_c78-492971.html

Page 9: Networking Performance

The Hyper-V Extensible Switch takes advantage of hardware innovation to drive the highest levels of networking performance within virtual machines.

• Dynamic VMq: dynamically span multiple CPUs when processing virtual machine network traffic.
• IPsec Task Offload: offload IPsec processing from within the virtual machine to the physical network adapter, enhancing performance.
• SR-IOV Support: map a virtual function of an SR-IOV-capable physical network adapter directly to a virtual machine.

Page 10: Single-Root I/O Virtualization (SR-IOV)

• Reduces latency of the network path
• Reduces CPU utilization for processing network traffic
• Increases throughput
• Direct device assignment to virtual machines without compromising flexibility
• Supports Live Migration

[Figure: network I/O path without SR-IOV (physical NIC -> Hyper-V Switch in the root partition, which performs routing, VLAN filtering and a data copy -> VMBus -> virtual NIC in the virtual machine) compared with the path with SR-IOV (a virtual function of the SR-IOV physical NIC mapped directly into the virtual machine).]

Page 11: SR-IOV Enabling & Live Migration

Turn on IOV
• Enable IOV (VM NIC property)
• A Virtual Function is "assigned" to the VM
• A team of the software NIC and the Virtual Function is automatically created in the VM's network stack
• Traffic flows through the VF; the software path is not used

Live Migration
• Break the team
• Remove the VF from the VM
• Migrate as normal

Post migration
• Reassign a Virtual Function, assuming resources are available
• The VM has connectivity even if the switch is not in IOV mode, no IOV physical NIC is present, the NIC vendor is different, or the NIC firmware is different

[Figure: on each host an SR-IOV physical NIC behind a software switch in IOV mode; inside the VM network stack a "team" of the software NIC and the Virtual Function.]

Page 12: Physical Security

BitLocker ensures your data stays secure, even when your Hyper-V hosts, clusters, and storage reside in less physically secure locations. BitLocker protects:
• Local disk
• Traditional cluster disk
• CSV 2.0

Page 13: VMware Comparison - Networking Performance & Security

Unlike VMware, Hyper-V's SR-IOV support ensures the highest performance without sacrificing key features such as Live Migration.

Capability                      Hyper-V (2012)   vSphere Hypervisor   vSphere 5.1 Enterprise Plus
Dynamic Virtual Machine Queue   Yes              NetQueue (1)         NetQueue (1)
IPsec Task Offload              Yes              No                   No
SR-IOV with Live Migration      Yes              No (2)               No (2)
Storage Encryption              Yes              No                   No

(1) VMware vSphere and the vSphere Hypervisor support VMq only (NetQueue).
(2) VMware's SR-IOV implementation does not support vMotion, HA or Fault Tolerance. DirectPath I/O, whilst not identical to SR-IOV, aims to provide virtual machines with more direct access to hardware devices, network cards being a good example. On the surface this boosts VM networking performance and reduces the burden on host CPU cycles, but in reality there are a number of caveats to using DirectPath I/O:
• Very small Hardware Compatibility List
• No Memory Overcommit
• No vMotion (unless running certain configurations of Cisco UCS)
• No Fault Tolerance
• No Network I/O Control
• No VM Snapshots (unless running certain configurations of Cisco UCS)
• No Suspend/Resume (unless running certain configurations of Cisco UCS)
• No VMsafe/Endpoint Security support

SR-IOV also requires the vSphere Distributed Switch, meaning customers have to upgrade to the highest vSphere edition to take advantage of this capability. No such restrictions are imposed when using SR-IOV in Hyper-V, ensuring customers can combine the highest levels of performance with the flexibility they need for an agile infrastructure.

vSphere Hypervisor / vSphere 5.x Ent+ information: http://www.vmware.com/pdf/Perf_Best_Practices_vSphere5.1.pdf

Page 14: Flexible Infrastructure

Page 15: Virtual Machine Mobility

Live Migration: faster, unrestricted, simultaneous VM live migrations between cluster nodes with no downtime.

Page 16: Virtual Machine Mobility - Migrate Virtual Machines Without Downtime

Improvements
• Faster and simultaneous migration
• Live migration outside a clustered environment
• Store virtual machines on a file share

Live migration based on a server message block (SMB) share, in order:
1. Live migration setup: an IP connection to the target host; configuration data is transferred.
2. Memory pages transferred: the memory content is copied to the target host.
3. Modified pages transferred: memory pages modified during the copy are sent.
4. Storage handle moved: the handle to the VM's storage on the SMB share moves to the target host.

[Figure: source and target hosts connected by an IP connection, both attached to SMB network storage.]

Page 17: Virtual Machine Mobility

Live Migration: faster, unrestricted, simultaneous VM live migrations between cluster nodes with no downtime.

Live Storage Migration: move the virtual hard disks of running virtual machines to a different storage location with no downtime.

Page 18: Virtual Machine Mobility - Move Virtual Machine Storage Without Downtime

Benefits
• Manage storage in a cloud environment with greater flexibility and control
• Move storage with no downtime
• Update the physical storage available to a virtual machine (such as SMB-based storage)
• Windows PowerShell cmdlets

Live migration of storage moves the virtual hard disks attached to a running virtual machine from a source device to a target device on the computer running Hyper-V:
1. Reads and writes go to the source VHD.
2. Disk contents are copied to the new destination VHD.
3. Disk writes are mirrored to both VHDs; outstanding changes are replicated.
4. Reads and writes go to the new destination VHD.

Page 19: Virtual Machine Mobility

Live Migration: faster, unrestricted, simultaneous VM live migrations between cluster nodes with no downtime.

Live Storage Migration: move the virtual hard disks of running virtual machines to a different storage location with no downtime.

Shared-Nothing Live Migration: move virtual machines between Hyper-V hosts with nothing but a network cable.

Page 20: Virtual Machine Mobility - Shared-Nothing Live Migration

Migrate virtual machines without downtime from a source Hyper-V host (with its source device) to a destination Hyper-V host (with its target device), connected only by an IP connection.

Benefits
• Increase flexibility of virtual machine placement
• Increase administrator efficiency
• Reduce downtime for migrations across cluster boundaries

Shared-nothing live migration, in order:
1. Reads and writes go to the source VHD.
2. Live migration begins: disk contents are copied to the new destination VHD.
3. Live migration continues: disk writes are mirrored; outstanding changes are replicated. Configuration data, memory content and modified memory pages are transferred over the IP connection.
4. Live migration completes: reads and writes go to the new destination VHD.
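The disk stages on page 18 and the shared-nothing sequence on page 20 are the same mechanism, so the following Python simulation, added here and not Hyper-V's own code, walks through both on constructed block and page data: the destination VHD is copied while the guest keeps writing, writes are then mirrored and outstanding changes replicated, memory is transferred in rounds with modified pages re-sent, and the switch to the destination is refused if the copies disagree.

```python
class Migration:
    def __init__(self, disk, memory):
        self.src_disk, self.dst_disk = list(disk), [None] * len(disk)
        self.src_mem, self.dst_mem = list(memory), [None] * len(memory)
        self.stale_blocks = set(range(len(disk)))   # dest blocks not current
        self.dirty_pages = set(range(len(memory)))  # pages not yet sent
        self.mirroring = False
        self.active = "source"

    def guest_write(self, block, data):
        """Reads and writes go to the source VHD; once mirroring is on the
        write also lands on the destination, else it is an outstanding change."""
        self.src_disk[block] = data
        if self.mirroring:
            self.dst_disk[block] = data
        else:
            self.stale_blocks.add(block)

    def guest_touch_page(self, page, data):
        """The running VM modifies memory; that page must be sent again."""
        self.src_mem[page] = data
        self.dirty_pages.add(page)

    def copy_disk(self):
        """Copy every outstanding block to the destination VHD."""
        for b in sorted(self.stale_blocks):
            self.dst_disk[b] = self.src_disk[b]
        self.stale_blocks.clear()

    def start_mirroring(self):
        """Mirror new writes, then replicate changes made during the copy."""
        self.mirroring = True
        self.copy_disk()

    def send_pages(self):
        """One memory transfer round; returns how many pages were sent."""
        sent = len(self.dirty_pages)
        for p in self.dirty_pages:
            self.dst_mem[p] = self.src_mem[p]
        self.dirty_pages.clear()
        return sent

    def complete(self):
        """Final pass of modified pages, then reads and writes move to the
        destination; refuse to switch if the copies disagree."""
        self.send_pages()
        if self.dst_disk != self.src_disk or self.dst_mem != self.src_mem:
            raise RuntimeError("destination inconsistent; migration aborted")
        self.active = "destination"
        return self.active

def demo():
    """Interleave guest activity with the stages on constructed data."""
    m = Migration(disk=["a", "b", "c", "d"], memory=["p0", "p1", "p2"])
    m.copy_disk()                  # bulk copy while the VM keeps running
    m.guest_write(1, "B")          # hits the source only: outstanding change
    m.start_mirroring()            # block 1 replicated, new writes mirrored
    m.guest_write(3, "D")          # lands on both VHDs
    rounds = [m.send_pages()]      # first round sends all 3 pages
    m.guest_touch_page(2, "P2")    # VM dirties one page meanwhile
    rounds.append(m.send_pages())  # only the modified page is re-sent
    m.complete()
    return rounds, m.dst_disk, m.dst_mem
```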

Page 21: Network Virtualization

Secure Isolation: isolate network traffic from different business units or customers on a shared infrastructure without VLANs.

Flexible Migrations: move VMs as needed within your virtual infrastructure while preserving their virtual network assignments.

Seamless Integration: transparently integrate these private networks into a preexisting infrastructure on another site.

Page 22: Dynamic VLAN Reconfiguration is Cumbersome

[Figure: VMs connected through top-of-rack (ToR) switches to aggregation switches, with VLAN tags carried at every hop.]

Topology limits VM placement and requires reconfiguration of production switches.

Page 23: Hyper-V Network Virtualization

Server virtualization: run multiple virtual servers on a physical server; each VM has the illusion it is running as a physical server (Blue VM and Red VM on one physical server).

Hyper-V Network Virtualization: run multiple virtual networks on a physical network; each virtual network has the illusion it is running as a physical network (Blue Network and Red Network on one physical network).

Page 24: Virtualization Policy

System Center holds the virtualization policy that virtualizes customer addresses: each VM's Customer Address (CA) is mapped to the Provider Address (PA) of the host it runs on.

Customer Address space (CA)
• BlueCorp: Blue1 = 10.0.0.5, Blue2 = 10.0.0.7
• RedCorp: Red1 = 10.0.0.5, Red2 = 10.0.0.7 (the same addresses as BlueCorp)

Provider Address space (PA), datacenter network
• Host 1 = 192.168.4.11 (runs Blue1 and Red1)
• Host 2 = 192.168.4.22 (runs Blue2 and Red2)

Policy table (CA -> PA)
• Blue: 10.0.0.5 -> 192.168.4.11, 10.0.0.7 -> 192.168.4.22
• Red: 10.0.0.5 -> 192.168.4.11, 10.0.0.7 -> 192.168.4.22

Page 25: Hyper-V NV Concepts

Customer Network: one or more virtual subnets forming an isolation boundary. A customer may have multiple Customer Networks, e.g. Blue R&D and Blue Sales.

Virtual Subnet: a broadcast boundary.

[Figure: hoster datacenter with Blue Corp and Red Corp. Blue Corp's Customer Networks (Blue R&D Net and Blue Sales Net) contain Blue Subnet1 to Blue Subnet5; Red Corp's Red HR Net contains Red Subnet1 and Red Subnet2.]

Page 26: Standards-Based Encapsulation - NVGRE

• Better network scalability by sharing a PA among VMs
• Explicit Virtual Subnet ID for better multi-tenancy support

[Figure: Blue and Red VMs use the same CAs (10.0.0.5 and 10.0.0.7) on hosts in different PA subnets (192.168.2.22 and 192.168.5.55). A Blue packet from 10.0.0.5 to 10.0.0.7 is carried in an outer MAC/PA frame from 192.168.2.22 to 192.168.5.55 with GRE Key 5001; the Red packet with identical inner addresses travels between the same PAs with GRE Key 6001.]

Page 27: Hyper-V NV Architecture

• Network Virtualization is transparent to VMs
• Management OS traffic is NOT virtualized; only VM traffic is
• The Hyper-V Switch and its extensions operate in CA space

Data Center Policy (held in System Center)
• Blue: VM1: MAC1, CA1, PA1; VM2: MAC2, CA2, PA3; VM3: MAC3, CA3, PA5; ...
• Red: VM1: MACX, CA1, PA2; VM2: MACY, CA2, PA4; VM3: MACZ, CA3, PA6; ...

[Figure: a Windows Server 2012 host. VM1 (CA1) attaches to the Hyper-V Switch, which applies VSID ACL isolation and switch extensions in CA space; below it the Network Virtualization filter performs IP virtualization, policy enforcement and routing (CA1 <-> PA1) ahead of the host network stack and the NIC. Separate NICs carry management, cluster, storage and live migration traffic. A System Center host agent delivers the policy to the host. In the datacenter view, VM1 and VMX run on Host 1 and VM2 and VMY on Host 2, each with its own CA and PA.]

Page 28: Packet Flow - Blue1 Sending to Blue2 (1 of 4: ARP request)

Setup: Host 1 (PA 192.168.4.11, outer MAC MACPA1) runs Blue1 and Red1, both 10.0.0.5; Host 2 (PA 192.168.4.22, outer MAC MACPA2) runs Blue2 and Red2, both 10.0.0.7. On each host the Hyper-V Switch performs VSID ACL enforcement (Blue on VSID 5001, Red on VSID 6001), and the Network Virtualization filter performs IP virtualization, policy enforcement and routing.

1. Blue1 asks "where is 10.0.0.7?" and sends an ARP request for 10.0.0.7; the switch carries it with out-of-band data OOB: VSID:5001.
2. The Hyper-V Switch broadcasts the ARP to: (1) all local VMs on VSID 5001; (2) the Network Virtualization filter.
3. The Network Virtualization filter responds to the ARP for IP 10.0.0.7 on VSID 5001 with Blue2's MAC.
4. The ARP is NOT broadcast to the network.

Page 29: Packet Flow - Blue1 Sending to Blue2 (2 of 4: ARP reply)

The Network Virtualization filter answers "Use MACB2 for 10.0.0.7" with OOB: VSID:5001; the Hyper-V Switch delivers the reply to Blue1, and Blue1 learns the MAC of Blue2. The ARP is NOT broadcast to the network.

Page 30: Packet Flow - Blue1 Sending to Blue2 (3 of 4: send)

Sent from Blue1: [MACB1 -> MACB2 | 10.0.0.5 -> 10.0.0.7]
In the Hyper-V Switch: the same frame, carried with OOB: VSID:5001
In the Network Virtualization filter: the same frame, carried with OOB: VSID:5001
NVGRE on the wire: [MACPA1 -> MACPA2 | 192.168.4.11 -> 192.168.4.22 | GRE key 5001 | MACB1 -> MACB2 | 10.0.0.5 -> 10.0.0.7]

Page 31: Packet Flow - Blue2 Receiving from Blue1 (4 of 4: receive)

NVGRE on the wire: [MACPA1 -> MACPA2 | 192.168.4.11 -> 192.168.4.22 | GRE key 5001 | MACB1 -> MACB2 | 10.0.0.5 -> 10.0.0.7]
In the Network Virtualization filter on Host 2: the outer headers are removed and the inner frame [MACB1 -> MACB2 | 10.0.0.5 -> 10.0.0.7] is carried with OOB: VSID:5001
In the Hyper-V Switch: VSID ACL enforcement on VSID 5001 delivers the frame to Blue2 and not to Red2 (VSID 6001)
Received by Blue2: [MACB1 -> MACB2 | 10.0.0.5 -> 10.0.0.7]
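To tie pages 24 and 26 to the packet flow of pages 28 to 31, the following Python example (added here, not Microsoft's implementation) keeps the deck's virtualization policy, answers ARP from it the way the Network Virtualization filter does, builds the NVGRE frame that goes on the wire with the VSID in the GRE key (the key layout, a 24-bit VSID followed by an 8-bit flow ID, follows the NVGRE specification, RFC 7637), and enforces the VSID ACL on receipt; the MAC addresses are constructed and the IPv4 checksum is left at zero.

```python
import struct
from ipaddress import IPv4Address

ETH_IP, GRE_PROTO, ETH_TEB, GRE_KEY_PRESENT = 0x0800, 47, 0x6558, 0x2000

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

# Virtualization policy from pages 24 and 27: per VSID, CA -> (PA of the host
# running that VM, VM MAC). CAs, PAs and VSIDs are the deck's; MACs are constructed.
POLICY = {
    5001: {"10.0.0.5": ("192.168.4.11", "00:15:5d:b1:00:01"),    # Blue1, MACB1
           "10.0.0.7": ("192.168.4.22", "00:15:5d:b2:00:02")},   # Blue2, MACB2
    6001: {"10.0.0.5": ("192.168.4.11", "00:15:5d:c1:00:01"),    # Red1
           "10.0.0.7": ("192.168.4.22", "00:15:5d:c2:00:02")},   # Red2
}
HOST_MAC = {"192.168.4.11": "00:1b:21:00:00:01",   # MACPA1 (constructed)
            "192.168.4.22": "00:1b:21:00:00:02"}   # MACPA2 (constructed)

def nv_arp_reply(vsid, target_ca):
    """The NV filter answers ARP from policy (page 28), so the request never
    reaches the physical network; None means the CA is unknown on that VSID."""
    entry = POLICY.get(vsid, {}).get(target_ca)
    return entry[1] if entry else None

def ipv4(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header; the checksum is left 0 in this demo.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)

def inner_frame(vsid, src_ca, dst_ca, payload=b""):
    """CA-space Ethernet/IPv4 frame exactly as the VM sends it (page 30)."""
    src_mac, dst_mac = POLICY[vsid][src_ca][1], POLICY[vsid][dst_ca][1]
    return (mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETH_IP)
            + ipv4(src_ca, dst_ca, 17, len(payload)) + payload)

def nvgre_encapsulate(vsid, src_ca, dst_ca, frame, flow_id=0):
    """NVGRE on the wire: outer Ethernet + PA IPv4 (protocol 47) + GRE whose
    32-bit key carries the 24-bit VSID followed by an 8-bit flow ID."""
    src_pa, dst_pa = POLICY[vsid][src_ca][0], POLICY[vsid][dst_ca][0]
    gre = struct.pack("!HHI", GRE_KEY_PRESENT, ETH_TEB, (vsid << 8) | flow_id)
    return (mac(HOST_MAC[dst_pa]) + mac(HOST_MAC[src_pa]) + struct.pack("!H", ETH_IP)
            + ipv4(src_pa, dst_pa, GRE_PROTO, len(gre) + len(frame)) + gre + frame)

def nvgre_decapsulate(wire):
    """Receiving host (page 31): strip the outer headers and return
    (vsid, destination PA, inner CA-space frame)."""
    ihl = (wire[14] & 0x0F) * 4
    if wire[14 + 9] != GRE_PROTO:
        raise ValueError("outer packet is not GRE")
    dst_pa = str(IPv4Address(wire[14 + 16:14 + 20]))
    flags, proto, key = struct.unpack("!HHI", wire[14 + ihl:14 + ihl + 8])
    if not flags & GRE_KEY_PRESENT or proto != ETH_TEB:
        raise ValueError("GRE packet is not NVGRE")
    return key >> 8, dst_pa, wire[14 + ihl + 8:]

def deliver(wire, vm_vsid, vm_ca):
    """VSID ACL enforcement at the destination switch: the inner frame reaches
    the VM only if the VSID on the wire is the VM's own VSID and the policy
    places that CA on this host (the outer destination PA)."""
    vsid, dst_pa, frame = nvgre_decapsulate(wire)
    if vsid != vm_vsid or POLICY.get(vsid, {}).get(vm_ca, (None,))[0] != dst_pa:
        return None
    return frame
```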

Page 32: VMware Comparison - Virtual Machine Mobility

Only Hyper-V provides key VM migration features in the box, with no additional licensing costs.

Capability                          Hyper-V (2012)   vSphere Hypervisor   vSphere 5.1 Enterprise Plus
VM Live Migration                   Yes              No (1)               Yes (2)
1GB Simultaneous Live Migrations    Unlimited (3)    N/A                  4
10GB Simultaneous Live Migrations   Unlimited (3)    N/A                  8
Live Storage Migration              Yes              No (4)               Yes (5)
Shared Nothing Live Migration       Yes              No                   Yes (5)
Network Virtualization              Yes              No                   VXLAN (6)

(1) Live Migration (vMotion) is unavailable in the vSphere Hypervisor; vSphere 5.1 is required.
(2) Live Migration (vMotion) and Shared Nothing Live Migration (Enhanced vMotion) are available in Essentials Plus and higher editions of vSphere 5.1.
(3) Within the technical capabilities of the networking hardware.
(4) Live Storage Migration (Storage vMotion) is unavailable in the vSphere Hypervisor.
(5) Live Storage Migration (Storage vMotion) is available in the Standard, Enterprise and Enterprise Plus editions of vSphere 5.1.
(6) VXLAN is a feature of the vCloud Networking & Security product, which is available at additional cost to vSphere 5.1. In addition, it requires the vSphere Distributed Switch, only available in vSphere 5.1 Enterprise Plus.

vSphere Hypervisor / vSphere 5.x Ent+ information: http://www.vmware.com/products/vsphere/buy/editions_comparison.html, http://www.vmware.com/files/pdf/products/vcns/vCloud-Networking-and-Security-Overview-Whitepaper.pdf, http://www.vmware.com/products/datacenter-virtualization/vcloud-network-security/features.html#vxlan

Page 34: Legal Notice

©2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Office, Azure, System Center, Dynamics and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
