
Architecting DMZ Virtualization

v1.5

Brad Hedlund
Solutions Architect, Data Center
CCIE #5530, VCP
February 2010
bhedlund@cisco.com

© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 1


Policy Driven Network Design: Physical

- Each network switch has independent code, control plane, data plane, interfaces & configuration.
- Isolation provided by physical cabling



Network Virtualization: Logical Partitions

- Security zones share a common network switch infrastructure.
- Common switch with discrete forwarding tables
- Isolation provided by switch configuration
- VN-Tag, VLAN, VRF, MPLS



H/W scheduled Control Plane isolation



Inconsistent Isolation Policies

- Attaching differing isolation policies together results in the lowest common denominator policy
- Physical partitions merely become extensions of what is a logical policy architecture
- Considered “Out of Policy” with Physical Isolation



Server Virtualization with Physical Isolation

How is a physical isolation policy preserved with server virtualization?



Network policy moves into the Server (Host)

- Server virtualization creates a network inside the Host, a virtual network.
- Attempts are made to keep the virtual and physical network policy consistent
- Conventional thinking: “physically separate vSwitches” is the solution.



The false sense of “vSwitch” security…



What is a vSwitch?

“Each vSwitch is just a data structure saying what ports are connected to it (along with other information).”

“So while using vSwitches sounds more compartmentalized than VLANs, they provide equivalent separation.”

(Mark Bakke, Nexus 1000V Principal Architect, Cisco)

Source: http://faz1.com/blog/2009/08/20/two-vswitches-are-better-than-1-right/



Simple Example: Host Memory Footprint: 1 vSwitch

- Each network switch has its own independent code and control plane…
- Adding multiple vSwitches should add multiple copies of unique vSwitch code.
- Let's add 11 vSwitches and see what happens…



11 “vSwitches”: same footprint

- 11, 20, or 200 “vSwitches” is really 1 switch
- Each “vSwitch” is just a unique logical partition of a single software switch
- Delivers the same concept of logical forwarding partitions as a VLAN



The consequential architecture based on an illusion… Consequences

- Many adapters required per server
  - (1) per DMZ
  - (2) per DMZ for redundancy
  - … even more to scale BW
  - … and even more for mgmt
- Many adapters in one server force 1GE and prohibit 10GE adoption
- Less BW from 1GE requires more servers with fewer VMs to scale I/O
- Lower physical to virtual consolidation ratios
- Larger 4U rackmount servers required for adapter real estate – blade server prohibitive
- Cannot leverage DVS


The Result: Inconsistent Policy
… and missed opportunities.



Consistent Policy of Logical Separation: Server + Network Virtualization

- Physical switch uses logical isolation consistent with the virtual switch
- Fewer adapters
- 10GE & Unified I/O
- Higher consolidation ratios
- Right sized 1RU-2RU servers
- Blade server inclusive
- DVS inclusive



Consistent Physical Policy

- Virtual network physical isolation consistent with the physical network
- Fewer adapters per server
- 10GE & Unified I/O
- Higher consolidation ratios
- Right sized 2RU/1RU servers
- Blade server inclusive
- DVS inclusive



H/W Scheduled Control Plane Isolation

- Physical Network switch uses similar H/W scheduling to VMware Host.
- Switch Consolidation
- Nexus 7000 VDC



Securing the Virtual Switch: Nexus 1000V Security Features
Not available in vSwitch or vDS

- IP Source Guard
  - duplicate IP, spoofed IP protection
- Private VLAN (source enforced)
  - stop denied frames at source host
- DHCP Snooping
  - Rogue DHCP server protection
- Dynamic ARP Inspection
  - Man-in-the-middle protection
- IP access control (per VM) filtering
  - TCP bits/flags (FIN, ACK, RST, PSH, etc.)
  - TCP/UDP ports
  - ICMP types & codes
- MAC ACLs
- Port Security

[Diagram: Nexus 1000V VSM and VEM]



Securing the Physical Switch for Network Virtualization
Securing against physical switch attacks

- Attack: MAC Overflow (macof)
  Solution: Port Security
- Attack: VLAN Hopping
  Solution: Best Practice Configuration
  - disable auto trunking
  - VLAN tag all frames (including native)
  - dedicated VLAN ID for trunks
- Attack: Spoofed IP, Spoofed MAC
  Solution: Dynamic ARP Inspection, IP Source Guard, Port Security
- Attack: Rogue DHCP
  Solution: DHCP Snooping
- Attack: Spanning Tree Spoofing
  Solution: Root Guard, BPDU Guard
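The hardening listed on this slide, written out as a Catalyst IOS configuration for one DMZ access switch that fronts both a virtualization host and a physical server. This is an added example, not configuration from the deck; the VLAN numbers, interface names and MAC limits are assumed, and some commands (native VLAN tagging in particular) exist only on certain Catalyst platforms.

```cisco
! Hypothetical Catalyst IOS configuration, added as an example (not from the deck).
! Assumed VLANs: 10 = DMZ web tier, 20 = DMZ app tier, 999 = unused native VLAN.
!
! Rogue DHCP -> DHCP Snooping; Spoofed IP/MAC -> Dynamic ARP Inspection (both per VLAN)
ip dhcp snooping
ip dhcp snooping vlan 10,20
no ip dhcp snooping information option
ip arp inspection vlan 10,20
!
! VLAN Hopping -> tag the native VLAN on every trunk so no frame is ever untagged
vlan dot1q tag native
!
! Spanning Tree Spoofing -> BPDU Guard on every PortFast edge port by default
spanning-tree portfast bpduguard default
!
! Edge trunk to a virtualization host (vSwitch uplink carrying the DMZ VLANs):
! no DTP negotiation, a dedicated native VLAN, only the DMZ VLANs allowed,
! a MAC cap against macof, and BPDU Guard because a host never speaks STP
interface GigabitEthernet1/0/1
 description esx-host-01
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport port-security
 switchport port-security maximum 40
 switchport port-security violation restrict
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
!
! Access port to a physical DMZ server: one MAC, its IP bound to the snooping table
interface GigabitEthernet1/0/10
 description dmz-web-03
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 ip verify source port-security
 spanning-tree portfast
!
! Uplink to the DMZ distribution switch: the only port where DHCP and ARP are trusted
interface TenGigabitEthernet1/0/49
 description uplink-dmz-dist
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 ip dhcp snooping trust
 ip arp inspection trust
```

Root Guard is not shown because it belongs on the distribution switch's ports facing the access layer, not on an access switch's uplink toward the legitimate root. IP Source Guard only has bindings to enforce once DHCP snooping is populating its table, so confirm with `show ip dhcp snooping binding` before trusting the enforcement.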



Summary

- Whatever your policy, Physical or Logical separation, maintain consistent policy in both the virtual and physical network
- The ILLUSION of “vSwitch” physical separation
- Consequences of the vSwitch illusion: 10GE, DVS, & blade server prohibitive, large servers, excessive adapters/cables, just to gain: Inconsistent Policy
- Physically separate networks should be paired with physically separate Hosts to be policy consistent
- The Logical separation policy with Server+Network virtualization can be secured with security built into the physical and virtual network
