Scribd Logo
Upload

Welcome to Scribd!

  • Architecting DMZ Virtualization Securtity Policy

    Uploaded by

    Shiv Raj Virk
    61 views20 pages
    Cisco Confidential Policy Driven Network Design: Physical Each network switch has independent code, control plane, data plane, interfaces and configuration. Each vSwitch is just a data structure saying what ports are connected to it (along with other information).

    Original Description:

    Original Title

    Architecting-DMZ-virtualization-securtity-policy

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    Cisco Confidential Policy Driven Network Design: Physical Each network switch has independent code, control plane, data plane, interfaces and configuration. Each vSwitch is just a data structure saying what ports are connected to it (along with other information).

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    61 views20 pages

    Architecting DMZ Virtualization Securtity Policy

    Uploaded by

    Shiv Raj Virk
    Cisco Confidential Policy Driven Network Design: Physical Each network switch has independent code, control plane, data plane, interfaces and configuration. Each vSwitch is just a data structure saying what ports are connected to it (along with other information).

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 20

    Architecting DMZ Virtualization

    v1.5

    Brad Hedlund
    Solutions Architect, Data Center
    CCIE #5530, VCP
    February 2010
    bhedlund@cisco.com

    © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 1


    Policy Driven Network Design: Physical

    Each network switch has


    independent code, control
    plane, data plane,
    interfaces & configuration.

    Isolation provided by
    physical cabling

    © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 2


    Network Virtualization: Logical Partitions

    Security zones share a


    common network switch
    infrastructure.

    Common switch with


    discrete forwarding tables

    Isolation provided by
    switch configuration

    VN-Tag, VLAN, VRF,


    MPLS

    © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 3


    H/W scheduled Control Plane isolation

    © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 4


    Inconsistent Isolation Policies

    Attaching differing
    isolation policies together
    results in the lowest
    common denominator
    policy

    Physical partitions merely


    become extensions of
    what is a logical policy
    architecture

    Considered “Out of Policy”


    with Physical Isolation

    © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 5


    Server Virtualization with Physical Isolation

    How is a physical isolation


    policy preserved with
    server virtualization?

    © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 6


    Network policy moves into the Server (Host)

    Server virtualization
    creates a network inside
    the Host, a virtual network.

    Attempts are made to keep


    the virtual and physical
    network policy consistent

    Conventional thinking:
    “physically separate
    vSwitches” is the solution.

    © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 7


    The false sense of “vSwitch” security…

    © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 8


    What is a vSwitch?

    "Each vSwitch is just a data structure saying what ports


    are connected to it (along with other information).”

    “So while using vSwitches sounds more


    compartmentalized than VLANs, they provide
    equivalent separation”

    -Mark Bakke, Nexus 1000V Principal Architect, Cisco

    Source: http://faz1.com/blog/2009/08/20/two-vswitches-are-better-than-1-right/

    © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 9


    Simple Example: Host Memory Footprint:
    1 vSwitch
    Each network switch has
    its own independent code
    and control plane…

    Adding multiple vSwitches


    should add multiple copies
    of unique vSwitch code.

    Lets add 11 vSwitches and


    see what happens…

    © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 10


    11 “vSwitches”
    same footprint
    11, 20, or 200 “vSwitches”
    is really 1 switch

    Each “vSwitch” is just a


    unique logical partition of
    a single software switch

    Delivers the same concept


    of logical forwarding
    partitions of a VLAN

    © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 11


    The consequential
    architecture based
    on an illusion…
    Consequences

    Many adapters required per server


    (1) per DMZ
    (2) per DMZ for redundancy
    … even more to scale BW
    … and even more for mgmt

    Many adapters in one server force 1GE


    and prohibits 10GE adoption

    Less BW from 1GE requires more


    servers with fewer VMs to scale I/O

    Lower physical to virtual consolidation


    ratios

    Larger 4U rackmount servers required


    for adapter real estate – blade server
    prohibitive

    Cannot leverage DVS


    © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 12
    The Result:
    Inconsistent Policy

    … and missed
    opportunities.

    © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 13


    Consistent Policy of
    Logical Separation
    Server + Network Virtualization

    Physical switch uses logical


    isolation consistent with the virtual
    switch

    Fewer adapters

    10GE & Unified I/O

    Higher consolidation ratios

    Right sized 1RU-2RU servers

    Blade server inclusive

    DVS inclusive

    © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 14


    Consistent
    Physical
    Policy

    Virtual network physical


    isolation consistent with the
    physical network

    Fewer adapters per server

    10GE & Unified I/O

    Higher consolidation ratios

    Right sized 2RU/1RU servers

    Blade server inclusive

    DVS inclusive

    © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 15


    H/W Scheduled Control Plane Isolation
    Physical Network switch
    uses similar H/W scheduling
    to VMware Host.

    Switch Consolidation

    Nexus 7000 VDC

    © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 16


    Securing the Virtual Switch
    Nexus 1000V Security Features
    Not available in vSwitch or vDS

    IP Source Guard
    -duplicate IP, Spoofed IP protection

    Private VLAN (source enforced)


    -stop denied frames at source host

    DHCP Snooping
    -Rouge DHCP server protection
    VEM  
    Dynamic ARP Inspection
    -Man-in-the-middle protection

    IP access control (Per VM) filtering


    -TCP bits/flags (FIN, ACK, RST, PSH, etc)
    -TCP/UDP ports
    -ICMP types & codes

    MAC ACL’s

    Port Security

    Nexus  1000V  VSM  

    © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 17


    Securing the Physical Switch
    for Network Virtualization
    Securing against Physical switch attacks

    Attack: MAC Overflow (macof)


    Solution: Port Security

    Attack: VLAN Hopping


    Solution: Best Practice Configuration
    - disable auto trunking
    - VLAN tag all frames (including native)
    - dedicated VLAN ID for trunks

    Attack: Spoofed IP, Spoofed MAC


    Solution: Dynamic ARP Inspection
    IP Source Guard
    Port Security

    Attack: Rouge DHCP


    Solution: DHCP Snooping

    Attack: Spanning Tree Spoofing


    Solution: Root Guard
    BPDU Guard

    © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 18


    Summary
      Whatever your policy: Physical or Logical separation,
    maintain consistent policy in both the virtual and
    physical network
      The ILLUSION of “vSwitch” physical separation
      Consequences of the vSwitch illusion
    10GE, DVS, & blade server prohibitive, large servers, excessive
    adapters/cables, just to gain: Inconsistent Policy

      Physically separate networks should be paired with


    physically separate Hosts to be policy consistent
      The Logical separation policy with Server+Network
    virtualization can be secured with security built in to the
    physical and virtual network

    © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 19


    © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 20

    You might also like