STORMY WEATHER SECURING CLOUD COMPUTING
Russell Skingsley, Director of Advanced Technology, Data Centre and Cloud, APAC, Juniper Networks
2 Copyright © 2012 Juniper Networks, Inc. www.juniper.net
DISCLAIMER
These are not necessarily the views of Juniper Networks even though I have pilfered some of their slides for my own nefarious purposes.
TRADITIONAL DC NETWORK SECURITY
[Diagram: Server 1, Server 2 and Server 3 each sit in their own VLAN (VLAN A, VLAN B, VLAN C), 802.1Q-trunked into a switching complex; a separate security complex sits between the switching complex and the Big Bad World, so traffic between servers in different VLANs and traffic to or from the outside both pass through it.]
THE PRINCIPLE OF CONSOLIDATION – PER SERVER
[Diagram: several physical servers, each running one workload (Work) with most of its capacity idle (Waste); one virtualised server hosts the same workloads with a single, much smaller slice of wasted capacity.]
LARGER POOL, MORE CONSOLIDATION
[Diagram: the same physical servers (Work plus Waste each) consolidated onto a pool of virtualised servers; with a larger pool, more workloads fit and the wasted capacity shrinks further.]
SAME PRINCIPLE, FOR WHOLE DATA CENTERS
[Diagram: many small DCs consolidated into fewer, larger DCs.]
THE ECONOMICS OF THE DATA CENTER
[Chart, source: IDC. Y axis: Millions Installed Servers (0–80). X axis: 1996 to 2013. Series: Physical Server Installed Base (Millions) and Logical Server Installed Base (Millions). Annotations: "Capital Savings" (the gap between physical and logical servers) and "Complexity and Operating Costs" (the growing logical server count).]
THE ECONOMICS OF THE DATA CENTER
THE NEW EDGE
[Diagram: VM1–VM9 spread across hosts ESX1, ESX2 and ESX3; each host's VMkernel connects through the vDS (distributed virtual switch) to the physical network over an 802.1Q trunk. The vDS inside the hypervisor is the new network edge.]
VLAN LIMITATIONS
802.1Q-tagged Ethernet frame:
  DA | SA | 802.1Q Tag (32 bits) | Type or Length | Data | FCS
802.1Q tag fields (32 bits in total):
  Tag Protocol Identifier (0x8100) – 16 bits
  Priority (802.1p) – 3 bits
  Canonical Format Indicator – 1 bit
  VLAN ID – 12 bits
A 12-bit VLAN ID gives 4096 values; IDs 0 and 4095 are reserved, so one 802.1Q bridge domain can carry at most 4094 VLANs, i.e. roughly 4K tenants if each tenant gets a VLAN.
SCALING BEYOND 4K TENANTS – BRIDGE DOMAINS
[Diagram: a core switch above three distribution switches, each with its own access switches. The fabric is split into three bridge domains, VDC 1, VDC 2 and VDC 3, and each VDC reuses the full VLAN range 1–4000. Each VDC is a separate Mobility Extent: a VM can only move between hosts inside its own VDC.]
SCALING BEYOND 4K TENANTS – VCD-NI
[Diagram: a single Mobility Extent spanning the whole DC switching fabric. Four ESXi hosts hang off access switches, all on transport VLAN 5. The hosts have MAC 1, MAC 2, MAC 3 and MAC 4; their VMs (VM1–VM3 on each host) carry nested addresses MAC 1:1, MAC 1:2, MAC 2:1, MAC 3:1, MAC 4:1, MAC 4:2, i.e. VM frames travel encapsulated (MAC-in-MAC) inside host-to-host frames on the one transport VLAN.]
VCD-NI PORTGROUP LABELS
dvs.<vCenterID><DS#><vCD#><VLAN><Network ID><Name>
<Network ID> is a 24-bit value expressed in hexadecimal (sometimes referred to as a fence ID). A 24-bit ID has 16,777,216 possible values, against the 4094 usable 802.1Q VLAN IDs.
For example:
dvs.VC1012345678DVS3CM1-V32-C2E-Coke Org1
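The two slides above compare a 12-bit VLAN ID with a 24-bit network (fence) ID. The following is an added example, not code from the deck or from VMware or Juniper: it builds and parses 802.1Q tags to show the 4094-VLAN ceiling, then wraps a VM frame in a host-to-host frame on a transport VLAN with a 24-bit network ID in front of it, and shows the receive side discarding frames for networks it has no VM in (the discard that the later broadcast-radiation slides are about). The encapsulation layout and the ethertype 0x88B5 (an IEEE 802 local-experimental ethertype) are assumptions for illustration, not the vCD-NI wire format; MAC addresses and payloads are constructed sample data. Reading the hex network ID out of a label, as in "C2E" in the example label, is also an assumption about which field is which.

```python
"""Added example: 12-bit 802.1Q VLAN IDs versus a 24-bit network (fence) ID.
Illustrative layout only; not the vCD-NI wire format."""
import struct

TPID_8021Q = 0x8100
MAX_VLAN_ID = (1 << 12) - 1             # 4095; 802.1Q reserves IDs 0 and 4095
USABLE_VLANS = MAX_VLAN_ID - 1          # 4094
NETWORK_ID_BITS = 24
MAX_NETWORK_ID = (1 << NETWORK_ID_BITS) - 1   # 16,777,215
ETHERTYPE_INNER = 0x88B5                # local-experimental ethertype; assumed for the outer frame


def build_tag(vid, pcp=0, cfi=0):
    """Return the 32-bit 802.1Q tag: TPID(16) | PCP(3) | CFI(1) | VID(12)."""
    if not (0 <= vid <= MAX_VLAN_ID and 0 <= pcp <= 7 and cfi in (0, 1)):
        raise ValueError("802.1Q field out of range")
    tci = (pcp << 13) | (cfi << 12) | vid
    return struct.pack("!HH", TPID_8021Q, tci)


def build_tagged_frame(dst, src, vid, ethertype, payload, pcp=0):
    """DA | SA | 802.1Q tag | Type | Data (FCS omitted; the NIC adds it)."""
    return dst + src + build_tag(vid, pcp) + struct.pack("!H", ethertype) + payload


def parse_tagged_frame(frame):
    """Split a tagged frame into its fields; flags VIDs outside the usable 1..4094 range."""
    if len(frame) < 18:
        raise ValueError("frame too short for an 802.1Q header")
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        raise ValueError("not an 802.1Q tagged frame")
    vid = tci & 0x0FFF
    return {
        "dst": frame[:6], "src": frame[6:12],
        "pcp": tci >> 13, "cfi": (tci >> 12) & 1, "vid": vid,
        "vid_usable": 1 <= vid <= USABLE_VLANS,
        "ethertype": struct.unpack("!H", frame[16:18])[0],
        "payload": frame[18:],
    }


def encapsulate(host_dst, host_src, transport_vid, network_id, inner_frame):
    """Wrap a VM's frame in a host-to-host tagged frame on the transport VLAN.
    Assumed layout: 3-byte network ID followed by the untouched inner frame."""
    if not 0 <= network_id <= MAX_NETWORK_ID:
        raise ValueError("network id exceeds 24 bits")
    return build_tagged_frame(host_dst, host_src, transport_vid, ETHERTYPE_INNER,
                              network_id.to_bytes(3, "big") + inner_frame)


def decapsulate(outer_frame, local_network_ids):
    """Host receive path: return (network_id, inner_frame), or None if the frame
    is not ours. A flooded frame for a network this host has no VM in is received
    on the transport VLAN and thrown away here: that is the broadcast radiation cost."""
    outer = parse_tagged_frame(outer_frame)
    if outer["ethertype"] != ETHERTYPE_INNER or len(outer["payload"]) < 3:
        return None
    network_id = int.from_bytes(outer["payload"][:3], "big")
    if network_id not in local_network_ids:
        return None
    return network_id, outer["payload"][3:]


def fence_id_from_label_hex(hex_id):
    """Network ID from its hexadecimal form in a portgroup label (e.g. 'C2E')."""
    value = int(hex_id, 16)
    if value > MAX_NETWORK_ID:
        raise ValueError("network id exceeds 24 bits")
    return value


# Constructed sample data: locally administered MACs, an ARP-like broadcast from a VM.
HOST1 = bytes.fromhex("020000000001")
HOST2 = bytes.fromhex("020000000002")
VM_1_1 = bytes.fromhex("020000000101")
BCAST = b"\xff" * 6
INNER = BCAST + VM_1_1 + struct.pack("!H", 0x0806) + b"who-has 10.0.0.2?"

if __name__ == "__main__":
    outer = encapsulate(BCAST, HOST1, 5, fence_id_from_label_hex("C2E"), INNER)
    print("transport VID:", parse_tagged_frame(outer)["vid"])
    print("host with a VM in C2E:", decapsulate(outer, {0xC2E}) is not None)
    print("host without one:     ", decapsulate(outer, {0x001}) is not None)
    print("usable VLANs:", USABLE_VLANS, " network IDs:", MAX_NETWORK_ID + 1)
```

The receive-side check in decapsulate is the whole trade: every host on the transport VLAN sees every flooded frame and spends a few cycles deciding whether to keep it, which is exactly the "broadcast radiation" cost the next slides quantify.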
THE NEW EDGE – WITH TUNNELS
[Diagram: the same VM1–VM9, vDS, ESX1–ESX3 and VMkernel layout, each host trunked to the physical network over 802.1Q, with the VM traffic now tunnelled between hosts across the physical network.]
THE BROADCAST RADIATION WILL KILL US ALL
[Diagram: the same vDS / ESX1–ESX3 layout. A broadcast from one VM is flooded across the physical network to every host and VM on the transport VLAN; crosses mark where it is discarded.]
REMEMBER THESE RULES OF THUMB?
Max IP hosts per subnet – 500
Max IPX hosts per subnet – 256
Max AppleTalk hosts per subnet – 128
Source: http://docwiki.cisco.com/wiki/Internetwork_Design_Guide_--_Broadcasts_in_Switched_LAN_Internetworks
TIMES CHANGE
SparcStation 2: 28 MIPS. The "500 hosts" rule of thumb meant broadcast handling cost 0.7% of CPU, i.e. 0.196 MIPS, or 0.000392 MIPS per host.
Ivy Bridge Xeon: 180,000 MIPS. At the same 0.000392 MIPS per host, 0.7% of CPU (1,260 MIPS) covers 3.2 million hosts.
THE BROADCAST RADIATION WON'T KILL US ALL
[Diagram: the same flooded broadcast across the vDS / ESX1–ESX3 layout, crosses marking where it is discarded; with modern CPUs the cost of receiving and discarding it is negligible.]
SECURITY IMPLICATION OF VIRTUALIZATION
Physical network: the security complex sees and protects all traffic between servers.
Virtual network: physical security is "blind" to traffic between virtual machines.
[Diagram: VM1, VM2 and VM3 attached to a virtual switch inside the hypervisor on an ESX host; traffic between them never leaves the host, so it never reaches the physical security complex.]
THIS IS HOW WE HAVE BUILT DATA CENTRES…
[Diagram: the data centre as a stack of layers, WAN Routing, Security, Switching and Compute, with aggregate throughput figures of 120 Gbps, 3840 Gbps, 122000 Gbps and 40900 Gbps shown against the layers.]
NETWORK THROUGHPUT IS A DIFFERENT STORY
[Diagram: the same stack drawn with WAN Routing, Switching and Compute only, the Security layer's throughput not keeping pace with the layers around it.]
APPROACHES TO SECURING VIRTUAL NETWORKS
[Diagram: three ESX hosts, each with VM1, VM2 and VM3 on a virtual switch (VS) above the hypervisor, one per approach.]
1. VLAN Segmentation
VMs are segmented into separate VLANs; inter-VM communication must leave the host and route through the physical firewall.
Drawbacks: complex VLAN networking; lacks hypervisor visibility; high overhead.
2. Agent-based
Each VM has its own software firewall (FW agents inside the VMs).
Drawbacks: significant performance implications; huge management overhead of maintaining software and signatures on 1000s of VMs.
3. Kernel-based
The firewall runs as a kernel module in the hypervisor, beneath the virtual switch.
Inter-VM traffic is always protected, including traffic that never leaves the host; micro-segmentation capabilities.
High performance from implementing the firewall in the kernel.
Secures hypervisor connections.
Since the firewall then runs with the hypervisor's privileges, its integrity matters as much as the hypervisor's own.
THE NEW EDGE – OPPORTUNITIES AND CHALLENGES FOR ALL
[Diagram: VM1–VM9 on ESX1–ESX3, each host's VMkernel connected through the vDS to the physical network over an 802.1Q trunk.]
Russell Skingsley