Virtualization in the Data Center
and how to address Security Challenges
Sergiu ION - Networking & Security Solutions Sales Representative
S&T România
Agenda
■ About S&T
■ Transform your Business with Virtualization
■ Data Center Virtualization
■ Addressing the Data Center Security Challenges
Member of S&T Group
S&T GROUP
■ a leading IT company acting in 17 countries
■ about 1,400 employees
■ #1 Consulting Service Provider in CEE (Gartner, July 2009)
■ among the top 5 in most of its countries
■ uses the potential of growth markets
2011 - Quanmax AG and grosso holding GmbH are new majority shareholders
New management and supervisory board
We integrate best-of-breed infrastructure solutions
Solution areas: Enterprise Computing, Enterprise Storage, Networks & Security, Information Management
Industries: Financial Services, Manufacturing, Trade, Telecom, Utilities, Government
Transform your Business with Virtualization
www.snt.ro
What is Virtualization?
Virtualization is the pooling and abstraction of resources and services in a way that masks the physical nature and boundaries of those resources and services from their users.
Source: http://www.gartner.com/DisplayDocument?id=399577
■ If you can see it and it is there
– It’s real
■ If you can’t see it but it is there
– It’s transparent
■ If you can see it and it is not there
– It’s virtual
■ If you can not see it and it is not there
– It’s gone
Virtualization is … well, not exactly new
■ Nothing new! Concept known to mainframes back in the '70s
Virtualization is not a new concept
Mainframes of the '70s were underutilized and over-engineered
http://www-07.ibm.com/systems/my/z/about/timeline/1970/
Data Center and Network Evolution
Data Center 1.0: Mainframe, Centralized
Data Center 2.0: Client-Server and Distributed Computing, Decentralized
Data Center 3.0: Service Oriented and Web 2.0 Based, Virtualized
[Figure: IT Relevance and Control plotted against Application Architecture Evolution; steps Consolidate, Virtualize, Automate]
Cisco Data Center products
■ Data Center Security: Firewall SM, IDS SM, ACE XML Gateway, Web Application Firewall
■ Application Network Services: ACE Application Delivery Module and Appliance, Wide-Area Application Services
■ Storage Networking: MDS 9500 Storage Directors, MDS Fabric Switches, Blade Switches (Unified Fabric ready)
■ Infiniband Clustering: SFS 7000 Infiniband Switch, SFS 3000 Infiniband Gateway
■ Data Center Provisioning / Management: Data Center Network Manager (Topology Visualization and Provisioning), ANM (Advanced L4-7 Services Module Management)
■ Ethernet Networking: Nexus 7000, Nexus 5K/4K/2K/1K, Catalyst 6500 Series, Catalyst 4900 Top-of-Rack
■ Data Center Networking: Nexus 7000 Modular Switching System, Nexus 5000 Rack Switch, Nexus 1000v VN-Link Switch, Unified Computing System
Four Drivers Behind Virtualization
Virtualization in the Data Center
Data Center Virtualization
Network Virtualization
■ Overlay of logical topologies (1:N)
■ One physical network supports N virtual networks
Network Virtualization
■ Device Partitioning
› One to many devices
› Primary use case is infrastructure reduction
› Increases service agility & flexibility
› Improves asset utilization
› Examples: VLAN, VRF, VSAN, VDC, Firewall Context, LB Context, Hypervisor
■ Virtualized Interconnect
› Primary use case is link consolidation
› Logical tenant isolation
› Examples: 802.1q, VPN, MPLS, Unified I/O FCoE
■ Device Pooling
› Many to one device
› Primary use case is maximum availability & density
› Reduces management plane
› Examples: VSS, vPC, GSLB, FHRP
Network Virtualization
■ Network Virtualization is a key for path isolation and policy control
■ Provides control and data plane separation
Compute Virtualization
■ A single physical server hosting multiple independent Guest OS + application(s)
■ Hypervisor abstracts physical hardware from Guest O/S and application
■ Partitions system resources: RAM, CPU, disk, etc.
Server Deployment Scale
[Figure: Server Deployment Scale, with a Management instance and a Software Switch repeated per server]
Simplifying the Data Center
A cohesive solution
- Embed management
- Unify fabrics
- Optimize virtualization
- Remove unnecessary switches, adapters and management modules
Cisco Unified Computing System
■ UCS
– Scalable compute platform
– Integrated virtualization
– Natural aggregation point: Network
■ Unified embedded management
– Embedded on the network controller
■ Wire once: I/O on demand
– LAN, SAN, IPC
■ Efficient Scale
– Cisco network & services scale
– Fewer servers with more memory
■ Lower cost
– Fewer servers, switches, adapters, cables
– Lower power consumption
■ Network + Compute Virtualization
[Figure: Single Integrated System with Mgmt, LAN, SAN A and SAN B connectivity; eight groups of 5 x 8 = 40 servers, 320 total]
Physical Servers and Server Profiles
[Figure: server profiles (Server Name, UUID, MAC, WWN, Boot info, Firmware, LAN Config, SAN Config) with run-time association to physical servers]
Dynamic Management
■ Server profiles
– Abstracts server characteristics from the physical server hardware
■ Pre-defined and pre-created server identities
– Default is shipped hardware
– Stored in switch
■ “Associated” with a physical server
– Manual or policy-driven
Stateless Computing
■ Server attributes no longer tied to physical hardware
– Not just identity
– Seamless server mobility within switch domain
■ Network boot (LAN or SAN)
– Boot order and devices are part of server profile
– Local disks can be used for temp, swap, etc.
– Scrubbed between use (optional)
[Figure: server profile LS-A (UUID: 56 4d cd 3f 59 5b 61…, MAC: 08:00:69:02:01:FC, WWN: 5080020000075740, Boot Order: SAN, LAN) associated at run time with Chassis-1/Blade-5 or Chassis-9/Blade-2, booting over SAN or LAN]
What Happens When We Mix Network and Server Virtualization?
■ Typically provisioned as trunk to the server running ESX
■ No visibility to individual traffic from each VM
■ Unable to troubleshoot, apply policy, address performance issues
VN-Link Brings VM Level Granularity
Problems:
• VMotion may move VMs across physical ports; policy must follow
• Impossible to view or apply policy to locally switched traffic
• Cannot correlate traffic on physical links from multiple VMs
VN-Link:
• Extends network to the VM
• Consistent services
• Coordinated, coherent management
[Figure: VLAN 101 extended to the VMs through the Cisco VN-Link Switch]
Storage Virtualization
■ VSAN
A virtual storage area network (VSAN) is a collection of ports from a set of connected Fibre Channel switches that form a virtual fabric. Ports within a single switch can be partitioned into multiple VSANs, despite sharing hardware resources. Conversely, multiple switches can join a number of ports to form a single VSAN.
■ NPIV
N_Port ID Virtualization or NPIV is a Fibre Channel facility allowing multiple N_Port IDs to share a single physical N_Port. This allows multiple Fibre Channel initiators to occupy a single physical port, easing hardware requirements in Storage Area Network design, especially where virtual SANs are called for.
Addressing the Data Center Security Challenges
Hierarchical network design
■ Hierarchical network design consists of the following layers:
- Core
- Aggregation / Services
- Access / Virtual Access
■ Infrastructure security features must be enabled to protect the device, the data plane and the control plane.
■ Device virtualization provides control, data and management plane segmentation.
Each layer needs to be secured individually to achieve a defense-in-depth security posture.
Core Layer
■ DDoS Detection and Mitigation
■ Routing Protocol authentication
■ Route filtering
■ Log neighbor changes
■ ACL for Anti-Spoofing and RFC1918 Addresses.
Aggregation Layer
■ Stateful Packet Filtering
- Initial filter for all DC ingress and egress traffic
- Cisco ASA 5500: 10G stateful packet filtering, deep packet inspection
■ Virtual contexts allow correlation to Nexus VDCs
■ VPN
- IPSec Site-to-Site / Remote Access
- SSL
Services Layer
■ Server Load Balancing
- Server Load Balancing masks servers and applications.
■ Additional Firewall Services for Server-Farm specific protection
■ Application Firewall
- Application Firewall mitigates XSS and HTTP-, SQL- and XML-based attacks.
■ Network Intrusion Prevention
- IPS/IDS: Provides traffic analysis and forensics.
■ Flow Based Traffic Analysis
- Network Analysis for traffic monitoring and data analysis.
Access Layer
■ Enhanced Layer 2 Security
- Access Control Lists
- Dynamic ARP Inspection
- DHCP Snooping
- IP Source Guard
- Port Security
- Private VLANs
- STP Extensions
- Layer 2 Storm Control
- Hardware Rate-Limiters
■ Layer 2 Flow Monitoring
- NetFlow, SPAN, ERSPAN, ACL Logs
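As an added example (not from the slides), a small Python audit that checks an IOS-style running-config for the Layer 2 protections listed above and reports what is missing per access port. The sample config, interface names and VLAN number are constructed; the command strings it looks for are standard Cisco IOS syntax.

```python
# Constructed access-switch running-config excerpt (sample data, not from the slides):
# Gi1/0/1 has the Layer 2 protections, Gi1/0/2 is a bare access port, Gi1/0/48 is the uplink.
SAMPLE_CONFIG = """
ip dhcp snooping
ip dhcp snooping vlan 101
ip arp inspection vlan 101
interface GigabitEthernet1/0/1
 switchport mode access
 switchport port-security
 ip verify source port-security
 storm-control broadcast level 1.00
 spanning-tree bpduguard enable
interface GigabitEthernet1/0/2
 switchport mode access
interface GigabitEthernet1/0/48
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
"""
# Controls from the Access Layer slide, keyed to the leading text of the command that enables each.
GLOBAL_CONTROLS = {"DHCP Snooping": "ip dhcp snooping", "Dynamic ARP Inspection": "ip arp inspection vlan"}
PORT_CONTROLS = {"Port Security": "switchport port-security", "IP Source Guard": "ip verify source",
                 "Layer 2 Storm Control": "storm-control", "STP Extensions (BPDU Guard)": "spanning-tree bpduguard enable"}

def parse_interfaces(config):
    """Return {interface name: [its indented config lines]}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None  # unindented line: back at global config level
    return interfaces

def audit_access_ports(config):
    """Return {scope: [missing controls]} for the global level and every access-mode port."""
    lines = config.splitlines()
    findings = {}
    missing = [c for c, n in GLOBAL_CONTROLS.items() if not any(l.startswith(n) for l in lines)]
    if missing:
        findings["global"] = missing
    for name, stanza in parse_interfaces(config).items():
        if "switchport mode access" not in stanza:
            continue  # trunks and uplinks are trusted ports, not host-facing
        missing = [c for c, n in PORT_CONTROLS.items() if not any(l.startswith(n) for l in stanza)]
        if missing:
            findings[name] = missing
    return findings
```

Indented `ip dhcp snooping trust` lines on the uplink do not satisfy the global check, since only unindented lines count as global configuration.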
Virtual Access Layer
■ Virtualization security
- The Cisco Virtual Security Gateway (VSG) works with Cisco Nexus 1000V switches to provide zone-based and policy-driven security at the virtual machine level, extending existing security policies into virtual and cloud environments. The Cisco Nexus 1000V adds additional security and monitoring capabilities at the access layer, including PVLAN, IP Source Guard, DHCP Snooping, ARP inspection, and NetFlow.
■ Endpoint security
- Host intrusion prevention protects servers against zero-day attacks.
Security Management
■ Management and monitoring tools can be used to manage and monitor the infrastructure security.
■ Events are sent by Host IPS, Network IPS, Firewalls, LB, Routers and Switches as Syslogs, NetFlow, SNMP traps and IPS alerts.
■ All events are sent to a central repository to perform Anomaly Detection, Event Correlation and Forensics Analysis.
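As an added example (not from the presentation), a Python sketch of the correlation step: events from a firewall, an access switch (DAI) and an IPS are normalized to a common (time, source type, offending IP) record, and an alert is raised when one address is reported by two or more device types within a time window. The hostnames, addresses, timestamps and the IPS alert line are constructed; the ASA and DAI message formats are modelled on Cisco syslog messages.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events in the shapes the slide names: firewall syslog, switch DAI syslog, IPS alert.
# Hosts, addresses and times are invented; the "IPS alert" line is an invented key=value format.
EVENTS = [
    '2011-05-10T10:00:01 asa-agg-1 %ASA-4-106023: Deny tcp src outside:198.51.100.7/41000 dst dmz:10.1.1.20/22 by access-group "OUTSIDE_IN"',
    '2011-05-10T10:00:04 asa-agg-1 %ASA-4-106023: Deny tcp src outside:198.51.100.7/41001 dst dmz:10.1.1.20/3389 by access-group "OUTSIDE_IN"',
    "2011-05-10T10:00:09 ips-svc-1 IPS alert sigId=3040 attacker=198.51.100.7 victim=10.1.1.21 risk=85",
    "2011-05-10T10:00:12 sw-acc-3 %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/2, vlan 101.([0800.6902.01fc/10.1.1.50/0000.0000.0000/10.1.1.1/10:00:12 UTC Tue May 10 2011])",
    '2011-05-10T10:30:00 asa-agg-1 %ASA-4-106023: Deny udp src outside:203.0.113.9/5353 dst dmz:10.1.1.20/161 by access-group "OUTSIDE_IN"',
]

# One extractor per source type; group 1 is the address the device is complaining about.
PARSERS = {
    "firewall": re.compile(r"%ASA-\d-106023: Deny \w+ src \S+?:(\d+\.\d+\.\d+\.\d+)/"),
    "ips": re.compile(r"IPS alert .*attacker=(\d+\.\d+\.\d+\.\d+)"),
    "switch-dai": re.compile(r"SW_DAI-4-DHCP_SNOOPING_DENY.*?\(\[[0-9a-f.]+/(\d+\.\d+\.\d+\.\d+)/"),
}

def normalize(line):
    """Map a raw line to (timestamp, source type, offending IP), or None if no parser matches."""
    ts = datetime.fromisoformat(line.split(" ", 1)[0])
    for source, rx in PARSERS.items():
        m = rx.search(line)
        if m:
            return ts, source, m.group(1)
    return None

def correlate(events, window=timedelta(minutes=5), min_sources=2):
    """Group normalized events by IP; alert on IPs reported by >= min_sources device types within window."""
    by_ip = defaultdict(list)
    for line in events:
        rec = normalize(line)
        if rec:
            by_ip[rec[2]].append(rec)
    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort()
        for i, (ts, _, _) in enumerate(recs):
            in_win = [r for r in recs[i:] if r[0] - ts <= window]
            sources = sorted({r[1] for r in in_win})
            if len(sources) >= min_sources:
                alerts[ip] = {"first_seen": ts, "sources": sources, "events": len(in_win)}
                break
    return alerts
```

With the sample data only 198.51.100.7 is alerted (firewall denies plus an IPS alert within nine seconds); the single DAI drop and the lone later deny stay below the correlation threshold.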
Data Center Security Challenges