PLNOG8 Gawel Mikolajczyk Securing the Cloud - Proidea

Securing the Cloud Infrastructure –
from Hypervisor to the Edge
Gaweł Mikołajczyk
gmikolaj@cisco.com
Security Consulting Systems Engineer
EMEA Central Core Team
CCIE #24987, CISSP-ISSAP, CISA
PLNOG8, March 5, 2012, Warsaw, Poland
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public 1

Policy
Corporate Border
Applications
and Data
Corporate Office
Branch Office
Airport
Software
as a Service
Platform
as a Service
Mobile
User Attackers Partners
Infrastructure
as a Service
Customers
X
as a Service
Home Office
Trzy wymiary : dla Infrastruktury w chmurze, dla dostępu do chmury, komercyjne
usługi bezpieczeństwa w chmurze.
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Coffee
Shop

Prywatny VPN
MPLS lub IPSec / SSL
NEXUS 1000v
NAS
Edge
Dostęp L2 lub L3
Agregacja
Tenant per VRF
Usługi
Mapowanie VRF / VLAN do vFW/LB
Dostęp
Mapowanie do VM
Compute
VRF do unikalnego VLAN
Data Center
Core
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Tenant
A
WAN
Tenant B
Sub Tenant
B1 i B2

© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public 4

Role
Based
Access
Physical
Security
VM OS
Hardening
V-Motion
(Memory)
Virtualization
Security
Patch
Management
VM
Sprawl
V-Storage
(VMDK)
VM
Segmentation
Hypervisor
Security
Real case: [...] It looks the O&M firewall is not filtering the ARP traffic
the right way. This allows a VM to connect to any other VM through the
O&M network after injecting malicious ARP traffic. This happens even
if the destination VM belongs to a different tenant VDC [...]
VMNIC #1
vEth vEth
VMNIC #2
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 5

Warstwa dostępu wirtualnego powinna
oferować przynajmniej takie same
mechanizmy bezpieczeństwa Layer-2 jak w
fizycznym DataCenter :
Access Lists, Dynamic ARP Inspection,
DHCP Snooping, IP Source Guard, Port
Security, Private VLANs, Layer-2 storm
control, Rate-Limiters, VXLAN
Bez tych mechanizmów, konsekwencje
ataków na infrastruktuę sieciową, (biorąc
pod uwagę skalę - tysiące VM) są
katastrofalne.
Widoczność w warstwie 2 można osiągnąć
przez:
NetFlow Collection
SPAN, RSPAN or ERSPAN
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 6
1/
7

Port Profile –> Port Group
port-profile vm180
vmware port-group pg180
switchport mode access
switchport access vlan 180
ip flow monitor ESE-flow input
ip flow monitor ESE-flow output
no shutdown
state enabled
interface Vethernet9
inherit port-profile vm180
interface Vethernet10
inherit port-profile vm180
vCenter API
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 7

Nexus 7000
vPC Peer-link
Cat 6500
Nexus 5000
Nexus 1000V and VSG
10.20.20.50 10.20.20.51 10.20.30.101
Service VLANs
ESX Server
vPC
VSL
ASA 5585
monitor session 1 type erspansource
description N1k ERSPAN –
session 1
monitor session 3 type erspandestination
description N1k ERSPAN to NAM
monitor session 2 type erspansource
description N1k ERSPAN –session 2
monitor session 4 type erspandestination
description N1k ERSPAN to IDS1
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 8
NAM

© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public 9

1
Przekierowanie ruchu z VM do
fizycznych urządzeń
Web
Server
App
Server
Hypervisor
VLANs
Konteksty wirtualne
Database
Server
Appliance i moduły fizyczne
Usługi bezpieczeństwa
na poziomie hypervisora
Hypervisor
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 10
2
Web
Server
App
Server
VSN VSN
Appliance wirtualne
Database
Server

Sandwich usługowy między VDC
• ASA Service Module
Konteksty wirtualne
Tryb Transparentny / mixed
• ACE LB
Tryb transparentny
• Web Application Firewall
Farma firewalli
• Network IPS/IDS
Inline lub promiscuous
WAF
IPS
ASA-SM 1
ASA-SM 2
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 11
190
163,164
SS1
ACE
161
162
N7k1-VDC1
SVI-151
N7k1-VDC2
vrf1 vrf2
hsrp.1

© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public 12

Virtual Network
Management Center
Virtual Security
Gateway - VSG
Port
Group
Security
Administrator
Service
Administrator
Cisco Nexus ® 1000V
z mechanizmem vPath
• Rozproszony przełącznik
• Część hypervisora
Host
• Cisco UCS
• Other x86 server
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 13

VM
VM
VM VM
VM VM VM
VM
VM
VM VM VM
Nexus 1000V
Distributed Virtual Switch
1
1
Początkowy flow
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 14
4
VM
VM VM VM
VM VM VM
2
vPath
Cache
decyzji 3
Początkowa
ewaluacja polityki
Log/Audit
VNMC
VSG

VM
VM
VM VM
VM VM VM
VM
VM
VM VM VM
Nexus 1000V
Distributed Virtual Switch
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 15
VM
Pozostałe pakiety
VM VM VM
VM VM VM
vPath
ACL offload do
Nexus 1000V
(wymuszenie polityki)
Log/Audit
VNMC
VSG

VSG: Security Profile to Port Profile
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 16

© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public 17

• TrustSec to rozwiązanie o charakterze systemowym
• Overlayowe tagowanie SGT na wejściu do sieci LAN/WAN/VPN
• Wymuszenie polityki bezpieczeństwa przez SGACL na wyjściu
• Centralnie przechowywane reguły SGT/SGACL dają spójność
802.1X/MAB/Web Auth
Pracownik,
grupa HR
Ingress SGT
HR SGT = 100
SGT=100
SGACL
Egress
Finance (SGT=4)
HR (SGT=100)
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 18

TAG oparty o rolę:
1. Urządzenie uwierzytelnia się
do sieci via 802.1X
2. ISE wysyła TAG jako wynik
autoryzacji – bazuje on na roli
użytkownika/urządzenia
3. Przełącznik dostępowy
aplikuje TAG do ruchu
użytkownika
4. Dodatkowe pola w ramkach L2
Ethernet lub propagacja
mapowania OOB przez
protokół SXP
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 19

© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public 20

Pracownik Spacely Sprockets
Chmura prywatna / publiczna
Central Office
SPACELY SPROCKETS
Web
Server
ASA1000V
ASA Appliance
Database
Server
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 21
VSG

© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public 22

Nexus
7000
Series
Zone
vPC
v
10Gig Server Rack
Stateful Packet
Filtering
SAN
vPC
Data Center
Distribution
Nexus
5000
Series
Nexus
2100
Series
Zone
Network Intrusion
Prevention
Data Center Core
vPC
Internet
Edge
Nexus 7018 Nexus 7018
vPC
10Gig Server Rack
Server Load
Balancing
VDC
Unified
Computing
System
Multi-Zone
Catalyst
6500
ASA
SERVICES
Centralized Security and Application
Service Modules and Appliances can be applied per zone
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 23
vPC
Nexus
1000V
Web and Email
Security
vPC
Unified Compute
NAM
Access Edge Security
ACL, Dynamic ARP
Inspection, DHCP Snooping,
IP Source Guard, Port
Security, Private VLANs, QoS
Network Foundation Protection
vPC vPC
ACE
IPS
VSS
Virtual Service
Nodes
Flow Based Traffic Analysis –
Network Analysis Module

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 24