PLNOG8 Gawel Mikolajczyk Securing the Cloud - Proidea
Securing the Cloud Infrastructure –<br />
from Hypervisor to the Edge<br />
Gaweł Mikołajczyk<br />
gmikolaj@cisco.com<br />
Security Consulting Systems Engineer<br />
EMEA Central Core Team<br />
CCIE #24987, CISSP-ISSAP, CISA<br />
PLNOG8, March 5, 2012, Warsaw, Poland<br />
© 2011 Cisco and/or its affiliates. All rights reserved.<br />
Cisco Public 1
[Slide 2 diagram: Policy at the Corporate Border separates Applications and Data from the Corporate Office, Branch Office, Home Office, Airport, Coffee Shop and Mobile users; User, Attackers, Partners and Customers reach Software, Platform, Infrastructure and "X" as a Service.]<br />
Three dimensions: for the cloud infrastructure, for access to the cloud, and commercial security services in the cloud.<br />
[Slide 3 diagram: multi-tenant data center reference design, labels in slide order]<br />
Private VPN: MPLS or IPsec / SSL<br />
NEXUS 1000v; NAS<br />
Edge: L2 or L3 access<br />
Aggregation: tenant per VRF<br />
Services: VRF / VLAN mapping to vFW/LB<br />
Access: mapping to VM<br />
Compute: VRF to a unique VLAN<br />
Data Center Core<br />
Tenant A (WAN); Tenant B with sub-tenants B1 and B2<br />
[Slide 5: virtualization security concerns]<br />
Role Based Access, Physical Security, VM OS Hardening, V-Motion (Memory), Virtualization Security, Patch Management, VM Sprawl, V-Storage (VMDK), VM Segmentation, Hypervisor Security<br />
Real case: [...] It looks the O&M firewall is not filtering the ARP traffic the right way. This allows a VM to connect to any other VM through the O&M network after injecting malicious ARP traffic. This happens even if the destination VM belongs to a different tenant VDC [...]<br />
[Diagram: VMNIC #1, vEth, vEth, VMNIC #2]<br />
The virtual access layer should offer at least the same Layer-2 security mechanisms as a physical data center:<br />
Access Lists, Dynamic ARP Inspection, DHCP Snooping, IP Source Guard, Port Security, Private VLANs, Layer-2 storm control, Rate-Limiters, VXLAN<br />
Without these mechanisms, the consequences of attacks on the network infrastructure (given the scale: thousands of VMs) are catastrophic.<br />
Layer-2 visibility can be achieved through:<br />
NetFlow Collection<br />
SPAN, RSPAN or ERSPAN<br />
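The slide lists Dynamic ARP Inspection and rate limiters as the controls that would have stopped the cross-tenant ARP injection from the real case above. The following Python model, added here and not code from the presentation or from Cisco, shows what those two controls actually do: ARP packets arriving on untrusted virtual ports are checked against a DHCP snooping binding table (port, VLAN, MAC, IP), a sender MAC/IP pair that is not bound to the ingress port is dropped and logged, trusted uplinks are not inspected, and a port that exceeds the ARP rate limit is err-disabled. The port names, VLAN, MAC and IP addresses are constructed sample values; the 15 pps limit is an assumed default.

```python
"""Dynamic ARP Inspection (DAI) style validation for a virtual access layer.

Added example (not from the presentation or from Cisco). Models the logic DAI
applies on a switch port. All ports, VLANs, MAC and IP addresses are
constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding: this MAC/IP pair was leased on this port."""
    port: str
    vlan: int
    mac: str
    ip: str


@dataclass(frozen=True)
class ArpPacket:
    ingress_port: str
    vlan: int
    sender_mac: str
    sender_ip: str
    target_ip: str
    opcode: int  # 1 = request, 2 = reply


class ArpInspector:
    def __init__(self, bindings, trusted_ports=(), rate_limit=15):
        # MACs are normalised so the lookup is not case sensitive
        self.bindings = {(b.port, b.vlan, b.mac.lower(), b.ip) for b in bindings}
        self.trusted = set(trusted_ports)   # uplinks toward the physical switch
        self.rate_limit = rate_limit        # ARP packets per second per untrusted port (assumed default)
        self.errdisabled = set()
        self._window = {}                   # port -> timestamps seen in the last second
        self.log = []

    def _over_rate(self, port, now):
        stamps = [t for t in self._window.get(port, []) if now - t < 1.0]
        stamps.append(now)
        self._window[port] = stamps
        return len(stamps) > self.rate_limit

    def inspect(self, pkt, now=0.0):
        """Return 'forward' or 'drop' for one ARP packet seen at time `now`."""
        port = pkt.ingress_port
        if port in self.errdisabled:
            return "drop"
        if port in self.trusted:
            return "forward"                # trusted ports are not inspected
        if self._over_rate(port, now):
            self.errdisabled.add(port)
            self.log.append(f"{port}: ARP rate above {self.rate_limit} pps, port err-disabled")
            return "drop"
        key = (port, pkt.vlan, pkt.sender_mac.lower(), pkt.sender_ip)
        if key in self.bindings:
            return "forward"
        kind = "reply" if pkt.opcode == 2 else "request"
        self.log.append(
            f"{port}: invalid ARP {kind} sender {pkt.sender_mac}/{pkt.sender_ip} "
            "not in binding table, dropped"
        )
        return "drop"


def demo():
    """Constructed scenario: two VMs in VLAN 180 behind Vethernet ports."""
    bindings = [
        Binding("Vethernet9", 180, "00:50:56:aa:00:09", "10.1.180.9"),
        Binding("Vethernet10", 180, "00:50:56:aa:00:0a", "10.1.180.10"),
    ]
    dai = ArpInspector(bindings, trusted_ports={"Ethernet3/1"})
    legit = ArpPacket("Vethernet9", 180, "00:50:56:aa:00:09", "10.1.180.9", "10.1.180.1", 1)
    # The VM on Vethernet10 announces the IP that belongs to the VM on Vethernet9
    spoof = ArpPacket("Vethernet10", 180, "00:50:56:aa:00:0a", "10.1.180.9", "10.1.180.1", 2)
    # Gateway reply arriving on the trusted uplink is passed without inspection
    uplink = ArpPacket("Ethernet3/1", 180, "00:1b:54:00:00:01", "10.1.180.1", "10.1.180.9", 2)
    results = {
        "legit": dai.inspect(legit, now=0.0),
        "spoof": dai.inspect(spoof, now=0.0),
        "uplink": dai.inspect(uplink, now=0.0),
    }
    # Flood: the legitimate VM sends 20 ARP requests within one second
    flood = [dai.inspect(legit, now=1.0 + i * 0.01) for i in range(20)]
    results["flood_forwarded"] = flood.count("forward")
    results["errdisabled"] = sorted(dai.errdisabled)
    results["log"] = list(dai.log)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The binding table is the part that makes the check meaningful: without DHCP snooping (or static bindings) the inspector has nothing to compare the sender pair against, which is why the slide lists the two mechanisms together.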
Port Profile –> Port Group<br />
port-profile vm180<br />
  vmware port-group pg180<br />
  switchport mode access<br />
  switchport access vlan 180<br />
  ip flow monitor ESE-flow input<br />
  ip flow monitor ESE-flow output<br />
  no shutdown<br />
  state enabled<br />
interface Vethernet9<br />
  inherit port-profile vm180<br />
interface Vethernet10<br />
  inherit port-profile vm180<br />
vCenter API<br />
[Slide 8 diagram: Nexus 7000 pair with vPC peer-link, Cat 6500 (VSL), Nexus 5000 (vPC), ESX Server running Nexus 1000V and VSG, ASA 5585, NAM; Service VLANs; addresses 10.20.20.50, 10.20.20.51, 10.20.30.101]<br />
monitor session 1 type erspan-source<br />
  description N1k ERSPAN – session 1<br />
monitor session 3 type erspan-destination<br />
  description N1k ERSPAN to NAM<br />
monitor session 2 type erspan-source<br />
  description N1k ERSPAN – session 2<br />
monitor session 4 type erspan-destination<br />
  description N1k ERSPAN to IDS1<br />
[Slide 10: two placement models for security services]<br />
1. Redirecting traffic from VMs to physical devices: Web Server, App Server and Database Server on the hypervisor; VLANs; virtual contexts; physical appliances and modules<br />
2. Security services at the hypervisor level: Web Server, App Server and Database Server, each with a VSN (virtual appliance)<br />
Service sandwich between VDCs<br />
• ASA Service Module<br />
Virtual contexts<br />
Transparent / mixed mode<br />
• ACE LB<br />
Transparent mode<br />
• Web Application Firewall<br />
Firewall farm<br />
• Network IPS/IDS<br />
Inline or promiscuous<br />
[Slide 11 diagram: N7k1-VDC1 (SVI-151, hsrp.1) and N7k1-VDC2 (vrf1, vrf2) with ASA-SM 1, ASA-SM 2, ACE, WAF and IPS between them; VLANs 190, 163, 164, 161, 162; SS1]<br />
[Slide 13: VSG components]<br />
Virtual Network Management Center<br />
Virtual Security Gateway - VSG<br />
Port Group<br />
Security Administrator<br />
Service Administrator<br />
Cisco Nexus® 1000V with the vPath mechanism<br />
• Distributed switch<br />
• Part of the hypervisor<br />
Host<br />
• Cisco UCS<br />
• Other x86 server<br />
[Slides 14 and 15: vPath packet flow between VMs on the Nexus 1000V Distributed Virtual Switch and the VSG]<br />
1. Initial flow<br />
2. vPath<br />
3. Initial policy evaluation on the VSG; Log/Audit to VNMC<br />
4. Decision cache in vPath<br />
Remaining packets: ACL offload to the Nexus 1000V (policy enforcement); Log/Audit to VNMC<br />
VSG: Security Profile to Port Profile<br />
• TrustSec is a system-level solution<br />
• Overlay SGT tagging at the ingress to the LAN/WAN/VPN<br />
• Security policy enforcement via SGACL at the egress<br />
• Centrally stored SGT/SGACL rules provide consistency<br />
[Slide 18 diagram: 802.1X/MAB/Web Auth; employee in the HR group; Ingress SGT: HR SGT = 100; frames carry SGT=100; SGACL at the Egress toward Finance (SGT=4) and HR (SGT=100)]<br />
Role-based TAG:<br />
1. The device authenticates to the network via 802.1X<br />
2. ISE sends the TAG as the authorization result; it is based on the user/device role<br />
3. The access switch applies the TAG to the user's traffic<br />
4. Additional fields in L2 Ethernet frames, or out-of-band propagation of the mapping via the SXP protocol<br />
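The two TrustSec slides above describe classification at ingress and enforcement at egress without showing how a policy decision is actually derived. The Python model below is an added example, not code from the presentation or from Cisco: the access switch learns a session's SGT from the authorization result (ise_authorize stands in for ISE), applies it either inline in the frame or by exporting the IP-to-SGT mapping the way SXP would, and the egress device looks up the SGACL cell for (source SGT, destination SGT), falling back to an implicit deny when no rule matches. SGT 100 (HR) and SGT 4 (Finance) are taken from the slide; the IP addresses, server roles, ports and rule set are constructed.

```python
"""TrustSec SGT classification and SGACL egress enforcement, modelled in Python.

Added example (not from the presentation or from Cisco). SGT values 100 (HR)
and 4 (Finance) come from the slide; addresses, ports and rules are
constructed sample data.
"""
from dataclasses import dataclass, replace
from typing import Optional

ROLE_TO_SGT = {"HR": 100, "Finance": 4}
UNKNOWN_SGT = 0  # traffic that carries no classification


@dataclass(frozen=True)
class Frame:
    src_ip: str
    dst_ip: str
    proto: str
    dport: Optional[int]
    sgt: Optional[int] = None  # inline SGT; None when the frame is untagged


def ise_authorize(role):
    """Step 2: the authorization result carries the SGT derived from the role."""
    return ROLE_TO_SGT.get(role, UNKNOWN_SGT)


class AccessSwitch:
    """Steps 1 and 3: authenticates endpoints and tags their traffic."""

    def __init__(self):
        self.sessions = {}  # endpoint IP -> SGT

    def authenticate(self, ip, role):
        sgt = ise_authorize(role)
        self.sessions[ip] = sgt
        return sgt

    def forward(self, frame, inline_tagging=True):
        """Step 4a: inline tagging writes the session SGT into the frame."""
        if not inline_tagging:
            return frame  # untagged; the mapping has to reach the egress via SXP
        return replace(frame, sgt=self.sessions.get(frame.src_ip, UNKNOWN_SGT))

    def sxp_export(self):
        """Step 4b: out-of-band IP-to-SGT mapping, as SXP would carry it."""
        return dict(self.sessions)


class EgressEnforcer:
    """Applies the SGACL matrix where traffic leaves toward the servers."""

    def __init__(self, server_sgt_by_ip, sgacl):
        self.server_sgt_by_ip = server_sgt_by_ip
        self.sgacl = sgacl      # (src_sgt, dst_sgt) -> ordered list of (action, proto, dport)
        self.ip_sgt_map = {}    # learned through SXP

    def sxp_import(self, mapping):
        self.ip_sgt_map.update(mapping)

    def decide(self, frame):
        if frame.sgt is not None:
            src_sgt = frame.sgt
        else:
            src_sgt = self.ip_sgt_map.get(frame.src_ip, UNKNOWN_SGT)
        dst_sgt = self.server_sgt_by_ip.get(frame.dst_ip, UNKNOWN_SGT)
        for action, proto, dport in self.sgacl.get((src_sgt, dst_sgt), []):
            if proto in ("ip", frame.proto) and dport in (None, frame.dport):
                return action
        return "deny"  # implicit deny: no cell, or no rule in the cell matched


def demo():
    sgacl = {
        (100, 100): [("permit", "ip", None)],                      # HR users to HR servers
        (100, 4): [("permit", "tcp", 443), ("deny", "ip", None)],   # HR to Finance: HTTPS only
        (4, 4): [("permit", "ip", None)],
    }
    servers = {"10.2.100.5": 100, "10.2.4.5": 4}  # HR server, Finance server
    access = AccessSwitch()
    egress = EgressEnforcer(servers, sgacl)
    access.authenticate("10.1.1.10", "HR")
    hr_to_hr = Frame("10.1.1.10", "10.2.100.5", "tcp", 22)
    hr_to_fin_https = Frame("10.1.1.10", "10.2.4.5", "tcp", 443)
    hr_to_fin_smb = Frame("10.1.1.10", "10.2.4.5", "tcp", 445)
    results = {
        "inline_hr_to_hr": egress.decide(access.forward(hr_to_hr)),
        "inline_hr_to_fin_https": egress.decide(access.forward(hr_to_fin_https)),
        "inline_hr_to_fin_smb": egress.decide(access.forward(hr_to_fin_smb)),
        # untagged frame before any SXP mapping arrived: source unknown, implicit deny
        "untagged_no_sxp": egress.decide(access.forward(hr_to_hr, inline_tagging=False)),
    }
    egress.sxp_import(access.sxp_export())
    results["untagged_with_sxp"] = egress.decide(access.forward(hr_to_hr, inline_tagging=False))
    # an endpoint that never authenticated has no SGT anywhere
    results["unknown_source"] = egress.decide(Frame("10.9.9.9", "10.2.100.5", "tcp", 22))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The untagged cases are the ones worth noting: when the egress device has neither an inline tag nor an SXP mapping for the source, the frame falls into the unknown SGT and the implicit deny, which is why mapping propagation (step 4) has to be in place before enforcement is switched on.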
[Slide 21: Spacely Sprockets employee; Central Office; private / public cloud; Web Server and Database Server protected by ASA1000V, ASA Appliance and VSG]<br />
[Slides 23 and 24: data center reference architecture]<br />
Internet Edge: Nexus 7018 pair, vPC<br />
Data Center Core: vPC<br />
Data Center Distribution: Nexus 7000 Series (VDC, Multi-Zone), Catalyst 6500 (VSS), ASA services<br />
Zones: Stateful Packet Filtering, Network Intrusion Prevention, Server Load Balancing<br />
Access: Nexus 5000 Series, Nexus 2100 Series, 10Gig Server Racks, Unified Computing System, SAN<br />
Centralized Security and Application Service Modules and Appliances can be applied per zone<br />
Virtual access: Nexus 1000V, Unified Compute, Virtual Service Nodes<br />
Web and Email Security<br />
Access Edge Security: ACL, Dynamic ARP Inspection, DHCP Snooping, IP Source Guard, Port Security, Private VLANs, QoS<br />
Network Foundation Protection<br />
ACE, IPS, NAM<br />
Flow Based Traffic Analysis – Network Analysis Module<br />