mkader@cisco.com
security-request@cisco.com
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Validated Designs Deliver Results
Data Center / Secure Data Center CVD – www.cisco.com/go/vmdc
Setting the Foundation for the Secure Designs
Architecture
Traditional Data Center Architecture
Items of note:
Traditional Secure Data Center Design – Basic and Simplified
(Diagram: Data Center built from (1) Physical Network Fabric and (2) Virtual Fabric & Compute, with (A) External DC Edge / Virtual Workloads and (B) Internal DC Zoning / Virtual Services.)
1.1 Physical Network Fabric –
-Creates the shared physical infrastructure for moving packets within the Data Center (North, South, East and West)
-Leverages the DC-Class Technologies of Cisco Nexus Switching
A External DC Edge – (External Zoning)
-Boundary between the Data Center and the rest of the corporate network (or Internet) (North-South)
B Internal DC Zones – Stateful Internal separation
-Allows Secure Zones or Trust Enclaves to be established within the DC Network Fabric, establishing secure separation via External DC Zones or other Internal DC Zones (North-South)
-Should inherently take advantage of the optimized network infrastructure without violating proper Data Center Design objectives:
 High-Availability / Zero Downtime
 Scalability / Massive Workload Processing
 Survivability / Redundancy
 Low Latency / No Packet Loss
 Asymmetric Traffic Flows
Traditional Secure Data Center Design – Basic and Simplified
(Diagram: Data Center built from (1) Physical Network Fabric and (2) Virtual Fabric & Compute, with (A) External DC Edge / ‘Secure’ Virtual Workloads and (B) Internal DC Zoning / Virtual Security Services.)
1.2 Virtual Fabric and Compute –
-Creates the shared virtual infrastructure for moving packets within the Virtualized Data Center
-Leverages Virtualization & Compute Technologies of Cisco Nexus / Unified Compute System (UCS) and Virtualization Software e.g. VMWare, Citrix, etc.
A Secure Virtual Workloads -
-Securing the sum of the requests made by users and applications of a ‘virtual system’
-Typically defined as a self-contained unit: an integrated stack consisting of application, middleware, database, and operating system devoted to a specific computing task
B Virtual Security Services -
-The Virtual services defined to successfully secure and optimize a Virtual Workload - Virtual Firewalls, Virtual Routing, Network Management, Virtual Load Balancers, Cloud Interconnect, VPN, etc.
Architecture
Secure DC: Traditional Use Cases
1. Secure Internal Zone From External Zone
2. Secure Data in a Compliance Scenario [PCI, FISMA, HIPAA, etc.]
(Diagram: Internet into DMZ and Partner contexts (CTX1, CTX2) on VDC1/VDC2 joined by vPC; Cisco VXI; Web Tier (business logic); DB Tier (data access).)
Architecture
Secure DC: Evolving Deployment Use Cases
(Diagram: VDC1, VDC2, Cisco VXI, 6 Public Cloud (PaaS, SaaS).)
Aggregation Layer
• Initial filter for all ingress and egress to DC services & compute - “North-South” protection
• Stateful filtering and logging for all ingress and egress traffic flows
• Physical appliances can be virtualized and applied to server enclaves
VDC and VPC Designs
Traditional Secure DC Design – Network Fabric Best Practices
(Diagram: Data Center built from (1) Physical Network Fabric and (2) Virtual Fabric & Compute, with (A) External DC Edge / Virtual Workloads and (B) Internal DC Zoning / Virtual Services.)
1.1 Physical Network Fabric –
-Leverage the full capacity of the Cisco Nexus Switching infrastructure
-Security is pervasive, and while it has been known to ‘reduce convenience’; decreasing required network functionality is unacceptable.
A External DC Edge – (External Zoning)
-Leverage Edge connectivity (routing)
-Provide Edge Security (Firewall at minimum)
-Layer 3 Firewalling (with or without NAT) may be used successfully
-IPS and Next Generation Systems can add additional visibility and protection
-If very high-speed firewalling / federations, etc. are desired at the DC edge, ASR1K can deliver up to 100Gbps FW with Stateful HA
-Path diversity into the datacenter if you can. Stateless with Federation to authenticate to the app, Stateful with Federation for compliance
B Internal DC Zones – Stateful Internal separation
-Keep routing on the Routers (Firewalls implemented transparently)
-Leverage vPC/vPC+ and/or FabricPath technology to maximize DC traffic flow capability
-All flows are expected to be asymmetric, therefore zone design should support this
-No additional Packet-Loss penalties should be introduced
-Zero-downtime Firewall upgrades should be supported
-Survivability/HA on the Firewall / IPS devices is critical
Connectivity
Building an Efficient DC Fabric to Scale
Scaling the Network Fabric - Virtual Device Context (VDC)
(Diagram: each VDC – VDC 1, VDC 2, … – runs its own instances of the Layer 2 Protocols (VLAN, PVLAN, STP, LACP, UDLD, CDP, 802.1X, CTS, …) and Layer 3 Protocols (OSPF, BGP, EIGRP, PIM, GLBP, HSRP, IGMP, SNMP, …).)
Nexus 7000 VDC – Virtual Device Context (up to 8 VDCs plus 1 Management VDC – SUP2E w/ NXOS 6.04/6.1)
-Flexible separation/distribution of hardware resources and software components
-Complete data plane and control plane separation
-Complete software fault isolation
-Securely delineated administrative contexts
-Each physical interface can only be active in one VDC
Connectivity
Using VDCs for Vertical Consolidation
One of the most common uses of VDCs
• Allows Consolidation of Core, Aggregation while maintaining network hierarchy
• No reduction in port count or links but fewer physical switches
‒ Copper Twinax cables (CX-1) provide a low cost 10G interconnect option
(Diagram: Core, Agg and Access layers before and after consolidation, with Core and Agg as VDCs on shared chassis.)
Connectivity
Using VDCs for Internet Edge/DMZ/Core
(Diagram: Internet, Internet Edge (XL) and Core VDCs.)
Connectivity
VDC Security Certification
Connectivity
Using VDCs for PCI Compliance Segmentation
(Diagram: Internet, Internet Edge (XL) and Core VDCs.)
Connectivity
Building an Efficient DC Fabric to Scale
Scaling the Network Fabric – Virtual Port Channel (vPC)
• Allow a single device to use a port channel across two upstream switches (aka MCEC)
• Eliminate STP blocked ports
• Simplify L2 Paths by supporting loopfree non-blocking concurrent L2 paths
• Dual-homed servers operate in active-active mode
• Provide fast convergence upon link/device failure
(Diagram: Logical Topology without vPC vs. Logical Topology with vPC – Aggregation vPC Peers presenting an MCEC to the Access layer.)
! Enable vpc on the switch
dc11-5020-1(config)# feature vpc
! Check the feature status
dc11-5020-1(config)# show feature | include vpc
vpc 1 enabled
Connectivity
What is a Virtual Port Channel (vPC)?
• vPC is a Port-channeling concept extending link aggregation to two separate physical switches
• vPC allows a single device to use a port channel across two neighbor switches (vPC peers)
• vPC Peer link is used to synchronize state between vPC peer devices, must be 10GE
• Eliminates STP blocked ports/STP delays/Calculations and uses all available uplink bandwidth (active/active)
‒ Does not actually turn off STP – FabricPath does this
• Supported in NX-OS switches only
• Recommended to always use LACP for dynamic LAG
• vPC Design & Best Practices Guide: http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572830-00_Agg_Dsgn_Config_DG.pdf
(Diagram: two vPC peers joined by the VPC PEER LINK.)
Connectivity
Why use vPC? – Multi-Chassis Etherchannel (MEC)
Connectivity
VPC with Multiple ASAs – A/S or A/A Failover
• Part of CVD architecture since July 2011
• vPC ensures zero packet loss in the event of a link failure to the ASA firewall, a firewall failure, a switch failure, VDC reset, or vPC peer-link loss
‒ Works with both A/S and A/A failover (and with ASA 9x Clustering)
• Allows ASA to participate in necessary DC redundancy technologies with expected flow asymmetry
• ASA is only DC Firewall on market that can simultaneously:
1. Run standards-based LACP for Dynamic LAG to Nexus vPC/vPC+ or Cat6K VSS with proper bundling semantics – no traffic black holes or loss of state due to expected flow asymmetry / out-of-order packets
2. Supports all of the same LACP load balancing hash values as the switch fabric(s) [def. = src-dst IP]
3. Able to support dynamic LAG (LACP) in all modes: Routed / Transparent / Multi-context / Mixed-context(s) / Clustering
4. Successfully handles the expected flow asymmetry and out-of-order packets from Multiple chassis simultaneously
(Diagram: N7K VPC 40 and N7K VPC 41 joined by the VPC PEER LINK, each ASA attached via ASA channel 32, with State and Failover links between the ASAs.)
Connectivity
ASA Connecting to Nexus with vPC (basic)
N7K1 (Nexus 7000) side:
interface Ethernet4/1
 switchport mode trunk
 channel-group 40 mode active
 no shutdown
!
interface Ethernet4/2
 switchport mode trunk
 channel-group 40 mode active
 no shutdown
!
interface port-channel40
 switchport
 switchport mode trunk
 switchport trunk allowed vlan 1,200,201
 vpc 40
!
vpc domain 10
 role priority 50
 peer-keepalive destination 10.1.1.2 source 10.1.1.1 vrf vpc-mgmt
 peer-gateway

ASA1 side (transparent mode, ASA channel 32):
interface TenGigabitEthernet0/6
 channel-group 32 mode active vss-id 1
 no nameif
 no security-level
!
interface TenGigabitEthernet0/7
 channel-group 32 mode active vss-id 2
 no nameif
 no security-level
!
interface BVI1
 ip address 172.16.25.86 255.255.255.0
!
interface Port-channel32
 no nameif
 no security-level
!
interface Port-channel32.201
 mac-address 3232.1111.3232
 vlan 201
 nameif inside
 bridge-group 1
 security-level 100
!
interface Port-channel32.200
 mac-address 3232.1a1a.3232
 vlan 200
 nameif outside
 bridge-group 1
 security-level 0

Note: Example shows only one side of config: N7K1 and ASA1. Full configuration would be assumed.
ASA connected to Nexus with vPC and establishing an internal DC zone pair between VL200 (N) and VL201 (S).
ASA is deployed using transparent (L2) mode in this example to minimize network fabric modification(s) – will be discussed in detail later.
(Diagram: N7K VPC 40 trunks with VPC PEER LINK; North Zone VLAN 200 = Outside, South Zone VLAN 201 = Inside; ASA channel 32.)
Connectivity
ASA Connecting to Nexus with vPC (Best Practices Shown)
• ASA connected to Nexus using multiple physical interfaces on vPC
‒ ASA can be configured to failover after a certain number of links lost (when using HA)
• Note that vPC identifiers are different for each ASA on the Nexus switch (this changes with ASA clustering feature and cLACP [not yet shown])
(Diagram: DC Core / EDGE (L3) above an Aggregation Layer N7K pair (SVI VLAN200 on each, FHRP, VPC PEER LINK, L3/L2 boundary); N7K VPC 40 and N7K VPC 41 trunks to the two ASAs (FW HA, ASA channel 32); North Zone VLAN 200 = Outside, South Zone VLAN 201 = Inside; Access Layer below with its own VPCs.)
Secure Design Building Blocks
Segmentation
Security Building Block: Segmentation
• While not a security technology, segmentation has long been used as a means for grouping similar resources in order to apply specific configuration or policy
• Sometimes there is a technical benefit with segmentation
• An example is using VLANs to reduce the L2 broadcast domain and improve network efficiency
• VRF (Virtual Routing and Forwarding) typically used for virtualizing L3 services
• VDCs (Virtual Device Context) on the Nexus platforms allow multiple, independent virtualized switches inside of a single physical switch
• Zones are a common term to refer to units in the data centre that share a common trait and can reduce operational complexity with both physical and virtualized hosts and services
Segmentation
Security Building Block: Segmentation
6 Degrees of Separation
1. Virtual Device Context
2. Virtual Routing/Forwarding (VRF) – VRF-Lite can be easily used as it does not require MPLS
3. VLANs
4. Security Group Tags (SGT in packet)
(Diagram: Nexus 7K, ASA, 802.1AE (encrypt).)
Segmentation
Firewall Design: Modes of Operation
• Routed Mode is the traditional mode of the firewall. Two or more interfaces that separate L3 domains
• Transparent Mode is where the firewall acts as a bridge functioning mostly at L2
• Multi-context mode involves the use of virtual firewalls, which can be either routed or transparent mode
• Mixed mode is the concept of using virtualization to combine routed and transparent mode virtual firewalls
• Transparent mode firewall offers some unique benefits in the DC
Segmentation
Why Deploy Transparent Mode?
• Existing Nexus Network Fabric does not need to be modified to employ L2 Firewall!
• Simple as changing host(s) VLAN ID
• Firewall does not need to run routing protocols / become a segment gateway
• Firewalls are more suited to flow-based inspection (not packet forwarding like a router)
• Routing protocols can establish adjacencies through the firewall
• Protocols such as HSRP, VRRP, GLBP can cross the firewall
• Multicast streams can traverse the firewall
• Non-IP traffic can be allowed (IPX, MPLS, BPDUs)
• (CVD) 9 of 10 internal zoning scenarios recommend Transparent FW (L2) deployed versus Routed Firewall (L3)
Segmentation
Firewall - Transparent Mode
L2 Firewall
• Firewall functions like a bridge (“bump in the wire”) at L2, only ARP packets pass without an explicit ACL
• Uses traditional ACLs on the firewall
• Does not forward Cisco Discovery Protocol (CDP)
• Same subnet exists on all interfaces in the bridge-group
• Different VLANs on inside and outside interfaces
• In addition to Extended ACLs, use an EtherType ACL to restrict or allow L2 protocols
Transparent Mode Configuration in the DC (2 interfaces)
interface TenGigabitEthernet0/6
 channel-group 32 mode active vss-id 1
 no nameif
 no security-level
!
interface TenGigabitEthernet0/7
 channel-group 32 mode active vss-id 2
 no nameif
 no security-level
!
interface BVI1
 ip address 172.16.25.86 255.255.255.0
!
interface Port-channel32
 no nameif
 no security-level
!
interface Port-channel32.201
 mac-address 3232.1111.3232
 vlan 201
 nameif inside
 bridge-group 1
 security-level 100
!
interface Port-channel32.200
 mac-address 3232.1a1a.3232
 vlan 200
 nameif outside
 bridge-group 1
 security-level 0

(Diagram: Aggregation N7K pair with SVI VLAN200 172.16.25.253 and 172.16.25.254 and FHRP 172.16.25.1; North Zone VLAN 200 = Outside and South Zone VLAN 201 = Inside carried over the VPC trunk (Trunk Allowed 1,201 towards the South Zone); ASA BVI 172.16.25.86/24; Server in VLAN 201.)
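The transparent-mode rules on the preceding slides (two bridge-group members on different VLANs, each with nameif and security-level, a BVI management address, and the ASA's VLANs carried on the Nexus vPC trunk) can be checked mechanically. The validator below is an added example, not code from the slides or from Cisco; it embeds the ASA1 stanzas and the N7K1 allowed-VLAN list from the vPC and transparent-mode slides as constructed input, and the rule set it enforces is this example's own reading of those slides.

```python
# Constructed sample input: the ASA1 transparent-mode stanzas shown on the slides.
ASA_CFG = """
interface BVI1
 ip address 172.16.25.86 255.255.255.0
!
interface Port-channel32.201
 mac-address 3232.1111.3232
 vlan 201
 nameif inside
 bridge-group 1
 security-level 100
!
interface Port-channel32.200
 mac-address 3232.1a1a.3232
 vlan 200
 nameif outside
 bridge-group 1
 security-level 0
"""
# 'switchport trunk allowed vlan' from the N7K1 port-channel40 stanza on the vPC slide.
N7K_TRUNK_ALLOWED = "1,200,201"

def parse_interfaces(cfg):
    """Return {interface name: {first keyword: rest of line}} for each interface stanza."""
    ifaces, cur = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split(None, 1)[1], {})
        elif cur is not None and not line.startswith("no "):  # 'no nameif' etc. set nothing
            key, _, val = line.partition(" ")
            cur[key] = val
    return ifaces

def expand_vlans(spec):
    """Expand a trunk allowed-VLAN list such as '1,200-201' into {1, 200, 201}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def check_transparent_bridge(asa_cfg, trunk_allowed):
    """Return the rule violations found; an empty list means the config passes."""
    problems = []
    ifaces = parse_interfaces(asa_cfg)
    allowed = expand_vlans(trunk_allowed)
    groups = {}
    for name, attrs in ifaces.items():
        if "bridge-group" in attrs:
            groups.setdefault(attrs["bridge-group"], []).append((name, attrs))
    for gid, members in groups.items():
        if len(members) < 2:
            problems.append(f"bridge-group {gid}: needs an inside and an outside member")
        if len({m.get("vlan") for _, m in members}) != len(members):
            problems.append(f"bridge-group {gid}: inside and outside must use different VLANs")
        for name, m in members:
            if "nameif" not in m or "security-level" not in m:
                problems.append(f"{name}: bridge-group member needs nameif and security-level")
            if "vlan" in m and int(m["vlan"]) not in allowed:
                problems.append(f"{name}: VLAN {m['vlan']} is not allowed on the Nexus vPC trunk")
        if "ip" not in ifaces.get(f"BVI{gid}", {}):
            problems.append(f"bridge-group {gid}: BVI{gid} has no management IP address")
    return problems
```

Running `check_transparent_bridge(ASA_CFG, N7K_TRUNK_ALLOWED)` on the slide's config returns no problems; pruning VLAN 200 from the trunk list or giving both subinterfaces the same VLAN reports the corresponding violation.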
Segmentation
Firewall - Mixed Mode vFW Contexts
• Mixed Mode is the concept of using virtual firewalls, some in routed mode and some in transparent (L2) mode
• This is only supported on the ASA running at least v9.0 or any ASA-SM version
• Up to 8 pairs of physical interfaces are supported per context
• This could conceivably allow both the Edge (L3) firewall and Internal (L2) firewall to live on the same set of physical appliances
mode multiple
context context1
 firewall transparent
 allocate-interface vlan99 outside
 allocate-interface vlan100 inside
 config-url disk0:/ctx1.cfg
 member gold
context context2
 allocate-interface vlan200 outside
 allocate-interface vlan210 inside
 config-url disk0:/ctx2.cfg
Physical and Virtual Internal Zoning
Example Internal Zoning for DEV – Option 1: Physical Separation
Model could provide for Application load testing.
ASAs in Aggregation layer could be oriented in several ways:
1- Single ASA Cluster with separate vFW Contexts for the DEV zones – Would require that ports on the ASA be physically connected to each VDC
2- Separate ASA Clusters with or without vFW Contexts
Virtual Separation model uses a shared Physical Infrastructure (Nexus) for routing and transport.
ASAs are used to separate DEV and PROD traffic.
Virtual resources can share physical Hardware and PoD. Security implemented similarly to a Secure Multi Tenant environment.
(Diagram: Internet / Extranet; DC Edge with ASA A/S HA contexts (CTX); DC Core VDC (Routed, BGP/OSPF); Server Aggregation Layer VDC (L3/L2) with FW CLUSTER(s) and per-zone CTX; Virtual Access Layer PoDs.)
Internal Zoning
Virtualization Security Concerns
Policy Enforcement
‒ Applied at physical server—not the individual VM
‒ Impossible to enforce policy for VMs in motion
Operations and Management
‒ Lack of VM visibility, accountability, and consistency
‒ Difficult management model and inability to effectively troubleshoot
Roles and Responsibilities
‒ Muddled ownership as server admin must configure virtual network
‒ Organizational redundancy creates compliance challenges
Machine Segmentation
‒ Server and application isolation on same physical server
‒ No separation between compliant and non-compliant systems…
Internal Zoning
Cisco Virtual Networking and Cloud Network Services
(Diagram: Cloud Network Services for Tenant A (Zone A, Zone B) in a Virtualized/Cloud Data Center: WAN Router, Switches, Servers, and a Cloud Services Network with Cisco Virtual Security Gateway, ASA 1000V Cloud Firewall, Cloud Services Router 1000V, Imperva SecureSphere WAF, Citrix NetScaler VPX, vWAAS and Network Analysis Module (vNAM).)
Nexus 1000V (Dist. Virtual Switch): Distributed switch; NX-OS consistency. 7000+ Customers; N1110: 1H CY2013
VSG (Zone-based FW): VM-level controls; Zone-based FW. Available Now
ASA 1000V (Cloud FW): Edge firewall, VPN; Protocol Inspection. Available Now
vWAAS (WAN Optimization): WAN optimization; Application traffic. Available Now
CSR 1000V (Cloud Router): WAN L3 gateway; Routing and VPN. 1H 2013
vNAM (Network Analytics): App Visibility (L2-L7); Overlay Intelligence (OTV, VXLAN, FP**). PoC: 1H 2013
Ecosystem Services: Citrix NetScaler VPX virtual ADC; Imperva Web App. FW. vPath: 2H CY2013
(Diagram: Server Team, Network Team, Security Team.)
Nexus 1000V (1110/1010)
-Non-disruptive operation model to maintain current workflows using Port Profiles
-Maintain network security policies with isolation and segmentation via VLANs, Private VLANs, Port-based Access Lists, Cisco Integrated Security Features
-Ensure visibility (VM Introspection) into virtual machine traffic flows using traditional network features such as ERSPAN and NetFlow
Internal Zoning
Cisco’s Virtual Security Portfolio
Intra-Tenant Security
• Secures traffic between virtual machines within a tenant
• Layer 2 and 3 firewall to secure east-to-west traffic
• ACLs using network attributes and virtual machine attributes
• First-packet lookup and performance acceleration using vPath
Tenant-Edge Security
• Secures the tenant edge
• Default gateway; Layer 3 firewall to secure north-to-south traffic
• Edge firewall capabilities including network attribute-based ACLs, site-to-site VPN, NAT, DHCP, inspections, and IP audit
• All packets go through the Cisco ASA 1000V
Internal Zoning
Security for Virtualization
(Diagram: Virtual Security Gateway and ASA 1000V as Virtual Service Nodes reached via vPath on the Nexus 1000V, above the Hypervisor.)
Internal Zoning
Microsegmentation
Policy Per Zone, Per VM, Per vNIC
(Diagram: vPath on Nexus 1000V over vSphere, shown on two hosts.)
Internal Zoning
Physical to Virtual
Internal Zoning
vPath Intelligence: Service Chaining
ASA 1000V and VSG
(Diagram labels: Core; Aggregation; Layer 3; Protected VRF; ASA 5585 (x2); ASA 1000V; gateway addresses 10.1.1.254, 10.1.2.254, 10.1.3.254; Layer 2 addresses 10.1.1.252, 10.1.1.253; vPath; Nexus 1000V; Hypervisor; Sub Zones.)
Internal Zoning
Multi-Tier Application Architecture
• Tier Deployment
• Multi-Tier application architectures
• Application vendor often has specific recommendations on how to deploy an application
• Can consist of
 • Web (presentation) tier
 • Application tier
 • Database tier
• Web and Application services can be on physically separate servers or collapsed into single in some cases
• Normal flow is often client->web->application->database
• No direct client to database communication
• Servers may be clustered for high availability. Often uses layer 2 multicast protocol for state exchange
(Diagram: Client → Edge Firewall → Web-zone (Web Servers) → Application-zone (App Servers) → Database-zone (DB Servers), with ASA 1000V. Policy: Permit Only Port 80 (HTTP) to Web Servers; Permit Only Port 22 (SSH) to application servers; Block all external access to database servers; Only Permit Web servers access to Application servers; Only Permit Application servers access to Database servers.)
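The slide's five enforcement points can be written as a first-match zone policy with an implicit deny, which is how a zone-based virtual firewall in front of each tier would be driven. The evaluator below is an added example, not from the slides or from Cisco; zone names, ports and the sample flows are constructed, and treating the port 80 and port 22 rules as applying to external (client) traffic is this example's assumption.

```python
# Constructed zone policy for the three-tier design on the slide: one rule per enforcement
# point, evaluated first-match with an implicit deny at the end. None means "any".
ZONE_POLICY = [
    # src zone,  dst zone, proto, dst port, action
    ("external", "web", "tcp", 80, "permit"),   # permit only port 80 (HTTP) to web servers
    ("external", "app", "tcp", 22, "permit"),   # permit only port 22 (SSH) to application servers
    ("external", "db", None, None, "deny"),     # block all external access to database servers
    ("web", "app", None, None, "permit"),       # only web servers may reach application servers
    ("app", "db", None, None, "permit"),        # only application servers may reach database servers
]

def evaluate(src, dst, proto, port, policy=ZONE_POLICY):
    """Return 'permit' or 'deny' for one flow; anything unmatched hits the implicit deny."""
    for r_src, r_dst, r_proto, r_port, action in policy:
        if (r_src == src and r_dst == dst
                and r_proto in (None, proto) and r_port in (None, port)):
            return action
    return "deny"

def audit(flows, policy=ZONE_POLICY):
    """Evaluate constructed flows (src, dst, proto, port) and return {flow: decision}."""
    return {flow: evaluate(*flow, policy=policy) for flow in flows}

# Constructed flows: the normal client->web->application->database path plus two shortcuts.
SAMPLE_FLOWS = [
    ("external", "web", "tcp", 80),    # client -> web tier
    ("external", "web", "tcp", 443),   # not on the slide's allow list for the web tier
    ("web", "app", "tcp", 8080),       # web -> application tier
    ("app", "db", "tcp", 1433),        # application -> database tier
    ("external", "db", "tcp", 1433),   # client straight to the database: explicitly blocked
    ("web", "db", "tcp", 1433),        # web tier skipping the application tier: implicit deny
]

if __name__ == "__main__":
    for flow, decision in audit(SAMPLE_FLOWS).items():
        print(f"{decision:6s} {flow}")
```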
Compliance
PCI Compliance Design Option – Physical Separation with VDC
-Edge ASAs may implement a specific context for Compliance needs or a distinct pair of ASAs may be used
-Nexus 7K carries traffic from ASA Context across vRF – PCI VRF – Moves packets across routed Core to PCI Distribution VDC
-Security Group Access with MACSEC can be used on the Nexus 7000 to provide hop-by-hop encryption
-Dedicated ASAs (or vFW Context(s)) in Distribution Layer VDC invoke North-South Security Policy, possibly even enforcing using the SGT (via SXP) limiting compliant access to only the PCI Zone Servers by network, service or application
(Diagram: Internet / Extranet with IPSec into the DC Edge; DC Core VDC (Routed, BGP/OSPF) carrying the PCI VRF with SGT and 802.1AE (encrypt) on each hop; Prod Aggregation Layer VDC and PCI Aggregation Layer VDC (L3/L2) with FW CLUSTER(s).)