
Virtual Network Security

Matt Skipton, System Engineer, VMware Inc.

Confidential
2009 VMware Inc. All rights reserved

Agenda

- What NOT to Worry About
- Virtual Network Designs
- Virtual Network Security Challenges
- VMware Solution
- Cisco Nexus 1000v


What not to worry about

- Virtualization-based attacks
  - Examples: Blue Pill, SubVirt, etc.
  - These are all theoretical, highly complex attacks; some depend on virtualization support in CPU hardware
  - Widely regarded by the security community as being of academic interest only
- Irrelevant architectures
  - Example: numerous reports claiming guest escape
  - Most apply only to hosted architectures (e.g. Workstation), not to bare-metal hypervisors (i.e. ESX)
  - Hosted architectures deliberately include numerous channels for exchanging information between guest and host
- Contrived scenarios
  - Example: VMotion intercept
  - These exploits require that best practices around hardening, lockdown and design for virtualization were not followed, or assume poor general IT infrastructure security

Isolation: Virtual Networks

Design highlights
- No code exists to link virtual switches: each vSwitch is an independent forwarding domain
- Virtual switches provide protection by design against: MAC flooding, 802.1q and ISL tagging attacks, double-encapsulation attacks, multicast brute-force attacks, spanning-tree attacks, random frame attacks
- They can restrict malicious network behaviour from a guest: MAC address changes, impersonation (forged transmits)
- This protection comes built in rather than requiring configuration as on physical switches: the vSwitch knows each vNIC's MAC address from the VM configuration instead of learning it from traffic, does not participate in spanning tree, and does not negotiate trunks

[Diagram: virtual network layout]


Isolation in the Architecture

- Segment out all non-production networks: use VLAN tagging, or use a separate vSwitch (see diagram)
- Strictly control access to the management network, e.g. RDP to a jump box, or VPN through a firewall
- VMware Infrastructure 3 Security Hardening Guide: http://www.vmware.com/resources/techresources/726

[Diagram: VM vNICs attach to the Production port group on vSwitch1, which uplinks through vmnic1 to the production network; the VMkernel (management and storage) interfaces attach to vSwitch2, which uplinks to the management network shared with vCenter, other ESX/ESXi hosts and IP-based storage]
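As an added example (not from the deck or from VMware), the following Python script checks a host's vSwitch and port-group layout against the guidance above: management and VMkernel traffic must be separated from VM traffic either by vSwitch or by VLAN tag, and a VM port group that sees every VLAN (id 4095) must not share an uplink with management. It parses constructed text in the general shape of `esxcfg-vswitch -l` output; the column layout, the port-group names and the name-based classification of management groups are assumptions.

```python
"""Audit an ESX virtual switch layout for trust-zone mixing.

Added example, not from the deck or from VMware. SAMPLE is constructed text in
the general shape of `esxcfg-vswitch -l` output (assumption: column layout and
the names used). The checks encode the slide's guidance: keep management and
VMkernel traffic on its own vSwitch or at least its own VLAN, and never let a
VM port group see every VLAN (id 4095) on an uplink it shares with management.
"""
import re

SAMPLE = """\
Switch Name      Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch0         64          5           64                1500    vmnic0

  PortGroup Name        VLAN ID  Used Ports  Uplinks
  Service Console       0        1           vmnic0
  VMkernel              0        1           vmnic0
  Production            0        2           vmnic0

Switch Name      Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch1         64          3           64                1500    vmnic1

  PortGroup Name        VLAN ID  Used Ports  Uplinks
  Mgmt Network          10       1           vmnic1
  Prod Network          20       1           vmnic1
  Sniffer               4095     0           vmnic1
"""

# Port groups treated as management/infrastructure. Assumption: a naming
# convention; a real audit would key off the service console and VMkernel
# port configuration instead of names.
MGMT_NAMES = {"service console", "vmkernel", "mgmt network", "management"}
ALL_VLANS = 4095   # VLAN id that passes every tagged VLAN to the VM (VGT mode)

SWITCH_RE = re.compile(r"^(\S+)\s+\d+\s+\d+\s+\d+\s+\d+\s*(\S*)")
PG_RE = re.compile(r"^\s+(.+?)\s{2,}(\d+)\s+\d+\s+(\S*)\s*$")


def parse_vswitches(text):
    """Return {switch: [(port group, vlan id), ...]} from esxcfg-vswitch -l style text."""
    switches, current = {}, None
    for line in text.splitlines():
        if line.lstrip().startswith("PortGroup Name"):
            continue                      # port-group table header
        m = SWITCH_RE.match(line)
        if m:
            current = m.group(1)
            switches[current] = []
            continue
        m = PG_RE.match(line) if current else None
        if m:
            switches[current].append((m.group(1).strip(), int(m.group(2))))
    return switches


def audit(switches):
    """Findings as 'switch: message' strings; an empty list means the layout is clean."""
    findings = []
    for name, groups in switches.items():
        mgmt = [g for g in groups if g[0].lower() in MGMT_NAMES]
        vm_groups = [g for g in groups if g[0].lower() not in MGMT_NAMES]
        if not mgmt or not vm_groups:
            continue                      # dedicated vSwitch: nothing to mix
        for m_name, m_vlan in mgmt:
            for v_name, v_vlan in vm_groups:
                if v_vlan == ALL_VLANS:
                    findings.append(f"{name}: '{v_name}' sees all VLANs (4095) "
                                    f"on the uplink shared with '{m_name}'")
                elif v_vlan == m_vlan:
                    findings.append(f"{name}: '{v_name}' shares VLAN {v_vlan} "
                                    f"with management group '{m_name}'")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_vswitches(SAMPLE)):
        print(finding)
```

On the constructed sample, vSwitch0 is flagged twice (untagged Production traffic next to the Service Console and VMkernel groups) and vSwitch1 once (the Sniffer group on VLAN 4095); a Mgmt Network on VLAN 10 beside a Prod Network on VLAN 20 is the tagged layout the slide accepts and produces no finding.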

Physical Separation of Trust Zones

Advantages
- Simpler, less complex configuration
- Less change to the physical environment
- Little change to separation of duties
- Less change in staff knowledge requirements
- Smaller chance of misconfiguration

Disadvantages
- Lower consolidation and utilization of resources
- Higher cost

Virtual Separation of Trust Zones with Physical Security Devices

Advantages
- Better utilization of resources
- Takes full advantage of virtualization benefits
- Lower cost

Disadvantages (can be mitigated)
- More complexity
- Greater chance of misconfiguration

Fully Collapsed Trust Zones Including Security Devices

Advantages
- Full utilization of resources, replacing physical security devices with virtual ones
- Lowest-cost option
- Management of the entire DMZ and network from a single management workstation

Disadvantages (can be mitigated)
- Greatest complexity, which in turn creates the highest chance of misconfiguration
- Requires explicit configuration to define separation of duties, and regular audits to help mitigate the risk of misconfiguration


Network Security in the Good Old Days

- Plug a server into a switch port
- The switch port lights up and registers the server's MAC address
- Security policies and QoS are applied to the port, and they properly affect the workload on the server

Network Security in the Traditional Virtual World

- For each server you have 2 to 10 network links
- Each physical cable could have 1 to 100 VM MAC addresses on it (does this look familiar?)
- Even on a single physical host, the VM MAC addresses move among the physical cables as load demands
- To make matters worse, the VMs and their MACs also move between physical servers
- You cannot apply a security policy to a physical switch port, since you don't know which port a workload may be connecting on

Three main network hurdles to 100% virtualization

1. VMotion moves VMs across physical ports, but network security policy does not follow
2. It is impossible to isolate or apply policy to locally switched traffic (VM-to-VM traffic on the same host never reaches the physical switch)
3. Coordination is needed between network and server admins: the server admin works in vCenter, the network admin in the Cisco CLI (e.g. n1000v# sh int)

[Diagram: VMotion of a VM on VLAN 104 between two hosts; vCenter (server admin) and the Cisco CLI (network admin) as separate management points]


VMware vShield Zones

Capabilities
- Bridge, firewall, or isolate VM zones based on familiar VI containers
- Monitor allowed and disallowed activity by application-based protocols
- One-click flow-to-firewall: turn an observed flow into a rule that blocks precisely that network traffic

Benefits
- Pervasive: a well-defined security posture for inter-VM traffic anywhere and everywhere in the virtual environment, for the entire VM lifecycle, including VMotion live migrations
- Persistent: monitoring and assured policies
- Simple: zone-based rules reduce policy errors
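The following Python model is an added example, not vShield Zones code, of the capability described above: zones are built from VI containers (here the port group a vNIC is attached to, an assumption) rather than from IP addresses or physical switch ports, each zone is bridged, firewalled or isolated, and every allowed or disallowed flow is logged. Because membership is resolved from the inventory, the verdict for a VM does not change when it gets a new IP or is moved to another host. The same source-zone/destination-zone permit/deny idea is what the SGACL matrix in the Nexus 1000V section later shows. All VM names, addresses and zone names are constructed.

```python
"""Zone-based inter-VM firewall keyed on virtual-infrastructure containers.

Added example, not vShield Zones code. Zones are defined by VI containers
(assumption: the port group a vNIC is attached to) instead of IP addresses or
physical switch ports, so a rule keeps applying after the VM changes IP or is
moved to another host by VMotion. All names and addresses are constructed.
"""
from dataclasses import dataclass


@dataclass
class VM:
    name: str
    port_group: str   # the VI container that decides which zone the VM is in
    host: str
    ip: str


@dataclass
class Zone:
    name: str
    port_groups: frozenset
    # "bridge": pass everything, "isolate": drop all cross-zone traffic,
    # "firewall": pass only what a Rule allows
    mode: str = "firewall"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int


class ZoneFirewall:
    def __init__(self, zones, rules):
        self.zones = {z.name: z for z in zones}
        self.rules = set(rules)
        self.log = []   # (src, dst, proto, dport, verdict): allowed and disallowed activity

    def zone_of(self, vm):
        for zone in self.zones.values():
            if vm.port_group in zone.port_groups:
                return zone
        raise LookupError(f"{vm.name}: port group {vm.port_group!r} belongs to no zone")

    def decide(self, src, dst, proto, dport):
        """Verdict for a new flow from src to dst (stateless model of the rule lookup)."""
        sz, dz = self.zone_of(src), self.zone_of(dst)
        if sz is dz:
            verdict = "allow"                       # intra-zone traffic is not filtered
        elif "isolate" in (sz.mode, dz.mode):
            verdict = "drop"                        # an isolated zone talks to nobody
        elif "bridge" in (sz.mode, dz.mode):
            verdict = "allow"
        elif Rule(sz.name, dz.name, proto, dport) in self.rules:
            verdict = "allow"
        else:
            verdict = "drop"                        # default deny between firewalled zones
        self.log.append((src.name, dst.name, proto, dport, verdict))
        return verdict


def build_demo():
    """Constructed inventory: DMZ and App tiers, a bridged Mgmt zone, an isolated quarantine."""
    zones = [
        Zone("dmz", frozenset({"DMZ"})),
        Zone("app", frozenset({"App"})),
        Zone("mgmt", frozenset({"Mgmt"}), mode="bridge"),
        Zone("quarantine", frozenset({"Quarantine"}), mode="isolate"),
    ]
    rules = [Rule("dmz", "app", "tcp", 8080)]
    vms = {
        "web1": VM("web1", "DMZ", "esx01", "10.0.1.10"),
        "web2": VM("web2", "DMZ", "esx02", "10.0.1.11"),
        "app1": VM("app1", "App", "esx02", "10.0.2.10"),
        "jump": VM("jump", "Mgmt", "esx01", "10.0.9.5"),
        "bad1": VM("bad1", "Quarantine", "esx01", "10.0.1.66"),
    }
    return ZoneFirewall(zones, rules), vms


if __name__ == "__main__":
    fw, vms = build_demo()
    fw.decide(vms["web1"], vms["app1"], "tcp", 8080)
    vms["web1"].host, vms["web1"].ip = "esx02", "10.0.1.99"   # VMotion plus readdressing
    fw.decide(vms["web1"], vms["app1"], "tcp", 8080)
    for entry in fw.log:
        print(entry)
```

The second `decide` call in the usage returns the same verdict as the first even though web1 now sits on a different host with a different address; a policy keyed on the physical switch port or the IP would have lost it.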

vShield Zones: Architecture

- vShield Host Appliance: virtual network monitoring and virtual network firewall, one per ESX host
- vShield Manager: centralized monitoring and centralized policy assignment, alongside VMware vCenter

[Diagram: a vShield appliance on each VMware ESX host, managed by the VMware vShield Manager together with vCenter]

vNetwork Distributed Switch

[Diagram: standard switch (one vSwitch per host) versus distributed switch (one Distributed Virtual Switch spanning the hosts)]

- Simplifies datacenter administration
- Security benefits:
  - Helps to mitigate misconfiguration
  - PVLAN support
  - Inbound bandwidth control
- Enables networking statistics and policies to migrate with virtual machines (Network VMotion); this is key to enabling VMsafe appliances to provide stateful security, since NetFlow statistics don't reset on migration
- Provides for customization and third-party development
- Cisco's Nexus 1000V has even more security controls built right in

Private VLANs

PVLAN (Private VLAN)
- Enables Layer-2 isolation between VMs on the same switch, even though they are on the same subnet
- Private VLAN traffic isolation between guest VMs: traffic from one VM is forwarded out through the uplink without being seen by other VMs
- Communication between VMs on PVLANs can still occur at Layer 3 (through a router reached over the promiscuous uplink)

Benefits
- Scale VMs on the same subnet but selectively restrict inter-VM communication
- Avoids the scaling issues of assigning one VLAN and IP subnet per VM

Implementation
- Common primary VLAN on uplinks
- Available when using the Distributed Switch

[Diagram: vSwitch with Private VLAN capability]
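An added example, not the code of any virtual switch, modelling the PVLAN forwarding rules the slide relies on: a promiscuous port (the uplink or router) reaches every port in the primary VLAN, isolated ports reach only promiscuous ports, and community ports reach promiscuous ports plus members of their own community. It also shows the Layer-3 point, two isolated VMs that cannot exchange frames directly can still be bridged by a router on the promiscuous port, and enforces that a primary VLAN carries at most one isolated secondary VLAN. The VLAN ids and port names are constructed.

```python
"""Private VLAN forwarding rules between ports of one primary VLAN.

Added example, a model of the three PVLAN port roles rather than the code of
any virtual switch. The primary/secondary VLAN ids and port names are
constructed for the demonstration.
"""
PROMISCUOUS, ISOLATED, COMMUNITY = "promiscuous", "isolated", "community"


class PrivateVlan:
    def __init__(self, primary):
        self.primary = primary
        self.isolated_vlan = None     # a primary VLAN has at most one isolated secondary
        self.ports = {}               # port name -> (role, secondary VLAN id)

    def add_port(self, name, role, secondary=None):
        if role == PROMISCUOUS:
            secondary = self.primary  # the uplink/router port sits in the primary VLAN
        elif secondary is None or secondary == self.primary:
            raise ValueError(f"{name}: {role} ports need a secondary VLAN id")
        if role == ISOLATED:
            if self.isolated_vlan not in (None, secondary):
                raise ValueError(f"{name}: primary {self.primary} already has "
                                 f"isolated VLAN {self.isolated_vlan}")
            self.isolated_vlan = secondary
        self.ports[name] = (role, secondary)

    def can_forward(self, src, dst):
        """Layer-2 reachability from src port to dst port inside this private VLAN."""
        s_role, s_sec = self.ports[src]
        d_role, d_sec = self.ports[dst]
        if src == dst:
            return False
        if PROMISCUOUS in (s_role, d_role):
            return True                  # uplinks and gateways see every secondary VLAN
        if s_role == COMMUNITY and d_role == COMMUNITY and s_sec == d_sec:
            return True                  # members of one community reach each other
        return False                     # isolated ports, and different communities

    def reachable_via_gateway(self, src, dst, gateway):
        """Two VMs blocked at Layer 2 can still talk at Layer 3 through a
        router attached to a promiscuous port, which is the slide's point."""
        return self.can_forward(src, gateway) and self.can_forward(gateway, dst)

    def matrix(self):
        """{(src, dst): bool} for every ordered pair of distinct ports."""
        return {(s, d): self.can_forward(s, d)
                for s in self.ports for d in self.ports if s != d}


def build_demo():
    """Constructed layout: one uplink, two isolated VMs, a web community and a db community."""
    pv = PrivateVlan(primary=100)
    pv.add_port("uplink", PROMISCUOUS)
    pv.add_port("vm1", ISOLATED, 101)
    pv.add_port("vm2", ISOLATED, 101)
    pv.add_port("web1", COMMUNITY, 102)
    pv.add_port("web2", COMMUNITY, 102)
    pv.add_port("db1", COMMUNITY, 103)
    return pv


if __name__ == "__main__":
    pv = build_demo()
    for (src, dst), ok in sorted(pv.matrix().items()):
        print(f"{src:>6} -> {dst:<6} {'forward' if ok else 'drop'}")
```

In the constructed layout every VM shares subnet and primary VLAN 100, yet only web1 and web2 can exchange frames directly; vm1 reaches vm2 only through the uplink, which is where a router or a physical firewall would enforce Layer-3 policy.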


vNetwork Distributed Switch

- Aggregated datacenter-level virtual networking
- Simplified setup and change
- Easy troubleshooting, monitoring and debugging
- Enables transparent third-party management of virtual environments

[Diagram: VMs (APP/OS) across hosts attached to per-host vSwitches, to the VMware vSphere vNetwork Distributed Switch, and to the Cisco Nexus 1000V]

Current View of the Access Layer

- Boundary of network visibility: the physical switch port
- Typically provisioned as a trunk to the server running ESX
- No visibility into the individual traffic from each VM
- Unable to troubleshoot, apply policy, or address performance issues per VM

Nexus 1000V w/ VN-Link (Network View)

- Boundary of network visibility extends to the VM
- VN-Link provides visibility into the individual VMs
- Policy can be configured per VM
- Policy is mobile within the ESX cluster
- VN-Link refers to a literal link between a VM vNIC and a Cisco VN-Link switch

Benefits for the Server Admin

- 1000V overcomes the network hurdles to virtualizing tier-1, regulatory and DMZ applications
- 1000V makes ESX deployment faster: "one and done"
- 1000V offloads network workflow to the network admin

"1000V has a lot more functionality than our own virtual switch" - Steve Herrod, VMware CTO

Benefits for the Network Admin

- 1000V overcomes the hurdles to virtualizing DMZ, high-bandwidth and highly secure applications
- 1000V standardizes workflow for virtual and physical networks
- 1000V allows visibility into VM traffic

[Diagram: before and after 1000V]

"1000V overcomes the biggest network hurdles to virtualization" - Ed Bugnion, Cisco CTO

Cisco Nexus 1000V Security Features

[Diagram: SGACL matrix of source group versus destination group, each cell permitting (+) or denying (-) traffic]

Nexus 1000V Architecture

[Diagram: a Nexus 1000V VEM (Virtual Ethernet Module) on each vSphere host, managed by the Nexus 1000V VSM (Virtual Supervisor Module)]

Policy Based VM Connectivity

1. Nexus 1000V automatically enables port groups in VMware vCenter
2. The server admin uses vCenter to assign a vNIC policy from the available port groups
3. Nexus 1000V automatically enables VM connectivity at VM power-on

[Diagram: steps 1-3 across vSphere hosts]

Mobility of Security & Network Properties

1. vCenter kicks off a VMotion (manual or DRS) and notifies Nexus 1000V
2. During VM replication, Nexus 1000V copies the VM port state (port config, statistics, VM monitoring) to the new host
3. Once VMotion completes, the port on the new ESX host is brought up and the VM's MAC address is announced to the network: an ARP for VM1 is sent, and flows to VM1's MAC are redirected to Server 2

[Diagram: VM1 on Server 1 (current) migrating to Server 2 (new); VMotion notification, network persistence, network update]
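An added example, not Nexus 1000V or VMware code, covering both sequences above (Policy Based VM Connectivity and Mobility of Security & Network Properties). It reduces a constructed port-profile written in the style of the NX-OS CLI (assumption: only the handful of commands shown are modelled) to a policy, publishes it as a port group, binds it to the VM's virtual port at power-on, and on VMotion copies the port state, policy and counters included, to the destination host before announcing the MAC so the upstream network redirects flows. A small function models the traditional per-physical-port policy for contrast. Host names and the MAC address are constructed.

```python
"""Port-profile policy that follows a VM across hosts.

Added example, not Nexus 1000V or VMware code. PORT_PROFILE is a constructed
fragment in the style of the NX-OS port-profile CLI (assumption: only the
commands shown are modeled). The model walks the deck's two sequences: the
profile is published as a port group and bound to the VM at power-on, and on
VMotion the port state is copied to the destination host before the MAC is
announced upstream. Host names and the MAC are constructed.
"""
import copy

PORT_PROFILE = """\
port-profile type vethernet WebTier
  vmware port-group
  switchport mode access
  switchport access vlan 104
  ip port access-group WEB-IN in
  no shutdown
  state enabled
"""


def parse_port_profile(text):
    """Reduce the CLI fragment to a policy dict."""
    policy = {"name": None, "vlan": None, "acl_in": None, "enabled": False}
    for line in text.splitlines():
        words = line.split()
        if words[:3] == ["port-profile", "type", "vethernet"]:
            policy["name"] = words[3]
        elif words[:3] == ["switchport", "access", "vlan"]:
            policy["vlan"] = int(words[3])
        elif words[:3] == ["ip", "port", "access-group"]:
            policy["acl_in"] = words[3]
        elif words == ["state", "enabled"]:
            policy["enabled"] = True
    return policy


class DistributedSwitch:
    """One logical switch spanning every host; per-VM port state lives here,
    not on any physical switch port."""

    def __init__(self):
        self.profiles = {}
        self.ports = {}               # vm -> {"host", "mac", "policy", "stats"}
        self.upstream_mac_table = {}  # mac -> server the physical network forwards to

    def publish(self, profile):
        """Step 1: an enabled profile shows up as a port group in vCenter."""
        if not profile["enabled"]:
            raise ValueError(f"{profile['name']}: profile is not enabled")
        self.profiles[profile["name"]] = profile

    def power_on(self, vm, mac, host, profile_name):
        """Steps 2-3: the vNIC is assigned the port group and connected at power-on."""
        self.ports[vm] = {"host": host, "mac": mac,
                          "policy": self.profiles[profile_name],
                          "stats": {"rx": 0, "tx": 0}}
        self.upstream_mac_table[mac] = host

    def account(self, vm, rx=0, tx=0):
        """Per-port counters that must survive a move for stateful monitoring."""
        stats = self.ports[vm]["stats"]
        stats["rx"] += rx
        stats["tx"] += tx

    def vmotion(self, vm, new_host):
        """VMotion: copy port state while the VM still runs on the old host,
        cut over, then announce the MAC so upstream flows are redirected."""
        old = self.ports[vm]
        staged = copy.deepcopy(old)           # step 2: port state copied to new host
        staged["host"] = new_host
        self.ports[vm] = staged               # step 3: port on new host brought up
        self.upstream_mac_table[old["mac"]] = new_host   # MAC announced to the network
        return staged


def traditional_port_policy(mac_table, port_policies, mac):
    """Pre-virtualization model for contrast: policy is bound to the physical
    switch port, so after a move it is whatever the new port happens to have."""
    return port_policies.get(mac_table.get(mac))


if __name__ == "__main__":
    sw = DistributedSwitch()
    sw.publish(parse_port_profile(PORT_PROFILE))
    sw.power_on("VM1", "00:50:56:aa:bb:01", "Server1", "WebTier")
    sw.account("VM1", rx=10, tx=5)
    print(sw.vmotion("VM1", "Server2"))
    print(sw.upstream_mac_table)
```

After the move the returned port record still carries VLAN 104, the WEB-IN access group and the counters accumulated on Server1, and the upstream MAC table points at Server2; `traditional_port_policy` with a policy configured only on Server1's port returns nothing for the same MAC once it appears on Server2, which is hurdle 1 from the challenges section.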

Cisco Nexus 1000V VM Security

[Diagram: SGACL matrix (source group versus destination group, + permit / - deny) applied to VMs across vSphere hosts]

Keep your process consistent

- Few datacenters are completely virtualized
- Using Nexus 1000V keeps all the processes consistent and gives you the same visibility for VMs and physical servers
- Troubleshoot your network as before, using the tools you know
- Makes your regulatory compliance much easier because of the simpler process

[Diagram: Cisco VEM hosting VM1-VM4, with ERSPAN, counters, NetFlow, CDP and PVLAN available per VM port]

Thank You!
