Confidential
2009 VMware Inc. All rights reserved
Agenda
- What NOT to Worry About
- Virtual Network Designs
- Virtual Network Security Challenges
- VMware Solution
- Cisco Nexus 1000v
What NOT to Worry About: Contrived Scenarios
Example: VMotion intercept
These involve exploits where:
- best practices around hardening, lockdown and design for virtualization, etc. are not followed, or
- poor general IT infrastructure security is assumed
Design Highlights
No code exists to link virtual switches
Virtual switches provide protection by design against attacks:
- MAC flooding
- 802.1q and ISL tagging attacks
- Double-encapsulation attacks
- Multicast brute-force attacks
- Spanning-tree attacks
- Random frame attacks
Can restrict malicious network behavior:
- MAC address change, impersonation
Such protection is not possible with physical switches
Virtual Network
Virtual Network Designs
[Diagram: vnic (x3), VMkernel (Mgmt, Storage), vSwitch1 (Production), vSwitch2, vmnic1, Prod Network, Mgmt Network]
Strictly control access to the management network, e.g. RDP to a jump box, or VPN through a firewall
VMware Infrastructure 3 Security Hardening Guide http://www.vmware.com/resources/techresources/726
[Diagram labels: vCenter, IP-based Storage]
Disadvantages (can be mitigated)
- Greatest complexity, which in turn creates the highest chance of misconfiguration
- Requires explicit configuration to define separation of duties, and regular audits, to help mitigate the risk of misconfiguration
Virtual Network Security Challenges
To make matters worse, the VMs and their MACs also move between physical servers! You cannot apply a security policy to a physical switch port, since you don't know which port a workload may be connecting on.
VMotion
1. vMotion moves VMs across physical ports; the network security policy does not follow
2. Impossible to isolate or apply policy to locally switched traffic
[Diagram label: VLAN 104]
VMware Solution
Benefits
Pervasive: a well-defined security posture for inter-VM traffic anywhere and everywhere in the virtual environment, for the entire VM lifecycle, including VMotion live migrations
[Diagram: vShield Manager (Centralized Monitoring, Centralized Policy Assignment), VMware vCenter, vSwitch, vSwitch]
Enables networking statistics and policies to migrate with virtual machines (Network VMotion)
Key to enabling VMsafe appliances to provide stateful security; NetFlow statistics don't reset
Private VLANs (PVLAN)
Cisco Nexus 1000v
[Diagram: multiple VMs (APP/OS) attached to vSwitches]
Aggregated datacenter-level virtual networking
Simplified setup and change
Easy troubleshooting, monitoring and debugging
Enables transparent third-party management of virtual environments
BEFORE 1000V
- Typically provisioned as a trunk to the server running ESX
- No visibility into individual traffic from each VM
- Unable to troubleshoot, apply policy, or address performance issues
AFTER 1000V
- VN-Link provides visibility to the individual VMs
- Policy can be configured per VM
- Policy is mobile within the ESX cluster
- VN-Link refers to a literal link between a VM VNIC and a Cisco VN-Link switch
"1000V has a lot more functionality than our own virtual switch" (Steve Herrod, VMware CTO)
"1000V overcomes the biggest network hurdles to virtualization" (Ed Bugnion, Cisco CTO)
[Diagram: SGACL Matrix, Source Group by Destination Group, cells marked + / -]
Server admin uses vCenter to assign the vnic policy from the available port groups
VMotion with Nexus 1000V
1. vCenter kicks off a VMotion (manual/DRS) and notifies the Nexus 1000V
2. During VM replication, the Nexus 1000V copies the VM port state to the new host
3. Once VMotion completes, the port on the new ESX host is brought up and the VM's MAC address is announced to the network (network update)
[Diagram: vSphere hosts before, during and after the VMotion, with the port state moving with the VM]
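As an added example (not code from the slides, VMware or Cisco), the following toy Python model puts the two challenges from the earlier slides (a policy bound to a physical switch port does not follow a VMotion, and locally switched traffic is never seen by that port) next to the port-profile model that the Nexus 1000V VMotion steps above describe, where the vnic's policy is enforced on whatever host the VM currently runs on. The hosts, MAC addresses, groups and the group-to-group matrix are constructed, and the classes and functions are hypothetical.

```python
"""Toy model (constructed, not VMware/Cisco code) of where an inter-VM policy
is enforced.  'physical' stands for a policy bound to physical switch ports:
it only sees frames that leave the host, and it knows a VM's group only from
the MAC addresses present on that port when the policy was configured.
'vnlink' stands for a policy carried by the VM's vnic port profile and
enforced on whatever host the VM currently runs on."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Group-to-group matrix in the spirit of the SGACL slide (values constructed):
# (source group, destination group) -> permitted?
SGACL: Dict[Tuple[str, str], bool] = {
    ("web", "app"): True,
    ("app", "db"): True,
    ("web", "db"): False,
}


@dataclass
class VM:
    name: str
    mac: str
    host: str   # ESX host the VM currently runs on
    group: str  # security group / port profile assigned to the vnic in vCenter


@dataclass
class Cluster:
    vms: Dict[str, VM]
    # physical model: per host, MAC -> group as learned on the uplink port
    uplink_groups: Dict[str, Dict[str, str]] = field(default_factory=dict)

    def configure_uplinks(self) -> None:
        """Snapshot MAC->group on each host's uplink port (physical model)."""
        self.uplink_groups = {}
        for vm in self.vms.values():
            self.uplink_groups.setdefault(vm.host, {})[vm.mac] = vm.group

    def vmotion(self, name: str, new_host: str) -> None:
        """Move a VM.  The uplink tables are deliberately left alone: a policy
        on a physical port does not follow the VM."""
        self.vms[name].host = new_host

    def uplink_group(self, vm: VM) -> Optional[str]:
        """Group the VM's current host's uplink port knows for its MAC, if any."""
        return self.uplink_groups.get(vm.host, {}).get(vm.mac)


def verdict(permitted: bool) -> str:
    return "allow" if permitted else "deny"


def check_physical(c: Cluster, src: str, dst: str) -> str:
    """Policy enforced on the physical switch port."""
    s, d = c.vms[src], c.vms[dst]
    if s.host == d.host:
        return "unenforced"  # locally switched; never reaches the physical switch
    sg, dg = c.uplink_group(s), c.uplink_group(d)
    if sg is None or dg is None:
        return "unenforced"  # MAC not known on this host's port after a move
    return verdict(SGACL.get((sg, dg), False))


def check_vnlink(c: Cluster, src: str, dst: str) -> str:
    """Policy carried by the vnic port profile, enforced on the current host."""
    s, d = c.vms[src], c.vms[dst]
    return verdict(SGACL.get((s.group, d.group), False))


def scenario() -> Dict[str, str]:
    """web1 -> db1 (denied by the matrix) before and after two VMotions."""
    c = Cluster(vms={
        "web1": VM("web1", "00:50:56:00:00:01", "esx-a", "web"),
        "db1": VM("db1", "00:50:56:00:00:02", "esx-b", "db"),
    })
    c.configure_uplinks()
    out: Dict[str, str] = {}
    out["start/physical"] = check_physical(c, "web1", "db1")
    out["start/vnlink"] = check_vnlink(c, "web1", "db1")
    c.vmotion("web1", "esx-b")  # now on the same host as db1
    out["same-host/physical"] = check_physical(c, "web1", "db1")
    out["same-host/vnlink"] = check_vnlink(c, "web1", "db1")
    c.vmotion("web1", "esx-c")  # a host whose uplink never learned web1's MAC
    out["new-host/physical"] = check_physical(c, "web1", "db1")
    out["new-host/vnlink"] = check_vnlink(c, "web1", "db1")
    return out


if __name__ == "__main__":
    for step, result in scenario().items():
        print(f"{step:22s} {result}")
```

Running the scenario shows the physical-port policy denying web1 to db1 only while both VMs sit behind different uplinks whose tables were configured with them; once web1 is migrated next to db1, or to a host that never learned its MAC, the same flow is simply not enforced, whereas the port-profile model returns "deny" in all three positions because the group moved with the vnic.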
Troubleshoot your network as before, using tools you know
Make your regulatory compliance much easier because of the simpler process
[Diagram: Cisco VEM with VM1, VM2, VM3, VM4]
Thank You!