Security & Virtualization in the Data Center


Transcript of Security & Virtualization in the Data Center

Page 1: Security & Virtualization in the Data Center

Security & Virtualization in the Data Center BRKSEC-2206

Руслан Иванов, Systems Engineer Consultant, [email protected]

Page 2: Security & Virtualization in the Data Center

© 2015 Cisco and/or its affiliates. All rights reserved. BRKSEC-2206 Cisco Public

Requiring a Solutions Approach (architecture diagram)

Internet Edge: ASA 5585-X pair. Core and Distribution: Nexus 7018 with VDCs; Nexus 7000, 5000 and 2100 Series down to 10G server racks, Unified Compute and Unified Access, interconnected with VSS and vPC. Services: Catalyst 6500 VSS with Firewall, ACE, NAM and IPS. Compute: Unified Computing System with Nexus 1000V and VSG (zone and multizone). SAN. Legend: Compute, Network, Security.

Page 3: Security & Virtualization in the Data Center


Data Center Security Challenges

• Provisioning: reduce complexity and fragmentation of security solutions (95% of firewall breaches are caused by misconfigurations*)
• Scalability: maintain security and compliance while the data center evolves (3000% increase in network connections/second by 2015)
• Protection: stay ahead of the evolving threat landscape (over 100K new threats every day)

* Greg Young, Gartner Inc

Page 4: Security & Virtualization in the Data Center


Security and Virtualization in the Data Center Agenda

Virtualization Trends, Priorities, Concerns

Virtual Network Security Services

Physical Network Security Services for Virtualization

Threat Identification and Correlation

Application Centric Infrastructure Security

Summary

Page 5: Security & Virtualization in the Data Center

Source: IDC, Nov 2010

Tipping Point: The Evolving Data Center Architecture, Virtualization on Commodity Compute (diagram)

Traditional: one application (App + OS) per server. Transition. Virtualized: one server, or "host", runs many apps, or "VMs", each with its own OS on top of a hypervisor.

Page 6: Security & Virtualization in the Data Center


Common Virtualization Concerns

• Unified Policy Enforcement
  – Applied at the physical server, not the individual VM
  – Impossible to enforce policy for VMs in motion
• Operations and Management
  – Lack of VM visibility, accountability, and consistency
  – Difficult management model and inability to effectively troubleshoot
• Roles and Responsibilities
  – Muddled ownership as the server admin must configure the virtual network
  – Organizational redundancy creates compliance challenges
• Machine and Application Segmentation
  – Server and application isolation on the same physical server
  – No separation between compliant and non-compliant systems

Diagram: Policy, Workflow, Operations; Roles and Responsibilities; Isolation and Segmentation; Management and Monitoring; a hypervisor host where an initial infection of one VM leads to a secondary infection of a neighbouring VM.

Page 7: Security & Virtualization in the Data Center


Virtualization Security

•  Collateral hacking?

•  Segmentation?

•  Side channel attacks?

•  Visibility?

•  Threat identification and defense?

•  What about Hypervisor Hyperjacking?

•  VM Escape?

•  Virtualization Attention Deficit Disorder

Diagram: Virtualization Security topics: V-Motion (memory), V-Storage (VMDK), VM Segmentation, Hypervisor Security, Role Based Access, Physical Security, VM OS Hardening, Patch Management, VM Sprawl.

Page 8: Security & Virtualization in the Data Center

Simple, Effective, Achievable: Defend, Detect, Control (North-South and East-West)

Segmentation
• Establish boundaries: network, compute, virtual
• Enforce policy by functions, devices, organizations, compliance
• Control and prevent unauthorized access to networks, resources, applications

Threat Defense
• Stop internal and external attacks and interruption of services
• Patrol zone and edge boundaries
• Control information access and usage, prevent data loss and data modification

Visibility
• Provide transparency to usage
• Apply business context to network activity
• Simplify operations and compliance reporting

Page 9: Security & Virtualization in the Data Center

Security Model: the Attack Continuum

BEFORE: Control, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate

Applies across Network, Endpoint, Mobile, Virtual and Cloud, both point in time and continuous.

Page 10: Security & Virtualization in the Data Center

From Best of Breed…

Diagram: physical hosts behind a clustered ASA firewall with NGIPS.

• Control North/South traffic with ASA 5585
• Scale and HA with Clustering
• Inspect North/South traffic with NGIPS
• Segment and protect the virtual enclave with ASAv and vNGIPS

Page 11: Security & Virtualization in the Data Center

…With Best Infrastructure…

Diagram: NGIPS, ASA firewall, clustering, NGA and Virtual FlowSensor; ISE assigns Security Group Tags (SGT) to hosts throughout the fabric.

CTD: Cisco Cyber Threat Defense. Leverage your Cisco Infrastructure to fight Advanced Pervasive Threats.

TrustSec with Security Group Tagging: Simplify, Automate, Accelerate, Standardize.

Page 12: Security & Virtualization in the Data Center

…With Best Architecture…

Diagram: two data centers, each with virtual and physical hosts, NGIPS and SGT-tagged workloads, joined by inter-DC clustering over OTV.

Page 13: Security & Virtualization in the Data Center

…Ready for Next Generation DataCenter.

Diagram: ACI Fabric connecting virtual endpoints, physical endpoints, service nodes and security nodes (NGIPS, clustered ASA firewall).

Application Centric Infrastructure: Scalable, Simple, Flexible, Reliable, Automated, Secured.

Page 14: Security & Virtualization in the Data Center

Virtual Network & Security Services

Page 15: Security & Virtualization in the Data Center

Managing Virtual Networking Policy: Virtual Switches, Example Nexus 1000V

• Non-disruptive operation model to maintain current workflows using Port Profiles
• Maintain network security policies with isolation and segmentation via VLANs, Private VLANs, Port-based Access Lists, Cisco Integrated Security Features
• Ensure visibility (VM introspection) into virtual machine traffic flows using traditional network features such as ERSPAN and NetFlow

Diagram: the Network Team, Server Team and Security Team each interact with the Nexus 1000V; concerns addressed: Management and Monitoring, Roles and Responsibilities, Isolation and Segmentation.

Page 16: Security & Virtualization in the Data Center


What is a Nexus Port-Profile?

•  A port profile is a container used to define a common set of configuration commands for multiple interfaces

•  Define once and apply many times

•  Simplifies management by storing interface configuration

•  Key to collaborative management of virtual networking resources

• Why is it not like a template or SmartPort macro?
  – Port-profiles are 'live' policies
  – Editing an enabled profile causes configuration changes to propagate to all interfaces using that profile (unlike a static one-time macro)

* For lots more detail, reference BRKVIR-3013 Deploying and Troubleshooting the Nexus 1000V

Page 17: Security & Virtualization in the Data Center

Port Profiles

Nexus 1000V supports: ACLs, Quality of Service (QoS), PVLANs, port channels, SPAN ports

Example port profile and the vEthernet interfaces that inherit it:

  port-profile vm180
    vmware port-group pg180
    switchport mode access
    switchport access vlan 180
    ip flow monitor ESE-flow input
    ip flow monitor ESE-flow output
    no shutdown
    state enabled

  interface Vethernet9
    inherit port-profile vm180
  interface Vethernet10
    inherit port-profile vm180

Port Profile –> Port Group via the vCenter API. The policy is sticky across vMotion. Roles involved: Network, Security, Server.

Page 18: Security & Virtualization in the Data Center

Nexus 1000V Security Features: Laying the Foundation

Switching: L2 switching, 802.1Q tagging, VLAN segmentation, rate limiting (TX); IGMP snooping, QoS marking (CoS and DSCP)
Security: Virtual Service Domain, Private VLANs with local PVLAN enforcement; Access Control Lists (L2–4 with redirect), Port Security, vPath/VSG; Dynamic ARP Inspection, IP Source Guard, DHCP Snooping
Provisioning: automated vSwitch config, Port Profiles, Virtual Center integration; optimized NIC teaming with Virtual Port Channel – Host Mode
Visibility: VMotion tracking, ERSPAN, NetFlow v9, CDP v2; VM-level interface statistics
Management: Virtual Center VM provisioning, Cisco network provisioning, CiscoWorks; Cisco CLI, RADIUS, TACACS, Syslog, SNMP (v1, v2, v3)

Page 19: Security & Virtualization in the Data Center

vPath Enables Chaining of Network Services

vPath is the Nexus 1000V data plane component:
• Topology-agnostic service insertion model
• Service chaining across multiple virtual services
• Performance acceleration with vPath, e.g. VSG flow offload
• Efficient and scalable architecture
• Non-disruptive operational model
• VM policy mobility with VM mobility

Diagram: Cloud Network Services (CNS) attached to the Nexus 1000V vPath on the hypervisor.

Page 20: Security & Virtualization in the Data Center

What is the Virtual Security Gateway?

• VSG is an L2 firewall that runs as a virtual machine "bump in the wire"
• Similar to the L2 transparent firewall mode of ASA
• It provides firewall inspection between L2-adjacent hosts (same subnet or VLAN)
• It can use VMware attributes for policy
• Provides the benefits of L2 separation for East-West traffic flows
• One or more VSGs are deployed per tenant
• Requires the Nexus 1000V virtual distributed switch and utilizes the vPath forwarding plane

Diagram: VSG inspecting traffic between groups of virtual hosts.

Page 21: Security & Virtualization in the Data Center

VSG Attributes

Name                  Meaning                        Source
vm.name               Name of this VM                vCenter
vm.host-name          Name of this ESX host          vCenter
vm.os-fullname        Name of guest OS               vCenter
vm.vapp-name          Name of the associated vApp    vCenter
vm.cluster-name       Name of the cluster            vCenter
vm.portprofile-name   Name of the port-profile       Port-profile

VM attribute information collected from vCenter is used for enforcing security policy.

Security Policy Profile
• Defined/managed by VNMC / Prime Network Services Controller (NSC)
• Bound to a Cisco Nexus 1000V VSM port-profile

Page 22: Security & Virtualization in the Data Center

Policy Workflow: Server, Network, Security

• Mitigate operational errors between teams
• Security team defines security policies (Prime NSC: Security Profile)
• Networking team binds the port-profile to the VSG service profile (Nexus 1KV: Port Profile)
• Server team assigns VMs to Nexus 1000V port-profiles (vCenter: Port Group)

Diagram: Server Admin (vCenter, Port Group), Network Admin (Nexus 1KV, Port Profile), Security Admin (Prime NSC, Security Profile).

Page 23: Security & Virtualization in the Data Center

Introducing the Virtualized ASA (ASAv)

• Developed due to customer feedback for a complete ASA firewall running as a virtual machine
• Nexus 1000V not required
• Will support VMware first, then other hypervisors
• ASA feature parity (with some exceptions)
• No support for:
  1. ASA clustering
  2. Multi-context mode
  3. EtherChannel interfaces
  4. Active/Active failover (requires multi-context mode)

ASAv Firewall (Virtualized ASA)

Page 24: Security & Virtualization in the Data Center

ASAv Deployment: Cloud Security FW+VPN

• Today multi-context mode on ASA is used to provide firewall inspection for multi-tenant and multi-zone environments
• Trunks are typically used to transport zone and tenant traffic
• The challenge of E-W scale requires more firewall resources and a scalable solution

Diagram: a multi-context mode ASA in front of Zone 1, Zone 2 and Zone 3 containing VM 1–8 and virtual firewalls VFW 1–3; beside it, Vzone 1 and Vzone 2, each with its own ASAv.

• ASAv provides the edge firewall and can scale for E-W buildout
• Each tenant or zone gets one or more ASAv for FW + VPN
• Scaled VPN termination for S2S and RA VPN clients

Page 25: Security & Virtualization in the Data Center

ASAv: Three Modes of Policy Enforcement

Routed Firewall
• Routing traffic between vNICs
• Maintains ARP and routing table
• Tenant edge firewall

Transparent Firewall
• VLAN or VXLAN bridging / stitching
• Maintains MAC address tables
• Non-disruptive to L3 designs

Service Tag Switching
• Applies inspection between service tags
• No network participation
• Fabric integration mode

Page 26: Security & Virtualization in the Data Center

Routed Firewall

• Routed – tenant edge use case
• First-hop gateway to hosts
• Enable all client hosts, VM or physical
• Scale the number of data interfaces
• Route between multiple subnets
• Traditional Layer 3 boundary in the network

Diagram: ASAv in routed mode with an Outside interface toward the gateway and client, an Inside interface to host1 and host2, and a Shared DMZ interface.

Page 27: Security & Virtualization in the Data Center

Transparent Firewall

• Bridging up to 4 (sub-)interfaces per bridge group
• Max 8 BVIs per ASAv
• NAT and ACL available
• Non-disruptive PCI compliance: inserted without re-addressing the hosts
• Traditional Layer 2 boundary between hosts
• All segments in one broadcast domain

Diagram: ASAv in transparent mode bridging Segment-1 and Segment-2 (toward the gateway and client) with Segment-3 and Segment-4 (host1, host2).

Page 28: Security & Virtualization in the Data Center

Application Security & Visibility

• Stateful inspection with virtual ASA for north-south and east-west VM traffic
• Transparent or routed mode
• Service elasticity

Diagram: Nexus 7000 (VRF, VLAN 50) to Nexus 5500 over an 802.1Q trunk, to UCS running the hypervisor with Nexus 1000V; the ASAv sits between VLAN 50 and the Web-zone (VLAN 200) and Fileserver-zone (VLAN 300).

Page 29: Security & Virtualization in the Data Center

Comparing Cisco Virtual Firewalls

              ASAv                                   ASA1000V (Edge)                   Virtual Security Gateway
Mode          L2 and L3 mode                         L3 routed mode only               L2 mode (transparent)
Routing       Dynamic and static routing             Static routes only                No routing
DHCP          DHCP server and client support         DHCP server and client support    No DHCP support
Policy        IP and user based policies             IP and user based policies        IP and VM attribute based policies
VPN           S2S and RA VPN                         S2S IPsec only                    No IPsec support
Management    CLI, ASDM, CSM                         ASDM and VNMC/PNSC                VNMC/PNSC only
Code          Full ASA code, CLI, SSH, REST API      Uses ASA code, CLI, SSH           Minimal config via CLI, SSH
Scope         Policy for virtual and physical hosts  Policy for virtual hosts only     Policy for virtual hosts only

Page 30: Security & Virtualization in the Data Center

More Segmentation Solutions ?

Page 31: Security & Virtualization in the Data Center

Layer 2 Segmentation: PVLANs for VM Isolation

• VMs in the same Layer 2 subnet can be isolated
• Only allowed to communicate outbound to the Layer 3 gateway
• Use an ACL on the gateway to block traffic whose source and destination IPs both belong to the PVLAN subnet; without it, an isolated host can still reach another isolated host by sending to the gateway's MAC, because the gateway simply routes the packet back into the same subnet

*PVLANs also supported on the VMware vSwitch

Diagram: Nexus 7000 (VRF, VLAN 20) over an 802.1Q trunk to UCS running the hypervisor with Nexus 1000V; Primary VLAN 20 with Web-zone on VLAN 100 (isolated), Fileserver-zone on VLAN 200 (isolated) and Application-zone on VLAN 300 (community).

Page 32: Security & Virtualization in the Data Center

VM Visibility: NetFlow for VM Network Behavior Analysis

• VM flows can be mirrored via a SPAN port on the virtual switch. ERSPAN can also be used to forward them via Layer 3 (e.g. to a 6500 NAM module).
• VM flow analysis via NetFlow for trending, visibility, and security

Diagram: Nexus 1000V on UCS exports NetFlow/ERSPAN/SPAN from VLAN 100 (isolated), VLAN 200 (isolated) and VLAN 300 (community) to a NetFlow data collector and a 6500 with NAM, across the Layer 2 / Layer 3 boundary.

Page 33: Security & Virtualization in the Data Center

System Isolation via Micro Segmentation: Policy Per App Tier, Per VM, Per vNIC

• Control ingress/egress and inter-VM traffic: vFirewall, ACL, PVLAN
• Traffic and threat visibility: vIPS, NetFlow, SPAN/ERSPAN
• Mobility-transparent enforcement: Port Profiles
• Administrative segregation: Server, Network, Security

Diagram: Tenant A and Tenant B each on a Nexus 1000V with a Virtual Service Domain (VSD); Web Tier and App Tier (Web, App, DB VMs) protected by ASAv, vIPS and VSG.

Page 34: Security & Virtualization in the Data Center

TrustSec

Page 35: Security & Virtualization in the Data Center

Drivers for Deploying TrustSec

• Mitigate Risk: reducing the attack surface with segmentation
• Increase SecOps efficiency: manage security using logical groups, not IP addresses/VLANs
• Meet Compliance Objectives: authorize access to compliance-critical apps

Page 36: Security & Virtualization in the Data Center

Simplicity Goals of Group-Based Policies

• Managing security rules by groups instead of individual identifiers can mean:
  – Fewer rules/access control entries
  – Easier to understand and audit policies
  – New assets can join a group without changing the policy
• Automating assignment of group membership avoids rule provisioning effort/lag
  – Frees SecOps effort for other tasks
  – Avoids the time required for manual provisioning of new apps/services
• If group membership can be independent of the network topology
  – Group-based policies can be applied anywhere on the network
  – Avoids/reduces the need for device-specific ACL configurations

Page 37: Security & Virtualization in the Data Center

TrustSec Concept

• Classification of systems/users based on context (user role, device, location, access method)
• Context (role) expressed as a Security Group Tag (SGT)
• Firewalls, routers and switches use the SGT to make filtering decisions
• Classify once – reuse the result multiple times

Diagram: ISE classifies users and devices against the directory and assigns SGT 5; the SGT is propagated through the access switch, router and DC switch to the DC firewall, which enforces policy toward Fin Servers (SGT = 4) and HR Servers (SGT = 10).

Page 38: Security & Virtualization in the Data Center

Inline tagging (SGT in data plane)

• SGT embedded within Cisco Meta Data (CMD) in the Layer 2 frame
• Capable switches process the SGT at line rate
• Optional MACsec protection
• No impact to QoS, IP MTU/fragmentation
• L2 frame impact: ~40 bytes
• Recommend L2 MTU ~1600 bytes
• N.B. Assume incapable devices will drop frames with an unknown EtherType

Frame layouts (diagram):

Ethernet frame with CMD: Destination MAC | Source MAC | 802.1Q | CMD | ETHTYPE | PAYLOAD | CRC
  Cisco Meta Data: CMD EtherType 0x8909 | Version | Length | SGT Option Type | SGT Value | Other CMD Option

MACsec frame: Destination MAC | Source MAC | 802.1AE Header (EtherType 0x88E5) | 802.1Q | CMD | ETHTYPE | PAYLOAD | 802.1AE trailer (ICV) | CRC
  802.1Q, CMD, ETHTYPE and PAYLOAD are covered by AES-GCM 128-bit encryption.
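As an added example (not code from the slide deck or from Cisco), here is a small Python frame walker that builds and parses the header order shown above: Ethernet, optional 802.1Q, optional CMD carrying the SGT, then the inner EtherType. The EtherTypes 0x8909 (CMD) and 0x88E5 (802.1AE) are the ones on the slide; the CMD field widths (1-byte version, 1-byte length counting the option bytes, 2-byte option type with 0x0001 for the SGT, 2-byte SGT value) are assumptions made for illustration, not taken from the slide or from a specification. The sample frame is constructed inline.

```python
import struct

# EtherTypes named on the slide
ETHERTYPE_8021Q = 0x8100
ETHERTYPE_CMD = 0x8909     # Cisco Meta Data, carries the SGT
ETHERTYPE_MACSEC = 0x88E5  # IEEE 802.1AE
ETHERTYPE_IPV4 = 0x0800

# ASSUMED CMD layout for this illustration (the slide names the fields, not their widths):
# version (1 byte), length of the option area in bytes (1 byte), then 4-byte options of
# 2-byte type + 2-byte value, with option type 0x0001 carrying the SGT.
CMD_VERSION = 1
CMD_OPT_SGT = 0x0001


def build_frame(dst, src, payload, vlan=None, sgt=None, ethertype=ETHERTYPE_IPV4):
    """DMAC | SMAC | [802.1Q] | [CMD] | EtherType | payload (CRC omitted)."""
    frame = bytes(dst) + bytes(src)
    if vlan is not None:
        frame += struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)
    if sgt is not None:
        options = struct.pack("!HH", CMD_OPT_SGT, sgt)
        frame += struct.pack("!HBB", ETHERTYPE_CMD, CMD_VERSION, len(options)) + options
    return frame + struct.pack("!H", ethertype) + bytes(payload)


def parse_frame(frame):
    """Walk the headers in order; sgt is None when no CMD header is present.

    A MACsec frame is reported as such and not parsed further: the CMD header sits
    inside the 802.1AE-protected region, so without the MACsec key the tag is unreadable.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    pos, vlan, sgt, macsec = 12, None, None, False
    (ethertype,) = struct.unpack_from("!H", frame, pos)
    pos += 2
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < pos + 4:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, pos)
        vlan = tci & 0x0FFF
        (ethertype,) = struct.unpack_from("!H", frame, pos + 2)
        pos += 4
    if ethertype == ETHERTYPE_MACSEC:
        macsec = True
    elif ethertype == ETHERTYPE_CMD:
        if len(frame) < pos + 2:
            raise ValueError("truncated CMD header")
        version, length = struct.unpack_from("!BB", frame, pos)
        pos += 2
        end = pos + length
        if version != CMD_VERSION or length % 4 != 0 or end + 2 > len(frame):
            raise ValueError("malformed CMD header")
        while pos < end:
            opt_type, value = struct.unpack_from("!HH", frame, pos)
            if opt_type == CMD_OPT_SGT:
                sgt = value
            pos += 4
        (ethertype,) = struct.unpack_from("!H", frame, pos)
        pos += 2
    return {"dst": dst, "src": src, "vlan": vlan, "sgt": sgt, "macsec": macsec,
            "ethertype": ethertype, "payload": frame[pos:]}


def cmd_overhead(vlan=200, sgt=10):
    """Bytes the (assumed) CMD header adds to a frame; input for the L2 MTU recommendation."""
    plain = build_frame(b"\x00" * 6, b"\x00" * 6, b"", vlan=vlan)
    tagged = build_frame(b"\x00" * 6, b"\x00" * 6, b"", vlan=vlan, sgt=sgt)
    return len(tagged) - len(plain)


if __name__ == "__main__":
    # Constructed sample: a frame from a PCI User (SGT 10) on VLAN 200
    sample = build_frame(b"\x00\x11\x22\x33\x44\x55", b"\x00\x66\x77\x88\x99\xaa",
                         b"IP packet", vlan=200, sgt=10)
    print(parse_frame(sample), "CMD overhead:", cmd_overhead(), "bytes")
```

A receiver without the CMD branch stops at EtherType 0x8909 and, as the N.B. above warns, treats the frame as an unknown protocol and drops it; a MACsec-protected frame hides the CMD behind 0x88E5 entirely, so the SGT is only readable after 802.1AE decryption. cmd_overhead() gives the per-frame bytes the assumed CMD layout adds, which is the kind of number behind the L2 MTU recommendation.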

Page 39: Security & Virtualization in the Data Center

SGT eXchange Protocol (SGT in Control Plane)

• SXP is very simple to enable
  – SGT propagation without hardware dependencies
  – Propagation possible from the access edge to the enforcement device
• Uses TCP as the transport protocol
• TCP port 64999 for connection initiation
• Uses MD5 for authentication and integrity check
• Two roles: Speaker (initiator) and Listener (receiver)

Diagram: access switches (Speakers) send IP-to-SGT bindings over SXP to an aggregation switch, which relays them over SXP to a router (Listener).

Page 40: Security & Virtualization in the Data Center

Assigning Security Groups

Dynamic Classification (common classification for mobile devices):
• 802.1X Authentication
• MAC Auth Bypass
• Web Authentication

Static Classification (classification for servers, topology-based assignments):
• IP Address
• VLANs
• Subnets
• L2 Interface
• L3 Interface
• Virtual Port Profile
• Layer 2 Port Lookup

Either path results in an SGT.

Page 41: Security & Virtualization in the Data Center

Dynamic SGT Assignments in Authorization Rules

• Policy > Authorization > Permissions > Security Groups
• Requires a basic authorization profile (Access Accept, Access Reject)

Page 42: Security & Virtualization in the Data Center

Nexus 1000V: SGT Assignment in Port Profile

• Port Profile: container of network properties, applied to different interfaces
• Server admin may assign Port Profiles to new VMs
• VMs inherit the network properties of the port-profile, including the SGT
• The SGT stays with the VM even if moved

Page 43: Security & Virtualization in the Data Center

Static SGT Assignments (IOS CLI examples)

IP to SGT mapping:
  cts role-based sgt-map A.B.C.D sgt SGT_Value
VLAN to SGT mapping*:
  cts role-based sgt-map vlan-list VLAN sgt SGT_Value
Subnet to SGT mapping:
  cts role-based sgt-map A.B.C.D/nn sgt SGT_Value
L3 ID to port mapping**:
  (config-if-cts-manual)# policy dynamic identity name
L3IF to SGT mapping**:
  cts role-based sgt-map interface name sgt SGT_Value
L2IF to SGT mapping*:
  (config-if-cts-manual)# policy static sgt SGT_Value

* relies on IP Device Tracking
** relies on route prefix snooping

Page 44: Security & Virtualization in the Data Center

Access Layer Classification Summary

                           C2960-S  C3750X  C3850/WLC 5760  C4500  C6x00  ISR/ASR1000  WLC
Dynamic 802.1X             X        X       X               X      X      X            X
MAB                        X        X       X               X      X      X            X
Web Auth                   X        X       X               X      X      X            X
Static VLAN/SGT            -        X*      X               X      X*     -            -
Subnet/SGT                 -        -       X               X      X      -            -
Layer 3 Interface Mapping  -        -       -               X      -      -

* limits on the number of VLANs per platform

Page 45: Security & Virtualization in the Data Center

Applying SGACL policies (Matrix View)

Portal_ACL:
  permit tcp dst eq 443
  permit tcp dst eq 80
  permit tcp dst eq 22
  permit tcp dst eq 3389
  permit tcp dst eq 135
  permit tcp dst eq 136
  permit tcp dst eq 137
  permit tcp dst eq 138
  permit tcp dst eq 139
  deny ip

Page 46: Security & Virtualization in the Data Center

Policy Enforcement on Firewalls: ASA SG-FW

• Can still use Network Objects (Host, Range, Network, FQDN) and/or the SGT
• SXP informs the ASA of Security Group membership
• Security Group definitions come from ISE
• Trigger other services by SGT, like NGIPS

Page 47: Security & Virtualization in the Data Center

Typical Deployment Approach

Diagram: users and endpoints on a campus network of Catalyst switches/WLC (3K/4K/6K) in monitor mode; traffic crosses to a Nexus 7000 in the data center, which performs egress enforcement with Security Group ACLs toward the PCI, Production and Development servers.

Access switch port configuration (monitor mode):
  authentication port-control auto
  authentication open
  dot1x pae authenticator

Policy matrix (SRC \ DST):
                 PCI Server (111)   Dev Server (222)
Dev User (8)     Deny all           Permit all
PCI User (10)    Permit all         Permit all
Unknown (0)      Deny all           Deny all

1. Users connect to the network; monitor mode allows traffic regardless of authentication
2. Authentication can be performed passively, resulting in SGT assignments (AUTH=OK, SGT = PCI User (10))
3. Traffic traverses the network to the data center enforcement points
4. Enforcement may be enabled gradually per destination Security Group
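As an added example that is not from the slides or from Cisco, the following Python models the pieces of Pages 43, 45 and 47 together: static IP and subnet to SGT mappings resolved by longest prefix match (the shapes of the cts role-based sgt-map commands), SGACLs in the Portal_ACL syntax, a source/destination SGT matrix, and per-destination-group enforcement, so that groups not yet switched on stay in monitor mode. The group numbers and Portal_ACL are from the slides; the addresses, the sample bindings (PCI User to PCI Server is bound to Portal_ACL here instead of "Permit all", to exercise the port-level entries) and the assumption that traffic matching no ACE is denied are mine for illustration.

```python
from ipaddress import ip_address, ip_network

UNKNOWN_SGT = 0  # source or destination with no mapping (the "Unknown (0)" row)


class SgtClassifier:
    """IP/subnet to SGT mappings resolved by longest prefix match, the shapes of
    `cts role-based sgt-map A.B.C.D sgt N` and `cts role-based sgt-map A.B.C.D/nn sgt N`."""

    def __init__(self):
        self._prefixes = []

    def map_host(self, ip, sgt):
        self._prefixes.append((ip_network(ip + "/32"), sgt))

    def map_subnet(self, cidr, sgt):
        self._prefixes.append((ip_network(cidr), sgt))

    def lookup(self, ip):
        addr = ip_address(ip)
        best = None
        for net, sgt in self._prefixes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, sgt)
        return best[1] if best else UNKNOWN_SGT


def parse_sgacl(text):
    """Parse ACEs of the forms 'permit tcp dst eq 443', 'permit ip' and 'deny ip'."""
    aces = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 2:
            action, proto, dport = parts[0], parts[1], None
        elif len(parts) == 5 and parts[2:4] == ["dst", "eq"]:
            action, proto, dport = parts[0], parts[1], int(parts[4])
        else:
            raise ValueError("unsupported ACE: " + line)
        aces.append((action, proto, dport))
    return aces


def match_sgacl(aces, proto, dport):
    """First matching ACE wins; traffic matching no ACE is denied (assumed here)."""
    for action, ace_proto, ace_port in aces:
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if ace_port is not None and ace_port != dport:
            continue
        return action == "permit"
    return False


class TrustSecPolicy:
    """(source SGT, destination SGT) -> SGACL matrix with per-destination enforcement."""

    def __init__(self, classifier):
        self.classifier = classifier
        self.sgacls = {}
        self.matrix = {}
        self.enforced_dst = set()  # destination SGTs moved from monitor mode to enforcement
        self.default = parse_sgacl("permit ip")  # unbound matrix cells (assumed)

    def define_sgacl(self, name, text):
        self.sgacls[name] = parse_sgacl(text)

    def bind(self, src_sgt, dst_sgt, acl_name):
        self.matrix[(src_sgt, dst_sgt)] = acl_name

    def enforce_for(self, dst_sgt):
        self.enforced_dst.add(dst_sgt)

    def decide(self, src_ip, dst_ip, proto, dport=None):
        src_sgt = self.classifier.lookup(src_ip)
        dst_sgt = self.classifier.lookup(dst_ip)
        acl_name = self.matrix.get((src_sgt, dst_sgt))
        aces = self.sgacls[acl_name] if acl_name else self.default
        permitted = match_sgacl(aces, proto, dport)
        enforced = dst_sgt in self.enforced_dst
        # In monitor mode a deny verdict is recorded but the packet is still forwarded.
        return {"src_sgt": src_sgt, "dst_sgt": dst_sgt, "permitted": permitted,
                "enforced": enforced, "forwarded": permitted or not enforced}


def build_demo_policy():
    """Constructed sample: the groups of Page 47 and the Portal_ACL of Page 45."""
    c = SgtClassifier()
    c.map_subnet("10.10.0.0/16", 8)    # Dev Users (all addresses here are assumed)
    c.map_subnet("10.20.0.0/16", 10)   # PCI Users
    c.map_host("10.1.1.10", 111)       # PCI Server
    c.map_subnet("10.1.2.0/24", 222)   # Dev Servers
    p = TrustSecPolicy(c)
    p.define_sgacl("Portal_ACL", "permit tcp dst eq 443\npermit tcp dst eq 80\n"
                   "permit tcp dst eq 22\npermit tcp dst eq 3389\npermit tcp dst eq 135\n"
                   "permit tcp dst eq 136\npermit tcp dst eq 137\npermit tcp dst eq 138\n"
                   "permit tcp dst eq 139\ndeny ip")
    p.define_sgacl("Deny_All", "deny ip")
    p.define_sgacl("Permit_All", "permit ip")
    p.bind(8, 111, "Deny_All")         # Dev User -> PCI Server
    p.bind(8, 222, "Permit_All")       # Dev User -> Dev Server
    p.bind(10, 111, "Portal_ACL")      # PCI User -> PCI Server, listed ports only
    p.bind(10, 222, "Permit_All")      # PCI User -> Dev Server
    p.bind(UNKNOWN_SGT, 111, "Deny_All")
    p.bind(UNKNOWN_SGT, 222, "Deny_All")
    return p
```

decide() returns both the policy verdict and whether it would actually be enforced, which is what you want to log while a destination group is still in monitor mode: the deny verdicts show up in telemetry before enforce_for() turns them into drops. Adding a new dev server in 10.1.2.0/24 changes nothing in the matrix, which is the point of group-based policy made on Page 36.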

Page 48: Security & Virtualization in the Data Center

TrustSec Functions and Platform Support (table: Classification, Propagation, Enforcement)

Classification: Catalyst 2960-S/-C/-Plus/-X/-XR; Catalyst 3560-E/-C/-X; Catalyst 3750-E/-X; Catalyst 4500E (Sup6E/7E); Catalyst 4500E (Sup8); Catalyst 6500E (Sup720/2T); Catalyst 3850/3650, WLC 5760; Wireless LAN Controller 2500/5500/WiSM2; Nexus 7000; Nexus 5500; Nexus 1000v (Port Profile); ISR G2 Router, CGR2000; IE2000/3000, CGS2000 (new).

Propagation (SXP and/or inline SGT): Catalyst 2960-S/-C/-Plus/-X/-XR; Catalyst 3560-E/-C, 3750-E; Catalyst 3560-X, 3750-X; Catalyst 3850/3650; Catalyst 4500E (Sup6E); Catalyst 4500E (7E, 8), 4500X; Catalyst 6500E (Sup720); Catalyst 6500E (2T), 6800; WLC 2500, 5500, WiSM2; WLC 5760; Nexus 1000v; Nexus 6000/5600 (new); Nexus 5500/22xx FEX (new); Nexus 7000/22xx FEX; ISRG2, CGS2000; ASR1000; ASA5500 Firewall, ASASM; ASA5500 (VPN RAS). New inline tagging: inline SGT on all ISRG2 except the 800 series; SGT carried over GETVPN, DMVPN and IPsec.

Enforcement (SGACL on switches, SG-FW on firewalls and routers): Catalyst 3560-X, 3750-X; Catalyst 4500E (7E, 8E); Catalyst 6500E (2T), 6800; Catalyst 3850/3650, WLC 5760; Nexus 7000; Nexus 6000 (new); Nexus 5600 (new); Nexus 1000v; ISR G2 Router, CGR2000; ASA 5500 Firewall, ASAv Firewall; ASR 1000 Router, CSR-1000v Router.

Page 49: Security & Virtualization in the Data Center

Use Case for DC Segmentation

Page 50: Security & Virtualization in the Data Center

Server Segmentation in Data Center

Diagram: Web Server VLAN, App VLAN and Database VLAN holding web servers, app servers and the database, plus a DR cluster; questions raised: "App VLAN?" "Which Policy?"

• Physical and virtual servers segmented using VLANs
• Policy stays with the VLAN or IP address, not with the servers
• Network Ops, Server Ops, and Security Ops are all involved in operation
• As the number of servers grows, complexity and OPEX follow

Page 51: Security & Virtualization in the Data Center

Server Segmentation with TrustSec

Web Server SGT (10), Application Server SGT (20), Database Server SGT (30)

Diagram: Web, App and DB servers (and the DR cluster) share a single Production Server VLAN; policy is expressed between groups:
  permit tcp from src Web to dst App eq HTTPS
  permit tcp from src App to dst DB eq SQL
  deny any from src Web to dst DB eq SQL

• Server, Network, and Security teams share a common security object
• Policy stays with the servers, not based on topology
• Works for both physical and virtual servers
• As the number of servers grows, management complexity and OPEX do not

Page 52: Security & Virtualization in the Data Center

Data Center Segmentation

• Segment servers into logical zones
• Control access to logical DC entities based on role
• Apply controls to physical and virtual servers

How to define this policy (SRC \ DST, enforced on the switch):
                    Web Servers  Middleware Servers  Database Servers  Storage
Web Servers         permit       permit              blocked           blocked
Middleware Servers  permit       permit              permit            permit
Database Servers    blocked      permit              permit            permit
Storage             blocked      permit              permit            permit

Page 53: Security & Virtualization in the Data Center

Using SGACL and SG-FW functions together

Diagram: ISE supplies the policy; Risk Level 1 contains PCI_Web, PCI_App and PCI_DB, Risk Level 2 contains LOB2_DB; PCI_Users reach them through the ASA; the switches feed IP/SGT mappings to the ASA over SXP.

• SGACL on switches enforcing policy within each Risk Level
• ASA enforcing policy between Risk Levels (with IP/SGT mappings supplied from the switch infrastructure)

Page 54: Security & Virtualization in the Data Center

Virtual NGIPS


Page 55: Security & Virtualization in the Data Center

vIPS: Virtual Switch Inline and Passive Deployment Options

Diagram: passive option – the vIPS listens on a promiscuous port of the vSwitch carrying the Web-zone (VLAN 200); inline option – the vIPS bridges an External vSwitch and an Internal vSwitch for the Web-zone (VLAN 200).

Page 56: Security & Virtualization in the Data Center

Application Security & Visibility: Service chaining – ASAv and vIPS

• Stateful inspection with virtual ASA for north-south and east-west VM traffic
• Deep inspection with virtual IPS, inline with VLAN pairing
• Defense Center with FireSIGHT for application flow data

Diagram: Nexus 7000 (VRF, VLAN 50) to Nexus 5500 over an 802.1Q trunk, to UCS running the hypervisor with Nexus 1000V; external VLAN 50 passes through the ASAv and then an inline set (External/Internal) of the vIPS before reaching the Web-zone (VLAN 200) and Fileserver-zone.

Page 57: Security & Virtualization in the Data Center

Application Security & Visibility: ASAv + vNGIPS passive

Diagram: the same topology (Nexus 7000 VRF VLAN 50, Nexus 5500, 802.1Q trunk, UCS with Nexus 1000V); the ASAv fronts the Web-zone (VLAN 200) and Fileserver-zone (VLAN 300) while the vNGIPS monitors passively.

Page 58: Security & Virtualization in the Data Center

Virtual Appliance Inline

Page 59: Security & Virtualization in the Data Center

Virtual IDS Passive

Page 60: Security & Virtualization in the Data Center

FireSIGHT Context Explorer: Application Security and Visibility

View all application traffic… Look for risky applications… Who is using them? On what operating systems? What else have these users been up to? What does their traffic look like over time?

Page 61: Security & Virtualization in the Data Center

Application Security & Visibility: Geo Location Information

Page 62: Security & Virtualization in the Data Center

Application Security & Visibility: Defense Center with FireSIGHT

Page 63: Security & Virtualization in the Data Center

Application Security & Visibility: Defense Center with FireSIGHT

Page 64: Security & Virtualization in the Data Center

Physical Security Services for Virtualization

Page 65: Security & Virtualization in the Data Center

ASA Firewalls and the Data Center Fabric

•  ASA and Nexus Virtual Port Channel (vPC)
   –  vPC keeps all links active (no links blocked by STP)
   –  The ASA leverages DC redundancy technologies
   –  Unique integration between ASA and Nexus (LACP)
•  The IPS module relies on ASA connectivity and provides deep packet inspection (DPI)
•  Validated design providing segmentation, threat protection and visibility
•  Transparent (recommended) and routed modes
•  Works with both Active/Standby and Active/Active failover

[Diagram: core layer (Core IP1, Core IP2) above a Data Center aggregation layer of two Nexus 7000s joined by a vPC peer-link (N7K vPC 40 and vPC 41), with the ASA pair attached as active and standby; access layers of hypervisors running the Nexus 1000V with vPath]

Page 66: Security & Virtualization in the Data Center

ASA Connecting to Nexus with vPC

•  The ASA connects to the Nexus pair using multiple physical interfaces on a vPC; with HA, the ASA can be configured to fail over after a certain number of links are lost
•  Note that the vPC identifiers are different for each ASA on the Nexus switch (this changes with the ASA clustering feature and cLACP, not yet shown)

Best practices shown

[Diagram: DC core/edge connected by vPCs to the aggregation layer (L3 above, L2 below), where two Nexus 7000s share a vPC peer link and run FHRP with an SVI for VLAN 200 on each; the ASA HA pair connects via ASA channel 32 to N7K vPC 40 and vPC 41; trunks carry the north zone, VLAN 200 (outside), and the south zone, VLAN 201 (inside), down to the access layer]

Page 67: Security & Virtualization in the Data Center

Transparent Mode Configuration in the DC: Two Interfaces

[Diagram: north zone VLAN 200 (outside) and south zone VLAN 201 (inside); the Nexus pair runs SVI VLAN200 with 172.16.25.253 and 172.16.25.254 and the FHRP address 172.16.25.1; the ASA BVI is 172.16.25.86/24; the vPC trunk towards the ASA allows VLANs 1,200,201 while the trunks towards the access layer allow VLANs 1,201; the server sits in VLAN 201]

ASA physical interfaces bundled into port-channel 32 with LACP (no nameif or security level on the member ports):

    interface TenGigabitEthernet0/6
     channel-group 32 mode active
     no nameif
     no security-level
    !
    interface TenGigabitEthernet0/7
     channel-group 32 mode active
     no nameif
     no security-level
    !

Transparent-mode bridge group: VLAN 200 (outside) and VLAN 201 (inside) are subinterfaces of the port-channel, both in bridge-group 1, with the bridge group's IP address on BVI1 in the bridged subnet:

    interface BVI1
     ip address 172.16.25.86 255.255.255.0
    !
    interface Port-channel32
     no nameif
     no security-level
    !
    interface Port-channel32.201
     mac-address 3232.1111.3232
     vlan 201
     nameif inside
     bridge-group 1
     security-level 100
    !
    interface Port-channel32.200
     mac-address 3232.1a1a.3232
     vlan 200
     nameif outside
     bridge-group 1
     security-level 0

Page 68: Security & Virtualization in the Data Center

Physical to Virtual

[Diagram: physical layout with core and aggregation (Nexus 7000 with firewalls and VRF Blue / VRF Purple), Nexus 5500 access, and hypervisors running the Nexus 1000V]

•  Leverage the physical infrastructure to provide isolation and segmentation for the virtual
•  Zones are used to define policy enforcement
•  Physical infrastructure mapped per zone
   §  Separate, dedicated routing tables per zone via VRF
   §  Firewall enforcement per zone covers north-south and east-west traffic
   §  Layer 2 and Layer 3 paths through the physical services

Page 69: Security & Virtualization in the Data Center

Firewall & Virtual Environment: ASA Virtual Contexts for Inter-Zone VM Traffic Flows

Firewall virtual contexts provide inter-zone east-west security.

[Diagram: physical layout with core, aggregation and hypervisors; an ASA 5585 pair runs Context 1 and Context 2 in transparent mode, each context bridging a pair of VLANs (VLAN 20/21 and VLAN 100/101), filtering east-west traffic between the Front-End Apps and Database zones]

Page 70: Security & Virtualization in the Data Center

Inspecting Inter-VLAN VM Traffic Flows: ASA with Bridge Groups within a Context

[Diagram: hypervisors attached to the aggregation layer; VMs in VLAN 20 and VLAN 100 are Layer 2 adjacent and switched locally (direct communication), while an ASA 5585 in transparent mode bridges VLAN 20 to VLAN 21 and VLAN 100 to VLAN 101; the Layer 3 gateway (VRF or SVI) lives on the outside VLANs 21 and 101, so traffic between the VLANs is filtered east-west]

Nexus gateway SVIs on the outside VLANs:

    interface vlan 21
     ip address 10.10.20.1/24
    interface vlan 101
     ip address 10.10.101.1/24

ASA configuration for the first bridge group (vss-id marks which vPC peer each member link attaches to; the remainder of the configuration is elided on the slide):

    interface TenGigabitEthernet0/6
     channel-group 32 mode active vss-id 1
     no nameif
     no security-level
    !
    interface TenGigabitEthernet0/7
     channel-group 32 mode active vss-id 2
     no nameif
     no security-level
    !
    interface BVI1
     ip address 10.10.20.254 255.255.255.0
    !
    interface Port-channel32
     no nameif
     no security-level
    !
    interface Port-channel32.20
     mac-address 3232.1111.3232
     vlan 20
     nameif inside
     bridge-group 1
     security-level 100
    !
    interface Port-channel32.21
     mac-address 3232.1a1a.3232
     vlan 21
     nameif outside
     bridge-group 1
     security-level 0
    …
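The transparent-mode designs on pages 67 and 70 rest on a handful of configuration invariants: each bridge group has exactly two named members with different security levels, different VLAN tags and different MAC addresses, a BVI with an IP address, and channel-group member ports that carry no nameif. The following is an added example, not code from the session or from Cisco: a small Python parser for the ASA interface stanzas shown on the slide that checks those invariants, so a mistake is caught before it becomes one of the misconfigurations that cause most firewall breaches. The sample configuration is the slide's own; the check names and messages are the example's.

```python
"""Audit an ASA transparent-mode bridge-group configuration.

Added example, not from the session or Cisco: parses the interface stanzas of
an ASA running-config (the slide's two-interface transparent design) and checks
the properties the design depends on: every bridge group has exactly two named
member subinterfaces (inside/outside), a BVI with an ip address, members with
distinct security levels, VLAN tags, MAC addresses and names, and channel-group
member ports that stay unnamed (no nameif).
"""
import re
from collections import defaultdict

# Constructed sample: the slide's transparent-mode configuration on Port-channel32.
SAMPLE_CONFIG = """
interface TenGigabitEthernet0/6
 channel-group 32 mode active
 no nameif
 no security-level
!
interface TenGigabitEthernet0/7
 channel-group 32 mode active
 no nameif
 no security-level
!
interface BVI1
 ip address 172.16.25.86 255.255.255.0
!
interface Port-channel32
 no nameif
 no security-level
!
interface Port-channel32.201
 mac-address 3232.1111.3232
 vlan 201
 nameif inside
 bridge-group 1
 security-level 100
!
interface Port-channel32.200
 mac-address 3232.1a1a.3232
 vlan 200
 nameif outside
 bridge-group 1
 security-level 0
"""


def parse_interfaces(config):
    """Return {interface name: {keyword: value}} for every 'interface' stanza.
    A 'no <keyword>' line is stored as keyword -> None."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {}
            continue
        if current is None:
            continue
        tokens = line.strip().split()
        if tokens[0] == "no":
            interfaces[current][tokens[1]] = None
        elif tokens[0] == "ip" and tokens[1] == "address":
            interfaces[current]["ip"] = (tokens[2], tokens[3])
        else:
            interfaces[current][tokens[0]] = " ".join(tokens[1:])
    return interfaces


def audit_bridge_groups(config):
    """Return a list of findings; an empty list means the design checks pass."""
    ifaces = parse_interfaces(config)
    findings = []
    groups = defaultdict(list)
    for name, attrs in ifaces.items():
        if "bridge-group" in attrs:
            groups[attrs["bridge-group"]].append(name)
        # A bundled physical port must never be a named firewall interface itself.
        if "channel-group" in attrs and attrs.get("nameif") is not None:
            findings.append(f"{name}: channel-group member must use 'no nameif'")
    for gid, members in sorted(groups.items()):
        bvi = ifaces.get(f"BVI{gid}", {})
        if "ip" not in bvi:
            findings.append(f"bridge-group {gid}: BVI{gid} has no ip address")
        if len(members) != 2:
            findings.append(f"bridge-group {gid}: expected 2 members, found {len(members)}")
            continue
        for key, label in (("security-level", "security levels"), ("vlan", "VLAN tags"),
                           ("mac-address", "MAC addresses"), ("nameif", "interface names")):
            values = [ifaces[m].get(key) for m in members]
            if None in values or values[0] == values[1]:
                findings.append(f"bridge-group {gid}: members need distinct {label}")
    return findings


if __name__ == "__main__":
    print(audit_bridge_groups(SAMPLE_CONFIG) or "configuration passes the design checks")
```

Feed it the output of `show running-config interface`; the same parser can be extended with the bridge groups of page 70 simply by adding their stanzas, since it keys everything on the bridge-group number.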

Page 71: Security & Virtualization in the Data Center

ASA Clustering Overview

•  Clustering is only supported on the 5580, 5585-X and 5500-X (the 5500-X supports clustering of two units)
•  The Cluster Control Link (CCL) is critical: without it no clustering can occur
•  A master is elected among the cluster members for configuration sync only; it has no bearing on packet flow through the cluster itself
•  New concept of "spanned port-channel", i.e. a port-channel configuration that is shared among the clustered ASAs
•  The cluster has the capacity to rebalance flows
•  Every flow in the cluster has an Owner and a Director, and possibly a Forwarder
•  The data plane of the cluster MUST use cLACP (spanned port-channel)

[Diagram: core and aggregation layers; the ASA cluster attaches its data plane to the aggregation Nexus pair via vPC 40, and the cluster members are interconnected by the Cluster Control Link]

Page 72: Security & Virtualization in the Data Center

Firewall Clustering: ASA Clustering to meet DC requirements

•  The Cluster Control Link shares state and connection information among cluster members
•  The cluster functions the same in either transparent or routed mode
•  Cluster members are used for north-south and east-west inspection and filtering
•  IPS relies on ASA clustering

[Diagram: physical layout with core and aggregation; a four-node ASA 5585 cluster in transparent mode hosts Context 1 and Context 2 and is joined by the Cluster Control Link; each flow has an Owner and a Director; Web Apps and Database zones run on the hypervisors]

Page 73: Security & Virtualization in the Data Center

Firewall Section Summary

•  Physical appliances and virtualized firewalls offer different options for security control in the DC
•  Virtual firewalls (multiple-context mode) are common for stateful control between VRFs and Nexus VDCs
•  A transparent mode (L2) firewall offers many benefits without the constraints of routed mode
   –  Routing protocols, multicast, IPsec, etc. can all traverse it
•  Use LACP for link aggregation in the DC
•  Firewall clustering offers higher throughput and asymmetric flow reassembly
•  Integration with emerging technologies, i.e. ACI

Page 74: Security & Virtualization in the Data Center

Appliances Summary

[Chart: FirePOWER appliance families (7010, 7020, 7030, 7050, 7110, 7115, 7120, 7125, AMP 7150, 8120, 8130, 8140, AMP 8150, 8250, 8350, 8360, 8370, 8390, plus SSL1500, SSL2000 and SSL8200) positioned against IPS throughput (440-byte HTTP) on a scale from 50 Mbps to 60 Gbps; all run NGIPS / App Control / NGFW / AMP]

All appliances include:
●  Integrated lights-out management
●  Sourcefire acceleration technology
●  LCD display

Page 75: Security & Virtualization in the Data Center

What platforms support the FirePOWER hardware module? Maximum AVC and IPS throughput

    Platform          NGFW throughput   Connections   Connections/s
    ASA 5585-SSP10    2 Gbps            500K          40,000
    ASA 5585-SSP20    3.5 Gbps          1 M           75,000
    ASA 5585-SSP40    6 Gbps            1.8 M         120,000
    ASA 5585-SSP60    10 Gbps           4 M           160,000

Positioning shown on the slide: Campus / Data Center and Enterprise Internet Edge.

Page 76: Security & Virtualization in the Data Center

Cisco Classic IPS Module in ASA

[Diagram: Data Center core layer; DC aggregation layer with ASA 5585 + NGIPS FirePOWER service module pairs, either HA Active/Standby or in a cluster; DC access layer; access and virtual access; virtual and physical servers]

Page 77: Security & Virtualization in the Data Center

Physical to Virtual Segmentation: VRF-VLAN-Virtual

[Diagram: Nexus 7K with a physical ASA in three contexts (CTX1, CTX2, CTX3), each bridging a VLAN pair (VLANx1/x2, VLANy1/y2, VLANz1/z2) with SGTs on each; virtual zones B and C are protected by ASAv/VSG and vIPS]

Segmentation Building Blocks
•  Merging physical and virtual infrastructure
•  Zones are used to define policy enforcement
•  Unique policies and traffic decisions applied to each zone
•  Physical infrastructure mapped per zone: VRF, Nexus Virtual Device Context, VLANs, SGT

Page 78: Security & Virtualization in the Data Center

Enhanced Visibility and Threat Defense for the Data Center

Page 79: Security & Virtualization in the Data Center

Security Model

The attack continuum:

    BEFORE      DURING      AFTER
    Control     Detect      Scope
    Enforce     Block       Contain
    Harden      Defend      Remediate

Across network, endpoint, mobile, virtual and cloud; point-in-time and continuous.

Page 80: Security & Virtualization in the Data Center


Detection is key to Respond and Recover

Source: Verizon 2012 Data Breach Investigation Report

Page 81: Security & Virtualization in the Data Center

Kill Chain: Post Breach

1. Command and Control
2. Reconnaissance
3. Propagation
4. Data Theft

[Diagram: the four post-breach stages against the network (routers, switches, firewall) and today's threat detection point products: firewall, IPS, web security, network AV, email security]

Page 82: Security & Virtualization in the Data Center

Scalable Network Defense

1. Command and Control
2. Reconnaissance
3. Propagation
4. Data Theft

[Diagram: the same four stages; threat detection point products (firewall, IPS, web security, network AV, email security) sit apart from the network itself (routers, switches, firewall)]

Page 83: Security & Virtualization in the Data Center

Scalable Network Defense

Today: Advanced Visibility & Investigation
•  Partner with Lancope to deliver NetFlow visibility and security intelligence
•  Enhance with identity, device and application awareness

[Diagram: the network (routers, switches, firewall) exports NetFlow for visibility; Cisco ISE adds identity and device context and Cisco ISR G2 + NBAR adds application awareness, alongside the threat detection point products (firewall, IPS, web security, network AV, email security)]

Page 84: Security & Virtualization in the Data Center

Cisco CTD Solution: Providing Scalable Visibility

Drilling into a single flow yields a plethora of information.

Page 85: Security & Virtualization in the Data Center

Flow-based Anomaly Detection

1. Collect & Analyze Flows
   •  Number of concurrent flows
   •  Packets per second
   •  Bits per second
   •  New flows created
   •  Number of SYNs sent
   •  Number of SYNs received
   •  Rate of connection resets
   •  Duration of the flow
   •  Time of day
   •  Over 80 other attributes
2. Establish Baseline of Behaviors
3. Alarm on Anomalies & Changes in Behavior

[Chart: per-host-group baselines and thresholds for Critical Servers, Exchange Server, Web Servers and Marketing, with an anomaly detected in host behavior where a host exceeds its group's threshold]
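The three steps above, worked as an added Python example that is not StealthWatch code: a baseline of one flow attribute (new flows created per interval) is computed per host group from constructed history, a per-group threshold is derived from it, and current samples that cross the threshold produce an alarm. The host group names match the slide's chart; the hosts, counter values and the tolerance of three standard deviations are assumptions of the example.

```python
"""Flow-based anomaly detection: baseline, then alarm on deviation.

Added example (not StealthWatch code): for each host group, a baseline of a
flow counter (here new flows created per 5-minute interval) is built from
historical samples, a threshold is derived from the baseline, and current
samples that exceed it raise an alarm. Host groups, hosts and counter values
below are constructed for the example.
"""
from statistics import mean, pstdev

# Constructed history: new flows created per 5-minute interval, per host group.
HISTORY = {
    "Critical Servers": [40, 42, 38, 45, 41, 39, 44, 40],
    "Exchange Server":  [300, 320, 310, 295, 305, 315, 300, 310],
    "Web Servers":      [1200, 1300, 1250, 1180, 1220, 1270, 1310, 1240],
    "Marketing":        [60, 55, 70, 65, 58, 62, 68, 61],
}

# Constructed current interval: (host group, host, new flows created).
CURRENT = [
    ("Critical Servers", "10.10.10.5", 43),
    ("Exchange Server", "10.10.20.7", 312),
    ("Web Servers", "10.10.30.9", 1280),
    ("Marketing", "10.10.101.118", 2400),   # a desktop suddenly creating many flows
]


def baseline(samples, tolerance=3.0, floor=0.25):
    """Return (mean, threshold). The threshold is mean + tolerance*stddev, but never
    less than mean*(1+floor), so a perfectly flat history is not a hair trigger."""
    mu = mean(samples)
    sigma = pstdev(samples)
    return mu, max(mu + tolerance * sigma, mu * (1 + floor))


def detect_anomalies(history, current, tolerance=3.0):
    """Return alarms as (host group, host, observed, threshold, percent of baseline)."""
    thresholds = {group: baseline(samples, tolerance) for group, samples in history.items()}
    alarms = []
    for group, host, observed in current:
        if group not in thresholds:
            continue                      # no baseline yet: nothing to compare against
        mu, limit = thresholds[group]
        if observed > limit:
            alarms.append((group, host, observed, round(limit, 1), round(100 * observed / mu)))
    return alarms


if __name__ == "__main__":
    for alarm in detect_anomalies(HISTORY, CURRENT):
        print("Anomaly detected in host behavior:", alarm)
```

The floor matters in practice: a server group whose history is almost constant would otherwise alarm on a change of a few flows, which is why the baseline is widened to a fraction of the mean as well as a number of standard deviations.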

Page 86: Security & Virtualization in the Data Center

Behavior-Based Attack Detection

A high Concern Index indicates a significant number of suspicious events that deviate from established baselines.

    Host Groups   Host            CI            CI%     Alarms               Alerts
    Desktops      10.10.101.118   865,645,669   8,656%  High Concern Index   Ping, Ping_Scan, TCP_Scan

Page 87: Security & Virtualization in the Data Center

StealthWatch Solution Components

[Diagram: the Cisco network exports NetFlow (including NSEL from the ASA and NBAR application data) to the StealthWatch FlowCollector; a StealthWatch FlowSensor and FlowSensor VE generate NetFlow where the network itself cannot; Cisco ISE supplies users/devices; the StealthWatch FlowReplicator fans NetFlow out to other tools/collectors; the StealthWatch Management Console sits on top]

Page 88: Security & Virtualization in the Data Center

Cyber Threat Defence in the Data Center

Data Center Best Practices:
§  Very high volume of traffic: size the FlowCollector accordingly
§  With asymmetric traffic, all devices should send to the same collector
§  SGTs can be reported and seen via ISE
§  Position the collectors at choke points to have full visibility of traffic
§  Monitor the entrance to the DC with the N7K or ASA
§  Monitor virtual traffic with the Nexus 1000V or the FlowSensor VE
§  Best practice is to offload NetFlow generation to external FlowSensors rather than doing it directly on the devices, to preserve their performance

Page 89: Security & Virtualization in the Data Center

Cisco NetFlow Generation Appliance (NGA)

[Diagram: a data center switch feeds the Cisco NGA via SPAN or passive tap; the NGA exports NetFlow to the StealthWatch FlowCollector, which reports to the StealthWatch Management Console over HTTPS]

§  Offloads NetFlow generation to a dedicated high-performance appliance
§  End-to-end flow information collected across multiple network observation points using SPAN and passive TAP
§  Up to 6 export destinations
•  4x10G monitoring interfaces
•  80M active flow cache
•  Targets 200K flow records exported per second

NGA: very high volume; fewer boxes and a more centralized deployment
FlowSensor: less scalable, but more capabilities such as deep packet inspection and URL data

Page 90: Security & Virtualization in the Data Center

Scalability

Flow exporters
    Physical: routers, switches, firewall; StealthWatch FlowSensor
    Virtual: FlowSensor VE; Nexus 1000v
Flow collectors
    StealthWatch FC for NetFlow: up to 2000 exporters and/or 120,000 flows per second per collector
    Up to 25 collectors per StealthWatch System: 3 million flows per second scalability
Management and reporting
    StealthWatch Management Console: x2, full redundancy between primary and secondary
    User interface: customizable views for everyone (Virtualization, Network and Security teams)

Page 91: Security & Virtualization in the Data Center

NetFlow Security Use Cases

§  Identifying BotNet Command & Control Activity. BotNets are implanted in the enterprise to execute commands from their bot herders: sending spam, launching denial of service attacks, or other malicious acts.
§  Detecting Sophisticated and Persistent Threats. Malware that makes it past perimeter security can remain in the enterprise as a lurking threat, waiting to strike. These may be zero-day threats that do not yet have an antivirus signature, or may be hard to detect for other reasons.
§  Finding Internally Spread Malware. Malware can proliferate across hosts inside the network to gather reconnaissance data, exfiltrate data or plant network backdoors.
§  Uncovering Network Reconnaissance. Some attacks probe the network looking for attack vectors to be used by custom-crafted cyber threats.
§  Revealing Data Loss. Code can be hidden in the enterprise to export sensitive information back to the attacker. This data leakage may occur rapidly or over time.

Page 92: Security & Virtualization in the Data Center

Detecting Command and Control

Periodic "phone home" activity

NetFlow: what to analyze?
•  Countries
•  Applications
•  Upload/download ratio
•  Time of day
•  Repeated connections
•  Beaconing: repeated dead connections
•  Long-lived flows
•  Known C&C servers

StealthWatch method of detection: Host Lock Violation, Suspect Long Flow, Beaconing Host, SLIC Reputation Feed
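Three of the indicators above, worked as an added Python example that is not StealthWatch code: beaconing (repeated connections from one host to one server at regular intervals, most of them dead, i.e. the server sends nothing back), suspect long flows, and destinations matching a reputation list of known C&C servers. The flow records and thresholds are constructed; the reputation list is a stand-in for the SLIC feed and contains only the C&C address quoted in the alarm on the next page.

```python
"""Detecting command and control from flow records.

Added example, not StealthWatch code. It applies three of the checks listed on
the slide to flow records: beaconing (a host repeatedly opening connections to
the same server at regular intervals, most of them dead), suspect long flows,
and matches against a reputation list of known C&C servers. Flow records, the
reputation list and all thresholds are constructed for the example.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed reputation feed (stand-in for SLIC): the C&C address from the slide's alarm.
KNOWN_CNC = {"209.190.85.12"}

# Constructed flow records: (start seconds, src, dst, dst port, bytes out, bytes in, duration s).
FLOWS = (
    # 10.10.101.118 phones home every 300 s and the server never answers: beaconing
    [(t, "10.10.101.118", "203.0.113.7", 443, 180, 0, 1) for t in range(0, 3600, 300)]
    # ordinary browsing: irregular timing, data comes back
    + [(5, "10.10.101.50", "198.51.100.20", 80, 900, 45000, 3),
       (140, "10.10.101.50", "198.51.100.20", 80, 1100, 62000, 4),
       (2000, "10.10.101.50", "198.51.100.20", 80, 800, 38000, 2),
       (2600, "10.10.101.50", "198.51.100.20", 80, 950, 51000, 3)]
    # one connection kept open for eight hours: suspect long flow
    + [(100, "10.10.20.7", "198.51.100.99", 8443, 5_000_000, 40_000, 8 * 3600)]
    # a single connection to a listed C&C server on port 80
    + [(700, "10.10.101.30", "209.190.85.12", 80, 400, 0, 1)]
)


def detect_beaconing(flows, min_connections=6, max_jitter=0.2, dead_ratio=0.8):
    """Group flows by (src, dst, port); alarm when there are enough connections, the
    inter-arrival times are regular (stddev/mean below max_jitter) and most are dead."""
    groups = defaultdict(list)
    for start, src, dst, port, _bytes_out, bytes_in, _duration in flows:
        groups[(src, dst, port)].append((start, bytes_in))
    alarms = []
    for (src, dst, _port), conns in groups.items():
        if len(conns) < min_connections:
            continue
        starts = sorted(start for start, _ in conns)
        gaps = [later - earlier for earlier, later in zip(starts, starts[1:])]
        jitter = pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else float("inf")
        dead = sum(1 for _, bytes_in in conns if bytes_in == 0) / len(conns)
        if jitter <= max_jitter and dead >= dead_ratio:
            alarms.append(("Beaconing Host", src, dst, round(mean(gaps))))
    return alarms


def detect_long_flows(flows, max_duration=6 * 3600):
    """Suspect Long Flow: any single flow alive longer than max_duration seconds."""
    return [("Suspect Long Flow", src, dst, duration)
            for _s, src, dst, _p, _o, _i, duration in flows if duration > max_duration]


def detect_known_cnc(flows, reputation=KNOWN_CNC):
    """Bot Infected Host - Attempted C&C Activity: the destination is on the reputation list."""
    return [("Attempted C&C Activity", src, dst, port)
            for _s, src, dst, port, _o, _i, _d in flows if dst in reputation]


def detect_command_and_control(flows):
    return detect_beaconing(flows) + detect_long_flows(flows) + detect_known_cnc(flows)


if __name__ == "__main__":
    for alarm in detect_command_and_control(FLOWS):
        print(*alarm)
```

The beaconing check deliberately needs both regularity and dead connections: regular polling of a healthy internal service also has low jitter, but it returns data, so it does not trip the alarm.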

Page 93: Security & Virtualization in the Data Center

Detecting Command and Control

Alarm indicating communication with known BotNet controllers, showing the source IP address and username, the target that triggered the alarm, and the details:

    Start Active Time:   Dec 11, 2012
    Alarms:              Bot Infected Host - Attempted C&C Activity
    Source User Name:    John Chambers
    Source:              1.1.1.1
    Source Host Groups:  Sales and Marketing, Atlanta, Desktops
    Target:              node1.bytecluster.com (209.190.85.12)
    Target Host Groups:  Optima, United Kingdom
    Details:             Attempted communication was detected between this inside host and C&C server using port 80 and the TCP protocol

Page 94: Security & Virtualization in the Data Center

Identifying Reconnaissance Activity

Long and slow activity to discover resources and vulnerabilities

What to analyze:
•  High number of flows
•  High client byte ratio
•  One-way or unanswered flows
•  Flows within the subnet/host group
•  Flows to non-existent IPs
•  Flow patterns
•  Abnormal behaviour

StealthWatch method of detection: Concern Index, High Traffic, High Connections, Trapped Hosts

Page 95: Security & Virtualization in the Data Center

Identifying Reconnaissance Activity

A high Concern Index indicates a significant number of suspicious events that deviate from established baselines.

    Host Groups   Host            CI            CI%     Alarms               Alerts
    Desktops      10.10.101.118   865,645,669   8,656%  High Concern Index   Ping, Ping_Scan, TCP_Scan

Page 96: Security & Virtualization in the Data Center

Identifying Malware Propagation

Discovered host answers and vulnerability exploited

What to analyze:
•  High number of flows
•  High client byte ratio
•  Connections within the subnet/host group
•  Flow patterns
•  Abnormal behaviour

StealthWatch method of detection: Concern Index, Target Index, Scanning Alarms, Touched Host, Worm Propagation Alarm, Worm Tracker

Page 97: Security & Virtualization in the Data Center

Infection Tracking

Initial infection, then secondary infection, then tertiary infection
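Pages 94 to 97 describe reconnaissance, propagation and infection tracking as three views of the same flow data. The following added Python example (not StealthWatch code) implements simplified versions of the three mechanisms named: a Concern Index accumulated per source host from one-way flows, flows to non-existent addresses and fan-out within the subnet; a Target Index counting how many scanners touched each host; and a worm tracker that links a host which was touched, answered, and then began scanning itself back to the host that touched it, yielding the initial, secondary and tertiary infections. Hosts, flows, scoring weights and the Concern Index threshold are constructed.

```python
"""Reconnaissance, malware propagation and infection tracking from flows.

Added example, not StealthWatch code. A per-host Concern Index is accumulated
from scan-like events (one-way flows, flows to addresses that do not exist,
fan-out to many hosts in the same /24); a Target Index counts how many scanners
touched each host; and a worm tracker links a scanned host that later starts
scanning itself to the host that touched it. Inventory, flows and weights are
constructed for the example.
"""
from collections import defaultdict

# Constructed inventory: the addresses that actually exist in 10.10.101.0/24.
LIVE_HOSTS = {f"10.10.101.{i}" for i in (10, 20, 30, 40, 118, 130)}

# Constructed flow records: (time, src, dst, dst port, bytes returned by dst).
FLOWS = (
    # 10.10.101.118 sweeps the subnet; most targets do not exist or do not answer
    [(t, "10.10.101.118", f"10.10.101.{i}", 445, 0) for t, i in enumerate(range(1, 60))]
    # ...but 10.10.101.30 answers: discovered host, vulnerability exploited
    + [(60, "10.10.101.118", "10.10.101.30", 445, 2048)]
    # 10.10.101.30 then starts its own sweep (secondary infection) and reaches .130
    + [(100 + t, "10.10.101.30", f"10.10.101.{i}", 445, 0) for t, i in enumerate(range(60, 120))]
    + [(170, "10.10.101.30", "10.10.101.130", 445, 2048)]
    # 10.10.101.130 sweeps as well (tertiary infection)
    + [(200 + t, "10.10.101.130", f"10.10.101.{i}", 445, 0) for t, i in enumerate(range(131, 191))]
    # ordinary file-server traffic: answered, few destinations
    + [(300, "10.10.101.10", "10.10.101.20", 445, 90000), (310, "10.10.101.20", "10.10.101.10", 445, 50000)]
)

WEIGHTS = {"one_way": 1, "nonexistent": 3, "fan_out": 2}   # constructed scoring weights


def concern_index(flows, live_hosts=LIVE_HOSTS, fan_out_limit=10):
    """Points per source host for one-way flows, flows to non-existent addresses,
    and fan-out (distinct destinations above fan_out_limit within the source's /24)."""
    ci = defaultdict(int)
    fan_out = defaultdict(set)
    for _t, src, dst, _port, bytes_in in flows:
        if bytes_in == 0:
            ci[src] += WEIGHTS["one_way"]
        if dst not in live_hosts:
            ci[src] += WEIGHTS["nonexistent"]
        if dst.rsplit(".", 1)[0] == src.rsplit(".", 1)[0]:
            fan_out[src].add(dst)
    for src, dsts in fan_out.items():
        if len(dsts) > fan_out_limit:
            ci[src] += WEIGHTS["fan_out"] * (len(dsts) - fan_out_limit)
    return dict(ci)


def scanners(flows, ci_threshold=50):
    """Hosts whose Concern Index crosses the (constructed) alarm threshold."""
    return {host for host, score in concern_index(flows).items() if score >= ci_threshold}


def target_index(flows, scanning_hosts):
    """Touched hosts: how many distinct scanners reached each destination."""
    touched = defaultdict(set)
    for _t, src, dst, _port, _bytes_in in flows:
        if src in scanning_hosts:
            touched[dst].add(src)
    return {dst: len(srcs) for dst, srcs in touched.items()}


def worm_tracker(flows):
    """Return {'initial': [...], 'chain': {host: infected_by}}. A scanner that was
    touched by another scanner, answered it, and only afterwards began scanning
    is treated as a propagation hop from the host that touched it."""
    scanning_hosts = scanners(flows)
    first_scan = {}
    for t, src, _dst, _port, bytes_in in sorted(flows):
        if src in scanning_hosts and bytes_in == 0 and src not in first_scan:
            first_scan[src] = t
    chain = {}
    for t, src, dst, _port, bytes_in in sorted(flows):
        if (src in scanning_hosts and dst in scanning_hosts and bytes_in > 0
                and dst not in chain and t < first_scan.get(dst, float("inf"))):
            chain[dst] = src
    roots = sorted(host for host in scanning_hosts if host not in chain)
    return {"initial": roots, "chain": chain}


if __name__ == "__main__":
    print(worm_tracker(FLOWS))
```

Walking the chain from the initial infection gives the same picture as the slide's Infection Tracking view: 10.10.101.118 infects 10.10.101.30, which infects 10.10.101.130.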

Page 98: Security & Virtualization in the Data Center

Detecting Data Loss

Data is exported off the resource, or an intermediary resource is used to obfuscate the theft

What to analyze:
•  Historical data transfer behaviour
•  Applications
•  Time of day
•  Countries
•  Amount of data, single and in aggregate
•  Time frames
•  Asymmetric traffic patterns
•  Traffic between functional groups

StealthWatch method of detection: Suspect Data Loss Alarm, Suspect Long Flow Alarm, Beaconing Host Alarm
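The Suspect Data Loss check above, worked as an added Python example that is not StealthWatch code: each inside host's bytes sent to outside addresses over a window are summed and compared with that host's historical daily upload baseline; when the limit is crossed, large inside-to-inside transfers into the uploading host within the same window are reported as the likely origin, which covers the intermediary case. Host groups, history, flows and the 10.0.0.0/8 inside range are constructed.

```python
"""Detecting data loss: aggregate outbound volume against a historical baseline,
and follow the data back through an internal intermediary.

Added example, not StealthWatch code. Each inside host's bytes sent to outside
addresses are summed per window and compared with that host's historical daily
baseline; crossing it raises Suspect Data Loss. Because theft is often staged,
large inside-to-inside transfers into the uploading host in the same window are
reported as the likely origin. Host groups, history and flows are constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INSIDE = ip_network("10.0.0.0/8")          # constructed inside range

# Constructed functional groups for inside addresses.
HOST_GROUPS = {"10.10.101.118": "Desktops", "10.10.20.7": "Database", "10.10.30.9": "Web Servers"}

# Constructed history: bytes uploaded to the outside per day, per host.
HISTORY = {
    "10.10.101.118": [20e6, 25e6, 18e6, 30e6, 22e6, 27e6, 21e6],
    "10.10.20.7":    [1e6, 1.2e6, 0.9e6, 1.1e6, 1e6, 1.3e6, 1.1e6],
    "10.10.30.9":    [900e6, 950e6, 880e6, 1020e6, 910e6, 990e6, 930e6],
}

# Constructed flows for today's window: (src, dst, bytes sent by src).
FLOWS = [
    ("10.10.20.7", "10.10.101.118", 4_000_000_000),     # database pushes 4 GB to a desktop
    ("10.10.101.118", "198.51.100.77", 2_500_000_000),  # desktop uploads 2.5 GB outside
    ("10.10.101.118", "203.0.113.5", 1_400_000_000),    # ...and 1.4 GB to another outside host
    ("10.10.30.9", "198.51.100.20", 960_000_000),       # web server: normal daily volume
    ("10.10.101.118", "10.10.30.9", 50_000_000),        # desktop to web server, small
]


def is_inside(addr):
    return ip_address(addr) in INSIDE


def upload_limit(samples, tolerance=3.0, floor=2.0):
    """Baseline: mean + tolerance*stddev, but at least floor times the mean, so a
    quiet history still needs a real jump before alarming."""
    mu = mean(samples)
    return max(mu + tolerance * pstdev(samples), floor * mu)


def detect_data_loss(flows, history=HISTORY, groups=HOST_GROUPS):
    """Return Suspect Data Loss alarms. staged_from lists inside hosts (with their
    group) that pushed more bytes into the uploader than the uploader's own limit
    in the same window: the intermediary pattern."""
    outbound = defaultdict(int)
    inbound_internal = defaultdict(list)
    for src, dst, nbytes in flows:
        if is_inside(src) and not is_inside(dst):
            outbound[src] += nbytes
        elif is_inside(src) and is_inside(dst):
            inbound_internal[dst].append((src, nbytes))
    alarms = []
    for host, uploaded in outbound.items():
        if host not in history:
            continue                         # no baseline yet for this host
        limit = upload_limit(history[host])
        if uploaded <= limit:
            continue
        staged = [(src, groups.get(src, "unknown"), nbytes)
                  for src, nbytes in inbound_internal.get(host, []) if nbytes > limit]
        alarms.append({"alarm": "Suspect Data Loss", "host": host,
                       "group": groups.get(host, "unknown"), "uploaded": uploaded,
                       "limit": round(limit), "staged_from": staged})
    return alarms


if __name__ == "__main__":
    for alarm in detect_data_loss(FLOWS):
        print(alarm)
```

Note that the web server moves far more data than the desktop in absolute terms and raises nothing, because its history says that volume is normal for it; the desktop's 3.9 GB against a baseline of tens of megabytes is the alarm, and the 4 GB it received from the database server in the same window names the resource the data actually left.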

Page 99: Security & Virtualization in the Data Center

Looking at abnormal traffic

Page 100: Security & Virtualization in the Data Center

Looking at abnormal traffic

Page 101: Security & Virtualization in the Data Center

Summary

Provides rich context: unites NetFlow data with identity and application ID to provide security context.

Leverages the Cisco network for security telemetry: NetFlow-enabled Cisco switches and routers become security telemetry sources. Cisco is the undisputed market leader in hardware-enabled NetFlow devices.

Provides threat visibility and context: a single pane of glass that unifies threat detection, visibility, forensic analysis and reporting.

[Diagram: Cisco Network + Cisco ISE + Cisco ISR G2/ASR1k with NBAR + Cisco ASA feed NetFlow to the FlowSensor, FlowCollector and StealthWatch Management Console, answering Who, What, Where, When and How]

See also BRKSEC-2136: Preventing Armageddon

Page 102: Security & Virtualization in the Data Center

Summary

Page 103: Security & Virtualization in the Data Center

Summary

•  Virtual network services: extend policy, extend visibility, extend workflow
•  Leverage physical-to-virtual fabric services to create a unified policy
•  Assume both internal and external threats
•  ACI: automatically instantiate security services and policies right with the application flows

Defend, Detect, Control

Page 104: Security & Virtualization in the Data Center

Q&A


Page 105: Security & Virtualization in the Data Center