VSG-TDM

86
Virtual Security Gateway

Transcript of VSG-TDM

Page 1: VSG-TDM

Virtual Security Gateway

Page 2: VSG-TDM

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Presentation_ID 2 2

Agenda

• Nexus 1000V Overview
• Virtual Security Gateway (VSG) Overview
• VSG Policy Model
• VSG Packet Flow
• Virtual Network Management Center (VNMC)
• Deployment Scenario
• Use Case Example
• Summary

Page 3: VSG-TDM

Nexus 1000V

Page 4: VSG-TDM


Nexus 1000V Architecture

Figure: the Nexus 1000V compared with a modular switch. VSM-1 and VSM-2 (the Supervisor-1/Supervisor-2 equivalents, running in L2 mode or L3 mode) control VEM-1 … VEM-N on the ESX hosts (the Linecard-1 … Linecard-N equivalents, connected over a backplane). The VSMs run either as virtual appliances or on a Nexus 1010 (VSM-A1 … VSM-A4, VSM-B1 … VSM-B4).

VSM: Virtual Supervisor Module; VEM: Virtual Ethernet Module

• 200+ vEth ports per VEM
• 64 VEMs per 1000V
• 2K vEths per 1000V
• Multiple 1000Vs can be created per vCenter

Page 5: VSG-TDM

Embedding Intelligence for Virtual Services: vPath – Virtual Service Datapath

Figure: VEM-1 and VEM-2 on ESX hosts, each with vPath, controlled by VSMs (VSM-1 … VSM-4, L2 or L3 mode) that are hosted together with vWAAS and VSG on a Nexus 1010 virtual appliance.

vPath: Virtual Service Datapath; VSG: Virtual Security Gateway for 1000V; vWAAS: Virtual WAAS

Page 6: VSG-TDM

Nexus 1010 – hosting platform for services

Figure: same layout as the previous slide, with NAM and VSG instances alongside vWAAS and the VSMs (VSM-1 … VSM-4) on the Nexus 1010 virtual appliance, and vPath in VEM-1 and VEM-2.

vPath: Virtual Service Datapath; VSG: Virtual Security Gateway for 1000V; vWAAS: Virtual WAAS

*VSG on 1010 target: 2Q CY11

Page 7: VSG-TDM

Why 1000V?

Nexus 1000V Differentiators: Software Switch for VMware vSphere and vCloud Director

• Feature and operational consistency
  – NX-OS across physical and virtual networks (Nexus 7K/5K/2K/1KV)
  – Cisco CLI experience
  – Standards based, IEEE 802.1Q
• Advanced NX-OS switching features
  – Security, QoS, Monitoring, Management, …
• Non-disruptive administration
  – Network team manages the virtual network and creates port profiles
  – Server team assigns port profiles to VMs
• Intelligent integration with virtual services (vPath)
  – Transparent insertion (topology agnostic)
  – Efficient deployment – no need to deploy on every host
  – Dynamic policy-based operation
  – Performance acceleration

Page 8: VSG-TDM

Securing Virtual Desktops (VDI)

1000V Security Features for VDI
• Access Control List
• Port Security
• Private VLAN
• DHCP Snooping
• Dynamic ARP Inspection
• IP Source Guard

Figure: virtualized data center for VDI – desktop virtualization software, desktop OS and desktop applications on the hypervisor, with Nexus 1000V, a Nexus switch, WAAS and ACE in the path.

WAAS: Wide Area Application Service; ACE: Application Control Engine

Page 9: VSG-TDM

Securing Virtual Desktops (Use Case)

• Persistent virtual workspace for the doctor
• Flexible workspace for the doctor's assistant
• Maintain compliance while supporting IT consumerization

Figure: remote access via Cisco AnyConnect.

Page 10: VSG-TDM

Long Distance vMotion across 2 DCs: Nexus innovations – virtual to physical

• Network integrity is critical to long distance vMotion
  – Security
  – Quality of Service
  – Network Monitoring
  – Troubleshooting
• Nexus 1000V provides these critical network functions across data centers
• Layer-2 extension across DCs with Nexus 7K OTV

Figure: two data centers, each running vSphere behind Cisco Nexus 7000 Series switches, connected by OTV.

OTV: Overlay Transport Virtualization

QA validation: 2QCY11

Page 11: VSG-TDM

Quality of Service

• Provide bandwidth guarantee for up to 64 total queues on uplinks
• User-defined queues
• 8 predefined traffic classes for VMware and 1000V protocol traffic
• Queuing configured via modular QoS CLI (MQC)

Figure: example uplink bandwidth allocation across the classes vMotion, VM_Platinum, VM_Gold, Default, ESX_Mgmt and N1K_Control/N1K_Packet (shares shown: 20%, 30%, 15%, 5%, 15%, 15%).

Page 12: VSG-TDM

Nexus 1000V in Cisco Validated Solutions

Cisco's network-centric virtualized data center is best positioned to enable the journey to the networked cloud.

• Vblocks – Imagine: 30 racks reduced down to 3 racks; provisioning applications in hours instead of weeks
• Secure Multi-tenancy – Imagine: securely sharing servers between multiple users/groups without having to add another server
• Flexpod – Imagine: predesigned, validated, flexible infrastructure that can grow and scale to meet cloud computing requirements
• Virtual Desktop – Imagine: over 4000 desktops in a single rack! Savings up to 60+% per PC per year; significant savings in operations

Page 13: VSG-TDM

VSG Overview

Page 14: VSG-TDM

VSG: What Problem is Being Solved?

Figure: VMs (App/OS) on one host exchanging VM-to-VM traffic that never leaves the hypervisor.

• Control inter-VM traffic – address a new blind spot
• Enable dynamic provisioning
• Mobility-transparent enforcement
• VLAN-agnostic, policy-based operation
• Administrative segregation: Server • Network • Security

Page 15: VSG-TDM

Virtual Security Gateway: Virtual Firewall for Nexus 1000V

Figure: the Virtual Security Gateway (VSG) managed by the Virtual Network Management Center (VNMC).

• Context-aware security – VM context-aware rules
• Zone-based controls – establish zones of trust
• Dynamic, agile – policies follow vMotion
• Best-in-class architecture – efficient, fast, scale-out software
• Non-disruptive operations – the security team manages security
• Policy-based administration – central management, scalable deployment, multi-tenancy
• Designed for automation – XML API, security profiles

Page 16: VSG-TDM

Defense in Depth Security Model

Internet Edge (ASA 55xx)
• Filter external traffic
• Extensive app protocol support
• VPN access, threat mitigation

Internal Security (ASA 55xx, FWSM)
• Segment internal network
• Policy applied to VLANs
• Application protocol inspection
• Virtual contexts

Virtual Security (VSG)
• Policy applied to VM zones
• Dynamic, scale-out operation
• VM context-based controls

Page 17: VSG-TDM

VSG Deployment Requirements

• VMware vSphere 4.0+ and Virtual Center
• Nexus 1000V Series switch (1.4 or later) with vPath
• One (or more) active VSGs per tenant
• Virtual Network Management Center (VNMC)

Note: licensing is based on per protected CPU socket (same as Nexus 1000V). VSG can protect a subset of the 1000V-licensed CPUs.

Page 18: VSG-TDM

Multi-tenant Deployment

• Deployment granularity depends on the use case: tenant, VDC, vApp
• Multi-instance deployment provides horizontal scale-out

Figure: Tenant A and Tenant B on vSphere with Nexus 1000V and vPath; Tenant B is divided into VDC-1 and VDC-2, each containing vApps; everything is managed by the Virtual Network Management Center.

Page 19: VSG-TDM

Example: 3-tier Server Zones

Policy – Content Hosting (Tenant A; Web-zone, Application-zone, Database-zone):

• Permit only port 80 (HTTP) of web servers
• Permit only port 22 (SSH) to application servers
• Only permit web servers access to application servers
• Only permit application servers access to database servers
• Block all external access to database servers

Page 20: VSG-TDM

Virtual Security Gateway: Logical deployment like physical appliances

Figure: VMs on several hosts attached to the Nexus 1000V Distributed Virtual Switch; vPath in each host steers traffic to one VSG, which is managed by VNMC and reports to Log/Audit.

• Secure segmentation (VLAN agnostic)
• Efficient deployment (secure multiple hosts)
• Transparent insertion (topology agnostic)
• High availability
• Dynamic policy-based provisioning
• Mobility aware (policies follow vMotion)

Page 21: VSG-TDM

Virtual Security Gateway: Intelligent Traffic Steering with vPath

Figure: initial packet flow. vPath on the Nexus 1000V Distributed Virtual Switch redirects the first packet of a flow to the VSG; the figure numbers the steps 1–4: flow access control (policy evaluation) on the VSG, decision caching in vPath, and an access log entry (syslog) sent to Log/Audit. VNMC manages the VSG.

Page 22: VSG-TDM

Virtual Security Gateway: Performance Acceleration with vPath

Figure: the remaining packets of the flow are handled by vPath in the Nexus 1000V; the ACL is offloaded to the Nexus 1000V (policy enforcement), so these packets do not go to the VSG. VNMC and Log/Audit as before.

Page 23: VSG-TDM

vPath – Summary

• vPath is intelligence built into the Virtual Ethernet Module (VEM) of N1KV (1.4 and above)
• vPath has two main functions:
  a. Intelligent traffic steering to the VSG
  b. Offloading the processing from the VSG to the VEM
• Dynamic security policy provisioning (via security profile)
• vPath is multi-tenant aware
• Leveraging vPath enhances service performance by moving the processing into the hypervisor

Figure: Nexus 1000V VEM with vPath.

Page 24: VSG-TDM

VSG: Fixup Support

• vPath maintains the state of each flow after caching the decision (SYN, SYN-ACK, ACK, Established, etc.)
• Application-level protocol fixup (e.g. FTP), which dynamically allows additional connections, is accomplished by keeping the control connection in the VSG and NOT offloading it to vPath
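The steering, caching and fixup behaviour of the last few slides, as an added example that is not Cisco's, the VSG's or vPath's code: a toy Python model of vPath that redirects the first packet of a flow to a hypothetical VSG callback (toy_vsg, a stand-in for the VSG slow path), caches the decision together with coarse TCP state, keeps FTP control connections (port 21) on the VSG instead of offloading them, and lets the VSG pre-authorise the passive-mode data connection it sees announced on the control channel. The 5-tuple flow key, the pinhole representation, the permit list inside toy_vsg and all addresses are constructed for illustration.

```python
# Added example, not Cisco code: toy vPath with decision caching and FTP fixup.
# Flow key, pinhole format, VSG callback and addresses are all constructed.
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

FlowKey = Tuple[str, str, str, int, int]   # (proto, src_ip, dst_ip, src_port, dst_port)
Pinhole = Tuple[str, str, str, int]        # (proto, src_ip, dst_ip, dst_port); any src_port
Decision = Tuple[str, List[Pinhole]]       # ("permit" | "deny", extra flows the VSG allows)


def reverse(key: FlowKey) -> FlowKey:
    """Key of the same flow seen in the opposite direction."""
    return (key[0], key[2], key[1], key[4], key[3])


def next_state(state: str, flags: str) -> str:
    """Coarse TCP state tracking, as vPath keeps it after caching a decision."""
    if "R" in flags or "F" in flags:
        return "closing"
    if flags == "S":
        return "syn"
    if state == "syn" and flags == "SA":
        return "syn-ack"
    if state == "syn-ack" and "A" in flags:
        return "established"
    return state


@dataclass
class FlowEntry:
    action: str          # decision cached from the VSG
    state: str           # TCP state tracked by vPath
    offloaded: bool      # False: every packet still goes to the VSG (protocol fixup)


@dataclass
class VPath:
    vsg: Callable[[FlowKey, bytes], Decision]                 # hypothetical slow-path call into the VSG
    fixup_ports: Set[int] = field(default_factory=lambda: {21})  # control ports never offloaded
    table: Dict[FlowKey, FlowEntry] = field(default_factory=dict)
    pinholes: Set[Pinhole] = field(default_factory=set)
    vsg_calls: int = 0                                        # how often the slow path was taken

    def handle(self, key: FlowKey, flags: str = "", payload: bytes = b"") -> str:
        entry = self.table.get(key) or self.table.get(reverse(key))
        if entry is None:
            entry = self._first_packet(key, payload)
        elif not entry.offloaded:
            self._consult_vsg(key, payload, entry)   # fixup: the VSG keeps seeing the control channel
        entry.state = next_state(entry.state, flags)
        return entry.action

    def _first_packet(self, key: FlowKey, payload: bytes) -> FlowEntry:
        if (key[0], key[1], key[2], key[4]) in self.pinholes:
            entry = FlowEntry("permit", "new", True)   # pre-authorised data connection: fast path only
        else:
            entry = FlowEntry("deny", "new", key[4] not in self.fixup_ports)
            self._consult_vsg(key, payload, entry)    # slow path: policy evaluation on the VSG
        self.table[key] = entry
        return entry

    def _consult_vsg(self, key: FlowKey, payload: bytes, entry: FlowEntry) -> None:
        self.vsg_calls += 1
        entry.action, new_pinholes = self.vsg(key, payload)
        self.pinholes.update(new_pinholes)


FTP_SERVER, WEB_SERVER = "10.0.0.20", "10.0.0.30"       # constructed addresses
PASV_RE = re.compile(rb"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def toy_vsg(key: FlowKey, payload: bytes) -> Decision:
    """Stand-in for the VSG slow path: a fixed permit list plus the FTP fixup."""
    proto, src, dst, sport, dport = key
    if proto == "tcp" and 21 in (sport, dport) and FTP_SERVER in (src, dst):
        pinholes: List[Pinhole] = []
        m = PASV_RE.search(payload)   # "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
        if m:
            h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
            client = dst if sport == 21 else src
            pinholes.append((proto, client, f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))
        return "permit", pinholes
    if proto == "tcp" and dport == 80 and dst == WEB_SERVER:
        return "permit", []
    return "deny", []


def demo() -> Dict[str, object]:
    """Walk an FTP session and an unrelated SSH attempt through the toy vPath."""
    vp = VPath(toy_vsg)
    client, ctl = "10.0.0.10", ("tcp", "10.0.0.10", FTP_SERVER, 40000, 21)
    control = [vp.handle(ctl, "S"), vp.handle(reverse(ctl), "SA"), vp.handle(ctl, "A")]
    # the server announces passive data port 4*256+1 = 1025 on the control channel
    vp.handle(reverse(ctl), "A", b"227 Entering Passive Mode (10,0,0,20,4,1)\r\n")
    calls_after_control = vp.vsg_calls
    data = ("tcp", client, FTP_SERVER, 40001, 1025)
    data_actions = [vp.handle(data, "S"), vp.handle(reverse(data), "SA"), vp.handle(data, "A")]
    calls_after_data = vp.vsg_calls
    ssh = ("tcp", client, "10.0.0.40", 40002, 22)
    ssh_actions = [vp.handle(ssh, "S"), vp.handle(ssh, "S")]   # second SYN hits the cached deny
    return {"control": control, "data": data_actions, "ssh": ssh_actions,
            "data_state": vp.table[data].state,
            "calls_after_control": calls_after_control,
            "calls_after_data": calls_after_data, "calls_total": vp.vsg_calls}
```

Running demo() shows the trade-off the slides describe: every packet of the control connection costs a VSG round trip (four calls), while the pre-authorised data connection and the cached SSH deny cost none after their first packet, and vPath still tracks the data flow through SYN, SYN-ACK and ACK to the established state.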

Page 25: VSG-TDM

VSG: Application Layer Protocol Fixup (Example FTP)

Figure: VMs on the Nexus 1000V Distributed Virtual Switch with vPath; the FTP Control connection is steered through the VSG (managed by VNMC) and the FTP Data connection that the VSG dynamically allows is handled by vPath.

Page 26: VSG-TDM

(Repeat of the Page 25 figure.)

Page 27: VSG-TDM


VSG System Architecture

Page 28: VSG-TDM

VSG System Architecture

Figure: components and their interactions. VMware vCenter supplies VM Attributes to the Virtual Network Management Center (VNMC); the VSM exchanges Port Profiles with VNMC and provides the VM-to-IP Binding; VNMC pushes Security Profiles to the VSG (shown as VSN/VSG); on the ESX servers, vPath in the Nexus 1000V sends packets to the VSG on the slow path and forwards the remaining packets itself on the fast path.

Page 29: VSG-TDM

VSG System Architecture – Communication

Figure: the same components; VNMC talks to VMware vCenter over the SOAP/HTTPS API and to the VSM and the VSG over XML/HTTPS on encrypted channels (carrying Security Profiles, Port Profiles, VM Attributes and the VM-to-IP Binding); vPath in the Nexus 1000V on the ESX servers sends packets to the VSG (VSN/VSG) on the slow path and forwards packets on the fast path.

Page 30: VSG-TDM

System Interactions: VNMC – vCenter Communication

• VNMC communicates with vCenter over the VIM API
• VNMC gets visibility into the vCenter VM attributes to use in the security policy

Figure: VNMC connects to vCenter, the 1000V VSM and the VSG over the L3 network using SSL (443); the VSM reaches the 1000V VEM over L2 or L3; vPath in the VEM reaches the VSG over the L2 Service VLAN.

VIM: VMware Infrastructure Methodology

Page 31: VSG-TDM

System Interactions: VNMC – VSG Communication

• VSG and VNMC communicate over secure layer 3 (SSL) with a pre-shared key
• VNMC publishes device and security policies to the tenant VSGs

Figure: same connectivity diagram as the previous slide (SSL (443) over L3 from VNMC to vCenter, VSM and VSG; L2 Service VLAN between the VEM/vPath and the VSG).

Page 32: VSG-TDM

System Interactions: VNMC – VSM Communication

• VNMC and VSM communicate over secure layer 3 (SSL) with a pre-shared key
• VSM provides the VM-to-IP mapping to VNMC

Figure: same connectivity diagram as the previous slides.

Page 33: VSG-TDM

System Interactions: VSG – VEM Communication

• VEM communicates with VSG over the layer 2 Service VLAN
• vPath redirects the data traffic over the Service VLAN
• The policy result is sent to vPath (VEM) by the VSG

Figure: same connectivity diagram as the previous slides.

Page 34: VSG-TDM


VSG Security Policy Model

Page 35: VSG-TDM

VSG Policy Model

Figure: a Security Policy is built from Network Attributes, VM Attributes and Custom Attributes, and from Zones.

Security Policy is applied per Port-Profile (Port Group)

Page 36: VSG-TDM

Security Policy Building Block

Security Profile
  • Policy Set
    • Policy 1: Rule 1, Rule 2, … Rule N
    • Policy 2: Rule 1, Rule 2, … Rule N
    • Policy N: Rule 1, Rule 2, … Rule N

Rule is analogous to an ACE; Policy is analogous to an ACL

Page 37: VSG-TDM

VSG Policy: Rule (ACE) Construct

Rule = Source Condition + Destination Condition + Action

Condition = Attribute Type (Network, VM or Custom) + attribute + operator

VM Attributes: Instance Name, Guest OS full name, Zone Name, Parent App Name, Port Profile Name, Cluster Name, Hypervisor Name

Network Attributes: IP Address, Network Port

Operators: eq, neq, gt, lt, range, not-in-range, prefix

Operators: member, not-member, contains

Page 38: VSG-TDM

(Repeat of the Page 37 slide.)

Page 39: VSG-TDM

VSG – Use Case 1a: Access Policy based on Network Attributes

Figure: access policy on network attributes – allow ping between 192.168.1.1 and 192.168.1.2 through the VSG.

Page 40: VSG-TDM

Use Case 1a: Simple Rule

Figure: a rule made of Source Condition, Destination Condition and Action.

• Rule leveraging a network attribute to allow communication between Server A and Server B

Page 41: VSG-TDM

VSG – Use Case 1b: Access Policy based on VM Attributes

Figure: access policy on VM attributes – allow ping between WebServer and Database Server through the VSG.

Page 42: VSG-TDM

Use Case 1b: Simple Rule

Figure: a rule made of Source Condition, Destination Condition and Action.

• Rule leveraging a VM attribute to allow communication between Server A and Server B

Page 43: VSG-TDM

VSG – Use Case 1c: Access Policy based on Zones

Figure: zone-based access policy – allow ping between the Web Server Zone and the Database Server Zone through the VSG.

Page 44: VSG-TDM

VSG – Use Case 1c: Defining the Zones

• Zones are defined by a condition leveraging the attributes, e.g. Network, VM or Custom Attributes

Page 45: VSG-TDM

Use Case 1c: Simple Rule with Zones

Figure: a rule made of Source Condition, Destination Condition and Action.

• Rule leveraging a zone to allow communication between Server A and Server B

Page 46: VSG-TDM

Use Case 2: Content Hosting Policy

Policy – Content Hosting (Web-zone, Application-zone, Database-zone):

• Permit only port 80 (HTTP) of web servers
• Permit only port 22 (SSH) to application servers
• Only permit web servers access to application servers
• Only permit application servers access to database servers
• Block all external access to database servers

Page 47: VSG-TDM

Use Case 2: Policy Rules with Zones

• Leveraging zones in rule conditions

Figure: VM attribute example (VNMC screenshot).
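As an added example (not VNMC or VSG code) of the policy model on the preceding slides and of the Use Case 2 content hosting policy: a small Python evaluator in which zones are defined by attribute conditions, a rule carries source and destination conditions plus an action, a policy is an ordered list of rules (the ACL), a policy set groups policies, and a security profile carries the set with a default action. The attribute names (ip, port, instance_name, port_profile), the operator semantics, the "drop" default and the tenant data are constructed; a VM's computed zone set stands in for the Zone Name attribute, and the evaluation goes slightly beyond the slide by letting a VM sit in several zones at once.

```python
# Added example, not Cisco code: toy evaluator for the VSG zone/rule/policy model.
# Attribute names, operator semantics and the tenant data are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Any, Dict, List, Tuple

Endpoint = Dict[str, Any]   # network and VM attributes of one side of a flow


def _member(value: Any, allowed: Any) -> bool:
    # multi-valued attributes (the computed zone set) match if any value is allowed
    values = value if isinstance(value, (set, frozenset, list, tuple)) else [value]
    return any(v in allowed for v in values)


OPERATORS = {   # the two operator groups listed on the rule construct slide
    "eq": lambda v, a: v == a,
    "neq": lambda v, a: v != a,
    "gt": lambda v, a: v > a,
    "lt": lambda v, a: v < a,
    "range": lambda v, a: a[0] <= v <= a[1],
    "not-in-range": lambda v, a: not (a[0] <= v <= a[1]),
    "prefix": lambda v, a: ip_address(v) in ip_network(a),
    "member": _member,
    "not-member": lambda v, a: not _member(v, a),
    "contains": lambda v, a: a in v,
}


@dataclass
class Condition:
    attr: str       # "ip", "port", "instance_name", "port_profile", "zone", ...
    op: str
    arg: Any

    def matches(self, ep: Endpoint) -> bool:
        if self.attr not in ep:          # unknown attribute (e.g. an external host): no match
            return False
        return OPERATORS[self.op](ep[self.attr], self.arg)


@dataclass
class Zone:                               # membership = all conditions hold
    name: str
    conditions: List[Condition]


@dataclass
class Rule:                               # analogous to an ACE
    name: str
    src: List[Condition]                  # empty list = any source
    dst: List[Condition]
    action: str                           # "permit" or "drop"


@dataclass
class Policy:                             # analogous to an ACL: ordered rules
    name: str
    rules: List[Rule]


@dataclass
class SecurityProfile:                    # what the VSM binds to a port profile
    name: str
    policy_set: List[Policy]
    default_action: str = "drop"


def classify(ep: Endpoint, zones: List[Zone]) -> Endpoint:
    """Return a copy of ep with its 'zone' attribute computed; a VM may be in several zones."""
    ep = dict(ep)
    ep["zone"] = {z.name for z in zones if all(c.matches(ep) for c in z.conditions)}
    return ep


def evaluate(profile: SecurityProfile, zones: List[Zone], src: Endpoint, dst: Endpoint) -> Tuple[str, str]:
    """First matching rule across the policy set decides; otherwise the profile default applies."""
    src, dst = classify(src, zones), classify(dst, zones)
    for policy in profile.policy_set:
        for rule in policy.rules:
            if all(c.matches(src) for c in rule.src) and all(c.matches(dst) for c in rule.dst):
                return rule.action, f"{policy.name}/{rule.name}"
    return profile.default_action, "default"


# Constructed Tenant A data modelled on the content hosting policy of Use Case 2.
ZONES = [
    Zone("web-zone", [Condition("instance_name", "contains", "web")]),   # VM attribute
    Zone("app-zone", [Condition("port_profile", "eq", "app-tier")]),     # VM attribute
    Zone("db-zone", [Condition("ip", "prefix", "10.1.3.0/24")]),         # network attribute
]
CONTENT_HOSTING = Policy("content-hosting", [
    Rule("web-http", [], [Condition("zone", "member", {"web-zone"}), Condition("port", "eq", 80)], "permit"),
    Rule("web-to-app", [Condition("zone", "member", {"web-zone"})],
         [Condition("zone", "member", {"app-zone"}), Condition("port", "eq", 22)], "permit"),
    Rule("app-to-db", [Condition("zone", "member", {"app-zone"})],
         [Condition("zone", "member", {"db-zone"})], "permit"),
])   # no rule reaches the database from outside, so the profile default drops it
PROFILE = SecurityProfile("tenant-a-content-hosting", [CONTENT_HOSTING])


def demo() -> Dict[str, Tuple[str, str]]:
    """Evaluate a few constructed flows between an external host and the three tiers."""
    ext = {"ip": "203.0.113.5"}
    web = {"ip": "10.1.1.10", "instance_name": "web-01", "port_profile": "web-tier"}
    app = {"ip": "10.1.2.10", "instance_name": "app-01", "port_profile": "app-tier"}
    db = {"ip": "10.1.3.10", "instance_name": "db-01", "port_profile": "db-tier"}
    flows = {
        "ext->web:80": (ext, {**web, "port": 80}),
        "ext->web:22": (ext, {**web, "port": 22}),
        "web->app:22": (web, {**app, "port": 22}),
        "web->db:3306": (web, {**db, "port": 3306}),
        "app->db:3306": (app, {**db, "port": 3306}),
        "ext->db:3306": (ext, {**db, "port": 3306}),
    }
    return {name: evaluate(PROFILE, ZONES, s, d) for name, (s, d) in flows.items()}
```

Because the external host carries no VM attributes, every zone condition fails for it and it only ever matches the "any source" web-http rule; everything else it tries falls through to the profile default, which is how the slide's "block all external access to database servers" is realised without a rule of its own.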

Page 48: VSG-TDM

Policy: Trusted Zones

Figure: Tenant A protected by a VSG, with HR Zone, Finance Zone, QA Zone, Dev Zone and VDI Zone.

• Zoning classification
  – Based upon network/VM attributes
• Security policies can be defined on zones
  – Exterior security: External-to-Zone
  – Interior security: Zone-to-Zone and within-Zone
• Virtual machine(s) can belong to multiple zones

Page 49: VSG-TDM

Virtual Network Management Center (VNMC)

Page 50: VSG-TDM

Virtual Network Management Center (VNMC)

• VNMC is available as a virtual appliance
• Manages a multitenant environment
• XML APIs for 3rd-party management tool integration
• Provides a non-disruptive administration model

Page 51: VSG-TDM

Non-Disruptive Administration

Figure: Server Admin (vCenter, Port Group), Network Admin (Nexus 1KV, Port Profile) and Security Admin (VNMC, Security Profile).

Mitigate operational errors between teams:
• Security team defines security policies
• Networking team binds the port-profile to the VSG service profile
• Server team assigns VMs to Nexus 1000V port-profiles

Page 52: VSG-TDM

VNMC: Multitenant Org Structure

Figure: organization tree – Root > Tenant A, Tenant B (Tenant Level) > DC 1, DC 2, DC 3 (vDC Level) > App 1, App 2 (vApp Level) > Tier 1, Tier 2, Tier 3 (Tier Level).

• A single tenant can have up to 3 sub-levels of orgs
• Each sub-level can have multiple orgs
• Overlapping network addresses across tenants are supported

Page 53: VSG-TDM

VNMC: Multi-Tenant Management

• VSG enforcement can be applied at any level of the tenant "tree"
• Each tenant must have at least one active VSG
• VSG "CANNOT" manage across tenants

Page 54: VSG-TDM

VNMC: Administrative Roles

1. VNMC admin roles
2. Tenant-level access: tenant-level RBAC access for the security admin

Page 55: VSG-TDM

VNMC Administrative Access

• Integrated with LDAP to leverage AD credentials
• A user can be placed into a pre-defined role based on LDAP attributes

Page 56: VSG-TDM

VNMC Admin Access – Tenant Level

• The Locales option restricts the admin to tenant-level access

Page 57: VSG-TDM

VSG Deployment Scenario

Page 58: VSG-TDM

Deployment in Multitenant Environment

Figure: three vSphere hosts with vPath, each hosting VMs of Tenant A (Web Zone, App Zone) and Tenant B (Dev Zone, QA Zone); an active VSG for Tenant A and an active VSG for Tenant B, each with a standby VSG on a different host; VMware vCenter Server, the 1000V VSM and the Cisco Virtual Network Management Center Server are attached to the data center network.

Page 59: VSG-TDM

Deployment in Multitenant Environment (continued)

Figure: same as the previous slide.

• Security policies enforced on a shared compute environment
• vPath multitenant aware
• Active and standby VSGs on different physical hosts

Page 60: VSG-TDM

Deployment: VSGs on Dedicated Host

Figure: two vSphere hosts with vPath carry the Tenant A (Web Zone, App Zone) and Tenant B (Dev Zone, QA Zone) VMs; a third host with vPath is dedicated to the VSGs (A, A, B, B); VMware vCenter Server, the 1000V VSM and the Cisco Virtual Network Management Center Server are on the data center network.

Page 61: VSG-TDM

Deployment: VSGs on Dedicated Host – Active and Standby VSGs

Figure: same as the previous slide, with the active and standby VSGs of Tenant A and Tenant B on the dedicated host(s).

• Dedicated servers to host the VSG appliances
• Decouple the service from the compute resources
• Easy to scale out with dedicated hosting of the service

Page 62: VSG-TDM

VSG/VNMC Deployment Steps

Figure: VMware vCenter, VSM, Virtual Network Management Center (VNMC) and VSG, with the steps numbered 1–5.

1) Install VNMC
2) Register VNMC to vCenter
3) Register VSM to VNMC
4) Install VSG
5) Register VSG to VNMC

Note: vCenter, vSphere and Nexus 1000V (VSM & VEMs) are assumed to be already installed; the VSM can be a VM or run on a Nexus 1010

Page 63: VSG-TDM

Deployment Step 1: Install VNMC

• Install VNMC as a virtual appliance in vCenter
• Installed as an OVA or ISO image

Page 64: VSG-TDM

Deployment Step 2: Register VNMC

• Register the VNMC to vCenter
• vCenter extension file installed via the vCenter plug-in
• Similar to the VSM integration with vCenter

Page 65: VSG-TDM

Deployment Step 3: Register VSM

• Register VSM to VNMC via the Policy Agent
• VNMC gets the VM-to-IP mapping from the VSM

Figure: VNMC screenshots of the registration steps and the registration status.

Page 66: VSG-TDM

Deployment Step 4: Install VSG

• Install VSG as a virtual appliance in vCenter
• Installed as an OVA or ISO image

Page 67: VSG-TDM

Deployment Step 5: Register VSG

• Register VSG to VNMC via the Policy Agent
• Security and device policies are published to the VSG once it is registered to VNMC

NOTE: Registration is done as part of installing VSG via the OVA template

Figure: VNMC screenshots of the registration steps and the registration status.

Page 68: VSG-TDM


VSG High Availability (HA)

Page 69: VSG-TDM

VSG Solution – High Availability

Component | High Availability        | Behavior
VSG       | Active/Standby           | Standby VSG takes over within 6–10 seconds
VNMC      | VMware High Availability | Backup for hardware failures
VSM       | Active/Standby           | Standby VSM takes over within 6–10 seconds

Page 70: VSG-TDM

VSG Solution – High Availability: Head-less operation

Figure: the VSG system architecture (VMware vCenter, VSM, VNMC, VSN/VSG, ESX servers with Nexus 1000V and vPath, and the Security Profiles, Port Profiles, VM Attributes, VM-to-IP Binding, slow-path and fast-path interactions).

Head-less operation: vPath continues to enforce the security decisions on existing flows during temporary failures of vCenter, VNMC, VSM and/or VSG

Page 71: VSG-TDM

Performance/Scale

Feature                    | VSG                        | VNMC
Zones                      | 32                         | 4096
Access control rules       | 1024                       | 8192
Max attributes per rule    | 16                         | 16
Max concurrent connections | 128K in vPath, 256K in VSG | N/A
Max new connections/sec    | 4K                         | N/A
Max VSGs                   | N/A                        | 128
Max VSMs                   | N/A                        | 3
Max VCs                    | N/A                        | 2
Max tenants                | 1                          | 128
Max VMs                    | 300                        | 800–1000 (1600 vnics)
Host scalability           | 12 VEMs                    | N/A
Max security profiles      | 256                        | 2048

Page 72: VSG-TDM


VSG: Use Case

Page 73: VSG-TDM

Example: 3-tier Server Zones

Policy – Content Hosting (Web-zone, Application-zone, Database-zone):

• Permit only port 80 (HTTP) of web servers
• Permit only port 22 (SSH) to application servers
• Only permit web servers access to application servers
• Only permit application servers access to database servers
• Block all external access to database servers

Page 74: VSG-TDM

VSG Policy Provisioning Logical Flow

Figure: in VNMC – Define Zones → Define Policy → Policy Set → Create Security Profile → Assign Tenant VSG; on the VSM – bind the security profile to a Port Profile; in vCenter – the Port Profile appears as a PortGroup, and VMs attached to it receive protection.

Page 75: VSG-TDM

Security Policy Flow – Define Zones

Steps: 1 Zones, 2 Policies, 3 Rules, 4 Conditions, 5 Policy Set, 6 Security Profile, 7 Assign VSG, 8 Profile Binding

Policy Management > Firewall Policy > Tenant > Zones

Page 76: VSG-TDM

(Repeat of the Page 75 slide.)

Page 77: VSG-TDM

Security Policy Flow – Define Policy

Policy Management > Firewall Policy > Tenant > Policies

Page 78: VSG-TDM

Security Policy Flow – Rules Within Policy

Edit the Policy to create Rule(s) where source and destination conditions are specified based on

Page 79: VSG-TDM

Security Policy Flow – Conditions Within Rules

Page 80: VSG-TDM

Security Policy Flow – Assign Policies to Policy Set

One or more policies are assigned to the Policy Set

Page 81: VSG-TDM

Security Policy Flow – Security Profile

• Create the Security Profile at the tenant level
• Select from the available Policy Sets in the drop-down menu

Page 82: VSG-TDM

Security Policy Flow – Assign VSG to the Security Profile

Assign the VSG at the tenant level under Resource Management > Managed Resources > Virtual Security Gateways > Tenant (tree level) > VSG Details

Page 83: VSG-TDM

Security Policy Flow – Port Profile to Security Profile Binding

• Go to the VSM and, under the port profile, apply the security profile and define the tenant tree

Page 84: VSG-TDM

Security Policy Flow – vCenter: VM attach to a PortGroup (PortProfile)

Step 9: VM Port-Group Mapping

Page 85: VSG-TDM

Summary

• The Cisco N1KV switch is a required component to deploy VSG
• VSG leverages vPath technology on the VEM and is NOT required to be installed on every ESX host
• Non-disruptive administration model
• One or more active VSGs per tenant

Figure: hypervisor with Nexus 1000V and vPath.

Page 86: VSG-TDM
