Professional Documents
Culture Documents
• Contact information:
– David Anderson
– Solutions Architect
– Borderless Security team – US
– E-mail: dma1@cisco.com
• Focus areas:
– Data Center Security
– Virtualization
– Secure Mobility
– Security Design
– Compliance (PCI, Federal)
Takeaways
• To effectively integrate security must understand the core data
center fabric technologies and features: VDC, vPC, VRF, server
virtualization, traffic flows
• Security as part of the core design
• Designs to enforce microsegmentation in the data center
• Enforce separation of duties in virtualized and cloud environments
• Security to enforce continuous compliance
Secure Data Center
Virtual Device
Contexts
Fabric-Hosted
Storage
Virtualization Virtual Device
Contexts
Internet
IP-NGN
Service Profiles
Port Profiles & VN-
Virtual Machine Link
Application Control
Optimization (SLB+)
Port Profiles & VN-
Partners
Link Service Control
Fibre Channel
Forwarding
Fabric Extension
Secure Data Center Architecture
Application Virtual Storage Aggregation IP-NGN
VSwitch Compute Access Core Edge
Software Machines & SAN and Services Backbone
Virtual Device
Contexts
Firewall Services
Fabric-Hosted
Storage
Virtualization Intrusion Detection Virtual Device
Contexts
Internet
Storage Media Secure Domain
Encryption Routing
IP-NGN
Service Profiles
Port Profiles & VN- Port Profiles &
Link VN-Link
Virtual Machine
Optimization
Virtual Firewall
Edge and VM Partners
Fibre Channel
Forwarding
Application Control
(SLB+)
Service Control
Hypervisor Hypervisor
VLANs
VSN
Virtual Contexts
VSN
Hypervisor
VLANs
ASA 5585 Appliance
Virtual Contexts
MCEC MCEC
vPC vPC
EC EC
EC EC
Active Standby
Active Standby
Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential
ASA Integration with vPC & VSS
vPC VSS
peer link VSL
MCEC MCEC
vPC vPC
EC EC
EC EC
Active Standby
Active Standby
Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential
Virtualization Concerns
• Policy Enforcement
–Applied at physical server—not the individual VM
–Impossible to enforce policy for VMs in motion
ASA 1000V
VSN
VSN
Ingress/Egress multi-
Virtual Service Nodes tenant edge deployment
Cisco‘s Virtual Security Architecture
Orchestration / Cloud Portals
Virtual Network Management Center Extending existing operational
workflows to virtualized environments
VSG ASA 1000V
Extending network services to
virtualized environments
Extending networking to virtualized
environments
Nexus 1000V vPath
vPath— The intelligent virtual network
• vPath is intelligence build into Virtual Ethernet Module (VEM) of Nexus
1000V (1.4 and above)
• vPath has two main functions:
a. Intelligent Traffic Steering
b. Offload processing via Fastpath from virtual Service Nodes to VEM
• Dynamic Security Policy Provisioning (via security profile)
• Leveraging vPath enhances the service performance by moving the
processing to Hypervisor
vPath
Nexus 1000V-VEM
vPath: Fast Path Switching for Virtualization
VM VM VM VNMC
VM VM VM VM VM VM VM
VM VM VM VM VM VM VM VM VM
4
Nexus 1000V
vPath
Distributed Virtual Switch 3
Decision
Caching
ASA VSG
2 1000V
1
Initial Packet Flow Access Control
Flow (policy evaluation)
Cisco Virtual Security Gateway
Context aware
Security
VM context aware rules
Zone based
Virtual Controls Establish zones of trust
Security
Dynamic, Agile Policies follow vMotion
Gateway
(VSG) Best-in-class
Architecture Efficient, Fast, Scale-out SW
Non-Disruptive
Virtual Network Operations Security team manages security
Management Policy Based Central mgmt, scalable deployment,
Center Administration multi-tenancy
Designed for
(VNMC) Automation XML API, security profiles
Virtual Security Gateway
• Context based rule engine, where ACLs can be expressed
using any combination of network (5-tuple), custom and VM
attributes. It’s extensible so other types of context/attributes
can be added in future
• No need to deploy on every physical server (this is due to
1000V vPath intelligence)
• Hence can be deployed on a dedicated server, or hosted on a
Nexus 1010 appliance
• Performance optimization via enforcement off-load to 1000V
vPath
• High availability
ASA 1000v
• Runs same OS as ASA appliance and blade
port-profile vm180
vCenter API
vmware port-group pg180
switchport mode access
switchport access vlan 180
ip flow monitor ESE-flow input
ip flow monitor ESE-flow output
no shutdown
state enabled
interface Vethernet9
inherit port-profile vm180
interface Vethernet10
inherit port-profile vm180
Web App DB
Web App DB
Server Server server
Server Server server
Web
Client Web-zone Application-zone Database-zone
vApp
vSphere vSphere
Network Virtualization and Zones
Acme Co. - Control Traffic and Apply Policy per Zone
34
North-South Traffic with Network Virtualization
Internet
Physical ASA
Aggregation
VLAN 10 VLAN 20
ASA
Virtual Context
(Layer 2)
Access
vApp
vSphere vSphere
Microsegmenation:
Per Zone, Per VM, Per vNIC
Aggregation
VLAN 10 VLAN 20
IPSEC
Virtual ASA Virtual ASA
Zone B Zone C
Zone A
• Stateful filtering for VDC
Tenant B
VDC
ingress/egress for Zone. vApp
Near East: VSG
VSG • VM segmentation based on VSG
vApp
VM attributes or ACL
vPath
• Zone to zone can be
Nexus 1000V encrypted viasegmentation
IPSEC vPath
Demonstrable Nexus 1000V
vSphere
and encryption for vSphere
virtualization compliance
Segmentation of Production and Non-Production
Traffic
VMkernal
VSG
vEth vEth vEth vEth
Mgmt Storage
vPath
Production
Nexus 1000V ASA 1000V
ID:1
NetFlow
Nexus 1000V supports
SPAN
• NetFlow v9
• ERSPAN/SPAN monitor session 1 type erspan- Zone B Zone C
source
• Permit protocol type description N1k ERSPAN – session 1
header “0x88BE” for monitor session 3 type erspan- VDC VDC
destination vApp
ERSPAN GRE description N1k ERSPAN to NAM
• ERSPAN does not VSG
VSG
support fragmentation vApp
monitor session 2 type erspan-source
• 1000V requires Netflow description N1k ERSPAN –session 2
source interface monitor session 4 type erspan-
vPath
destination
Defaults to Mgmt0 description N1k ERSPAN to IDS1
Nexus 1000V
vSphere
Virtualization & Compliance:
PCI DSS 2.0 Guidance
• PCI security requirements apply to all ‗system
components.‘ All virtual components in scope
• System components are defined as:
– Any network component, server, or application that
All virtual communications
is included in or connected to the cardholder data and data flows must be identified and
environment. documented
– Virtualization components such as virtual machines,
virtual switches/routers, virtual appliances, virtual Virtualized environment must maintain
applications/desktops, and hypervisors. proper segmentation
• The cardholder data environment is that part of the
network that possesses cardholder data or sensitive Must meet intent of all 12 PCI
authentication data. requirements
• Adequate network segmentation, which isolates
VMkernal
systems that store, process, or transmit cardholder VSG
data from those that do not, may reduce the scope of vEth vEth vEth vEth
Mgmt Storage
the cardholder data environment.
Production
vPath
Nexus 1000V
Source PCI DSS 2.0 ASA
1000V
VMNIC 1 VMNIC 2 VMNIC 3 VMNIC 4
Design Details
Secure Data Center Reference Architecture
• 2x Nexus 7010s with VDCs (Core and Aggregation) (NX-OS 5.1(3))
• 2x Nexus 5Ks for top of rack
• 2x ASA 5585-60 with IPS
• 2x 6500-E with ASA-SMs
• 2x Virtual Security Gateway (VSG) in HA mode
• 2x Nexus 1000V with redundant VSMs
• Identity Services Engine (ISE) for 802.1x user AAA
• Standard VMWare ESXi Infrastructure with multiple service domains
(Active Directory, DNS, VDI, etc)
Traditional Model
• Services are Aggregated at the Distribution
Layer L3
• Single or Multi-Tenant zone based Routed
segmentation L2 Boundary Core L2 Boundary
• Virtual Context create security zones from the
DC edge to the Virtual Machine
• VRF->Firewall->VLAN->Virtual Switch->Virtual
Firewall->vNIC->VM
• EtherChannel and vPC provide loop-free
Layer 2 environment
• Visibility and control for vm-to-vm flows
ASA Details
v201 - Outside v205 – Service-Out
BVI-1 BVI-2
10.1.204.199
10.1.200.199
[Po1.204]
[Po1.200]
[Po1.201] [Po1.205]
v200 – Inside v204 – Service-In
channel-group 1 mode passive
5585-1 5585-2
Twain Voltaire
vPC10
vPC9
7k-1 7k-2
AGG- AGG-
VDC VDC Port Channel Load-Balancing Configuration:
channel-group 1 mode active System: src-dst ip
Secure Service Pod Model
• Services Pod centralizes security
services L3
• Traffic forwarded via service-specific Routed
VLANs Core
L2 Boundary
• Modules (Cat 6500) and appliances L2 Boundary
supported
• Highly scalable module design 1/
7
vPC2
vPC1
6506-1 6506-2
Catalyst 6500
ASA-SM
WestJet
ASA-SM
Airbus
Catalyst 6500
Channel-Group 1 mode on Channel-Group 2 mode on
ASA SM ASA SM
ASA SM Layer 2 and 3
v221 - Outside
VRF GW:
VRF ASA HA Pair 2 VRF 10.1.200.254
North South
ESX1 ESX2
ESX1 ESX2
vEth vEth
vEth vEth
VSM-2
HR Finance 192.168.100.51
Server #2 Server #1 Domain 1
HR Finance Server
10.1.200.5 10.1.200.100
Server #1 #2
1
10.1.200.50 10.1.200.101
Policy Hierarchy
VNMC Policy: Deny HR to Finance Requests
Policy Summary on VSG
ISE
RADIUS (Access Request)
EAPOL (dot1x)
10.1.204.126 RADIUS (Access Accept, SGT = 5)
6506
10.1.204.254
SG ACL Matrix
IP Address to SGT Mapping
HR
Nexus 7000 Server #1
Core VDC 10.1.200.254 10.1.200.50
Nexus 7000
Agg VDC
ASA
Finance ✓ Finance
VSG
Finance Server
#1
Finance HR 10.1.200.100
ISE Configuration Highlights
ISE
ISE Authentication
6506-2-airbus#sho authen sess int g3/1
Interface: GigabitEthernet3/1
MAC Address: 0027.0e15.578e
IP Address: 10.1.204.126
User-Name: finance1
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Catalyst Oper control dir: both
Authorized By: Authentication Server
6500 Vlan Policy: N/A
SGT: 0005-0
Session timeout: N/A
Idle timeout: N/A
ISE Common Session ID: 0A01CC950000000D0EDFC178
Acct Session ID: 0x0000001E
Handle: 0xC500000D
#CiscoPlusCA
We value your feedback.
Please be sure to complete the Evaluation Form for this session.