Cyber Security and the Evolving Datacenter · • Production-grade networking to containers running...
Copyright © Arista 2018. All rights reserved.
Cyber Security and the Evolving Datacenter: Segmenting PINs to PICs
Preface
• Who is Arista?
• Work with 3rd party best of breed partners
• Communication with customers and peers
• Foster Discussion
• Contact us to learn more
- Lindsay Clarke – Account Manager: [email protected]
- Rich Whitney – Engineering Manager: [email protected]
• *Vendors in this presentation are for reference only*
Arista PINs to PICs
Public Cloud
● Elastic demand-based service models
● Extremely agile
Challenge: Provider centric – hard to tie to on-premise DC architectures
Branch
● MPLS to IPSEC driven VPN architectures
● High vendor lock-in
Challenge: Too many competing and vendor proprietary niches (i.e., SD-WAN)
Private Cloud
● On-premise and/or hosted models
● Hypervisor centric
Challenge: Hard to integrate across hypervisor vendor platforms
Datacenter
● Open leaf & spine cloud networking
● Siloes breaking down
Challenge: Remaining legacy fabric hold-outs dying off
Silo Places in the Network (PINs) with Bolted After-Thoughts to Seamless and Secure Places-in-the-Cloud (PICs)
Secure Cloud Networking Goals
• Enable heterogeneous container deployments across virtual machines, bare-metal, and public or private clouds
• Production-grade networking to containers running on any platform – Docker Swarm, Kubernetes or OpenShift
• Ability to migrate containerized workloads to and between clouds
• Uniform way to connect, manage and secure micro-services in a multi-cloud deployment
• Provide application layer visibility in the public cloud and aggregate telemetry data
• Ability to secure traffic flows to/from or within micro-services (i.e. inter- and intra-VPC/VNet traffic) using the same security policy mechanism as the private cloud, independently of public cloud provider lock-in security mechanisms
• Automatically secure applications in the cloud based on consistent set of enforcement mechanisms
• Manage secure cloud using same security orchestration rules as private cloud
• Integrate with best-of-breed security management to orchestrate security with open API in any public or private cloud
• Reduce capex and opex costs of running a multi-cloud infrastructure
Arista EOS Use-cases
Data Center Spine
The spine runs BGP as its primary routing protocol. The network spine is provisioned to provide wire-speed connectivity with deep buffers to manage periods of sporadic congestion and incast. It is designed to be simple and thus highly available while allowing for routine network operations and change control via Smart System Upgrades.
TAP and Monitor Port Aggregation (Application Performance Monitor, IDS/IPS, Packet Monitor)
Each leaf switch and each spine switch connects to this switch with either one 10GbE or one 40GbE interface to simplify monitoring and troubleshooting as well as enabling APM and IDS systems to see any/all traffic as efficiently as possible.
Dual-Homed Leaf (MLAG Pair; Rack 1, Rack 2; Hosts)
The dual-homed compute leaf is usually provisioned with a 3:1 oversubscription ratio. Ensure a thorough understanding of the failover characteristics of the NIC redundancy plan here and deploy VARP for protocol-free first hop redundancy.
Data Center Interconnect Leaf (MLAG Pair, VTEP(s), VARP-FHRP; Edge Routers, External Network, MPLS Core, Metro A, Metro B)
The Data Center Interconnect Leaf serves as the gateway leaf to the Metro DC Pair, the MPLS network, and the Core to the remote Data Center. VXLAN is used as the L2 transport between the Metro pairs and in limited amounts across the Core Network.
Storage Leaf (Storage Devices: NAS, IP Storage, FC SAN, First Hop FCoE Switch)
The storage leaf is usually provisioned with a 1:1 oversubscription ratio when the storage is serving hosts connected to the compute leaves. Legacy Fibre Channel connections will remain in the MDS and connect to the IP Fabric through the storage leaf.
Services Leaf (MLAG Pair; Network Services: Checkpoint/PAN Firewalls, F5 Load balancer, Acceleration, etc.)
The services leaf is usually provisioned with an uplink capacity based on the throughput of the services connected to and through it. It is important to monitor both bandwidth and critical table utilization for shared services to ensure stable connectivity.
Management Leaf (MLAG Pair; Network Services: CVX, DHCP, ZTP/ZTR, Splunk)
The management leaf never needs much throughput, but does require maximum uptime and reliability to ensure the overall infrastructure stays available. Each service is detailed in the accompanying design document.
Internet DMZ (MLAG Pair; Edge Routers, External Network; Services: FW/LB/IPS...)
The DMZ terminates the Internet traffic on the external routers and connects up to a typical Leaf model leveraging services that are specific for the DMZ connectivity.
Programmable Underlay with EOS (diagram): Virtual and Physical Servers, Physical Firewalls & Storage, Compute MLAG Pair, all running EOS; CloudVision eXchange for Central Management and Monitoring Tools; SPINE, LEAF/TOR, SERVERS; DWDM MUX/DMUX between DC1 and DC2 (>3000 km with Amplification)
Universal Cloud Network; Data Center Interconnect; Macro Segmentation; IP Storage; Media; DANZ, LANZ and Tracers; NSX; Software Defined Data Center; Network Virtualization; IP Peering (ISP A, ISP B)
Arista EOS Use-cases: Routing focus
Diagram: Internet, Inter-DC WAN, Spine, Core, DCI, Transit, Public Peering, Cloud DCI, Universal Spine, Leaf, AS2906, AS8075, IX, IP Cloud network, Customer Edge, IX Cloud, DC1, DC2, WAN; BGP, VxLAN, EVPN
● Path computation
● IGP, BGP - Segment Routing
● Programmatic APIs
● ✗ MPLS TE signaling
Segment Routing reduces complexity and improves scale by offering intelligent source routing with globally optimized traffic engineering
Inter-DC Traffic
Arista EOS Use-cases: Arista Any Cloud Platform
Hybrid cloud, expanding seamlessly beyond the datacenter
Diagram: Private Cloud (DC Aggregation with Arista Universal Cloud Network), Cloud Exchange (Arista Router at Equinix), Public Cloud (vEOS Router in AWS, vEOS Router in Azure West, vEOS Router in Azure East)
Any Cloud API: Analytics, Automation, Agile Work-X, Available Architecture
What is Segmentation?
“Process of implementing isolation and segmentation for security purposes within the virtual data center”
Gartner, 2017
Standard Segmentation Methods
Traditional physical firewalls and manually deploying security policies to isolate traffic
Micro-segmentation
L3/L4 security policies on distributed virtual switch or vNGFW down to VM
Adaptive Segmentation
Automated application discovery, Orchestrate L7 Policies on distributed firewalls and Isolate threats
Cloud Based Segmentation
L3/L4 security policy micro-segmentation enforcement by Cloud Providers
No silver bullets
| Security Criteria | Traditional Segmentation | Micro-Segmentation | Adaptive Segmentation | Cloud Segmentation |
|---|---|---|---|---|
| Firewall Type | Physical | IP Tables / ACLs (Plug to vNGFW) | Virtual Distributed | IP tables / ACLs (plug into NGFW) |
| Firewall Location | DMZ | Top of Rack or Hypervisor | Operating System | Hypervisor |
| Secure typical traffic flows | North / South | East/West & North/South | East/West & North/South | East/West & North/South |
| Security layer | L3 - L7 | L3/L4 on vswitch | L3-L7 | L3/L4 |
| Security Policies provision & maintaining | Manually | Manually | Application Learning | Manually |
| Security policy management | Central firewall controller | Central firewall controller | Central firewall controller | Cloud Orchestrator |
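The "Secure typical traffic flows" row is the crux of the comparison: a perimeter firewall in the DMZ only ever sees north/south traffic, while a distributed L3/L4 policy on the vswitch or top-of-rack also gives east/west flows a verdict. The following added example (written for this page, not Arista or any vendor code) models both enforcement points over one segment-based allow-list and shows which flows the perimeter never inspects. The segments, addresses, rules and flows are constructed for illustration.

```python
"""Contrast a perimeter-only (traditional) firewall with distributed L3/L4
micro-segmentation, as described in the comparison table.  Segments, policy
and flows are constructed for this example; none of it is EOS or vendor code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed data-centre segments; any address outside them is "internet".
SEGMENTS = {
    "dmz-web": ip_network("10.1.0.0/24"),
    "app": ip_network("10.2.0.0/24"),
    "db": ip_network("10.3.0.0/24"),
}


def segment_of(ip: str) -> str:
    """Map an address to its segment name, or "internet" if outside the DC."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src: str              # segment name or "*"
    dst: str              # segment name or "*"
    proto: str            # "tcp", "udp" or "*"
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"

    def matches(self, src_seg: str, dst_seg: str, proto: str, dport: int) -> bool:
        return (self.src in ("*", src_seg) and self.dst in ("*", dst_seg)
                and self.proto in ("*", proto)
                and (self.dport is None or self.dport == dport))


# Constructed allow-list, evaluated top-down; the last rule is the default deny.
POLICY = [
    Rule("internet", "dmz-web", "tcp", 443, "allow"),
    Rule("dmz-web", "app", "tcp", 8080, "allow"),
    Rule("app", "db", "tcp", 5432, "allow"),
    Rule("*", "*", "*", None, "deny"),
]


def evaluate(policy, src_ip, dst_ip, proto, dport) -> str:
    """First-match L3/L4 policy lookup on segment labels."""
    src_seg, dst_seg = segment_of(src_ip), segment_of(dst_ip)
    for rule in policy:
        if rule.matches(src_seg, dst_seg, proto, dport):
            return rule.action
    return "deny"


def is_north_south(src_ip, dst_ip) -> bool:
    return "internet" in (segment_of(src_ip), segment_of(dst_ip))


def perimeter_firewall(policy, src_ip, dst_ip, proto, dport) -> str:
    """Traditional model: the DMZ firewall only sees flows that cross the
    perimeter, so east/west traffic between DC segments is never inspected."""
    if not is_north_south(src_ip, dst_ip):
        return "not-inspected"
    return evaluate(policy, src_ip, dst_ip, proto, dport)


def micro_segmentation(policy, src_ip, dst_ip, proto, dport) -> str:
    """Distributed model: the same policy is enforced at every vswitch/ToR,
    so east/west flows get a verdict as well."""
    return evaluate(policy, src_ip, dst_ip, proto, dport)


# Constructed sample flows: (src_ip, dst_ip, proto, dport).
FLOWS = [
    ("198.51.100.7", "10.1.0.10", "tcp", 443),   # client -> web, expected path
    ("10.1.0.10", "10.2.0.20", "tcp", 8080),     # web -> app, expected path
    ("10.2.0.20", "10.3.0.30", "tcp", 5432),     # app -> db, expected path
    ("10.1.0.10", "10.3.0.30", "tcp", 5432),     # web -> db directly, not allowed
    ("10.3.0.30", "10.1.0.10", "tcp", 22),       # db -> web, not allowed
    ("198.51.100.7", "10.3.0.30", "tcp", 5432),  # internet -> db directly
]


def compare(flows=FLOWS):
    """Return (flow, perimeter verdict, micro-segmentation verdict) per flow."""
    return [(f, perimeter_firewall(POLICY, *f), micro_segmentation(POLICY, *f))
            for f in flows]


def east_west_gaps(flows=FLOWS):
    """Flows the perimeter never inspects but the distributed policy denies:
    the east/west coverage gap the comparison table is about."""
    return [f for f, peri, micro in compare(flows)
            if peri == "not-inspected" and micro == "deny"]


if __name__ == "__main__":
    for flow, peri, micro in compare():
        print(f"{flow[0]:>14} -> {flow[1]:<10} {flow[2]}/{flow[3]:<5} "
              f"perimeter={peri:<14} micro-seg={micro}")
```

Running the script lists every sample flow with both verdicts; the two east/west flows that bypass the allow-list are the ones only the distributed model catches, which is what `east_west_gaps()` returns. The default-deny rule at the bottom of `POLICY` is what makes the allow-list meaningful; the same evaluator with an implicit allow would report no gaps at all.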
Segmentations have created security islands
DMZ Security Island; Multi-Silo DC Security Island; Cloud Security Island; Branch / Campus Security Island
● Security Policy Sprawl
● Micro-Visibility per island
● Lack of Automation & Mobility & Agility
● Vendor Lock-in & lack of Open Integration
Macro-Segmentation with Macro-State Visibility is open to accommodate & enables any segmentation architecture
Diagram: 1. Traditional Segmentation; 2a. Micro Segmentation; 2b. Adaptive Segmentation; 4. Cloud Segmentation (Internet VPC, Transit VPC, AZ1/AZ2, East Region); Firewall Controller, Tap Aggregation, Packet Monitoring
Macro-State Visibility to openly accommodate & enable any segmentation architecture
EOS features feeding Macro-State: Tap Aggregation, DANZ, LANZ, VmTracer, MapReduce Tracer, SNMP, Syslog, Path Tracer, Bug Alerts, EOS SDK, EOS API, Atomic Counters, CloudTracer, Scripting, ZTP, Event Monitor, Event Manager, 3rd party RPM packages, VCS State Streaming, MSS, DFA, sFlow, Digital Optical Monitoring
Consumers: Firewall Controller, Packet Monitoring
Use CV’s NetDB to collect Macro-State using countless EOS software features to provide network-wide visibility, and state-stream the data using Open APIs to any 3rd party security controllers to help provide scalable Macro-segmentation across all PICs
Macro-Segmentation with Macro-State Visibility
Places In the Cloud (PICs):
● Compute / Big Data / HPC Edge – State stream & provide atomic changes on end devices connected to physical & virtual network
● Storage Edge – State stream & provide atomic changes on storage infrastructure
● Cloud Edge – Provide Cloud Visibility & Analytics to secure cloud workflows and workloads
● Branch / Campus / IoT Edge – Provide Visibility, Security, Analytics, Agility to remote users
VCS has Macro-State view of Network
Macro Application & WorkFlow Visibility & Analytics
Open API Integration with Best of Breed Security
Full Security Automation & Segmentation
Macro Threat Detection & Enforcement
1) 3rd Party threat security intelligence or enforcement
2) Real time data capture & enforcement
3) Real-time threat analysis via machine learning
Macro visibility across Workflow, Network and Workload, in Public Cloud and Private Cloud
Arista Macro Detection & Enforcement Software Roadmap
Phase 1) Provide 3rd Party security devices application visibility & network logs to do security intelligence & enforcement
Phase 2) Arista provides policy enforcement on virtual routers and physical devices integrated to 3rd party
Phase 3) Arista provides machine learning capabilities for advanced detection and correlation for intelligent & automated policy enforcement
www.arista.com
Thank You