Data Center Optimization and Security Design


Page 1: Data Center Optimization and Security Design

© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Data Center Optimization and Security Design

April 2009

Teerapol Tuanpusa

Cisco Systems Thailand

Email: [email protected]

Page 2: Agenda

Optimize and Secure Data Center

Drivers and Requirements

Design Guidance

Common Points of Interest

ACE vs FWSM vs Appliances

Key Takeaways

Page 3: Optimize and Secure Data Center

Business Continuity

Effective crisis management

Protected data redundancy

Improved global access to core critical services and data

Compliance Issues

SOX

PCI

HIPAA

Gramm-Leach-Bliley Act (GLBA)

Load sharing and acceleration

Application protection

SSL Offload and load balancing

Perimeter Protection

Encryption Services

Virtualized data inspection services

XML/APP Security

Service Resilience

Data Protection

Page 4: Data Centers are Evolving

[Chart: IT Relevance and Control (vertical axis) against Application Architecture Evolution (horizontal axis)]

Data Center 1.0: Mainframe (CENTRALIZED)

Data Center 2.0: Client-Server and Distributed Computing (DECENTRALIZED)

Data Center 3.0: Service Oriented and Web 2.0 Based (VIRTUALIZED)

Page 5: Data Center Strategy and Evolution

Consolidation

• Scale

• Performance

• Density

• Availability

• Operational Manageability

• Investment Protection

Virtualization

• Power Savings

• Service Velocity

• Opex Alignment

• Capital Utilization Improvement

• Flexibility

Automation

• Net-Centric Server Evolution

• Virtual Machine Network Coupling

• Inline Data Protection

• Separation of Policy and Forwarding

Page 6: DC Optimization and Acceleration Technologies

[Diagram: Branch with ISR and WAE (WAAS) connected across the WAN to the Datacenter with HQ Router, WAE (WAAS), Cat6K and ACE in front of Applications, Storage and Content; AVS is now integrated into ACE]

Wide Area Application Engine (WAE)

Integrated Services Router (ISR)

IOS with NetFlow, NBAR, QoS, IP-SLAs…

Branch/WAN and Data Center

Application Velocity System (AVS)

Application Control Engine (ACE)

Catalyst 6500 switches

Page 7: Cisco Application Control Engine (ACE) Solution

Application Fluent Networking for Data Center

[Diagram: WAAS in front of a Catalyst 6500 with ACE serving Web Servers and Application Servers; MDS 9500 w/ Fabric Services connects Enterprise Class Storage]

Virtualized application services

Application Switching and Server Offload (SSL Offload)

Application Acceleration (AVS integrated)

Application and Server Farm Security

Solution Benefits:

Faster application deployment/scale

Maximum availability and performance

Comprehensive security

Ready for SOA evolution

Catalyst 6500 ACE – Network Services for SOA and Web 2.0 Applications

ACE XML Gateway – Web Services

ACE GSS – Multi-DC Application Traffic Mgmt

Page 8: Supporting Multiple Applications: The Old Way

One Physical Application Switch (no isolation)

Applications compete for resources

Changes to one app can impact others

Overly complex device config files

OR

Many Physical Application Switches (inefficient isolation)

Device sprawl

Underutilized device resources

Complex to upgrade

[Diagram: Device 1 hosting Application 1, Application 2 and Application 3, versus Device 1, Device 2 and Device 3 each hosting a single application]

Page 9: Supporting Multiple Applications: The Cisco ACE Way

One Physical Application Switch, Multiple Virtual Devices (ideal isolation)

Isolate and secure applications, customers, and/or departments based on virtual devices

Customized, guaranteed resources per application

ACE Virtualized Architecture: Virtual Devices and RBAC

[Diagram: a single ACE hosting multiple virtual devices]

Page 10: Cisco Wide Area Application Services (WAAS) – Bridging the gap between centralized IT and distributed users

Solutions

Application acceleration

Branch IT consolidation

WAN bandwidth optimization

Improved data compliance

Technologies

Compression & acceleration

Router integration

Security integration

Application SLA integration

Deployment

Software: Wide Area Application Services

Hardware: Wide Area Application Engine

Branch and data center deployment

Mobile VPN acceleration deployment

[Diagram: WAAS at the Branch Office, Regional Office and Data Center connected over the WAN; Domestic and International Mobile Users run WAAS Mobile SW over VPN across the Internet to a WAAS Mobile Server in the Data Center]

Page 11: Wide Area Application Services (WAAS) Acceleration Technologies

Data Redundancy Elimination (DRE) and compression

Strong data reduction (5-10x typical, 100x peak)

Excellent support for HTTP, FTP, CIFS, MAPI, Notes, and most known protocols

TCP Flow Optimizations (TFO)

Fill-the-pipe: window scaling, congestion management

Support transactional traffic through network latency reduction

Up to 450 Mbps optimized traffic

Support for File Server Consolidation

Safe caching of data and meta-data

Predictive read-ahead, write-behind, 93% latency reduction

Pre-position, disconnected operation

Print services

10x OFFLOAD factor

[Diagram: the Original Message is matched chunk by chunk against the DRE Database (NO MATCH for new chunks); only Non-Redundant Data and New Signatures leave as the Encoded Message = 552 Bytes Transferred]

[Chart: TCP congestion window (cwnd) against Time (RTT) through Slow Start and Congestion Avoidance; Cisco TFO provides significant throughput improvements over standard TCP implementations]
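The DRE diagram on this slide (original message matched against the DRE database, only non-redundant data and new signatures on the wire) can be followed in code. The block below is an added example written for this transcript, not Cisco WAAS code. It assumes fixed 64-byte chunks and 8-byte SHA-256 prefixes as signatures (real DRE uses content-defined chunk boundaries and its own signature scheme) and a constructed 1024-byte random payload. It shows the same message costing 1072 bytes on first transfer, 144 bytes when repeated and 202 bytes after a one-byte edit, and that the two peers' databases stay in sync because the receiver stores every literal it decodes.

```python
import hashlib
import random
import struct

# Constructed parameters: fixed 64-byte chunks and 8-byte signatures keep the
# byte arithmetic easy to follow. Real DRE uses content-defined chunk boundaries.
CHUNK_SIZE = 64
SIG_SIZE = 8
TAG_REF = b"R"   # wire tag: chunk already in both databases, send only its signature
TAG_LIT = b"L"   # wire tag: new chunk, send it in full (a "new signature")


def chunk(data: bytes, size: int = CHUNK_SIZE):
    """Split a message into fixed-size chunks; the last one may be shorter."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def signature(c: bytes) -> bytes:
    """Short hash that names a chunk identically on both peers."""
    return hashlib.sha256(c).digest()[:SIG_SIZE]


class DrePeer:
    """One end of a DRE pair. The two databases converge because every literal
    the sender emits is stored by the receiver when it decodes it."""

    def __init__(self):
        self.db = {}  # signature -> chunk bytes

    def encode(self, message: bytes) -> bytes:
        out = bytearray()
        for c in chunk(message):
            sig = signature(c)
            if sig in self.db:
                out += TAG_REF + sig                               # 1 + 8 bytes
            else:
                self.db[sig] = c
                out += TAG_LIT + struct.pack(">H", len(c)) + c     # 1 + 2 + len(c) bytes
        return bytes(out)

    def decode(self, wire: bytes) -> bytes:
        pieces, pos = [], 0
        while pos < len(wire):
            tag, pos = wire[pos:pos + 1], pos + 1
            if tag == TAG_REF:
                sig, pos = wire[pos:pos + SIG_SIZE], pos + SIG_SIZE
                pieces.append(self.db[sig])       # KeyError here means the databases diverged
            elif tag == TAG_LIT:
                (n,), pos = struct.unpack(">H", wire[pos:pos + 2]), pos + 2
                c, pos = wire[pos:pos + n], pos + n
                self.db[signature(c)] = c         # learn the chunk for next time
                pieces.append(c)
            else:
                raise ValueError("corrupt DRE stream")
        return b"".join(pieces)


def simulate() -> dict:
    """Bytes on the WAN for a 1024-byte message sent once, sent again, and sent
    after a one-byte edit that changes only its second chunk."""
    rng = random.Random(7)                                           # constructed payload
    original = bytes(rng.randrange(256) for _ in range(1024))
    edited = original[:100] + bytes([original[100] ^ 0xFF]) + original[101:]
    branch, data_center = DrePeer(), DrePeer()
    wire_bytes = {}
    for label, msg in (("first", original), ("repeat", original), ("edited", edited)):
        wire = branch.encode(msg)
        assert data_center.decode(wire) == msg
        wire_bytes[label] = len(wire)
    return wire_bytes


if __name__ == "__main__":
    print(simulate())   # {'first': 1072, 'repeat': 144, 'edited': 202}
```

The 144 bytes for the repeated message are sixteen 9-byte references, which is the slide's "non-redundant data and new signatures" reduced to signatures only; the persistent LZ stage the next slide mentions would then compress whatever literals remain.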

Page 12: Branch User Acceleration Technologies

Advanced Compression/Cache

Data Redundancy Elimination (up to 100:1 compression)

Persistent LZ Compression (additional 10:1 compression)

Application Specific Acceleration

Application protocol aware

Windows file services (CIFS)

Windows print services

Server offload technology

TCP Flow Optimization (TFO)

LAN-like TCP behavior

Loss mitigation

Slow-start mitigation

[Chart: End User Throughput, 10 to 60 Mbps, and WAN Consumption, 0.5 to 3 Mbps, over the interval 01:20 to 01:26; once Optimization is Enabled, End User Throughput goes up 5x and WAN Consumption drops 67%]

LAN-Like Throughput

Bandwidth Savings

Fewer Roundtrips

Page 13: ACNS/WAAS Bandwidth Savings

Similar to ACNS, but now for *all* TCP protocols

Bandwidth savings

Improved response time as a result of chattiness reduction

Enabler for additional consolidation and virtualization

[Chart: WAN volume split into HTTP* and Non-HTTP, Before ACNS and After ACNS, and Before WAAS and After WAAS]

* Note: ACNS also reduces Video streaming and CIFS for laptop re-imaging

Page 14: ANS Acceleration Findings

Observation

Varies greatly by protocol, application & network capacity / delay

Data Points (based on a subset of technologies)

Remote users: typically 1.5 to 20x faster for unencrypted apps

HTTP: 2.5 to 10x faster

Outlook/Exchange: 1.5 to 2x faster (small RPC/MAPI buffer size)

CIFS over the WAN: 1.5 to 20x faster

HTTPS: no data (limited acceleration today using AVS, more with WAAS + Distributed Reverse Proxy in future)

Nearby users: 1.0 to 2.5x faster

Productivity Impact

Assume 20 HTTP pages / user / day at 30 seconds each = 10 mins

Key Messages

Absolute “wait time” can be excessive (30-90 seconds for 1 HTTP page not a seldom exception)

The worse the performance caused by WAN, the better the acceleration

Page 15: Application Vendor Validated

Cisco WAAS + VPN Routers (IOS 12.3) Certified by SAP:

• WAN Optimization, Enterprise SOA compliant

• SAP NetWeaver

• Application Server 7.0

• SAP ERP ECC 6.0

"Working together with Cisco on their application delivery and application-oriented networking solutions, we aim to raise the application awareness of the network layers of the IT architecture, resulting in a stronger, more effective business process framework for our customers."

- Gordon Simpson, Vice President of Applied Platform Technology, SAP

"Cisco WAAS has accelerated our SAP response time for up to 75% across WAN, and given us the best compatibility and lowest TCO."

— Jim Ward, CIO, Pacer International

Company Validation

Product Validation

Customer Validation

Page 16: Three Tiers of Data Center Security

Features of a typical data center design

Maximum protection at the application and data layers

Higher level of protection from DDoS and malicious traffic

[Diagram: the three tiers, numbered 1, 2 and 3]

Page 17: Security Services in the Data Center

Firewalls

SLB+SSL

IDS (IPS)

VPN

DDoS detection and mitigation

Application Firewalls

Page 18: Typical Concerns from Customers

Segmentation and Insertion

Logging/Reporting/Operations

Performance bottlenecks

Server-to-Server, Client-to-Server

Page 19: Services Layer Security

The services-plane for a Service Provider's Data Center typically supports the 'Managed Services' delivered to end-customers, such as managed firewall and network-based VPN services.

Insertion of "Virtualized" Services adds new challenges:

Resource Management

Service Chaining

Service path selection

Network service scale – VLANs, VRFs, Interfaces, Bandwidth

[Diagram: one Virtualized Network Service shared by Cust 1, Cust 2 … Cust N, each receiving its own Virtual Network Service]

Page 20: Services Layer Security (continued)

Virtualization mechanisms in the services plane:

VRF, VPN, VSS

ACE Context, RBAC

FWSM Context, RBAC

Virtual Sensor

VLAN, PVLAN

Page 21: Server to Server Traffic – 3 Tier Server Design

Minimize VLAN consumption – Shared VLAN for Client traffic

Dynamic path selection for servers behind Services (RHI)

Page 22: Service Insertion – Consolidate in DC Aggregation or Core

Consolidate FW, SSL and SLB services in the Aggregation or Core layers

Cost drives consolidation to Core; bandwidth is not an issue

Server-to-Server Traffic requirements may drive services to Aggregation

Segment Traffic: Layer 2 VLAN/PVLANs; Layer 3 VRF/VPNs

[Diagram: DC Core, Aggregation, Access and L3 Edge layers]

Page 23: Service Insertion – Services Chassis

[Diagram: DC Core, Aggregation, Access and L3 Edge layers with a Services Switching Chassis attached to the Aggregation layer]

Services Switching Chassis

Free slots in Agg and Core layers for 10GE ports

10GigEtherchannel Interconnectivity

Segment Traffic: Layer 2 VLAN/PVLANs; Layer 3 VRF/VPNs

Dual Chassis for HA Resilience

Services Chained in Web, Application and Database Tiers

Page 24: FWSM and Private VLAN – Secure Server-to-Server Traffic on 1 VLAN

Secure Server-to-Server Traffic

PVLAN at the Access layer

Server Access Port isolated

Trunk Primary VLAN to FWSM (Dot1Q Trunk)

Set Permit intra-interface on FWSM

Cons

Each server requires static route to server on same VLAN

Saves VLAN consumption, but now consumes BW resources between AGG and ACCESS

Server-to-Server and Server-Client traffic counted at FWSM, could be problematic for billing

Page 25: Service Module Virtualization – Resource Management

There are NO templates or cookie-cutter designs

First Goal should be to protect against resource exhaustion

Cap “Connections” and “Inspections”

FWSM Logging requires control

Most log on “deny connections”

ACE logging done in “fast-path”

If not logging in fast-path then Control-plane based syslog resource management required

Difference in CLI can be challenging:

Definition – ACE: defined as a percentage; FWSM: defined as a percentage or absolute number

Resource setting – ACE: resource set as “maximum equal minimum” or unlimited; FWSM: resource set as maximum

Bandwidth – ACE: bandwidth treated as a resource; FWSM: not an option
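The slide's first goal, capping connections so that one context cannot exhaust the shared pool, and the ACE/FWSM difference between a guaranteed minimum and an absolute maximum can be modelled directly. The following block is an added example for this transcript, not ACE or FWSM code; the ServiceModule class, the tenant names and the 100-connection pool are constructed. It accepts limits as an absolute number or a "NN%" string, reserves each context's unmet guarantee so other tenants cannot consume it, counts every denied connection (the "log on deny" event), and shows a capped tenant still receiving its guarantee after an uncapped tenant has taken everything it can.

```python
from dataclasses import dataclass
from typing import Dict, Union

Limit = Union[int, str, None]


def to_count(spec: Limit, total: int) -> int:
    """Accept an absolute number (FWSM style) or a 'NN%' share of the device pool
    (ACE and FWSM style); None means unlimited, i.e. up to the whole pool."""
    if spec is None:
        return total
    if isinstance(spec, str) and spec.endswith("%"):
        return total * int(spec[:-1]) // 100
    return int(spec)


@dataclass
class Context:
    name: str
    guaranteed: int   # ACE "minimum": always available to this context
    maximum: int      # hard cap; ACE "maximum equal minimum" sets both to the same value
    used: int = 0
    denied: int = 0   # each denial is the event worth a syslog ("log on deny")


class ServiceModule:
    """A shared connection table carved into per-context guarantees and caps.
    Constructed model, not the ACE or FWSM implementation."""

    def __init__(self, total_connections: int):
        self.total = total_connections
        self.contexts: Dict[str, Context] = {}

    def add_context(self, name: str, minimum: Limit = 0, maximum: Limit = None) -> None:
        guaranteed = to_count(minimum, self.total)
        cap = to_count(maximum, self.total)
        if cap < guaranteed:
            raise ValueError("maximum below guaranteed minimum")
        if sum(c.guaranteed for c in self.contexts.values()) + guaranteed > self.total:
            raise ValueError("guarantees oversubscribe the device")
        self.contexts[name] = Context(name, guaranteed, cap)

    def _reserved_for_others(self, ctx: Context) -> int:
        """Connections kept free so every other context can still reach its guarantee."""
        return sum(max(0, c.guaranteed - c.used)
                   for c in self.contexts.values() if c is not ctx)

    def open_connection(self, name: str) -> bool:
        ctx = self.contexts[name]
        in_use = sum(c.used for c in self.contexts.values())
        if ctx.used >= ctx.maximum:
            allowed = False                      # this context's own cap
        elif ctx.used < ctx.guaranteed:
            allowed = True                       # still inside its guarantee
        else:
            allowed = in_use + self._reserved_for_others(ctx) < self.total
        if allowed:
            ctx.used += 1
        else:
            ctx.denied += 1
        return allowed

    def close_connection(self, name: str) -> None:
        ctx = self.contexts[name]
        if ctx.used:
            ctx.used -= 1

    def denied_per_context(self) -> Dict[str, int]:
        return {n: c.denied for n, c in self.contexts.items()}


def demo() -> Dict[str, int]:
    """Constructed scenario: a 100-connection pool shared by three tenants."""
    module = ServiceModule(total_connections=100)
    module.add_context("tenant-a", minimum="20%", maximum="50%")   # guaranteed 20, capped at 50
    module.add_context("tenant-b", minimum="20%")                  # guaranteed 20, no cap
    module.add_context("tenant-c", minimum=0, maximum=10)          # best effort, capped at 10
    opened = {}
    # tenant-b floods: it stops at 80 because tenant-a's 20 stay reserved
    opened["tenant-b"] = sum(module.open_connection("tenant-b") for _ in range(200))
    # tenant-a still gets its full guarantee, and nothing beyond it while the pool is full
    opened["tenant-a"] = sum(module.open_connection("tenant-a") for _ in range(25))
    # tenant-c has no guarantee and the pool is full
    opened["tenant-c"] = sum(module.open_connection("tenant-c") for _ in range(5))
    # once tenant-b releases connections, tenant-c gets up to its own cap
    for _ in range(10):
        module.close_connection("tenant-b")
    opened["tenant-c-after-release"] = sum(module.open_connection("tenant-c") for _ in range(15))
    opened.update({"denied-" + n: d for n, d in module.denied_per_context().items()})
    return opened


if __name__ == "__main__":
    print(demo())
```

Setting minimum and maximum to the same value reproduces the ACE "maximum equal minimum" mode, where a context can never grow past its guarantee; leaving maximum at None is the ACE "unlimited" setting, which is what lets tenant-b reach 80 here.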

Page 26: Service Layer Design – Fault-Tolerant Service Design

Active-Active Service Design

Application Control Engine: active-standby distribution per context

Firewall Service Module (3.x): two active-standby groups permit distribution of contexts across two FWSMs (not per context)

Permits uplink load balancing while having services applied

Increases overall service performance

Complex troubleshooting

[Diagram: Core above two aggregation switches, with vlan5 and vlan6 distributed across both]

Page 27: Service Layer Design – Fault-Tolerant Service Design

Active/Standby alignment

Align server access to primary components in aggregation layer:

– primary HSRP instance

– Active/standby service context

– path preference

Provides more predictable design

Simplifies troubleshooting

More efficient traffic flow – decreases chance of flow ping-pong across inter-switch link

[Diagram: Core above two aggregation switches carrying vlan5 and vlan6]

Page 28: Services Layer – Security and Optimization Appliances

IPS Appliances

Inline-on-a-Stick – VLAN pairs mapped on Sensor

Server side VLANs and Service Side VLANs

ACE XG / AVS

Full Proxy insertion

Future integration w/ ACE-SLB

WAAS

MSFC WCCPv2 redirection

ACE-SLB redirection

MAC-sticky

[Diagram: VLAN pairs mapped to a virtual sensor; Server Side Vlan 10, Vlan 11, Vlan 12 and Service Side Vlan 100, Vlan 110, Vlan 120]

Page 29: IPS Insertion – External Appliances or Catalyst 4xIDSM-2 Bundle

Inline, Interface Mode (aka: on a stick)

VLANs from Servers terminate to IPS sensor via dot1q trunk

VLAN pairs mapped on Sensor: Server side Vlans, Service side Vlans

Service side Vlans are switched to appropriate Service Module: Virtual Firewall, Virtual SLB/SSL, IPS

[Diagram: Dot1q Trunk carrying Vlan 110 and Vlan 120 to the sensor]

Inline, VLAN Group Mode

Cisco IPS appliance put inline between CORE and AGGREGATION

Sensors put inline to monitor traffic carried on dot1q VLAN trunks

Page 30: IPS Insertion – Pros and Cons of each Mode

VLAN Group Mode

Pros

No Vlan changes required at the CORE or AGGREGATION Layers

Existing Failover design maintained (Flex-Links)

Monitor Inter-Vlan traffic

Cons

All traffic is monitored, no ability to select by VLAN

Re-cabling required for Sensors

NO Per VLAN IPS-Policy

Inline Interface Pair Mode

Pros

Select traffic by Vlan to be monitored by sensor

No inline cabling between CORE and Aggregation

Monitor Inter-Vlan traffic

Cons

IPS monitored Vlans require second Vlan for mapping

Failover requires Etherchannel to 2 IPS Sensors

NO Per VLAN IPS-Policy

Page 31: DDoS Services

Goal – Move mitigation above Core

Detection – Netflow at the Internet Edge

Detectors synching w/ Guards drives interest

SPs have MPLS/IP Backbone for inter-connect

DDoS services not in Data Center

Services moved to Peering/Transit Edge

Service Modules solve bandwidth scaling, but add new requirements to hosting chassis:

Diversion and Injection

CEF Loadbalancing

Multiple Blade support

Management

Storm Control required at Access Layer Switches

Server goes offline and broadcast traffic brings switch to its knees

[Diagram: DC Core, Aggregation, Access and L3 Edge layers]

Page 32: Infrastructure Security – Management-Plane Best Practices

Secure / Segment communications In-Band and Out-of-Band with IPSec, SSH, SSL

Encrypt stored password and key information

Employ remote-access filters allowing only trusted hosts and protocols and restricting all other traffic

Employ AAA services – TACACS+ for internal operations

Log changes made to the actual device and device's configuration

File-system integrity checks and backup and recovery services

6500 does provide challenges – No dedicated Management-Plane Protection (yet)

[Diagram: AAA (TACACS Server, Local), Encryption (SSH, SCP, IPSec), Filters (VTY ACLs)]

Page 33: Infrastructure Security – Control-Plane Best Practices

6500 and 7600 IOS

Catalyst 6500 Nodes – MLS Rate-limiters; rate-limit traffic punted to CPU

Catalyst 6500 and 7600 IOS Nodes – Control-Plane Policing; classify and police traffic classes destined to CPU

12k IOS-XR

IP/MPLS Edge – IOS-XR Nodes – Dynamic Control-Plane Policing and Local Packet Transport Switching; selectively filter packets w/ IP options set

CORE to MPLS/IP Edge

Neighbor Authentication – OSPF, IS-IS and BGP neighbor authentication; securely authenticate topology peers before exchanging control-plane traffic

OSPF, IS-IS and BGP route-maps and prefix-lists; control the information transmitted and received between neighboring peers

ACCESS Layer Edge

Layer 2 Data-Plane Filters – BPDU filtering, Spanning-tree security, Storm Control, Port Control; secure the Layer 2 edge to protect control-plane layers of upstream devices and control unknown broadcast and multicast traffic.

Page 34: 6500/7600 Hardware Based Control-Plane Protection

[Diagram: Traffic Destined to MSFC passes through HW Control Plane Policing on each DFC3/PFC3 line card and then through Software Control Plane Policing in front of the CPU]

Each LC processes CoPP policy and rate-limits independently.

The aggregate traffic that makes it through all LCs is then processed again by centralized SW CoPP. The aggregate traffic hitting SW CoPP can be N times larger than the configured rate limit, where N is the number of DFCs/PFCs.

Page 35: Infrastructure Security – Data-Plane Best Practices

Data-Plane ACLs – filter illegitimate traffic

IP/MPLS Edge – Layer 3 ACLs; Infrastructure ACLs (iACLs)

Layer 2 – VLAN ACLs (VACLs) and Storm Control

Data-Plane QoS treatment – classify and apply traffic policies to each class

IP/MPLS Edge – Color and Police IP traffic destined to Data Center resources

Access Layer – Color traffic based on Layer 2 CoS or Layer 3 ToS

Aggregation and Core Layer – Police and implement congestion avoidance mechanisms: LLQ, WRR, WRED, Scavenger Qs

Traffic Monitoring – SNMP interface and traffic counters, Netflow v9 analysis and data export, CPU and memory thresholds per device; monitor network usage and detect anomalies

Page 36: Edge Packet Filtering

Internet Edge

Block known BAD packets – RFC-1918 and BOGON Blocks

Service Edge (Aggregation Layer)

IP and TCP checks – Malformed packets (FWSM and ACE)

Server Edge (Access Layer)

VLAN ACLs

Private VLANs – Filter at Gateway Address (SVI ACL or FWSM VLAN)

ARP ACLs
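An added example (not from the deck or from Cisco) of the edge checks listed on this slide, in Python: a bogon/RFC-1918 source filter for the Internet edge, and IP/TCP sanity checks of the kind FWSM and ACE apply at the service edge. The bogon list is a constructed subset of the usual martian prefixes, the packets are constructed dictionaries, and 198.51.100.0/24 and 203.0.113.0/24 (documentation ranges) stand in for public client and server addresses.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed subset of the usual martian/bogon prefixes. RFC 1918 space is kept
# apart so the verdict says which rule fired.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "192.0.2.0/24",
    "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4")]

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def internet_edge_check(pkt: Dict) -> Optional[str]:
    """Internet edge: a packet arriving from outside must not carry a private or
    bogon source address. Returns a drop reason, or None to continue."""
    src = ipaddress.ip_address(pkt["src"])
    if any(src in net for net in RFC1918):
        return "drop: RFC-1918 source"
    if any(src in net for net in BOGONS):
        return "drop: bogon source"
    return None


def service_edge_check(pkt: Dict) -> Optional[str]:
    """Service edge: IP and TCP sanity checks of the kind a firewall or load
    balancer applies before a flow reaches a server."""
    if pkt["src"] == pkt["dst"]:
        return "drop: source equals destination"
    if pkt.get("ttl", 64) == 0:
        return "drop: zero TTL"
    if pkt["proto"] == "tcp":
        flags = pkt["flags"]
        if flags == 0:
            return "drop: null flags"
        if flags & SYN and flags & FIN:
            return "drop: SYN+FIN"
        if flags & SYN and flags & RST:
            return "drop: SYN+RST"
        if pkt["sport"] == 0 or pkt["dport"] == 0:
            return "drop: port 0"
    return None


def edge_filter(packets: List[Dict]) -> Dict[int, str]:
    """Run the Internet edge and then the service edge; one verdict per packet id."""
    verdicts = {}
    for pkt in packets:
        reason = internet_edge_check(pkt) or service_edge_check(pkt)
        verdicts[pkt["id"]] = reason or "permit"
    return verdicts


# Constructed packets; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges
# standing in for public client and server addresses.
SAMPLE_PACKETS = [
    {"id": 1, "src": "198.51.100.7", "dst": "203.0.113.10", "proto": "tcp", "sport": 40123, "dport": 443, "flags": SYN},
    {"id": 2, "src": "10.1.2.3", "dst": "203.0.113.10", "proto": "tcp", "sport": 40124, "dport": 443, "flags": SYN},
    {"id": 3, "src": "0.1.2.3", "dst": "203.0.113.10", "proto": "tcp", "sport": 40125, "dport": 443, "flags": SYN},
    {"id": 4, "src": "198.51.100.9", "dst": "203.0.113.10", "proto": "tcp", "sport": 40126, "dport": 443, "flags": SYN | FIN},
    {"id": 5, "src": "203.0.113.10", "dst": "203.0.113.10", "proto": "tcp", "sport": 443, "dport": 443, "flags": ACK},
    {"id": 6, "src": "198.51.100.11", "dst": "203.0.113.10", "proto": "tcp", "sport": 0, "dport": 80, "flags": SYN},
    {"id": 7, "src": "198.51.100.12", "dst": "203.0.113.10", "proto": "tcp", "sport": 40127, "dport": 80, "flags": 0},
    {"id": 8, "src": "198.51.100.13", "dst": "203.0.113.10", "proto": "udp", "sport": 5353, "dport": 53},
]

if __name__ == "__main__":
    for pid, verdict in edge_filter(SAMPLE_PACKETS).items():
        print(pid, verdict)
```

The order matters in the same way the slide's layering does: the cheap prefix checks at the Internet edge discard what should never reach the service edge, and the stateful devices there spend their inspection budget only on traffic with a plausible source.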

Page 37: Layer 2 Port Security

What is available at the Access Layer

Low End switches have limited security

2950/2960 – Port-Security, Storm Control, ACLs, 802.1X, NAC

Layer 3 switches have required features, but increase cost per GE

3750 – L3 ACLs, Private VLAN, DAI, IP Source Guard

4948 – VACLs, Netflow

Blade switches have required features

CBS – L3 ACLs, Private VLAN, DAI, IP Source Guard

AND VLAN Aware Port Security – Shut down VLAN not entire port

Page 38: Access Layer Security – ARP Poisoning and Anti-Spoofing

In a Data Center, DHCP not likely

Static Bindings for IP Source Guard (a lot of typing for a large scale DC)

DAI – Prevent MITM attacks

Static ARP ACLs

IP Source Guard – Prevent IP and MAC spoofing

DAI and IP Source Guard at Aggregation layer

Features enabled at Aggregation Layer

NO DAI at Access layer allows ARP traffic local to access switch (ARP broadcasts)

ARP ACLs can be used to deny server-to-server between Access layer switches

Block MITM and Spoofing between Switches
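DAI and IP Source Guard as described on this slide both reduce to comparing a packet against a static binding table, with the ARP ACL consulted first for addresses that have no port binding (the gateway). The block below is an added illustration written for this transcript, not switch code: the binding table, ARP ACL, port names and packets are constructed, and the trusted-port set stands in for the uplink towards the layer where the features are enabled. It shows a legitimate ARP passing, a server claiming the gateway's address or a neighbour's address being dropped, and IP Source Guard dropping a packet whose source does not match the port's binding.

```python
from typing import Dict, Tuple

# Constructed static binding table: (access port, VLAN) -> (MAC, IP). Without DHCP
# snooping these entries are typed by hand, the "lot of typing" the slide mentions.
BINDINGS: Dict[Tuple[str, int], Tuple[str, str]] = {
    ("Gi1/0/1", 10): ("00:11:22:33:44:01", "10.10.10.11"),
    ("Gi1/0/2", 10): ("00:11:22:33:44:02", "10.10.10.12"),
}
# Static ARP ACL: the only MAC allowed to answer for the gateway address, which
# has no port binding because it lives behind the uplink.
ARP_ACL_PERMIT: Dict[str, str] = {"10.10.10.1": "00:11:22:33:44:fe"}
# Trusted ports (uplink towards the aggregation layer) are not inspected.
TRUSTED_PORTS = {"Te1/0/1"}


def dai_inspect(arp: Dict) -> Tuple[bool, str]:
    """Dynamic ARP Inspection: the ARP sender MAC/IP must match the ARP ACL or the
    static binding of the port the packet arrived on."""
    if arp["port"] in TRUSTED_PORTS:
        return True, "trusted port"
    if arp["sender_mac"] != arp["eth_src"]:
        return False, "ARP sender MAC differs from Ethernet source"
    acl_mac = ARP_ACL_PERMIT.get(arp["sender_ip"])
    if acl_mac is not None:                       # ARP ACL takes precedence over bindings
        if acl_mac == arp["sender_mac"]:
            return True, "ARP ACL permit"
        return False, "ARP ACL deny: wrong MAC for protected address"
    binding = BINDINGS.get((arp["port"], arp["vlan"]))
    if binding is None:
        return False, "no binding for port"
    if binding != (arp["sender_mac"], arp["sender_ip"]):
        return False, "sender MAC/IP does not match static binding"
    return True, "binding match"


def ipsg_inspect(ip: Dict) -> Tuple[bool, str]:
    """IP Source Guard: source IP and MAC of an IP packet must match the port's binding."""
    if ip["port"] in TRUSTED_PORTS:
        return True, "trusted port"
    binding = BINDINGS.get((ip["port"], ip["vlan"]))
    if binding is None:
        return False, "no binding for port"
    mac, addr = binding
    if ip["src_ip"] != addr:
        return False, "source IP does not match binding"
    if ip["eth_src"] != mac:
        return False, "source MAC does not match binding"
    return True, "binding match"


# Constructed packets as the switch sees them on its ports.
SAMPLE_ARP = {
    "arp-legit":          {"port": "Gi1/0/1", "vlan": 10, "eth_src": "00:11:22:33:44:01", "sender_mac": "00:11:22:33:44:01", "sender_ip": "10.10.10.11"},
    "arp-gateway-claim":  {"port": "Gi1/0/2", "vlan": 10, "eth_src": "00:11:22:33:44:02", "sender_mac": "00:11:22:33:44:02", "sender_ip": "10.10.10.1"},
    "arp-neighbor-claim": {"port": "Gi1/0/2", "vlan": 10, "eth_src": "00:11:22:33:44:02", "sender_mac": "00:11:22:33:44:02", "sender_ip": "10.10.10.11"},
    "arp-uplink":         {"port": "Te1/0/1", "vlan": 10, "eth_src": "00:11:22:33:44:fe", "sender_mac": "00:11:22:33:44:fe", "sender_ip": "10.10.10.1"},
}
SAMPLE_IP = {
    "ip-legit": {"port": "Gi1/0/1", "vlan": 10, "eth_src": "00:11:22:33:44:01", "src_ip": "10.10.10.11"},
    "ip-spoof": {"port": "Gi1/0/1", "vlan": 10, "eth_src": "00:11:22:33:44:01", "src_ip": "10.10.10.99"},
}


def run_samples() -> Dict[str, bool]:
    """Verdict per sample packet: True = forwarded, False = dropped (and worth logging)."""
    results = {name: dai_inspect(p)[0] for name, p in SAMPLE_ARP.items()}
    results.update({name: ipsg_inspect(p)[0] for name, p in SAMPLE_IP.items()})
    return results


if __name__ == "__main__":
    for name, ok in run_samples().items():
        print(name, "forward" if ok else "drop")
```

The two drops in the ARP set are the slide's MITM case (a host answering for the gateway) and the plain IP takeover (a host answering for its neighbour); both are caught without any DHCP snooping state because every access port has a hand-entered binding.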

Page 39: Visibility in the Data Center

2 Applications for NetFlow

Billing – v8 aggregate Mode

DDoS – v5 or v9 sampled Mode

MQC MIBs being used to monitor traffic usage in Bytes

Service Modules add Layers of Visibility

Page 40: Anomaly Detection with CS-MARS

[Chart: Top Destination ports reports on the dashboard across Sun AM, Sun PM, Mon AM and Mon PM; pre-virus activity versus the actual virus hit shows as a jump on Port 445]
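The CS-MARS dashboard on this slide spots the virus hit as a jump in the top-destination-ports report. The same detection can be run over NetFlow records; the block below is an added example for this transcript (not CS-MARS or Cisco code) over constructed v5-style flow records covering the four windows named on the slide. It builds the per-window top-ports report, uses the median of the earlier windows as the baseline, and flags a port whose flow count passes both an absolute floor and a multiple of that baseline, which isolates the TCP/445 fan-out in the Mon AM window while the steady web and mail traffic stays quiet.

```python
from collections import Counter
from statistics import median
from typing import Dict, List, Tuple

WINDOWS = ["Sun AM", "Sun PM", "Mon AM", "Mon PM"]   # reporting windows named on the slide

# Flow record shape (NetFlow v5-style, constructed): (window, src, dst, proto, dport, packets)
Flow = Tuple[str, str, str, int, int, int]


def make_flows() -> List[Flow]:
    """Constructed sample: steady web, mail and file-share traffic in every window,
    plus a worm-like fan-out to TCP/445 from many sources during Mon AM."""
    flows: List[Flow] = []
    for w in WINDOWS:
        flows += [(w, f"10.0.{i % 4}.{i}", "10.10.10.11", 6, 80, 12) for i in range(40)]
        flows += [(w, f"10.0.5.{i}", "10.10.10.20", 6, 25, 8) for i in range(15)]
        flows += [(w, f"10.0.6.{i}", "10.10.10.30", 6, 445, 30) for i in range(6)]
    flows += [("Mon AM", f"10.0.{7 + i // 50}.{i % 50}", f"10.10.{i % 8}.{i}", 6, 445, 3)
              for i in range(120)]
    return flows


def flows_per_port(flows: List[Flow]) -> Dict[str, Counter]:
    """Flow count per destination port in each window."""
    counts: Dict[str, Counter] = {w: Counter() for w in WINDOWS}
    for w, _src, _dst, _proto, dport, _pkts in flows:
        counts[w][dport] += 1
    return counts


def top_ports(flows: List[Flow], window: str, n: int = 3) -> List[Tuple[int, int]]:
    """The dashboard's top-destination-ports report for one window."""
    return flows_per_port(flows)[window].most_common(n)


def detect_spikes(flows: List[Flow], factor: int = 4, min_flows: int = 20) -> Dict[str, List[Dict]]:
    """Flag a port whose flow count exceeds both an absolute floor and factor x the
    median of all earlier windows; report how many distinct sources drove it, since
    a worm shows up as many sources, not one busy client."""
    counts = flows_per_port(flows)
    findings: Dict[str, List[Dict]] = {}
    for idx, window in enumerate(WINDOWS[1:], start=1):
        history = WINDOWS[:idx]
        findings[window] = []
        for port, current in counts[window].items():
            baseline = median(counts[h][port] for h in history)   # missing port counts as 0
            if current >= min_flows and current >= factor * baseline:
                sources = {f[1] for f in flows if f[0] == window and f[4] == port}
                findings[window].append({"port": port, "flows": current,
                                         "baseline": baseline, "sources": len(sources)})
    return findings


if __name__ == "__main__":
    sample = make_flows()
    for w in WINDOWS:
        print(w, top_ports(sample, w))
    print(detect_spikes(sample))
```

The first window has no history and is used only as a baseline; the absolute floor keeps a port that goes from 1 to 5 flows from firing on a weekend, and the distinct-source count is what separates a scanning worm from one host backing up a share.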

Page 41: Front-End IP Access Layer

Page 42: Front-End IP Access Layer

"Content Routing" – Global Site Selection

Page 43: Application and Database Layer

"Content Switching" – Load Balancing

"Server Clustering" – High Availability

"Application Acceleration" – Optimized Performance

"Security" – Application

Page 44: Backend SAN Extension

"Storage" & "Optical" – Data Mirroring and Replication

Page 45: Cisco Secure Data Center Architecture

Detect and mitigate threats which impose a risk to availability, confidentiality and integrity

Secure both physical and logical boundaries of the Data Center network

Consolidate and compartmentalize services (advanced virtualization)

Proactively adapt to new threats (application layer attacks targeted to Web 2.0 applications and tools are increasing)

Scale to meet challenging service-levels of the network and application(s)

Meet regulatory and business continuance requirements

[Diagram: DC Access (Blade Chassis w/ Integrated Switch, Server Virtualization (Xen, VMWare), HPC, ToR and EoR, Server NIC Teaming), DC Aggregation, DC Core and DC IP/MPLS Edge; DC Inter-connect over Regional Metro and Long-haul links using SONET/SDH and CWDM/DWDM; SANs]

http://www.cisco.com/go/safe (SAFE Architecture)

http://www.cisco.com/go/srnd (Solution Reference Network Design)

Page 46: Common Points of Interest

Page 47: Common Points of Interest

Firewall Security Services

ACE vs FWSM

Service Modules vs Appliances

IOS Security vs Module/Appliance security

Page 48: Common Points of Interest – Technology Comparisons

[Table: ACE 1.4 versus FWSM 3.1 feature comparison; rows listed in extraction order, ACE 1.4 | FWSM 3.1]

Syslog Performance – Connections logged in fast-path

Log forwarding to Supervisor

Firewall Logging (log per ACL, log denied connections, filtering)

Fault-tolerant Probes

FT per Context (Active or Standby)

ACL and NAT

Object groups, Policy-NAT, Time Based ACLs

Bandwidth resource control per Context | Resource Management CLI allows absolute maximum to be defined

Route Health Injection – Dynamically announce availability of hosts

More Application Inspections

Higher scale – BW, Conns, Fabric inter-connect, ACLs, NAT

TCP/IP normalizations done in hardware

Industry Firewall certification

OS dedicated to Security

Both provide:

Stateful Inspection

MCP CLI

Virtualization w/ Resource Management

Page 49: Common Points of Interest – Effectively positioning Technologies

ACE provides Scalable SECURE Server Load balancing

Security services meant to protect servers (ACLs, NAT, SSL)

Insertion close to Servers

FWSM provides Scalable Firewall services

Virtualization allows for consolidation in Data Centers

Consistent Firewall features expected from experience with ASA and PIX

Industry certified as a Firewall

Neither provides a 100% “perfect solution”

Together, scaling complex server environments

ACE secures server entrance

FWSM secures backend transactions

Services Chained by SUP720

Page 50: Service Modules vs Appliances

Appliances still have use in Security services

Special Purpose Appliances – IPS, XML, Application

Appliances dedicated to Customer

Operational Separation – OS updates, Reboots

Compared to FWSM or ACE

Limiting factor of VLANs

ASA (10 and 5 G) support 250

FWSM – 1k

ACE – 2k

Requirement to Consolidate physical resources into 10GE Switching

ACE and FWSM provide means to reduce cooling, power, real-estate

Appliances require more of

Page 51: Key Takeaways

DC Consolidation and Virtualization optimize DC performance and efficiency

Security considerations for Data Center must address

Business Continuity

Regulatory Compliance

Mitigating risk to service availability, service integrity and service confidentiality

Secure Data Center Designs leverage breadth and depth of defense

Services Layer design critical to delivery of Virtualized security services

Differentiate technologies based on customer requirements and placement w/in the Data Center

Deliver Secure Data Center designs based on:

Scalable network

Agile services

Highly Available

Validated approach

Page 52: More information

http://www.cisco.com/go/safe (SAFE Architecture)

http://www.cisco.com/go/srnd (Solution Reference Network Design)