Transcript of Virt Network Sec 2010
8/3/2019 Virt Network Sec 2010
http://slidepdf.com/reader/full/virt-network-sec-2010 1/34
© 2009 VMware Inc. All rights reserved
Virtual Network Security
Matt Skipton
System Engineer, VMware Inc.
Confidential
Agenda
What NOT to Worry About
Virtual Network Designs
Virtual Network Security Challenges
VMware Solution
Cisco Nexus 1000v
What not to worry about
Virtualization-based attacks
• Examples: Blue Pill, SubVirt, etc.
• These are all theoretical, highly complex attacks
• Some depend upon virtualization support in CPU hardware
• Widely recognized by the security community as being only of academic interest
Irrelevant architectures
• Example: numerous reports claiming guest escape
• Most apply only to the hosted architecture (e.g. Workstation), not bare-metal (i.e. ESX)
• Hosted architectures deliberately include numerous channels for exchanging information between guest and host
Contrived scenarios
• Example: VMotion intercept
• Involved exploits where
 - best practices around hardening, lockdown and design for virtualization were not followed, or
 - poor general IT infrastructure security is assumed
Isolation: Virtual Networks
Design Highlights
• No code exists to link virtual switches: frames cannot pass from one vSwitch to another inside the host, only out through each vSwitch's own uplinks (a VM with vNICs on two vSwitches is the only possible bridge, and that is a VM configuration choice to watch for)
• Virtual switches provide protection by design against attacks that rely on switch behaviour they do not implement: MAC flooding (the vSwitch does not learn MAC addresses from traffic; it knows each vNIC's MAC from the VM configuration), 802.1q and ISL tagging attacks and double-encapsulation attacks (no dynamic trunk negotiation; VLAN tags are set by port-group policy), multicast brute-force attacks, spanning-tree attacks (the vSwitch does not run STP), random frame attacks
• Can restrict malicious network behavior through the port-group security policy: MAC address change (a guest altering its effective MAC) and impersonation (forged transmits, i.e. frames whose source MAC is not the vNIC's configured MAC); promiscuous mode is likewise rejected by default
• Such protection is not possible in the same way on a physical switch, which must learn MAC addresses from the frames it receives and so cannot know which MAC a port legitimately owns without additional port-security configuration
[Diagram: two separate virtual networks on one host]
Virtual Network Designs
Isolation in the Architecture
Segment out all non-production networks
• Use VLAN tagging, or
• Use separate vSwitches (see diagram)
Strictly control access to the management network, e.g.
• RDP to a jump box, or
• VPN through a firewall
[Diagram: vSwitch1, with its own uplinks, carries the Production port group to the Prod network; vSwitch2, with separate uplinks (vmnic1-4 are divided between the two vSwitches), carries the VMkernel, Mgmt and Storage port groups to the Mgmt network, which reaches vCenter, IP-based storage and the other ESX/ESXi hosts]
VMware Infrastructure 3 Security Hardening Guide: http://www.vmware.com/resources/techresources/726
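The two design rules above (reject MAC changes and impersonation at the port group; keep the VMkernel management and storage networks off the VM networks by VLAN tag or by a separate vSwitch) can be audited mechanically. The following is an added example, not VMware code and not tooling from the hardening guide; the inventory dict layout, host and port-group names and VLAN numbers are assumptions (constructed sample data), and the three policy names mirror the vSwitch security policy (Promiscuous Mode, MAC Address Changes, Forged Transmits).

```python
"""Audit one ESX host's virtual-network layout for the two rules on the
slides above: port groups must reject MAC address changes, forged
transmits (impersonation) and promiscuous mode, and VMkernel networks
(management, storage) must be segmented from VM traffic by VLAN tag or by
a separate vSwitch.

Added example, not VMware code.  The inventory layout is an assumption: a
reduced form of what a PowerCLI or esxcli export could be flattened to.
"""

ACCEPT, REJECT = "accept", "reject"
HARDENED = {"promiscuous": REJECT, "mac_changes": REJECT, "forged_transmits": REJECT}


def portgroup(name, vlan, kind, security=None):
    """kind is 'vm' (VM port group) or 'vmkernel' (host management/storage)."""
    return {"name": name, "vlan": vlan, "type": kind,
            "security": dict(HARDENED if security is None else security)}


# Constructed sample host (assumed names and VLAN IDs, not a real export).
SAMPLE_HOST = {
    "name": "esx01",
    "vswitches": [
        {"name": "vSwitch1", "uplinks": ["vmnic1", "vmnic2"], "portgroups": [
            portgroup("Production", 104, "vm"),
            # a lab port group someone opened up for packet capture
            portgroup("Lab", 104, "vm", {"promiscuous": ACCEPT,
                                         "mac_changes": ACCEPT,
                                         "forged_transmits": ACCEPT}),
        ]},
        {"name": "vSwitch2", "uplinks": ["vmnic3", "vmnic4"], "portgroups": [
            portgroup("Mgmt", 10, "vmkernel"),
            portgroup("Storage", 20, "vmkernel"),
            # VM port group dropped onto the management vSwitch in the Mgmt VLAN
            portgroup("Backup-VMs", 10, "vm"),
        ]},
    ],
}


def audit_host(host):
    """Return (severity, vswitch, portgroup, message) tuples; empty list means clean."""
    findings = []
    for vs in host["vswitches"]:
        pgs = vs["portgroups"]
        # Rule 1: every security policy on every port group must be 'reject'.
        for pg in pgs:
            for setting, value in pg["security"].items():
                if value != REJECT:
                    findings.append(("high", vs["name"], pg["name"],
                                     f"{setting}={value}; should be reject"))
        # Rule 2: VM port groups must not share a broadcast domain with VMkernel ones.
        vmk = [pg for pg in pgs if pg["type"] == "vmkernel"]
        for pg in (p for p in pgs if p["type"] == "vm"):
            if not vmk:
                continue
            findings.append(("info", vs["name"], pg["name"],
                             "shares a vSwitch with VMkernel port groups; "
                             "isolation relies on VLAN tagging alone"))
            for k in vmk:
                if k["vlan"] == pg["vlan"]:
                    findings.append(("high", vs["name"], pg["name"],
                                     f"same VLAN {pg['vlan']} as VMkernel port group "
                                     f"{k['name']}: no Layer-2 separation"))
    return findings


def worst_severity(findings):
    if any(f[0] == "high" for f in findings):
        return "high"
    return "info" if findings else "clean"


if __name__ == "__main__":
    for sev, vs, pg, msg in audit_host(SAMPLE_HOST):
        print(f"{sev:<4} {vs:<9} {pg:<11} {msg}")
```

On the sample host the audit reports the three accept policies on Lab and the Backup-VMs port group sitting in the Mgmt VLAN on the management vSwitch; Production, which only shares VLAN 104 with another VM port group, is not flagged. A VM port group on the management vSwitch but in its own VLAN is reported as informational only, since that is the VLAN-tagging option the slide allows.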
Physical Separation of Trust Zones
Advantages
• Simpler, less complex configuration
• Less change to the physical environment
• Little change to separation of duties
• Less change in staff knowledge requirements
• Smaller chance of misconfiguration
Disadvantages
• Lower consolidation and utilization of resources
• Higher cost
Virtual Separation of Trust Zones with Physical Security Devices
Advantages
• Better utilization of resources
• Take full advantage of virtualization benefits
• Lower cost
Disadvantages (can be mitigated)
• More complexity
• Greater chance of misconfiguration
Fully Collapsed Trust Zones Including Security Devices
Advantages
• Full utilization of resources, replacing physical security devices with virtual ones
• Lowest-cost option
• Management of the entire DMZ and network from a single management workstation
Disadvantages (can be mitigated)
• Greatest complexity, which in turn creates the highest chance of misconfiguration
• Requires explicit configuration to define separation of duties, plus regular audits, to help mitigate the risk of misconfiguration
• The single management point also concentrates risk: whoever controls vCenter or that workstation can reconfigure the whole DMZ, so it must live on the isolated management network described earlier
Virtual Network Security Challenges
Network Security in the Good Old Days
• Plug a server into a switch port
• The switch lights up and registers the server's MAC address
• Security policies and QoS can be applied to the port, and they properly affect the workload on the server, because one port maps to one server
Network Security in the Traditional Virtual World
• For each server you have 2 to 10 network links
• Each physical cable could have 1 to 100 VM MAC addresses on it
• Even on a single physical host the VM MAC addresses move among the physical cables as load demands (NIC teaming)
• To make matters worse, the VMs and their MACs move between physical servers as well
• You cannot apply a security policy to a physical switch port, since you don't know which port a workload may be connecting on
Does This Look Familiar?
Three main network hurdles to 100% virtualization
1. vMotion moves VMs across physical ports; network security policy does not follow
2. Impossible to isolate or apply policy to locally switched traffic (VM-to-VM traffic on the same host never reaches the physical switch)
3. Need coordination between network and server admins (the network admin works in the Cisco CLI, e.g. "n1000v# sh int"; the server admin works in vCenter)
[Diagram: VMs on VLAN 104 moving between hosts while the physical switch port policy stays put]
VMware Solution
VMware vShield Zones
Capabilities
• Bridge, firewall, or isolate VM zones based on familiar VI containers (the VMware Infrastructure inventory objects)
• Monitor allowed and disallowed activity by application-based protocols
• One-click flow-to-firewall blocks precise network traffic
Benefits
• Pervasive: well-defined security posture for inter-VM traffic anywhere and everywhere in the virtual environment
• Persistent: monitoring and assured policies for the entire VM lifecycle, including VMotion live migrations
• Simple: zone-based rules reduce policy errors
vShield Zones: Architecture
vShield Host Appliance
• Virtual Network Monitoring
• Virtual Network Firewall
vShield Manager
• Centralized Monitoring
• Centralized Policy Assignment
[Diagram: a vShield appliance on each VMware ESX host, with the vShield Manager alongside VMware vCenter]
vNetwork Distributed Switch
• Simplifies datacenter administration
• Security Benefits
 - Helps to mitigate misconfiguration (one switch definition at the datacenter level instead of one per host)
 - PVLAN Support
 - Inbound Bandwidth Control
• Enables networking statistics and policies to migrate with virtual machines (Network VMotion)
 - Key to enabling VMsafe appliances to provide stateful security: the state a firewall holds for a VM's flows is not lost when the VM moves
 - NetFlow statistics don't reset
• Provides for customization and third-party development
• Cisco's Nexus 1000V has even more security controls built right in
[Diagram: three per-host standard vSwitches versus one Distributed Virtual Switch spanning the hosts]
Private VLANs
PVLAN (Private VLAN)
• Enables Layer-2 isolation between VMs on the same switch, even though they are on the same subnet
• Traffic from one VM is forwarded out through the uplink without being seen by other VMs
• Communication between VMs on PVLANs can still occur at Layer 3, via the router or firewall on the promiscuous port, so that device must carry the inter-VM policy
• A secondary PVLAN is either isolated (its ports can reach only promiscuous ports, never each other) or community (its ports can also reach each other); promiscuous ports on the primary VLAN, typically the uplink, reach every secondary
Benefits
• Scale VMs on the same subnet but selectively restrict inter-VM communication
• Avoids scaling issues from assigning one VLAN and IP subnet per VM
Implementation
• Available when using the Distributed Switch
[Diagram: vSwitch with Private VLAN capability; Private VLAN traffic isolation between guest VMs; common primary VLAN on the uplinks]
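To make the forwarding rule concrete, here is an added example (not VMware or Cisco code) that models which pairs of ports on a Private VLAN can exchange frames at Layer 2, using the three secondary types the Distributed Switch offers (promiscuous, isolated, community). The port names, VLAN IDs and placement are constructed.

```python
"""Layer-2 forwarding decision on a Private VLAN, as described on the
slide above.  Added example, not VMware or Cisco code; the port names,
VLAN IDs and placement are constructed.

Secondary VLAN types on the Distributed Switch:
  promiscuous - the primary VLAN itself; its ports (typically the uplink
                to the router or firewall) reach every secondary VLAN
  isolated    - ports reach only promiscuous ports, never each other
  community   - ports reach promiscuous ports and the other ports of the
                same community
"""
from dataclasses import dataclass

PROMISCUOUS, ISOLATED, COMMUNITY = "promiscuous", "isolated", "community"


@dataclass(frozen=True)
class PvlanPort:
    name: str
    primary: int      # primary VLAN carried on the uplinks
    secondary: int    # secondary VLAN this port is mapped to (== primary for promiscuous)
    kind: str


def pvlan_permits(src: PvlanPort, dst: PvlanPort) -> bool:
    """True if a frame from src may be delivered to dst at Layer 2."""
    if src.primary != dst.primary:
        return False                       # different primary VLANs: separate domains
    if PROMISCUOUS in (src.kind, dst.kind):
        return True                        # the uplink/router side sees everything
    if ISOLATED in (src.kind, dst.kind):
        return False                       # isolated ports talk only to promiscuous ones
    return src.secondary == dst.secondary  # community: same community only


def reachability(ports):
    """Set of ordered (src, dst) name pairs that can exchange frames at Layer 2."""
    return {(a.name, b.name) for a in ports for b in ports
            if a is not b and pvlan_permits(a, b)}


# Constructed layout: one primary VLAN 100 on the uplinks, web tier in a
# community, database VMs isolated from each other, a lone monitoring VM.
UPLINK = PvlanPort("uplink", 100, 100, PROMISCUOUS)
WEB1 = PvlanPort("web1", 100, 101, COMMUNITY)
WEB2 = PvlanPort("web2", 100, 101, COMMUNITY)
DB1 = PvlanPort("db1", 100, 102, ISOLATED)
DB2 = PvlanPort("db2", 100, 102, ISOLATED)
MON = PvlanPort("mon", 100, 103, COMMUNITY)
SAMPLE_PORTS = [UPLINK, WEB1, WEB2, DB1, DB2, MON]

if __name__ == "__main__":
    for src, dst in sorted(reachability(SAMPLE_PORTS)):
        print(f"{src} -> {dst}")
```

Every VM can still reach the uplink, which is the point of the slide's Layer-3 caveat: db1 and db2 cannot see each other's frames, but both can be routed to each other by whatever sits behind the promiscuous port unless that device filters them.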
Cisco Nexus 1000v
vNetwork Distributed Switch
• Aggregated datacenter-level virtual networking
• Simplified setup and change
• Easy troubleshooting, monitoring and debugging
• Enables transparent third-party management of virtual environments
[Diagram: nine VMs (APP/OS) on VMware vSphere; three per-host vSwitches replaced by one vNetwork Distributed Switch, with the Cisco Nexus 1000V as a third-party implementation of it]
Current View of the Access Layer
• Typically provisioned as a trunk to the server running ESX
• No visibility to individual traffic from each VM
• Unable to troubleshoot, apply policy, or address performance issues per VM
[Diagram: the boundary of network visibility ends at the physical switch port facing the ESX host]
Nexus 1000V w/ VN-Link (Network View)
• VN-Link provides visibility to the individual VMs
• Policy can be configured per VM
• Policy is mobile within the ESX cluster
• VN-Link refers to a literal link between a VM vNIC and a Cisco VN-Link switch
[Diagram: the boundary of network visibility extends to each VM's vNIC]
Benefits for the Server Admin
• 1000V overcomes network hurdles to virtualizing tier-1, regulatory and DMZ applications
• 1000V makes ESX deployment faster, "one and done"
• 1000V offloads network workflow to the network admin
"1000V has a lot more functionality than our own virtual switch"
– Steve Herrod, VMware CTO
Benefits for the Network Admin
• 1000V overcomes hurdles to virtualizing DMZ, high-bandwidth and highly secure applications
• 1000V standardizes workflow for virtual and physical networks
• 1000V allows visibility into VM traffic
[Diagram: BEFORE 1000V / AFTER 1000V]
"1000V overcomes the biggest network hurdles to virtualization"
– Ed Bugnion, Cisco CTO
Cisco Nexus 1000V Security Features
[Diagram: SGACL matrix of source group against destination group, with permit (+) and deny (-) cells]
Nexus 1000V Architecture
[Diagram: one Nexus 1000V VSM (Virtual Supervisor Module) managing the Nexus 1000V VEM (Virtual Ethernet Module) running inside each of three vSphere hosts]
Policy Based VM Connectivity
1. Nexus 1000V automatically enables port groups in VMware vCenter (each port profile defined on the Nexus 1000V appears as a port group)
2. The server admin uses vCenter to assign a vNIC policy from the available port groups
3. Nexus 1000V automatically enables VM connectivity at VM power-on
[Diagram: steps 1-3 across the Nexus 1000V, vCenter and vSphere]
Mobility of Security & Network Properties
1. vCenter kicks off a VMotion (manual or DRS) and notifies the Nexus 1000V
2. During VM replication, the Nexus 1000V copies the VM port state to the new host
3. Once the VMotion completes, the port on the new ESX host is brought up and the VM's MAC address is announced to the network
[Diagram: VMotion notification, current: VM1 on Server 1, new: VM1 on Server 2; network persistence: VM port config, state and VM monitoring statistics copied; network update: ARP for VM1 sent to the network, flows to VM1's MAC redirected to Server 2]
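The three steps above are what turn the "policy does not follow the VM" hurdle from the challenges section into a non-issue: the policy is bound to the vNIC's port state, which travels with the VM. The following is an added example, not Cisco or VMware code; host names, the port-state fields and the addresses are constructed, and the announcement is built as a gratuitous ARP because that is what the slide names (ESX's own "Notify Switches" behaviour sends a RARP broadcast, which carries only the source MAC the upstream switches need to relearn).

```python
"""Steps 1-3 of the handoff on the slide above, as an added example (not
Cisco or VMware code): the port state bound to the VM's vNIC travels with
the VM, and the destination host announces the VM's MAC so that physical
switches and neighbours redirect flows to it.  Host names, the port-state
fields and the addresses are constructed.

The slide says "ARP for VM1"; the frame built here is a gratuitous ARP
request (sender IP == target IP).  ESX's own "Notify Switches" behaviour
sends a RARP broadcast instead, which carries only the source MAC the
upstream switches need to relearn.
"""
import struct
from dataclasses import dataclass, field


@dataclass
class PortState:
    vm: str
    mac: str
    ip: str
    profile: str     # port profile: VLAN/ACL policy bound to the vNIC, not to a switch port
    vlan: int
    rx_frames: int = 0
    tx_frames: int = 0


@dataclass
class Host:
    name: str
    ports: dict = field(default_factory=dict)   # VM name -> PortState


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def gratuitous_arp(mac: str, ip: str) -> bytes:
    """Ethernet broadcast carrying an ARP request for the VM's own IP."""
    eth = mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes(mac) + struct.pack("!H", 0x0806)
    # htype Ethernet, ptype IPv4, hlen 6, plen 4, opcode 1 (request)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
    arp += mac_bytes(mac) + ip_bytes(ip)                     # sender = the VM
    arp += mac_bytes("00:00:00:00:00:00") + ip_bytes(ip)     # target = the VM again
    return eth + arp


def vmotion(vm: str, src: Host, dst: Host, wire: list) -> PortState:
    """Move vm from src to dst; frames sent on dst's uplink are appended to wire."""
    state = src.ports[vm]                          # 1. vCenter notifies the switch of the move
    dst.ports[vm] = PortState(**vars(state))       # 2. copy port config, state and counters
    del src.ports[vm]
    wire.append((dst.name, gratuitous_arp(state.mac, state.ip)))   # 3. announce on the new host
    return dst.ports[vm]


def run_demo():
    """VM1 moves from server1 to server2; returns both hosts and the frames sent."""
    server1, server2, wire = Host("server1"), Host("server2"), []
    server1.ports["VM1"] = PortState("VM1", "00:50:56:a1:00:01", "10.1.104.21",
                                     profile="web-dmz", vlan=104,
                                     rx_frames=1234, tx_frames=987)
    vmotion("VM1", server1, server2, wire)
    return server1, server2, wire


if __name__ == "__main__":
    s1, s2, wire = run_demo()
    print("VM1 now on", s2.name, "with policy", s2.ports["VM1"].profile)
    print("announcement from", wire[0][0], ":", wire[0][1].hex())
```

After the move the policy name and the counters are unchanged on the new host, and the 42-byte broadcast frame goes out of server2's uplink so the physical switches relearn VM1's MAC on the new port; contrast this with the switch-port-bound policy from the "Traditional Virtual World" slide, which would have stayed on Server 1's port.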
Cisco Nexus 1000V – VM Security
[Diagram: SGACL matrix (source group against destination group, permit/deny) applied across three vSphere hosts]
Keep your process consistent
• Few datacenters are completely virtualized
• Using the Nexus 1000V keeps all the processes consistent and gives you the same visibility for VMs and physical servers
• Troubleshoot your network as before, using tools you know
• Makes regulatory compliance much easier because of the simpler process
[Diagram: Cisco VEM hosting VM1-VM4, with ERSPAN, NetFlow counters, CDP and PVLAN available at the VEM]
© 2009 VMware Inc. All rights reserved
Thank You!