Transcript of: Virtualization in the Data Center and how to address Security Challenges
Page 1
Virtualization in the Data Center
and how to address Security Challenges
Sergiu ION - Networking & Security Solutions Sales Representative
S&T România
Page 2
Agenda
■ About S&T
■ Transform your Business with Virtualization
■ Data Center Virtualization
■ Addressing the Data Center Security Challenges
Page 3
Member of S&T Group
S&T GROUP
■ a leading IT company acting in 17 countries
■ about 1,400 employees
■ #1 Consulting Service Provider in CEE (Gartner, July 2009)
■ among the top 5 in most of its countries
■ uses the potential of growth markets
2011 - Quanmax AG and grosso holding GmbH are new majority shareholders
New management and supervisory board
Page 4
We integrate best-of-breed infrastructure solutions
[Figure: solution areas Enterprise Computing, Enterprise Storage, Networks & Security, Information Management; verticals Financial Services, Manufacturing, Trade, Telecom, Utilities, Government]
Page 5
Transform your Business with
Virtualization
www.snt.ro
Page 6
What is Virtualization?
Virtualization is the pooling and abstraction of resources and services in a way that masks the physical nature and boundaries of those resources and services from their users.
http://www.gartner.com/DisplayDocument?id=399577
■ If you can see it and it is there
– It’s real
■ If you can’t see it but it is there
– It’s transparent
■ If you can see it and it is not there
– It’s virtual
■ If you can not see it and it is not there
– It’s gone
Page 7
Virtualization is … well, not exactly new
■ Nothing new! Concept known to mainframes back in the '70s
Virtualization is not a new concept
Mainframes of the '70s were underutilized and over-engineered
http://www-07.ibm.com/systems/my/z/about/timeline/1970/
Page 8
Data Center and Network Evolution
[Figure: Application Architecture Evolution plotted against IT Relevance and Control]
Data Center 1.0: Mainframe, Centralized
Data Center 2.0: Client-Server and Distributed Computing, Decentralized
Data Center 3.0: Service Oriented and Web 2.0 Based, Virtualized
Consolidate, Virtualize, Automate
Page 9
Cisco Data Center products
■ Data Center Security: Firewall SM, IDS SM, ACE XML Gateway, Web Application Firewall
■ Application Network Services: ACE Application Delivery – Module and Appliance, Wide-Area Application Services
■ Storage Networking: MDS 9500 Storage Directors, MDS Fabric Switches, Blade Switches (Unified Fabric ready)
■ Infiniband Clustering: SFS 7000 Infiniband Switch, SFS 3000 Infiniband Gateway
■ Data Center Provisioning and Management: Data Center Network Manager – Topology Visualization and Provisioning; ANM – Advanced L4-7 Services Module Management
■ Ethernet Networking: Nexus 7000, Nexus 5K/4K/2K/1K, Catalyst 6500 Series, Catalyst 4900 Top-of-Rack
■ Data Center Networking: Nexus 7000 Modular Switching System, Nexus 5000 Rack Switch, Nexus 1000v VN-Link Switch, Unified Computing System
Page 10
Four Drivers Behind Virtualization
Page 11
Virtualization
in the Data Center
www.snt.ro
Page 12
Data Center Virtualization
Page 13
Network Virtualization
■ Overlay of logical topologies (1:N)
■ One physical network supports N virtual networks
Page 14
Network Virtualization
■ Device Partitioning
› One to many devices
› Primary use case is infrastructure reduction
› Increases service agility & flexibility
› Improves asset utilization
› Examples: VLAN, VRF, VSAN, VDC, Firewall Context, LB Context, Hypervisor
■ Virtualized Interconnect
› Primary use case is link consolidation
› Logical tenant isolation
› Examples: 802.1q, VPN, MPLS, Unified I/O FCoE
■ Device Pooling
› Many to one device
› Primary use case is maximum availability & density
› Reduces management plane
› Examples: VSS, vPC, GSLB, FHRP
Page 15
Network Virtualization
■ Network Virtualization is key to path isolation and policy control
■ Provides control and data plane separation
Page 16
Compute Virtualization
■ A single physical server hosting multiple independent Guest OS + application(s)
■ Hypervisor abstracts physical hardware from Guest O/S and application
■ Partitions system resources: RAM, CPU, disk, etc.
Page 17
[Figure: Server Deployment Scale, with a Management instance and a Software Switch per virtualized server]
Pages 18 to 23
Simplifying the Data Center
[Figure, built up over six slides: Mgmt Servers in the rack are progressively consolidated]
A cohesive solution
Embed management
Unify fabrics
Optimize virtualization
Remove unnecessary
- Switches
- Adapters
- Management modules
Page 24
Cisco Unified Computing System
■ UCS
Scalable compute platform
Integrated virtualization
Natural aggregation point: Network
■ Unified embedded management
Embedded on the network controller
■ Wire once: I/O on demand
LAN, SAN, IPC
■ Efficient Scale
Cisco network & services scale
Fewer servers with more memory
■ Lower cost
Fewer servers, switches, adapters, cables
Lower power consumption
Page 25
■ Network + Compute Virtualization
Single Integrated System
[Figure: Mgmt, SAN A, SAN B and LAN attached to a single integrated system; eight chassis of 5 x 8 = 40 each, 320 total]
Page 26
[Figure: Physical Servers with a run-time association to Server Profiles; each profile carries Server Name, UUID, MAC, WWN, Boot info, firmware, LAN Config and SAN Config]
Dynamic Management
■ Server profiles
Abstracts server characteristics from the physical server hardware
■ Pre-defined and pre-created server identities
Default is shipped hardware
Stored in switch
■ “Associated” with a physical server
Manual or policy-driven
Page 27
Stateless Computing
■ Server attributes no longer tied to physical hardware
Not just identity
Seamless server mobility within switch domain
■ Network boot (LAN or SAN)
Boot order and devices are part of server profile
Local disks can be used for temp, swap, etc.
Scrubbed between use (optional)
[Figure: profile Server Name: LS-A, UUID: 56 4d cd 3f 59 5b 61…, MAC: 08:00:69:02:01:FC, WWN: 5080020000075740, Boot Order: SAN, LAN, moving from Chassis-1/Blade-5 to Chassis-9/Blade-2 with SAN and LAN connectivity]
Page 28
What Happens When We Mix Network and Server Virtualization?
■ Typically provisioned as trunk to the server running ESX
■ No visibility to individual traffic from each VM
■ Unable to troubleshoot, apply policy, address performance issues
Page 29
VN-Link Brings VM Level Granularity
Problems:
• VMotion may move VMs across physical ports—policy must follow
• Impossible to view or apply policy to locally switched traffic
• Cannot correlate traffic on physical links—from multiple VMs
VN-Link:
• Extends network to the VM
• Consistent services
• Coordinated, coherent management
[Figure: VMs on VLAN 101 attached through a Cisco VN-Link Switch]
Page 30
Storage Virtualization
■ VSAN
A virtual storage area network (VSAN) is a collection of ports from a set of connected Fibre Channel switches that form a virtual fabric. Ports within a single switch can be partitioned into multiple VSANs, despite sharing hardware resources. Conversely, multiple switches can join a number of ports to form a single VSAN.
■ NPIV
N_Port ID Virtualization or NPIV is a Fibre Channel facility allowing multiple N_Port IDs to share a single physical N_Port. This allows multiple Fibre Channel initiators to occupy a single physical port, easing hardware requirements in Storage Area Network design, especially where virtual SANs are called for.
Page 31
Addressing the Data Center
Security Challenges
www.snt.ro
Page 32
Hierarchical network design
■ Hierarchical network design consists of the following layers:
- Core
- Aggregation / Services
- Access / Virtual Access
■ Infrastructure security features must be enabled to protect the device, data plane and control plane.
■ Device virtualization provides control, data and management plane segmentation.
Each layer needs to be secured individually to achieve a defense-in-depth security mechanism.
Page 33
Core Layer
■ DDoS Detection and Mitigation
■ Routing Protocol authentication
■ Route filtering
■ Log neighbor changes
■ ACL for Anti-Spoofing and RFC1918 Addresses.
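The anti-spoofing and RFC 1918 ACL items above, modelled as an added example (not from the slides or any vendor): the checks as a filter function, plus the equivalent IOS-style wildcard-mask ACL lines rendered from the same prefix list. The data center's own public prefix 203.0.113.0/24 and the sample packets are constructed assumptions.

```python
"""Core-layer edge filtering as on the slide: drop RFC 1918 and bogon sources
arriving from the outside, drop outside packets that claim one of our own
prefixes (spoofing), and let only our own (post-NAT) prefixes leave.
Added example; OWN_PREFIXES and SAMPLE_PACKETS are constructed values."""
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]
# Public prefix assumed to belong to this data center (constructed value).
OWN_PREFIXES = [ip_network("203.0.113.0/24")]


def in_any(addr, nets):
    return any(addr in n for n in nets)


def verdict(src: str, iface: str) -> str:
    """Return 'permit' or 'deny:<reason>' for a packet with source address
    src seen on iface ('outside' = internet-facing, 'inside' = DC-facing)."""
    addr = ip_address(src)
    if iface == "outside":
        if in_any(addr, RFC1918):
            return "deny:rfc1918-source"
        if addr.is_loopback or addr.is_multicast or addr.is_unspecified:
            return "deny:bogon-source"
        if in_any(addr, OWN_PREFIXES):
            return "deny:spoofed-own-prefix"
        return "permit"
    # Egress anti-spoofing: traffic leaving must carry one of our addresses,
    # so a compromised internal host cannot source spoofed packets outward.
    return "permit" if in_any(addr, OWN_PREFIXES) else "deny:egress-not-own-prefix"


def render_acl(name="CORE-EDGE-IN"):
    """Emit the inbound policy as IOS-style extended ACL lines. Wildcard masks
    are the inverse of the subnet mask, which ip_network.hostmask provides."""
    lines = [f"ip access-list extended {name}"]
    for net in RFC1918 + OWN_PREFIXES:
        lines.append(f" deny ip {net.network_address} {net.hostmask} any")
    lines.append(" deny ip 127.0.0.0 0.255.255.255 any")
    lines.append(" permit ip any any")
    return "\n".join(lines)


SAMPLE_PACKETS = [  # (source address, ingress interface), constructed
    ("10.1.2.3", "outside"), ("203.0.113.5", "outside"),
    ("198.51.100.7", "outside"), ("203.0.113.9", "inside"),
    ("10.1.1.1", "inside"),
]


def filter_samples():
    return [(src, iface, verdict(src, iface)) for src, iface in SAMPLE_PACKETS]


if __name__ == "__main__":
    for row in filter_samples():
        print(*row)
    print(render_acl())
```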
Page 34
Aggregation Layer
■ Stateful Packet Filtering
- Initial filter for all DC ingress and egress traffic
- Cisco ASA 5500: 10G stateful packet filtering, deep packet inspection
■ Virtual Contexts allow correlation to Nexus VDCs
■ VPN
- IPsec Site-to-Site / Remote Access
- SSL
Page 35
Services Layer
■ Server Load Balancing
- Server Load Balancing masks servers and applications.
■ Additional Firewall Services for Server-Farm specific protection
■ Application Firewall
- Application Firewall mitigates XSS, HTTP-, SQL- and XML-based attacks.
■ Network Intrusion Prevention
- IPS/IDS: Provides traffic analysis and forensics.
■ Flow Based Traffic Analysis
- Network Analysis for traffic monitoring and data analysis.
Page 36
Access Layer
■ Enhanced Layer 2 Security
- Access Control Lists
- Dynamic ARP Inspection
- DHCP Snooping
- IP Source Guard
- Port Security
- Private VLANs
- STP Extensions
- Layer 2 Storm Control
- Hardware Rate-Limiters
■ Layer 2 Flow Monitoring
- NetFlow, SPAN, ERSPAN, ACL Logs
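How three of the Layer 2 features above fit together, as an added example (not Catalyst or Nexus code): DHCP Snooping builds a binding table from leases seen through the trusted uplink, and Dynamic ARP Inspection and IP Source Guard then check ARP and IP packets on untrusted ports against it. Port names, VLAN 10 and the packet sequence are constructed.

```python
"""Access-layer Layer 2 protections from the slide, modelled as an added
example (not Catalyst/Nexus code): DHCP Snooping builds a binding table,
Dynamic ARP Inspection (DAI) and IP Source Guard (IPSG) check ARP and IP
packets on untrusted ports against it. Ports and packets are constructed."""
from dataclasses import dataclass, field


@dataclass
class AccessSwitch:
    trusted_ports: set                             # uplinks toward the DHCP server
    pending: dict = field(default_factory=dict)    # (vlan, mac) -> client port
    bindings: dict = field(default_factory=dict)   # (vlan, mac) -> (ip, port)
    log: list = field(default_factory=list)

    def _drop(self, reason):
        self.log.append(reason)
        return "drop"

    def dhcp(self, port, vlan, msg, client_mac, yiaddr=None):
        """DHCP Snooping: client messages are forwarded and the client's port is
        remembered; server messages (OFFER/ACK) are accepted only on trusted
        ports, and an ACK creates the binding on the client's port."""
        if msg in ("DISCOVER", "REQUEST"):
            self.pending[(vlan, client_mac)] = port
            return "forward"
        if port not in self.trusted_ports:
            return self._drop(f"rogue DHCP {msg} on untrusted {port}")
        if msg == "ACK" and (vlan, client_mac) in self.pending:
            self.bindings[(vlan, client_mac)] = (yiaddr, self.pending.pop((vlan, client_mac)))
        return "forward"

    def _bound(self, port, vlan, mac, ip):
        return self.bindings.get((vlan, mac)) == (ip, port)

    def arp(self, port, vlan, sender_mac, sender_ip):
        """DAI: on untrusted ports the ARP sender MAC/IP must match a binding."""
        if port in self.trusted_ports or self._bound(port, vlan, sender_mac, sender_ip):
            return "forward"
        return self._drop(f"DAI: {sender_ip}/{sender_mac} on {port} has no binding")

    def ip_packet(self, port, vlan, src_mac, src_ip):
        """IPSG: the same binding check applied to IP traffic."""
        if port in self.trusted_ports or self._bound(port, vlan, src_mac, src_ip):
            return "forward"
        return self._drop(f"IPSG: {src_ip}/{src_mac} on {port} not in binding table")


def demo():
    """Constructed sequence: one legitimate lease, then three spoofing attempts."""
    sw = AccessSwitch(trusted_ports={"Gi1/0/48"})
    results = [
        sw.dhcp("Gi1/0/5", 10, "DISCOVER", "aa:aa:aa:aa:aa:01"),
        sw.dhcp("Gi1/0/48", 10, "ACK", "aa:aa:aa:aa:aa:01", "10.1.10.20"),
        sw.arp("Gi1/0/5", 10, "aa:aa:aa:aa:aa:01", "10.1.10.20"),   # legitimate
        sw.arp("Gi1/0/6", 10, "bb:bb:bb:bb:bb:02", "10.1.10.1"),    # claims the gateway
        sw.dhcp("Gi1/0/6", 10, "OFFER", "aa:aa:aa:aa:aa:01", "10.1.10.77"),  # rogue server
        sw.ip_packet("Gi1/0/5", 10, "aa:aa:aa:aa:aa:01", "10.1.10.99"),  # wrong source
    ]
    return results, sw.log
```

Each dropped packet leaves a reason in `log`, which is the kind of line the ACL Logs bullet above feeds to central monitoring.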
Page 37
Virtual Access Layer
■ Virtualization security
- The Cisco Virtual Security Gateway (VSG) works with Cisco Nexus 1000V switches to provide zone-based and policy-driven security at the virtual machine level, extending existing security policies into virtual and cloud environments. The Cisco Nexus 1000V adds security and monitoring capabilities at the access layer, including PVLAN, IP Source Guard, DHCP Snooping, ARP inspection, and NetFlow.
■ Endpoint security
- Host intrusion prevention protects servers against zero-day attacks.
Page 38
Security Management
■ Management and monitoring tools can be used to manage and monitor the infrastructure security.
■ Events are sent by Host IPS, Network IPS, Firewalls, LB, Routers and Switches as syslogs, NetFlow, SNMP traps and IPS alerts.
■ All events are sent to a central repository to perform Anomaly Detection, Event Correlation and Forensics Analysis.
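The central-repository correlation described above, as an added example (not a vendor product): firewall syslog, Network IPS and Host IPS lines are normalised to a common form and a source that several sensor types report within a short window is raised as a corroborated incident. The sample lines are constructed and their formats simplified; the ASA line only follows the shape of the real 302013 "Built connection" message.

```python
"""Event collection and correlation as on the slide, as an added example (not a
vendor product): firewall syslog, Network IPS and Host IPS alerts are parsed
into a common (time, sensor, src_ip) form and a source reported by several
sensor types within a short window is raised as a corroborated incident.
Sample lines are constructed and their formats simplified."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_FEED = """\
2011-05-10T10:00:01 FW %ASA-6-302013: Built inbound TCP connection 1 for outside:198.51.100.7/44121 to dmz:203.0.113.10/80
2011-05-10T10:00:03 NIPS alert sig=5081 src=198.51.100.7 dst=203.0.113.10 msg="WWW directory traversal"
2011-05-10T10:00:05 HIPS host=web01 src=198.51.100.7 action=blocked msg="suspicious file write in webroot"
2011-05-10T10:01:00 FW %ASA-6-302013: Built inbound TCP connection 2 for outside:192.0.2.44/5500 to dmz:203.0.113.10/80
2011-05-10T10:20:00 NIPS alert sig=2000 src=192.0.2.99 dst=203.0.113.11 msg="ICMP sweep"
2011-05-10T11:30:00 HIPS host=web02 src=192.0.2.99 action=blocked msg="unexpected service start"
"""

# One parser per sensor type; each must expose a 'src' group.
PATTERNS = {
    "FW": re.compile(r"outside:(?P<src>[\d.]+)/\d+ to \w+:(?P<dst>[\d.]+)/\d+"),
    "NIPS": re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)"),
    "HIPS": re.compile(r"src=(?P<src>[\d.]+)"),
}


def parse(feed):
    """Normalise raw lines to (timestamp, sensor, src_ip, raw); count misses."""
    events, unparsed = [], 0
    for line in feed.splitlines():
        ts, sensor, rest = line.split(" ", 2)
        pat = PATTERNS.get(sensor)
        m = pat.search(rest) if pat else None
        if m is None:
            unparsed += 1          # unknown sensor or format drift: surface it
            continue
        events.append((datetime.fromisoformat(ts), sensor, m.group("src"), rest))
    return events, unparsed


def correlate(events, window=timedelta(minutes=5), min_sensors=2):
    """Return {src_ip: sorted sensor types} for sources that at least
    min_sensors distinct sensor types reported within `window` of the
    source's first event; independent sensors agreeing is the signal."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[2]].append(ev)
    incidents = {}
    for src, evs in by_src.items():
        first = evs[0][0]
        sensors = {e[1] for e in evs if e[0] - first <= window}
        if len(sensors) >= min_sensors:
            incidents[src] = sorted(sensors)
    return incidents


def run():
    events, unparsed = parse(SAMPLE_FEED)
    return correlate(events), unparsed
```

The second source (192.0.2.99) is seen by two sensors but 70 minutes apart, so it falls outside the window and is not raised; tune `window` to the environment's alert latency.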
Page 39
Data Center Security Challenges