Cisco Virtual Security Gateway (VSG)
Alexander Skorokhodov
Systems Engineer / Consultant, [email protected]
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Nexus 1000V: virtual distributed software switch
The Nexus 1000V is a Cisco switch for the VMware ESX environment. It implements the VN-Link functions:
• Policy-based VM management
• Security functions; support for NetFlow, ERSPAN, multicast and EtherChannel
• Mobility of network, security and monitoring settings
• Preserves the existing operational model
Security functions: access lists (ACL), Port Security, Private VLAN, DHCP Snooping, Dynamic ARP Inspection, IP Source Guard
[Diagram: two VMware ESX hosts (Server 1, Server 2) with the VMware vSwitch replaced by the Nexus 1000V; VMs #1 to #8 (App/OS) attached to the switch; Virtual Center and the Nexus 1000V VSM above; VM-to-VM traffic flowing between virtual machines]
Cisco VSG: the problem it solves
• Securing traffic between VMs: a new "blind spot" for security tools
• Dynamic, context-aware policy enforcement using VM properties
• Operation without relying on VLANs: protecting traffic inside a segment
• Separation of operational domains: compute, network, security
Layered security structure
Internet Edge:
• Filtering of external traffic
• Extended support for application protocols
• VPN access, defense against external threats
Internal Security:
• Segmentation of the data center network
• Policy at the VLAN level
• Protocol inspection
• Virtual contexts
Virtual Security:
• Policy at the level of VM zones
• Horizontal scaling
• Reliance on VM context
[Diagram: products shown for the tiers: ASA 55xx, ASA 55xx, FWSM, VSG]
Virtual Security Gateway: protecting applications in the virtual environment
[Diagram: VSG attached to the Nexus 1000V Distributed Virtual Switch through vPath, managed by VNMC, with Log/Audit output; VMs on several hosts are protected]
• Secure Segmentation (VLAN agnostic)
• Efficient Deployment (secure multiple hosts)
• Transparent Insertion (topology agnostic)
• High Availability
• Dynamic policy-based provisioning
• Mobility aware (policies follow vMotion)
Multi-tenant support
• Granularity according to the requirements of the task: Tenant, VDC, vApp
• Deployment of multiple VSGs for horizontal scaling
[Diagram: vSphere with Nexus 1000V and vPath serving Tenant A and Tenant B, each containing VDC-1 and VDC-2 with vApps, all managed by the Virtual Network Management Center]
vPath technology
vPath support is built into the Virtual Ethernet Module (VEM) of the Nexus 1000V (from version 1.4).
Two main functions of vPath:
• Intelligent redirection of traffic to the VSG
• Offloading of processing from the VSG to the VEM
vPath supports co-location of services belonging to different tenants.
Using vPath increases performance through distributed processing.
It can also be used for other services.
[Diagram: Nexus 1000V VEMs with vPath]
Virtual Security Gateway: traffic redirection with vPath
[Diagram: Initial Packet Flow. The first packet of a flow is redirected by vPath from the Nexus 1000V Distributed Virtual Switch to the VSG: (1) Flow Access Control (policy evaluation), (3) Decision Caching; an Access Log entry is sent via syslog to the VNMC Log/Audit]
Virtual Security Gateway: performance improvement with vPath
[Diagram: the remaining packets from the flow are handled in the Nexus 1000V; the ACL is offloaded to the Nexus 1000V (policy enforcement)]
VSG: application-protocol support. Example: FTP
[Diagram: FTP Control and FTP Data connections between VMs on the Nexus 1000V Distributed Virtual Switch, passing through vPath and the VSG, managed by VNMC]
FTP Data Path is Allowed Bi-Directional in the vPath Flow Table
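The vPath behaviour of the slides above (the first packet of a flow evaluated by the VSG, the decision cached in the VEM for the remaining packets, and the FTP data path allowed bi-directionally in the flow table), as an added toy model in Python; this is not Cisco code, and the zone map, policy and addresses are constructed for illustration.

```python
# Added toy model (not Cisco code) of the vPath split: the VSG slow path
# evaluates the first packet of a flow, the VEM fast path applies the cached
# decision to the rest, and an FTP data connection gets a bi-directional entry.
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


# Constructed VM-to-zone binding and a one-rule policy: web may reach the
# FTP control port (21) of the app tier; everything else is implicitly dropped.
ZONES = {"10.0.1.10": "web", "10.0.2.20": "app", "10.0.3.30": "db"}
POLICY = [("web", "app", "tcp", 21, "permit")]


class VEM:
    def __init__(self) -> None:
        self.flow_table: Dict[Flow, str] = {}  # decisions offloaded from the VSG
        self.slow_path = 0  # packets redirected to the VSG
        self.fast_path = 0  # packets served from the flow table

    def vsg_evaluate(self, f: Flow) -> str:
        """Slow path: the VSG evaluates the policy for the first packet."""
        self.slow_path += 1
        for src_zone, dst_zone, proto, port, action in POLICY:
            if (ZONES.get(f.src), ZONES.get(f.dst), f.proto, f.dport) == (
                src_zone, dst_zone, proto, port
            ):
                return action
        return "drop"  # implicit deny at the end of the policy

    def handle(self, f: Flow) -> str:
        """Fast path if cached; otherwise redirect once and cache the decision."""
        if f in self.flow_table:
            self.fast_path += 1
            return self.flow_table[f]
        action = self.vsg_evaluate(f)
        self.flow_table[f] = action
        return action

    def open_ftp_data(self, ctrl: Flow, data_port: int) -> None:
        """Data path of a permitted FTP control channel, allowed in both directions."""
        if self.flow_table.get(ctrl) != "permit":
            return
        for a, b in ((ctrl.src, ctrl.dst), (ctrl.dst, ctrl.src)):
            self.flow_table[Flow(a, b, "tcp", data_port)] = "permit"
```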
Deployment example: 3-tier computing architecture
Policy – Content Hosting (Tenant A):
• Web-zone: permit only port 80 (HTTP) of Web Servers
• Application-zone: permit only port 22 (SSH) to application servers; only permit Web servers access to Application servers
• Database-zone: only permit Application servers access to Database servers; block all external access to database servers
[Diagram: Web Client to Web Servers (Web-zone) to App Servers (Application-zone) to DB servers (Database-zone)]
VSG: system architecture
[Diagram: VMware vCenter and the VSM exchange Port Profiles and VM Attributes with the Virtual Network Management Center (VNMC); VNMC provides Security Profiles to the VSG (VSN); the VSG holds the VM-to-IP Binding and receives packets on the slow path, while subsequent packets take the fast path in the switch]
VSG: security policy model
VSG: security policies
Security Policy is applied per Port-Profile (Port Group).
Policy components
A Security Profile contains a Policy Set; the Policy Set contains Policy 1, Policy 2 … Policy N; each Policy contains Rule 1, Rule 2 … Rule N.
A rule is an ACE; a policy is the analogue of an ACL.
VSG policies: rule structure
Rule = Source Condition + Destination Condition + Action
Condition, by Attribute Type: Network, VM, Custom
• VM Attributes: Instance Name, Guest OS full name, Zone Name, Parent App Name, Port Profile Name, Cluster Name, Hypervisor Name
• Network Attributes: IP Address, Network Port
• Operators: eq, neq, gt, lt, range, not-in-range, prefix; member, not-member, contains
VSG: example 1a, using network attributes
[Diagram: Access Policy, Network Attributes – Allow Ping; Server A (192.168.1.1) and Server B (192.168.1.2) behind the VSG]
Example 1a: configuration
Rule leveraging a network attribute to allow communication between Server A and Server B (Source Condition, Destination Condition, Action).
VSG: example 1b, using VM attributes
[Diagram: Access Policy, VM Attributes – Allow Ping; Server A is a Web Server, Server B is a Database Server]
Example 1b: configuration
Rule leveraging a VM attribute to allow communication between Server A and Server B (Source Condition, Destination Condition, Action).
Policies: trust zones
[Diagram: Tenant A classified into HR Zone, Finance Zone, QA Zone, Dev Zone and VDI Zone]
Classification by zones:
• Based on network and VM attributes
• Policies can be applied to zones
• External security: between the outside world and a zone
• Internal security: between zones and within a zone
• A virtual machine can belong to many zones
VSG: example 1c, using security zones
[Diagram: Access Policy, Zone Based Policy – Allow Ping; Server A in the Web Server Zone, Server B in the Database Server Zone]
Example 1c: zone configuration
Zones are defined by a condition leveraging the attributes, e.g. Network, VM or Custom Attributes.
Example 1c: using zones
Rule leveraging a zone to allow communication between Server A and Server B (Source Condition, Destination Condition, Action).
Example 2: multi-tier application
Policy – Content Hosting (the same 3-tier architecture as in the deployment example above):
• Web-zone: permit only port 80 (HTTP) of Web Servers
• Application-zone: permit only port 22 (SSH) to application servers; only permit Web servers access to Application servers
• Database-zone: only permit Application servers access to Database servers; block all external access to database servers
Example 2: policies using zones
[Screenshot: VM Attribute Example]
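The rule structure described earlier (conditions over network or VM attributes with operators, zones defined by conditions, rules made of a source condition, a destination condition and an action, evaluated first-match like an ACL) applied to the Content Hosting policy of Example 2, as an added toy evaluator in Python; it is not VNMC or VSG code, and the VM inventory, port-profile names and addresses are constructed.

```python
# Added toy model (not Cisco/VNMC code) of the VSG policy structure: conditions
# on network or VM attributes with operators, zones defined by conditions,
# rules = source condition + destination condition + action, first-match ACL.
import ipaddress

# Constructed VM attributes, as vCenter would expose them to VNMC.
VMS = {
    "web-01": {"ip": "10.1.1.10", "port_profile": "web-pp"},
    "app-01": {"ip": "10.1.2.10", "port_profile": "app-pp"},
    "db-01": {"ip": "10.1.3.10", "port_profile": "db-pp"},
    "client": {"ip": "198.51.100.7", "port_profile": "external"},
}

OPS = {  # subset of the operators from the rule-structure slide
    "eq": lambda v, r: v == r,
    "neq": lambda v, r: v != r,
    "range": lambda v, r: r[0] <= v <= r[1],
    "prefix": lambda v, r: ipaddress.ip_address(v) in ipaddress.ip_network(r),
    "contains": lambda v, r: r in v,
}

# Zone = condition (attribute, operator, value); here on Port Profile Name.
ZONES = {
    "Web-zone": ("port_profile", "eq", "web-pp"),
    "Application-zone": ("port_profile", "eq", "app-pp"),
    "Database-zone": ("port_profile", "eq", "db-pp"),
}


def zones_of(vm):
    """A VM may belong to many zones, so return the set of matching zones."""
    return {z for z, (a, op, r) in ZONES.items() if OPS[op](VMS[vm][a], r)}


# Content Hosting rules: (source zone or "any", destination zone, port condition, action).
CONTENT_HOSTING = [
    ("any", "Web-zone", ("eq", 80), "permit"),               # only HTTP to web
    ("Web-zone", "Application-zone", ("eq", 22), "permit"),  # only web, only SSH
    ("Application-zone", "Database-zone", ("range", (1, 65535)), "permit"),
    ("any", "Database-zone", ("range", (1, 65535)), "drop"),  # no external DB access
]


def evaluate(src_vm, dst_vm, dport, policy=CONTENT_HOSTING):
    """Walk the rules like an ACL: order matters, implicit deny at the end."""
    src_zones, dst_zones = zones_of(src_vm), zones_of(dst_vm)
    for src_z, dst_z, (op, r), action in policy:
        if (src_z == "any" or src_z in src_zones) and dst_z in dst_zones:
            if OPS[op](dport, r):
                return action
    return "drop"
```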
Virtual Network Management Center (VNMC)
Preserving the administration logic
• Server Admin: vCenter, Port Group
• Network Admin: Nexus 1KV, Port Profile
• Security Admin: VNMC, Security Profile
VNMC: tenant hierarchy
• One tenant can have up to 3 sub-levels of hierarchy
• Support for overlapping addresses between tenants
VNMC: administration hierarchy
• VSG enforcement can be applied at any level of the tenant "tree"
• Each tenant must have at least one active VSG
• A VSG cannot manage across tenants
VSG: deployment order
VSG: example configuration order
VNMC:
• Define zones using VM/network attributes
• Define policy: create rules based on zones/network conditions
• Create the security profile and put the policy set in it
• Assign the security profile to the tenant VSG
VSM:
• Bind the security profile to the port profile
vCenter:
• The port profile is consumed as a port group; protection applies to the VMs attached to it
Serving different tenants
[Diagram: three vSphere hosts, each running a Cisco Nexus 1000V VEM with vPath and VMs of Tenant A (Web Zone, App Zone) and Tenant B (Dev Zone, QA Zone); each tenant has an Active VSG and a Standby VSG; VMware vCenter Server, the Nexus 1000V VSM and the Cisco Virtual Network Management Center Server sit on the Data Center Network]
• Security policies enforced on a shared compute environment
• vPath is multitenant aware
• Active and standby VSGs on different physical hosts
Deploying VSGs on separate hosts
[Diagram: the VSGs for Tenant A and Tenant B run on dedicated hosts, while the compute hosts with vPath carry the tenant VMs (Web Zone, App Zone, Dev Zone, QA Zone); VMware vCenter Server, the Nexus 1000V VSM and the Cisco Virtual Network Management Center Server are on the Data Center Network]
VSG solution: fault tolerance
Demo stand diagram