Virtual Network Security

deadhorsevoiceless (Networks and Communications)

20 Nov 2013 (3 years and 6 months ago)

65 views

© 2009 VMware Inc. All rights reserved

Virtual Network Security

Matt Skipton
System Engineer, VMware Inc.

Confidential
Agenda

- What NOT to Worry About
- Virtual Network Designs
- Virtual Network Security Challenges
- VMware Solution
- Cisco Nexus 1000v

What not to worry about

Virtualization-based Attacks
- Examples: Blue Pill, SubVirt, etc.
- These are ALL theoretical, highly complex attacks
- Some depend upon virtualization in CPU hardware
- Widely recognized by the security community as being only of academic interest

Irrelevant Architectures
- Example: numerous reports claiming guest escape
- Most apply only to the hosted architecture (e.g. Workstation), not bare-metal (i.e. ESX)
- Hosted architectures deliberately include numerous channels for exchanging information between guest and host.

Contrived Scenarios
- Example: VMotion intercept
- Involved exploits where
  - best practices for virtualization around hardening, lockdown, design, etc. were not followed, or
  - poor general IT infrastructure security is assumed

Isolation: Virtual Networks

Design Highlights
- No code exists to link virtual switches
- Virtual switches provide protection by design against attack:
  - MAC flooding, 802.1q and ISL tagging attacks, double-encapsulation attacks, multicast brute-force attacks, spanning-tree attacks, random frame attacks
- Can restrict malicious network behavior:
  - MAC address change, impersonation
- Such protection not possible with physical switches

(Diagram: two separate virtual networks, each on its own virtual switch)

Agenda (section: Virtual Network Designs)

Isolation in the Architecture

- Segment out all non-production networks
  - Use VLAN tagging, or
  - Use a separate vSwitch (see diagram)
- Strictly control access to the management network, e.g.
  - RDP to a jump box, or
  - VPN through a firewall

(Diagram: vSwitch1 on vmnic1 carries the Production port group to the Prod Network; vSwitch2 on vmnic2, 3 and 4 carries the VMkernel, Mgmt and Storage port groups to vCenter, IP-based Storage and other ESX/ESXi hosts over the Mgmt Network)

VMware Infrastructure 3 Security Hardening Guide
http://www.vmware.com/resources/techresources/726
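The two isolation rules above (non-production networks segmented by VLAN tag or separate vSwitch) and the earlier slide's point that a virtual switch can refuse MAC address changes and impersonation are the kind of settings an operator should audit rather than trust. The script below is an added example, not VMware's code or anything from the hardening guide: it checks a constructed host inventory against those rules. The three per-port-group security settings (MAC address changes, forged transmits, promiscuous mode) are the standard ESX vSwitch security-policy settings; treating an untagged port group on a shared vSwitch as not isolated is this audit's own rule, following the guidance that port groups should not rely on the native VLAN.

```python
"""Audit an ESX host's virtual network layout against the isolation rules on
the slides: non-production port groups (VMkernel, management, storage) kept
apart from production by VLAN tag or by a separate vSwitch, and the vSwitch
security policy rejecting MAC address changes and forged (impersonated) frames.

Added example; the inventories below are constructed, not read from a host.
"""
from dataclasses import dataclass

NON_PRODUCTION_ROLES = {"management", "vmkernel", "storage"}
VLAN_UNTAGGED = 0
VLAN_ALL = 4095  # virtual guest tagging: the port group sees every VLAN


@dataclass
class PortGroup:
    name: str
    vswitch: str
    vlan_id: int
    role: str  # "production", "management", "vmkernel" or "storage"
    # vSwitch security policy settings, each "Accept" or "Reject"
    mac_changes: str = "Reject"
    forged_transmits: str = "Reject"
    promiscuous: str = "Reject"


def isolated_on_shared_switch(prod: PortGroup, nonprod: PortGroup) -> bool:
    """Two port groups on one vSwitch are isolated only by distinct VLAN tags.
    A VLAN-4095 group sees every VLAN, and an untagged group depends on the
    physical switch's native-VLAN handling, so both are treated as not isolated
    (the audit's own rule, assumed here)."""
    if VLAN_ALL in (prod.vlan_id, nonprod.vlan_id):
        return False
    if VLAN_UNTAGGED in (prod.vlan_id, nonprod.vlan_id):
        return False
    return prod.vlan_id != nonprod.vlan_id


def audit(port_groups):
    """Return a list of human-readable findings; an empty list means the layout passes."""
    findings = []
    by_switch = {}
    for pg in port_groups:
        by_switch.setdefault(pg.vswitch, []).append(pg)
    for switch, groups in by_switch.items():
        prod = [g for g in groups if g.role == "production"]
        nonprod = [g for g in groups if g.role in NON_PRODUCTION_ROLES]
        for p in prod:
            for n in nonprod:
                if not isolated_on_shared_switch(p, n):
                    findings.append(
                        f"{switch}: production '{p.name}' (VLAN {p.vlan_id}) shares "
                        f"a vSwitch with {n.role} '{n.name}' (VLAN {n.vlan_id}) "
                        f"without VLAN isolation")
    for pg in port_groups:
        for setting in ("mac_changes", "forged_transmits", "promiscuous"):
            value = getattr(pg, setting)
            if value != "Reject":
                findings.append(
                    f"{pg.vswitch}/{pg.name}: {setting} is {value}, expected Reject")
    return findings


def sample_hardened():
    """Layout from the slide diagram: production on its own vSwitch, the
    VMkernel/Mgmt/Storage port groups on a second vSwitch with distinct tags."""
    return [
        PortGroup("Production", "vSwitch1", 100, "production"),
        PortGroup("VMkernel", "vSwitch2", 200, "vmkernel"),
        PortGroup("Mgmt", "vSwitch2", 201, "management"),
        PortGroup("Storage", "vSwitch2", 202, "storage"),
    ]


def sample_flat():
    """Constructed weak layout: production and management untagged on one
    vSwitch, a VLAN-4095 trunk port group, and two protections switched off."""
    return [
        PortGroup("Production", "vSwitch0", 0, "production", mac_changes="Accept"),
        PortGroup("Mgmt", "vSwitch0", 0, "management"),
        PortGroup("Trunk", "vSwitch0", 4095, "production", forged_transmits="Accept"),
    ]


if __name__ == "__main__":
    for label, inventory in (("hardened", sample_hardened()), ("flat", sample_flat())):
        results = audit(inventory)
        print(f"{label}: {len(results)} finding(s)")
        for line in results:
            print("  -", line)
```

The hardened inventory mirrors the diagram and produces no findings; the flat one produces four (two isolation failures and two policy settings left at Accept). Feeding the audit a real host means building the same `PortGroup` records from the host's actual port-group and security-policy configuration.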

Physical Separation of Trust Zones

Advantages
- Simpler, less complex configuration
- Less change to physical environment
- Little change to separation of duties
- Less change in staff knowledge requirements
- Smaller chance of misconfiguration

Disadvantages
- Lower consolidation and utilization of resources
- Higher cost

Virtual Separation of Trust Zones with Physical Security Devices

Advantages
- Better utilization of resources
- Take full advantage of virtualization benefits
- Lower cost

Disadvantages (can be mitigated)
- More complexity
- Greater chance of misconfiguration

Fully Collapsed Trust Zones Including Security Devices

Advantages
- Full utilization of resources, replacing physical security devices with virtual
- Lowest-cost option
- Management of entire DMZ and network from a single management workstation

Disadvantages (can be mitigated)
- Greatest complexity, which in turn creates highest chance of misconfiguration
- Requirement for explicit configuration to define separation of duties and regular audits to help mitigate risk of misconfiguration

Agenda (section: Virtual Network Security Challenges)

Network Security in the Good Old Days

- Plug a server in to a switch port
- Switch lights up and registers the server's MAC address
- Security policies and QoS can be applied to the port and they properly affect the workload on the server

Network Security in the Traditional Virtual World

- For each server you have 2 to 10 network links
- Each physical cable could have 1 to 100 VM MAC addresses on it
- Even on a single physical host the VM MAC addresses move among the physical cables as load demands
- To make matters worse, the VMs and MACs move between physical servers also!
- You cannot apply a security policy to a physical switch port since you don't know which one a workload may be connecting on.

Does This Look Familiar?

(Screenshots: the Cisco CLI used by the network admin, showing "n1000v# sh int", beside the vCenter client used by the server admin)

Three main network hurdles to 100% virtualization

1. VMotion moves VMs across physical ports; network security policy does not follow
2. Impossible to isolate or apply policy to locally switched traffic
3. Need coordination between network and server admins

(Diagram: VMotion of a VM between hosts on VLAN 104)

Agenda (section: VMware Solution)

VMware vShield Zones

Capabilities
- Bridge, firewall, or isolate VM zones based on familiar VI containers
- Monitor allowed and disallowed activity by application-based protocols
- One-click flow-to-firewall blocks precise network traffic

Benefits
- Pervasive: well-defined security posture for inter-VM traffic anywhere and everywhere in the virtual environment
- Persistent: monitoring and assured policies for the entire VM lifecycle, including VMotion live migrations
- Simple: zone-based rules reduce policy errors

vShield Zones: Architecture

- vShield Host Appliance
  - Virtual Network Monitoring
  - Virtual Network Firewall
- vShield Manager
  - Centralized Monitoring
  - Centralized Policy Assignment

(Diagram: a vShield appliance on each VMware ESX host, managed by the VMware vShield Manager alongside VMware vCenter)

vNetwork Distributed Switch

- Simplifies datacenter administration
- Security benefits
  - Helps to mitigate misconfiguration
  - PVLAN support
  - Inbound bandwidth control
- Enables networking statistics and policies to migrate with virtual machines (Network VMotion)
- Key to enabling VMsafe appliances to provide stateful security
- Netflow statistics don't reset
- Provides for customization and third-party development
- Cisco's Nexus 1000V has even more security controls built right in.

(Diagram: three per-host standard vSwitches compared with one distributed virtual switch spanning the hosts)

Private VLANs

PVLAN (Private VLAN)
- Enables Layer-2 isolation between VMs on the same switch, even though they are on the same subnet
- Traffic from one VM is forwarded out through the uplink, without being seen by other VMs
- Communication between VMs on PVLANs can still occur at Layer-3

Benefits
- Scale VMs on the same subnet but selectively restrict inter-VM communication
- Avoids scaling issues from assigning one VLAN and IP subnet per VM

Implementation
- Available when using the Distributed Switch

(Diagram: a vSwitch with Private VLAN capability isolating traffic between guest VMs, with a common primary VLAN on the uplinks)
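To make the Layer-2 isolation above concrete, and to show the Layer-3 caveat the slide mentions, here is an added example that models the PVLAN forwarding decision; it is not VMware or Cisco code. The slide shows only isolated guests behind a common primary VLAN; the model also includes community ports, which is the general PVLAN case. The port layout and the `router_permits` flag standing in for a filter at the router are constructed assumptions.

```python
"""Model the Layer-2 forwarding decision inside a Private VLAN so the isolation
the slide describes can be checked port by port, and show the Layer-3 path
that PVLAN alone does not close.

Added example, not VMware or Cisco code. Port kinds follow the standard PVLAN
model: promiscuous (the uplink/router side of the primary VLAN), isolated (no
Layer-2 path to any port except a promiscuous one) and community (Layer-2 path
only to the same community and to promiscuous ports). All port assignments
below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PvlanPort:
    name: str
    primary: int    # primary VLAN carried on the uplinks
    secondary: int  # secondary VLAN; equals primary on promiscuous ports
    kind: str       # "promiscuous", "isolated" or "community"


def can_forward(src: PvlanPort, dst: PvlanPort) -> bool:
    """True if a frame entering on src may be delivered to dst at Layer 2."""
    if src == dst:
        return False
    if src.primary != dst.primary:
        return False  # different PVLAN domains never exchange frames
    if "promiscuous" in (src.kind, dst.kind):
        return True   # the promiscuous port reaches every port in its primary
    if "isolated" in (src.kind, dst.kind):
        return False  # isolated guests see only the promiscuous port
    return src.secondary == dst.secondary  # community: same community only


def reachable_at_l2(ports, src: PvlanPort):
    """Names of the ports src can reach directly, sorted for stable comparison."""
    return sorted(p.name for p in ports if can_forward(src, p))


def reachable_via_router(src: PvlanPort, dst: PvlanPort, router: PvlanPort,
                         router_permits: bool) -> bool:
    """Layer-3 path src -> router -> dst. Both hops are ordinary PVLAN forwarding
    to and from the promiscuous router port, so two isolated guests on the same
    subnet still reach each other unless a filter at the router (or a firewall
    on the guests) denies it; router_permits stands in for that filter."""
    return (router.kind == "promiscuous"
            and can_forward(src, router)
            and can_forward(router, dst)
            and router_permits)


def build_sample():
    """Constructed layout: primary VLAN 100 with two isolated web guests and a
    two-member app community, plus an unrelated primary VLAN 200."""
    return [
        PvlanPort("uplink", 100, 100, "promiscuous"),
        PvlanPort("web1", 100, 101, "isolated"),
        PvlanPort("web2", 100, 101, "isolated"),
        PvlanPort("app1", 100, 102, "community"),
        PvlanPort("app2", 100, 102, "community"),
        PvlanPort("other", 200, 200, "promiscuous"),
    ]


def port(ports, name: str) -> PvlanPort:
    return next(p for p in ports if p.name == name)


if __name__ == "__main__":
    ports = build_sample()
    for p in ports:
        print(f"{p.name:7} ({p.kind:11}) -> {reachable_at_l2(ports, p)}")
    web1, web2, uplink = port(ports, "web1"), port(ports, "web2"), port(ports, "uplink")
    print("web1 -> web2 via router, no filter:",
          reachable_via_router(web1, web2, uplink, True))
```

The output shows `web1` reaching only `uplink` at Layer 2 while `app1` also reaches `app2`; `reachable_via_router` then shows that the two isolated web guests still have a routed path through the promiscuous port, which is why the slide's "can still occur at Layer-3" note matters when PVLANs are used as a security control.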
Agenda (section: Cisco Nexus 1000v)

vNetwork Distributed Switch

- Aggregated datacenter-level virtual networking
- Simplified setup and change
- Easy troubleshooting, monitoring and debugging
- Enables transparent third-party management of virtual environments

(Diagram: VMs (APP on OS) on VMware vSphere™ hosts, connected through one vNetwork Distributed Switch in place of three per-host vSwitches)

Cisco Nexus 1000V

Current View of the Access Layer
- Typically provisioned as a trunk to the server running ESX
- No visibility to individual traffic from each VM
- Unable to troubleshoot, apply policy, address performance issues
(Diagram: the boundary of network visibility stops at the ESX server's trunk port)

Nexus 1000V w/ VN-Link (Network View)
- VN-Link provides visibility to the individual VMs
- Policy can be configured per-VM
- Policy is mobile within the ESX cluster
- VN-Link refers to a literal link between a VM VNIC & a Cisco VN-Link Switch
(Diagram: the boundary of network visibility extends to each VM)

Benefits for the Server Admin

- 1000V overcomes network hurdles to virtualize tier-1, regulatory and DMZ applications
- 1000V makes ESX deployment faster, "one and done"
- 1000V offloads network workflow to the network admin

"1000V has a lot more functionality than our own virtual switch"
– Steve Herrod, VMware CTO

Benefits for the Network Admin

- 1000V overcomes hurdles to virtualize DMZ, high-bandwidth and highly secure applications
- 1000V standardizes workflow for virtual and physical networks
- 1000V allows visibility into VM traffic

(Diagram: BEFORE 1000V / AFTER 1000V)

"1000V overcomes the biggest network hurdles to virtualization"
– Ed Bugnion, Cisco CTO

Cisco Nexus 1000V Security Features

(Diagram: SGACL matrix of source group versus destination group, each cell marked + or -)

Nexus 1000V Architecture

(Diagram: one Nexus 1000V VSM managing a Nexus 1000V VEM on each of three vSphere hosts)

Policy Based VM Connectivity

1. Nexus 1000V automatically enables port groups in VMware vCenter
2. Server Admin uses vCenter to assign vnic policy from available port groups
3. Nexus 1000V automatically enables VM connectivity at VM power-on

(Diagram: the three steps shown across vSphere hosts)

Mobility of Security & Network Properties

1. vCenter kicks off a VMotion (manual/DRS) and notifies Nexus 1000V
2. During VM replication, Nexus 1000V copies VM port state to the new host
3. Once VMotion completes, the port on the new ESX host is brought up & the VM's MAC address is announced to the network

(Diagram, step 1, VMotion Notification: Current: VM1 on Server 1; New: VM1 on Server 2)
(Diagram, step 2, Network Persistence: VM port config, state; VM monitoring statistics)
(Diagram, step 3, Network Update: ARP for VM1 sent to network; flows to VM1 MAC redirected to Server 2)

Cisco Nexus 1000V – VM Security

(Diagram: SGACL matrix of source group versus destination group, with + and - cells, enforced across three vSphere hosts)
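The three hurdles slide, the mobility slide and the SGACL matrix above make one argument: a policy bound to a physical switch port is lost when the VM moves, while a policy bound to the VM's own virtual port follows it and also covers traffic switched locally on the host. The script below is an added example, not Cisco or VMware code, that plays the three VMotion steps against both models. The group-to-group matrix (permit/deny, default deny for unlisted pairs), host names, VM names and MAC addresses are all constructed.

```python
"""Contrast the two places a network security policy can be anchored: the
physical switch port of the traditional access layer, or the VM's own virtual
port as the Nexus 1000V does, and replay the three VMotion steps from the
"Mobility of Security & Network Properties" slide against each.

Added example, not Cisco or VMware code. The security-group matrix (the deck's
SGACL matrix, + permit / - deny), hosts, VMs and MAC addresses are constructed;
a group pair absent from the matrix is denied.
"""
from dataclasses import dataclass

# Constructed SGACL matrix: (source group, destination group) -> permitted?
SGACL = {
    ("web", "app"): True,
    ("app", "db"): True,
    ("web", "db"): False,
}


def sgacl_permits(src_group: str, dst_group: str) -> bool:
    return SGACL.get((src_group, dst_group), False)


class PhysicalPortPolicy:
    """Traditional model: the group (policy) is bound to (host, switch port).
    Nothing moves it when the VM moves."""

    def __init__(self):
        self.bindings = {}

    def bind(self, host: str, port: str, group: str) -> None:
        self.bindings[(host, port)] = group

    def group_for(self, host: str, port: str):
        return self.bindings.get((host, port))  # None: no policy on that port


@dataclass
class VPort:
    vm: str
    mac: str
    group: str             # carried in the port profile, so it belongs to the VM
    host: str
    stats_frames: int = 0  # monitoring statistics that should not reset on a move


class VsmPolicy:
    """Nexus 1000V-style model: policy and counters live on the VM's vport."""

    def __init__(self):
        self.ports = {}       # vm name -> VPort
        self.announced = []   # (mac, host) announcements sent after a move

    def connect(self, vport: VPort) -> None:
        self.ports[vport.vm] = vport

    def vmotion(self, vm: str, new_host: str) -> VPort:
        vport = self.ports[vm]
        # Step 1: vCenter notifies the VSM of the move.
        # Step 2: port state (group, counters) is copied to the new host's VEM;
        #         here that is the same VPort record re-homed to new_host.
        vport.host = new_host
        # Step 3: the port comes up on the new host and the MAC is announced (ARP).
        self.announced.append((vport.mac, new_host))
        return vport

    def permits(self, src_vm: str, dst_vm: str) -> bool:
        """The decision depends only on the two VMs' groups, never on which host
        or physical port they sit on, so locally switched traffic is covered."""
        return sgacl_permits(self.ports[src_vm].group, self.ports[dst_vm].group)


def run_scenario() -> dict:
    # Physical-port model: web01 is on host1 port 1/1, configured for "web".
    # After VMotion it lands on host2 port 1/7, which nobody configured.
    phys = PhysicalPortPolicy()
    phys.bind("host1", "1/1", "web")
    phys_before = phys.group_for("host1", "1/1")
    phys_after = phys.group_for("host2", "1/7")

    # VM-port model: same move, the policy travels with the vport.
    vsm = VsmPolicy()
    vsm.connect(VPort("web01", "00:50:56:aa:00:01", "web", "host1", stats_frames=1200))
    vsm.connect(VPort("app01", "00:50:56:aa:00:02", "app", "host1"))
    vsm.connect(VPort("db01", "00:50:56:aa:00:03", "db", "host2"))
    before = (vsm.permits("web01", "app01"), vsm.permits("web01", "db01"))
    moved = vsm.vmotion("web01", "host2")   # web01 and db01 now share host2
    after = (vsm.permits("web01", "app01"), vsm.permits("web01", "db01"))
    return {
        "phys_before": phys_before,
        "phys_after": phys_after,
        "vsm_before": before,
        "vsm_after": after,
        "stats_after": moved.stats_frames,
        "web01_host": moved.host,
        "announced": vsm.announced[-1],
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

In the physical model the group lookup after the move returns nothing, which is hurdle 1 on the slide; in the VM-port model the web-to-db denial is identical before and after the move even though web01 and db01 end up on the same host (hurdle 2, locally switched traffic), the frame counter is carried over unchanged, and the MAC announcement for the new host is the step-3 network update.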
Keep your process consistent

- Few datacenters are completely virtualized
- Using Nexus 1000V keeps all the processes consistent and gives you the same visibility for VMs and servers
- Troubleshoot your network as before using tools you know
- Makes your regulatory compliance much easier because of the simpler process

(Diagram: a Cisco VEM hosting VM1 to VM4, with ERSPAN, Netflow, Counters, CDP and PVLAN features)

Thank You!