Security & Virtualization in the Data Center
BRKSEC-2206
Руслан Иванов
Systems Engineer Consultant
ruivanov@cisco.com
© 2015 Cisco and/or its affiliates. All rights reserved. BRKSEC-2206 Cisco Public
Requiring a Solutions Approach
[Figure: data center topology drawn with compute, network and security elements. Internet Edge with ASA 5585-X; Core on Nexus 7018 VDCs; Distribution and Services on Catalyst 6500 VSS with Firewall, ACE, NAM and IPS; Access on Nexus 7000, 5000 and 2100 Series with vPC to 10G server racks; Unified Computing System with Nexus 1000V and VSG (multizone); SAN.]
DataCenter Security Challenges
Provisioning: reduce complexity and fragmentation of security solutions. 95% of firewall breaches are caused by misconfigurations*.
Scalability: maintain security and compliance while the data center evolves. 3000% increase in network connections/second by 2015.
Protection: stay ahead of the evolving threat landscape. Over 100K new threats every day.
* Greg Young, Gartner Inc
Security and Virtualization in the Data Center: Agenda
•  Virtualization Trends, Priorities, Concerns
•  Virtual Network Security Services
•  Physical Network Security Services for Virtualization
•  Threat Identification and Correlation
•  Application Centric Infrastructure Security
•  Summary
The Evolving Data Center Architecture: Virtualization on Commodity Compute
[Figure (source: IDC, Nov 2010): the traditional model, one application and OS per server, passes a tipping point and transitions to the virtualized model, in which one server or “host” runs a hypervisor carrying many applications as “VMs”.]
Common Virtualization Concerns
•  Unified Policy Enforcement
–  Applied at the physical server, not the individual VM
–  Impossible to enforce policy for VMs in motion
•  Operations and Management
–  Lack of VM visibility, accountability, and consistency
–  Difficult management model and inability to effectively troubleshoot
•  Roles and Responsibilities
–  Muddled ownership as the server admin must configure the virtual network
–  Organizational redundancy creates compliance challenges
•  Machine and Application Segmentation
–  Server and application isolation on the same physical server
–  No separation between compliant and non-compliant systems…
[Figure: VMs on a hypervisor, with an initial infection leading to a secondary infection on the same host; concerns grouped as policy, workflow and operations; roles and responsibilities; isolation and segmentation; management and monitoring.]
Virtualization Security
•  Collateral hacking?
•  Segmentation?
•  Side channel attacks?
•  Visibility?
•  Threat identification and defense?
•  What about Hypervisor Hyperjacking?
•  VM Escape?
•  Virtualization Attention Deficit Disorder
[Figure: virtualization security topic map: V-Motion (memory), V-Storage (VMDK), VM segmentation, hypervisor security, role-based access, physical security, VM OS hardening, patch management, VM sprawl.]
Simple, Effective, Achievable: Defend, Detect, Control (North-South and East-West)
Segmentation
•  Establish boundaries: network, compute, virtual
•  Enforce policy by functions, devices, organizations, compliance
•  Control and prevent unauthorized access to networks, resources, applications
Threat Defense
•  Stop internal and external attacks and interruption of services
•  Patrol zone and edge boundaries
•  Control information access and usage, prevent data loss and data modification
Visibility
•  Provide transparency to usage
•  Apply business context to network activity
•  Simplify operations and compliance reporting
Security Model: the Attack Continuum
BEFORE: Control, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Applied across Network, Endpoint, Mobile, Virtual and Cloud, as point-in-time and continuous controls.
From Best of Breed…
[Figure: physical hosts protected by ASA firewall clustering and NGIPS; virtual hosts protected by ASAv and vNGIPS.]
•  Control North/South traffic with ASA 5585
•  Scale and HA with Clustering
•  Inspect North/South traffic with NGIPS
•  Segment and Protect the virtual enclave with ASAv and vNGIPS
…With Best Infrastructure…
[Figure: the same design extended with NGA and Virtual FlowSensor feeding CTD, and TrustSec Security Group Tags (SGT) distributed from ISE across switches, firewalls and hosts.]
•  CTD: Cisco Threat Defense. Leverage your Cisco infrastructure to fight advanced pervasive threats
•  TrustSec with Security Group Tagging: simplify, automate, accelerate, standardize
…With Best Architecture…
[Figure: two data centers, each with physical and virtual hosts, NGIPS and SGT-based policy, joined by inter-DC clustering over OTV.]
…Ready for Next Generation DataCenter.
[Figure: ACI fabric connecting physical and virtual endpoints, service nodes and security nodes (ASA firewall clustering, NGIPS).]
Application Centric Infrastructure
-  Scalable
-  Simple
-  Flexible
-  Reliable
-  Automated
-  Secured
Virtual Network & Security Services
Managing Virtual Networking Policy: Virtual Switches, Example Nexus 1000V
§  Non-disruptive operation model to maintain current workflows using Port Profiles
§  Maintain network security policies with isolation and segmentation via VLANs, Private VLANs, Port-based Access Lists, Cisco Integrated Security Features
§  Ensure visibility (VM Introspection) into virtual machine traffic flows using traditional network features such as ERSPAN and NetFlow
[Figure: Nexus 1000V shared by the Network Team, Server Team and Security Team, addressing management and monitoring, roles and responsibilities, isolation and segmentation.]
What is a Nexus Port-Profile?
•  A port profile is a container used to define a common set of configuration commands for multiple interfaces
•  Define once and apply many times
•  Simplifies management by storing interface configuration
•  Key to collaborative management of virtual networking resources
•  Why is it not like a template or SmartPort macro?
–  Port-profiles are ‘live’ policies
–  Editing an enabled profile will cause configuration changes to propagate to all interfaces using that profile (unlike a static one-time macro)
* For lots more detail, reference BRKVIR-3013 Deploying and Troubleshooting the Nexus 1000V
Port Profiles
Nexus 1000V supports:
ü  ACLs
ü  Quality of Service (QoS)
ü  PVLANs
ü  Port channels
ü  SPAN ports
[Figure: the port profile maps to a vCenter port group through the vCenter API; policy stickiness across vMotion; network, security and server roles.]

    port-profile vm180
      vmware port-group pg180
      switchport mode access
      switchport access vlan 180
      ip flow monitor ESE-flow input
      ip flow monitor ESE-flow output
      no shutdown
      state enabled

    interface Vethernet9
      inherit port-profile vm180
    interface Vethernet10
      inherit port-profile vm180

Nexus 1000V Security Features: Laying the Foundation
Switching
§  L2 Switching, 802.1Q Tagging, VLAN Segmentation, Rate Limiting (TX)
§  IGMP Snooping, QoS Marking (COS & DSCP)
Security
§  Virtual Service Domain, Private VLANs w/ local PVLAN Enforcement
§  Access Control Lists (L2–4 w/ Redirect), Port Security, vPath/VSG
§  Dynamic ARP Inspection, IP Source Guard, DHCP Snooping
Provisioning
§  Automated vSwitch Config, Port Profiles, Virtual Center Integration
§  Optimized NIC Teaming with Virtual Port Channel – Host Mode
Visibility
§  VMotion Tracking, ERSPAN, NetFlow v9, CDP v2
§  VM-Level Interface Statistics
Management
§  Virtual Center VM Provisioning, Cisco Network Provisioning, CiscoWorks
§  Cisco CLI, RADIUS, TACACS, Syslog, SNMP (v1, 2, 3)
vPath Enables Chaining of Network Services
vPath is the Nexus 1000V data plane component:
•  Topology agnostic service insertion model
•  Service Chaining across multiple virtual services
•  Performance acceleration with vPath, e.g. VSG flow offload
•  Efficient and Scalable Architecture
•  Non-Disruptive Operational Model
•  VM Policy mobility with VM mobility
[Figure: Cloud Network Services (CNS) chained above the hypervisor through Nexus 1000V vPath.]
What is the Virtual Security Gateway?
•  VSG is a L2 firewall that runs as a virtual machine “bump in the wire”
•  Similar to the L2 transparent FW mode of ASA
•  It provides firewall inspection between L2 adjacent hosts (same subnet or VLAN)
•  It can use VMware attributes for policy
•  Provides benefits of L2 separation for East-West traffic flows
•  One or more VSGs are deployed per tenant
•  Requires the Nexus 1000V Virtual Distributed Switch and utilizes the vPath forwarding plane
[Figure: VSG in front of groups of virtual hosts.]
VSG Attributes (vCenter VM Attributes)
Name                  Meaning                       Source
vm.name               Name of this VM               vCenter
vm.host-name          Name of this ESX host         vCenter
vm.os-fullname        Name of guest OS              vCenter
vm.vapp-name          Name of the associated vApp   vCenter
vm.cluster-name       Name of the cluster           vCenter
vm.portprofile-name   Name of the port-profile      Port-profile
The VM attribute information collected is used for enforcing security policy.
Security Policy Profile
§  Defined/Managed by VNMC / Prime Network Services Controller (NSC)
§  Bound to Cisco Nexus 1000V VSM port-profile
Policy Workflow: Server, Network, Security
•  Mitigate operational errors between teams
•  Security team defines security policies
•  Networking team binds port-profile to VSG service profile
•  Server team assigns VMs to Nexus 1000V port-profiles
[Figure: the Server Admin works in vCenter (Port Group), the Network Admin in Nexus 1KV (Port Profile), the Security Admin in Prime NSC (Security Profile).]
Introducing the Virtualized ASA (ASAv)
•  Developed due to customer feedback for a complete ASA firewall running as a virtual machine
•  Nexus 1000V not required
•  Will support VMware first, then other hypervisors
•  ASA feature parity (with some exceptions)
•  No support for:
1.  ASA clustering
2.  Multi context mode
3.  Etherchannel interfaces
4.  Active/Active Failover (requires multi context mode)
ASAv Deployment: Cloud Security FW+VPN
Multi Context Mode ASA
•  Today multi context mode on ASA is used to provide firewall inspection for multi tenant and multi zone environments
•  Trunks are typically used to transport zone and tenant traffic
•  The challenge of E-W scale requires more firewall resources and a scalable solution
[Figure: Zone 1, Zone 2 and Zone 3 with VM 1 to VM 8 behind VFW 1, VFW 2 and VFW 3 on a multi context mode ASA, compared with Vzone 1 and Vzone 2 each served by an ASAv.]
§  ASAv provides edge firewall and can scale for E-W buildout
§  Each tenant or zone gets one or more ASAv for FW + VPN
§  Scaled VPN termination for S2S and RA VPN clients
ASAv: Three Modes of Policy Enforcement
Routed Firewall
•  Routing traffic between vNICs
•  Maintains ARP and routing table
•  Tenant edge firewall
Transparent Firewall
•  VLAN or VxLAN Bridging / Stitching
•  Maintains MAC-address tables
•  Non-disruptive to L3 designs
Service Tag Switching
•  Applies inspection between service tags
•  No network participation
•  Fabric integration mode
Routed Firewall
•  Routed - Tenant edge use case
•  First-hop gateway to hosts
•  Enable all client hosts, VM or physical
•  Scale the number of data interfaces
•  Route between multiple subnets
•  Traditional Layer 3 boundary in the network
[Figure: ASAv in routed mode as the gateway between Outside (client) and Inside (host1, host2), with a shared DMZ.]
Transparent Firewall
•  Bridging up to 4 (sub-)interfaces
•  Max 8 BVIs per ASAv
•  NAT and ACL available
•  Non-disruptive PCI compliance
•  Traditional Layer 2 boundary between hosts
•  All segments in one broadcast domain
[Figure: ASAv in transparent mode bridging Segment-1 to Segment-4 between gateway, client, host1 and host2.]
Application Security & Visibility
•  Stateful inspection with virtual ASA for north-south, east-west VM traffic
•  Transparent or routed mode
•  Service Elasticity
[Figure: Nexus 7000 (VRF, VLAN 50) and Nexus 5500 feeding a UCS hypervisor over an 802.1Q trunk; Nexus 1000V with ASAv between the Web-zone (VLAN 200) and the Fileserver-zone (VLAN 300).]
Comparing Cisco Virtual Firewalls
ASAv                                  | ASA1000V (Edge)                 | Virtual Security Gateway
L2 and L3 mode                        | L3 routed mode only             | L2 mode (transparent)
Dynamic and static routing            | Static routes only              | No routing
DHCP server and client support        | DHCP server and client support  | No DHCP support
IP and User Based Policies            | IP and User Based Policies      | IP and VM Attribute Based Policies
S2S and RA VPN                        | Supports S2S IPSEC only         | No IPSEC support
Managed via CLI, ASDM, CSM            | Managed by ASDM and VNMC/PNSC   | Managed by VNMC/PNSC only
Full ASA code, CLI, SSH, REST API     | Uses ASA code, CLI, SSH         | Minimal config via CLI, SSH
Policy for Virtual and Physical Hosts | Policy for Virtual Host only    | Policy for Virtual Host only
More Segmentation Solutions?
Layer 2 Segmentation: PVLANs for VM Isolation
•  VMs in the same Layer 2 subnet can be isolated
•  Only allowed to communicate outbound to the Layer 3 gateway
•  Use an ACL on the gateway to block source and destination IPs from PVLANs
* PVLANs also supported on VMware vswitch
[Figure: Nexus 7000 VRF with Primary VLAN 20 trunked (802.1Q) to a UCS hypervisor running Nexus 1000V; Web-zone VLAN 100 isolated, Application-zone VLAN 200 isolated, Fileserver-zone VLAN 300 community.]
VM Visibility: NetFlow for VM Network Behavior Analysis
•  VM flows can be mirrored via a SPAN port on the virtual switch. Can also use ERSPAN to forward via Layer 3 (e.g. 6500 NAM module).
•  VM flow analysis via NetFlow for trending, visibility, and security
[Figure: NetFlow/ERSPAN/SPAN from the Nexus 1000V on UCS (Web-zone VLAN 100 isolated, Application-zone VLAN 200 isolated, Fileserver-zone VLAN 300 community) to a NetFlow Data Collector and a 6500 with NAM, across Layer 2 and Layer 3.]
System Isolation via Micro Segmentation: Policy Per App Tier, Per VM, Per vNIC
[Figure: Tenant A and Tenant B, each with Web and App/DB tiers in Virtual Service Domains (VSD) on Nexus 1000V, protected by ASAv and vIPS.]
•  Control ingress/egress & inter-VM traffic: vFirewall, ACL, PVLAN
•  Traffic and Threat Visibility: vIPS, NetFlow, SPAN/ERSPAN
•  Mobility Transparent Enforcement: Port Profiles
•  Administrative Segregation: Server • Network • Security
TrustSec
Drivers for Deploying TrustSec
•  Mitigate Risk: reducing the attack surface with segmentation
•  Increase SecOps efficiency: manage security using logical groups, not IP addresses/VLANs
•  Meet Compliance Objectives: authorize access to compliance-critical apps
Simplicity Goals of Group-Based Policies
•  Managing security rules by groups instead of individual identifiers can mean:
–  Fewer rules/access control entries
–  Easier to understand and audit policies
–  New assets can join a group without changing the policy
•  Automating assignment of group membership avoids rule provisioning effort/lag
–  Frees SecOps effort for other tasks
–  Avoids time required for manual provisioning of new apps/services
•  If group membership can be independent of the network topology
–  Can apply group-based policies anywhere on the network
–  Avoids/reduces the need for device-specific ACL configurations
TrustSec Concept
•  Classification of systems/users based on context (user role, device, location, access method)
•  Context (role) expressed as Security Group Tag (SGT)
•  Firewalls, routers and switches use SGT to make filtering decisions
•  Classify once, reuse the result multiple times
[Figure: users and devices are classified at the access switch with ISE and a directory (SGT:5); the SGT propagates through the router and DC firewall to the DC switch, where enforcement applies toward HR Servers and Fin Servers (SGT = 4 and SGT = 10).]
Inline tagging (SGT in data plane)
•  SGT embedded within Cisco Meta Data (CMD) in the Layer 2 frame
•  Capable switches process SGT at line-rate
•  Optional MACsec protection
•  No impact to QoS, IP MTU/Fragmentation
•  L2 Frame Impact: ~40 bytes
•  Recommend L2 MTU ~1600 bytes
•  N.B. Assume incapable devices will drop frames with unknown Ethertype
Ethernet frame with CMD:
    Destination MAC | Source MAC | 802.1Q | CMD EtherType (0x8909) | Cisco Meta Data | ETHTYPE | PAYLOAD | CRC
    Cisco Meta Data = Version | Length | SGT Option Type | SGT Value | Other CMD Option
MACsec frame with CMD:
    Destination MAC | Source MAC | 802.1AE Header (EtherType 0x88E5) | 802.1Q | CMD EtherType (0x8909) | Cisco Meta Data | ETHTYPE | PAYLOAD | 802.1AE trailer | CRC
    The fields between the two 802.1AE parts are protected with AES-GCM 128-bit encryption.
SGT eXchange Protocol (SGT in Control Plane)
•  SXP very simple to enable
–  SGT propagation without hardware dependencies
–  Propagation possible from access edge to enforcement device
•  Uses TCP as the transport protocol
•  TCP port 64999 for connection initiation
•  Uses MD5 for authentication and integrity check
•  Two roles: Speaker (initiator) and Listener (receiver)
[Figure: SXP from access switches (speakers) to an aggregation switch and on to a router (listener).]
Assigning Security Groups
Dynamic Classification (common classification for mobile devices):
•  802.1X Authentication
•  MAC Auth Bypass
•  Web Authentication
Static Classification (classification for servers, topology-based assignments):
•  IP Address
•  VLANs
•  Subnets
•  L2 Interface
•  L3 Interface
•  Virtual Port Profile
•  Layer 2 Port Lookup
Dynamic SGT Assignments in Authorization Rules
•  Policy > Authorization > Permissions > Security Groups
•  Requires a basic authorization profile (Access Accept, Access Reject)
Nexus 1000V: SGT Assignment in Port Profile
•  Port Profile
–  Container of network properties
–  Applied to different interfaces
•  Server Admin may assign Port Profiles to new VMs
•  VMs inherit network properties of the port-profile including SGT
•  SGT stays with the VM even if moved
Static SGT Assignments (IOS CLI Example)
IP to SGT mapping:
    cts role-based sgt-map A.B.C.D sgt SGT_Value
VLAN to SGT mapping*:
    cts role-based sgt-map vlan-list VLAN sgt SGT_Value
Subnet to SGT mapping:
    cts role-based sgt-map A.B.C.D/nn sgt SGT_Value
L3 ID to Port Mapping**:
    (config-if-cts-manual)#policy dynamic identity name
L3IF to SGT mapping**:
    cts role-based sgt-map interface name sgt SGT_Value
L2IF to SGT mapping*:
    (config-if-cts-manual)#policy static sgt SGT_Value
* relies on IP Device Tracking
** relies on route prefix snooping
Access Layer Classification Summary
                  C2960-S  C3750X  C3850/WLC 5760  C4500  C6x00  ISR/ASR1000  WLC
Dynamic 802.1X    X        X       X               X      X      X            X
MAB               X        X       X               X      X      X            X
Web Auth          X        X       X               X      X      X            X
Static VLAN/SGT   -        X*      X               X      X*     -            -
Subnet/SGT        -        -       X               X      X      -            -
Layer 3 Interface Mapping: - - - X - -
* - limits on the number of VLANs per platform
Applying SGACL policies (Matrix View)
Portal_ACL:
    permit tcp dst eq 443
    permit tcp dst eq 80
    permit tcp dst eq 22
    permit tcp dst eq 3389
    permit tcp dst eq 135
    permit tcp dst eq 136
    permit tcp dst eq 137
    permit tcp dst eq 138
    permit tcp dst eq 139
    deny ip
Policy Enforcement on Firewalls: ASA SG-FW
•  Can still use Network Objects (Host, Range, Network, FQDN) AND/OR the SGT
•  SXP informs the ASA of Security Group membership
•  Security Group definitions come from ISE
•  Trigger other services by SGT, like NGIPS
Typical Deployment Approach
[Figure: users and endpoints on the campus network attach to Catalyst switches/WLC (3K/4K/6K) in monitor mode; a user authenticates (AUTH=OK) and is assigned SGT = PCI User (10); traffic crosses to the N7K in the data center, where egress enforcement with Security Group ACLs protects the PCI, Production and Development servers.]
Monitor mode interface configuration:
    authentication port-control auto
    authentication open
    dot1x pae authenticator
Egress enforcement matrix (Security Group ACL):
SRC \ DST      PCI Server (111)   Dev Server (222)
Dev User (8)   Deny all           Permit all
PCI User (10)  Permit all         Permit all
Unknown (0)    Deny all           Deny all
1.  Users connect to the network; Monitor mode allows traffic regardless of authentication
2.  Authentication can be performed passively, resulting in SGT assignments
3.  Traffic traverses the network to Data Center enforcement points
4.  Enforcement may be enabled gradually per destination Security Group
TrustSec Functions and Platform Support
[Figure: matrix of TrustSec classification, propagation (SXP, inline SGT, GETVPN/DMVPN/IPsec) and enforcement (SGACL, SG-FW) support, with platforms marked NEW where recently added. Platforms shown: Catalyst 2960-S/-C/-Plus/-X/-XR; Catalyst 3560-E/-C/-X; Catalyst 3750-E/-X; Catalyst 3850/3650; Catalyst 4500E (Sup6E/7E/8), 4500X; Catalyst 6500E (Sup720/2T), 6800; WLC 2500/5500/WiSM2, WLC 5760; Nexus 1000v (Port Profile); Nexus 5500/22xx FEX; Nexus 5600; Nexus 6000; Nexus 7000/22xx FEX; ISR G2 Router, CGR2000, CGS2000; IE2000/3000; ASR1000; CSR-1000v; ASA5500 Firewall (VPN RAS), ASASM; ASAv Firewall.]
•  Inline SGT on all ISRG2 except 800 series
Use Case for DC Segmentation
Server Segmentation in Data Center
[Figure: Web Server VLAN, App VLAN and Database VLAN with a DR Cluster; new servers raise the questions “App VLAN?” and “Which Policy?”.]
•  Physical and Virtual Servers segmented using VLAN
•  Policy stays with the VLAN or IP address, not with the servers
•  Network Ops, Server Ops, and Security Ops are involved in operation
•  As the number of servers grows, complexity and OPEX follow
Server Segmentation with TrustSec
[Figure: one Production Server VLAN and a DR Cluster; servers carry Web Server SGT (10), Application Server SGT (20) and Database Server SGT (30).]
    permit tcp from src Web to dst App eq HTTPS
    permit tcp from src App to dst DB eq SQL
    deny any from src Web to dst DB eq SQL
•  Server, Network, and Security Teams share a common security object
•  Policy stays with the servers, not based on topology
•  Works for both Physical and Virtual Servers
•  As the number of servers grows, management complexity and OPEX do not
Data Center Segmentation
•  Segment servers into logical zones
•  Control access to logical DC entities based on role
•  Apply controls to physical and virtual servers
How to define this policy (enforced at the switch):
SRC \ DST           Web Servers  Middleware Servers  Database Servers  Storage
Web Servers         allowed      allowed             blocked           blocked
Middleware Servers  allowed      allowed             allowed           allowed
Database Servers    blocked      allowed             allowed           allowed
Storage             blocked      allowed             allowed           allowed
Using SGACL and SG-FW functions together
[Figure: ISE supplies the policy; Risk Level 1 (PCI_Web, PCI_App, PCI_DB) and Risk Level 2 (LOB2_DB) switch domains send IP/SGT mappings to the ASA over SXP; PCI_Users reach the servers through the ASA.]
•  SGACL on switches enforcing policy within each Risk Level
•  ASA enforcing policy between Risk Levels (with IP/SGT mappings supplied from the switch infrastructure)
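The two halves of the TrustSec model on the slides above, static classification (the Static SGT Assignments CLI examples, IP and subnet to SGT) followed by SGT-to-SGT enforcement (the SGACL matrix view, the Web/App/DB policy, and the gradual per-destination rollout of the Typical Deployment Approach), as one added worked example. It is not code from the deck or from Cisco: the lookup semantics (most specific prefix wins when host and subnet mappings overlap), the default action for an empty matrix cell, the tag numbers, prefixes and the port used for “SQL” are all constructed assumptions, and real switches differ in details such as their implicit end-of-SGACL action.

```python
"""Added example: static IP/subnet-to-SGT classification plus an SGACL matrix
with per-destination enforcement, modelling the deck's slides. All values are
constructed; see the lead-in for the assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

UNKNOWN_SGT = 0  # the deck's 'Unknown (0)' row


class SgtMapper:
    """Static classification: host (/32) and subnet mappings, most specific
    prefix wins (assumed semantics, mirroring 'cts role-based sgt-map')."""

    def __init__(self) -> None:
        self._entries = []

    def sgt_map(self, prefix: str, sgt: int) -> None:
        self._entries.append((ipaddress.ip_network(prefix, strict=False), sgt))

    def lookup(self, ip: str) -> int:
        addr = ipaddress.ip_address(ip)
        best = None
        for net, sgt in self._entries:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, sgt)
        return best[1] if best else UNKNOWN_SGT


@dataclass(frozen=True)
class Ace:
    action: str                     # 'permit' or 'deny'
    proto: str = "ip"               # 'ip' matches any protocol
    dst_port: Optional[int] = None  # None matches any destination port


class SgaclMatrix:
    """(source SGT, destination SGT) -> ordered ACEs, first match wins.
    Cells with no entry fall back to default_action (constructed: deny)."""

    def __init__(self, default_action: str = "deny") -> None:
        self._cells = {}
        self._default = default_action
        self._enforced_dst = set()  # destination SGTs moved from monitor to enforce

    def set_cell(self, src_sgt: int, dst_sgt: int, aces) -> None:
        self._cells[(src_sgt, dst_sgt)] = list(aces)

    def enforce_destination(self, dst_sgt: int) -> None:
        self._enforced_dst.add(dst_sgt)

    def decide(self, src_sgt: int, dst_sgt: int, proto: str, dst_port: int) -> str:
        verdict = self._default
        for ace in self._cells.get((src_sgt, dst_sgt), []):
            if ace.proto in ("ip", proto) and ace.dst_port in (None, dst_port):
                verdict = ace.action
                break
        # Gradual rollout: a destination SGT still in monitor mode forwards traffic
        # that would otherwise be denied and only reports it.
        if verdict == "deny" and dst_sgt not in self._enforced_dst:
            return "monitor"
        return verdict


def build_demo():
    """Constructed Web (10) / App (20) / DB (30) environment from the slides."""
    mapper = SgtMapper()
    mapper.sgt_map("10.1.10.0/24", 10)     # Web servers
    mapper.sgt_map("10.1.20.0/24", 20)     # App servers
    mapper.sgt_map("10.1.30.0/24", 30)     # Database servers
    mapper.sgt_map("10.1.10.200/32", 20)   # host override inside the Web subnet
    matrix = SgaclMatrix()
    matrix.set_cell(10, 20, [Ace("permit", "tcp", 443), Ace("deny")])   # Web -> App HTTPS
    matrix.set_cell(20, 30, [Ace("permit", "tcp", 1433), Ace("deny")])  # App -> DB 'SQL' (assumed port)
    matrix.set_cell(10, 30, [Ace("deny")])                              # Web -> DB blocked
    matrix.enforce_destination(30)  # enforce toward DB first; other destinations stay in monitor
    return mapper, matrix


def decide_flow(mapper, matrix, src_ip, dst_ip, proto, dst_port):
    """Classify both ends, then look the pair up in the matrix."""
    return matrix.decide(mapper.lookup(src_ip), mapper.lookup(dst_ip), proto, dst_port)


if __name__ == "__main__":
    m, x = build_demo()
    for flow in [("10.1.10.5", "10.1.20.5", "tcp", 443), ("10.1.10.5", "10.1.30.5", "tcp", 1433),
                 ("10.1.10.5", "10.1.20.5", "tcp", 22), ("192.168.1.1", "10.1.30.5", "tcp", 1433)]:
        print(flow, "->", decide_flow(m, x, *flow))
```

Note that the policy is written against tags, not addresses: moving a server to another subnet only changes the mapping, and the host override shows that a more specific mapping reclassifies one machine without touching the matrix.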
Virtual NGIPS
vIPS: Virtual Switch Inline and Passive Deployment Options
[Figure: passive option with a promiscuous port on the Web-zone VLAN 200 vSwitch; inline option with the vIPS placed between an External and an Internal vSwitch on VLAN 200.]
Application Security & Visibility: Service chaining, ASAv and vIPS
•  Stateful inspection with virtual ASA for north-south, east-west VM traffic
•  Deep inspection with virtual IPS, inline with VLAN pairing
[Figure: Nexus 7000 (VRF, VLAN 50) and Nexus 5500 to a UCS hypervisor over an 802.1Q trunk; Nexus 1000V with the ASAv on External VLAN 50 and the vIPS inline sets (External/Internal) on VLAN 200 in front of the Web-zone and Fileserver-zone; Defense Center with FireSIGHT for application flow data.]
Application Security & Visibility: ASAv + vNGIPS passive
[Figure: the same topology with the vNGIPS in passive mode watching the Web-zone (VLAN 200) and Fileserver-zone (VLAN 300).]
Virtual Appliance: Inline
[Screenshot]
Virtual IDS: Passive
[Screenshot]
FireSIGHT Context Explorer: Application Security and Visibility
View all application traffic… Look for risky applications… Who is using them? On what operating systems? What else have these users been up to? What does their traffic look like over time?
Application Security & Visibility
•  Geo Location Information
•  Defense Center with FireSIGHT
[Screenshots]
Physical Security Services for Virtualization
ASA Firewalls and the Data Center Fabric
•  ASA and Nexus Virtual Port Channel
–  vPC ensures all active links are utilized (eliminates blocked STP links)
–  ASA leverages DC redundancy technologies
–  Unique integration with ASA and Nexus (LACP)
•  IPS module relies on ASA connectivity and provides DPI
•  Validated design to provide segmentation, threat protection, visibility
•  Transparent (recommended) and routed modes
•  Works with both A/S and A/A failover
[Figure: core layer (Core IP1, Core IP2) above a data center aggregation layer of N7K vPC peers (vPC 40, vPC 41, active vPC peer-link) to active and standby ASAs; access layers of hypervisors running Nexus 1000V with vPath.]
ASA Connecting to Nexus with vPC (Best Practices Shown)
•  ASA connected to Nexus using multiple physical interfaces on vPC
–  ASA can be configured to failover after a certain number of links are lost (when using HA)
•  Note that vPC identifiers are different for each ASA on the Nexus switch (this changes with the ASA clustering feature and cLACP [not yet shown])
[Figure: DC Core/Edge with vPC and FHRP to the aggregation layer (L3 above, L2 below); SVI VLAN200 on each N7K; FW HA pair attached to N7K vPC 40 and vPC 41 via ASA channel 32; vPC peer link; North Zone VLAN 200 (Outside) and South Zone VLAN 201 (Inside) trunked to the access layer.]
Transparent Mode Configuration in the DC: Two Interfaces
[Figure: North Zone VLAN 200 (Outside) and South Zone VLAN 201 (Inside); N7K SVIs VLAN200 at 172.16.25.253 and 172.16.25.254 with FHRP 172.16.25.1; trunks allowing VLANs 1,200,201 toward the ASA and 1,201 toward the server in VLAN 201; ASA BVI at 172.16.25.86/24.]
Physical interfaces in the port channel:
    interface TenGigabitEthernet0/6
     channel-group 32 mode active
     no nameif
     no security-level
    !
    interface TenGigabitEthernet0/7
     channel-group 32 mode active
     no nameif
     no security-level
    !
Bridge group and member sub-interfaces:
    interface BVI1
     ip address 172.16.25.86 255.255.255.0
    !
    interface Port-channel32
     no nameif
     no security-level
    !
    interface Port-channel32.201
     mac-address 3232.1111.3232
     vlan 201
     nameif inside
     bridge-group 1
     security-level 100
    !
    interface Port-channel32.200
     mac-address 3232.1a1a.3232
     vlan 200
     nameif outside
     bridge-group 1
     security-level 0
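A small consistency check for the transparent-mode configuration above, as an added example that is not code from the deck or from Cisco. It parses ASA-style interface stanzas and verifies what the transparent firewall slides require: every bridge-group member has a nameif and a security-level, each bridge group has a BVI with a management address, VLAN tags and MAC addresses are unique, and the member and BVI counts stay within the limits the ASAv slide states (up to 4 members per bridge group, at most 8 BVIs). Those limits are taken from the deck's ASAv slide and are assumptions for any other platform; the embedded configuration is a constructed copy of the one on the slide.

```python
"""Added example: lint an ASA transparent-mode interface configuration
(BVI plus bridge-group member sub-interfaces). Limits are from the deck's
ASAv transparent-firewall slide; treat them as assumptions elsewhere."""
from collections import defaultdict

MAX_MEMBERS_PER_BRIDGE_GROUP = 4  # 'Bridging up to 4 (sub-)interfaces'
MAX_BVIS = 8                      # 'Max 8 BVIs per ASAv'

# Constructed copy of the slide's two-interface transparent-mode configuration.
SLIDE_CONFIG = """
interface BVI1
 ip address 172.16.25.86 255.255.255.0
!
interface Port-channel32
 no nameif
 no security-level
!
interface Port-channel32.201
 mac-address 3232.1111.3232
 vlan 201
 nameif inside
 bridge-group 1
 security-level 100
!
interface Port-channel32.200
 mac-address 3232.1a1a.3232
 vlan 200
 nameif outside
 bridge-group 1
 security-level 0
"""


def parse_interfaces(config: str) -> dict:
    """Return {interface name: {keyword: value}}; 'no <keyword>' stores None."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        tokens = line.split()
        if tokens[0] == "interface":
            current = tokens[1]
            stanzas[current] = {}
        elif current is not None:
            if tokens[0] == "no":
                stanzas[current][tokens[1]] = None
            elif tokens[:2] == ["ip", "address"]:
                stanzas[current]["ip address"] = " ".join(tokens[2:])
            else:
                stanzas[current][tokens[0]] = " ".join(tokens[1:])
    return stanzas


def check_transparent_config(config: str) -> list:
    """Return a list of findings; an empty list means the config passes."""
    ifaces = parse_interfaces(config)
    findings = []
    bvis = {name: attrs for name, attrs in ifaces.items() if name.startswith("BVI")}
    if len(bvis) > MAX_BVIS:
        findings.append(f"{len(bvis)} BVIs configured, limit is {MAX_BVIS}")
    members = defaultdict(list)  # bridge-group id -> member interface names
    seen_macs = {}
    for name, attrs in ifaces.items():
        bg = attrs.get("bridge-group")
        if bg is None:
            continue  # physical/port-channel parents carry no bridge-group
        members[bg].append(name)
        if not attrs.get("nameif"):
            findings.append(f"{name}: bridge-group {bg} member has no nameif")
        if attrs.get("security-level") is None:
            findings.append(f"{name}: bridge-group {bg} member has no security-level")
        if "." in name and "vlan" not in attrs:
            findings.append(f"{name}: sub-interface without a vlan tag")
        mac = attrs.get("mac-address")
        if mac:
            if mac in seen_macs:
                findings.append(f"{name}: mac-address {mac} duplicates {seen_macs[mac]}")
            seen_macs[mac] = name
    for bg, names in members.items():
        if len(names) > MAX_MEMBERS_PER_BRIDGE_GROUP:
            findings.append(f"bridge-group {bg}: {len(names)} members, limit is "
                            f"{MAX_MEMBERS_PER_BRIDGE_GROUP}")
        bvi = f"BVI{bg}"
        if bvi not in bvis:
            findings.append(f"bridge-group {bg}: no {bvi} interface")
        elif not bvis[bvi].get("ip address"):
            findings.append(f"{bvi}: no management IP address")
        vlans = [ifaces[n].get("vlan") for n in names]
        if len(set(vlans)) != len(vlans):
            findings.append(f"bridge-group {bg}: duplicate VLAN among members")
    return findings


if __name__ == "__main__":
    for finding in check_transparent_config(SLIDE_CONFIG) or ["OK: no findings"]:
        print(finding)
```

The parser is deliberately minimal (one keyword per line, no nested modes), which is enough for interface stanzas; a production check would read the running configuration from the device rather than a pasted string.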
Physical to Virtual
•  Leverage the physical infrastructure to provide isolation and segmentation for the virtual
•  Zones are used to define policy enforcement
•  Physical infrastructure mapped per zone
§  Separate and dedicated routing tables per zone via VRF
§  Firewall enforcement per zone maps north-south, east-west
§  Layer 2 and Layer 3 path through physical services
[Figure: Nexus 7000 with VRF Blue and VRF Purple, each with its own firewall; Nexus 5500; Nexus 1000V on the hypervisors.]
Firewall & Virtual Environment: ASA Virtual Contexts for Inter-Zone VM Traffic Flows
[Figure: physical layout with core and aggregation; two ASA 5585s running Context 1 and Context 2 in transparent mode, bridging VLAN pairs 20/21 and 100/101 for the Front-End Apps and Database zones across hypervisors; firewall virtual contexts provide inter-zone East-West security (East-West zone filtering).]
Inspecting Inter-VLAN VM Traffic Flows: ASA with Bridge Groups within a context
[Figure: hypervisor VMs on VLAN 20 and VLAN 100 are Layer 2 adjacent, switched locally, direct communication; VLAN 21 and VLAN 101 pass through the ASA 5585 in transparent mode to the Layer 3 gateway (VRF or SVI) at aggregation/core: interface vlan 21 10.10.20.1/24, interface vlan 101 10.10.101.1/24; East-West VLAN filtering.]
    interface TenGigabitEthernet0/6
     channel-group 32 mode active vss-id 1
     no nameif
     no security-level
    !
    interface TenGigabitEthernet0/7
     channel-group 32 mode active vss-id 2
     no nameif
     no security-level
    !
    interface BVI1
     ip address 10.10.20.254 255.255.255.0
    !
    interface Port-channel32
     no nameif
     no security-level
    !
    interface Port-channel32.20
     mac-address 3232.1111.3232
     vlan 20
     nameif inside
     bridge-group 1
     security-level 100
    !
    interface Port-channel32.21
     mac-address 3232.1a1a.3232
     vlan 21
     nameif outside
     bridge-group 1
     security-level 0
    …
© 2015 Cisco and/or its affiliates. All rights reserved.BRKSEC-2206 Cisco Public
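A small consistency check for the bridge-group pattern above, written for this page as an added example (it is not Cisco tooling): it parses the interface stanzas in the format shown and runs over SAMPLE_CONFIG, which is constructed from the slide's lines.

```python
"""Lint a transparent-mode ASA interface configuration for bridge-group consistency.

Added example, not Cisco tooling. It parses 'interface' stanzas in the format
shown above and checks, per bridge group, that BVI<n> carries a management
address, that at least two named members sit on distinct VLANs with
security-levels that are not all equal (equal levels need 'same-security-traffic
permit inter-interface' before traffic passes), and that no mac-address repeats.
SAMPLE_CONFIG is constructed from the slide's lines.
"""
from collections import defaultdict

SAMPLE_CONFIG = """\
interface BVI1
 ip address 10.10.20.254 255.255.255.0
!
interface Port-channel32
 no nameif
 no security-level
!
interface Port-channel32.20
 mac-address 3232.1111.3232
 vlan 20
 nameif inside
 bridge-group 1
 security-level 100
!
interface Port-channel32.21
 mac-address 3232.1a1a.3232
 vlan 21
 nameif outside
 bridge-group 1
 security-level 0
!
"""


def parse_interfaces(text):
    """Return {interface name: {keyword: value}}; 'no <keyword>' is stored as None."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = {}
        elif current is None or not line or line == "!":
            continue
        else:
            words = line.split()
            if words[0] == "no":
                stanzas[current][words[1]] = None
            elif words[:2] == ["ip", "address"]:
                stanzas[current]["ip address"] = " ".join(words[2:])
            else:
                stanzas[current][words[0]] = " ".join(words[1:])
    return stanzas


def lint(text):
    """Return a list of findings; an empty list means the bridge groups are consistent."""
    ifaces = parse_interfaces(text)
    findings, groups = [], defaultdict(list)
    for name, cfg in ifaces.items():
        if cfg.get("bridge-group"):
            groups[cfg["bridge-group"]].append(name)

    for gid, members in sorted(groups.items()):
        if not ifaces.get(f"BVI{gid}", {}).get("ip address"):
            findings.append(f"bridge-group {gid}: BVI{gid} has no ip address")
        if len(members) < 2:
            findings.append(f"bridge-group {gid}: fewer than two member interfaces")
        vlans, levels = defaultdict(list), set()
        for m in members:
            cfg = ifaces[m]
            if not cfg.get("nameif"):
                findings.append(f"{m}: bridge-group member without nameif")
            if cfg.get("security-level") is None:
                findings.append(f"{m}: bridge-group member without security-level")
            else:
                levels.add(cfg["security-level"])
            if cfg.get("vlan"):
                vlans[cfg["vlan"]].append(m)
        for vlan, names in vlans.items():
            if len(names) > 1:
                findings.append(f"bridge-group {gid}: VLAN {vlan} used by {', '.join(names)}")
        if len(members) >= 2 and len(levels) == 1:
            findings.append(f"bridge-group {gid}: all members at security-level {levels.pop()}; "
                            "same-security-traffic permit inter-interface required")

    macs = defaultdict(list)
    for name, cfg in ifaces.items():
        if cfg.get("mac-address"):
            macs[cfg["mac-address"]].append(name)
    for mac, names in macs.items():
        if len(names) > 1:
            findings.append(f"mac-address {mac} duplicated on {', '.join(names)}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG) or ["bridge-group configuration consistent"]:
        print(finding)
```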
ASA Clustering Overview
•  Clustering is only supported on the 5580, 5585 and 5500-X (the 5500-X supports clustering of two units)
•  The Cluster Control Link (CCL) is critical for the cluster; without it no clustering can occur
•  A master is elected among cluster members for configuration sync only; it has no bearing on packet flow through the cluster itself
•  New concept of a “spanned port-channel”, i.e. a port-channel configuration that is shared among the clustered ASAs
•  The cluster has the capacity to rebalance flows
•  All flows in the cluster have an Owner and a Director, and possibly a Forwarder
•  The data plane of the cluster MUST use cLACP (spanned port-channel)
[Figure: ASA cluster attached to the Aggregation and Core layers over a spanned data-plane port-channel (vPC 40), with a separate Cluster Control Link between the members]
Firewall Clustering
ASA Clustering to meet DC requirements
[Figure, physical layout: Core and Aggregation layers, a four-unit ASA 5585 cluster joined by the Cluster Control Link, hypervisors hosting Web, Apps and Database VMs. The cluster includes Context 1 and Context 2 in transparent mode; the Owner and Director roles for a flow sit on different members]
•  The Cluster Control Link shares state and connection information among cluster members
•  The cluster functions the same in either transparent or routed mode
•  Cluster members are used for North-South and East-West inspection and filtering
•  IPS relies on ASA clustering
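A simplified model of the Owner, Director and Forwarder roles described on the two clustering slides above, added here as an example and not Cisco code; the unit names, the hash function, the in-memory tables and the `capacity` rule for redirecting new connections are assumptions.

```python
"""Simplified model of ASA cluster flow roles: Owner, Director and Forwarder.

Added example, not Cisco code. The unit that sees a connection's first packet
becomes its Owner; the Director, picked by hashing the flow's addresses and
ports, records who the Owner is; a unit receiving a packet for a flow it does
not own (e.g. asymmetric return traffic over the spanned port-channel) asks the
Director and forwards to the Owner. Unit names, the hash, the tables and the
`capacity` rule for redirecting new connections are constructed simplifications.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class FiveTuple:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def key(self):
        """Direction-independent key so both halves of a flow map to one entry."""
        ends = sorted([(self.src, self.sport), (self.dst, self.dport)])
        return (self.proto, ends[0], ends[1])


class Cluster:
    def __init__(self, units, master, capacity=100_000):
        self.units = list(units)
        self.master = master            # elected for config sync only; unused in the data path
        self.capacity = capacity        # owned flows at which a unit redirects new connections
        self.conn_table = {u: set() for u in units}    # flow keys each unit owns
        self.director_table = {u: {} for u in units}   # flow key -> owner, held by the director

    def director_for(self, flow):
        """Director = unit selected by a hash of the flow's addresses and ports."""
        digest = hashlib.sha256(repr(flow.key()).encode()).digest()
        return self.units[int.from_bytes(digest[:4], "big") % len(self.units)]

    def receive(self, unit, flow):
        """One packet of `flow` arrives at `unit`; returns (role taken, owner)."""
        k = flow.key()
        if k in self.conn_table[unit]:
            return "owner", unit
        director = self.director_for(flow)
        owner = self.director_table[director].get(k)
        if owner is not None:
            return "forwarder", owner       # existing connection owned elsewhere
        # First packet of a new connection: this unit owns it unless it is at
        # capacity, in which case the least-loaded unit takes it (rebalancing).
        new_owner = unit
        if len(self.conn_table[unit]) >= self.capacity:
            least = min(self.units, key=lambda u: (len(self.conn_table[u]), u))
            if len(self.conn_table[least]) < len(self.conn_table[unit]):
                new_owner = least
        self.conn_table[new_owner].add(k)
        self.director_table[director][k] = new_owner
        return ("owner" if new_owner == unit else "redirected"), new_owner


def demo():
    cluster = Cluster(["asa1", "asa2", "asa3", "asa4"], master="asa1")
    syn = FiveTuple("10.10.20.10", 51000, "10.10.101.5", 443)
    syn_ack = FiveTuple("10.10.101.5", 443, "10.10.20.10", 51000)
    first = cluster.receive("asa2", syn)       # ('owner', 'asa2')
    back = cluster.receive("asa4", syn_ack)    # ('forwarder', 'asa2')
    return first, back


if __name__ == "__main__":
    print(demo())
```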
Firewall Section Summary
•  Physical appliances and virtualized firewalls offer different options for security control in the DC
•  Virtual firewalls (multiple-context mode) are common for stateful control between VRFs and Nexus VDCs
•  A transparent mode (L2) firewall offers many benefits without the constraints of routed mode
•  Routing protocols, multicast, IPsec, etc. can all traverse it
•  Use LACP for link aggregation in the DC
•  Firewall clustering offers benefits for higher throughput and asymmetric flow reassembly
•  Integration with emerging technologies, i.e. ACI
Appliances Summary
[Figure: NGIPS / App Control / NGFW / AMP appliance line-up, 7000 series (7010, 7020, 7030, 7050, 7110, 7115, 7120, 7125, AMP 7150), 8000 series (8120, 8130, 8140, AMP 8150, 8250, 8350, 8360, 8370, 8390) and SSL1500 / SSL2000 / SSL8200, plotted by IPS throughput (440 byte HTTP) from 50 Mbps up to 60 Gbps]
All appliances include:
●  Integrated lights-out management
●  Sourcefire acceleration technology
●  LCD display
What platforms support FP Hardware Module?
Maximum AVC and IPS throughput

Platform          Segment                    NGFW throughput   Connections   CPS
ASA 5585-SSP10    Campus / Data Center       2 Gbps            500K          40,000
ASA 5585-SSP20    Campus / Data Center       3.5 Gbps          1 M           75,000
ASA 5585-SSP40    Enterprise Internet Edge   6 Gbps            1.8 M         120,000
ASA 5585-SSP60    Enterprise Internet Edge   10 Gbps           4 M           160,000
Cisco Classic IPS Module in ASA
[Figure: Data Center Core layer; DC Aggregation layer with a pair of ASA5585 + NGIPS FP service modules (HA – Act/Stb, or in cluster); DC Access layer (access and virtual access) with physical and virtual servers]
Physical to Virtual
Segmentation VRF-VLAN-Virtual
[Figure: Nexus 7K with ASA contexts CTX1, CTX2 and CTX3, each fronting a VLAN pair (VLANx1/VLANx2, VLANy1/VLANy2, VLANz1/VLANz2) with SGTs assigned per zone (Zone B, Zone C shown); ASAv/VSG, vIPS and ASAv in the virtual layer]
Segmentation Building Blocks
•  Merging physical and virtual infrastructure
•  Zones are used to define policy enforcement
•  Unique policies and traffic decisions applied to each zone
•  Physical infrastructure mapped per zone
–  VRF, Nexus Virtual Device Context, VLANs, SGT
Enhanced Visibility and Threat Defense for the Data Center
Security Model
Attack Continuum
BEFORE: Control, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Across Network, Endpoint, Mobile, Virtual and Cloud; from point-in-time to continuous
Detection is key to Respond and Recover
Source: Verizon 2012 Data Breach Investigation Report
Kill Chain: Post Breach
1. Command and Control
2. Reconnaissance
3. Propagation
4. Data Theft
[Figure, built up over two slides (the second titled “Scalable Network Defense”): perimeter controls (Firewall, IPS, Web Sec, N-AV, Email Sec) contrasted with Threat Detection drawn from the network itself (Routers, Switches, Firewall)]
Scalable Network Defense
Today – Advanced Visibility & Investigation
•  Partner with Lancope to deliver NetFlow visibility and security intelligence
•  Enhance with identity, device and application awareness
[Figure: NetFlow visibility from Routers, Switches and Firewall feeds Threat Detection alongside Firewall, IPS, Web Sec, N-AV and Email Sec; Cisco ISE adds identity and Cisco ISR G2 + NBAR adds application awareness]
Cisco CTD Solution: Providing Scalable Visibility
Drilling into a single flow yields a plethora of information
Flow-based Anomaly Detection
1. Collect & Analyze Flows
•  # Concurrent flows
•  Packets per second
•  Bits per second
•  New flows created
•  Number of SYNs sent
•  Time of day
•  Number of SYNs received
•  Rate of connection resets
•  Duration of the flow
•  Over 80+ other attributes
2. Establish Baseline of Behaviors
3. Alarm on Anomalies & Changes in Behavior
[Figure: separate thresholds for the Critical Servers, Exchange Server, Web Servers and Marketing host groups; an anomaly detected in host behavior crosses its group's threshold]
Behavior-Based Attack Detection
A high Concern Index indicates a significant number of suspicious events that deviate from established baselines.
Host Groups   Host            CI            CI%     Alarms               Alerts
Desktops      10.10.101.118   865,645,669   8,656%  High Concern Index   Ping, Ping_Scan, TCP_Scan
StealthWatch Solution Components
[Figure: NetFlow from the Cisco Network (NBAR, NSEL) and from StealthWatch FlowSensor and FlowSensor VE is collected by the StealthWatch FlowCollector; the StealthWatch Management Console sits above it and takes users/devices context from Cisco ISE; a StealthWatch FlowReplicator feeds other tools/collectors]
Cyber Threat Defence in the Data Center
Data Center Best Practices:
§  Very high volume of traffic (size the Flow Collector accordingly)
§  With asymmetric traffic, all devices should send to the same collector
§  SGT can be reported and seen via ISE
§  Position the collectors at choke points to have full visibility of traffic
§  Monitor the entrance to the DC with the N7K or ASA
§  Monitor virtual traffic with the N1000v or FlowSensor VE
§  Best practice is to offload NetFlow generation to external FlowSensors rather than doing it directly on the devices, to optimize performance
Cisco Netflow Generation Appliance (NGA)
[Figure: a Data Center switch feeds the Cisco NGA over SPAN or a passive tap; the NGA exports NetFlow to the StealthWatch FlowCollector, which reports to the StealthWatch Management Console over https]
§  Offloads NetFlow generation to a dedicated high-performance appliance
§  End-to-end flow information collected across multiple network observation points using SPAN and passive TAP
§  Up to 6 destinations
•  4x10G monitoring interfaces
•  80M active flow cache
•  Targets 200K flow record exports per sec
NGA
§  Very high volume
§  Fewer boxes and a more centralized deployment
Flow Sensor
§  Less scalable
§  More capabilities, like deep packet inspection and URL data
Scalability
Flow Exporters: physical (routers, switches, firewall) and virtual (Nexus 1000v, FlowSensor, FlowSensor VE)
Flow Collectors: StealthWatch FC for NetFlow, up to 2000 exporters and/or 120,000 flows per second per collector; up to 25 collectors per StealthWatch System for 3 million flows per second scalability
Management and Reporting: StealthWatch Management Console, x2 with full redundancy between primary and secondary
User Interface: customizable views for the Virtualization, Network and Security teams (x everyone)
NetFlow Security Use cases
§  Revealing Data Loss. Code can be hidden in the enterprise to export sensitive information back to the attacker. This data leakage may occur rapidly or over time.
§  Identifying BotNet Command & Control Activity. BotNets are implanted in the enterprise to execute commands from their bot herders to send SPAM, Denial of Service attacks, or other malicious acts.
§  Detecting Sophisticated and Persistent Threats. Malware that makes it past perimeter security can remain in the enterprise waiting to strike as lurking threats. These may be zero-day threats that do not yet have an antivirus signature, or be hard to detect for other reasons.
§  Finding Internally Spread Malware. Network-interior malware proliferation can occur across hosts for the purpose of gathering security reconnaissance data, data exfiltration or network backdoors.
§  Uncovering Network Reconnaissance. Some attacks will probe the network looking for attack vectors to be utilized by custom-crafted cyber threats.
Detecting Command and Control
Periodic “phone home” activity
NetFlow: what to analyze?
•  Countries
•  Applications
•  Uploads/Downloads ratio
•  Time of day
•  Repeated connections
•  Beaconing - repeated dead connections
•  Long lived flows
•  Known C&C servers
StealthWatch Method of Detection:
Host Lock Violation
Suspect Long Flow
Beaconing Host
SLIC Reputation Feed
Detecting Command and Control
Example alarm indicating communication with known BotNet Controllers:
Start Active Time: Dec 11, 2012
Alarms: Bot Infected Host – Attempted C&C Activity
Source User Name: John Chambers
Source: 1.1.1.1
Source Host Groups: Sales and Marketing, Atlanta, Desktops
Target: node1.bytecluster.com (209.190.85.12)
Target Host Groups: Optima, United Kingdom
Details: Attempted communication was detected between this inside host and C&C server using port 80 and the TCP protocol
Callouts on the slide point to the source IP address and username, the target that triggered the alarm, and the details column.
Identifying Reconnaissance Activity
Long and slow activity to discover resources and vulnerabilities
What to analyze:
•  High number of flows
•  High client byte ratio
•  One-way or unanswered flows
•  Flows within the subnet/host group
•  Flows to non-existent IPs
•  Flow patterns
•  Abnormal behaviour
StealthWatch Method of Detection:
Concern Index
High Traffic
High Connections
Trapped Hosts
Identifying Reconnaissance Activity
A high Concern Index indicates a significant number of suspicious events that deviate from established baselines.
Host Groups   Host            CI            CI%     Alarms               Alerts
Desktops      10.10.101.118   865,645,669   8,656%  High Concern Index   Ping, Ping_Scan, TCP_Scan
Identifying Malware Propagation
Discovered host answers and vulnerability exploited
What to analyze:
•  High number of flows
•  High client byte ratio
•  Connections within the subnet/host group
•  Flow patterns
•  Abnormal behaviour
StealthWatch Method of Detection:
Concern Index, Target Index
Scanning Alarms
Touched Host
Worm Propagation Alarm
Worm Tracker
Infection Tracking
[Figure: worm tracker view showing the initial infection, the secondary infections it caused, and the tertiary infections]
Detecting Data Loss
Data is exported off the resource; an intermediary resource may be used to obfuscate the theft
What to analyze:
•  Historical data transfer behaviour
•  Applications
•  Time of day
•  Countries
•  Amount of data – single and in aggregate
•  Time frames
•  Asymmetric traffic patterns
•  Traffic between functional groups
StealthWatch Method of Detection:
Suspect Data Loss Alarm
Suspect Long Flow Alarm
Beaconing Host Alarm
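The detection logic the preceding slides describe (baseline, reconnaissance, beaconing and suspect data loss), run over constructed NetFlow-style records, as an added example that is not StealthWatch code; the thresholds, field names and sample records are assumptions.

```python
"""Flow-based anomaly detection over constructed NetFlow-style records.

Added example, not StealthWatch code: a per-host baseline is learned from quiet
windows, then an observation window is scored by three detectors that mirror the
slides' alarms: reconnaissance, beaconing and suspect data loss.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class Flow:
    start: int        # start time in seconds on a constructed clock
    src: str          # client address
    dst: str          # server / target address
    dport: int
    bytes_out: int    # client -> server
    bytes_in: int     # server -> client
    packets_in: int   # 0 means a one-way, unanswered flow

def detect_scan(flows, min_targets=8):
    """Reconnaissance: one source, unanswered flows to many distinct hosts in one /24."""
    targets = defaultdict(set)
    for f in flows:
        if f.packets_in == 0:
            net = f.dst.rsplit(".", 1)[0] + ".0/24"      # IPv4 /24 of the target
            targets[(f.src, net)].add(f.dst)
    return sorted((src, net, len(t)) for (src, net), t in targets.items()
                  if len(t) >= min_targets)

def detect_beaconing(flows, min_repeats=5, max_jitter=0.1):
    """Beaconing: the same client/server/port repeats at a near-constant
    interval and the server never sends anything back (dead connections)."""
    series = defaultdict(list)
    for f in flows:
        series[(f.src, f.dst, f.dport)].append(f)
    alarms = []
    for key, fs in series.items():
        if len(fs) < min_repeats or any(f.bytes_in > 0 for f in fs):
            continue
        starts = sorted(f.start for f in fs)
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            alarms.append(key + (round(mean(gaps)),))
    return sorted(alarms)

def learn_baseline(windows):
    """Per-host mean and standard deviation of outbound bytes per window."""
    hosts = {f.src for w in windows for f in w}
    totals = {h: [] for h in hosts}
    for w in windows:
        per_host = defaultdict(int)
        for f in w:
            per_host[f.src] += f.bytes_out
        for h in hosts:
            totals[h].append(per_host[h])
    return {h: (mean(v), pstdev(v)) for h, v in totals.items()}

def detect_data_loss(window, baseline, z=3.0, min_bytes=50_000_000):
    """Suspect data loss: outbound volume over an absolute floor and more than
    z standard deviations above the host's own baseline (unknown host: 0)."""
    per_host = defaultdict(int)
    for f in window:
        per_host[f.src] += f.bytes_out
    alarms = []
    for h, total in sorted(per_host.items()):
        mu, sigma = baseline.get(h, (0.0, 0.0))
        threshold = mu + z * max(sigma, 1.0)     # floor sigma so a flat baseline still alarms
        if total >= min_bytes and total > threshold:
            alarms.append((h, total, round(threshold)))
    return alarms

def learning_windows():
    """Three quiet days (constructed): each host sends a few MB out."""
    return [[Flow(86_400 * d + 3_600, "10.10.20.10", "10.10.101.5", 443,
                  5_000_000 + d * 100_000, 20_000_000, 8_000),
             Flow(86_400 * d + 3_600, "10.10.101.118", "10.10.20.10", 80,
                  4_000_000, 1_000_000, 900)] for d in range(3)]

def observation_window():
    """Day four (constructed): a scan, a beacon and a large upload."""
    flows = [Flow(1_000 + i, "10.10.101.118", f"10.10.20.{i}", 445, 60, 0, 0)
             for i in range(1, 21)]                       # 20 unanswered probes
    flows += [Flow(5_000 + 600 * i, "10.10.20.10", "203.0.113.7", 80, 120, 0, 0)
              for i in range(6)]                          # every 600 s, nothing back
    flows.append(Flow(9_000, "10.10.20.10", "203.0.113.7", 443, 400_000_000, 50_000, 10_000))
    return flows

def run():
    window, base = observation_window(), learn_baseline(learning_windows())
    return {"scan": detect_scan(window), "beaconing": detect_beaconing(window),
            "data_loss": detect_data_loss(window, base)}

if __name__ == "__main__":
    print(run())
```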
Looking at abnormal traffic
[Two screenshot slides showing abnormal traffic views; no text content]
Summary
Provides Rich Context: unites NetFlow data with identity and application ID to provide security context
Leverages the Cisco Network for Security Telemetry: NetFlow-enabled Cisco switches and routers become security telemetry sources; Cisco is the undisputed market leader in hardware-enabled NetFlow devices
Provides Threat Visibility and Context: a single pane of glass that unifies threat detection, visibility, forensics analysis and reporting
[Figure: Cisco Network + Cisco ISE + Cisco ISR G2/ASR1k + NBAR + Cisco ASA feed NetFlow to FlowSensor and FlowCollector under the StealthWatch Management Console, answering Who, What, Where, When and How]
See also BRKSEC-2136 – Preventing Armageddon
Summary
•  Virtual network services
–  Extend policy
–  Extend visibility
–  Extend workflow
•  Leverage P-to-V fabric services to create unified policy
•  Assume both internal and external threats
•  ACI
–  Automatically instantiate security services and policies right with the application flows
Defend, Detect, Control
Q&A
Secure Virtualization with Nexus 1000V and VSG

 
Cisco Connect Vancouver 2017 - Understanding Cisco next gen SD-WAN
Cisco Connect Vancouver 2017 - Understanding Cisco next gen SD-WANCisco Connect Vancouver 2017 - Understanding Cisco next gen SD-WAN
Cisco Connect Vancouver 2017 - Understanding Cisco next gen SD-WAN
 
SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)
SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)
SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)
 
The Data Center Network Evolution
The Data Center Network EvolutionThe Data Center Network Evolution
The Data Center Network Evolution
 
Cisco SDN/NVF Innovations (SDN NVF Day ITB 2016)
Cisco SDN/NVF Innovations (SDN NVF Day ITB 2016)Cisco SDN/NVF Innovations (SDN NVF Day ITB 2016)
Cisco SDN/NVF Innovations (SDN NVF Day ITB 2016)
 
Understanding Cisco Next Generation SD-WAN Solution
Understanding Cisco Next Generation SD-WAN SolutionUnderstanding Cisco Next Generation SD-WAN Solution
Understanding Cisco Next Generation SD-WAN Solution
 
Cisco1000v Net Optics Solution Brief
Cisco1000v Net Optics Solution BriefCisco1000v Net Optics Solution Brief
Cisco1000v Net Optics Solution Brief
 
Nexus 1000V Support for VMWare vSphere 6
Nexus 1000V Support for VMWare vSphere 6Nexus 1000V Support for VMWare vSphere 6
Nexus 1000V Support for VMWare vSphere 6
 
Cisco connect winnipeg 2018 understanding cisco's next generation sdwan sol...
Cisco connect winnipeg 2018   understanding cisco's next generation sdwan sol...Cisco connect winnipeg 2018   understanding cisco's next generation sdwan sol...
Cisco connect winnipeg 2018 understanding cisco's next generation sdwan sol...
 

Plus de Cisco Russia

Service portfolio 18
Service portfolio 18Service portfolio 18
Service portfolio 18Cisco Russia
 
История одного взлома. Как решения Cisco могли бы предотвратить его?
История одного взлома. Как решения Cisco могли бы предотвратить его?История одного взлома. Как решения Cisco могли бы предотвратить его?
История одного взлома. Как решения Cisco могли бы предотвратить его?Cisco Russia
 
Об оценке соответствия средств защиты информации
Об оценке соответствия средств защиты информацииОб оценке соответствия средств защиты информации
Об оценке соответствия средств защиты информацииCisco Russia
 
Обзор Сервисных Услуг Cisco в России и странах СНГ.
Обзор Сервисных Услуг Cisco в России и странах СНГ.Обзор Сервисных Услуг Cisco в России и странах СНГ.
Обзор Сервисных Услуг Cisco в России и странах СНГ.Cisco Russia
 
Клиентские контракты на техническую поддержку Cisco Smart Net Total Care
Клиентские контракты на техническую поддержку Cisco Smart Net Total CareКлиентские контракты на техническую поддержку Cisco Smart Net Total Care
Клиентские контракты на техническую поддержку Cisco Smart Net Total CareCisco Russia
 
Cisco Catalyst 9000 series
Cisco Catalyst 9000 series Cisco Catalyst 9000 series
Cisco Catalyst 9000 series Cisco Russia
 
Cisco Endpoint Security for MSSPs
Cisco Endpoint Security for MSSPsCisco Endpoint Security for MSSPs
Cisco Endpoint Security for MSSPsCisco Russia
 
Профессиональные услуги Cisco для Software-Defined Access
Профессиональные услуги Cisco для Software-Defined AccessПрофессиональные услуги Cisco для Software-Defined Access
Профессиональные услуги Cisco для Software-Defined AccessCisco Russia
 
Обнаружение известного вредоносного кода в зашифрованном с помощью TLS трафик...
Обнаружение известного вредоносного кода в зашифрованном с помощью TLS трафик...Обнаружение известного вредоносного кода в зашифрованном с помощью TLS трафик...
Обнаружение известного вредоносного кода в зашифрованном с помощью TLS трафик...Cisco Russia
 
Промышленный Интернет вещей: опыт и результаты применения в нефтегазовой отрасли
Промышленный Интернет вещей: опыт и результаты применения в нефтегазовой отраслиПромышленный Интернет вещей: опыт и результаты применения в нефтегазовой отрасли
Промышленный Интернет вещей: опыт и результаты применения в нефтегазовой отраслиCisco Russia
 
Полугодовой отчет Cisco по информационной безопасности за 2017 год
Полугодовой отчет Cisco по информационной безопасности за 2017 год Полугодовой отчет Cisco по информационной безопасности за 2017 год
Полугодовой отчет Cisco по информационной безопасности за 2017 год Cisco Russia
 
Годовой отчет Cisco по кибербезопасности за 2017 год
Годовой отчет Cisco по кибербезопасности за 2017 годГодовой отчет Cisco по кибербезопасности за 2017 год
Годовой отчет Cisco по кибербезопасности за 2017 годCisco Russia
 
Безопасность для цифровой экономики. Развитие продуктов и решений Cisco
Безопасность для цифровой экономики. Развитие продуктов и решений CiscoБезопасность для цифровой экономики. Развитие продуктов и решений Cisco
Безопасность для цифровой экономики. Развитие продуктов и решений CiscoCisco Russia
 
Cisco StealthWatch. Использование телеметрии для решения проблемы зашифрованн...
Cisco StealthWatch. Использование телеметрии для решения проблемы зашифрованн...Cisco StealthWatch. Использование телеметрии для решения проблемы зашифрованн...
Cisco StealthWatch. Использование телеметрии для решения проблемы зашифрованн...Cisco Russia
 
Обеспечение бесперебойной работы корпоративных приложений в больших гетероген...
Обеспечение бесперебойной работы корпоративных приложений в больших гетероген...Обеспечение бесперебойной работы корпоративных приложений в больших гетероген...
Обеспечение бесперебойной работы корпоративных приложений в больших гетероген...Cisco Russia
 
Новое поколение серверов Сisco UCS. Гиперконвергентное решении Cisco HyperFle...
Новое поколение серверов Сisco UCS. Гиперконвергентное решении Cisco HyperFle...Новое поколение серверов Сisco UCS. Гиперконвергентное решении Cisco HyperFle...
Новое поколение серверов Сisco UCS. Гиперконвергентное решении Cisco HyperFle...Cisco Russia
 

Plus de Cisco Russia (20)

Service portfolio 18
Service portfolio 18Service portfolio 18
Service portfolio 18
 
История одного взлома. Как решения Cisco могли бы предотвратить его?
История одного взлома. Как решения Cisco могли бы предотвратить его?История одного взлома. Как решения Cisco могли бы предотвратить его?
История одного взлома. Как решения Cisco могли бы предотвратить его?
 
Об оценке соответствия средств защиты информации
Об оценке соответствия средств защиты информацииОб оценке соответствия средств защиты информации
Об оценке соответствия средств защиты информации
 
Обзор Сервисных Услуг Cisco в России и странах СНГ.
Обзор Сервисных Услуг Cisco в России и странах СНГ.Обзор Сервисных Услуг Cisco в России и странах СНГ.
Обзор Сервисных Услуг Cisco в России и странах СНГ.
 
Клиентские контракты на техническую поддержку Cisco Smart Net Total Care
Клиентские контракты на техническую поддержку Cisco Smart Net Total CareКлиентские контракты на техническую поддержку Cisco Smart Net Total Care
Клиентские контракты на техническую поддержку Cisco Smart Net Total Care
 
Cisco Catalyst 9000 series
Cisco Catalyst 9000 series Cisco Catalyst 9000 series
Cisco Catalyst 9000 series
 
Cisco Catalyst 9500
Cisco Catalyst 9500Cisco Catalyst 9500
Cisco Catalyst 9500
 
Cisco Catalyst 9400
Cisco Catalyst 9400Cisco Catalyst 9400
Cisco Catalyst 9400
 
Cisco Umbrella
Cisco UmbrellaCisco Umbrella
Cisco Umbrella
 
Cisco Endpoint Security for MSSPs
Cisco Endpoint Security for MSSPsCisco Endpoint Security for MSSPs
Cisco Endpoint Security for MSSPs
 
Cisco FirePower
Cisco FirePowerCisco FirePower
Cisco FirePower
 
Профессиональные услуги Cisco для Software-Defined Access
Профессиональные услуги Cisco для Software-Defined AccessПрофессиональные услуги Cisco для Software-Defined Access
Профессиональные услуги Cisco для Software-Defined Access
 
Обнаружение известного вредоносного кода в зашифрованном с помощью TLS трафик...
Обнаружение известного вредоносного кода в зашифрованном с помощью TLS трафик...Обнаружение известного вредоносного кода в зашифрованном с помощью TLS трафик...
Обнаружение известного вредоносного кода в зашифрованном с помощью TLS трафик...
 
Промышленный Интернет вещей: опыт и результаты применения в нефтегазовой отрасли
Промышленный Интернет вещей: опыт и результаты применения в нефтегазовой отраслиПромышленный Интернет вещей: опыт и результаты применения в нефтегазовой отрасли
Промышленный Интернет вещей: опыт и результаты применения в нефтегазовой отрасли
 
Полугодовой отчет Cisco по информационной безопасности за 2017 год
Полугодовой отчет Cisco по информационной безопасности за 2017 год Полугодовой отчет Cisco по информационной безопасности за 2017 год
Полугодовой отчет Cisco по информационной безопасности за 2017 год
 
Годовой отчет Cisco по кибербезопасности за 2017 год
Годовой отчет Cisco по кибербезопасности за 2017 годГодовой отчет Cisco по кибербезопасности за 2017 год
Годовой отчет Cisco по кибербезопасности за 2017 год
 
Безопасность для цифровой экономики. Развитие продуктов и решений Cisco
Безопасность для цифровой экономики. Развитие продуктов и решений CiscoБезопасность для цифровой экономики. Развитие продуктов и решений Cisco
Безопасность для цифровой экономики. Развитие продуктов и решений Cisco
 
Cisco StealthWatch. Использование телеметрии для решения проблемы зашифрованн...
Cisco StealthWatch. Использование телеметрии для решения проблемы зашифрованн...Cisco StealthWatch. Использование телеметрии для решения проблемы зашифрованн...
Cisco StealthWatch. Использование телеметрии для решения проблемы зашифрованн...
 
Обеспечение бесперебойной работы корпоративных приложений в больших гетероген...
Обеспечение бесперебойной работы корпоративных приложений в больших гетероген...Обеспечение бесперебойной работы корпоративных приложений в больших гетероген...
Обеспечение бесперебойной работы корпоративных приложений в больших гетероген...
 
Новое поколение серверов Сisco UCS. Гиперконвергентное решении Cisco HyperFle...
Новое поколение серверов Сisco UCS. Гиперконвергентное решении Cisco HyperFle...Новое поколение серверов Сisco UCS. Гиперконвергентное решении Cisco HyperFle...
Новое поколение серверов Сisco UCS. Гиперконвергентное решении Cisco HyperFle...
 

Dernier

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 

Dernier (20)

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 

Secure Virtualization with Nexus 1000V and VSG

  • 6. Common Virtualization Concerns
    •  Unified Policy Enforcement
      –  Applied at the physical server, not the individual VM
      –  Impossible to enforce policy for VMs in motion
    •  Operations and Management
      –  Lack of VM visibility, accountability, and consistency
      –  Difficult management model and inability to effectively troubleshoot
    •  Roles and Responsibilities
      –  Muddled ownership as the server admin must configure the virtual network
      –  Organizational redundancy creates compliance challenges
    •  Machine and Application Segmentation
      –  Server and application isolation on the same physical server
      –  No separation between compliant and non-compliant systems…
    (Diagram: a hypervisor where an initial infection spreads to a secondary infection; concern areas: Policy, Workflow, Operations; Roles and Responsibilities; Isolation and Segmentation; Management and Monitoring)
  • 7. Virtualization Security
    •  Collateral hacking?
    •  Segmentation?
    •  Side channel attacks?
    •  Visibility?
    •  Threat identification and defense?
    •  What about hypervisor hyperjacking?
    •  VM escape?
    •  Virtualization Attention Deficit Disorder
    (Diagram: virtualization security wheel: V-Motion (Memory), V-Storage (VMDK), VM Segmentation, Hypervisor Security, Role Based Access, Physical Security, VM OS Hardening, Patch Management, VM Sprawl)
  • 8. Simple, Effective, Achievable
    Segmentation
    •  Establish boundaries: network, compute, virtual
    •  Enforce policy by functions, devices, organizations, compliance
    •  Control and prevent unauthorized access to networks, resources, applications
    Threat Defense
    •  Stop internal and external attacks and interruption of services
    •  Patrol zone and edge boundaries
    •  Control information access and usage, prevent data loss and data modification
    Visibility
    •  Provide transparency to usage
    •  Apply business context to network activity
    •  Simplify operations and compliance reporting
    (Diagram: North-South and East-West traffic; Defend, Detect, Control)
  • 9. Security Model: the Attack Continuum
    BEFORE: Control, Enforce, Harden
    DURING: Detect, Block, Defend
    AFTER: Scope, Contain, Remediate
    Applies across Network, Endpoint, Mobile, Virtual and Cloud; protection is both point-in-time and continuous.
  • 10. From Best of Breed…
    •  Control North/South traffic with ASA 5585
    •  Scale and HA with Clustering
    •  Inspect North/South traffic with NGIPS
    •  Segment and protect the virtual enclave with ASAv and vNGIPS
    (Diagram: physical hosts behind an ASA firewall cluster and NGIPS)
  • 11. …With Best Infrastructure…
    Leverage your Cisco infrastructure to fight advanced pervasive threats
    •  TrustSec with Security Group Tagging (SGT), policy from ISE
    •  CTD: Cisco Threat Defense (NGA, Virtual FlowSensor)
    •  Simplify, Automate, Accelerate, Standardize
    (Diagram: ASA FW clustering, NGIPS, NGA and Virtual FlowSensor, with SGT-tagged workloads and ISE)
  • 12. …With Best Architecture…
    (Diagram: two data centers, each with virtual hosts, physical hosts, NGIPS and SGT-tagged workloads, joined by inter-DC clustering over OTV)
  • 13. …Ready for the Next Generation Data Center.
    Application Centric Infrastructure: Scalable, Simple, Flexible, Reliable, Automated, Secured
    (Diagram: ACI Fabric with physical and virtual endpoints, service nodes and security nodes (ASA FW clustering, NGIPS) attached)
  • 14. Virtual Network & Security Services
  • 15. Managing Virtual Networking Policy: Nexus 1000V
    •  Non-disruptive operation model to maintain current workflows using Port Profiles
    •  Maintain network security policies with isolation and segmentation via VLANs, Private VLANs, port-based Access Lists and Cisco Integrated Security Features
    •  Ensure visibility (VM introspection) into virtual machine traffic flows using traditional network features such as ERSPAN and NetFlow
    (Diagram: virtual switches, example Nexus 1000V; Network, Server and Security teams; Management and Monitoring, Roles and Responsibilities, Isolation and Segmentation)
  • 16. What is a Nexus Port-Profile?
    •  A port profile is a container used to define a common set of configuration commands for multiple interfaces
    •  Define once and apply many times
    •  Simplifies management by storing interface configuration
    •  Key to collaborative management of virtual networking resources
    •  Why is it not like a template or SmartPort macro?
      –  Port-profiles are ‘live’ policies
      –  Editing an enabled profile will cause configuration changes to propagate to all interfaces using that profile (unlike a static one-time macro)
    * For lots more detail, reference BRKVIR-3013 Deploying and Troubleshooting the Nexus 1000V
  • 17. Port Profiles
    Nexus 1000V supports:
    •  ACLs
    •  Quality of Service (QoS)
    •  PVLANs
    •  Port channels
    •  SPAN ports
    Example port-profile and the vEthernet interfaces that inherit it:

        port-profile vm180
          vmware port-group pg180
          switchport mode access
          switchport access vlan 180
          ip flow monitor ESE-flow input
          ip flow monitor ESE-flow output
          no shutdown
          state enabled
        interface Vethernet9
          inherit port-profile vm180
        interface Vethernet10
          inherit port-profile vm180

    (Diagram: Port Profile maps to a vCenter Port Group through the vCenter API; policy stays with the VM across vMotion ("policy stickiness"); Network, Security and Server teams)
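To make the "live policy" point concrete, here is an added example (not Cisco code) that models port-profile inheritance: it parses the profile above, resolves each vEthernet interface's effective configuration at lookup time, and shows that adding a port ACL to the profile reaches every inheriting interface while a macro-style copy taken earlier does not. The second profile, Vethernet11 and the ACL name WEB-ACL are constructed for the example.

```python
"""Added example (not Cisco code): a model of Nexus 1000V port-profile
inheritance, illustrating why a port-profile is a 'live' policy rather than
a one-time macro. Sample config is constructed from the profile on the slide."""

# Constructed sample: the vm180 profile from the slide, a second profile,
# and three vEthernet interfaces. Vethernet11 overrides its VLAN locally.
SAMPLE_CONFIG = """\
port-profile vm180
  vmware port-group pg180
  switchport mode access
  switchport access vlan 180
  ip flow monitor ESE-flow input
  ip flow monitor ESE-flow output
  no shutdown
  state enabled
port-profile vm181
  vmware port-group pg181
  switchport mode access
  switchport access vlan 181
  no shutdown
  state enabled
interface Vethernet9
  inherit port-profile vm180
interface Vethernet10
  inherit port-profile vm180
interface Vethernet11
  inherit port-profile vm181
  switchport access vlan 999
"""

# Profile-only lines: they describe the profile (vCenter port-group mapping,
# enabled state) and are not pushed to the interface as commands.
PROFILE_META = ("vmware port-group", "state ")


def parse_config(text):
    """Return ({profile: [cmds]}, {interface: [cmds]}). Unindented lines open
    a 'port-profile' or 'interface' block; indented lines belong to it."""
    profiles, interfaces, current = {}, {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            kind, _, name = raw.strip().partition(" ")
            store = profiles if kind == "port-profile" else interfaces
            current = store.setdefault(name, [])
        elif current is not None:
            current.append(raw.strip())
    return profiles, interfaces


def _key(cmd):
    """Override key: 'no X' and 'X' collide, and 'switchport a b <value>'
    commands collide on their first three words (simplified NX-OS semantics)."""
    words = cmd.split()
    if words[0] == "no":
        words = words[1:]
    return " ".join(words[:3]) if words[0] == "switchport" else " ".join(words)


def effective_config(profiles, interfaces, ifname):
    """Commands in force on an interface right now: the inherited profile's
    commands, with interface-local commands overriding same-key ones."""
    local = interfaces[ifname]
    inherited = []
    for cmd in local:
        if cmd.startswith("inherit port-profile "):
            prof = profiles[cmd.split()[-1]]
            inherited = [c for c in prof if not c.startswith(PROFILE_META)]
    local_cmds = [c for c in local if not c.startswith("inherit ")]
    local_keys = {_key(c) for c in local_cmds}
    return [c for c in inherited if _key(c) not in local_keys] + local_cmds


def interfaces_using(interfaces, profile):
    """All interfaces that inherit the given profile."""
    tag = f"inherit port-profile {profile}"
    return sorted(i for i, cmds in interfaces.items() if tag in cmds)


def edit_profile(profiles, profile, add):
    """Change a profile in place. Because interfaces resolve the profile at
    lookup time, every inheriting interface picks the change up at once."""
    prof = profiles[profile]
    for cmd in add:
        if cmd not in prof:
            idx = prof.index("no shutdown") if "no shutdown" in prof else len(prof)
            prof.insert(idx, cmd)
    return prof


def demo():
    """Contrast a macro-style snapshot with live inheritance after the
    security team adds a port ACL (constructed name WEB-ACL) to vm180."""
    profiles, interfaces = parse_config(SAMPLE_CONFIG)
    macro_copy = list(effective_config(profiles, interfaces, "Vethernet9"))
    edit_profile(profiles, "vm180", add=["ip port access-group WEB-ACL in"])
    live = {i: effective_config(profiles, interfaces, i)
            for i in interfaces_using(interfaces, "vm180")}
    return macro_copy, live


if __name__ == "__main__":
    macro_copy, live = demo()
    print("macro copy :", macro_copy)
    for name, cmds in live.items():
        print(f"{name:<11}:", cmds)
```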
  • 18. Nexus 1000V Security Features: Laying the Foundation
    Switching
    •  L2 Switching, 802.1Q Tagging, VLAN Segmentation, Rate Limiting (TX)
    •  IGMP Snooping, QoS Marking (CoS & DSCP)
    Security
    •  Virtual Service Domain, Private VLANs with local PVLAN enforcement
    •  Access Control Lists (L2–4 with redirect), Port Security, vPath/VSG
    •  Dynamic ARP Inspection, IP Source Guard, DHCP Snooping
    Provisioning
    •  Automated vSwitch configuration, Port Profiles, Virtual Center integration
    •  Optimized NIC teaming with Virtual Port Channel – Host Mode
    Visibility
    •  VMotion tracking, ERSPAN, NetFlow v9, CDP v2
    •  VM-level interface statistics
    Management
    •  Virtual Center VM provisioning, Cisco network provisioning, CiscoWorks
    •  Cisco CLI, RADIUS, TACACS, Syslog, SNMP (v1, v2, v3)
  • 19. vPath Enables Chaining of Network Services
    vPath is the Nexus 1000V data plane component:
    •  Topology-agnostic service insertion model
    •  Service chaining across multiple virtual services
    •  Performance acceleration with vPath, e.g. VSG flow offload
    •  Efficient and scalable architecture
    •  Non-disruptive operational model
    •  VM policy mobility with VM mobility
    (Diagram: Cloud Network Services (CNS) inserted above the Nexus 1000V vPath on the hypervisor)
  • 20. What is the Virtual Security Gateway?
    •  VSG is an L2 firewall that runs as a virtual machine, a “bump in the wire”
    •  Similar to the L2 transparent firewall mode of ASA
    •  It provides firewall inspection between L2-adjacent hosts (same subnet or VLAN)
    •  It can use VMware attributes for policy
    •  Provides the benefits of L2 separation for East-West traffic flows
    •  One or more VSGs are deployed per tenant
    •  Requires the Nexus 1000V virtual distributed switch and utilizes the vPath forwarding plane
    (Diagram: groups of virtual hosts with a VSG inspecting traffic between them)
  • 21. VSG Attributes
    VM attribute information collected is used for enforcing security policy:

        Name                  Meaning                      Source
        vm.name               Name of this VM              vCenter
        vm.host-name          Name of this ESX host        vCenter
        vm.os-fullname        Name of the guest OS         vCenter
        vm.vapp-name          Name of the associated vApp  vCenter
        vm.cluster-name       Name of the cluster          vCenter
        vm.portprofile-name   Name of the port-profile     Port-profile

    Security Policy Profile
    •  Defined and managed by VNMC / Prime Network Services Controller (NSC)
    •  Bound to a Cisco Nexus 1000V VSM port-profile
    (Diagram: vCenter VM attributes flowing to the VSG)
  • 22. Policy Workflow: Server, Network, Security
    •  Mitigates operational errors between teams
    •  Security team defines security policies (Security Admin, in Prime NSC: Security Profile)
    •  Networking team binds the port-profile to the VSG service profile (Network Admin, on the Nexus 1KV: Port Profile)
    •  Server team assigns VMs to Nexus 1000V port-profiles (Server Admin, in vCenter: Port Group)
  • 23. Introducing the Virtualized ASA (ASAv)
    •  Developed in response to customer feedback asking for a complete ASA firewall running as a virtual machine
    •  Nexus 1000V not required
    •  Will support VMware first, then other hypervisors
    •  ASA feature parity (with some exceptions); no support for:
       1. ASA clustering
       2. Multi-context mode
       3. EtherChannel interfaces
       4. Active/Active failover (requires multi-context mode)
  • 24. ASAv Deployment: Cloud Security FW+VPN
    •  Today multi-context mode on the ASA is used to provide firewall inspection for multi-tenant and multi-zone environments (diagram: Zone 1, Zone 2, Zone 3 with VM 1 to VM 8 behind one multi-context ASA)
    •  Trunks are typically used to transport zone and tenant traffic
    •  The challenge of East-West scale requires more firewall resources and a scalable solution
    •  ASAv provides an edge firewall and can scale for the East-West build-out (diagram: VFW 1, VFW 2, VFW 3 serving Vzone 1 and Vzone 2)
    •  Each tenant or zone gets one or more ASAv for FW + VPN
    •  Scaled VPN termination for site-to-site and remote-access VPN clients
  • 25. ASAv: Three Modes of Policy Enforcement
    Routed Firewall: routes traffic between vNICs; maintains ARP and routing tables; tenant edge firewall
    Transparent Firewall: VLAN or VXLAN bridging / stitching; maintains MAC address tables; non-disruptive to L3 designs
    Service Tag Switching: applies inspection between service tags; no network participation; fabric integration mode
  • 26. Routed Firewall
    •  Routed: tenant edge use case
    •  First-hop gateway to hosts
    •  Enables all client hosts, VM or physical
    •  Scales the number of data interfaces
    •  Routes between multiple subnets
    •  Traditional Layer 3 boundary in the network
    Diagram: client - Gateway - ASAv (routed) with Outside, Inside (host1, host2) and Shared DMZ interfaces.
  • 27. Transparent Firewall
    •  Bridging up to 4 (sub-)interfaces
    •  Max 8 BVIs per ASAv
    •  NAT and ACL available
    •  Non-disruptive PCI compliance
    •  Traditional Layer 2 boundary between hosts
    •  All segments in one broadcast domain
    Diagram: client - Gateway - ASAv (transparent) bridging Segment-1 to Segment-4 (host1, host2).
  • 28. Application Security & Visibility
    •  Stateful inspection with virtual ASA for north-south and east-west VM traffic
    •  Transparent or routed mode
    •  Service elasticity
    Diagram: Nexus 7000 (VRF) - Nexus 5500 - UCS with Nexus 1000V in the hypervisor; .1Q trunk carrying VLAN 50 to the ASAv, which fronts the Web-zone (VLAN 200) and the Fileserver-zone (VLAN 300).
  • 29. Comparing Cisco Virtual Firewalls
      ASAv                                   | ASA1000V (Edge)                  | Virtual Security Gateway
      L2 and L3 mode                         | L3 routed mode only              | L2 mode (transparent)
      Dynamic and static routing             | Static routes only               | No routing
      DHCP server and client support         | DHCP server and client support   | No DHCP support
      IP and user based policies             | IP and user based policies       | IP and VM attribute based policies
      S2S and RA VPN                         | Supports S2S IPsec only          | No IPsec support
      Managed via CLI, ASDM, CSM             | Managed by ASDM and VNMC/PNSC    | Managed by VNMC/PNSC only
      Full ASA code, CLI, SSH, REST API      | Uses ASA code, CLI, SSH          | Minimal config via CLI, SSH
      Policy for virtual and physical hosts  | Policy for virtual hosts only    | Policy for virtual hosts only
  • 31. PVLANs for VM Isolation (Layer 2 Segmentation)
    •  VMs in the same Layer 2 subnet can be isolated
    •  Only allowed to communicate outbound to the Layer 3 gateway
    •  Use an ACL on the gateway to block source and destination IPs from PVLANs
    *PVLANs are also supported on the VMware vSwitch
    Diagram: Nexus 7000 (VRF, VLAN 20) - .1Q trunk - UCS with Nexus 1000V in the hypervisor; Primary VLAN 20 with Isolated VLAN 100, Isolated VLAN 200 and Community VLAN 300 across the Web-zone, Application-zone and Fileserver-zone.
  • 32. NetFlow for VM Network Behavior Analysis (VM Visibility)
    •  VM flows can be mirrored via a SPAN port on the virtual switch; ERSPAN can also be used to forward them across Layer 3 (e.g. to a 6500 NAM module)
    •  VM flow analysis via NetFlow for trending, visibility, and security
    Diagram: Nexus 1000V in the hypervisor on UCS exporting NetFlow/ERSPAN/SPAN to a NetFlow data collector and a 6500 with NAM (Layer 2 / Layer 3); Isolated VLAN 100, Isolated VLAN 200, Community VLAN 300.
  • 33. System Isolation via Micro Segmentation: Policy per App Tier, per VM, per vNIC
    •  Control ingress/egress and inter-VM traffic: vFirewall, ACL, PVLAN
    •  Traffic and threat visibility: vIPS, NetFlow, SPAN/ERSPAN
    •  Mobility-transparent enforcement: port profiles
    •  Administrative segregation: Server, Network, Security
    Diagram: Tenant A and Tenant B, each with a Nexus 1000V, a Virtual Service Domain (VSD) with ASAv and vIPS, VSG, and Web tier / App tier / DB VMs.
  • 35. Drivers for Deploying TrustSec
    Mitigate Risk: reduce the attack surface with segmentation
    Increase SecOps Efficiency: manage security using logical groups, not IP addresses/VLANs
    Meet Compliance Objectives: authorize access to compliance-critical apps
  • 36. Simplicity Goals of Group-Based Policies
    •  Managing security rules by groups instead of individual identifiers can mean:
       -  Fewer rules/access control entries
       -  Easier to understand and audit policies
       -  New assets can join a group without changing the policy
    •  Automating assignment of group membership avoids rule provisioning effort/lag:
       -  Frees SecOps effort for other tasks
       -  Avoids the time required for manual provisioning of new apps/services
    •  If group membership can be independent of the network topology:
       -  Group-based policies can be applied anywhere on the network
       -  Avoids/reduces the need for device-specific ACL configurations
  • 37. TrustSec Concept
    •  Classification of systems/users based on context (user role, device, location, access method)
    •  Context (role) expressed as a Security Group Tag (SGT)
    •  Firewalls, routers and switches use the SGT to make filtering decisions
    •  Classify once, reuse the result multiple times
    Diagram: users and devices are classified at the access switch (ISE with directory, SGT:5); the SGT is propagated via router and DC firewall to the DC switch, where enforcement protects the HR Servers and Fin Servers (SGT = 4 and SGT = 10).
  • 38. Inline Tagging (SGT in the Data Plane)
    •  SGT embedded within Cisco Meta Data (CMD) in the Layer 2 frame
    •  Capable switches process the SGT at line rate
    •  Optional MACsec protection
    •  No impact to QoS, IP MTU/fragmentation
    •  L2 frame impact: ~40 bytes
    •  Recommend L2 MTU ~1600 bytes
    •  N.B. assume incapable devices will drop frames with an unknown EtherType
    Frame layouts shown: Ethernet frame = Destination MAC | Source MAC | 802.1Q | CMD (EtherType 0x8909) | EtherType | Payload | CRC. Cisco Meta Data = CMD EtherType | Version | Length | SGT Option Type | SGT Value | Other CMD Option. MACsec frame = Destination MAC | Source MAC | 802.1AE header (EtherType 0x88E5) | 802.1Q | CMD | EtherType | Payload (AES-GCM 128-bit encryption) | 802.1AE ICV | CRC.
  • 39. SGT eXchange Protocol (SGT in the Control Plane)
    •  SXP is very simple to enable
       -  SGT propagation without hardware dependencies
       -  Propagation possible from the access edge to the enforcement device
    •  Uses TCP as the transport protocol
    •  TCP port 64999 for connection initiation
    •  Uses MD5 for authentication and integrity check
    •  Two roles: Speaker (initiator) and Listener (receiver)
    Diagram: access switches (Speakers) - SXP - aggregation switch/router (SXP aggregation) - SXP - enforcement device (Listener).
  • 40. Assigning Security Groups
    Dynamic classification (common classification for mobile devices): 802.1X authentication, MAC Authentication Bypass, Web Authentication
    Static classification (for servers, topology-based assignments): IP address, VLANs, subnets, L2 interface, L3 interface, virtual port profile, Layer 2 port lookup
  • 41. Dynamic SGT Assignments in Authorization Rules
    •  Policy > Authorization > Permissions > Security Groups
    •  Requires a basic authorization profile (Access Accept, Access Reject)
  • 42. Nexus 1000V: SGT Assignment in Port Profile
    •  Port Profile: a container of network properties, applied to different interfaces
    •  Server Admin may assign port profiles to new VMs
    •  VMs inherit the network properties of the port-profile, including the SGT
    •  The SGT stays with the VM even if it is moved
  • 43. Static SGT Assignments (IOS CLI examples)
    IP to SGT mapping:
      cts role-based sgt-map A.B.C.D sgt SGT_Value
    VLAN to SGT mapping*:
      cts role-based sgt-map vlan-list VLAN sgt SGT_Value
    Subnet to SGT mapping:
      cts role-based sgt-map A.B.C.D/nn sgt SGT_Value
    L3IF to SGT mapping**:
      cts role-based sgt-map interface name sgt SGT_Value
    L3 ID to port mapping**:
      (config-if-cts-manual)# policy dynamic identity name
    L2IF to SGT mapping*:
      (config-if-cts-manual)# policy static sgt SGT_Value
    * relies on IP Device Tracking
    ** relies on route prefix snooping
  • 44. Access Layer Classification Summary
                                        C2960-S  C3750X  C3850/WLC 5760  C4500  C6x00  ISR/ASR1000  WLC
      Dynamic  802.1X                   X        X       X               X      X      X            X
               MAB                      X        X       X               X      X      X            X
               Web Auth                 X        X       X               X      X      X            X
      Static   VLAN/SGT                 -        X*      X               X      X*     -            -
               Subnet/SGT               -        -       X               X      X      -            -
               Layer 3 Interface Map.   -        -       -               X      -      -            -
    * limits on the number of VLANs per platform
  • 45. Applying SGACL Policies (Matrix View)
    Example SGACL Portal_ACL, as shown in one matrix cell:
      permit tcp dst eq 443
      permit tcp dst eq 80
      permit tcp dst eq 22
      permit tcp dst eq 3389
      permit tcp dst eq 135
      permit tcp dst eq 136
      permit tcp dst eq 137
      permit tcp dst eq 138
      permit tcp dst eq 139
      deny ip
  • 46. Policy Enforcement on Firewalls: ASA SG-FW
    •  Can still use network objects (Host, Range, Network, FQDN) and/or the SGT
    •  SXP informs the ASA of Security Group membership
    •  Security Group definitions come from ISE
    •  Trigger other services by SGT, such as NGIPS
  • 47. Typical Deployment Approach
    1. Users connect to the network; monitor mode allows traffic regardless of authentication
    2. Authentication can be performed passively, resulting in SGT assignments (AUTH=OK, SGT = PCI User (10))
    3. Traffic traverses the network to the Data Center enforcement points
    4. Enforcement may be enabled gradually per destination Security Group
    Monitor mode port configuration on the campus Catalyst switches/WLC (3K/4K/6K):
      authentication port-control auto
      authentication open
      dot1x pae authenticator
    Egress enforcement with Security Group ACLs on the N7K in front of the PCI, Production and Development servers; example policy:
      SRC \ DST        PCI Server (111)   Dev Server (222)
      Dev User (8)     Deny all           Permit all
      PCI User (10)    Permit all         Permit all
      Unknown (0)      Deny all           Deny all
  • 48. TrustSec Functions and Platform Support
    Classification: Catalyst 2960-S/-C/-Plus/-X/-XR; Catalyst 3560-E/-C/-X; Catalyst 3750-E/-X; Catalyst 4500E (Sup6E/7E); Catalyst 4500E (Sup8); Catalyst 6500E (Sup720/2T); Catalyst 3850/3650; WLC 5760; Wireless LAN Controller 2500/5500/WiSM2; Nexus 7000; Nexus 5500; Nexus 1000v (port profile); ISR G2 Router, CGR2000
    Propagation (SXP and/or inline SGT, marked per platform in the figure): Catalyst 2960-S/-C/-Plus/-X/-XR; Catalyst 3560-E/-C, 3750-E; Catalyst 3560-X, 3750-X; Catalyst 3850/3650; Catalyst 4500E (Sup6E); Catalyst 4500E (7E, 8), 4500X; Catalyst 6500E (Sup720); Catalyst 6500E (2T), 6800; WLC 2500, 5500, WiSM2; WLC 5760; Nexus 1000v; Nexus 6000/5600; Nexus 5500/22xx FEX; Nexus 7000/22xx FEX; ISRG2, CGS2000; ASR1000; ASA5500 Firewall, ASASM; IE2000/3000, CGS2000; ASA5500 (VPN RAS). Inline SGT on all ISRG2 except the 800 series; inline tagging over GETVPN, DMVPN, IPsec.
    Enforcement (SGACL on switches, SGFW on firewalls and routers): Catalyst 3560-X; Catalyst 3750-X; Catalyst 4500E (7E); Catalyst 4500E (8E); Catalyst 6500E (2T); Catalyst 6800; Catalyst 3850/3650; WLC 5760; Nexus 7000; Nexus 5600; Nexus 1000v; ISR G2 Router, CGR2000; ASA 5500 Firewall; ASAv Firewall; ASR 1000 Router; CSR-1000v Router
    Also marked as new in the figure: Nexus 6000, Nexus 5500, Nexus 5600.
  • 49. Use Case for DC Segmentation
  • 50. Server Segmentation in the Data Center (today)
    •  Physical and virtual servers are segmented using VLANs (Web Server VLAN, App VLAN, Database VLAN, DR cluster)
    •  Policy stays with the VLAN or IP address, not with the servers ("App VLAN? Which policy?")
    •  Network Ops, Server Ops, and Security Ops are all involved in operation
    •  As the number of servers grows, complexity and OPEX follow
  • 51. Server Segmentation with TrustSec
    Web Server SGT (10), Application Server SGT (20) and Database Server SGT (30) share one Production Server VLAN (plus the DR cluster); the policy is expressed between groups:
      permit tcp from src Web to dst App eq HTTPS
      permit tcp from src App to dst DB eq SQL
      deny any from src Web to dst DB eq SQL
    •  Server, Network, and Security teams share a common security object
    •  Policy stays with the servers, not based on topology
    •  Works for both physical and virtual servers
    •  As the number of servers grows, management complexity and OPEX do not
  • 52. Data Center Segmentation
    •  Segment servers into logical zones
    •  Control access to logical DC entities based on role
    •  Apply controls to physical and virtual servers
    How to define this policy (source group to destination group; the slide's legend marks the Q symbol as Blocked, R as permitted):
      SRC \ DST           Web Servers  Middleware Servers  Database Servers  Storage
      Web Servers         permitted    permitted           blocked           blocked
      Middleware Servers  permitted    permitted           permitted         permitted
      Database Servers    blocked      permitted           permitted         permitted
      Storage             blocked      permitted           permitted         permitted
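The static classification of slide 43 and the SGT-pair matrix of slides 45, 51 and 52, as an added example that is not code from the deck: a small Python model that maps IP addresses to SGTs (host and longest-prefix subnet mappings) and evaluates an ordered SGACL per source/destination SGT pair. All addresses, SGT numbers and ports are constructed, and "eq SQL" is assumed to be TCP/1433.

```python
"""Added example, not code from the BRKSEC-2206 deck: a small model of TrustSec
static classification (IP-to-SGT and subnet-to-SGT mappings, slide 43) and
SGACL enforcement on a source/destination SGT matrix (slides 45, 51, 52).
All addresses, SGT numbers and ports are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

UNKNOWN_SGT = 0  # TrustSec uses SGT 0 for traffic whose source could not be classified


@dataclass(frozen=True)
class Ace:
    """One SGACL entry such as 'permit tcp dst eq 443'; None means 'any'."""
    action: str                      # "permit" or "deny"
    proto: Optional[str] = None      # "tcp", "udp", ... or None for any protocol
    dst_port: Optional[int] = None   # destination port or None for any port

    def matches(self, proto: str, dst_port: int) -> bool:
        return self.proto in (None, proto) and self.dst_port in (None, dst_port)


class SgtClassifier:
    """Static classification: a host mapping wins over a subnet mapping, and
    subnet mappings use longest-prefix match (modelled on cts role-based sgt-map)."""

    def __init__(self) -> None:
        self.hosts: Dict[IPv4Address, int] = {}
        self.subnets: List[Tuple[IPv4Network, int]] = []

    def map_host(self, ip: str, sgt: int) -> None:
        self.hosts[ip_address(ip)] = sgt

    def map_subnet(self, cidr: str, sgt: int) -> None:
        self.subnets.append((ip_network(cidr), sgt))
        # most specific prefix first, so the first hit below is the longest match
        self.subnets.sort(key=lambda entry: entry[0].prefixlen, reverse=True)

    def classify(self, ip: str) -> int:
        addr = ip_address(ip)
        if addr in self.hosts:
            return self.hosts[addr]
        for net, sgt in self.subnets:
            if addr in net:
                return sgt
        return UNKNOWN_SGT


class SgaclPolicy:
    """(src_sgt, dst_sgt) -> ordered SGACL. Cells with no SGACL fall back to
    default_action; this model defaults to deny, whereas a real fabric applies
    whatever default the administrator configured."""

    def __init__(self, default_action: str = "deny") -> None:
        self.cells: Dict[Tuple[int, int], List[Ace]] = {}
        self.default_action = default_action

    def add(self, src_sgt: int, dst_sgt: int, acl: List[Ace]) -> None:
        self.cells[(src_sgt, dst_sgt)] = acl

    def decide(self, src_sgt: int, dst_sgt: int, proto: str, dst_port: int) -> str:
        for ace in self.cells.get((src_sgt, dst_sgt), []):
            if ace.matches(proto, dst_port):
                return ace.action
        return self.default_action


def enforce(classifier: SgtClassifier, policy: SgaclPolicy,
            flow: Tuple[str, str, str, int]) -> Dict[str, object]:
    """Classify both ends of (src_ip, dst_ip, proto, dst_port), then apply the SGACL."""
    src_ip, dst_ip, proto, dst_port = flow
    src_sgt, dst_sgt = classifier.classify(src_ip), classifier.classify(dst_ip)
    return {"src_sgt": src_sgt, "dst_sgt": dst_sgt,
            "action": policy.decide(src_sgt, dst_sgt, proto, dst_port)}


def build_demo() -> Tuple[SgtClassifier, SgaclPolicy]:
    """Constructed three-tier policy: Web (10) -> App (20) on HTTPS, App -> DB (30)
    on SQL (assumed here to be TCP/1433), Web -> DB denied, as on slide 51."""
    cls = SgtClassifier()
    cls.map_subnet("10.1.10.0/24", 10)   # web servers
    cls.map_subnet("10.1.20.0/24", 20)   # application servers
    cls.map_subnet("10.1.30.0/24", 30)   # database servers
    cls.map_host("10.1.10.250", 20)      # a host mapping overriding its subnet
    pol = SgaclPolicy()
    pol.add(10, 20, [Ace("permit", "tcp", 443), Ace("deny")])
    pol.add(20, 30, [Ace("permit", "tcp", 1433), Ace("deny")])
    pol.add(10, 30, [Ace("deny")])
    return cls, pol


if __name__ == "__main__":
    classifier, policy = build_demo()
    for sample in [("10.1.10.5", "10.1.20.7", "tcp", 443),      # Web -> App HTTPS: permit
                   ("10.1.10.5", "10.1.30.9", "tcp", 1433),     # Web -> DB SQL: deny
                   ("10.1.10.250", "10.1.30.9", "tcp", 1433),   # host mapped as App: permit
                   ("192.0.2.44", "10.1.30.9", "tcp", 1433)]:   # unclassified source: deny
        print(sample, enforce(classifier, policy, sample))
```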
  • 53. Using SGACL and SG-FW Functions Together
    •  SGACLs on switches enforce policy within each risk level
    •  The ASA enforces policy between risk levels (with IP/SGT mappings supplied from the switch infrastructure over SXP)
    Diagram: Risk Level 1 (PCI_Web, PCI_App, PCI_DB, PCI_Users) and Risk Level 2 (LOB2_DB); ISE; SXP from the switches to the ASA.
  • 55. vIPS: Virtual Switch Inline and Passive Deployment Options
    Diagram: passive option using a promiscuous port on the vSwitch (Web-zone VLAN 200); inline option with the vIPS between an external vSwitch and an internal vSwitch (Web-zone VLAN 200).
  • 56. Application Security & Visibility: Service Chaining, ASAv and vIPS
    •  Stateful inspection with virtual ASA for north-south and east-west VM traffic
    •  Deep inspection with virtual IPS, inline with VLAN pairing
    •  Defense Center with FireSIGHT for application flow data
    Diagram: Nexus 7000 (VRF) - Nexus 5500 - UCS with Nexus 1000V in the hypervisor; .1Q trunk VLAN 50 (External) to the ASAv; vIPS inline sets (External / Internal pairs) in front of the Web-zone and Fileserver-zone, Internal VLAN 200.
  • 57. Application Security & Visibility: ASAv + vNGIPS Passive
    Diagram: Nexus 7000 (VRF) - Nexus 5500 - UCS with Nexus 1000V in the hypervisor; .1Q trunk VLAN 50 to the ASAv; vNGIPS monitoring the Web-zone (VLAN 200) and Fileserver-zone (VLAN 300) passively.
  • 58. Virtual Appliance Inline
  • 59. Virtual IDS Passive
  • 60. FireSIGHT Context Explorer: Application Security and Visibility
    View all application traffic. Look for risky applications. Who is using them? On what operating systems? What else have these users been up to? What does their traffic look like over time?
  • 61. Application Security & Visibility: Geo Location Information
  • 62. Application Security & Visibility: Defense Center with FireSIGHT
  • 63. Application Security & Visibility: Defense Center with FireSIGHT
  • 64. Physical Security Services for Virtualization
  • 65. ASA Firewalls and the Data Center Fabric
    •  ASA and Nexus Virtual Port Channel
       -  vPC ensures all active links are utilized (eliminates blocked STP links)
       -  ASA leverages DC redundancy technologies
       -  Unique integration of ASA and Nexus (LACP)
    •  The IPS module relies on ASA connectivity and provides DPI
    •  Validated design to provide segmentation, threat protection, visibility
    •  Transparent (recommended) and routed modes
    •  Works with both A/S and A/A failover
    Diagram: Core layer (Core IP1, Core IP2) - Aggregation layer (N7K vPC 40 and N7K vPC 41 joined by the vPC peer-link, ASA active and standby on vPCs) - Access layers (Nexus 1000V with vPath in the hypervisors).
  • 66. ASA Connecting to Nexus with vPC (best practices shown)
    •  ASA connected to Nexus using multiple physical interfaces on a vPC; the ASA can be configured to fail over after a certain number of links are lost (when using HA)
    •  Note that the vPC identifiers are different for each ASA on the Nexus switch (this changes with the ASA clustering feature and cLACP, not shown here)
    Diagram: DC Core/Edge (L3) - Aggregation layer (N7K vPC 40, N7K vPC 41, vPC peer link, FHRP, SVI VLAN 200 on each) - ASA pair (FW HA, ASA channel 32) - Access layer. Trunks carry VLAN 200 (North zone, Outside) and VLAN 201 (South zone, Inside).
  • 67. Transparent Mode Configuration in the DC (two interfaces)
    Physical interfaces bundled into the port-channel towards the vPC:
      interface TenGigabitEthernet0/6
        channel-group 32 mode active
        no nameif
        no security-level
      !
      interface TenGigabitEthernet0/7
        channel-group 32 mode active
        no nameif
        no security-level
      !
    Bridge group joining the outside (VLAN 200) and inside (VLAN 201) sub-interfaces:
      interface BVI1
        ip address 172.16.25.86 255.255.255.0
      !
      interface Port-channel32
        no nameif
        no security-level
      !
      interface Port-channel32.201
        mac-address 3232.1111.3232
        vlan 201
        nameif inside
        bridge-group 1
        security-level 100
      !
      interface Port-channel32.200
        mac-address 3232.1a1a.3232
        vlan 200
        nameif outside
        bridge-group 1
        security-level 0
    Diagram: North zone VLAN 200 (outside) with SVI VLAN 200 at 172.16.25.253 and 172.16.25.254 on the two N7Ks and FHRP 172.16.25.1; South zone VLAN 201 (inside) with a server in VLAN 201; ASA BVI 172.16.25.86/24; trunks allow VLANs 1,200,201 towards the N7Ks and 1,201 towards the access layer.
  • 68. Physical to Virtual
    •  Leverage the physical infrastructure to provide isolation and segmentation for the virtual
    •  Zones are used to define policy enforcement
    •  Physical infrastructure mapped per zone:
       -  Separate and dedicated routing tables per zone via VRF
       -  Firewall enforcement per zone maps north-south and east-west
       -  Layer 2 and Layer 3 path through physical services
    Diagram: Nexus 7000 with VRF Blue and VRF Purple, each with its own firewall, down through Nexus 5500 to Nexus 1000V instances in the hypervisors.
  • 69. Firewall & Virtual Environment: ASA Virtual Contexts for Inter-Zone VM Traffic Flows
    •  A firewall virtual context provides inter-zone East-West security
    Diagram (physical layout): Core - Aggregation - ASA 5585 pair with Context 1 and Context 2 in transparent mode - hypervisors hosting Front-End Apps and Database; East-West zone filtering between VLAN 20/21 (Context1) and VLAN 100/101 (Context2).
  • 70. Inspecting Inter-VLAN VM Traffic Flows: ASA with Bridge Groups within a Context
    •  Layer 2 adjacent VMs are switched locally (direct communication); inter-VLAN traffic crosses the ASA 5585 in transparent mode and the Layer 3 gateway (VRF or SVI) at the aggregation layer
    Gateway SVIs in the diagram: interface vlan 21 10.10.20.1/24; interface vlan 101 10.10.101.1/24
    ASA configuration (excerpt):
      interface TenGigabitEthernet0/6
        channel-group 32 mode active vss-id 1
        no nameif
        no security-level
      !
      interface TenGigabitEthernet0/7
        channel-group 32 mode active vss-id 2
        no nameif
        no security-level
      !
      interface BVI1
        ip address 10.10.20.254 255.255.255.0
      !
      interface Port-channel32
        no nameif
        no security-level
      !
      interface Port-channel32.20
        mac-address 3232.1111.3232
        vlan 20
        nameif inside
        bridge-group 1
        security-level 100
      !
      interface Port-channel32.21
        mac-address 3232.1a1a.3232
        vlan 21
        nameif outside
        bridge-group 1
        security-level 0
      …
    East-West VLAN filtering between VLAN 20 / VLAN 21 and VLAN 100 / VLAN 101.
  • 71. ASA Clustering Overview
    •  Clustering is only supported on the 5580, 5585 and 5500-X (the 5500-X supports clustering of two units)
    •  The CCL (cluster control link) is critical for the cluster; without it no clustering can occur
    •  A master is elected among cluster members for configuration sync only; it has no bearing on packet flow through the cluster itself
    •  New concept of a "spanned port-channel", i.e. a port-channel configuration that is shared among clustered ASAs
    •  The cluster has capacity for rebalancing flows
    •  All flows in the cluster have an Owner and a Director, and possibly a Forwarder
    •  The data plane of the cluster MUST use cLACP (spanned port-channel)
    Diagram: Core - Aggregation (vPC 40) - ASA cluster with cluster control link and vPC data plane.
  • 72. Firewall Clustering: ASA Clustering to Meet DC Requirements
    •  The cluster control link shares state and connection information among cluster members
    •  The cluster is functionally the same in either transparent or routed mode
    •  Cluster members are used for North-South and East-West inspection and filtering
    •  IPS relies on ASA clustering
    Diagram (physical layout): Core - Aggregation - ASA cluster of four ASA 5585s (Owner and Director roles) including Context 1 and Context 2 in transparent mode - hypervisors hosting Web Apps and Database.
  • 73. Firewall Section Summary
    •  Physical appliances and virtualized firewalls offer different options for security control in the DC
    •  Virtual firewalls (multi-context mode) are common for stateful control between VRFs and Nexus VDCs
    •  A transparent mode (L2) firewall offers many benefits without the constraints of routed mode: routing protocols, multicast, IPsec, etc. can all traverse it
    •  Use LACP for link aggregation in the DC
    •  Firewall clustering offers benefits for higher throughput and asymmetric flow reassembly
    •  Integration with emerging technologies, i.e. ACI
  • 74. Appliances Summary (NGIPS / App Control / NGFW / AMP)
    Chart of IPS throughput (440-byte HTTP) per appliance, from 50 Mbps up to 60 Gbps. Models shown: 7010, 7020, 7030, 7050, 7110, 7115, 7120, 7125, 8120, 8130, 8140, 8250, 8350, 8360, 8370, 8390, AMP 7150, AMP 8150, and the SSL1500, SSL2000 and SSL8200 appliances. Throughput marks on the chart: 50 Mbps, 100 Mbps, 250 Mbps, 500 Mbps, 750 Mbps, 1 Gbps, 1.25 Gbps, 1.5 Gbps, 2 Gbps, 4 Gbps, 6 Gbps, 10 Gbps, 15 Gbps, 30 Gbps, 45 Gbps, 60 Gbps.
    All appliances include: integrated lights-out management, Sourcefire acceleration technology, LCD display.
  • 75. What Platforms Support the FP Hardware Module? (maximum AVC and IPS throughput)
    Campus / Data Center:
      ASA 5585-SSP10: 2 Gbps NGFW, 500K connections, 40,000 CPS
      ASA 5585-SSP20: 3.5 Gbps NGFW, 1 M connections, 75,000 CPS
    Enterprise Internet Edge:
      ASA 5585-SSP40: 6 Gbps NGFW, 1.8 M connections, 120,000 CPS
      ASA 5585-SSP60: 10 Gbps NGFW, 4 M connections, 160,000 CPS
  • 76. Cisco Classic IPS Module in ASA
    Diagram: Data Center Core layer - DC Aggregation layer with ASA5585 + NGIPS FP service module in a cluster and ASA5585 + NGIPS FP service module in HA (Act/Stb) - DC Access layer (access & virtual access) - virtual servers and physical servers.
  • 77. Physical to Virtual Segmentation: Segmentation Building Blocks
    •  Merging physical and virtual infrastructure
    •  Zones are used to define policy enforcement
    •  Unique policies and traffic decisions applied to each zone
    •  Physical infrastructure mapped per zone: VRF, Nexus Virtual Device Context, VLANs, SGT
    Diagram (VRF - VLAN - Virtual): Nexus 7K with ASA contexts CTX1, CTX2, CTX3 mapped to VLAN pairs x1/x2, y1/y2, z1/z2 and SGTs; on the virtual side ASAv/VSG and vIPS per zone (Zone B, Zone C).
  • 78. Enhanced Visibility and Threat Defense for the Data Center
  • 79. Security Model: Attack Continuum
    BEFORE: Control, Enforce, Harden
    DURING: Detect, Block, Defend
    AFTER: Scope, Contain, Remediate
    Across Network, Endpoint, Mobile, Virtual and Cloud; point-in-time and continuous.
  • 80. Detection is Key to Respond and Recover (Source: Verizon 2012 Data Breach Investigation Report)
  • 81. Kill Chain: Post Breach
    1. Command and Control, 2. Reconnaissance, 3. Propagation, 4. Data Theft
    Diagram: threat detection at the perimeter (Firewall, IPS, Web Security, Network AV, Email Security) versus the network interior (routers, switches, firewall).
  • 82. Scalable Network Defense
    1. Command and Control, 2. Reconnaissance, 3. Propagation, 4. Data Theft
    Diagram: threat detection at the perimeter (Firewall, IPS, Web Security, Network AV, Email Security) extended into the network interior (routers, switches, firewall).
  • 83. Scalable Network Defense Today: Advanced Visibility & Investigation
    •  Partner with Lancope to deliver NetFlow visibility and security intelligence
    •  Enhance with identity, device and application awareness (Cisco ISE, Cisco ISR G2 + NBAR)
    Diagram: threat detection at the perimeter (Firewall, IPS, Web Sec, N-AV, Email Sec) complemented by NetFlow visibility from routers, switches and firewall.
  • 84. Cisco CTD Solution: Providing Scalable Visibility
    Drilling into a single flow yields a plethora of information.
  • 85. Flow-based Anomaly Detection
    1. Collect & analyze flows: number of concurrent flows, packets per second, bits per second, new flows created, number of SYNs sent, time of day, number of SYNs received, rate of connection resets, duration of the flow, and over 80 other attributes
    2. Establish a baseline of behaviors (thresholds per host group: critical servers, Exchange server, web servers, marketing)
    3. Alarm on anomalies and changes in behavior (anomaly detected in host behavior)
  • 86. Behavior-Based Attack Detection
    A high Concern Index indicates a significant number of suspicious events that deviate from established baselines.
      Host Groups | Host          | CI          | CI%    | Alarms             | Alerts
      Desktops    | 10.10.101.118 | 865,645,669 | 8,656% | High Concern Index | Ping, Ping_Scan, TCP_Scan
  • 87. StealthWatch Solution Components
    Components shown: Cisco network (NetFlow from routers and switches, NSEL from the ASA, Nexus 1000v), StealthWatch FlowSensor and FlowSensor VE (NetFlow), StealthWatch FlowCollector, StealthWatch Management Console, users/devices from Cisco ISE, NBAR application data, StealthWatch FlowReplicator feeding other tools/collectors.
  • 88. Cyber Threat Defence in the Data Center: Best Practices
    •  Very high volume of traffic (size the Flow Collector accordingly)
    •  With asymmetric traffic, all devices should send to the same collector
    •  SGT can be reported and seen via ISE
    •  Position the collectors at choke points to have full visibility of traffic
    •  Monitor the entrance to the DC with N7K or ASA
    •  Monitor virtual traffic with N1000v or FlowSensor VE
    •  Best practice is to offload NetFlow generation to external FlowSensors rather than doing it directly on the devices, to optimize performance
  • 89. Cisco NetFlow Generation Appliance (NGA)
    •  Offloads NetFlow generation to a dedicated high-performance appliance
    •  End-to-end flow information collected across multiple network observation points using SPAN and passive TAP
    •  Up to 6 destinations
    •  4x10G monitoring interfaces; 80M active flow cache; targets 200K flow records exported per second
    NGA: very high volume; fewer boxes and a more centralized deployment. Flow Sensor: less scalable; more capabilities such as deep packet inspection and URL data.
    Diagram: Data Center switch - SPAN or passive tap - Cisco NGA - NetFlow - StealthWatch FlowCollector - https - StealthWatch Management Console.
  • 90. Scalability
    •  Flow exporters: physical (routers, switches, firewall) and virtual (Nexus 1000v, FlowSensor, FlowSensor VE); up to 2000 exporters and/or 120,000 flows per second
    •  Flow collectors: StealthWatch FC for NetFlow; up to 25 collectors per StealthWatch System; 3 million flows per second scalability
    •  Management and reporting: StealthWatch Management Console with full redundancy between primary and secondary (x2)
    •  User interface: customizable views for the virtualization, network and security teams
  • 91. NetFlow Security Use Cases
    •  Revealing data loss: code can be hidden in the enterprise to export sensitive information back to the attacker; this data leakage may occur rapidly or over time.
    •  Identifying botnet command & control activity: botnets are implanted in the enterprise to execute commands from their bot herders to send spam, mount denial of service attacks, or perform other malicious acts.
    •  Detecting sophisticated and persistent threats: malware that makes it past perimeter security can remain in the enterprise waiting to strike as a lurking threat; these may be zero-day threats that do not yet have an antivirus signature, or may be hard to detect for other reasons.
    •  Finding internally spread malware: malware proliferation across hosts in the network interior can occur for the purpose of gathering security reconnaissance data, data exfiltration or network backdoors.
    •  Uncovering network reconnaissance: some attacks will probe the network looking for attack vectors to be utilized by custom-crafted cyber threats.
  • 92. Detecting Command and Control
    Periodic "phone home" activity
    NetFlow: what to analyze?
      • Countries
      • Applications
      • Uploads/downloads ratio
      • Time of day
      • Repeated connections
      • Beaconing – repeated dead connections
      • Long-lived flows
      • Known C&C servers
    StealthWatch method of detection: Host Lock Violation, Suspect Long Flow, Beaconing Host, SLIC Reputation Feed
  • 93. Detecting Command and Control
    Example alarm row (columns: Start Active Time, Alarms, Source User Name, Source, Source Host Groups, Target, Target Host Groups, Details):
      Start Active Time: Dec 11, 2012
      Alarms: Bot Infected Host – Attempted C&C Activity
      Source User Name: John Chambers
      Source: 1.1.1.1
      Source Host Groups: Sales and Marketing, Atlanta, Desktops
      Target: node1.bytecluster.com (209.190.85.12)
      Target Host Groups: Optima, United Kingdom
      Details: Attempted communication was detected between this inside host and a C&C server using port 80 and the TCP protocol
    Callouts: alarm indicating communication with known BotNet controllers; source IP address and username; target that triggered the alarm; details
  • 94. Identifying Reconnaissance Activity
    Long and slow activity to discover resources and vulnerabilities
    What to analyze:
      • High number of flows
      • High client byte ratio
      • One-way or unanswered flows
      • Flows within the subnet/host group
      • Flows to non-existent IPs
      • Flow patterns
      • Abnormal behaviour
    StealthWatch method of detection: Concern Index, High Traffic, High Connections, Trapped Hosts
  • 95. Identifying Reconnaissance Activity
    A high Concern Index indicates a significant number of suspicious events that deviate from established baselines.
    Example row (columns: Host Groups, Host, CI, CI%, Alarms, Alerts):
      Desktops | 10.10.101.118 | 865,645,669 | 8,656% | High Concern Index | Ping, Ping_Scan, TCP_Scan
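    The Concern Index logic of slides 94 and 95, as an added example that is not StealthWatch code: a toy scorer over constructed NetFlow-style records (the Flow dataclass, the weights and the 10.10.101.0/24 host group are assumptions) that rewards one-way flows, bare-SYN probes and fan-out inside the host group.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Flow:
    """Minimal NetFlow-style record; fields and values are constructed, not a real export."""
    src: str
    dst: str
    dport: int
    proto: str
    pkts: int
    tcp_flags: str          # e.g. "S" (bare SYN), "SA", "PA", "RA"

# Constructed sample: 10.10.101.118 sweeps its own /24 on tcp/445; only two targets answer.
SAMPLE = [Flow("10.10.101.118", f"10.10.101.{i}", 445, "tcp", 1, "S") for i in range(1, 40)]
SAMPLE += [Flow(f"10.10.101.{i}", "10.10.101.118", 445, "tcp", 1, "RA") for i in (5, 9)]
SAMPLE += [Flow("10.10.101.7", "10.10.101.50", 443, "tcp", 40, "PA"),      # ordinary session
           Flow("10.10.101.50", "10.10.101.7", 443, "tcp", 38, "PA")]

def concern_index(flows, host_group="10.10.101.0/24"):
    """Score each host in the group the way slides 94 and 95 describe: every flow
    counts a little, an unanswered (one-way) flow and a bare-SYN probe count more,
    and fan-out to many peers inside the host group counts most (assumed weights)."""
    group = ip_network(host_group)
    answered = {(f.dst, f.src) for f in flows}      # (a, b) present => b replied to a
    score, peers = defaultdict(int), defaultdict(set)
    for f in flows:
        if ip_address(f.src) not in group:
            continue
        peers[f.src].add(f.dst)
        score[f.src] += 1
        if (f.src, f.dst) not in answered:
            score[f.src] += 10                      # nobody listening: probe or dead IP
        if f.proto == "tcp" and f.tcp_flags == "S" and f.pkts <= 2:
            score[f.src] += 5                       # SYN-only flow, scan-like
    for host, p in peers.items():
        if len(p) >= 20:
            score[host] += 100                      # scan-wide fan-out within the group
    return dict(score)

def high_concern_hosts(flows, baseline=50):
    """Hosts whose concern index exceeds the baseline, highest first."""
    ci = concern_index(flows)
    return sorted(((h, s) for h, s in ci.items() if s > baseline), key=lambda x: -x[1])
```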
  • 96. Identifying Malware Propagation
    Discovered host answers and vulnerability exploited
    What to analyze:
      • High number of flows
      • High client byte ratio
      • Connections within the subnet/host group
      • Flow patterns
      • Abnormal behaviour
    StealthWatch method of detection: Concern Index, Target Index, Scanning Alarms, Touched Host, Worm Propagation Alarm, Worm Tracker
  • 97. Infection Tracking
    Initial infection -> Secondary infection -> Tertiary infection
  • 98. Detecting Data Loss
    Data is exported off the resource; an intermediary resource may be used to obfuscate the theft
    What to analyze:
      • Historical data transfer behaviour
      • Applications
      • Time of day
      • Countries
      • Amount of data – single and in aggregate
      • Time frames
      • Asymmetric traffic patterns
      • Traffic between functional groups
    StealthWatch method of detection: Suspect Data Loss Alarm, Suspect Long Flow Alarm, Beaconing Host Alarm
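    The beaconing check of slide 92 and the aggregate data-loss check of slide 98 together, as an added example that is not StealthWatch code: it runs over constructed flow tuples and assumes 10.0.0.0/8 is the inside address space, a 5% inter-arrival variation bound for beaconing and a 1 GB per hour outbound threshold for data loss.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL = ip_network("10.0.0.0/8")   # assumed address space of the "inside" hosts

# Constructed flow records (start_seconds, src, dst, bytes_sent_by_src); not a real export.
FLOWS = [(1000 + k * 300 + (k % 3) - 1, "10.1.1.20", "203.0.113.9", 420)     # tiny, every ~300 s
         for k in range(12)]
FLOWS += [(t, "10.1.1.21", "198.51.100.5", b)                               # ragged browsing
          for t, b in ((10, 8000), (40, 250000), (900, 3000))]
FLOWS += [(1800 + k * 60 + (k * 17) % 41, "10.1.1.30", "198.51.100.77", 45_000_000)
          for k in range(25)]                                               # ~1.1 GB out in 25 min

def is_beaconing(times, min_count=8, max_cv=0.05):
    """Periodic 'phone home': enough connections whose spacing barely varies
    (coefficient of variation of the inter-arrival gaps at or below max_cv)."""
    if len(times) < min_count:
        return False
    t = sorted(times)
    gaps = [b - a for a, b in zip(t, t[1:])]
    return mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv

def detect(flows, data_loss_bytes=1_000_000_000, window=3600):
    """Raise the two alarms the slides name: 'Beaconing Host' for a periodic
    inside->outside pair, and 'Suspect Data Loss' when one inside host pushes
    more than data_loss_bytes to outside addresses within any `window` seconds."""
    by_pair, out_by_host = defaultdict(list), defaultdict(list)
    for ts, src, dst, nbytes in flows:
        if ip_address(src) in INTERNAL and ip_address(dst) not in INTERNAL:
            by_pair[(src, dst)].append(ts)
            out_by_host[src].append((ts, nbytes))
    alarms = set()
    for (src, dst), times in by_pair.items():
        if is_beaconing(times):
            alarms.add(("Beaconing Host", src, dst))
    for host, xfers in out_by_host.items():
        xfers.sort()
        total, oldest = 0, 0
        for ts, nbytes in xfers:
            total += nbytes
            while ts - xfers[oldest][0] > window:       # drop flows that left the window
                total -= xfers[oldest][1]
                oldest += 1
            if total > data_loss_bytes:
                alarms.add(("Suspect Data Loss", host, None))
                break
    return alarms
```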
  • 99. Looking at abnormal traffic
  • 100. Looking at abnormal traffic
  • 101. Summary
    Provides rich context: unites NetFlow data with identity (Cisco ISE) and application ID (Cisco ISR G2/ASR1k + NBAR) to provide security context
    Leverages the Cisco network for security telemetry: NetFlow-enabled Cisco switches, routers and Cisco ASA become security telemetry sources; Cisco is the undisputed market leader in hardware-enabled NetFlow devices
    Provides threat visibility and context: a single pane of glass that unifies threat detection, visibility, forensics analysis, and reporting
    Pipeline: Cisco Network + NetFlow + FlowSensor + FlowCollector + StealthWatch Management Console -> Who, What, Where, When, How
    See also BRKSEC-2136 – Preventing Armageddon
  • 103. Summary: Defend, Detect, Control
    • Virtual network services
      – Extend policy
      – Extend visibility
      – Extend workflow
    • Leverage P-to-V fabric services to create unified policy
    • Assume both internal and external threats
    • ACI
      – Automatically instantiate security services and policies right with the application flows