1 - Talk 2 Cisco

Cisco Expo
2011
Zabezpečení datových
center s implementovanými
virtualizacemi
DC5 / L2
Martin Diviš – Cisco Systems, [email protected]
David Matějů – RSA, [email protected]
Cisco Expo
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
1
• Twitter
www.twitter.com/CiscoCZ
• Talk2cisco www.talk2cisco.cz/dotazy
• SMS
Cisco
ExpoExpo
Cisco
732 488 666
© 2011
Cisco
and/or
its affiliates.
All rights
reserved.
© 2011
Cisco
and/or
its affiliates.
All rights
reserved.
Cisco Public
2
• Tradiční pohled na síťovou bezpečnost v DC
• Odlišnosti fyzického a virtuálního prostředí
• Správa politik ve virtuálním prostředí
• Cisco Virtual Security Gateway – firewall pro prostředí VMware
• RSA – Řešení pro virtualizovaná datová centra
• Shrnutí
Cisco
ExpoExpo
Cisco
© 2011
Cisco
and/or
its affiliates.
All rights
reserved.
© 2011
Cisco
and/or
its affiliates.
All rights
reserved.
Cisco Public
3
Tradiční pohled na bezpečnost DC
BRKVIR-2011
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Public
4
FWSM
• Segmentace vnitřní sítě
Internal • Politika aplikovaná na VLAN
Security • Inspekce aplikačních protokolů
• Virtuální kontexty
ASA 55xx
Internet
Edge
• Filtrace externího provozu
• Aplikační inspekce
• VPN access, Threat mitigation
ASA 55xx
Cisco
ExpoExpo
Cisco
© 2011
Cisco
and/or
its affiliates.
All rights
reserved.
© 2011
Cisco
and/or
its affiliates.
All rights
reserved.
Cisco Public
5
Služby podpory aplikací
Enterprise Core
Server Health Monitoring
Server Load Balancing
TCP Reuse
SSL Termination
Application Acceleration
Bandwidth Optimization
NAT / PAT
TCP Optimization
Data Redundancy
Elimination
DC Core
DC Aggregation
Bezpečnostní a dozorové služby
DC Access
Access Control
Web Application Security
Intrusion Detection / Prevention
NetFlow
Traffic Analysis
Security Monitoring
Per port politiky
Access Control
Port security
Cisco
ExpoExpo
Cisco
Blade Chassis w/
Integrated Switch
Blade Chassis w/
Pass Thru
L2 w/ Clustering
and NIC Teaming
© 2011
Cisco
and/or
its affiliates.
All rights
reserved.
© 2011
Cisco
and/or
its affiliates.
All rights
reserved.
Mainframe
w/ OSA
L3 Access
Cisco Public
6
• 6 firevallů
• 6-14 loadbalancerů
• DC LAN infrastruktura
Vnější
DMZ
Application
Gateway
Customer Portal
• Obtížná správa
• Těžko udržitelná
konzistence pravidel
Vnitřní
DMZ
SRM
Composite App
• A co když budeme
potřebovat
implementovat další
aplikaci?
Corporate Portal
Vysoce
bezpečná
zóna
ERP
BI
BI DB
Cisco
ExpoExpo
Cisco
© 2011
Cisco
and/or
its affiliates.
All rights
reserved.
© 2011
Cisco
and/or
its affiliates.
All rights
reserved.
Cisco Public
7
Adaptive Security Service
Module (ASA-SM)
ASA 8855 Appliance
• Až 20 Gbps multi-protocol
firewall
• Firewal služby
• 16 Gbps per blade, 4x
rychlejší než FWSM
• Výborná price/performance
• Konzistence s produktovou
řadou ASA
• Firewall a IPS až 10 Gbps
• Až 10,000 uživatelů remote
access VPN
• Investment Protection
• Škálovatelné chassis
• FW a VPN zároveň
• 60 Gbps backplane pro
budoucí rozšíření
Cisco
ExpoExpo
Cisco
© 2011
Cisco
and/or
its affiliates.
All rights
reserved.
© 2011
Cisco
and/or
its affiliates.
All rights
reserved.
Cisco Public
8
Změny, které přináší virtualizace
serverů a desktopů
BRKVIR-2011
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Public
9
“I'm not after servers.
I'm after virtualization,
where you don't know where your
processors are,
your information's stored,
the application resides.
You don't care”.
Cisco
ExpoExpo
Cisco
© 2011
Cisco
and/or
its affiliates.
All rights
reserved.
© 2011
Cisco
and/or
its affiliates.
All rights
reserved.
Cisco Public
10
• Virtualizace – mizící port
• Širší L2 domény, L2 DC interconnect
• Desktop v DC
• DC perimetr
Cisco
ExpoExpo
Cisco
© 2011
Cisco
and/or
its affiliates.
All rights
reserved.
© 2011
Cisco
and/or
its affiliates.
All rights
reserved.
Cisco Public
11
Virtual networking a správa politik
BRKVIR-2011
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Public
13
• 1. vMotion přnáší VMs mezi
fyzickými porty—politiky
musí následovat
2. Viditelnost a aplikace politik
pro lokálně přepínaný provoz
Port
Group
3. Potřeba rozdělení pravomocí
mezi správce sítě a serverů
Security
Admin
Server Admin
Network Admin
Cisco
ExpoExpo
Cisco
© 2011
Cisco
and/or
its affiliates.
All rights
reserved.
© 2011
Cisco
and/or
its affiliates.
All rights
reserved.
Cisco Public
14
VN-Link – princip řešení
• Rozšíření sítě k virtuálním strojům
• Vyžaduje nové funkce v LAN prostředí
Virtual Ethernet Interface
Port Profiles
Mobilitu virtuálních rozhraní
Konzistentní model správy
• Řešení integrované s hypervisorem
vETH
© 2010 Cisco and/or its affiliates. All rights reserved.
vETH
Cisco Confidential
15
VN-Link
VN-Link in
Software (dnes)
© 2010 Cisco and/or its affiliates. All rights reserved.
VN-Link in
Hardware (dnes na
VN-Link in Hardware
w/VM DirectPath (dnes
UCS)
na UCS)
Cisco Confidential
16
Cisco VN-Link: Virtual Network Link
VM
VM
VM
VM
VM
VM
VM
VM
Port Profiles
WEB Apps
HR
Nexus
1000V
VEM
Nexus
1000V
VEM
DB
vSphere
vSphere
DMZ
VM Connection Policy
•
Defined in the network
•
Applied in Virtual Center
•
Linked to VM UUID
vCenter
© 2010 Cisco and/or its affiliates. All rights reserved.
Nexus 1000V VSM
Cisco Confidential
17
Cisco VN-Link: Virtual Network Link
VM
VM
VM
VM
VM
VM
VM
VM
VM
VM
VM
VM
VMs Need to Move
•
VMotion
•
DRS
•
SW Upgrade/Patch
•
Hardware Failure
Nexus
1000V
VEM
Nexus
1000V
VEM
vSphere
vSphere
Property Mobility
•
VMotion for the network
•
Ensures VM security
•
Maintains connection state
vCenter
© 2010 Cisco and/or its affiliates. All rights reserved.
Nexus 1000V VSM
Cisco Confidential
18
n1000v# show port-profile name WebProfile
port-profile WebServers-PP
description:
status: enabled
capability uplink: no
system vlans:
port-group: WebServers
config attributes:
switchport mode access
switchport access vlan 110
no shutdown
evaluated config attributes:
switchport mode access
switchport access vlan 110
no shutdown
assigned interfaces:
Veth10
Cisco
ExpoExpo
Cisco
© 2011
Cisco
and/or
its affiliates.
All rights
reserved.
© 2011
Cisco
and/or
its affiliates.
All rights
reserved.
Funkce zahrnují příkazy pro:
 Port management
 VLAN
 PVLAN
 Port-channel
 ACL
 Netflow
 Port Security
 QoS
Cisco Public
19
Cisco
ExpoExpo
Cisco
© 2011
Cisco
and/or
its affiliates.
All rights
reserved.
© 2011
Cisco
and/or
its affiliates.
All rights
reserved.
Cisco Public
20
Switching
Bezpečnost
Síťové služby
Administrace
Analyzovatelnost
Správa
© 2010 Cisco and/or its affiliates. All rights reserved.

L2 Switching, 802.1Q Tagging, VLAN Segmentation, Rate Limiting (TX)

IGMP Snooping, QoS Marking (COS & DSCP), Class-based WFQ

Policy Mobility, Private VLANs w/ local PVLAN Enforcement

Access Control Lists (L2–4 w/ Redirect), Port Security

Dynamic ARP inspection, IP Source Guard, DHCP Snooping

Virtual Services Datapath (vPath) support for traffic steering & fast-path
off-load [leveraged by Virtual Security Gateway (VSG) and vWAAS]

Automated vSwitch Config, Port Profiles, Virtual Center Integration

Optimized NIC Teaming with Virtual Port Channel – Host Mode

VMotion Tracking, NetFlow v.9 w/ NDE, CDP v.2

VM-Level Interface Statistics

SPAN & ERSPAN (policy-based)

Virtual Center VM Provisioning, Cisco Network Provisioning, CiscoWorks

Cisco CLI, Radius, TACACs, Syslog, SNMP (v.1, 2, 3)

Hitless upgrade, SW Installer
Cisco Confidential
21
Virtual Network Services
BRKVIR-2011
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Public
22
1
Přesměrovat provoz z VM
pomocí VLAN na fyzické zařízení
Web
Server
App
Server
Database
Server
Hypervisor
2
Využít možností
virtuálního prostředí
Web
Server
App
Server
Database
Server
Hypervisor
VLANs
Virtual Contexts
VSN
VSN
Virtual Service Nodes
Traditional Service Nodes
Cisco
ExpoExpo
Cisco
© 2011
Cisco
and/or
its affiliates.
All rights
reserved.
© 2011
Cisco
and/or
its affiliates.
All rights
reserved.
Cisco Public
23
Policy
framework
Security
Application
Acceleration
Application
Delivery
Network
Analysis/
Monitoring
…
ANY
SERVICE
…..
Dedicated
(Hardware coupled)
Dynamic
“On-demand”
Feature
Consistency
Appliance
Workload
mobility
Module
Network
Integrated
Compute
Virtual
Cloud
ANY
DELIVERY MECHANISM
ANY
FORM FACTOR
ANY
ENVIRONMENT
Flexibilita a možnost volby podle potřeb
Cisco
ExpoExpo
Cisco
© 2011
Cisco
and/or
its affiliates.
All rights
reserved.
© 2011
Cisco
and/or
its affiliates.
All rights
reserved.
Cisco Public
24
Virtual Security Gateway (VSG)
BRKVIR-2011
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Public
25
Virtual
Security
Gateway
(VSG)
Virtual Network
Management
Center
(VNMC)
Cisco
ExpoExpo
Cisco
Context aware
Security
pravidla zohledňují kontext VM
Zone based
Controls
Zóny vzájemné důvěry
Dynamic, Agile
Politiky následují VM
Best-in-class
Architecture
Efektivní škálovatelná
architektura
Non-Disruptive
Operations
Security team spravuje
bezpečnost
Policy Based
Administration
Central mgmt, škálovatelné prostředí,
multi-tenancy
Designed for
Automation
XML API, bezpečnostní profily
© 2011
Cisco
and/or
its affiliates.
All rights
reserved.
© 2011
Cisco
and/or
its affiliates.
All rights
reserved.
Cisco Public
26
Cisco
VSG
Cisco
VSG
• Není třeba implementovat služby na
každém hostu
• Seprátní plánování kapacit
• Jednodušší implemetance několika
týmy (server, network, security atd.)
Cisco
ExpoExpo
Cisco
© 2011
Cisco
and/or
its affiliates.
All rights
reserved.
© 2011
Cisco
and/or
its affiliates.
All rights
reserved.
Cisco Public
27
27
VM
VM
VM
VM
VM
VM
VM
VM
VM
VNMC
VM
VM
VM
VM
VM
VM
VM
VM
VM
VM
4
Nexus 1000V
vPath
Distributed Virtual Switch
Zapamatování
rozhodnutí
1
Cisco
ExpoExpo
Cisco
Iniciální paket
datového toku
© 2011
Cisco
and/or
its affiliates.
All rights
reserved.
© 2011
Cisco
and/or
its affiliates.
All rights
reserved.
2 Flow Access
VSG
3
Control
Log/Audit
Cisco Public
28
VM
VM
VM
VM
VM
VM
VM
VM
VM
VNMC
VM
VM
VM
VM
VM
VM
VM
VM
VM
VM
Nexus 1000V
vPath
Distributed Virtual Switch
ACL offload na
Nexus 1000V
(policy enforcement)
Další pakety
datového toku
Cisco
ExpoExpo
Cisco
© 2011
Cisco
and/or
its affiliates.
All rights
reserved.
© 2011
Cisco
and/or
its affiliates.
All rights
reserved.
VSG
Log/Audit
Cisco Public
29
vCenter
pomocí atributů
VM/Network
VNMC
PortGroup
VSM
Pravidla na základě
podmínek Zones /
Network
Definice
zón
Vytvořit bezpečnostní
profil ze sady politik
Definice
politik
Vytvořit
bezpečnos
tní profil
Port Profile
Ochrana
Navázat bezpečnostní
profil na profil portu
Přiřadit
nájemci
VSG
Přiřadit určitou
VSG „nájemci“
nebo organizaci
Cisco
ExpoExpo
Cisco
© 2011
Cisco
and/or
its affiliates.
All rights
reserved.
© 2011
Cisco
and/or
its affiliates.
All rights
reserved.
Cisco Public
30
Attribute Type
Network
VM
Custom
Operator
Operator
VM Attributes
Network Attributes
eq
member
Instance Name
IP Address
neq
Not-member
Guest OS full name
Network Port
gt
Contains
Zone Name
lt
Parent App Name
range
Port Profile Name
Not-in-range
Cluster Name
Prefix
Hypervisor Name
Cisco
ExpoExpo
Cisco
© 2011
Cisco
and/or
its affiliates.
All rights
reserved.
© 2011
Cisco
and/or
its affiliates.
All rights
reserved.
Cisco Public
31
Tenant A
VDC
Tenant B
vApp
vApp
vPath
Nexus 1000V
vSphere
Zóny definují granularitu množin virtuálních strojů
 Nájemce / organizace
 VDC
 vApp
Cisco
ExpoExpo
Cisco
© 2011
Cisco
and/or
its affiliates.
All rights
reserved.
© 2011
Cisco
and/or
its affiliates.
All rights
reserved.
Cisco Public
32
bezpečnostního profilu
porten profilu
Cisco
ExpoExpo
Cisco
© 2011
Cisco
and/or
its affiliates.
All rights
reserved.
© 2011
Cisco
and/or
its affiliates.
All rights
reserved.
Cisco Public
33
• Politiky aplikované na zóny s VM
VSG
Virtual
• Dynamické, škálovaletné
Security • Pravidla založená na kontextu
VM
FWSM
• Segmentace vnitřní sítě
Internal • Politika aplikovaná na VLAN
Security • Inspekce aplikačních protokolů
• Virtuální kontexty
ASA 55xx
Internet
Edge
• Filtrace externího provozu
• Aplikační inspekce
• VPN access, Threat mitigation
ASA 55xx
Cisco
ExpoExpo
Cisco
© 2011
Cisco
and/or
its affiliates.
All rights
reserved.
© 2011
Cisco
and/or
its affiliates.
All rights
reserved.
Cisco Public
34
RSA
BRKVIR-2011
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Public
35
Bezpečnost infrastruktury a dat
ve virtuálním prostředí
David Mateju
RSA, The Security Division of EMC
[email protected]
RSA – Sada řešení (nejen) pro virtuální prostředí
Řízení přístupu
•
Silná dvoufaktorová a multifaktorová autentizace pro uživatele
a administrátory
Ochrana citlivých dat před jejich únikem
•
Na úložištích, na síti, na virtuálních desktopech
Bezpečnostní monitoring celé virtualizované infrastruktury
•
Kompletní SIEM řešení plnící roli Security Operations Center
Audit a a zajištění shody s legislativou a interními předpisy
•
eGRC (Governance, Risk, Compliance) platforma pro kontinuální
řízení podniku z pohledu bezpečnosti, procesů, služeb, zdrojů, atd.
RSA, The Security Division of EMC
1st
Authentication
Leader
Leader
Leader
Leader
Data Loss
Prevention
Web Fraud
Detection
SIEM
eGRC
RSA – Ochrana citlivých dat
Policy
Management
System
Administration
RSA DLP
Enterprise Manager
Policies
DLP Datacenter
DLP Network
Reporting &
Dashboard
Incident
Workflow
Incidents
DLP Endpoint
Discover sensitive data
from everywhere
Monitor all traffic for
sensitive data
Discover sensitive data
and Monitor
user actions
Enforce controls on
sensitive data
Enforce controls on
sensitive transmissions
Enforce controls on
both data and user
actions
Third Party Enforcement Controls
DLP SDK
Partners
Solutions
(DLP as a
add-on)
RSA DLP – Cisco IronPort
1
Cisco IronPort RSA Email
DLP add-on
1
•RSA Email DLP software add-on pro IronPort C-Series V7.0
•Produkt Cisco založen na RSA DLP SDK & politikách
Cisco IronPort C-Series
2
Integrace RSA DLP Enterprise
Manager
1
•Integrace mezi Cisco IronPort’s RSA Email DLP add-on
a RSA DLP Enterprise Manager
•Společný produkt Cisco a RSA
Cisco IronPort’s
RSA Email DLP
(add-on)
RSA DLP
Enterprise
Manager
•Dostupný v 2. polovině 2011
3
Interoperabilita s RSA 1DLP ICAP serverem
•Interoperabilita mezi IronPort S-Series
(ICAP Interface V6.3) a RSA DLP Network ICAP Server
•Přináší DLP funkčnost pro webový provoz díky
připojenému modulu RSA DLP Network.
Cisco IronPort S-Series
RSA DLP Network ICAP Server
Pokud již máte Cisco IronPort C-Series ...
... zapněte RSA Email DLP add-on
... případně rozšiřte o DLP pro web, datové centrum
a koncová zařízení
RSA DLP Enterprise Manager
Cisco IronPort C-Series
RSA DLP Datacenter
RSA DLP Endpoint
RSA DLP NW Web
RSA – Bezpečnostní monitoring (SIEM)
RSA enVision SIEM Plaform
•
Sběr a bezpečné uchování logů z infrastruktury
• Aktuálně podporováno přes 20 Cisco zařízení včetně MARS
•
Korelace, alerty, notifikace, reporty
Ukázky z praxe – SIEM pro VMware
Applying Patch to
Production System
Unauthorized
Administrator
Scenario
Apply Patch to Production System - Before
Production Datacenter
Test Environment
HR Application Server VM
HR Application Server VM
PATCH
PATCH
HR Database Server VM
HR Database Server VM
HRDB
HRDB
Name, SSN, DoB, etc
Name, SSN, DoB, etc
Is the test environment
IsAthis
an
Who
accessed
the
Was the VM
virtual
environment
1 Clone
common way
to apply
patches
is
to
try
them
out
in
a
test
environment
sufficiently
protected
&
Test Patch
to production
environment
authorized 3 Apply Patch 2
data
in the test
destroyed after it
controlled?
In a virtual
world
you
can
clone
the
system,
data
and
all
This is difficult and time-consuming
in a production
procedure?
environment?
was used?
environment, but very easy in a virtual environment
Scenario
Apply Patch to Production System - After
Production Datacenter
Test Environment
HR Application Server VM
HR Application Server VM
PATCH
PATCH
HR Database Server VM
HR Database Server VM
HRDB
HRDB
Name, SSN, DoB, etc
Name, SSN, DoB, etc
Test Patch
Clone
virtual
environment
environment
3 Apply1Patch
2to production
VM Cloned
VM Cloned
RSA enVision
can log the
administrative
activity from
Patch Applied
vCenter, like the VM being cloned
RSA enVision
IfPatch
this is out
of policy
Applied
we of
can
alert
security
Monitoring
the
testaenvironment
VM
Deleted
ensuresanalyst
protection of data
Scenario
Unauthorized Administrator/Mis-Configuration
PCI Network
Non-PCI Network
Retail Store Management
Virtual Machine
Transaction Management
Application
Transaction DB
Credit Card numbers
In a PCI environment, you
Suppose permissions are set up
needVM
to validate
Movedthat only
incorrectly, and an unauthorized
authorized
administrators
by kpbrady
administrator
can move a VM
are modifying the system
46
RSA enVision
Authorized
PCI Admin?
If the enVision
RSA
administrator
RSA enVision
can check
islogs
not what
against
authorized,
activities
a “watchlist”
RSA
of authorized
enVision
were
can
performed
alert
PCI administrators
a security
and byanalyst
whom
Active
Directory
RSA enVision SIEM In Action At a SOC
EMC Critical Incident Response Center
RSA – Audit a zajištění shody s legislativou
Jsme zabezpečeni?
Jsme v souladu se zákony?
Kde máme mezery?
Jak máme prioritizovat?
RSA – Audit a zajištění shody s legislativou
RSA Solution for Cloud Security and Compliance
Automated
Measurement
Agent
VI Component Discovery and Population
VI Configuration Measurement
VMware-specific
Controls
alerts
RSA Archer eGRC
RSA enVision
50
Compliance across Physical and Virtual
Infrastructure
RSA Archer eGRC
• Virtualizace serverů a desktopů představuje nový fenomén pro
bezpečnost DC
Chceme zpět svůj port!
Desktop v DC je stále desktop
• Bezpečnost není jen o síťové vrstvě a protokolech
• Koncept víceúrovňové bezpečnosti
• Autentizace, řízení přístupů
• Ochrana dat
• Shoda s legislativními a interními požadavky
Cisco
ExpoExpo
Cisco
© 2011
Cisco
and/or
its affiliates.
All rights
reserved.
© 2011
Cisco
and/or
its affiliates.
All rights
reserved.
Cisco Public
54
• Twitter
www.twitter.com/CiscoCZ
• Talk2Cisco www.talk2cisco.cz/dotazy
• SMS
732 488 666
Zveme Vás na Ptali jste se… v sále TAURUS, 17:45 – 18:30
Cisco
ExpoExpo
Cisco
© 2011
Cisco
and/or
its affiliates.
All rights
reserved.
© 2011
Cisco
and/or
its affiliates.
All rights
reserved.
Cisco Public
55
Kód přednášky
Prosíme, ohodnoťte
tuto přednášku.
Cisco
ExpoExpo
Cisco
© 2011
Cisco
and/or
its affiliates.
All rights
reserved.
© 2011
Cisco
and/or
its affiliates.
All rights
reserved.
Cisco Public
56