PLNOG 8: Gaweł Mikołajczyk - Securing the Cloud Infrastructure - from Hypervisor to the Edge
0 likes26 views
This document discusses securing cloud infrastructure from the hypervisor to the edge. It covers three dimensions: security for cloud infrastructure, security for cloud access, and commercial cloud security services. It provides examples of implementing security controls at different layers, including at the virtual access layer, hypervisor layer, and cloud edge. Virtual security appliances and segmentation techniques are also described.
![© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 5
VMNIC #1
vEth vEth
Virtualization
Security
V-Motion
(Memory)
V-Storage
(VMDK)
VM
Segmentation
Hypervisor
Security
Role
Based
Access
Physical
Security
VM OS
Hardening
Patch
Management
VM
Sprawl
VMNIC #2
Real case: [...] It looks the O&M firewall is not filtering the ARP traffic
the right way. This allows a VM to connect to any other VM through the
O&M network after injecting malicious ARP traffic. This happens even
if the destination VM belongs to a different tenant VDC [...]](https://image.slidesharecdn.com/gawelmikolajczyksecuringthecloud-190619122403/85/PLNOG-8-Gawel-Mikolajczyk-Securing-the-Cloud-Infrastructure-from-Hypervisor-to-the-Edge-5-320.jpg)
PLNOG 8: Gaweł Mikołajczyk - Securing the Cloud Infrastructure - from Hypervisor to the Edge
- 1. Cisco Public 1© 2011 Cisco and/or its affiliates. All rights reserved. Securing the Cloud Infrastructure – from Hypervisorto the Edge Gaweł Mikołajczyk gmikolaj@cisco.com Security Consulting Systems Engineer EMEA Central Core Team CCIE #24987, CISSP-ISSAP, CISA PLNOG8, March 5, 2012, Warsaw, Poland
- 2. © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 2 Policy Corporate Border Branch Office Applications and Data Corporate Office Home Office Attackers Coffee ShopCustomers Airport Mobile User Partners Platform as a Service Infrastructure as a Service X as a Service Software as a Service Trzy wymiary : dla Infrastruktury w chmurze, dla dostępu do chmury, komercyjne usługi bezpieczeństwa w chmurze.
- 3. © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 3 Prywatny VPN MPLS lub IPSec / SSL NEXUS 1000v NAS Data Center Core Tenant A Tenant B Sub Tenant B1 i B2 WAN Compute Dostęp Usługi Agregacja Edge Dostęp L2 lub L3 Tenant per VRF Mapowanie VRF / VLAN do vFW/LB VRF do unikalnego VLAN Mapowanie do VM
- 4. Cisco Public 4© 2011 Cisco and/or its affiliates. All rights reserved.
- 5. © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 5 VMNIC #1 vEth vEth Virtualization Security V-Motion (Memory) V-Storage (VMDK) VM Segmentation Hypervisor Security Role Based Access Physical Security VM OS Hardening Patch Management VM Sprawl VMNIC #2 Real case: [...] It looks the O&M firewall is not filtering the ARP traffic the right way. This allows a VM to connect to any other VM through the O&M network after injecting malicious ARP traffic. This happens even if the destination VM belongs to a different tenant VDC [...]
- 6. © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 6 Warstwa dostępu wirtualnego powinna oferować przynajmniej takie same mechanizmy bezpieczeństwa Layer-2 jak w fizycznym DataCenter : Access Lists, Dynamic ARP Inspection, DHCP Snooping, IP Source Guard, Port Security, Private VLANs, Layer-2 storm control, Rate-Limiters, VXLAN Bez tych mechanizmów, konsekwencje ataków na infrastruktuę sieciową, (biorąc pod uwagę skalę - tysiące VM) są katastrofalne. Widoczność w warstwie 2 można osiągnąć przez: NetFlow Collection SPAN, RSPAN or ERSPAN 1/ 7
- 7. © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 7 port-profile vm180 vmware port-group pg180 switchport mode access switchport access vlan 180 ip flow monitor ESE-flow input ip flow monitor ESE-flow output no shutdown state enabled interface Vethernet9 inherit port-profile vm180 interface Vethernet10 inherit port-profile vm180 Port Profile –> Port Group vCenter API
- 8. © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 8 10.20.20.50 10.20.30.10110.20.20.51 vPC Peer-link VSL vPC Service VLANs Nexus 1000V and VSG Nexus 7000 Nexus 5000 ESX Server ASA 5585 Cat 6500 monitor session 2 type erspan- source description N1k ERSPAN –session 2 monitor session 4 type erspan- destination description N1k ERSPAN to IDS1 monitor session 1 type erspan- source description N1k ERSPAN – session 1 monitor session 3 type erspan- destination description N1k ERSPAN to NAM NAM
- 9. Cisco Public 9© 2011 Cisco and/or its affiliates. All rights reserved.
- 10. © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 10 Hypervisor Appliance i moduły fizyczne Konteksty wirtualne VLANs Hypervisor Przekierowanie ruchu z VM do fizycznych urządzeń 1 App Server Database Server Web Server Usługi bezpieczeństwa na poziomie hypervisora 2 App Server Database Server Web Server VSN Appliance wirtualne VSN
- 11. © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 11 Sandwich usługowy między VDC • ASA Service Module Konteksty wirtualne Tryb Transparentny / mixed • ACE LB Tryb transparentny • Web Application Firewall Farma firewalli • Network IPS/IDS Inline lub promiscuous N7k1-VDC1 N7k1-VDC2 ASA-SM 2 ASA-SM 1 ACE hsrp.1 IPS 162 161 163,164 WAF 190 SS1 SVI-151 vrf1 vrf2
- 12. Cisco Public 12© 2011 Cisco and/or its affiliates. All rights reserved.
- 13. © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 13 Security Administrator Port Group Service Administrator Virtual Network Management Center Virtual Security Gateway - VSG Cisco Nexus® 1000V z mechanizmem vPath • Rozproszony przełącznik • Część hypervisora Host • Cisco UCS • Other x86 server
- 14. © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 14 Nexus 1000V Distributed Virtual Switch VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VMVM VM vPath VNMC Log/Audit Początkowy flow VSG 1 Początkowa ewaluacja polityki 2 Cache decyzji 3 4 1 2 3 4
- 15. © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 15 Nexus 1000V Distributed Virtual Switch VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VMVM VM vPath VNMC Log/Audit VSG Pozostałe pakiety ACL offload do Nexus 1000V (wymuszenie polityki)
- 16. © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 16 VSG: Security Profile to Port Profile
- 17. Cisco Public 17© 2011 Cisco and/or its affiliates. All rights reserved.
- 18. © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 18 Egress SGT=100 Pracownik, grupa HR HR (SGT=100) Ingress SGT Finance (SGT=4) 802.1X/MAB/Web Auth HR SGT = 100 SGACL • TrustSec to rozwiązanie o charakterze systemowym • Overlayowe tagowanie SGT na wejściu do sieci LAN/WAN/VPN • Wymuszenie polityki bezpieczeństwa przez SGACL na wyjściu • Centralnie przechowywane reguły SGT/SGACL dają spójność
- 19. © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 19 TAG oparty o rolę: 1. Urządzenie uwierzytelnia się do sieci via 802.1X 2. ISE wysyła TAG jako wynik autoryzacji – bazuje on na roli użytkownika/urządzenia 3. Przełącznik dostępowy aplikuje TAG do ruchu użytkownika 4. Dodatkowe pola w ramkach L2 Ethernet lub propagacja mapowania OOB przez protokół SXP
- 20. Cisco Public 20© 2011 Cisco and/or its affiliates. All rights reserved.
- 21. © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 21 Chmura prywatna / publiczna Pracownik Spacely Sprockets SPACELY SPROCKETS Central Office Database Server ASA Appliance ASA1000V VSGWeb Server
- 22. Cisco Public 22© 2011 Cisco and/or its affiliates. All rights reserved.
- 23. © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 23 v Catalyst 6500 SERVICES Centralized Security and Application Service Modules and Appliances can be applied per zone ASA ACE IPS Nexus 7018 Nexus 7018 Data Center Distribution Data Center Core Internet Edge Nexus 5000 Series 10Gig Server Rack Nexus 2100 Series vPC Zone Multi-Zone VDC Nexus 7000 Series 10Gig Server Rack vPC Unified Computing System Nexus 1000V Zone Unified Compute NAM vPC vPC vPC vPCvPCvPC VSS Stateful Packet Filtering Network Intrusion Prevention Server Load Balancing Flow Based Traffic Analysis – Network Analysis Module Access Edge Security ACL, Dynamic ARP Inspection, DHCP Snooping, IP Source Guard, Port Security, Private VLANs, QoS Web and Email Security SAN Network Foundation Protection Virtual Service Nodes
- 24. © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 24