The Cloud Ate My Network!
Security for Virtual Networks
Eric Hanselman, 451 Research
Session ID: TECH-R33
Session Classification: Intermediate
Clouds Are Wonderful
► Definition is foggy
► Cloud versus virtualization
► They do some wacky things to networks.
► Obscuration is an issue
► Flexibility should be a plus
► Scale should be a plus
But Can Also be Disruptive…
What This Session Covers
► Cloud and virtual networking
► Some conflating of issues
► Traditional enterprise architecture migration
► Network security focus
► An overview of the options
► There won’t be time to cover them all in depth
► Mostly focusing on monitoring and segregation
► Might accidentally talk about availability…
► Q&A
Typical Enterprise Goals
► Network security tasks
► Confidentiality/access control
► Firewalls, VPNs, ACLs
► Integrity/regulatory
► More firewalls, WAF
► IDS/IPS
► Monitoring, recording
► Availability
► Monitoring and recording
► Proactive
► Capacity/trending
► Reactive
► Troubleshooting
Traditional Approaches
► Expectations of physical access
► Natural aggregation
► Fixed location
► Techniques have been built around cables and ports
► Access controls
► Network segmentation
► Isolation
► Monitoring and recording
► Lots of SPAN ports
Why Use Network Security?
► Host-based capabilities could be simpler
► In a cloudy world
► Historic reasons still matter
► It’s independent
► It’s activity-based
► It’s the only thing I own!
How To Replicate This
► A typical monitoring architecture
In a World Like This
Virtual Networks Offer Hope
► More flexible configuration
► Connection automation
► Tied to orchestration
► Locality
► Tied to compute instances
► No more SPAN ports!
What Could Possibly Go Wrong?
► There’s a gap!
► Transitioning is complex
► Physical infrastructure
► Existing tools and techniques
► Virtual networks
► Limited tools
► Limited access
► Convergence/consolidation
► Scale
How to Cope?
► Replicate capabilities locally
► Equivalent functionality
► Replicate capabilities externally
► Coverage and scale
► Push traffic somewhere else
► Reconnecting the tubes
► Change tactics
► Some answers can be found in clouds
► Or hosts…
Replicate Capabilities Locally
► Firewalls and ACLs
► Finding equivalents
► Vendor-specific functionality
► Managing different implementations
► Aligning policies
► Correlating events
► IDS/IPS
► Scale in virtual implementation
► More instances
► Managing different implementations
► Aligning policies
► Correlating events
Replicate Capabilities Externally
► Access networks
► Can work for external access controls
► WAF
► Some malicious behavior
► Harder to make application-specific
► No internal visibility
► Cloud-based monitoring
► Might be closer (topologically)
► Potential to scale
Push Traffic Somewhere Else
► Clouds
► Hard to do
► Hypervisors
► Finding virtual edges
► Physical network access
► Build conduits
► Assigned VLANs
► Virtual taps
SPAN Ports Are Dead!
► Long live SPAN ports!
► Still the most universal mechanism
► Don’t forget the physical network!
► Routing monitoring traffic
► VLANs
► Dedicated for monitoring
► Works at low scale
► Virtual monitoring
► Management scale
► Have to manage sprawl
► Data access monitoring
► Better filtering
► Helping to manage scale
Reestablishing Paths
Platform notes:
Vendor        Platform                    Notes
VMware        VDS                         SPAN ports
Cisco         Nexus 1000v                 SPAN, ERSPAN
Cisco         Virtual Security Gateway
Juniper       vGateway                    Kernel module
IBM           5000v                       SPAN, ERSPAN
Microsoft     Hyper-V Extensible Switch
Open source   Open vSwitch                Mirroring, SPAN, RSPAN
HP            vController                 Kernel module
NetOptics     Virtual Tap                 Kernel module
Gigamon       GigaVUE-VM                  VM based
General Concepts
► Where do they integrate?
► Switch port taps
► Switch integration
► VM integration
► Hypervisor kernel
► Deployed footprint
► Management VMs
► Per host
► Hypervisor support
► IPv6 support…
VMware
► Simple capabilities
► vShield provides screening functionality
► No traffic mirroring
vSphere Distributed Switch details:
  Type: Switch integration
  Support: RSPAN, ERSPAN
  Sources: VLAN, port
Cisco
► Nexus 1000v
► Supported on vSphere, announced support for Hyper-V
► Virtual Security Gateway
► Independent control VM
► Dedicated VLANs required
Virtual Security Gateway details:
  Type: Nexus 1000v VEM integration
  Support: Internal traffic routing
  Sources: VEM connections
Nexus 1000v details:
  Type: Mirroring switch integration
  Support: RSPAN, ERSPAN
  Sources: VLAN, port
Juniper
► Security Design VM for management
► Security VM and kernel module per ESX host
► Physical/virtual support
► Support on vSphere
► IPv6 support
vGateway details:
  Type: Hypervisor kernel module
  Support: Traffic redirection, ERSPAN
  Sources: Firewall filtering
IBM
► Separate controller VM
► Support on vSphere
Distributed Switch 5000V details:
  Type: Switch integration
  Support: SPAN (mirror), ERSPAN
  Sources: VLAN, port
Microsoft
► Rules per instance
► Only port to port
► Not mobile
► IPv6 support
► Future possibilities with extensions, Nexus 1000v
Hyper-V Extensible Switch details:
  Type: Hypervisor integration
  Support: Simple mirroring
  Sources: Port
Open vSwitch
► Xen and KVM support
► Basic mirroring
Open vSwitch details:
  Type: Switch integration
  Support: SPAN, RSPAN
  Sources: VLAN, port
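The SPAN and RSPAN mirroring that Open vSwitch offers, together with the dedicated monitoring VLAN the "Span Ports Are Dead!" slide calls for, as an added example that is not part of the deck: a small Python helper that builds the ovs-vsctl command lines for a port-sourced SPAN mirror and a VLAN-sourced RSPAN mirror. Bridge, port and VLAN values are constructed, and ovs-vsctl is assumed to be on PATH only when the command is actually executed rather than dry-run.

```python
"""Build ovs-vsctl commands for Open vSwitch traffic mirrors (SPAN and RSPAN).

Added example, not from the slides. Bridge, port and VLAN names below are
constructed sample values; select-src-port, select-dst-port, select-vlan,
output-port and output-vlan are columns of the OVS Mirror table.
"""
import shlex
import subprocess

OVS_VSCTL = "ovs-vsctl"  # assumed to be on PATH when commands are executed


def _ovs_set(values):
    """Render a set-typed column value: bare for one element, [a,b] for several."""
    items = [str(v) for v in values]
    return items[0] if len(items) == 1 else "[" + ",".join(items) + "]"


def span_mirror_argv(bridge, name, monitored_ports, output_port):
    """SPAN: copy frames sent to or from monitored_ports into output_port on the
    same bridge, where a monitoring VM or IDS instance is attached."""
    if output_port in monitored_ports:
        raise ValueError("output port must not be one of the monitored ports")
    argv, refs = [OVS_VSCTL], []
    for i, port in enumerate(monitored_ports):
        ref = f"@p{i}"
        refs.append(ref)
        # --id=@x get Port NAME binds the record so later columns can point at it
        argv += ["--", f"--id={ref}", "get", "Port", port]
    argv += ["--", "--id=@out", "get", "Port", output_port]
    argv += ["--", "--id=@m", "create", "Mirror", f"name={name}",
             f"select-src-port={_ovs_set(refs)}",
             f"select-dst-port={_ovs_set(refs)}",
             "output-port=@out"]
    # 'set ... mirrors=@m' replaces the bridge's whole mirror set, so any
    # mirror configured earlier on this bridge is dropped by this command
    argv += ["--", "set", "Bridge", bridge, "mirrors=@m"]
    return argv


def rspan_mirror_argv(bridge, name, monitored_vlans, output_vlan):
    """RSPAN: copy frames seen on monitored_vlans and re-tag them with
    output_vlan, a VLAN dedicated to monitoring, so the physical network can
    carry them to an external collector (this is the deck's 'dedicated VLAN')."""
    for v in list(monitored_vlans) + [output_vlan]:
        if not 1 <= int(v) <= 4094:
            raise ValueError(f"VLAN id out of range: {v}")
    if output_vlan in monitored_vlans:
        raise ValueError("output VLAN must be dedicated to monitoring, not itself monitored")
    return [OVS_VSCTL,
            "--", "--id=@m", "create", "Mirror", f"name={name}",
            f"select-vlan={_ovs_set(monitored_vlans)}",
            f"output-vlan={output_vlan}",
            "--", "set", "Bridge", bridge, "mirrors=@m"]


def run_mirror(argv, dry_run=True):
    """Print the command (dry run) or execute it; returns the shell-quoted line."""
    line = shlex.join(argv)
    if dry_run:
        print(line)
    else:
        subprocess.run(argv, check=True)
    return line


if __name__ == "__main__":
    run_mirror(span_mirror_argv("br-int", "span-web", ["vnet0", "vnet1"], "vnet-ids"))
    run_mirror(rspan_mirror_argv("br-int", "rspan-dmz", [10, 20], 4000))
```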
HP
► VM per ESX host
► External monitoring support
► Supported on vSphere
vController details:
  Type: Kernel module, control VM
  Support: RSPAN, ERSPAN
  Sources: VLAN, port
Data Access Approaches
► Better for existing users
► Gigamon release expected soon
NetOptics details:
  Type: Hypervisor module
  Support: Redirection
  Sources: Filtering
Gigamon details:
  Type: Monitoring VM
  Support: Redirection
  Sources: Filtering
Change Tactics
► Infrastructure statistics
► Clouds allow agentless monitoring
► Instrument hosts
► Integration concerns
► Overlay networks
► Have to be designed in
► Shift to activity-based (logs)
► A more dramatic change
What’s Out There Today?
► Cloudy networks
► Amazon
► Fully virtual
► Google Compute Engine
► Rackspace et al
► Mixed possibilities
► VMware-based clouds
► See below
► OpenStack
► Virtual platforms
► VMware
► Citrix/Xen
► Microsoft
► KVM/Red Hat
Through the Amazon
► Virtual Private Cloud offers the best options
► Network segmentation
► Multiple interfaces per instance
► Virtual appliance support
► Firewalls
► IDS
► APM
► Recording not practical
Amazon Overview
Capability                 Options
Network segmentation       Within VPC
Firewall / ACL             Security Groups in VPC for egress
Traffic inspection (IDS)   Appliance-based
Traffic capture            Statistics through CloudWatch; host agents
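The "Security Groups in VPC for egress" row above is worth checking rather than assuming, since a VPC security group starts life with an allow-all outbound rule and EC2-Classic groups have no egress rules at all. As an added example that is not part of the deck, the Python below audits the JSON shape returned by `aws ec2 describe-security-groups` for world-open egress, world-open inbound, and groups outside a VPC; the security groups and ids it contains are constructed sample data.

```python
"""Audit EC2 security groups for egress and inbound exposure.

Added example, not from the slides. The input shape follows the JSON that
`aws ec2 describe-security-groups` returns; the groups below are constructed
sample data. EC2-Classic groups (no VpcId) have no egress rules at all, which
is why the slide lists egress control as a VPC-only option.
"""
import json

WORLD_V4, WORLD_V6, ALL_PROTOCOLS = "0.0.0.0/0", "::/0", "-1"

SAMPLE_JSON = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0000web", "GroupName": "web", "VpcId": "vpc-0000sample",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
                        "UserIdGroupPairs": []}],
     # the rule AWS adds to every new VPC security group: all traffic, anywhere
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                              "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0000app", "GroupName": "app", "VpcId": "vpc-0000sample",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
                        "IpRanges": [], "Ipv6Ranges": [],
                        "UserIdGroupPairs": [{"GroupId": "sg-0000web"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                              "IpRanges": [], "Ipv6Ranges": [],
                              "UserIdGroupPairs": [{"GroupId": "sg-0000db"}]}]},
    {"GroupId": "sg-0000old", "GroupName": "legacy-classic",   # no VpcId: EC2-Classic
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
                        "UserIdGroupPairs": []}],
     "IpPermissionsEgress": []},
]})


def _to_world(perm):
    """True when a rule's CIDR list includes the whole IPv4 or IPv6 internet."""
    return (any(r.get("CidrIp") == WORLD_V4 for r in perm.get("IpRanges", []))
            or any(r.get("CidrIpv6") == WORLD_V6 for r in perm.get("Ipv6Ranges", [])))


def _describe(perm):
    if perm.get("IpProtocol") == ALL_PROTOCOLS:
        return "all traffic"
    return f"{perm['IpProtocol']} {perm.get('FromPort')}-{perm.get('ToPort')}"


def audit_groups(groups):
    """Return (group id, finding, detail) tuples for every group in the list."""
    findings = []
    for g in groups:
        gid = g["GroupId"]
        if "VpcId" not in g:
            # EC2-Classic: nothing to inspect, egress filtering is simply unavailable
            findings.append((gid, "NO_EGRESS_CONTROL", "EC2-Classic group, migrate to VPC"))
        for p in g.get("IpPermissionsEgress", []):
            if _to_world(p):
                kind = "OPEN_EGRESS_ALL" if p.get("IpProtocol") == ALL_PROTOCOLS else "OPEN_EGRESS"
                findings.append((gid, kind, _describe(p) + " to anywhere"))
        for p in g.get("IpPermissions", []):
            if _to_world(p):
                findings.append((gid, "WORLD_INBOUND", _describe(p) + " from anywhere"))
    return findings


def audit_json(text):
    """Audit the raw describe-security-groups output."""
    return audit_groups(json.loads(text)["SecurityGroups"])


if __name__ == "__main__":
    for gid, kind, detail in audit_json(SAMPLE_JSON):
        print(f"{gid:12} {kind:18} {detail}")
```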
Google
► Google Compute Engine holds promise
► Similar to early VPC
► Four network segments
► Inbound firewalling
► Still in “limited preview”
► No appliance support
Rackspace
► Cloud and managed hosting
► Cloud is evolving with OpenStack and Nicira support
► Promise of a more flexible future
► Cloud Networks just rolling out
► Instances perform routing
► 3 networks with 64 servers each
► Hardware front ends
► F5 LTM
► Cisco ASA
► Software, too
► Zeus ADC
Rackspace Overview
Capability                 Options
Network segmentation       Cloud Networking only
Firewall                   Physical Cisco, virtual option
ACL                        Inbound
Traffic inspection (IDS)   Limited
Traffic capture            Host agents
A Shiny SDN Future
► Software Defined Networking could help
► Someday…
► Automated packet replication
► Automated identification and forwarding
► Better scale than virtual SPAN ports
► Different technology platforms
► OpenFlow
► OpenStack/CloudStack/Quantum
► Networking vendors
► Cisco ONE, onePK
► Arista DANZ
Seeing Through the Mists
► Many goals can be achieved
► Access tools are available
► Isolation can work
► Within scaling considerations
► Monitoring
► Full recording remains a challenge
► SDN could help
► Where available…
Questions?
eric.hanselman@451research.com
@e_hanselman
