Upload
hoanganh
View
213
Download
0
Embed Size (px)
Citation preview
SECURE DATA CENTER DESIGN Piotr Wojciechowski (CCIE #25543)
ABOUT ME ¢ Senior Network Engineer MSO at VeriFone Inc. ¢ Previously Network Solutions Architect at one of top
polish IT integrators ¢ CCIE #25543 (Routing & Switching) ¢ Blogger – http://ccieplayground.wordpress.com ¢ Administrator of CCIE.PL board
� The biggest Cisco community in Europe � Over 6800 users � 3 admin, 7 moderators � 58 polish CCIEs as members, 20 of them actively posting � About 150 new topics per month � About 1000 posts per month � English section available
AGENDA ¢ What we want to protect? ¢ Physical DC security ¢ Secure Network Design ¢ Internet Edge Protection ¢ Security Audits
WHAT WE WANT TO PROTECT?
WHAT WE WANT TO PROTECT? ¢ Sensitive data ¢ Business-related processes ¢ Network services ¢ Applications ¢ Hardware
WHAT WE WANT TO PROTECT?
WHAT WE WANT TO PROTECT?
WHERE WE PROTECT?
WHERE WE PROTECT?
SECURITY AS A PROCESS
1. Subject matter experts define policies 2. Policies used to create application templates 3. Application templates used to create application profiles 4. Associated profiles creates resources automatically
PHYSICAL DC SECURITY
DATA CENTER PHYSICAL SECURITY ¢ Site location
� Risk of natural disasters on acceptable level (fires, lightning storms, hurricanes, earthquakes etc.)
� Man-made disasters on low level (plane crashes, riots, fires, explosions etc.) ¢ Site should not be adjacent to airports, prisons, freeways,
banks, rafineries etc.) � Data center should not share the same building with
other offices, especially offices not owned by organization
DATA CENTER PHYSICAL SECURITY ¢ Site location
� Electrical utility powering the site should have 99,9% or better reliability of service. ¢ It must be delivered from at least two separate substations ¢ Backup power generators
� Water should be delivered from more than one source
DATA CENTER PHYSICAL SECURITY ¢ Perimiters
� Fence around the facility � Guard kiosks at each access point � Automatic authentication method for employees
(badges) � CCTV � Parking not align to the building � No clear advertisement that Data Center is located at
this facility
DATA CENTER PHYSICAL SECURITY ¢ Surveillance
� Monitoring of property as well as neighborhood � Guards on patrol � Parking permits for vehicles � Separate parking areas for employees and visitors
DATA CENTER PHYSICAL SECURITY ¢ Entry points
� Loading docks and all outside doors should have automatic authentication methods (ie. badges)
� Each entrance should have physical barriers and CCTV cameras
� Engineers must be required to use badges with pictures � Track equippment being placed in and removed
DATA CENTER PHYSICAL SECURITY ¢ NOC (Network Operation Centre)
� Must have power, temperature, fire and humidity monitoring systems in place
� Redundant methods of communication with outside (analog phones, IP phones, cell phones etc.)
� Manned 24/7
DATA CENTER PHYSICAL SECURITY ¢ Disaster Recovery
� It’s a must have! � Must contain – definition of disaster, who gets notified,
who conduct damage assessment, where backups are located and what to do to maintain them
� Plan must be updated and reviewed
DATA CENTER PHYSICAL SECURITY
DATA CENTER PHYSICAL SECURITY
DATA CENTER PHYSICAL SECURITY
DATA CENTER PHYSICAL SECURITY
DATA CENTER PHYSICAL SECURITY
DATA CENTER PHYSICAL SECURITY
DATA CENTER PHYSICAL SECURITY
SECURE NETWORK DESIGN
MULTI-LAYER DC PROTECTION ¢ No single solution for all data centers ¢ Security should be deployed basing on application
requirement, certification requirement as well as traffic flow
¢ To much protection can be worse than no protection ¢ Virtualization – new challenges for security
SECURITY ZONES ¢ A security zone is an area within a network
occupied by a group of systems and components with similar requirements for the protection of information and the attendant characteristics associated with those requirements.
¢ Security zones are often layered as trust zones such that resources in higher trust zones may communicate with resource in lower trust zones, but not the other way around.
SECURITY ZONES
SECURITY ZONES ¢ Goal of security zones:
� Control inter-zone communication � Monitor inter-zone communication using IDP/IPS � Control management access into, out of and within the
zone (jump servers) � Enforce data confidential and integrity rules for data
stored within a zone, as well as for replication and backup.
SECURITY ZONES ¢ How to establish security zone?
IPS DEPLOYMENT ¢ The Intrusion Prevention System (IPS) provides
deep packet and anomaly inspection to protect against both common and complex embedded attacks.
¢ Because of the nature of IPS and the intense inspection capabilities, the amount of overall throughput varies depending on the active policy.
¢ The IPS deployment in the data center usually leverages EtherChannel load balancing from the service switch. This method is recommended for the data center because it allows the IPS services to scale to meet the data center requirements
IPS DEPLOYMENT ¢ Usually deployed in service
layer (part or DMZ and high security zones)
¢ A port channel is configured on the services switch to forward traffic
IPS DEPLOYMENT ¢ Spanning tree plays an
important role for IPS redundancy in this design � Under normal operating
conditions traffic, a VLAN will always follow the same active Layer-2 path
IPS DEPLOYMENT ¢ Spanning tree plays an
important role for IPS redundancy in this design � If a failure occurs (service
switch failure or a service switch link failure), spanning tree would converge and the active Layer-2 traffic path would change to the redundant service switch and Cisco IPS appliances.
IPS DEPLOYMENT – SECURE TRAFFIC FLOW
VIRTUALIZATION CHALLENGES - VISIBILITY ¢ New challenges for
visibility into what is occurring at the virtual network level
¢ Traffic flows can now occur within the server between virtual machines without needing to traverse a physical access switch
VIRTUALIZATION CHALLENGES - VISIBILITY ¢ If a virtual machine
is infected or compromised it might be more difficult for administrators to spot without the traffic forwarding through security appliances
VIRTUALIZATION CHALLENGES - VISIBILITY ¢ ERSPAN forwards
copies of the virtual machine traffic to the Cisco IPS appliance and the Cisco Network Analysis Module (NAM)
VIRTUALIZATION CHALLENGES - ISOLATION ¢ Server-to-server filtering can be
performed using ACLs on the Cisco Nexus 1000V
¢ Because the server-to-server traffic never leaves the physical server, the ACL provides an excellent method for segmenting this traffic.
VIRTUALIZATION CHALLENGES - ISOLATION ¢ There are two options for adding an
access list to the virtual Ethernet interfaces to block communication: � The ACL can be defined and the access
group can be applied to a port profile. All interfaces configured for the port profile will inherit the access-group setting.
� Specific ACLs on an interface can be applied directly to the virtual Ethernet interface in addition to the port profile. The port profile will still apply but the access group will only be applied to the specific interface instead of all interfaces that have inherited the particular port profile.
VIRTUALIZATION CHALLENGES - FIREWALLING ¢ An additional virtual
context is created on the Cisco ASA and designated to reside between the servers and an Oracle database
¢ It can also be virtual firewall ASA 1000V
VIRTUALIZATION CHALLENGES - FIREWALLING ¢ The goal is not to prevent
any server from communicating with the database, but rather to control which servers can access the database
¢ Context firewalls can run in routed and transparent modes
VIRTUALIZATION CHALLENGES – WEB APPLICATION FIREWALL ¢ WAF can protect
servers from a number of highly damaging application-layer attacks—including command injection, directory traversal attacks, and cross-site (XSS) attacks
VIRTUALIZATION CHALLENGES – WEB APPLICATION FIREWALL ¢ Can be used also for
SSL offloading
VIRTUALIZATION CHALLENGES – VM-TO-VM IDS ¢ ERSPAN on the Cisco
Nexus 1000V is leveraged to forward a copy of virtual machine-to-virtual machine traffic to the IDS at the services layer
¢ Both virtual machines reside on the same physical server
VIRTUALIZATION CHALLENGES – VM-TO-VM IDS ¢ The attempt triggers a
signature on the IDS and is logged for investigation
VIRTUALIZATION CHALLENGES – SUMMARY
Botnets DoS Unauthorized Access
Spyware, Malware
Network Abuse
Data Leakage
Visibility Control
Routing Security Yes Yes Yes Yes Yes
Service Resiliency Yes Yes Yes
Network Policy Enforcement
Yes Yes Yes Yes Yes
Application Control Engine (ACE)
Yes Yes Yes Yes
Web Application Firewall (WAF)
Yes Yes Yes Yes Yes
IPS Integration Yes Yes Yes Yes Yes
Switching Security Yes Yes Yes Yes
Endpoint Security Yes Yes Yes Yes Yes Yes Yes Yes
Secure Device Access Yes Yes Yes Yes Yes
Telemetry Yes Yes Yes Yes Yes
INTERNET EDGE PROTECTION
INTERNET EDGE PROTECTION
INTERNET EDE PROTECTION ¢ The Internet edge is a public-facing network
infrastructure and is particularly exposed to large array of external threats. Some of the expected threats are as follows: � Denial-of-service (DoS), distributed DoS (DDoS) � Spyware, malware, and adware � Network intrusion, takeover, and unauthorized network
access � E-mail spam and viruses � Web-based phishing, viruses, and spyware � Application-layer attacks (XML attacks, cross scripting,
and so on) � Identity theft, fraud, and data leakage
FIREWALL PHYSICAL INTERFACES LAYOUT
The different logical interfaces on the Cisco ASA can be used to separate the DMZ, SP-facing interfaces, and the inside corporate infrastructure
WEB APPLICATION FIREWALL
WEB APPLICATION FIREWALL ¢ Configure the web application firewall to retain the
source IP address if the traffic is directed to appliances in the data center.
¢ It is recommended that HTTPS traffic directed to the data center, not be encrypted as the Cisco ACE module in data center will perform the load-balancing and decryption while also providing higher performance.
¢ The web application firewall in the Internet edge and the web application firewall in data center to be configured in the same cluster.
SERVICE PROVIDER EDGE ¢ Use BGP as the routing protocol for all dynamic
routing—both between the border routers and between the border routers and SP.
¢ Have an independent autonomous system number. This will give the flexibility of advertising the Internet prefix to different SPs.
¢ Use PfR as path-optimization mechanism. This will ensure that the optimal path is selected between the SPs—thereby increasing the application performance.
SECURITY AUDITS
SECURITY AUDITS ¢ There is no one template of security audit that will
fit everyone ¢ Some security audits are cerification related (in
example PCI-DSS) ¢ Audits does not cover only networking aspects ¢ If performed correctly, a security audit can reveal
weakness in technology, practices, employees and other key areas
¢ Usually is semi-automated
SECURITY AUDITS ¢ Audit components (some, not all):
� Vulnerability scans � Examination of OS settings � Examination of application settings � Network analyses � Employee interview � Logs studying � Security policies review
SECURITY AUDITS ¢ Some of the key questions that auditor must ask
include: � Who is in charge of security, and who does this person
report to? � Have ACLs (Access Control Lists) been placed on
network devices to control who has access to shared data?
� How are passwords created and managed? � Are there audit logs to record who accesses data? � Who reviews the audit logs, and how often are they
examined? � Are the security settings for OSes and applications in
accordance with accepted industry security practices?
SECURITY AUDITS ¢ Some of the key questions that auditor must ask
include: � Have unnecessary applications and services been purged
from systems? How often does this task take place? � Are all OSes and applications updated to current levels? � How is backup media stored? Who has access to it? Is it
up-to-date? � How is email security addressed? � How is Web security addressed? � How is wireless security addressed?
SECURITY AUDITS ¢ Some of the key questions that auditor must ask
include: � Are remote workers covered by security policies? � Is a disaster-recovery plan in place? Has the plan ever
been rehearsed? � Have custom applications been tested for security flaws? � How are configuration and code changes documented?
How often are these records reviewed? Many other questions pertaining to the exact nature of the business's operations also must be addressed.
INERNAL AUDITS ¢ BAU audits:
� Checking current status of maintained platform and software
� Should be regular ¢ On-demand audits
� Test if procedures are working � Test if team is prepared for emergency situation � Test third-party responsibility
SECURITY AUDITS ¢ „Off-the-shelf” auditis:
� Ineffective � More costly in long term � Are not showing results management and security
teams are requesting � Usually 99% software-based
SECURITY AUDITS ¢ Audit time:
Stage % of Total Time
Preparation 10
Reviewint Policy/Docs 10
Talking/Interviewing 10
Technical Investigation 15
Reviewing Data 20
Writing Up Documentation 20
Report Presentation 5
Post Audit Actions 10
QUESTIONS?
THANK YOU