Page 1

© 2008 Cisco Systems, Inc. All rights reserved. Presentation_ID 1

Securing The Virtualized DMZ

David Anderson, Data Center Solutions Architect, CCIE, CISSP

Page 2

What Is Driving DMZ Virtualization?

Virtualization Benefits

Lower Rack Space Utilization

Power savings

Better Utilization through resource consolidation

Machine and Application mobility

Reduced Deployment Times

Page 3

Network Team Virtualization Concerns

Policy Enforcement
Applied at the physical server, not the individual VM
Impossible to enforce policy for VMs in motion

Operations and Management
Lack of VM visibility, accountability, and consistency
Difficult management model and inability to effectively troubleshoot

Roles and Responsibilities
Muddled ownership as the server admin must configure the virtual network
Organizational redundancy creates compliance challenges

Machine Segmentation
Server and application isolation on the same physical server
No separation between compliant and non-compliant systems…

Page 4

Maintaining Compliance Through Virtualization

Nexus 1000V Features Common Requirements

Page 5

Nexus 1000V: Control and Isolation of Virtual Machine Traffic

dcvsm(config)# ip access-list deny-vm-to-vm-traffic
dcvsm(config-acl)# deny ip host 10.10.10.10 host 10.10.20.20
dcvsm(config-acl)# permit ip any any

dcvsm(config)# ip access-list deny-vm-traffic-to-service-console
dcvsm(config-acl)# deny ip 10.10.0.0 192.168.20.0
dcvsm(config-acl)# permit ip any any

Network Segmentation
• VLANs
• Private VLANs

Access Controls & Network Security
• Port ACLs (IP & MAC)

Diagram: Intranet Application Servers and DMZ-Based Services on Private VLANs Green, Red and Purple.
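The two port ACLs on this slide, evaluated with Cisco first-match semantics in an added Python example that is not part of the Cisco deck: parse_acl, evaluate and shadowed are hypothetical helpers, and because the slide gives the service-console list's networks without prefix lengths, /16 for the VM range and /24 for the service console are assumed. It goes one step beyond the slide by flagging entries that an earlier, broader entry makes unreachable, the usual symptom of putting permit ip any any in the wrong place.

```python
from ipaddress import ip_address, ip_network

def _to_net(tokens, i):
    """Consume one address spec from a CLI token list starting at index i:
    'any', 'host A.B.C.D', or a CIDR such as 10.10.0.0/16. Returns (net, next_i)."""
    if tokens[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ip_network(tokens[i + 1] + "/32"), i + 2
    return ip_network(tokens[i]), i + 1

def parse_acl(cli_lines):
    """Parse NX-OS style 'permit|deny ip <src> <dst>' entries, keeping their order."""
    entries = []
    for line in cli_lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            raise ValueError("unsupported entry: " + line)
        src, i = _to_net(tokens, 2)
        dst, _ = _to_net(tokens, i)
        entries.append((tokens[0], src, dst))
    return entries

def evaluate(acl, src_ip, dst_ip):
    """First-match semantics: the first ACE matching both src and dst decides.
    No match behaves like the implicit deny at the end of a Cisco ACL."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for action, src, dst in acl:
        if s in src and d in dst:
            return action
    return "deny"

def shadowed(acl):
    """Indices of ACEs that can never match because an earlier ACE already covers
    their whole src/dst space, e.g. a 'permit ip any any' placed before a deny."""
    return [i for i, (_, src, dst) in enumerate(acl)
            if any(src.subnet_of(es) and dst.subnet_of(ed) for _, es, ed in acl[:i])]

# The two lists from the slide. The slide omits prefix lengths on the second
# list; /16 for the VM range and /24 for the service console are assumed here.
DENY_VM_TO_VM = parse_acl(["deny ip host 10.10.10.10 host 10.10.20.20",
                           "permit ip any any"])
DENY_TO_SERVICE_CONSOLE = parse_acl(["deny ip 10.10.0.0/16 192.168.20.0/24",
                                     "permit ip any any"])

if __name__ == "__main__":
    print(evaluate(DENY_VM_TO_VM, "10.10.10.10", "10.10.20.20"))           # deny
    print(evaluate(DENY_VM_TO_VM, "10.10.10.10", "10.10.30.30"))           # permit
    print(evaluate(DENY_TO_SERVICE_CONSOLE, "10.10.44.5", "192.168.20.9")) # deny
    print(shadowed(parse_acl(["permit ip any any", "deny ip any any"])))   # [1]
```

Note that the first list blocks only the 10.10.10.10 to 10.10.20.20 direction; the reverse flow is permitted unless a matching entry is applied on the other port.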

Page 6

Nexus 1000V: Management and Monitoring Virtual Machine Traffic

VM Traffic Mirroring
• ERSPAN

VM Traffic Analysis and Reporting
• NetFlow
• Syslog

Diagram: Intranet Application Servers and DMZ-Based Services on Private VLANs Green, Red and Purple.

Page 7

Nexus 1000V: Maintaining Roles & Workflows

1. Nexus 1000V automatically enables port groups in Virtual Center via API
2. Server Admin uses Virtual Center to assign vnic policy from available port groups
3. Nexus 1000V automatically enables VM connectivity at VM power-on

Diagram: vSphere hosts running the Nexus 1000V VEM; DMZ-Based Services and a Thin Client; Nexus 1000V VSM; vCenter.

Network Admin Benefits
• Unifies network mgmt and ops
• Improves operational security
• Enhances VM network features
• Ensures policy persistence
• Enables VM-level visibility

VI Admin Benefits
• Maintains existing VM mgmt
• Reduces deployment time
• Improves scalability
• Reduces operational workload
• Enables VM-level visibility

Page 8

Nexus 1000V: Security Policy Mobility with VMotion

1. Virtual Center kicks off a VMotion (manual/DRS) & notifies Nexus 1000V

2. During VM replication, Nexus 1000V copies VM port state to new host

3. Once VMotion completes, port on new ESX host is brought up & VM’s MAC address is announced to the network

Mobile Properties Include:

Port policy

Interface state and counters

Flow statistics

Remote port mirror session

Page 9

The Virtualized DMZ: Nexus 1000V & VMware

Diagram: Intranet Server Farm hosting Intranet Application Servers; DMZ Infrastructure hosting DMZ-Based Services (including FTP); Virtual Ethernet (vnet) adapters on the VM side, uplink ports and physical adapters on the host side.

Page 10

Summary

Nexus 1000V:

Supports traditional network capabilities

Roles and workflows are unchanged

VM security policies are the same as physical server policies

Maintains compliance requirements

Page 11

For more information visit: www.cisco.com/go/vmworld09
