SECURITY IN THE CLOUD DATA CENTER PATARAKORN VAETEEWOOTACHARN
SYSTEMS ENGINEER
ARISTA NETWORKS
#CLOUDSEC
Modular
Fixed
General Compute Advanced Functionality
7300X Series
7250X, 7050X Series 7150S, 7280E Series
7500E Series
7010T 7048T
The best switch for each application, all running a single OS image
Ultra-low latency, deep buffers or tap aggregation
Scale from 10 to 40 to 100 GbE by swapping cables
1. Cloud Data Center Switches
Familiar interface for both network and systems teams
Run ready or self-developed applications with help from the user community
Network wide operations and visibility at scale
2. Cloud Network Operating System
Arista#config t
Arista(config)#vlan 10
Arista(config-vlan-10)#name new_vlan
Arista(config-vlan-10)#show vlan
VLAN Name Status Ports
----- ------------ ------- ----------------
1 default active Cpu, Et12, Et26
10 new_vlan active
20 data_center active Et15
30 user_vlan active
Arista(config-vlan-10)#
Arista#bash
Arista Networks EOS shell
[admin@Arista ~]$ ps -ef
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 May15 ? 00:00:00 /sbin/init
root 2 0 0 May15 ? 00:00:00 [kthreadd]
root 3 2 0 May15 ? 00:00:00 [migration/0]
root 4 2 0 May15 ? 00:00:00 [ksoftirqd/0
...
Proven cloud scale and resiliency in the largest cloud operators
Automated operations with high device-to-staff ratios
Practical SDN applications with common software controllers
3. Largest Cloud Data Centers
Spine
Switches
MLAG MLAG
Servers Servers
Leaf
Switches
MLAG
Servers Servers
Routers
VLANs span across Racks for ease of Workload Mobility
Network Virtualization with VXLAN
VTEP VTEP VTEP
VLANs
VNIs
Orchestration Controllers
VTEP VTEP VTEP
Security
Devices
CHALLENGERS LEADERS
NICHE PLAYERS VISIONARIES
COMPLETENESS OF VISION
ABILITY TO EXECUTE
As of May 2015
Huawei
Lenovo
Dell
Extreme Networks
Avaya
Brocade
Juniper Networks
HP
VMware
Arista Networks
Cisco
The New Standard in Software Driven Cloud Networking
Gartner Magic Quadrant for Data Center Networking
Cloud Data Center Scale Challenges
• Larger number of hosts
• Server virtualization
• Higher bandwidth
• Higher performance
• Latency
• IP storage, incasts
More sessions, security devices
More MACs, ARPs, IP routes
40/100GbE security devices?
Security device throughput
Device bottlenecks
More buffers needed
Scale Security with Symmetry
“Ingress” Switch “Egress” Switch
Eth1 Eth1
Security Platform
10GbE
Eth4 Eth4
. . .
Security Platforms
with 40GbE interfaces
are being introduced
Load balancers add
network complexity
and cost
Arista DirectFlow –
OpenFlow without the
need for a Controller
Eth2 Eth2
Eth3 Eth3
100GbE 100GbE
Security Platforms
10GbE
Scale Security with Symmetry
“Ingress” Switch “Egress” Switch
Eth1 Eth1
10GbE
Eth4 Eth4
Eth2 Eth2
Eth3 Eth3
40GbE 40GbE
Security Platforms
10GbE
Bucket #  SRC IP     SRC IP MASK  DST IP  Egress Port
1         x.x.x.0    0.0.0.224    Any     Ethernet 1
2         x.x.x.32   0.0.0.224    Any     Ethernet 2
3         x.x.x.64   0.0.0.224    Any     Ethernet 3
4         x.x.x.96   0.0.0.224    Any     Ethernet 4
5         x.x.x.128  0.0.0.224    Any     Ethernet 1
6         x.x.x.160  0.0.0.224    Any     Ethernet 2
7         x.x.x.192  0.0.0.224    Any     Ethernet 3
8         x.x.x.224  0.0.0.224    Any     Ethernet 4
Ingress Switch Flow Table
Flow from x.x.x.165
Source IP = x.x.x.165
Match Mask = 0.0.0.224
Match IP = x.x.x.160
Last octet in binary:
Match Mask 0.0.0.224  = 111 00000
Match IP   x.x.x.160  = 101 00000
Source IP  x.x.x.165  = 101 00101
The low five bits are "don't care" bits; only the top three bits select the bucket.
Egress Switch Flow Table
Bucket #  DST IP     DST IP MASK  SRC IP  Egress Port
1         x.x.x.0    0.0.0.224    Any     Ethernet 1
2         x.x.x.32   0.0.0.224    Any     Ethernet 2
3         x.x.x.64   0.0.0.224    Any     Ethernet 3
4         x.x.x.96   0.0.0.224    Any     Ethernet 4
5         x.x.x.128  0.0.0.224    Any     Ethernet 1
6         x.x.x.160  0.0.0.224    Any     Ethernet 2
7         x.x.x.192  0.0.0.224    Any     Ethernet 3
8         x.x.x.224  0.0.0.224    Any     Ethernet 4
Return Flow (to x.x.x.165)
Data Center Monitoring Challenges
• Data center scale
• In-band monitoring
• Switch port mirroring
• Network packet brokers
• Multiple tools needed
• Tools limited to 1/10G
• 24/7 monitoring
Number of tap points
Competes for bandwidth
Reactive approach
Expensive
Send traffic to all tools
Tools overwhelmed by traffic
Not practical
Tap Aggregation With Switches
Spine Layer
MLAG MLAG
Servers Servers
Leaf Layer
Servers Servers
Data Center Network Tools
10Gbps
1Gbps
EOS eAPI
Tap Aggregation Network
Tap Layer Tool Layer
100Gbps
40Gbps
Arista 7150S
Arista 7150S
Arista 7280E
Arista 7500E Hybrid Mode
Value Proposition Example
[Chart: cost in thousands of dollars ($0 to $250), NPBs vs. Arista, split into Tools and Aggregation]
DANZ Frees up IT Budget for Better Tools and Broader Access
24 x 10GbE Ports
48 x 10GbE
DPI with Cloud Scale Data Center
7150 Series 7050/7050X Series
7500E Series 7300X Series
TAP AGGREGATOR
7280E Series
OpenFlow
EOS
Trend Micro™ DEEP DISCOVERY INSPECTOR
Best-of-breed solution: end-to-end network security DPI for examining and analyzing the massive amount of data in a modern data center
Arista and Trend Micro Joint Solution
Production Network
Mirrored
Ports
Taps
Monitoring Network
DANZ Enabled
Switches
Application Visibility
Redirect traffic of interest to DDI for monitoring and analysis
Detection and Protection
Inbound/Outbound/Internal network traffic
Economic Scale
1G/10G/40G and 100G
Arista and Trend Micro Joint Solution
Symmetrical/Dynamic
distribution of flows
across NxDDI
QSFP100 Ports for
support of 100G Tap
interfaces
[Figure: ten DDI appliances, each labelled 10%, i.e. each receives one tenth of the flows]
Scale out Trend Micro DDI with Arista symmetric hash algorithm
B – C C – B
D – C C – D
A – D D – A
Ensure all traffic in one conversation hits the same analyzer
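The two slides "Scale Security with Symmetry" (the ingress/egress flow tables with mask 0.0.0.224) and this one (symmetric hashing across N DDI appliances) make the same point: both directions of a conversation must reach the same stateful analyzer. The following Python is an added example, not Arista DirectFlow, EOS or Trend Micro code. It models the eight-bucket tables exactly as drawn (top three bits of the last octet, four egress ports), shows the bit-level match for x.x.x.165, and contrasts an order-independent 5-tuple hash with a direction-dependent one. The IP addresses, ports and the SHA-256 based hash are constructed assumptions; a real ASIC uses its own hash function.

```python
"""Pinning both directions of a conversation to one security appliance.

Constructed example added to this deck; not Arista DirectFlow, EOS or
Trend Micro code. It models the two mechanisms the slides describe: the
ingress/egress flow tables (mask 0.0.0.224 = eight buckets over the top three
bits of the last octet, spread over four ports) and a symmetric hash of the
5-tuple for spreading conversations across N analyzers. All addresses below
are constructed; the slides use x.x.x as a placeholder.
"""
import hashlib
import ipaddress
from typing import NamedTuple

MASK = 0x000000E0   # 0.0.0.224: only bits 7..5 of the last octet are compared
PORTS = 4           # Ethernet 1..4, one security platform behind each
BUCKETS = 8         # the three masked bits take 2**3 values


class FlowEntry(NamedTuple):
    bucket: int
    match_ip: int    # x.x.x.0, .32, .64 ... kept as an integer last octet
    mask: int
    port: int        # egress "Ethernet <port>"


def build_table() -> list:
    """The slide's eight-row table: bucket k matches last octet (k-1)*32 and
    exits on Ethernet ((k-1) % 4) + 1, so buckets 1 and 5 share Ethernet 1."""
    return [FlowEntry(k + 1, k * 32, MASK, (k % PORTS) + 1) for k in range(BUCKETS)]


def lookup(table, ip: str) -> FlowEntry:
    """OpenFlow-style wildcard match: compare only the bits set in the mask."""
    addr = int(ipaddress.IPv4Address(ip))
    for entry in table:
        if addr & entry.mask == entry.match_ip & entry.mask:
            return entry
    raise LookupError(f"no bucket for {ip}")


def steer(table, src: str, dst: str, at_ingress: bool) -> int:
    """Port a packet is sent to. The ingress switch keys on SRC IP; the egress
    switch keys on DST IP with the same table. Return traffic B->A enters at the
    egress switch and is keyed on dst=A, so it meets A->B on the same platform."""
    return lookup(table, src if at_ingress else dst).port


def conversation_pinned(table, a: str, b: str) -> bool:
    """True when a->b (at ingress) and b->a (at egress) land on the same port."""
    return steer(table, a, b, True) == steer(table, b, a, False)


def explain_match(ip: str) -> tuple:
    """Last-octet bit strings (address, mask, masked value), as drawn on the slide."""
    last = int(ipaddress.IPv4Address(ip)) & 0xFF
    return (f"{last:08b}", f"{MASK & 0xFF:08b}", f"{last & MASK:08b}")


def _h(key: str, n: int) -> int:
    # Constructed stand-in for the switch's hardware hash.
    return int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big") % n


def symmetric_bucket(src, dst, sport, dport, proto, n: int) -> int:
    """Order-independent 5-tuple hash: the (ip, port) endpoints are sorted before
    hashing, so B-C and C-B (as on the slide) reach the same analyzer out of n."""
    lo, hi = sorted([(int(ipaddress.IPv4Address(src)), sport),
                     (int(ipaddress.IPv4Address(dst)), dport)])
    return _h(f"{lo}|{hi}|{proto}", n)


def naive_bucket(src, dst, sport, dport, proto, n: int) -> int:
    """Direction-dependent hash for contrast: the return flow may land on a
    different analyzer, which breaks stateful inspection of the session."""
    return _h(f"{src}:{sport}|{dst}:{dport}|{proto}", n)


def directions_agree(bucket_fn, src, dst, sport, dport, proto, n: int) -> bool:
    """Does bucket_fn send the forward and return flow to the same analyzer?"""
    return (bucket_fn(src, dst, sport, dport, proto, n)
            == bucket_fn(dst, src, dport, sport, proto, n))


if __name__ == "__main__":
    table = build_table()
    print(explain_match("10.0.0.165"))                      # ('10100101', '11100000', '10100000')
    print(steer(table, "10.0.0.165", "203.0.113.9", True))  # 2 (bucket 6 -> Ethernet 2)
    print(conversation_pinned(table, "10.0.0.165", "203.0.113.9"))
    print(directions_agree(symmetric_bucket, "10.0.0.165", "203.0.113.9", 40000, 443, 6, 10))
```

The flow-table form is symmetric by construction because the egress switch reuses the ingress table with the roles of SRC and DST swapped; the hash form is symmetric only if the hash input is canonicalized (sorted endpoints) before hashing, which is the property to verify when a platform advertises "symmetric hashing".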
Adding Mitigation to Monitoring
Production Network Monitoring Network
Mirrored
Ports Taps
DANZ Enabled Switches
Active
Mitigation
Next Generation Firewall
Load Balancer
Content Monitor (DLP)
IDS/IPS Platform
Anomaly Detection
Traffic Data Recorder
Monitoring Tools
Active Mitigation
The visibility and context provided by security devices are leveraged to make optimized and secure SDN forwarding decisions on Arista switches
Trusted Flow
Arista Switch
Security Platform
Attack Flow
SDN flow configuration is
integrated into the security
policy and configured
through the device GUI
The device triggers per-
flow policy on the switch
Policy
Arista EOS receives the
device request, and modifies
the flow tables appropriately
Untrusted/Unknown Flow
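The three steps above (policy configured on the security device, the device triggering a per-flow request, EOS modifying its flow table) are a closed loop in which the security platform effectively programs the forwarding plane. The Python below is an added example, not Arista, Trend Micro or any partner's integration code. It builds the per-flow request the device would send over the JSON-RPC eAPI named later in the deck, and shows the check a defender wants in that path: the device may only request allowlisted verdicts (drop, or redirect to an approved inspection port) on validated addresses, so a misconfigured or compromised device cannot push arbitrary CLI. The eAPI envelope (method runCmds, params.version 1, params.cmds) is the documented convention; the DirectFlow CLI lines inside it are an assumption about syntax and must be checked against the EOS release in use; the switch URL, ports and addresses are constructed.

```python
"""Security device -> switch mitigation request with input validation.

Constructed example added to this deck; not Arista, Trend Micro or partner code.
The JSON-RPC envelope follows the eAPI "runCmds" convention. The DirectFlow
CLI lines (directflow / flow <name> / match ... / action ...) are an ASSUMPTION
about syntax; verify them against the EOS release in use. Nothing touches the
network unless send_request() is called explicitly.
"""
import base64
import ipaddress
import json
import urllib.request
import uuid
from typing import List, Optional

# Verdicts the device integration may request. Keeping this list short bounds
# what the device can change in the forwarding plane (least privilege).
ACTIONS = {
    "drop": ["action drop"],                          # assumed syntax
    "inspect": ["action output interface {port}"],    # assumed syntax
}
# Only these ports lead to inspection platforms (constructed values).
ALLOWED_PORTS = {"Ethernet3", "Ethernet4"}


def flow_name(src: str, dst: str) -> str:
    """Deterministic flow name so a later "remove" targets the same entry."""
    return f"sec-{src.replace('.', '-')}-to-{dst.replace('.', '-')}"


def build_flow_cmds(src: str, dst: str, verdict: str,
                    port: Optional[str] = None) -> List[str]:
    """CLI lines for one per-flow entry, validated before anything reaches the
    switch: addresses must parse as IPv4, the verdict must be allowlisted, and a
    redirect may only name an approved inspection port."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    if src_ip.version != 4 or dst_ip.version != 4:
        raise ValueError("IPv4 only in this example")
    if verdict not in ACTIONS:
        raise ValueError(f"verdict {verdict!r} not allowlisted")
    if verdict == "inspect" and port not in ALLOWED_PORTS:
        raise ValueError(f"port {port!r} is not an approved inspection port")
    cmds = ["enable", "configure", "directflow", f"flow {flow_name(src, dst)}",
            f"match source ip {src_ip}", f"match destination ip {dst_ip}"]   # assumed syntax
    cmds += [a.format(port=port) for a in ACTIONS[verdict]]
    return cmds


def build_eapi_request(cmds: List[str], req_id: Optional[str] = None) -> dict:
    """eAPI JSON-RPC 2.0 envelope: method runCmds, params.version 1, params.cmds."""
    return {
        "jsonrpc": "2.0",
        "method": "runCmds",
        "params": {"version": 1, "cmds": cmds, "format": "json"},
        "id": req_id or str(uuid.uuid4()),
    }


def mitigation_request(src: str, dst: str, verdict: str,
                       port: Optional[str] = None, req_id: Optional[str] = None) -> dict:
    """Full request for one verdict on one flow (validation included)."""
    return build_eapi_request(build_flow_cmds(src, dst, verdict, port), req_id)


def send_request(url: str, user: str, password: str, request: dict) -> dict:
    """POST the request over HTTPS with basic auth; TLS verification stays on.
    Kept separate so everything else can be exercised offline."""
    data = json.dumps(request).encode()
    req = urllib.request.Request(url, data=data,
                                 headers={"Content-Type": "application/json"})
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed attack flow: drop it at the switch rather than at the appliance.
    print(json.dumps(mitigation_request("198.51.100.7", "10.0.0.165", "drop"), indent=2))
    # To actually push it (constructed URL; switch must have eAPI enabled over HTTPS):
    # send_request("https://switch.example.invalid/command-api", "secops", "...", request)
```

The validation sits on the device side of the loop, but the same allowlist logic belongs on the switch side too: an eAPI account used only for mitigation should be restricted by role to the DirectFlow commands it needs, so that the "device request" can never become a general configuration channel.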
Mitigation Through Programmability
Standard Linux Kernel
KVM - Virtual Machine
SysDB - Central State Database
XMPP Client
JSON RPC API
ASIC Drivers
Spanning Tree
CLI
MLAG
Routing Protocols
Linux Tools
Partner Logic
OpenStack
F5 iControl
VMware NSX
Local Daemons/Extensions
- C++, Python, etc
Local Scripts
- Python, TCL, Shell
EOS eAPI
- JSON Web Services API
OpenFlow 1.0/1.3
- Multi-vendor services
Packaged Extensions
- CloudVision, etc
Partner Integration
- F5, Palo Alto, OMI
Direct Flow Programming
- Customized redirection