
SECURITY IN THE CLOUD DATA CENTER
PATARAKORN VAETEEWOOTACHARN
SYSTEMS ENGINEER
ARISTA NETWORKS
#CLOUDSEC

Reinventing Data Center Networking

1. Cloud Data Center Switches
[Figure: product matrix, Modular vs. Fixed against General Compute vs. Advanced Functionality: 7300X Series; 7250X, 7050X Series; 7150S, 7280E Series; 7500E Series; 7010T, 7048T]
• The best switch for the application but still a single OS software
• Ultra-low latency, deep buffers or tap aggregation
• Scale from 10 to 40 to 100 GbE by swapping cables

2. Cloud Network Operating System
• Familiar interface for both network and systems teams
• Run ready or self-developed applications with help from the user community
• Network wide operations and visibility at scale

Arista#config t
Arista(config)#vlan 10
Arista(config-vlan-10)#name new_vlan
Arista(config-vlan-10)#show vlan
VLAN  Name         Status   Ports
----- ------------ -------- ----------------
1     default      active   Cpu, Et12, Et26
10    new_vlan     active
20    data_center  active   Et15
30    user_vlan    active
Arista(config-vlan-10)#

Arista#bash
Arista Networks EOS shell
[admin@Arista ~]$ ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 May15 ?        00:00:00 /sbin/init
root         2     0  0 May15 ?        00:00:00 [kthreadd]
root         3     2  0 May15 ?        00:00:00 [migration/0]
root         4     2  0 May15 ?        00:00:00 [ksoftirqd/0]
...

3. Largest Cloud Data Centers
• Proven cloud scale and resiliency in the largest cloud operators
• Automated operations with high device-to-staff ratios
• Practical SDN applications with common software controllers

[Figure: leaf-spine topology. Spine switches connect to leaf switches, leaf pairs are joined by MLAG, servers hang off the leaf switches and routers attach at the edge. VLANs span across racks for ease of workload mobility.]

Network Virtualization with VXLAN
[Figure: VTEPs on the switches map VLANs to VNIs; orchestration controllers and security devices are shown attached to the fabric.]

The New Standard in Software Driven Cloud Networking
[Figure: Gartner Magic Quadrant for Data Center Networking, as of May 2015. Axes: Completeness of Vision (horizontal) and Ability to Execute (vertical); quadrants: Challengers, Leaders, Niche Players, Visionaries. Vendors plotted: Huawei, Lenovo, Dell, Extreme Networks, Avaya, Brocade, Juniper Networks, HP, VMware, Arista Networks, Cisco.]

Cloud Data Center Scale


Cloud Data Center Scale Challenges

• Larger number of hosts: more sessions, more security devices
• Server virtualization: more MACs, ARPs, IP routes
• Higher bandwidth: 40/100GbE security devices?
• Higher performance: security device throughput
• Latency: device bottlenecks
• IP storage, incasts: more buffers needed

Scale Security with Symmetry
[Figure: an "Ingress" switch and an "Egress" switch, each with 100GbE uplinks, fan out over 10GbE ports Eth1 ... Eth4 to a row of security platforms, so that each platform sits between the same port number on both switches.]
• Security platforms with 40GbE interfaces are being introduced
• Load balancers add network complexity and cost
• Arista DirectFlow: OpenFlow without the need for a controller

Scale Security with Symmetry
[Figure: the same "Ingress" and "Egress" switch pair with 40GbE uplinks; 10GbE ports Eth1 ... Eth4 on each switch connect to the security platforms.]

Ingress Switch Flow Table

Bucket #  SRC IP     SRC IP MASK  DST IP  Egress Port
1         x.x.x.0    0.0.0.224    Any     Ethernet 1
2         x.x.x.32   0.0.0.224    Any     Ethernet 2
3         x.x.x.64   0.0.0.224    Any     Ethernet 3
4         x.x.x.96   0.0.0.224    Any     Ethernet 4
5         x.x.x.128  0.0.0.224    Any     Ethernet 1
6         x.x.x.160  0.0.0.224    Any     Ethernet 2
7         x.x.x.192  0.0.0.224    Any     Ethernet 3
8         x.x.x.224  0.0.0.224    Any     Ethernet 4

Flow from x.x.x.165

Source IP  = x.x.x.165
Match Mask = 0.0.0.224
Match IP   = x.x.x.160

Last octet in binary (the last five bits are the "don't care" bits):
Match Mask (224) = 111 00000
Match IP   (160) = 101 00000
Source IP  (165) = 101 00101

Egress Switch Flow Table

Bucket #  DST IP     DST IP MASK  SRC IP  Egress Port
1         x.x.x.0    0.0.0.224    Any     Ethernet 1
2         x.x.x.32   0.0.0.224    Any     Ethernet 2
3         x.x.x.64   0.0.0.224    Any     Ethernet 3
4         x.x.x.96   0.0.0.224    Any     Ethernet 4
5         x.x.x.128  0.0.0.224    Any     Ethernet 1
6         x.x.x.160  0.0.0.224    Any     Ethernet 2
7         x.x.x.192  0.0.0.224    Any     Ethernet 3
8         x.x.x.224  0.0.0.224    Any     Ethernet 4

Return Flow (to x.x.x.165)
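The two flow tables above are identical except for which address they key on: the ingress switch masks the source address, the egress switch masks the destination address, so a host's outbound packets and the replies to it land on the same numbered port and therefore the same security platform. The following is an added example, not code from the slide deck or from Arista; it builds the eight-bucket table with the 0.0.0.224 mask, reproduces the binary split shown for x.x.x.165, verifies that the rows are disjoint and cover every last-octet value, and contrasts the symmetric design with a naive egress table that keys on the reply's source address instead. The subnet 192.0.2.0/24 and the outside peer 198.51.100.77 are constructed placeholders for the x.x.x prefix.

```python
"""Mask-based symmetric flow bucketing, modelled on the ingress/egress tables above."""
import ipaddress

# Constructed data: the slide writes hosts as x.x.x.N, so 192.0.2.0/24 (an
# RFC 5737 documentation prefix) stands in for the real subnet here.
SUBNET = ipaddress.IPv4Network("192.0.2.0/24")
MASK_OCTET = 224            # 0.0.0.224 = 111 00000: only the top three bits are matched
PORTS = ["Ethernet 1", "Ethernet 2", "Ethernet 3", "Ethernet 4"]


def build_table():
    """Buckets 1..8 as on the slide: match value steps by 32, ports wrap around 1-4.

    Each row is (bucket_number, match_octet, mask_octet, egress_port).
    """
    return [(b + 1, b * 32, MASK_OCTET, PORTS[b % len(PORTS)]) for b in range(8)]


def lookup(address, table):
    """Ternary match on the last octet: (octet AND mask) == match value.

    The ingress switch applies this to SRC IP, the egress switch to DST IP; the
    rows are the same on both, which is what keeps a conversation on one port.
    """
    octet = int(ipaddress.IPv4Address(address)) & 0xFF
    for bucket, match_octet, mask, port in table:
        if octet & mask == match_octet:
            return bucket, port
    raise LookupError(f"no bucket matches {address}")  # unreachable with a complete table


def ingress_port(src_ip, table):
    """Forward direction: the ingress switch buckets on the source address."""
    return lookup(src_ip, table)[1]


def egress_port(dst_ip, table):
    """Return direction: the egress switch buckets on the destination address."""
    return lookup(dst_ip, table)[1]


def naive_egress_port(return_src_ip, table):
    """Failure mode: an egress table that buckets on the reply's SOURCE (the outside peer)."""
    return lookup(return_src_ip, table)[1]


def show_bits(octet):
    """Render the last octet as the slide does: three matched bits, five don't-care bits."""
    bits = format(octet, "08b")
    return f"{bits[:3]} {bits[3:]}"


def table_is_complete(table):
    """True when the rows are disjoint and cover every last-octet value 0..255."""
    hits = [sum(1 for _, m, mask, _ in table if v & mask == m) for v in range(256)]
    return all(h == 1 for h in hits)


def conversation_is_symmetric(inside_host, outside_peer, table):
    """Packets from inside_host and the replies to it must hit the same port."""
    return ingress_port(inside_host, table) == egress_port(inside_host, table)


def naive_conversation_is_symmetric(inside_host, outside_peer, table):
    """Same check for the naive egress table; fails whenever the peer lands in another bucket."""
    return ingress_port(inside_host, table) == naive_egress_port(outside_peer, table)


if __name__ == "__main__":
    table = build_table()
    host, peer = str(SUBNET[165]), "198.51.100.77"     # the slide's x.x.x.165 and a constructed peer
    bucket, port = lookup(host, table)
    print(f"mask {show_bits(MASK_OCTET)} / match {show_bits(160)} / src {show_bits(165)}")
    print(f"{host} -> bucket {bucket}, {port}; reply to {host} -> {egress_port(host, table)}")
    print("table complete:", table_is_complete(table))
    print("symmetric for every host:",
          all(conversation_is_symmetric(str(h), peer, table) for h in SUBNET.hosts()))
    print("naive egress keeps the conversation together:",
          naive_conversation_is_symmetric(host, peer, table))
```

The naive variant is the trap the slide's design avoids: keying the egress table on the reply's source would send traffic from x.x.x.165 through Ethernet 2 but the answers to it through whatever port the outside peer's octet happens to hash to, and a stateful inspector that sees only one direction cannot reassemble the session.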

Comprehensive Visibility


Data Center Monitoring Challenges

• Data center scale: number of tap points
• In-band monitoring: competes for bandwidth
• Switch port mirroring: reactive approach
• Network packet brokers: expensive
• Multiple tools needed: send traffic to all tools
• Tools limited to 1/10G: tools overwhelmed by traffic
• 24/7 monitoring: not practical

Tap Aggregation With Switches
[Figure: the production leaf-spine network (spine layer, MLAG, leaf layer, servers) is tapped into a separate tap aggregation network with a tap layer and a tool layer, built from Arista 7150S, 7280E and 7500E (hybrid mode) switches and controlled through EOS eAPI; data center network tools attach at 1Gbps, 10Gbps, 40Gbps and 100Gbps.]

Value Proposition Example
[Chart: cost in thousands of dollars ($0 to $250) split into Tools and Aggregation, comparing NPBs with Arista; port counts shown: 24 x 10GbE ports, 48 x 10GbE.]
DANZ Frees up IT Budget for Better Tools and Broader Access

DPI with Cloud Scale Data Center
[Figure: Arista EOS switches (7150 Series, 7050/7050X Series, 7500E Series, 7300X Series, 7280E Series) act as the tap aggregator, with OpenFlow, feeding Trend Micro™ Deep Discovery Inspector.]
Best-of-breed solution: end-to-end network security DPI to examine and analyze the massive amount of data in a modern data center

Arista and Trend Micro Joint Solution
[Figure: production network with mirrored ports and taps feeding a monitoring network of DANZ enabled switches.]
• Application Visibility: redirect interested traffic to DDI for monitoring and analysis
• Detection and Protection: inbound/outbound/internal network traffic
• Economic Scale: 1G/10G/40G and 100G

Arista and Trend Micro Joint Solution
• Symmetrical/Dynamic distribution of flows across N x DDI
• QSFP100 ports for support of 100G tap interfaces
[Chart: ten DDI analyzers, each receiving 10% of the traffic.]

Scale out Trend Micro DDI with Arista symmetric hash algorithm
Conversation pairs shown: B – C and C – B; D – C and C – D; A – D and D – A
Ensure all traffic in one conversation hits the same analyzer
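The requirement is that A – D and D – A reach the same DDI unit, which a hash over the packet's 5-tuple in wire order does not give you, since the source and destination swap on the way back. The usual fix is to canonicalise the tuple (sort the two endpoints) before hashing, then take the hash modulo the number of analyzers. The following is an added example, not Arista's or Trend Micro's code, and it uses SHA-256 as a stand-in for the switch's hardware hash, which the slide does not describe; the addresses, ports and 10,000 sample flows are constructed. It shows the symmetric hash keeping both directions together, the order-dependent hash splitting them, and the roughly even 10% spread over ten analyzers.

```python
"""Symmetric conversation hashing across N analyzers (added example)."""
import hashlib
import ipaddress
import struct
from collections import Counter

N_ANALYZERS = 10   # the slide shows ten DDI units at 10% each


def ip_to_int(ip):
    return int(ipaddress.IPv4Address(ip))


def canonical_key(ip_a, port_a, ip_b, port_b, proto):
    """Sort the two endpoints so A->B and B->A serialise to the same bytes."""
    lo, hi = sorted([(ip_to_int(ip_a), port_a), (ip_to_int(ip_b), port_b)])
    return struct.pack("!IHIHB", lo[0], lo[1], hi[0], hi[1], proto)


def wire_order_key(ip_a, port_a, ip_b, port_b, proto):
    """The naive key: fields exactly as they appear in the packet, no sorting."""
    return struct.pack("!IHIHB", ip_to_int(ip_a), port_a, ip_to_int(ip_b), port_b, proto)


def _bucket(key, n):
    # SHA-256 is an assumption standing in for the ASIC hash; any stable,
    # well-mixed function works as long as both directions produce the same key.
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:8], "big") % n


def analyzer_for(ip_a, port_a, ip_b, port_b, proto, n=N_ANALYZERS):
    """Symmetric: the analyzer index is the same for either direction of the flow."""
    return _bucket(canonical_key(ip_a, port_a, ip_b, port_b, proto), n)


def asymmetric_analyzer_for(ip_a, port_a, ip_b, port_b, proto, n=N_ANALYZERS):
    """Failure mode: order-dependent hashing can send the reply to another analyzer."""
    return _bucket(wire_order_key(ip_a, port_a, ip_b, port_b, proto), n)


def sample_flows(count):
    """Constructed TCP flows: inside hosts in 10.0.0.0/16 talking to one outside peer."""
    return [(f"10.0.{i >> 8}.{i & 255}", 40000 + (i % 20000), "203.0.113.5", 443, 6)
            for i in range(count)]


def distribution(flows, n=N_ANALYZERS):
    """How many flows each analyzer receives under the symmetric hash."""
    return Counter(analyzer_for(*f, n=n) for f in flows)


def split_conversations(flows, hash_fn, n=N_ANALYZERS):
    """Count flows whose reply direction lands on a different analyzer than the request."""
    return sum(1 for (a, pa, b, pb, pr) in flows
               if hash_fn(a, pa, b, pb, pr, n) != hash_fn(b, pb, a, pa, pr, n))


if __name__ == "__main__":
    flows = sample_flows(10_000)
    print("A->D:", analyzer_for("10.0.0.1", 51000, "203.0.113.4", 443, 6),
          "D->A:", analyzer_for("203.0.113.4", 443, "10.0.0.1", 51000, 6))
    print("split conversations, symmetric hash:", split_conversations(flows, analyzer_for))
    print("split conversations, wire-order hash:", split_conversations(flows, asymmetric_analyzer_for))
    for idx, count in sorted(distribution(flows).items()):
        print(f"analyzer {idx}: {count / len(flows):.1%}")
```

Two practical checks follow from this: the key must include every field the inspector needs to see together (both addresses, both ports, the protocol), and adding or removing an analyzer changes n and therefore remaps most conversations, so capacity changes are best done at a quiet time or with a consistent-hashing scheme rather than a plain modulo.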

Active Mitigation


Adding Mitigation to Monitoring
[Figure: production network with mirrored ports and taps feeding DANZ enabled switches in the monitoring network. Monitoring tools attached: Next Generation Firewall, Load Balancer, Content Monitor (DLP), IDS/IPS Platform, Anomaly Detection, Traffic Data Recorder. An Active Mitigation path is shown alongside the monitoring path.]

Active Mitigation

The visibility and context provided by security devices are leveraged to make optimized and secure SDN forwarding decisions on Arista switches.

[Figure: an Arista switch in front of a security platform, with three flow classes: Trusted Flow, Attack Flow, Untrusted/Unknown Flow.]

1. SDN flow configuration is integrated into the security policy and configured through the device GUI.
2. The device triggers per-flow policy on the switch.
3. Arista EOS receives the device request and modifies the flow tables appropriately.
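The three steps above describe a control loop: the security device classifies a flow, pushes a per-flow verdict to the switch, and EOS turns that verdict into a flow-table entry. The following is an added example, not Arista's code or API, that models that loop offline: a small flow table that maps verdicts to actions, a guard that rejects malformed requests, and the JSON-RPC 2.0 envelope that EOS eAPI expects (method runCmds with a list of CLI commands). The mapping of the diagram's three classes to actions (trusted forwarded directly, attack dropped, unknown steered through the security platform), the port name Ethernet4 and the DirectFlow-style CLI lines are assumptions for illustration, not syntax taken from the slide; the IP addresses are constructed.

```python
"""Per-flow policy handoff from a security device to the switch (added example)."""
import ipaddress
import json

# Hypothetical switch port that faces the security platform in the diagram above.
SECURITY_PLATFORM_PORT = "Ethernet4"

# Assumed reading of the diagram's three flow classes: trusted traffic bypasses
# the security platform, attack traffic is dropped, untrusted/unknown traffic is
# steered through the security platform for inspection.
VERDICT_ACTIONS = {
    "trusted": "forward",
    "attack": "drop",
    "unknown": f"redirect {SECURITY_PLATFORM_PORT}",
}
DEFAULT_ACTION = VERDICT_ACTIONS["unknown"]   # anything not yet classified gets inspected


class FlowTable:
    """Minimal per-flow table keyed by (src, dst); stands in for the switch's hardware table."""

    def __init__(self):
        self.entries = {}

    def apply_verdict(self, name, src_ip, dst_ip, verdict):
        """The security device's verdict becomes one named flow entry on the switch."""
        if verdict not in VERDICT_ACTIONS:
            raise ValueError(f"unknown verdict {verdict!r}")
        # Parse the addresses so a malformed request cannot create a wildcard entry.
        src = str(ipaddress.IPv4Address(src_ip))
        dst = str(ipaddress.IPv4Address(dst_ip))
        entry = {"match": {"src": src, "dst": dst}, "action": VERDICT_ACTIONS[verdict]}
        self.entries[name] = entry
        return entry

    def remove(self, name):
        """Withdraw a per-flow entry; the flow falls back to the default action."""
        return self.entries.pop(name, None) is not None

    def decide(self, src_ip, dst_ip):
        """Forwarding decision for a packet: first matching entry, else the default."""
        for entry in self.entries.values():
            match = entry["match"]
            if match["src"] == src_ip and match["dst"] == dst_ip:
                return entry["action"]
        return DEFAULT_ACTION


def directflow_cli(name, entry):
    """Illustrative DirectFlow-style CLI for one entry (assumed syntax, not from the slide)."""
    return [
        "directflow",
        f"flow {name}",
        f"match source ip {entry['match']['src']}",
        f"match destination ip {entry['match']['dst']}",
        f"action {entry['action']}",
    ]


def eapi_request(cmds, request_id="1"):
    """EOS eAPI speaks JSON-RPC 2.0: method runCmds carrying a list of CLI commands."""
    return {
        "jsonrpc": "2.0",
        "method": "runCmds",
        "params": {"version": 1, "cmds": ["enable", "configure"] + list(cmds), "format": "json"},
        "id": request_id,
    }


if __name__ == "__main__":
    table = FlowTable()
    entry = table.apply_verdict("attack-1", "10.0.0.5", "198.51.100.9", "attack")
    print(json.dumps(eapi_request(directflow_cli("attack-1", entry)), indent=2))
    print("10.0.0.5 -> 198.51.100.9:", table.decide("10.0.0.5", "198.51.100.9"))
    print("10.0.0.6 -> 198.51.100.9:", table.decide("10.0.0.6", "198.51.100.9"))
```

Whatever the real CLI looks like, two properties of this loop matter for a defender: the default for anything the security device has not classified is inspection, not a bypass, and a verdict creates an exact-match entry rather than a wildcard, so a bad or spoofed request cannot quietly open a trusted path for a whole subnet.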

Mitigation Through Programmability

[Figure: EOS architecture. Standard Linux kernel; KVM virtual machine; SysDB, the central state database; agents around SysDB: XMPP client, JSON RPC API, ASIC drivers, Spanning Tree, CLI, MLAG, routing protocols, Linux tools, and partner logic (OpenStack, F5 iControl, VMware NSX).]

• Local Daemons/Extensions - C++, Python, etc
• Local Scripts - Python, TCL, Shell
• EOS eAPI - JSON Web Services API
• OpenFlow 1.0/1.3 - Multi-vendor services
• Packaged Extensions - CloudVision, etc
• Partner Integration - F5, Palo Alto, OMI
• Direct Flow Programming - Customized redirection

Experience The Power of vEOS

www.arista.com

eos.arista.com

www.youtube.com/user/AristaNetworks