Security Solutions for Financial Institutions
© 2006 Cisco Systems, Inc. All rights reserved. VM_security
Goran Peteh, Enterprise Systems [email protected]
Cisco Nexus 1000V
Software Based
• Industry’s first 3rd-party vNetwork Distributed Switch for VMware vSphere
• Built on Cisco NX-OS
• Compatible with all switching platforms
Key properties: Policy-Based VM Connectivity; Mobility of Network & Security Properties; Non-Disruptive Operational Model.
(Diagram: the Nexus 1000V running inside vSphere, with the VMs attached to it.)
© 2009 Cisco Systems, Inc. All rights reserved.
VN-Link Brings VM Level Granularity
Problems:
• VMotion may move VMs across physical ports—policy must follow
• Impossible to view or apply policy to locally switched traffic
• Cannot correlate traffic on physical links from multiple VMs
VN-Link:
• Extends network to the VM
• Consistent services
• Coordinated, coherent management
(Diagram: VMs on VLAN 101 attached to a Cisco VN-Link switch, with VMotion moving a VM between hosts.)
Cisco Nexus 1000V Architecture
Virtual Supervisor Module (VSM)
• Virtual or physical appliance running Cisco NX-OS (supports HA)
• Performs management, monitoring, & configuration
• Tight integration with VMware vCenter
Virtual Ethernet Module (VEM)
• Enables advanced networking capability on the hypervisor
• Provides each VM with dedicated “switch port”
• Collection of VEMs = 1 vNetwork Distributed Switch
Cisco Nexus 1000V Installation
• ESX & ESXi
• VUM & manual installation
• VEM is installed/upgraded like an ESX patch
(Diagram: one Nexus 1000V VSM integrated with vCenter controls a VEM in each vSphere host; each VEM serves several VMs.)
Virtualizing the DMZ: Mapping the Roles and Responsibilities
• Separation of duties for virtualization, security, and network administrators
• Implement existing policies and procedures
• Identical tools for physical network: minimize miscommunication
n1000v# show port-profile name WebServers
port-profile WebProfile
  description:
  status: enabled
  capability uplink: no
  system vlans:
  port-group: WebProfile
  config attributes:
    switchport mode access
    switchport access vlan 110
    no shutdown
  evaluated config attributes:
    switchport mode access
    switchport access vlan 110
    no shutdown
  assigned interfaces:
    Veth10
Virtualize the DMZ
• Restrict production VM access to sensitive parts of the data center
• Segregate traffic to/from the web server
• Protect management traffic
• Protect servers
(Diagram: an access control list on the vSphere host separating the VMkernel, the FTP VM and the WWW VM.)
dcvsm(config)# ip access-list deny-vm-traffic-to-ftp-server
dcvsm(config-acl)# deny tcp host 10.10.10.10 eq ftp any
dcvsm(config-acl)# permit ip any any
Increase DMZ Visibility with ERSPAN
• ERSPAN allows VM traffic to be mirrored to a traffic analyzer
• Mirrored traffic can traverse a Layer 3 network
• Visibility through centralized L4-7 services (firewall, intrusion detection system)
(Diagram: port mirroring from the VMs across the Layer 3 network to a firewall and an intrusion detection system.)
Monitor a High Density VM Deployment with the Nexus 1000V
• Select individual VM traffic to review
• Mirror traffic for further inspection using ERSPAN
• Analyze network traffic patterns and export them to a collector using NetFlow
(Diagram: network analysis and intrusion detection systems receiving the mirrored and exported traffic.)
Cisco Integrated Security Features Mitigate Network Attacks
Each threat in the diagram is paired with the switch feature that mitigates it:
• Rogue VM: change/add MAC address: Port Security
• Rogue VM: change/add IP address: IP Source Guard
• Rogue DHCP server: DHCP Snooping
• Rogue VM: send ARP to announce VM location: Dynamic ARP Inspection
(Diagram also shows VMotion: these port-level protections move with the VM, as described earlier for VN-Link.)
Loop Prevention without STP
(Diagram: three Cisco VEMs hosting VM1 to VM12, each with uplinks Eth4/1 and Eth4/2; X marks show the paths the VEM blocks so that frames cannot loop between uplinks without running spanning tree.)
Port Profile Configuration
n1000v# show port-profile name WebProfile
port-profile WebProfile
  description:
  status: enabled
  capability uplink: no
  system vlans:
  port-group: WebProfile
  config attributes:
    switchport mode access
    switchport access vlan 110
    no shutdown
  evaluated config attributes:
    switchport mode access
    switchport access vlan 110
    no shutdown
  assigned interfaces:
    Veth10
Supported commands include:
• Port management
• VLAN
• PVLAN
• Port-channel
• ACL
• NetFlow
• Port Security
• QoS
How Cisco NAC Works: The Goal
1. End user attempts to access the network
   • Initial access is blocked
   • Single sign-on or web login
2. NAC Server gathers and assesses user/device information
   • Username and password
   • Device configuration and vulnerabilities
3a. Noncompliant device or incorrect login
   • Access denied
   • Placed in quarantine for remediation
3b. Device is compliant
   • Placed on the “certified devices list”
   • Network access granted
(Diagram: NAC Manager, NAC Server, Authentication Server, a Quarantine role and the Intranet/Network.)
Device Profiling: Automate Inventory Collection
• Identify all endpoints
• Real-time monitoring and profiling
(Diagram: NAC Profiler alongside NAC Manager, NAC Server and an AAA Server / Windows AD, profiling endpoints including a Mac.)
Cover All Use Cases
• Endpoint Compliance: network access only for compliant devices
• Wireless Compliance: secured network access only for compliant wireless devices
• Governance Compliance: ensure user compliance with governance and risk acceptable-use policies
• Guest Compliance: restricted Internet access only for guest users
• VPN User Compliance: intranet access only for compliant remote access users
(Diagram locations: Campus Building 1, Wireless Building 2, Conference Room in Building 3, Internet/IPSec remote access, with 802.1Q between them.)
What is a WAF?
• WAF devices protect web applications from specific vulnerabilities that IDS/IPS/FW do not see.
• Web Application Firewalls intercept, inspect and deny/reject/allow Layer-7 traffic.
• WAF devices intercept all traffic bound for the web server.
• WAF devices are complex devices with sophisticated features: they have to be as complex as the web applications they protect.
(Diagram: browser → WAF → web servers → application servers → database servers.)
DDoS protection
(Diagram: a Cisco Anomaly Guard Module and a Cisco Traffic Anomaly Detector Module (or Cisco IDS or third-party system) in front of three protected zones: Zone 1: Web, Zone 2: Name Servers, Zone 3: E-Commerce Application.)
Dynamic Mitigation At Work
1. Detect (Cisco Traffic Anomaly Detector Module)
2. Activate: auto/manual
3. Divert only the target’s traffic (to the Cisco Anomaly Guard Module)
4. Identify and filter malicious traffic
5. Forward legitimate traffic to the target
6. Non-targeted traffic flows freely
(Diagram: only traffic destined to the target is diverted through the Anomaly Guard Module; protected zones as on the previous slide.)
Security Operations/Reactions Today
Action steps: 1. Alert, 2. Investigate, 3. Mitigate. Always too late.
Security knowledge base: Firewall, IDS/IPS, VPN, Vulnerability Scanners, Authentication Servers, Router/Switch, Anti-Virus, 10K Win, 100s UNIX.
Loop: collect network diagram, read and analyze tons of data, repeat.
Security Threat Management (STM)
Passive monitoring → Active (real-time) monitoring
• Network intelligence
• Attack vector analysis
• Better performance
• Ability to mitigate or contain threats
Key Concept
• Events: raw messages sent to CS-MARS by the monitoring/reporting devices
• Sessions: events that are correlated by CS-MARS across NAT boundaries
• Incidents: identification of sessions to correlation rules
Analogy: “Mark was hired to break into buildings. He must assure security personnel are vigilant.”
• 14 events (each word = 1 event)
• 2 sessions (each sentence = 1 session)
• 1 incident (the whole story)
Sessionization
(Diagram: an enterprise network with Enterprise Campus (Building, Building Distribution, Core, Lab, Management Server, ACS, CSM, CS-MARS), Enterprise Edge (E-Commerce, Edge Distribution, Corporate Internet, VPN and Remote Access, WAN) and Service Provider Edge (ISP A, ISP B, PSTN, Frame/ATM). Numbered events 1 to 7 from different devices are sessionized into alerts such as “Joe Smith Did Lots of Traffic at 9pm PST”, “Unusual Traffic Based on Baseline”, “High Amount of IPSec Packets” and “Joe Smith performed a Buffer Overflow”.)
Typical Incident
1. Host A: RECON-ICMP and port scans to Target X, followed by a port sweep
2. Followed by a Host A buffer overflow attack to Target X, where X is vulnerable to the attack
3. Followed by Target X executing a password attack on Target Y
(Diagram: Host A (“Hi, They Call Me Joe”) → Target X → Target Y.)
Life of an Incident
1. Events come into the appliance from network devices
2. Events are parsed
3. Normalized
4. Sessionized/NAT correlation
5. Run against the rule engine (drop rule matched first; all rules are checked)
6. False-positive analysis
7. Vulnerability assessments against suspected hosts
Rules: Matching (Incident Detail Page)
A match for the first line gives a value to the variables:
$TARGET01 = 40.40.1.23
$TARGET02 = 192.168.1.10
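The pipeline from “Life of an Incident” and the variable binding shown on this slide, as an added Python example (not Cisco code and not from the deck); the log lines, the NORMALIZE map and the three-line RULE are constructed for illustration:

```python
import re
from collections import defaultdict

# Constructed raw messages from an IPS (ids1) and a firewall (fw1), reproducing
# the deck's recon -> buffer overflow -> password-attack sequence.
RAW_EVENTS = [
    "ids1 t=1 sig=ICMP-Ping-Network-Sweep src=40.40.1.23 dst=192.168.1.10",
    "fw1 t=2 msg=Built-IP-Connection src=40.40.1.23 dst=192.168.1.10",
    "ids1 t=3 sig=WWW-IIS-.ida-Overflow src=40.40.1.23 dst=192.168.1.10",
    "ids1 t=4 sig=Password-Attack src=192.168.1.10 dst=10.1.1.10",
]
# Step 3 (normalize): device-specific names -> common event types (constructed).
NORMALIZE = {"ICMP-Ping-Network-Sweep": "RECON-ICMP", "Built-IP-Connection": "CONNECT",
             "WWW-IIS-.ida-Overflow": "BUFFER-OVERFLOW", "Password-Attack": "PASSWORD-ATTACK"}
# Hypothetical three-line rule: (event type, source variable, destination variable).
# The first matching line binds the variables, as on the "Rules: Matching" slide.
RULE = [("RECON-ICMP", "$TARGET01", "$TARGET02"),
        ("BUFFER-OVERFLOW", "$TARGET01", "$TARGET02"),
        ("PASSWORD-ATTACK", "$TARGET02", "$TARGET03")]

def parse(line):
    """Step 2: split a raw message into its device name and key=value fields."""
    device, rest = line.split(" ", 1)
    return {"device": device, **dict(re.findall(r"(\w+)=(\S+)", rest))}

def normalize(ev):
    """Step 3: map the vendor signature/message name to a common event type."""
    ev["type"] = NORMALIZE.get(ev.get("sig") or ev.get("msg"), "UNKNOWN")
    return ev

def sessionize(events):
    """Step 4: group events by (src, dst); one session may carry many events."""
    sessions = defaultdict(list)
    for ev in events:
        sessions[(ev["src"], ev["dst"])].append(ev)
    return dict(sessions)

def match_rule(events, rule=RULE):
    """Step 5: walk the rule lines in time order; return the bindings on a full match."""
    bindings, line = {}, 0
    for ev in sorted(events, key=lambda e: int(e["t"])):
        etype, s_var, d_var = rule[line]
        # A bound variable must keep its value; an unbound one takes it from this event.
        if ev["type"] != etype or bindings.get(s_var, ev["src"]) != ev["src"] \
                or bindings.get(d_var, ev["dst"]) != ev["dst"]:
            continue
        bindings.update({s_var: ev["src"], d_var: ev["dst"]})
        line += 1
        if line == len(rule):
            return bindings          # every line matched: this is one incident
    return None                      # sequence incomplete: no incident
```

Running `match_rule([normalize(parse(l)) for l in RAW_EVENTS])` binds $TARGET01 = 40.40.1.23 and $TARGET02 = 192.168.1.10 as on the slide; a password attack from a host other than the bound $TARGET02 leaves the rule unmatched.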
Incident Details
• Detailed information for each session
• Reporting devices
• Raw messages for the session selected
Topology and Attack Vector
It is important to visualize the information, not just see the data: topology graph and attack diagram.
Rules: Path
Sessions can be graphically displayed with their sequence:
Step 1: 40.40.1.23 → 192.168.1.10 (1 session)
Step 2: 40.40.1.23 → 192.168.1.10 (2 sessions)
Step 3: 192.168.1.10 → 10.1.1.10 (3 sessions)
Rules: Attack Vector
Graphical representation of the attack vector time sequence:
1. Event: ICMP Ping Network Sweep
2. Event: Built/Teardown/Permitted IP Connection
3. Event: WWW IIS .ida Indexing Service Overflow
Rules: Mitigation
Two possible mitigation points on which we can act. Choose:
1. The mitigation device
2. The preferred command: block host, block connection, shun
Addressing the Twelve Requirements of PCI DSS
PCI Data Security Standard Requirements
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security requirements
Protect Cardholder Data
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security
PCI Solution Mapping (✓ = the product helps address the requirement; n/a = not applicable; the page’s original mark is reproduced here as ✓)
Req | ISR | ASA | CSA | MARS | WLAN | IPS | NAC | 6500 | IronPort | CSM | NCM | ACE XML | ACS
 1  |  ✓  |  ✓  |  ✓  |  ✓   |  ✓   | n/a | n/a |  ✓   |   n/a    |  ✓  |  ✓  |   n/a   | n/a
 2  |  ✓  |  ✓  | n/a |  ✓   |  ✓   | n/a | n/a | n/a  |   n/a    |  ✓  |  ✓  |   n/a   | n/a
 3  | n/a | n/a |  ✓  |  ✓   | n/a  | n/a | n/a | n/a  |   n/a    | n/a | n/a |   n/a   | n/a
 4  |  ✓  |  ✓  | n/a |  ✓   |  ✓   | n/a | n/a |  ✓   |    ✓     |  ✓  |  ✓  |   n/a   | n/a
 5  |  ✓  |  ✓  |  ✓  |  ✓   | n/a  | n/a |  ✓  | n/a  |    ✓     | n/a | n/a |   n/a   | n/a
 6  |  ✓  | n/a |  ✓  |  ✓   | n/a  | n/a |  ✓  | n/a  |    ✓     | n/a |  ✓  |    ✓    | n/a
 7  |  ✓  |  ✓  |  ✓  |  ✓   | n/a  | n/a |  ✓  |  ✓   |   n/a    |  ✓  |  ✓  |   n/a   |  ✓
 8  |  ✓  |  ✓  |  ✓  |  ✓   | n/a  | n/a | n/a | n/a  |   n/a    |  ✓  |  ✓  |   n/a   |  ✓
 9  | n/a | n/a | n/a | n/a  | n/a  | n/a | n/a | n/a  |   n/a    | n/a | n/a |   n/a   | n/a
10  |  ✓  |  ✓  |  ✓  |  ✓   |  ✓   |  ✓  | n/a |  ✓   |   n/a    |  ✓  |  ✓  |   n/a   |  ✓
11  |  ✓  |  ✓  |  ✓  |  ✓   |  ✓   |  ✓  | n/a |  ✓   |   n/a    |  ✓  |  ✓  |   n/a   | n/a
12  |  ✓  |  ✓  |  ✓  |  ✓   |  ✓   |  ✓  |  ✓  |  ✓   |    ✓     |  ✓  |  ✓  |    ✓    |  ✓
More Information
• Cisco Compliance information: http://www.cisco.com/go/compliance
• PCI Solution for Retail – DIG, Architectures: http://www.cisco.com/web/strategy/retail/pci.html
• PCI Security Standards Council: https://www.pcisecuritystandards.org/
• VISA Cardholder Information Security Program: http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html
• MasterCard Site Data Protection: https://sdp.mastercardintl.com/