
Micro Segmentation Security: Securing IT Through Macro-segmentation


Page 1: Micro Segmentation Security: Securing IT Through Macro-segmentation

Proprietary & Confidential

Securing IT Through Macro-Segmentation

November 15th, 2016

Marco Pessi

Sr. Technical Product Manager

Pluribus Networks

Page 2: Micro Segmentation Security: Securing IT Through Macro-segmentation


Agenda

How to Secure Network Fabric

‒ Fabric Management

‒ Multi-tenancy/Private Virtual Networks

‒ Secure Control Plane

‒ Security Service Insertion

‒ Putting it all together: Fabric Security Architecture

‒ Analytics


Page 3: Micro Segmentation Security: Securing IT Through Macro-segmentation


Securing Scale-Out Fabrics

Figure: a scale-out fabric of racks 1, 2, … 100 plus an edge rack (101) that connects to the external network. A VTEP in each rack provides VXLAN L2 extension across all 100 racks over an IP underlay; the spine layer runs BGP/OSPF.

Page 4: Micro Segmentation Security: Securing IT Through Macro-segmentation


Virtualization Centric Fabric – VCF

Figure: a fabric of L2/L3/VXLAN open networking nodes, each running the built-in fabric controller, with these callouts:
‒ Built-in Fabric Controller: distributed peer-to-peer cluster with configuration state consistency (with rollback); a single CLI/API manages all nodes; no controllers, no new protocols, 100% interoperable
‒ Secure Multi-Tenancy: Virtual Private Networks for holistic multi-tenancy
‒ Security Service Insertion: granular flow control for conditional security insertion policies
‒ Application Visibility: built in (TCP connection tracking on every node), no taps, no brokers, no expensive tools

Page 5: Micro Segmentation Security: Securing IT Through Macro-segmentation


Netvisor Private Virtual Networks: Agile, Secure Multi-Tenancy

Rapid provisioning of Private Virtual Networks (VNETs) as virtual PODs (vPODs) with management, control and data plane isolation

Independent tenant networks
‒ Overlapping subnets (VLANs and IP prefixes)
‒ Independent vRouter on each VNET

Independent Management Plane
‒ Independent provisioning
‒ Per-tenant visibility of flows, services, VMs

Figure: three tenant networks hosting VMs, each with its own full VLAN space (VLAN 1-4K) and with overlapping IP prefixes: VNET-A 172.10.0.0/16, VNET-B 172.0.0.0/8, VNET-C 172.0.16.0/20.

Page 6: Micro Segmentation Security: Securing IT Through Macro-segmentation


Netvisor Private Virtual Networks: Agile, Secure Multi-Tenancy

Secure access to infrastructure network
‒ Simplified Tenant Network View isolates the common transport network from the tenant network

Data Plane Isolation
‒ Automatic orchestration of VLAN, VRF and VXLAN VNI space to prevent leaking between tenants
‒ Anti-spoofing mechanism
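As an added illustration (example code written for this page, not Pluribus Netvisor code), the following Python model shows why the three overlapping tenant prefixes above can coexist: each (VNET, VLAN) pair is given its own VXLAN VNI and each VNET its own VRF, so VLAN 10 and the same destination address resolve to different segments per tenant, and an isolation check confirms that no VNI is reachable from two tenants. The VNET names and prefixes are the slide's; VLAN 10, the VNI range and the class and function names are assumptions made for the example.

```python
"""Added example, not Pluribus code: a model of the VNET orchestration the slide
describes.  Tenants may reuse VLAN IDs and IP prefixes because the fabric hands
each (tenant, VLAN) its own VXLAN VNI and each tenant its own VRF.  Tenant names
and prefixes come from the slide; VLAN 10 and the VNI range are assumptions."""
from ipaddress import ip_address, ip_network

VNI_FIRST, VNI_LAST = 10_000, (1 << 24) - 1  # VNI is a 24-bit field; 10000 as a start is an assumption
VLAN_MAX = 4094


class Fabric:
    def __init__(self):
        self._next_vni = VNI_FIRST
        self._vni = {}   # (tenant, vlan) -> vni, unique fabric-wide
        self._vrf = {}   # tenant -> {ip_network: vlan}, one routing table per tenant

    def create_vnet(self, tenant):
        if tenant in self._vrf:
            raise ValueError(f"VNET {tenant} already exists")
        self._vrf[tenant] = {}

    def add_vlan(self, tenant, vlan, prefix):
        """Attach a VLAN/prefix to a tenant VNET and allocate its VNI."""
        if not 1 <= vlan <= VLAN_MAX:
            raise ValueError(f"VLAN {vlan} out of range")
        if (tenant, vlan) in self._vni:
            raise ValueError(f"VLAN {vlan} already in VNET {tenant}")
        if self._next_vni > VNI_LAST:
            raise RuntimeError("VNI space exhausted")
        net = ip_network(prefix)
        # Inside one VRF a subnet must be unique; across VRFs overlap is allowed.
        for existing in self._vrf[tenant]:
            if existing.overlaps(net):
                raise ValueError(f"{net} overlaps {existing} inside VNET {tenant}")
        vni = self._next_vni
        self._next_vni += 1
        self._vni[(tenant, vlan)] = vni
        self._vrf[tenant][net] = vlan
        return vni

    def vni(self, tenant, vlan):
        return self._vni[(tenant, vlan)]

    def route(self, tenant, dst):
        """Longest-prefix lookup in the tenant's own VRF -> (vlan, vni) or None."""
        addr = ip_address(dst)
        best = None
        for net, vlan in self._vrf[tenant].items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, vlan)
        if best is None:
            return None
        return best[1], self._vni[(tenant, best[1])]

    def shared_vnis(self):
        """Isolation check: a VNI owned by two tenants would bridge their segments."""
        owner, shared = {}, []
        for (tenant, _vlan), vni in self._vni.items():
            if vni in owner and owner[vni] != tenant:
                shared.append(vni)
            owner.setdefault(vni, tenant)
        return shared


def build_demo():
    """The three VNETs from the slide; all three reuse VLAN 10 and overlapping prefixes."""
    f = Fabric()
    for tenant, prefix in (("VNET-A", "172.10.0.0/16"),
                           ("VNET-B", "172.0.0.0/8"),
                           ("VNET-C", "172.0.16.0/20")):
        f.create_vnet(tenant)
        f.add_vlan(tenant, 10, prefix)
    return f


if __name__ == "__main__":
    fabric = build_demo()
    # 172.10.0.5 lies inside VNET-A's /16 and VNET-B's /8: same VLAN id, different VNIs.
    print(fabric.route("VNET-A", "172.10.0.5"))
    print(fabric.route("VNET-B", "172.10.0.5"))
    print(fabric.shared_vnis())
```

The check that matters for leakage is `shared_vnis()`: overlapping prefixes are harmless as long as the VNI and VRF namespaces are partitioned per tenant, which is exactly what the automatic orchestration on this slide is responsible for.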

Page 7: Micro Segmentation Security: Securing IT Through Macro-segmentation



Anti-Spoofing Mechanism: vFlow Technology for comprehensive uRPF

§ vFlow can be used to prevent servers belonging to a logical tenant from sourcing IP traffic with an illegitimate prefix
‒ vFlow stats are provided to monitor uRPF violations
‒ Independent dedicated TCAM space

§ Supports all types of traffic:
‒ Bridged
‒ Routed
‒ VXLAN tunneled (terminated on switch)
‒ VXLAN tunneled (pass-through)

Enforce server traffic to use a consistent VLAN/IP address (here for tenant amber, whose legitimate source prefix on its VLAN is 10.1.11.0/27; <amber> stands for that tenant's VLAN):

CLI> vflow-create vlan <amber> src-ip 10.1.11.0/27 name amber-urpf-permit action none table System-VCAP-table-1-0
CLI> vflow-create vlan <amber> src-ip 0.0.0.0/0 name amber-urpf-deny action drop table System-VCAP-table-1-0

The permit entry has to be matched before the catch-all 0.0.0.0/0 drop; both live in the same TCAM table, so confirm the rule ordering after installation and watch the deny rule's counters, which should stay at zero for legitimate traffic. Strictly, this is an ingress source-prefix filter (BCP 38 style) rather than routing-table-derived uRPF, so the permitted prefix list must be updated whenever a tenant's address assignment changes.

Page 8: Micro Segmentation Security: Securing IT Through Macro-segmentation


Netvisor Private Virtual Networks: Agile, Secure Multi-Tenancy

Control Plane Isolation
‒ Tenant routers run in dedicated containers of the switch OS

Page 9: Micro Segmentation Security: Securing IT Through Macro-segmentation


VCF Containers: Secure Multi-Tenant Control Plane

§ vRouters
‒ Independent OSPF/BGP/BFD speakers
‒ Each vRouter has a simple tenant view

§ OVSDB Interface
‒ Synchronizes the fabric endpoint database (vPort) with the hypervisor system for end-to-end VTEP auto-provisioning
  § OpenDayLight
  § NSX

§ VNET Manager
‒ Provides a dedicated/isolated management interface for a vPOD with provisioning/visibility capability only for assigned resources
‒ Can run any vPOD custom application (simple example: WireShark)

Figure: on each of two switches, separate containers with their own vNICs for the vRouters of tenants Crimson, Blue and Amber, for the VNET Manager, and for the OVSDB interface (tenant Amber).

Page 10: Micro Segmentation Security: Securing IT Through Macro-segmentation


Virtualization Centric Fabric – VCF: vFlow Technology

Figure: the same fabric of L2/L3/VXLAN open networking nodes, each with the built-in fabric controller, managed as one distributed cluster (Pluribus Management Fabric). Callout: Security Service Insertion, granular flow control for conditional security insertion policies, applied to flows at each node.

Page 11: Micro Segmentation Security: Securing IT Through Macro-segmentation


Conditional Security Insertion: Configurable line-rate redirection of E-W traffic

1. Default Behavior: no inspection
• The fabric normally bridges and routes E-W traffic (in the figure: VM-10, VM-11 and VM-41 on VL10, VM-20 on VL20)

2. Configurable Security Insertion
• The fabric redirects selected traffic to a security appliance, selected on configurable L1-L4 parameters (in the figure: HTTP between VL10 and VL20 is redirected, other traffic is still bridged and routed directly)

Page 12: Micro Segmentation Security: Securing IT Through Macro-segmentation


Conditional Security Insertion: Provide inspection only to non-secure N-S traffic

1. Firewall Service Insertion for default traffic

Figure: an HA Services Leaf Cluster (VXLAN routing + FW insertion) connects the external network to the fabric, with the Perimeter Firewall Cluster attached on VL100 between the NON-SECURE and SECURE sides. Tenant VLAN VL10 (VXLAN VNI 10, gateway 10.10.0.1/16) is terminated on the cluster's VTEP (10.0.100.5/29); default N-S traffic is steered through the firewall.

Page 13: Micro Segmentation Security: Securing IT Through Macro-segmentation


2. Firewall Bypass for Secure Traffic

Figure: same topology as in step 1; N-S traffic classified as secure is routed by the services leaf cluster directly between the external network and VL10/VNI 10, skipping the VL100 firewall leg.

Page 14: Micro Segmentation Security: Securing IT Through Macro-segmentation


vFlow Filtering For Security Actions: Provide line-rate redirection & policy enforcement

vFlow Structure
‒ Scope: switch-local or fabric-wide
‒ L1-L4 Match Rule: match rule deployed in HW TCAMs
‒ Actions (switch HW assisted): drop, to-cpu, copy-to-cpu, setvlan, tunnel-pkt, set-tunnel-id, to-span, cpu-rx, cpu-rx-tx, set-dscp, decap, set-dmac, set-dmac-to-port, to-port, to-ports-and-cpu, set-vlan-pri, l3-to-cpu-switch

3. Line Rate Policy Enforcement

Figure: the same services leaf topology as in steps 1 and 2, now with vFlow security ACLs enforced at line rate on the N-S path.
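The two uses of vFlow shown on this page and on the anti-spoofing slide, the per-tenant uRPF permit/deny pair and conditional insertion that sends only selected flows to the firewall, can be tried out in the following Python model (an added example, not Pluribus code; a real vFlow is installed in switch TCAM). It evaluates an ordered table of match/action entries with first-match semantics, keeps the per-rule hit counters the slides expose as vFlow stats, and also shows what happens when the 0.0.0.0/0 drop is ordered ahead of the permit. VLAN 11 for tenant amber, switch port 49 towards the firewall, VLAN 100 as the external side and all packets are constructed assumptions; the rule fields mirror the CLI's vlan/src-ip/action keywords.

```python
"""Added example, not Pluribus code: first-match evaluation of vFlow-style
match/action entries.  Covers the uRPF pair from the anti-spoofing slide and
conditional E-W / N-S security insertion.  VLAN numbers, the firewall port and
the packets are assumptions constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

FW_PORT = 49        # assumed switch port facing the firewall appliance
AMBER_VLAN = 11     # assumed VLAN of tenant "amber" (the slide's <amber>)


@dataclass
class Packet:
    vlan: int
    src_ip: str
    dst_ip: str
    proto: str = "tcp"
    dst_port: Optional[int] = None


@dataclass
class VFlow:
    """One match/action entry; None fields are wildcards."""
    name: str
    action: str                    # none | drop | to-port (subset of the slide's action list)
    vlan: Optional[int] = None
    src_ip: Optional[str] = None   # CIDR, like the CLI's src-ip
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    to_port: Optional[int] = None  # egress port for to-port
    hits: int = 0                  # the per-vFlow counter the slide exposes as stats

    def matches(self, p: Packet) -> bool:
        if self.vlan is not None and p.vlan != self.vlan:
            return False
        if self.src_ip is not None and ip_address(p.src_ip) not in ip_network(self.src_ip):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dst_port is not None and p.dst_port != self.dst_port:
            return False
        return True


class VFlowTable:
    """First matching entry wins, as in an ordered TCAM: rule order is policy."""
    def __init__(self, rules):
        self.rules = list(rules)

    def apply(self, p: Packet):
        for r in self.rules:
            if r.matches(p):
                r.hits += 1
                if r.action == "none":
                    return "forward"
                if r.action == "drop":
                    return "drop"
                if r.action == "to-port":
                    return ("redirect", r.to_port)
                raise ValueError(f"unsupported action {r.action}")
        return "forward"   # no entry: default bridging/routing, no inspection

    def stats(self):
        return {r.name: r.hits for r in self.rules}


def build_table(permit_before_deny=True):
    urpf = [
        VFlow("amber-urpf-permit", "none", vlan=AMBER_VLAN, src_ip="10.1.11.0/27"),
        VFlow("amber-urpf-deny", "drop", vlan=AMBER_VLAN, src_ip="0.0.0.0/0"),
    ]
    if not permit_before_deny:
        urpf.reverse()   # the misordering to avoid: catch-all drop first
    insertion = [
        # E-W: only HTTP from VL10 goes to the appliance; other flows are bridged/routed directly
        VFlow("ew-http-inspect", "to-port", vlan=10, proto="tcp", dst_port=80, to_port=FW_PORT),
        # N-S on the external VL100: TLS bypasses the firewall, default traffic is inspected
        VFlow("ns-secure-bypass", "none", vlan=100, proto="tcp", dst_port=443),
        VFlow("ns-default-inspect", "to-port", vlan=100, to_port=FW_PORT),
    ]
    return VFlowTable(urpf + insertion)


# Constructed traffic samples
LEGIT = Packet(AMBER_VLAN, "10.1.11.7", "10.10.0.10")
SPOOFED = Packet(AMBER_VLAN, "192.0.2.9", "10.10.0.10")
EW_HTTP = Packet(10, "10.10.0.10", "10.20.0.11", dst_port=80)
EW_SSH = Packet(10, "10.10.0.10", "10.20.0.11", dst_port=22)
NS_TLS = Packet(100, "198.51.100.5", "10.10.0.10", dst_port=443)
NS_HTTP = Packet(100, "198.51.100.5", "10.10.0.10", dst_port=80)


def run(permit_before_deny=True):
    """Return (verdict per sample packet, vFlow hit counters)."""
    t = build_table(permit_before_deny)
    samples = [("legit", LEGIT), ("spoofed", SPOOFED), ("ew_http", EW_HTTP),
               ("ew_ssh", EW_SSH), ("ns_tls", NS_TLS), ("ns_http", NS_HTTP)]
    return {name: t.apply(p) for name, p in samples}, t.stats()


if __name__ == "__main__":
    print(run())        # correct order: legit forwarded, spoofed dropped
    print(run(False))   # deny first: the catch-all also swallows legitimate amber traffic
```

Reading `stats()` after a run is the software equivalent of the vFlow stats on the anti-spoofing slide: a non-zero count on `amber-urpf-deny` is a spoofing attempt or a stale prefix list, and a count on the permit rule with zero on the deny rule is what a healthy tenant looks like.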

Page 15: Micro Segmentation Security: Securing IT Through Macro-segmentation


Conditional Security Insertion for E-W & N-S traffic

Figure: racks 1, 2, … 100 with their VTEPs, plus the HA Services Leaf Cluster (VXLAN routing + FW insertion, VTEP 10.0.100.5/29) facing the external network, with security appliances (IPS, FW, etc.) attached on VL100 between the NON-SECURE and SECURE sides. Tenant VLANs VL10 (VNI 10, gateway 10.10.0.1/16) and VL20 (VNI 20, gateway 10.20.0.1/16) are extended over VXLAN; VM-10 (10.10.0.10, MAC-10), VM-11 (10.10.0.11, MAC-11) and VM-41 (10.10.0.41) sit on VL10, VM-20 (10.20.0.11, MAC-20) on VL20.

• Leaf switches perform selective Security Insertion for bridged/routed E-W traffic using programmable fabric-wide policies

Page 16: Micro Segmentation Security: Securing IT Through Macro-segmentation


Putting It All Together: Fabric Security Architecture

Figure: one Virtualization Centric Fabric management domain spanning racks 1, 2, … 100 and the Edge Security Services Rack (101), with these callouts:
‒ Fabric-scope programmability: policy enforcement E-W / N-S
‒ Edge Security Services Rack: HA Leaf Services with HA VTEP; grey vRouter for the VTEP, red vRouter to the DC network
‒ VXLAN L2 extension across all 100 racks; the IP underlay (BGP/OSPF) provides inter-rack reachability
‒ Spine layer is a simple L3 non-blocking interconnect; all links are active
‒ Active-Active LAG towards servers
‒ External network reached through the edge rack

Page 17: Micro Segmentation Security: Securing IT Through Macro-segmentation


Putting It All Together: Fabric Security Architecture

Same figure, adding Secure Multi-Tenancy: Virtual Private Networks (holistic multi-tenancy) span the VTEPs and HA Leaf Services of the whole management domain.

Page 18: Micro Segmentation Security: Securing IT Through Macro-segmentation


Putting It All Together: Fabric Security Architecture

Same figure, adding Security Service Insertion (granular flow control for conditional security insertion policies):
‒ Edge Security Services Rack: load balancers; firewall on-a-stick in L2 mode for non mission-critical traffic, with a bypass service option
‒ vFlow security ACL for N-S policy enforcement
‒ Global E-W vFlow security service insertion

Page 19: Micro Segmentation Security: Securing IT Through Macro-segmentation


Putting It All Together: Fabric Security Architecture

Same figure, adding Application Visibility: Pluribus VCF Analytics for mission-critical flow visibility, built in (no taps, no brokers, no expensive tools).

Page 20: Micro Segmentation Security: Securing IT Through Macro-segmentation


Connection Flow Analytics

Figure: the switches export flow metadata to VCF Center, a big data engine running as a cluster of 1…N server nodes.
‒ Integrated in the fabric = simple to deploy
‒ Always on, zero touch = simple to use
‒ No sampling… every EAST-WEST connection
‒ TCP connection state machine tracking
‒ Tenant aware
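To make concrete what "TCP connection state machine tracking" over unsampled flow metadata yields, here is an added Python example (not VCF Center code) that reconstructs connection state from constructed per-packet records: it follows SYN, SYN-ACK, ACK, FIN and RST through handshake and teardown, counts bytes per direction, keys connections by tenant so that overlapping addresses in two VNETs are tracked separately, and lists half-open connections, which is the view a SYN scan or SYN flood produces. The record fields, tenant names, addresses and timeout are assumptions.

```python
"""Added example, not VCF Center code: tenant-aware TCP connection tracking from
per-packet metadata.  Field names, tenants, addresses and the sample packets are
constructed for the example."""
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class Pkt:
    ts: float
    tenant: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str        # subset of "S" (SYN), "A" (ACK), "F" (FIN), "R" (RST)
    length: int = 0   # payload bytes


@dataclass
class Conn:
    tenant: str
    client: Tuple[str, int]
    server: Tuple[str, int]
    state: str = "SYN_SENT"
    first_ts: float = 0.0
    last_ts: float = 0.0
    bytes_c2s: int = 0
    bytes_s2c: int = 0
    fin_seen: set = field(default_factory=set)


class ConnTracker:
    def __init__(self):
        self.conns: Dict[tuple, Conn] = {}

    @staticmethod
    def _key(tenant, a, b):
        # Tenant is part of the key: VNETs may reuse the same 5-tuple.
        return (tenant,) + tuple(sorted([a, b]))

    def feed(self, p: Pkt):
        a, b = (p.src, p.sport), (p.dst, p.dport)
        c = self.conns.get(self._key(p.tenant, a, b))
        if c is None:
            if "S" in p.flags and "A" not in p.flags:
                c = Conn(p.tenant, a, b, first_ts=p.ts, last_ts=p.ts)
                self.conns[self._key(p.tenant, a, b)] = c
            else:
                return None   # mid-stream packet with no SYN seen: not tracked
        c.last_ts = p.ts
        from_client = a == c.client
        if from_client:
            c.bytes_c2s += p.length
        else:
            c.bytes_s2c += p.length
        if "R" in p.flags:
            c.state = "RESET"
        elif "S" in p.flags and "A" in p.flags and not from_client and c.state == "SYN_SENT":
            c.state = "SYN_RECEIVED"
        elif c.state == "SYN_RECEIVED" and from_client and "A" in p.flags:
            c.state = "ESTABLISHED"
        elif "F" in p.flags and c.state in ("ESTABLISHED", "CLOSING"):
            c.fin_seen.add("client" if from_client else "server")
            c.state = "CLOSED" if len(c.fin_seen) == 2 else "CLOSING"
        return c.state

    def half_open(self, now, timeout=3.0):
        """Connections still waiting for a SYN-ACK: scans and SYN floods show up here."""
        return [c for c in self.conns.values()
                if c.state == "SYN_SENT" and now - c.first_ts > timeout]

    def summary(self):
        return [(c.tenant, c.client, c.server, c.state, c.bytes_c2s, c.bytes_s2c,
                 round(c.last_ts - c.first_ts, 3)) for c in self.conns.values()]


# Constructed sample: one full HTTP exchange, one unanswered SYN, and the same
# 5-tuple reused in another tenant that gets reset by the server.
SAMPLE = [
    Pkt(0.000, "amber", "10.10.0.10", 40000, "10.20.0.11", 80, "S"),
    Pkt(0.001, "amber", "10.20.0.11", 80, "10.10.0.10", 40000, "SA"),
    Pkt(0.002, "amber", "10.10.0.10", 40000, "10.20.0.11", 80, "A"),
    Pkt(0.003, "amber", "10.10.0.10", 40000, "10.20.0.11", 80, "A", 120),
    Pkt(0.010, "amber", "10.20.0.11", 80, "10.10.0.10", 40000, "A", 900),
    Pkt(0.011, "amber", "10.10.0.10", 40000, "10.20.0.11", 80, "FA"),
    Pkt(0.012, "amber", "10.20.0.11", 80, "10.10.0.10", 40000, "FA"),
    Pkt(0.020, "amber", "10.10.0.10", 40001, "10.20.0.11", 22, "S"),
    Pkt(0.030, "blue", "10.10.0.10", 40000, "10.20.0.11", 80, "S"),
    Pkt(0.031, "blue", "10.20.0.11", 80, "10.10.0.10", 40000, "RA"),
]


def track(pkts=SAMPLE):
    t = ConnTracker()
    for p in pkts:
        t.feed(p)
    return t


if __name__ == "__main__":
    tracker = track()
    for row in tracker.summary():
        print(row)
    print("half-open:", [(c.tenant, c.server) for c in tracker.half_open(now=10.0)])
```

Because the tracker keys on tenant, the amber and blue connections that share a 5-tuple are two records, which is the "tenant aware" property above; without the tenant in the key the blue RST would have been attributed to the already-closed amber connection.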

Page 21: Micro Segmentation Security: Securing IT Through Macro-segmentation


Packet Analytics

Figure: mirrored packets are sent to VCF Center (big data engine, cluster of 1…N server nodes), which programs packet filters in hardware and starts & stops PCAP and mirror sessions.
‒ On-demand packet filtering on L1-L4 header fields
‒ Terabit filtering with offload on Broadcom silicon
‒ Manage mirror sessions and PCAP files
‒ Analytics on packet metadata extracted from PCAP
‒ Bring-your-own PCAP

Page 22: Micro Segmentation Security: Securing IT Through Macro-segmentation


Summary/Recap

1. Macro-segmentation secures E-W traffic
2. Scalable and HW-accelerated, covering physical and virtual (P & V) workloads
3. Holistic multi-tenancy = complete isolation
4. Granular flow control for conditional security insertion policies
5. Analytics/visibility allows for continual policy improvements

Page 23: Micro Segmentation Security: Securing IT Through Macro-segmentation


Thank You, Questions?


Page 24: Micro Segmentation Security: Securing IT Through Macro-segmentation


Fall Webinar Series: pluribusnetworks.com/resources/#webinars