PLNOG8 Gawel Mikolajczyk Securing the Cloud
Transcript
Slide 1: Securing the Cloud Infrastructure – from Hypervisor to the Edge
Gaweł Mikołajczyk, [email protected]
Security Consulting Systems Engineer, EMEA Central Core Team
CCIE #24987, CISSP-ISSAP, CISA
PLNOG8, March 5, 2012, Warsaw, Poland
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public

Slide 2: Cloud security in three dimensions
(Diagram: corporate border and policy; Infrastructure as a Service, Platform as a Service, Software as a Service, X as a Service, applications and data; users at the corporate office, branch office, home office, airport, coffee shop and on the move; partners, customers and attackers outside.)
Three dimensions: securing the cloud infrastructure itself, securing access to the cloud, and commercial security services delivered from the cloud.

Slide 3: Multi-tenant data center path
(Diagram: Private VPN (MPLS or IPsec/SSL) -> WAN Edge -> Layer-2 or Layer-3 access -> NAS aggregation -> Data Center Core -> Tenant A and Tenant B, with sub-tenants B1 and B2.)
• One tenant per VRF
• Services layer: VRF/VLAN mapped to a virtual firewall / load balancer (vFW/LB)
• Access layer: mapping to the VM
• Compute: each VRF mapped to a unique VLAN on the Nexus 1000V

Slide 4: (no text)

Slide 5: Virtualization security concerns
(Diagram: V-Motion (memory), V-Storage (VMDK), physical security, role-based access, VM segmentation, VMNIC #1 / VMNIC #2, hypervisor security, VM OS hardening, vEth, patch management, VM sprawl.)
Real case: [...] It looks like the O&M firewall is not filtering the ARP traffic the right way. This allows a VM to connect to any other VM through the O&M network after injecting malicious ARP traffic. This happens even if the destination VM belongs to a different tenant VDC [...]
Slide 6: Layer-2 security in the virtual access layer
The virtual access layer should offer at least the same Layer-2 security mechanisms as the physical data center: Access Lists, Dynamic ARP Inspection, DHCP Snooping, IP Source Guard, Port Security, Private VLANs, Layer-2 storm control, rate limiters, VXLAN.
Without these mechanisms the consequences of attacks on the network infrastructure are catastrophic, given the scale: thousands of VMs.
Layer-2 visibility can be achieved through NetFlow collection and SPAN, RSPAN or ERSPAN.

Slide 7: Port Profile -> Port Group (vCenter API)
A Nexus 1000V port profile is pushed to vCenter as a port group; every vEthernet interface that inherits the profile gets its VLAN and NetFlow settings:

    port-profile vm180
      vmware port-group pg180          ! name of the port group created in vCenter
      switchport mode access
      switchport access vlan 180
      ip flow monitor ESE-flow input   ! NetFlow in both directions for Layer-2 visibility
      ip flow monitor ESE-flow output
      no shutdown
      state enabled
    interface Vethernet9
      inherit port-profile vm180
    interface Vethernet10
      inherit port-profile vm180

Slide 8: ERSPAN from the Nexus 1000V to the monitoring tools
(Diagram: Nexus 7000 pair with vPC peer-link and service VLANs, Catalyst 6500 pair with VSL, Nexus 5000, ASA 5585, ESX server running Nexus 1000V and VSG; ERSPAN destinations NAM and IDS1; addresses shown: 10.20.20.50, 10.20.20.51, 10.20.30.101.)

    monitor session 1 type erspan-source
      description N1k ERSPAN – session 1
    monitor session 2 type erspan-source
      description N1k ERSPAN – session 2
    monitor session 3 type erspan-destination
      description N1k ERSPAN to NAM
    monitor session 4 type erspan-destination
      description N1k ERSPAN to IDS1

Slide 9: (no text)

Slide 10: Two ways to apply security services to VM traffic
1. Redirect traffic from the VMs (web server, app server, database server on the hypervisor) to physical devices: VLANs, virtual contexts, physical appliances and service modules.
2. Security services at the hypervisor level:
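The ARP-injection case quoted on slide 5 and the Layer-2 controls listed on slide 6 can be tied together in a small model. The following is an added example, not code from the presentation or from Cisco: it keeps a DHCP snooping binding table, applies Dynamic ARP Inspection, IP Source Guard and a per-port ARP rate limiter to frames arriving on vEthernet ports, and replays the shared O&M network scenario with two tenants' VMs on one VLAN. Port names, VLAN, MAC and IP addresses and the frames are constructed for illustration.

```python
"""Model of the virtual-access-layer Layer-2 protections: DHCP snooping
binding table, Dynamic ARP Inspection (DAI), IP Source Guard and per-port
ARP rate limiting.  Added example, not code from the presentation or from
Cisco; ports, addresses and frames are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Binding:
    """One entry of the DHCP snooping binding table (learned from a DHCPACK)."""
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass(frozen=True)
class ArpFrame:
    in_port: str
    vlan: int
    eth_src: str      # Ethernet source MAC
    sender_mac: str   # ARP sender hardware address
    sender_ip: str    # ARP sender protocol address
    target_ip: str


@dataclass(frozen=True)
class IpPacket:
    in_port: str
    vlan: int
    eth_src: str
    src_ip: str


class VirtualAccessSwitch:
    def __init__(self, trusted_ports: Set[str], arp_rate_limit: int = 15) -> None:
        self.trusted = set(trusted_ports)        # uplinks toward the physical network
        self.arp_rate_limit = arp_rate_limit     # ARP frames allowed per untrusted port per window
        self.bindings: Dict[Tuple[str, int], Binding] = {}
        self.arp_seen: Dict[str, int] = {}       # ARP frames counted in the current window
        self.err_disabled: Set[str] = set()

    def learn_dhcp_lease(self, mac: str, ip: str, vlan: int, port: str) -> None:
        """DHCP snooping: record the lease acknowledged on an untrusted port."""
        self.bindings[(mac.lower(), vlan)] = Binding(mac.lower(), ip, vlan, port)

    def _binding_matches(self, mac: str, ip: str, vlan: int, port: str) -> bool:
        b = self.bindings.get((mac.lower(), vlan))
        return b is not None and b.ip == ip and b.port == port

    def inspect_arp(self, f: ArpFrame) -> Tuple[bool, str]:
        """DAI: forward only ARP whose sender MAC/IP matches the binding on the ingress port."""
        if f.in_port in self.trusted:
            return True, "trusted port, not inspected"
        if f.in_port in self.err_disabled:
            return False, "port err-disabled"
        self.arp_seen[f.in_port] = self.arp_seen.get(f.in_port, 0) + 1
        if self.arp_seen[f.in_port] > self.arp_rate_limit:
            self.err_disabled.add(f.in_port)
            return False, "ARP rate limit exceeded, port err-disabled"
        if f.eth_src.lower() != f.sender_mac.lower():
            return False, "Ethernet source MAC differs from ARP sender MAC"
        if not self._binding_matches(f.sender_mac, f.sender_ip, f.vlan, f.in_port):
            return False, "sender MAC/IP not in binding table for this port"
        return True, "ARP binding verified"

    def verify_source(self, p: IpPacket) -> Tuple[bool, str]:
        """IP Source Guard: source MAC/IP on an untrusted port must be bound to that port."""
        if p.in_port in self.trusted:
            return True, "trusted port"
        if self._binding_matches(p.eth_src, p.src_ip, p.vlan, p.in_port):
            return True, "source verified"
        return False, "source IP/MAC not bound to this port"


def run_scenario() -> List[Tuple[str, bool, str]]:
    """Two tenants' VMs share O&M VLAN 300; tenant B tries ARP injection."""
    sw = VirtualAccessSwitch(trusted_ports={"Ethernet1/1"})
    sw.learn_dhcp_lease("00:50:56:a1:00:01", "10.20.30.11", 300, "Vethernet9")   # tenant A VM
    sw.learn_dhcp_lease("00:50:56:b2:00:02", "10.20.30.22", 300, "Vethernet10")  # tenant B VM
    r: List[Tuple[str, bool, str]] = []
    legit = ArpFrame("Vethernet9", 300, "00:50:56:a1:00:01", "00:50:56:a1:00:01", "10.20.30.11", "10.20.30.1")
    r.append(("tenant A asks for the gateway",) + sw.inspect_arp(legit))
    poison = ArpFrame("Vethernet10", 300, "00:50:56:b2:00:02", "00:50:56:b2:00:02", "10.20.30.1", "10.20.30.11")
    r.append(("tenant B claims the gateway IP",) + sw.inspect_arp(poison))
    forged = ArpFrame("Vethernet10", 300, "00:50:56:a1:00:01", "00:50:56:a1:00:01", "10.20.30.11", "10.20.30.1")
    r.append(("tenant B forges tenant A MAC and IP",) + sw.inspect_arp(forged))
    gw = ArpFrame("Ethernet1/1", 300, "00:00:0c:9f:f0:01", "00:00:0c:9f:f0:01", "10.20.30.1", "10.20.30.11")
    r.append(("real gateway replies on the uplink",) + sw.inspect_arp(gw))
    spoofed = IpPacket("Vethernet10", 300, "00:50:56:b2:00:02", "10.20.30.11")
    r.append(("tenant B spoofs tenant A source IP",) + sw.verify_source(spoofed))
    verdict: Tuple[bool, str] = (True, "")
    for _ in range(20):   # valid-looking ARP flood: the rate limiter err-disables the port
        verdict = sw.inspect_arp(ArpFrame("Vethernet10", 300, "00:50:56:b2:00:02",
                                          "00:50:56:b2:00:02", "10.20.30.22", "10.20.30.1"))
    r.append(("tenant B ARP flood, 20th frame",) + verdict)
    return r


if __name__ == "__main__":
    for label, ok, why in run_scenario():
        print(f"{'FORWARD' if ok else 'DROP   '} {label}: {why}")
```

The two injection attempts fail for different reasons: the first because the claimed sender IP is not the one leased to that MAC, the second because the copied binding belongs to another vEthernet port. In a real switch the rate counter is per second and the err-disable recovery timer is separate configuration; here the window is a single run.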
Virtual service nodes (VSN), virtual appliances.

Slide 11: Service sandwich between VDCs
(Diagram: N7k1-VDC1 and N7k1-VDC2 with a service chain between them: ASA-SM 1 and ASA-SM 2, ACE, WAF and IPS; VLANs 161, 162, 163, 164 and 190, SVI-151, hsrp.1, vrf1 and vrf2, SS1.)
• ASA Service Module: virtual contexts, transparent / mixed mode, firewall farm
• ACE load balancer: transparent mode
• Web Application Firewall
• Network IPS/IDS: inline or promiscuous

Slide 12: (no text)

Slide 13: Cisco Nexus 1000V with vPath and the Virtual Security Gateway
• Virtual Network Management Center (VNMC)
• Nexus 1000V distributed switch with vPath, part of the hypervisor
• Virtual Security Gateway (VSG)
• Port group on the host (Cisco UCS or other x86 server)
• Separate roles: security administrator and service administrator

Slide 14: vPath flow, first packet of a flow
1. The initial flow from a VM enters the Nexus 1000V vPath (distributed virtual switch)
2. vPath redirects it to the VSG
3. The VSG performs the initial policy evaluation, with log/audit records
4. The decision is cached in vPath

Slide 15: vPath flow, remaining packets
The VSG offloads the resulting ACL to the Nexus 1000V (policy enforcement); the remaining packets of the flow are handled by vPath, with log/audit.

Slide 16: VSG: security profile bound to a port profile

Slide 17: (no text)

Slide 18: Cisco TrustSec
• TrustSec is a system-wide solution
• Overlay tagging with Security Group Tags (SGT) at the ingress to the LAN/WAN/VPN
• Security policy enforced by SGACLs at the egress
• Centrally stored SGT/SGACL rules give consistency
(Example: an employee in the HR group authenticates via 802.1X/MAB/Web Auth and receives SGT=100 at ingress; Finance is SGT=4; at egress the SGACL for HR (SGT=100) is applied.)

Slide 19: Role-based TAG
1. The device authenticates to the network via 802.1X
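The first-packet / remaining-packets split on slides 14 and 15 is easiest to see with a small model. The following is an added example, not code from the presentation or from Cisco: a VSG holds zone membership and an ordered rule set, vPath steers unseen flows to it and enforces cached verdicts locally, and a policy update flushes the cache so stale offloaded verdicts are not enforced. The zones, rules, addresses and flows are constructed, and the version check that flushes the cache is an assumed design choice, not a documented Cisco behaviour.

```python
"""Model of the vPath / VSG flow: the first packet of a flow goes to the
Virtual Security Gateway, the verdict is cached in vPath and enforced there
for the remaining packets.  Added example, not code from the presentation or
from Cisco; zones, rules, addresses and the cache-flush rule are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: Optional[int]   # None matches any destination port
    action: str               # "permit" or "deny"


class VirtualSecurityGateway:
    """Zone membership (derived from VM attributes, here simply by IP) plus the
    ordered rule set of one security profile; every evaluation is audited."""

    def __init__(self, zone_of: Dict[str, str], rules: List[Rule]) -> None:
        self.zone_of = zone_of
        self.rules = list(rules)
        self.version = 1            # bumped whenever a new profile is pushed
        self.evaluations = 0
        self.audit: List[str] = []

    def replace_rules(self, rules: List[Rule]) -> None:
        self.rules = list(rules)
        self.version += 1

    def evaluate(self, flow: Flow) -> str:
        self.evaluations += 1
        src = self.zone_of.get(flow.src_ip, "unknown")
        dst = self.zone_of.get(flow.dst_ip, "unknown")
        verdict = "deny"            # implicit deny at the end of the profile
        for r in self.rules:
            if (r.src_zone, r.dst_zone, r.proto) == (src, dst, flow.proto) \
                    and r.dst_port in (None, flow.dst_port):
                verdict = r.action
                break
        self.audit.append(f"{src}->{dst} {flow.proto}/{flow.dst_port} {verdict}")
        return verdict


class VPath:
    """Per-host enforcement point in the distributed switch: steers flows it has
    not seen to the VSG and enforces cached verdicts locally (the ACL offload)."""

    def __init__(self, vsg: VirtualSecurityGateway) -> None:
        self.vsg = vsg
        self.cache: Dict[Flow, str] = {}
        self.cached_version = vsg.version

    def handle(self, flow: Flow) -> Tuple[str, str]:
        """Returns (verdict, where it was decided)."""
        if self.cached_version != self.vsg.version:   # stale offloaded verdicts: flush
            self.cache.clear()
            self.cached_version = self.vsg.version
        if flow in self.cache:
            return self.cache[flow], "vpath-cache"
        verdict = self.vsg.evaluate(flow)
        self.cache[flow] = verdict
        return verdict, "vsg"


def run_scenario() -> Tuple[List[Tuple[str, str]], int]:
    """Three-tier app: web may reach app on 8080, app may reach db on 3306."""
    vsg = VirtualSecurityGateway(
        zone_of={"10.1.1.10": "web", "10.1.2.10": "app", "10.1.3.10": "db"},
        rules=[Rule("web", "app", "tcp", 8080, "permit"),
               Rule("app", "db", "tcp", 3306, "permit")])
    vpath = VPath(vsg)
    web_app = Flow("10.1.1.10", "10.1.2.10", "tcp", 8080)
    app_db = Flow("10.1.2.10", "10.1.3.10", "tcp", 3306)
    web_db = Flow("10.1.1.10", "10.1.3.10", "tcp", 3306)   # tier skipping, must be denied
    results = [vpath.handle(f) for f in (web_app, web_app, app_db, web_db, web_app, web_db)]
    # the security admin moves web->app to 8443; the cached 8080 permit must not survive
    vsg.replace_rules([Rule("web", "app", "tcp", 8443, "permit"),
                       Rule("app", "db", "tcp", 3306, "permit")])
    results.append(vpath.handle(web_app))
    return results, vsg.evaluations


if __name__ == "__main__":
    verdicts, n = run_scenario()
    for v in verdicts:
        print(v)
    print(f"VSG consulted {n} times for {len(verdicts)} packets")
```

Seven packets cost four VSG evaluations: the three distinct flows plus one re-evaluation after the profile change. The denied web-to-db flow is cached as well, so the VSG is not consulted again for repeated attempts.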
2. ISE returns the TAG as the authorization result, based on the role of the user or device
3. The access switch applies the TAG to the user's traffic
4. The tag is carried in additional fields of the Layer-2 Ethernet frame, or the mapping is propagated out of band through the SXP protocol

Slide 20: (no text)

Slide 21: Example: private / public cloud for Spacely Sprockets
(Diagram: web server and database server in the private / public cloud with VSG and ASA 1000V; ASA appliance at the central office; a Spacely Sprockets employee.)

Slide 22: (no text)

Slide 23: Secure data center reference architecture
(Diagram: Internet Edge; Network Foundation Protection; Data Center Core VDC and Data Center Distribution on Nexus 7018 / Nexus 7000 Series; SAN; vPC throughout; Nexus 5000 Series and Nexus 2100 Series for the 10Gig server racks; Unified Computing System with Nexus 1000V multi-zone; Catalyst 6500 VSS services chassis with ASA, ACE, NAM and IPS.)
• Zones: stateful packet filtering, network intrusion prevention, server load balancing, web and email security
• Virtual service nodes; centralized security and application service modules and appliances can be applied per zone
• Access edge security: ACL, Dynamic ARP Inspection, DHCP Snooping, IP Source Guard, Port Security, Private VLANs, QoS
• Flow-based traffic analysis: Network Analysis Module (NAM)

Slide 24: (no text)
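The four-step role-based tagging sequence on slides 18 and 19 can be modelled end to end. The following is an added example, not code from the presentation, from Cisco or from ISE: an authorization server maps identity to role to SGT, the access switch tags the endpoint's frames and publishes the IP-to-SGT mapping over SXP, and the egress device enforces an SGACL matrix using either the inline tag or the SXP-learned mapping. The identities, addresses and the SGACL matrix are constructed; Finance=4 and HR=100 follow the slide's example.

```python
"""Model of TrustSec role-based tagging: authentication -> SGT from the
authorization result -> tag at ingress (inline or via SXP) -> SGACL at egress.
Added example, not code from the presentation, from Cisco or from ISE;
identities, addresses and the SGACL matrix are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

UNKNOWN_SGT = 0   # traffic that carries no tag and has no mapping


@dataclass(frozen=True)
class Frame:
    src_ip: str
    dst_ip: str
    sgt: Optional[int] = None   # inline tag in the Ethernet header, None if untagged


class AuthzServer:
    """ISE-like authorization: identity -> role -> SGT."""

    def __init__(self, role_of: Dict[str, str], sgt_of_role: Dict[str, int]) -> None:
        self.role_of = role_of
        self.sgt_of_role = sgt_of_role

    def authorize(self, identity: str, method: str) -> int:
        assert method in ("802.1X", "MAB", "WebAuth")
        return self.sgt_of_role.get(self.role_of.get(identity, ""), UNKNOWN_SGT)


class SxpListener:
    """A device without inline-tag support learns IP-to-SGT bindings over SXP."""

    def __init__(self) -> None:
        self.ip_sgt: Dict[str, int] = {}

    def sxp_update(self, ip: str, sgt: int) -> None:
        self.ip_sgt[ip] = sgt


class AccessSwitch:
    """Ingress: authenticate, take the SGT from the authorization result, tag the
    endpoint's frames (overwriting any tag the endpoint sent) and speak SXP."""

    def __init__(self, authz: AuthzServer, sxp_peers: List[SxpListener]) -> None:
        self.authz = authz
        self.sxp_peers = sxp_peers
        self.ip_sgt: Dict[str, int] = {}

    def endpoint_joins(self, identity: str, ip: str, method: str) -> int:
        sgt = self.authz.authorize(identity, method)
        self.ip_sgt[ip] = sgt
        for peer in self.sxp_peers:          # out-of-band propagation of the mapping
            peer.sxp_update(ip, sgt)
        return sgt

    def ingress(self, frame: Frame, inline_tagging: bool = True) -> Frame:
        sgt = self.ip_sgt.get(frame.src_ip, UNKNOWN_SGT)
        return Frame(frame.src_ip, frame.dst_ip, sgt if inline_tagging else None)


class EgressSwitch(SxpListener):
    """Enforces the SGACL matrix.  Source SGT comes from the inline tag or, failing
    that, from the SXP-learned mapping; destination SGT from static server classification."""

    def __init__(self, sgacl: Dict[Tuple[int, int], str], servers: Dict[str, int]) -> None:
        super().__init__()
        self.sgacl = sgacl
        self.servers = servers

    def enforce(self, frame: Frame) -> Tuple[bool, int, int]:
        src_sgt = frame.sgt if frame.sgt is not None else self.ip_sgt.get(frame.src_ip, UNKNOWN_SGT)
        dst_sgt = self.servers.get(frame.dst_ip, UNKNOWN_SGT)
        action = self.sgacl.get((src_sgt, dst_sgt), "deny")   # unmatched pair: deny
        return action == "permit", src_sgt, dst_sgt


def run_scenario() -> List[Tuple[str, bool]]:
    authz = AuthzServer(role_of={"alice": "hr", "bob": "finance"},
                        sgt_of_role={"hr": 100, "finance": 4})
    egress = EgressSwitch(sgacl={(100, 100): "permit", (4, 100): "deny"},
                          servers={"10.3.0.10": 100})          # HR application server
    access = AccessSwitch(authz, sxp_peers=[egress])
    access.endpoint_joins("alice", "10.1.0.5", "802.1X")       # HR employee
    access.endpoint_joins("bob", "10.1.0.6", "802.1X")         # Finance employee
    access.endpoint_joins("printer-mac", "10.1.0.9", "MAB")    # unknown identity: SGT 0
    cases = [
        ("HR user -> HR server, inline tag", access.ingress(Frame("10.1.0.5", "10.3.0.10"))),
        ("Finance user -> HR server, inline tag", access.ingress(Frame("10.1.0.6", "10.3.0.10"))),
        ("HR user -> HR server, no inline tag, SXP lookup",
         access.ingress(Frame("10.1.0.5", "10.3.0.10"), inline_tagging=False)),
        ("unknown device -> HR server", access.ingress(Frame("10.1.0.9", "10.3.0.10"))),
        ("Finance endpoint pre-tags its frame as HR",
         access.ingress(Frame("10.1.0.6", "10.3.0.10", sgt=100))),
    ]
    return [(label, egress.enforce(f)[0]) for label, f in cases]


if __name__ == "__main__":
    for label, permitted in run_scenario():
        print(f"{'PERMIT' if permitted else 'DENY  '} {label}")
```

The last case is the reason the tag is applied by the access switch and not trusted from the endpoint: the egress device acts on whatever tag the frame carries, so the ingress switch must overwrite any tag received on an untrusted port with the one from the authorization result.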