© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 1
Architecting DMZ Virtualization
Brad Hedlund, Solutions Architect, Data Center, CCIE #5530, VCP, February 2010, [email protected]
v1.5
Policy Driven Network Design: Physical
Each network switch has independent code, control plane, data plane, interfaces & configuration.
Isolation provided by physical cabling
Network Virtualization: Logical Partitions
Security zones share a common network switch infrastructure.
Common switch with discrete forwarding tables
Isolation provided by switch configuration
VN-Tag, VLAN, VRF, MPLS
H/W scheduled Control Plane isolation
Inconsistent Isolation Policies
Attaching differing isolation policies together results in the lowest common denominator policy
Physical partitions merely become extensions of what is a logical policy architecture
Considered “Out of Policy” with Physical Isolation
Server Virtualization with Physical Isolation
How is a physical isolation policy preserved with server virtualization?
Network policy moves into the Server (Host)
Server virtualization creates a network inside the Host, a virtual network.
Attempts are made to keep the virtual and physical network policy consistent
Conventional thinking: “physically separate vSwitches” is the solution.
The false sense of “vSwitch” security…
What is a vSwitch?
“Each vSwitch is just a data structure saying what ports are connected to it (along with other information).”
“So while using vSwitches sounds more compartmentalized than VLANs, they provide equivalent separation”
- Mark Bakke, Nexus 1000V Principal Architect, Cisco
Source: http://faz1.com/blog/2009/08/20/two-vswitches-are-better-than-1-right/
Simple Example: Host Memory Footprint: 1 vSwitch
Each network switch has its own independent code and control plane…
Adding multiple vSwitches should add multiple copies of unique vSwitch code.
Let's add 11 vSwitches and see what happens…
11 “vSwitches” same footprint
11, 20, or 200 “vSwitches” is really 1 switch
Each “vSwitch” is just a unique logical partition of a single software switch
Delivers the same concept of logical forwarding partitions of a VLAN
The consequential architecture based on an illusion…
Consequences
Many adapters required per server: (1) per DMZ, (2) per DMZ for redundancy … even more to scale BW … and even more for mgmt
Many adapters in one server force 1GE and prohibit 10GE adoption
Less BW from 1GE requires more servers with fewer VMs to scale I/O
Lower physical to virtual consolidation ratios
Larger 4U rackmount servers required for adapter real estate – blade server prohibitive
Cannot leverage DVS
The Result: Inconsistent Policy
… and missed opportunities.
Consistent Policy of Logical Separation
Server + Network Virtualization
Physical switch uses logical isolation consistent with the virtual switch
Fewer adapters
10GE & Unified I/O
Higher consolidation ratios
Right sized 1RU-2RU servers
Blade server inclusive
DVS inclusive
Consistent Physical Policy
Virtual network physical isolation consistent with the physical network
Fewer adapters per server
10GE & Unified I/O
Higher consolidation ratios
Right sized 2RU/1RU servers
Blade server inclusive
DVS inclusive
H/W Scheduled Control Plane Isolation
Physical Network switch uses similar H/W scheduling to VMware Host.
Switch Consolidation
Nexus 7000 VDC
Securing the Virtual Switch
Nexus 1000V VSM
VEM
Nexus 1000V Security Features (not available in vSwitch or vDS)
IP Source Guard - duplicate IP, spoofed IP protection
Private VLAN (source enforced) - stop denied frames at source host
DHCP Snooping - rogue DHCP server protection
Dynamic ARP Inspection - man-in-the-middle protection
IP access control (per VM) filtering
- TCP bits/flags (FIN, ACK, RST, PSH, etc.)
- TCP/UDP ports
- ICMP types & codes
MAC ACLs
Port Security
Securing the Physical Switch for Network Virtualization
Securing against physical switch attacks
Attack: MAC Overflow (macof)
Solution: Port Security
Attack: VLAN Hopping
Solution: Best Practice Configuration
- disable auto trunking
- VLAN tag all frames (including native)
- dedicated VLAN ID for trunks
Attack: Spoofed IP, Spoofed MAC
Solution: Dynamic ARP Inspection, IP Source Guard, Port Security
Attack: Rogue DHCP
Solution: DHCP Snooping
Attack: Spanning Tree Spoofing
Solution: Root Guard, BPDU Guard
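The two preceding slides list the same family of Layer 2 protections twice: once as Nexus 1000V features applied inside the host, and once as the physical-switch mitigations for MAC flooding, VLAN hopping, spoofing, rogue DHCP and spanning-tree attacks. The following configuration is an added example, not taken from the slides or from Cisco documentation, showing how the physical-switch side of that list is expressed in Catalyst IOS syntax. Hostnames, VLAN IDs (10 and 20 as DMZ VLANs, 999 as the unused native VLAN), interface numbers and descriptions are all assumed; NX-OS and the Nexus 1000V use related but not identical commands, so treat this as the Catalyst access-layer counterpart of the slide, not as the Nexus configuration.

```cisco-ios
! Added example (Catalyst IOS syntax); VLAN IDs, interfaces and names are assumed.
!
! --- VLAN hopping: the weak trunk the slide warns about, shown commented out ---
! Auto-negotiated trunk (DTP) plus untagged native VLAN 1 shared with access ports.
! interface GigabitEthernet1/0/1
!  switchport mode dynamic desirable
!  switchport trunk native vlan 1
!
! --- Hardened trunk to the VMware host (static trunk, DTP off, tagged dedicated native) ---
vlan dot1q tag native
!
interface GigabitEthernet1/0/1
 description ESX host A (DMZ trunk, assumed)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
!
! --- MAC overflow (macof): port security on host-facing access ports ---
interface GigabitEthernet1/0/10
 description DMZ web server (assumed)
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! --- Rogue DHCP: snooping enabled on the DMZ VLANs, only the uplink trusted ---
ip dhcp snooping
ip dhcp snooping vlan 10,20
no ip dhcp snooping information option
!
! --- Spoofed IP / spoofed MAC: DAI and IP Source Guard use the snooping binding table ---
ip arp inspection vlan 10,20
ip arp inspection validate src-mac dst-mac ip
!
interface GigabitEthernet1/0/10
 ip verify source
!
! Uplink toward the core and the legitimate DHCP server: trusted for snooping and DAI.
interface TenGigabitEthernet1/1/1
 description uplink to core (assumed)
 switchport mode trunk
 switchport nonegotiate
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- Spanning-tree spoofing: root guard where a downstream device must never become root ---
interface GigabitEthernet1/0/24
 description downstream access switch (assumed)
 switchport mode trunk
 switchport nonegotiate
 spanning-tree guard root
```

A few design points worth noting against the slide: DTP is disabled on every port, not only on trunks, because a port left in dynamic mode is what makes switch spoofing possible; the native VLAN is both dedicated and tagged, so a double-tagged frame has no untagged path to ride; and DHCP snooping is the foundation for DAI and IP Source Guard, so trusting the wrong port (or not trusting the real DHCP path) breaks all three at once. BPDU guard is used toward hosts that should never send BPDUs, while root guard is reserved for ports toward devices that legitimately participate in spanning tree but must never win the root election.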
Summary
Whatever your policy, physical or logical separation, maintain consistent policy in both the virtual and physical network
The ILLUSION of “vSwitch” physical separation
Consequences of the vSwitch illusion: 10GE, DVS, & blade server prohibitive, large servers, excessive adapters/cables, just to gain: Inconsistent Policy
Physically separate networks should be paired with physically separate Hosts to be policy consistent
The Logical separation policy with Server+Network virtualization can be secured with security built in to the physical and virtual network