Posted: 18-Nov-2014 | Category: Technology | Uploaded by: lancope-inc
Securing the Data Center
Matt Robertson - Lancope Technical Marketing Engineer
David Anderson - Cisco Principal Solution Architect, Data Center Security
Defending Against Humans
Evolution of Cyber Conflict
Attackers
• Manual Attacks (1980s): War Dialing, Phone Phreaking …
• Mechanized Attacks (1988): Viruses, Worms …
• Talented Human / Mechanized Attackers (2009): Google, RSA …
• DIY Human / Mechanized Attackers (2011): Cryptocurrency Ransoms, Store-bought Credentials …
• APT, Multi-Step Attacks … (Target, Neiman Marcus …)
Defenders
• Manual Defenses: Unplug
• Mechanized Defenses: Firewall, IDS/IPS
• Targeted Human/Mechanized Defenders: Reputation, App-aware Firewall
• Intelligence Driven Human Defenders
Security Buckets
Segmentation
• Establish boundaries: network, compute, virtual
• Enforce policy by functions, devices, organizations, compliance
• Control and prevent unauthorized access to networks, resources, applications
Threat Defense
• Stop internal and external attacks and interruption of services
• Patrol zone and edge boundaries
• Control information access and usage, prevent data loss and data modification
Visibility
• Provide transparency to usage
• Apply business context to network activity
• Simplify operations and compliance reporting
Security As A System
[Figure: architecture diagram spanning Internet, Partners, IP-NGN Backbone, Edge, Core, Aggregation, Access, Virtual Machines / VSwitch, Storage and SAN, Compute, and Application Software and Services. Security functions placed per zone: Application Control (SLB+), Service Control, Firewall Services, Virtual Device Contexts, Fibre Channel Forwarding, Fabric Extension, Fabric-Hosted Storage Virtualization, Storage Media Encryption, Virtual Contexts for FW & SLB, Port Profiles & VN-Link, Line-Rate NetFlow, Secure Domain Routing, Service Profiles, Virtual Machine Optimization, Virtual Firewall (Edge and VM), Intrusion Detection. Physical and Virtual are covered by a Unified Policy across UCS, Virtual Access and Storage.]
Data Center Security Control Framework: Multi-Layer, Distributed Model
Layers: Data Center Core Layer, DC Aggregation Layer, DC Service Layer, DC Access Layer
Services
• Initial filter for DC ingress and egress traffic. Virtual Context used to split policies for server-to-server filtering
• Additional firewall services for server farm specific protection
Infrastructure Security
• Infrastructure Security features are enabled to protect device, traffic plane and control plane
• 802.1ae and vPC provide internal/external separation
Services
• IPS/IDS provide traffic analysis and forensics
• Network Analysis provides traffic monitoring and data analysis
• Server load balancing masks servers and applications
Data security
• Authenticate & access control
• Port security authentication, QoS features
• Virtual Firewall, Real-time Monitoring, Firewall Rules
• ACLs, Port Security, VN Tag, NetFlow, ERSPAN, QoS, CoPP, DHCP snooping
Security Management
• Visibility
• Event correlation, syslog, centralized authentication
• Forensics
• Anomaly detection
• Compliance
• Tools: AD, ASDM, CSM, VNMC, ACS
Visibility Challenges in the Data Center
• High value assets and data
• Large, high volume throughput
• Multiple layers and levels of communication
• Virtual hosts
NetFlow
[Figure: host 10.2.2.2 port 1024 on eth0/1 talking to host 10.1.1.1 port 80 on eth0/2; the exporter emits one record per direction.]
Start Time    Interface  Src IP    Src Port  Dest IP   Dest Port  Proto  Pkts Sent  Bytes Sent  TCP Flags
10:20:12.221  eth0/1     10.2.2.2  1024      10.1.1.1  80         TCP    5          1025        SYN,ACK,PSH
10:20:12.871  eth0/2     10.1.1.1  80        10.2.2.2  1024       TCP    17         28712       SYN,ACK,FIN
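The two rows above are the two halves of one TCP conversation as a NetFlow exporter sees it. The Python below is added here as an illustration and is not taken from the deck or from Lancope's collector: it pairs such unidirectional records into bidirectional conversations and decides which side is the client. The record format, the helper names and the third, unanswered record are constructed for the example.

```python
"""Stitch unidirectional NetFlow records into bidirectional conversations.

Added example, not from the deck or Lancope's collector. A NetFlow exporter
emits one record per direction; a collector pairs the two halves so the
analyst sees one conversation with a client, a server and byte counts each
way. Record format, helper names and the third record are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed input: the two rows from the slide plus one SYN that never got
# a reply, so the pairing logic has a one-sided flow to deal with.
RAW_RECORDS = [
    "10:20:12.221 eth0/1 10.2.2.2 1024 10.1.1.1 80 TCP 5 1025 SYN,ACK,PSH",
    "10:20:12.871 eth0/2 10.1.1.1 80 10.2.2.2 1024 TCP 17 28712 SYN,ACK,FIN",
    "10:20:13.004 eth0/1 10.2.2.9 40001 10.1.1.1 22 TCP 1 60 SYN",
]

FIELDS = ("start", "iface", "src_ip", "src_port", "dst_ip", "dst_port",
          "proto", "pkts", "bytes", "flags")


def parse_record(line):
    """Parse one whitespace-separated unidirectional record into a dict."""
    rec = dict(zip(FIELDS, line.split()))
    rec["start"] = datetime.strptime(rec["start"], "%H:%M:%S.%f")
    for key in ("src_port", "dst_port", "pkts", "bytes"):
        rec[key] = int(rec[key])
    rec["flags"] = set(rec["flags"].split(","))
    return rec


def flow_key(rec):
    """Direction-independent key: both endpoints in sorted order, plus protocol."""
    a = (rec["src_ip"], rec["src_port"])
    b = (rec["dst_ip"], rec["dst_port"])
    return (min(a, b), max(a, b), rec["proto"])


def stitch(lines):
    """Group records by flow key and pick the client and server of each.

    The client is the endpoint whose record started first (it initiated the
    exchange); if both halves start at the same instant, the endpoint with
    the lower port is treated as the server.
    """
    groups = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        groups[flow_key(rec)].append(rec)

    conversations = []
    for key, recs in groups.items():
        # Earliest start first; on a tie the higher source port sorts first,
        # which makes the low-port side the server.
        recs.sort(key=lambda r: (r["start"], -r["src_port"]))
        first = recs[0]
        client = (first["src_ip"], first["src_port"])
        conv = {
            "client": client,
            "server": (first["dst_ip"], first["dst_port"]),
            "proto": key[2],
            "client_bytes": 0, "server_bytes": 0,
            "client_pkts": 0, "server_pkts": 0,
            "flags": set(),
            "bidirectional": len(recs) > 1,
            # gap between the first record and the last one, in milliseconds
            "reply_lag_ms": (recs[-1]["start"] - first["start"]) // timedelta(milliseconds=1),
        }
        for r in recs:
            side = "client" if (r["src_ip"], r["src_port"]) == client else "server"
            conv[side + "_bytes"] += r["bytes"]
            conv[side + "_pkts"] += r["pkts"]
            conv["flags"] |= r["flags"]
        conversations.append(conv)
    return conversations


if __name__ == "__main__":
    for c in stitch(RAW_RECORDS):
        direction = "<->" if c["bidirectional"] else "-> (no reply)"
        print(f"{c['client'][0]}:{c['client'][1]} {direction} "
              f"{c['server'][0]}:{c['server'][1]} {c['proto']} "
              f"{c['client_bytes']}B out / {c['server_bytes']}B in")
```

A one-sided flow (the constructed SYN to port 22 with no answering record) is kept as a conversation with zero server bytes rather than dropped, because unanswered connection attempts are exactly what a flow analyst wants to see.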
StealthWatch Solution Components
[Figure: component diagram. Network devices export NetFlow (including NBAR and ASA NSEL data) to the StealthWatch FlowCollector; the StealthWatch FlowSensor and FlowSensor VE generate NetFlow where devices cannot; the StealthWatch FlowReplicator forwards NetFlow to the FlowCollector and to other tools/collectors; Cisco ISE supplies users/devices context; the StealthWatch Management Console sits above the FlowCollector.]
Behavior Based Analysis
Behavior-Based Attack Detection
High Concern Index indicates a significant number of suspicious events that deviate from established baselines
StealthWatch: Alarms
Alarms
• Indicate significant behavior changes and policy violations
• Known and unknown attacks generate alarms
• Activity that falls outside the baseline, acceptable behavior or established policies
© 2013 Lancope, Inc. All rights reserved.
Suspect Data Hoarding
Unusually large amount of data inbound from other hosts
Default Policy
Target Data Hoarding
Unusually large amount of data outbound from a host to multiple hosts
Default Policy
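The two default-policy alarms above are baseline deviations rather than signatures. The Python below is an added example, not Lancope's detection logic: it builds a per-host baseline from past daily byte totals and raises Suspect Data Hoarding or Target Data Hoarding when today's inbound or outbound total exceeds that baseline and the traffic involves several peers. The thresholds, the peer-count rule and the sample flows are constructed assumptions.

```python
"""Baseline-deviation alarms for data hoarding (added example, not Lancope code).

A simplified model of the two default-policy alarms: Suspect Data Hoarding
(a host pulls an unusually large amount of data inbound from other hosts)
and Target Data Hoarding (a host pushes an unusually large amount of data
outbound to multiple hosts). Each host gets a baseline from its past daily
totals; today's total is compared with mean + K_SIGMA * stddev, with an
absolute floor so a quiet host is not alarmed by a small change. Thresholds,
the peer-count condition and the flows are constructed assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

K_SIGMA = 3.0            # standard deviations above the baseline mean
MIN_BYTES = 50_000_000   # 50 MB floor before either alarm can fire
MIN_PEERS = 3            # "multiple hosts" / "other hosts" condition


def _new_stats():
    return {"in": 0, "out": 0, "in_peers": set(), "out_peers": set()}


def daily_totals(flows):
    """Aggregate (day, src, dst, bytes) tuples into per-day, per-host stats."""
    totals = defaultdict(lambda: defaultdict(_new_stats))
    for day, src, dst, nbytes in flows:
        totals[day][dst]["in"] += nbytes
        totals[day][dst]["in_peers"].add(src)
        totals[day][src]["out"] += nbytes
        totals[day][src]["out_peers"].add(dst)
    return totals


def threshold(history):
    """Alarm threshold from a list of past daily byte totals for one host."""
    if not history:
        return MIN_BYTES
    return max(MIN_BYTES, mean(history) + K_SIGMA * pstdev(history))


def hoarding_alarms(flows, today):
    """Return (host, alarm name, observed bytes, threshold) tuples for `today`,
    using every earlier day present in `flows` as the baseline period."""
    totals = daily_totals(flows)
    past_days = sorted(d for d in totals if d < today)
    alarms = []
    for host, stats in totals.get(today, {}).items():
        in_hist = [totals[d][host]["in"] for d in past_days if host in totals[d]]
        out_hist = [totals[d][host]["out"] for d in past_days if host in totals[d]]
        in_thr, out_thr = threshold(in_hist), threshold(out_hist)
        if stats["in"] > in_thr and len(stats["in_peers"]) >= MIN_PEERS:
            alarms.append((host, "Suspect Data Hoarding", stats["in"], in_thr))
        if stats["out"] > out_thr and len(stats["out_peers"]) >= MIN_PEERS:
            alarms.append((host, "Target Data Hoarding", stats["out"], out_thr))
    return alarms


# Constructed flows: (day, src, dst, bytes). Days 1-6 carry normal traffic;
# day 6 additionally carries the anomaly.
SAMPLE_FLOWS = []
for _day in range(1, 7):
    for _user in ("10.2.2.2", "10.2.2.3", "10.2.2.4", "10.2.2.5"):
        SAMPLE_FLOWS.append((_day, "10.1.1.1", _user, 50_000_000))   # file server to users
    SAMPLE_FLOWS.append((_day, "10.1.1.1", "10.2.2.9", 10_000_000))  # workstation's usual pulls
    SAMPLE_FLOWS.append((_day, "10.1.1.2", "10.2.2.9", 10_000_000))
# Day 6: workstation 10.2.2.9 pulls 600 MB from each of four servers ...
for _srv in ("10.1.1.2", "10.1.1.3", "10.1.1.4", "10.1.1.5"):
    SAMPLE_FLOWS.append((6, _srv, "10.2.2.9", 600_000_000))
# ... and pushes 800 MB to each of three hosts.
for _dst in ("10.2.2.2", "10.2.2.3", "203.0.113.7"):
    SAMPLE_FLOWS.append((6, "10.2.2.9", _dst, 800_000_000))


if __name__ == "__main__":
    for host, alarm, observed, thr in hoarding_alarms(SAMPLE_FLOWS, today=6):
        print(f"{alarm}: {host} moved {observed:,} bytes (threshold {thr:,.0f})")
```

In the constructed data the workstation 10.2.2.9 trips both alarms on day 6, while the three hosts it pushed data to do not trip Suspect Data Hoarding because each received from fewer than MIN_PEERS sources; that peer-count condition is what keeps one large transfer between two hosts from looking like hoarding, and it is also why a push to a single destination would need a different alarm than Target Data Hoarding.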
Custom Security Events
Time range
Object conditions
Peer conditions
Connection conditions
Custom Security Events
High Level Use cases:
• Check policy
• Check for known bad conditions
Examples:
• IOC specific to environment
• Audit compliance (ex. Users to PCI servers)
• VM-to-VM communication
• Inappropriate access or applications
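One way to evaluate such a custom security event, as an added example rather than the StealthWatch rule engine: the Python below models the four condition types listed on the previous slide (time range, object, peer and connection conditions) and applies constructed rules for two of the use cases above, a "Users to PCI servers" policy check and an environment-specific IOC. Host groups, addresses, rule names and flows are all constructed.

```python
"""Custom security event matching (added example, not Lancope's engine).

Models the four parts of a custom security event: a time range, object
(subject host) conditions, peer conditions and connection conditions. Host
groups, addresses, rules and flows are constructed for this example.
"""
from dataclasses import dataclass, field
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed host groups, expressed as CIDR lists.
HOST_GROUPS = {
    "PCI Servers": ["10.10.0.0/24"],
    "Users": ["10.2.0.0/16"],
    "Jump Hosts": ["10.2.200.5/32"],
    "Known Bad": ["198.51.100.44/32"],  # environment-specific IOC (constructed)
}


def in_any_group(ip, groups):
    """True if `ip` falls inside any CIDR of any of the named host groups."""
    addr = ip_address(ip)
    return any(addr in ip_network(cidr) for g in groups for cidr in HOST_GROUPS[g])


@dataclass
class Rule:
    name: str
    subject_groups: list                       # object conditions
    peer_groups: list                          # peer conditions
    exclude_subjects: list = field(default_factory=list)
    proto: Optional[str] = None                # connection conditions
    dst_ports: Optional[set] = None
    negate_ports: bool = False                 # True: fire on ports NOT listed
    start: time = time(0, 0)                   # time range; start > end wraps midnight
    end: time = time(23, 59, 59)

    def in_window(self, t):
        if self.start <= self.end:
            return self.start <= t <= self.end
        return t >= self.start or t <= self.end   # overnight window

    def matches(self, flow):
        if not self.in_window(flow["time"]):
            return False
        if not in_any_group(flow["src"], self.subject_groups):
            return False
        if in_any_group(flow["src"], self.exclude_subjects):
            return False
        if not in_any_group(flow["dst"], self.peer_groups):
            return False
        if self.proto and flow["proto"] != self.proto:
            return False
        if self.dst_ports is not None:
            listed = flow["dst_port"] in self.dst_ports
            if listed == self.negate_ports:    # listed+negated or unlisted+plain: no match
                return False
        return True


RULES = [
    Rule("Users to PCI servers", ["Users"], ["PCI Servers"], exclude_subjects=["Jump Hosts"]),
    Rule("Jump host to PCI on non-HTTPS port", ["Jump Hosts"], ["PCI Servers"],
         proto="TCP", dst_ports={443}, negate_ports=True),
    Rule("After-hours access to PCI servers", ["Jump Hosts"], ["PCI Servers"],
         start=time(19, 0), end=time(7, 0)),
    Rule("Traffic to known-bad address", ["Users", "Jump Hosts", "PCI Servers"], ["Known Bad"]),
]

# Constructed flows (one record each; only the fields the rules look at).
SAMPLE_FLOWS = [
    {"time": time(10, 15), "src": "10.2.5.17", "dst": "10.10.0.12", "proto": "TCP", "dst_port": 443},
    {"time": time(10, 16), "src": "10.2.200.5", "dst": "10.10.0.12", "proto": "TCP", "dst_port": 443},
    {"time": time(10, 17), "src": "10.2.200.5", "dst": "10.10.0.12", "proto": "TCP", "dst_port": 22},
    {"time": time(23, 40), "src": "10.2.200.5", "dst": "10.10.0.12", "proto": "TCP", "dst_port": 443},
    {"time": time(14, 2), "src": "10.10.0.12", "dst": "198.51.100.44", "proto": "TCP", "dst_port": 8080},
]


def evaluate(flows, rules=RULES):
    """Return one event per (flow, rule) pair that matches."""
    return [{"rule": r.name, "src": f["src"], "dst": f["dst"], "dst_port": f["dst_port"]}
            for f in flows for r in rules if r.matches(f)]


if __name__ == "__main__":
    for e in evaluate(SAMPLE_FLOWS):
        print(f"{e['rule']}: {e['src']} -> {e['dst']}:{e['dst_port']}")
```

Of the five constructed flows, four raise an event; the jump host's daytime HTTPS session to the PCI server is the one that is allowed by every rule, which is the audit result a compliance check wants to be able to show.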
Cisco Cyber Threat Defense Solution for the Data Center Design
About this section
http://www.cisco.com/go/securedatacenter
CTD Data Center Validated Architecture
[Figure: validated architecture. Edge: Cisco ASA exporting NetFlow (NSEL); Core: Nexus 7000 with SPAN to Cisco NGA appliances that generate NetFlow; Access: Nexus 1000v exporting NetFlow. All NetFlow goes to the StealthWatch FlowCollector, which the StealthWatch Management Console reaches over https.]
NetFlow Security Event Logging:
• Provides visualization into policy enforcement points
• Monitor communication between branches
• Efficient event reporting mechanism:
  • Syslog - Verbose, text based, single event per packet: ~30% processing overhead
  • NetFlow - Compact, binary, multiple events per packet: ~7-10% processing overhead
• Context rich:
  • Event driven: Flow Created, Denied, tear-down
  • Network Address Translations
  • User-ID
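The "compact, binary, multiple events per packet" point above can be seen by building a NetFlow v9 export packet by hand. The Python below is an added example, not code from the deck, from Cisco or from Lancope: it encodes a template flowset and a data flowset in the RFC 3954 layout and decodes them again. The field type numbers are the standard v9 element IDs; template ID 256, the header timestamps and the two flows (the pair from the NetFlow slide earlier) are constructed.

```python
"""Build and decode a minimal NetFlow v9 export packet (RFC 3954 layout).

Added example, not from the deck. One 20-byte header, one template flowset
describing the record layout, and one data flowset carrying several
fixed-width records: that is why a v9 packet is small and carries many
events. Template ID, timestamps and flow values are constructed.
"""
import struct

# Standard NetFlow v9 field types used by the template.
IN_BYTES, IN_PKTS, PROTOCOL, TCP_FLAGS = 1, 2, 4, 6
L4_SRC_PORT, IPV4_SRC_ADDR, L4_DST_PORT, IPV4_DST_ADDR = 7, 8, 11, 12

TEMPLATE_ID = 256   # data flowset IDs >= 256 refer to a template
# (field type, length in bytes) in the order the record bytes are laid out.
TEMPLATE = [(IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (L4_SRC_PORT, 2),
            (L4_DST_PORT, 2), (PROTOCOL, 1), (IN_PKTS, 4), (IN_BYTES, 4),
            (TCP_FLAGS, 1)]
NAMES = {IPV4_SRC_ADDR: "src_ip", IPV4_DST_ADDR: "dst_ip", L4_SRC_PORT: "src_port",
         L4_DST_PORT: "dst_port", PROTOCOL: "proto", IN_PKTS: "pkts",
         IN_BYTES: "bytes", TCP_FLAGS: "tcp_flags"}

# Constructed flows: the two directions of the conversation on the NetFlow
# slide. TCP flag bits: FIN=0x01 SYN=0x02 PSH=0x08 ACK=0x10.
SAMPLE_FLOWS = [
    {"src_ip": "10.2.2.2", "dst_ip": "10.1.1.1", "src_port": 1024, "dst_port": 80,
     "proto": 6, "pkts": 5, "bytes": 1025, "tcp_flags": 0x1A},    # SYN,ACK,PSH
    {"src_ip": "10.1.1.1", "dst_ip": "10.2.2.2", "src_port": 80, "dst_port": 1024,
     "proto": 6, "pkts": 17, "bytes": 28712, "tcp_flags": 0x13},  # SYN,ACK,FIN
]


def _ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def build_packet(flows, seq=1, source_id=0):
    """Encode flows into one v9 packet: header + template set + data set."""
    tmpl_body = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE))
    for ftype, flen in TEMPLATE:
        tmpl_body += struct.pack("!HH", ftype, flen)
    template_set = struct.pack("!HH", 0, 4 + len(tmpl_body)) + tmpl_body   # set id 0

    data = b""
    for f in flows:
        data += _ip_bytes(f["src_ip"]) + _ip_bytes(f["dst_ip"])
        data += struct.pack("!HHBIIB", f["src_port"], f["dst_port"], f["proto"],
                            f["pkts"], f["bytes"], f["tcp_flags"])
    pad = (-len(data)) % 4   # flowsets are padded to a 32-bit boundary
    data_set = struct.pack("!HH", TEMPLATE_ID, 4 + len(data) + pad) + data + b"\0" * pad

    # count = template records + data records; uptime/unix time are constructed
    header = struct.pack("!HHIIII", 9, 1 + len(flows), 12345, 1415000000, seq, source_id)
    return header + template_set + data_set


def parse_packet(packet):
    """Decode a v9 packet; returns (header dict, list of record dicts).

    Templates are learned from this packet only; a real collector caches
    them per exporter and source ID, since data may arrive before a template.
    """
    version, count, _uptime, _unix, seq, source_id = struct.unpack_from("!HHIIII", packet, 0)
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    templates, records, offset = {}, [], 20
    while offset + 4 <= len(packet):
        set_id, set_len = struct.unpack_from("!HH", packet, offset)
        if set_len < 4:
            raise ValueError("malformed flowset length")
        body = packet[offset + 4: offset + set_len]
        if set_id == 0:                                   # template flowset
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                pos += 4
                templates[tid] = [struct.unpack_from("!HH", body, pos + 4 * i) for i in range(nfields)]
                pos += 4 * nfields
        elif set_id >= 256 and set_id in templates:       # data flowset
            fields = templates[set_id]
            rec_len = sum(flen for _, flen in fields)
            pos = 0
            while rec_len and pos + rec_len <= len(body):  # trailing pad is < rec_len
                rec, p = {}, pos
                for ftype, flen in fields:
                    raw = body[p:p + flen]
                    p += flen
                    if ftype in (IPV4_SRC_ADDR, IPV4_DST_ADDR):
                        rec[NAMES[ftype]] = ".".join(str(b) for b in raw)
                    else:
                        rec[NAMES.get(ftype, ftype)] = int.from_bytes(raw, "big")
                records.append(rec)
                pos += rec_len
        # options templates (set id 1) and unknown templates are skipped
        offset += set_len
    return {"count": count, "sequence": seq, "source_id": source_id}, records


def bytes_per_event(n_flows):
    """Packet bytes per record when n_flows records share one template."""
    return len(build_packet([SAMPLE_FLOWS[0]] * n_flows)) / n_flows


if __name__ == "__main__":
    hdr, recs = parse_packet(build_packet(SAMPLE_FLOWS))
    print(hdr, *recs, sep="\n")
```

bytes_per_event shows the economy the slide refers to: with two records the packet costs 54 bytes per flow including the template, and with thirty records sharing one template it falls under 25 bytes per flow.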
ASA NSEL Configuration
!
flow-export destination management <ip-address> 2055
!
policy-map global_policy
 class class-default
  flow-export event-type all destination <ip-address>
!
flow-export template timeout-rate 2
logging flow-export syslogs disable
!
ASA Flow Table
[Figure: ASA flow table with Inside local and Outside global address columns for a User-to-Server connection.]
Core: Nexus 7000 & NGA
[Figure: Nexus 7000 with a SPAN session feeding the Cisco NGA.]
NetFlow Generation Appliance:
• 4x10 G monitoring interfaces
• Non-performance impacting 1:1 NetFlow generation
• NetFlow version 5, 9 and IPFIX
• 80M Active Flow Cache
• 200K NetFlow record export per sec
Nexus 7004 Configuration
!
interface port-channel8
 description <<** NGA SPAN PORTS **>>
 switchport mode trunk
 switchport monitor
!
monitor session 1
 description SPAN ASA Data Traffic from Po20
 source interface port-channel20 rx
 destination interface port-channel8
 no shut
NGA Config
Alternative: Physical FlowSensor
[Figure: Nexus 7000 with a SPAN session feeding the StealthWatch FlowSensor.]
StealthWatch FlowSensor
• Multiple hardware platforms up to 20 Gbps throughput
• Non-performance impacting 1:1 NetFlow generation
• Recognition of over 900 Applications
• URL capture
• Additional statistics:
  • Server Response Time
  • Round Trip Time
Access: Nexus 1000v
Nexus 1000v:
• NetFlow as close to access as possible: complete visibility
• Visibility into VM-to-VM communication (across the 1000v)
• Up to 256 NetFlow interfaces; one flow monitor per interface, per direction
• Cache: 256 to 16384 entries - default is 4096.
Nexus 1000v NetFlow Config
feature netflow
!
flow exporter nf-export-1
 description <<** SEA Lancope Flow Collector **>>
 destination 172.26.164.240 use-vrf management
 transport udp 2055
 source mgmt0
 version 9
  option exporter-stats timeout 300
  option interface-table timeout 300
!
flow monitor sea-enclaves
 record netflow-original
 exporter nf-export-1
 timeout active 60
 timeout inactive 15
!
port-profile type vethernet enc1-3001
 ip flow monitor sea-enclaves input
Optional: StealthWatch FlowSensor VE
[Figure: FlowSensor VE running as a VM alongside the service console and workload VMs, doing lightweight packet capture and IPFIX generation.]
Visibility & Context:
• Flow records include:
  • VM name
  • VM server name
  • VM State
• vMotion aware
• Host Profiled in terms of VM name
• Application, SRT, RRT (same as physical)
FlowSensor VE: VM Visibility
Provide VM-to-VM Policy Monitoring within the same VMware server
Summary
• Visibility into Data Center traffic has historically been difficult
• NetFlow and the Lancope StealthWatch System provide actionable security intelligence in data centers
More Information:
• http://www.lancope.com/
• http://www.cisco.com/go/securedatacenter
• http://www.cisco.com/go/threatdefense
THANK YOU