Data center webinar_v2_1

Date post: 18-Nov-2014
Upload: lancope-inc
Page 1: Data center webinar_v2_1

Securing the Data Center

Matt Robertson - Lancope Technical Marketing Engineer

David Anderson - Cisco Principal Solution Architect, Data Center Security

Page 2: Data center webinar_v2_1

Defending Against Humans

Page 3: Data center webinar_v2_1

Evolution of Cyber Conflict

War Dialing, Phone Phreaking …

Manual Attacks (1980s)

Viruses, Worms …

Mechanized Attacks (1988)

Google, RSA …

Talented Human / Mechanized Attackers (2009)

Cryptocurrency Ransoms, Store-bought Credentials ...

DIY Human / Mechanized Attackers (2011)

Intelligence Driven Human Defenders

Manual Defenses: Unplug

Mechanized Defenses: Firewall, IDS/IPS

Targeted Human/Mechanized Defenders: Reputation, App-aware Firewall

APT, Multi-Step Attacks…

Target, Neiman Marcus …

Page 4: Data center webinar_v2_1

Security Buckets

Segmentation
• Establish boundaries: network, compute, virtual
• Enforce policy by functions, devices, organizations, compliance
• Control and prevent unauthorized access to networks, resources, applications

Threat Defense
• Stop internal and external attacks and interruption of services
• Patrol zone and edge boundaries
• Control information access and usage, prevent data loss and data modification

Visibility
• Provide transparency to usage
• Apply business context to network activity
• Simplify operations and compliance reporting

Page 5: Data center webinar_v2_1

Internet

Partners

Application Software

Virtual Machines, VSwitch, Access, Aggregation and Services, Core, Edge, IP-NGN Backbone

Storage and SAN Compute

IP-NGN

Application Control (SLB+)

Service Control

Firewall Services

Virtual Device Contexts

Fibre Channel Forwarding

Fabric Extension

Fabric-Hosted Storage Virtualization

Storage Media Encryption

Virtual Contexts for FW & SLB

Port Profiles & VN-Link

Line-Rate NetFlow

Virtual Device Contexts

Secure Domain Routing

Service Profiles

Virtual Machine Optimization

Virtual Firewall (Edge and VM)

Intrusion Detection

Physical / Virtual

Security As A System

Unified Policy

Page 6: Data center webinar_v2_1

UCS / Virtual Access / Storage

Data Center Security Control Framework: Multi-Layer, Distributed Model

Data Center Core Layer

DC Service Layer

DC Access Layer

Services

• Initial filter for DC ingress and egress traffic. Virtual Contexts are used to split policies for server-to-server filtering

• Additional firewall services for server farm specific protection

Infrastructure Security

• Infrastructure Security features are enabled to protect device, traffic plane and control plane

• 802.1AE and vPC provide internal/external separation

Services

• IPS/IDS provide traffic analysis and forensics

• Network Analysis provides traffic monitoring and data analysis

• Server load balancing masks servers and applications

Data security: authenticate & access control

Port security authentication, QoS features

Virtual Firewall, Real-time Monitoring, Firewall Rules

ACLs, Port Security, VN Tag, NetFlow, ERSPAN, QoS, CoPP, DHCP snooping

Security Management

• Visibility
• Event correlation, syslog, centralized authentication
• Forensics
• Anomaly detection
• Compliance

AD, ASDM, CSM, VNMC, ACS

DC Aggregation Layer

Page 7: Data center webinar_v2_1

Visibility Challenges in the Data Center

High value assets and data

Large, high volume throughput

Multiple layers and levels of communication

Virtual hosts

Page 8: Data center webinar_v2_1

NetFlow

Diagram: 10.2.2.2 port 1024 (eth0/1) exchanging traffic with 10.1.1.1 port 80 (eth0/2)

Start Time    Interface  Src IP    Src Port  Dest IP   Dest Port  Proto  Pkts Sent  Bytes Sent  TCP Flags
10:20:12.221  eth0/1     10.2.2.2  1024      10.1.1.1  80         TCP    5          1025        SYN,ACK,PSH
10:20:12.871  eth0/2     10.1.1.1  80        10.2.2.2  1024       TCP    17         28712       SYN,ACK,FIN

Page 9: Data center webinar_v2_1

Network Devices

StealthWatch FlowCollector

StealthWatch Management Console

NetFlow

Users/Devices

Cisco ISE

NBAR NSEL

StealthWatch Solution Components

StealthWatch FlowSensor

StealthWatch FlowSensor VE

NetFlow

StealthWatch FlowReplicator

Other tools/collectors

Page 10: Data center webinar_v2_1

Behavior Based Analysis

Page 11: Data center webinar_v2_1

Behavior-Based Attack Detection

High Concern Index indicates a significant number of suspicious events that deviate from established baselines

Page 12: Data center webinar_v2_1

StealthWatch: Alarms

Alarms
• Indicate significant behavior changes and policy violations
• Known and unknown attacks generate alarms
• Activity that falls outside the baseline, acceptable behavior or established policies

Page 13: Data center webinar_v2_1

© 2013 Lancope, Inc. All rights reserved.

Suspect Data Hoarding

Unusually large amount of data inbound from other hosts

Default Policy

Page 14: Data center webinar_v2_1

Target Data Hoarding

Unusually large amount of data outbound from a host to multiple hosts

Default Policy
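As an added illustration (not part of the webinar or of the StealthWatch product), the following Python computes toy versions of the two data hoarding alarms above from NetFlow-style records in the column layout of the NetFlow slide. The records, per-host baselines, ratio threshold and peer count are constructed assumptions.

```python
from collections import defaultdict

# Constructed records in the column order of the NetFlow slide:
# start, interface, src ip, src port, dst ip, dst port, proto, pkts, bytes, flags
FLOWS = """\
10:20:12.221 eth0/1 10.2.2.2 1024 10.1.1.1 80 TCP 5 1025 SYN,ACK,PSH
10:20:12.871 eth0/2 10.1.1.1 80 10.2.2.2 1024 TCP 17 28712 SYN,ACK,FIN
10:21:03.002 eth0/2 10.1.1.5 445 10.3.0.9 51000 TCP 900 41000000 SYN,ACK,PSH
10:21:04.100 eth0/2 10.1.1.6 445 10.3.0.9 51001 TCP 850 39000000 SYN,ACK,PSH
10:21:05.300 eth0/2 10.1.1.7 445 10.3.0.9 51002 TCP 910 42000000 SYN,ACK,PSH
10:21:09.000 eth0/2 10.1.1.5 445 10.3.0.10 51003 TCP 880 40000000 SYN,ACK,PSH
10:21:11.000 eth0/2 10.1.1.5 445 10.3.0.11 51004 TCP 870 40000000 SYN,ACK,PSH
"""

# Assumed learned baselines (bytes per interval) and alarm policy; all constructed.
BASELINE_IN = {"10.3.0.9": 5_000_000, "10.2.2.2": 2_000_000}
BASELINE_OUT = {"10.1.1.5": 20_000_000}
DEFAULT_BASELINE = 50_000_000  # used for hosts with no learned baseline
FACTOR = 4                     # observed/baseline ratio that raises an alarm
MIN_PEERS = 3                  # "multiple hosts" for Target Data Hoarding


def parse_flows(text):
    """Turn the slide's space-separated records into (src, dst, bytes) tuples."""
    rows = []
    for line in text.strip().splitlines():
        f = line.split()
        rows.append((f[2], f[4], int(f[8])))
    return rows


def data_hoarding_alarms(rows):
    """Return (suspect, target): host -> (bytes, peer count) for each alarm."""
    inbound = defaultdict(lambda: [0, set()])   # dst -> [bytes in, sources]
    outbound = defaultdict(lambda: [0, set()])  # src -> [bytes out, destinations]
    for src, dst, nbytes in rows:
        inbound[dst][0] += nbytes
        inbound[dst][1].add(src)
        outbound[src][0] += nbytes
        outbound[src][1].add(dst)
    # Suspect Data Hoarding: a host pulling far more data in than its baseline
    suspect = {h: (b, len(p)) for h, (b, p) in inbound.items()
               if b >= FACTOR * BASELINE_IN.get(h, DEFAULT_BASELINE)}
    # Target Data Hoarding: a host pushing far more data out, to several peers
    target = {h: (b, len(p)) for h, (b, p) in outbound.items()
              if b >= FACTOR * BASELINE_OUT.get(h, DEFAULT_BASELINE)
              and len(p) >= MIN_PEERS}
    return suspect, target


if __name__ == "__main__":
    suspect, target = data_hoarding_alarms(parse_flows(FLOWS))
    for host, (b, n) in suspect.items():
        print(f"Suspect Data Hoarding: {host} received {b} bytes from {n} hosts")
    for host, (b, n) in target.items():
        print(f"Target Data Hoarding: {host} sent {b} bytes to {n} hosts")
```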

Page 15: Data center webinar_v2_1

Custom Security Events

Time range

Object conditions

Peer conditions

Connection conditions

Page 16: Data center webinar_v2_1

Custom Security Events

High Level Use cases:
• Check policy
• Check for known bad conditions

Examples:
• IOC specific to environment
• Audit compliance (ex. Users to PCI servers)
• VM-to-VM communication
• Inappropriate access or applications
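Added example, not from the webinar or the product: a minimal evaluator for custom security events built from the four condition types listed above (time range, object, peer, connection), run over constructed flow records. The networks, the two events (after-hours user access to PCI servers, VM-to-VM SSH) and the flows are assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import time
from ipaddress import ip_address, ip_network


@dataclass
class CustomSecurityEvent:
    name: str
    time_range: tuple                              # (start, end) datetime.time; may wrap midnight
    object_nets: list                              # object condition: source host in one of these
    peer_nets: list                                # peer condition: destination host in one of these
    dst_ports: set = field(default_factory=set)    # connection condition; empty set = any port
    protocols: set = field(default_factory=set)    # connection condition; empty set = any protocol


def in_window(t, start, end):
    """Inclusive time-of-day window, handling ranges that cross midnight."""
    return start <= t <= end if start <= end else (t >= start or t <= end)


def in_any(host, nets):
    return any(ip_address(host) in net for net in nets)


def matches(ev, flow):
    return (in_window(flow["time"], *ev.time_range)
            and in_any(flow["src"], ev.object_nets)
            and in_any(flow["dst"], ev.peer_nets)
            and (not ev.dst_ports or flow["dport"] in ev.dst_ports)
            and (not ev.protocols or flow["proto"] in ev.protocols))


def evaluate(events, flows):
    """Return (event name, src, dst, dport) for every flow/event match."""
    return [(ev.name, f["src"], f["dst"], f["dport"])
            for f in flows for ev in events if matches(ev, f)]


# Constructed address groups and events (assumed, not from the webinar).
USER_NET, PCI_NET, VM_NET = ip_network("10.2.0.0/16"), ip_network("10.1.1.0/24"), ip_network("10.3.0.0/24")
EVENTS = [
    CustomSecurityEvent("After-hours user access to PCI servers", (time(18, 0), time(6, 0)), [USER_NET], [PCI_NET]),
    CustomSecurityEvent("VM-to-VM SSH", (time(0, 0), time(23, 59, 59)), [VM_NET], [VM_NET], {22}, {"TCP"}),
]
FLOWS = [  # constructed sample flows
    {"time": time(10, 20, 12), "src": "10.2.2.2", "dst": "10.1.1.1", "dport": 80, "proto": "TCP"},
    {"time": time(22, 41, 5), "src": "10.2.7.30", "dst": "10.1.1.20", "dport": 1433, "proto": "TCP"},
    {"time": time(3, 15, 0), "src": "10.3.0.9", "dst": "10.3.0.14", "dport": 22, "proto": "TCP"},
    {"time": time(11, 0, 0), "src": "10.3.0.9", "dst": "10.3.0.14", "dport": 443, "proto": "TCP"},
]

if __name__ == "__main__":
    for hit in evaluate(EVENTS, FLOWS):
        print("Custom Security Event:", *hit)
```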

Page 17: Data center webinar_v2_1

Cisco Cyber Threat Defense Solution for the Data Center Design

Page 18: Data center webinar_v2_1

About this section

http://www.cisco.com/go/securedatacenter

Page 19: Data center webinar_v2_1

CTD Data Center Validated Architecture

Nexus 1000v

Nexus 7000

StealthWatch FlowCollector

StealthWatch Management

Console

https

NetFlow

Cisco NGACisco NGA

Cisco ASA

SPAN SPAN

Page 20: Data center webinar_v2_1

Edge: ASA

NetFlow Security Event Logging:
• Provides visualization into policy enforcement points
• Monitor communication between branches
• Efficient event reporting mechanism:
  • Syslog - Verbose, text based, single event per packet: ~30% processing overhead
  • NetFlow - Compact, binary, multiple events per packet: ~7-10% processing overhead
• Context rich:
  • Event driven: Flow Created, Denied, tear-down
  • Network Address Translations
  • User-ID

Page 21: Data center webinar_v2_1

ASA NSEL Configuration

!
flow-export destination management <ip-address> 2055
!
policy-map global_policy
 class class-default
  flow-export event-type all destination <ip-address>
!
flow-export template timeout-rate 2
logging flow-export syslogs disable
!

Page 22: Data center webinar_v2_1

ASA Flow Table

Diagram: User - Inside local - Outside global - Server

Page 23: Data center webinar_v2_1

Core: Nexus 7000 & NGA

Nexus 7000

Cisco NGA

SPAN

NetFlow Generation Appliance:
• 4x10 G monitoring interfaces
• Non-performance impacting 1:1 NetFlow generation
• NetFlow version 5, 9 and IPFIX
• 80M Active Flow Cache
• 200K NetFlow record export per sec

Page 24: Data center webinar_v2_1

Nexus 7004 Configuration

!
interface port-channel8
  description <<** NGA SPAN PORTS **>>
  switchport mode trunk
  switchport monitor
!
monitor session 1
  description SPAN ASA Data Traffic from Po20
  source interface port-channel20 rx
  destination interface port-channel8
  no shut

Page 25: Data center webinar_v2_1

NGA Config

Page 26: Data center webinar_v2_1

Alternative: Physical FlowSensor

Nexus 7000

StealthWatch FlowSensor

SPAN

StealthWatch FlowSensor
• Multiple hardware platforms up to 20 Gbps throughput
• Non-performance impacting 1:1 NetFlow generation
• Recognition of over 900 Applications
• URL capture
• Additional statistics:
  • Server Response Time
  • Round Trip Time

Page 27: Data center webinar_v2_1

Access: Nexus 1000v

Nexus 1000v

Nexus 1000v:
• NetFlow as close to access as possible: complete visibility
• Visibility into VM-to-VM communication (across the 1000v)
• Up to 256 NetFlow interfaces; one flow monitor per interface, per direction
• Cache: 256 to 16384 entries - default is 4096.

Page 28: Data center webinar_v2_1

Nexus 1000v NetFlow Config

feature netflow
!
flow exporter nf-export-1
  description <<** SEA Lancope Flow Collector **>>
  destination 172.26.164.240 use-vrf management
  transport udp 2055
  source mgmt0
  version 9
    option exporter-stats timeout 300
    option interface-table timeout 300
!
flow monitor sea-enclaves
  record netflow-original
  exporter nf-export-1
  timeout active 60
  timeout inactive 15
!
port-profile type vethernet enc1-3001
  ip flow monitor sea-enclaves input

Page 29: Data center webinar_v2_1

Optional: StealthWatch FlowSensor VE

Diagram: Service Console and VMs on the same host; the FlowSensor VE performs lightweight packet capture and IPFIX generation

Visibility & Context:
• Flow records include:
  • VM name
  • VM server name
  • VM State
• vMotion aware
• Host Profiled in terms of VM name
• Application, SRT, RRT (same as physical)

Page 30: Data center webinar_v2_1

FlowSensor VE: VM Visibility

Page 31: Data center webinar_v2_1

FlowSensor VE: VM Visibility

Provide VM-to-VM Policy Monitoring within the same VMware server

Page 32: Data center webinar_v2_1

Summary

More Information:
• http://www.lancope.com/
• http://www.cisco.com/go/securedatacenter
• http://www.cisco.com/go/threatdefense

NetFlow and the Lancope StealthWatch System provide actionable security intelligence in data centers

Visibility into Data Center traffic has historically been difficult

Page 33: Data center webinar_v2_1

THANK YOU
