Designing Secure Cisco Data Centers

Date post: 19-Jan-2015
Upload: cisco-russia
Page 1: Designing Secure Cisco Data Centers

© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public

Михаил Кадер,

[email protected]

[email protected]

Page 2: Designing Secure Cisco Data Centers


“59% of organizations lack the lab resources or test environments to validate vendor claims for themselves.”

—SANS Institute

“Organizations clearly lack well-defined standards, processes, and resources for determining the resiliency of their critical network devices and systems.... Need methodical resiliency validation using a combo of real traffic, heavy load and security attacks.” —SANS and TOGAG

Cisco Validated Designs Deliver Results

Data Center / Secure Data Center CVD – www.cisco.com/go/vmdc

Page 3: Designing Secure Cisco Data Centers


Setting the Foundation for the Secure Designs

Page 4: Designing Secure Cisco Data Centers


Traditional Data Center Architecture


Items of note:

- Both Physical Network Fabric and Virtualization components are represented
- Well defined DC Edge (layer 3) providing connectivity and security services to/from DC and Internet/Extranet
- DMZ network (physical or virtual workload) on DC edge that could securely leverage physical workloads or virtual workloads
- DC Core is Routed (OSPF, BGP, EIGRP) with ECMP
- DC Aggregation layer contains Physical Security Services allowing the creation of internal zones / trust enclaves without crossing core (East-West) and crossing core (North-South) only when required
- Various End-of-Row/Top-of-Rack options represented between Aggregation and Compute/Access Layer
- Virtual Security services represented with Nexus 1000v

Architecture

Page 5: Designing Secure Cisco Data Centers


Traditional Secure Data Center Design – Basic and Simplified

[Figure: Data Center diagram with two layers, (1) Physical Network Fabric, made up of (A) External DC Edge and (B) Internal DC Zoning, and (2) Virtual Fabric & Compute, made up of (A) Virtual Workloads and (B) Virtual Services]

1. Physical Network Fabric –
- Creates the shared physical infrastructure for moving packets within the Data Center (North, South, East and West)
- Leverages the DC-Class Technologies of Cisco Nexus Switching

External DC Edge – (External Zoning)
- Boundary between the Data Center and the rest of the corporate network (or Internet) (North-South)

Internal DC Zones – Stateful Internal separation
- Allows Secure Zones or Trust Enclaves to be established within the DC Network Fabric, establishing secure separation via External DC Zones or other Internal DC Zones (North-South)
- Should inherently take advantage of the optimized network infrastructure without violating proper Data Center Design objectives:
  - High-Availability / Zero Downtime
  - Scalability / Massive Workload Processing
  - Survivability / Redundancy
  - Low Latency / No Packet Loss
  - Asymmetric Traffic Flows

Page 6: Designing Secure Cisco Data Centers


Traditional Secure Data Center Design – Basic and Simplified

[Figure: the same Data Center diagram, now highlighting (2) Virtual Fabric & Compute, made up of (A) ‘Secure’ Virtual Workloads and (B) Virtual Security Services]

2. Virtual Fabric and Compute –
- Creates the shared virtual infrastructure for moving packets within the Virtualized Data Center
- Leverages Virtualization & Compute Technologies of Cisco Nexus / Unified Compute System (UCS) and Virtualization Software e.g. VMWare, Citrix, etc.

Secure Virtual Workloads –
- Securing the sum of the requests made by users and applications of a ‘virtual system’
- Typically defined as a self-contained unit: an integrated stack consisting of application, middleware, database, and operating system devoted to a specific computing task

Virtual Security Services –
- The Virtual services defined to successfully secure and optimize a Virtual Workload: Virtual Firewalls, Virtual Routing, Network Management, Virtual Load Balancers, Cloud Interconnect, VPN, etc.

Page 7: Designing Secure Cisco Data Centers


Secure DC: Traditional Use Cases

[Figure: four use-case diagrams built from Nexus VDC1/VDC2 with vPC and ASA contexts CTX1/CTX2; connections shown to the Internet, Extranet (Vendor, Partner), Campus / Data Center and DMZ, plus Cisco VXI]
1. Secure Internal Zone From External Zone
2. Secure Data in a Compliance Scenario [PCI, FISMA, HIPAA, etc.]
3. Secure Application Tiers: Front-End (Presentation), Web Tier (business logic), DB Tier (data access)
4. Secure Multi-Tenancy

Architecture

Page 8: Designing Secure Cisco Data Centers


Secure DC: Evolving Deployment Use Cases

[Figure: deployment models grouped as Physical, Virtual Private Cloud and Public Cloud, connected over the Internet with IPsec/SSL; labels include VDC1, VDC2, vPC, VMDC and Custom DC]
1. Traditional (Physical) DC
2. Virtual DC
3. Virtual Desktop (Cisco VXI)
4. Internal Private Cloud
5. Virtual Private Cloud
6. Public Cloud (SaaS, PaaS)

Architecture

Page 9: Designing Secure Cisco Data Centers


The Evolving Data Center Architecture

Goal #1: Understand the current approach (De-Couple the Elements of the Design)

Goal #2: Understand the options we have to build a more efficient architecture (Re-assemble the elements into a more flexible design)

Aggregation Layer
• Workload is localized to the Aggregation Block
• Centralized point for ingress and egress data center flows
• Can be demarcation point for L2 and L3
• Services can be scaled as data center grows

Services Layer (option)
• Additional services location for server farm specific protection / optimization
• Services localized to the applications running on the servers connected to the physical pod – SLB, Monitors, etc.
• Offloads port utilization from Aggregation Layer

Virtual Network & Access
• Physical and virtual form factor for server connectivity
• Top of rack provides port density for server connections
• Merging point between physical and virtual networks

[Figure: Data Center Core Layer (Layer 3), DC Aggregation Layer, DC Service Layer (Firewall Rules, Real-time Monitoring, Virtual Firewall) and DC Access Layer (Layer 2) down to UCS, Virtual Access and Storage; security functions shown are data security (authenticate & access control) and port security (authentication, QoS features)]

Architecture

Page 10: Designing Secure Cisco Data Centers


The Evolving Data Center Architecture

Adding Layered Security Services

[Figure: the same layered diagram (Aggregation Layer, Services Layer (option), Virtual Network & Access with UCS, Virtual Access and Storage) with security services overlaid: data security (authenticate & access control), port security (authentication, QoS features), Virtual Firewall, Real-time Monitoring, Firewall Rules]

• Initial filter for all ingress and egress to DC services & compute – “North-South” protection
• Stateful filtering and logging for all ingress and egress traffic flows
• Physical appliances can be virtualized and applied to server enclaves
• Virtual firewall, zone/enclave based filtering
• IP-Based Access Control Lists
• VM attribute-based policies – Should Follow VM
• “East-West” protection

Data Center Edge
• Physical Delineation for all ingress and egress into the ‘CORE’ of the DC – Traditional Security Models apply to North-South Protection
• Additional services location for server farm specific protection and other potential zones

Architecture

Page 11: Designing Secure Cisco Data Centers


VDC and VPC Designs

Page 12: Designing Secure Cisco Data Centers


Traditional Secure DC Design – Network Fabric Best Practices

[Figure: Data Center diagram with (1) Physical Network Fabric, made up of (A) External DC Edge and (B) Internal DC Zoning, and (2) Virtual Fabric & Compute, made up of (A) Virtual Workloads and (B) Virtual Services]

1. Physical Network Fabric –
- Leverage the full capacity of the Cisco Nexus Switching infrastructure
- Security is pervasive, and while it has been known to ‘reduce convenience’, decreasing required network functionality is unacceptable.

External DC Edge – (External Zoning)
- Leverage Edge connectivity (routing)
- Provide Edge Security (Firewall at minimum)
- Layer 3 Firewalling (with or without NAT) may be used successfully
- IPS and Next Generation Systems can add additional visibility and protection
- If very high-speed firewalling / federations, etc. are desired at the DC edge, ASR1K can deliver up to 100Gbps FW with Stateful HA
- Path diversity into the datacenter if you can. Stateless with Federation to authenticate to the app, Stateful with Federation for compliance

Internal DC Zones – Stateful Internal separation
- Keep routing on the Routers (Firewalls implemented transparently)
- Leverage vPC/vPC+ and/or FabricPath technology to maximize DC traffic flow capability
- All flows are expected to be asymmetric, therefore zone design should support this
- No additional Packet-Loss penalties should be introduced
- Zero-downtime Firewall upgrades should be supported
- Survivability/HA on the Firewall / IPS devices is critical

Page 13: Designing Secure Cisco Data Centers


Building an Efficient DC Fabric to Scale

Scaling the Network Fabric - Virtual Device Context (VDC)

Nexus 7000 VDC – Virtual Device Context (up to 8 VDCs plus 1 Management VDC – SUP2E w/ NXOS 6.04/6.1)
• Flexible separation/distribution of hardware resources and software components
• Complete data plane and control plane separation
• Complete software fault isolation
• Securely delineated administrative contexts
• Each physical interface can only be active in one VDC

[Figure: each VDC runs its own independent protocol instances – Layer 2 protocols (VLAN, PVLAN, UDLD, CDP, 802.1X, STP, LACP, CTS, …) and Layer 3 protocols (OSPF, BGP, EIGRP, GLBP, HSRP, IGMP, PIM, SNMP, …); VDC 1 and VDC 2 shown side by side]

Connectivity

Page 14: Designing Secure Cisco Data Centers


Using VDCs for Vertical Consolidation

[Figure: Core and Aggregation VDCs hosted on the same physical chassis above the Access layer]

• Allows Consolidation of Core, Aggregation while maintaining network hierarchy
• No reduction in port count or links but fewer physical switches
‒ Copper Twinax cables (CX-1) provide a low cost 10G interconnect option

One of the most common uses of VDCs

Connectivity

Page 15: Designing Secure Cisco Data Centers


Using VDCs for Internet Edge/DMZ/Core

Option to meet multiple needs – XL VDC, DMZ and Core
Maintains security model with logical separation

[Figure: Internet Edge (XL), DMZ and Core VDCs on each of two chassis, with firewalls for Intra- or Inter-VDC traffic flows and the Internet connection at the edge]

Connectivity

Page 16: Designing Secure Cisco Data Centers


VDC Security Certification


VDC separation is industry certified ‘Leak-proof Security Mechanism’

NSS Labs for PCI Compliant Environments – http://www.nsslabs.com

FIPS 140-2 http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf

Common Criteria Evaluation and Validation Scheme – Certification #10349 - http://www.niap-ccevs.org/st/vid10349/

Connectivity

Page 17: Designing Secure Cisco Data Centers


Using VDCs for PCI Compliance Segmentation

• Maintains compliant security model with physical separation
‒ FW and IPS at the boundary of the CDE zone as required by PCI-DSS 2.0

[Figure: Internet Edge (XL), PCI and Core VDCs on each of two chassis, with the Internet connection at the edge]

Connectivity

Page 18: Designing Secure Cisco Data Centers


Building an Efficient DC Fabric to Scale
Scaling the Network Fabric – Virtual Port Channel (vPC)

[Figure: logical topology without vPC versus with vPC between Aggregation (vPC Peers) and Access, the access switch attached with a Multi-Chassis EtherChannel (MCEC)]

• Allow a single device to use a port channel across two upstream switches (aka MCEC)
• Eliminate STP blocked ports
• Simplify L2 Paths by supporting loopfree non-blocking concurrent L2 paths
• Dual-homed servers operate in active-active mode
• Provide fast convergence upon link/device failure

! Enable vpc on the switch
dc11-5020-1(config)# feature vpc
! Check the feature status
dc11-5020-1(config)# show feature | include vpc
vpc 1 enabled

Connectivity

Page 19: Designing Secure Cisco Data Centers


What is a Virtual Port Channel (vPC)?

• vPC is a Port-channeling concept extending link aggregation to two separate physical switches
• vPC allows a single device to use a port channel across two neighbor switches (vPC peers)
• vPC Peer link is used to synchronize state between vPC peer devices, must be 10GE
• Eliminates STP blocked ports/STP delays/Calculations and uses all available uplink bandwidth (active/active)
‒ Does not actually turn off STP – FabricPath does this
• Supported in NX-OS switches only
• Recommended to always use LACP for dynamic LAG
• vPC Design & Best Practices Guide: http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572830-00_Agg_Dsgn_Config_DG.pdf

[Figure: two vPC peers joined by the vPC peer link]

Connectivity

Page 20: Designing Secure Cisco Data Centers


Why use vPC? – Multi-Chassis Etherchannel (MEC)

[Figure: three attachment options between a device and the vPC peers (vPC peer link shown), each load balanced with LACP src-dst-IP (hash)]
• No Port Channel: STP allows only one active link; sub-optimal flows and resource usage
• Single-Chassis LACP Port Channel: both links active but no device redundancy (single switch)
• vPC Multi-Chassis LACP Port Channel: both links active, optimal redundancy, all links active

Connectivity

Page 21: Designing Secure Cisco Data Centers


vPC with Multiple ASAs – A/S or A/A Failover

• Part of CVD architecture since July 2011
• vPC ensures zero packet loss in the event of a link failure to the firewall, a firewall failure, a switch failure, VDC reset, or vPC peer-link loss
‒ Works with both A/S and A/A failover (and with ASA 9.x Clustering)
• Allows ASA to participate in necessary DC redundancy technologies with expected flow asymmetry
• ASA is the only DC Firewall on the market that can simultaneously:
1. Run standards-based LACP for Dynamic LAG to Nexus vPC/vPC+ or Cat6K VSS with proper bundling semantics – no traffic black holes or loss of state due to expected flow asymmetry / out-of-order packets
2. Support all of the same LACP load balancing hash values as the switch fabric(s) [def. = src-dst IP]
3. Support dynamic LAG (LACP) in all modes: Routed / Transparent / Multi-context / Mixed-context(s) / Clustering
4. Handle the expected flow asymmetry and out-of-order packets from multiple chassis simultaneously

[Figure: N7K vPC 40 and N7K vPC 41 joined by the vPC peer link, each ASA attached with channel 32; state and failover links between the ASAs]

Connectivity
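The flow asymmetry that the slide says the ASA must absorb is easy to reason about with a small model. The following Python is an added example, not code from the deck or from Cisco: a toy src-dst-IP hash stands in for the switches' LACP/vPC load balancing, and two firewall variants show why a stateful firewall attached to a vPC pair has to key its session state on the flow rather than on the physical link a packet arrived on. All addresses, link names, the hash seeds and the hash itself are constructed for the example.

```python
"""Added example (not from the Cisco deck): why a stateful DC firewall attached
to two vPC peers must tolerate flow asymmetry. A toy src-dst-IP hash stands in
for LACP/vPC load balancing; all hosts, links and switch names are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False   # True for the first packet of a session


VPC_PEERS = ("N7K-1", "N7K-2")
# Each vPC peer reaches the ASA over its own member of channel 32
# (vss-id 1 and vss-id 2 on the slide); the mapping below is constructed.
ASA_LINK = {"N7K-1": "TenGigabitEthernet0/6", "N7K-2": "TenGigabitEthernet0/7"}
INSIDE = ipaddress.ip_network("172.16.25.0/24")   # south zone, VLAN 201 on the slide


def src_dst_ip_hash(pkt, seed):
    """Toy stand-in for 'LACP load balance src-dst-IP'. It is symmetric in
    src/dst, but every switch seeds its hash differently, so the vPC peer the
    reply enters through is independent of the one the request used."""
    a = int(ipaddress.ip_address(pkt.src))
    b = int(ipaddress.ip_address(pkt.dst))
    return VPC_PEERS[((a ^ b) + seed) % len(VPC_PEERS)]


def session_key(pkt):
    """Direction-independent 4-tuple so a reply matches the request's state."""
    ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    return ends[0] + ends[1]


class TransparentFirewall:
    """Permits sessions initiated from INSIDE; everything else must match state."""

    def __init__(self, per_link_state):
        # True models a firewall that binds session state to the ingress link;
        # False models the ASA behaviour the slide describes (state per flow).
        self.per_link_state = per_link_state
        self.state = set()

    def inspect(self, pkt, link):
        key = session_key(pkt)
        if self.per_link_state:
            key = (link,) + key
        if pkt.syn and ipaddress.ip_address(pkt.src) in INSIDE:
            self.state.add(key)
            return "permit"
        return "permit" if key in self.state else "drop"


def simulate(per_link_state):
    """Run one inside-initiated session through the vPC pair.
    Returns (peer used by the request, peer used by the reply, verdicts)."""
    fw = TransparentFirewall(per_link_state)
    request = Packet("172.16.25.10", "10.0.0.5", 40000, 443, syn=True)
    reply = Packet("10.0.0.5", "172.16.25.10", 443, 40000)
    # The access-layer vPC hash (seed 1) picks the peer for the server's
    # request; the core-facing switches (seed 0) pick the peer for the reply.
    peer_out = src_dst_ip_hash(request, seed=1)
    peer_in = src_dst_ip_hash(reply, seed=0)
    verdicts = [fw.inspect(request, ASA_LINK[peer_out]),
                fw.inspect(reply, ASA_LINK[peer_in])]
    return peer_out, peer_in, verdicts


if __name__ == "__main__":
    for mode in (True, False):
        print("per-link state" if mode else "per-flow state", simulate(mode))
```

With the constructed hash the request leaves through N7K-1 and the reply comes back through N7K-2, so the two halves of one session arrive on different ASA member links. The per-flow variant returns `permit, permit`; the per-link variant drops the reply, which is exactly the "loss of state due to expected flow asymmetry" the slide warns about.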

Page 22: Designing Secure Cisco Data Centers

ASA Connecting to Nexus with vPC (basic)

[Figure: ASA channel 32 attached to N7K vPC 40 across the vPC peer link; North Zone VLAN 200 (outside) and South Zone VLAN 201 (inside) carried on the trunks]

ASA1 configuration:

interface TenGigabitEthernet0/6
 channel-group 32 mode active vss-id 1
 no nameif
 no security-level
!
interface TenGigabitEthernet0/7
 channel-group 32 mode active vss-id 2
 no nameif
 no security-level
!
interface BVI1
 ip address 172.16.25.86 255.255.255.0
!
interface Port-channel32
 no nameif
 no security-level
!
interface Port-channel32.201
 mac-address 3232.1111.3232
 vlan 201
 nameif inside
 bridge-group 1
 security-level 100
!
interface Port-channel32.200
 mac-address 3232.1a1a.3232
 vlan 200
 nameif outside
 bridge-group 1
 security-level 0

N7K1 configuration (vPC 40):

interface Ethernet4/1
 switchport mode trunk
 channel-group 40 mode active
 no shutdown
!
interface Ethernet4/2
 switchport mode trunk
 channel-group 40 mode active
 no shutdown
!
interface port-channel40
 switchport
 switchport mode trunk
 switchport trunk allowed vlan 1,200,201
 vpc 40
!
vpc domain 10
 role priority 50
 peer-keepalive destination 10.1.1.2 source 10.1.1.1 vrf vpc-mgmt
 peer-gateway

Note: Example shows only one side of the config: N7K1 and ASA1. Full configuration would be assumed. ASA connected to Nexus with vPC and establishing an internal DC zone pair between VL200 (N) and VL201 (S). ASA is deployed using transparent (L2) mode in this example to minimize network fabric modification(s) – will be discussed in detail later.

Connectivity

Page 23: Designing Secure Cisco Data Centers

ASA Connecting to Nexus with vPC (Best Practices Shown)

[Figure: DC Core / Edge (L3, FHRP, SVI VLAN200 on each aggregation switch) above the Aggregation Layer vPC pair (N7K vPC 40 and N7K vPC 41, vPC peer link), an ASA HA pair attached with channel 32 bridging North Zone VLAN 200 (outside) to South Zone VLAN 201 (inside) over trunks, and the Access Layer below]

• ASA connected to Nexus using multiple physical interfaces on vPC
‒ ASA can be configured to failover after a certain number of links lost (when using HA)
• Note that vPC identifiers are different for each ASA on the Nexus switch (this changes with ASA clustering feature and cLACP [not yet shown])

Connectivity

Page 24: Designing Secure Cisco Data Centers


Secure Design Building Blocks

Page 25: Designing Secure Cisco Data Centers


Security Building Block: Segmentation

• While not a security technology, segmentation has long been used as a means for grouping similar resources in order to apply specific configuration or policy
• Sometimes there is a technical benefit with segmentation
• An example is using VLANs to reduce the L2 broadcast domain and improve network efficiency
• VRF (Virtual Routing and Forwarding) typically used for virtualizing L3 services
• VDCs (Virtual Device Context) on the Nexus platforms allow multiple, independent virtualized switches inside of a single physical switch
• Zones are a common term to refer to units in the data centre that share a common trait and can reduce operational complexity with both physical and virtualized hosts and services

Segmentation

Page 26: Designing Secure Cisco Data Centers


Security Building Block: Segmentation

6 Degrees of Separation

Nexus 7000
1. Virtual Device Context
2. Virtual Routing/Forwarding (VRF) – VRF-Lite can be easily used as it does not require MPLS
3. VLANs
4. Security Group Tags (SGT in packet)
5. 802.1AE MACSEC Encryption

ASA
6. Virtual Firewall Context (Virtualized Firewall)

[Figure: Segmentation Building Blocks – a Nexus 7K carrying VLAN pairs (VLANx1/x2, VLANy1/y2, VLANz1/z2) with SGTs and 802.1AE (encrypt) into ASA contexts CTX1, CTX2 and CTX3]

Segmentation


Page 28: Designing Secure Cisco Data Centers


Firewall Design: Modes of Operation

• Routed Mode is the traditional mode of the firewall. Two or more interfaces that separate L3 domains

• Transparent Mode is where the firewall acts as a bridge functioning mostly at L2

• Multi-context mode involves the use of virtual firewalls, which can be either routed or transparent mode

• Mixed mode is the concept of using virtualization to combine routed and transparent mode virtual firewalls

• Transparent mode firewall offers some unique benefits in the DC


Segmentation

Page 29: Designing Secure Cisco Data Centers


Why Deploy Transparent Mode?

• Existing Nexus Network Fabric does not need to be modified to employ L2 Firewall!

• Simple as changing host(s) VLAN ID

• Firewall does not need to run routing protocols / become a segment gateway

• Firewalls are more suited to flow-based inspection (not packet forwarding like a router)

• Routing protocols can establish adjacencies through the firewall

• Protocols such as HSRP, VRRP, GLBP can cross the firewall

• Multicast streams can traverse the firewall

• Non-IP traffic can be allowed (IPX, MPLS, BPDUs)

• (CVD) 9 of 10 internal zoning scenarios recommend a Transparent FW (L2) deployment versus a Routed Firewall (L3)

Segmentation

Page 30: Designing Secure Cisco Data Centers


Firewall - Transparent Mode

• Firewall functions like a bridge (“bump in the wire”) at L2, only ARP packets pass without an explicit ACL

• Uses traditional ACLs on the firewall

• Does not forward Cisco Discovery Protocol (CDP)

• Same subnet exists on all interfaces in the bridge-group

• Different VLANs on inside and outside interfaces

• In addition to Extended ACLs, use an EtherType ACL to restrict or allow L2 protocols


Segmentation

Page 31: Designing Secure Cisco Data Centers

Transparent Mode Configuration in the DC (2 interfaces)

[Figure: North Zone VLAN 200 (outside) and South Zone VLAN 201 (inside) across the vPC pair; SVI VLAN200 on the two aggregation switches at 172.16.25.253 and 172.16.25.254 with FHRP address 172.16.25.1; ASA BVI at 172.16.25.86/24; server in VLAN 201 behind a vPC trunk allowing VLANs 1,201]

interface TenGigabitEthernet0/6
 channel-group 32 mode active vss-id 1
 no nameif
 no security-level
!
interface TenGigabitEthernet0/7
 channel-group 32 mode active vss-id 2
 no nameif
 no security-level
!
interface BVI1
 ip address 172.16.25.86 255.255.255.0
!
interface Port-channel32
 no nameif
 no security-level
!
interface Port-channel32.201
 mac-address 3232.1111.3232
 vlan 201
 nameif inside
 bridge-group 1
 security-level 100
!
interface Port-channel32.200
 mac-address 3232.1a1a.3232
 vlan 200
 nameif outside
 bridge-group 1
 security-level 0
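The transparent-mode fragment above (and the identical one on the earlier vPC slide) depends on a few invariants that are easy to break when the configuration is copied between contexts or appliances. The following Python checker is an added example, not code from the deck or from Cisco: `DECK_CONFIG` is the slide's ASA configuration reproduced as a string, and `BROKEN_CONFIG` is a constructed variant with defects. The checker verifies that every bridge group has a BVI address and at least two named members, that members carry distinct VLAN tags and distinct security levels, and that each subinterface number agrees with its VLAN tag. The parser only understands the keywords used on the slide.

```python
"""Added example (not from the Cisco deck): check the invariants of an ASA
transparent-mode bridge-group configuration. DECK_CONFIG is the slide's ASA
fragment; BROKEN_CONFIG is a constructed variant with three defects."""
import re

DECK_CONFIG = """
interface TenGigabitEthernet0/6
 channel-group 32 mode active vss-id 1
 no nameif
 no security-level
!
interface TenGigabitEthernet0/7
 channel-group 32 mode active vss-id 2
 no nameif
 no security-level
!
interface BVI1
 ip address 172.16.25.86 255.255.255.0
!
interface Port-channel32
 no nameif
 no security-level
!
interface Port-channel32.201
 mac-address 3232.1111.3232
 vlan 201
 nameif inside
 bridge-group 1
 security-level 100
!
interface Port-channel32.200
 mac-address 3232.1a1a.3232
 vlan 200
 nameif outside
 bridge-group 1
 security-level 0
"""

# Constructed defective variant: both members tagged with VLAN 201, the outside
# subinterface has no security level, and the BVI has no address.
BROKEN_CONFIG = (DECK_CONFIG.replace(" vlan 200\n", " vlan 201\n")
                 .replace(" security-level 0\n", "")
                 .replace(" ip address 172.16.25.86 255.255.255.0\n", ""))


def parse_interfaces(config):
    """Map each 'interface' block to {keyword: value}; 'no <kw>' maps to None."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {}
        elif current is not None:
            if line.startswith("no "):
                interfaces[current][line[3:].split()[0]] = None
            else:
                key, _, value = line.partition(" ")
                interfaces[current][key] = value
    return interfaces


def check_transparent_config(config):
    """Return a list of findings; an empty list means the invariants hold."""
    ifaces = parse_interfaces(config)
    findings, groups = [], {}
    for name, attrs in ifaces.items():
        bg = attrs.get("bridge-group")
        if bg is None:
            continue                      # physical members and the BVI itself
        groups.setdefault(bg, []).append(name)
        if not attrs.get("nameif"):
            findings.append(f"{name}: bridge-group member without nameif")
        if attrs.get("security-level") is None:
            findings.append(f"{name}: bridge-group member without security-level")
        suffix = re.search(r"\.(\d+)$", name)
        vlan = attrs.get("vlan")
        if vlan and suffix and vlan != suffix.group(1):
            findings.append(f"{name}: subinterface {suffix.group(1)} carries vlan {vlan}")
    for bg, members in groups.items():
        if not ifaces.get(f"BVI{bg}", {}).get("ip"):
            findings.append(f"bridge-group {bg}: BVI{bg} has no ip address")
        if len(members) < 2:
            findings.append(f"bridge-group {bg}: fewer than two member interfaces")
        vlans = [ifaces[m].get("vlan") for m in members]
        if len(set(vlans)) != len(vlans):
            findings.append(f"bridge-group {bg}: members share a VLAN")
        levels = [ifaces[m].get("security-level") for m in members]
        if len(set(levels)) != len(levels):
            findings.append(f"bridge-group {bg}: members share a security-level "
                            "(same-security-traffic would be needed)")
    return findings


if __name__ == "__main__":
    print("deck config:", check_transparent_config(DECK_CONFIG) or "no findings")
    for finding in check_transparent_config(BROKEN_CONFIG):
        print("broken config:", finding)
```

The slide's fragment produces no findings; the constructed variant produces four (missing security level, VLAN tag disagreeing with the subinterface number, a BVI without an address, and two members on the same VLAN). Running this against the `show running-config interface` output of each unit in an HA pair is a cheap way to catch the copy-and-edit mistakes that otherwise surface as a bridge group that silently forwards nothing.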

Page 32: Designing Secure Cisco Data Centers


Firewall - Mixed Mode vFW Contexts

• Mixed Mode is the concept of using virtual firewalls, some in routed mode and some in transparent (L2) mode
• This is only supported on the ASA running at least v9.0 or any ASA-SM version
• Up to 8 pairs of physical interfaces are supported per context
• This could conceivably allow both the Edge (L3) firewall and Internal (L2) firewall to live on the same set of physical appliances

mode multiple
context context1
 firewall transparent
 allocate-interface vlan99 outside
 allocate-interface vlan100 inside
 config-url disk0:/ctx1.cfg
 member gold
context context2
 allocate-interface vlan200 outside
 allocate-interface vlan210 inside
 config-url disk0:/ctx2.cfg

Segmentation

Page 33: Designing Secure Cisco Data Centers


Physical and Virtual Internal Zoning

Page 34: Designing Secure Cisco Data Centers

Example Internal Zoning for DEV – Option 1: Physical Separation

Model could provide for Application load testing.
If a dedicated path through the Core is required, consider using a DEV VRF.
If a dedicated Edge is required, consider using vFW Contexts on the edge ASAs or a separate (lower-end) ASA pair.
DEV VDC created on the Nexus 7K, attached to the CORE VDC and supporting its own PoD.
ASAs in the Aggregation layer could be oriented in several ways:
1. Single ASA Cluster with separate vFW Contexts for the DEV zones – would require ports on the ASA to be physically connected to each VDC
2. Separate ASA Clusters with or without vFW Contexts
Compute structure creates a mirrored server environment for DEV operating on its own PoD.

[Figure: DC Edge (ASA A/S HA) facing Internet / Extranet, DC Core VDC (Routed, BGP/OSPF) above separate Prod Aggregation Layer VDC and Dev Aggregation Layer VDC, each with FW cluster(s) (CTX), its own PoD and a Virtual Access Layer (Virtual Switch, Hypervisor); the DEV VRF carried through the core; DEV Compute Zone and PROD Compute Zone]

Internal Zoning

Page 35: Designing Secure Cisco Data Centers

Example Internal Zoning for DEV – Option 2: Virtual Separation

[Figure: DC Edge (ASA A/S HA) facing Internet / Extranet, DC Core VDC (Routed, BGP/OSPF), a single Aggregation Layer VDC (L2/L3) with one FW cluster, and a shared Virtual Access Layer]

Virtual Separation model uses a shared Physical Infrastructure (Nexus) for routing and transport.
ASAs are used to separate DEV and PROD traffic.
Virtual resources can share physical Server Hardware and PoD. Security is implemented similarly to a Secure Multi Tenant environment.

Internal Zoning

Page 36: Designing Secure Cisco Data Centers


Virtualization Security Concerns

Policy Enforcement

‒ Applied at physical server—not the individual VM

‒ Impossible to enforce policy for VMs in motion

Operations and Management

‒ Lack of VM visibility, accountability, and consistency

‒ Difficult management model and inability to effectively troubleshoot

Roles and Responsibilities

‒ Muddled ownership as server admin must configure virtual network

‒ Organizational redundancy creates compliance challenges

Machine Segmentation

‒ Server and application isolation on same physical server

‒ No separation between compliant and non-compliant systems…

Internal Zoning

Page 37: Designing Secure Cisco Data Centers

Cisco Virtual Networking and Cloud Network Services

[Figure: Virtualized/Cloud Data Center – WAN router and physical infrastructure switches, Nexus 1000V with vPath and VXLAN, Tenant A split into Zone A and Zone B, with Cloud Network Services (ASA 1000V Cloud Firewall, Cisco Virtual Security Gateway, vWAAS, Cloud Services Router 1000V, Citrix NetScaler VPX, Imperva SecureSphere WAF) in front of the servers]

Multi-Hypervisor (VMware, Microsoft*, RedHat*, Citrix*)

Nexus 1000V (Dist. Virtual Switch) – 7000+ Customers
• Distributed switch
• NX-OS consistency

VSG (Zone-based FW) – Available Now
• VM-level controls
• Zone-based FW

ASA 1000V (Cloud FW) – Available Now
• Edge firewall, VPN
• Protocol Inspection

vWAAS (WAN Optimization) – Available Now
• WAN optimization
• Application traffic

CSR 1000V (Cloud Router) – 1H 2013
• WAN L3 gateway
• Routing and VPN

Ecosystem Services – N1110: 1H CY2013; vPath: 2H CY2013
• Citrix NetScaler VPX virtual ADC
• Imperva Web App. FW

vNAM (Network Analysis Module) – PoC: 1H 2013
• App Visibility (L2-L7)
• Overlay Intelligence (OTV, VXLAN, FP**)

**FP: FabricPath **MSFT: 2Q CY2013; Open-source: In PoC

Internal Zoning

Page 38: Designing Secure Cisco Data Centers


Managing Virtual Networking Policy

[Figure: Nexus 1000V (1110/1010) shared by the Network Team, Server Team and Security Team, covering Management and Monitoring, Roles and Responsibilities, and Isolation and Segmentation]

• Non-disruptive operation model to maintain current workflows using Port Profiles
• Maintain network security policies with isolation and segmentation via VLANs, Private VLANs, Port-based Access Lists, Cisco Integrated Security Features
• Ensure visibility (VM Introspection) into virtual machine traffic flows using traditional network features such as ERSPAN and NetFlow

Internal Zoning

Page 39: Designing Secure Cisco Data Centers

Cisco’s Virtual Security Portfolio

Cisco® VSG – Intra-Tenant Security
• Secures traffic between virtual machines within a tenant
• Layer 2 and 3 firewall to secure east-to-west traffic
• ACLs using network attributes and virtual machine attributes
• First-packet lookup and performance acceleration using vPath

Cisco ASA 1000V – Tenant-Edge Security
• Secures the tenant edge
• Default gateway; Layer 3 firewall to secure north-to-south traffic
• Edge firewall capabilities including network attribute-based ACLs, site-to-site VPN, NAT, DHCP, inspections, and IP audit
• All packets go through the Cisco ASA 1000V

Internal Zoning

Page 40: Designing Secure Cisco Data Centers


Security for Virtualization

[Figure: Nexus 1000V with vPath steering traffic to Virtual Service Nodes on the hypervisor – ASA 1000V for ingress/egress multi-tenant edge deployment and Virtual Security Gateway for zone based intra-tenant segmentation of VMs; administrative split between Network Admin (Nexus 1KV), Security Admin (VNMC) and Server Admin (vCenter)]

Internal Zoning

Page 41: Designing Secure Cisco Data Centers


Microsegmentation – Policy Per Zone, Per VM, Per vNIC

[Figure: Zones A, B and C of vApps on vSphere hosts, with Nexus 1000V vPath steering traffic to VSG instances and Virtual ASAs]

• Control ingress/egress & inter-VM traffic – Firewall, ACL, VM Attributes
• Enable Dynamic Provisioning
• Mobility Transparent Enforcement
• Administrative Segregation – Server • Network • Security

Internal Zoning

Page 42: Designing Secure Cisco Data Centers


Physical to Virtual

[Figure: two hypervisor hosts with virtual switches; VM traffic steered to a firewall context, and pools of blade resources segmented per zone]

• Zones used to define policy enforcement
• Unique policies and traffic decisions applied to each zone
• Physical Infrastructure mapped per zone
‒ VRF, Virtual Context
• Merging physical and virtual infrastructure

Internal Zoning

Page 43: Designing Secure Cisco Data Centers


vPath Intelligence: Service Chaining – ASA 1000V and VSG

Defining the Service Node on Nexus 1000V:

vservice node ASA1 type asa
 ip address 172.31.2.11
 adjacency l2 vlan 3770
vservice node VSG1 type vsg
 ip address 10.10.11.202
 adjacency l3

Chain the Service Nodes (order is inside to outside):

vservice path chain-VSG-ASA
 node VSG1 profile sp-web order 10
 node ASA1 profile sp-edge order 20

Enable the Service Chain Per Port-Profile:

port-profile type vethernet Tenant-1
 org root/Tenant-1
 vservice path chain-VSG-ASA

Internal Zoning
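To make the chain ordering concrete, the following Python is an added example, not code from the deck or from Cisco: it parses the three statement kinds used on this slide (`DECK_CONFIG` is the slide's Nexus 1000V fragment as a string), resolves the chain a port-profile applies in vPath order, and reports references to nodes or paths that were never defined. `BROKEN_CONFIG` is a constructed variant that references an undefined node. The parser covers only the keywords on the slide.

```python
"""Added example (not from the Cisco deck): parse the Nexus 1000V vservice
fragment on this slide and resolve the service chain a port-profile applies.
DECK_CONFIG is the slide's configuration; BROKEN_CONFIG is a constructed
variant that references a node that was never defined."""

DECK_CONFIG = """
vservice node ASA1 type asa
 ip address 172.31.2.11
 adjacency l2 vlan 3770
vservice node VSG1 type vsg
 ip address 10.10.11.202
 adjacency l3
vservice path chain-VSG-ASA
 node VSG1 profile sp-web order 10
 node ASA1 profile sp-edge order 20
port-profile type vethernet Tenant-1
 org root/Tenant-1
 vservice path chain-VSG-ASA
"""

# Constructed: the path names a node (ASA9) that has no 'vservice node' entry.
BROKEN_CONFIG = DECK_CONFIG.replace("node ASA1 profile", "node ASA9 profile")


def parse_vservice(config):
    """Return (nodes, paths, profiles) from the three statement kinds on the slide."""
    nodes, paths, profiles, current = {}, {}, {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        words = raw.split()
        if not raw.startswith(" "):                 # top-level statement
            if words[:2] == ["vservice", "node"]:
                nodes[words[2]] = {"type": words[4]}
                current = ("node", words[2])
            elif words[:2] == ["vservice", "path"]:
                paths[words[2]] = []
                current = ("path", words[2])
            elif words[0] == "port-profile":
                profiles[words[-1]] = {}
                current = ("profile", words[-1])
            else:
                current = None
            continue
        if current is None:
            continue
        kind, name = current
        if kind == "node":
            nodes[name][words[0]] = " ".join(words[1:])
        elif kind == "path" and words[0] == "node":
            # node <name> profile <security-profile> order <n>
            paths[name].append((words[1], words[3], int(words[5])))
        elif kind == "profile" and words[:2] == ["vservice", "path"]:
            profiles[name]["path"] = words[2]
    return nodes, paths, profiles


def resolve_chain(config, profile_name):
    """Chain for a port-profile in vPath order: lowest order first, which is
    the innermost node, so a VM's outbound packet passes VSG1 before ASA1 and
    an inbound packet the reverse. Returns (chain, problems) where each chain
    entry is (node, type, security profile, order)."""
    nodes, paths, profiles = parse_vservice(config)
    path_name = profiles.get(profile_name, {}).get("path")
    if path_name not in paths:
        return [], [f"port-profile {profile_name}: vservice path {path_name!r} is not defined"]
    chain, problems = [], []
    for node_name, sp, order in sorted(paths[path_name], key=lambda e: e[2]):
        if node_name not in nodes:
            problems.append(f"path {path_name}: node {node_name} is not defined")
            continue
        chain.append((node_name, nodes[node_name]["type"], sp, order))
    orders = [e[2] for e in paths[path_name]]
    if len(orders) != len(set(orders)):
        problems.append(f"path {path_name}: duplicate order values")
    return chain, problems


if __name__ == "__main__":
    chain, problems = resolve_chain(DECK_CONFIG, "Tenant-1")
    print("outbound (VM -> edge):", [c[0] for c in chain])
    print("inbound (edge -> VM):", [c[0] for c in reversed(chain)])
    print("broken config:", resolve_chain(BROKEN_CONFIG, "Tenant-1")[1])
```

For the slide's configuration the resolved chain is VSG1 (sp-web, order 10) then ASA1 (sp-edge, order 20); a dangling node reference in a path, or a port-profile pointing at a path that does not exist, shows up in `problems` rather than as a VM whose traffic silently skips a service node.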

Page 44: Designing Secure Cisco Data Centers


Virtual Firewall and Physical Network – ASA 1000V Deployment

[Figure: Core and Aggregation with physical ASA 5585s at Layer 3, Layer 2 down to three hypervisor hosts running Nexus 1000V with vPath; an ASA 1000V fronting a Protected VRF with Sub Zones; address labels shown are 10.1.1.252, 10.1.1.253, 10.1.1.254, 10.1.2.254 and 10.1.3.254]

Internal Zoning

Page 45: Designing Secure Cisco Data Centers


Multi-Tier Application Architecture

• Tier Deployment
• Multi-Tier application architectures
• Application vendor often has specific recommendations on how to deploy an application
• Can consist of
  • Web (presentation) tier
  • Application tier
  • Database tier
• Web and Application services can be on physically separate servers or collapsed into single in some cases
• Normal flow is often client->web->application->database
• No direct client to database communication
• Servers may be clustered for high availability. Often uses layer 2 multicast protocol for state exchange

[Figure: a Web client reaching Web servers (Web-zone), App servers (Application-zone) and DB servers (Database-zone) through an Edge Firewall and ASA 1000V, with the policy: Permit only port 80 (HTTP) of Web servers; Permit only port 22 (SSH) to application servers; Only permit Web servers access to Application servers; Only permit Application servers access to Database servers; Block all external access to database servers]

Internal Zoning
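The five policy statements on this slide are short enough to encode and check against sample flows. The following Python is an added example, not code from the deck or from Cisco, and it is a model of the policy rather than ASA or VSG syntax: zone addressing and the sample flows are constructed, the rules are the slide's statements in first-match order, and the port-22 statement is taken literally as written.

```python
"""Added example (not from the Cisco deck): a first-match zone policy that
encodes the five policy statements on this slide for the three-tier
application. Zone addressing and the sample flows are constructed; the
port-22 statement is taken literally as written on the slide."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ZONES = {  # constructed addressing; any other address is treated as external
    "web-zone": ipaddress.ip_network("10.10.1.0/24"),
    "application-zone": ipaddress.ip_network("10.10.2.0/24"),
    "database-zone": ipaddress.ip_network("10.10.3.0/24"),
}


def zone_of(ip):
    """Classify an address into one of the tiers, or 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


@dataclass(frozen=True)
class Rule:
    src: str               # zone name or "any"
    dst: str               # zone name or "any"
    dport: Optional[int]   # None matches every destination port
    action: str
    note: str


# The slide's statements, ordered so that the specific permits come first and
# everything not listed falls through to the final deny.
POLICY = [
    Rule("any", "web-zone", 80, "permit",
         "Permit only port 80 (HTTP) of Web servers"),
    Rule("web-zone", "application-zone", 22, "permit",
         "Only permit Web servers access to Application servers (port 22 per the slide)"),
    Rule("application-zone", "database-zone", None, "permit",
         "Only permit Application servers access to Database servers"),
    Rule("external", "database-zone", None, "deny",
         "Block all external access to database servers"),
    Rule("any", "any", None, "deny", "implicit deny"),
]


def evaluate(src_ip, dst_ip, dport):
    """First matching rule wins; returns (action, note)."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in POLICY:
        if (rule.src in ("any", src_zone) and rule.dst in ("any", dst_zone)
                and rule.dport in (None, dport)):
            return rule.action, rule.note
    raise RuntimeError("POLICY must end with a catch-all rule")


def audit(flows):
    """Verdict for each (src_ip, dst_ip, dport) triple."""
    return [evaluate(*flow)[0] for flow in flows]


SAMPLE_FLOWS = [  # constructed
    ("203.0.113.7", "10.10.1.10", 80),    # client -> web, HTTP
    ("203.0.113.7", "10.10.3.10", 3306),  # client -> database (must be blocked)
    ("10.10.1.10", "10.10.2.10", 22),     # web -> app on the permitted port
    ("10.10.1.10", "10.10.2.10", 8080),   # web -> app on another port
    ("10.10.1.10", "10.10.3.10", 3306),   # web -> database (tier skipping)
    ("10.10.2.10", "10.10.3.10", 3306),   # app -> database
]

if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, audit(SAMPLE_FLOWS)):
        print(verdict, flow, evaluate(*flow)[1])
```

The explicit external-to-database deny is redundant with the final catch-all, but keeping it as its own rule preserves the slide's statement as a distinct line that can be matched and counted. The tier-skipping web-to-database flow is denied by the catch-all, which is the property the "normal flow is client->web->application->database" bullet relies on.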


Page 47: Designing Secure Cisco Data Centers

PCI Compliance Design Option – Physical Separation with VDC

Edge ASAs may implement a specific context for Compliance needs, or a distinct pair of ASAs may be used.
Nexus 7K carries traffic from the ASA Context across a VRF (PCI VRF), moving packets across the routed Core to the PCI Distribution VDC.
Security Group Access with MACSEC can be used on the Nexus 7000 to provide hop-by-hop encryption.
Dedicated ASAs (or vFW Context(s)) in the Distribution Layer VDC invoke the North-South Security Policy, possibly even enforcing using the SGT (via SXP), limiting compliant access to only the PCI Zone Servers by network, service or application.
Within the Virtual Access Layer, dedicated Server hardware is recommended for Security (compliance).
Additional port profiles may be created and leverage the Virtual Security Gateway (VSG) for East-West zoning between VMs in the DMZ.
ASA1000v can also be used to implement a Secure IPSec VPN to another secure destination.

[Figure: DC Edge (ASA A/S HA, IPSec) facing Internet / Extranet, DC Core VDC (Routed, BGP/OSPF) carrying the PCI VRF with SGT and 802.1AE (encrypt) to a PCI Aggregation Layer VDC with FW cluster contexts (CTX), its own PoD and Virtual Access Layer for the Compliance Zone Servers, alongside the Prod Aggregation Layer VDC for the Production Servers]

Compliance

Page 48: Designing Secure Cisco Data Centers


Thank you.

