SECURE DATA CENTER DESIGN
Piotr Wojciechowski (CCIE #25543)

Date post: 09-Feb-2018

ABOUT ME
- Senior Network Engineer MSO at VeriFone Inc.
- Previously Network Solutions Architect at one of the top Polish IT integrators
- CCIE #25543 (Routing & Switching)
- Blogger – http://ccieplayground.wordpress.com
- Administrator of CCIE.PL board
  - The biggest Cisco community in Europe
  - Over 6800 users
  - 3 admins, 7 moderators
  - 58 Polish CCIEs as members, 20 of them actively posting
  - About 150 new topics per month
  - About 1000 posts per month
  - English section available

AGENDA
- What do we want to protect?
- Physical DC security
- Secure network design
- Internet edge protection
- Security audits

WHAT DO WE WANT TO PROTECT?
- Sensitive data
- Business-related processes
- Network services
- Applications
- Hardware

WHERE DO WE PROTECT?

SECURITY AS A PROCESS

1. Subject matter experts define policies
2. Policies are used to create application templates
3. Application templates are used to create application profiles
4. Associated profiles create resources automatically


PHYSICAL DC SECURITY

DATA CENTER PHYSICAL SECURITY
- Site location
  - Risk of natural disasters at an acceptable level (fires, lightning storms, hurricanes, earthquakes, etc.)
  - Risk of man-made disasters at a low level (plane crashes, riots, fires, explosions, etc.)
    - Site should not be adjacent to airports, prisons, freeways, banks, refineries, etc.
  - Data center should not share a building with other offices, especially offices not owned by the organization

DATA CENTER PHYSICAL SECURITY
- Site location
  - Electrical utility powering the site should have 99.9% or better reliability of service
    - It must be delivered from at least two separate substations
    - Backup power generators
  - Water should be delivered from more than one source

DATA CENTER PHYSICAL SECURITY
- Perimeters
  - Fence around the facility
  - Guard kiosks at each access point
  - Automatic authentication method for employees (badges)
  - CCTV
  - Parking not adjacent to the building
  - No clear advertisement that a data center is located at this facility

DATA CENTER PHYSICAL SECURITY
- Surveillance
  - Monitoring of the property as well as the neighborhood
  - Guards on patrol
  - Parking permits for vehicles
  - Separate parking areas for employees and visitors

DATA CENTER PHYSICAL SECURITY
- Entry points
  - Loading docks and all outside doors should have automatic authentication methods (i.e. badges)
  - Each entrance should have physical barriers and CCTV cameras
  - Engineers must be required to use badges with pictures
  - Track equipment being brought in and removed

DATA CENTER PHYSICAL SECURITY
- NOC (Network Operations Centre)
  - Must have power, temperature, fire and humidity monitoring systems in place
  - Redundant methods of communication with the outside (analog phones, IP phones, cell phones, etc.)
  - Manned 24/7

DATA CENTER PHYSICAL SECURITY
- Disaster Recovery
  - It's a must-have!
  - Must contain: definition of disaster, who gets notified, who conducts damage assessment, where backups are located and what to do to maintain them
  - Plan must be updated and reviewed


SECURE NETWORK DESIGN

MULTI-LAYER DC PROTECTION
- No single solution for all data centers
- Security should be deployed based on application requirements, certification requirements as well as traffic flow
- Too much protection can be worse than no protection
- Virtualization – new challenges for security

SECURITY ZONES
- A security zone is an area within a network occupied by a group of systems and components with similar requirements for the protection of information and the attendant characteristics associated with those requirements.
- Security zones are often layered as trust zones such that resources in higher trust zones may communicate with resources in lower trust zones, but not the other way around.

SECURITY ZONES
- Goals of security zones:
  - Control inter-zone communication
  - Monitor inter-zone communication using IDP/IPS
  - Control management access into, out of and within the zone (jump servers)
  - Enforce data confidentiality and integrity rules for data stored within a zone, as well as for replication and backup.
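Added example (not from the slides): a small Python policy check that encodes the trust-zone rule stated above (higher-trust zones may initiate traffic towards lower-trust zones, never the reverse unless an explicit exception exists) and the goal of funnelling management access through jump servers; it then audits constructed flow records for violations. Zone names, trust levels, address prefixes, ports and the exception list are all assumptions for illustration.

```python
"""Trust-zone flow policy check (illustrative; not the slides' own code)."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed zone layering: larger value = higher trust.
TRUST = {"internet": 0, "dmz": 1, "app": 2, "db": 3, "mgmt": 4}

# Constructed address plan; any address outside these prefixes is "internet".
ZONE_PREFIXES = {
    "dmz": ip_network("192.0.2.0/24"),
    "app": ip_network("198.51.100.0/24"),
    "db": ip_network("203.0.113.0/24"),
    "mgmt": ip_network("10.0.0.0/24"),
}

# Assumed explicit exceptions letting a lower-trust zone reach a higher one:
# (src_zone, dst_zone, proto, dst_port). Any other upward flow is denied.
EXCEPTIONS = {
    ("internet", "dmz", "tcp", 443),   # public HTTPS into the DMZ
    ("dmz", "app", "tcp", 8443),       # DMZ front end to the app tier
    ("app", "db", "tcp", 1521),        # app tier to the Oracle listener
}

# Management protocols are only reachable from the jump-server zone.
MGMT_PORTS = {("tcp", 22), ("tcp", 3389), ("udp", 161)}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(ip: str) -> str:
    """Map an address to its zone; unknown addresses count as Internet."""
    addr = ip_address(ip)
    for name, net in ZONE_PREFIXES.items():
        if addr in net:
            return name
    return "internet"


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return ('permit' | 'deny', reason) for one flow initiation."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if (flow.proto, flow.dport) in MGMT_PORTS:
        if src_zone == "mgmt":
            return "permit", f"management access from jump-host zone to {dst_zone}"
        return "deny", f"{flow.proto}/{flow.dport} is management-only; source is {src_zone}"
    if src_zone == dst_zone:
        return "permit", f"intra-zone traffic within {src_zone}"
    if TRUST[src_zone] > TRUST[dst_zone]:
        return "permit", f"{src_zone} (trust {TRUST[src_zone]}) -> {dst_zone} (trust {TRUST[dst_zone]})"
    if (src_zone, dst_zone, flow.proto, flow.dport) in EXCEPTIONS:
        return "permit", f"explicit exception {src_zone} -> {dst_zone} {flow.proto}/{flow.dport}"
    return "deny", f"{src_zone} may not initiate traffic into higher-trust zone {dst_zone}"


def audit(flows: list[Flow]) -> list[tuple[Flow, str]]:
    """Return the flows (with reasons) that violate the zone policy."""
    violations = []
    for flow in flows:
        verdict, reason = evaluate(flow)
        if verdict == "deny":
            violations.append((flow, reason))
    return violations


# Constructed sample flow records, e.g. as exported from an IPS or NetFlow collector.
SAMPLE_FLOWS = [
    Flow("203.0.113.10", "198.51.100.20", "tcp", 443),   # db -> app: downward, permit
    Flow("192.0.2.10", "198.51.100.20", "tcp", 8443),    # dmz -> app: exception, permit
    Flow("192.0.2.10", "203.0.113.10", "tcp", 1521),     # dmz -> db directly: deny
    Flow("192.0.2.10", "198.51.100.20", "tcp", 22),      # SSH not from mgmt zone: deny
    Flow("10.0.0.5", "203.0.113.10", "tcp", 22),         # SSH from jump host: permit
    Flow("198.18.0.7", "192.0.2.10", "tcp", 443),        # internet -> dmz HTTPS: permit
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"VIOLATION {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
```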

SECURITY ZONES
- How to establish a security zone?

IPS DEPLOYMENT
- The Intrusion Prevention System (IPS) provides deep packet and anomaly inspection to protect against both common and complex embedded attacks.
- Because of the nature of IPS and its intense inspection capabilities, the overall throughput varies depending on the active policy.
- The IPS deployment in the data center usually leverages EtherChannel load balancing from the service switch. This method is recommended for the data center because it allows the IPS services to scale to meet the data center requirements.

IPS DEPLOYMENT
- Usually deployed in the services layer (part of the DMZ and high security zones)
- A port channel is configured on the services switch to forward traffic

IPS DEPLOYMENT
- Spanning tree plays an important role for IPS redundancy in this design
  - Under normal operating conditions, traffic in a VLAN will always follow the same active Layer-2 path
  - If a failure occurs (service switch failure or a service switch link failure), spanning tree converges and the active Layer-2 traffic path changes to the redundant service switch and Cisco IPS appliances


IPS DEPLOYMENT – SECURE TRAFFIC FLOW

VIRTUALIZATION CHALLENGES - VISIBILITY
- New challenges for visibility into what is occurring at the virtual network level
- Traffic flows can now occur within the server between virtual machines without needing to traverse a physical access switch
- If a virtual machine is infected or compromised, it might be more difficult for administrators to spot without the traffic being forwarded through security appliances

VIRTUALIZATION CHALLENGES - VISIBILITY
- ERSPAN forwards copies of the virtual machine traffic to the Cisco IPS appliance and the Cisco Network Analysis Module (NAM)

VIRTUALIZATION CHALLENGES - ISOLATION
- Server-to-server filtering can be performed using ACLs on the Cisco Nexus 1000V
- Because the server-to-server traffic never leaves the physical server, the ACL provides an excellent method for segmenting this traffic.
- There are two options for adding an access list to the virtual Ethernet interfaces to block communication:
  - The ACL can be defined and the access group applied to a port profile. All interfaces configured for the port profile will inherit the access-group setting.
  - Specific ACLs can be applied directly to a virtual Ethernet interface in addition to the port profile. The port profile will still apply, but the access group will only be applied to the specific interface instead of all interfaces that have inherited the particular port profile.

VIRTUALIZATION CHALLENGES - FIREWALLING
- An additional virtual context is created on the Cisco ASA and designated to reside between the servers and an Oracle database
- It can also be the virtual firewall ASA 1000V
- The goal is not to prevent any server from communicating with the database, but rather to control which servers can access the database
- Context firewalls can run in routed and transparent modes

VIRTUALIZATION CHALLENGES – WEB APPLICATION FIREWALL
- A WAF can protect servers from a number of highly damaging application-layer attacks, including command injection, directory traversal attacks, and cross-site scripting (XSS) attacks
- Can also be used for SSL offloading

VIRTUALIZATION CHALLENGES – VM-TO-VM IDS
- ERSPAN on the Cisco Nexus 1000V is leveraged to forward a copy of virtual machine-to-virtual machine traffic to the IDS at the services layer
- Both virtual machines reside on the same physical server
- The attempt triggers a signature on the IDS and is logged for investigation

VIRTUALIZATION CHALLENGES – SUMMARY

Threats addressed by each security function (Yes = addressed, - = not addressed):

Function                          Botnets  DoS  Unauth. Access  Spyware/Malware  Network Abuse  Data Leakage  Visibility  Control
Routing Security                  -        Yes  Yes             -                Yes            -             Yes         Yes
Service Resiliency                -        Yes  Yes             -                -              -             -           Yes
Network Policy Enforcement        Yes      -    Yes             -                Yes            Yes           -           Yes
Application Control Engine (ACE)  -        Yes  Yes             -                -              -             Yes         Yes
Web Application Firewall (WAF)    -        -    Yes             Yes              -              Yes           Yes         Yes
IPS Integration                   Yes      -    -               Yes              Yes            -             Yes         Yes
Switching Security                -        Yes  Yes             -                Yes            Yes           -           -
Endpoint Security                 Yes      Yes  Yes             Yes              Yes            Yes           Yes         Yes
Secure Device Access              -        -    Yes             -                Yes            Yes           Yes         Yes
Telemetry                         Yes      Yes  Yes             -                Yes            -             Yes         -

INTERNET EDGE PROTECTION
- The Internet edge is a public-facing network infrastructure and is particularly exposed to a large array of external threats. Some of the expected threats are as follows:
  - Denial-of-service (DoS), distributed DoS (DDoS)
  - Spyware, malware, and adware
  - Network intrusion, takeover, and unauthorized network access
  - E-mail spam and viruses
  - Web-based phishing, viruses, and spyware
  - Application-layer attacks (XML attacks, cross-site scripting, and so on)
  - Identity theft, fraud, and data leakage

FIREWALL PHYSICAL INTERFACES LAYOUT

The different logical interfaces on the Cisco ASA can be used to separate the DMZ, the SP-facing interfaces, and the inside corporate infrastructure.

WEB APPLICATION FIREWALL
- Configure the web application firewall to retain the source IP address if the traffic is directed to appliances in the data center.
- It is recommended that HTTPS traffic directed to the data center not be encrypted, as the Cisco ACE module in the data center will perform the load balancing and decryption while also providing higher performance.
- The web application firewall in the Internet edge and the web application firewall in the data center should be configured in the same cluster.

SERVICE PROVIDER EDGE
- Use BGP as the routing protocol for all dynamic routing, both between the border routers and between the border routers and the SP.
- Have an independent autonomous system number. This gives the flexibility of advertising the Internet prefix to different SPs.
- Use PfR as the path-optimization mechanism. This ensures that the optimal path is selected between the SPs, thereby increasing application performance.

SECURITY AUDITS
- There is no one template of security audit that will fit everyone
- Some security audits are certification related (for example PCI-DSS)
- Audits do not cover only networking aspects
- If performed correctly, a security audit can reveal weaknesses in technology, practices, employees and other key areas
- Usually semi-automated

SECURITY AUDITS
- Audit components (some, not all):
  - Vulnerability scans
  - Examination of OS settings
  - Examination of application settings
  - Network analyses
  - Employee interviews
  - Log review
  - Security policy review

SECURITY AUDITS
- Some of the key questions that an auditor must ask include:
  - Who is in charge of security, and who does this person report to?
  - Have ACLs (Access Control Lists) been placed on network devices to control who has access to shared data?
  - How are passwords created and managed?
  - Are there audit logs to record who accesses data?
  - Who reviews the audit logs, and how often are they examined?
  - Are the security settings for OSes and applications in accordance with accepted industry security practices?
  - Have unnecessary applications and services been purged from systems? How often does this task take place?
  - Are all OSes and applications updated to current levels?
  - How is backup media stored? Who has access to it? Is it up-to-date?
  - How is email security addressed?
  - How is Web security addressed?
  - How is wireless security addressed?
  - Are remote workers covered by security policies?
  - Is a disaster-recovery plan in place? Has the plan ever been rehearsed?
  - Have custom applications been tested for security flaws?
  - How are configuration and code changes documented? How often are these records reviewed?
- Many other questions pertaining to the exact nature of the business's operations also must be addressed.

INTERNAL AUDITS
- BAU audits:
  - Checking the current status of the maintained platform and software
  - Should be regular
- On-demand audits:
  - Test if procedures are working
  - Test if the team is prepared for an emergency situation
  - Test third-party responsibility

SECURITY AUDITS
- "Off-the-shelf" audits:
  - Ineffective
  - More costly in the long term
  - Do not show the results management and security teams are requesting
  - Usually 99% software-based

SECURITY AUDITS
- Audit time:

Stage                     % of Total Time
Preparation               10
Reviewing Policy/Docs     10
Talking/Interviewing      10
Technical Investigation   15
Reviewing Data            20
Writing Up Documentation  20
Report Presentation        5
Post Audit Actions        10

QUESTIONS?

THANK YOU