Security and Virtualization in the Data Center
Speaker information

• Contact information:
  –   David Anderson
  –   Solutions Architect
  –   Borderless Security team – US
  –   E-mail: dma1@cisco.com
• Focus areas:
  –   Data Center Security
  –   Virtualization
  –   Secure Mobility
  –   Security Design
  –   Compliance (PCI, Federal)
Takeaways
• To integrate security effectively, you must understand the core data
  center fabric technologies and features: VDC, vPC, VRF, server
  virtualization, traffic flows
• Security as part of the core design
• Designs to enforce microsegmentation in the data center
• Enforce separation of duties in virtualized and cloud environments
• Security to enforce continuous compliance
Secure Data Center (agenda)
• Data Center Primer
• Secure Data Center Components
• Secure Data Center Design Fundamentals
• Secure Data Center Design Details
Data Center Primer: Terms and Technology
Cisco Datacenter Terms Primer
Know the lingo
• VDC – Virtual Device Context
• vPC – Virtual Port Channel
• VSS & MEC – Virtual Switching System & Multi-chassis EtherChannel
• VSL & Peer Link – Virtual Switch Link
• ECMP – Equal-Cost Multi-Path
• VSD – Virtual Service Domain
• VBS – Virtual Blade Switching
• VRF – Virtual Routing & Forwarding
• FabricPath
Data Center Architecture
[Diagram: layered view from Application Software and Virtual Machines, through the VSwitch (Port Profiles & VN-Link), Compute (Service Profiles, Virtual Machine Optimization), Storage & SAN (Fabric-Hosted Storage Virtualization, Fibre Channel Forwarding), Access (Fabric Extension), Aggregation and Services (Virtual Device Contexts, Application Control (SLB+), Service Control) and Core (Virtual Device Contexts), out to the IP-NGN Edge / Backbone (Internet, IP-NGN, Partners).]
Secure Data Center Architecture
[Diagram: the same layered view with security services added per layer: Virtual Firewall Edge and VM at the VSwitch (Port Profiles & VN-Link); Storage Media Encryption in Storage & SAN; Line-Rate NetFlow at Access (Fabric Extension); Firewall Services, Intrusion Detection and Virtual Contexts for FW & SLB in Aggregation and Services (alongside Virtual Device Contexts, Application Control (SLB+), Service Control); Virtual Device Contexts in the Core; Secure Domain Routing at the IP-NGN Edge (Internet, IP-NGN, Partners).]
Data Center Security Challenges
Security Threats & Considerations
• Denial of Service (e.g. Google, Twitter, Facebook)
• APT – Targeted Attacks / Nation State Attacks
• Data Protection for Privacy and Data Compliance
• Application Exploits (SQL Injection)
• Malware / Botnets
• Mobile Malicious Code
• Virtualization Concerns
Secure the Platform
Network security best practices
• Network device hardening
• Defense in Depth
• AAA
• NetFlow
• Separation of duties and least privileges
Virtualization specifics
• Follow hypervisor hardening recommendations
• Access Controls (production vs. management)
• Secure and harden Guest OS
• Segmentation
Add Security Services
• VRF, VLAN, Access Control Lists
• Stateful Network Firewalls
• Intrusion Detection and Prevention
• Web firewalls
• Load Balancers
• SSL Offloading
• Virtual security appliances
• Management and Visibility tools
Data Center Security Components: What's in our toolbox
Physical and Virtual Service Nodes
[Diagram: two deployment options for a Web / App / Database server tier on a hypervisor.
1. Traditional Service Nodes – redirect VM traffic via VLANs and Virtual Contexts to external (physical) appliances.
2. Virtual Service Nodes (VSN) – apply hypervisor-based network services.]
Physical Firewalls
[Diagram: Traditional Service Nodes – Web / App / Database servers on a hypervisor, with VM traffic steered via VLANs and Virtual Contexts to an ASA Services Module or an ASA 5585 Appliance.]
Features in ASA Firewalls
EtherChannel
• ASA supports Link Aggregation Control Protocol (LACP), an IEEE 802.3ad standard
• Each port-channel supports up to 8 active and 8 standby links
• Supported methods of aggregation: Active, Passive & On
• EtherChannel ports are treated just like physical and logical interfaces on ASA
• ASA can tie in directly to a vPC (Nexus 7000) or VSS (6500) enabled switch
• Up to 32 interfaces per Virtual Context (formerly 2)
  – 4 interfaces per bridge group, 8 bridge groups per Virtual Context
Catalyst 6500 VSS and Nexus 7000 vPC
[Diagram: left, a Catalyst 6500 VSS pair joined by the VSL, with Multi-chassis EtherChannel (MCEC) downlinks to Active and Standby devices; right, a Nexus 7000 vPC pair joined by the vPC peer link, with vPC EtherChannels (EC) to Active and Standby devices. Both provide Dual Active Forwarding Paths and a Loop-Free Design.]
Presentation_ID    © 2007 Cisco Systems, Inc. All rights reserved.       Cisco Confidential
ASA Integration with vPC & VSS
[Diagram: the Active / Standby ASA pair attaches by EtherChannel (EC) either to a Nexus 7000 vPC pair (vPC peer link) or, via MCEC, to a Catalyst 6500 VSS pair (VSL).]
Virtualization Concerns
• Policy Enforcement
  – Applied at physical server—not the individual VM
  – Impossible to enforce policy for VMs in motion
• Operations and Management
  – Lack of VM visibility, accountability, and consistency
  – Difficult management model and inability to effectively troubleshoot
• Roles and Responsibilities
  – Muddled ownership as server admin must configure virtual network
  – Organizational redundancy creates compliance challenges
• Machine Segmentation
  – Server and application isolation on same physical server
  – No separation between compliant and non-compliant systems…
[Diagram: Web / App / DB Servers on a hypervisor, connected via VLANs to Virtual Contexts.]
Virtualization & Virtual Service Nodes
[Diagram: Web / App / Database servers on a hypervisor running the Nexus 1000V, with Virtual Service Nodes (VSN) inserted in the virtual network.
• Virtual Security Gateway – zone based intra-tenant segmentation of VMs
• ASA 1000V – ingress/egress multi-tenant edge deployment]
Cisco's Virtual Security Architecture
• Orchestration / Cloud Portals
• Virtual Network Management Center – extending existing operational workflows to virtualized environments
• VSG, ASA 1000V – extending network services to virtualized environments
• Nexus 1000V, vPath – extending networking to virtualized environments
vPath—The intelligent virtual network
• vPath is intelligence built into the Virtual Ethernet Module (VEM) of the Nexus 1000V (1.4 and above)
• vPath has two main functions:
  a. Intelligent Traffic Steering
  b. Offload processing via Fastpath from Virtual Service Nodes to the VEM
• Dynamic Security Policy Provisioning (via security profile)
• Leveraging vPath enhances service performance by moving the processing to the hypervisor
[Diagram: vPath inside the Nexus 1000V VEM.]
vPath: Fast Path Switching for Virtualization
[Diagram: VMs on hosts running the Nexus 1000V Distributed Virtual Switch with vPath, a VSN (ASA 1000V / VSG) and VNMC.
1. Initial packet of a flow
2. Flow access control (policy evaluation) on the VSN (ASA 1000V / VSG)
3. Decision caching in vPath
4. Subsequent packets of the flow are switched by vPath on the VEM]
Cisco Virtual Security Gateway
Virtual Security Gateway (VSG)
• Context aware Security – VM context aware rules
• Zone based Controls – Establish zones of trust
• Dynamic, Agile – Policies follow vMotion
• Best-in-class Architecture – Efficient, Fast, Scale-out SW
Virtual Network Management Center (VNMC)
• Non-Disruptive Operations – Security team manages security
• Policy Based Administration – Central mgmt, scalable deployment, multi-tenancy
• Designed for Automation – XML API, security profiles
Virtual Security Gateway
 • Context based rule engine, where ACLs can be expressed
   using any combination of network (5-tuple), custom and VM
   attributes. It’s extensible so other types of context/attributes
   can be added in future
 • No need to deploy on every physical server (this is due to
   1000V vPath intelligence)
 • Hence can be deployed on a dedicated server, or hosted on a
   Nexus 1010 appliance
 • Performance optimization via enforcement off-load to 1000V
   vPath
 • High availability
ASA 1000V
• Runs same OS as ASA appliance and blade
• Maintains ASA Stateful Inspection Engines
• IPSEC site-to-site VPN
• Collaborative Security Model
  – VSG for intra-tenant secure zones
  – Virtual ASA for tenant edge controls
• Integration with Nexus 1000V & vPath
[Diagram: on vSphere with Nexus 1000V and vPath, Tenant A and Tenant B each have a Virtual ASA at the tenant edge and VSGs protecting the VDC and vApp zones inside the tenant.]
Nexus 1000V Port Profiles
Port Profile –> Port Group (pushed to vCenter through the vCenter API)

        port-profile vm180
          vmware port-group pg180
          switchport mode access
          switchport access vlan 180
          ip flow monitor ESE-flow input
          ip flow monitor ESE-flow output
          no shutdown
          state enabled

        interface Vethernet9
          inherit port-profile vm180

        interface Vethernet10
          inherit port-profile vm180

Supported commands include:
• Port management
• Port-channel
• VLAN
• ACL
• PVLAN
• NetFlow
• Port Security
• QoS
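Because the port-profile is the point where security policy is attached to VMs, a practitioner will want to audit it. The following is an added example (not from the original deck) that parses a running-config fragment in the style above and reports profiles missing the NetFlow or access-VLAN statements the design expects; the sample config and the REQUIRED list are constructed for the demo.

```python
# Added example, not from the original deck: parse a Nexus 1000V running-config
# fragment in the style shown above and audit every port-profile for the
# NetFlow and access-VLAN statements the design expects. The sample config
# and the REQUIRED list are constructed for this demo.
import re

# Constructed sample: vm180 matches the deck; vm181 lacks the output flow
# monitor; vm190 is never inherited by any Vethernet interface.
SAMPLE_CONFIG = """\
port-profile vm180
  vmware port-group pg180
  switchport mode access
  switchport access vlan 180
  ip flow monitor ESE-flow input
  ip flow monitor ESE-flow output
  no shutdown
  state enabled

port-profile vm181
  switchport mode access
  switchport access vlan 181
  ip flow monitor ESE-flow input
  no shutdown
  state enabled

port-profile vm190
  switchport mode access
  switchport access vlan 190
  ip flow monitor ESE-flow input
  ip flow monitor ESE-flow output
  state enabled

interface Vethernet9
  inherit port-profile vm180

interface Vethernet10
  inherit port-profile vm180

interface Vethernet11
  inherit port-profile vm181
"""

# Statements every VM-facing profile must carry (one regex per full line).
REQUIRED = {
    "netflow-in": r"^ip flow monitor \S+ input$",
    "netflow-out": r"^ip flow monitor \S+ output$",
    "access-vlan": r"^switchport access vlan \d+$",
    "enabled": r"^state enabled$",
}

def parse_config(text):
    """Return (profiles, interfaces): profile name -> list of config lines,
    Vethernet name -> inherited profile name (None if nothing inherited)."""
    profiles, interfaces = {}, {}
    block = name = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^port-profile (\S+)$", line)
        if m:
            block, name = "profile", m.group(1)
            profiles[name] = []
            continue
        m = re.match(r"^interface (\S+)$", line)
        if m:
            block, name = "interface", m.group(1)
            interfaces[name] = None
            continue
        if block == "profile":
            profiles[name].append(line)
        elif block == "interface":
            m = re.match(r"^inherit port-profile (\S+)$", line)
            if m:
                interfaces[name] = m.group(1)
    return profiles, interfaces

def audit(text):
    """Return sorted (target, issue) findings for the config text."""
    profiles, interfaces = parse_config(text)
    in_use = {p for p in interfaces.values() if p}
    findings = []
    for prof, lines in profiles.items():
        for key, pattern in REQUIRED.items():
            if not any(re.match(pattern, ln) for ln in lines):
                findings.append((prof, "missing " + key))
        if prof not in in_use:
            findings.append((prof, "not inherited by any interface"))
    for intf, prof in interfaces.items():
        if prof is None:
            findings.append((intf, "no port-profile inherited"))
        elif prof not in profiles:
            findings.append((intf, "inherits undefined profile " + prof))
    return sorted(findings)

if __name__ == "__main__":
    for target, issue in audit(SAMPLE_CONFIG):
        print(f"{target}: {issue}")
```

Running it on a real `show running-config port-profile` output works the same way; extend REQUIRED with the ACL or port-security statements your profiles are expected to carry.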
Security Policy to Port Profile
Design Fundamentals
Secure Data Center
• Network security can be mapped and applied to both the physical and virtual DC networks
• Zones can be used to provide data centric security policy enforcement
• Steer VM traffic to a Firewall Context
• Segment pools of blade resources per Zone
• Segment network traffic within the Zone
  – System Traffic
  – VM Traffic
  – Management Traffic
• Lock down elements within a Zone
• Unique policies and traffic decisions can be applied to each zone, creating very flexible designs
• Foundation for secure private cloud
Understand Network and Application Flows
• Understand how the applications are deployed and accessed both internally and externally
• Understand the North-South, East-West flow patterns
• Adjacency of services to servers is important. Adding services to existing flow patterns
  minimizes packet gymnastics!
• Again, design with the maximum amount of high availability: know your failover and failback
  times, traffic paths during failover scenarios


[Diagram: Web Client -> Web-zone (Web Servers) -> Application-zone (App Servers) -> Database-zone (DB servers). Only permit Web servers access to Application servers; only permit Application servers access to Database servers.]
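The zone rule above is easy to state and easy to violate once VMs move. The following added example (not from the original deck) checks NetFlow-style records against the three-tier policy and reports every flow that crosses a zone boundary without permission; zone subnets, allowed ports and the flow records are all constructed.

```python
# Added example, not from the original deck: check NetFlow-style records
# (src, dst, dport, proto) against the three-tier zone policy above: external
# clients may reach the Web zone, Web servers may reach App servers, App
# servers may reach Database servers, and nothing else crosses a zone
# boundary. Zone subnets, ports and the flow records are constructed.
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport proto")

# Zone membership by subnet (constructed addressing for the demo).
ZONES = {
    "web-zone": ipaddress.ip_network("10.1.10.0/24"),
    "application-zone": ipaddress.ip_network("10.1.20.0/24"),
    "database-zone": ipaddress.ip_network("10.1.30.0/24"),
}

# Permitted inter-zone flows: (src zone, dst zone) -> allowed TCP ports.
# Intra-zone traffic is left to the VSG per-VM rules and is permitted here.
POLICY = {
    (None, "web-zone"): {80, 443},            # external client -> web tier
    ("web-zone", "application-zone"): {8080},
    ("application-zone", "database-zone"): {3306},
}

# Constructed NetFlow-style export, one record per line.
SAMPLE_RECORDS = """\
203.0.113.5,10.1.10.11,443,tcp
10.1.10.11,10.1.20.21,8080,tcp
10.1.20.21,10.1.30.31,3306,tcp
10.1.30.31,10.1.30.32,3306,tcp
10.1.10.12,10.1.30.31,3306,tcp
10.1.20.21,10.1.30.31,22,tcp
203.0.113.9,10.1.30.31,3306,tcp
10.1.20.21,10.1.30.31,3306,udp
"""

def zone_of(ip):
    """Name of the zone containing ip, or None for an address outside all zones."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None

def evaluate(flow):
    """Return 'permit' or a short reason explaining why the flow violates policy."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if dst_zone is None:
        return "permit"           # egress to outside; the edge firewall filters it
    if src_zone is not None and src_zone == dst_zone:
        return "permit"           # intra-zone, handled by per-VM rules
    allowed = POLICY.get((src_zone, dst_zone))
    src_label = src_zone or "external"
    if allowed is None:
        return f"{src_label}->{dst_zone} not permitted"
    if flow.proto != "tcp" or flow.dport not in allowed:
        return f"{src_label}->{dst_zone} {flow.dport}/{flow.proto} not permitted"
    return "permit"

def parse_records(text):
    """Parse 'src,dst,dport,proto' lines into Flow tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, proto = line.split(",")
        flows.append(Flow(src, dst, int(dport), proto))
    return flows

def find_violations(text):
    """Return [(Flow, reason)] for every record that breaks the zone policy."""
    out = []
    for flow in parse_records(text):
        verdict = evaluate(flow)
        if verdict != "permit":
            out.append((flow, verdict))
    return out

if __name__ == "__main__":
    for flow, reason in find_violations(SAMPLE_RECORDS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}: {reason}")
```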
Important
• Careful attention should be given to where the server's default gateway resides
• It can be disruptive to introduce changes to where the gateway resides. Non-greenfield designs require flexibility for deploying new services, e.g. moving the gateway from the switch to a service appliance
• Service introduction (i.e. firewall, web security, load balancing) can have an impact on data center traffic flows
• Design with the maximum amount of high availability: know your failover and failback times, traffic paths during failover scenarios
• Multicast support considerations for L2 vs L3 services
Traditional North-South Traffic Flow
• Ingress and egress traffic from each zone is routed and filtered appropriately
• Physical firewall, IPS, etc. deployed for each zone
• Physical devices for each zone are sometimes required but can be an expensive solution
[Diagram: Internet -> Aggregation (ASA w/ IPS as the Control point) -> Access: Top of Rack -> Zone A, Zone B, Zone C (vApps) on vSphere.]
Network Virtualization and Zones
Acme Co. - Control Traffic and Apply Policy per Zone
• Zones used to provide data centric security policy enforcement
• Physical network security mapped per zone
  – VRF, Virtual Context
• Lockdown elements in Zone
[Diagram: per-zone Virtual Switches on vSphere. Callouts: Steer VM traffic to Firewall Context; Segment pools of blade resources per Zone; Segment network traffic in the Zone (System Traffic, VM Traffic, Management Traffic); Unique policies and traffic decisions applied to each zone.]
North-South Traffic with Network Virtualization
[Diagram: Internet -> Physical ASA -> Aggregation VRF (VLAN 10, gateway 192.168.10.1; VLAN 20, gateway 192.168.20.1) -> ASA Virtual Context (Layer 2) -> Access -> Zone A, Zone B, Zone C (vApps) on vSphere.]
Microsegmentation: Per Zone, Per VM, Per vNIC
• Virtual ASA: stateful filtering for ingress/egress for the Zone
• Near East: VM segmentation based on VM attributes or ACL (VSG)
• Zone to zone can be encrypted via IPSEC
• Demonstrable segmentation and encryption for virtualization compliance
[Diagram: Aggregation with VLAN 10 and VLAN 20; Zone A and Zone B / Zone C (Tenant B, VDC, vApps) each fronted by a Virtual ASA, with VSG and vPath on the Nexus 1000V in vSphere, and an IPSEC tunnel between the Virtual ASAs.]
Segmentation of Production and Non-Production Traffic
[Diagram: one ESXi host with the Nexus 1000V and separate uplinks (VMNIC 1–4): the Production Network carries the VM vEth ports through vPath to the VSG; the Management Network carries the VMkernel Mgmt and Storage ports plus vCenter, VNMC, ASA 1000V and Storage.]
Visibility: Monitor VM to VM Traffic
Nexus 1000V supports
• NetFlow v9
• ERSPAN/SPAN
• Permit protocol type header “0x88BE” for ERSPAN GRE
• ERSPAN does not support fragmentation
• 1000V requires a NetFlow source interface; defaults to Mgmt0

        monitor session 1 type erspan-source
          description N1k ERSPAN – session 1
        monitor session 3 type erspan-destination
          description N1k ERSPAN to NAM

        monitor session 2 type erspan-source
          description N1k ERSPAN – session 2
        monitor session 4 type erspan-destination
          description N1k ERSPAN to IDS1

[Diagram: ERSPAN and NetFlow from the Nexus 1000V (VSG, vPath, Zone B / Zone C VDCs and vApps on vSphere) up through the Aggregation layer to an Intrusion Detection sensor and a NetFlow Analyzer, the ERSPAN destinations (ID:1, ID:2).]
Virtualization & Compliance: PCI DSS 2.0
• PCI security requirements apply to all 'system components.'
• System components are defined as:
  – Any network component, server, or application that is included in or connected to the cardholder data environment.
  – Virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors.
• The cardholder data environment is that part of the network that possesses cardholder data or sensitive authentication data.
• Adequate network segmentation, which isolates systems that store, process, or transmit cardholder data from those that do not, may reduce the scope of the cardholder data environment.
Source: PCI DSS 2.0
Guidance
• All virtual components in scope
• All virtual communications and data flows must be identified and documented
• Virtualized environment must maintain proper segmentation
• Must meet intent of all 12 PCI requirements
[Diagram: the production / management traffic segmentation host (Nexus 1000V, vPath, VSG, ASA 1000V, VMkernel Mgmt and Storage, VMNIC 1–4), repeated from the previous slide.]
Design Details
Secure Data Center Reference Architecture
•   2x Nexus 7010s with VDCs (Core and Aggregation) (NX-OS 5.1(3))
•   2x Nexus 5Ks for top of rack
•   2x ASA 5585-60 with IPS
•   2x 6500-E with ASA-SMs
•   2x Virtual Security Gateway (VSG) in HA mode
•   2x Nexus 1000V with redundant VSMs
•   Identity Services Engine (ISE) for 802.1x user AAA
•   Standard VMware ESXi Infrastructure with multiple service domains
    (Active Directory, DNS, VDI, etc.)
Traditional Model
• Services are aggregated at the Distribution Layer
• Single or Multi-Tenant zone based segmentation
• Virtual Contexts create security zones from the DC edge to the Virtual Machine
• VRF -> Firewall -> VLAN -> Virtual Switch -> Virtual Firewall -> vNIC -> VM
• EtherChannel and vPC provide a loop-free Layer 2 environment
• Visibility and control for VM-to-VM flows
[Diagram: L3 Routed Core above an L2 Boundary on each side.]
ASA Details
[Diagram: two ASA 5585s (5585-1 "Twain" and 5585-2 "Voltaire") in transparent mode, each with two bridge groups: BVI-1 (10.1.200.199) bridging v200 Inside [Po1.200] to v201 Outside [Po1.201], and BVI-2 (10.1.204.199) bridging v204 Service-In [Po1.204] to v205 Service-Out [Po1.205]. The ASA side of the port-channel is "channel-group 1 mode passive"; the Nexus 7k-1 / 7k-2 AGG-VDC side is "channel-group 1 mode active" on vPC9 and vPC10.]
Port Channel Load-Balancing Configuration:
System: src-dst ip
Secure Service Pod Model
• Services Pod centralizes security services
• Traffic forwarded via service-specific VLANs
• Modules (Catalyst 6500) and appliances supported
• Highly scalable modular design
• Single or multi-tenant zone-based segmentation
• Security zones from the DC edge to the virtual machine
[Figure: L3 routed core with an L2 boundary on each side; the services pod hangs off the aggregation layer]
Nexus 7000 & Cat 6500 Channel Group Modes
[Figure: 7k-1 and 7k-2 AGG-VDCs; vPC1 to 6506-1 (ASA-SM "WestJet"), vPC2 to 6506-2 (ASA-SM "Airbus")]
  Nexus 7000 (7k-1 / 7k-2 AGG-VDC):  channel-group 1 mode active    channel-group 2 mode active
  Catalyst 6500 (6506-1 / 6506-2):   channel-group 1 mode on        channel-group 2 mode on
ASA SM Layer 2 and 3
[Figure: ASA-SM bridging v221 (Outside) and v220 (Inside)]
  interface BVI2
   description bvi for 221 and 220
   ip address 10.1.221.199 255.255.255.0
ASA SM Details
Nexus 7k-1 AGG-VDC:
  interface Vlan221
    mac-address b414.89e1.2222
    ip address 10.1.221.252/24
    hsrp 21
      preempt
      priority 105
      ip 10.1.221.254
  interface port-channel1
    switchport
    switchport mode trunk
    vpc 1

Nexus 7k-2 AGG-VDC:
  interface Vlan221
    mac-address b414.89e1.3333
    ip address 10.1.221.253/24
    hsrp 21
      preempt
      priority 100
      ip 10.1.221.254
  interface port-channel2
    switchport
    switchport mode trunk
    vpc 2

ASA-SM (6506-1 "WestJet" / 6506-2 "Airbus"; BVI2 ip address 10.1.221.199):
  interface Vlan220
   nameif inside
   bridge-group 2
   security-level 100
  !
  interface Vlan221
   nameif outside
   bridge-group 2
   security-level 0

  failover lan interface Failover Vlan44
  failover link State Vlan45
  failover interface ip Failover 10.90.44.1 255.255.255.0 standby 10.90.44.2
  failover interface ip State 10.90.45.1 255.255.255.0 standby 10.90.45.2
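A transparent firewall only works if the two HSRP SVIs on either side of it agree with each other and the ASA-SM's BVI lives in the bridged subnet. The following Python is an added check, not part of the deck or of any Cisco tool: it parses the two NX-OS SVI stanzas and the BVI address shown above (embedded here as constants) and reports the mismatches that silently break this design (split HSRP groups or VIPs, duplicate addresses or MACs, equal priorities, missing preempt, a BVI outside the subnet). The NX-OS field names it parses are only the ones visible on the slide.

```python
"""Consistency check for an HSRP SVI pair with a transparent ASA-SM in between.

Added example; not from the original deck. It parses the two NX-OS SVI stanzas
and the ASA-SM BVI address from the slide and validates the properties the
Design #1 / ASA-SM layout depends on.
"""
import ipaddress
import re

# Copies of the two SVI stanzas shown on the slide (7k-1 and 7k-2).
SVI_7K1 = """\
interface Vlan221
  mac-address b414.89e1.2222
  ip address 10.1.221.252/24
  hsrp 21
    preempt
    priority 105
    ip 10.1.221.254
"""

SVI_7K2 = """\
interface Vlan221
  mac-address b414.89e1.3333
  ip address 10.1.221.253/24
  hsrp 21
    preempt
    priority 100
    ip 10.1.221.254
"""

# ASA-SM BVI2 management address from the slide; the /24 is the bridged subnet.
ASA_BVI = "10.1.221.199/24"


def parse_svi(text):
    """Pull the HSRP-relevant fields out of one NX-OS SVI stanza."""
    svi = {"preempt": False}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (Vlan\d+)", line):
            svi["name"] = m.group(1)
        elif m := re.match(r"mac-address ([0-9a-f.]+)", line):
            svi["mac"] = m.group(1)
        elif m := re.match(r"ip address (\S+)", line):
            svi["ip"] = ipaddress.ip_interface(m.group(1))
        elif m := re.match(r"hsrp (\d+)", line):
            svi["group"] = int(m.group(1))
        elif line == "preempt":
            svi["preempt"] = True
        elif m := re.match(r"priority (\d+)", line):
            svi["priority"] = int(m.group(1))
        elif m := re.match(r"ip (\d+\.\d+\.\d+\.\d+)$", line):   # the HSRP VIP
            svi["vip"] = ipaddress.ip_address(m.group(1))
    return svi


def check_pair(a, b, bvi):
    """Return a list of problems; an empty list means the pair and the BVI are consistent."""
    problems = []
    if a["name"] != b["name"]:
        problems.append("SVIs are on different VLANs")
    if a["group"] != b["group"]:
        problems.append("HSRP group numbers differ")
    if a["vip"] != b["vip"]:
        problems.append("HSRP virtual IPs differ")
    if a["ip"].ip == b["ip"].ip:
        problems.append("both SVIs use the same real address")
    if a["mac"] == b["mac"]:
        problems.append("both SVIs use the same burned-in MAC")
    if a["ip"].network != b["ip"].network:
        problems.append("SVIs are in different subnets")
    if a["vip"] not in a["ip"].network:
        problems.append("HSRP VIP is outside the SVI subnet")
    if a["priority"] == b["priority"]:
        problems.append("equal priorities: the active router is decided by the IP tie-break")
    if not (a["preempt"] and b["preempt"]):
        problems.append("preempt missing on a peer: the higher-priority router will not reclaim the VIP after recovery")
    bvi_if = ipaddress.ip_interface(bvi)
    if bvi_if.network != a["ip"].network:
        problems.append("ASA BVI address is not in the bridged subnet")
    if bvi_if.ip in (a["ip"].ip, b["ip"].ip, a["vip"]):
        problems.append("ASA BVI address collides with an SVI address or the VIP")
    return problems


def active_peer(a, b, names=("7k-1", "7k-2")):
    """Name of the router that wins the HSRP election: higher priority, then higher IP."""
    key_a = (a["priority"], int(a["ip"].ip))
    key_b = (b["priority"], int(b["ip"].ip))
    return names[0] if key_a > key_b else names[1]


if __name__ == "__main__":
    svi1, svi2 = parse_svi(SVI_7K1), parse_svi(SVI_7K2)
    print("problems:", check_pair(svi1, svi2, ASA_BVI) or "none")
    print("active HSRP router:", active_peer(svi1, svi2))
```

Run it against the slide's configuration and it reports no problems and elects 7k-1 (priority 105); drop `preempt` from one stanza or move the BVI into 10.1.200.0/24 and it flags the exact condition that would leave the firewall bridging a subnet with no working gateway.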
Server Gateway Outside of Firewall: Design #1
ASA HA pair in transparent mode with the SVI on the Aggregation VDC; the server gateway (10.1.200.254) is on the outside of the firewall.
[Figure: Aggregation VDC with Layer 3 on the outside (v201 - Outside) and Layer 2 on the inside (v200 - Inside)]
Simple design. The firewall is part of the Layer 2 failure domain.
ASA in the Data Center: Design #2
Firewall Between Inter-VDC Traffic
[Figure: Core VDC (VRF North) - ASA HA Pair 1 and ASA HA Pair 2 - Aggregation VDC (VRF South); v200 with the VRF gateway 10.1.200.254]
• Transparent (L2) firewall services are "sandwiched" between Nexus VDCs
• Allows other services (IPS, LB, etc.) to be layered in as needed
• ASAs can be virtualized for a 1:1 mapping to VRFs
• Useful for topologies that require a firewall between aggregation and core
• Downside: most or all traffic destined for the Core traverses the firewall, which can become a bottleneck
Design Details and Benefits
• Zone-based differentiation, building blocks with VLANs and VRFs
  – Inter-VM firewalling via VSG/ASA 1000V
  – Intra-zone firewalling via both VSG/ASA 1000V and ASA/ASA-SM
  – Inter-zone firewalling via ASA 1000V, ASA, or ASA-SM
Server Access and VM Network Details
[Figure: 5k-1 "Inara" and 5k-2 "Jayne" uplinked to the Agg switches on 1/1 and 1/2 and joined by PortChannel111 (1/17, 1/18); ESX hosts attached on 1/11 and 1/12 through VMNIC #2 and #3 and Nexus 1000V vEth ports]
  ESX Host 1 (192.168.100.199): VNMC 192.168.100.20, VSG-1 192.168.100.30, VSM-1 192.168.100.50
    HR Server #1 10.1.200.50, Finance Server #2 10.1.200.101
  ESX Host 2 (192.168.100.198): VSG-2 192.168.100.31 (Domain 90), VSM-2 192.168.100.51 (Domain 1)
    HR Server #2 10.1.200.51, Finance Server #1 10.1.200.100
Deny HR to Finance
[Figure: the same two-host topology with VSM-2 (192.168.100.51, Domain 1); HR Server #1 (10.1.200.50) and Finance Server #2 (10.1.200.101) on ESX1, HR Server #2 (10.1.200.51) and Finance Server #1 (10.1.200.100) on ESX2]
Policy Hierarchy
VNMC Policy: Deny HR to Finance Requests
Policy Summary on VSG
Nexus 1000V VSG
Syslog from VSG
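The policy screenshots did not survive extraction, so here is an added model of the hierarchy the "Deny HR to Finance" slides walk through. This is example code written for this page, not VSG/VNMC code or CLI syntax: VM attributes (here the VM name) place a VM in a zone, a rule matches on source and destination zone, a policy is an ordered rule list with a default action, and each decision is logged. The VM inventory uses the addresses from the topology slides; the zone names, the port, and the log line layout are assumptions.

```python
"""Model of the zone/rule/policy hierarchy behind the 'Deny HR to Finance' slides.

Added example; not VSG/VNMC code. Zones are derived from VM attributes, so the
policy follows a VM across hosts and VLANs, and it applies to VM-to-VM traffic
on the same host that never reaches the physical ASA.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed inventory matching the slides: IP -> (VM name, ESX host).
VMS = {
    "10.1.200.50":  ("HR-Server-1",      "ESX1"),
    "10.1.200.101": ("Finance-Server-2", "ESX1"),
    "10.1.200.51":  ("HR-Server-2",      "ESX2"),
    "10.1.200.100": ("Finance-Server-1", "ESX2"),
}

# Attribute-based zone membership (assumed naming convention).
ZONES = {
    "hr":      lambda name: name.startswith("HR-"),
    "finance": lambda name: name.startswith("Finance-"),
}


@dataclass
class Rule:
    name: str
    src_zone: Optional[str]          # None matches any zone
    dst_zone: Optional[str]
    action: str                      # "permit" or "drop"
    dst_port: Optional[int] = None   # None matches any port


@dataclass
class Policy:
    name: str
    rules: List[Rule] = field(default_factory=list)   # evaluated in order, first match wins
    default_action: str = "permit"


def zone_of(ip: str) -> str:
    """Resolve an IP to its zone through the VM inventory; unknown VMs land in 'unknown'."""
    name = VMS.get(ip, ("", None))[0]
    return next((z for z, match in ZONES.items() if match(name)), "unknown")


def evaluate(policy: Policy, src_ip: str, dst_ip: str, dst_port: int) -> Tuple[str, Optional[str]]:
    """First-match evaluation; returns (action, rule name), rule name None for the default."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in policy.rules:
        if rule.src_zone not in (None, src_zone):
            continue
        if rule.dst_zone not in (None, dst_zone):
            continue
        if rule.dst_port not in (None, dst_port):
            continue
        return rule.action, rule.name
    return policy.default_action, None


def log_line(policy: Policy, src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Constructed log layout for a decision (assumption: not VSG's real syslog format)."""
    action, rule = evaluate(policy, src_ip, dst_ip, dst_port)
    src_host = VMS.get(src_ip, ("", None))[1]
    dst_host = VMS.get(dst_ip, ("", None))[1]
    same_host = src_host is not None and src_host == dst_host
    return (f"policy={policy.name} rule={rule or 'default'} action={action} "
            f"src={src_ip}({zone_of(src_ip)}) dst={dst_ip}({zone_of(dst_ip)}):{dst_port} "
            f"same_host={'yes' if same_host else 'no'}")


# The slide's policy. It is one-directional: Finance can still initiate
# connections to HR unless a second rule or a deny default covers that.
DENY_HR_TO_FINANCE = Policy(
    name="deny-hr-to-finance",
    rules=[Rule("hr-to-finance", "hr", "finance", "drop")],
)

if __name__ == "__main__":
    for src, dst in [
        ("10.1.200.50", "10.1.200.100"),   # HR #1 -> Finance #1: crosses hosts
        ("10.1.200.50", "10.1.200.101"),   # HR #1 -> Finance #2: same host, never seen by the physical ASA
        ("10.1.200.100", "10.1.200.50"),   # Finance #1 -> HR #1: not covered by the rule
        ("10.1.200.50", "10.1.200.51"),    # HR #1 -> HR #2
    ]:
        print(log_line(DENY_HR_TO_FINANCE, src, dst, 445))
```

The second flow is the one that justifies a virtual firewall: HR Server #1 and Finance Server #2 share ESX1, so their traffic is switched inside the host and the ASA at the aggregation layer never sees it. The third flow shows why a single directional rule is not segmentation; a practitioner would pair it with a reverse rule or set the policy default to drop.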
Adding Identity and Access Control Services: ISE and TrustSec
ISE Traffic Flow
[Figure: the user at 10.1.204.126 authenticates with EAPOL (dot1x) to the 6506 (10.1.204.254); the switch sends a RADIUS Access-Request to ISE and receives an Access-Accept carrying SGT = 5; SXP advertises "IP Address 10.1.204.126 = SGT 5" to the Nexus 7000 Core VDC; the Nexus 7000 Agg VDC (10.1.200.254) holds the SG ACL matrix and the IP-address-to-SGT mapping; traffic then passes the ASA and the VSG toward HR Server #1 (10.1.200.50) and Finance Server #1 (10.1.200.100)]
Result: Finance user to Finance server is permitted (✓); Finance user to HR server is denied by the SG ACL matrix.
ISE Configuration Highlights
[Figure: ISE configuration screenshots]
ISE Authentication
[Figure: Catalyst 6500 with ISE as the authentication server]
  6506-2-airbus#sho authen sess int g3/1
              Interface:  GigabitEthernet3/1
            MAC Address:  0027.0e15.578e
             IP Address:  10.1.204.126
              User-Name:  finance1
                 Status:  Authz Success
                 Domain:  DATA
         Oper host mode:  multi-auth
       Oper control dir:  both
          Authorized By:  Authentication Server
            Vlan Policy:  N/A
                    SGT:  0005-0
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  0A01CC950000000D0EDFC178
        Acct Session ID:  0x0000001E
                 Handle:  0xC500000D

  Runnable methods list:
         Method   State
         mab      Failed over
         dot1x    Authc Success
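To make the ISE/TrustSec flow concrete, here is an added example (written for this page, not ISE, IOS or NX-OS code) that parses the `show authentication sessions interface` output above to learn the user's IP-to-SGT binding, merges it with static server bindings the way SXP-propagated mappings end up on an enforcement point, and evaluates the two flows from the traffic-flow slide against an SGACL matrix. The server tags (10, 11), the tag names and the matrix entries are assumptions; the slide only fixes SGT 5 for the finance user.

```python
"""Identity-based enforcement modelled on the ISE/TrustSec slides.

Added example; not Cisco code. Learn an IP-to-SGT binding from the switch's
session output, build the mapping table an SGACL enforcement point needs, and
apply a source-SGT x destination-SGT matrix with deny as the default.
"""
import re

# Copy of the Catalyst output from the slide, embedded so the example runs offline.
SHOW_AUTH = """\
6506-2-airbus#sho authen sess int g3/1
            Interface:  GigabitEthernet3/1
          MAC Address:  0027.0e15.578e
           IP Address:  10.1.204.126
            User-Name:  finance1
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
                  SGT:  0005-0
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A01CC950000000D0EDFC178
      Acct Session ID:  0x0000001E
               Handle:  0xC500000D

Runnable methods list:
       Method   State
       mab      Failed over
       dot1x    Authc Success
"""


def parse_session(text):
    """Extract IP, user, status and numeric SGT from 'show authentication sessions' output."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z -]*?):\s+(\S.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    # The tag is shown as <tag>-<generation>; the tag is read as hex here,
    # which is how IOS prints it, and 0005-0 is SGT 5 either way.
    tag, _, generation = fields["SGT"].partition("-")
    return {
        "ip": fields["IP Address"],
        "user": fields["User-Name"],
        "status": fields["Status"],
        "sgt": int(tag, 16),
        "sgt_generation": int(generation),
    }


# Static IP-to-SGT bindings for the servers (assumed tags; not on the slide).
SERVER_BINDINGS = {"10.1.200.100": 11, "10.1.200.50": 10}   # Finance Server #1, HR Server #1
SGT_NAMES = {0: "Unknown", 5: "Finance-Users", 10: "HR-Servers", 11: "Finance-Servers"}

# SGACL matrix keyed by (source SGT, destination SGT). Anything not listed
# is denied, the conservative default for a segmentation matrix.
SGACL = {
    (5, 11): "permit",   # Finance user -> Finance server (the ✓ on the slide)
    (5, 10): "deny",     # Finance user -> HR server
}


def build_bindings(sessions, static=SERVER_BINDINGS):
    """Merge bindings from authorized sessions with static ones, as an SXP listener would."""
    bindings = dict(static)
    for s in sessions:
        if s["status"] == "Authz Success":   # never map an IP from a failed or pending session
            bindings[s["ip"]] = s["sgt"]
    return bindings


def enforce(bindings, src_ip, dst_ip):
    """Return (action, src SGT, dst SGT); unmapped addresses carry SGT 0 and match no permit."""
    src_sgt = bindings.get(src_ip, 0)
    dst_sgt = bindings.get(dst_ip, 0)
    return SGACL.get((src_sgt, dst_sgt), "deny"), src_sgt, dst_sgt


if __name__ == "__main__":
    session = parse_session(SHOW_AUTH)
    bindings = build_bindings([session])
    for dst in ("10.1.200.100", "10.1.200.50"):
        action, s, d = enforce(bindings, session["ip"], dst)
        print(f"{session['user']} ({SGT_NAMES[s]}) -> {dst} ({SGT_NAMES[d]}): {action}")
    print("unauthenticated host ->", enforce(bindings, "10.1.204.200", "10.1.200.100"))
```

Two points worth checking in a real deployment are built into the code: a binding is only learned from a session whose status is `Authz Success` (the `mab Failed over` line shows the fallback method that must not hand out a tag), and an address with no binding is treated as SGT 0, which matches no permit cell, so a host that never authenticated gets nothing.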
Driving Simplicity: Data Center Design – Resources from Cisco
Validated Design Guides
    A Cisco Competitive Differentiator
• Cisco Validated Designs are recommended, validated, end-to-
  end designs for next-generation networks.
• The validated designs are tested and fully documented to help
  ensure faster, more reliable, and more predictable customer
  deployments.
• 3 types of guides
     •Design Guides – comprehensive design/implementation
     •Application Deployment Guides - Third-party applications
     •System Assurance Guides - intensive, ongoing system assurance test
     programs targeted at major network architectures or technologies.
Cisco Validated Designs for the DC
• CVD > SAFE
  http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/SAFE_RG/SAFE_rg.pdf
• CVD > Virtualized Multi-Tenant Data Center (VMDC)
  http://www.cisco.com/en/US/partner/docs/solutions/Enterprise/Data_Center/VMDC/1.1/design.html
• CVD > Secure Multi-Tenant CVD
  http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns743/ns1050/landing_dcVDDC.html
[Figure: ASA 5585-X and a Catalyst 6500 services chassis (Firewall, ACE, ESA, NAM, IPS, WSA) attached via vPC and VSS; centralized security and application service modules and appliances can be applied per zone]
Cisco Secure Data Center
[Figure: Internet Edge -> Data Center Core (Nexus 7018 with VDCs) -> Data Center Distribution (Nexus 7000 Series, SAN) -> vPC-attached zones: 10Gig Server Rack (Nexus 5000 Series, Nexus 2100 Series), Multi-Zone Unified Compute (Unified Computing System, Nexus 1000V), Services (Catalyst 6500 with ASA, ACE, IPS, NAM; ASA 5585-X; Virtual Service Nodes, via vPC/VSS)]
Network Foundation Protection: infrastructure security features are enabled to protect the device, traffic plane, and control plane. Device virtualization provides control, data, and management plane segmentation.
TrustSec: consistent enforcement of security policies with Security Group ACLs, and control of access to resources based on user identity and group membership. Link-level data integrity and confidentiality with standard encryption.
Centralized security and application service modules and appliances can be applied per zone:
• Stateful Packet Filtering: additional application firewall services for the server farm zone
• Network Intrusion Prevention: IPS/IDS provides traffic analysis and forensics
• Server Load Balancing: masks servers and applications and provides scaling
• Web and Email Security: security and filtering for web and email applications
• Access Edge Security: ACL, Dynamic ARP Inspection, DHCP Snooping, IP Source Guard, Port Security, Private VLANs, QoS
• Flow Based Traffic Analysis: NAM virtual blade; traffic analysis and reporting, application performance monitoring, VM-level interface statistics
Q&A
#CiscoPlusCA
Access today's presentations at cisco.com/ca/plus
Cloud Computing, SDN, Big Data and Internet of Everything - Lew TuckerCloud Computing, SDN, Big Data and Internet of Everything - Lew Tucker
Cloud Computing, SDN, Big Data and Internet of Everything - Lew Tucker
 
Nevmug Green Pages Cisco Nexus January 2009
Nevmug   Green Pages Cisco   Nexus January 2009Nevmug   Green Pages Cisco   Nexus January 2009
Nevmug Green Pages Cisco Nexus January 2009
 
Prodware wa college - marcel meijer
Prodware   wa college - marcel meijerProdware   wa college - marcel meijer
Prodware wa college - marcel meijer
 
PHP Day 2011 PHP goes to the cloud
PHP Day 2011 PHP goes to the cloudPHP Day 2011 PHP goes to the cloud
PHP Day 2011 PHP goes to the cloud
 
Kappa data corporate preso v2 luxembourg 2013
Kappa data corporate preso v2 luxembourg 2013Kappa data corporate preso v2 luxembourg 2013
Kappa data corporate preso v2 luxembourg 2013
 
The Ever Changing Cloud, CloudExpo 2012
The Ever Changing Cloud, CloudExpo 2012The Ever Changing Cloud, CloudExpo 2012
The Ever Changing Cloud, CloudExpo 2012
 
What virtualization means to the branch office
What virtualization means to the branch officeWhat virtualization means to the branch office
What virtualization means to the branch office
 
Choosing Your Windows Azure Platform Strategy
Choosing Your Windows Azure Platform StrategyChoosing Your Windows Azure Platform Strategy
Choosing Your Windows Azure Platform Strategy
 
Emulex OneCommand Management Framework
Emulex OneCommand Management Framework Emulex OneCommand Management Framework
Emulex OneCommand Management Framework
 
Building reliable systems from unreliable components
Building reliable systems from unreliable componentsBuilding reliable systems from unreliable components
Building reliable systems from unreliable components
 
Value Networks and Business Models of Information-centric Networking
Value Networks and Business Models of Information-centric NetworkingValue Networks and Business Models of Information-centric Networking
Value Networks and Business Models of Information-centric Networking
 
Virtual Data Centers with OpenStack Quantum
Virtual Data Centers with OpenStack QuantumVirtual Data Centers with OpenStack Quantum
Virtual Data Centers with OpenStack Quantum
 
Virtual data centers with OpenStack Quantum
Virtual data centers with OpenStack QuantumVirtual data centers with OpenStack Quantum
Virtual data centers with OpenStack Quantum
 

Mehr von Cisco Canada

Cisco connect montreal 2018 net devops
Cisco connect montreal 2018 net devopsCisco connect montreal 2018 net devops
Cisco connect montreal 2018 net devopsCisco Canada
 
Cisco connect montreal 2018 iot demo kinetic fr
Cisco connect montreal 2018   iot demo kinetic frCisco connect montreal 2018   iot demo kinetic fr
Cisco connect montreal 2018 iot demo kinetic frCisco Canada
 
Cisco connect montreal 2018 - Network Slicing: Horizontal Virtualization
Cisco connect montreal 2018 - Network Slicing: Horizontal VirtualizationCisco connect montreal 2018 - Network Slicing: Horizontal Virtualization
Cisco connect montreal 2018 - Network Slicing: Horizontal VirtualizationCisco Canada
 
Cisco connect montreal 2018 secure dc
Cisco connect montreal 2018    secure dcCisco connect montreal 2018    secure dc
Cisco connect montreal 2018 secure dcCisco Canada
 
Cisco connect montreal 2018 enterprise networks - say goodbye to vla ns
Cisco connect montreal 2018   enterprise networks - say goodbye to vla nsCisco connect montreal 2018   enterprise networks - say goodbye to vla ns
Cisco connect montreal 2018 enterprise networks - say goodbye to vla nsCisco Canada
 
Cisco connect montreal 2018 vision mondiale analyse locale
Cisco connect montreal 2018 vision mondiale analyse localeCisco connect montreal 2018 vision mondiale analyse locale
Cisco connect montreal 2018 vision mondiale analyse localeCisco Canada
 
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec CiscoCisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec CiscoCisco Canada
 
Cisco connect montreal 2018 collaboration les services webex hybrides
Cisco connect montreal 2018 collaboration les services webex hybridesCisco connect montreal 2018 collaboration les services webex hybrides
Cisco connect montreal 2018 collaboration les services webex hybridesCisco Canada
 
Integration cisco et microsoft connect montreal 2018
Integration cisco et microsoft connect montreal 2018Integration cisco et microsoft connect montreal 2018
Integration cisco et microsoft connect montreal 2018Cisco Canada
 
Cisco connect montreal 2018 compute v final
Cisco connect montreal 2018   compute v finalCisco connect montreal 2018   compute v final
Cisco connect montreal 2018 compute v finalCisco Canada
 
Cisco connect montreal 2018 saalvare md-program-xr-v2
Cisco connect montreal 2018 saalvare md-program-xr-v2Cisco connect montreal 2018 saalvare md-program-xr-v2
Cisco connect montreal 2018 saalvare md-program-xr-v2Cisco Canada
 
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...Cisco Canada
 
Cisco Connect Toronto 2018 DNA automation-the evolution to intent-based net...
Cisco Connect Toronto 2018   DNA automation-the evolution to intent-based net...Cisco Connect Toronto 2018   DNA automation-the evolution to intent-based net...
Cisco Connect Toronto 2018 DNA automation-the evolution to intent-based net...Cisco Canada
 
Cisco Connect Toronto 2018 an introduction to Cisco kinetic
Cisco Connect Toronto 2018   an introduction to Cisco kineticCisco Connect Toronto 2018   an introduction to Cisco kinetic
Cisco Connect Toronto 2018 an introduction to Cisco kineticCisco Canada
 
Cisco Connect Toronto 2018 IOT - unlock the power of data - securing the in...
Cisco Connect Toronto 2018   IOT - unlock the power of data - securing the in...Cisco Connect Toronto 2018   IOT - unlock the power of data - securing the in...
Cisco Connect Toronto 2018 IOT - unlock the power of data - securing the in...Cisco Canada
 
Cisco Connect Toronto 2018 DevNet Overview
Cisco Connect Toronto 2018  DevNet OverviewCisco Connect Toronto 2018  DevNet Overview
Cisco Connect Toronto 2018 DevNet OverviewCisco Canada
 
Cisco Connect Toronto 2018 DNA assurance
Cisco Connect Toronto 2018  DNA assuranceCisco Connect Toronto 2018  DNA assurance
Cisco Connect Toronto 2018 DNA assuranceCisco Canada
 
Cisco Connect Toronto 2018 network-slicing
Cisco Connect Toronto 2018   network-slicingCisco Connect Toronto 2018   network-slicing
Cisco Connect Toronto 2018 network-slicingCisco Canada
 
Cisco Connect Toronto 2018 the intelligent network with cisco meraki
Cisco Connect Toronto 2018   the intelligent network with cisco merakiCisco Connect Toronto 2018   the intelligent network with cisco meraki
Cisco Connect Toronto 2018 the intelligent network with cisco merakiCisco Canada
 
Cisco Connect Toronto 2018 sixty to zero
Cisco Connect Toronto 2018   sixty to zeroCisco Connect Toronto 2018   sixty to zero
Cisco Connect Toronto 2018 sixty to zeroCisco Canada
 

Mehr von Cisco Canada (20)

Cisco connect montreal 2018 net devops
Cisco connect montreal 2018 net devopsCisco connect montreal 2018 net devops
Cisco connect montreal 2018 net devops
 
Cisco connect montreal 2018 iot demo kinetic fr
Cisco connect montreal 2018   iot demo kinetic frCisco connect montreal 2018   iot demo kinetic fr
Cisco connect montreal 2018 iot demo kinetic fr
 
Cisco connect montreal 2018 - Network Slicing: Horizontal Virtualization
Cisco connect montreal 2018 - Network Slicing: Horizontal VirtualizationCisco connect montreal 2018 - Network Slicing: Horizontal Virtualization
Cisco connect montreal 2018 - Network Slicing: Horizontal Virtualization
 
Cisco connect montreal 2018 secure dc
Cisco connect montreal 2018    secure dcCisco connect montreal 2018    secure dc
Cisco connect montreal 2018 secure dc
 
Cisco connect montreal 2018 enterprise networks - say goodbye to vla ns
Cisco connect montreal 2018   enterprise networks - say goodbye to vla nsCisco connect montreal 2018   enterprise networks - say goodbye to vla ns
Cisco connect montreal 2018 enterprise networks - say goodbye to vla ns
 
Cisco connect montreal 2018 vision mondiale analyse locale
Cisco connect montreal 2018 vision mondiale analyse localeCisco connect montreal 2018 vision mondiale analyse locale
Cisco connect montreal 2018 vision mondiale analyse locale
 
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec CiscoCisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
 
Cisco connect montreal 2018 collaboration les services webex hybrides
Cisco connect montreal 2018 collaboration les services webex hybridesCisco connect montreal 2018 collaboration les services webex hybrides
Cisco connect montreal 2018 collaboration les services webex hybrides
 
Integration cisco et microsoft connect montreal 2018
Integration cisco et microsoft connect montreal 2018Integration cisco et microsoft connect montreal 2018
Integration cisco et microsoft connect montreal 2018
 
Cisco connect montreal 2018 compute v final
Cisco connect montreal 2018   compute v finalCisco connect montreal 2018   compute v final
Cisco connect montreal 2018 compute v final
 
Cisco connect montreal 2018 saalvare md-program-xr-v2
Cisco connect montreal 2018 saalvare md-program-xr-v2Cisco connect montreal 2018 saalvare md-program-xr-v2
Cisco connect montreal 2018 saalvare md-program-xr-v2
 
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
 
Cisco Connect Toronto 2018 DNA automation-the evolution to intent-based net...
Cisco Connect Toronto 2018   DNA automation-the evolution to intent-based net...Cisco Connect Toronto 2018   DNA automation-the evolution to intent-based net...
Cisco Connect Toronto 2018 DNA automation-the evolution to intent-based net...
 
Cisco Connect Toronto 2018 an introduction to Cisco kinetic
Cisco Connect Toronto 2018   an introduction to Cisco kineticCisco Connect Toronto 2018   an introduction to Cisco kinetic
Cisco Connect Toronto 2018 an introduction to Cisco kinetic
 
Cisco Connect Toronto 2018 IOT - unlock the power of data - securing the in...
Cisco Connect Toronto 2018   IOT - unlock the power of data - securing the in...Cisco Connect Toronto 2018   IOT - unlock the power of data - securing the in...
Cisco Connect Toronto 2018 IOT - unlock the power of data - securing the in...
 
Cisco Connect Toronto 2018 DevNet Overview
Cisco Connect Toronto 2018  DevNet OverviewCisco Connect Toronto 2018  DevNet Overview
Cisco Connect Toronto 2018 DevNet Overview
 
Cisco Connect Toronto 2018 DNA assurance
Cisco Connect Toronto 2018  DNA assuranceCisco Connect Toronto 2018  DNA assurance
Cisco Connect Toronto 2018 DNA assurance
 
Cisco Connect Toronto 2018 network-slicing
Cisco Connect Toronto 2018   network-slicingCisco Connect Toronto 2018   network-slicing
Cisco Connect Toronto 2018 network-slicing
 
Cisco Connect Toronto 2018 the intelligent network with cisco meraki
Cisco Connect Toronto 2018   the intelligent network with cisco merakiCisco Connect Toronto 2018   the intelligent network with cisco meraki
Cisco Connect Toronto 2018 the intelligent network with cisco meraki
 
Cisco Connect Toronto 2018 sixty to zero
Cisco Connect Toronto 2018   sixty to zeroCisco Connect Toronto 2018   sixty to zero
Cisco Connect Toronto 2018 sixty to zero
 

Kürzlich hochgeladen

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 

Kürzlich hochgeladen (20)

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 

Security and Virtualization in the Data Center

  • 2. Speaker information • Contact information: – David Anderson – Solutions Architect – Borderless Security team – US – E-mail: dma1@cisco.com • Focus areas: – Data Center Security – Virtualization – Secure Mobility – Security Design – Compliance (PCI, Federal)
  • 3. Takeaways • To effectively integrate security must understand the core data center fabric technologies and features: VDC, vPC, VRF, server virtualization, traffic flows • Security as part of the core design • Designs to enforce microsegmentation in the data center • Enforce separation of duties in virtualized and cloud environments • Security to enforce continuous compliance
  • 4. Secure Data Center Data Center Primer Secure Data Center Components Secure Data Center Design Fundamentals Secure Data Center Design Details
  • 6. Cisco Datacenter Terms Primer Know the lingo • VDC – Virtual Device Context • VPC – Virtual Port Channel • VSS & MEC – Virtual Switching System & Multi-chassis Ether-channel • VSL & Peer Link – Virtual Switch Link • ECMP – Equal cost Multi-Path • VSD – Virtual Service Domain • VBS – Virtual Blade Switching • VRF – Virtual Routing & Forwarding • FabricPath
  • 7. Data Center Architecture Application Virtual Storage Aggregation IP-NGN VSwitch Compute Access Core Edge Software Machines & SAN and Services Backbone Virtual Device Contexts Fabric-Hosted Storage Virtualization Virtual Device Contexts Internet IP-NGN Service Profiles Port Profiles & VN- Virtual Machine Link Application Control Optimization (SLB+) Port Profiles & VN- Partners Link Service Control Fibre Channel Forwarding Fabric Extension
  • 8. Secure Data Center Architecture Application Virtual Storage Aggregation IP-NGN VSwitch Compute Access Core Edge Software Machines & SAN and Services Backbone Virtual Device Contexts Firewall Services Fabric-Hosted Storage Virtualization Intrusion Detection Virtual Device Contexts Internet Storage Media Secure Domain Encryption Routing IP-NGN Service Profiles Port Profiles & VN- Port Profiles & Link VN-Link Virtual Machine Optimization Virtual Firewall Edge and VM Partners Fibre Channel Forwarding Fabric Extension Line-Rate NetFlow Application Control (SLB+) Service Control Virtual Contexts for FW & SLB
  • 9. Data Center Security Challenges
  • 10. Security Threats & Considerations  Denial of Service i.e. (Google, Twitter, Facebook)  APT – Targeted Attacks / Nation State Attacks  Data Protection for Privacy and Data Compliance  Application Exploits (SQL Injection)  Malware / Botnets  Mobile Malicious Code  Virtualization Concerns
  • 11. Secure the Platform Add Security Services Network security best practices  VRF, VLAN, Access control Lists • Network device hardening • Defense in Depth  Stateful Network Firewalls • AAA  Intrusion Detection and Prevention • NetFlow • Separation of duties and least privileges  Web firewalls Virtualization specifics  Load Balancers • Follow hypervisor hardening recommendations  SSL Offloading • Access Controls (production vs. management) • Secure and harden Guest OS  Virtual security appliances • Segmentation  Management and Visibility tools
  • 12. Data Center Security Components: What’s in our toolbox
  • 13. Physical and Virtual Service Nodes Redirect VM traffic via VLANs to Apply hypervisor-based 1 external (physical) appliances 2 network services Web App Database Web App Database Server Server Server Server Server Server Hypervisor Hypervisor VLANs VSN Virtual Contexts VSN Virtual Service Nodes Traditional Service Nodes
  • 14. Physical Firewalls ASA Services Module Web App Database Server Server Server Hypervisor VLANs ASA 5585 Appliance Virtual Contexts Traditional Service Nodes
  • 15. Features in ASA Firewalls EtherChannel  ASA supports Link Aggregation Control Protocol (LACP), an IEEE 802.3ad standard  Each port-channel supports up to 8 active and 8 standby links  Supported methods of aggregation: Active, Passive & On  EtherChannel ports are treated just like physical and logical interfaces on ASA • ASA can tie-in directly to vPC (Nexus 7000) or VSS (6500) enabled switch Up to 32 interfaces per Virtual Context (formerly 2) – - 4 Interfaces per bridge group 8 bridge groups per Virtual Context
  • 16. Catalyst 6500 VSS and Nexus 7000 vPC • Dual Active Forwarding Paths VSS • Loop-Free Design vPC VSL peer link MCEC MCEC vPC vPC EC EC EC EC Active Standby Active Standby Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential
  • 17. ASA Integration with vPC & VSS vPC VSS peer link VSL MCEC MCEC vPC vPC EC EC EC EC Active Standby Active Standby Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential
  • 18. Virtualization Concerns • Policy Enforcement –Applied at physical server—not the individual VM –Impossible to enforce policy for VMs in motion • Operations and Management –Lack of VM visibility, accountability, and consistency –Difficult management model and inability to effectively troubleshoot • Roles and Responsibilities –Muddled ownership as server admin must configure virtual network Web App DB –Organizational redundancy creates compliance challenges Server Server Server Hypervisor • Machine Segmentation VLANs –Server and application isolation on same physical server Virtual Contexts –No separation between compliant and non-compliant systems…
  • 19. Virtualization & Virtual Service Nodes Virtual Security Gateway Web App Database Server Server Server Zone based intra-tenant segmentation of VMs Hypervisor Nexus 1000V ASA 1000V VSN VSN Ingress/Egress multi- Virtual Service Nodes tenant edge deployment
  • 20. Cisco‘s Virtual Security Architecture Orchestration / Cloud Portals Virtual Network Management Center Extending existing operational workflows to virtualized environments VSG ASA 1000V Extending network services to virtualized environments Extending networking to virtualized environments Nexus 1000V vPath
  • 21. vPath— The intelligent virtual network • vPath is intelligence build into Virtual Ethernet Module (VEM) of Nexus 1000V (1.4 and above) • vPath has two main functions: a. Intelligent Traffic Steering b. Offload processing via Fastpath from virtual Service Nodes to VEM • Dynamic Security Policy Provisioning (via security profile) • Leveraging vPath enhances the service performance by moving the processing to Hypervisor vPath Nexus 1000V-VEM
  • 22. vPath: Fast Path Switching for Virtualization VM VM VM VNMC VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM 4 Nexus 1000V vPath Distributed Virtual Switch 3 Decision Caching ASA VSG 2 1000V 1 Initial Packet Flow Access Control Flow (policy evaluation)
  • 23. Cisco Virtual Security Gateway Context aware Security VM context aware rules Zone based Virtual Controls Establish zones of trust Security Dynamic, Agile Policies follow vMotion Gateway (VSG) Best-in-class Architecture Efficient, Fast, Scale-out SW Non-Disruptive Virtual Network Operations Security team manages security Management Policy Based Central mgmt, scalable deployment, Center Administration multi-tenancy Designed for (VNMC) Automation XML API, security profiles
  • 24. Virtual Security Gateway • Context based rule engine, where ACLs can be expressed using any combination of network (5-tuple), custom and VM attributes. It’s extensible so other types of context/attributes can be added in future • No need to deploy on every physical server (this is due to 1000V vPath intelligence) • Hence can be deployed on a dedicated server, or hosted on a Nexus 1010 appliance • Performance optimization via enforcement off-load to 1000V vPath • High availability
• 25. ASA 1000V
  – Runs the same OS as the ASA appliance and blade
  – Maintains the ASA stateful inspection engines
  – IPsec site-to-site VPN
  – Collaborative security model: VSG for intra-tenant secure zones, virtual ASA for tenant-edge controls
  – Integration with Nexus 1000V and vPath
  [Diagram: Tenant A VDC and Tenant B VDC, each with vApps protected by VSGs and a virtual ASA at the tenant edge, all on Nexus 1000V with vPath over vSphere.]
• 26. Nexus 1000V Port Profiles
  A port profile defined on the Nexus 1000V is published to vCenter through the vCenter API and appears there as a port group; virtual Ethernet interfaces then inherit the profile:

    port-profile vm180
      vmware port-group pg180
      switchport mode access
      switchport access vlan 180
      ip flow monitor ESE-flow input
      ip flow monitor ESE-flow output
      no shutdown
      state enabled
    interface Vethernet9
      inherit port-profile vm180
    interface Vethernet10
      inherit port-profile vm180

  Supported commands include: port management, port-channel, VLAN, ACL, PVLAN, NetFlow, port security, QoS.
  • 27. Security Policy to Port Profile
• 29. Secure Data Center
  – Network security can be mapped and applied to both the physical and virtual DC networks
  – Zones can be used to provide data-centric security policy enforcement
  – Steer VM traffic to a firewall context
  – Segment pools of blade resources per zone
  – Segment network traffic within the zone: system traffic, VM traffic, management traffic
  – Lock down elements within a zone
  – Unique policies and traffic decisions can be applied to each zone, creating very flexible designs
  – Foundation for a secure private cloud
• 30. Understand Network and Application Flows
  – Understand how the applications are deployed and accessed, both internally and externally
  – Understand the north-south and east-west flow patterns
  – Adjacency of services to servers is important: adding services to existing flow patterns minimizes packet gymnastics
  – Again, design with the maximum amount of high availability: know your failover and failback times and the traffic paths during failover scenarios
  [Diagram: a web client reaching a web-zone, application-zone and database-zone, each holding web, application and database servers. Only web servers are permitted access to application servers; only application servers are permitted access to database servers.]
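The zone matrix on this slide, as an added example (it is not from the presentation or from any Cisco code): a small Python model that classifies a flow as north-south or east-west, applies the web/application/database zone rules with a default deny, and renders the same matrix as ASA extended ACL lines. The zone subnets, the ports (443, 8080, 3306), the sample client address and the ACL name DC_ZONES are assumptions; the slide gives only the zone names and the two "only permit" statements.

```python
import ipaddress
from dataclasses import dataclass

# Constructed zone addressing: the slide names the zones but gives no subnets,
# so these prefixes (and the ports below) are assumptions for the example.
ZONES = {
    "web-zone": ipaddress.ip_network("10.1.10.0/24"),
    "application-zone": ipaddress.ip_network("10.1.20.0/24"),
    "database-zone": ipaddress.ip_network("10.1.30.0/24"),
}
OUTSIDE = "internet"  # anything that falls in no zone prefix, e.g. the web client


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int


# The slide's policy: only web servers may reach application servers, only
# application servers may reach database servers. Rules describe connection
# initiation; a stateful firewall admits the replies, so no reverse rules.
ALLOWED = (
    Rule(OUTSIDE, "web-zone", "tcp", 443),
    Rule("web-zone", "application-zone", "tcp", 8080),
    Rule("application-zone", "database-zone", "tcp", 3306),
)


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return OUTSIDE


def direction(src_ip: str, dst_ip: str) -> str:
    """North-south if either end is outside the data center, otherwise east-west."""
    if OUTSIDE in (zone_of(src_ip), zone_of(dst_ip)):
        return "north-south"
    return "east-west"


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int):
    """Verdict for a new connection: (verdict, direction, matching rule or None)."""
    key = (zone_of(src_ip), zone_of(dst_ip), proto, dport)
    for rule in ALLOWED:
        if (rule.src_zone, rule.dst_zone, rule.proto, rule.dport) == key:
            return "permit", direction(src_ip, dst_ip), rule
    # Default deny also covers east-west paths the matrix never mentions,
    # such as web-zone straight to database-zone.
    return "deny", direction(src_ip, dst_ip), None


def to_asa_acl(name: str = "DC_ZONES") -> list:
    """Render the zone matrix as ASA extended ACL lines (ACL name is hypothetical)."""
    def endpoint(zone: str) -> str:
        if zone == OUTSIDE:
            return "any"
        net = ZONES[zone]
        return f"{net.network_address} {net.netmask}"

    lines = [
        f"access-list {name} extended permit {r.proto} "
        f"{endpoint(r.src_zone)} {endpoint(r.dst_zone)} eq {r.dport}"
        for r in ALLOWED
    ]
    lines.append(f"access-list {name} extended deny ip any any")
    return lines


if __name__ == "__main__":
    sample_flows = [  # constructed flows; 198.51.100.7 stands in for the web client
        ("198.51.100.7", "10.1.10.5", "tcp", 443),
        ("10.1.10.5", "10.1.20.5", "tcp", 8080),
        ("10.1.10.5", "10.1.30.5", "tcp", 3306),
    ]
    for flow in sample_flows:
        verdict, dirn, _ = evaluate(*flow)
        print(f"{flow[0]:>14} -> {flow[1]:<10} {flow[2]}/{flow[3]:<5} {dirn:<11} {verdict}")
    print("\n".join(to_asa_acl()))
```

The point of the explicit default-deny line is the east-west case: web-zone to database-zone is never listed, so it is denied even though both ends are inside the data center and never cross the north-south firewall path.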
• 31. Important
  – Careful attention should be given to where the server's default gateway resides
  – Changing where the gateway resides can be disruptive; non-greenfield designs require flexibility for deploying new services, e.g. moving the gateway from the switch to a service appliance
  – Service introduction (firewall, web security, load balancing) can have an impact on data center traffic flows
  – Design with the maximum amount of high availability: know your failover and failback times and the traffic paths during failover scenarios
  – Multicast support considerations for L2 vs. L3 services
• 32. Traditional North-South Traffic Flow
  – Ingress and egress traffic from each zone is routed and filtered appropriately, with IPS
  – A physical firewall, IPS, etc. is deployed for each zone
  – Physical devices for each zone are sometimes required, but can be an expensive solution
  [Diagram: Internet, ASA, aggregation, top-of-rack access, and Zones A, B and C of vApps on vSphere, each zone with its own physical firewall and IPS.]
• 33. Network Virtualization and Zones
  Acme Co.: control traffic and apply policy per zone
  – Zones are used to provide data-centric security policy enforcement; unique policies and traffic decisions are applied to each zone
  – Physical network security zones are mapped per zone: VRF, virtual context
  – Lock down elements in the zone
  – Steer VM traffic to a firewall context
  – Segment network traffic in the zone: system traffic, VM traffic, management traffic
  – Segment pools of blade resources per zone
  [Diagram: two vSphere hosts with virtual switches, each zone mapped to its own VRF and firewall context.]
• 34. North-South Traffic with Network Virtualization
  [Diagram: Internet, physical ASA, aggregation layer with VLAN 10 (gateway 192.168.10.1) and VLAN 20 (gateway 192.168.20.1) in separate VRFs, an ASA virtual context in Layer 2 (transparent) mode per zone, the access layer, and Zones A, B and C of vApps on vSphere.]
• 35. Microsegmentation: Per Zone, Per VM, Per vNIC
  – Stateful filtering of ingress/egress traffic for each zone (virtual ASA)
  – VM segmentation based on VM attributes or ACL (VSG)
  – Zone-to-zone traffic can be encrypted via IPsec between the virtual ASAs
  – Demonstrable segmentation and encryption for virtualization compliance
  [Diagram: aggregation layer with VLAN 10 and VLAN 20, Zones A, B and C, a virtual ASA per zone with IPsec between them, a VSG per vApp, vPath and Nexus 1000V on vSphere; one zone is a separate tenant VDC.]
• 36. Segmentation of Production and Non-Production Traffic
  [Diagram: an ESX host running Nexus 1000V with vPath, VSG and ASA 1000V. VMkernel management and storage traffic and production vEth traffic leave the host on separate VMNICs (VMNIC 1 to 4) toward three separate networks: the management network (vCenter, VNMC), the storage network, and the production network.]
• 37. Visibility: Monitor VM-to-VM Traffic
  – Nexus 1000V supports NetFlow v9 and ERSPAN/SPAN
  – Permit protocol type 0x88BE (ERSPAN over GRE) on any firewall between the ERSPAN source and its destination
  – ERSPAN does not support fragmentation
  – Nexus 1000V requires a NetFlow source interface; it defaults to mgmt0
  ERSPAN source and destination sessions shown on the slide:

    monitor session 1 type erspan-source
      description N1k ERSPAN – session 1
    monitor session 2 type erspan-source
      description N1k ERSPAN – session 2
    monitor session 3 type erspan-destination
      description N1k ERSPAN to NAM
    monitor session 4 type erspan-destination
      description N1k ERSPAN to IDS1

  [Diagram: from Zones B and C across the aggregation layer, NetFlow (ID 1) is exported to a NetFlow analyzer, and ERSPAN (ID 2) is delivered to the ERSPAN destinations: the NAM and an intrusion detection sensor.]
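An added example, not part of the presentation and not a Cisco tool, to make the two ERSPAN caveats above concrete: a Python decoder for IPv4/GRE/ERSPAN Type II that identifies the 0x88BE GRE protocol type a firewall must permit and rejects fragmented carrier packets, plus a firewall_permit check that also pins the collector address. The packet builder produces constructed test input (the addresses 192.168.100.199 and 192.168.100.200, session ID 1 and VLAN 180 are assumptions, not captures from the slide's setup).

```python
import struct

IP_PROTO_GRE = 47
GRE_PROTO_ERSPAN = 0x88BE   # ERSPAN Type II protocol type in the GRE header
GRE_FLAG_CSUM, GRE_FLAG_KEY, GRE_FLAG_SEQ = 0x8000, 0x2000, 0x1000
ERSPAN_TYPE2_VERSION = 1


def _dotted(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_erspan_packet(src_ip, dst_ip, session_id, vlan, frame, more_fragments=False):
    """Construct an IPv4/GRE/ERSPAN Type II packet as test input (not a real capture)."""
    gre = struct.pack("!HHI", GRE_FLAG_SEQ, GRE_PROTO_ERSPAN, 1)   # flags, proto, seq
    # ERSPAN II header: Ver(4) VLAN(12) | COS(3) En(2) T(1) Session(10) | Res(12) Index(20)
    word1 = (ERSPAN_TYPE2_VERSION << 28) | ((vlan & 0xFFF) << 16) | (session_id & 0x3FF)
    erspan = struct.pack("!II", word1, 0)
    body = gre + erspan + frame
    flags_frag = 0x2000 if more_fragments else 0x4000   # MF set, or DF set
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0x1234, flags_frag,
                     64, IP_PROTO_GRE, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return ip + body


def parse_erspan(packet: bytes) -> dict:
    """Decode the encapsulation; returns ok=False with a reason when the packet is not
    usable as ERSPAN (wrong GRE protocol type, or a fragmented carrier)."""
    if len(packet) < 20:
        return {"ok": False, "reason": "truncated ip header"}
    ver_ihl, _, _, _, flags_frag, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4 or proto != IP_PROTO_GRE:
        return {"ok": False, "reason": "not ipv4/gre"}
    if flags_frag & 0x2000 or flags_frag & 0x1FFF:      # MF bit or non-zero offset
        return {"ok": False, "reason": "fragmented: erspan does not support fragmentation"}
    gre = packet[(ver_ihl & 0x0F) * 4:]
    if len(gre) < 4:
        return {"ok": False, "reason": "truncated gre header"}
    gre_flags, gre_proto = struct.unpack("!HH", gre[:4])
    if gre_proto != GRE_PROTO_ERSPAN:
        return {"ok": False, "reason": f"gre protocol type 0x{gre_proto:04x} is not erspan"}
    offset = 4                                           # skip optional GRE fields
    if gre_flags & GRE_FLAG_CSUM:
        offset += 4
    if gre_flags & GRE_FLAG_KEY:
        offset += 4
    if gre_flags & GRE_FLAG_SEQ:
        offset += 4
    if len(gre) < offset + 8:
        return {"ok": False, "reason": "truncated erspan header"}
    word1, _ = struct.unpack("!II", gre[offset:offset + 8])
    return {"ok": True, "src": _dotted(src), "dst": _dotted(dst),
            "version": word1 >> 28, "vlan": (word1 >> 16) & 0xFFF,
            "session_id": word1 & 0x3FF, "frame": gre[offset + 8:]}


def firewall_permit(packet: bytes, collectors) -> bool:
    """The rule a firewall between the Nexus 1000V and the analyzer needs: IP protocol 47
    carrying GRE protocol type 0x88BE, and only toward an approved collector."""
    info = parse_erspan(packet)
    return bool(info["ok"]) and info["dst"] in collectors


if __name__ == "__main__":
    pkt = build_erspan_packet("192.168.100.199", "192.168.100.200", 1, 180, b"\x00" * 14)
    print(parse_erspan(pkt))
    print("permitted:", firewall_permit(pkt, {"192.168.100.200"}))
```

Pinning the collector matters because a bare "permit GRE 0x88BE" rule lets any host that can reach the firewall push mirrored frames to any destination; the fragmentation check reflects the slide's caveat, so size the path MTU for the mirrored frame plus the 36 bytes of IP, GRE and ERSPAN headers rather than relying on fragmentation.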
• 38. Virtualization & Compliance: PCI DSS 2.0 Guidance
  – PCI security requirements apply to all "system components"
  – System components are defined as:
    – any network component, server, or application that is included in or connected to the cardholder data environment
    – virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors
  – The cardholder data environment is that part of the network that possesses cardholder data or sensitive authentication data
  – Adequate network segmentation, which isolates systems that store, process, or transmit cardholder data from those that do not, may reduce the scope of the cardholder data environment
  Implications for the virtualized data center:
  – All virtual components are in scope
  – All virtual communications and data flows must be identified and documented
  – The virtualized environment must maintain proper segmentation
  – Must meet the intent of all 12 PCI requirements
  Source: PCI DSS 2.0
  [Diagram: the production/non-production segmentation host from slide 36 (VMkernel management and storage, VSG, vPath, ASA 1000V, Nexus 1000V, VMNIC 1 to 4).]
• 40. Secure Data Center Reference Architecture
  – 2x Nexus 7010 with VDCs (Core and Aggregation), NX-OS 5.1(3)
  – 2x Nexus 5000 for top of rack
  – 2x ASA 5585-60 with IPS
  – 2x Catalyst 6500-E with ASA-SMs
  – 2x Virtual Security Gateway (VSG) in HA mode
  – 2x Nexus 1000V with redundant VSMs
  – Identity Services Engine (ISE) for 802.1X user AAA
  – Standard VMware ESXi infrastructure with multiple service domains (Active Directory, DNS, VDI, etc.)
• 41. Traditional Model
  – Services are aggregated at the distribution layer
  – Single- or multi-tenant zone-based segmentation
  – Virtual contexts create security zones from the DC edge to the virtual machine: VRF -> firewall -> VLAN -> virtual switch -> virtual firewall -> vNIC -> VM
  – EtherChannel and vPC provide a loop-free Layer 2 environment
  – Visibility and control for VM-to-VM flows
  [Diagram: Layer 3 routed core above the Layer 2 boundary at the aggregation layer.]
• 42. ASA Details
  [Diagram: two ASA 5585s (5585-1 "Twain", 5585-2 "Voltaire") in transparent mode, each attached by port-channel 1 to the Nexus 7000 AGG-VDCs 7k-1 and 7k-2 as vPC9 and vPC10. One bridge group (10.1.200.199) bridges Po1.201 (v201, outside) and Po1.200 (v200, inside); the other (10.1.204.199) bridges Po1.205 (v205, service-out) and Po1.204 (v204, service-in).]
  – ASA side: channel-group 1 mode passive
  – Nexus 7000 side: channel-group 1 mode active
  – Port-channel load-balancing configuration (system): src-dst ip
• 43. Secure Service Pod Model
  – A services pod centralizes security services
  – Traffic is forwarded via service-specific VLANs
  – Modules (Catalyst 6500) and appliances supported
  – Highly scalable modular design
  – Single- or multi-tenant zone-based segmentation
  – Security zones from the DC edge to the virtual machine
  [Diagram: Layer 3 routed core above the Layer 2 boundary, with the services pod attached at the aggregation layer.]
• 44. Nexus 7000 & Catalyst 6500 Channel Group Modes
  [Diagram: Nexus 7000 AGG-VDCs 7k-1 and 7k-2 with channel-group 1 mode active and channel-group 2 mode active (vPC1, vPC2) toward the two Catalyst 6500s (6506-1 "WestJet", 6506-2 "Airbus") hosting ASA-SMs, which show channel-group 1 mode on and channel-group 2 mode on.]
  Caveat: the two ends of each channel must use compatible modes. LACP active pairs with active or passive; a static bundle (mode on) neither sends nor processes LACPDUs, so it only pairs with mode on at the far end. A mismatch leaves the bundle down or the member links suspended, so verify the modes on both ends of every vPC member link.
• 45. ASA SM Layer 2 and 3
  The ASA-SM bridges VLAN 221 (outside) and VLAN 220 (inside); the BVI carries the module's own management address on that bridge group:

    interface BVI2
      description bvi for 221 and 220
      ip address 10.1.221.199 255.255.255.0
• 46. ASA SM Details
  Nexus 7000 AGG-VDC SVIs with HSRP for VLAN 221; the HSRP address 10.1.221.254 is the server gateway and lives on the outside VLAN, i.e. on the far side of the transparent ASA-SM from the servers:

    ! 7k-1
    interface Vlan221
      mac-address b414.89e1.2222
      ip address 10.1.221.252/24
      hsrp 21
        preempt
        priority 105
        ip 10.1.221.254

    ! 7k-2
    interface Vlan221
      mac-address b414.89e1.3333
      ip address 10.1.221.253/24
      hsrp 21
        preempt
        priority 100
        ip 10.1.221.254

  Port channels from the AGG-VDCs toward the Catalyst 6500s (vPC1 to 6506-1, vPC2 to 6506-2):

    interface port-channel1
      switchport
      switchport mode trunk
      vpc 1
    interface port-channel2
      switchport
      switchport mode trunk
      vpc 2

  ASA-SM transparent-mode interfaces, BVI and failover:

    interface Vlan220
      nameif inside
      bridge-group 2
      security-level 100
    interface Vlan221
      nameif outside
      bridge-group 2
      security-level 0
    interface BVI2
      ip address 10.1.221.199 255.255.255.0
    !
    failover lan interface Failover Vlan44
    failover link State Vlan45
    failover interface ip Failover 10.90.44.1 255.255.255.0 standby 10.90.44.2
    failover interface ip State 10.90.45.1 255.255.255.0 standby 10.90.45.2

  [Diagram: 7k-1 and 7k-2 AGG-VDCs connected over vPC1/vPC2 to 6506-1 "WestJet" and 6506-2 "Airbus", each hosting an ASA-SM.]
• 47. Server Gateway Outside of Firewall: Design #1
  – ASA HA pair in transparent mode with the SVI on the Aggregation VDC; the server gateway is on the outside of the firewall
  – Simple design
  – The firewall is part of the Layer 2 failure domain
  [Diagram: Aggregation VDC with Layer 3 above and Layer 2 below; v201 (outside) and v200 (inside), server gateway 10.1.200.254.]
• 48. ASA in the Data Center: Design #2, Firewall Between Inter-VDC Traffic
  – Transparent (L2) firewall services are "sandwiched" between the Nexus VDCs
  – Allows other services (IPS, load balancing, etc.) to be layered in as needed
  – ASAs can be virtualized for a 1:1 mapping of contexts to VRFs
  – Useful for topologies that require a firewall between aggregation and core
  – Downside: most or all traffic destined for the core traverses the firewall, a possible bottleneck
  [Diagram: Core VDC with VRFs (north), ASA HA pair 1 and ASA HA pair 2, Aggregation VDC with VRFs (south), v200 with server gateway 10.1.200.254.]
• 49. Design Details and Benefits
  – Zone-based differentiation, building blocks with VLANs and VRFs
  – Inter-VM firewalling via VSG / ASA 1000V
  – Intra-zone firewalling via both VSG / ASA 1000V and ASA / ASA-SM
  – Inter-zone firewalling via ASA 1000V, ASA, or ASA-SM
• 50. Server Access and VM Network Details
  [Diagram: Nexus 5000 pair 5k-1 "Inara" and 5k-2 "Jayne" (ports 1/1, 1/2 in PortChannel111 toward the aggregation switches; 1/17, 1/18 between the pair; 1/11, 1/12 to the servers) connected to ESX Host 1 and ESX Host 2 via VMNIC #2 and #3 on each host. Management addressing on 192.168.100.x: ESX hosts 192.168.100.199 and 192.168.100.198, VNMC 192.168.100.20, VSG-1 192.168.100.30, VSG-2 192.168.100.31, VSM-1 192.168.100.50, VSM-2 192.168.100.51, VSG domains 1 and 90. Workload VMs on 10.1.200.x: HR Server #1 10.1.200.50, HR Server #2 10.1.200.51, Finance Server #1 10.1.200.100, Finance Server #2 10.1.200.101, one HR and one Finance server per host.]
• 51. Deny HR to Finance
  [Diagram: the two ESX hosts from slide 50 under VSM-2 (192.168.100.51), VSG domain 1. HR Server #1 (10.1.200.50) and HR Server #2 (10.1.200.51) are to be denied access to Finance Server #1 (10.1.200.100) and Finance Server #2 (10.1.200.101).]
  • 53. VNMC Policy: Deny HR to Finance Requests
• 54. Policy Summary on VSG
  [Screenshot: policy summary as shown on the Nexus 1000V / VSG.]
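An added example (not Cisco's VSG or vPath code) that ties together slide 22's decision caching, slide 24's context-based rule engine, and the deny-HR-to-Finance policy of slides 51 to 54: a Python policy engine whose rules combine 5-tuple and VM attributes, and a VPathCache that sends only the first packet of a flow to the "VSG" and serves the rest from the cached verdict. Only the four server addresses come from slide 50; the VM names, port-profile and tenant attributes, the management-SSH rule, the attribute names (src.vm.name and the like are loosely modelled on VSG's, not copied from it) and the default action are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    port_profile: str
    tenant: str


# VM inventory from the slide addressing (HR #1/#2 at .50/.51, Finance #1/#2 at
# .100/.101). Port-profile and tenant values are assumptions for the example.
INVENTORY = {
    "10.1.200.50": VM("HR-Server-1", "10.1.200.50", "vm-hr", "Domain 1"),
    "10.1.200.51": VM("HR-Server-2", "10.1.200.51", "vm-hr", "Domain 1"),
    "10.1.200.100": VM("Finance-Server-1", "10.1.200.100", "vm-finance", "Domain 1"),
    "10.1.200.101": VM("Finance-Server-2", "10.1.200.101", "vm-finance", "Domain 1"),
}


def attributes(src_ip, dst_ip, proto, sport, dport):
    """Flatten the 5-tuple plus VM context into the attribute namespace rules match on.
    Attribute names are loosely modelled on VSG's, not taken from it."""
    attrs = {"net.protocol": proto, "src.net.ip": src_ip, "dst.net.ip": dst_ip,
             "src.net.port": sport, "dst.net.port": dport}
    for side, ip in (("src", src_ip), ("dst", dst_ip)):
        vm = INVENTORY.get(ip)
        if vm is not None:
            attrs[f"{side}.vm.name"] = vm.name
            attrs[f"{side}.vm.portprofile"] = vm.port_profile
            attrs[f"{side}.vm.tenant"] = vm.tenant
    return attrs


OPERATORS = {
    "eq": lambda actual, expected: actual == expected,
    "prefix": lambda actual, expected: str(actual).startswith(expected),
    "in-net": lambda actual, expected: ip_address(actual) in ip_network(expected),
}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str        # "permit" or "drop"
    conditions: tuple  # ((attribute, operator, value), ...); all must match


def matches(rule, attrs):
    return all(attr in attrs and OPERATORS[op](attrs[attr], value)
               for attr, op, value in rule.conditions)


# Policy from the slides: deny HR to Finance requests. Matching on vm.name rather
# than on IP means the verdict follows the VM through vMotion or re-addressing.
POLICY = (
    Rule("deny-hr-to-finance", "drop",
         (("src.vm.name", "prefix", "HR-"), ("dst.vm.name", "prefix", "Finance-"))),
    Rule("permit-mgmt-ssh", "permit",   # management subnet from slide 50; use is assumed
         (("src.net.ip", "in-net", "192.168.100.0/24"), ("net.protocol", "eq", "tcp"),
          ("dst.net.port", "eq", 22))),
    Rule("permit-tenant-internal", "permit",
         (("src.vm.tenant", "eq", "Domain 1"), ("dst.vm.tenant", "eq", "Domain 1"))),
    Rule("default", "drop", ()),        # explicit default; first match wins
)


class VPathCache:
    """Models vPath decision caching: the first packet of a flow is steered to the VSG
    for policy evaluation; later packets of that flow are switched by the VEM from the
    cached verdict (the fast path)."""

    def __init__(self, policy):
        self.policy = policy
        self.cache = {}
        self.evaluations = 0  # how often the "VSG" was consulted

    def evaluate(self, attrs):
        self.evaluations += 1
        for rule in self.policy:
            if matches(rule, attrs):
                return rule.action, rule.name
        return "drop", "implicit"

    def handle_packet(self, src_ip, dst_ip, proto, sport, dport):
        key = (src_ip, dst_ip, proto, sport, dport)
        if key not in self.cache:
            self.cache[key] = self.evaluate(attributes(*key))
        return self.cache[key]

    def update_policy(self, policy):
        """A re-provisioned security profile must flush cached verdicts, or stale
        decisions keep being applied on the fast path."""
        self.policy = policy
        self.cache.clear()
```

The cache flush in update_policy is the operational point: a fast path that keeps serving old verdicts after the security profile changes is the failure mode to watch for, so confirm on the real platform how cached flows are invalidated when a policy is pushed from VNMC.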
• 56. Adding Identity and Access Control Services: ISE and TrustSec
• 57. ISE Traffic Flow
  [Diagram, in sequence:]
  – The endpoint 10.1.204.126 authenticates with EAPOL (802.1X) to the Catalyst 6506 access switch (10.1.204.254)
  – The 6506 sends a RADIUS Access-Request to ISE; ISE returns Access-Accept with SGT = 5
  – The 6506 advertises the IP-address-to-SGT mapping (10.1.204.126 = SGT 5) over SXP to the Nexus 7000 Core VDC (10.1.200.254)
  – The SG ACL matrix is enforced on the data center path (Nexus 7000 Agg VDC, ASA, VSG): the Finance user reaches Finance Server #1 (10.1.200.100) but is denied to HR Server #1 (10.1.200.50)
• 59. ISE Authentication
  Session state on the Catalyst 6500 access switch after the endpoint authenticated against ISE:

    6506-2-airbus#sho authen sess int g3/1
                Interface:  GigabitEthernet3/1
              MAC Address:  0027.0e15.578e
               IP Address:  10.1.204.126
                User-Name:  finance1
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-auth
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  N/A
                      SGT:  0005-0
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A01CC950000000D0EDFC178
          Acct Session ID:  0x0000001E
                   Handle:  0xC500000D
    Runnable methods list:
           Method   State
           mab      Failed over
           dot1x    Authc Success
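The flow on slides 57 and 59, as an added example (not ISE, IOS or NX-OS code): a Python parser for the show authentication sessions output that extracts the SGT (0005-0 is hex tag 0x0005, generation 0), builds the IP-to-SGT table that SXP would carry to the Nexus 7000, and looks a flow up in an SG ACL matrix. The server tags (10 for Finance servers, 11 for HR servers), the matrix cells and the deny for unlisted cells are assumptions; the slide gives only the user's SGT 5 and the permit/deny outcome.

```python
import re

# Constructed from the show output on slide 59 (values as printed there).
SESSION_OUTPUT = """\
            Interface:  GigabitEthernet3/1
          MAC Address:  0027.0e15.578e
           IP Address:  10.1.204.126
            User-Name:  finance1
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
                  SGT:  0005-0
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A01CC950000000D0EDFC178
      Acct Session ID:  0x0000001E
               Handle:  0xC500000D
Runnable methods list:
       Method   State
       mab      Failed over
       dot1x    Authc Success
"""


def parse_session(text: str) -> dict:
    """Parse one 'show authentication sessions interface' block. The SGT field is
    printed as <hex tag>-<generation>, so 0005-0 is tag 5, generation 0."""
    fields, methods, in_methods = {}, {}, False
    for line in text.splitlines():
        if line.startswith("Runnable methods list"):
            in_methods = True
            continue
        if in_methods:
            parts = line.split(maxsplit=1)
            if len(parts) == 2 and parts[0] != "Method":
                methods[parts[0]] = parts[1].strip()
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    m = re.fullmatch(r"([0-9A-Fa-f]{1,4})-(\d+)", fields.get("SGT", ""))
    return {
        "ip": fields.get("IP Address"),
        "user": fields.get("User-Name"),
        "status": fields.get("Status"),
        "sgt": int(m.group(1), 16) if m else None,
        "methods": methods,
    }


# Hypothetical server tags: the slide shows the user's SGT (5) but not the servers'.
SERVER_SGT = {"10.1.200.100": 10, "10.1.200.50": 11}   # Finance Server #1, HR Server #1
SGT_NAMES = {5: "Finance_Users", 10: "Finance_Servers", 11: "HR_Servers"}

# SG ACL matrix, (source SGT, destination SGT) -> action. Cells not listed are
# treated as deny here; on real TrustSec gear an unconfigured cell follows the
# configured default policy, so check it rather than assume.
SGACL_MATRIX = {(5, 10): "permit", (5, 11): "deny"}


def ip_sgt_mappings(sessions) -> dict:
    """Build the IP-to-SGT table the access switch advertises over SXP."""
    return {s["ip"]: s["sgt"] for s in sessions
            if s["status"] == "Authz Success" and s["sgt"] is not None}


def sgacl_decision(src_ip: str, dst_ip: str, mappings: dict) -> str:
    """Enforcement-point view: resolve both ends to tags, then consult the matrix."""
    src_sgt, dst_sgt = mappings.get(src_ip), SERVER_SGT.get(dst_ip)
    if src_sgt is None or dst_sgt is None:
        return "deny"   # untagged source or unknown server: no cell can match
    return SGACL_MATRIX.get((src_sgt, dst_sgt), "deny")


if __name__ == "__main__":
    session = parse_session(SESSION_OUTPUT)
    table = ip_sgt_mappings([session])
    for server in SERVER_SGT:
        print(f"{session['user']} ({SGT_NAMES[session['sgt']]}) -> {server} "
              f"({SGT_NAMES[SERVER_SGT[server]]}): "
              f"{sgacl_decision(session['ip'], server, table)}")
```

Note the Runnable methods list in the output: MAB failed over and 802.1X succeeded, so a session that only shows MAB success would be carrying a device-derived tag rather than a user identity, which is worth checking before trusting the mapping.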
  • 61. Driving Simplicity: Data Center Design – Resources from Cisco
• 62. Validated Design Guides: A Cisco Competitive Differentiator
  – Cisco Validated Designs are recommended, validated, end-to-end designs for next-generation networks
  – The validated designs are tested and fully documented to help ensure faster, more reliable, and more predictable customer deployments
  – Three types of guides:
    – Design Guides: comprehensive design/implementation
    – Application Deployment Guides: third-party applications
    – System Assurance Guides: intensive, ongoing system assurance test programs targeted at major network architectures or technologies
• 63. Cisco Validated Designs for the DC
  – CVD > SAFE: http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/SAFE_RG/SAFE_rg.pdf
  – CVD > Virtualized Multi-Tenant Data Center (VMDC): http://www.cisco.com/en/US/partner/docs/solutions/Enterprise/Data_Center/VMDC/1.1/design.html
  – CVD > Secure Multi-Tenant CVD: http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns743/ns1050/landing_dcVDDC.html
  [Diagram: ASA 5585-X at the edge, vPC into a Catalyst 6500 VSS services chassis with Firewall, ACE, ESA, NAM, IPS and WSA. Centralized security and application service modules and appliances can be applied per zone.]
• 64. Cisco Secure Internet Edge
  [Diagram: data center reference design: a Nexus 7018 pair (Data Center Core and Distribution VDCs) with vPC to Nexus 5000 / Nexus 2100 10-Gig server racks, Nexus 7000, a Unified Computing System running Nexus 1000V with Virtual Service Nodes, the SAN, and a Catalyst 6500 VSS services chassis (ASA, ACE, NAM, IPS) whose centralized security and application service modules and appliances are applied per zone and across multiple zones.]
  – Network Foundation Protection: infrastructure security features are enabled to protect the device, the traffic plane, and the control plane
  – Device virtualization (VDC) provides control, data, and management plane segmentation
  – TrustSec: consistent enforcement of security policies with Security Group ACLs, controlling access to resources based on user identity and group membership; link-level data integrity and confidentiality with standards-based encryption
  – Access edge security: ACL, Dynamic ARP Inspection, DHCP snooping, IP Source Guard, port security, private VLANs, QoS
  – Flow-based traffic analysis: NAM virtual blade; traffic analysis and reporting, performance monitoring, VM-level interface statistics
  – Stateful packet filtering: additional application inspection and application firewall services for the server farm zone
  – Network intrusion prevention: IPS/IDS provides traffic analysis and forensics
  – Server load balancing: masks servers and applications and provides scaling for applications
  – Web and email security: security and filtering for web and email
  • 65. Q&A #CiscoPlusCA
• 66. We value your feedback. Please be sure to complete the Evaluation Form for this session. Access today's presentations at cisco.com/ca/plus. Follow @CiscoCanada and join the #CiscoPlusCA conversation.