New Threats, New Approaches in Modern Data Centers - A Presentation by NPS at CENIC conference 11:00 am - 12:00 pm, Wednesday, March 22, 2017 – in San Diego, California
The standard approach to securing data centers has historically emphasized strong perimeter protection to keep threats on the outside of the network. However, this model is ineffective for handling new types of threats—including advanced persistent threats, insider threats, and coordinated attacks. A better model for data center security is needed: one that assumes threats can be anywhere and probably are everywhere and then, through automation, acts accordingly. Using micro-segmentation, fine-grained network controls enable unit-level trust, and flexible security policies can be applied all the way down to a network interface. In this joint presentation between customer, partner, and VMware, the fundamental tenets of micro-segmentation will be discussed. Presenters will describe how the Naval Postgraduate School has incorporated these principles into the architecture and design of a multi-tenant Cybersecurity Lab environment to deliver security training to national and international government personnel.
Edgar Mendoza, IT Specialist, Information Technology and Communications Services (ITACS) Naval Postgraduate School
Eldor Magat, Computer Specialist, ITACS, Naval Postgraduate School
Mike Monahan, Network Engineer, ITACS, Naval Postgraduate School
Iben Rodriguez, Brocade Resident SDN Delivery Consultant, ITACS, Naval Postgraduate School
Brian Recore, NSX Systems Engineer, VMware, Inc.
https://youtu.be/mYBbIbfKkGU?t=1h7m16s
Copied from the program with corrections - https://adobeindd.com/view/publications/b9fbbdf0-60f1-41dc-8654-3d2141b0bf54/nh4h/publication-web-resources/pdf/Conference_Agenda_2017_v1.pdf
3. Why did we re-architect our Data Center
• Understand the architecture and design requirements of a multi-tenant environment
• Isolate threats through micro-segmentation and granular network controls
• Apply flexible security policies at the VM level
4. Center for Cyberwarfare - CCW
The lab is used to conduct research and education to provide the modern warfighter with tactical and operational responses to cyber threats.
6. Legacy lab implementation
• Built by CCW with pizza box servers using various ad hoc storage systems.
• ITACS took over responsibility for maintaining the cyberlab project in late 2014.
• Inadequate resources – not scalable.
• Many single points of failure.
• Missing adequate licensing for some services.
• Not in a data center environment.
7. Why have lab isolation?
• Advanced Persistent Threats
• Human error – Insider Threat
• Protection against coordinated attacks
• Provide researchers with a sandbox for malware inspection
• Offer a clean slate for each classroom from quarter to quarter
8. Challenges overcome
• Cyberlab 2.0 addresses the following issues:
– Single points of failure removed
– Replaced physical AD Controller and Load Balancer devices with virtual ones to decrease total cost of ownership
– 2 racks of equipment consolidated to 2U HCI
– Reduced time required to provision labs for classes each quarter
– Ability to customize networks for class differences such as: firewall rules, student permissions, threat types
10. Adding VDI increased the security surface area
• The converged infrastructure means virtual desktops run on the same infrastructure as servers.
[Diagram labels: Internet, Perimeter, Data Center, East-West]
11. Haven’t We Learned Anything from a Perimeter-Centric Focus?
“The Empire doesn't consider a small one-man fighter to be any threat, or they'd have a tighter defense. An analysis of the plans provided by Princess Leia has demonstrated a weakness in the battle station. …The shaft leads directly to the reactor system. A precise hit will start a chain reaction which should destroy the station.”
--General Dodanna
A Long Time Ago…In a Galaxy Far Far Away...
12. The M&M Approach to Security (a hard perimeter shell around a soft, trusted interior)
“In today’s new threat landscape, this M&M and ‘trust but verify’ is no longer an effective way of enforcing security.”
Forrester Research
In Response to NIST RFI 130208119-3119-01, “Developing a Framework to Improve Critical Infrastructure Cyber-Security”
13. Trading Off Context and Isolation
[Diagram: Software Defined Data Center (SDDC) – Any Application / SDDC Platform (Data Center Virtualization) / Any x86, Any Storage, Any IP network]
Traditional Approach: either High Context with Low Isolation, or High Isolation with Low Context; No Ubiquitous Enforcement
14. The Compromise Between Desired End State & Operational Feasibility
A typical data center has: “X” firewalls vs “X” + “1000” workloads
Directing all traffic (virtual + physical) through chokepoint firewalls is inefficient, and a physical firewall per workload is cost prohibitive.
[Diagram labels: WAN, …]
15. SDDC Virtualization Layer – Delivers Both Context and Isolation
[Diagram: Software Defined Data Center (SDDC) – Any Application / SDDC Platform (Data Center Virtualization) / Any x86, Any Storage, Any IP network]
SDDC Approach: High Context, High Isolation, Ubiquitous Enforcement (Secure Host Introspection)
16. Micro-segmentation with NSX
• Isolation: No communication path between unrelated networks
• Segmentation: Controlled communication path within a single network
• Advanced services: addition of 3rd party security, as needed by policy
17. Move from “Network Centric” to “Class Centric” Deployments
[Diagram: Traditional Data Center vs NSX Data Center]
Traditional Data Center: Perimeter firewall, then an Inside firewall in front of a DMZ/Web VLAN, App VLAN, DB VLAN and Services/Management VLAN, with Class-A and Class-B workloads sharing each VLAN.
NSX Data Center: Perimeter firewall, then per-class groups – Class-A (DMZ/Web, App, DB), Class-B (DMZ/Web, App, DB) and a Services/Management Group.
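The class-centric model on slides 16, 17 and 19 comes down to one mechanism: the firewall is evaluated at every vNIC against the workload's security-group membership, so two VMs on the same subnet are filtered exactly like two VMs on different VLANs, and a class's rules can differ (slide 8 mentions firewall rules and threat types) without touching the network. The following is an added example, not code from the presentation or from VMware: a small Python model of such a distributed-firewall rule set with tag-based groups, an implicit default deny, and a service-insertion "redirect" action standing in for the partner-service slots of slide 19. Workload names, tags, addresses and the "ips" partner service are constructed for illustration.

```python
# Added example (not code from the presentation or from VMware): a small model of
# how a hypervisor-level distributed firewall evaluates "class-centric" policy.
# Workloads carry security-group tags (class, tier, group) instead of being placed
# on separate VLANs; every vNIC sees the same ordered rule set, and anything not
# explicitly allowed is dropped. Workload names, tags and addresses are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str            # informational only: no rule below matches on addresses
    tags: frozenset    # e.g. {"class:A", "tier:web"}


@dataclass(frozen=True)
class Rule:
    name: str
    src: frozenset     # every listed tag must be present on the source workload
    dst: frozenset     # every listed tag must be present on the destination
    ports: frozenset   # destination TCP ports; empty set means any port
    action: str        # "allow", "deny" or "redirect:<partner-service>"


def _t(*items):
    return frozenset(items)


def class_rules(cls, sandbox=False):
    """Stamp out one class's three-tier rules from a template; a sandbox class
    (e.g. malware inspection) additionally gets its egress steered through a
    hypothetical partner IPS via service insertion instead of being allowed."""
    c = f"class:{cls}"
    rules = [
        Rule(f"{cls}-desktop-to-web", _t(c, "tier:desktop"), _t(c, "tier:web"), _t(443), "allow"),
        Rule(f"{cls}-web-to-app", _t(c, "tier:web"), _t(c, "tier:app"), _t(8080), "allow"),
        Rule(f"{cls}-app-to-db", _t(c, "tier:app"), _t(c, "tier:db"), _t(5432), "allow"),
    ]
    if sandbox:
        rules.append(Rule(f"{cls}-egress-via-ips", _t(c), _t("zone:external"), _t(), "redirect:ips"))
    return rules


def policy():
    """Management access first, then per-class rules; the default deny is implicit."""
    mgmt = [Rule("mgmt-ssh", _t("group:mgmt"), _t(), _t(22), "allow")]
    return mgmt + class_rules("A") + class_rules("B", sandbox=True)


def evaluate(rules, src, dst, port):
    """First matching rule wins. Enforcement happens at the source vNIC, so two
    VMs on the same subnet are filtered exactly like two VMs on different VLANs."""
    for r in rules:
        if r.src <= src.tags and r.dst <= dst.tags and (not r.ports or port in r.ports):
            return r.action, r.name
    return "deny", "default-deny"


def reachable_from(rules, src, candidates, ports=(22, 443, 8080, 5432)):
    """Blast-radius check: which (workload, port) pairs could a compromised
    `src` open a connection to without being dropped at its own vNIC?"""
    return {(w.name, p) for w in candidates for p in ports
            if w is not src and evaluate(rules, src, w, p)[0] != "deny"}


# Constructed inventory: the Class-A and Class-B web servers share one subnet,
# as they would on the single "DMZ/Web VLAN" of the traditional design.
A_DESK = Workload("classA-desktop-01", "10.20.0.11", _t("class:A", "tier:desktop"))
A_WEB = Workload("classA-web", "10.10.1.10", _t("class:A", "tier:web"))
A_APP = Workload("classA-app", "10.10.2.10", _t("class:A", "tier:app"))
A_DB = Workload("classA-db", "10.10.3.10", _t("class:A", "tier:db"))
B_WEB = Workload("classB-web", "10.10.1.20", _t("class:B", "tier:web"))
B_APP = Workload("classB-app", "10.10.2.20", _t("class:B", "tier:app"))
MGMT = Workload("jump-host", "10.0.0.5", _t("group:mgmt"))
EXTERNAL = Workload("internet", "0.0.0.0", _t("zone:external"))
INVENTORY = [A_DESK, A_WEB, A_APP, A_DB, B_WEB, B_APP, MGMT, EXTERNAL]

if __name__ == "__main__":
    rules = policy()
    for src, dst, port in [(A_WEB, A_APP, 8080), (A_WEB, B_APP, 8080), (A_WEB, B_WEB, 22),
                           (MGMT, B_APP, 22), (B_WEB, EXTERNAL, 80), (A_DB, A_APP, 8080)]:
        action, rule = evaluate(rules, src, dst, port)
        print(f"{src.name:>18} -> {dst.name:<12}:{port:<5} {action:<14} ({rule})")
    print("reachable from a compromised classA-web:", sorted(reachable_from(rules, A_WEB, INVENTORY)))
```

The `reachable_from` check is the practical payoff: from a compromised Class-A web server the only reachable target is the Class-A app tier on its one service port, even though the Class-B web server sits on the same subnet. Note that the model is stateless; a real distributed firewall tracks connection state, so the "db cannot initiate to app" result here corresponds to blocking new connections, not replies.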
18. FY16 House NDAA Report
Cyber Defense Network Segmentation
The committee is aware that the Department of Defense is looking at modifying the way it builds, maintains, and upgrades data centers, including increased use of commercial cloud capabilities and public-private partnerships. The committee is aware that as the Department increasingly looks at software-defined networking, it could potentially reduce the mobility of cyber threats across data center and other networks by increasing the compartmentalization and segmentation between systems, and providing a mix of security techniques to enable access to those compartments. Such actions have the potential to lessen the chance of a widespread or catastrophic breach, including breaches caused by insider threats. The committee encourages the Department to explore ways to use compartmentalization or segmentation as part of a software-defined networking approach in order to increase the security of its networks.
The Beginning of Policy Shifts….again
19. Combining Organic Capabilities with Best of Breed across the Larger Ecosystem
NSX Network Virtualization Platform – Deploy, Apply, Automate:
• Deploy: Provision and monitor uptime of different services, using one method.
• Apply: Apply and visualize security policies for workloads, in one place.
• Automate: Automate workflows across best-of-breed services, without custom integration.
Built-In Services: Firewall, Data Security (DLP), Server Activity Monitoring, VPN (IPSEC, SSL)
Third-Party Services: Antivirus, DLP, Firewall, Vulnerability Management, Intrusion Prevention, Identity and Access Mgmt …and more in progress
Security Policy Management
[Diagram: a Guest VM on the VDS, with the Traffic Redirection Module steering traffic through Partner Service 1 VM and Partner Service 2 VM (service slots 2, 4 and 5) before it reaches the External Network]
20. High Scale NSX Topology
• High scale multi-tenancy is enabled with multiple tiers of Edge interconnected via a VXLAN transit uplink
• Two-tier Edges allow better scaling with administrative control based on traffic generated.
• NSX Edge can scale up to 8 ECMP Edges for scalable routing
• Support for overlapping IP addresses between Tenants connected to different first-tier NSX Edges
[Diagram: External Network – ECMP NSX Edges E1…E8 with VXLAN uplinks – VXLAN 5100 Transit – ECMP-based NSX Edge X-Large (Route Aggregation Layer) – per-tenant Edge with HA and NAT/LB features, single adjacency to the ECMP Edge – Tenant 1: Desktop Pool Logical Switch, App LS, DB LS, …]
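The two mechanisms that make the topology above scale are easy to lose in the diagram: each tenant's first-tier edge translates the tenant's private addresses onto its own transit address (which is what lets tenants reuse the same RFC 1918 range), and the aggregation layer hashes each transit flow onto one of up to eight ECMP edges so a flow stays on one path while load spreads. The following is an added example, not code from the presentation or from VMware: a Python model of both steps, plus the reverse lookup that resolves return traffic to the right tenant. Tenant names, prefixes, transit addresses and the port range are constructed, and the hash is illustrative rather than NSX's actual ECMP hash.

```python
# Added example (not code from the presentation or from VMware): a model of the
# two-tier edge topology on the "High Scale NSX Topology" slide. Each tenant's
# first-tier edge source-NATs the tenant's private prefix onto its own transit
# address, which is why two tenants may reuse the same RFC 1918 range; the
# aggregation tier then spreads transit flows across up to eight ECMP edges by
# a flow hash. Tenant names, prefixes and transit addresses are constructed, and
# the hash below is illustrative rather than the one NSX implements.
import hashlib
from ipaddress import ip_address, ip_network


class TenantEdge:
    """First-tier edge (the HA pair in the slide) owning one tenant's address space."""

    def __init__(self, tenant, inside_prefix, transit_ip):
        self.tenant = tenant
        self.inside = ip_network(inside_prefix)
        self.transit_ip = ip_address(transit_ip)
        self._nat = {}            # (inside ip, inside port) -> transit port
        self._next_port = 20000   # constructed ephemeral range for translated ports

    def snat(self, src_ip, sport, dst_ip, dport):
        """Rewrite the source so the flow is unique once it enters the shared
        VXLAN transit; the same inside (ip, port) always maps to the same
        transit port, so an established flow keeps its translation."""
        src = ip_address(src_ip)
        if src not in self.inside:
            raise ValueError(f"{src} is not inside {self.tenant} ({self.inside})")
        key = (src, sport)
        if key not in self._nat:
            self._nat[key] = self._next_port
            self._next_port += 1
        return (str(self.transit_ip), self._nat[key], str(ip_address(dst_ip)), dport)


def ecmp_select(flow, n_edges=8):
    """Pick one of E1..E8 for a transit flow; hashing the whole 4-tuple keeps a
    flow on one edge (no reordering) while spreading different flows out."""
    digest = hashlib.sha256(repr(flow).encode()).digest()
    return f"E{1 + int.from_bytes(digest[:4], 'big') % n_edges}"


def forward(edge, src_ip, sport, dst_ip, dport):
    """Tenant edge NAT, then the aggregation layer's ECMP choice for the flow."""
    flow = edge.snat(src_ip, sport, dst_ip, dport)
    return flow, ecmp_select(flow)


def tenant_for_return_traffic(edges, transit_dst_ip):
    """Reverse path: the aggregation layer only needs the transit destination to
    find the owning tenant edge, even though inside addresses overlap."""
    for e in edges:
        if e.transit_ip == ip_address(transit_dst_ip):
            return e.tenant
    raise LookupError(f"no tenant edge owns transit address {transit_dst_ip}")


# Constructed tenants that deliberately reuse the same inside prefix.
TENANT_1 = TenantEdge("tenant-1", "10.0.0.0/24", "172.16.0.1")
TENANT_2 = TenantEdge("tenant-2", "10.0.0.0/24", "172.16.0.2")
EDGES = [TENANT_1, TENANT_2]

if __name__ == "__main__":
    for edge in EDGES:
        # identical inside flow in both tenants: same host, same port, same target
        flow, via = forward(edge, "10.0.0.10", 40000, "198.51.100.7", 443)
        print(f"{edge.tenant}: inside 10.0.0.10:40000 -> transit {flow[0]}:{flow[1]} via {via}")
    print("return traffic to 172.16.0.2 belongs to", tenant_for_return_traffic(EDGES, "172.16.0.2"))
```

Without the per-tenant translation the two flows in the demo would be byte-for-byte identical on the transit VXLAN and the aggregation edge could not tell them apart; with it, tenant isolation holds even when both classes were cloned from the same template with the same addressing, which is the case that matters when a lab is re-provisioned every quarter.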
21. Plans for 2017 and beyond
• Automation, Automation, Automation
• Brocade Workflow Composer
• Cloud Management Platform - OpenStack on VMware (VIO)
• Plan to integrate physical devices (IoT, Robotics, Weather Sensors, etc.) into the virtual cyberlab
• Dynamic routing
• Hardware VTEP to bridge VLAN to VXLAN
• Integration with NSX and Palo Alto Networks Virtual FW
• Leverage Public Cloud - Amazon AWS
23. VMware Integrated OpenStack
[Diagram: VMware Integrated OpenStack (VIO) on the VMware SDDC – Standard OpenStack services: Nova, Neutron, Cinder, Glance, Keystone, Heat, Horizon, Ceilometer – VIO Management Server (deploy, configure, patch, upgrade …OpenStack) – vSphere, NSX, vSphere Datastores: 3rd-party / Virtual SAN]
• VIO is an “Integrated Product” Approach to OpenStack
• Standard DefCore Compliant OpenStack Distribution (delivered as OVA)
• Deploys & Manages Proven Production Architecture on VMware SDDC
• Fully Supported by VMware
24. The Need for a Comprehensive Security Solution
Sophisticated Security Challenges: Applications are not linked to ports & protocols; Distributed user and device population; Modern Malware
VMware NSX Platform – NSX Distributed Firewall:
• VM level zoning without VLAN/VXLAN dependencies
• Line rate access control traffic filtering
• Distributed enforcement at Hypervisor level
Palo Alto Networks Next Generation Security – Next Generation Firewall:
• Protection against known and unknown threats
• Visibility and safe application enablement
• User, device, and application aware policies
25. VMware Cloud™ on AWS
Powered by VMware Cloud Foundation – TECHNICAL PREVIEW
[Diagram: Customer Datacenter (vCenter, vSphere, vSAN, NSX) connected to the AWS Global Infrastructure (vCenter, vSphere, vSAN, NSX) with Operational Management (vRealize Suite, vSphere Integrated Containers, ISV ecosystem) and Native AWS Services (Amazon EC2, Amazon S3, Amazon RDS, AWS Direct Connect, AWS IAM, AWS IoT, …)]
Availability expected in mid-2017 timeframe
VMware Cloud™ on AWS: VMware vSphere-based service, running on the AWS Cloud
• ESXi on Dedicated Hardware
• Support for VMs and Containers
• vSAN on Flash and EBS Storage
• Replication and DR Orchestration
• NSX Spanning on-premises and cloud
• Advanced Networking & Security Services
from the NPS 2015 Annual Report
https://my.nps.edu/web/ccw
Many classes are using this lab with students from all over the world.
The Center for Cyber Warfare (CCW) is an interdisciplinary problem solving research center in the Department of Electrical and Computer Engineering (ECE) at the Naval Postgraduate School (NPS) in Monterey, California. The CCW faculty work in collaboration with other universities and innovative commercial companies to deliver basic and applied research solutions to the Navy, U.S. government, DoD, and intelligence communities.
Mission
Approved by the NPS Research Board on October 5, 2009, the CCW conducts a mix of classified and unclassified research and offers unique educational programs designed to provide the modern warfighter with tactical and operational responses to immediate and anticipated threats in U.S. and allied cyber space.
At one point the room with the servers got too hot and they had opened the windows.
Wires were all over the place, cables not labeled. No structured cable management; now replaced with structured cable management.
Even with UPS battery backups there were extended power outages that caused system downtime due to lack of generator power. Now on generator.
Lots of space and power used - 2 racks consolidated to 2U Hyper Converged Server Infrastructure with built-in software defined storage.
Amazon AWS design for NROTC Cyber Lab
NSX – OSPF, DHCP, Firewall, Load Balancers
Virtual appliances – Scalability, High Availability
Centralized support with power, cooling
Improved monitoring, physical, and operational security
SDDC can span across multiple data centers and into hybrid service providers, independent of physical infrastructure
PowerNSX
Orchestrator
http://community.brocade.com/t5/Federal-Insights/CLI-is-Dead/ba-p/91358
Code NSX . com
VMware Cloud on AWS will be powered by VMware Cloud Foundation™, a unified SDDC platform that integrates VMware vSphere, VMware Virtual SAN™ and NSX™ virtualization technologies, and will provide access to the broad range of AWS services, together with the functionality, elasticity, and security customers have come to expect from the AWS Cloud.
Integrates VMware’s flagship compute, storage and network virtualization products (vSphere, VSAN and NSX) along with vCenter management, and optimizes it to run on next-generation, elastic, bare-metal AWS infrastructure.
The result is a complete, no compromise, turn-key solution, that works seamlessly with both on-premises private clouds and advanced AWS Public Cloud services.
• VMware SDDC stack running on AWS: Compute (vSphere), storage (VSAN), networking (NSX); Direct access to vCenter, including full API/CLI support; Delivered as-a-service (VMware lifecycle fully managed); Access to AWS services
• Consistent operational model enables Hybrid Cloud: Full support for existing and new applications; Existing management tooling layers on top; Hybrid and Cloud-only deployment options
• Leverage cloud economics, aligning capacity & demand: Single bill for VMware software + AWS infrastructure; Consume elastically scalable SDDC clusters; On-demand or subscription; Leverage global AWS footprint