
Micro Segmentation Security: Securing IT Through Macro-segmentation


Securing IT Through Macro-segmentation

As the very core of modern business, today's data center networks must provide a level of service and security like never before. It’s no longer a test of whether raw packets can move from one point to another, but really a function of how resources can be shared by various applications, without compromising security through errant or unauthorized access.

Join us for this 50-minute On-Demand Webinar where we will describe how Pluribus Virtualization-Centric switching solutions can be deployed across the data center to offer new services based on pools of distributed resources, without introducing added risks or compliance issues.

The Pluribus VCF architecture makes ‘touch of a button’ macro-segmentation possible, and is found in all switches powered by Netvisor or Open Netvisor Linux.

In these slides, we'll discuss the use of Macro-Segmentation found in all Netvisor powered switches, including:

* How to quickly allocate distributed resources to specific applications, without adding risk or compliance issues
* Understanding the best practices associated with Macro-Segmentation, including examples of deployment
* How to visualize resource consumption, to assist with capacity planning

Published in: Technology

  1. Securing IT Through Macro-Segmentation. November 15th, 2016. Marco Pessi, Sr. Technical Product Manager, Pluribus Networks. (Proprietary & Confidential)
  2. Agenda: How to secure the network fabric
     - Fabric management
     - Multi-tenancy / Private Virtual Networks
     - Secure control plane
     - Security service insertion
     - Putting it all together: fabric security architecture
     - Analytics
  3. Securing Scale-Out Fabrics. Diagram: racks 1, 2 … 100 plus an edge rack 101, VXLAN L2 extension across all 100 racks over an IP underlay (BGP/OSPF), VTEPs on the leaves, a spine layer, and an external network.
  4. Virtualization Centric Fabric (VCF)
     - Built-in fabric controller on every L2/L3/VXLAN open-networking switch: distributed peer-to-peer cluster, configuration state consistency (with rollback), single CLI/API to manage all nodes
     - Application visibility: built-in, no taps, no brokers, no expensive tools
     - Secure multi-tenancy: Virtual Private Networks for holistic multi-tenancy
     - Security service insertion: granular flow control for conditional security insertion policies
     - No controllers, no new protocols, 100% interoperable
  5. Netvisor Private Virtual Networks: Agile, Secure Multi-Tenancy
     - Rapid provisioning of Private Virtual Networks (VNETs) as virtual PODs (vPODs) with management, control and data plane isolation
     - Independent tenant networks: overlapping subnets (VLANs and IP prefixes), independent vRouter on each VNET
     - Independent management plane: independent provisioning, per-tenant visibility of flows, services, VMs
     Diagram: VNET-A 172.10.0.0/16, VNET-B 172.0.0.0/8, VNET-C 172.0.16.0/20, each with VLAN 1-4K and its own VMs (overlapping address space).
  6. Netvisor Private Virtual Networks: Agile, Secure Multi-Tenancy (slides 6 and 7, continued from slide 5)
     - Secure access to infrastructure network: the simplified tenant network view isolates the common transport network from the tenant network
     - Data plane isolation: automatic orchestration of VLAN, VRF and VXLAN VNI space to prevent leaking between tenants; anti-spoofing mechanism
     Anti-Spoofing Mechanism: vFlow technology for comprehensive uRPF. Enforce server traffic to use a consistent VLAN/IP address:
       CLI> vflow-create vlan <amber> src-ip 10.1.11.0/27 name amber-urpf-permit action none table System-VCAP-table-1-0
       CLI> vflow-create vlan <amber> src-ip 0.0.0.0/0 name amber-urpf-deny action drop table System-VCAP-table-1-0
     - vFlow can be used to prevent servers belonging to a logical tenant from sourcing IP traffic with an illegitimate prefix; vFlow stats are provided to monitor uRPF violations; independent dedicated TCAM space
     - Supports all types of traffic: bridged, routed, VXLAN tunneled (terminated on switch), VXLAN tunneled (pass-through)
  8. Netvisor Private Virtual Networks: Agile, Secure Multi-Tenancy (slides 8 and 9, continued from slide 7)
     - Control plane isolation: tenant routers run in dedicated containers of the switch OS
     VCF Containers: Secure Multi-Tenant Control Plane
     - vRouters: independent OSPF/BGP/BFD speakers; each vRouter has a simple tenant view
     - OVSDB interface: synchronizes the fabric endpoint database (vPort) with the hypervisor system for end-to-end VTEP auto-provisioning (OpenDaylight, NSX)
     - VNET Manager: provides a dedicated/isolated management interface for a vPOD, with provisioning/visibility capability only for assigned resources; can run any vPOD custom application (simple example: Wireshark)
     Diagram: per-tenant vRouter containers (Crimson, Blue, Amber) with their own vNICs, plus VNET Manager and OVSDB containers.
  10. Virtualization Centric Fabric (VCF): vFlow Technology. Security service insertion: granular flow control for conditional security insertion policies. Diagram: built-in fabric controllers on L2/L3/VXLAN open-networking switches forming a distributed cluster (Pluribus Management Fabric).
  11. Conditional Security Insertion: configurable line-rate redirection of E-W traffic
     1) Default behavior: no inspection; the fabric normally bridges and routes E-W traffic
     2) Configurable security insertion: the fabric redirects selected traffic (configurable L1-L4 parameters) to a security appliance
     Diagram: VM-10 and VM-11 on VL10, VM-20 on VL20, VM-41; HTTP flows between VL10 and VL20 are redirected.
  12. Conditional Security Insertion: provide inspection only to non-secure N-S traffic (slides 12 and 13)
     1) Firewall service insertion for default traffic
     2) Firewall bypass for secure traffic
     Diagram: perimeter firewall cluster, HA services leaf cluster (VXLAN routing + FW insertion), external network; VL10 and VL100, VXLAN VNI10, VTEP 10.0.100.5/29, 10.10.0.1/16, secure and non-secure zones.
  14. vFlow Filtering for Security Actions: line-rate redirection and policy enforcement
     vFlow structure:
     - Scope: switch-local or fabric-wide
     - L1-L4 match rule: deployed in hardware TCAMs
     - Actions (switch hardware assisted): drop, to-cpu, copy-to-cpu, setvlan, tunnel-pkt, set-tunnel-id, to-span, cpu-rx, cpu-rx-tx, set-dscp, decap, set-dmac, set-dmac-to-port, to-port, to-ports-and-cpu, set-vlan-pri, l3-to-cpu-switch
     3) Line-rate policy enforcement (same N-S diagram as slide 13, with firewall bypass for secure traffic)
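The uRPF permit/deny pair on slide 7 and the selective redirection on slides 11 and 14 are both instances of the vFlow structure above: an L2-L4 match rule, a hardware action and a hit counter. The following Python is an added illustration of that first-match semantics, not Pluribus code; it assumes VLAN 11 stands for the `<amber>` placeholder, that entries are evaluated in table order, and that switch port 49 is where the security appliance is attached.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Simplified model of one vFlow entry (assumption: a subset of the real match
# fields), with a hit counter standing in for the vFlow stats the slides
# describe for monitoring uRPF violations.
@dataclass
class VFlow:
    name: str
    vlan: int
    action: str                      # 'none' (permit), 'drop' or 'to-port'
    src_ip: str = "0.0.0.0/0"        # source prefix to match
    dst_port: Optional[int] = None   # L4 destination port, None = any
    to_port: Optional[int] = None    # switch port used by the 'to-port' action
    hits: int = 0

    def matches(self, pkt: dict) -> bool:
        return (pkt["vlan"] == self.vlan
                and ip_address(pkt["src_ip"]) in ip_network(self.src_ip)
                and (self.dst_port is None or pkt.get("dst_port") == self.dst_port))

def apply_vflows(table: list, pkt: dict) -> str:
    """First matching entry in table order decides (assumed ordering model).
    Returns 'forward', 'drop' or 'redirect:<port>'. Traffic matching no entry
    is bridged/routed normally, the slides' 'default behavior: no inspection'."""
    for rule in table:
        if rule.matches(pkt):
            rule.hits += 1
            if rule.action == "drop":
                return "drop"
            if rule.action == "to-port":
                return f"redirect:{rule.to_port}"
            return "forward"
    return "forward"

def build_amber_table() -> list:
    """Policy for tenant amber (VLAN 11 assumed): HTTP from the legitimate
    prefix is steered to the appliance on port 49, other traffic from the
    prefix is permitted, and any other source address on the VLAN is dropped."""
    return [
        VFlow("amber-http-insert", 11, "to-port", "10.1.11.0/27", dst_port=80, to_port=49),
        VFlow("amber-urpf-permit", 11, "none", "10.1.11.0/27"),
        VFlow("amber-urpf-deny", 11, "drop", "0.0.0.0/0"),
    ]

if __name__ == "__main__":
    table = build_amber_table()
    for pkt in ({"vlan": 11, "src_ip": "10.1.11.5", "dst_port": 443},   # constructed
                {"vlan": 11, "src_ip": "10.1.11.5", "dst_port": 80},
                {"vlan": 11, "src_ip": "10.1.12.5", "dst_port": 80}):   # spoofed prefix
        print(pkt, "->", apply_vflows(table, pkt))
    print({r.name: r.hits for r in table})
```

The deny entry's hit counter is the number a defender would watch: a non-zero, growing value on amber-urpf-deny means a server in the tenant is sourcing addresses outside its assigned prefix.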
  15. Conditional Security Insertion for E-W and N-S traffic
     - Leaf switches perform selective security insertion for bridged/routed E-W traffic using programmable fabric-wide policies
     Diagram: security appliances (IPS, FW, etc.) behind the HA services leaf cluster (VXLAN routing + FW insertion), VL10, VL20 and VL100, VNI10 and VNI20, VTEP 10.0.100.5/29, 10.10.0.1/16 and 10.20.0.1/16, secure and non-secure zones; racks 1, 2 … 100 with VTEPs; hosts VM-10 10.10.0.10 MAC-10, VM-41 10.10.0.41 MAC-11, VM-11 10.10.0.11 MAC-11, VM-20 10.20.0.11 MAC-20.
  16. Putting It All Together: Fabric Security Architecture (slides 16 to 19, progressive build)
     Virtualization Centric Fabric: fabric-scope programmability, E-W / N-S policy enforcement, single management domain
     - Spine is a simple L3 non-blocking interconnect; the underlay (BGP/OSPF) provides inter-rack reachability; all links are active
     - VXLAN L2 extension across all 100 racks over the IP underlay
     - HA leaf services: HA VTEP, active-active LAG towards servers, global E-W vFlow security service insertion
     - Edge security services rack (101): grey vRouter for VTEP, red vRouter to DC network; load balancers; firewall on-a-stick in L2 mode for non-mission-critical traffic with bypass service option; vFlow security ACL for N-S policy enforcement
     - Secure multi-tenancy: Virtual Private Networks for holistic multi-tenancy
     - Security service insertion: granular flow control for conditional security insertion policies
     - Application visibility, built-in (no taps, no brokers, no expensive tools): Pluribus VCF Analytics for mission-critical flow visibility
  20. Connection Flow Analytics: flow metadata from the fabric feeds the VCF Center big data engine (cluster of 1…N server nodes)
     - Integrated in the fabric = simple to deploy
     - Always on, zero touch = simple to use
     - No sampling: every east-west connection
     - TCP connection state machine tracking
     - Tenant aware
  21. Packet Analytics: mirrored packets feed the VCF Center big data engine (cluster of 1…N server nodes)
     - On-demand packet filtering on L1-L4 header fields; packet filters are programmed in hardware
     - Terabit filtering with offload on Broadcom silicon
     - Manage mirror sessions and PCAP files (start and stop PCAP and mirror sessions)
     - Analytics on packet metadata extracted from PCAP
     - Bring-your-own PCAP
  22. Summary/Recap
     1) Macro-segmentation secures E-W traffic
     2) Scalable, HW accelerated, covers P & V
     3) Holistic multi-tenancy = complete isolation
     4) Granular flow control for conditional security insertion policies
     5) Analytics/visibility allows for continual policy improvements
  23. Thank You, Questions?
  24. Fall Webinar Series: pluribusnetworks.com/resources/#webinars
