
Architecting DMZ Virtualization

v1.5

Brad Hedlund, Solutions Architect, Data Center (CCIE #5530, VCP)
February 2010
bhedlund@cisco.com
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential


Policy Driven Network Design: Physical

Each network switch has independent code, control plane, data plane, interfaces & configuration. Isolation provided by physical cabling


Network Virtualization: Logical Partitions

Security zones share a common network switch infrastructure.
Common switch with discrete forwarding tables.
Isolation provided by switch configuration: VLAN, VRF, MPLS, VN-Tag.

H/W Scheduled Control Plane Isolation

Inconsistent Isolation Policies

Attaching differing isolation policies together results in the lowest common denominator policy.
Physical partitions merely become extensions of what is a logical policy architecture.
Considered "Out of Policy" with Physical Isolation.

Server Virtualization with Physical Isolation

How is a physical isolation policy preserved with server virtualization?

Network Policy Moves into the Server (Host)

Server virtualization creates a network inside the Host: a virtual network.
Attempts are made to keep the virtual and physical network policy consistent.
Conventional thinking: "physically separate vSwitches" is the solution.

The False Sense of "vSwitch" Security…

What is a vSwitch?

"Each vSwitch is just a data structure saying what ports are connected to it (along with other information)."

"So while using vSwitches sounds more compartmentalized than VLANs, they provide equivalent separation."
- Mark Bakke, Nexus 1000V Principal Architect, Cisco

Source: http://faz1.com/blog/2009/08/20/two-vswitches-are-better-than-1-right/

Simple Example: Host Memory Footprint with 1 vSwitch

Each network switch has its own independent code and control plane… so adding multiple vSwitches should add multiple copies of unique vSwitch code.
Let's add 11 vSwitches and see what happens…

11 "vSwitches": Same Footprint

11, 20, or 200 "vSwitches" is really 1 switch.
Each "vSwitch" is just a unique logical partition of a single software switch.
Delivers the same concept of logical forwarding partitions as a VLAN.

The Consequential Architecture Based on an Illusion…

Consequences:
Many adapters required per server: one per DMZ, two per DMZ for redundancy, even more to scale bandwidth, and even more for management.
Many adapters in one server force 1GE and prohibit 10GE adoption.
Less bandwidth from 1GE requires more servers with fewer VMs to scale I/O.
Lower physical-to-virtual consolidation ratios.
Larger 4U rackmount servers required for adapter real estate; blade servers prohibitive.
Cannot leverage DVS.

The Result: Inconsistent Policy… and Missed Opportunities

Consistent Policy of Logical Separation: Server + Network Virtualization

Physical switch uses logical isolation consistent with the virtual switch.
Fewer adapters.
10GE & Unified I/O.
Higher consolidation ratios.
Right-sized 1RU-2RU servers.
Blade server inclusive.
DVS inclusive.

Consistent Physical Policy

Virtual network physical isolation consistent with the physical network.
Fewer adapters per server.
10GE & Unified I/O.
Higher consolidation ratios.
Right-sized 1RU/2RU servers.
Blade server inclusive.
DVS inclusive.

H/W Scheduled Control Plane Isolation

Physical network switch uses similar H/W scheduling to the VMware Host.
Switch Consolidation: Nexus 7000 VDC.

Securing the Virtual Switch: Nexus 1000V Security Features

Not available in vSwitch or vDS:
IP Source Guard - duplicate IP and spoofed IP protection
Private VLAN (source enforced) - stop denied frames at the source host
DHCP Snooping - rogue DHCP server protection
Dynamic ARP Inspection - man-in-the-middle protection
IP access control (per VM) filtering - TCP bits/flags (FIN, ACK, PSH, RST, etc.), TCP/UDP ports, ICMP types & codes
MAC ACLs
Port Security

(Diagram: Nexus 1000V VSM with VEMs in the hosts)
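The configuration below is an added illustration, not taken from the slides or from Cisco documentation, of how the features listed above are bound to VM-facing port-profiles on a Nexus 1000V (NX-OS syntax). The VLAN number, the 10.1.10.0/24 web-tier subnet, and the profile and ACL names are assumptions for the example; command availability differs between Nexus 1000V releases, so check each line against the release's security configuration guide before use.

```cisco
! Added example (not from the slides): Nexus 1000V hardening for an assumed DMZ web tier.
! Assumptions: VLAN 10 = DMZ web servers on 10.1.10.0/24; profile and ACL names are illustrative.

feature dhcp

! DHCP snooping builds the IP-to-MAC binding table that IP Source Guard and
! Dynamic ARP Inspection enforce; vEthernet ports are untrusted by default.
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10

! Traffic toward the VM: HTTPS, ping requests, DHCP offers; everything else is dropped in the VEM.
ip access-list DMZ-WEB-TO-VM
  10 permit tcp any 10.1.10.0/24 eq 443
  20 permit icmp any 10.1.10.0/24 echo
  30 permit udp any eq 67 10.1.10.0/24 eq 68
  40 deny ip any any

! Traffic from the VM: only replies from port 443 (ACK set), ping replies and DHCP requests.
! The explicit SYN deny stops a compromised web VM from opening new connections outward.
ip access-list DMZ-WEB-FROM-VM
  10 permit tcp 10.1.10.0/24 eq 443 any ack
  20 permit icmp 10.1.10.0/24 any echo-reply
  30 permit udp any eq 68 any eq 67
  40 deny tcp any any syn
  50 deny ip any any

! VM-facing (vEthernet) profile: the filtering is bound per VM port, not per VLAN.
port-profile type vethernet DMZ-WEB
  vmware port-group
  switchport mode access
  switchport access vlan 10
  ip port access-group DMZ-WEB-FROM-VM in
  ip port access-group DMZ-WEB-TO-VM out
  ip verify source dhcp-snooping-vlan
  switchport port-security
  switchport port-security maximum 1
  switchport port-security violation shutdown
  no shutdown
  state enabled

! Uplink (ethernet) profile: only the path toward the real DHCP server and gateway is trusted.
port-profile type ethernet DMZ-UPLINK
  vmware port-group
  switchport mode trunk
  switchport trunk allowed vlan 10
  ip dhcp snooping trust
  ip arp inspection trust
  no shutdown
  state enabled
```

Ordering inside DMZ-WEB-FROM-VM matters: a SYN-ACK from the web server carries both SYN and ACK and is matched by rule 10 before the SYN deny at rule 40, while a VM-initiated SYN has no ACK and falls through to the deny. After attaching VMs, `show ip dhcp snooping binding` should list one entry per VM port; a VM with a statically assigned, unknown address will have its IP traffic dropped by IP Source Guard until a binding exists.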

Securing the Physical Switch for Network Virtualization

Securing against physical switch attacks:

Attack: MAC Overflow (macof)
Solution: Port Security

Attack: VLAN Hopping
Solution: Best Practice Configuration
 - VLAN tag all frames (including native)
 - disable auto trunking
 - dedicated VLAN ID for trunks

Attack: Spoofed IP, Spoofed MAC
Solution: Dynamic ARP Inspection, IP Source Guard, Port Security

Attack: Rogue DHCP
Solution: DHCP Snooping

Attack: Spanning Tree Spoofing
Solution: Root Guard, BPDU Guard
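The Catalyst IOS fragment below is an added worked example of the attack-to-countermeasure mapping above; it is not from the slides. The VLAN IDs (10, 20, 30 as DMZ zones, 999 as an otherwise unused trunk native VLAN) and interface roles (Gi1/0/1 host access port, Te1/1/1 trunk toward the DMZ firewall or core, Te1/1/2 trunk toward a downstream access switch) are assumptions chosen to show where each control belongs.

```cisco
! Added example (not from the slides): Catalyst IOS countermeasures for the listed attacks.
! Assumptions: VLANs 10,20,30 = DMZ zones; VLAN 999 = dedicated, unused native VLAN for trunks.

! Rogue DHCP: snooping drops DHCP server messages arriving on untrusted ports and records
! the resulting IP/MAC/port bindings used by DAI and IP Source Guard.
ip dhcp snooping
ip dhcp snooping vlan 10,20,30

! Spoofed IP / spoofed MAC: DAI validates ARP against the snooping bindings on these VLANs.
ip arp inspection vlan 10,20,30

! VLAN hopping: tag the native VLAN on every trunk so a double-tagged frame cannot have its
! outer tag stripped and its inner tag honoured; DTP is disabled per interface below.
vlan dot1q tag native

! Spanning tree spoofing: any edge port that receives a BPDU is err-disabled.
spanning-tree portfast bpduguard default

interface GigabitEthernet1/0/1
 description host access port (assumed)
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 ! MAC overflow (macof): cap the learned MACs; "restrict" drops offenders and raises a trap
 ! instead of err-disabling the port, so an attacker cannot knock the host offline.
 switchport port-security
 switchport port-security maximum 10
 switchport port-security violation restrict
 ! IP Source Guard: only source addresses present in the snooping binding table may transmit.
 ip verify source
 spanning-tree portfast
 spanning-tree bpduguard enable

interface TenGigabitEthernet1/1/1
 description trunk toward DMZ firewall / core (assumed)
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 ! The only path on which DHCP server replies and ARP are accepted unchecked.
 ip dhcp snooping trust
 ip arp inspection trust

interface TenGigabitEthernet1/1/2
 description trunk toward downstream access switch (assumed)
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 ! Root guard goes on ports facing away from the legitimate root: a superior BPDU from
 ! downstream puts the port in root-inconsistent state instead of moving the root.
 spanning-tree guard root
```

Two checks a practitioner should run after applying this: `show ip dhcp snooping binding` must show entries for every host before `ip verify source` is enabled on its port, otherwise the host is silently cut off; and `show port-security interface GigabitEthernet1/0/1` confirms the violation counter is climbing during a macof run while the port stays up. Root guard is deliberately absent from Te1/1/1: placing it on the uplink toward the real root would block legitimate root BPDUs.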

Summary

Whatever your policy, physical or logical separation, maintain consistent policy in both the virtual and physical network.
The ILLUSION of "vSwitch" physical separation.
Consequences of the vSwitch illusion: excessive adapters and cables, large servers, and 10GE, DVS and blade servers all prohibited, just to gain an inconsistent policy.
Physically separate networks should be paired with physically separate Hosts to be policy consistent.
The logical separation policy with Server + Network virtualization can be secured with security built in to the physical and virtual network.
