Virtualization & TippingPoint

Finto Thomas, CISSP, TOGAF
fthomas1@in.ibm.com

Agenda

Part 1 - Virtualization & Server

• Virtualization basics (Hypervisor)
• Virtual (VM) switch vs physical switch
• vSwitch, dvSwitch and port group
• VMware vSphere components
• HP BladeSystem Matrix
• C7000 and OA vs iLO
• vConnect

Part 2 – Network & TippingPoint

• North-South & East-West communication (datacenter traffic flow architecture)
• TippingPoint
• SVF – Secure Virtual Framework
• Digital Vaccine – DV
• VMC and SMS servers
• vController + vFirewall

VM-Tipping 2

Self Intro

Disclaimer: Here I’m trying to couple virtual machines to your network skills (intermediate level). Only theoretical discussions; the practical / lab environment is not covered. The materials are gathered from the WW Internet. To view the detailed contents, run the slide show.

Part 1 - Virtualization & Server

In computing, virtualization refers to the act of creating a virtual (rather than actual) version of something, including (but not limited to) a virtual computer hardware platform, operating system (OS), storage device, or computer network resources. (Source: Wikipedia)


Virtualization !!!


Virtual Machine

• A virtual machine is a software computer that, like a physical computer, runs an operating system and applications. The hypervisor serves as a platform for running virtual machines and allows for the consolidation of computing resources. Each virtual machine contains its own virtual, or software-based, hardware, including a virtual CPU, memory, hard disk, and network interface card.

• A hypervisor or virtual machine monitor (VMM) is a piece of computer software, firmware or hardware that creates and runs virtual machines. A computer on which a hypervisor is running one or more virtual machines is defined as a host machine. Each virtual machine is called a guest machine.

• Because virtual machines are decoupled from specific underlying physical hardware, virtualization allows you to consolidate physical computing resources such as CPUs, memory, storage, and networking into pools of resources that can be dynamically and flexibly made available to virtual machines. With appropriate management software, such as vCenter Server, you can also use a number of features that increase the availability and security of your virtual infrastructure.


Virtual Machine (Hypervisor Type 1 & 2)

Picture 1: ESXi or Hyper-V or KVM
1. Type 1 – Bare metal hypervisor
2. Better performance
3. Single point of failure? Really?
4. Hardware, expertise and cost

Picture 2: VMware Workstation or VirtualBox or KVM
1. Type 2 – Software-based virtualization
2. Better hardware compatibility
3. Single point of failure?
4. Host OS impacts the performance

Type 1 hypervisors are commonly considered bare metal hypervisors, in that the hypervisor code itself runs directly on top of your hardware. Type 1 hypervisors tend to enjoy much better performance than type 2 hypervisors, due in part to their direct positioning on top of hardware. Unlike type 1 hypervisors, a type 2 hypervisor must be installed on top of an existing OS. These hypervisors tend to have better hardware compatibility because they use software-based virtualization.


Virtual Machine Product Lines


Physical Topology of vSphere (Components)

A typical VMware vSphere datacenter consists of basic physical building blocks such as x86 virtualization servers, storage networks and arrays, IP networks, a management server, and desktop clients.

The vSphere datacenter topology includes the following components.

• Compute servers : Industry standard x86 servers that run ESXi on the bare metal. ESXi software provides resources for and runs the virtual machines. Each computing server is referred to as a standalone host in the virtual environment. You can group a number of similarly configured x86 servers with connections to the same network and storage subsystems to provide an aggregate set of resources in the virtual environment, called a cluster.

• Storage networks and arrays : Fibre Channel SAN arrays, iSCSI SAN arrays, and NAS arrays are widely used storage technologies supported by VMware vSphere to meet different datacenter storage needs. The storage arrays are connected to and shared between groups of servers through storage area networks.

• IP networks : Each compute server can have multiple physical network adapters to provide high bandwidth and reliable networking to the entire VMware vSphere datacenter.

• vCenter Server : vCenter Server (it is a service!) provides a single point of control to the datacenter. It provides essential datacenter services such as access control, performance monitoring, and configuration. It unifies the resources from the individual computing servers to be shared among virtual machines in the entire datacenter. It does this by managing the assignment of virtual machines to the computing servers and the assignment of resources to the virtual machines within a given computing server, based on the policies that the system administrator sets.

• Management clients : VMware vSphere provides several interfaces for datacenter management and virtual machine access. These interfaces include VMware vSphere Client (vSphere Client), vSphere Web Client for access through a web browser, or vSphere Command-Line Interface (vSphere CLI).


Architectures – VMware || Hyper-V || KVM

Picture 3: VMware architecture
Picture 4: KVM architecture
Picture 5: Hyper-V architecture

Only for reference, no explanation

VMware and Hyper-V are for x86 processor architectures; KVM can support x86, POWER and others, and it is open source.

Physical Vs Virtual switch


vSwitch vs dvSwitch

| Feature | Standard Switch | Distributed Switch |
| --- | --- | --- |
| Management | Standard switch needs to be managed at each individual host level | Provides centralized management and monitoring of the network configuration of all the ESXi hosts that are associated with the dvSwitch |
| Licensing | Standard switch is available for all licensing editions | Distributed switch is only available for the Enterprise edition of licensing |
| Creation & configuration | Standard switch can be created and configured at ESX/ESXi host level | Distributed switch can be created and configured at the vCenter Server level |
| Layer 2 switch | Yes, can forward Layer 2 frames | Yes, can forward Layer 2 frames |
| VLAN segmentation | Yes | Yes |
| 802.1Q tagging | Can use and understand 802.1Q VLAN tagging | Can use and understand 802.1Q VLAN tagging |
| NIC teaming | Yes, can utilize multiple uplinks to form a NIC team | Yes, can utilize multiple uplinks to form a NIC team |
| Outbound traffic shaping | Can be achieved using standard switch | Can be achieved using distributed switch |
| Inbound traffic shaping | Not available as part of standard switches | Only possible at distributed switch |
| VM port blocking | Not available as part of standard switches | Only possible at distributed switch |
| Private VLAN | Not available | PVLAN can be created as part of dvSwitch. 3 types of PVLAN (Promiscuous, Community and Isolated) |
| Load based teaming | Not available | Can be achieved using distributed switch |
| Network vMotion | Not available | Can be achieved using distributed switch |
| Per port policy setting | Policy can be applied at switch and port group | Policy can be applied at switch, port group and even per port level |
| NetFlow | Not available | Yes |
| Port mirroring | Not available | Yes |

Picture 8: vSwitch
Picture 9: dvSwitch
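The private VLAN row above lists three port types but does not say who can reach whom, which is the point of using PVLANs for segmentation on a dvSwitch. The following is an added example, not code from the slides or from VMware: it models the three port types with standard PVLAN semantics and computes a reachability matrix over a constructed set of VM ports. The port names, VLAN numbers and the `PvlanPort` type are assumptions made for the example.

```python
# Added example (not from the slides): models the three private VLAN port types a
# dvSwitch supports and decides whether two VM ports may exchange Layer 2 frames.
from dataclasses import dataclass

PROMISCUOUS = "promiscuous"
COMMUNITY = "community"
ISOLATED = "isolated"


@dataclass(frozen=True)
class PvlanPort:
    name: str
    primary_vlan: int     # the primary PVLAN the port belongs to
    secondary_vlan: int   # secondary VLAN id (equals the primary for promiscuous ports)
    kind: str             # one of PROMISCUOUS, COMMUNITY, ISOLATED


def can_talk(a: PvlanPort, b: PvlanPort) -> bool:
    """Return True if frames may flow between the two ports.

    Standard PVLAN rules:
      * ports in different primary VLANs never talk;
      * a promiscuous port talks to every port in its primary VLAN;
      * community ports talk to promiscuous ports and to ports in the same community;
      * isolated ports talk only to promiscuous ports, never to each other.
    """
    if a.primary_vlan != b.primary_vlan:
        return False
    if a.kind == PROMISCUOUS or b.kind == PROMISCUOUS:
        return True
    if a.kind == COMMUNITY and b.kind == COMMUNITY:
        return a.secondary_vlan == b.secondary_vlan
    return False  # at least one isolated port and no promiscuous partner


def reachability_matrix(ports):
    """Map each port name to the set of other port names it can reach."""
    return {p.name: {q.name for q in ports if q is not p and can_talk(p, q)} for p in ports}


# Constructed sample: primary VLAN 100 with community 101 and isolated 102,
# plus one promiscuous port in an unrelated primary VLAN 200.
SAMPLE_PORTS = [
    PvlanPort("gateway", 100, 100, PROMISCUOUS),
    PvlanPort("web-a", 100, 101, COMMUNITY),
    PvlanPort("web-b", 100, 101, COMMUNITY),
    PvlanPort("db-x", 100, 102, ISOLATED),
    PvlanPort("db-y", 100, 102, ISOLATED),
    PvlanPort("other", 200, 200, PROMISCUOUS),
]

if __name__ == "__main__":
    for name, peers in reachability_matrix(SAMPLE_PORTS).items():
        print(f"{name:8} -> {sorted(peers)}")
```

Running it shows the isolated `db-x` and `db-y` ports reaching only the promiscuous gateway, which is the behaviour a standard vSwitch cannot give you without a separate VLAN per VM.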


Port Groups and VLAN

• Each (virtual) port group is identified by a network label, which is unique to the current host. Network labels are used to make virtual machine configuration portable across hosts. All port groups in a datacenter that are physically connected to the same network (in the sense that each can receive broadcasts from the others) are given the same label. Conversely, if two port groups cannot receive broadcasts from each other, they have distinct labels.

• A VLAN ID, which restricts port group traffic to a logical Ethernet segment within the physical network, is optional. If you use VLAN IDs, you must change the port group labels and VLAN IDs together so that the labels properly represent connectivity.
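Because a migrating VM keeps its network label, a label that maps to different VLAN IDs on different hosts silently puts the VM on the wrong segment after vMotion. The following is an added example, not part of the slides or of VMware's tooling: it audits a constructed inventory of standard-switch port groups (host, label, VLAN ID) for exactly the label/VLAN consistency the bullets above require. The host names, labels and VLAN numbers are made up for the example; on a real vCenter you would build the same dictionary from the API.

```python
# Added example (not from the slides): audits standard-switch port groups across
# hosts so that a network label means the same VLAN on every host a VM can move to.
from collections import defaultdict


def audit_port_groups(inventory):
    """inventory: {host: {label: vlan_id}}. Returns a list of finding strings.

    Checks three conditions behind "labels represent connectivity":
      VLAN_MISMATCH  the same label maps to different VLAN IDs on different hosts
      LABEL_MISSING  a label is absent on some hosts (vMotion target has no matching network)
      DUPLICATE_VLAN one VLAN ID appears under several labels (naming drift)
    """
    hosts = sorted(inventory)
    vlans_by_label = defaultdict(dict)  # label -> {host: vlan}
    labels_by_vlan = defaultdict(set)   # vlan -> {labels}
    for host, groups in inventory.items():
        for label, vlan in groups.items():
            vlans_by_label[label][host] = vlan
            labels_by_vlan[vlan].add(label)

    findings = []
    for label, per_host in sorted(vlans_by_label.items()):
        if len(set(per_host.values())) > 1:
            detail = ", ".join(f"{h}={per_host[h]}" for h in sorted(per_host))
            findings.append(f"VLAN_MISMATCH {label}: {detail}")
        missing = [h for h in hosts if h not in per_host]
        if missing:
            findings.append(f"LABEL_MISSING {label}: not on {', '.join(missing)}")
    for vlan, labels in sorted(labels_by_vlan.items()):
        if len(labels) > 1:
            findings.append(f"DUPLICATE_VLAN {vlan}: labels {', '.join(sorted(labels))}")
    return findings


# Constructed inventory: three ESXi hosts in one cluster.
SAMPLE_INVENTORY = {
    "esx01": {"Prod-Web": 10, "Prod-DB": 20, "Mgmt": 99},
    "esx02": {"Prod-Web": 10, "Prod-DB": 21, "Mgmt": 99},  # VLAN typo on one host
    "esx03": {"Prod-Web": 10, "Prod_DB": 20, "Mgmt": 99},  # label drift, no "Prod-DB"
}

if __name__ == "__main__":
    for finding in audit_port_groups(SAMPLE_INVENTORY):
        print(finding)
```

The sample produces four findings: a VLAN mismatch and a missing host for `Prod-DB`, a missing-label finding for the drifted `Prod_DB`, and VLAN 20 appearing under two labels.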


ESX vSwitch : Capabilities


vSphere


vSphere Network Setting


HP BladeSystem Matrix

• It is built upon the core technologies of HP BladeSystem, HP Virtual Connect, HP Insight software and implementation services. It also includes optimized support for HP StorageWorks and factory integration and onsite services.

• BladeSystem Matrix delivers a converged infrastructure built on well-established HP technologies and functionality including:
  • HP BladeSystem c-Class c7000 enclosure, server blades (ex: DL360 G8 – half blade), Virtual Connect with Flex-10, and Thermal Logic
  • HP Insight software
  • Factory Integration, Factory Express, and Technology Services
  • HP StorageWorks 4400 Enterprise Virtual Array Starter Kit

• Onboard Administrator (OA) for the enclosure: HP Onboard Administrator for BladeSystem delivers unmatched blade enclosure power and remote management capability, now with KVM capability.

• iLO: HP Integrated Lights-Out (iLO) provides the automated intelligence to maintain complete server control from any place. HP iLO functions out-of-the-box without additional software installation, regardless of the server's state of operation, giving you complete access to your server from any location via a web browser or the iLO Mobile App.


HP c7000 enclosure view

• Single-phase AC input, 3-phase AC input, -48V DC input, and high voltage DC input.

• With Onboard Administrator, iLO remote management, and HP OneView you can manage your servers and take complete control regardless of the state of the server operating system.

• Hot plug redundant standard

• Form factor - 10U

• BladeSystem supported

HP Onboard Administration -OA vs iLO


HP vConnect and Flex-Connect

Reduce costs and simplify connections to SANs, consolidate your network connections, and enable administrators to add, replace and recover server resources on-the-fly. Being standards-based, it looks like a pass-thru device to the Fibre Channel network, yet provides all the key benefits of integrated switching, including high performance 16 Gb uplinks to the SAN. VCM / VCEM are used to manage vConnect.


Part 1 Recap …

• Have you downloaded and played around with the VM trials provided by VMware?
• What is vMotion, and why does it require dedicated EW (east-west) communication?
• What are the drawbacks of virtualization?
• Any security breach noticed? How is inter-VM communication secured?
• What is vShield, vApp?
• ToR!! The Onion Router? No… it’s Top of Rack!!!
• How many vSS / dvS in a 16-blade enclosure, as a minimum?


Part 2 – Network & Tipping Point


North-South & East-West


Datacenter Traffic

Data centers have grown to become more modular, reaching thousands of VMs across the hosts, and networks are shifting from the traditional three-tier model (top-of-rack/aggregation/core) to a flattened (leaf/ToR-spine/core) topology. These changes imply a change in traffic from a north-south orientation to an east-west orientation; consequently, 75% of data center traffic is now east-west.
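The east-west share matters for security because VM-to-VM traffic never crosses the perimeter where a physical IPS sits. The following is an added example, not from the slides: it classifies constructed NetFlow-style records as east-west (both endpoints inside the data center prefixes) or north-south and computes the byte share of each, which is the measurement behind the 75% figure. The prefixes, addresses and byte counts are made up for the example.

```python
# Added example (not from the slides): classifies flow records as east-west or
# north-south by whether both endpoints fall inside the data-center prefixes.
import ipaddress

# Constructed data-center address space.
DC_PREFIXES = [ipaddress.ip_network(p) for p in ("10.10.0.0/16", "10.20.0.0/16")]


def is_internal(addr, prefixes=DC_PREFIXES):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in prefixes)


def classify(flow, prefixes=DC_PREFIXES):
    """'east-west' when src and dst are both data-center addresses, else 'north-south'."""
    both = is_internal(flow["src"], prefixes) and is_internal(flow["dst"], prefixes)
    return "east-west" if both else "north-south"


def traffic_split(flows, prefixes=DC_PREFIXES):
    """Bytes and percentage per direction; percentages rounded to one decimal."""
    totals = {"east-west": 0, "north-south": 0}
    for flow in flows:
        totals[classify(flow, prefixes)] += flow["bytes"]
    grand = sum(totals.values()) or 1  # avoid division by zero on an empty input
    return {k: {"bytes": v, "percent": round(100.0 * v / grand, 1)} for k, v in totals.items()}


# Constructed NetFlow-style records (src, dst, bytes).
SAMPLE_FLOWS = [
    {"src": "10.10.1.5", "dst": "10.20.3.9", "bytes": 600_000},    # web tier -> db tier
    {"src": "10.20.3.9", "dst": "10.10.1.5", "bytes": 900_000},    # db tier reply
    {"src": "203.0.113.7", "dst": "10.10.1.5", "bytes": 300_000},  # Internet client -> web tier
    {"src": "10.10.1.5", "dst": "203.0.113.7", "bytes": 200_000},  # web tier -> Internet client
]

if __name__ == "__main__":
    for direction, stats in traffic_split(SAMPLE_FLOWS).items():
        print(f"{direction:12} {stats['bytes']:>10} bytes  {stats['percent']:5.1f}%")
```

On the constructed sample the web-to-db exchange dominates, so east-west comes out at 75% of bytes; the same split run over a real NetFlow export from the dvSwitch tells you how much traffic a perimeter-only IPS never sees.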


HP TippingPoint

• TippingPoint now functions as a part of the HP Enterprise Security Products business in the HP Software Division. Originally, TippingPoint was an American software company with roots back to 1999, focused on network security products, particularly intrusion prevention systems for networks. Until September 2011, TippingPoint was within HP Networking, the networking division of HP. It then transferred to the HP Software Division.

• HP maintains the TippingPoint name today. In September 2013, HP announced that it entered the next-generation firewall market with a new line of TippingPoint firewalls. The new line extends TippingPoint's existing intrusion prevention system (IPS) appliances with traditional stateful packet filtering and application control.

• Security (S) Product Lines (8):
  • NG Intrusion Prevention System
  • NG Firewall
  • TippingPoint DVLabs
  • APT – Advanced Threat Appliance
  • Security Management System (SMS)
  • Digital Vaccine Toolkit
  • ThreatDV (Reputation Service)
  • ThreatLinQ

• Where is vConnect in the product list?


HP TippingPoint Product


SVF – Secure Virtual Framework

• The HP TippingPoint Secure Virtualization Framework (SVF) is designed specifically for implementing threat protection for the virtualized infrastructure.

• The HP TippingPoint Virtual Controller + Virtual Firewall (vController+vFW) extends the IPS Platform for data center security from the physical to the virtual data center, enforcing security policies on VMs and mobile VMs. The vController+vFW and Virtual Management Center are purpose-built software solutions designed to enable and enforce full data center firewall segmentation and IPS inspection between trust zones for physical hosts, virtual machines (VMs) and even mobile VMs. The vController+vFW intercepts all packets within the hypervisor and, based upon user-defined policies, permits traffic, blocks traffic, or tunnels packets to an HP TippingPoint N-Platform IPS for inspection.

Key features
• Single solution for physical & virtual data center
• Purpose-built for virtualization security
• Real-time visibility of the entire virtual data center
• VMware certified, VMsafe compatible
• Security policies follow VMs

Components
• HP TippingPoint
  • IPS Platform
  • vController + vFirewall
  • vConnect & VCM/VCEM (optional)
  • SMS
• VMware vSphere
  • ESXi – hypervisor
  • vCenter Server
  • vSphere Client
  • VMsafe


SVF Component overview

• Purpose-built data center segmentation solution: The HP TippingPoint vController and vMC are purpose-built software solutions designed to enable the physical IPS platform to enforce full data center segmentation of trust zones for physical hosts, virtual machines (VMs), and even mobile VMs. The vController intercepts all packets within the hypervisor and, based upon user-defined policies, tunnels packets to an HP N Series IPS for inspection.

• The vController provides a direct path to the TippingPoint IPS Platform (appliance) to inspect and control VM-to-VM communications. Using the VMsafe API, the vController efficiently directs appropriate traffic to TippingPoint’s appliance, and its threat suppression engine (TSE) ensures the performance and control required in the virtual data center. The vController and IPS Platform also operate in unison to support HA capabilities, including failover of the vController when HA requirements and configured policy dictate.

• The TippingPoint SMS is an enterprise class management platform that provides administration, configuration, monitoring and reporting for multiple TippingPoint IPS platforms. Because the TippingPoint SMS provides a scalable, policy-based operational model, it enables straightforward management of large scale IPS deployments across both physical and virtualized infrastructure.

• This is in addition to the TippingPoint Security Management System (SMS), which provides a valuable tool for security policy management, monitoring and reporting. TippingPoint’s integration with VMware’s VMsafe APIs via Reflex Systems’ vTrust and Reflex’s Virtual Management Center (VMC) provides many advantages:
  • Automatic discovery and graphical mapping of virtual infrastructure topology
  • Supports separation of duties (SoD) between operations and network/security teams
  • Security teams can monitor vSwitch and VM changes to identify tampering or disablement of security controls
  • Upgradeable and compatible with full Reflex VMC
  • Complete visibility and control over the entire virtual infrastructure

TippingPoint NG IPS

• Digital Vaccine Filter Service — New filters are continuously fed to the IPS device to keep it up to date against the latest vulnerabilities
• ThreatLinQ Portal — Easy to use, real time threat monitoring that allows users to optimize their network security
• Reputation Digital Vaccine Service — Allows organizations to recognize and block "bad traffic" at the network perimeter
• Application Digital Vaccine — Provides granular application control and bandwidth rate limiting
• Digital Vaccine Toolkit — Allows users in sensitive environments to build their own filters
• Web App Digital Vaccine — Identifies and remedies vulnerabilities within custom built applications without affecting network performance


TippingPoint NG IPS Initial setup

1. Connect cables into the IPS segments (pairs of ingress / egress ports).
2. Use the serial cable to set up the IP address and user credentials at ‘Security level two’:
   • Level 0 - Weak security checking
   • Level 1 - Basic security checking
   • Level 2 - Recommended maximum security checking
3. Connect to the web GUI, the LSM (Local Security Manager), at the IP address set in the previous step.
4. TOS update: update the TippingPoint Operating System to the latest version.
5. DV update: update the Digital Vaccine to the latest version to get the inspection packages, and enable them.
6. Apply the profile / filters to the connected segment.
   • IPS Digital Vaccine (DV) filters monitor traffic passing between network segments. Based on the Security Profiles configured on the device, the IPS applies the filters to traffic on each segment included in the profile. Each Security Profile has its own filter settings. Within a Security Profile, you can accept the recommended settings for a filter category or, if necessary, customize individual filters based on your network environment and security needs.
   • You configure filters separately for each Security Profile configured on the IPS device. When a profile is initially created, all filters are set to the default Category Settings. You can change the Category Settings for filters or edit individual filters from the Edit Security Profile page in the LSM.
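Step 6 describes a precedence: a segment is bound to a Security Profile, the profile carries Category Settings that every filter inherits, and an individual filter may be customized to override its category. The following is an added example, not code from the slides or from TippingPoint: it models that resolution over a constructed filter catalogue and two constructed profiles, and adds the audit an operator wants before applying a profile, namely which per-filter overrides are weaker than their category default. The action names, filter IDs, category names and segment names are assumptions made for the example.

```python
# Added example (not from the slides): resolves the action applied to a DV filter on
# a segment following segment -> Security Profile -> Category Setting -> filter override.
from dataclasses import dataclass, field

# Assumed action vocabulary, ordered from strictest to weakest.
ACTION_RANK = {"block": 3, "permit+notify": 2, "permit": 1, "disabled": 0}


@dataclass
class SecurityProfile:
    name: str
    category_settings: dict                          # category -> action
    filter_overrides: dict = field(default_factory=dict)  # filter id -> action

    def action_for(self, filter_id, category):
        """A customized filter wins over its category; unknown categories are disabled."""
        if filter_id in self.filter_overrides:
            return self.filter_overrides[filter_id]
        return self.category_settings.get(category, "disabled")


# Constructed DV filter catalogue: filter id -> category.
SAMPLE_FILTERS = {
    "1001": "Exploits",
    "1002": "Exploits",
    "2001": "Reconnaissance",
    "3001": "Traffic Normalization",
}

# Constructed profiles and the segments they are applied to.
DMZ = SecurityProfile(
    "dmz",
    {"Exploits": "block", "Reconnaissance": "permit+notify", "Traffic Normalization": "block"},
    filter_overrides={"1002": "permit+notify"},  # relaxed after a false positive
)
LAB = SecurityProfile("lab", {"Exploits": "permit+notify"})
SEGMENT_PROFILE = {"seg1": DMZ, "seg2": LAB}


def resolve(segment, filter_id, filters=SAMPLE_FILTERS, bindings=SEGMENT_PROFILE):
    """Action the IPS takes for one filter on one segment."""
    return bindings[segment].action_for(filter_id, filters[filter_id])


def effective_policy(filters=SAMPLE_FILTERS, bindings=SEGMENT_PROFILE):
    """Full (segment, filter) -> action table for a change review before applying."""
    return {(seg, fid): resolve(seg, fid, filters, bindings)
            for seg in sorted(bindings) for fid in sorted(filters)}


def weaker_overrides(profile, filters=SAMPLE_FILTERS):
    """Per-filter overrides that relax the category default: (filter, default, override)."""
    weaker = []
    for fid, action in profile.filter_overrides.items():
        default = profile.category_settings.get(filters[fid], "disabled")
        if ACTION_RANK[action] < ACTION_RANK[default]:
            weaker.append((fid, default, action))
    return weaker


if __name__ == "__main__":
    for (seg, fid), action in effective_policy().items():
        print(f"{seg} filter {fid:5} -> {action}")
    print("relaxed on dmz:", weaker_overrides(DMZ))
```

The `lab` profile shows the other edge worth knowing: a category the profile never sets resolves to disabled, so a freshly created profile only protects the categories you have explicitly configured.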


LSM & SMS Servers


SMS : IPS integration


SMS – Security Management System

• SMS Event page
• SMS Profile
• SMS \ Filter
• SMS Device \ Log


vController + vFirewall + VMC

• vMC shows real-time stats of vCenter
• Topology view
• Easy to deploy vController in a VM
• Inventory view
• vController Workspace: zone creation with VQL (read-only), e.g. Pg.name=Department project vm
• vController Policy editor: policy creation by VQL, e.g. Vm.name contains ‘Bugzilla web’
• To direct specific traffic to IPS inspection, or allow / block by firewall
• Monitor SMS for events
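The two VQL fragments on the slide (a port-group match for a zone, a VM-name match for a policy) are enough to show how attribute-based zoning feeds a firewall decision. The following is an added example, not from the slides or from TippingPoint or Reflex: it parses a small VQL-like subset (`Vm.<attr>` or `Pg.<attr>` with `=` or `contains`), assigns constructed VMs to zones by first matching rule, and then picks the vController action for a VM-to-VM flow from a zone-pair policy with wildcards. The grammar, the zone and VM names and the action names (`allow`, `block`, `inspect` for tunnelling to the IPS) are assumptions; the real VQL syntax is not documented on the slide.

```python
# Added example (not from the slides): a VQL-like zone matcher plus a zone-pair policy
# that yields the vController action (allow / block / inspect) for a VM-to-VM flow.
import re

# Assumed grammar: Vm.attr = 'value' | Vm.attr contains 'value' | same for Pg.
VQL_RE = re.compile(r"^(Vm|Pg)\.(\w+)\s*(=|contains)\s*'([^']*)'$")


def compile_vql(expr):
    """Turn "Vm.name contains 'Bugzilla web'" into a predicate over a VM record."""
    m = VQL_RE.match(expr.strip())
    if not m:
        raise ValueError(f"unsupported VQL: {expr}")
    obj, attr, op, value = m.groups()
    key = f"{obj.lower()}_{attr}"  # Vm.name -> vm_name, Pg.name -> pg_name
    if op == "=":
        return lambda vm: vm.get(key) == value
    return lambda vm: value.lower() in str(vm.get(key, "")).lower()


def assign_zones(vms, zone_rules):
    """zone_rules: ordered (zone, vql) pairs; first match wins, else 'unzoned'."""
    compiled = [(zone, compile_vql(q)) for zone, q in zone_rules]
    return {vm["vm_name"]: next((z for z, pred in compiled if pred(vm)), "unzoned")
            for vm in vms}


def decide(src_zone, dst_zone, policy, default="block"):
    """policy: {(src_zone, dst_zone): action}; '*' is a wildcard on either side.
    Exact pair beats src wildcard beats dst wildcard beats catch-all; unmatched flows get default."""
    for key in ((src_zone, dst_zone), (src_zone, "*"), ("*", dst_zone), ("*", "*")):
        if key in policy:
            return policy[key]
    return default


# Constructed inventory, zone rules and policy.
SAMPLE_VMS = [
    {"vm_name": "Bugzilla web 01", "pg_name": "Department project vm"},
    {"vm_name": "Bugzilla db 01", "pg_name": "Department project vm"},
    {"vm_name": "jumpbox", "pg_name": "Mgmt"},
    {"vm_name": "scratch-vm", "pg_name": "Lab"},
]
ZONE_RULES = [
    ("web", "Vm.name contains 'Bugzilla web'"),
    ("project", "Pg.name = 'Department project vm'"),
    ("mgmt", "Pg.name = 'Mgmt'"),
]
POLICY = {
    ("web", "project"): "inspect",  # tunnel web->db traffic to the IPS
    ("mgmt", "*"): "allow",
    ("unzoned", "*"): "block",
    ("*", "web"): "inspect",
}


def flow_action(src_vm, dst_vm, vms=SAMPLE_VMS, rules=ZONE_RULES, policy=POLICY):
    zones = assign_zones(vms, rules)
    return decide(zones[src_vm], zones[dst_vm], policy)


if __name__ == "__main__":
    print(assign_zones(SAMPLE_VMS, ZONE_RULES))
    print(flow_action("Bugzilla web 01", "Bugzilla db 01"))
```

Rule order matters: `Bugzilla web 01` also sits on the project port group, but the more specific name rule is listed first and claims it for the `web` zone, which is what makes the web-to-db pair land on the inspect policy rather than an intra-project allow.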


Part 2 Recap…

• ASICs and multi-core processors have traditionally been used with IPS applications. This luxury is not available in virtualized environments, because virtualization technologies typically do not allow direct hardware access to the underlying application-specific hardware. Virtualization is well suited for general purpose applications which would otherwise be underutilized on dedicated hosting hardware. Overcompensating for the loss of specific hardware by using larger than normal amounts of compute cycles for encryption, or memory for state maintenance, defeats the purpose of server virtualization.
• How are vCenter and vController connected, and where does the initial vController service run?
• Which firewall is really working, vShield or vController?
• How does SMS identify the real event in the ocean of events from the IPS?


Thank you

Finto Thomas, CISSP, TOGAF
fthomas1@in.ibm.com