Page 1: New Threats, New Approaches in Modern Data Centers

NAVAL POSTGRADUATE SCHOOL

Page 2: New Threats, New Approaches in Modern Data Centers

New Threats, New Approaches in Modern Data Centers

Page 3: New Threats, New Approaches in Modern Data Centers

Why did we re-architect our Data Center

• Understand the architecture and design requirements of multi-tenancy environment
• Isolate threats through micro-segmentation and granular network controls
• Apply flexible security policies at the VM level

Page 4: New Threats, New Approaches in Modern Data Centers

Center for Cyberwarfare - CCW

The lab is used to conduct research and education to provide the modern warfighter with tactical and operational responses to cyber threats.

Page 5: New Threats, New Approaches in Modern Data Centers
Page 6: New Threats, New Approaches in Modern Data Centers

Legacy lab implementation

• Built by CCW with pizza box servers using various ad hoc storage systems.
• ITACS took over responsibilities of maintaining the cyberlab project in late 2014.
• Inadequate resources – not scalable.
• Many single points of failure.
• Missing adequate licensing for some services.
• Not in a data center environment.

Page 7: New Threats, New Approaches in Modern Data Centers

Why have lab isolation?

• Advanced Persistent Threats
• Human error – Insider Threat
• Protection against coordinated attacks
• Provide researchers with sandbox for malware inspection
• Offer a clean slate for each class room from quarter to quarter

Page 8: New Threats, New Approaches in Modern Data Centers

Challenges overcome

• Cyberlab 2.0 addresses the following issues:
  – Single points of failure removed
  – Replaced AD Controller and Load Balancer physical devices with virtual to decrease total cost of ownership
  – 2 racks of equipment consolidated to 2U HCI
  – Reduced time required to provision labs for classes each quarter
  – Ability to customize networks for class differences such as: firewall rules, student permissions, threat types

Page 9: New Threats, New Approaches in Modern Data Centers

HOW WE DID IT

Page 10: New Threats, New Approaches in Modern Data Centers

Adding VDI increased the security surface area

• The converged infrastructure means virtual desktops run on the same infrastructure as servers.

[Figure: Data Center Perimeter; labels: Internet, East, West; three VDI instances inside the perimeter]

Page 11: New Threats, New Approaches in Modern Data Centers


Haven’t We Learned Anything from a Perimeter-Centric Focus?

“The Empire doesn't consider a small one-man fighter to be any threat, or they'd have a tighter defense. An analysis of the plans provided by Princess Leia has demonstrated a weakness in the battle station. …The shaft leads directly to the reactor system. A precise hit will start a chain reaction which should destroy the station.”

--General Dodanna

A Long Time Ago…In a Galaxy Far Far Away...

Page 12: New Threats, New Approaches in Modern Data Centers


The M&M Approach to Security

“In today’s new threat landscape, this M&M and ‘trust but verify’ is no longer an effective way of enforcing security.”

Forrester Research, in response to NIST RFI 130208119-3119-01, “Developing a Framework to Improve Critical Infrastructure Cyber-Security”

Page 13: New Threats, New Approaches in Modern Data Centers

Trading Off Context and Isolation

[Figure: Traditional Approach. Software Defined Data Center (SDDC) platform: Any Application, Any x86, Any Storage, Any IP network; Data Center Virtualization. Labels: enforcement at the Application/OS layer gives High Context, Low Isolation; enforcement at the Hypervisor/vSwitch layer gives High Isolation, Low Context; No Ubiquitous Enforcement.]

Page 14: New Threats, New Approaches in Modern Data Centers

The Compromise Between Desired End State & Operational Feasibility

[Figure: WAN; “X” firewalls vs “X” + 1000 workloads]

A typical data center has:

• Directing all traffic (virtual + physical) through chokepoint firewalls is inefficient
• And a physical firewall per workload is cost prohibitive

Page 15: New Threats, New Approaches in Modern Data Centers

SDDC Virtualization Layer – Delivers Both Context and Isolation

[Figure: SDDC Approach. Software Defined Data Center (SDDC) platform: Any Application, Any x86, Any Storage, Any IP network; Data Center Virtualization. Labels: Application, OS, Hypervisor, vSwitch; High Context, High Isolation, Ubiquitous Enforcement; Secure Host Introspection.]

Page 16: New Threats, New Approaches in Modern Data Centers

Micro-segmentation with NSX

• Isolation: no communication path between unrelated networks (Production, Test, Dev Network)
• Segmentation: controlled communication path within a single network (Web, App, DB)
• Advanced services: addition of 3rd party security, as needed by policy

Page 17: New Threats, New Approaches in Modern Data Centers

Move from “Network Centric” to “Class Centric” Deployments

[Figure: Traditional Data Center vs NSX Data Center.
Traditional Data Center labels: Perimeter firewall; Inside firewall; DMZ/Web VLAN, App VLAN, DB VLAN and Services/Management VLAN, each VLAN holding Class-A and Class-B VMs; Services and Mgmt VMs.
NSX Data Center labels: Perimeter firewall; Class-A and Class-B groups, each with its own DMZ/Web, App and DB VMs; Services/Management Group with Services and Mgmt VMs.]
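As an added illustration of this slide and the preceding micro-segmentation slide (example code, not part of the original deck), the block below encodes a tier-VLAN policy and a class-centric policy as distributed-firewall style rules and checks each for allowed cross-class flows. Group names (Class-A, Class-B, Web/App/DB, Services/Mgmt) follow the slide; the ports and the management SSH rule are constructed assumptions.

```python
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Rule:
    """One distributed-firewall style rule between two security groups."""
    src: str      # e.g. "Class-A/Web"
    dst: str
    port: int     # constructed example ports, not from the deck
    action: str   # "allow" or "deny"

CLASSES = ["Class-A", "Class-B"]
TIERS = ["Web", "App", "DB"]
MGMT = "Services/Mgmt"
# Constructed three-tier flows that must work inside a class (ports assumed).
TIER_FLOWS = [("Web", "App", 8080), ("App", "DB", 5432)]

def vlan_centric_policy(classes=CLASSES):
    """Network-centric rules keyed on tier VLANs: any Web VM may reach any
    App VM, so the policy cannot tell Class-A from Class-B."""
    return [Rule(f"{c1}/{s}", f"{c2}/{d}", p, "allow")
            for s, d, p in TIER_FLOWS for c1, c2 in product(classes, repeat=2)]

def class_centric_policy(classes=CLASSES):
    """Class-centric rules: tier flows stay inside one class; the shared
    management group gets SSH (assumed) to every tier."""
    rules = [Rule(f"{c}/{s}", f"{c}/{d}", p, "allow")
             for c in classes for s, d, p in TIER_FLOWS]
    rules += [Rule(MGMT, f"{c}/{t}", 22, "allow") for c in classes for t in TIERS]
    return rules

def evaluate(rules, src, dst, port):
    """First-match evaluation with an implicit default deny."""
    for r in rules:
        if (r.src, r.dst, r.port) == (src, dst, port):
            return r.action
    return "deny"

def cross_class_leaks(rules, classes=CLASSES):
    """Every (src, dst, port) the policy allows between two different classes,
    i.e. a violation of 'no communication path between unrelated networks'."""
    groups = [f"{c}/{t}" for c in classes for t in TIERS]
    ports = sorted({r.port for r in rules})
    return [(s, d, p) for s, d in product(groups, repeat=2)
            if s.split("/")[0] != d.split("/")[0]
            for p in ports if evaluate(rules, s, d, p) == "allow"]

if __name__ == "__main__":
    print("VLAN-centric leaks:", cross_class_leaks(vlan_centric_policy()))
    print("Class-centric leaks:", cross_class_leaks(class_centric_policy()))
```

The same check can be run against an exported rule set to confirm that a policy change has not opened a path between classes.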

Page 18: New Threats, New Approaches in Modern Data Centers

FY16 House NDAA Report Cyber Defense Network Segmentation

The committee is aware that the Department of Defense is looking at modifying the way it builds, maintains, and upgrades data center, including increased use of commercial cloud capabilities and public-private partnerships. The committee is aware that as the Department increasingly looks at software-defined networking, it could potentially reduce the mobility of cyber threats across data center and other networks by increasing the compartmentalization and segmentation between systems, and providing a mix of security techniques to enable access to those compartments. Such actions have the potential to lessen the chance of a widespread or catastrophic breach, including breaches caused by insider threats. The committee encourages the Department to explore ways to use compartmentalization or segmentation as part of a software-defined networking approach in order to increase the security of its networks.

The Beginning of Policy Shifts….again

Page 19: New Threats, New Approaches in Modern Data Centers

Combining Organic Capabilities with Best of Breed across the Larger Ecosystem

• Deploy: provision and monitor uptime of different services, using one method.
• Apply: apply and visualize security policies for workloads, in one place.
• Automate: automate workflows across best-of-breed services, without custom integration.

NSX Network Virtualization Platform

Built-In Services: Firewall, Data Security (DLP), Server Activity Monitoring, VPN (IPSEC, SSL)

Third-Party Services: Antivirus, DLP, Firewall, Vulnerability Management, Intrusion Prevention, Identity and Access Mgmt, …and more in progress

[Figure: Security Policy Management; External Network; VDS; Guest VM; Traffic Redirection Module; Partner Service 1 VM and Partner Service 2 VM inserted in service slots 2, 4 and 5]

Page 20: New Threats, New Approaches in Modern Data Centers

High Scale NSX Topology

• High scale multi-tenancy is enabled with multiple tiers of Edge interconnected via VXLAN transit uplink
• Two-tier Edges allow better scaling with administrative control based on traffic generated
• NSX Edge can scale up to 8 ECMP Edges for scalable routing
• Support for overlapping IP addresses between Tenants connected to different first-tier NSX Edges

[Figure: External Network; ECMP-based NSX Edge X-Large (Route Aggregation Layer), ECMP NSX Edges E1 … E8 with VXLAN Uplinks over VXLAN 5100 Transit; per-tenant Edge with HA, NAT/LB features and a single adjacency to the ECMP Edge; Tenant 1 Desktop Pool Logical Switch, App LS, DB LS]

Page 21: New Threats, New Approaches in Modern Data Centers

Plans for 2017 and beyond

• Automation, Automation, Automation
• Brocade Workflow Composer
• Cloud Management Platform - OpenStack on VMware (VIO)
• Plan to integrate physical devices (IoT, Robotics, Weather Sensors, etc) into virtual cyberlab
• Dynamic routing
• Hardware VTEP to bridge VLAN to VXLAN
• Integration with NSX and Palo Alto Networks Virtual FW
• Leverage Public Cloud - Amazon AWS

Page 22: New Threats, New Approaches in Modern Data Centers

Stackstorm

Page 23: New Threats, New Approaches in Modern Data Centers

VMware Integrated OpenStack (VIO)

• VIO is an “Integrated Product” Approach to OpenStack
• Standard DefCore Compliant OpenStack Distribution (delivered as OVA)
• Deploys & Manages Proven Production Architecture on VMware SDDC
• Fully Supported by VMware

[Figure: Standard OpenStack services (Nova, Neutron, Cinder, Keystone, Heat, Horizon, Ceilometer, Glance) on VMware SDDC (vSphere, NSX, vSphere Datastores: 3rd-party / Virtual SAN); VIO Management Server deploys, configures, patches and upgrades OpenStack]

Page 24: New Threats, New Approaches in Modern Data Centers

The Need for a Comprehensive Security Solution

VMware NSX Platform: NSX Distributed Firewall
• VM level zoning without VLAN/VXLAN dependencies
• Line rate access control traffic filtering
• Distributed enforcement at Hypervisor level

Palo Alto Networks Next Generation Security: Next Generation Firewall
• Protection against known and unknown threats
• Visibility and safe application enablement
• User, device, and application aware policies

Sophisticated Security Challenges
• Applications are not linked to port & protocols
• Distributed user and device population
• Modern Malware

Page 25: New Threats, New Approaches in Modern Data Centers

VMware Cloud™ on AWS, powered by VMware Cloud Foundation (Technical Preview; availability expected in mid-2017 timeframe)

VMware vSphere-based service, running on the AWS Cloud:
• ESXi on Dedicated Hardware
• Support for VMs and Containers
• vSAN on Flash and EBS Storage
• Replication and DR Orchestration
• NSX Spanning on-premises and cloud
• Advanced Networking & Security Services

[Figure: Customer Datacenter (vCenter) and AWS Global Infrastructure (vCenter), each running vSphere, vSAN, NSX; Operational Management via vRealize Suite, vSphere Integrated Containers, ISV ecosystem; Native AWS Services: Amazon EC2, Amazon S3, Amazon RDS, AWS Direct Connect, AWS IAM, AWS IoT]

Page 26: New Threats, New Approaches in Modern Data Centers
Page 27: New Threats, New Approaches in Modern Data Centers

Questions

Page 28: New Threats, New Approaches in Modern Data Centers

NAVAL POSTGRADUATE SCHOOL

Page 29: New Threats, New Approaches in Modern Data Centers