Architecting DMZ Virtualization version 1.5, by Brad...


Transcript of Architecting DMZ Virtualization version 1.5, by Brad...

© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 1

Architecting DMZ Virtualization

Brad Hedlund Solutions Architect, Data Center CCIE #5530, VCP February 2010 [email protected]

v1.5


Policy Driven Network Design: Physical

Each network switch has independent code, control plane, data plane, interfaces & configuration.

Isolation provided by physical cabling


Network Virtualization: Logical Partitions

Security zones share a common network switch infrastructure.

Common switch with discrete forwarding tables

Isolation provided by switch configuration

VN-Tag, VLAN, VRF, MPLS


H/W scheduled Control Plane isolation


Inconsistent Isolation Policies

Attaching networks with differing isolation policies to each other results in the lowest common denominator policy.

The physical partitions merely become extensions of what is, in effect, a logical policy architecture.

From the standpoint of a physical isolation policy, this is considered "out of policy".


Server Virtualization with Physical Isolation

How is a physical isolation policy preserved with server virtualization?


Network policy moves into the Server (Host)

Server virtualization creates a network inside the Host: a virtual network.

Attempts are made to keep the virtual and physical network policy consistent.

Conventional thinking: "physically separate vSwitches", one per security zone, is the solution.


The false sense of “vSwitch” security…


What is a vSwitch?

"Each vSwitch is just a data structure saying what ports are connected to it (along with other information)."

"So while using vSwitches sounds more compartmentalized than VLANs, they provide equivalent separation."

- Mark Bakke, Nexus 1000V Principal Architect, Cisco

Source: http://faz1.com/blog/2009/08/20/two-vswitches-are-better-than-1-right/


Simple Example: Host Memory Footprint: 1 vSwitch

Each physical network switch has its own independent code and control plane. If a vSwitch were a switch in that sense, adding vSwitches should add further copies of switch code to the Host's memory footprint.

Let's add 11 vSwitches and see what happens...


11 "vSwitches": same memory footprint

Whether there are 11, 20, or 200 "vSwitches", there is really 1 switch.

Each "vSwitch" is just a unique logical partition of a single software switch.

This delivers the same concept of logical forwarding partitions as a VLAN does.


The consequential architecture based on an illusion…

Consequences

Many adapters required per server:
- one per DMZ
- two per DMZ for redundancy
- even more to scale bandwidth
- and even more for management

Many adapters in one server force 1GE and prohibit 10GE adoption.

Less bandwidth from 1GE requires more servers with fewer VMs each to scale I/O.

Lower physical-to-virtual consolidation ratios.

Larger 4U rackmount servers required for adapter real estate; blade servers become prohibitive.

Cannot leverage a Distributed Virtual Switch (DVS).


The Result: Inconsistent Policy

… and missed opportunities.


Consistent Policy of Logical Separation

Server + Network Virtualization

The physical switch uses logical isolation (VLAN, VRF) consistent with the logical isolation of the virtual switch.

Fewer adapters

10GE & Unified I/O

Higher consolidation ratios

Right sized 1RU-2RU servers

Blade server inclusive

DVS inclusive


Consistent Physical Policy

Each Host is dedicated to a single security zone, so the physical isolation of the virtual network is consistent with the physical isolation of the physical network.

Fewer adapters per server

10GE & Unified I/O

Higher consolidation ratios

Right sized 2RU/1RU servers

Blade server inclusive

DVS inclusive


H/W Scheduled Control Plane Isolation

The physical network switch partitions its control plane with hardware scheduling, similar to the way a VMware Host schedules its VMs.

Switch consolidation: Nexus 7000 Virtual Device Contexts (VDC)


Securing the Virtual Switch

[Diagram: Nexus 1000V VSM (Virtual Supervisor Module) managing the VEM (Virtual Ethernet Module) in each Host]

Nexus 1000V security features not available in the vSwitch or vDS:

- IP Source Guard: duplicate IP and spoofed IP protection
- Private VLAN (source enforced): stop denied frames at the source Host
- DHCP Snooping: rogue DHCP server protection
- Dynamic ARP Inspection: man-in-the-middle protection
- IP access control (per VM) filtering on TCP bits/flags (FIN, ACK, RST, PSH, etc.), TCP/UDP ports, ICMP types and codes
- MAC ACLs
- Port Security


Securing the Physical Switch for Network Virtualization

Securing against physical switch attacks:

Attack: MAC overflow (macof)
Solution: Port Security

Attack: VLAN hopping
Solution: best-practice trunk configuration
- disable auto trunking (DTP)
- VLAN tag all frames, including the native VLAN
- use a dedicated, otherwise unused VLAN ID as the native VLAN on trunks

Attack: spoofed IP, spoofed MAC
Solution: Dynamic ARP Inspection, IP Source Guard, Port Security

Attack: rogue DHCP server
Solution: DHCP Snooping

Attack: Spanning Tree spoofing
Solution: Root Guard, BPDU Guard
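As an added check, not part of the original slides: a small Python audit that reads an IOS-style switch configuration and reports which of the mitigations paired with the attacks above (and the same features listed for the Nexus 1000V on the previous slide) are missing. The sample configuration is constructed for this example; it assumes trunk ports face virtualization hosts (so root guard belongs on them and they are never the STP root), access ports face single servers, and plain IOS command syntax rather than Nexus 1000V port-profile syntax.

```python
"""Audit an IOS-style switch config against the DMZ hardening list.

Added example with a constructed config. Assumes trunks face virtualization
hosts, access ports face single servers, and IOS (not NX-OS) syntax.
"""
from typing import Dict, List, Tuple

# Constructed sample: Gi1/0/1 and Gi1/0/10 are weak, Gi1/0/2 and Gi1/0/11 hardened.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip arp inspection vlan 10,20
vlan dot1q tag native
!
interface GigabitEthernet1/0/1
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 switchport trunk native vlan 999
 switchport mode trunk
 switchport nonegotiate
 spanning-tree guard root
!
interface GigabitEthernet1/0/10
 switchport access vlan 10
!
interface GigabitEthernet1/0/11
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 ip verify source
 spanning-tree bpduguard enable
!
"""


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into global lines and per-interface line lists."""
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None  # '!' terminates a section in IOS
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())  # indented body line
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def audit(text: str) -> Dict[str, List[str]]:
    """Return {scope: [missing mitigation, ...]}; an empty dict means every check passed."""
    global_lines, interfaces = parse_config(text)
    findings: Dict[str, List[str]] = {}

    issues: List[str] = []
    if "ip dhcp snooping" not in global_lines:
        issues.append("rogue DHCP: 'ip dhcp snooping' not enabled globally")
    if not any(l.startswith("ip dhcp snooping vlan") for l in global_lines):
        issues.append("rogue DHCP: no VLAN listed under 'ip dhcp snooping vlan'")
    if not any(l.startswith("ip arp inspection vlan") for l in global_lines):
        issues.append("spoofed MAC/IP: Dynamic ARP Inspection not enabled on any VLAN")
    if "vlan dot1q tag native" not in global_lines:
        issues.append("VLAN hopping: native VLAN frames are sent untagged")
    if issues:
        findings["global"] = issues

    for name, lines in interfaces.items():
        issues = []
        if "switchport mode trunk" in lines:
            # Host-facing trunk: no DTP, non-default native VLAN, never the STP root.
            if "switchport nonegotiate" not in lines:
                issues.append("VLAN hopping: DTP auto trunking still enabled")
            native = next((l.split()[-1] for l in lines
                           if l.startswith("switchport trunk native vlan")), "1")
            if native == "1":
                issues.append("VLAN hopping: trunk uses default native VLAN 1")
            if "spanning-tree guard root" not in lines:
                issues.append("STP spoofing: no root guard")
        else:
            # Access port: pin the mode and apply the per-port protections.
            if "switchport mode access" not in lines:
                issues.append("VLAN hopping: mode not pinned to access (DTP may negotiate a trunk)")
            if "switchport port-security" not in lines:
                issues.append("MAC overflow: port security disabled")
            if "ip verify source" not in lines:
                issues.append("spoofed IP: IP Source Guard disabled")
            if "spanning-tree bpduguard enable" not in lines:
                issues.append("STP spoofing: BPDU guard disabled")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for scope, missing in audit(SAMPLE_CONFIG).items():
        print(scope)
        for item in missing:
            print("  -", item)
```

Run against a real `show running-config` capture, the script flags the two weak ports in the sample (the trunk without `switchport nonegotiate`, a non-default native VLAN and root guard; the access port without a pinned mode, port security, IP Source Guard and BPDU guard) and is silent for the hardened ones. The checks are string matches on exact IOS commands, so platform-specific variants (for example `spanning-tree portfast bpduguard default` set globally instead of per port) would need to be added before relying on it.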


Summary

- Whatever your policy, physical or logical separation, maintain a consistent policy in both the virtual and physical network.

- The ILLUSION of "vSwitch" physical separation.

- Consequences of the vSwitch illusion: 10GE, DVS and blade servers become prohibitive, large servers, excessive adapters and cables, all to gain an inconsistent policy.

- Physically separate networks should be paired with physically separate Hosts to be policy consistent.

- The logical separation policy with Server + Network virtualization can be secured with the security features built into the physical and virtual network.
