Micro Segmentation Security: Securing IT Through Macro-segmentation
Proprietary & Confidential
Securing IT Through Macro-Segmentation
November 15th, 2016
Marco Pessi
Sr. Technical Product Manager
Pluribus Networks
Agenda
How to Secure Network Fabric
‒ Fabric Management
‒ Multi-tenancy/Private Virtual Networks
‒ Secure Control Plane
‒ Security Service Insertion
‒ Putting it all together: Fabric Security Architecture
‒ Analytics
Securing Scale Out Fabrics
[Diagram: racks 1, 2 … 100, each with a VTEP, plus rack 101 facing the Ext Network; VXLAN L2 extension across all 100 racks over a BGP/OSPF IP underlay through the Spine Layer]
Virtualization Centric Fabric – VCF
Built-in Fabric Controller: Distributed Peer-to-Peer Cluster – Configuration State Consistency (with rollback); Single CLI/API To Manage All Nodes
L2/L3/VXLAN Open Networking
Application Visibility: built-in, no taps, no brokers, no expensive tools
Secure Multi Tenancy: Virtual Private Networks for holistic multi-tenancy
Security Service Insertion: granular flow control for conditional security insertion policies
No controllers, No new protocols, 100% interoperable
Netvisor Private Virtual Networks: Agile, Secure Multi-Tenancy
Rapid provisioning of Private Virtual Networks (VNETs) as virtual PODs (vPODs) with management, control and data plane isolation
Independent tenant networks
‒ Overlapping subnets (VLANs and IP prefixes)
‒ Independent vRouter on each VNET
Independent Management Plane
‒ Independent Provisioning
‒ Per tenant visibility of flows, services, VMs
[Diagram: VNET-A 172.10.0.0/16, VNET-B 172.0.0.0/8 and VNET-C 172.0.16.0/20, each with its own VLAN 1-4K range and its own VMs]
Netvisor Private Virtual Networks: Agile, Secure Multi-Tenancy
Secure access to infrastructure network
‒ Simplified Tenant Network View isolates common transport network from tenant network
Data Plane Isolation
‒ Automatic orchestration of VLAN, VRF and VXLAN VNI space to prevent leaking between tenants
‒ Anti-spoofing mechanism
Anti-Spoofing Mechanism: vFlow Technology for comprehensive uRPF
Enforce server traffic to use consistent VLAN/IP address:
CLI> vflow-create vlan <amber> src-ip 10.1.11.0/27 name amber-urpf-permit action none table System-VCAP-table-1-0
CLI> vflow-create vlan <amber> src-ip 0.0.0.0/0 name amber-urpf-deny action drop table System-VCAP-table-1-0
§ vFlow can be used to prevent servers belonging to a logical tenant from sourcing IP traffic with an illegitimate prefix
‒ vFlow stats are provided to monitor uRPF violations
‒ Independent dedicated TCAM space
§ Supports all types of traffic:
‒ Bridged
‒ Routed
‒ VXLAN tunneled (terminated on switch)
‒ VXLAN tunneled (pass-through)
Control Plane Isolation
‒ Tenant Routers run in dedicated containers of the switch OS
VCF Containers: Secure Multi-Tenant Control Plane
§ vRouters
‒ Independent OSPF/BGP/BFD Speakers
‒ Each vRouter has a simple tenant view
§ OVSDB Interface
‒ Synchronize fabric endpoint database (vPort) with Hypervisor system for end-to-end VTEP auto-provisioning
§ OpenDaylight
§ NSX
§ VNET Manager
‒ Provides a dedicated/isolated management interface for a vPOD with provisioning/visibility capability only for assigned resources
‒ Can run any vPOD custom application
§ simple example: Wireshark
[Diagram: switch OS hosting separate containers, each with its own vNICs: vRouter for tenant Crimson, vRouter for tenant Blue, vRouter for tenant Amber, VNET MGR, and OVSDB for tenant Amber]
Virtualization Centric Fabric – VCF: vFlow Technology
[Diagram: Built-in Fabric Controller and L2/L3/VXLAN Open Networking on each node, forming a Distributed Cluster – Pluribus Management Fabric; Security Service Insertion: granular flow control for conditional security insertion policies]
Conditional Security Insertion: Configurable line rate redirection of E-W traffic
1. Default Behavior: no inspection
• Fabric normally bridges and routes E-W traffic
2. Configurable Security Insertion
• Fabric redirects to security appliance selected traffic (configurable L1-L4 parameters)
[Diagram: VM-10, VM-11 and VM-41 on VL10, VM-20 on VL20; in step 2 the HTTP flows are shown redirected to the security appliance]
Conditional Security Insertion: Provide Inspection only to non-secure N-S traffic
1. Firewall Service Insertion for default traffic
[Diagram: HA Services Leaf Cluster (VXLAN Routing + FW Insertion) with VTEP 10.0.100.5/29 and gateway 10.10.0.1/16; VL10 traffic crosses VL100 / VXLAN VNI10 through the Perimeter Firewall Cluster to the Ext Network; NON-SECURE and SECURE sides]
2. Firewall Bypass for Secure Traffic
[Diagram: same HA Services Leaf Cluster; secure traffic takes the bypass path around the Perimeter Firewall Cluster]
vFlow Filtering For Security Actions: Provide Line Rate Redirection & Policy Enforcement
vFlow Structure
Scope: switch local or fabric-wide
L1-L4 Match Rule: match rule deployed in HW TCAMs
Actions (switch HW assisted): drop, to-cpu, copy-to-cpu, setvlan, tunnel-pkt, set-tunnel-id, to-span, cpu-rx, cpu-rx-tx, set-dscp, decap, set-dmac, set-dmac-to-port, to-port, to-ports-and-cpu, set-vlan-pri, l3-to-cpu-switch
3. Line Rate Policy Enforcement
[Diagram: HA Services Leaf Cluster (VXLAN Routing + FW Insertion) with the firewall bypass for secure traffic; vFlow policy enforced at line rate]
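As an added example (not Pluribus or Netvisor code), a small Python model of the vFlow scope/match/action structure above, applied to the two uRPF rules from the anti-spoofing slide and to an E-W HTTP redirect of the kind shown in the conditional insertion slides. It assumes first-match rule ordering, VLAN 11 for the slide's <amber> placeholder, and appliance port 49 as the redirect target.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added illustration, not Pluribus/Netvisor code. A vFlow table is modelled as an
# ordered list of L1-L4 match rules evaluated first-match; that ordering is an
# assumption made here, real TCAM precedence is a property of the hardware table.

@dataclass
class VFlow:
    name: str
    action: str                     # "none" (count only), "drop", "to-port"
    vlan: Optional[int] = None      # L2 match: VLAN id
    src_ip: Optional[str] = None    # L3 match: source prefix (CIDR)
    dst_port: Optional[int] = None  # L4 match: TCP/UDP destination port
    to_port: Optional[int] = None   # redirect target for action "to-port"
    hits: int = 0                   # vFlow stats, e.g. uRPF violation counter

    def matches(self, pkt: Dict) -> bool:
        if self.vlan is not None and pkt.get("vlan") != self.vlan:
            return False
        if self.src_ip is not None:
            if ipaddress.ip_address(pkt["src_ip"]) not in ipaddress.ip_network(self.src_ip):
                return False
        if self.dst_port is not None and pkt.get("dst_port") != self.dst_port:
            return False
        return True

def apply_vflows(table: List[VFlow], pkt: Dict) -> Tuple[str, Optional[str]]:
    """(action, rule name) of the first matching rule; action "none" only counts,
    so the packet takes the fabric's default bridged/routed path ("forward")."""
    for rule in table:
        if rule.matches(pkt):
            rule.hits += 1
            return ("forward" if rule.action == "none" else rule.action), rule.name
    return "forward", None

def urpf_violations(table: List[VFlow]) -> int:
    """What the slide's vFlow stats expose: hits on the per-tenant uRPF drop rule."""
    return sum(r.hits for r in table if r.action == "drop" and r.name.endswith("-urpf-deny"))

# Constructed sample table: VLAN 11 stands in for the slide's <amber> placeholder;
# VLAN 10, HTTP and appliance port 49 for the E-W insertion rule are assumed too.
TABLE = [
    VFlow("amber-urpf-permit", "none", vlan=11, src_ip="10.1.11.0/27"),
    VFlow("amber-urpf-deny", "drop", vlan=11, src_ip="0.0.0.0/0"),
    VFlow("vl10-http-insert", "to-port", vlan=10, dst_port=80, to_port=49),
]
```

A source outside 10.1.11.0/27 on the Amber VLAN falls through the permit rule to the catch-all drop and increments its counter, which is the signal the slide's "vFlow stats" give an operator; traffic on other VLANs is untouched by the Amber pair.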
Conditional Security Insertion for E-W & N-S traffic
[Diagram: Security Appliances (IPS, FW, etc.) attached to the HA Services Leaf Cluster (VXLAN Routing + FW Insertion; VTEP 10.0.100.5/29; gateways 10.10.0.1/16 and 10.20.0.1/16; VNI10 and VNI20 over VL100 / VXLAN); racks 1, 2 … 100 with VTEPs; VM-10 10.10.0.10 MAC-10 and VM-11 10.10.0.11 MAC-11 on VL10, VM-41 10.10.0.41, VM-20 10.20.0.11 MAC-20 on VL20; NON-SECURE and SECURE sides, Ext Network]
• Leaf switches perform selective Security Insertion for bridged/routed E-W traffic using programmable fabric-wide policies
Putting It All Together: Fabric Security Architecture
[Diagram: Virtualization Centric Fabric with a Mgmt domain; racks 1, 2 … 100 with VTEPs and VXLAN L2 extension across all 100 racks over a BGP/OSPF IP underlay; rack 101 is the Edge Security Services Rack with HA Leaf Services and HA VTEP, reaching the Ext Network through the Spine Layer]
Fabric scope programmability; policy enforcement E-W / N-S
Edge Security Services Rack: Grey vRouter for VTEP, Red vRouter to DC network; Load Balancers
Active-Active LAG towards servers
Spine is simple L3 non-blocking interconnect; underlay provides inter-rack reachability; all links are active
Secure Multi Tenancy: Virtual Private Networks for holistic multi-tenancy
Security Service Insertion: granular flow control for conditional security insertion policies
‒ Firewall on-a-stick in L2 mode for non mission-critical traffic with bypass service option
‒ vFlow security ACL for N-S Policy Enforcement
‒ Global E-W vFlow security service insertion
Application Visibility: built-in, no taps, no brokers, no expensive tools; Pluribus VCF Analytics for mission-critical flow visibility
Connection Flow Analytics
[Diagram: fabric switches export Flow Metadata to VCF Center, a Big Data Engine running on a cluster of 1…N server nodes]
Integrated in the fabric = simple to deploy
Always on, zero touch = simple to use
No sampling…every EAST-WEST connection
TCP connection state machine tracking
Tenant aware
Packet Analytics
[Diagram: Mirrored Packets sent to VCF Center, a Big Data Engine running on a cluster of 1…N server nodes]
On-demand packet filtering on L1-L4 header fields
Terabit filtering with offload on Broadcom silicon
Manage mirror sessions and PCAP files
Analytics on packet metadata extracted from PCAP
Bring-your-own PCAP
Program packet filters in hardware
Start & Stop PCAP and Mirror sessions
Summary/Recap
1. Macro-Segmentation secures E-W traffic
2. Scalable, HW accelerated, covers P & V (physical and virtual)
3. Holistic multi-tenancy = Complete Isolation
4. Granular flow control for conditional security insertion policies
5. Analytics/Visibility allows for continual policy improvements
Thank You, Questions?
pluribusnetworks.com/resources/#webinars
Fall Webinar Series