Ensuring Privacy & Transparency within Hybrid Clouds
- 1. CASE STUDY Ensuring Privacy & Transparency within Hybrid Clouds Marcin Kotlarski Head of Product Development
- 2. AGENDA • About GTS CE • Examination of corporate customer demand • Cloud for business customer • Challenges • GTS approach to cloud over Ethernet
- 3. GTS CE – Unmatched regional fiber footprint Leading infrastructure-based alternative provider of fixed-line communications to corporate and carrier customers in Central and Eastern Europe (CEE) • Focused on CEE region (CZ, HU, PL, SK and RO) • Diverse product offerings: Ethernet | IP VPN | Leased Lines | Colocation | Voice | Server Hosting | Cloud Computing • Unique combination and breadth of fiber long-haul and local access: − 17,000 kilometers of long-haul fiber and 29 cities with metro fiber − 12,000 on-net buildings − 13,000 square meters of colocation space in 14 locations − Extensive range of wireless frequencies • Primary operations in contiguous geographies of Czech Republic, Poland, Hungary, Slovakia, and Romania
- 4. Cloud Computing hits 31% of IT budgets in EMEA* Data processing in the cloud is a priority for action within 84% the next 18 months 41% Increase of IT efficiency 36% Increase of business agility * Researches made for VMWare, IDG in 2012 year across CIO in EMEA region.
- 5. Key drivers for outsourcing approach Cloud market will be driven by demand for outsourcing. Assessing the opportunity for enabling XaaS services within CEE region we must understand key drivers… By far, the strongest driver of data center services growth Business Growth Regulatory requirements Increase the amount and storage IT Architecture time for data, stimulate model development of continuity services Complexity of IT Price Point architecture Trade-off vs doing it themselves Competitive pricing within market Competitiveness across markets
- 6. Top 5 concerns 26% of IT budget is allocated to 52% Security vulnerabilities Cloud with the split Other 41% Lost of control on data 10% Hosting 17% Trainings 12% 25% Trust in performance and reliability Outsourcing 16% 23% Solutions’ Compatibility Software 27% IT department 18% 19% Lost of control on server utilization in external cloud External expenditures hits only ~ 33% of IT budget
- 7. Cloud for business customer Majority of available Cloud Solutions do not meet business customer requirements • Lack of enough control on security • Complex implementation and configuration of interworking between internal and external resources • Limited control and flexibility of network resources
- 8. Issue #1: Security vulnerabilities Transition to Cloud Service Providers rises up challenges: • WAN latency - application created for LAN is available via WAN / Public Internet • Very often communication is held via public internet • Ecosystem dynamism – it requires adaptive security policy configuration Openness to public world opens the application to all Application users in LAN Threats within and outside Internet ATTACK the cloud Complicated FW policy management VPS Data processing on Service Provider Cloud provider side
- 9. Issue #2: Compatibility Both Hybrid Cloud approach and partial migration to Cloud rises up: • The need to provide efficient access to hundreds/thousands of LAN users • Need for sharing a lot of middleware application – Active Directories, Integration BUS • Reconfiguration and protection of network elements in communication with Cloud • Communication on the public IP addresses Application changes Application users in LAN GW Internet Infrastructure reconfiguration Changes in the LAN topologies VPS VPS VPS Data processing on Service Provider Cloud provider side
- 10. Hybrid Cloud Business requires complete solution Outsourced All resources visible in the Access – user experience PRIVATE CLOUD PUBLIC CLOUD same way within common like from corporate LAN EXTERNAL management tool CE Cloud Connector Security – end-to-end Performance Guaranteed PRIVATE CLOUD consolidated and multilayer and Monitored round-the- INTERNAL approach clock On-premises CE will play important role in adoption of hybrid cloud approach
- 11. Ethernet Cloud Carrier - ecosystem Outsourced On-premises PRIVATE CLOUD PRIVATE CLOUD PUBLIC CLOUD VPS VPS EXTERNAL VHE INTERNAL VHE FC / iSCSI Data synchronization Low latency demand High Capacity for bandwidth Secure consuming access to XaaS VLAN applications Internal On-net world, Applications’ Eyeballs users
- 12. Ethernet Cloud Carrier - challenges L2 loops in bridged network Despite, that standard is well defined CE connectivity rises up new set of security challenges which may seriously affect customers hosted on multitenant ecosystem: • Accidental and deliberate attacks ( via ARP, flood storms ) • Stability issues - size of STP* domain • Scale (ARP caches, MAC address table size) • L2 loops – Broadcasts storms * STP – Spanning Tree Protocol
- 13. Reasons of L2 loops ● Redundant connection between L2 bridges ● When redundant links exists between bridges exists ● All ports are flooded by broadcasts packets Examples of different loop topologies
- 14. Workaround – Spanning Tree Protocol • Network protocol that ensures loop free technology for any bridged Ethernet LAN • Prevent loops and limits broadcast radiation • Allow spare redundant links between bridge However there a bunch of risks related to STP application Incorrect configuration of STP, or not configured any loop free mechanism on customer side may cause broadcast storms in the Cloud LAN Frequent topology changes may cause storms It is very important to isolate customer L2 domain from provider L2 domain
- 15. Problem Solution #1 - EVPL is connected to subineterface of cust L3 GTS DC Customer premise vPC status ---------------------------------------------------------------------------- id Port Status Consistency Reason Active vlans ------ ----------- ------ ----------- -------------------------- ----------- 500 Po500 up success success 500 nx1 Vlan rewrite Cust L3 Cust L2 10G sw2 GTS L2 ethernet network Vlan Y Vlan X Active PE1 PE2 10G Vlan X Acc sw1 Vlan Z 1G 1G vPC vPC No STP ALU EVPL stp peer Link LAG Vlan Y sw3 nx2 10G Standby 10G Vlan X – customer vlan vPC status ---------------------------------------------------------------------------- Vlan Y – GTS PE vlan range id Port Status Consistency Reason Active vlans ------ ----------- ------ ----------- -------------------------- ----------- 500 Po500 down* success success - Vlan Z – GTS virtual hosting vlan range • Logical separation of STP L2 domains • EVPL is connected to customer router sub-interface, customer L2 switch • Customer must route traffic between his LAN traffic and DataCenter traffic • Customer shall run rapid-PVST in his network • Customer can use private IP range 15
- 16. Problem Solution #2 – EVPL connected to directly Customer‘s L2 GTS DC Customer premise vPC status ---------------------------------------------------------------------------- id Port Status Consistency Reason Active vlans ------ ----------- ------ ----------- -------------------------- ----------- 500 Po500 up success success 500 nx1 Vlan rewrite Cust L2 10G sw2 GTS L2 ethernet network Vlan Y Vlan X Active PE1 PE2 10G Acc Vlan X sw1 Vlan Z 1G 1G vPC vPC No STP ALU EVPL stp peer Link LAG Vlan Y sw3 nx2 10G Standby 10G Vlan X – customer vlan vPC status Vlan Y – GTS PE vlan range ---------------------------------------------------------------------------- id Port Status Consistency Reason Active vlans ------ ----------- ------ ----------- -------------------------- ----------- Vlan Z – GTS virtual hosting vlan range 500 Po500 down* success success - • EVPL is connected directly to customers L2 domain • Customer traffic is bridged between his LAN traffic and Data Center traffic • L2 CPE will be connected to customer‘s Root bridge • Customer can use private IP range • Customer shall: − run rapid-PVST in his network − enable Root Guard on his Root bridge to prevent any topology change in his network 16
- 17. Limitations • Only one primary L2 EVPL connection can be configured between virtual hosting and single customer site • No redundancy (Backup) on L2 circuit can be configured between virtual hosting and single customer site • In case, that customer requires separate and fully redundant connectivity between virtual hosting and Customer site, it must be configured only via L3 network
- 18. Summary • The wide area network is critical to meet the requirements for delivering external private cloud and hybrid cloud services. • Enterprises shall not rely only on the Internet to provide connectivity to their mission-critical applications • Carrier Ethernet will be coherent part of the Cloud market development: − Technology is at least 4 times more efficient for an equivalent quantity of bandwidth − Guarantees the lowest latency (10G/100G interfaces) − Flexibility in delivery for XaaS services – inherent support for VLAN − Perfectly suit to the virtualization layer security requirement
- 19. Thank you! One Region – One Network – One Offer WWW.GTSCE.COM
Editor's Notes
- #3: • Allowing portability of data across any device withoutcompromising security• Establishing security benchmarks and tackling concernsover transparency • Moving from private Ethernet clouds to the public domain:where is the data?