The Cloud Ate My Network!
Security for Virtual Networks
Eric Hanselman, 451 Research
Session ID: TECH-R33
Session Classification: Intermediate
Clouds Are Wonderful
► Definition is foggy
► Cloud versus virtualization
► They do some wacky things to networks.
► Obscuration is an issue
► Flexibility should be a plus
► Scale should be a plus
But Can Also be Disruptive…
What This Session Covers
► Cloud and virtual networking
► Some conflating of issues
► Traditional enterprise architecture migration
► Network security focus
► An overview of the options
► There won’t be time to cover them all in depth
► Mostly focusing on monitoring and segregation
► Might accidentally talk about availability…
► Q&A
Typical Enterprise Goals
► Network Security Tasks
► Confidentiality/Access control
► Firewalls, VPNs, ACLs
► Integrity/Regulatory
► More firewalls, WAF
► IDS/IPS
► Monitoring, recording
► Availability
► Monitoring and recording
► Proactive
► Capacity/trending
► Reactive
► Troubleshooting
Traditional Approaches
► Expectations of physical access
► Natural aggregation
► Fixed location
► Techniques have been built around cables and ports
► Access controls
► Network segmentation
► Isolation
► Monitoring and recording
► Lots of SPAN ports
Why Use Network Security?
► Host-based capabilities could be simpler
► In a cloudy world
► Historic reasons still matter
► It’s independent
► It’s activity based
► It’s the only thing I own!
How To Replicate This
► A typical monitoring architecture
In a World Like This
Virtual Networks Offer Hope
► More flexible configuration
► Connection automation
► Tied to orchestration
► Locality
► Tied to compute instances
► No more SPAN ports!
What Could Possibly Go Wrong?
► There’s a gap!
► Transitioning is complex
► Physical infrastructure
► Existing tools and techniques
► Virtual networks
► Limited tools
► Limited access
► Convergence/consolidation
► Scale
How to Cope?
► Replicate capabilities locally
► Equivalent functionality
► Replicate capabilities externally
► Coverage and scale
► Push traffic somewhere else
► Reconnecting the tubes
► Change tactics
► Some answers can be found in clouds
► Or hosts…
Replicate Capabilities Locally
► Firewalls and ACLs
► Finding equivalents
► Vendor-specific functionality
► Managing different implementations
► Aligning policies
► Correlating events
► IDS/IPS
► Scale in virtual implementation
► More instances
► Managing different implementations
► Aligning policies
► Correlating events
Replicate Capabilities Externally
► Access networks
► Can work for external access controls
► WAF
► Some malicious behavior
► Harder to make application specific
► No internal visibility
► Cloud-based monitoring
► Might be closer (topologically)
► Potential to scale
Push Traffic Somewhere Else
► Clouds
► Hard to do
► Hypervisors
► Finding virtual edges
► Physical network access
► Build conduits
► Assigned VLANs
► Virtual taps
SPAN Ports Are Dead!
► Long live SPAN ports!
► Still the most universal mechanism
► Don’t forget the physical network!
► Routing monitoring traffic
► VLANs
► Dedicated for monitoring
► Works at low scale
► Virtual monitoring
► Management scale
► Have to manage sprawl
► Data access monitoring
► Better filtering
► Helping to manage scale
Reestablishing Paths
  Platform     Notes
  VMware       VDS: SPAN ports
  Cisco        Nexus 1000v: SPAN, ERSPAN; Virtual Security Gateway
  Juniper      vGateway: kernel module
  IBM          5000v: SPAN, ERSPAN
  Microsoft    Hyper-V Extensible Switch
  Open source  Open vSwitch: mirroring, SPAN, RSPAN
  HP           vController: kernel module
  NetOptics    Virtual Tap: kernel module
  Gigamon      GigaVUE-VM: VM based
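Several of the platforms in the table above hand mirrored traffic to a collector as ERSPAN: the original frame is wrapped in GRE and routed to wherever the monitoring tool lives, which is what lets a virtual switch stand in for a physical SPAN port. The decoder below is an added example, not code from the deck or from any of the vendors named. It assumes the GRE protocol type 0x88BE and the ERSPAN Type II header layout (version, VLAN, CoS, encapsulation type, truncation bit, session ID, index); the sample packet is constructed inline. It shows the three things a collector should check before handing the inner frame to an IDS: which mirror session produced the copy, whether the source truncated the frame, and whether the session ID is one that was actually configured.

```python
import struct
from dataclasses import dataclass

# GRE protocol type assigned to ERSPAN Type II, and the GRE flag bits that
# control which optional GRE fields precede the ERSPAN header.
ERSPAN_TYPE_II_PROTO = 0x88BE
GRE_FLAG_CHECKSUM = 0x8000
GRE_FLAG_KEY = 0x2000
GRE_FLAG_SEQ = 0x1000


@dataclass
class ErspanFrame:
    session_id: int   # which mirror session on the virtual switch produced this copy
    vlan: int         # VLAN the original frame was seen on
    cos: int          # 802.1p class of service of the original frame
    encap: int        # "En" field: how the original VLAN tag was carried
    truncated: bool   # "T" bit: the mirror source cut the frame short
    index: int        # port/direction index, switch specific
    gre_seq: int      # GRE sequence number, lets the collector spot drops (-1 if absent)
    payload: bytes    # the mirrored Ethernet frame


def encode_erspan_type2(frame, session_id, vlan=0, cos=0, encap=0,
                        truncated=False, index=0, seq=0):
    """Wrap a frame in GRE + ERSPAN Type II (used here only to build test input)."""
    gre = struct.pack("!HHI", GRE_FLAG_SEQ, ERSPAN_TYPE_II_PROTO, seq)
    word1 = ((1 << 28) | ((vlan & 0xFFF) << 16) | ((cos & 0x7) << 13)
             | ((encap & 0x3) << 11) | (int(truncated) << 10) | (session_id & 0x3FF))
    word2 = index & 0xFFFFF
    return gre + struct.pack("!II", word1, word2) + frame


def decode_erspan_type2(pkt):
    """Parse the GRE and ERSPAN Type II headers; raise ValueError on anything else."""
    if len(pkt) < 4:
        raise ValueError("short GRE header")
    flags, proto = struct.unpack("!HH", pkt[:4])
    if proto != ERSPAN_TYPE_II_PROTO:
        raise ValueError(f"GRE protocol 0x{proto:04x} is not ERSPAN Type II")
    off = 4
    # Optional GRE fields appear in this order: checksum, key, sequence number.
    if flags & GRE_FLAG_CHECKSUM:
        off += 4
    if flags & GRE_FLAG_KEY:
        off += 4
    seq = -1
    if flags & GRE_FLAG_SEQ:
        seq = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    if len(pkt) < off + 8:
        raise ValueError("short ERSPAN header")
    word1, word2 = struct.unpack("!II", pkt[off:off + 8])
    if word1 >> 28 != 1:
        raise ValueError(f"ERSPAN version {word1 >> 28}, expected 1 (Type II)")
    return ErspanFrame(
        session_id=word1 & 0x3FF,
        vlan=(word1 >> 16) & 0xFFF,
        cos=(word1 >> 13) & 0x7,
        encap=(word1 >> 11) & 0x3,
        truncated=bool((word1 >> 10) & 0x1),
        index=word2 & 0xFFFFF,
        gre_seq=seq,
        payload=pkt[off + 8:],
    )


def is_erspan_type2(pkt):
    try:
        decode_erspan_type2(pkt)
        return True
    except ValueError:
        return False


def collector_summary(pkt, expected_sessions):
    """What a collector should record before passing the inner frame to an IDS:
    where the copy came from, whether it is complete, and whether the session
    ID is one we configured (anything else is a misconfigured mirror or an
    unexpected sender on the monitoring segment)."""
    f = decode_erspan_type2(pkt)
    ethertype = struct.unpack("!H", f.payload[12:14])[0]
    return {
        "session_id": f.session_id,
        "source_vlan": f.vlan,
        "inner_ethertype": ethertype,
        "truncated": f.truncated,
        "unexpected_session": f.session_id not in expected_sessions,
    }


# Constructed sample: an IPv4 frame (placeholder MACs and a zeroed 20-byte IP
# header) mirrored from VLAN 100 by session 5, truncated by the source.
SAMPLE_FRAME = (bytes.fromhex("001122334455") + bytes.fromhex("0a0b0c0d0e0f")
                + b"\x08\x00" + bytes(20))
SAMPLE_PACKET = encode_erspan_type2(SAMPLE_FRAME, session_id=5, vlan=100, cos=3,
                                    truncated=True, index=0x1234, seq=7)

if __name__ == "__main__":
    print(collector_summary(SAMPLE_PACKET, expected_sessions={5}))
```

The session-ID check is a cheap sanity control for the monitoring VLAN: copies arriving from a session nobody configured point to a misconfigured mirror or a sender that should not be on that segment. The truncation bit matters for the IDS behind the collector, because signature matching on a cut-down payload produces silent misses rather than errors, and the GRE sequence number is what lets the collector report mirror drops instead of assuming the capture is complete.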
General Concepts
► Where do they integrate?
► Switch port taps
► Switch integration
► VM integration
► Hypervisor kernel
► Deployed footprint
► Management VMs
► Per host
► Hypervisor support
► IPv6 support…
VMware
► Simple capabilities
► vShield provides screening functionality
► No traffic mirroring
vSphere Distributed Switch Details
  Type     Switch integration
  Support  RSPAN, ERSPAN
  Sources  VLAN, port
Cisco
► Nexus 1000v
► Supported on vSphere, announced support for Hyper-V
► Virtual Security Gateway
► Independent control VM
► Dedicated VLANs required
Virtual Security Gateway Details
  Type     Nexus 1000v VEM integration
  Support  Internal traffic routing
  Sources  VEM connections
Nexus 1000v Details
  Type     Mirroring switch integration
  Support  RSPAN, ERSPAN
  Sources  VLAN, port
Juniper
► Security Design VM for management
► Security VM and kernel module per ESX host
► Physical/virtual support
► Support on vSphere
► IPv6 support
vGateway Details
  Type     Hypervisor kernel module
  Support  Traffic redirection, ERSPAN
  Sources  Firewall filtering
IBM
► Separate controller VM
► Support on vSphere
Distributed Switch 5000V Details
  Type     Switch integration
  Support  SPAN (mirror), ERSPAN
  Sources  VLAN, port
Microsoft
► Rules per instance
► Only port to port
► Not mobile
► IPv6 support
► Future possibilities with extensions, Nexus 1000v
Hyper-V Extensible Switch Details
  Type     Hypervisor integration
  Support  Simple mirroring
  Sources  Port
Open vSwitch
► Xen and KVM support
► Basic mirroring
Open vSwitch Details
  Type     Switch integration
  Support  SPAN, RSPAN
  Sources  VLAN, port
HP
► VM per ESX host
► External monitoring support
► Supported on vSphere
vController Details
  Type     Kernel module, control VM
  Support  RSPAN, ERSPAN
  Sources  VLAN, port
Data Access Approaches
► Better for existing users
► Gigamon release expected soon
NetOptics Details
  Type     Hypervisor module
  Support  Redirection
  Sources  Filtering
Gigamon Details
  Type     Monitoring VM
  Support  Redirection
  Sources  Filtering
Change Tactics
► Infrastructure statistics
► Clouds allow agentless monitoring
► Instrument hosts
► Integration concerns
► Overlay networks
► Have to be designed in
► Shift to activity-based (logs)
► A more dramatic change
What’s Out There Today?
► Cloudy networks
► Amazon
► Fully virtual
► Google Compute Engine
► Rackspace et al
► Mixed possibilities
► VMware-based clouds
► See below
► OpenStack
► Virtual platforms
► VMware
► Citrix/Xen
► Microsoft
► KVM/Red Hat
Through the Amazon
► Virtual Private Cloud offers the best options
► Network segmentation
► Multiple interfaces per instance
► Virtual appliance support
► Firewalls
► IDS
► APM
► Recording not practical
Amazon Overview
  Capability                Options
  Network segmentation      Within VPC
  Firewall / ACL            Security Groups in VPC for egress
  Traffic inspection (IDS)  Appliance-based
  Traffic capture           Statistics through CloudWatch; host agents
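The Amazon table above lists security groups as the VPC-side equivalent of the enterprise firewall and ACL, and the earlier slide on replicating capabilities locally names aligning policies across different implementations as the hard part. The example below is added here and is not from the deck; it is a simplified model of the two rule semantics a VPC offers, a stateful allow-only security group and a stateless, numbered network ACL with an implicit deny, with the class and rule names chosen for this example. It expresses one egress intent in both models and evaluates the same constructed flows against each, so the places where a policy copied verbatim from one model silently behaves differently in the other become visible.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    direction: str    # "egress" (instance -> remote) or "ingress" (remote -> instance)
    remote: str       # IP address of the far end
    proto: str        # "tcp" or "udp"
    local_port: int   # port on the instance
    remote_port: int  # port on the far end


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str              # "tcp", "udp" or "any"
    port_from: int          # port range at the flow's destination, as cloud rules express it
    port_to: int
    cidr: str               # remote network the rule applies to
    action: str = "allow"   # NACL rules may also "deny"; security groups only allow
    number: int = 0         # evaluation order, NACL only


def rule_matches(rule, flow):
    if rule.direction != flow.direction:
        return False
    if rule.proto != "any" and rule.proto != flow.proto:
        return False
    dport = flow.remote_port if flow.direction == "egress" else flow.local_port
    if not rule.port_from <= dport <= rule.port_to:
        return False
    return ipaddress.ip_address(flow.remote) in ipaddress.ip_network(rule.cidr)


class SecurityGroup:
    """Stateful allow-list: every rule is an allow, any matching rule permits,
    and replies to a permitted flow are permitted without a rule of their own."""

    def __init__(self, rules):
        self.rules = [r for r in rules if r.action == "allow"]
        self._conntrack = set()

    def allows(self, flow):
        # The same 4-tuple identifies a flow and its reply, because ports are
        # labelled by endpoint (local/remote) rather than by packet direction.
        key = (flow.remote, flow.proto, flow.local_port, flow.remote_port)
        if key in self._conntrack:
            return True
        if any(rule_matches(r, flow) for r in self.rules):
            self._conntrack.add(key)
            return True
        return False


class NetworkAcl:
    """Stateless ordered list: lowest rule number first, first match decides,
    implicit deny at the end. Replies need a rule of their own."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def allows(self, flow):
        for r in self.rules:
            if rule_matches(r, flow):
                return r.action == "allow"
        return False


def compare_egress_policy():
    """One intent, 'only HTTPS to 10.0.0.0/8 may leave, and nothing may reach
    10.9.0.0/16', written in both models and evaluated against the same flows."""
    sg = SecurityGroup([Rule("egress", "tcp", 443, 443, "10.0.0.0/8")])
    nacl = NetworkAcl([
        Rule("egress", "tcp", 443, 443, "10.9.0.0/16", action="deny", number=50),
        Rule("egress", "tcp", 443, 443, "10.0.0.0/8", number=100),
    ])
    out = Flow("egress", "10.1.2.3", "tcp", local_port=49152, remote_port=443)
    reply = Flow("ingress", "10.1.2.3", "tcp", local_port=49152, remote_port=443)
    blocked = Flow("egress", "10.9.1.1", "tcp", local_port=49153, remote_port=443)
    results = {
        "sg_out": sg.allows(out),
        "sg_reply": sg.allows(reply),                 # permitted by state, no ingress rule
        "sg_blocked_subnet": sg.allows(blocked),      # allow-only model cannot say "deny"
        "nacl_out": nacl.allows(out),
        "nacl_reply": nacl.allows(reply),             # dropped: stateless, no ingress rule
        "nacl_blocked_subnet": nacl.allows(blocked),  # deny at 50 wins over allow at 100
    }
    # Aligning the NACL with the security group's behaviour means adding an
    # explicit inbound rule for the ephemeral ports replies arrive on.
    aligned = NetworkAcl(nacl.rules + [
        Rule("ingress", "tcp", 1024, 65535, "10.0.0.0/8", number=110)])
    results["nacl_reply_aligned"] = aligned.allows(reply)
    return results


if __name__ == "__main__":
    for name, allowed in compare_egress_policy().items():
        print(f"{name}: {'allow' if allowed else 'deny'}")
```

The result dictionary exposes the two classic mismatches: the stateless ACL drops the reply to a permitted connection until an inbound rule for the ephemeral port range is added, and the allow-only security group cannot express the deny that the ACL places ahead of its broader allow. Neither is a defect in either model; they are the reason the deck's advice to align policies and correlate events across implementations amounts to more than copying rule lists from one platform to another.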
Google
► Google Compute Engine holds promise
► Similar to early VPC
► Four network segments
► Inbound firewalling
► Still in “limited preview”
► No appliance support
Rackspace
► Cloud and managed hosting
► Cloud is evolving with OpenStack and Nicira support
► Promise of a more flexible future
► Cloud Networks just rolling out
► Instances perform routing
► 3 networks with 64 servers each
► Hardware front ends
► F5 LTM
► Cisco ASA
► Software, too
► Zeus ADC
Rackspace Overview
  Capability                Options
  Network segmentation      Cloud Networking only
  Firewall                  Physical Cisco, virtual option
  ACL                       Inbound
  Traffic inspection (IDS)  Limited
  Traffic capture           Host agents
A Shiny SDN Future
► Software Defined Networking could help
► Someday…
► Automated packet replication
► Automated identification and forwarding
► Better scale than virtual SPAN ports
► Different technology platforms
► OpenFlow
► OpenStack/CloudStack/Quantum
► Networking vendors
► Cisco ONE, onePK
► Arista DANZ
Seeing Through the Mists
► Many goals can be achieved
► Access tools are available
► Isolation can work
► Within scaling considerations
► Monitoring
► Full recording remains a challenge
► SDN could help
► Where available…
Questions?
eric.hanselman@451research.com
@e_hanselman
