Designing Secure Cisco Data Centers

Михаил Кадер,
mkader@cisco.com
security-request@cisco.com

© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Validated Designs Deliver Results
Data Center / Secure Data Center CVD – www.cisco.com/go/vmdc

“59% of organizations lack the lab resources or test environments to validate
vendor claims for themselves.”
—SANS Institute

“Organizations clearly lack well-defined standards, processes, and
resources for determining the resiliency of their critical network devices and
systems.... Need methodical resiliency validation using a combo of real
traffic, heavy load and security attacks.”
—SANS and TOGAG


Setting the Foundation for the Secure
Designs

© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 3

Architecture
Traditional Data Center Architecture

Items of note:

- Both Physical Network Fabric and Virtualization components
are represented
- Well defined DC Edge (layer 3) providing connectivity and
security services to/from DC and Internet/Extranet
- DMZ network (physical or virtual workload) on DC edge that
could securely leverage physical workloads or virtual
workloads
- DC Core is Routed (OSPF, BGP, EIGRP) with ECMP
- DC Aggregation layer contains Physical Security Services
allowing the creation of internal zones / trust enclaves without
crossing core (East-West) and crossing core (North-South)
only when required
- Various End-of-Row/Top-of-Rack options represented between
Aggregation and Compute/Access Layer
- Virtual Security services represented with Nexus 1000v


Traditional Secure Data Center Design – Basic and Simplified
Data Center 1.
1
1 Physical Network Fabric –
1
1 2
2 -Creates the shared physical infrastructure for moving packets within the
Physical Network Virtual Fabric & Data Center (North, South, East and West)
Fabric Compute
-Leverages the DC-Class Technologies of Cisco Nexus Switching
A
A External DC Edge – (External Zoning)
A
External DC Virtual -Boundary between the Data Center and the rest of the corporate
Edge Workloads network (or Internet) (North-South)
B Internal DC Zones – Stateful Internal separation
B B
-Allows Secure Zones or Trust Enclaves to be established within the DC
Internal DC
Zoning
Virtual
Services
Network Fabric, establishing secure separation via External DC Zones
or other Internal DC Zones (North-South)
-Should inherently take advantage of the optimized network infrastructure
without violating proper Data Center Design objectives
High-Availability / Zero Downtime
Scalability / Massive Workload Processing
Survivability / Redundancy
Low Latency / No Packet Loss
Asymmetric Traffic Flows


Traditional Secure Data Center Design – Basic and Simplified
Data Center 1.
22 Virtual Fabric and Compute–
1
1 2
2 -Creates the shared virtual infrastructure for moving packets within the
Physical Network Virtual Fabric & Virtualized Data Center
Fabric Compute
-Leverages Virtualization & Compute Technologies of Cisco Nexus /
Unified Compute System (UCS) and Virtualization Software e.g.
A A
External DC
‘Secure’ VMWare, Citrix, etc.
Virtual
Edge
Workloads
A Secure Virtual Workloads -
-Securing the sum of the requests made by users and applications of a
B B ‘virtual system’
Virtual
Internal DC
Security -Typically defined as a self-contained unit: an integrated stack consisting
Zoning
Services of application, middleware, database, and operating system devoted to a
specific computing task
B
Virtual Security Services -
-The Virtual services defined to successfully secure and optimize a Virtual
Workload - Virtual Firewalls, Virtual Routing, Network Management,
Virtual Load Balancers, Cloud Interconnect, VPN, etc.


Architecture
Secure DC: Traditional Use Cases
1 Secure Internal Zone From External Zone Secure Data in a Compliance Scenario [PCI, FISMA, HIPAA, etc.]
2

Internet VDC1
CTX1
DMZ
CTX2 VDC2

Cisco VXI
vPC
vPC

Campus / Data Center

3 Secure Application Tiers
4 Secure Multi-Tenancy
Extranet
Front-End
(Presentation)
Vendor
CTX1 CTX1

CTX2 Partner
Web Tier
(business logic)

CTX2 vPC

DB Tier
(data access)


Architecture
Secure DC: Evolving Deployment Use Cases
VDC1
VDC2

1 Traditional (Physical) DC vPC
VMDC
2 Virtual DC Custom DC
IPsec/SSL
5 Virtual Private Cloud
3 Virtual Desktop Internet

Cisco VXI

PaaS
6 Public Cloud

4 Internal Private Cloud

SaaS

Physical Virtual Private Cloud Public Cloud

Architecture
The Evolving Data Center Architecture

Aggregation Layer Data Center Core
• Workload is localized to the Aggregation Block Layer
• Centralized point for ingress and egress data center
flows Layer 3
• Can be demarcation point for L2 and L3
• Services can be scaled as data center grows
Layer 2
DC Aggregation
Services Layer (option) Layer

• Additional services location for server farm specific
protection / optimization
• Services localized to the applications running on the DC Service Layer
servers connected to the physical pod – SLB, Monitors,
etc.
• Offloads port utilization from Aggregation Layer
DC Access Layer
Virtual Network & Access
• Physical and virtual form factor for server connectivity
Storage Virtual UCS
• Top of rack provides port density for server connections
Access
• Merging point between physical and virtual networks
Data security Virtual Firewall Port security
authenticate & Real-time authentication,
access control Monitoring QoS features
Firewall Rules
 Goal #1: Understand the current approach (De-Couple the Elements of the Design)
 Goal #2: Understand the options we have to build a more efficient architecture (Re-assemble the elements into a more flexible design)

Architecture
The Evolving Data Center Architecture
Adding Layered Security Services
Data Center Edge
• Physical Delineation for all ingress and egress into the ‘CORE’ of
the DC – Traditional Security Models apply to North-South
Protection

Aggregation Layer
• Initial filter for all ingress and egress to DC services & compute -
“North-South” protection
• Stateful filtering and logging for all ingress and egress traffic flows
• Physical appliances can be virtualized and applied to server enclaves

Services Layer (option)
• Additional services location for server farm specific protection and
other potential zones

Virtual Network & Access Storage Virtual UCS
Access
• Virtual firewall, zone/enclave based filtering
• IP-Based Access Control Lists Data security Virtual Firewall Port security
authenticate & Real-time authentication,
• VM attribute-based policies – Should Follow VM access control Monitoring QoS features
Firewall Rules
• “East-West” protection


VDC and VPC Designs


Traditional Secure DC Design – Network Fabric Best Practices
Data Center 1
1.
1 Physical Network Fabric –
1
1 2 -Leverage the full capacity of the Cisco Nexus Switching infrastructure
Physical Network Virtual Fabric & -Security is pervasive, and while it has been known to ‘reduce
Fabric Compute
convenience’; decreasing required network functionality is unacceptable.
A
A External DC Edge – (External Zoning)
A
External DC Virtual -Leverage Edge connectivity (routing)
Edge Workloads -Provide Edge Security (Firewall at minimum)
-Layer 3 Firewalling (with or without NAT) may be used successfully
B B
-IPS and Next Generation Systems can add additional visibility and
Internal DC Virtual
Zoning Services protection
-If very high-speed firewalling / federations, etc. are desired at the DC
edge, ASR1K can deliver up to 100Gbps FW with Stateful HA
-Path diversity into the datacenter if you can. Stateless with Federation to
authenticate to the app, Stateful with Federation for compliance
B
Internal DC Zones – Stateful Internal separation
-Keep routing on the Routers (Firewalls implemented transparently)
-Leverage vPC/vPC+ and/or FabricPath technology to maximize DC traffic
flow capability
-All flows are expected to be asymmetric, therefore zone design
should support this
-No additional Packet-Loss penalties should be introduced
-Zero-downtime Firewall upgrades should be supported
-Survivability/HA on the Firewall / IPS devices is critical

Connectivity
Building an Efficient DC Fabric to Scale
Scaling the Network Fabric - Virtual Device Context (VDC)
VDC 1
Layer 2 Protocols Layer 3 Protocols
VLAN UDLD OSPF GLBP
PVLAN CDP BGP HSRP
STP 802.1X EIGRP IGMP
LACP CTS PIM SNMP
VDCs … …

VDC 2
Layer 2 Protocols Layer 3 Protocols
VLAN UDLD OSPF GLBP
PVLAN CDP BGP HSRP
STP 802.1X EIGRP IGMP
LACP CTS PIM SNMP
… …

Nexus 7000 VDC – Virtual Device Context (up to 8 VDCs plus 1 Management VDC – SUP2E w/ NXOS
6.04/6.1)
 Flexible separation/distribution of hardware resources and software components
 Complete data plane and control plane separation
 Complete software fault isolation
 Securely delineated administrative contexts
 Each physical interface can only be active in one VDC

Connectivity
Using VDCs for Vertical Consolidation
One of the most common uses of VDCs
• Allows Consolidation of Core, Aggregation while maintaining network hierarchy
• No reduction in port count or links but fewer physical switches
‒ Copper Twinax cables (CX-1) provide a low cost 10G interconnect option

Core

Core Core

Agg
Agg Agg

Access


Connectivity
Using VDCs for Internet Edge/DMZ/Core

 Option to meet multiple needs – XL VDC, DMZ and Core
 Maintains security model with logical separation

Internet

Internet
Edge(XL) Internet Internet Edge
Edge(XL) (XL)

Firewalls for Intra
or Inter-VDC
DMZ DMZ DMZ Traffic Flows

Core Core

Core


Connectivity
VDC Security Certification

 VDC separation is industry certified ‘Leak-proof Security Mechanism’
 NSS Labs for PCI Compliant Environments – http://www.nsslabs.com
 FIPS 140-2 http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf
 Common Criteria Evaluation and Validation Scheme – Certification
#10349 - http://www.niap-ccevs.org/st/vid10349/


Connectivity
Using VDCs for PCI Compliance Segmentation

• Maintains compliant security model with physical separation
‒ FW and IPS at the boundary of the CDE zone as required by PCI-DSS 2.0

Internet

Internet
Edge(XL) Internet Internet Edge
Edge(XL) (XL)

PCI PCI PCI

Core Core

Core


Connectivity
Building an Efficient DC Fabric to Scale
Logical Topology without vPC
Scaling the Network Fabric – Virtual Port Channel vPC)
Aggregation
• Allow a single device to use a port channel across two upstream
switches (aka MCEC)
• Eliminate STP blocked ports
Access
• Simplify L2 Paths by supporting loopfree non-blocking concurrent
L2 paths
• Dual-homed server operate in active-active mode
• Provide fast convergence upon link/device failure
Logical Topology with vPC vPC Peers
! Enable vpc on the switch Aggregation
dc11-5020-1(config)# feature vpc
MCEC
! Check the feature status
dc11-5020-1(config)# show feature | include vpc
vpc 1 enabled vPC Peers
Access

MCEC


Connectivity
What is a Virtual Port Channel (vPC)?
• vPC is a Port-channeling concept extending link aggregation to two separate physical switches
• vPC allows a single device to use a port channel
across two neighbor switches (vPC peers)
• vPC Peer link is used to synchronize state between
vPC peer devices, must be 10GE
• Eliminates STP blocked ports/STP delays/Calculations
and uses all available uplink bandwidth (active/active)
‒ Does not actually turn off STP – FabricPath does this
• Supported in NX-OS switches only
• Recommended to always use LACP for dynamic LAG
VPC PEER LINK
• vPC Design & Best Practices Guide:
http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572830-
00_Agg_Dsgn_Config_DG.pdf

19

Connectivity
Why use vPC? – Multi-Chassis Etherchannel (MEC)

No Port Channel: Single-Chassis LACP Port
STP Allows only one active link Channel: vPC Multi-Chassis LACP Port
Sub-optimal flows and resource Both links active but no Channel:
usage device redundancy (single Both links active, optimal
switch) redundancy, all links active

LACP Load Balance
LACP Load Balance src- src-dst-IP (hash)
dst-IP (hash)

VPC PEER LINK

20

Connectivity
VPC with Multiple ASAs – A/S or A/A Failover
• Part of CVD architecture since in July 2011
• vPC ensures zero packet loss in the event of a link failure to the ASA channel 32
firewall, a firewall failure, a switch failure, VDC reset, or vPC peer- State and Failover links
link loss
‒ Works with both A/S and A/A failover (and with ASA 9x Clustering)
• Allows ASA to participate in necessary DC redundancy technologies
with expected flow asymmetry
• ASA is only DC Firewall on market that can simultaneously:
1. Run standards-based LACP for Dynamic LAG to Nexus vPC/vPC+ or Cat6K
VSS with proper bundling semantics N7K VPC 40 N7K VPC 41

no traffic black holes or loss of state due to expected flow asymmetry / out-of-order packets VPC PEER LINK

2. Supports all of the same LACP load balancing hash values as the switch
fabric(s) [def. = src-dst IP]
3. Able to support dynamic LAG (LACP) in all modes: Routed / Transparent /
Multi-context / Mixed-context(s) / Clustering
4. Successfully handles the expected flow asymmetry and out-of-order packets
from Multiple chassis simultaneously
21

Connectivity
ASA Connecting to Nexus with vPC (basic)
interface Ethernet4/1
switchport mode trunk
channel-group 40 mode active
no shutdown
!
interface Ethernet4/2 VPC PEER LINK
switchport mode trunk North Zone
channel-group 40 mode active
no shutdown VLAN 200
!
interface port-channel4 0 N7K VPC 40
switchport interface TenGigabitEthernet0/6
switchport mode trunk channel-group 32 mode active vss-id 1
switchport trunk allowed vlan 1,200,201 vpc 40 no nameif Trunks
! no security-level VPC
vpc domain 10 !
role priority 50 interface TenGigabitEthernet0/7
peer-keepalive dest 10.1.1.2 source 10.1.1.1 vrf channel-group 32 mode active vss-id 2 ASA channel 32
VLAN 200
vpc-mgmt no nameif Outside
peer-gateway no security-level
!
interface BVI1
ip address 172.16.25.86 255.255.255.0 VLAN 201
! Inside
interface Port-channel32
no nameif
no security-level
! South Zone
Note: interface Port-channel32.201 VLAN 201
mac-address 3232.1111.3232
vlan 201
Example shows only one side of config: N7K1 and ASA1. nameif inside
Full configuration would be assumed. bridge-group 1
security-level 100
!
ASA connected to Nexus with vPC and establishing an interface Port-channel32.200
internal DC zone pair between VL200 (N) and VL201(S). mac-address 3232.1a1a.3232
vlan 200
ASA is deployed using transparent (L2) mode in this nameif outside
example to minimize network fabric modification(s) – Will bridge-group 1
security-level 0
be discussed in detail later

Connectivity
ASA Connecting to Nexus with vPC (Best Practices Shown)
• ASA connected to Nexus using multiple
physical interfaces on vPC DC Core /
EDGE
‒ ASA can be configured to failover after a
certain number of links lost (when using HA)
L3
SVI VLAN200 SVI VLAN200 Aggregation Layer
• Note that vPC identifiers are different FHRP
VPC PEER LINK
FHRP
L2
for each ASA on the Nexus switch (this
VLAN 200
changes with ASA clustering feature N7K VPC 40
Trunks
N7K VPC 41 Outside
VPC
and cLACP [not yet shown]) VPC
North Zone
FW HA VLAN 200
ASA channel 32
VPC VPC VLAN 201
Inside

VPC PEER LINK

Access Layer

VPC

South Zone
VLAN 201

Secure Design Building Blocks


Segmentation
Security Building Block: Segmentation

• While not a security technology, segmentation has long been used as a means for
grouping similar resources in order to apply specific configuration or policy
• Sometimes there is a technical benefit with segmentation
• An example is using VLANs to reduce the L2 broadcast domain and improve network
efficiency
• VRF (Virtual Routing and Forwarding) typically used for virtualizing L3 services
• VDCs (Virtual Device Context) on the Nexus platforms allow multiple, independent
virtualized switches inside of a single physical switch
• Zones are a common term to refer to units in the data centre that share a common trait and
can reduce operational complexity with both physical and virtualized hosts and services


Segmentation
Security Building Block: Segmentation
6 Degrees of Separation

Nexus 7000 Segmentation Building Blocks

Nexus 7K
1. Virtual Device Context
2. Virtual Routing/Forwarding (VRF)
VRF-Lite can be easily used as it does not require MPLS
3. VLANs
4. Security Group Tags (SGT in packet) ASA

5. 802.1AE MACSEC Encryption
CTX1 CTX2 CTX3
ASA
6. Virtual Firewall Context (Virtualized Firewall)
VLANx1 VLANy1 VLANz1
VLANx2 VLANy2 VLANz2
SGT SGT SGT SGT SGT SGT

802.1AE
(encrypt)


Segmentation
Firewall Design: Modes of Operation

• Routed Mode is the traditional mode of the firewall. Two or more interfaces that separate
L3 domains
• Transparent Mode is where the firewall acts as a bridge functioning mostly at L2
• Multi-context mode involves the use of virtual firewalls, which can be either routed or
transparent mode
• Mixed mode is the concept of using virtualization to combine routed and transparent mode
virtual firewalls
• Transparent mode firewall offers some unique benefits in the DC


Segmentation
Why Deploy Transparent Mode?

• Existing Nexus Network Fabric does not need to be modified to employ L2 Firewall!
• Simple as changing host(s) VLAN ID
• Firewall does not need to run routing protocols / become a segment gateway
• Firewalls are more suited to flow-based inspection (not packet forwarding like a router)
• Routing protocols can establish adjacencies through the firewall
• Protocols such as HSRP, VRRP, GLBP can cross the firewall
• Multicast streams can traverse the firewall
• Non-IP traffic can be allowed (IPX, MPLS, BPDUs)
• (CVD) 9 of 10 internal zoning scenarios recommends Transparent FW (L2) deployed
versus Routed Firewall (L3)


Segmentation
Firewall - Transparent Mode
L2 Firewall

• Firewall functions like a bridge (“bump in the wire”) at L2, only ARP packets pass without an explicit ACL
• Uses traditional ACLs on the firewall
• Does not forward Cisco Discovery Protocol (CDP)
• Same subnet exists on all interfaces in the bridge-group
• Different VLANs on inside and outside interfaces
• In addition to Extended ACLs, use an EtherType ACL to restrict or allow L2 protocols


Transparent Mode Configuration in the DC (2 interfaces)

interface TenGigabitEthernet0/6
SVI VLAN200 172.16.25.253 SVI VLAN200 172.16.25.254
channel-group 32 mode active vss-id 1 FHRP – 172.16.25.1 FHRP – 172.16.25.1
no nameif
no security-level North Zone
! VLAN 200
interface TenGigabitEthernet0/7
channel-group 32 mode active vss-id 2
no nameif
no security-level
!
interface BVI1
ip address 172.16.25.86 255.255.255.0 VPC
! VLAN 200
interface Port-channel32 Outside
no nameif
no security-level VLAN 201
! Inside
interface Port-channel32.201 VPC 172.16.25.86/24
mac-address 3232.1111.3232
vlan 201
nameif inside
bridge-group 1
security-level 100
! Trunk Allowed 1,201 South Zone
interface Port-channel32.200
VLAN 201
mac-address 3232.1a1a.3232
vlan 200
nameif outside
bridge-group 1
security-level 0
Server in
VLAN 201

Segmentation
Firewall - Mixed Mode vFW Contexts

• Mixed Mode is the concept of using virtual firewalls, some in routed mode and some in transparent (L2)
mode
• This is only supported on the ASA running at least v9.0 or any ASA-SM version
• Up to 8 pairs of physical interfaces are supported per context
• This could conceivably allow both the Edge (L3) firewall and Internal (L2) firewall to live on the same set of
physical appliances

mode multiple

context context1
firewall transparent
allocate-interface vlan99 outside
allocate-interface vlan100 inside
config-url disk0:/ctx1.cfg
member gold
context context2
allocate-interface vlan200 outside
allocate-interface vlan210 inside
config-url disk0:/ctx2.cfg


Physical and Virtual Internal Zoning


Example Internal Zoning for DEV – Option 1 Internal Zoning
Physical Separation Internet /
Extranet

Model could provide for Application load testing. ASA A/S HA CTX

If dedicated path through Core is required,
consider using a DEV vRF DC Edge

If dedicated Edge is required, consider using
DC Core VDC (Routed) DEV VRF
vFW Contexts on edge ASAs or a separate
(lower-end) ASA PAir BGP/OSPF DEV VRF

Core DEV VRF
L3
L2
DEV VDC Created on Nexus 7K, attached to Prod Aggregation Layer Dev Aggregation Layer
CORE VDC and supporting its own PoD VDC VDC

FW CLUSTER(s)
ASAs in Aggregation layer could be oriented in
several ways. CTX CTX
1- Single ASA Cluster with separate vFW
Contexts for the DEV zones – Would require
ports on the ASA are physically connected to Virtual
each VDC Access Layer
2- Separate ASA Clusters with or without vFW
Contexts PoD PoD

Compute structure creates a mirrored server
environment for DEV operating on it own PoD
Virtual Switch
Virtual Switch
Hypervisor
Hypervisor
PROD Compute Zone DEV Compute Zone

Example Internal Zoning for DEV – Option 2 Internal Zoning
Virtual Separation Internet /
Extranet

ASA A/S HA

DC Edge
Virtual Separation model uses a shared
Physical Infrastructure (Nexus) for routing and
transport DC Core VDC (Routed)

BGP/OSPF
ASAs are used to separate DEV and PROD Core
traffic L3
L2
Virtual resources can share physical Server Aggregation Layer VDC
Hardware and PoD. Security implemented
similarly than to a Secure Multi Tenant
environment

FW CLUSTER

Virtual
Access Layer

Internal Zoning
Virtualization Security Concerns
Policy Enforcement
‒ Applied at physical server—not the individual VM
‒ Impossible to enforce policy for VMs in motion
Operations and Management
‒ Lack of VM visibility, accountability, and consistency
‒ Difficult management model and inability to effectively troubleshoot
Roles and Responsibilities
‒ Muddled ownership as server admin must configure
virtual network
‒ Organizational redundancy creates compliance challenges
Machine Segmentation
‒ Server and application isolation on same physical server
‒ No separation between compliant and non-compliant systems…


Internal Zoning
Cisco Virtual Networking and Cloud Network Services
Cloud Network Services
Tenant A
Virtualized/Cloud Imperva
SecureSphere
Cloud Services Network
ASA 1000V
Cloud
Cisco Virtual
Security
Data Center WAF
Citrix Router 1000V Analysis
Module
Firewall Gateway
NetScaler
Servers VPX
vWAAS
(vNAM)
WAN Router Switches
Zone A

Zone B

Physical Infrastructure vPath VXLAN Nexus 1000V

Multi-Hypervisor (VMware, Microsoft*, RedHat*, Citrix*)

Nexus 1000V VSG ASA 1000V vWAAS CSR 1000V vNAM Ecosystem
(Dist. Virtual Switch) (Zone-based FW) (Cloud FW) (WAN Optimization) (Cloud Router) (Network Analytics) Services
• Distributed switch • VM-level controls • Edge firewall, VPN • WAN optimization • Citrix NetScaler VPX
• WAN L3 gateway • App Visibility (L2-L7)
virtual ADC
• NX-OS consistency • Zone-based FW • Protocol Inspection • Application traffic • Routing and VPN • Overlay Intelligence
• Imperva Web App. FW
(OTV, VXLAN, FP**)
N1110: 1H CY2013
7000+ Customers Available Now Available Now Available Now 1H 2013 PoC: 1H 2013 vPath: 2H CY2013

**MSFT: 2Q CY2013; Open-source: In PoC **FP: FabricPath

Internal Zoning
Managing Virtual Networking Policy

Server
Network Team
Security
Team
Team
Nexus 1000V (1110/1010)
 Non-disruptive operation model to maintain
current workflows using Port Profiles
Nexus 1000V  Maintain network security policies with
isolation and segmentation via VLANs,
Private VLANs, Port-based Access Lists,
Cisco Integrated Security Features
 Ensure visibility (VM Introspection) into
virtual machine traffic flows using traditional
network features such as ERSPAN and
NetFlow

Isolation and Management and Roles and
Segmentation Monitoring Responsibilities


Internal Zoning
Cisco’s Virtual Security Portfolio

Cisco® VSG Cisco ASA 1000V

Intra-Tenant Tenant-Edge
Security Security
• Secures traffic between virtual
• Secures the tenant edge
machines within a tenant
• Default gateway; Layer 3 firewall
• Layer 2 and 3 firewall to secure to secure north-to-south traffic
east-to-west traffic
• Edge firewall capabilities including
• ACLs using network attributes network attribute-based ACLs,
and virtual machine attributes site-to-site VPN, NAT, DHCP,
inspections, and IP audit
• First-packet lookup and
performance acceleration using • All packets go through the Cisco
vPath ASA 1000V

Internal Zoning
Security for Virtualization
Virtual Security Gateway

Zone based intra-tenant
segmentation of VMs
Nexus 1000V

ASA 1000V
Virtual Service Nodes
vPATH
Nexus 1000V

Hypervisor

Ingress/Egress multi-tenant edge
deployment
vCenter Nexus 1KV VNMC

Server Network Admin Security Admin
Admin


Internal Zoning
Microsegmenation
Policy Per Zone, Per VM, Per vNIC

Control ingress/egress & inter-VM traffic
Firewall, ACL, VM Attributes
Virtual ASA
Virtual ASA

Zone A Enable Dynamic Provisioning
Zone B Zone C

Mobility Transparent Enforcement
vApp

VSG Administrative Segregation VSG
Server • Network • Security
vApp
VSG

vPath
Nexus 1000V
vSphere vPath
Nexus 1000V
vSphere


Internal Zoning
Physical to Virtual

• Zones used define policy
enforcement
• Unique policies and traffic
decisions applied to each zone
• Physical Infrastructure mapped
per zone Steer VM traffic to Firewall
‒ VRF, Virtual Context Context

• Merging physical and virtual
infrastructure
Segment pools of
blade resources per
Zone
Virtual Switch Virtual Switch
Hypervisor Hypervisor

48

Internal Zoning
vPath Intelligence: Service Chaining
ASA 1000V and VSG

• vservice node ASA1 type asa
ip address 172.31.2.11 Defining the Service Node
adjacency l2 vlan 3770 on Nexus 1000V
• vservice node VSG1 type vsg
ip address 10.10.11.202
adjacency l3

• vservice path chain-VSG-ASA Chain the Service Nodes
node VSG1 profile sp-web order 10 Order is inside to outside
node ASA1 profile sp-edge order 20

• port-profile type vethernet Tenant-1 Enable the Service Chain
org root/Tenant-1 Per Port-Profile
vservice path chain-VSG-ASA

Internal Zoning
Virtual Firewall and Physical Network
ASA 1000V Deployment

Core

Aggregation 10.1.2.254

Layer 3
Protected VRF 10.1.2.254
ASA 5585
ASA 5585
Layer 3
10.1.1.254 Layer 3
Layer 2 10.1.3.254

10.1.1.252 10.1.1.253
ASA 1000V

vPath vPath
vPath
Nexus 1000V Nexus 1000V Nexus 1000V
Hypervisor Hypervisor
Hypervisor Sub Zones


Internal Zoning
Multi-Tier Application Architecture
Edge Firewall Web
Client

• Tier Deployment
• Multi-Tier application architectures
• Application vendor often has specific recommendations on ASA 1000V
how to deploy an application
• Can consist of
Permit Only Port Permit Only Port 22 Block all external access
• Web (presentation) tier 80(HTTP) of Web Servers (SSH) to application to database servers
servers
• Application tier
• Database tier
Web App DBDB
Web App
• Web and Application services can be on physically separate Server
Server
Server
Server
server
server
servers or collapsed into single in some cases
Web-zone Application-zone Database-zone
• Normal flow is often client->web->application->database
• No direct client to database communication Only Permit Web servers Only Permit Application servers
access to Application servers access to Database servers
• Servers may be clustered for high availability. Often uses
layer 2 multicast protocol for state exchange


Compliance
PCI Compliance Design Option –
Physical Separation with VDC
Internet /
Extranet
Edge ASAs may implement a specific context for IPSec
Compliance needs or a distinct pair of ASA s may be
used

ASA A/S HA CTX CTX

PCI VRF
DC Edge
SGT
Nexus 7K carries traffic from ASA Context across
vRF – PCI VRF – Moves packets across routed Core DC Core VDC (Routed) PCI VRF
802.1AE
to PCI Distribution VDC (encrypt)
SGT VRF
PCI
SGT
BGP/OSPF
Security Group Access with MACSEC can be used on Core PCI VRF
the Nexus 7000 to provide hop-by-hop encryption L3
L2
Dedicated ASAs (or vFW Context(s)) in Distribution Prod Aggregation Layer PCI Aggregation Layer
Layer VDC invoke North-South Security Policy, VDC VDC
possibly even enforcing using the SGT (via SXP)
limiting compliant access to only the PCI Zone
Servers by network, service or application
FW CLUSTER(s)

CTX CTX SGT

Within Virtual Access Layer dedicated Server Virtual
hardware is recommended for Security (compliance) Access Layer

Additional port profiles may be created and leverage PoD PoD
the Virtual Security Gateway (VSG) for East-West
zoning between VMs in the DMZ

ASA1000v can also be used to implement a Secure
IPSec VPN to another secure destination Virtual Switch
Virtual Switch
Hypervisor
Hypervisor

Production Servers Compliance Zone Servers

Designing Secure Cisco Data Centers

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Designing Secure Cisco Data Centers

Similar to Designing Secure Cisco Data Centers (20)

More from Cisco Russia

More from Cisco Russia (20)

Recently uploaded

Recently uploaded (20)

Designing Secure Cisco Data Centers