What are the hackers preparing for us, and how do we protect the network?
Goran Peteh, Enterprise Systems Engineer, gopeteh@cisco.com
VM_security
© 2006 Cisco Systems, Inc. All rights reserved.

Partners / Media sponsors

Cisco Nexus 1000V
• Software-based VM switching
• Industry's first 3rd-party vNetwork Distributed Switch for VMware vSphere
• Built on Cisco NX-OS
• Compatible with all switching platforms
• Policy-based VM connectivity
• Mobility of network and security properties
• Non-disruptive operational model

Cisco VN-Link Switch: VN-Link Brings VM-Level Granularity (VMotion, VLAN 101)
Problems:
• VMotion may move VMs across physical ports; policy must follow
• Impossible to view or apply policy to locally switched traffic
• Cannot correlate traffic on physical links coming from multiple VMs
VN-Link:
• Extends the network to the VM
• Consistent services
• Coordinated, coherent management

Cisco Nexus 1000V Architecture
Virtual Supervisor Module (VSM)
• Virtual or physical appliance running Cisco NX-OS (supports HA)
• Performs management, monitoring and configuration
• Tight integration with VMware vCenter
Virtual Ethernet Module (VEM)
• Enables advanced networking capability on the hypervisor
• Provides each VM with a dedicated "switch port"
• Collection of VEMs = 1 vNetwork Distributed Switch
• VEM is installed/upgraded like an ESX patch
Cisco Nexus 1000V Installation
• ESX and ESXi
• VUM and manual installation
Virtualizing the DMZ: Mapping the Roles and Responsibilities
• Separation of duties for virtualization, security and network administrators
• Implement existing policies and procedures
• Identical tools to the physical network: minimize miscommunication

  n1000v# show port-profile name WebServers
  port-profile WebProfile
    description:
    status: enabled
    capability uplink: no
    system vlans:
    port-group: WebProfile
    config attributes:
      switchport mode access
      switchport access vlan 110
      no shutdown
    evaluated config attributes:
      switchport mode access
      switchport access vlan 110
      no shutdown
    assigned interfaces:
      Veth10

Virtualize the DMZ: Access Control List
• Restrict production VM access to sensitive parts of the data center
• Segregate traffic to/from the web server
• Protect management traffic (VMkernel)
• Protect servers (FTP, WWW)

  dcvsm(config)# ip access-list deny-vm-traffic-to-ftp-server
  dcvsm(config-acl)# deny tcp host 10.10.10.10 eq ftp any
  dcvsm(config-acl)# permit ip any any

Increase DMZ Visibility with ERSPAN: Port Mirroring
• ERSPAN allows VM traffic to be mirrored to a traffic analyzer
• Mirrored traffic can traverse a Layer 3 network
• Visibility through centralized L4-7 services: firewall, intrusion detection system

Increase DMZ Visibility with NetFlow: Network Statistics
• NetFlow allows network statistics to be exported
• Anomaly detection across virtual and physical servers
• Distributed network application monitoring, for both physical and virtual applications
• Network planning: assists with growth and scaling of the data center

PCI Compliance and Nexus 1000V
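Added example, not part of the deck and not Cisco code: a small Python evaluator for NX-OS-style IPv4 access lists with first-match semantics and the implicit deny at the end, run over the deny-vm-traffic-to-ftp-server list shown on the Access Control List slide above. PORT_NAMES is a hand-picked subset of the CLI port keywords and the flow is constructed. The check worth seeing is that a port qualifier placed directly after the source address binds to the source port, so the entry as typed matches segments leaving port 21 on 10.10.10.10, while DST_PORT_ACL shows the form that matches connections from the VM to an FTP server.

```python
# Added example, not Cisco code: first-match evaluator for NX-OS-style IPv4 ACLs.
# PORT_NAMES is a hand-picked subset of port keywords; the flow below is constructed.
from collections import namedtuple
import ipaddress

PORT_NAMES = {"ftp": 21, "www": 80, "ssh": 22}
Flow = namedtuple("Flow", "proto src sport dst dport")  # proto is "tcp", "udp", ...

def _take_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D/len' from the front of the list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(tok, strict=False)

def _take_port(tokens):
    """Consume an optional 'eq <port>' qualifier; None means any port."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return int(name) if name.isdigit() else PORT_NAMES[name]
    return None

def parse_ace(line):
    """One entry -> (action, proto, src, sport, dst, dport). A port qualifier
    directly after the source address binds to the SOURCE port, as the CLI reads it."""
    t = line.split()
    action, proto = t.pop(0), t.pop(0)
    src, sport = _take_addr(t), _take_port(t)
    dst, dport = _take_addr(t), _take_port(t)
    return action, proto, src, sport, dst, dport

def evaluate(acl_lines, flow):
    """Action of the first matching entry; NX-OS ACLs end with an implicit deny."""
    for action, proto, src, sport, dst, dport in map(parse_ace, acl_lines):
        if (proto in ("ip", flow.proto)
                and ipaddress.ip_address(flow.src) in src
                and ipaddress.ip_address(flow.dst) in dst
                and sport in (None, flow.sport) and dport in (None, flow.dport)):
            return action
    return "deny"

SLIDE_ACL = ["deny tcp host 10.10.10.10 eq ftp any", "permit ip any any"]  # as typed on the slide
DST_PORT_ACL = ["deny tcp host 10.10.10.10 any eq ftp", "permit ip any any"]  # destination-port form
VM_TO_FTP = Flow("tcp", "10.10.10.10", 51000, "10.10.10.50", 21)  # constructed: VM opens FTP control
```

Running `evaluate(SLIDE_ACL, VM_TO_FTP)` returns "permit" and `evaluate(DST_PORT_ACL, VM_TO_FTP)` returns "deny", which is the quickest way to confirm which port an `eq` qualifier is bound to before pushing a list to a VSM.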
Monitor a High-Density VM Deployment with the Nexus 1000V
• Select individual VM traffic to review
• Mirror traffic for further inspection using ERSPAN (intrusion detection)
• Analyze network traffic patterns and export them to a collector using NetFlow (network analysis)

Cisco Integrated Security Features Mitigate Network Attacks
• Rogue VM sends ARP to announce its location: Dynamic ARP Inspection
• Rogue VM changes/adds a MAC address: Port Security
• Rogue VM changes/adds an IP address: IP Source Guard
• Rogue DHCP server VM: DHCP Snooping
• Protection follows the VM across VMotion

Loop Prevention without STP
• BPDUs are dropped
• No switching from physical NIC to NIC
• Local MAC address packets dropped on ingress (L2)

Port Profile Configuration
  n1000v# show port-profile name WebProfile
  port-profile WebProfile
    description:
    status: enabled
    capability uplink: no
    system vlans:
    port-group: WebProfile
    config attributes:
      switchport mode access
      switchport access vlan 110
      no shutdown
    evaluated config attributes:
      switchport mode access
      switchport access vlan 110
      no shutdown
    assigned interfaces:
      Veth10
Supported commands include: port management, VLAN, PVLAN, port-channel, ACL, NetFlow, port security, QoS

Cisco NAC
NAC Manager and Server (required)
• NAC Manager: centralized management, configuration, reporting and policy store
• NAC Server: posture, services and enforcement
NAC Profiler, Guest Server and ACS (optional)
• NAC Profiler: profiles unmanaged devices
• NAC Guest Server: full-featured guest provisioning server
• ACS Server: access policy system for 802.1X termination
SSC Endpoint Components (optional)
• NAC Agent: no-cost client; persistent, dissolvable or web
• 802.1X Supplicant: CSSC or the Vista embedded supplicant

How Cisco NAC Works
1. The end user attempts to access the network: initial access is blocked; single sign-on or web login against the authentication server
2. The NAC Server gathers and assesses user/device information: username and password; device configuration and vulnerabilities
3a. Noncompliant device or incorrect login: access denied; placed in the quarantine role for remediation
3b. Device is compliant: placed on the "certified devices list"; network access granted (intranet/network)

Device Profiling
• Automate inventory collection
• Identify all endpoints (Mac, Windows)
• Real-time monitoring and profiling
(Components: NAC Profiler, NAC Manager, NAC Server, AD / AAA Server)

Cover All Use Cases
• Wireless compliance: secured network access only for compliant wireless devices (Building 2, wireless)
• Endpoint compliance: network access only for compliant devices (Campus Building 1, 802.1Q)
• Governance compliance: ensure user compliance with governance and risk acceptable use policies
• Guest compliance: restricted internet access only for guest users (conference room in Building 3)
• VPN user compliance: intranet access only for compliant remote-access users (Internet, IPsec)

What is a WAF?
• Web Application Firewalls intercept, inspect and deny/reject/allow Layer 7 traffic
• WAF devices protect web applications from specific vulnerabilities that IDS/IPS/firewalls do not see
• WAF devices intercept all traffic bound for the web server
• WAF devices are complex devices with sophisticated features: they have to be as complex as the web applications they protect
(Browser → WAF → web servers → application servers → database servers)

Protecting the web
DDoS Protection
• Cisco Anomaly Guard Module
• Cisco Traffic Anomaly Detector Module (or Cisco IDS or a third-party system)
• Protected Zone 1: Web; Protected Zone 2: Name Servers; Protected Zone 3: E-Commerce Application

Dynamic Diversion and Mitigation at Work
1. Detect: the Traffic Anomaly Detector Module detects the attack on the target (Protected Zone 1: Web)
2. Activate: the Anomaly Guard Module is activated automatically or manually
3. Divert only the target's traffic: route update via RHI internally, or BGP/other externally
4. Identify and filter malicious traffic destined to the target
5. Forward legitimate traffic to the target
6. Non-targeted traffic flows freely