What are hackers preparing for us, and how do we protect the network?
Goran Peteh
Enterprise Systems Engineer
gopeteh@cisco.com
VM_security
© 2006 Cisco Systems, Inc. All rights reserved.
Partners
Media sponsors
Cisco Nexus 1000V
Software-based distributed switch for VMware vSphere
• Industry's first 3rd-party vNetwork Distributed Switch for VMware vSphere
• Built on Cisco NX-OS
• Compatible with all switching platforms
[Diagram: VMs attached to a Nexus 1000V running on vSphere]
Nexus 1000V:
• Policy-based VM connectivity
• Mobility of network and security properties
• Non-disruptive operational model
© 2009 Cisco Systems, Inc. All rights reserved.
VN-Link Brings VM Level Granularity
[Diagram: a VM on VLAN 101 moved by VMotion between hosts connected through a Cisco VN-Link switch]
Problems:
• VMotion may move VMs across physical ports; policy must follow
• Impossible to view or apply policy to locally switched traffic
• Cannot correlate traffic on physical links coming from multiple VMs
VN-Link:
• Extends the network to the VM
• Consistent services
• Coordinated, coherent management
Cisco Nexus 1000V Architecture
[Diagram: several vSphere hosts, each running a Nexus 1000V VEM that connects its VMs; all VEMs are managed by the Nexus 1000V VSM, which integrates with vCenter]
Virtual Supervisor Module (VSM)
• Virtual or physical appliance running Cisco NX-OS (supports HA)
• Performs management, monitoring, and configuration of the Nexus 1000V
• Tight integration with VMware vCenter
Virtual Ethernet Module (VEM)
• Enables advanced networking capability on the hypervisor
• Provides each VM with a dedicated "switch port"
• Collection of VEMs = 1 vNetwork Distributed Switch
Installation
• ESX and ESXi
• VUM and manual installation
• VEM is installed/upgraded like an ESX patch
Virtualizing the DMZ
Mapping the Roles and Responsibilities
n1000v# show port-profile name WebProfile
port-profile WebProfile
  description:
  status: enabled
  capability uplink: no
  system vlans:
  port-group: WebProfile
  config attributes:
    switchport mode access
    switchport access vlan 110
    no shutdown
  evaluated config attributes:
    switchport mode access
    switchport access vlan 110
    no shutdown
  assigned interfaces:
    Veth10
• Separation of duties for virtualization, security, and network administrators
• Implement existing policies and procedures
• Identical tools as for the physical network: minimize miscommunication
Virtualize the DMZ
Access Control List
• Restrict production VM access to sensitive parts of the data center
• Segregate traffic to/from the web server
• Protect management traffic
• Protect servers
[Diagram: vSphere host with the VMKernel, a WWW VM and an FTP VM]
dcvsm(config)# ip access-list deny-vm-traffic-to-ftp-server
dcvsm(config-acl)# deny tcp host 10.10.10.10 eq ftp any
dcvsm(config-acl)# permit ip any any
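To see which direction of the FTP control connection the slide's entry actually matches, here is an added example (not code from the Cisco deck) that models NX-OS ACE matching, source before destination with the first match winning, and evaluates the slide's three lines against two constructed flows; the VM address 10.10.20.5 is made up.

```python
# Added example (not from the Cisco deck): a minimal model of NX-OS IP ACL
# matching. An ACE reads: action protocol SOURCE [eq port] DEST [eq port],
# entries are tried in order, and an unmatched packet hits the implicit deny.
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


FTP_SERVER = "10.10.10.10"  # address used in the slide's ACL

# The slide's ACL transcribed as (action, proto, src, sport, dst, dport);
# None means "any". "eq ftp" resolves to TCP port 21.
DENY_VM_TRAFFIC_TO_FTP_SERVER = [
    ("deny",   "tcp", FTP_SERVER, 21,   None, None),  # deny tcp host 10.10.10.10 eq ftp any
    ("permit", "ip",  None,       None, None, None),  # permit ip any any
]


def _match(value, wanted):
    return wanted is None or value == wanted


def evaluate(acl, flow):
    """Return the action of the first ACE matching the flow ("deny" if none does)."""
    for action, proto, src, sport, dst, dport in acl:
        if proto != "ip" and proto != flow.proto:
            continue
        if (_match(flow.src, src) and _match(flow.sport, sport)
                and _match(flow.dst, dst) and _match(flow.dport, dport)):
            return action
    return "deny"  # implicit deny at the end of every NX-OS ACL


# Constructed sample flows: a VM (made-up address) opening the FTP control
# connection, and the server's reply packets on that same connection.
VM_TO_FTP = Flow("tcp", "10.10.20.5", 40000, FTP_SERVER, 21)
FTP_TO_VM = Flow("tcp", FTP_SERVER, 21, "10.10.20.5", 40000)

if __name__ == "__main__":
    for f in (VM_TO_FTP, FTP_TO_VM):
        print(f, "->", evaluate(DENY_VM_TRAFFIC_TO_FTP_SERVER, f))
```

The entry matches packets whose source is the FTP server's port 21, so it only takes effect on an interface and direction where that half of the connection is seen; packets from the VM toward the server fall through to the permit.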
Increase DMZ Visibility with ERSPAN
Port Mirroring
• ERSPAN allows VM traffic to be mirrored to a traffic analyzer
• Mirrored traffic can traverse a Layer 3 network
• Visibility through centralized L4-7 services: firewall, intrusion detection system
[Diagram: traffic from VMs mirrored across the network to a firewall and an intrusion detection system]
Increase DMZ Visibility with NetFlow
Network Statistics
• NetFlow allows network statistics to be exported
• Anomaly detection across virtual and physical servers
• Distributed network application monitoring, for both physical and virtual applications
• Network planning: assists with growth and scaling of the data center
[Diagram: VMs on vSphere exporting NetFlow records to a network analysis collector]
PCI Compliance and Nexus 1000V
Monitor a High Density VM Deployment with the Nexus 1000V
Intrusion Detection / Network Analysis
• Select individual VM traffic to review
• Mirror traffic for further inspection using ERSPAN
• Analyze network traffic patterns and export them to a collector using NetFlow
Cisco Integrated Security Features Mitigate Network Attacks
[Diagram: rogue VMs among legitimate VMs on several hosts, with VMotion between them]
• Rogue VM sends ARP to announce a VM location: Dynamic ARP Inspection
• Rogue VM changes/adds a MAC address: Port Security
• Rogue VM changes/adds an IP address: IP Source Guard
• Rogue DHCP server: DHCP Snooping
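As an added example (not code from the deck), the four mitigations on this slide can be modelled as checks against one IP/MAC/port binding table of the kind DHCP snooping builds from legitimate leases; the MAC addresses, IPs, port names and per-port MAC limit below are constructed.

```python
# Added example (not from the Cisco deck): a minimal model of the four checks
# named on the slide, all driven from one DHCP-snooping style binding table.
from collections import defaultdict

# Constructed binding table: MAC -> (IP, port), as learned from DHCP leases.
BINDINGS = {
    "00:50:56:aa:00:01": ("10.10.20.5", "Veth10"),
    "00:50:56:aa:00:02": ("10.10.20.6", "Veth11"),
}
TRUSTED_DHCP_PORTS = {"Eth4/1"}  # uplink toward the real DHCP server (assumed)
MAX_MACS_PER_PORT = 1            # Port Security limit (assumed)


def port_security(frames):
    """Port Security: return ports on which more source MACs than allowed appeared."""
    seen = defaultdict(set)
    for fr in frames:
        seen[fr["port"]].add(fr["src_mac"])
    return sorted(p for p, macs in seen.items() if len(macs) > MAX_MACS_PER_PORT)


def ip_source_guard(pkt):
    """IP Source Guard: drop IP packets whose source IP/MAC/port do not match a binding."""
    b = BINDINGS.get(pkt["src_mac"])
    return "drop" if b is None or b != (pkt["src_ip"], pkt["port"]) else "forward"


def arp_inspection(arp):
    """Dynamic ARP Inspection: drop ARP whose sender IP/MAC/port do not match a binding."""
    b = BINDINGS.get(arp["sender_mac"])
    return "drop" if b is None or b != (arp["sender_ip"], arp["port"]) else "forward"


def dhcp_snooping(pkt):
    """DHCP Snooping: drop server messages (OFFER/ACK) that arrive on untrusted ports."""
    if pkt["dhcp_type"] in ("OFFER", "ACK") and pkt["port"] not in TRUSTED_DHCP_PORTS:
        return "drop"
    return "forward"


if __name__ == "__main__":
    # Constructed rogue events: a spoofed IP and a DHCP offer from a VM port.
    print(ip_source_guard({"src_mac": "00:50:56:aa:00:01", "src_ip": "10.10.20.6", "port": "Veth10"}))
    print(dhcp_snooping({"dhcp_type": "OFFER", "port": "Veth12"}))
```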
Loop Prevention without STP
[Diagram: three Cisco VEMs hosting VM1 to VM12, with uplinks Eth4/1 and Eth4/2; looped paths are marked X]
• BPDUs are dropped
• No switching from physical NIC to NIC
• Packets with a local MAC address are dropped on ingress (L2)
Port Profile Configuration
n1000v# show port-profile name WebProfile
port-profile WebProfile
  description:
  status: enabled
  capability uplink: no
  system vlans:
  port-group: WebProfile
  config attributes:
    switchport mode access
    switchport access vlan 110
    no shutdown
  evaluated config attributes:
    switchport mode access
    switchport access vlan 110
    no shutdown
  assigned interfaces:
    Veth10
Supported commands include:
• Port management
• VLAN
• PVLAN
• Port-channel
• ACL
• NetFlow
• Port Security
• QoS
Cisco NAC
NAC Manager and Server (required)
• NAC Manager: centralized management, configuration, reporting, and policy store
• NAC Server: posture, services and enforcement
NAC Profiler, Guest Server and ACS (optional)
• NAC Profiler: profiles unmanaged devices
• NAC Guest Server: full-featured guest provisioning server
• ACS Server: access policy system for 802.1x termination
Endpoint components (optional)
• NAC Agent: no-cost client; persistent, dissolvable, or web
• 802.1x Supplicant (SSC): CSSC or Vista embedded supplicant
How Cisco NAC Works
The goal: [Diagram: end user, NAC Server, NAC Manager, authentication server, intranet/network, quarantine role]
1. End user attempts to access the network
   • Initial access is blocked
   • Single-sign-on or web login
2. NAC Server gathers and assesses user/device information
   • Username and password
   • Device configuration and vulnerabilities
3a. Noncompliant device or incorrect login
   • Access denied
   • Placed in quarantine for remediation
3b. Device is compliant
   • Placed on the "certified devices list"
   • Network access granted
Device Profiling
Automate inventory collection
• Identify all endpoints
• Real-time monitoring and profiling
[Diagram: NAC Profiler, NAC Manager, NAC Server, Windows AD / AAA Server, and a Mac endpoint]
Cover All Use Cases
• Endpoint compliance: network access only for compliant devices
• Wireless compliance: secured network access only for compliant wireless devices
• Governance compliance: ensure user compliance with governance and risk acceptable-use policies
• Guest compliance: restricted internet access only for guest users
• VPN user compliance: intranet access only for compliant remote access users
[Diagram: Campus Building 1 (802.1Q), Wireless Building 2, Conference Room in Building 3, and remote users reaching the intranet over the Internet via IPSec]
What is a WAF?
Web Application Firewalls intercept, inspect and deny/reject/allow Layer-7 traffic
[Diagram: browser, WAF, web servers, application servers, database servers]
• WAF devices protect web applications from specific vulnerabilities that IDS/IPS/FW do not see.
• WAF devices intercept all traffic bound for the web server.
• WAF devices are complex devices with sophisticated features: in fact, they have to be as complex as the web applications themselves.
Protecting the web
DDoS protection
[Diagram: Cisco Anomaly Guard Module and Cisco Traffic Anomaly Detector Module (or Cisco IDS or third-party system) in front of Protected Zone 1: Web, Protected Zone 2: Name Servers, and Protected Zone 3: E-Commerce Application]
Dynamic Diversion At Work
[Diagram: Cisco Traffic Anomaly Detector Module and Cisco Anomaly Guard Module protecting Zone 1: Web (the target), Zone 2: Name Servers, and Zone 3: E-Commerce Application]
1. Detect (Traffic Anomaly Detector Module)
2. Activate: auto/manual (Anomaly Guard Module)
3. Divert only the target's traffic; route update: RHI internal, or BGP/other external
Dynamic Mitigation At Work
4. Identify and filter malicious traffic destined to the target
5. Forward legitimate traffic to the target
6. Nontargeted traffic flows freely