STORMY WEATHER SECURING CLOUD COMPUTING. Russell Skingsley Director of Advanced Technology Data Centre and Cloud, APAC Juniper Networks

Transcription

1 STORMY WEATHER SECURING CLOUD COMPUTING Russell Skingsley Director of Advanced Technology Data Centre and Cloud, APAC Juniper Networks

2 DISCLAIMER These are not necessarily the views of Juniper Networks even though I have pilfered some of their slides for my own nefarious purposes. 2 Copyright 2012 Juniper Networks, Inc.

3 TRADITIONAL DC NETWORK SECURITY Big Bad World Security Complex 802.1Q Switching Complex VLAN A VLAN B VLAN C Server 1 Server 2 Server 3 3 Copyright 2012 Juniper Networks, Inc.

4 THE PRINCIPLE OF CONSOLIDATION PER SERVER Waste Waste Waste Waste Waste Physical Servers Virtualised Server 4 Copyright 2012 Juniper Networks, Inc.

5 LARGER POOL, MORE CONSOLIDATION Waste Waste Waste Waste Waste Physical Servers Virtualised Servers 5 Copyright 2012 Juniper Networks, Inc.

6 SAME PRINCIPLE, FOR WHOLE DATA CENTERS Small DCs Consolidated DCs 6 Copyright 2012 Juniper Networks, Inc.

7 THE ECONOMICS OF THE DATA CENTER Physical Server Installed Base (Millions) Logical Server Installed Base (Millions) Complexity and Operating Costs Capital Savings Millions Installed Servers Source: IDC 7 Copyright 2012 Juniper Networks, Inc.

8 THE ECONOMICS OF THE DATA CENTER 8 Copyright 2012 Juniper Networks, Inc.

9 THE NEW EDGE Physical Network 802.1Q 802.1Q 802.1Q VMKernel VMKernel VMKernel vds VM1 VM2 VM3 VM4 VM5 VM6 VM7 VM8 VM9 ESX1 ESX2 ESX3 9 Copyright 2012 Juniper Networks, Inc.

10 VLAN LIMITATIONS DA SA 802.1Q Type or Length Data FCS 32 Bits Tag Protocol Identifier (0x8100) Priority (802.1p) Canonical Format Indicator VLAN ID 16 Bits 3 Bits 1 Bit 12 Bits 10 Copyright 2012 Juniper Networks, Inc.

11 SCALING BEYOND 4K TENANTS BRIDGE DOMAINS VDC 1 Core VDC Switch 2 VDC Distribution Switch Distribution Switch Distribution Switch Access Switch Access Switch Access Switch Access Switch Access Switch Access Switch Mobility Extent Mobility Extent Mobility Extent 11 Copyright 2012 Juniper Networks, Inc.

12 SCALING BEYOND 4K TENANTS VCD-NI DC Switching Access Access Access Access VLAN 5 VLAN 5 VLAN 5 VLAN 5 MAC 1 MAC 2 MAC 3 MAC 4 ESXi ESXi ESXi ESXi MAC 1:1 MAC 1:2 MAC 2:1 MAC 3:1 MAC 4:1 MAC 4:2 VM1 VM1 VM2 VM2 VM3 VM3 Mobility Extent 12 Copyright 2012 Juniper Networks, Inc.

13 VCD-NI PORTGROUP LABELS dvs.<vcenterid><ds#><vcd#><vlan><network ID><Name> <Network ID> is a 24 bit value expressed in Hexadecimal (This is sometime referred to as a fence ID) For Example: dvs.vc dvs3cm1-v32-c2e-coke Org1 13 Copyright 2012 Juniper Networks, Inc.

14 THE NEW EDGE WITH TUNNELS Physical Network 802.1Q 802.1Q 802.1Q VMKernel VMKernel VMKernel vds VM1 VM2 VM3 VM4 VM5 VM6 VM7 VM8 VM9 ESX1 ESX2 ESX3 14 Copyright 2012 Juniper Networks, Inc.

15 THE BROADCAST RADIATION WILL KILL US ALL Physical Network 802.1Q 802.1Q 802.1Q X VMKernel X VMKernel X VMKernel vds X X VM1 VM2 VM3 VM4 VM5 VM6 VM7 VM8 VM9 ESX1 ESX2 ESX3 15 Copyright 2012 Juniper Networks, Inc.

16 REMEMBER THESE RULES OF THUMB? Max IP hosts per subnet 500 Max IPX Hosts per subnet 256 Max Appletalk hosts per subnet Copyright 2012 Juniper Networks, Inc.

17 TIMES CHANGE SparcStation 2 28 MIPS MIPS used per host 500 Hosts Cost 0.7% of CPU Ivy Bridge Xeon 180,000 MIPS MIPS used per host 3.2 Million Hosts cost 0.7% of CPU 17 Copyright 2012 Juniper Networks, Inc.

18 THE BROADCAST RADIATION WONT KILL US ALL Physical Network 802.1Q 802.1Q 802.1Q X VMKernel X VMKernel X VMKernel vds X X VM1 VM2 VM3 VM4 VM5 VM6 VM7 VM8 VM9 ESX1 ESX2 ESX3 18 Copyright 2012 Juniper Networks, Inc.

19 SECURITY IMPLICATION OF VIRTUALIZATION Physical Network Virtual Network VM1 VM2 VM3 Virtual Switch ESX Host HYPERVISOR Security Complex Sees/Protects All Traffic Between Servers Physical Security is Blind to Traffic Between Virtual Machines 19 Copyright 2012 Juniper Networks, Inc.

20 THIS IS HOW WE HAVE BUILT DATA CENTRES WAN Routing 3840 Gbps Security 120 Gbps Switching Gbps Compute Gbps 20 Copyright 2012 Juniper Networks, Inc.

21 NETWORK THROUGHPUT IS A DIFFERENT STORY WAN Routing Switching Compute 21 Copyright 2012 Juniper Networks, Inc.

22 APPROACHES TO SECURING VIRTUAL NETWORKS 1. VLAN Segmentation 2. Agent-based 3. Kernel-based VMs segmented into separate VLANs; Inter-VM communications must route through the firewall Drawbacks: Complex VLAN networking; Lacks hypervisor visibility; High overhead VM1 VM2 VM3 Each VM has a software firewall Drawbacks: Significant performance implications; Huge management overhead of maintaining software and signature on 1000s of VMs VM1 VM2 VM3 Inter-VM traffic always protected; Micro-segmenting capabilities High-Performance from implementing firewall in the kernel Secures Hypervisor connections VM1 VM2 VM3 VS ESX Host VS ESX Host FW as Kernel Module ESX Host HYPERVISOR HYPERVISOR VS HYPERVISOR FW Agents 22 Copyright 2012 Juniper Networks, Inc.

23 THE NEW EDGE OPPORTUNITIES AND CHALLENGES FOR ALL Physical Network 802.1Q 802.1Q 802.1Q VMKernel VMKernel VMKernel vds VM1 VM2 VM3 VM4 VM5 VM6 VM7 VM8 VM9 ESX1 ESX2 ESX3 23 Copyright 2012 Juniper Networks, Inc.

24 Russell Skingsley