STORMY WEATHER SECURING CLOUD COMPUTING Russell Skingsley Director of Advanced Technology Data Centre and Cloud, APAC Juniper Networks
DISCLAIMER These are not necessarily the views of Juniper Networks even though I have pilfered some of their slides for my own nefarious purposes. 2 Copyright 2012 Juniper Networks, Inc. www.juniper.net
TRADITIONAL DC NETWORK SECURITY Big Bad World Security Complex 802.1Q Switching Complex VLAN A VLAN B VLAN C Server 1 Server 2 Server 3 3 Copyright 2012 Juniper Networks, Inc. www.juniper.net
THE PRINCIPLE OF CONSOLIDATION PER SERVER Waste Waste Waste Waste Waste Physical Servers Virtualised Server 4 Copyright 2012 Juniper Networks, Inc. www.juniper.net
LARGER POOL, MORE CONSOLIDATION Waste Waste Waste Waste Waste Physical Servers Virtualised Servers 5 Copyright 2012 Juniper Networks, Inc. www.juniper.net
SAME PRINCIPLE, FOR WHOLE DATA CENTERS Small DCs Consolidated DCs 6 Copyright 2012 Juniper Networks, Inc. www.juniper.net
THE ECONOMICS OF THE DATA CENTER Physical Server Installed Base (Millions) Logical Server Installed Base (Millions) Complexity and Operating Costs Capital Savings Millions Installed Servers 80 60 40 20 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 0 Source: IDC 7 Copyright 2012 Juniper Networks, Inc. www.juniper.net
THE ECONOMICS OF THE DATA CENTER 8 Copyright 2012 Juniper Networks, Inc. www.juniper.net
THE NEW EDGE Physical Network 802.1Q 802.1Q 802.1Q VMKernel VMKernel VMKernel vds VM1 VM2 VM3 VM4 VM5 VM6 VM7 VM8 VM9 ESX1 ESX2 ESX3 9 Copyright 2012 Juniper Networks, Inc. www.juniper.net
VLAN LIMITATIONS DA SA 802.1Q Type or Length Data FCS 32 Bits Tag Protocol Identifier (0x8100) Priority (802.1p) Canonical Format Indicator VLAN ID 16 Bits 3 Bits 1 Bit 12 Bits 10 Copyright 2012 Juniper Networks, Inc. www.juniper.net
SCALING BEYOND 4K TENANTS BRIDGE DOMAINS VDC 1 Core VDC Switch 2 VDC 3 1-4000 1-4000 1-4000 Distribution Switch Distribution Switch Distribution Switch Access Switch Access Switch Access Switch Access Switch Access Switch Access Switch Mobility Extent Mobility Extent Mobility Extent 11 Copyright 2012 Juniper Networks, Inc. www.juniper.net
SCALING BEYOND 4K TENANTS VCD-NI DC Switching Access Access Access Access VLAN 5 VLAN 5 VLAN 5 VLAN 5 MAC 1 MAC 2 MAC 3 MAC 4 ESXi ESXi ESXi ESXi MAC 1:1 MAC 1:2 MAC 2:1 MAC 3:1 MAC 4:1 MAC 4:2 VM1 VM1 VM2 VM2 VM3 VM3 Mobility Extent 12 Copyright 2012 Juniper Networks, Inc. www.juniper.net
VCD-NI PORTGROUP LABELS dvs.<vcenterid><ds#><vcd#><vlan><network ID><Name> <Network ID> is a 24 bit value expressed in Hexadecimal (This is sometime referred to as a fence ID) For Example: dvs.vc1012345678dvs3cm1-v32-c2e-coke Org1 13 Copyright 2012 Juniper Networks, Inc. www.juniper.net
THE NEW EDGE WITH TUNNELS Physical Network 802.1Q 802.1Q 802.1Q VMKernel VMKernel VMKernel vds VM1 VM2 VM3 VM4 VM5 VM6 VM7 VM8 VM9 ESX1 ESX2 ESX3 14 Copyright 2012 Juniper Networks, Inc. www.juniper.net
THE BROADCAST RADIATION WILL KILL US ALL Physical Network 802.1Q 802.1Q 802.1Q X VMKernel X VMKernel X VMKernel vds X X VM1 VM2 VM3 VM4 VM5 VM6 VM7 VM8 VM9 ESX1 ESX2 ESX3 15 Copyright 2012 Juniper Networks, Inc. www.juniper.net
REMEMBER THESE RULES OF THUMB? Max IP hosts per subnet 500 Max IPX Hosts per subnet 256 Max Appletalk hosts per subnet - 128 http://docwiki.cisco.com/wiki/internetwork_design_guide_--_broadcasts_in_switched_lan_internetworks 16 Copyright 2012 Juniper Networks, Inc. www.juniper.net
TIMES CHANGE SparcStation 2 28 MIPS 0.000392 MIPS used per host 500 Hosts Cost 0.7% of CPU Ivy Bridge Xeon 180,000 MIPS 0.000392 MIPS used per host 3.2 Million Hosts cost 0.7% of CPU 17 Copyright 2012 Juniper Networks, Inc. www.juniper.net
THE BROADCAST RADIATION WONT KILL US ALL Physical Network 802.1Q 802.1Q 802.1Q X VMKernel X VMKernel X VMKernel vds X X VM1 VM2 VM3 VM4 VM5 VM6 VM7 VM8 VM9 ESX1 ESX2 ESX3 18 Copyright 2012 Juniper Networks, Inc. www.juniper.net
SECURITY IMPLICATION OF VIRTUALIZATION Physical Network Virtual Network VM1 VM2 VM3 Virtual Switch ESX Host HYPERVISOR Security Complex Sees/Protects All Traffic Between Servers Physical Security is Blind to Traffic Between Virtual Machines 19 Copyright 2012 Juniper Networks, Inc. www.juniper.net
THIS IS HOW WE HAVE BUILT DATA CENTRES WAN Routing 3840 Gbps Security 120 Gbps Switching 40900 Gbps Compute 122000 Gbps 20 Copyright 2012 Juniper Networks, Inc. www.juniper.net
NETWORK THROUGHPUT IS A DIFFERENT STORY WAN Routing Switching Compute 21 Copyright 2012 Juniper Networks, Inc. www.juniper.net
APPROACHES TO SECURING VIRTUAL NETWORKS 1. VLAN Segmentation 2. Agent-based 3. Kernel-based VMs segmented into separate VLANs; Inter-VM communications must route through the firewall Drawbacks: Complex VLAN networking; Lacks hypervisor visibility; High overhead VM1 VM2 VM3 Each VM has a software firewall Drawbacks: Significant performance implications; Huge management overhead of maintaining software and signature on 1000s of VMs VM1 VM2 VM3 Inter-VM traffic always protected; Micro-segmenting capabilities High-Performance from implementing firewall in the kernel Secures Hypervisor connections VM1 VM2 VM3 VS ESX Host VS ESX Host FW as Kernel Module ESX Host HYPERVISOR HYPERVISOR VS HYPERVISOR FW Agents 22 Copyright 2012 Juniper Networks, Inc. www.juniper.net
THE NEW EDGE OPPORTUNITIES AND CHALLENGES FOR ALL Physical Network 802.1Q 802.1Q 802.1Q VMKernel VMKernel VMKernel vds VM1 VM2 VM3 VM4 VM5 VM6 VM7 VM8 VM9 ESX1 ESX2 ESX3 23 Copyright 2012 Juniper Networks, Inc. www.juniper.net
Russell Skingsley skingsrw@juniper.net