SECURE DATA CENTER DESIGN Piotr Wojciechowski (CCIE #25543)
ABOUT ME Senior Network Engineer MSO at VeriFone Inc. Previously Network Solutions Architect at one of top polish IT integrators CCIE #25543 (Routing & Switching) Blogger http://ccieplayground.wordpress.com Administrator of CCIE.PL board The biggest Cisco community in Europe Over 6800 users 3 admin, 7 moderators 58 polish CCIEs as members, 20 of them actively posting About 150 new topics per month About 1000 posts per month English section available
AGENDA What we want to protect? Physical DC security Secure Network Design Internet Edge Protection Security Audits
WHAT WE WANT TO PROTECT?
WHAT WE WANT TO PROTECT? Sensitive data Business-related processes Network services Applications Hardware
WHAT WE WANT TO PROTECT?
WHAT WE WANT TO PROTECT?
WHERE WE PROTECT?
WHERE WE PROTECT?
SECURITY AS A PROCESS 1. Subject matter experts define policies 2. Policies used to create application templates 3. Application templates used to create application profiles 4. Associated profiles creates resources automatically
PHYSICAL DC SECURITY
DATA CENTER PHYSICAL SECURITY Site location Risk of natural disasters on acceptable level (fires, lightning storms, hurricanes, earthquakes etc.) Man-made disasters on low level (plane crashes, riots, fires, explosions etc.) Site should not be adjacent to airports, prisons, freeways, banks, rafineries etc.) Data center should not share the same building with other offices, especially offices not owned by organization
DATA CENTER PHYSICAL SECURITY Site location Electrical utility powering the site should have 99,9% or better reliability of service. It must be delivered from at least two separate substations Backup power generators Water should be delivered from more than one source
DATA CENTER PHYSICAL SECURITY Perimiters Fence around the facility Guard kiosks at each access point Automatic authentication method for employees (badges) CCTV Parking not align to the building No clear advertisement that Data Center is located at this facility
DATA CENTER PHYSICAL SECURITY Surveillance Monitoring of property as well as neighborhood Guards on patrol Parking permits for vehicles Separate parking areas for employees and visitors
DATA CENTER PHYSICAL SECURITY Entry points Loading docks and all outside doors should have automatic authentication methods (ie. badges) Each entrance should have physical barriers and CCTV cameras Engineers must be required to use badges with pictures Track equippment being placed in and removed
DATA CENTER PHYSICAL SECURITY NOC (Network Operation Centre) Must have power, temperature, fire and humidity monitoring systems in place Redundant methods of communication with outside (analog phones, IP phones, cell phones etc.) Manned 24/7
DATA CENTER PHYSICAL SECURITY Disaster Recovery It s a must have! Must contain definition of disaster, who gets notified, who conduct damage assessment, where backups are located and what to do to maintain them Plan must be updated and reviewed
DATA CENTER PHYSICAL SECURITY
DATA CENTER PHYSICAL SECURITY
DATA CENTER PHYSICAL SECURITY
DATA CENTER PHYSICAL SECURITY
DATA CENTER PHYSICAL SECURITY
DATA CENTER PHYSICAL SECURITY
DATA CENTER PHYSICAL SECURITY
SECURE NETWORK DESIGN
MULTI-LAYER DC PROTECTION No single solution for all data centers Security should be deployed basing on application requirement, certification requirement as well as traffic flow To much protection can be worse than no protection Virtualization new challenges for security
SECURITY ZONES A security zone is an area within a network occupied by a group of systems and components with similar requirements for the protection of information and the attendant characteristics associated with those requirements. Security zones are often layered as trust zones such that resources in higher trust zones may communicate with resource in lower trust zones, but not the other way around.
SECURITY ZONES
SECURITY ZONES Goal of security zones: Control inter-zone communication Monitor inter-zone communication using IDP/IPS Control management access into, out of and within the zone (jump servers) Enforce data confidential and integrity rules for data stored within a zone, as well as for replication and backup.
SECURITY ZONES How to establish security zone?
IPS DEPLOYMENT The Intrusion Prevention System (IPS) provides deep packet and anomaly inspection to protect against both common and complex embedded attacks. Because of the nature of IPS and the intense inspection capabilities, the amount of overall throughput varies depending on the active policy. The IPS deployment in the data center usually leverages EtherChannel load balancing from the service switch. This method is recommended for the data center because it allows the IPS services to scale to meet the data center requirements
IPS DEPLOYMENT Usually deployed in service layer (part or DMZ and high security zones) A port channel is configured on the services switch to forward traffic
IPS DEPLOYMENT Spanning tree plays an important role for IPS redundancy in this design Under normal operating conditions traffic, a VLAN will always follow the same active Layer-2 path
IPS DEPLOYMENT Spanning tree plays an important role for IPS redundancy in this design If a failure occurs (service switch failure or a service switch link failure), spanning tree would converge and the active Layer-2 traffic path would change to the redundant service switch and Cisco IPS appliances.
IPS DEPLOYMENT SECURE TRAFFIC FLOW
VIRTUALIZATION CHALLENGES - VISIBILITY New challenges for visibility into what is occurring at the virtual network level Traffic flows can now occur within the server between virtual machines without needing to traverse a physical access switch
VIRTUALIZATION CHALLENGES - VISIBILITY If a virtual machine is infected or compromised it might be more difficult for administrators to spot without the traffic forwarding through security appliances
VIRTUALIZATION CHALLENGES - VISIBILITY ERSPAN forwards copies of the virtual machine traffic to the Cisco IPS appliance and the Cisco Network Analysis Module (NAM)
VIRTUALIZATION CHALLENGES - ISOLATION Server-to-server filtering can be performed using ACLs on the Cisco Nexus 1000V Because the server-to-server traffic never leaves the physical server, the ACL provides an excellent method for segmenting this traffic.
VIRTUALIZATION CHALLENGES - ISOLATION There are two options for adding an access list to the virtual Ethernet interfaces to block communication: The ACL can be defined and the access group can be applied to a port profile. All interfaces configured for the port profile will inherit the access-group setting. Specific ACLs on an interface can be applied directly to the virtual Ethernet interface in addition to the port profile. The port profile will still apply but the access group will only be applied to the specific interface instead of all interfaces that have inherited the particular port profile.
VIRTUALIZATION CHALLENGES - FIREWALLING An additional virtual context is created on the Cisco ASA and designated to reside between the servers and an Oracle database It can also be virtual firewall ASA 1000V
VIRTUALIZATION CHALLENGES - FIREWALLING The goal is not to prevent any server from communicating with the database, but rather to control which servers can access the database Context firewalls can run in routed and transparent modes
VIRTUALIZATION CHALLENGES WEB APPLICATION FIREWALL WAF can protect servers from a number of highly damaging application-layer attacks including command injection, directory traversal attacks, and crosssite (XSS) attacks
VIRTUALIZATION CHALLENGES WEB APPLICATION FIREWALL Can be used also for SSL offloading
VIRTUALIZATION CHALLENGES VM-TO-VM IDS ERSPAN on the Cisco Nexus 1000V is leveraged to forward a copy of virtual machineto-virtual machine traffic to the IDS at the services layer Both virtual machines reside on the same physical server
VIRTUALIZATION CHALLENGES VM-TO-VM IDS The attempt triggers a signature on the IDS and is logged for investigation
VIRTUALIZATION CHALLENGES SUMMARY Botnets DoS Unauthoriz ed Access Spyware, Malware Network Abuse Data Leakage Visibility Routing Security Yes Yes Yes Yes Yes Control Service Resiliency Yes Yes Yes Network Policy Enforcement Application Control Engine (ACE) Web Application Firewall (WAF) Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes IPS Integration Yes Yes Yes Yes Yes Switching Security Yes Yes Yes Yes Endpoint Security Yes Yes Yes Yes Yes Yes Yes Yes Secure Device Access Yes Yes Yes Yes Yes Telemetry Yes Yes Yes Yes Yes
INTERNET EDGE PROTECTION
INTERNET EDGE PROTECTION
INTERNET EDE PROTECTION The Internet edge is a public-facing network infrastructure and is particularly exposed to large array of external threats. Some of the expected threats are as follows: Denial-of-service (DoS), distributed DoS (DDoS) Spyware, malware, and adware Network intrusion, takeover, and unauthorized network access E-mail spam and viruses Web-based phishing, viruses, and spyware Application-layer attacks (XML attacks, cross scripting, and so on) Identity theft, fraud, and data leakage
FIREWALL PHYSICAL INTERFACES LAYOUT The different logical interfaces on the Cisco ASA can be used to separate the DMZ, SP-facing interfaces, and the inside corporate infrastructure
WEB APPLICATION FIREWALL
WEB APPLICATION FIREWALL Configure the web application firewall to retain the source IP address if the traffic is directed to appliances in the data center. It is recommended that HTTPS traffic directed to the data center, not be encrypted as the Cisco ACE module in data center will perform the loadbalancing and decryption while also providing higher performance. The web application firewall in the Internet edge and the web application firewall in data center to be configured in the same cluster.
SERVICE PROVIDER EDGE Use BGP as the routing protocol for all dynamic routing both between the border routers and between the border routers and SP. Have an independent autonomous system number. This will give the flexibility of advertising the Internet prefix to different SPs. Use PfR as path-optimization mechanism. This will ensure that the optimal path is selected between the SPs thereby increasing the application performance.
SECURITY AUDITS
SECURITY AUDITS There is no one template of security audit that will fit everyone Some security audits are cerification related (in example PCI-DSS) Audits does not cover only networking aspects If performed correctly, a security audit can reveal weakness in technology, practices, employees and other key areas Usually is semi-automated
SECURITY AUDITS Audit components (some, not all): Vulnerability scans Examination of OS settings Examination of application settings Network analyses Employee interview Logs studying Security policies review
SECURITY AUDITS Some of the key questions that auditor must ask include: Who is in charge of security, and who does this person report to? Have ACLs (Access Control Lists) been placed on network devices to control who has access to shared data? How are passwords created and managed? Are there audit logs to record who accesses data? Who reviews the audit logs, and how often are they examined? Are the security settings for OSes and applications in accordance with accepted industry security practices?
SECURITY AUDITS Some of the key questions that auditor must ask include: Have unnecessary applications and services been purged from systems? How often does this task take place? Are all OSes and applications updated to current levels? How is backup media stored? Who has access to it? Is it up-to-date? How is email security addressed? How is Web security addressed? How is wireless security addressed?
SECURITY AUDITS Some of the key questions that auditor must ask include: Are remote workers covered by security policies? Is a disaster-recovery plan in place? Has the plan ever been rehearsed? Have custom applications been tested for security flaws? How are configuration and code changes documented? How often are these records reviewed? Many other questions pertaining to the exact nature of the business's operations also must be addressed.
INERNAL AUDITS BAU audits: Checking current status of maintained platform and software Should be regular On-demand audits Test if procedures are working Test if team is prepared for emergency situation Test third-party responsibility
SECURITY AUDITS Off-the-shelf auditis: Ineffective More costly in long term Are not showing results management and security teams are requesting Usually 99% software-based
SECURITY AUDITS Audit time: Stage % of Total Time Preparation 10 Reviewint Policy/Docs 10 Talking/Interviewing 10 Technical Investigation 15 Reviewing Data 20 Writing Up Documentation 20 Report Presentation 5 Post Audit Actions 10
QUESTIONS?
THANK YOU