The "cloud” and virtualization are driving the way data centers are being architected. Everyone knows that server virtualization is the key for consolidation, power savings and cost reduction. However, what about isolation, monitoring, and policy enforcement? How can these be done efficiently? In the past, firewalls, intrusion prevention systems (IPS), and other policy enforcement mechanisms in the network have acted as the first line of defense against security threats on the network. Is it the same for virtualized environments? Probably? Probably not…
As you know, virtualized environments are very dynamic in nature. There are frequent additions, deletions, and changes across virtual machines (VMs) and tenants. In the past, each physical server was connected to an access port on a switch. Subsequently, all traffic between servers or to the corporate network traveled through a physical access switch and firewalls, IPS devices, load balancers, etc. However, traffic flows within virtualized environments sometimes do not even touch physical devices. For example, traffic between the following VMs do not even leave the physical hardware.
So how do we provide segmentation, policy enforcement and other security services? Cisco has introduced the Cisco Virtual Security Gateway (VSG) for the Cisco Nexus 1000V Series. It is a virtual firewall that allows you to enforce policy and segmentation virtual and cloud environments. The Cisco VSG operates in conjunction with the Cisco Nexus 1000V (and vPath) in order to support a dynamic VM environment. All security profiles are associated to a Cisco Nexus 1000V port profile. These are authored on the Cisco Nexus 1000V Virtual Supervisor Module and published to the VMWare Virtual Center. A tenant is created with the Cisco VSG and on the Cisco Virtual Network Management Center (VNMC). All associated security profiles are configured to include trust zone definitions and access control rules. When a new VM is instantiated, you assign the respective port profile to the virtual Ethernet port of the VM.
When a vMotion events occurs, VMs move across physical servers. The Cisco Nexus 1000V ensures that port profile policies and associated security profiles follow the VMs. Security enforcement and monitoring remain transparent to vMotion events. The Cisco VSG operates with the Cisco Nexus 1000V distributed virtual switch in the VMWare vSphere hypervisor. The Cisco VSG leverages the virtual network service data path (vPath) that is embedded in the Cisco Nexus 1000V Virtual Ethernet module (VEM). vPath steers traffic, whether external-to-VM or VM-to-VM, to the Cisco VSG of a tenant. A split-processing model is applied where initial packet processing occurs in the Cisco VSG for policy evaluation and enforcement. After the policy decision is made, the Cisco VSG off-loads policy enforcement of remaining packets to vPath.
What happens to the firewall and security administrators? They have to collaborate more than ever with the switch and the server administrators. In small-to-medium organizations this may be the same team. However, in large enterprises these are often separate teams; and sometimes, their rational will be a LOT different. Collaboration between security, switching and server teams is crucial! Specially, since they are always forced to maintain administrative separation and reduce errors via a consistent and repeatable deployment model. How can we achieve that with this complex environment and across different mentalities?
*Coordination and correlation for programmatic provisioning and management of security policies is not an easy task unless you use strong APIs and (again) complete collaboration within teams. The good news is that provides several visual and programmatic controls /APIs to manage security policies. However, is this sufficient? This is where processes, metrics, and technology need to meet. You can have the most sophisticated security device/software and if you do not have the appropriate processes in place you will fail. Let's take a look at a few metrics that can help you evaluate if you have the correct processes in place for both, the physical and virtualized world within your infrastructure.
How long *does it take for you to positively identify that a virtual "device" is compromised in comparison to how long does it take when a physical device is compromised? Have you ever made that comparison?
What is the frequency of audits conducted against your "virtual infrastructure"? How can you maintain visibility into network operations? You must adjust your processes and procedures and audit the virtualized environment the same way you do for your physical network. By doing these audits/checks you will *reveal important errors or omissions *in the virtualized environment that probably are not present in the legacy physical world. What is the the average (mean) time elapsing between audits of the firewall systems and rules (for both virtual and physical firewalls)?
Additionally, what is the *percent of the virtualized network that is documented and understood *by the security team? The lack of virtual topologies will contribute to delays in the incident response process, if/when your virtual network is compromised.
May I challenge you a little further? Measure* how long does it take for you to detect an event *occurring on the physical network vs. in the virtualized environment. I am assuming that you already have complete visibility of both, physical and virtual devices. How long does it take for you to obtain and correlate alerts that originate from software, hardware, or human observation?
You may think that this does not have anything to do about security, but it does. *What is the number or ratio of physical and virtual devices that do not confirm to a standard build template? *Go ahead and compare both of them. You should have standard build templates for all physical and virtual assets with all the respective security considerations.
Please share what are some other processes or metrics that security administrators should pay attention in this "somewhat-new virtualized world".
Dear experts, I've setup a DVTI with IKEv2 to get remote access into my 2901. However, the IKE session establishes, without any errors, the interface comes up, but no IP address is assigned to the Virtual-access interface. The client is a C881 runnin...
I am trying to setup my Stratix 5950 switch for Many to One NAT configuration using NAT rules in ASDM wizard.My Inside1 interface is already configured for VLAN 10 with IP 192.168.10.xx. The Outside Interface1 at 192.168.20. xx has a PC connected with IP ...
After upgrading to the last firmware available in your repository (22.214.171.124) to a RV110W, this notice is logged after the router start up: "Linux version 2.6.22 (zls@cybertan-team2) (gcc version 4.2.3) #47 Wed May 27 10:33:03 CST 2020"A quick search r...
Hi everyone, I have a bunch of Cisco 4321 Routers that I want to configure ACL on but I am running into some difficulties. I have an Internal Server connected to Router 3 that is using the Windows Time Service which acts as the NTP Server for the 3 R...