White paper summary : DMZ Virtualization Using VMware vSphere 4 and the Cisco Nexus 1000V Virtual Switch

http://www.vmware.com/files/pdf/dmz-vsphere-nexus-wp.pdf








My notes on the white paper above: using it for review and jotting down things I find important.
Please read the white paper for concepts I may gloss over since it’s a review for myself.
The reason I am going over this is even though vsphere5.x Is out, the concepts are probably relevant.




This document discusses DMZ visualization and security.


DMZ Virtualization
1. The virtualized DMZ takes advantage of virtualization technologies to reduce the DMZ footprint, (fig1 vs fig2)
2. Security requirements for the physical DMZ design remain applicable in the virtual design.
3. *some virtualization-specificconsiderations need to be taken into account.
4. In a virtualized environment, [appsare on vms], andmultiple [vms] may reside within the same physical server. Traffic may not need to leave
5. the physical server In this environment, a virtual network (vnet) is created within each server.Multiple VLANs, IP subnets, and access ports can all reside within the server as part of a virtualnetwork. (Vswitches)


Vswitch:
6. Traditional methods for gaining visibility into server and application traffic flows may not function for inter-virtual machine traffic that resides within a physical server, and enforcement of network policies can become difficul
7. Cisco Nexus 1000V Series Switches address these concerns by allowing network and server teams to maintain their traditional roles and responsibilities in a virtual networking environment through features and functions comparable to those in today’s physical network switches
8. The virtual switch provides connectivity between a vm's  vNIC physical NICs of the server.


1000v
9. 1000V is a Virtual network Distributed Switch (vDS) consists of two components:
10. virtual supervisor module (VSM) and the virtual Ethernet module (VEM).
11. VSM  acts in a similarfashion to a traditional Cisco® supervisor module. The networking and policy configurations areperformed on the VSM and applied to the ports on each VEM.
12. VEM is similar to a traditionalCisco line card and provides the ports for host (virtual machine) connectivity. The VEM resides in the physical server as the virtual switching component.
13. The physical NICs areconfigured as uplink ports on the Cisco Nexus 1000V Series.




following sections describe some of the Cisco Nexus 1000V Series features


Port Profiles and Port Groups
14. some of the network functions now reside in the virtual server platform. VLAN assignment, port mapping, and inter-virtual machine communication
15. The above brings some contention as to who is responsible for the networking and security policies and this virtualized layer
16. server teams rather applying a predefined network policy to their servers.
17. When a network policy is defined on the Cisco Nexus 1000V Series, it is updated in VMware vCenter and displayed as an option on the Port Group drop-down list
18. 1000V Series policies are defined through a feature called port profiles.
19. Port profiles allow you to configure network and security features in a single profile, which can be applied to multiple switch interfaces.
20. apply that profile and any settings defined to one or more interfaces. Multiple profiles can be defined and assigned to individual interfaces




Isolation and Protection
21. VLANs, Private VLANs, ACLs, Anti-Spoofing
22. VLANs with applied ACLs can be used to control traffic to different virtual machines and applications.
23. VLANs provide a reliable and proven method for segmenting traffic flows in the network.
24. Private VLANs provide a means for isolation of machines within the same VLAN ::
25. Private Vlan :Originally developed for service providers as a means of scaling IP addresses in a hosting environment,
26. Two types of VLANs are used in private VLANs: primary and secondary.
27. The primary VLAN is usually the current VLAN being used for access and is the VLAN carried throughout the infrastructure.
28. The secondary VLAN is known only within the physical or virtual switch in which it is configured. Each secondary VLAN is associated with a primary
29. Three types of ports are available when configuring private VLANs: promiscuous, isolated, and community
30. Isolated ports can communicate only with the promiscuous port and cannot communicate directly with other isolated ports on the switch
31. promiscuous port is the aggregation point for access to and from each of the secondary VLANs. The promiscuous port is usually the uplink port for the switch and carries the primary VLAN.
32. Community ports can communicate with other ports in the same community and the promiscuous port.
33. If direct virtual machine-to-virtual machine communication is required or if server clustering is being used, a community VLAN can be a valuable feature.
34. anti-spoofing features on the Cisco Catalyst switching platform. :: Dynamic Address Resolution Protocol (ARP) inspection; IP source guard; Dynamic Host Configuration Protocol (DHCP) snooping
35. ARP inspection is being used to map each default gateway to the associated MAC address. This mapping helps ensure that the default gateway IP address is always associated with the correct MAC address.




Increasing Visibility
SPAN and ERSPAN are very useful tools for gaining visibility into network traffic flows.
Traffic flows can now occur within the server between virtual machines without needing to traverse a physical access switch. Administrators may have a more difficult time identifying a virtual machine that is infected or compromised
 NetFlow defines flows as records and exports these records to collection devices. NetFlow provides information about the use of the applications in the data center network.
host-based IPS is one of the most effective ways to protect an endpoint against exploitation attempts and malicious software.
By looking at the behavioral aspects of an attack, Cisco Security Agent (IPS)can detect and stop new attacks without first needing installation of a signature before it can identify the particular attack


Consolidated DMZ Architecture
Traditionally, DMZ designs make use of a separate infrastructure:: requires the use of dedicated servers to host DMZ-based applications.\
Consolidation of a mix of internal and DMZ virtual machines on the same physical server does support a better use of resources, but a strict security policy must be followed to maintain proper isolation