Angels Technology

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Wednesday, June 26, 2013

White paper summary : DMZ Virtualization Using VMware vSphere 4 and the Cisco Nexus 1000V Virtual Switch

Posted on 12:29 PM by Unknown

    http://www.vmware.com/files/pdf/dmz-vsphere-nexus-wp.pdf




    My notes on the white paper above: using it for review and jotting down things I find important.
    Please read the white paper for concepts I may gloss over since it’s a review for myself.
    The reason I am going over this is even though vsphere5.x Is out, the concepts are probably relevant.


    This document discusses DMZ visualization and security.

    DMZ Virtualization
  1. The virtualized DMZ takes advantage of virtualization technologies to reduce the DMZ footprint, (fig1 vs fig2)
  2. Security requirements for the physical DMZ design remain applicable in the virtual design.
  3. *some virtualization-specificconsiderations need to be taken into account.
  4. In a virtualized environment, [appsare on vms], andmultiple [vms] may reside within the same physical server. Traffic may not need to leave
  5. the physical server In this environment, a virtual network (vnet) is created within each server.Multiple VLANs, IP subnets, and access ports can all reside within the server as part of a virtualnetwork. (Vswitches)

    6. Vswitch:
  6. Traditional methods for gaining visibility into server and application traffic flows may not function for inter-virtual machine traffic that resides within a physical server, and enforcement of network policies can become difficul
  7. Cisco Nexus 1000V Series Switches address these concerns by allowing network and server teams to maintain their traditional roles and responsibilities in a virtual networking environment through features and functions comparable to those in today’s physical network switches
  8. The virtual switch provides connectivity between a vm's  vNIC physical NICs of the server.

    9. 1000v
  9. 1000V is a Virtual network Distributed Switch (vDS) consists of two components:
  10. virtual supervisor module (VSM) and the virtual Ethernet module (VEM).
  11. VSM  acts in a similarfashion to a traditional Cisco® supervisor module. The networking and policy configurations areperformed on the VSM and applied to the ports on each VEM.
  12. VEM is similar to a traditionalCisco line card and provides the ports for host (virtual machine) connectivity. The VEM resides in the physical server as the virtual switching component.
  13. The physical NICs areconfigured as uplink ports on the Cisco Nexus 1000V Series.


    14. following sections describe some of the Cisco Nexus 1000V Series features

    Port Profiles and Port Groups
  14. some of the network functions now reside in the virtual server platform. VLAN assignment, port mapping, and inter-virtual machine communication
  15. The above brings some contention as to who is responsible for the networking and security policies and this virtualized layer
  16. server teams rather applying a predefined network policy to their servers.
  17. When a network policy is defined on the Cisco Nexus 1000V Series, it is updated in VMware vCenter and displayed as an option on the Port Group drop-down list
  18. 1000V Series policies are defined through a feature called port profiles.
  19. Port profiles allow you to configure network and security features in a single profile, which can be applied to multiple switch interfaces.
  20. apply that profile and any settings defined to one or more interfaces. Multiple profiles can be defined and assigned to individual interfaces


    21. Isolation and Protection
  21. VLANs, Private VLANs, ACLs, Anti-Spoofing
  22. VLANs with applied ACLs can be used to control traffic to different virtual machines and applications.
  23. VLANs provide a reliable and proven method for segmenting traffic flows in the network.
  24. Private VLANs provide a means for isolation of machines within the same VLAN ::
  25. Private Vlan :Originally developed for service providers as a means of scaling IP addresses in a hosting environment,
  26. Two types of VLANs are used in private VLANs: primary and secondary.
  27. The primary VLAN is usually the current VLAN being used for access and is the VLAN carried throughout the infrastructure.
  28. The secondary VLAN is known only within the physical or virtual switch in which it is configured. Each secondary VLAN is associated with a primary
  29. Three types of ports are available when configuring private VLANs: promiscuous, isolated, and community
  30. Isolated ports can communicate only with the promiscuous port and cannot communicate directly with other isolated ports on the switch
  31. promiscuous port is the aggregation point for access to and from each of the secondary VLANs. The promiscuous port is usually the uplink port for the switch and carries the primary VLAN.
  32. Community ports can communicate with other ports in the same community and the promiscuous port.
  33. If direct virtual machine-to-virtual machine communication is required or if server clustering is being used, a community VLAN can be a valuable feature.
  34. anti-spoofing features on the Cisco Catalyst switching platform. :: Dynamic Address Resolution Protocol (ARP) inspection; IP source guard; Dynamic Host Configuration Protocol (DHCP) snooping
  35. ARP inspection is being used to map each default gateway to the associated MAC address. This mapping helps ensure that the default gateway IP address is always associated with the correct MAC address.


    36. Increasing Visibility
    SPAN and ERSPAN are very useful tools for gaining visibility into network traffic flows.
    Traffic flows can now occur within the server between virtual machines without needing to traverse a physical access switch. Administrators may have a more difficult time identifying a virtual machine that is infected or compromised
     NetFlow defines flows as records and exports these records to collection devices. NetFlow provides information about the use of the applications in the data center network.
    host-based IPS is one of the most effective ways to protect an endpoint against exploitation attempts and malicious software.
    By looking at the behavioral aspects of an attack, Cisco Security Agent (IPS)can detect and stop new attacks without first needing installation of a signature before it can identify the particular attack

    Consolidated DMZ Architecture
    Traditionally, DMZ designs make use of a separate infrastructure:: requires the use of dedicated servers to host DMZ-based applications.\
    Consolidation of a mix of internal and DMZ virtual machines on the same physical server does support a better use of resources, but a strict security policy must be followed to maintain proper isolation



Email ThisBlogThis!Share to XShare to FacebookShare to Pinterest
Posted in | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • Copy and paste clipboard items to and from your vsphere virtual machines and your pc
    Wanted to copy and paste text between your pc and a vm? Now you can. Power off your VM. Go to the vm properties->Options->Advanced-...
  • Interesting look at Win cpu usage vs Vmware CPU usage
    I came across this scenario: The windows task manager shows the cpu of the vm pegged at 100%. The vmware performance monitor says that ...
  • vCenter and Hosts Disconnected -- Reason: Cannot verify the SSL thumbprint
    Just saw this over on the forums, but if your hosts are getting this error: Cannot syncronize the host <hostname.fqdn>, Reason: Cannot...
  • Storage comparison
    One of Cormac Hogan s posts provides a good basis for compares of different storage types for vmware Vsphere and how they stack up. He dis...
  • Vmware DRS anti affinity rules wont let you enter maintenance mode for a esxi host
    You have a DRS rule that specifies that 2 vms need to be kept apart: In this case: 250-FT and 250sql3 For larger clusters with multiple...
  • Convert your physical RDM (rdmp) to a virtual RDM (rdmv)
    So you have a raw disk mapping on your virtual machine in esxi   and you wanted to convert it from a rdmp to a rdmv. Using the VMware cli...
  • Setting your esxi host to restart automatically after crash or purple screen aka psod
    The default and recommended setting is to leave the purple screen of death up to help you notice that het host has died and also leave t...
  • performance issues and problems: set Write back mode for your storage array for ideal performance
    For performance you should have a battery backed cache for write back mode, which tells the OS that a write happened before it does because ...
  • Vmware esxi : Intel Pro/1000 ET quad port adapter and ISCSI
    I've seen issues pop up with intel quad ports here and there on the forums so I thought it would be good to note down what worked here...
  • Browsing Vmware logs in the DCUI (view esxi logs via console)
    Why would you view your logs in the console? Well sometimes it's the only place that is accessible if there is an error. Go to your DC...

Categories

  • 5.1
  • backup
  • cloud
  • cluster
  • command line
  • console
  • converter
  • cpu
  • datacenter
  • datastore
  • datastore. rdm
  • DCUI
  • dell
  • disaster recovery
  • display
  • DR
  • e1000
  • e1000e
  • ec2
  • esx
  • esxi
  • esxtop
  • extent
  • Good for enterprise
  • HA
  • hcl
  • host
  • HP
  • ibm
  • iometer
  • iscsi
  • iso
  • linked mode
  • logs
  • MAC
  • memory
  • NFS
  • NIC
  • NTP
  • ova
  • ovf
  • p2v
  • pcie
  • performance
  • phone
  • powercli
  • powershell
  • PSOD
  • raid
  • RDM
  • resource pool
  • rvtools
  • scsi
  • sddc
  • snapshots
  • SQL
  • SRM
  • ssh
  • storage
  • svmotion
  • syslog collector
  • v2v
  • vapp
  • vcenter
  • vcloud
  • vcp
  • veeam
  • VI console
  • vm
  • vmdk
  • VMFS
  • vmkfstools
  • vmotion
  • VMUG
  • vmware
  • vmware tools
  • vmware.esxi
  • vmxnet3
  • vsphere
  • vum
  • web client
  • windows

Blog Archive

  • ▼  2013 (28)
    • ►  October (2)
    • ►  September (1)
    • ►  August (1)
    • ►  July (1)
    • ▼  June (14)
      • White paper summary :: Deploying 10 Gigabit Ether...
      • White paper summary : DMZ Virtualization Using VMw...
      • Personal : Whats next in IT for me
      • whitepaper summary: SAN Conceptual and Design Bas...
      • Vmware commercial : virutalze the datacenter
      • video : vmware commercial : Total Cost of Ownershi...
      • Video : vmware commercial VMware’s “Built for the ...
      • video : vmware commercial Maximum Uptime vs Microsoft
      • video: : VMware’s “Virtualize Everything” video
      • white paper review : Hyper-V vs. vSphere Understan...
      • white paper review: VMware vSphere Vs. Microsoft H...
      • vcloud : thoughts on the vcloud service
      • vcloud : thought on the vcloud and SDDC
      • VMUG NYC was a great show
    • ►  May (1)
    • ►  April (1)
    • ►  March (5)
    • ►  February (1)
    • ►  January (1)
  • ►  2012 (138)
    • ►  December (2)
    • ►  November (13)
    • ►  October (26)
    • ►  September (19)
    • ►  August (35)
    • ►  July (34)
    • ►  June (9)
Powered by Blogger.

About Me

Unknown
View my complete profile