Programmable Network Architecture in Cloud Computing. Slide contributors: Dijiang Huang, Chun-Jen Chung
Agenda • Overview of Virtualization • Overview of Virtual Networking Solutions • Overview of OpenFlow Switch and Programmable Networking • Cloud-Based Security Measurement • CloudDefender: A Virtual Network Security Solution
Hypervisor-based Virtualization • A small virtual machine monitor (known as a hypervisor or VMM) runs on top of the machine’s hardware and provides two basic functions: • It identifies, traps, and responds to protected or privileged CPU operations made by each virtual machine. • It handles queuing, dispatching, and returning the results of hardware requests from the virtual machines. • Two types of hypervisor: • Type 1: native, bare metal • Xen, VMware ESXi, Hyper-V • Type 2: hosted • VirtualBox, Virtual PC, VMware Workstation
Types of Virtualization • Paravirtualization (PV) • Uses a modified Linux kernel to support its administrative environment (dom0). • The guest boots via dom0’s pygrub or dom0’s kernel. • Cannot run Windows. • Primary model used by Xen. • Full virtualization • Incorporates code into the hypervisor that emulates the underlying hardware. • Can run an unmodified OS. • Model used by VMware ESX Server. • Hardware-assisted virtualization • Only available on systems whose processors provide hardware support for virtualization (Intel VT and AMD-V). • Can run an unmodified OS. • Uses the hardware support to handle privileged and protected operations and hardware access requests. • Used by Xen, VMware ESX, and KVM (kernel-level virtualization without a separate hypervisor)
Overview of Virtual Switch Solutions • General • Linux Bridging • VMware • VMware Infrastructure 3 (VI3) • VMware vSphere vNetwork Distributed Switch (vDS) • Cisco’s • Cisco Nexus 1000V • Cisco’s VN-Tag • Citrix’s • Citrix Open vSwitch • HP • HP VEPA
Linux Bridge • Older versions of Citrix XenServer (before v5.6 FP1) used a simple Linux bridge. • Many hypervisor-based virtualization stacks also use the Linux bridge model, such as KVM with libvirt. • All bridging configuration is done with ‘brctl’. • Provides simple L2 switching functions.
VMware Infrastructure 3 • VMware Infrastructure 3 provides a rich set of networking capabilities that integrate well with sophisticated enterprise networks. • These networking capabilities are provided by VMware ESX Server (3.0 and 3.5) and managed by VMware VirtualCenter.
Components of VI3 • There are five different types of virtual network device: • vmxnet (VMware Tools), vlance (AMD), e1000 (Intel), vswif (service console), vmknic (VMkernel). • All five virtual network devices share the following characteristics: • They have their own MAC addresses and unicast/multicast/broadcast filters. • They are strictly Layer 2 Ethernet adapter devices. • Virtual switches are the key networking components; there can be up to 248 virtual switches on each ESX Server 3 host. Their key functional units are: • The core Layer 2 forwarding engine. • VLAN tagging, stripping, and filtering units. • Layer 2 security, checksum, and segmentation offload units. • Physical Ethernet adapters (uplinks) serve as bridges between virtual and physical networks. • A single host may have a maximum of 32 uplinks, which may be on one switch or distributed among a number of switches.
VMware vSphere’s vDS • vSphere’s vNetwork Distributed Switch (vDS) functions as a single switch across all associated hosts. • This lets you set network configurations that span all member hosts, and allows virtual machines to keep a consistent network configuration as they migrate across multiple hosts (the vDS is centrally managed by vCenter). • Each vNIC is logically connected to a dvPort (shown as black squares in the slide’s diagram). • Each dvPort is implemented by the proxy switch on the host where the VM runs.
Features of vSphere 5 vDS • Distributed Virtual Port Groups (DV Port Groups) • VLAN, traffic shaping parameters, port security, teaming and load balancing configuration. • Distributed Virtual Uplinks (dvUplinks) • Provide a level of abstraction for the physical NICs (vmnics) on each host. All functions of DV Port Groups are applied to the dvUplinks. • Private VLANs • Three PVLAN types configured with a DV Port Group – Promiscuous PVLAN, Community PVLAN, Isolated PVLAN • Network VMotion • Tracking of the VM’s networking state as the VM moves from host to host on a vDS. • 3rd-party virtual switch support with the Cisco Nexus 1000V Series Virtual Switch • Network monitoring (new) • NetFlow • Port mirroring (SPAN) • Network I/O control (new) • User-defined resource pools – reserve I/O resources for certain critical apps. • IEEE 802.1p tagging (QoS at the MAC level)
Virtual Ethernet Module • Virtual Ethernet Module (VEM) • Runs as part of the VMware ESX or ESXi kernel and replaces the VMware virtual switch functionality. • The VEM leverages the VMware vDS API to provide advanced networking capability to VMs. • Supported functions: • L2 switching, PortChannels, QoS • Security: Private VLAN, ACLs, and port security • Monitoring: NetFlow, SPAN, ERSPAN • Nonstop Forwarding (NSF) capability • Continues to switch traffic based on the last known configuration.
Virtual Supervisor Module • Virtual Supervisor Module (VSM) • Controls multiple VEMs as one logical modular switch. • Defines configurations for immediate use on all VEMs managed by the VSM, from a single interface. • Provides functions by using the capabilities of Cisco NX-OS: • Flexibility and scalability: port profiles • High availability: synchronized, redundant VEMs. • Manageability: CLI, SNMP, XML API, and CiscoWorks LAN Management Solution (LMS) • Integrated with VMware vCenter Server.
Cisco’s VN-Tag • The VN-Tag standard was proposed by Cisco. • VN-Tag is the basis of 802.1Qbh ‘Bridge Port Extension’. • With VN-Tag, an additional header is added to the Ethernet frame, allowing individual identification of virtual interfaces (VIFs).
VN-Tag Features • It can be used for both bridge extension and virtual networking awareness. • VN-Tag-aware switch devices remain fully compatible with traditional Ethernet switching devices because the VN-Tag is only used within the local system. • VN-Tags are written on ingress to the VN-Tag-aware switch for frames destined for a VIF. • VN-Tags are stripped on egress for frames destined for the traditional network. • Advantage: • Allows individual configuration of each virtual interface as if it were a physical port. • Disadvantages: • Because it adds fields to the Ethernet frame, the hardware itself must typically be modified to work with it. • Requires a Nexus switch to manage switching of VN-Tagged packets. • Incompatible with all current switch hardware except Nexus.
EVB: VEPA or VN-Tag • Edge Virtual Bridging (EVB) – IEEE 802.1Qbg • A proposed set of new/enhanced IEEE 802.1 protocols that solve the virtual network edge challenges. • Defines how external bridges and VEBs (vswitches) talk to each other to exchange configuration information. • Two proposals were made to the IEEE 802.1 Working Group: • VN-Tag – Virtual Network Tag (Cisco) • VEPA – Virtual Ethernet Port Aggregator (HP) • VEPA vs. VN-Tag: • VN-Tag was viewed as proprietary • VN-Tag required significant hardware updates to support • VN-Tag required a lot of new standards work • VEPA was more graceful and could be implemented in many of today’s hardware components as a firmware change • VEPA maximizes and leverages existing IEEE standards
HP’s VEPA • VEPA = Virtual Ethernet Port Aggregator • Allows VEPAs, VEBs (Virtual Ethernet Bridges), and isolated vPorts to share a single physical port. • Uses identifiers (S-VIDs within a frame) that allow a port to identify multiple virtual switch ports on a single physical switch port. • Each virtual switch port may then be associated with a VEB and/or VEPA within the host. • Reflective Relay • Enables hairpin forwarding on a per-port basis when a VEPA is directly attached. • Relies on the upstream switch for L2 switching. • Multi-Channel VEPA • Allows a single Ethernet connection (switch port/NIC port) to be divided into multiple independent channels or tunnels. • Each channel or tunnel acts as a unique connection to the network. • Utilizes a tagging mechanism commonly known as Q-in-Q (defined in 802.1ad), which uses a service tag (‘S-Tag’) in addition to the standard 802.1Q VLAN tag.
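The S-Tag/C-Tag stack that Multi-Channel VEPA builds on, as an added Python example that is not from the slides: a Q-in-Q frame is built with an 802.1ad S-Tag selecting the channel and an 802.1Q C-Tag carrying the VLAN, then parsed back, rejecting truncated or doubly tagged frames. The MAC addresses, VIDs and channel table are constructed sample values.

```python
"""Build and parse an 802.1ad (Q-in-Q) frame of the kind Multi-Channel VEPA
relies on: an outer S-Tag (TPID 0x88A8) whose S-VID names the channel, i.e.
the virtual switch port on the physical port, then an inner 802.1Q C-Tag
(TPID 0x8100) carrying the ordinary VLAN. Added example; all addresses and
VIDs below are constructed sample values."""
import struct

TPID_STAG = 0x88A8       # 802.1ad service tag
TPID_CTAG = 0x8100       # 802.1Q customer tag
ETHERTYPE_IPV4 = 0x0800

def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))

def build_qinq_frame(dst, src, s_vid, c_vid, payload, s_pcp=0, c_pcp=0):
    """dst | src | S-Tag | C-Tag | EtherType | payload; VIDs are 12 bits."""
    for vid in (s_vid, c_vid):
        if not 1 <= vid <= 4094:          # 0 and 4095 are reserved
            raise ValueError("invalid VID %d" % vid)
    s_tci = (s_pcp << 13) | s_vid         # TCI = PCP(3) | DEI(1) | VID(12)
    c_tci = (c_pcp << 13) | c_vid
    return (mac_bytes(dst) + mac_bytes(src)
            + struct.pack("!HH", TPID_STAG, s_tci)
            + struct.pack("!HH", TPID_CTAG, c_tci)
            + struct.pack("!H", ETHERTYPE_IPV4) + payload)

def parse_tags(frame):
    """Walk the tag stack after the two MAC addresses. Returns the S-VID and
    C-VID (None when that tag is absent), the final EtherType and the payload
    offset; rejects truncated frames and a repeated tag of the same kind."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    tags = {"s_vid": None, "c_vid": None}
    off = 12
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated frame")
        etype = struct.unpack_from("!H", frame, off)[0]
        if etype not in (TPID_STAG, TPID_CTAG):
            tags["ethertype"] = etype
            tags["payload_offset"] = off + 2
            return tags
        if off + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        key = "s_vid" if etype == TPID_STAG else "c_vid"
        if tags[key] is not None:
            raise ValueError("repeated %s tag" % key)
        tags[key] = tci & 0x0FFF
        off += 4

def select_channel(frame, channels):
    """VEPA port side: the S-VID selects the virtual switch port (channel).
    channels maps S-VID -> channel name; an untagged frame has no channel."""
    s_vid = parse_tags(frame)["s_vid"]
    if s_vid is None:
        raise ValueError("no S-Tag present, cannot select a channel")
    return channels[s_vid]
```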
Virtual Network Security Solutions • VMware • vShield • Cisco • Nexus 1000 Family • Juniper • Virtual Firewall (vGW) • Vyatta • Network OS • Citrix + Vyatta • vNetworkStack
VMware vShield Products • vShield App: Protects applications in the virtual datacenter against network-based threats. • vShield App with Data Security: Adds sensitive data discovery across virtualized resources to vShield App. • vShield Edge: Enhances protection for the virtual datacenter perimeter. • vShield Endpoint: Improves performance by offloading key antivirus and anti-malware functions to a security virtual machine, eliminating the antivirus agent footprint in virtual machines. • vShield Manager: Security management framework included with all vShield products.
vShield Edge: Secure the Edge of the Virtual Data Center • Features • Multiple edge security services in one appliance • Stateful inspection firewall • Network Address Translation (NAT) • Dynamic Host Configuration Protocol (DHCP) • Site-to-site VPN (IPsec) • Web load balancer • Network isolation (edge port group isolation) • Detailed network flow statistics for chargebacks, etc. • Policy management through UI or REST APIs • Logging and auditing based on the industry-standard syslog format • Benefits • Lower cost and complexity by eliminating multiple special-purpose appliances • Ensure policy enforcement with network isolation • Simplify management with vCenter integration and programmable interfaces • Easier scalability with one edge per org/tenant • Rapid provisioning of edge security services • Simplify IT compliance with detailed logging • [Diagram: Tenant A, Tenant C and Tenant X each behind their own vShield Edge secure virtual appliance (firewall, VPN, load balancer) on VMware vSphere]
vShield App: Application Protection for Network-Based Threats • Features • Hypervisor-level firewall • Inbound and outbound connection control applied at the vNIC level • Elastic security groups that “stretch” as virtual machines migrate to new hosts • Robust flow monitoring • Policy management • Simple and business-relevant policies • Managed through UI or REST APIs • Logging and auditing based on the industry-standard syslog format • vShield App provides firewalling between virtual machines by placing a firewall filter on every virtual network adapter. • Benefits • Increased visibility for inter-VM communications • Eliminate dedicated hardware and VLANs for different security groups • Optimize resource utilization while maintaining strict security • Simplified compliance with comprehensive logging of inter-VM activity
vShield Endpoint: Offload Anti-virus Processing for Endpoints • Features • Eliminate anti-virus agents in each VM; anti-virus is off-loaded to a security VM delivered by AV partners • Enforce remediation using a driver in the VM • Policy and configuration management through UI or REST APIs • Logging and auditing • Benefits • Improve performance by offloading anti-virus functions in tandem with AV partners • Improve VM performance by eliminating anti-virus storms • Reduce risk by eliminating agents susceptible to attacks, with enforced remediation • Satisfy audit requirements with detailed logging of AV tasks
Service Provider - Offering Multi-Tenant Hosting Service • Requirements • Host potentially hundreds or thousands of tenants in shared infrastructure with: • Traffic isolation between the tenants • Complete protection and confidentiality of tenant apps and data • Integration with enterprise directory services (e.g. Active Directory) • Compliance with various audit requirements • Solution – vShield Edge, VMware vCloud Director • Guarantee full confidentiality and protection of tenant apps and data with built-in firewall and VPN • Use enterprise directory services for security policies • Accelerate compliance by logging all traffic information on a per-tenant basis • Lower cost of security by 100+% by eliminating purpose-built appliances and by increasing utilization and VM density • [Diagram: Company A, Company B and Company C hosted on VMware vSphere + vCenter + vShield, each behind vShield Edge under vCloud Director, connecting in over Checkpoint VPN and Juniper VPN]
Enterprise - Securing Business Critical Applications • Requirements • Deploy production and development applications in a shared infrastructure with: • Traffic segmentation between applications • Authorized access to applications • Strict monitoring and enforcement of rules on inter-VM communications • Ability to maintain security policies with VM movement • Compliance with various audit requirements • Solution - vShield App + Edge • Protect data and applications with a hypervisor-level firewall • Create and enforce security policies that follow virtual machine migration • Facilitate compliance by monitoring all application traffic • Improve performance and scalability with load balancer and software-based solution • [Diagram: Development, Finance and DMZ zones on VMware vSphere + vShield, segmented by vShield App]
Enterprise - Secure View Deployments • Requirements • Support thousands of internal and external View users with: • Comprehensive security for View servers • Anti-virus agents to protect client data and applications • Optimal performance and scalability • Solution - vShield Endpoint + App + Edge • Improve performance by offloading AV processing • Reduce costs by freeing up virtual machine resources and eliminating agents • Improve security by streamlining AV functions to a hardened security virtual machine (SVM) • Protect View application servers from threats • Demonstrate compliance and satisfy audit requirements with detailed logging of offloaded AV tasks • [Diagram: local users on the private network and remote users on the public network reach View desktops through a DMZ protected by vShield App on VMware vSphere + vShield]
Cisco Nexus 1000 Family • Nexus 1000V: Release 1.4a • Comprises two components: VEM and VSM • Optimizes the use of Layer 4-7 services in a virtual machine environment through the Cisco vPath architecture. • vPath is aware of all Layer 4-7 policies associated with individual virtual machines. Once the data packets of a specific virtual machine have been identified and policies applied, the remaining data packets flow directly to the virtual machines. • Nexus 1010: Release 1.3 • A virtual services appliance that offers a dedicated hardware platform for deploying services critical to the virtualization infrastructure. • Instantiates up to 6 VSMs (up from 4 earlier); now also instantiates Virtual Security Gateways (up to 6 VSGs) • Virtual Security Gateway (VSG): Release 1.2 • A virtual appliance integrated with the Cisco Nexus 1000V Switch that provides trusted multitenant access with granular zone-based security policies for virtual machines • Delivers security policies across multiple servers, supporting virtual machine mobility across physical servers for workload balancing, availability, or scale for business growth in cloud computing • Virtual Network Management Center: Release 1.2.1 • Single-page policy editor • Per-tenant dashboard • Ability to export policy objects into a PDF/XLS document (in addition to XML)
Cisco Nexus 1010 • Cisco Nexus 1010 hosts up to six virtual service blades (VSBs) that can be configured as a Cisco Network Analysis Module (NAM), a Virtual Supervisor Module (VSM), or a Cisco VSG.
Juniper vGW • vGW provides complete virtual network protection. • Its VMsafe-certified virtualization security approach, combined with “x-ray” level knowledge of each virtual machine gained through virtual machine introspection, gives vGW a unique vantage point in the virtualized environment. • vGW can monitor each VM and apply protections adaptively as changes to the VM’s configuration and security posture make enforcement and alerts necessary. • Features: • Stateful virtual firewall • VMsafe implementation • VM introspection • VM Image Enforcer • Virtualization-specific antivirus (AV) • Intrusion detection system (IDS) • Smart groups • Network monitoring • Highly scalable central management
Vyatta Network OS • Vyatta Network OS for virtualization is designed for the complex security requirements of virtual datacenters and cloud computing architectures and runs on the most common hypervisors, including Citrix XenServer, VMware, Xen and Red Hat KVM. • Key benefits of Vyatta Network OS virtual machines
Citrix + Vyatta = vNetworkStack • The vNetworkStack solution transforms the router, load balancer, network firewall, application acceleration, VPN, and intrusion prevention into software running on virtualized servers, which can be integrated on the same physical machine or logically provisioned on demand to provide an end-to-end L2-L7 software networking stack. • Citrix and Vyatta have joined together to offer the industry’s first end-to-end L2-L7 virtualized networking services and application delivery stack.
vNetworkStack Architectures • Virtual Branch: • Routing & Security • Routing – BGP, RIP, OSPF • Firewall – stateful firewall • IPsec VPN • Intrusion prevention • WAN Optimization • Protocol acceleration – TCP, CIFS, MAPI, SSL, ICA, HTTP, FTP • Compression and de-duplication • Traffic prioritization and QoS • Virtual Datacenter: • All functions from Virtual Branch • SSL VPN: clientless secure access to apps & files • Application Delivery • L4-L7 load balancing • App firewall protects applications • Accelerate web apps • Open CloudBridge: • All functions from Virtual Branch • All functions from Virtual Datacenter • Layer 2 Bridging & Tunneling • LAN-to-LAN bridging • GRE / IPsec tunneling • Secure VM migration
Switching at the Edge • Strengths • Greater context • Enforce policies early • Inter-VM traffic has less overhead • Weaknesses • CPU overhead • Additional switches to configure and monitor • Advanced Edge Switches • Hardware offloading • Centralized management • Approaching feature parity with hardware switches • Visibility, ACLs, QoS • Examples: VMware vSwitch, Cisco Nexus 1000V, Open vSwitch
Open vSwitch Features • Visibility: • NetFlow, sFlow, mirroring (SPAN/RSPAN/ERSPAN) • Control: • Centralized control through OpenFlow • Missed flows go to the central controller • Fine-grained ACL and QoS (Quality of Service) policies • L2-L4 matching • Actions to forward, drop, modify, and queue • HTB and HFSC queuing disciplines • Forwarding: • LACP (Link Aggregation Control Protocol) • Port bonding (source-MAC load balancing, TCP load balancing, active/backup) • Standard 802.1Q VLAN model with trunk and access ports • 802.1ag connectivity fault management • GRE, GRE over IPsec, Ethernet-over-GRE and CAPWAP tunneling • Compatibility layer for Linux bridging code • High-performance forwarding using a Linux kernel module
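An added example (not Open vSwitch code) of the flow-table lookup the Control bullets describe: priority-ordered entries matched on L2-L4 fields, per-entry action lists for forward/drop/modify/queue, and a table miss handed to the controller. Field names follow ovs-ofctl spelling; the ports, addresses and policy are constructed.

```python
"""Model of the lookup an OpenFlow switch such as Open vSwitch does on its
flow table: entries are tried highest priority first, matched on any subset
of L2-L4 fields (an omitted field is a wildcard) and carry an action list;
a packet matching no entry is a table miss handed to the controller.
Added example: field names follow ovs-ofctl spelling, policy is constructed."""
from dataclasses import dataclass

@dataclass
class Flow:
    priority: int
    match: dict       # e.g. {"nw_proto": 6, "tp_dst": 22}
    actions: list     # ordered, e.g. [("enqueue", 1), ("output", 2)]
    packets: int = 0  # per-flow counter behind NetFlow/sFlow-style visibility

class FlowTable:
    def __init__(self):
        self.flows = []
        self.packet_ins = []        # table-miss packets sent to the controller

    def add(self, flow):
        self.flows.append(flow)
        self.flows.sort(key=lambda f: -f.priority)   # highest priority first

    def lookup(self, pkt):
        for f in self.flows:
            if all(pkt.get(k) == v for k, v in f.match.items()):
                return f
        return None

    def process(self, pkt):
        f = self.lookup(pkt)
        if f is None:                               # table miss -> controller
            self.packet_ins.append(pkt)
            return {"verdict": "controller", "ports": [], "queue": None, "packet": pkt}
        f.packets += 1
        out, ports, queue = dict(pkt), [], None
        for act in f.actions:
            if act[0] == "drop":                    # ACL deny: emit nothing
                return {"verdict": "drop", "ports": [], "queue": None, "packet": out}
            if act[0] == "mod_vlan":                # modify: rewrite the 802.1Q VID
                out["dl_vlan"] = act[1]
            elif act[0] == "enqueue":               # QoS: choose an HTB/HFSC queue
                queue = act[1]
            elif act[0] == "output":
                ports.append(act[1])
        return {"verdict": "forward", "ports": ports, "queue": queue, "packet": out}

def build_sample_table():
    """Constructed policy: VM-A on port 1 (10.0.0.1), VM-B on port 2 (10.0.0.2)."""
    t = FlowTable()
    # L4 ACL: SSH to VM-B is denied from anywhere (highest priority)
    t.add(Flow(300, {"nw_dst": "10.0.0.2", "nw_proto": 6, "tp_dst": 22}, [("drop",)]))
    # QoS: HTTPS to VM-B is placed on queue 1 before leaving port 2
    t.add(Flow(200, {"nw_dst": "10.0.0.2", "nw_proto": 6, "tp_dst": 443},
               [("enqueue", 1), ("output", 2)]))
    # L2 forwarding by destination MAC, tagged with tenant VLAN 20
    t.add(Flow(100, {"dl_dst": "02:00:00:00:00:02"}, [("mod_vlan", 20), ("output", 2)]))
    t.add(Flow(100, {"dl_dst": "02:00:00:00:00:01"}, [("mod_vlan", 20), ("output", 1)]))
    return t
```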