
The Datacenter Firewall


Presentation Transcript


  1. The Datacenter Firewall A New Model

  2. The Datacenter Stake Holders
     • Network Team
     • Server Team
     • Application Team
     • Security Team
     • Storage Area Network Team

  3. The Datacenter Stake Holders
     • Network Team
       • The data must get from point A to B.
       • Packet dropping is anathema.
       • Maintain minimal latency across the network.
     • Security Team
       • The data should not necessarily get from point A to B.
       • The only packets that should go through are ones that meet standards.
       • Inspection is more important than latency minimization.

  4. Datacenter Stake Holders
     • Server Team
       • Ease of server deployment.
       • Ease of server management.
       • Ease of server maintenance.
       • Usually the first line of defense when there are datacenter problems.
     • Application Team
       • Does the application work?
       • Is it fast?
       • Is it accessible by everyone who needs to access it?

  5. Datacenter Stake Holders
     • Storage Area Network Team
       • Do we have 100% uptime?
       • Are 0% of frames being dropped?
       • Are my storage arrays fast enough?

  6. Two Firewall Concepts
     • North/South Firewall
       • Data from outside the firewalled network
       • Usually a discrete set of ports
       • Also usually layer 3 communication
       • Normally for client/server applications
     • East/West Firewall
       • Intra-server communication
       • Some communication possible across random ports
       • Can be layer 2 or layer 3 communication

  7. Two Firewall Concepts
     • North/South Firewall
       • Big Iron Box
         • Usually hardware of some sort
         • Cisco ASA
         • Juniper SRX
       • Data center speeds
       • Expensive hardware
     • East/West Firewall
       • Usually software
         • Provided by the OS manufacturer
         • iptables
         • Windows Firewall
       • Speed limited by server hardware and processor

  8. Classic Firewall Configuration
     • Advantages
       • Tried and true
       • Single point of management
       • Separation of outward-facing machines from data-containing machines

  9. Classic Firewall Configuration
     • Disadvantages
       • Machines in an area are not protected from other machines in the same area.
       • As speeds go up, the firewall gets prohibitively expensive.
       • Modern server room design does not fit this model.

  10. Modern Datacenter Reality

  11. Modern Datacenter Reality
     • Virtualization of the network
       • VLANs
       • MPLS
       • Layer 3 switches
       • Shared network resources
     • Virtualization of servers
       • VMware
       • Citrix
       • Microsoft Hyper-V
       • Shared server resources

  12. Modern Datacenter Reality
     • Datacenters are running multiple 10G links in and out of them and are starting to move to 40G and 100G links as equipment prices come down.
     • Firewalls that even have 10G throughput capability are expensive.

  13. Ultimate Goal of Datacenter Firewall
     • Protect servers from internal and external users and malicious programs.
     • Protect servers from each other.
     • Minimize user impact.
     • Maximize compartmentalization.

  14. Alternate Firewall Placement

  15. Alternate Firewall Placement
     • Can we move the firewall closer to the server being protected?
     • Can we split the firewall so that each one serves a separate, smaller subset of servers, trading a single faster firewall for several slower ones?

  16. Alternate Firewall Placement
     • Can we get a handle on east/west firewalls to make them easier to manage?
     • Can we virtualize them?
     • Ideally, can we get them as close to the server as possible in the network?

  17. Firewall Virtualization
     • Two methods of virtualization
       • Contexts on a single hardware firewall
         • Still expensive for the speeds we are talking about.
       • Software firewall running in a virtual machine
         • Individual firewalls cheap
         • Individual firewalls slow compared to a hardware firewall

  18. Firewall Virtualization
     • Advantages
       • A new firewall takes a few minutes to spin up.
       • All the DR features that come with your favorite virtualization host.
       • Hardware maintenance decoupled from software maintenance.
     • Disadvantages
       • Are software firewalls truly secure?
       • Do I trust the virtualization kernel?
       • Do I trust the firewall OS?
       • Speed limited to host resources.

  19. North/South Firewall
     • Protects communication from Userland to servers.
     • Usually a layer 3 implementation, but can be in a transparent configuration if desired.
     • Not implemented very differently from classic big iron firewalls.

  20. Firewall Implementation North/South
     • No DMZs
       • All servers are on flat VLANs.
       • The east/west firewall will handle intra-server communication.
     • Break up servers into application groups
       • Group together all servers that run a single application.
       • Virtualization has allowed us to have more single-use servers.

  21. Firewall Implementation North/South
     • Put application groups behind a single firewall.
       • Bandwidth limitations will define how many you can put behind a single firewall.
       • If the group is designed correctly, intra-server traffic should not go through the firewall, as that is the east/west firewall’s job.
     • What is an application group?
       • A web application, for example
         • Web Server
         • Database Server
       • Both servers should be on the same VLAN.

  22. East/West Firewall
     • Implemented at the virtual host level.
     • Monitors intra-virtual machine layer 2 traffic.
     • If implemented correctly, can essentially put each virtual host into its own DMZ.
     • Limited functionality for non-virtual hosts.
     • Traffic has to cross the virtual switch to be monitored.

  23. East/West Firewall Implementation
     • Not unlike the north/south configuration.
       • Source IP
       • Destination IP
       • Port
       • With some implementations it is source virtual machine and destination virtual machine.
     • Mirror the North/South rules.
     • The biggest mistake is usually forgetting to allow access to your front end servers from Userland.
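The following is an added example, not code from the talk, that models the application-group design of slides 20 through 23 in a few dozen lines: a north/south ruleset that only admits Userland to the front end, an east/west ruleset at the virtual switch that mirrors that rule and adds the single web-to-database flow the application needs, a default-deny evaluator that traces a flow through both tiers, and a lint pass that catches the mistake slide 23 warns about (the mirrored Userland rule missing from the east/west side). The subnets, host addresses, ports and sample flows are constructed for illustration; none of them come from the presentation.

```python
"""Toy model of the application-group firewall design on the north/south and
east/west implementation slides. Added example, not code from the talk: the
hosts, subnets, ports and flows below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One allow rule: source network, destination network, protocol, port."""
    src: str    # CIDR of permitted sources
    dst: str    # CIDR of permitted destinations
    proto: str  # "tcp" or "udp"
    port: int   # destination port; 0 means any port

    def matches(self, flow):
        src, dst, proto, port = flow
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and proto == self.proto
                and self.port in (0, port))


def permitted(rules, flow):
    """Default deny: a flow passes a ruleset only if some allow rule matches."""
    return any(rule.matches(flow) for rule in rules)


# Constructed application group: a web front end and its database on one flat
# VLAN, with clients ("Userland") elsewhere on the campus network.
USERLAND = "10.0.0.0/16"
WEB = "10.20.1.10/32"
DB = "10.20.1.20/32"
FRONT_ENDS = {WEB}

# North/south firewall in front of the group: only the front end is reachable
# from Userland, and only on HTTPS. Intra-group traffic never crosses it.
NORTH_SOUTH = [Rule(USERLAND, WEB, "tcp", 443)]

# East/west firewall at the virtual switch: mirrors the north/south rule so
# Userland can still reach the front end, and adds the one intra-group flow
# the application needs (web -> database). Everything else between the two
# servers is denied, which is what puts each one in its own DMZ.
EAST_WEST = [
    Rule(USERLAND, WEB, "tcp", 443),
    Rule(WEB, DB, "tcp", 5432),
]


def evaluate(north_south, east_west, flow):
    """Trace a flow through both tiers.

    Traffic from Userland crosses the north/south firewall first and then the
    east/west firewall at the virtual switch; traffic between servers in the
    group only crosses the east/west firewall.
    """
    if ip_address(flow[0]) in ip_network(USERLAND):
        if not permitted(north_south, flow):
            return "drop:north_south"
    if not permitted(east_west, flow):
        return "drop:east_west"
    return "allow"


def lint_front_end_access(east_west, front_ends, userland):
    """Return front ends that no east/west rule lets Userland reach.

    This is the mistake the slide calls out: the north/south rule exists, but
    the mirrored east/west rule was never written, so client traffic passes
    the outer firewall and is dropped at the virtual switch.
    """
    userland_net = ip_network(userland)
    missing = []
    for host in sorted(front_ends):
        reachable = any(
            ip_network(rule.src).overlaps(userland_net)
            and ip_address(host.split("/")[0]) in ip_network(rule.dst)
            for rule in east_west
        )
        if not reachable:
            missing.append(host)
    return missing


# Constructed sample flows: (src, dst, proto, dst_port).
SAMPLE_FLOWS = {
    "client_to_web_https": ("10.0.5.7", "10.20.1.10", "tcp", 443),
    "client_to_db_direct": ("10.0.5.7", "10.20.1.20", "tcp", 5432),
    "web_to_db": ("10.20.1.10", "10.20.1.20", "tcp", 5432),
    "db_to_web_ssh": ("10.20.1.20", "10.20.1.10", "tcp", 22),
}

if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        print(f"{name:22s} {evaluate(NORTH_SOUTH, EAST_WEST, flow)}")
    # Drop the mirrored rule to reproduce the common mistake from slide 23.
    broken = EAST_WEST[1:]
    print("front ends unreachable from Userland:",
          lint_front_end_access(broken, FRONT_ENDS, USERLAND))
```

With both rulesets intact, the client HTTPS flow and the web-to-database flow are allowed, a client trying to reach the database directly is dropped at the north/south tier, and SSH from the database host back to the web server is dropped at the east/west tier. Removing the mirrored Userland rule from the east/west set makes the lint pass report the web front end, and the same client HTTPS flow now passes the outer firewall only to be dropped at the virtual switch, which is exactly the symptom the slide describes.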

  24. Some Current Implementations
     • North/South
       • Cisco ASA1000V
         • Requires the Nexus 1000V
       • Juniper Firefly
     • East/West
       • Cisco VSG
         • Requires the Nexus 1000V
       • Juniper VGW
       • VMware vShield

  25. Money where my mouth is
     • NKU is currently implementing this model across our entire datacenter.
     • For high speed applications we are using our load balancer to manage the firewalling.

  26. Questions?
     Thank you
     Chris Johnson
     johnsonch@nku.edu
     Presentation can be downloaded at: http://www.bytesofchris.com
