The Datacenter Firewall: A New Model

The Datacenter Stakeholders
• Network Team
• Server Team
• Application Team
• Security Team
• Storage Area Network Team
The Datacenter Stakeholders
• Network Team
  • The data must get from point A to B.
  • Packet dropping is anathema.
  • Maintain minimal latency across the network.
• Security Team
  • The data should not necessarily get from point A to B.
  • The only packets that should go through are ones that meet standards.
  • Inspection is more important than latency minimization.
Datacenter Stakeholders
• Server Team
  • Ease of server deployment.
  • Ease of server management.
  • Ease of server maintenance.
  • Usually the first line of defense when there are datacenter problems.
• Application Team
  • Does the application work?
  • Is it fast?
  • Is it accessible by everyone who needs to access it?
Datacenter Stakeholders
• Storage Area Network Team
  • Do we have 100% uptime?
  • Are 0% of frames being dropped?
  • Are my storage arrays fast enough?
Two Firewall Concepts
• North/South Firewall
  • Data from outside the firewalled network
  • Usually a discrete set of ports
  • Also usually layer 3 communication
  • Normally for client/server applications
• East/West Firewall
  • Intra-server communication
  • Some communication possible across random ports
  • Can be layer 2 or layer 3 communication
Two Firewall Concepts
• North/South Firewall
  • Big iron box
    • Usually hardware of some sort
      • Cisco ASA
      • Juniper SRX
  • Data center speeds
  • Expensive hardware
• East/West Firewall
  • Usually software
    • Provided by OS manufacturer
      • iptables
      • Windows Firewall
  • Speed limited by server hardware and processor
Classic Firewall Configuration
• Advantages
  • Tried and true
  • Single point of management
  • Separation of outward-facing machines from data-containing machines

Classic Firewall Configuration
• Disadvantages
  • Machines in an area are not protected from other machines in the same area.
  • As speeds go up, the firewall gets prohibitively expensive.
  • Modern server room design does not fit this model.
Modern Datacenter Reality
• Virtualization of the network
  • VLANs
  • MPLS
  • Layer 3 switches
  • Shared network resources
• Virtualization of servers
  • VMware
  • Citrix
  • Microsoft Hyper-V
  • Shared server resources

Modern Datacenter Reality
• Datacenters are running multiple 10G links in and out of them, and are starting to move to 40G and 100G links as the price of equipment comes down.
• Firewalls that even have 10G throughput capability are expensive.
Ultimate Goal of the Datacenter Firewall
• Protect servers from internal and external users and malicious programs.
• Protect servers from each other.
• Minimize user impact.
• Maximize compartmentalization.

Alternate Firewall Placement
• Can we move the firewall closer to the server being protected?
• Can we split firewalls up so that each serves a separate, smaller subset of servers, using more, slower firewalls instead of a single faster one?

Alternate Firewall Placement
• Can we get a handle on east/west firewalls to make them easier to manage?
• Can we virtualize them?
• Ideally, can we get them as close to the server as possible in the network?
Firewall Virtualization
• Two methods of virtualization
  • Contexts on a single hardware firewall
    • Still expensive for the speeds we are talking about.
  • Software firewall running in a virtual machine
    • Individual firewalls are cheap.
    • Individual firewalls are slow compared to a hardware firewall.

Firewall Virtualization
• Advantages
  • A new firewall takes a few minutes to spin up.
  • All DR features that come along with your favorite virtualization host.
  • Hardware maintenance is decoupled from software maintenance.
• Disadvantages
  • Are software firewalls truly secure?
  • Do I trust the virtualization kernel?
  • Do I trust the firewall OS?
  • Speed is limited to host resources.
North/South Firewall
• Protects communication from Userland to servers.
• Usually a layer 3 implementation, but can be in a transparent configuration if desired.
• Not implemented very differently from classic big iron firewalls.

Firewall Implementation: North/South
• No DMZs
  • All servers are on flat VLANs.
  • The east/west firewall will handle intra-server communication.
• Break up servers into application groups
  • Group together all servers that run a single application.
  • Virtualization has allowed us to have more single-use servers.

Firewall Implementation: North/South
• Put application groups behind a single firewall.
  • Bandwidth limitations will define how many you can put behind a single firewall.
  • If the group is designed correctly, intra-server traffic should not go through the firewall, as that is the east/west firewall's job.
• What is an application group?
  • A web application, for example
    • Web server
    • Database server
  • Both servers should be on the same VLAN.
East/West Firewall
• Implemented at the virtual host level.
• Monitors intra-virtual-machine layer 2 traffic.
• If implemented correctly, can essentially put each virtual host into its own DMZ.
• Limited functionality for non-virtual hosts.
  • Traffic has to cross the virtual switch to be monitored.

East/West Firewall Implementation
• Not unlike the north/south configuration.
  • Source IP
  • Destination IP
  • Port
  • With some implementations it is source virtual machine and destination virtual machine.
• Mirror the north/south rules.
  • The biggest mistake is usually forgetting to allow access to your front end servers from Userland.
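The two slides above (application groups behind the north/south firewall, and the east/west rules that mirror them) describe a policy that is easy to get subtly wrong. The following model is an added example, not code from the presentation or from NKU: it builds both rule sets for one constructed web application group (web server plus database on a single VLAN, placeholder addresses from 192.0.2.0/24 and a placeholder Userland range of 10.0.0.0/8), evaluates whether a flow clears every firewall on its path, and lints for the two errors the slides call out: intra-VLAN traffic leaking onto the north/south firewall, and an east/west policy that forgets to admit Userland to the front end.

```python
"""Two-tier datacenter firewall policy model (added example, not the deck's own
code).  Addresses, VLAN and application group below are constructed placeholders.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

USERLAND = ip_network("10.0.0.0/8")   # constructed: where client traffic originates


@dataclass(frozen=True)
class Rule:
    src: IPv4Network   # source network
    dst: IPv4Network   # destination network
    dport: int         # destination TCP port


@dataclass(frozen=True)
class AppGroup:
    """Servers that together run one application, all on one flat VLAN."""
    name: str
    vlan: IPv4Network
    front_end: str               # host that Userland talks to
    front_port: int
    back_ends: tuple             # (host, port) pairs the front end depends on


def host(addr: str) -> IPv4Network:
    return ip_network(f"{addr}/32")


def north_south_rules(g: AppGroup) -> list:
    """North/south firewall in front of the VLAN: only Userland -> front end.
    Intra-VLAN flows never reach this device; they are the E/W firewall's job."""
    return [Rule(USERLAND, host(g.front_end), g.front_port)]


def east_west_rules(g: AppGroup) -> list:
    """East/west firewall at the virtual host: mirrors the N/S rule (Userland must
    still be admitted at the vSwitch) and adds the intra-group back-end flows."""
    rules = [Rule(USERLAND, host(g.front_end), g.front_port)]
    rules += [Rule(host(g.front_end), host(h), p) for h, p in g.back_ends]
    return rules


def permitted(rules, src: str, dst: str, dport: int) -> bool:
    """Default deny: a flow passes only if some rule matches it."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in r.src and d in r.dst and dport == r.dport for r in rules)


def flow_allowed(g: AppGroup, ns_rules, ew_rules, src: str, dst: str, dport: int) -> bool:
    """A flow must clear every firewall on its path: the N/S firewall only when it
    enters the VLAN from outside, the E/W firewall always (the vSwitch sees every
    packet addressed to a VM in the group)."""
    if ip_address(dst) not in g.vlan:
        return False
    entering = ip_address(src) not in g.vlan
    if entering and not permitted(ns_rules, src, dst, dport):
        return False
    return permitted(ew_rules, src, dst, dport)


def lint(g: AppGroup, ns_rules, ew_rules) -> list:
    """Flag the two design errors the deck warns about."""
    problems = []
    client = str(next(USERLAND.hosts()))
    if not permitted(ew_rules, client, g.front_end, g.front_port):
        problems.append("east/west policy forgets Userland access to the front end")
    if any(r.src.subnet_of(g.vlan) and r.dst.subnet_of(g.vlan) for r in ns_rules):
        problems.append("north/south firewall is carrying intra-VLAN traffic")
    return problems


# Constructed sample: a web application group, web server plus database on one VLAN.
WEB_APP = AppGroup(
    name="web-app",
    vlan=ip_network("192.0.2.0/24"),
    front_end="192.0.2.10",
    front_port=443,
    back_ends=(("192.0.2.20", 5432),),
)
NS = north_south_rules(WEB_APP)
EW = east_west_rules(WEB_APP)

if __name__ == "__main__":
    print("client -> web 443:", flow_allowed(WEB_APP, NS, EW, "10.1.2.3", "192.0.2.10", 443))
    print("web -> db 5432:   ", flow_allowed(WEB_APP, NS, EW, "192.0.2.10", "192.0.2.20", 5432))
    print("client -> db 5432:", flow_allowed(WEB_APP, NS, EW, "10.1.2.3", "192.0.2.20", 5432))
    print("lint:", lint(WEB_APP, NS, EW))
```

Dropping the mirrored Userland rule from the east/west set reproduces the mistake the slide describes: the north/south firewall admits the client, the vSwitch policy then drops it, and `lint` reports it before anyone has to debug a "the site is down" call.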
Some Current Implementations
• North/South
  • Cisco ASA1000V
    • Requires the Nexus 1000V
  • Juniper Firefly
• East/West
  • Cisco VSG
    • Requires the Nexus 1000V
  • Juniper VGW
  • VMware vShield

Money Where My Mouth Is
• NKU is currently implementing this model across our entire datacenter.
• For high speed applications we are using our load balancer to manage the firewalling.

Questions?
Thank you
Chris Johnson
johnsonch@nku.edu
Presentation can be downloaded at: http://www.bytesofchris.com