Secure Data Center Design, by Piotr Wojciechowski (CCIE #25543)

The document discusses secure data center design, including physical security measures, network segmentation into security zones, intrusion prevention system deployment, and challenges related to virtualization. Physical security involves perimeter security, surveillance, entry point control, and disaster recovery planning. The network is segmented into security zones to control inter-zone communication and monitoring. Intrusion prevention systems are deployed in load-balanced port channels to inspect traffic between zones. Virtualization poses challenges including lack of visibility into virtual machine traffic and isolation between virtual machines that requires solutions like ERSPAN, firewalling using virtual firewall contexts, and virtual intrusion detection systems.


SECURE DATA CENTER DESIGN

Piotr Wojciechowski (CCIE #25543)


ABOUT ME
¢  Senior Network Engineer MSO at VeriFone Inc.
¢  Previously Network Solutions Architect at one of the top Polish IT integrators
¢  CCIE #25543 (Routing & Switching)
¢  Blogger – http://ccieplayground.wordpress.com
¢  Administrator of the CCIE.PL board
—  The biggest Cisco community in Europe
—  Over 6800 users
—  3 admins, 7 moderators
—  58 Polish CCIEs as members, 20 of them actively posting
—  About 150 new topics per month
—  About 1000 posts per month
—  English section available
AGENDA
¢  What do we want to protect?
¢  Physical DC security

¢  Secure Network Design

¢  Internet Edge Protection

¢  Security Audits


WHAT DO WE WANT TO PROTECT?
¢  Sensitive data
¢  Business-related processes

¢  Network services

¢  Applications

¢  Hardware
WHERE DO WE PROTECT?
SECURITY AS A PROCESS

1.  Subject matter experts define policies
2.  Policies are used to create application templates
3.  Application templates are used to create application profiles
4.  Associated profiles create resources automatically
PHYSICAL DC SECURITY
DATA CENTER PHYSICAL SECURITY
¢  Site location
—  Risk of natural disasters at an acceptable level (fires, lightning storms, hurricanes, earthquakes etc.)
—  Risk of man-made disasters at a low level (plane crashes, riots, fires, explosions etc.)
¢  Site should not be adjacent to airports, prisons, freeways, banks, refineries etc.
—  Data center should not share the same building with other offices, especially offices not owned by the organization
DATA CENTER PHYSICAL SECURITY
¢  Site location
—  Electrical utility powering the site should have 99.9% or better reliability of service.
¢  It must be delivered from at least two separate substations
¢  Backup power generators
—  Water should be delivered from more than one source

DATA CENTER PHYSICAL SECURITY
¢  Perimeters
—  Fence around the facility
—  Guard kiosks at each access point
—  Automatic authentication method for employees (badges)
—  CCTV
—  Parking not alongside the building
—  No clear advertisement that a data center is located at this facility
DATA CENTER PHYSICAL SECURITY
¢  Surveillance
—  Monitoring of property as well as neighborhood
—  Guards on patrol
—  Parking permits for vehicles
—  Separate parking areas for employees and visitors
DATA CENTER PHYSICAL SECURITY
¢  Entry points
—  Loading docks and all outside doors should have automatic authentication methods (i.e. badges)
—  Each entrance should have physical barriers and CCTV cameras
—  Engineers must be required to use badges with pictures
—  Track equipment being brought in and removed
DATA CENTER PHYSICAL SECURITY
¢  NOC (Network Operation Centre)
—  Must have power, temperature, fire and humidity
monitoring systems in place
—  Redundant methods of communication with outside
(analog phones, IP phones, cell phones etc.)
—  Manned 24/7
DATA CENTER PHYSICAL SECURITY
¢  Disaster Recovery
—  It’s a must have!
—  Must contain: definition of disaster, who gets notified, who conducts damage assessment, where backups are located and what to do to maintain them
—  Plan must be updated and reviewed
SECURE NETWORK DESIGN
MULTI-LAYER DC PROTECTION
¢  No single solution for all data centers
¢  Security should be deployed based on application requirements, certification requirements as well as traffic flow
¢  Too much protection can be worse than no protection
¢  Virtualization – new challenges for security

SECURITY ZONES
¢  A security zone is an area within a network
occupied by a group of systems and components
with similar requirements for the protection of
information and the attendant characteristics
associated with those requirements.
¢  Security zones are often layered as trust zones such that resources in higher trust zones may communicate with resources in lower trust zones, but not the other way around.
SECURITY ZONES
SECURITY ZONES
¢  Goals of security zones:
—  Control inter-zone communication
—  Monitor inter-zone communication using IDP/IPS
—  Control management access into, out of and within the zone (jump servers)
—  Enforce data confidentiality and integrity rules for data stored within a zone, as well as for replication and backup.
SECURITY ZONES
¢  How to establish a security zone?
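Added example (not part of the deck): the layered trust model from the slides above, expressed as a small policy evaluator in Python. Zone names, address ranges, the trust ranking, the management-port rule and the jump host address are all assumptions chosen for illustration; a real deployment takes them from the firewall or fabric policy. A flow from a higher-trust zone to a lower-trust one is permitted, the reverse needs an explicit exception, and management ports are reachable only from a jump host, so the evaluator doubles as a check to run over a list of observed flows.

```python
"""Trust-zone policy evaluator (constructed example; zone ranges, trust ranking,
management-port rule and jump host are assumptions, not the deck's content)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Zone name -> (address range, trust level). Higher number = more trusted.
ZONES = {
    "internet": (ip_network("0.0.0.0/0"), 0),
    "dmz":      (ip_network("192.0.2.0/24"), 10),
    "app":      (ip_network("198.51.100.0/24"), 20),
    "db":       (ip_network("203.0.113.0/24"), 30),
    "mgmt":     (ip_network("10.255.0.0/24"), 40),
}

# Lower-to-higher flows are denied unless listed here: (src zone, dst zone, dst port).
EXCEPTIONS = {
    ("internet", "dmz", 443),   # public web tier
    ("dmz", "app", 8443),       # web tier -> application tier
    ("app", "db", 5432),        # application tier -> database
}

# Management access into, out of and within zones goes through jump hosts only.
MGMT_PORTS = {22, 3389}
JUMP_HOSTS = {"10.255.0.10"}


@dataclass
class Verdict:
    action: str   # "permit" or "deny"
    reason: str


def zone_of(ip):
    """Longest-prefix match of an address onto a zone (the /0 catches the rest)."""
    addr, best = ip_address(ip), None
    for name, (net, _) in ZONES.items():
        if addr in net and (best is None or net.prefixlen > ZONES[best][0].prefixlen):
            best = name
    return best


def evaluate(src_ip, dst_ip, dst_port):
    """Apply the zone policy to one flow and explain the decision."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    src_trust, dst_trust = ZONES[src][1], ZONES[dst][1]
    if dst_port in MGMT_PORTS and src_ip not in JUMP_HOSTS:
        return Verdict("deny", f"management port {dst_port} on {dst} only reachable from a jump host")
    if src == dst:
        return Verdict("permit", f"intra-zone traffic within {src}")
    if src_trust > dst_trust:
        return Verdict("permit", f"{src} (trust {src_trust}) -> {dst} (trust {dst_trust}): higher to lower")
    if (src, dst, dst_port) in EXCEPTIONS:
        return Verdict("permit", f"{src} -> {dst}:{dst_port} is an explicit exception")
    return Verdict("deny", f"{src} (trust {src_trust}) -> {dst} (trust {dst_trust}): lower to higher, no exception")


def audit(flows):
    """Run (src_ip, dst_ip, dst_port) records, e.g. exported from flow logs,
    and return the ones the zone policy would deny, with the reason."""
    out = []
    for src_ip, dst_ip, dst_port in flows:
        v = evaluate(src_ip, dst_ip, dst_port)
        if v.action == "deny":
            out.append(((src_ip, dst_ip, dst_port), v.reason))
    return out


# Constructed flow records (not real traffic).
SAMPLE_FLOWS = [
    ("8.8.8.8", "192.0.2.10", 443),
    ("8.8.8.8", "192.0.2.10", 22),
    ("192.0.2.10", "198.51.100.9", 8443),
    ("198.51.100.9", "203.0.113.5", 5432),
    ("198.51.100.9", "203.0.113.5", 5433),
    ("10.255.0.10", "203.0.113.5", 22),
    ("203.0.113.5", "8.8.8.8", 443),
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print("DENY", flow, reason)
```

Running the file lists the two denied records from the constructed sample (SSH from the Internet to the DMZ, and an unlisted port from the application tier to the database). The same evaluator can be pointed at an exported flow table to find traffic that contradicts the zone design before it is written into firewall rules.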
IPS DEPLOYMENT
¢  The Intrusion Prevention System (IPS) provides deep packet and anomaly inspection to protect against both common and complex embedded attacks.
¢  Because of the nature of IPS and its intense inspection capabilities, the overall throughput varies depending on the active policy.
¢  The IPS deployment in the data center usually leverages EtherChannel load balancing from the service switch. This method is recommended for the data center because it allows the IPS services to scale to meet the data center requirements.
IPS DEPLOYMENT
¢  Usually deployed in the services layer (part of the DMZ and high security zones)
¢  A port channel is configured on the services switch to forward traffic
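Added example, not from the deck or from Cisco: a Python model of why the load-balancing method on that port channel matters. The IPS keeps per-connection state, so both directions of a TCP session must hash to the same member link and therefore to the same sensor. The XOR-of-low-bits hash below is a stand-in for the switch's real algorithm (an assumption), the method names only loosely mirror IOS/NX-OS load-balance keywords, and the flows are constructed.

```python
"""Port-channel load balancing towards IPS sensors (constructed model; the XOR
hash stands in for the switch's real algorithm and the flows are made up)."""
import ipaddress
from collections import Counter


def _low_bits(ip, nbits):
    """The `nbits` least significant bits of an IPv4/IPv6 address."""
    return int(ipaddress.ip_address(ip)) & ((1 << nbits) - 1)


def member_for(flow, method, members):
    """Member link (0..members-1) a packet of `flow` would take.

    flow = (src_ip, dst_ip, src_port, dst_port); `method` is the load-balance
    key, named loosely after the IOS/NX-OS keywords; `members` is the number of
    links in the port channel (a power of two, as on most platforms)."""
    if members < 1 or members & (members - 1):
        raise ValueError("member count must be a power of two")
    nbits = members.bit_length() - 1
    mask = members - 1
    src, dst, sport, dport = flow
    if method == "src-ip":
        h = _low_bits(src, nbits)
    elif method == "src-dst-ip":
        h = _low_bits(src, nbits) ^ _low_bits(dst, nbits)
    elif method == "src-dst-ip-port":
        h = _low_bits(src, nbits) ^ _low_bits(dst, nbits) ^ (sport & mask) ^ (dport & mask)
    else:
        raise ValueError(f"unknown load-balance method {method!r}")
    return h & mask


def reverse(flow):
    """The reply direction of a flow."""
    src, dst, sport, dport = flow
    return (dst, src, dport, sport)


def asymmetric_flows(flows, method, members):
    """Flows whose two directions hash to different links, i.e. to different
    IPS sensors: each sensor then sees only half the conversation and stateful
    signatures (TCP reassembly, protocol anomaly checks) cannot fire."""
    return [f for f in flows
            if member_for(f, method, members) != member_for(reverse(f), method, members)]


def load_per_member(flows, method, members):
    """Forward-direction flows per link, to judge how evenly the sensors are loaded."""
    return Counter(member_for(f, method, members) for f in flows)


# Constructed client -> server flows: web tier to database tier, and a DMZ
# front end to the web tier.
SAMPLE_FLOWS = [
    ("198.51.100.10", "203.0.113.21", 40001, 5432),
    ("198.51.100.11", "203.0.113.21", 40002, 5432),
    ("198.51.100.12", "203.0.113.22", 40003, 5432),
    ("198.51.100.13", "203.0.113.22", 40004, 5432),
    ("192.0.2.7", "198.51.100.10", 51000, 443),
    ("192.0.2.8", "198.51.100.11", 51001, 443),
]

if __name__ == "__main__":
    for method in ("src-ip", "src-dst-ip", "src-dst-ip-port"):
        split = asymmetric_flows(SAMPLE_FLOWS, method, 2)
        print(f"{method:16} split flows: {len(split)}  "
              f"load: {dict(load_per_member(SAMPLE_FLOWS, method, 2))}")
```

With a source-only key, four of the six constructed flows have their reply direction land on the other sensor; any key that combines source and destination symmetrically keeps both directions together. The even spread across members is a separate concern, which is why the model reports load per link as well.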
IPS DEPLOYMENT
¢  Spanning tree plays an important role for IPS redundancy in this design
—  Under normal operating conditions, traffic in a VLAN will always follow the same active Layer-2 path
—  If a failure occurs (service switch failure or a service switch link failure), spanning tree would converge and the active Layer-2 traffic path would change to the redundant service switch and Cisco IPS appliances.
IPS DEPLOYMENT – SECURE TRAFFIC FLOW
VIRTUALIZATION CHALLENGES - VISIBILITY
¢  New challenges for visibility into what is occurring at the virtual network level
¢  Traffic flows can now occur within the server between virtual machines without needing to traverse a physical access switch
¢  If a virtual machine is infected or compromised it might be more difficult for administrators to spot without the traffic being forwarded through security appliances
¢  ERSPAN forwards copies of the virtual machine traffic to the Cisco IPS appliance and the Cisco Network Analysis Module (NAM)
VIRTUALIZATION CHALLENGES - ISOLATION
¢  Server-to-server filtering can be performed using ACLs on the Cisco Nexus 1000V
¢  Because the server-to-server traffic never leaves the physical server, the ACL provides an excellent method for segmenting this traffic.
¢  There are two options for adding an access list to the virtual Ethernet interfaces to block communication:
—  The ACL can be defined and the access group applied to a port profile. All interfaces configured for the port profile will inherit the access-group setting.
—  Specific ACLs can be applied directly to the virtual Ethernet interface in addition to the port profile. The port profile will still apply, but the access group will only be applied to the specific interface instead of all interfaces that have inherited the particular port profile.
VIRTUALIZATION CHALLENGES - FIREWALLING
¢  An additional virtual context is created on the Cisco ASA and designated to reside between the servers and an Oracle database
¢  It can also be a virtual firewall (ASA 1000V)
¢  The goal is not to prevent any server from communicating with the database, but rather to control which servers can access the database
¢  Context firewalls can run in routed and transparent modes
VIRTUALIZATION CHALLENGES – WEB APPLICATION FIREWALL
¢  WAF can protect servers from a number of highly damaging application-layer attacks, including command injection, directory traversal attacks, and cross-site scripting (XSS) attacks
¢  Can also be used for SSL offloading
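Added example (not the deck's material and not any product's rule set): a minimal WAF-style inspector in Python for the three attack classes named above. The rule patterns, the normalisation steps and the sample requests are assumptions. The point it shows is that a request has to be decoded the way the backend will decode it, including double percent-encoding, before any pattern is applied; otherwise the traversal and XSS rules miss encoded variants.

```python
"""WAF-style request inspection (constructed example; rules, normalisation and
sample requests are assumptions, not a product rule set)."""
import re
from urllib.parse import unquote

# Label -> pattern, run against the normalised request fields. Deliberately small.
RULES = {
    "directory-traversal": re.compile(r"(^|/)\.\.(/|$)"),
    "command-injection":   re.compile(r"[;&|`]\s*(cat|ls|id|whoami|wget|curl|sh|bash)\b"),
    "xss":                 re.compile(r"<\s*script\b|javascript:|\bon(load|error|click)\s*="),
}


def normalize(value, max_rounds=3):
    """Percent-decode until stable (double encoding is a classic evasion), fold
    backslashes to slashes and lower-case, so rules see what the backend sees."""
    rounds, prev = 0, None
    while value != prev and rounds < max_rounds:
        prev, value = value, unquote(value)
        rounds += 1
    return value.replace("\\", "/").lower()


def inspect(method, path, query="", body=""):
    """Return (label, field) hits for one request; an empty list means clean."""
    hits = []
    for field, raw in (("path", path), ("query", query), ("body", body)):
        text = normalize(raw)
        for label, pattern in RULES.items():
            if pattern.search(text):
                hits.append((label, field))
    return hits


def decide(method, path, query="", body="", client_ip="?"):
    """Block on any hit and return the verdict plus a log line that keeps the
    real client address (the Internet edge slides ask the WAF to retain it)."""
    hits = inspect(method, path, query, body)
    action = "block" if hits else "allow"
    line = f"waf action={action} client={client_ip} {method} {path}"
    if hits:
        line += " rules=" + ",".join(f"{label}@{field}" for label, field in hits)
    return action, line


# Constructed requests (not captured traffic).
SAMPLE_REQUESTS = [
    ("GET", "/reports", "name=q3.pdf", "", "192.0.2.50"),
    ("GET", "/images/..%2F..%2Fetc/passwd", "", "", "192.0.2.51"),
    ("GET", "/search", "q=%253Cscript%253Ealert(1)%253C%252Fscript%253E", "", "192.0.2.52"),
    ("POST", "/api/ping", "", "host=203.0.113.5;id", "192.0.2.53"),
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(decide(*req)[1])
```

The bounded decode loop is deliberate: decoding until the value stops changing, but at most a few rounds, catches double-encoded payloads without letting a pathological input keep the inspector busy. A production WAF adds many more rules, protocol parsing and learning of the application's normal traffic, but the normalise-then-match order is the same.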
VIRTUALIZATION CHALLENGES – VM-TO-VM IDS
¢  ERSPAN on the Cisco Nexus 1000V is leveraged to forward a copy of virtual machine-to-virtual machine traffic to the IDS at the services layer
¢  Both virtual machines reside on the same physical server
¢  The attempt triggers a signature on the IDS and is logged for investigation
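Added example serving both the visibility slides (ERSPAN copies of VM traffic sent to the IPS and NAM) and the VM-to-VM IDS slides above; it is constructed for this page and is not the deck's or Cisco's code. The sensor at the services layer receives GRE-encapsulated ERSPAN Type II packets and must strip that encapsulation before any signature can see the original Ethernet frame. The session-ID-to-source table and the sample packet are constructed, and the outer IPv4 header is assumed to be stripped already (the buffer starts at the GRE header).

```python
"""ERSPAN Type II decoder (constructed example; not the deck's or Cisco's code).
Assumes the outer IPv4 header is already stripped, so `buf` starts at GRE."""
import struct

GRE_PROTO_ERSPAN_II = 0x88BE
ETHERTYPE_IPV4 = 0x0800

# Constructed operator table: ERSPAN session ID -> what that session mirrors, so
# an alert on the sensor can be traced back to the VMs and host it came from.
SESSIONS = {7: "nexus1000v/esx-01: vEth ports of vm-web-01 and vm-db-01 (same host)"}


def parse_gre(buf):
    """Return (protocol type, sequence number or None, header length)."""
    flags, proto = struct.unpack_from("!HH", buf, 0)
    off = 4
    if flags & 0x8000:            # C: checksum + reserved
        off += 4
    if flags & 0x2000:            # K: key
        off += 4
    seq = None
    if flags & 0x1000:            # S: sequence number (set by ERSPAN Type II)
        (seq,) = struct.unpack_from("!I", buf, off)
        off += 4
    return proto, seq, off


def parse_erspan2(buf):
    """Decode the 8-byte ERSPAN Type II header:
    word 1 = ver(4) | vlan(12) | cos(3) | en(2) | t(1) | session id(10)
    word 2 = reserved(12) | index(20)"""
    w1, w2 = struct.unpack_from("!II", buf, 0)
    hdr = {
        "version": w1 >> 28,
        "vlan": (w1 >> 16) & 0xFFF,
        "cos": (w1 >> 13) & 0x7,
        "en": (w1 >> 11) & 0x3,          # encapsulation of the original frame
        "truncated": bool((w1 >> 10) & 1),
        "session_id": w1 & 0x3FF,
        "index": w2 & 0xFFFFF,
    }
    return hdr, 8


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


def decode_mirror(buf):
    """Strip GRE + ERSPAN and describe the mirrored Ethernet frame."""
    proto, seq, off = parse_gre(buf)
    if proto != GRE_PROTO_ERSPAN_II:
        raise ValueError(f"not ERSPAN Type II (GRE protocol 0x{proto:04x})")
    hdr, n = parse_erspan2(buf[off:])
    if hdr["version"] != 1:
        raise ValueError(f"unexpected ERSPAN version {hdr['version']}")
    frame = buf[off + n:]
    info = {"gre_seq": seq, **hdr,
            "source": SESSIONS.get(hdr["session_id"], "unknown session"),
            "dst_mac": _mac(frame[0:6]), "src_mac": _mac(frame[6:12]),
            "ethertype": struct.unpack_from("!H", frame, 12)[0]}
    if info["ethertype"] == ETHERTYPE_IPV4:
        ip = frame[14:]
        ihl = (ip[0] & 0xF) * 4
        info.update(ip_proto=ip[9],
                    ip_src=".".join(map(str, ip[12:16])),
                    ip_dst=".".join(map(str, ip[16:20])),
                    l4_payload=ip[ihl:])
    return info


def build_sample():
    """A constructed mirrored packet: VM-to-VM TCP segment on VLAN 100, session 7."""
    gre = struct.pack("!HHI", 0x1000, GRE_PROTO_ERSPAN_II, 42)        # S bit, seq 42
    w1 = (1 << 28) | (100 << 16) | (0 << 13) | (0b10 << 11) | (0 << 10) | 7
    erspan = struct.pack("!II", w1, 0x1234)
    eth = (bytes.fromhex("005056aabb01") + bytes.fromhex("005056aabb02")
           + struct.pack("!H", ETHERTYPE_IPV4))
    payload = b"\x00\x50\x15\x38"                                      # constructed TCP bytes (truncated)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, 6, 0,
                     bytes([198, 51, 100, 10]), bytes([198, 51, 100, 20]))
    return gre + erspan + eth + ip + payload


SAMPLE_PACKET = build_sample()

if __name__ == "__main__":
    d = decode_mirror(SAMPLE_PACKET)
    print(f"session {d['session_id']} vlan {d['vlan']} {d['ip_src']} -> {d['ip_dst']} "
          f"proto {d['ip_proto']}  [{d['source']}]")
```

The session ID is the key piece of context: on its own the inner frame only says that 198.51.100.10 spoke to 198.51.100.20, while the session table tells the analyst which virtual switch and host mirrored it, which is what makes a VM-to-VM alert actionable. The GRE sequence number is worth logging too, since gaps in it show that the mirror dropped packets and the sensor's view is incomplete.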
VIRTUALIZATION CHALLENGES – SUMMARY

Component                         | Botnets | DoS | Unauthorized Access | Spyware, Malware | Network Abuse | Data Leakage | Visibility | Control
----------------------------------+---------+-----+---------------------+------------------+---------------+--------------+------------+--------
Routing Security                  |         | Yes | Yes                 |                  | Yes           |              | Yes        | Yes
Service Resiliency                |         | Yes | Yes                 |                  |               |              |            | Yes
Network Policy Enforcement        | Yes     |     | Yes                 |                  | Yes           | Yes          |            | Yes
Application Control Engine (ACE)  |         | Yes | Yes                 |                  |               |              | Yes        | Yes
Web Application Firewall (WAF)    |         |     | Yes                 | Yes              |               | Yes          | Yes        | Yes
IPS Integration                   | Yes     |     |                     | Yes              | Yes           |              | Yes        | Yes
Switching Security                |         | Yes | Yes                 |                  | Yes           | Yes          |            |
Endpoint Security                 | Yes     | Yes | Yes                 | Yes              | Yes           | Yes          | Yes        | Yes
Secure Device Access              |         |     | Yes                 |                  | Yes           | Yes          | Yes        | Yes
Telemetry                         | Yes     | Yes | Yes                 |                  | Yes           |              | Yes        |


INTERNET EDGE PROTECTION
¢  The Internet edge is a public-facing network infrastructure and is particularly exposed to a large array of external threats. Some of the expected threats are as follows:
—  Denial-of-service (DoS), distributed DoS (DDoS)
—  Spyware, malware, and adware
—  Network intrusion, takeover, and unauthorized network access
—  E-mail spam and viruses
—  Web-based phishing, viruses, and spyware
—  Application-layer attacks (XML attacks, cross-site scripting, and so on)
—  Identity theft, fraud, and data leakage
FIREWALL PHYSICAL INTERFACES LAYOUT
The different logical interfaces on the Cisco ASA can be used to separate the DMZ, SP-facing interfaces, and the inside corporate infrastructure
WEB APPLICATION FIREWALL
¢  Configure the web application firewall to retain the source IP address if the traffic is directed to appliances in the data center.
¢  It is recommended that HTTPS traffic directed to the data center not be decrypted, as the Cisco ACE module in the data center will perform the load balancing and decryption while also providing higher performance.
¢  The web application firewall in the Internet edge and the web application firewall in the data center should be configured in the same cluster.
SERVICE PROVIDER EDGE
¢  Use BGP as the routing protocol for all dynamic
routing—both between the border routers and
between the border routers and SP.
¢  Have an independent autonomous system number.
This will give the flexibility of advertising the
Internet prefix to different SPs.
¢  Use PfR as path-optimization mechanism. This will
ensure that the optimal path is selected between the
SPs—thereby increasing the application
performance.
SECURITY AUDITS
¢  There is no one template of security audit that will fit everyone
¢  Some security audits are certification related (for example PCI-DSS)
¢  Audits do not cover only networking aspects
¢  If performed correctly, a security audit can reveal weaknesses in technology, practices, employees and other key areas
¢  Usually semi-automated
SECURITY AUDITS
¢  Audit components (some, not all):
—  Vulnerability scans
—  Examination of OS settings
—  Examination of application settings
—  Network analysis
—  Employee interviews
—  Log review
—  Security policies review
SECURITY AUDITS
¢  Some of the key questions that an auditor must ask include:
—  Who is in charge of security, and who does this person
report to?
—  Have ACLs (Access Control Lists) been placed on
network devices to control who has access to shared
data?
—  How are passwords created and managed?
—  Are there audit logs to record who accesses data?
—  Who reviews the audit logs, and how often are they
examined?
—  Are the security settings for OSes and applications in
accordance with accepted industry security practices?
SECURITY AUDITS
¢  Some of the key questions that an auditor must ask include:
—  Have unnecessary applications and services been purged
from systems? How often does this task take place?
—  Are all OSes and applications updated to current levels?
—  How is backup media stored? Who has access to it? Is it
up-to-date?
—  How is email security addressed?
—  How is Web security addressed?
—  How is wireless security addressed?
SECURITY AUDITS
¢  Some of the key questions that an auditor must ask include:
—  Are remote workers covered by security policies?
—  Is a disaster-recovery plan in place? Has the plan ever
been rehearsed?
—  Have custom applications been tested for security flaws?
—  How are configuration and code changes documented?
How often are these records reviewed?

Many other questions pertaining to the exact nature of the business's operations also must be addressed.
INTERNAL AUDITS
¢  BAU (business-as-usual) audits:
—  Checking the current status of maintained platforms and software
—  Should be regular
¢  On-demand audits:
—  Test if procedures are working
—  Test if the team is prepared for emergency situations
—  Test third-party responsibilities
SECURITY AUDITS
¢  "Off-the-shelf" audits are:
—  Ineffective
—  More costly in the long term
—  Not showing the results that management and security teams are requesting
—  Usually 99% software-based
SECURITY AUDITS
¢  Audit time:

Stage                       % of Total Time
Preparation                 10
Reviewing Policy/Docs       10
Talking/Interviewing        10
Technical Investigation     15
Reviewing Data              20
Writing Up Documentation    20
Report Presentation          5
Post Audit Actions          10
QUESTIONS?
THANK YOU
