Microsegment and secure your networks with the Azure inspired


CYBER THREATS ARE A MATERIAL RISK TO YOUR BUSINESS
$3.0 trillion: impact of lost productivity and growth
$4 million: average cost of a data breach (15% YoY increase)
$500 million: corporate liability coverage
Source: McKinsey, Ponemon Institute, Verizon
[Chart: Hacking/Skimming/Phishing breaches per year, 2007 to 2015. Data covers 2005 to July 12, 2016: number of breaches = 6,333; number of records = 864,236,208.]
Traditional security boundaries
Attack timeline:
First host compromised
Domain admin compromised: 24–48 hours later
Attack discovered: mean dwell time 150+ days (varies by industry)
Monitoring/Detection
Manage privileged identities
Secure the OS: host & guest (Host Integrity, Guest Integrity)
Prevent credential theft
Secure virtualization
Agility: “I need to onboard workloads with complex policies across my own datacenter and/or the public cloud in days – not weeks – to remain competitive.”
Security: “I must stop a compromised node from attacking other nodes on my network”
Costs: “I need to reduce the number of operator interventions and efficiently meet network growth demands. Current practices just won’t scale.”
[Diagram: SDN architecture. A management tool (SCVMM, PowerShell, Azure Stack) drives the Network Controller, which programs the Hyper-V hosts in the datacenter. On each host, VM vNICs attach to the VM Switch, where the Virtual Filtering Platform (VFP) applies ACLs, metering and security, VNET encapsulation and SLB (NAT) before traffic leaves through the physical NIC toward the datacenter network and the Internet.]
[Diagram: policy flow. The VNet description and workload description go to the Controller, which derives VNet routing policy, NAT endpoints and ACLs and pushes them down to VFP on the host, which sits above the physical NIC.]
VFP flow tables on host 10.4.1.5 for Blue VM1 (10.1.1.2):

VNET layer (match -> action)
  TO: 10.2/16    -> Encap to GW
  TO: 10.1.1.5   -> Encap to 10.5.1.7
  TO: !10/8      -> NAT out of VNET

LB NAT layer (match -> action)
  TO: 79.3.1.2   -> DNAT to 10.1.1.2
  TO: !10/8      -> SNAT to 79.3.1.2

ACL layer (match -> action)
  TO: 10.1.1/24  -> Allow
  10.4/16        -> Block
  TO: !10/8      -> Allow
3 Hyper-V hosts (Full, Core or Nano)
3 Network Controller VMs
If using virtual networking: 2 Software Load Balancer Mux VMs, and/or 2 multi-tenant gateway VMs
1. Virtual Networking: virtual network isolation, application agility
2. SDN Firewall: dynamic security
Default ACL rules:
Name | Priority | Source IP | Source Port | Destination IP | Destination Port | Protocol | Access
DENY ALL INBOUND | 65500 | * | * | * | * | * | DENY
ALLOW ALL OUTBOUND | 65500 | * | * | * | * | * | ALLOW
Default rules block software load balancer health probe!
Inbound rules:
Name | Priority | Source IP | Source Port | Destination IP | Destination Port | Protocol | Access
ALLOW ALL INBOUND | 101 | * | * | * | * | * | ALLOW
DENY ALL INBOUND | 65500 | * | * | * | * | * | DENY

Outbound rules:
Name | Priority | Source IP | Source Port | Destination IP | Destination Port | Protocol | Access
ALLOW ALL OUTBOUND | 101 | * | * | * | * | * | ALLOW
DENY ALL OUTBOUND | 65500 | * | * | * | * | * | DENY
Name | Priority | Source IP | Source Port | Destination IP | Destination Port | Protocol | Access
Inbound | 101 | * | * | * | * | * | ALLOW
Outbound | 101 | * | * | * | * | * | ALLOW

For default ACLs use this instead:
    $vsubnet.Properties.AccessControlList = $null
Source IP | Destination IP | Protocol | Source Port | Destination Port | Direction | Action | Priority
AZURELOADBALANCER | * | All | * | * | Inbound | Allow | 101
192.168.0.0/24 | * | All | * | * | Inbound | Deny | 103
* | * | All | * | * | Inbound | Allow | 105
* | AZURELOADBALANCER | All | * | * | Outbound | Allow | 102
* | 192.168.0.0/24 | All | * | * | Outbound | Deny | 104
* | * | All | * | * | Outbound | Allow | 106
Source IP | Destination IP | Protocol | Source Port | Destination Port | Direction | Action | Priority
* | 192.168.1.0/24 | TCP | * | 1433 | Outbound | Allow | 101
* | 192.168.0.1 | All | * | * | Outbound | Allow | 102
* | 192.168.3.10 | TCP | * | 53 | Outbound | Allow | 103
* | 192.168.3.10 | UDP | * | 53 | Outbound | Allow | 104
* | * | All | * | * | Outbound | Deny | 108
* | * | All | * | 3389 | Inbound | Allow | 105
AZURELOADBALANCER | * | All | * | * | Inbound | Allow | 106
* | * | All | * | * | Inbound | Deny | 107
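The table above expressed as a Network Controller ACL and attached to a virtual subnet, as an added example that is not from the deck. It assumes the Network Controller PowerShell module is installed, that $ncUri is a placeholder for your Network Controller REST endpoint, that the virtual network resource is named "TenantVNet", and that the "AZURELOADBALANCER" source tag is accepted exactly as the deck's table shows it; the In-SLB rule is what keeps the default rules from blocking the software load balancer health probe.

```powershell
# Added example (not the deck's code). Placeholder values are marked.
$ncUri = "https://nc.example.invalid"   # placeholder: your NC REST FQDN

function New-AclRule {
    param($Id, $Priority, $Type, $Protocol, $Src, $Dst, $DstPort, $Action)
    $p = New-Object Microsoft.Windows.NetworkController.AclRuleProperties
    $p.Protocol = $Protocol                  # "All", "TCP" or "UDP"
    $p.SourceAddressPrefix = $Src
    $p.DestinationAddressPrefix = $Dst
    $p.SourcePortRange = "0-65535"           # source port is "*" in every row
    $p.DestinationPortRange = $DstPort
    $p.Action = $Action                      # "Allow" or "Deny"
    $p.Priority = "$Priority"                # lower number is evaluated first
    $p.Type = $Type                          # "Inbound" or "Outbound"
    $p.Logging = "Enabled"
    $r = New-Object Microsoft.Windows.NetworkController.AclRule
    $r.ResourceId = $Id
    $r.Properties = $p
    return $r
}

# One rule per row of the table; rule names are chosen here, not by the deck.
$rules = @(
    (New-AclRule "Out-SQL"    101 "Outbound" "TCP" "*" "192.168.1.0/24" "1433"    "Allow"),
    (New-AclRule "Out-GW"     102 "Outbound" "All" "*" "192.168.0.1"    "0-65535" "Allow"),
    (New-AclRule "Out-DNSTCP" 103 "Outbound" "TCP" "*" "192.168.3.10"   "53"      "Allow"),
    (New-AclRule "Out-DNSUDP" 104 "Outbound" "UDP" "*" "192.168.3.10"   "53"      "Allow"),
    (New-AclRule "Out-Deny"   108 "Outbound" "All" "*" "*"              "0-65535" "Deny"),
    (New-AclRule "In-RDP"     105 "Inbound"  "All" "*" "*"              "3389"    "Allow"),
    (New-AclRule "In-SLB"     106 "Inbound"  "All" "AZURELOADBALANCER" "*" "0-65535" "Allow"),
    (New-AclRule "In-Deny"    107 "Inbound"  "All" "*" "*"              "0-65535" "Deny")
)

$aclProps = New-Object Microsoft.Windows.NetworkController.AccessControlListProperties
$aclProps.AclRules = $rules
New-NetworkControllerAccessControlList -ConnectionUri $ncUri -ResourceId "Tier-ACL" -Properties $aclProps

# Attach the ACL to the first subnet of the virtual network and PUT the network back.
$acl  = Get-NetworkControllerAccessControlList -ConnectionUri $ncUri -ResourceId "Tier-ACL"
$vnet = Get-NetworkControllerVirtualNetwork -ConnectionUri $ncUri -ResourceId "TenantVNet"
$vnet.Properties.Subnets[0].Properties.AccessControlList = $acl
New-NetworkControllerVirtualNetwork -ConnectionUri $ncUri -ResourceId $vnet.ResourceId -Properties $vnet.Properties
```

Setting the subnet's AccessControlList back to $null, as the deck shows, returns the subnet to the default rules.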
1. Virtual Networking
2. SDN Firewall
3. Virtual appliances with user defined routing

Virtual appliances (dynamic security):
VMs that perform specific network functions
Typically Linux or FreeBSD-based platforms
Do not need to be SDN or SCVMM aware: ANY Hyper-V appliance
Not just for security!
First deploy your virtual appliance VM and give it an IP address on the virtual network, then configure the virtual appliance to forward (or drop) packets on the same or a different interface.
[Diagram: host cluster with a virtual appliance in the path of user defined routing.]

1. Virtual Networking
2. SDN Firewall
3. Virtual appliances with user defined routing
4. Virtual appliances with SDN port mirroring

Virtual appliances (dynamic security), management options:
Feature | VMM UI | VMM PowerShell | Network Controller PowerShell/REST
Virtual Networks | Yes | Yes | No
VM Creation | Yes | Yes | No
ACLs | No | Yes | No
Load Balancer | No | Yes | No
UDR | No | No | Yes
Port Mirroring | No | No | Yes
VMM default ACL rules:
Name | Priority | Source IP | Source Port | Destination IP | Destination Port | Protocol | Access
ALLOW ALL INBOUND | 65000 | * | * | * | * | * | ALLOW
DENY ALL INBOUND | 65500 | * | * | * | * | * | DENY
ALLOW ALL OUTBOUND | 65500 | * | * | * | * | * | ALLOW
VMM reserves priorities 64900 – 65000 for itself
1. Virtual Networking
2. SDN Firewall
3. Virtual appliances with user defined routing
4. Virtual appliances with SDN port mirroring
Day | Date | Time | Title
Tuesday | 9/27/2016 | 9:00 | Explore Windows Server 2016 Software Defined Datacenter
Tuesday | 9/27/2016 | 10:45 | Deploy complex workloads with Azure Agility - from zero to SDN in 60 minutes
Thursday | 9/29/2016 | 14:15 | Microsegment and secure your networks with the Azure inspired Software Defined Networking
Friday | 9/30/2016 | 12:30 | Dig into cloud networking performance, monitoring, and diagnostics
Don’t forget about the SDN Hands-On-Lab using SC VMM!
www.microsoft.com/itprocareercenter
www.microsoft.com/itprocloudessentials
www.microsoft.com/mechanics
https://techcommunity.microsoft.com
http://myignite.microsoft.com
https://aka.ms/ignite.mobileapp