
On route to a Trusted Cloud Proof points, not Promises

The Shared Virtual Data Centre (SVDC) Pathfinder Project based on the Yorkshire & Humberside Metropolitan-Area-Network (YHMAN) for Business Continuity & Disaster Recovery Ed Carter - YHMAN Business Manager issejc@leeds.ac.uk. On route to a Trusted Cloud Proof points, not Promises.





Presentation Transcript


  1. The Shared Virtual Data Centre (SVDC) Pathfinder Project based on the Yorkshire & Humberside Metropolitan-Area-Network (YHMAN) for Business Continuity & Disaster Recovery. Ed Carter - YHMAN Business Manager, issejc@leeds.ac.uk. On route to a Trusted Cloud: Proof points, not Promises

  2. YHMAN Shared Virtual Data Centre Pathfinder Project: a multi-tenancy, shared inter-university service based on the Yorkshire & Humberside Metropolitan-Area-Network

  3. Joint Venture University Teaching & Research

  4. Since 1998 YHMAN has managed a Backbone Regional Network (network diagram: University of York, University of Leeds, University of Bradford, Leeds Met University, University of Huddersfield, University of Hull, Sheffield Hallam University, University of Sheffield, with JANET & Internet connectivity)

  5. S-t-r-e-t-c-h-e-d Data Centre Network for BCDR comprising a Resilient Ring and a Shared Virtual Data Centre Overlay Network (diagram: the ring spans about 80 km across the same university sites, with several nodes labelled University of Leeds, Leeds Met University and University of Sheffield, plus JANET & Internet)

  6. SVDC Agility (diagram: the same university sites, with co-location nodes labelled Leeds CoLo, Bradford CoLo and Huddersfield CoLo, plus JANET & Internet)

  7. Secure Shared Services. ‘Cloud’ computing promises to change the economics and increase the agility of corporate IT/IS. However, IT executives want these benefits with the same level of trust as their existing Data Centre Services. The SVDC pathfinder project deploys virtualised security solutions that provide scalability and operational resilience (the protection migrates with the VMs) in order to build trusted multi-tenancy Virtualisation & Cloud based services.

  8. Univ/Corp Security Concerns. Typical architecture: a university/corporate layered firewall topology with a boundary Internet firewall, an internal department/application firewall, a DMZ, and a Finance zone subject to PCI-DSS. Architecture features: stateful firewall, intrusion management, VPN, support for NAT and RIPE. Replicable with Virtual Security Appliances from VMware with vShield & API partners.

  9. Security & Compliance for Trusted Virtualisation & Cloud. Endpoint: streamline and accelerate anti-virus protection solutions. Edge: secure the edge of the VDC & tenants. App: protect apps from threats. Data: protect against data leaks + compliance. (diagram: node servers hosting Virtual DC1 and Virtual DC2, vCentre + Net Administration, VMware vShield Manager, and multi-tenancy with Tenant 1 workloads labelled Credit Card and Corp Web)

  10. Virtual Security & VM Migration (diagram: Physical DC 1, DC 2 and DC 3 hosting VDC 1, VDC 2 and VDC 3 over the SVDC Overlay Network)

  11. VDC Optimised Access Routing, Assigned Affinity VDC (diagram: Physical DC 1-3 hosting VDC 1-3 over the SVDC Overlay Network; each VDC has its own route (VDC1 Route, VDC2 Route, VDC3 Route) through the YHMAN core access nodes to its campus users and to Internet transit)

  12. YHMAN SVDC - Roadmap (diagram labels, arranged along an axis of increased confidence with virtualisation and virtualisation security): Self-Provision by each University connected to YHMAN (vSphere, Hyper-V, XEN); Shared-Provision pooled resources with Edge Security (VMware vSphere + vShield, vShield Edge Based Security; SVDC Cluster1 on the YHMAN Core hosting Uni 1 Web, Uni 1 DB, Uni 2 Web); Shared-Provision pooled resources with ‘layered’ Virtual Security (Edge, App, Data, Endpoint) for Uni 1, Uni 2, Uni 3 (SVDC Cluster1 hosting Uni 1 SMTP, Uni 2 Web, Uni 3 Mail)

  13. Thank You. Ed Carter - YHMAN Business Manager, issejc@leeds.ac.uk, www.yhman.ja.net, www.yhman.net

  14. SVDC Pathfinder Implementation. Kevin Barrass, YHMAN Network Development & Support Officer, SVDC Project Engineer

  15. VMware vSphere + vShield SVDC Use Case Demonstration
      • University 2 VM running SSH service
      • Allow SSH from public VM to University 2 VM
      • Debug traffic flow from public VM to University 2 VM
      Legend: Public VM 10.1.1.2 on the Public Port Group PG-PUBLIC (VLAN 100); University 2 VM 192.168.1.10 on the University 2 Port Group PG-UNI2 (VLAN 1000), in the University 2 VDC; vShield Edge VM with extif 10.1.1.1/24 on PG-PUBLIC and intif 192.168.1.1/24 on PG-UNI2

  16. Deploy vShield Edge for University 2

  17. Verify vShield Edge Configuration

  18. Set Default Firewall Policy to Deny. Add DHCP Pool for University 2 Port Group

  19. Configure DNAT to translate 10.1.1.1 TCP 22 → 192.168.1.10 TCP 22. Configure SNAT to translate pool 192.168.1.10-100 → 10.1.1.1

  20. Port scan to verify University 2 VM is protected by vShield Edge. Configure firewall rule to allow 10.1.1.2 SSH access to University 2 VM

  21. Port scan and SSH session to verify University 2 VM is now accessible via SSH. vShield Edge Console Commands: debug traffic from 10.1.1.2 to TCP Port 22 on external interface

  22. “show iptables nat” – shows matches on DNAT rule “show iptables filter” – shows matches on firewall rule
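The demo in slides 18 to 22 is a small, verifiable policy: default deny, one DNAT, one SNAT pool and one allow rule. The block below is an added example, not code from the presentation or from VMware; it models that policy as iptables-style chains (nat PREROUTING runs before the filter chain, nat POSTROUTING after it, which is what the "show iptables nat/filter" commands on slide 22 imply) so the rule set can be checked before it is pushed to the Edge. All addresses come from the slide 15 legend; the Packet type, the function names and the match counters are constructed for this illustration. It also shows the check a practitioner wants at slide 20: an allow rule written against the pre-DNAT destination 10.1.1.1 can never match, because the filter sees the translated destination 192.168.1.10.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


# Addresses from the demo legend (slide 15)
EDGE_EXT = "10.1.1.1"       # vShield Edge external interface (extif)
PUBLIC_VM = "10.1.1.2"      # public VM that should be allowed SSH
UNI2_VM = "192.168.1.10"    # University 2 VM running the SSH service

# Slide 18: default firewall policy deny
DEFAULT_POLICY = "deny"
# Slide 19: DNAT 10.1.1.1 TCP 22 -> 192.168.1.10 TCP 22
DNAT_RULES = [((EDGE_EXT, "tcp", 22), (UNI2_VM, 22))]
# Slide 19: SNAT the pool 192.168.1.10-100 to 10.1.1.1 for outbound traffic
SNAT_POOL = (ip_address("192.168.1.10"), ip_address("192.168.1.100"))
# Slide 20: allow 10.1.1.2 SSH to the University 2 VM. The destination is the
# post-DNAT address because the nat PREROUTING chain runs before filter.
FILTER_ALLOW = [(PUBLIC_VM, UNI2_VM, "tcp", 22)]

# Constructed match counters, the model's stand-in for "show iptables nat/filter"
counters = {"dnat": 0, "filter_allow": 0, "filter_default": 0}


def prerouting_dnat(pkt):
    """nat PREROUTING: rewrite destination for a matching DNAT rule."""
    for (dst, proto, dport), (new_dst, new_port) in DNAT_RULES:
        if (pkt.dst, pkt.proto, pkt.dport) == (dst, proto, dport):
            counters["dnat"] += 1
            return replace(pkt, dst=new_dst, dport=new_port)
    return pkt


def filter_chain(pkt):
    """filter chain: first matching allow rule wins, else the default policy."""
    for rule in FILTER_ALLOW:
        if (pkt.src, pkt.dst, pkt.proto, pkt.dport) == rule:
            counters["filter_allow"] += 1
            return "allow"
    counters["filter_default"] += 1
    return DEFAULT_POLICY


def postrouting_snat(pkt):
    """nat POSTROUTING: sources in the SNAT pool leave as the Edge external IP."""
    lo, hi = SNAT_POOL
    if lo <= ip_address(pkt.src) <= hi:
        return replace(pkt, src=EDGE_EXT)
    return pkt


def inbound(pkt):
    """Packet arriving on extif: DNAT first, then the filter verdict.
    Returns (verdict, packet as it would be delivered to the internal side)."""
    translated = prerouting_dnat(pkt)
    return filter_chain(translated), translated


def outbound(pkt):
    """Packet leaving on extif from the tenant side: SNAT applied."""
    return postrouting_snat(pkt)


def port_scan(src, ports=(22, 80, 443)):
    """Ports on the Edge external IP that a scanner at `src` would find open."""
    return [p for p in ports
            if inbound(Packet(src, EDGE_EXT, "tcp", p))[0] == "allow"]


def allow_rule_reachable(rule):
    """False if the rule names a destination/port that DNAT always rewrites,
    i.e. the filter chain can never see a packet matching it."""
    _src, dst, proto, dport = rule
    rewritten = {d for (d, p, port), _ in DNAT_RULES if (p, port) == (proto, dport)}
    return dst not in rewritten


if __name__ == "__main__":
    print("scan from 10.1.1.3 (slide 20):", port_scan("10.1.1.3"))
    print("scan from 10.1.1.2 (slide 21):", port_scan("10.1.1.2"))
    print("rule against 10.1.1.1:22 reachable?",
          allow_rule_reachable((PUBLIC_VM, EDGE_EXT, "tcp", 22)))
    print("counters:", counters)
```

Running the module reproduces the two port scans from slides 20 and 21: the scan from an address other than 10.1.1.2 sees nothing open, the scan from 10.1.1.2 sees only TCP 22, and the counters climb the same way the DNAT and filter match counts do in the Edge console.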
