
VMware vSphere Data Protection and Security with Emulex and Cisco SANs


Presentation Transcript


  1. VMware vSphere Data Protection and Security with Emulex and Cisco SANs

  2. Cisco, Emulex and VMware present The SAN Virtuosity Series
  • The SAN Virtuosity Series enables data centers to enhance their implementation of a Fibre Channel SAN using Emulex HBAs, Cisco MDS switches, and VMware vSphere 4
  • Series of Webcasts and Papers
  • Today’s Presenters:
    • Dean Coza, Director of Security Product Management (VMware): Security and Virtualization
    • Bob Nusbaum, Software Product Line Manager (Cisco): Securing Your SAN
    • Bill Fields, Director Systems Engineering (Emulex): Advanced Topics
  Visit: www.sanvirtuosity.com

  3. Session Logistics
  • During the Session you will be placed on mute
  • Use Webex Q&A and Chat features to raise questions
  • Questions will be monitored during the presentation and answered at the conclusion of the presentation
  • The winner of the Beats Headset will be announced at the close of today’s webcast
  • If you would like a copy of the presentation, please email your request to judi.uttal@emulex.com

  4. Security and Virtualization
  Dean Coza, Director of Security Product Management, VMware

  5. Best Practices
  • Responsibility of the Chief Information and Security Officer (CISO)
  • Standards and Regulations
    • Sarbanes-Oxley
    • GLBA
    • HIPAA
    • FERC, NERC
    • (SB1386, etc.)
    • PCI DSS
    • ISO 27002
    • STIGS
    • Etc.

  6. Virtualized Infrastructure Risks and Perceptions
  • Gartner Says 60% of Virtualized Servers Will Be Less Secure Than the Physical Servers They Replace Through 2012
    • Immature controls, training and processes
    • A compromise of the virtualization layer could result in the compromise of all hosted workloads
    • The lack of visibility and controls on internal virtual networks created for VM-to-VM communications blinds physical security solutions
    • Adequate controls on administrative access to the Hypervisor/VMM layer and to administrative tools are lacking
    • Lack of SOD instrumentation for network and security controls
  Inhibitor to platform adoption or opportunity for emerging segment leadership?

  7. IT Security Market Overview
  • One market, many segment leaders
  • Mix of mature and emerging technologies
  • Compliance is a major budget driver
  • Current investment in virtualization security disproportionately low compared to % assets virtualized

  8. Virtualization Security Challenges the Status Quo
  • Innovation opportunity – virtualization “breaks” security controls and their management
  • Business model changes and significantly lower pricing for users – counterproductive for incumbent leaders
    • Appliances → Software (lower ASPs)
    • Agent consolidation (lower volume and ASPs)
    • Appliances → SaaS (deferred revenue streams)
  • Buying center changes – battle for control
    • Undefined boundary between VI and Security Ops
    • Where’s the budget coming from – VI, Security, Compliance?
  • New entrants
    • Unencumbered by legacy technology and business models
    • Acquisitions could rapidly change the landscape
  *Neil MacDonald, Gartner

  9. Securing Your SAN
  Bob Nusbaum, Software Product Line Manager, Cisco Systems

  10. Why Is SAN Security Important?
  • See Dean’s list of regulations
  • Many of the regulations and legislation require ‘countermeasures against internal and external threats’
  • In an audit or a breach, your best defense is that you have already been proactive!

  11. Securing Fibre Channel
  • ‘FC Zoning’ provides segregation between Storage devices
  • ‘Port Mode Security’ prevents edge ports coming up as ISLs
  • ‘Port Security’ / ‘Port Binding’ protect against WWN Spoofing
    • Lock WWNs to specific ports
  • Virtual SANs (VSANs) provide segregation between (virtual) fabrics
  • FC Security Protocol (FC-SP) is the final step required to secure FC
    • Device authentication, per message secrecy and integrity protection, policy management

  12. Securing Storage Management
  Storage Management Security includes:
  • Authentication, Authorization and Accounting (AAA) of management actions
    • RADIUS/TACACS+
    • Syslog
    • SNMP Traps
    • Call Home (SMTP)
  • Role Based management Access Control (“RBAC”)
  • Secure transport of management actions
    • SSH, SNMPv3, SSL/TLS
  • Access control to management interfaces
  • Secure design of the network management module
  • Consistent Security Policy across all devices

  13. IP Storage Security: FC-over-IP (FCIP)
  • FCIP allows for interconnection of SAN islands via IP networks
  • The FCIP standard doesn’t provide for any in-band security mechanisms
  • Per message origin authentication, integrity, anti-replay protection, and privacy are provided, where required, by independent IPsec tunnels
  • FCIP tunnel is a virtual ISL—can leverage existing FC Fabric security mechanisms
    • FC Port Security
    • FC-based FC-SP DH-CHAP switch-to-switch authentication

  14. Cisco TrustSec: Link-Level Data Integrity and Encryption
  [Figure: FC Data Integrity & Encryption on 8G modules across a MAN (DWDM/SONET)]
  • Preserve integrity and confidentiality of:
    • FC traffic over MAN, campus, or within data center
    • LAN traffic over Ethernet, wireless, etc. (for VMotion, LAN backup, etc.)
  • Integrated, high performance functionality
  • No change to existing SAN, enable functionality only on edge switches

  15. Encryption Solutions For Data At Rest
  • Host / Software Based
    • Keys stored on database or application servers where data resides
    • CPU Intensive
  • SAN Appliances
    • Scalable by adding more appliances
    • Rewire and reconfigure SAN ports and zoning
  • Tape Drives
    • High Performance
    • New Drives and possibly new media needed
    • Could be costly
  • Fabric Based
    • Ease of installation
    • Scalable
    • Integrated with Key Management Solutions

  16. Delivering Encryption as a SAN Service
  [Figure: a cleartext record (Name: XYZ, SSN: 1234567890, Amount: $123,456, Status: Gold) passes through the Storage Media Encryption Service on MDS 9500 Series / MDS 9200 Series switches and reaches the Storage Media as ciphertext]
  • Insert Cisco SSN-16 or MSM-18/4 modules or MDS 9222i switches
  • Enable Cisco SME and set up encryption service
  • Provision encryption for specific storage devices

  17. Cisco SME – Secure, Integrated Solution
  • Encrypts storage media (data at rest)
  • Strong, Std. IEEE AES-256 encryption
  • Integrates as transparent fabric service
  • Handles traffic from any virtual SAN (VSAN) in fabric
  • Supports heterogeneous, SAN attached tape devices and virtual tape libraries
  • Includes secure key management
  • Open API integrates with enterprise-wide, lifecycle key managers, including RSA
  • Compresses tape data
  • Allows offline, software only media recovery
  [Figure: the Application Server writes the cleartext record; the fabric encrypts it, with keys from RKM over TCP/IP, before it reaches the Virtual Tape Library and Tape Devices]

  18. Services-Oriented SANs are Future-Proof
  [Figure: MDS 9000 services (I/O Accelerator, Secure Erase, FCoE, Storage Media Encryption (SME), Data Mobility Manager (DMM), RecoverPoint, FC, iSCSI) hosted on the 16-port Storage Services Node, the 18/4-port Multiservice Module and the MDS 9222i; Cisco Applications and Partner Applications run on the platform]
  • Provides services independent of SAN speed or transport
  • Heterogeneous solution for various types of storage arrays and servers
  • Clustering architecture scales to support Unified I/O fan-in
  • Open platform for enabling partner applications

  19. Summary
  [Figure: Application Servers connected through MSM-18/4 modules to a Storage Array]
  • Security
  • Services-Oriented SANs
  • Investment Protection
  *Neil MacDonald, Gartner

  20. Advanced Concepts
  Bill Fields, Director Systems Engineering, Emulex Corporation

  21. FC-SP Authentication
  [Figure: Trusted Hosts authenticate to the Fabric with FC-SP (DH-CHAP); the Fabric authenticates to the Storage Subsystems with FC-SP (DH-CHAP); a RADIUS Server is attached to the Fabric; Unauthorized Hosts are shown kept outside it]
  • FC-SP defines DH-CHAP as the baseline authentication scheme
  • DH-CHAP is used for switch-to-switch authentication to lock down fabric configuration (secure fabric building)
  • Extending level of trust from fabric core to the fabric edge, protecting access points to the SAN
    • Authentication handshake between HBA and fabric switch
    • At fabric login time (FLOGI) before the host can join the fabric
  • Additional layer of protection above and beyond physical security, fabric zoning, and LUN masking
    • Local, host-to-fabric authentication
    • End-to-end, host-to-target authentication
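The DH-CHAP handshake this slide describes, worked through as an added example (not code from Emulex, Cisco or the presentation). It models the HBA-to-fabric-switch exchange at FLOGI: the switch challenges, the host answers with a hash over a per-WWPN secret that the switch fetches from a RADIUS-style store, and a Diffie-Hellman value binds each response to a fresh session so a captured reply cannot be replayed; the host then challenges the fabric back, so an impostor switch port is refused too. The message names, the toy DH group (p = 2^521 - 1, generator 2), the SHA-256 hash and the field order inside the hash are assumptions of this example and not the normative FC-SP encoding; the WWPNs and secrets are constructed.

```python
"""Simplified FC-SP DH-CHAP at fabric login (added example, see assumptions)."""
import hashlib
import hmac
import secrets

# Toy DH group: p = 2**521 - 1 (a Mersenne prime), generator 2. Assumption
# made to keep the example self-contained; FC-SP uses standard MODP groups.
P = 2 ** 521 - 1
G = 2
KEY_LEN = (P.bit_length() + 7) // 8


def response(tid, secret, challenge, shared_key):
    """R = SHA-256(Ti || secret || C || g^xy mod p). Hash choice and field
    order are this example's assumption, not the normative FC-SP layout."""
    h = hashlib.sha256()
    h.update(tid.to_bytes(4, "big"))
    h.update(secret)
    h.update(challenge)
    h.update(shared_key.to_bytes(KEY_LEN, "big"))
    return h.digest()


class Entity:
    """An HBA N_Port or a switch port. `peers` maps trusted WWPNs to their
    DH-CHAP secrets: on the switch this is what RADIUS returns, on the host
    it is the entry configured in the HBA management tool."""

    def __init__(self, wwpn, secret, peers):
        self.wwpn = wwpn
        self.secret = secret
        self.peers = dict(peers)


def dhchap_login(switch, host, tid=1):
    """Mutual DH-CHAP between a switch (authenticator) and a host (responder).
    Returns (accepted, transcript); the transcript holds only what crossed
    the link, so it can be checked for leaked secrets."""
    transcript = []

    # 1. DHCHAP_Challenge: switch picks x, sends challenge C1 and g^x mod p
    x = secrets.randbelow(P - 2) + 2
    c1 = secrets.token_bytes(16)
    gx = pow(G, x, P)
    transcript.append(("DHCHAP_Challenge", switch.wwpn, {"tid": tid, "c1": c1, "gx": gx}))

    # 2. DHCHAP_Reply: host picks y, derives K = (g^x)^y mod p, answers C1,
    #    and sends its own challenge C2 plus g^y so the fabric must prove
    #    itself as well. The secret itself is never transmitted.
    y = secrets.randbelow(P - 2) + 2
    gy = pow(G, y, P)
    k_host = pow(gx, y, P)
    r1 = response(tid, host.secret, c1, k_host)
    c2 = secrets.token_bytes(16)
    transcript.append(("DHCHAP_Reply", host.wwpn, {"tid": tid, "r1": r1, "gy": gy, "c2": c2}))

    # 3. Switch fetches the secret registered for the claimed WWPN and
    #    recomputes R1: an unknown WWPN or a wrong secret ends the login.
    host_secret = switch.peers.get(host.wwpn)
    k_switch = pow(gy, x, P)
    if host_secret is None or not hmac.compare_digest(
            r1, response(tid, host_secret, c1, k_switch)):
        transcript.append(("AUTH_Reject", switch.wwpn, {"tid": tid}))
        return False, transcript

    # 4. DHCHAP_Success carries R2, the switch's answer to the host's C2
    r2 = response(tid, switch.secret, c2, k_switch)
    transcript.append(("DHCHAP_Success", switch.wwpn, {"tid": tid, "r2": r2}))

    # 5. Host checks R2 against the fabric secret it was configured with,
    #    so a port merely claiming the core switch's WWPN is refused.
    switch_secret = host.peers.get(switch.wwpn)
    if switch_secret is None or not hmac.compare_digest(
            r2, response(tid, switch_secret, c2, k_host)):
        transcript.append(("AUTH_Reject", host.wwpn, {"tid": tid}))
        return False, transcript
    return True, transcript


def secret_on_wire(transcript, secret):
    """True if the raw secret appears inside any transmitted byte field."""
    return any(isinstance(v, bytes) and secret in v
               for _, _, fields in transcript for v in fields.values())


# Constructed inventory: WWPNs and secrets are made up for this example.
SW_WWPN, SW_SECRET = "20:01:00:0d:ec:aa:bb:cc", b"fabric-core-secret"
HOST_WWPN, HOST_SECRET = "10:00:00:00:c9:12:34:56", b"esx01-hba-secret"
radius = {HOST_WWPN: HOST_SECRET}                    # what RADIUS hands the switch
switch = Entity(SW_WWPN, SW_SECRET, radius)
trusted = Entity(HOST_WWPN, HOST_SECRET, {SW_WWPN: SW_SECRET})
spoofer = Entity(HOST_WWPN, b"guess", {SW_WWPN: SW_SECRET})       # spoofed WWPN, no secret
unknown = Entity("10:00:00:00:c9:ff:ff:ff", b"x", {SW_WWPN: SW_SECRET})  # never registered
impostor = Entity(SW_WWPN, b"not-the-fabric", radius)             # fake switch port

if __name__ == "__main__":
    cases = [("trusted host", switch, trusted), ("spoofed WWPN", switch, spoofer),
             ("unknown WWPN", switch, unknown), ("impostor switch", impostor, trusted)]
    for label, sw, h in cases:
        ok, log = dhchap_login(sw, h)
        print(f"{label:16s} {'FLOGI accepted' if ok else 'rejected'} "
              f"after {[m for m, _, _ in log]}")
```

Two things worth noticing when you run it: the transcript never contains either secret, only challenges, DH values and digests, and because every session mixes a fresh g^xy into the response, two logins by the same host produce different R1 values, which is what makes a recorded reply worthless against a later challenge.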

  22. What is N-Port ID Virtualization
  • N-Port ID Virtualization (NPIV): an ANSI T11 standard
    • T11 is the ANSI committee defining Fibre Channel (www.t11.org)
    • Emulex and IBM invented NPIV in 2001, sponsored it through T11 in 2003
  • Enables a single endpoint (HBA) to register multiple fabric addresses corresponding to each VM
  • NPIV provides security, QoS, provisioning to individual VMs
  • NPIV is now widely adopted:
    • A feature in every major operating system/hypervisor
    • Increasing application portfolio, user implementations
    • #4 on the InfoPro user-based “Heat Index” of storage technologies:

  23. Benefits of NPIV
  • Higher performance, increased consolidation
    • Server: RDM or fixed VHD on FC provide thinner host stack, best I/O performance
    • Fabric: QoS and prioritization ensures VM-level bandwidth assignment
    • Storage: Dedicated LUN enhances array cache utilization, RAID/HD selection
  • Data protection:
    • Zoning: restores best practices (one server, one zone), auditable data security
    • Array-level LUN masking: control access at individual LUN level. Use the same tools and practices for virtualized servers as for hardware-based servers
  • Simplified management:
    • Storage pre-provisioning: provision storage to WWNs you create ahead of time. Instantiate these Vports at the time of VM creation.
    • Accelerated VMotion or Live Migration (portable attachment parameters)
    • VSAN integration and routing (isolation, scalability)
    • Eliminates server/storage duplicate administration
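The zoning points on slide 11 and the "one server, one zone" / auditable-data-security points on this slide lend themselves to a check, so here is an added example (not Emulex or Cisco code) that parses an active-zoneset listing laid out like NX-OS `show zoneset active` output (layout approximated from memory, not captured from a switch), classifies each member from a constructed inventory as a physical HBA port, a VM's NPIV vport or an array port, and reports zones that break single-initiator zoning, have no target, or carry a WWPN nobody in the inventory owns. It also derives which array ports each VM vport can reach, which is the mapping an auditor asks for once VMs have their own WWPNs. All WWPNs, zone names and the inventory are constructed.

```python
"""Single-initiator zoning audit for an NPIV-enabled fabric (added example)."""
import re
from collections import defaultdict

# Constructed listing shaped like NX-OS `show zoneset active vsan 10`
# (layout approximated, not captured from a switch). Members already
# logged in carry a `* fcid` prefix; the last member is offline.
SAMPLE_ZONESET = """\
zoneset name ZS_PROD vsan 10
  zone name Z_VM_WEB vsan 10
  * fcid 0x010001 [pwwn 28:00:00:0c:29:00:00:01]
  * fcid 0x010200 [pwwn 50:06:01:60:3b:60:1c:9f]
  zone name Z_VM_DB vsan 10
  * fcid 0x010002 [pwwn 28:00:00:0c:29:00:00:02]
  * fcid 0x010200 [pwwn 50:06:01:60:3b:60:1c:9f]
  * fcid 0x010201 [pwwn 50:06:01:68:3b:60:1c:9f]
  zone name Z_LEGACY_ESX01 vsan 10
  * fcid 0x010000 [pwwn 10:00:00:00:c9:12:34:56]
  * fcid 0x010002 [pwwn 28:00:00:0c:29:00:00:02]
  * fcid 0x010201 [pwwn 50:06:01:68:3b:60:1c:9f]
    pwwn 21:00:00:e0:8b:01:02:03
"""

# Constructed inventory. Initiators are the ESX host's physical HBA port
# plus one NPIV vport per VM; targets are the array's front-end ports.
INITIATORS = {
    "10:00:00:00:c9:12:34:56": "esx01-hba0",
    "28:00:00:0c:29:00:00:01": "vm-web",   # NPIV vport created for the VM
    "28:00:00:0c:29:00:00:02": "vm-db",
}
TARGETS = {
    "50:06:01:60:3b:60:1c:9f": "array-SPA0",
    "50:06:01:68:3b:60:1c:9f": "array-SPB0",
}

ZONE_RE = re.compile(r"^\s*zone name (\S+) vsan (\d+)")
PWWN_RE = re.compile(r"pwwn ([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){7})")


def parse_active_zoneset(text):
    """Return {zone_name: set(pwwn)}. Members are taken by pwwn whether or
    not they are currently logged in, since zoning applies either way."""
    zones, current = {}, None
    for line in text.splitlines():
        m = ZONE_RE.match(line)
        if m:
            current = m.group(1)
            zones.setdefault(current, set())
            continue
        if current is not None:
            zones[current].update(p.lower() for p in PWWN_RE.findall(line))
    return zones


def audit_zones(zones, initiators, targets):
    """Apply the best practice from the slides: exactly one initiator per
    zone, at least one target, and no member the inventory cannot account
    for. Also derive which array ports each initiator (physical HBA or VM
    vport) can reach. Returns (findings, reach); findings are (zone, msg)."""
    known = set(initiators) | set(targets)
    findings, reach = [], defaultdict(set)
    for zone, members in sorted(zones.items()):
        inits = sorted(m for m in members if m in initiators)
        tgts = sorted(m for m in members if m in targets)
        for m in sorted(members - known):
            findings.append((zone, f"unknown member {m} (not in HBA, vport or array inventory)"))
        if len(inits) != 1:
            findings.append((zone, f"{len(inits)} initiators (single-initiator zoning expects exactly 1)"))
        if not tgts:
            findings.append((zone, "no target member"))
        for i in inits:
            reach[initiators[i]].update(targets[t] for t in tgts)
    return findings, {owner: sorted(ports) for owner, ports in reach.items()}


if __name__ == "__main__":
    findings, reach = audit_zones(parse_active_zoneset(SAMPLE_ZONESET), INITIATORS, TARGETS)
    for zone, msg in findings:
        print(f"FINDING {zone}: {msg}")
    for owner, ports in sorted(reach.items()):
        print(f"{owner} -> {', '.join(ports)}")
```

On the constructed input the two per-VM zones pass, while `Z_LEGACY_ESX01` is flagged twice: it still carries the hypervisor's physical HBA port alongside the vm-db vport (two initiators in one zone, the pre-NPIV pattern the slide says NPIV lets you retire), and it contains a WWPN that no host or array in the inventory owns, which is exactly the kind of stale entry that widens access silently.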

  24. Emulex Advanced Security Availability
  • NPIV and FC-SP are available today
  • ALL Emulex HBAs and FCoE CNAs offer FC-SP Support
  • ALL Emulex FCoE CNAs and 4Gb/s and 8Gb/s HBAs support NPIV (Vports)
  • NPIV and FC-SP Management is supported with HBAnyware® and OneCommand™ Manager
  • OS Support: Windows, Linux, VMware and Solaris
  • Free download off www.emulex.com
  [Figure: LPe12002, OCe-10102-F]

  25. Questions • Please use the Q&A and Chat features in WebEx to submit questions to the presenters

  26. SAN Virtuosity Site
  • Visit sanvirtuosity.com to:
    • View prior webcasts
    • Download white papers
    • View Emulex Training video on deploying Emulex HBAs with vSphere 4
