Hello,
I was hoping someone could clarify/explain, in more detail, security architecture as it relates to a Data Center environment for an enterprise hosting a business application for external customers, especially having to do with securing east-west traffic vs securing north-south traffic, and various deployments.
Obviously every business is different and I realize that different business have different requirements for things like, latency, availability and security among other requirements.
Typically I've just been exposed to the traditional Core/Distribution/Access layer with a Firewall holding the gateway for all applications and services, and the Firewall controlling via 5 tuple ACLs what and who can talk to what.
I've been learning more and more about modern Data Center architectures (ie VXLAN over MP-BGP EVPN), but one area with that I haven't been either able to understand fully or haven't been able to get a good explanation for designing for security to protect east-west traffic.
For simplicities sake, lets assume topologies within this whitepaper by Cisco: https://www.cisco.com/c/en/us/products/collateral/switches/nexus-7000-series-switches/white-paper-c11-735015.pdf
In my specific scenario (in my head), there are two tenants. Obviously in this case each tenant would be assigned their own VRF (A & B) and VNIs would be assigned to each tenant's VRF. By default, a Tenant's VNIs would be isolated from other Tenants in this architecture by the way of the VRF.
Moving on, protecting north-south traffic with a standard NBFW that is context aware seems to be a simple and effective solution (again disregarding other business requirements).
What about east-west traffic? Where and how do you protect various services/applications/databases from each other within the Data Center? I'm imaging that in my scenario, the database would live on a separate subnet, a group of applications on another subnet, another group of related applications on another subnet and lastly webservers/proxies in a DMZ.
I've read about deploying virtual firewalls on each host (seems expensive especially as you scale out), and passing through the NIC(s) directly to the firewall VM, then bridging the vSwitch to the LAN ports of the virtual firewall appliance (may have said that wrong). But I also have read about the bandwidth limitations these virtual firewalls have. Mostly that a lot of firewalls are limited in their throughput compared to their baremetal cousins.
I've read about deploying services like iptables on the servers themselves (using automation tools like chef to set this up/manage). However, this seems like a no-go or very risky at the least simply because if someone were to gain root access to the application (well you have other problems then but still), they could just simply disable the iptables.
Among other designs/scenarios.
What are some of the ways people go about properly protecting east-west traffic between services/applications/databases in the Data Center? Especially lets say if those services belong to the same tenant and reside on the same physical host, but are in two different subnets.
No comments:
Post a Comment