Cloud Security - Network Isolation PDF
Document Details
Harvard University
Ramesh Nagappan
Summary
This document is a lecture note on Cloud Security, focusing on network isolation strategies. It covers workload isolation, network isolation, storage isolation, and application/data isolation in cloud environments.
Full Transcript
Cloud Security, Week 4 – Lecture 1
Ramesh Nagappan, Harvard University
Copyright © Ramesh Nagappan. All rights reserved.

Agenda
- Evolving Cloud Security Architecture
- Building Secure Multitenancy
- Secure Isolation Strategies
  - Workload Isolation
  - Network Isolation
  - Storage Isolation
  - Application & Data Isolation

Multitenant Cloud Security (figure: secure isolation of Apps, Compute, Storage, Network and Data, with Access Control, Data Protection and Monitoring & Auditing as cross-cutting layers)

Quick Recap: Compute/Workload Isolation options
- Physical Isolation: dedicated hosts
- Virtual Machines: Type 1 hypervisor, Type 2 hypervisor
- Containerization (microservices): OCI standard, CRI standard
- Serverless Functions (nanoservices): API endpoints accessible via an API gateway

Quick Recap: Multi-tenancy using Compute Isolation
- Isolation options: servers/VMs, containerization, API functions
- 3R availability options: datacenters, availability zones, regions

Cloud Security Architecture: Building Blocks (figure: Compute, Network, Storage and Application/Data columns; compute isolation via physical hosts, Type 1 hypervisor (VM), Type 2 hypervisor (VM), application containers and functions; Data Protection, Access Control, Monitoring and Auditing as cross-cutting layers)

Cloud Infrastructure - Tenant Isolation: Critical Requirements
Workload Isolation
- Applications run in the cloud as workloads that share system resources such as CPU, memory and networking. Workloads must be isolated from each other so that tenants remain autonomous and secure within the hosted infrastructure, which requires a secure implementation of the runtime environment and of virtual-system isolation.
Network Isolation
- Application data flows in transit share the cloud network infrastructure and allow clients or other hosts to connect to a particular endpoint. Network traffic and endpoints must be segmented and isolated to protect against unauthorized or unwanted access, so that clients and communicating peers can securely reach the tenant.
Storage Isolation
- All guest tenants must have dedicated storage for application data. The storage assignment must remain isolated and must not be accessible to co-residents. The dedicated tenant storage can be a slice or group of disks presented as logical volumes, virtual hard disks or volume storage, but it must be secured and isolated for use by the target guest.
Application/Data Isolation
- All applications and data belonging to a guest tenant must remain secure and isolated in transit, in use and at rest. Application and data isolation must be maintained at the platform with controls that isolate application and data instances at runtime or in the operating system environment.

Network Isolation: Why is it important?
- In a cloud configuration, tenants share compute, network and storage resources from the same underlying physical infrastructure. Without network isolation, tenants could intentionally or unintentionally consume a large part of the network, intrusively see data on the network that does not belong to them, or mount side-channel attacks against other tenants.
- Cloud providers typically want network isolation for resource management or for network security. In most cases they combine both as a means to satisfy tenant requirements.

Network Isolation in Cloud: Types of Network Isolation options
- Network Traffic Isolation: in a cloud environment there are many cases where consumer traffic needs to be isolated from untrusted networks.
  Traffic isolation can be used to provide an initial layer of security, higher bandwidth for specific tenants, specialized chargeback policies, or tiered networks.
- Network Security Isolation (Data Protection): networks in a consolidated environment must be secured and authenticated against trusted clients. Network traffic protection can be implemented using encryption (SSL/TLS, IPsec) or authentication, i.e., allowing or denying tenant service access using validation rules.

Network Isolation: Physical vs. Virtualization (figure: traditional network using physical components vs. virtual network after virtualization; image courtesy: CSA Security)

Physical Network Traffic Isolation: technologies available to provide network traffic isolation
- Physical Segmentation
  - Uses separate network interface cards to carry traffic for logically grouped applications.
  - Note that all network traffic is still carried across the same set of switches and routers, so network convergence still exists. To have a completely isolated network, a siloed network with separate networks and routes needs to be in place.
- A completely isolated network is not recommended, as it does not promote optimal sharing of cloud resources and adds significant management overhead.

Does Virtualization help Network Isolation?
- With virtual networking, hypervisors can provide networking capabilities, allowing individual guest OSs to communicate with one another while simultaneously limiting access to the external physical network. The network interfaces a guest OS sees may be virtual, physical, or both.
- Typical hypervisors offer three primary forms of network access:
  - Network Bridging: the guest OS is given direct access, via the host OS, to the host's network interface cards (NICs).
  - Network Address Translation (NAT):
    The guest OS is given a virtual NIC connected to a simulated NAT inside the hypervisor. All outbound network traffic is sent through the virtual NIC to the host OS for forwarding to a physical NIC.
  - Host-Only Networking: the guest OS is given a virtual NIC that does not route directly to a physical NIC. In this scenario, guest OSs can be configured to communicate with one another and, potentially, with the host OS.
- Virtual networks can be built through logical isolation using VLANs in switches, overlay networks, and Software-Defined Networking (SDN) solutions.

Virtualized Network Traffic Isolation: technologies available to provide network traffic isolation
- vNIC (Virtual Network Interface Controller)
  - In a virtualized environment, vNICs are the fundamental building block of network virtualization. vNICs are created and assigned IP addresses as communication endpoints.
  - A physical NIC is divided into multiple virtual interfaces (vNICs) to create kernel-isolated, dedicated network stacks. These physical network interfaces can be presented as vNICs and shared between one or more VMs. Each vNIC is assigned a unique IP and MAC address, so from a Layer 2 perspective each vNIC is distinct.

vNIC Example configuration (figure: vNICs on top of the operating system / hypervisor)
- vNICs are created on top of physical interfaces (e.g., link0).
- From the application's point of view, vNICs appear exactly like physical interfaces.
- Typically, vNICs are used in conjunction with VLANs.

vNIC Example configuration – Bandwidth control
- vNICs can be created in both Type 1 hypervisor and virtualized guest OS configurations.
- Bandwidth can also be assigned to vNICs to guarantee that each vNIC has a minimum bandwidth available, regardless of the bandwidth usage of other virtual machines sharing the same physical NIC.
(figure: vNICs with bandwidth limits on top of the operating system / hypervisor)

Virtual Switch (figure: VM1 and VM2 attached to a virtual switch on the host / operating system / hypervisor; image source: VMware)
- A virtual switch works like an Ethernet switch: it processes Layer 2 headers and performs Layer 2 forwarding in the hypervisor.
  - The ports on a virtual switch provide logical connection points among virtual devices and between virtual and physical devices.
  - Allows Virtual LAN (VLAN) segmentation at the port level: VLAN tagging, stripping and filtering.
  - Access to a single VLAN is like an access port in a physical switch.
  - Access to multiple VLANs, leaving tags intact, is similar to a trunk port in a physical switch.

VLAN - Physical Network Traffic Isolation: network segmentation for traffic isolation
- VLAN (Virtual LAN)
  - A Virtual LAN (IEEE 802.1Q standard) is a method for segregating network traffic within a bridged LAN infrastructure. VLANs allow two logically separated networks to use the same physical medium while not allowing them to intercommunicate without a Layer 3 device (router).
  - The VLAN configuration is done at a physical switch and defines the mapping between VLANs and ports, referred to as "VLAN tagging".
  - VLAN tagging enables segmentation that can also be defined in the host server to further isolate network traffic. Packets sent by a vNIC on a VLAN cannot be seen by vNICs on other VLANs.

VLAN Topology: understanding VLAN configuration and tagging
- VLANs using physical NICs or vNICs on host computers/VMs help to isolate and segment on-premise physical or virtual network resources.
- VLAN configuration and tagging is done at the switch and defines the mapping between VLANs and ports.
- VLAN tagging helps isolate network traffic to a specific network group.
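As an added example (not code from the lecture), a toy virtual switch in Python that applies the access/trunk rules described above: a frame is classified into a VLAN at ingress, the MAC table is scoped per VLAN, tags are stripped on access ports and kept on trunks, and a frame in VLAN 10 is never delivered to a VLAN 20 port. The port names, MAC addresses and VLAN IDs are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Port:
    """Virtual switch port: an access port belongs to one VLAN, a trunk carries many."""
    name: str
    mode: str                                    # "access" or "trunk"
    access_vlan: Optional[int] = None            # VID assigned to an access port
    allowed_vlans: FrozenSet[int] = frozenset()  # VIDs permitted on a trunk


@dataclass(frozen=True)
class Frame:
    """Simplified Ethernet frame; vlan=None means untagged, otherwise the 802.1Q VID."""
    src_mac: str
    dst_mac: str
    vlan: Optional[int] = None
    payload: bytes = b""


class VirtualSwitch:
    """Toy Layer 2 switch with VLAN-scoped MAC learning and port-level VLAN filtering."""

    def __init__(self, ports):
        self.ports: Dict[str, Port] = {p.name: p for p in ports}
        self.mac_table: Dict[tuple, str] = {}    # (VID, MAC) -> port; never crosses VLANs

    @staticmethod
    def classify(port: Port, frame: Frame) -> Optional[int]:
        """Ingress: which VLAN does this frame belong to? None means drop."""
        if port.mode == "access":
            # Access ports accept only untagged frames, so a guest cannot pick its own VID.
            return None if frame.vlan is not None else port.access_vlan
        if frame.vlan is None or frame.vlan not in port.allowed_vlans:
            return None                          # untagged or disallowed VID on a trunk
        return frame.vlan

    @staticmethod
    def egress(port: Port, vlan: int, frame: Frame) -> Optional[Frame]:
        """Egress: strip the tag on an access port, keep it on a trunk, else filter."""
        if port.mode == "access":
            if port.access_vlan != vlan:
                return None                      # a port in another VLAN never sees it
            return Frame(frame.src_mac, frame.dst_mac, None, frame.payload)
        if vlan not in port.allowed_vlans:
            return None
        return Frame(frame.src_mac, frame.dst_mac, vlan, frame.payload)

    def forward(self, in_port_name: str, frame: Frame) -> Dict[str, Frame]:
        """Switch one frame; returns {out_port: frame as it leaves that port}."""
        vlan = self.classify(self.ports[in_port_name], frame)
        if vlan is None:
            return {}
        self.mac_table[(vlan, frame.src_mac)] = in_port_name
        learned = self.mac_table.get((vlan, frame.dst_mac))
        # Known unicast goes to one port; unknown or broadcast floods within the VLAN only.
        candidates = [learned] if learned else list(self.ports)
        delivered = {}
        for name in candidates:
            if name == in_port_name:
                continue
            out = self.egress(self.ports[name], vlan, frame)
            if out is not None:
                delivered[name] = out
        return delivered


def build_demo_switch() -> VirtualSwitch:
    """Constructed topology: two vNICs in VLAN 10, one in VLAN 20, one trunk uplink."""
    return VirtualSwitch([
        Port("vnic1", "access", access_vlan=10),
        Port("vnic2", "access", access_vlan=10),
        Port("vnic3", "access", access_vlan=20),
        Port("uplink", "trunk", allowed_vlans=frozenset({10, 20})),
    ])


def demo() -> Dict[str, Dict[str, Frame]]:
    """Scenarios from the slides: same-VLAN delivery, cross-VLAN filtering, and tag
    handling on access versus trunk ports. Returns each scenario's delivery map."""
    sw = build_demo_switch()
    vm1, vm2, vm3 = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
    results = {}
    # VM1 broadcasts (e.g. ARP): vnic2 gets it untagged, the trunk tagged 10, vnic3 nothing.
    results["vm1_broadcast"] = sw.forward("vnic1", Frame(vm1, BROADCAST, payload=b"arp"))
    # VM2 replies: VM1's MAC was learned in VLAN 10, so the unicast goes to vnic1 only.
    results["vm2_reply"] = sw.forward("vnic2", Frame(vm2, vm1, payload=b"reply"))
    # VM3 (VLAN 20) broadcasts: only the trunk sees it, tagged 20.
    results["vm3_broadcast"] = sw.forward("vnic3", Frame(vm3, BROADCAST, payload=b"arp"))
    # A tagged frame arriving on an access port is dropped at ingress.
    results["tagged_on_access"] = sw.forward("vnic3", Frame(vm3, BROADCAST, vlan=10))
    return results
```

Calling `demo()` returns, per scenario, which ports received the frame and with which tag, so the isolation claim on the slide can be checked port by port.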
In the context of VLANs, the term "trunk" denotes a network link carrying multiple VLANs, which are identified by labels (or "tags") inserted into their packets. (Image courtesy: Lantech)

VLAN – Known Limitations: does it make sense to use VLANs in a cloud-hosted network?
- VLANs present several limitations, which include:
  - Broadcast limitations
  - Device limitations: most VLANs can only support about 500 Ethernet addresses per device
  - Port limitations: all ports on the switch must be connected to a VLAN
  - Less efficient in terms of controlling network latency; requires decreasing the network traffic in the WAN/LAN
- VLANs are ideal for on-premise data centers and not suitable for cloud-based network deployments, as they lack critical isolation capabilities for multitenancy.

On-Premise Network Isolation with VLAN (figure: deployment scenario within an on-premise datacenter showing the firewall, the virtualization layer and the hardware layer)

VXLAN - Cloud Overlay Networks: overlay technology for building a Layer 2 network on Layer 3
- VXLAN (Virtual eXtensible Local Area Network) is a network virtualization technology that overlays Layer 2 networks over Layer 3 networks.
  - Enables scalable and flexible network segmentation in cloud environments
  - Assures scalability, supporting up to 16 million logical network segments (VXLAN segments)
  - Enables seamless workload mobility within and across data centers
  - Works across different vendors' networking hardware and software
  - Traffic isolation: allows secure "network" multi-tenancy in cloud environments, building virtualized data centers that accommodate multiple tenants and multiple virtual networks per tenant
- VXLAN encapsulates Layer 2 Ethernet frames into UDP packets over a Layer 3 network, using MAC-in-UDP encapsulation.
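As an added example (not code from the lecture), the MAC-in-UDP encapsulation just described in Python: the 8-byte VXLAN header with the 24-bit VNI is built and parsed with the standard struct module, and a minimal VTEP delivers decapsulated frames only to local ports attached to that VNI, so two tenants that reuse the same MAC addresses on different VNIs never see each other's frames. The VTEP addresses, port names and MACs are constructed; the header layout and UDP port 4789 follow the VXLAN specification (RFC 7348).

```python
import struct

VXLAN_UDP_PORT = 4789          # IANA-assigned destination port for VXLAN
VXLAN_FLAG_VNI_VALID = 0x08    # "I" flag: the VNI field carries a valid identifier


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ethernet_frame(dst: str, src: str, payload: bytes, ethertype: int = 0x0800) -> bytes:
    """Inner Layer 2 frame: destination MAC, source MAC, EtherType, payload."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload


def vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags(8) | reserved(24) | VNI(24) | reserved(8)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", VXLAN_FLAG_VNI_VALID, vni << 8)


def encapsulate(vni: int, inner_frame: bytes) -> bytes:
    """MAC-in-UDP: this is the UDP payload a VTEP sends to port 4789."""
    return vxlan_header(vni) + inner_frame


def decapsulate(udp_payload: bytes):
    """Validate the header and return (vni, inner_frame); malformed input is rejected."""
    if len(udp_payload) < 8 + 14:
        raise ValueError("too short for a VXLAN header plus an Ethernet header")
    flags, vni_field = struct.unpack("!B3xI", udp_payload[:8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("I flag not set: VNI is not valid")
    if vni_field & 0xFF:
        raise ValueError("reserved low byte must be zero")
    return vni_field >> 8, udp_payload[8:]


class Vtep:
    """Minimal VTEP: local ports are bound to a VNI and delivery is scoped to that VNI."""

    def __init__(self, ip: str):
        self.ip = ip
        self.vni_of_port = {}       # local port -> VNI
        self.ports_of_vni = {}      # VNI -> set of local ports
        self.remote_macs = {}       # (VNI, inner MAC) -> remote VTEP IP

    def attach(self, port: str, vni: int) -> None:
        self.vni_of_port[port] = vni
        self.ports_of_vni.setdefault(vni, set()).add(port)

    def learn_remote(self, vni: int, mac: str, vtep_ip: str) -> None:
        self.remote_macs[(vni, mac)] = vtep_ip

    def send(self, port: str, inner_frame: bytes):
        """Return (destination VTEP IP or None for flood, UDP port, UDP payload)."""
        vni = self.vni_of_port[port]
        dst_ip = self.remote_macs.get((vni, mac_str(inner_frame[:6])))
        return dst_ip, VXLAN_UDP_PORT, encapsulate(vni, inner_frame)

    def receive(self, udp_payload: bytes):
        """Decapsulate and deliver only to local ports attached to the packet's VNI."""
        vni, frame = decapsulate(udp_payload)
        return {port: frame for port in self.ports_of_vni.get(vni, ())}


def demo():
    """Two tenants reuse the same MACs on VNI 5000 and VNI 6000; the VNI keeps their
    frames apart even though both VTEPs share one underlay (constructed scenario)."""
    vtep_a, vtep_b = Vtep("192.0.2.1"), Vtep("192.0.2.2")    # documentation addresses
    vtep_a.attach("tenant1-vm1", 5000)
    vtep_b.attach("tenant2-vm1", 6000)      # same MACs as tenant 1, different VNI
    vtep_a.learn_remote(5000, "02:00:00:00:00:02", "192.0.2.2")
    frame = ethernet_frame("02:00:00:00:00:02", "02:00:00:00:00:01", b"hello")
    dst_ip, udp_port, packet = vtep_a.send("tenant1-vm1", frame)
    isolated = vtep_b.receive(packet)       # {}: vtep_b has no port on VNI 5000
    vtep_b.attach("tenant1-vm2", 5000)      # tenant 1 now also present on vtep_b
    delivered = vtep_b.receive(packet)      # {"tenant1-vm2": frame}
    return dst_ip, udp_port, packet, isolated, delivered
```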
  - Adds a VXLAN header with a 24-bit VNID (VXLAN Network Identifier)
  - VXLAN packets are forwarded based on the inner MAC address, enabling communication between virtual machines across VXLAN segments.

VXLAN - Cloud Overlay Networks: overlay technology for building a Layer 2 network on Layer 3 (image source: Arista)
- By enabling Layer 2 on Layer 3, VXLAN connects two or more Layer 3 network domains and makes them look like a common Layer 2 domain across physical networks.
- This makes it ideal for building cloud network infrastructure, allowing centralized control and policy enforcement through Software-Defined Networking controllers.

Virtual Extensible LAN (VXLAN): overlay technology for building a Layer 2 network on Layer 3
- VXLAN enables you to create a logical network for your physical and virtual machines across different networks without VLAN limitations.
  - Devices that support VXLAN are called Virtual Tunnel Endpoints (VTEPs); they can be end hosts, network switches or routers. VTEPs encapsulate VXLAN traffic and decapsulate that traffic when it leaves the VXLAN tunnel.
  - The transport protocol over the physical data center network is IP plus UDP.
  - VXLAN provides isolation by segmenting traffic: forwarding is limited to the VXLAN Network Identifier (VNI).
  - This helps in creating multi-tenant network architectures where a single infrastructure must be shared.

Input/Output (I/O) Virtualization
- Input/Output virtualization abstracts physical I/O devices, such as network interface cards (NICs), storage controllers and graphics cards, into virtual entities.
  - Enables sharing among multiple virtual machines (VMs) or workloads.
  - Enables efficient utilization and management of I/O resources in virtualized environments by decoupling the physical hardware through emulation in the hypervisor.
  - Not scalable:
    Modern servers run about 50-100 virtual machines but have only around 5-10 I/O devices. This is clearly a problem; the solution is SR-IOV (Single Root I/O Virtualization).

SR-IOV: Single Root I/O Virtualization – high-performance I/O and networking for cloud (image courtesy: Ramin Moazani)
- The SR-IOV specification was ratified by PCI-SIG.
  - Defines a high-performance path that removes the host computer or VM from the datapath, reducing latency, jitter and CPU utilization.
- For example, it allows a single physical network interface card (NIC) or other I/O device to appear as multiple virtual devices, each with its own dedicated resources and direct access to the underlying hardware.
- SR-IOV allows a PCIe device to present itself as multiple virtual interfaces.
  - Introduces the idea of physical functions (PFs) and virtual functions (VFs) for delivering high-performance and scalable I/O devices.
  - For example, in a networking scenario SR-IOV addresses the I/O limitation by offloading networking tasks directly to the NIC hardware.
- It enables the NIC to create multiple virtual functions (VFs), each with its own unique MAC address, VLAN tag and other parameters.
  - SR-IOV is used to improve cloud-hosted VM network performance, reduce latency, and enhance the scalability of virtualized workloads.

SR-IOV Advantages (figure: SR-IOV enabled datapath)
- Removing the virtual switch from the datapath removes the time packets spend in the host, enabling more data to be pushed at once.
  - Offloading policy enforcement to the hardware removes the host-to-VM communication and all software interrupts and context switches, which is better for streaming data.
  - SR-IOV typically results in lower CPU utilization (by up to 50%), lower network latency (by up to 50%) and higher network throughput (by up to 30%).
(Image courtesy: Microsoft Azure)

Container Networking – Isolation Model
- Containers rely on the Container Network Interface (CNI) standard, which provides a simple contract between the container runtime and network plugins.
  - CNI is a Cloud Native Computing Foundation (CNCF) standard interface.
  - CNI establishes network isolation and connectivity via the container runtime, which allocates a network namespace to the container and associates it with the container ID.
  - The underlying network driver attaches the container to the network and reports the assigned IP address back to the container via the container runtime.

Cloud Networking - Container vs Virtualization (figure; * Container Runtime, e.g., containerd, CRI-O)

Software Defined Networking (SDN)
- Software-defined networking (SDN) is a new approach to networking that provides a high-level abstraction of networking functionality.
  - Allows network administrators to manage network services through high-level APIs for applications.
- SDN essentially acts as a virtual software switch or router and attempts to replace traditional physical switches and routers in making traffic decisions.
  - SDN introduces the notion of a Network OS (NOS) that interacts with the switches.
  - Decouples the network devices from a control plane that makes the traffic decisions.
- OpenFlow is the specification and implementation standard for SDN.

OpenFlow
- The OpenFlow platform allows the decoupling of a network device's control plane from its data plane.
  - In a network device, the control plane is considered the brain and the data plane is the packet-forwarding engine.
  - OpenFlow APIs directly interface with the hardware tables (example: the Forwarding Information Base, or FIB) that exist on networking devices, instructing the device how to forward traffic.
  - The data can be flow-level data, routing tables, FIB tables, interface statistics, MAC tables, VLAN tables, serial numbers, and so on.
  - Google Cloud builds on the OpenFlow platform. (Image source: OpenFlow)

SDN driven Network Virtualization
- SDN abstracts the network management plane from the underlying physical infrastructure, removing many typical networking constraints.
- Overlays multiple networks, even ones whose address ranges completely overlap, over the same physical hardware, with all traffic properly segregated and isolated.
- Enables the cloud provider to deliver self-service provisioning of network resources.
- Global network view.
- Protocol-independent configuration of network devices.
- Abstraction hides the details of the forwarding hardware behind software settings and API calls, which supports orchestration and agility.

Virtual Networking: isolated network running isolated tenants in a public cloud (figure: a virtual network 10.0.0.0/16 with subnets 10.0.1.0/24 and 10.0.2.0/24)
- Software Defined Networking (SDN) provides the mechanisms to centrally, dynamically and programmatically configure "virtual networks". The notion of a virtual network defines the ability to deploy, manage and control an autonomous tenant. Popularly called a Virtual Private Cloud (VPC), it is a datacenter logically isolated from all other cloud tenants. Ex. AWS VPC, Azure Virtual Network, Google VPC.
- Logical isolation of the network relies on the virtual network functions and security features that give the cloud customer control over network-bound resources: a group of IP addresses or services that establish an isolated address space in the cloud, further divided into automatically routed subnets.
(Image: Azure Virtual Network)

Virtual Networking in Cloud: the Virtual Private Cloud (VPC) - scope of IP addressing
- A virtual network (or VPC) is a logical data center, typically deployed in a public cloud and bound to a datacenter in a region.
  - Within the region, the network may span multiple availability zones (independent fault domains).
  - Virtual networks are identified by IP addressing prefixes (CIDR blocks) that enable communication between the availability zones a VPC spans.
  - The size of a prospective virtual network is based on the IP addressing scheme, CIDR (for example, 10.0.0.0/16 represents 65,536 addresses in IPv4).
- Subnets can be created within the scope of an IP address prefix.
  - Typically, a subnet must be contained completely within a single, existing IP address prefix.
  - The cloud provider uses an implicit router to establish connectivity between all subnets created within a virtual network.

Understanding IPv4 and IPv6: scope of IP addressing
- The two most common versions of IP in use today are Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6).
  - Both IPv4 (32-bit) and IPv6 (128-bit) addresses come from finite pools of numbers.
  - For IPv4, the address space is 32 bits (2^32) in size, which contains 4,294,967,296 IPv4 addresses: theoretically more than 4.3 billion IP addresses.
  - Only 3.7 billion are available for public use, because the rest is reserved for special purposes (e.g. 224/4 for multicast) or future use (240/4).
  - For IPv6, the address space is 128 bits (2^128) in size, containing 340,282,366,920,938,463,463,374,607,431,768,211,456 (approximately 340 undecillion) IPv6 addresses.
  - In a typical network, not every IP address in the IPv4 or IPv6 pool can be assigned to the machines and devices used to access the Internet; some are reserved.
  - IP addresses taken from the IPv4 or IPv6 pool are divided into two parts, a "network section" and a "host section".
  - The network section identifies the particular network, and the host section identifies the particular node.

IPv4 – IP Version 4 (figure: anatomy of an IPv4 packet communication)

IPv4 Address: what does it look like?
- An IP address is a 32-bit (4-byte) identifier.
  - Encodes a network number (network prefix) and a host number.
- IP addresses are written as four 8-bit "octets" in so-called dotted-quad decimal notation.
- Each byte is written as a decimal number in the range [0..255].

IPv4: Network Prefix & Host Number (figure: 128.143 | 137.144)
- The network prefix identifies a network and the host number identifies a specific host (actually, an interface on the network).
- How do we know how long the network prefix is?
  - The network prefix used to be implicitly defined (classful addressing: classes A, B, C, D, ...).
  - With CIDR, the network prefix is flexible and is indicated by a prefix length / netmask (classless).

IPv6 – IP Version 6 (figure: anatomy of IPv6 compared with IPv4)

IPv6 – IP Version 6: understanding IPv6
- IPv6 significantly increases the size of the IP address to 128 bits (16 bytes), written using hexadecimal digits.
  - Can represent more than 340 short-scale undecillion different values.
  - IPv6 can provide 2^128 = (2^32)^4 ≈ 4 billion x 4 billion x 4 billion x 4 billion addresses.
- IPv6 removes several IPv4 header fields or moves them to IPv6 extension headers to reduce the header length.
  - The basic IPv6 packet header has a fixed length of 40 bytes to simplify IPv6 packet handling and improve forwarding efficiency.
  - Although an IPv6 address is four times larger than an IPv4 address, the basic IPv6 packet header is only twice the size of the option-less IPv4 packet header.
- Larger address space: the source and destination IPv6 addresses are 128 bits long.

IPv6 Addressing & Classes: role of network addressing in IPv6
- An IPv6 address is a 128-bit hexadecimal address used to uniquely identify devices on a network.
  - Represented as eight groups of four hexadecimal digits separated by colons.
  - For example, a valid IPv6 address: 2001:0DB8:7654:0010:FEDC:0000:0000:3210
- A hexadecimal digit can represent 16 (2^4) different values (0-9, A-F), which corresponds to exactly 4 bits. Since every group consists of four hexadecimal digits, each group has 16 bits (2^16 values).
- Major difference between an IPv4 host and an IPv6 host:
  - An IPv4 host typically uses one IP address, but an IPv6 host can have more than one IP address.

IPv6 Allocation and Address Formats
- IPv6 addresses identify allocation levels: registry, provider, subscriber, subnetwork and interface.
  - Registry: identifies the agency that registered the address
  - Provider: ID of the Internet access provider
  - Subscriber: ID of the organization at the provider
  - Subnetwork: ID of the subnet within the organization
  - Interface: identifies an interface at a node
- IPv6 addresses are separated into two 64-bit parts: the first (left) is the subnet prefix and the second (right) is the interface identifier (IID), a 64-bit Extended Unique Identifier (EUI-64).
- IPv6 provides address formats for:
  - Unicast: identifies a single interface
  - Multicast: identifies a group. Datagrams sent to a multicast address are sent to all members of the group.
  - Anycast: identifies a group. Datagrams sent to an anycast address are sent to one of the members of the group.
IP Addressing - Classes: classful inter-domain routing in IPv4 (educational purposes)
- IP Network Addressing & Classes (1981 – 1993) divides the IP address for Internet Protocol (IPv4) into five address classes (classful inter-domain routing). Example IP address: 192.168.1.15 (octets 192 | 168 | 1 | 15).
  - A Class A address has the first octet as the network portion and the remaining three as the host portion.
    - Addresses are in the range 1 – 126.xxx.xxx.xxx and the network mask is defined as 255.0.0.0.
    - 127.0.0.1 is the loopback IP address for localhost.
  - A Class B address has the first and second octets as the network portion and the remaining two as the host portion.
    - Addresses are in the range 128 – 191.xxx.xxx.xxx and the network mask is defined as 255.255.0.0.
  - A Class C address has the first, second and third octets as the network portion and the remaining one as the host portion.
    - Addresses are in the range 192 – 223.xxx.xxx.xxx and the network mask is defined as 255.255.255.0.
  - Class D (multicast applications) and Class E are special-purpose network addresses, reserved and not assigned.

IP Addressing - CIDR (pronounced "cider" or "ceder"): Classless Inter-Domain Routing
- CIDR is a packet routing system used to allocate IP address blocks.
- An IP address can be considered to have a network address and a host identifier.
- Helps describe a block of IP addresses that can be applied to network configurations.
- CIDR helps identify the number of IP addresses available in the block, including the first IP, the last IP and the subnet mask.
  - For example (using IPv4): 192.168.1.0/24

CIDR – Classless Inter-Domain Routing: why is it important? (image source: cidr.xyz)
- Restructures IP address assignment to support subnetting and increase routing efficiency.
- Hierarchical routing aggregation with groups of IP addresses, minimizing route table entries.
- CIDR identifies the length of the network ID (prefix) in IP addresses.
  - Routers use the IP address and the length of the prefix (CIDR) for forwarding.
  - All advertised IP addresses must include a CIDR prefix.
- The CIDR notation of an IPv4 network address: 192.0.2.0/18
  - The CIDR prefix /18 states that the first 18 bits are the network part of the IP address.

IPv4 Addressing using CIDR: example
- host101.east.Harvard.edu
  - IP address is 128.143.137.144
  - Is that enough information to route packets?
- No, a netmask or prefix is needed at every IP device (host and router).
- CIDR prefix notation for the IP address is 128.143.137.144/16
  - The network prefix is 16 bits long.
- The network mask is 255.255.0.0, or in hex format ffff0000
  - Network ID (IP address AND netmask) is 128.143.0.0
  - Host number (IP address AND inverse of netmask) is 137.144 (figure: 128.143 | 137.144)

CIDR IPv4 Example: 10.0.0.0/16
- What does it mean?
  - The /16 in the CIDR notation represents how many of the bits are locked down.
  - The unlocked bits can change between 1 and 0, allowing the full range of possible values.
    - Lowest possible IP: 10.0.0.0
    - Highest possible IP: 10.0.255.255
    - i.e., 65,536 addresses

CIDR
- The CIDR notation is calculated from the number of ones in the subnet mask when it is converted to binary.
  - For example, the subnet mask of 192.168.1.0 is 255.255.255.0; the CIDR prefix will be /24.
  - It converts to 11111111.11111111.11111111.00000000 in binary.
  - Add up those ones and you get 24.
- For quick reference, use: https://cidr.xyz
- Download this chart: https://www.ripe.net/about-us/press-centre/IPv4CIDRChart_2015.pdf
Using CIDR in IPv4 Networks: how does it work in creating IPv4 networks?
- Create blocks of IP address space using CIDR and allocate them as address blocks to a network.
- Example: 206.0.64.0/18
- Assume the cloud customer owns the address block 206.0.64.0/18
  - It represents 16,384 (2^(32-18) = 2^14) IP host addresses
  - 2^14 means 262,144 host addresses
- Suppose a subnet needs to host 800 IP devices.
  - Assigning a /22 block, i.e., 206.0.64.0/22, gives a block of 1,024 (2^10) IP addresses to the client.

Subnetting and CIDR: how does it help in IPv4 networks?
- In subnetting, the network prefix and the subnet number make up an extended network prefix (for specifying network allocation space).
  - The extended prefix can be expressed in CIDR notation by adding the length of the extended subnet mask after the IP address. For example, with 128.143.137.144/16:
    - 128.143.0.0/16 is the IP address of the primary network (say, a VPC): 65,536 addresses; 255.255.0.0 is the netmask of the primary network (network prefix /16)
    - 128.143.137.0/24 is the IP address of the subnet: 256 addresses; 255.255.255.0 is the subnet mask (subnet prefix /24)
    - 128.143.137.144/32 is the IP address of the host: 1 address

Introduction to IP Subnets: network isolation using IPv4 ranges in cloud
- IP subnetting is the logical partitioning and segmentation of an IP network, separating a larger network into multiple smaller networks for reorganization and security purposes.
  - All nodes (hosts) in a subnet see all packets transmitted by any node in that network.
- Hosts belonging to an IP subnet are addressed with a logical division of the IP address into two fields: "host/network interface" and "routing prefix".
  - The routing prefix is expressed in Classless Inter-Domain Routing (CIDR) notation, written as the first IP address of a network, followed by the / character, and ending with the bit length of the prefix.
    - e.g. 192.168.1.0/24

Using CIDR in Practice - VPC and Subnets: creating a VPC and subnets (AWS example)
- Choose a master CIDR for the VPC; it determines the number of subnets and IP addresses that you can create inside your VPC.
  - The master CIDR is irreversible.
  - For example, 10.0.0.0/16 = all IP addresses from 10.0.0.0 to 10.0.255.255.
  - You can choose a CIDR block as small as a /28 or as large as a /16. A /28 provides 16 IP addresses and a /16 provides 65,536 IP addresses.
- To create subnets, you must avoid overlapping addresses with the VPC, with co-existing subnets, and with your on-premise network (in the case of hybrid cloud).
- (figure: a master CIDR of 10.10.0.0/16 for a VPC that hosts 5 subnets; each subnet uses a /24, which allows hosting services using 256 IP addresses)

VPC and Subnets: applying the CIDR ranges
- Typically, a cloud provider allows CIDR ranges between /16 and /28.
  - With every step, a CIDR prefix increase cuts the number of IP addresses in the range in half.
- Let's assume you are tasked to use a master CIDR of 10.0.0.0/16 for your VPC.
  - 10.0.0.0/16 allows for 65,536 IP addresses.
- Using the VPC with master CIDR 10.0.0.0/16, if you are tasked to create 2 subnets with equally allocated IP addresses:
  - Subnet 1 with 10.0.0.0/17 allows for 32,768 addresses
  - Subnet 2 with 10.0.128.0/17 allows for 32,768 addresses
Virtual Private Cloud (VPC) Networks
Logical isolation of networks in public cloud
§ VPC or Virtual Network
– An isolated private network on public cloud, where customers (cloud consumers) can attach compute VM instances and other services.
– Assures logical network isolation and segmentation: VM instances and services residing in one VPC are isolated from VM instances and services residing in another VPC. Network traffic cannot be exchanged between VPCs unless explicit permissions are granted (e.g., VPC peering or a transit gateway, plus matching route table entries).
– Allows for IP address reuse among VPCs in a cloud infrastructure. The same CIDR block range can be used by multiple VPCs without conflict, as long as those VPCs are never connected to each other: two VPCs with overlapping CIDRs cannot be peered, so plan non-overlapping ranges for VPCs that may later need to communicate.
– Each VPC defines an implicit router that forwards packets for the subnets residing within the VPC
– By default, each VPC is created with a single (main) route table that is bound to every subnet in the VPC that has not been explicitly associated with another route table

Network Isolation with VPCs and Subnets
Running multi-tier architectures (web & database applications)
[Figure: two VPCs, each with a load balancer in front of its web and database tiers. Note: network traffic cannot be exchanged between VPCs unless explicit permissions are granted.]

Virtual Private Cloud (VPC) Networks
Logical isolation of networks in public cloud
[Figure: two separate VPCs, both using the CIDR 10.0.0.0/16 without conflict. Image source: AWS, Microsoft, Google]

Network Isolation with VPC & Subnets (High Resiliency)
Running subnets in different Availability Zones for fault isolation
[Figure: two VPCs, each with a load balancer in front of subnets spread across Availability Zone A and Availability Zone B. Note: network traffic cannot be exchanged between VPCs unless explicit permissions are granted.]

Subnet based Network Isolation
Partitioning networks using CIDR ranges
§ Build data centers by partitioning networks.
§ Create and partition logical data centers in cloud. Example:
Virtual Private Cloud (VPC) in AWS
§ Let's assume we use a master CIDR block of 10.5.0.0/16 for our VPC
– 65,536 addresses
– First IP address will be 10.5.0.1 (first host address; 10.5.0.0 is the network address)
– Last IP address will be 10.5.255.254 (last host address; 10.5.255.255 is the broadcast address)
– Netmask will be 255.255.0.0
§ Using the master CIDR, we can now create isolated subnets, e.g., 3 subnets:
– 10.5.1.0/24 (Subnet 1 - Public DMZ)
– 10.5.2.0/24 (Subnet 2 - Private App)
– 10.5.3.0/24 (Subnet 3 - Private DB)
[Figure: AWS cloud > Virtual Private Cloud 10.5.0.0/16 containing 10.5.1.0/24 (Public DMZ Subnet), 10.5.2.0/24 (Private App Subnet) and 10.5.3.0/24 (Private DB Subnet)]

Organizing Subnets
Partitioning networks based on functional tiers
§ Public Subnet
– A subnet privileged with Internet accessibility, allowing inbound and outbound network traffic
– Its route table includes a default-route entry (0.0.0.0/0) pointing at the VPC's Internet Gateway. A VPN (virtual private) gateway entry provides on-premises connectivity, not public Internet access.
– Ex. Public DMZ Subnet (10.5.1.0/24)
§ Private Subnet
– Subnets NOT accessible from the Internet
– Have no route table entry to the Internet Gateway; at most an outbound-only path (via a NAT gateway)
– Administrative access is granted via a Bastion host or NAT proxy to ensure restricted access
– Ex. Private App Subnet (10.5.2.0/24), Private DB Subnet (10.5.3.0/24)
[Figure: Internet users > Internet gateway > VPC 10.5.0.0/16 with the Public DMZ (10.5.1.0/24), Private App (10.5.2.0/24) and Private DB (10.5.3.0/24) subnets]
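The public/private distinction above is not a property of the subnet itself but of its route table: a subnet is "public" exactly when its effective route table has a default route to an Internet gateway. The following is an added example (not code from the lecture slides) that makes that rule executable. It classifies each subnet from a constructed, simplified copy of the structures `aws ec2 describe-route-tables` returns, including the main-table fallback for subnets with no explicit association, and handles both the IPv4 NAT gateway and the IPv6 egress-only Internet gateway as outbound-only routes. All IDs (rtb-*, subnet-*, igw-*, nat-*, eigw-*) are made-up placeholders.

```python
"""Classify VPC subnets from their route tables (public / private / isolated).

Added example, not from the lecture slides. ROUTE_TABLES and SUBNETS are a
constructed, simplified version of what `aws ec2 describe-route-tables` and
`describe-subnets` return for the VPC used in the slides; every ID
(rtb-*, subnet-*, igw-*, nat-*, eigw-*) is a made-up placeholder.
"""
import ipaddress

ROUTE_TABLES = [
    {   # main route table: no default route, so subnets left on it are isolated
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.5.0.0/16", "GatewayId": "local"}],
    },
    {   # public DMZ: 0.0.0.0/0 and ::/0 point at the Internet gateway
        "RouteTableId": "rtb-public",
        "Associations": [{"SubnetId": "subnet-dmz"}],
        "Routes": [
            {"DestinationCidrBlock": "10.5.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"},
            {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-0abc"},
        ],
    },
    {   # private app tier: outbound only, via NAT gateway (v4) and egress-only IGW (v6)
        "RouteTableId": "rtb-app",
        "Associations": [{"SubnetId": "subnet-app"}],
        "Routes": [
            {"DestinationCidrBlock": "10.5.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0def"},
            {"DestinationIpv6CidrBlock": "::/0", "EgressOnlyInternetGatewayId": "eigw-0123"},
        ],
    },
]

SUBNETS = {
    "subnet-dmz": "10.5.1.0/24",
    "subnet-app": "10.5.2.0/24",
    "subnet-db": "10.5.3.0/24",   # no explicit association: uses the main table
}

# What each tier is supposed to be; anything else is a misconfiguration.
EXPECTED = {"subnet-dmz": "public", "subnet-app": "private-nat", "subnet-db": "isolated"}


def is_default_route(route):
    """True for 0.0.0.0/0 or ::/0 destinations."""
    dst = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
    return dst is not None and ipaddress.ip_network(dst).prefixlen == 0


def route_target(route):
    for key in ("GatewayId", "NatGatewayId", "EgressOnlyInternetGatewayId"):
        if key in route:
            return route[key]
    return ""


def table_for_subnet(subnet_id, tables=ROUTE_TABLES):
    """An explicit subnet association wins; otherwise the VPC's main table applies."""
    main = None
    for table in tables:
        for assoc in table["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def classify_subnet(subnet_id, tables=ROUTE_TABLES):
    """'public' (igw default route), 'private-nat' (NAT gateway default route),
    'private-egress-only-ipv6' (eigw only), or 'isolated' (no default route)."""
    kinds = set()
    for route in table_for_subnet(subnet_id, tables)["Routes"]:
        if not is_default_route(route):
            continue
        target = route_target(route)
        if target.startswith("igw-"):
            kinds.add("public")                    # inbound and outbound Internet
        elif target.startswith("nat-"):
            kinds.add("private-nat")               # outbound only, IPv4
        elif target.startswith("eigw-"):
            kinds.add("private-egress-only-ipv6")  # outbound only, IPv6
    for kind in ("public", "private-nat", "private-egress-only-ipv6"):
        if kind in kinds:
            return kind                            # most exposed classification wins
    return "isolated"


def audit(expected=EXPECTED, tables=ROUTE_TABLES):
    """Return {subnet: (expected, actual)} for every subnet whose exposure
    differs from the design, e.g. a DB subnet that gained an igw route."""
    return {sid: (want, classify_subnet(sid, tables))
            for sid, want in expected.items()
            if classify_subnet(sid, tables) != want}


if __name__ == "__main__":
    for sid, cidr in SUBNETS.items():
        print(f"{sid:11} {cidr:13} {classify_subnet(sid)}")
    print("drift:", audit() or "none")
```

Run against real `describe-route-tables` output the same logic works unchanged; the `audit` function is the check worth scheduling, because the dangerous change is not a new subnet but an existing private one silently picking up a default route to an Internet gateway.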
Building Multiple VPCs (AWS)
Hosting multiple VPCs in AWS (isolated data centers)
[Figure: AWS Cloud - XYZ Company hosting three VPCs: Production 10.5.0.0/16 (10.5.1.0/24 Public DMZ, 10.5.2.0/24 Private App, 10.5.3.0/24 Private DB); QA 10.6.0.0/16 (10.6.1.0/24 Public DMZ, 10.6.2.0/24 Private App, 10.6.3.0/24 Private DB); Development, drawn with the same 10.6.0.0/16 range and subnets as QA. Reusing a CIDR across VPCs is allowed because VPCs are isolated by default, but two VPCs with overlapping ranges can never be peered; give each environment a distinct range if they may ever need to connect.]

AWS VPC - Example
Network: CIDR /16 VPC with CIDR /24 subnets
§ VPC: a virtual network dedicated to your AWS account and logically isolated from other virtual networks in AWS.
§ CIDR /16: 10.5.0.0/16 (65,536 addresses)
§ Public Subnet: ex. 10.5.1.0/24 (256 addresses), hosting the web servers, with an Internet gateway in front and the NAT gateway placed in this subnet
§ Private Subnet: ex. 10.5.3.0/24 (256 addresses), hosting the database servers
Note:
§ AWS reserves 5 addresses per subnet (the first 4 addresses and the last address) for management purposes: the network address, the VPC router, the Amazon-provided DNS, one reserved for future use, and the last address, the network broadcast address (reserved even though broadcast is not supported in a VPC). A /24 subnet therefore offers 251 usable addresses, not 256.
[Figure: Internet users > Internet gateway > VPC 10.5.0.0/16 with Public DMZ Subnet 10.5.1.0/24 (web servers, NAT gateway) and Private DB Subnet 10.5.3.0/24 (database servers)]
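The CIDR arithmetic in the preceding slides (block sizes, first and last addresses, carving equal subnets out of a master CIDR, the AWS-reserved addresses, and the no-overlap rule for hybrid cloud) is easy to get wrong by hand. Below is an added example, not code from the lecture slides, that does the arithmetic with the standard-library `ipaddress` module using the ranges from the slides. `ONPREM` is a constructed on-premises range for the overlap check, and `AWS_RESERVED` encodes the five addresses AWS holds back per subnet; the /16 to /28 limits are the AWS VPC CIDR bounds quoted on the slides.

```python
"""Plan and validate subnets inside a VPC CIDR block.

Added example, not from the lecture slides. Uses only the standard library's
`ipaddress` module. The VPC and subnet ranges are the ones from the slides;
ONPREM is a constructed on-premises range for the hybrid-cloud overlap check.
AWS_RESERVED is the 5 addresses AWS holds back in every subnet (first 4 + last).
"""
import ipaddress

AWS_RESERVED = 5
VPC_LARGEST, VPC_SMALLEST = 16, 28    # AWS accepts VPC CIDRs from /16 down to /28
ONPREM = ["192.168.0.0/16"]           # constructed on-premises range


def describe(cidr):
    """Network/broadcast addresses, first/last host, netmask and size of a block."""
    net = ipaddress.ip_network(cidr)          # strict: host bits must be zero
    return {
        "network": str(net.network_address),
        "first_host": str(net.network_address + 1),
        "last_host": str(net.broadcast_address - 1),
        "broadcast": str(net.broadcast_address),
        "netmask": str(net.netmask),
        "total": net.num_addresses,           # 2 ** (32 - prefixlen)
    }


def usable_in_subnet(cidr):
    """Addresses an instance can actually receive: total minus AWS's 5 reserved."""
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED


def smallest_prefix_for(hosts):
    """Longest prefix (smallest block) whose usable count still covers `hosts`."""
    prefix = 32
    while 2 ** (32 - prefix) - AWS_RESERVED < hosts:
        prefix -= 1
    return prefix


def plan_subnets(vpc_cidr, subnet_prefix, count):
    """Carve `count` equal /subnet_prefix subnets out of the VPC block, in order."""
    vpc = ipaddress.ip_network(vpc_cidr)
    if not VPC_LARGEST <= vpc.prefixlen <= VPC_SMALLEST:
        raise ValueError(f"VPC CIDR must be between /{VPC_LARGEST} and /{VPC_SMALLEST}")
    if subnet_prefix < vpc.prefixlen or subnet_prefix > VPC_SMALLEST:
        raise ValueError(f"subnet prefix must be between /{vpc.prefixlen} and /{VPC_SMALLEST}")
    subnets = list(vpc.subnets(new_prefix=subnet_prefix))
    if len(subnets) < count:
        raise ValueError(f"{vpc_cidr} only holds {len(subnets)} /{subnet_prefix} subnets")
    return [str(s) for s in subnets[:count]]


def find_overlaps(vpc_cidr, subnet_cidrs, external_cidrs=()):
    """List problems: a subnet outside the VPC, subnets overlapping each other,
    or the VPC colliding with an external (on-premises / peer VPC) range."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [ipaddress.ip_network(c) for c in subnet_cidrs]
    problems = []
    for i, n in enumerate(nets):
        if not n.subnet_of(vpc):
            problems.append(f"{n} is not inside VPC {vpc}")
        for m in nets[i + 1:]:
            if n.overlaps(m):
                problems.append(f"{n} overlaps {m}")
    for ext in external_cidrs:
        if vpc.overlaps(ipaddress.ip_network(ext)):
            problems.append(f"VPC {vpc} overlaps external range {ext}")
    return problems


if __name__ == "__main__":
    print(describe("10.5.0.0/16"))
    print("800 hosts need a /%d" % smallest_prefix_for(800))
    tiers = plan_subnets("10.5.0.0/16", 24, 4)[1:]   # 10.5.1.0/24 .. 10.5.3.0/24, as on the slides
    print(tiers, [usable_in_subnet(t) for t in tiers])
    print(find_overlaps("10.5.0.0/16", tiers, ONPREM) or "no overlaps")
```

Note that `smallest_prefix_for(800)` returns 22 only because the five reserved addresses still leave 1,019 usable in a /22; the textbook "2^10 = 1,024" figure is the block size, not the number of instances you can launch.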
Directing Network Traffic
Securing inbound and outbound traffic flows on functional tiers
§ Public Subnet
– Use an Internet Gateway to allow inbound network traffic (to the web servers)
– Use a NAT Gateway (placed in the public subnet) to allow outbound traffic from private instances without disclosing their private IP addresses
– This prevents private instances from receiving direct Internet requests and protects against private IP disclosure (directly reachable instances are exposed to DoS/DDoS attacks)
§ Private Subnet
– Use the NAT Gateway to securely allow outbound traffic for applications requiring external Internet access (e.g., patch downloads), with no inbound path
[Figure: Internet users > Internet gateway > VPC 10.5.0.0/16 with Public DMZ Subnet 10.5.1.0/24 (web servers, NAT gateway) and Private DB Subnet 10.5.3.0/24 (database servers)]

Directing Network Traffic
Scope of gateways on inbound and outbound traffic flows
§ An Internet Gateway allows ingress (inbound) and egress (outbound) access
§ Typically used from the public subnet
– In the case of IPv4, when traffic is sent from a host instance, the Internet gateway maintains a one-to-one mapping of the host instance's private IP address to its public IPv4 address (the instance needs a public or Elastic IP; the translation is done by the gateway, not by the instance).
– In the case of IPv6, when traffic is sent from the host instance to the Internet, the Internet gateway forwards the instance's source IPv6 address unchanged (VPC IPv6 addresses are globally unique, so no translation is needed).
[Figure: same VPC 10.5.0.0/16 layout: Internet gateway, Public DMZ Subnet 10.5.1.0/24 with web servers and NAT gateway, Private DB Subnet 10.5.3.0/24 with database servers]

Directing Network Traffic
Scope of gateways on inbound and outbound traffic flows
§ A NAT Gateway securely allows outbound traffic for applications requiring external Internet access without exposing the IP addresses of instances hosted in the private subnet.
§ Allowing outbound traffic "securely" means...
– Connections originating from outside your VPC cannot reach host instances residing in your private subnet: the NAT gateway only forwards return traffic for connections the instances themselves initiated.
– NAT is not used for IPv6; instead the host instance sends traffic to an "egress-only" (outbound-only) Internet Gateway, which gives the same outbound-only semantics without address translation.
[Figure: Internet users > Internet gateway > VPC 10.5.0.0/16 with Public DMZ Subnet 10.5.1.0/24 (web servers, NAT gateway) and Private DB Subnet 10.5.3.0/24 (database servers)]

CIDR in IPv6
§ Identifies the network portion of an IPv6 address and its associated prefix length, allowing for representation and management of IPv6 networks
§ CIDR notation for IPv6 addresses is formed by specifying the network prefix length in bits after the IPv6 address.
– An IPv6 address consists of eight groups of four hexadecimal digits separated by colons
– For example, a valid IPv6 address looks like: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
– A prefix length of 64 indicates that the first 64 bits of the address are the network portion, while the remaining 64 bits identify the host (interface). To create a network with a prefix length of 64 bits: 2001:0db8:85a3:0000::/64
– Optionally, you can abbreviate the IPv6 address by removing leading zeros in each group and replacing one run of consecutive all-zero groups with a double colon (::): 2001:db8:85a3::/64
Reference: https://www.cidr.eu/en/ipv6

Using CIDR in IPv6 based Cloud VPC
How does it work in creating IPv6 networks?
§ Create the VPC, allocating a CIDR block of IPv6 address space to the network.
– Example: 2600:1f16:23d1:7b00::/56
– A VPC is typically given a /56 and each subnet a /64 (the standard size of an IPv6 subnet, which is what SLAAC requires); some cloud providers may allow you to allocate larger or smaller blocks
§ Create subnets, route tables, security groups, and other networking resources within the VPC.
– Assign IPv6 addresses to the subnets within the VPC; a /56 VPC block holds 256 /64 subnets. For example:
– Subnet 1: 2600:1f16:23d1:7b00::/64
– Subnet 2: 2600:1f16:23d1:7b01::/64
– Subnet 3: 2600:1f16:23d1:7b02::/64
§ Enable IPv6 DNS and VM support
– Enable IPv6 DNS support using the cloud DNS servers to resolve the names of IPv6-enabled VM instances.
– For the VMs, allow automatic assignment of IPv6 addresses using stateless address autoconfiguration (SLAAC) or DHCPv6

Bastion Host / Jumpserver - Network Isolation
Dedicated private connection from cloud to on-premises / trusted peers
[Figure: Trusted client > SSH / RDP > Bastion host]
§ Bastion hosts are dedicated hosts or virtual machines that reside in the public subnet to support remote administrative access from on-premises or trusted peers
§ Helps to isolate the private subnets while still providing a controlled path into them
§ Typically accessed using SSH or Windows RDP. Once a remote connection is established with the Bastion host, it can be used to SSH or RDP onward to other instances within your VPC
§ Inbound and outbound access must be restricted at the protocol level using network and host-based firewalls (security groups)
§ Inbound access must be restricted to specific (trusted) source IP addresses; a bastion that accepts SSH/RDP from 0.0.0.0/0 is an Internet-exposed login service

Border Gateway Protocol (BGP)
Exchange routes between the on-premises router and the cloud provider
§ BGP (Border Gateway Protocol) is an Exterior Gateway Protocol (EGP), a routing protocol designed to exchange path/prefix information between different autonomous networks.
§ Enables fully isolated, dedicated private connectivity between an on-premises data center and cloud providers
§ Assures private connectivity in hybrid cloud scenarios
§ BGP neighbors build peering sessions over TCP (port 179) and exchange routing information (prefixes).
§ In BGP, a set of routers under a single administrative authority forms an Autonomous System (AS).
§ BGP uses Autonomous System Numbers (ASNs): a 16-bit ASN is a number between 1 and 64,511 (public) or between 64,512 and 65,535 (private), assigned to an AS to identify a specific BGP domain. (4-byte ASNs extend the range; RFC 6996 reserves 4200000000 to 4294967294 for private use.)
– Public ASNs are allocated by a Regional Internet Registry (RIR), which also handles the allocation of IP addresses to networks.
§ BGP enables your traffic to flow between on-premises locations and public cloud providers.
§ Examples: AWS Direct Connect, Azure ExpressRoute, Google Cloud Interconnect

Direct Connect to Public Cloud Services (AWS)
Direct Connect routing: on-premises data center and AWS public services
§ To bridge on-premises data center connectivity to AWS public services via BGP:
– Build a BGP session to a Public VIF of the AWS Direct Connect connection
– The on-premises router will now learn all the public prefixes that belong to AWS
– This means that a user/server on-premises will access AWS "public services" (such as an S3 bucket) via the Direct Connect link instead of going over the Internet.
§ Establishes a private dedicated connection from data center VLANs to the AWS backbone via a Public VIF
§ Reliable connectivity and network performance for connecting to AWS endpoints (ex. S3)
Source: Nicovibert

Direct Connect to VPC (AWS)
Private connection between an on-premises data center and an AWS VPC
§ To bridge on-premises data center connectivity to an AWS VPC via BGP:
– Build a BGP session to a Private VIF of the AWS Direct Connect connection
– The on-premises router will now learn the VPC's prefixes (a Private VIF advertises the VPC CIDR, not AWS's public prefixes)
– This means that a user/server on-premises will access VPC-hosted services (such as EC2) via the Direct Connect link.
§ Establishes a private dedicated connection from data center VLANs to the AWS backbone via a Private VIF
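The bastion host section above ends with two rules that are routinely violated in practice: admin ports must be reachable only from specific trusted sources, and nothing else should be open on the bastion's security group. The following is an added example, not code from the lecture slides, that audits a security group against exactly those rules. `BASTION_SG` is a constructed, simplified form of the `IpPermissions` structure that `aws ec2 describe-security-groups` returns, with two mistakes planted in it; the group ID is a placeholder and the trusted sources use RFC 5737 documentation ranges.

```python
"""Audit a bastion host's security-group ingress rules.

Added example, not from the lecture slides. BASTION_SG is a constructed,
simplified form of the IpPermissions structure returned by
`aws ec2 describe-security-groups`; the group ID and CIDRs are placeholders
(RFC 5737 documentation ranges stand in for the trusted admin sources).
Policy checked: SSH (22) and RDP (3389) may only be reachable from the
trusted source list, one port per rule, and nothing else is open.
"""
import ipaddress

ADMIN_PORTS = {22: "ssh", 3389: "rdp"}

# Constructed: the organisation's declared admin sources (office range, VPN egress IP).
TRUSTED_SOURCES = ["203.0.113.0/24", "198.51.100.7/32"]

# Constructed: the observed group, with two mistakes planted in it.
BASTION_SG = {
    "GroupId": "sg-bastion",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},            # fine
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},                 # world-open SSH
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "198.51.100.7/32"}]},           # fine
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},            # not an admin port
    ],
}


def covered_by_trusted(cidr, trusted=TRUSTED_SOURCES):
    """True if every address in `cidr` falls inside one trusted range."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(t) for t in map(ipaddress.ip_network, trusted)
               if t.version == net.version)


def audit_bastion_sg(sg, trusted=TRUSTED_SOURCES):
    """Return (severity, message) findings; an empty list means the group is compliant."""
    gid, findings = sg["GroupId"], []
    for perm in sg["IpPermissions"]:
        proto = perm["IpProtocol"]
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        sources = ([r["CidrIp"] for r in perm.get("IpRanges", [])]
                   + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])
        if proto == "-1":                                  # all protocols / all ports
            findings.append(("high", f"{gid}: rule allows all protocols from {sources}"))
            continue
        admin = [p for p in ADMIN_PORTS if lo <= p <= hi]
        if not admin:
            findings.append(("medium", f"{gid}: non-admin port {lo}-{hi}/{proto} open on a bastion"))
            continue
        if hi != lo:
            findings.append(("medium", f"{gid}: port range {lo}-{hi} is wider than one admin port"))
        for src in sources:
            if ipaddress.ip_network(src).prefixlen == 0:   # 0.0.0.0/0 or ::/0
                findings.append(("high", f"{gid}: {ADMIN_PORTS[admin[0]]} open to the world ({src})"))
            elif not covered_by_trusted(src, trusted):
                findings.append(("high", f"{gid}: {ADMIN_PORTS[admin[0]]} allowed from untrusted source {src}"))
    return findings


def is_compliant(sg, trusted=TRUSTED_SOURCES):
    return not audit_bastion_sg(sg, trusted)


if __name__ == "__main__":
    for severity, msg in audit_bastion_sg(BASTION_SG):
        print(f"[{severity}] {msg}")
```

The check compares the observed group with a declared list of trusted sources rather than with "whatever was there last week", so it also serves as a drift detector for the immutable-network model discussed later: any rule added by hand outside the infrastructure-as-code path shows up as a finding on the next run.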
Source: Nicovibert

Hybrid Cloud: Private Connection
Hybrid cloud (AWS and on-premises data center) deployment scenario
[Figure: on-premises data center with HR, Engineering and Development team VLANs connected through an ISP / Direct Connect provider (BGP channel) to AWS Direct Connect VIFs, which are accessible from public and private subnets.]
* VIF refers to a Virtual Interface: a VLAN-tagged logical interface on the Direct Connect connection, which can be public or private

Immutable Networks
Read-only network configurations: "Infrastructure as Code"
§ Immutable network infrastructure is a software-defined, read-only network configuration.
– Builds on the concept of "Infrastructure as Code", where configuration is performed entirely through code and configuration files, with validation checks ensuring that the running configuration always matches the defined desired state.
– Ex. AWS CloudFormation, Azure Resource Manager (ARM), Terraform
– Widely adopted in DevOps environments
§ Achieving immutability means that there is no difference between the settings defined in the configuration and those implemented; any change to a setting made outside the code path is flagged as "configuration drift".
§ Periodic checks need to take place to detect configuration drift and trigger remediation tasks or alerts when a drift is found (e.g., a `terraform plan` that reports a non-empty diff, or CloudFormation drift detection).

Dedicated Network Tenancy
Single-tenant network, dedicated VMs and dedicated hosts
§ Single-Tenant Network (Dedicated Tenancy)
– This network assures that all virtual machine instances run on hardware dedicated to a single cloud customer.
– Typically operates on dedicated racks and a dedicated network segment, providing the customer with their own isolated hosts and network.
– Dedicated tenancy helps to ensure data confidentiality and data residency to meet compliance requirements (e.g., HIPAA)
§ Dedicated VMs
– Dedicated virtual machines and virtual storage allocated to the customer
§ Dedicated Hosts & Storage
– An entire physical host and storage unit allocated to the cloud customer, who may still share other multi-tenant resources (e.g., the provider's network fabric and control plane).

Compute vs Network Isolation
§ By design, host virtualization and virtual networking are intended to provide workload isolation and network isolation securely, independently of one another.
– Isolation enables multiple virtual machines to run securely while sharing host and network boundaries, and ensures their ability to access services with uninterrupted performance.
§ Even a user with administrator privileges on a VM's guest OS cannot, by design, breach this layer of isolation to access another VM in or outside the network without privileges explicitly granted by the hypervisor (breaking this guarantee would require a hypervisor escape vulnerability, which is why hypervisor patching matters).
§ If a VM crashes, all other virtual machines on the same host infrastructure continue to run.
– Although VMs share physical resources exposed by the hypervisor, a guest OS on a VM cannot detect any device other than those presented to its own virtual machine.
§ Resource capping, i.e., setting limits on system resource utilization (CPU, memory, network, etc.), protects a VM from performance degradation if another VM consumes excessive hardware resources.
– A guest OS failure has no effect on:
– The ability of users to access the other virtual machines within or outside the network
– The ability of the operational VMs to access the network resources they need.

Management and Client Access Network Isolation
§ Management network isolation must be enforced so that all management operations (for host/network hardware and software, and hypervisors) are carried out securely over a dedicated network segment.
– All management interfaces of the hypervisor and host hardware should be placed in a dedicated virtual network segment, and access to those interfaces should only be allowed from designated subnets in the enterprise network that are privileged for cloud provider administrators.
– All application and guest OS installation and provisioning must be carried out over a dedicated virtual network segment privileged for application and VM/guest OS administrators.
– Management network services must be decoupled from the cloud consumer / guest access network.
§ Client access network isolation must be enforced to assure that all cloud consumer (tenant) traffic is confined to dedicated, authenticated and encrypted connections (ex. SSH, VPN, TLS) to the target resources dedicated to that tenant (ex. VMs/hosts, virtual network and application resources).

Cloud Security Architecture: Building Blocks
Secure Isolation layer, by building block:
– Compute: Physical; Type 1 Hypervisor (VM); Type 2 Hypervisor (VM); Application Containers; Functions
– Network: vNIC, vSwitch; VLAN, PVLAN, VXLAN; IPv4/IPv6 addressing; VPC, Subnet, Gateways; SDN, SR-IOV; Bastion Host, BGP
– Storage
– Application/Data
Cross-cutting layers: Data Protection; Access Control; Monitoring and Auditing

Week 4 Lecture - 2
§ Evolving Cloud Security Architecture
§ Building Secure Multitenancy
§ Secure Isolation Strategies
– Workload Isolation
– Network Isolation
– Storage Isolation
– Application & Data isolation
References / Work Cited
Network Virtualization
http://csrc.nist.gov/publications/nistpubs/800-125/SP800-125-final.pdf
http://www.lantechcom.co.za/global/eng/Support/TT_VLAN.html
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/CLIConfigurationGuide/PrivateVLANs.html
https://www.arista.com/assets/data/pdf/Whitepapers/Arista_Networks_VXLAN_White_Paper.pdf
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Campus/Network_Virtualization/sccsolover.html
https://pubs.vmware.com/vsphere-60/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-60-networking-guide.pdf
Software Defined Networking
https://www.opennetworking.org/sdn-resources/openflow
https://www.opennetworking.org/images/stories/downloads/sdn-resources/white-papers/wp-sdn-newnorm.pdf
CIDR & Subnets
http://cidr.xyz
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html#vpc-subnet-basics
SR-IOV
http://www.intel.com/content/www/us/en/pci-express/pci-sig-sr-iov-primer-sr-iov-technology-paper.html