High-Availability Security

  • Pages: 14 (3399 words)
  • Published: November 21, 2011
Data Center Security
Rally Tecnológico
Pablo Mollinger

Systems Engineer
© 2010 Cisco and/or its affiliates. All rights reserved.

Cisco Chile – April 2011

Cisco Confidential


• Security Trends and Threats in the Data Center
• Security at the Data Center Access Layer
  Physical Environments
  Virtualized Environments
• Security at the Data Center Distribution/Core Layer


• Support key DC switching virtualization Features
• Optimal Integration of Network Security Services
• Understanding Security & Server Virtualization
• Data Centric Policy Enforcement with Zones
• Data Center Compliance


• Highly Scalable: Processes Massive Workloads
• Dynamic: Delivers On-Demand Services
• Intelligent: Supports Different Applications and Data Types
• Security: Requires the Same Demands

[Figure: Cisco Data Center Business Advantage Framework (Consolidation, Virtualization, Automation, and Cloud). Layers: Unified Fabric, Unified Network Services, Unified Computing. Partner Solution Elements: App, Desktop O/S, Desktop Virtualization, Storage, VDI Broker, Hypervisor.]

Legacy
• Accidental Architectures
• Applications deployed in fixed positions (e.g. multi-tier deployment)
• Predictable traffic flows
• Security often deployed to each pod or silo

Virtual
• Data Center and Server Consolidation
• Server Virtualization
• “Any workload on any server”
• Unpredictable traffic flows as workloads migrate
• Security becomes more data centric (no silos)


• Virtualization
• Applications
• Data Loss
• Compliance
• Availability


[Figure: Transactional Domain server farm. Labels: Web Servers, Component Servers, Application Server, Database Servers, Backup, Cluster Interconnect.]

• The server farm uses load distribution and security for transactional applications, which are applicable to typical DMZ applications: SMTP servers / DNS servers

OWASP = Open Web Application Security Project http://www.owasp.org

• A1: Injection Flaws
• A2: Cross Site Scripting (XSS)
• A3: Broken Authentication and Session Management
• A4: Insecure Direct Object Reference
• A5: Cross Site Request Forgery (CSRF)
• A6: Security Misconfiguration
• A7: Insecure Cryptographic Storage
• A8: Failure to Restrict URL Access
• A9: Insufficient Transport Layer Protection
• A10: Unvalidated Redirects and Forwards

[Chart: Percentage of Websites Vulnerable by Class (Top 5). Source: WhiteHat Security]

Hacking the Web/Application Server

[Figure labels: Layer 2 Segment, HTTP, Web Server, Web/Application, Database]

• After a phase of probing/scanning, the hacker detects the vulnerability of the web/application server
• The hacker exploits the...