<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Colin McNamara - CCIE 18233 , VCP, EMCIE, NCDA, GEEK &#187; breach</title>
	<atom:link href="http://www.colinmcnamara.com/technology-tags/breach/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.colinmcnamara.com</link>
	<description>Technical reviews and articles from a CCIE with extensive experience in designing and implementing converged enterprise networks.</description>
	<lastBuildDate>Fri, 13 Jan 2012 19:00:08 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=</generator>
<xhtml:meta xmlns:xhtml="http://www.w3.org/1999/xhtml" name="robots" content="noindex" />
		<item>
		<title>Measuring and mitigating risk involved with sharing virtual infrastructure between DMZ and Internal environments</title>
		<link>http://www.colinmcnamara.com/measuring-and-mitigating-risk-involved-with-sharing-virtual-infrastructure-between-dmz-and-internal-environments/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=measuring-and-mitigating-risk-involved-with-sharing-virtual-infrastructure-between-dmz-and-internal-environments</link>
		<comments>http://www.colinmcnamara.com/measuring-and-mitigating-risk-involved-with-sharing-virtual-infrastructure-between-dmz-and-internal-environments/#comments</comments>
		<pubDate>Tue, 09 Sep 2008 20:36:57 +0000</pubDate>
		<dc:creator>colinmcnamara</dc:creator>
				<category><![CDATA[hyper-v]]></category>
		<category><![CDATA[virtualization]]></category>
		<category><![CDATA[vmware]]></category>
		<category><![CDATA[blog]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[business context]]></category>
		<category><![CDATA[C]]></category>
		<category><![CDATA[CISCO]]></category>
		<category><![CDATA[Colin]]></category>
		<category><![CDATA[compromise]]></category>
		<category><![CDATA[Data Center]]></category>
		<category><![CDATA[DESIGN]]></category>
		<category><![CDATA[device contexts]]></category>
		<category><![CDATA[enhancements]]></category>
		<category><![CDATA[FCOE]]></category>
		<category><![CDATA[HP]]></category>
		<category><![CDATA[Instances]]></category>
		<category><![CDATA[linux]]></category>
		<category><![CDATA[NDA]]></category>
		<category><![CDATA[Network]]></category>
		<category><![CDATA[network infrastructure]]></category>
		<category><![CDATA[Nexus 5020]]></category>
		<category><![CDATA[passed]]></category>
		<category><![CDATA[Pic]]></category>
		<category><![CDATA[risk risk]]></category>
		<category><![CDATA[san]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[storage]]></category>
		<category><![CDATA[switch]]></category>
		<category><![CDATA[threat]]></category>
		<category><![CDATA[TrustSec]]></category>
		<category><![CDATA[virtual device]]></category>
		<category><![CDATA[vlan]]></category>
		<category><![CDATA[vulnerability]]></category>

		<guid isPermaLink="false">http://www.colinmcnamara.com/?p=177</guid>
		<description><![CDATA[Ivan Pepelnjak over at IOS Hints and Tricks wrote a post about DMZ VLAN leaking that got me thinking. He writes about &#8220;the VLAN leaking myth&#8221; and how it encourages clients to utilize physically separate network infrastructure in the DMZ&#8217;s. Now first things first, I wouldn&#8217;t call VLAN leaking a myth. At one time it [...]<p>--Colin McNamara
<br/><br/><a href="http://www.colinmcnamara.com/measuring-and-mitigating-risk-involved-with-sharing-virtual-infrastructure-between-dmz-and-internal-environments/">Measuring and mitigating risk involved with sharing virtual infrastructure between DMZ and Internal environments</a></p>
]]></description>
			<content:encoded><![CDATA[<p>Ivan Pepelnjak over at <a href="http://blog.ioshints.info/2008/09/are-vlans-safe-in-dmz-environment.html" target="_blank">IOS Hints and Tricks </a>wrote a post about DMZ VLAN leaking that got me thinking.</p>
<p>He writes about &#8220;the VLAN leaking myth&#8221; and how it encourages clients to utilize physically separate network infrastructure in the DMZ&#8217;s. Now first things first, I wouldn&#8217;t call VLAN leaking a myth. At one time it was a very real and serious vulnerability that was exploited by overflowing the capacity of the switch you were attacking, and causing it to &#8220;downgrade&#8221; from a switch to a hub. Once this happened you had access to previously protected devices, as well as the ability to sniff data as it passed through the shared hub backplane.</p>
<p>As he mentions though, this was 8 years ago. Most switches have evolved to the point where backplanes far exceed the traffic that could ever be injected into their switchports. Even beyond backplane enhancements there are many ways to further firm up your security stance &#8211; Virtual Device Contexts, not using Layer 3 SVI&#8217;s on a DMZ VLAN, utilizing PVLANs, using port security, virtual routing instances, and many more. Of course, many other attack vectors still remain, but they can be mitigated by utilizing features built into the majority of enterprise switches available today.</p>
<p>I think the real question is not &#8220;are VLANs safe in a DMZ&#8221;. The important question is whether you have mitigated the probability of compromise (the actual threat) to levels that are acceptable to your business. This question remains whether you have a standalone switch or not. So many times we hear about risk, risk and more risk. But risk alone is meaningless in a business context. What is important is combining risk with likelihood. For that I like to use a simple table to come up with the true threat.</p>
<p><a class="thickbox" href="http://www.colinmcnamara.com/wp-content/gallery/breach/risk_grid.gif"><img class="ngg-singlepic ngg-center" src="http://www.colinmcnamara.com/wp-content/gallery/breach/thumbs/thumbs_risk_grid.gif" alt="risk_grid.gif" /></a></p>
<p>For example, as I drive to Fry&#8217;s there is the risk of me dying due to a car crash. The impact of me dying is very high (risk); however, the likelihood of an accident is low, and furthermore I reduce (mitigate) the latent risk (threat) by wearing my seat belt. So all in all the threat of me dying on my way to Fry&#8217;s is pretty darn low.</p>
<p>In a business context this may be that I have public facing web servers and network devices in my DMZ. The impact of them being compromised is that my public image may be tarnished for a short time, and my end users may lose productivity if they are not able to VPN into work, or access the Internet while on premise. I mitigate this risk by using firewalls and both host and network based Intrusion Prevention Systems as well as implementing best security practices on my network and systems devices. The latent risk (threat) remaining is at a level that is acceptable to the business leaders, so the system is allowed.</p>
<p>One question that I have seen coming up more often as we move towards fully virtualized data centers is centered around commingling of virtual infrastructure. There are some hard questions which challenge some practices that we have held true over the years.</p>
<ul>
<li>Should you allow sharing of physical memory on a host virtual machine between an internal and DMZ server?</li>
<li>Should you allow virtual infrastructure from multiple security zones to share a storage array or cluster of arrays?</li>
<li>Should you allow multiple virtual switches in different security zones commingling on the same ESX or Hyper-V cluster?</li>
<li>Should you allow virtual firewall and load balancing instances protecting internal and external zones to reside on the same hardware?</li>
<li>Should you allow virtual routing instances from multiple zones to share a physical infrastructure?</li>
</ul>
<p>In the past world of standalone systems, the additional cost of providing a wholly separate infrastructure for DMZ environments was relatively low. Each system generally had internal disk, or at most direct attached storage. Network devices themselves were scaled down to support one chassis, one function. This fit quite neatly into the Enterprise Composite Network model that was quite common from 1999-2003.</p>
<p>Now, many data centers have moved to the Service Oriented Network Architecture (SONA). In this model the cost of a virtualized data center is primarily focused on foundation elements such as the virtual storage and virtual fabrics, virtualized network, and virtual systems elements. The cost of providing additional virtualized services off these elements is low, however the cost of duplicating the physical infrastructure is quite high on both the capital and operational levels. This is forcing the technical and executive leadership at many companies to take a long hard look at the true threats they are facing in previously physically separate security zones such as DMZ&#8217;s, Financial and other secure zones. In the end, they are having to decide whether the threat remaining after their security controls is worth duplicating hundreds of thousands of dollars worth of infrastructure or not.</p>
<p>These are hard questions, with really no single good answer. My gut feel is that over the next few years we will continue the move towards the fully virtualized data center where components such as memory, PCI-X buses, storage and network devices are even further decentralized. This will make the cost of duplicating the infrastructure more and more significant, causing consolidated data center (or compute) fabrics to be the norm. At this point the discussion will move away from securing zones by creating separate infrastructure, to providing end to end security, starting with integrated application level security, maybe with TrustSec or a derivative, all the way down to securing the data at rest on disk. For the time being however, the best we can do is sit down and do an honest appraisal of our security stances, mitigate what we can, and do our best to design data center architectures that provide the flexibility of implementing whatever choice the technical and business leaders agree on.</p>
<p>--Colin McNamara
<br/><br/><a href="http://www.colinmcnamara.com/measuring-and-mitigating-risk-involved-with-sharing-virtual-infrastructure-between-dmz-and-internal-environments/">Measuring and mitigating risk involved with sharing virtual infrastructure between DMZ and Internal environments</a></p>

]]></content:encoded>
			<wfw:commentRss>http://www.colinmcnamara.com/measuring-and-mitigating-risk-involved-with-sharing-virtual-infrastructure-between-dmz-and-internal-environments/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Encrypting your backup tapes with Cisco Storage Media Encryption (SME)</title>
		<link>http://www.colinmcnamara.com/encrypting-your-backup-tapes-with-cisco-storage-media-encryption-sme/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=encrypting-your-backup-tapes-with-cisco-storage-media-encryption-sme</link>
		<comments>http://www.colinmcnamara.com/encrypting-your-backup-tapes-with-cisco-storage-media-encryption-sme/#comments</comments>
		<pubDate>Sat, 03 May 2008 22:58:37 +0000</pubDate>
		<dc:creator>colinmcnamara</dc:creator>
				<category><![CDATA[CCIE Storage]]></category>
		<category><![CDATA[CISCO]]></category>
		<category><![CDATA[DC3.0]]></category>
		<category><![CDATA[photography]]></category>
		<category><![CDATA[sme]]></category>
		<category><![CDATA[andiamo]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[C]]></category>
		<category><![CDATA[Colin]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[HIPPA]]></category>
		<category><![CDATA[legal]]></category>
		<category><![CDATA[mds]]></category>
		<category><![CDATA[NDA]]></category>
		<category><![CDATA[Provider]]></category>
		<category><![CDATA[san]]></category>
		<category><![CDATA[Sarbanes Oxley]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[SOX]]></category>
		<category><![CDATA[storage]]></category>
		<category><![CDATA[storage media encryption]]></category>
		<category><![CDATA[switch]]></category>
		<category><![CDATA[tape]]></category>
		<category><![CDATA[Technology]]></category>

		<guid isPermaLink="false">http://www.colinmcnamara.com/?p=119</guid>
		<description><![CDATA[IT staff at the University of Miami are having a very bad week. They are having to deal with the fact that two million private health records were stolen from them. While it wasn&#8217;t directly their fault that their backup tapes were stolen from an off site storage provider&#8217;s transport van, the responsibility does [...]<p>--Colin McNamara
<br/><br/><a href="http://www.colinmcnamara.com/encrypting-your-backup-tapes-with-cisco-storage-media-encryption-sme/">Encrypting your backup tapes with Cisco Storage Media Encryption (SME)</a></p>
]]></description>
			<content:encoded><![CDATA[<p style="text-align: left;">IT staff at the University of Miami are having a <a href="http://www.storagenewsletter.com/news/tapes/university-miami-tapes-stolen" target="_blank">very bad week</a>. They are having to deal with the fact that two million private health records were stolen from them. While it wasn&#8217;t directly their fault that their backup tapes were stolen from an off site storage provider&#8217;s transport van, the responsibility does fall on their shoulders to protect sensitive data no matter who has access to the physical media.</p>
<p><img style="vertical-align: middle;" src="http://www.colinmcnamara.com/wp-content/gallery/breach/istock_000003413901xsmall.jpg" alt="" width="425" height="282" /></p>
<p><strong>Legal implications of a breach</strong></p>
<p>Losing control of personal data means more than just replacing a tape in your backup rotation. Laws vary from state to state; however, generally you are required to contact the identity holders who were breached, as well as fund some sort of remediation. This has huge implications for consumer confidence and, at the end of the day, the stock price of your company. In some cases, such as ChoicePoint, a company can be completely decimated by a breach.</p>
<p><strong>Data protection regulations</strong></p>
<p>There are an ever increasing number of regulations that concern the control of sensitive data. These can vary from laws focused on patient data, to financial data, to personal identification data. The most well known laws are HIPAA, GLBA, and Sarbanes Oxley (SOX). Past that there are laws that pop up every day at the state and municipality level that further increase the requirements and expense of dealing with a breach. In short, it is becoming an expensive and in some cases criminal offense to lose control of your sensitive data.</p>
<p><strong>What you can do to protect your backup tapes</strong></p>
<p>First things first, putting a lock on that Iron Mountain box is just not good enough. You must assume that no matter what, a determined attacker will get physical access to your tapes. So many times companies think that just because their data format is unique or proprietary that an attacker won&#8217;t be able to access it. The cold reality is that any format can be read, and yours is not that special.</p>
<p>The only way to be assured that your data is safe is to encrypt it with a complex cipher. In short, you need to treat your data the same way on tape as you would if it was sitting on a public ftp site (with anonymous access enabled). Luckily Cisco has a technology that allows you to encrypt and decrypt your data coming on and off tape. This technology is storage media encryption.</p>
<p><strong>Cisco Storage Media Encryption (SME)</strong></p>
<p>Cisco&#8217;s Storage Media Encryption (SME) technology allows for the seamless encryption of your data flows on and off your backup tapes using AES256 standard encryption. Whether you have VSANs segregating your data, a core / edge architecture, or Virtual Tape Libraries (VTL), you can use SME to protect your data at rest, removing the possibility of an attacker getting access to your critical data.</p>
<p><a href="http://www.cisco.com/en/US/products/ps8502/index.html" target="_blank">Storage Media Encryption</a> works by leveraging a multifunction chipset available in the <a title="18/4 module" href="http://www.cisco.com/en/US/products/ps8425/index.html" target="_blank">18/4 module</a> that comes by default with the 9222i and is an option for the 9500 series director class SAN switches. The chipset has a couple of functions, including line rate encryption of iSCSI and FCIP data streams at gigabit speeds, as well as line rate encryption of data as it streams to your tape or virtual tape libraries (VTL).</p>
<p><strong>Want to learn more?</strong></p>
<p><a title="SAN and NAS" href="http://www.amazon.com/gp/product/0596001533?ie=UTF8&amp;tag=wwwcolinmcnam-20&amp;linkCode=as2&amp;camp=1789&amp;creative=9325&amp;creativeASIN=0596001533" target="_blank">SAN and NAS, O&#8217;Reilly Press</a> &#8211; In the classic O&#8217;Reilly style by W. Curtis Preston, this book is a great starting place for understanding the fundamentals of the SAN and NAS architectures that many people are likely to face.</p>
<p>Storage Media Encryption for Cisco MDS SAN Switches &#8211; <a href="http://www.cisco.com/en/US/products/ps8502/index.html" target="_blank">http://www.cisco.com/en/US/products/ps8502/index.html</a>. Cisco has lumped together a couple good data sheets here, though I may have to write a future article taking a deep dive on what really drives SME.</p>
<p>--Colin McNamara
<br/><br/><a href="http://www.colinmcnamara.com/encrypting-your-backup-tapes-with-cisco-storage-media-encryption-sme/">Encrypting your backup tapes with Cisco Storage Media Encryption (SME)</a></p>

]]></content:encoded>
			<wfw:commentRss>http://www.colinmcnamara.com/encrypting-your-backup-tapes-with-cisco-storage-media-encryption-sme/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Witch fire in San Diego &#8211; Notes from an evacuee</title>
		<link>http://www.colinmcnamara.com/witch-fire-in-san-diego-notes-from-an-evacuee/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=witch-fire-in-san-diego-notes-from-an-evacuee</link>
		<comments>http://www.colinmcnamara.com/witch-fire-in-san-diego-notes-from-an-evacuee/#comments</comments>
		<pubDate>Wed, 24 Oct 2007 13:32:00 +0000</pubDate>
		<dc:creator>colinmcnamara</dc:creator>
				<category><![CDATA[4s ranch rancho bernardo san diego witch fire evacuated]]></category>
		<category><![CDATA[blog]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[C]]></category>
		<category><![CDATA[CCIE]]></category>
		<category><![CDATA[Colin]]></category>
		<category><![CDATA[error]]></category>
		<category><![CDATA[NDA]]></category>
		<category><![CDATA[Pic]]></category>
		<category><![CDATA[san]]></category>

		<guid isPermaLink="false">http://www.colinmcnamara.com/2007/10/24/witch-fire-in-san-diego-notes-from-an-evacuee/</guid>
		<description><![CDATA[On the fire maps of the San Diego Witch fire, we are pretty much under the big red spot (directly under Lake Hodges, to the west of the 15). We moved to 4S Ranch in June, on the intersection of Rancho Bernardo and Ralphs Ranch Road (pretty much right under the big red spot). [...]<p>--Colin McNamara
<br/><br/><a href="http://www.colinmcnamara.com/witch-fire-in-san-diego-notes-from-an-evacuee/">Witch fire in San Diego &#8211; Notes from an evacuee</a></p>
]]></description>
			<content:encoded><![CDATA[<p><a href="http://bp1.blogger.com/_QxPJW2ClDD4/Rx9KhZ9zCEI/AAAAAAAAAAM/q97gsO6mJA4/s1600-h/IMG_8544.JPG" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"><img src="http://bp1.blogger.com/_QxPJW2ClDD4/Rx9KhZ9zCEI/AAAAAAAAAAM/q97gsO6mJA4/s320/IMG_8544.JPG" style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer" id="BLOGGER_PHOTO_ID_5124896838737135682" border="0" /></a></p>
<p>On the fire maps of the San Diego Witch fire, we are pretty much under the big red spot (directly under Lake Hodges, to the west of the 15). We moved to 4S Ranch in June, on the intersection of Rancho Bernardo and Ralphs Ranch Road (pretty much right under the big red spot). We left on Monday at around 10 am with fire on 3 sides of our community. We got out with a couple changes of clothes, important documents, and the kids. Almost everything else is replaceable.</p>
<p style="text-align: center">the fire directly upwind of us, coming up the ridge -</p>
<p style="text-align: center"><a href="http://bp0.blogger.com/_QxPJW2ClDD4/Rx9O7J9zCNI/AAAAAAAAABU/8azOlMw02iw/s1600-h/IMG_8663.JPG" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"><img src="http://bp0.blogger.com/_QxPJW2ClDD4/Rx9O7J9zCNI/AAAAAAAAABU/8azOlMw02iw/s320/IMG_8663.JPG" style="cursor: pointer" id="BLOGGER_PHOTO_ID_5124901679165278418" border="0" /></a></p>
<p>Getting out of 4S Ranch was crazy though; traffic was jammed up through Camino Del Sur, and the police were not helping. We ended up sneaking out through a backroad and coming out through Del Mar. Our final destination (and temporary home base) is the Ramada Plaza hotel in Anaheim.</p>
<p style="text-align: center">The winds were blowing 60 mph +</p>
<p><a href="http://bp3.blogger.com/_QxPJW2ClDD4/Rx9Lu59zCGI/AAAAAAAAAAc/ygsH2LyTrdc/s1600-h/IMG_8558.JPG" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"><img src="http://bp3.blogger.com/_QxPJW2ClDD4/Rx9Lu59zCGI/AAAAAAAAAAc/ygsH2LyTrdc/s320/IMG_8558.JPG" style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer" id="BLOGGER_PHOTO_ID_5124898170176997474" border="0" /></a></p>
<p>While it is rough having to flee from our home, we are much more fortunate than those people stuck at Qualcomm, or Del Mar, etc. While they have been sleeping on the cold cement for two days my family has enjoyed two queen size beds + a fold out couch. Kylie is a little shell shocked, I think fleeing from her home was a bit much, while Chris is just being a normal little two year old terror.</p>
<p style="text-align: center">Fireman going after the fire where it wrapped around our neighborhood -</p>
<p style="text-align: center"><a href="http://bp2.blogger.com/_QxPJW2ClDD4/Rx9Ntp9zCLI/AAAAAAAAABE/65_zslGBNWY/s1600-h/IMG_8637.JPG" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"><img src="http://bp2.blogger.com/_QxPJW2ClDD4/Rx9Ntp9zCLI/AAAAAAAAABE/65_zslGBNWY/s320/IMG_8637.JPG" style="cursor: pointer" id="BLOGGER_PHOTO_ID_5124900347725416626" border="0" /></a></p>
<p>We have also been very fortunate to have many supportive friends. I thank every one of them for all the support and help they have given. It makes things much easier when you know that you aren&#8217;t alone in this struggle. We have a couple standing offers of homes to stay in, a home cooked meal (from the best Mexican food cook I have ever met) waiting for us tonight, clothes / diapers for Chris, pretty much everything we could have wanted.</p>
<p style="text-align: center">The view as we were leaving (sorry about the blur, we were in the truck)<br />
<a href="http://bp0.blogger.com/_QxPJW2ClDD4/Rx9MoJ9zCII/AAAAAAAAAAs/tibEdJl7rJQ/s1600-h/IMG_8582.JPG" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"><img src="http://bp0.blogger.com/_QxPJW2ClDD4/Rx9MoJ9zCII/AAAAAAAAAAs/tibEdJl7rJQ/s320/IMG_8582.JPG" style="cursor: pointer" id="BLOGGER_PHOTO_ID_5124899153724508290" border="0" /></a></p>
<p>During this whole ordeal there have of course been challenges, but I am amazed how everyone is pulling together. In the hour before the police forced the evacuation, neighbors were helping each other with information, people were hopping in trucks and running to help with the fire lines. While it was a post apocalyptic scene with the choking smoke, ash everywhere, and blood red sun, people were helping each other. It is to see the best of people when they are under the worst conditions.</p>
<p style="text-align: center">The blood red Sun<br />
<a href="http://bp1.blogger.com/_QxPJW2ClDD4/Rx9MUZ9zCHI/AAAAAAAAAAk/43mbSQLLN40/s1600-h/IMG_8576.JPG" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"><img src="http://bp1.blogger.com/_QxPJW2ClDD4/Rx9MUZ9zCHI/AAAAAAAAAAk/43mbSQLLN40/s320/IMG_8576.JPG" style="cursor: pointer" id="BLOGGER_PHOTO_ID_5124898814422091890" border="0" /></a></p>
<p>The two big questions every day are &#8211; Is my home still there? and If it is there, when can I go back? As of right now the evacuation order still stands for my neighborhood. It is directly downwind (about 1 kilometer) from the homes in Rancho Bernardo they have been showing on the news. When we left, fire was coming up the ridge that separates our neighborhoods. On signonsandiego.com&#8217;s firemap it looks like we may have been spared, but we are still in the middle and downwind of the major fire. The only thing that will signal a change, an all clear, is for the Santa Ana winds to subside.</p>
<p style="text-align: center">Neighbor taking pictures of the fire prior to the evacuation order<br />
<a href="http://bp2.blogger.com/_QxPJW2ClDD4/Rx9Q6p9zCOI/AAAAAAAAABc/4wHObu_F4t4/s1600-h/IMG_8552.JPG" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"><img src="http://bp2.blogger.com/_QxPJW2ClDD4/Rx9Q6p9zCOI/AAAAAAAAABc/4wHObu_F4t4/s320/IMG_8552.JPG" style="cursor: pointer" id="BLOGGER_PHOTO_ID_5124903869598599394" border="0" /></a></p>
<p>One thing that is important in any emergency is to go through a lessons learned.</p>
<p>The things that worked well were -</p>
<p>1. Having a 4&#215;4, it allowed us to choose creative escape routes, and avoid the possibility of getting stuck in traffic with the fire behind us.</p>
<p>2. Having decent non-perishable snacks (granola, raisins, etc)</p>
<p>3. Having lots of water bottles laying around &#8211; dehydration is a big issue with the dry air.</p>
<p>4. Having travel kits ready &#8211; because I travel a bit, I normally have my carry-on bags prepped.</p>
<p>5. Bringing a toy, and a little video player for Chris &#8211; this saved lots of heartache for everyone</p>
<p>Things that I could have done better -</p>
<p>1. Inspected my wife&#8217;s, daughter&#8217;s, and son&#8217;s bags before we left &#8211; they didn&#8217;t pack enough clothes, my daughter forgot things like underwear, socks, etc.</p>
<p>2. Had the key to the breech lock on my shotgun handy &#8211; I couldn&#8217;t find the key to unlock my weapon. If this would have devolved to Katrina standards then this would have been essential. In retrospect I would have done better with a semi-auto handgun. It is easier to transport and conceal while traveling.</p>
<p>3. I should have had better radios. I am a ham operator, have my license. But I have always used people&#8217;s base stations tethered through the Internet (basically a big IP-based microphone / speaker connected to their transceiver). Ham operators are a godsend in situations like this, and having a mobile unit in my truck would have added valuable information in a time when we had none.</p>
<p>Colin McNamara<br />
CCIE #18233</p>
<p><a href="http://www.colinmcnamara.com" title="Copyright ©2008 | Colin McNamara | CCIE 18233 | All Rights Reserved">Copyright ©2008 | Colin McNamara | CCIE 18233 | All Rights Reserved</a></p>
<p>http://www.2cups.com</p>
<p>&#8220;The difficult we do immediately, the impossible just takes a little longer.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.colinmcnamara.com/witch-fire-in-san-diego-notes-from-an-evacuee/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

