Network hosted kernel virtual machine - Security Day 2017

Redžinalds Knipšis, Systems engineer, Cisco

Posted on 09-Mar-2018

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public

Motivation for Virtualization in the Branch

Physical Branch
• Long, Expensive Roll-Outs
• Under Utilization
• Inflexibility

Virtualized Branch
• Service Agility
• Efficient Resource Utilization
• Opex Savings

NFV Benefits

• Increase revenue by accelerating delivery of new and differentiated services
• Provide on-demand service delivery through customer self-service portals
• Reduce Op-Ex & time-to-service from months to weeks
• Reduction of network elements to manage & deploy
• Operational efficiencies through virtualization
• Service Elasticity & Automated Network Operations
• Deployment of best-of-breed
• Reduce upfront Cap-Ex
• Improve Asset Utilization

Enterprise / Service Provider

Levels of Network Function Virtualization

Integrated Services
• ISR4K + Service Containers (KVM/LXC)
• Native ISR Services + NFV Flexibility
• Reliability with Open Service Hosting

Integrated Services with Dedicated Server
• ISR4K + UCS C/E Series
• Native ISR Services + NFV Hardware
• Separate Administration Domains

Fully Virtualized Branch
• General Purpose X86 Compute
• Full Service Virtualization
• Best-of-Breed Service Options

KVM Hosting on IOS-XE Routers
ISR 4K, ASR1K, CSR1Kv

Application Hosting Spectrum
Different models for different application needs.

Native Process
• Very Tight Integration
• Best Performance

LXC
• Strict Kernel Requirements
• Good performance with some security

Docker
• Emerging Industry Standard
• Future Support

KVM
• Any OS
• Complete separation
• Linux host OS normally – Type 2 hypervisor

Type 1 Hypervisor
• Service Module Only
• VMware, Hyper-V, Xen…

Application Hosting Spectrum (same models as above)

Groupings shown on the slide: Cisco Service Containers, Linux Containers, Open Service Containers

What are Cisco platforms doing?

• IOS XR: Support RPM package installation directly to the system.
• Nexus OS: Support for 3rd party LXC containers. Support for Guest Shell LXC. Future support for Docker containers.
• IOS XE: Open to any 3rd party or custom KVM application on routing platforms. Future plans for Docker support and alignment with IOX. Ultimate flexibility with UCS-E module.
• Classic IOS: IOX program provides an IoT-focused “app store” for KVM applications and scripts as well as Fog Director GUI manager.

Service Containers

What is a Service Container?
Service Containers use virtualization technology (LXC and KVM) to provide a hosting environment on Cisco routers/switches for applications which may be developed and released independent of platform release cycles. A virtualized environment on a Cisco device.

Use Case: Cisco Virtual Services
• Work/Appliance Consolidation
• Lightweight Application Hosting
• Example: ISR4451X-WAAS

Use Case: Third Party Services
• KVM Hosted Applications

Diagram labels: Container, Network OS, Virtual Service

IOS-XE Software Architecture

Diagram labels:
• Linux OS
• KVM/LXC
• IOSd Control Plane
• Cisco Apps (WAAS, Snort)
• Customer and 3rd Party Applications
• Platform-Specific Data Plane
• AppNav
• Internal Services Blade (UCS® E-Series)
• External Services Blade (UCS)
• Virtual Ethernet

Cisco ISR 4400 Series Architecture

• Control Plane (1 core) and Services Plane (3 cores)
• Data Plane (6 or 10 cores)
• Service containers live here: 75% CPU
• IOS-XE: 25% CPU

Diagram labels: Multigigabit Fabric, FPGE, ISC, SM-X, NIM, Service Plane (control plane CPU), KVM - Hypervisor, Service Container

Cisco ISR 4300 Series Architecture

Diagram labels: Service Plane (control plane CPU), KVM - Hypervisor, Service Container (two shown), IOS, Multigigabit Fabric, FPGE, ISC, SM-X, NIM, Data Plane Cores

Note: 4321 uses 2 DP, 1 CP & 1 SC cores

Cisco WAAS
Improve application performance and user experience

Virtual WAAS
• Application acceleration from Private/Virtual Private Cloud
• VMware ESX/ESXi and UCS deployments
• Agile, elastic, multi-tenant deployment
• vCM: common virtualized management for physical/virtual WAAS

ISR-WAAS on ISR 4K
• Integrated on platform
• Full Feature Parity
• Software on-demand provisioning
• No forklift upgrade

WAAS Appliance
• Application acceleration
• Virtual blades in branch offices
• Scalable platforms for range of deployments

Introducing

Product Overview
• Open source intrusion prevention system for real-time traffic analysis
• Lightweight threat defense for price sensitive customers
• Integrated in ISR 4K service container
• IPS/IDS functionality with an IOS IPS look and feel

Positioning IPS/IDS Solution for the WAN

• ISR 4321: Up to 50 Mbps
• ISR 4331: 60 – 140 Mbps
• ISR 4351: 75 – 170 Mbps
• ISR 4451: 115 – 270 Mbps

• Regulatory / PCI Compliance
• Internet guest access
• MSSP
• Direct Internet access to partner sites or public cloud (e.g. Office365, Salesforce.com)
• Full DIA

StealthWatch Learning Network (SLN)

Diagram labels: HQ, ISE, SCA, Branch 1, Branch 2, DLA on ISR (both branches), Security Management, Private/Public Network, Network Edge, Admin, Reputation, IoCs, ThreatGRID, PCAP/Honeypot, Context, ISE pxGrid

Distributed Learning Agent (DLA)
• Data collection: Netflow, DPI (control and data plane, local states)
• Analytics and Learning
• Edge Mitigation: programmed/autonomous (police, shape, recolor, redirect, etc.)
• G2 -> UCS-E blade
• 4K -> container-based

SLN Control Agent (SCA)
• Orchestration and interaction with remote DLAs
• Advanced visualizations
• Centralized policy

Common KVM Use Cases

• Troubleshooting VM: General purpose virtual machine with custom and open-source troubleshooting tools. (Wireshark, Speedtest, etc.)
• Network Functions: Common network functions such as Print Server, Domain Controller, File Storage, etc.
• Analytics: Network Analysis and Application Performance Monitoring without a dedicated probe.
• Device Customization: Augment the capabilities of the host platform in some way. (Custom encryption, business-based routing, specialized API interface)

ThousandEyes
View Across Internal and External Networks

1 Network Ops: WAN, VoIP, DCs
2 Cloud Migration: SaaS and IaaS
3 App Delivery: Website, CDN, DNS, ISP
4 Internet Security: DNS, BGP, DDoS

Diagram labels: Hosting / SaaS Provider, Enterprise Agents, Branch, Data Center, Internet, Consumers, Cloud Agent

ThousandEyes
Troubleshoot, Monitor, Resolve

• Hop-by-hop path visualization from monitoring agents to cloud hosted or internal services

• Actively monitor and troubleshoot any network including branch offices, data centers

• Visualize network and application performance to detect trends and anomalies

CA Unified Infrastructure Management
Unified IT Monitoring Providing Broad Coverage

A unified view and architecture to manage your internal and external infrastructure.

Diagram labels: STORAGE, POWER & COOLING, SERVER, NETWORK, DATABASE, CLOUD, USER EXPERIENCE, APPLICATION, VIRTUALIZATION, BIG DATA, MAINFRAME

MONITOR
• Predictive Analytics
• SLA Compliance
• Dashboards & Reporting
• Intelligent Alerts

CA Unified Infrastructure Management Multi-Site Deployment

UNIFIED MONITORING OF PUBLIC AND PRIVATE IT ENVIRONMENTS

Diagram labels:
• Remote Site 1: Relay Hub, Servers w/ Robots
• Remote Site 2: Relay Hub, Servers w/ Robots
• Primary Datacenter: Primary Hub, Secondary Hub, Data Repository

UIM Reference Architecture

Location 1, Location 2, Location 3 (each shows the same labels):
• ISR 4400/4300
• KVM Relay Hub
• KVM Polling Robot
• Servers w/ Robots
• Network Infrastructure

UIM CORE
• UIM Portal
• UIM DB
• UIM Primary HUB

Recommended Probe Technologies included with ISR UIM OVAs:
• CDM/RSP
• SNMPC
• UCS
• URL Response
• Net Connect
• DNS Response
• XenApp
• e2e appmon

Virtual Image Requirements:
• Relay Hub: 1 CPU – Quad Core, 8GB Memory. Redhat/CentOS 6 or 7.
• Polling Robot: 1 CPU – Quad Core, 8GB Memory. Redhat/CentOS 6 or 7.

Ned.io – Open Source Service Container
http://www.nedi.ch/running-nedi-on-a-cisco-router/

• Network Discovery, Operation and Management
• Open application built without any Cisco involvement.
• Terrific option for low-footprint branch management.

ISR4K Services Core Specifications (For Your Reference)

Platform            | Service Cores | Speed (GHz) | Relative Compute Power | Min Additional DRAM | Min Additional SSD | Min Additional HDD
ISR4451 (Gladden)   | 3             | 2           | 6P                     | 4GB                 | 200GB              | 1TB
ISR4431 (Gladden)   | 3             | 1           | 3P                     | 4GB                 | 200GB              | 1TB
ISR4351 (Rangeley)  | 3             | 2.4         | 3P                     | 4GB                 | 50GB               | 1TB
ISR4331 (Rangeley)  | 3             | 2.0         | 2.5P                   | 4GB                 | 50GB               | 1TB
ISR4321 (Rangeley)  | 1             | 2.4         | P                      | 4GB                 | 50GB               | 1TB
UCS-E NIM           | 4             | 1.6         | 2.6P                   | N/A                 | N/A                | N/A
UCS-E EHWIC         | 2             | 1.6         | 1.3P                   | N/A                 | N/A                | N/A

Normalize to Rangeley 2.4 GHz core = 1P
Gladden 1GHz = Rangeley 2.4 GHz

What do I need to add to an ISR4K system?

Memory
• Service Containers (currently) REQUIRE additional DRAM beyond the 4GB system default
• Additional DRAM beyond 4GB will be available to a KVM application
    • Example: 8GB DRAM will have 4GB available to Service Containers
    • Example: 16GB DRAM will have 12GB available to Service Containers

Storage
• No storage is included by default and applications do not have access to bootflash.
• Options include internal MSATA SSD on 4300 Series, NIM-SSD or NIM-HD on all ISR4K.
• Smaller sizes and lower reliability SSD options at lower price will be available in CY15.

Note: ASR1K/CSR requirements will be different.

Storage Options

NIM-SSD:
• 1 or 2 hot-swappable 200GB SSD drives
• 100GB and 400GB options

SSD-MSATA-50G & SSD-MSATA-200G:
• Doesn’t consume a NIM slot!
• Embedded 50GB/200GB SSD storage
• Not available on 4431/4451

Unique Requirements for IOS XE Service Containers

• YAML (derived from LibVirt XML) header file(s) within the OVA
    • Outlines the resource requirements for the application so the system knows what to do with it.
    • Memory, storage, CPU shares, CDROM ISO, etc.
• Properly formatted disk image
    • Supported formats are qcow2, raw and raw with Cisco capacity XML tag
• IDE virtio driver within the VM kernel for disk access
• Optional TTY0 and TTY1 specification for console/aux connection

Mandatory Service Container OVA Contents

• YAML Descriptor File Defining:
    • Number of VCPUs and Share of CPU cycles
    • Memory
    • Disks including size and source image if applicable
    • Virtual NICs
    • Console/Aux connectivity

• Disk Image – One or more disk image files.
    • ISO: Supported for read-only file systems like a CDROM.
    • RAW: Supported for read-write file systems.
    • QCOW2: Supported for read-write with compression. Longer initial install time but much smaller disk images as a result of compression. Generally the recommended format for standard disk images.

• Manifest File – Simple text file with the SHA1 hash for all files in the OVA.

• Version File – Simple text file with application version number.

Example YAML File

    manifest-version: 1.0

    # App Info & Definition
    info:
      name: kvm_prof_2
      description: "KVM Montavista Test Distro"
      version: 1.0
      author-name: Cisco Systems, Inc.
      author-link: "http://www.cisco.com"

    app:
      # Indicate app type (vm, paas, lxc etc.,)
      apptype: vm

      # Memory/CPU Reservation
      resources:
        cpu: 6
        memory: 262144
        vcpu: 1

        # Disk(s) Definition
        disk:
          - target-dev: hdc
            file: montavista.iso
          - target-dev: sda
            file: kvm_storage_4000MB.img
            upgrade-model: ha-sync

        # Ethernet Interfaces
        interfaces:
          - target-dev: net1
            alias: net1
          - target-dev: net2
            type: management

        # Serial Devices
        serial:
          - serial
          - console

      # Specify runtime and startup (Boot Details)
      startup:
        runtime: kvm
        boot-dev: cdrom

Example libvirt.xml File

    <domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0' id='1'>
      <name>ubuntuserver</name>
      <uuid>cdc7b1e3-4a61-8452-98cd-2932f8d781da</uuid>
      <memory>262144</memory>
      <currentMemory>262144</currentMemory>
      <vcpu>1</vcpu>
      <os>
        <type arch='x86_64' machine='pc-0.12'>hvm</type>
        <boot dev='hd'/>
      </os>
      <features>
        <acpi/>
        <pae/>
      </features>
      <clock offset='localtime'/>
      <on_poweroff>destroy</on_poweroff>
      <on_reboot>restart</on_reboot>
      <on_crash>destroy</on_crash>
      <devices>
        <emulator>/usr/bin/qemu-kvm</emulator>
        <disk type='file' device='disk'>
          <driver name='qemu' type='qcow2'/>
          <source file='UbuntuServer.qcow2'/>
          <target dev='hdb' bus='virtio'/>
          <alias name='virtio-0-0-4'/>
          <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
        </disk>
        <controller type='ide' index='0'>
          <alias name='ide0'/>
          <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
        </controller>
        <interface type='network'>
          <mac address='52:54:00:89:c4:96'/>
          <source network='default'/>
          <target dev='net1'/>
          <model type='virtio'/>
          <alias name='net1'/>
          <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
        </interface>
        <serial type='tcp'>
          <source mode='bind' host='' service='4444'/>
          <target port='0'/>
          <protocol type='telnet'/>
          <alias name='serial0'/>
        </serial>
        <serial type='tcp'>
          <source mode='bind' host='' service='4445'/>
          <target port='1'/>
          <protocol type='telnet'/>
          <alias name='serial1'/>
        </serial>
        <serial type='unix'>
          <source mode='bind' path='syslog'/>
          <target port='2'/>
          <alias name='serial2'/>
        </serial>
        <serial type='unix'>
          <source mode='bind' path='logger'/>
          <target port='3'/>
          <alias name='serial3'/>
        </serial>
      </devices>
      <qemu:commandline>
        <qemu:arg value='-cpu'/>
        <qemu:arg value='host'/>
        <qemu:arg value='-device'/>
        <qemu:arg value='usb-tablet'/>
      </qemu:commandline>
    </domain>

Potential Security Holes

Same VM Definition as Previous Slide
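The slide marks parts of this libvirt definition as potential security holes, but the transcript does not say which. The added example below (not Cisco's code) audits a domain definition for settings a reviewer would commonly question in package-supplied XML; the rule names, the function `audit_domain` and the choice of checks are assumptions of this example, and the sample input is abridged from the slide.

```python
import xml.etree.ElementTree as ET

QEMU_NS = "http://libvirt.org/schemas/domain/qemu/1.0"
WILDCARD_HOSTS = {"", "0.0.0.0", "::"}

# Abridged copy of the slide's domain definition, used as sample input.
SLIDE_DOMAIN_XML = """\
<domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
  <name>ubuntuserver</name>
  <devices>
    <emulator>/usr/bin/qemu-kvm</emulator>
    <disk type='file' device='disk'>
      <source file='UbuntuServer.qcow2'/>
      <target dev='hdb' bus='virtio'/>
    </disk>
    <serial type='tcp'>
      <source mode='bind' host='' service='4444'/>
      <protocol type='telnet'/>
    </serial>
    <serial type='unix'>
      <source mode='bind' path='syslog'/>
    </serial>
  </devices>
  <qemu:commandline>
    <qemu:arg value='-cpu'/>
    <qemu:arg value='host'/>
    <qemu:arg value='-device'/>
    <qemu:arg value='usb-tablet'/>
  </qemu:commandline>
</domain>
"""


def audit_domain(xml_text):
    """Return a list of (rule, detail) findings for one libvirt domain."""
    # Refuse DTDs up front: entity declarations have no place in a package
    # descriptor and are the vehicle for entity-expansion attacks on parsers.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not accepted")
    root = ET.fromstring(xml_text)
    findings = []

    for serial in root.iter("serial"):
        source = serial.find("source")
        if serial.get("type") != "tcp" or source is None:
            continue
        port = source.get("service", "?")
        # mode='bind' makes QEMU the listener; an empty or wildcard host
        # exposes the guest console on every address of the host.
        if source.get("mode") == "bind" and source.get("host", "") in WILDCARD_HOSTS:
            findings.append(("serial-listens-on-all-addresses", port))
        protocol = serial.find("protocol")
        proto = protocol.get("type", "raw") if protocol is not None else "raw"
        if proto in ("telnet", "raw"):
            findings.append(("serial-cleartext-" + proto, port))

    # <qemu:commandline> hands extra arguments straight to the emulator,
    # outside whatever the rest of the definition was validated against.
    args = [arg.get("value", "") for arg in root.iter("{%s}arg" % QEMU_NS)]
    if args:
        findings.append(("qemu-commandline-passthrough", " ".join(args)))

    # Host paths chosen by the package: the emulator binary, and any disk
    # source that is absolute or climbs out of the package directory.
    emulator = root.findtext("devices/emulator")
    if emulator:
        findings.append(("package-selects-host-binary", emulator))
    for src in root.iter("source"):
        path = src.get("file")
        if path and (path.startswith("/") or ".." in path.split("/")):
            findings.append(("disk-path-outside-package", path))
    return findings


if __name__ == "__main__":
    for finding in audit_domain(SLIDE_DOMAIN_XML):
        print(finding)
```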


Useful Open Source Tools for Developers

virt-manager – GUI Linux tool for creating and managing VMs.

qemu-img – Useful tool for converting disk images.
    Example: qemu-img convert -p -c -f raw -O qcow2 <raw.img> <qcow2.img>

openssl – Generates manifest file.
    Example: openssl sha1 *.qcow2 *.ver *.yaml > vm.mf

tar – An OVA is nothing more than a tar file with a fancy name.
    Example: tar -cvf VM.ova vm.qcow2 platform.xml 4300.xml 4400.xml vm.mf

create_ova.sh – Cisco script to help build an ova in one step.
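The manifest described under "Mandatory Service Container OVA Contents" and generated with `openssl sha1` above can be checked before a package is installed. This added example (not Cisco's code or the create_ova.sh script) re-hashes every member of an OVA and compares it with the manifest; the function names and the sample file contents in the test are constructed for illustration. Because the manifest travels inside the same archive, a match shows the files were not corrupted, not that the package comes from a trusted source.

```python
import hashlib
import io
import re
import tarfile

# Line format printed by `openssl sha1 <files>`: SHA1(name)= <40 hex digits>
MANIFEST_LINE = re.compile(r"^SHA1\s*\((?P<name>.+)\)\s*=\s*(?P<digest>[0-9a-fA-F]{40})$")


def parse_manifest(text):
    """Return {filename: lowercase sha1 hex} from an openssl-style manifest."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        match = MANIFEST_LINE.match(line.strip())
        if match is None:
            raise ValueError("manifest line %d is not 'SHA1(name)= digest'" % lineno)
        entries[match["name"]] = match["digest"].lower()
    return entries


def sha1_stream(fileobj):
    """Hash in 1 MiB chunks so large disk images are never held in memory."""
    digest = hashlib.sha1()
    for chunk in iter(lambda: fileobj.read(1 << 20), b""):
        digest.update(chunk)
    return digest.hexdigest()


def verify_ova(ova_file):
    """Check an OVA (plain tar, binary file object); return sorted (name, problem) pairs."""
    problems, digests, manifest_text = [], {}, None
    with tarfile.open(fileobj=ova_file, mode="r:") as tar:
        for member in tar:
            # A package is a flat set of regular files. Links, devices and
            # names containing a path separator are reported, never opened.
            if not member.isfile() or "/" in member.name:
                problems.append((member.name, "unexpected member type or path"))
                continue
            content = tar.extractfile(member)
            if member.name.endswith(".mf"):
                manifest_text = content.read().decode("utf-8")
            elif member.name in digests:
                problems.append((member.name, "duplicate archive entry"))
            else:
                digests[member.name] = sha1_stream(content)
    if manifest_text is None:
        return sorted(problems + [("<manifest>", "missing")])
    expected = parse_manifest(manifest_text)
    for name, digest in digests.items():
        if name not in expected:
            problems.append((name, "not listed in manifest"))
        elif expected[name] != digest:
            problems.append((name, "SHA1 mismatch"))
    for name in expected.keys() - digests.keys():
        problems.append((name, "listed but absent from archive"))
    return sorted(problems)


def build_ova(files):
    """Pack {name: bytes} into an in-memory tar (helper for constructed samples)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


def make_manifest(files):
    """Produce the manifest text `openssl sha1` would print for these files."""
    return "".join("SHA1(%s)= %s\n" % (n, hashlib.sha1(d).hexdigest()) for n, d in files.items())
```

For a package on disk, pass an open binary file, for example `verify_ova(open("VM.ova", "rb"))`; an empty list means every file is listed and every digest matches.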


Service Container Install/Monitor Commands

Virtual-Service Install/Monitor:

    ! Install an OVA to disk
    ISR4K# virtual-service install name testapp package bootflash:testapp.ova

    ! Show current status including application install progress
    ISR4K# show virtual-service list
    ISR4K# show virtual-service detail name testapp

    ! Connect a virtual terminal to the application serial port (if supported)
    ISR4K# virtual-service connect name testapp aux|console

Service Container Configure & Activate Commands

Virtual-Service Configuration:

    ! New Global-Level Structure
    virtual-service
     ! Single command to disable signing
     signing level unsigned
    !
    ! Up to 32 virtual interfaces to OVS
    interface virtualportgroup 1
     ip address 10.0.0.1 255.255.255.0
    !
    ! Application Instance Configuration
    virtual-service testapp
     ! One or more interfaces per application
     vnic gateway virtualportgroup 1
      ! Optional guest interface configuration
      guest ip address 10.0.0.2
     ! Activate an installed & configured App
     activate

Cisco Fog Director: App Life Cycle Management, App Management & Monitoring at Scale

Easy to use
• Simplified application lifecycle management
• Stand-alone UI, or may be integrated into 3rd party applications through RESTful APIs

Managing Application Resources
• Tracks IOx resource utilization (CPU, Memory, BW)
• Display per application and per device historical trends
• Establish per application status frequency from the onboard agent

Manage Application Lifecycle
• Stage the application image within the local application catalog
• Push changes to end-points
• Detailed application rollout tracking

Cisco Fog Director: Application Dashboard

Enables management of application deployment to the edge devices at scale

• View of installed Apps
• Instant status of Apps running
• Resource consumption dashboard
• Apps that are ready to deploy
• Apps that have not cleared deployment readiness yet

Cisco Fog Director: Application Dashboard
Drilling down on deployed applications

Cisco Fog Director: Application Monitoring view

Monitor deployed applications at scale

• App Deployed on devices
• Apps Success & Failure view
• App Device monitor
• Apps resource monitor

Cisco Fog Director: Troubleshooting
Drilling down into devices and application logs

Cisco Fog Director: Device-centric Dashboard

• Device Resource view
• Last heard status
• Device IP & Configuration
• Device View and association
• Adding new devices

BRKARC-2014

Open Service Container Support Model

Diagram labels: Linux OS, KVM/LXC, IOSd Control Plane, WAAS, Customer and 3rd Party Applications, Platform-Specific Data Plane, Virtual Ethernet

Cisco Support: Call TAC and they’ll help you out.
Third Party & Community Support: TAC will redirect you.

Cisco DevNet Provides:
• Community support for developers
• Documentation
• Developer Tools
• Access to Cisco Engineers
• Sample open source VMs
• Share open source projects
• Examples from Cisco Engineers

Future Development

• RAM Disks – will allow apps with low storage requirements to keep their disk images on bootflash
• Default DRAM – Support for lightweight applications in default 4GB memory.
• VM Configuration – User can overwrite the VM specifications from the YAML file (CPU, DRAM, NICS, etc) through configuration commands.
• Docker – Support standard Docker containers in addition to KVM.
• Fog Director – Support the same app-store model and deployment GUI as IOX applications in IOS XE 16.3.
• VBO/NSO Orchestration – Integration with Elastic Service Controller and NSO for consistent orchestration with other Cisco NFV products.
• Layer 2 Redirect/Chaining – Bridging/Redirect from data plane interfaces as well as L2 VLAN switching between Service Containers.

UCS E-Series

Cisco UCS E-Series DC-class Servers

Cisco UCS® E140S
• Service module
• VMware, Hyper-V, Citrix certified
• Intel E3 4 core processor
• 16GB DRAM

Cisco UCS® E160S
• Single-Wide Service module
• VMware, Hyper-V, Citrix certified
• Intel Broadwell 6 core processor
• 32GB DRAM
• USB 3.0 & 10Gb Interface

Cisco® UCS E160D
• Double-Wide Service Module
• VMware, Hyper-V, Citrix certified
• Intel E5 6 core processor
• 96GB DRAM

Cisco UCS E180D
• Double-Wide Service Module
• VMware, Hyper-V, Citrix certified
• Intel E5 8 core processor
• 96GB DRAM

Diagram labels: Performance, Scalability, Intel Broadwell, Intel Ivy Bridge

Cisco UCS E-Series Network Compute Engine
Compact, Multipurpose Blade Housed in 4000 Series ISR - Cisco UCS EN140N M2

• Up to 8 GB RAM
• Intel® Atom quad-core processor
• One 2GB SD card for CIMC
• 50, 100, 200 GB mSATA SSD options
• Dedicated management port
• One external Gigabit Ethernet port / Two internal Gigabit Ethernet ports
• KVM console connector
• USB 2.0 port for external device connectivity

Cisco UCS E-Series Servers Support Model

Hardware Support Provided by Cisco
• Cisco UCS® E-Series hardware supported under ISR G2 SMARTnet® at no additional cost
• Hypervisor and OS supported by hypervisor and OS vendor

Diagram labels: ISR, Cisco® UCS E-Series Server Module, Hypervisor
• Supported by Cisco SMARTnet
• Attached to ISR G2
• Supported by OS / hypervisor vendor
• Purchased separately

Enterprise NFV

Introducing Cisco Enterprise NFV
Network Services in Minutes, on Any Platform

• Cisco Enterprise Service Automation (ESA) on APIC-EM
• Virtual Router (ISRv)
• Virtual Firewall (ASAv)
• Virtual WAN Optimization (vWAAS)
• Virtual Wireless LAN Controller (vWLC)
• Third-Party VNFs
• Network Functions Virtualization Infrastructure Software (NFVIS)
• Cisco 4000 Series ISR + UCS® E-Series
• Cisco® UCS C-Series

Automated Orchestration, Management, Policy
Cisco Enterprise Service Automation (ESA)

• Zero-touch deployment
• Automated orchestration of platform and VNFs
• Service chaining and licensing

• Health monitoring
• Dynamic scaling of services
• Operational SLA management

• Create standard profiles for different types of branches
• Cisco® tested and validated designs
• Embedded approval process and versioning

Links
WAY MORE INFO:

What the Heck is a Service Container?
http://cs.co/9001BnlDN

Fundamentals of Service Containers (Techwise Video)
http://cs.co/9004BnlDA

Wireshark on the Catalyst 4500
http://cs.co/9002BnlD4

Virtual Service Container Config Guide (NXOS & IOSXE)
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus/openflow/b_openflow_agent_nxos_1_3/Virtual_Services_Container.pdf

Dcloud demo platform
http://dcloud.cisco.com

More Information: Cisco DevNet
https://developer.cisco.com/site/kvm

• Online community for developers
• Direct access to Cisco Engineers and Product Teams
• Repository of how-to guides, best practices and sample code
• This will be the primary source for Service Container information and sample OVAs
• Due to Cisco support requirements, VMs will not be posted to Cisco.com directly.
• Keep an eye out for a Service Container Hackathon with fabulous prizes!

Product Specifications Comparison (For Your Reference)

                     | ISR 4000 Series with Container | ISR 4000 Series with UCS-E | ENCS 5400 Series
Architecture         | Embedded IOS-XE Container for light-weight applications | Dedicated x86 blade server for applications | Shared x86 platform for Routing & hosted applications
Legacy WAN           | Multiple | Multiple | Single
4G / LTE Support     | Yes | Yes | Yes
TDM Voice            | Yes | Yes | No
Switch-ports         | 72 | 64 | 8
Routing Throughput   | 2 Gbps | 2 Gbps | 1 Gbps

Resources for Applications
CPU Cores            | 1-3 | 8 | 9
RAM                  | 12 GB | 96 GB | 64 GB
Disk                 | 800 GB | 6 TB | 4 TB disks + 400 GB SSD
OS / Hypervisors     | IOS-XE with embedded KVM | VMware ESXi, Microsoft HyperV & Citrix XenServer and more… | NFVIS with embedded KVM

Enterprise Networks Joins Customer Connection Program
Virtual Customer User Group Program

19,000+ Members Strong

• Who can join: Cisco customers & partners

• Private online community to connect customers with peers & Cisco’s Enterprise Networking product teams

• Monthly technical & roadmap briefings via WebEx

• Opportunities to influence product direction

• New member thank you gift* & badge ribbon when you join in the Digital Arcade

• Other CCP tracks: Security & Collaboration

Join in World of Solutions
Digital Arcade → Customer Connection stand
• Learn about CCP and Join
• New member thank-you gift*
• Customer Connection Member badge ribbon

Join Online
www.cisco.com/go/ccp

Come to Digital Arcade to get your new member gift* and ribbon

* While supplies last

Other Sessions

BRKARC-3001 Cisco Integrated Services Router - Architectural Overview Monday 1:30PM

BRKARC-3111 Deploying Cisco Smart Software Licensing Enabled Products Monday 1:30PM

LTRRST-3003 Dr. Evil's secret VIRL hands-on Lab Tuesday 1PM

BRKRST-2041 WAN Architectures and Design Principles Wednesday 8AM

BRKCRS-2006 Creating the Virtual Edge: Cisco Enterprise NFV Wednesday 8AM

BRKCRS-3447 Network Function Virtualization for Enterprise Networks Thursday 8AM

BRKARC-2091 Emerging Trends in Branch Office Architectures Thursday 10:30AM

BRKRST-3336 WAN Virtualization Using Over-the-Top (OTP) Thursday 10:30AM


Thank you