NWS Chapter 7: Virtualization and Cloud Computing


NFV (Network Functions Virtualization)

Merging physical and virtual network architecture. We've seen how a single workstation can host many VM workstations or servers, each with its own network connection, operating system, and applications. Networking devices can also be virtualized. For example, instead of purchasing an expensive hardware firewall to protect a LAN, suppose you were to install a firewall's operating system in a VM on an inexpensive server. Suppose you also install a router VM on that server instead of purchasing an expensive hardware router. You've now provided your network with two sophisticated, virtualized devices, a virtual firewall and a virtual router, on one inexpensive server instead of paying for two expensive, dedicated devices. Note that both functions now share one host's hardware and hypervisor, so the host becomes a single point of failure and the separation between the firewall and the router is only as strong as the hypervisor's isolation.

Pros and Cons of Virtualization

Pros:
- efficient use of resources
- cost and energy savings
- fault and threat isolation
- simple backups, recovery, and replication
Cons:
- compromised performance
- increased complexity
- increased licensing costs
- single point of failure

hybrid cloud

A combination of the other deployment models (private, public, or community) into a single deployment, or a collection of services connected within the cloud. In the real world, the hybrid cloud infrastructure is a common result of transitory solutions. (In IT, "solution" refers to a product, service, or combination of products and services, and often includes extra features such as ongoing customer service.) An example of a hybrid cloud by design might arise when a company stores data in a private cloud, but uses a public cloud email service.

digital certificate

A person or a business can request a digital certificate, which is a small file containing that user's verified identification information and the user's public key, signed by the issuer so that anyone holding the issuer's public key can check that the binding between identity and key has not been altered. The digital certificate is issued, maintained, and validated by an organization called a CA (certificate authority). The use of certificate authorities to associate public keys with certain users is known as PKI (public key infrastructure).

console server or console router

A single device, such as a console server or console router, provides centralized management of all linked devices.

DTLS (Datagram Transport Layer Security)

A variant of TLS is DTLS (Datagram Transport Layer Security), which is designed specifically for streaming communications. As the name implies, DTLS relies on UDP instead of TCP, which minimizes delays. However, applications using DTLS must provide their own means of packet reordering, flow control, and reliability assurance. DTLS includes security levels that are comparable to TLS and is commonly used by delay-sensitive applications such as VoIP and tunneling applications such as VPN. You'll learn more about VPNs later in this chapter.

RAS (remote access server)

All types of remote access techniques connecting to a network require some type of RAS (remote access server) to accept a remote connection and grant it privileges to the network's resources. Also, software must be installed on both the remote client and the remote access server to negotiate and maintain this connection.

FTPS (FTP Security or FTP Secure)—

An added layer of protection for FTP using SSL/TLS that can encrypt both the control and data channels. Recall that FTP listens at port 21, which is the command (control) channel. Data is usually transferred over port 20 in active mode, or over a server-chosen port in passive mode. FTPS comes in two forms. Explicit FTPS listens at port 21 like plain FTP and upgrades the connection to TLS when the client sends the AUTH TLS command. Implicit FTPS uses TLS from the first byte on separate ports: by default, 990 for the control channel and 989 for the data channel. In either form, FTPS can also be configured to negotiate its data ports within a predefined range each time it makes a connection. Because the negotiated data port is exchanged inside the now-encrypted control channel, a firewall cannot read it to open a pinhole, which is why FTPS can be difficult to configure through a firewall; pinning the passive port range and opening that range explicitly is the usual workaround. You can configure the vsftpd app to support FTPS, as it is based on the original FTP standards.
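As an added example (not from the textbook or the vsftpd project), the following vsftpd.conf fragment enables explicit FTPS on port 21 with a pinned passive port range so that a stateful firewall can be configured with one fixed rule. The certificate and key paths are assumptions; the option names are vsftpd's own.

```ini
# Explicit FTPS: still listen on 21, upgrade to TLS on AUTH TLS.
ssl_enable=YES
implicit_ssl=NO
# Refuse plaintext logins and plaintext data transfers for local users.
force_local_logins_ssl=YES
force_local_data_ssl=YES
allow_anon_ssl=NO
# Disable the broken protocol versions; keep only TLS.
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
ssl_ciphers=HIGH
# Some clients cannot resume the control-channel TLS session on the data channel.
require_ssl_reuse=NO
# Assumed paths; replace with the server's certificate and private key.
rsa_cert_file=/etc/ssl/certs/ftps.example.com.pem
rsa_private_key_file=/etc/ssl/private/ftps.example.com.key
# Pin the passive data ports so the firewall can open exactly this range.
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50100
```

With this in place the firewall needs inbound TCP 21 plus TCP 50000-50100; without the pinned range it would have to allow any high port, because it cannot read the PASV reply inside the TLS-protected control channel.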

DMVPN (Dynamic Multipoint VPN)

An enterprise-wide VPN can include elements of both the client-to-site and site-to-site models. A particular type of enterprise VPN using Cisco devices, called DMVPN (Dynamic Multipoint VPN), dynamically creates VPN tunnels between branch locations as needed rather than requiring constant, static tunnels for site-to-site connections. In this configuration, as shown in Figure 7-27, a hub router sits at the headquarters location, and each remote office has a spoke router. Usually, when hosting enterprise VPN connections, the involved gateways all need static IP addresses from the ISP. With DMVPN, however, only the hub router needs a static public IP address. The spoke routers can communicate with the hub router to create VPN tunnels as needed, even from a spoke router to a spoke router

SaaS (Software as a Service)

Applications are provided through an online user interface and are compatible with a variety of devices and operating systems. Online email services such as Gmail and Yahoo! are good examples of SaaS, as are CRM (customer relationship management) apps, such as Salesforce and Zoho. Google offers an entire suite of virtual software applications through Google Drive and their other embedded products. Except for the interface itself (the device and whatever browser software is required to access the website), the vendor provides every level of support from network infrastructure through data storage and application implementation. Here we see the full capability of pizza provider services. The restaurant provides the crust and all the ingredients, bakes it for us, and serves it directly to the table that they also have provided. We had to get ourselves to the restaurant, but we didn't need to bring anything to make it all work (except our payment, of course), and they do the cleanup after we leave. This is similar to applications you run online, like email, office productivity apps, or CRM software

remote access

As a remote user, you can connect to a network and its resources via remote access, which is a service that allows a client to connect with and log on to a server, LAN, or WAN in a different geographical location. After connecting, a remote client can access files, applications, and other shared resources, such as printers, like any other client on the server, LAN, or WAN. To communicate via remote access, the client and host need a transmission path plus the appropriate software to complete the connection and exchange data.

vSwitch (virtual switch)

As soon as the virtual machine's vNIC is selected, the hypervisor creates a connection between that VM and the host. Depending on the hypervisor, this connection might be called a bridge or a switch. This vSwitch (virtual switch) or bridge is a logically defined device that operates at the Data Link layer to pass frames between nodes. Thus, it can allow VMs to communicate with each other and with nodes on a physical LAN or WAN.

PaaS (Platform as a Service)

Developers often require access to multiple platforms during the development process. A platform in this context includes the operating system, the runtime libraries or modules the OS provides to applications, and the hardware on which the OS runs. Rather than purchasing and maintaining a separate device for each platform, another option is to subscribe to PaaS services. Developers can build and test their applications within these virtual, online environments, which are tailored to the specific needs of the project. Alternatively, an organization's entire network might be built on platform services provided by a vendor. Any platform managed by a vendor resides on the vendor's hardware and relies on their uptime and accessibility to meet performance parameters. However, the customers are responsible for their own applications and/or data storage, including maintaining backups of the data. In our pizza analogy, this is the delivery option. You decide on the crust and toppings, the restaurant bakes it for you, and then they bring it to your front door within 30 minutes. You provide your own table and do the cleanup after dinner. Google Cloud Platform (cloud.google.com) is a good example of PaaS. They offer pre-built VMs where you can immediately start installing and testing software.

vNIC (virtual NIC)

Every VM has its own virtual network adapter, or vNIC (virtual NIC), that can connect the VM to other machines, both virtual and physical. Just like a physical NIC, a vNIC operates at the Data Link layer and provides the computer with network access. Each VM can have several vNICs, no matter how many NICs the host machine has. The maximum number of vNICs on a VM depends on the limits imposed by the hypervisor. For example, VirtualBox allows up to eight vNICs per VM. Upon creation, each vNIC is automatically assigned a MAC address.

VPN concentrator

For large organizations where more than a few simultaneous VPN connections must be maintained, a specialized device known as a VPN concentrator can be used as the VPN server (see Figure 7-26). A VPN concentrator performs the following tasks:
• Authenticates VPN clients
• Establishes tunnels for VPN connections
• Manages encryption for VPN transmission

IaaS (Infrastructure as a Service)

Hardware services are provided virtually, including network infrastructure devices such as virtual servers and end user interfaces such as HVDs (hosted virtual desktops). HVDs are desktop operating environments running on a different physical computer than the one the user interacts with. These devices rely on the network infrastructure at the vendor's site, but customers are responsible for their own application installations, data management and backup, and possibly operating systems. For example, customers might use the vendor's servers to store data, host websites, and provide email, DNS, or DHCP services, but could provide their own NOS licenses and productivity software, such as customer tracking, sales management, and an office suite. In our pizza analogy, this would be like a take-and-bake restaurant. You decide the type of crust you want and the toppings; the restaurant puts it all together for you. Then you take the unbaked pizza home, bake it yourself, and eat it at your own table. In the IT world, AWS (Amazon Web Services) is a good example of an IaaS. Amazon provides the processing power, storage space, and deployment services. You create VMs and choose OSes to install on them. You load applications, databases, etc., and run Internet and other network services on them

NAT mode,

In NAT mode, a vNIC relies on the host machine to act as a NAT device. In other words, the VM obtains IP addressing information from its host, rather than a server or router on the physical network. To accomplish this, the hypervisor acts as a DHCP server. A vNIC operating in NAT mode can still communicate with other nodes on the network and vice versa. However, other nodes communicate with the host machine's IP address to reach the VM; the VM itself is invisible to nodes on the physical network. Figure 7-9 illustrates a VM operating in NAT mode

host-only mode

In host-only mode, VMs on one host can exchange data with each other and with their host, but they cannot communicate with any nodes beyond the host. In other words, the vNICs never receive or transmit data via the host machine's physical NIC. In host-only mode, as in NAT mode, VMs use the DHCP service in the host's virtualization software to obtain IP address assignments. Obviously, because host-only mode prevents VMs from exchanging data with a physical network, this configuration cannot work for virtual servers that need to be accessed by clients across a LAN. Nor can it be used for virtual workstations that need to access LAN or WAN services, such as email or web pages. Host-only networking is less commonly used than NAT or bridged mode networking, but it is the right choice when you want an isolated lab in which malware or exploit samples cannot reach the physical network.

management URL

Increasingly, networking devices are configured through a connected computer's browser that navigates to a management URL, where the user can make changes directly to the device. In the port forwarding Applying Concepts project, you used a web browser to configure a SOHO router (refer back to Figures 7-22 and 7-23). You also used a browser to configure a SOHO router in Hands-On Project 6-1 in Chapter 6. To do this, you entered the router's IP address into the address bar. All of the device's configurations were completed through the web browser. Ideally, these device consoles will require an encrypted connection over HTTPS, although this is not always the case.

Type 2 hypervisor

Installs in a host OS as an application and is called a hosted hypervisor. Client Hyper-V and VirtualBox, which you've seen in the Capstone Projects, are examples of Type 2 hypervisors, as is the popular VMware Workstation Player. Linux KVM is often listed here too, although because it runs inside the Linux kernel many sources classify it as Type 1. A Type 2 hypervisor is not as powerful as a Type 1 hypervisor because it is dependent on the host OS to allot its computing power. VMs hosted by a Type 2 hypervisor also are not as secure or as fast as a Type 1 hypervisor's VMs, because the attack surface includes the entire host OS in addition to the hypervisor.

Type 1 hypervisor

Installs on a computer before any OS and is therefore called a bare-metal hypervisor. It partitions the hardware computing power to multiple VMs, each with their own OS. Popular examples include XenServer by Citrix, ESXi by VMware, and Hyper-V by Microsoft.

IKE (Internet Key Exchange)

Negotiates the exchange of keys, including authentication of the keys; the current version is IKEv2, which you'll see again in the discussion on VPNs later in this chapter

control plane

On the left side of Figure 7-12, you see a traditionally configured network infrastructure. Each physical and virtual device, whether it's a router, switch, firewall, or load balancer, makes its own decisions about where transmissions should be sent based upon the protocols and other configurations on that device. That decision- making process is called the control plane. The outcome of those decisions—actual transmissions on the network—is called the data plane. Traditionally, each device handles its own control plane and data plane.

SSH (Secure Shell)

SSH (Secure Shell) is a collection of protocols that does both authentication and encryption. With SSH, you can securely log on to a host, execute commands on that host, and copy files to or from that host. SSH encrypts data exchanged throughout the session. It guards against a number of security threats, including unauthorized access to a host, IP spoofing, interception of data in transit (even if it must be transferred via intermediate hosts), and DNS spoofing, in which an attacker forges name server records to falsify a host's identity; the protection against spoofing depends on the client checking the server's host key against a known, trusted value rather than accepting it blindly on first connection. Depending on the version, SSH may use Triple DES, AES, Blowfish, or other encryption schemes; current OpenSSH releases default to AES and ChaCha20-Poly1305 and treat Triple DES and Blowfish as legacy ciphers that should be disabled.

port forwarding

SSH listens at port 22, and is highly configurable. For example, you can choose among several types of encryption methods, and it can also be configured to perform port forwarding, which means it can tunnel traffic that would normally travel over an insecure protocol (such as FTP) through the SSH-secured connection. This allows you to use SSH for more than simply logging on to a host and manipulating files. With port forwarding, you could, for example, exchange HTTP traffic with a web server via a secured SSH connection. Later in this chapter, you'll configure port forwarding on a SOHO router, which is a different mechanism (the router maps an external port to an internal host) that happens to share the name.

private cloud—

Service established on an organization's own servers in its own data center, or established virtually for a single organization's private use and made available to users over a WAN connection through some type of remote access. If hosted internally, this arrangement allows an organization to use existing hardware and connectivity, potentially saving money. If hosted virtually, the organization benefits from the usual advantages of virtual services, such as scalability and accessibility

public cloud

Service provided over public transmission lines, such as the Internet. Most of the examples discussed in this part of the chapter take place in public clouds.

PoP (Points of Presence)

Some of the larger cloud service providers maintain multiple PoP (Points of Presence) around the world. This means the provider rents space at a data center facility, called a colocation facility or carrier hotel that is shared by a variety of providers. In many cases, ISPs can provide dedicated access from a customer's premises to a cloud provider's PoP. This is more cost effective when an organization subscribes to multiple cloud providers who all use the same colocation. Amazon's AWS Direct Connect and Microsoft's Azure ExpressRoute both offer dedicated connection services.

SSL/TLS handshake

Step 1—The browser, representing the client computer in this scenario, sends a client_hello message to the web server, which lists the protocol versions and cipher suites the browser supports. The client_hello message also carries a 32-byte random value (the client random) that will feed into key derivation, and optionally a session ID for resuming an earlier session.
Step 2—The server responds with a server_hello message that confirms the information it received from the browser and selects one protocol version and one cipher suite from the options supplied by the browser, together with its own server random. The server then sends its digital certificate, which contains its public key; with an ephemeral Diffie-Hellman cipher suite it also sends its key exchange parameters, signed with the certificate's private key.
Step 3—If the server requests a certificate from the browser, the browser sends it. The browser verifies the server's certificate chain against its trusted CAs and checks that the name matches. With RSA key exchange the browser generates a pre-master secret and encrypts it with the server's public key; with Diffie-Hellman both sides compute the shared secret instead. From that secret and the two random values, both sides derive the session keys used only for this one session. Application data is then encrypted with those symmetric session keys, not with the server's public key.
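As an added example that is not from the textbook, the following Python builds and parses the wire format of the Step 1 message above, a TLS 1.2 ClientHello inside a handshake record, and flags cipher suites a server should refuse. The record layout follows RFC 5246; the sample hello is constructed inline, the cipher suite numbers are the real IANA values, and the choice of which suites count as "weak" is this example's own.

```python
import os
import struct

# IANA cipher suite identifiers (real values); the WEAK grouping is our own judgment.
CIPHER_SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",
}
WEAK_SUITES = {0x0005, 0x000A}  # RC4 and 3DES: deprecated, should never be negotiated


def build_client_hello(suites, session_id=b"", random_bytes=None):
    """Serialize a minimal TLS 1.2 ClientHello wrapped in a handshake record."""
    random_bytes = os.urandom(32) if random_bytes is None else random_bytes
    if len(random_bytes) != 32:
        raise ValueError("client random must be 32 bytes")
    body = b"\x03\x03" + random_bytes                       # client_version + random
    body += bytes([len(session_id)]) + session_id            # session_id<0..32>
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!H", len(suite_bytes)) + suite_bytes  # cipher_suites<2..2^16-2>
    body += b"\x01\x00"                                      # one compression method: null
    body += b"\x00\x00"                                      # extensions length 0
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello(1)
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Parse a TLS record carrying a ClientHello. Raises ValueError on malformed input."""
    def need(buf, pos, n):
        # Bounds check every read so a truncated or malicious record cannot crash the parser.
        if pos + n > len(buf):
            raise ValueError("truncated at offset %d" % pos)
        return buf[pos:pos + n]

    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = need(record, 5, rec_len)
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = need(hs, 4, int.from_bytes(hs[1:4], "big"))

    pos = 0
    version = struct.unpack("!H", need(body, pos, 2))[0]
    pos += 2
    client_random = need(body, pos, 32)
    pos += 32
    sid_len = need(body, pos, 1)[0]
    pos += 1
    session_id = need(body, pos, sid_len)
    pos += sid_len
    cs_len = struct.unpack("!H", need(body, pos, 2))[0]
    pos += 2
    if cs_len % 2:
        raise ValueError("odd cipher_suites length")
    cs = need(body, pos, cs_len)
    pos += cs_len
    suites = [struct.unpack("!H", cs[i:i + 2])[0] for i in range(0, cs_len, 2)]
    comp_len = need(body, pos, 1)[0]
    pos += 1
    compression = list(need(body, pos, comp_len))
    return {
        "version": version,
        "random": client_random,
        "session_id": session_id,
        "cipher_suites": suites,
        "compression": compression,
    }


def weak_offers(hello):
    """Names of deprecated suites the client offered; a hardened server rejects these."""
    return [CIPHER_SUITES.get(s, hex(s)) for s in hello["cipher_suites"] if s in WEAK_SUITES]


if __name__ == "__main__":
    # Constructed sample: a client offering one modern suite and two deprecated ones.
    sample = build_client_hello([0xC02F, 0x000A, 0x0005], session_id=b"\x11" * 8)
    parsed = parse_client_hello(sample)
    print("version 0x%04x, %d suites, weak: %s" % (parsed["version"], len(parsed["cipher_suites"]), weak_offers(parsed)))
```

The server's choice in Step 2 is the security decision: a server configured to prefer the client's order would pick 0xC02F here, but one that still enables RC4 or 3DES could be downgraded by a client (or an attacker rewriting the hello) that offers only those suites.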

out-of-Band Management

Telnet, SSH, RDP, VNC, and a management URL all rely on the existing network infrastructure for a network administrator to remotely control the device. Before he or she can configure these devices, they must already be booted up, and they must already have configuration software installed. This is called in-band management, and inherently limits troubleshooting capabilities. Out-of-band management, however, relies on a dedicated connection (either wired or wireless) between the network administrator's computer and each critical network device, such as routers, firewalls, servers, power supplies, applications, and security cameras. These dedicated connections allow network administrators to remotely:
• Power up a device
• Change firmware settings
• Reinstall operating systems
• Monitor hardware sensors
• Troubleshoot boot problems
• Limit network users' access to management functions
• Manage devices even when other parts of the network are down

Terminal Emulation

Terminal emulation, also called remote virtual computing, allows a user on one computer, called the client, to control another computer, called the host or server, across a network connection. Examples of command-line software that can provide terminal emulation include Telnet and SSH, and some GUI-based software examples are Remote Desktop for Windows, join.me, VNC, and TeamViewer. A host may allow clients a variety of privileges, from merely viewing the screen to running programs and modifying data files on the host's hard disk. After connecting, if the remote user has sufficient privileges, she can send keystrokes and mouse clicks to the host and receive screen output in return. In other words, to the remote user, it appears as if she is working on the LAN- or WAN-connected host. For example, a traveling salesperson can use her laptop to "remote in" to her desktop computer at corporate headquarters. This way, she can remotely update a workbook stored on her desktop computer using Excel, also installed on the desktop

Key Encryption

The most popular kind of encryption encodes the original data's bits using a key, or a random string of characters—sometimes several times in different sequences—to scramble the data and from it, generate a unique and consistently sized data block called ciphertext. The key is created according to a specific set of rules, or algorithms.

key management

Through a key management process, two nodes agree on common parameters for the keys they will use. This phase primarily includes two services:
• IKE (Internet Key Exchange)
• ISAKMP (Internet Security Association and Key Management Protocol)

site-to-site VPN

Tunnels connect multiple sites on a WAN, as shown in Figure 7-24. At each site, a VPN gateway on the edge of the LAN establishes the secure connection. Each gateway is a router or remote access server with VPN software installed and encrypts and encapsulates data to exchange over the tunnel. Meanwhile, clients, servers, and other hosts on the protected LANs communicate through the VPN gateways as if they were all on the same, private network and do not themselves need to run special VPN software. Site-to-site VPNs require that each location have a static public IP address

PPPoE (PPP over Ethernet).

When PPP is used over an Ethernet network (no matter the connection type), it is known as PPPoE (PPP over Ethernet)

ISAKMP (Internet Security Association and Key Management Protocol)

Works within the IKE process to establish policies for managing the keys

PPP (Point-to-Point Protocol)

a Data Link layer protocol that directly connects two WAN endpoints. One example might be when a DSL or cable modem connects to a server at the ISP. PPP headers and trailers create a PPP frame that encapsulates Network layer packets. The header and trailer together add only 8 or 10 bytes of overhead, the difference depending on the size of the FCS field (recall that the FCS field ensures the data is received intact). Here's what PPP can do:
• Negotiate and establish a connection between the two endpoints.
• Use an authentication protocol, such as MS-CHAPv2 or EAP, to authenticate a client to the remote system.
• Support several Network layer protocols, such as IP, that might use the connection.
• Encrypt the transmissions, although PPP encryption is considered weak by today's standards.

L2TP (Layer 2 Tunneling Protocol)

a VPN tunneling protocol based on technology developed by Cisco and standardized by the IETF. L2TP encapsulates PPP data in a similar manner to PPTP, but differs in a few key ways. Unlike PPTP, L2TP is a standard accepted and used by multiple vendors, so it can connect a VPN that uses a mix of equipment types—for example, a Juniper router, a Cisco router, and a NETGEAR router. Also, L2TP can connect two routers, a router and a remote access server, or a client and a remote access server. Typically, L2TP is implemented with IPsec for security, and this L2TP/IPsec combination is considered secure and acceptable for most situations

SDN (Software-Defined Networking)

a centralized approach to networking that removes most of the decision-making power from network devices and instead handles that responsibility at a software level with a product called an SDN controller, or network controller.

client-to-site VPN,

also called host-to-site VPN or remote-access VPN—Remote clients, servers, and other hosts establish tunnels with a private network through a VPN gateway at the edge of the LAN, as shown in Figure 7-25. Each remote client on a client-to-site VPN must run VPN software to connect to the VPN gateway.

IPsec (Internet Protocol Security)

an encryption protocol suite that defines a set of rules for encryption, authentication, and key management for TCP/IP transmissions. It is an enhancement to IPv4 and is native to IPv6. IPsec works at the Network layer of the OSI model: it inserts an AH or ESP header into each protected IP packet and, when ESP is used, encrypts the data payload.

CIA (confidentiality, integrity, and availability) triad

• confidentiality—Data can only be viewed by its intended recipient or at its intended destination.
• integrity—Data is not modified in the time after the sender transmits it and before the receiver picks it up.
• availability—Data is available and accessible to the intended recipient when needed, which means the systems and paths that deliver it must stay up and resist denial of service.
Together, these three principles form the standard security model called the CIA (confidentiality, integrity, and availability) triad. Encryption can happen at various layers of the OSI model. Let's first begin with a brief description of what key encryption is, and then we'll explore some of the most common encryption protocols used to protect data stored on or traveling across networks. We'll start at Layer 3 and then work our way up the OSI layers.

hypervisor

creates and manages a VM, and manages resource allocation and sharing between a host and any of its guest VMs. Together, all the virtual devices on a single computer share the same CPU, hard disks, memory, and physical network interfaces. Yet each VM can be configured to use a different operating system, and can emulate a different type of CPU, storage drive, or NIC, than the physical computer it resides on. Meanwhile, to users, a VM appears and acts no differently from a physical computer running the same software. Figure 7-1 illustrates some of the elements of virtualization.

GRE (Generic Routing Encapsulation)

developed by Cisco, is a Layer 3 protocol used to transmit PPP, IP, and other kinds of messages through a tunnel. GRE itself provides no encryption or authentication, so, like L2TP, it is commonly used in conjunction with IPsec to secure the transmissions.

bridged mode

in bridged mode a vNIC accesses a physical network using the host machine's NIC, as shown in Figure 7-7. In other words, the virtual interface and the physical interface are bridged. If your host machine contains multiple physical adapters—for example, a wireless NIC and a wired NIC—you can choose which physical adapter to use as the bridge when you configure the virtual adapter.

SDN controller

integrates configuration and management control of all network devices, both physical and virtual, into one cohesive system that is overseen by the network administrator through a single dashboard. Instead of reconfiguring each network device individually, the SDN controller can be used to reconfigure groups of network devices all at one time. It can even make configuration changes automatically in response to changing network conditions. -For example, if a streaming video call needs additional bandwidth, the SDN controller can temporarily assign a higher priority to that traffic across the network, and then cancel that configuration when the call is finished. At no point in this process does a network administrator have to access any networking device's management console to make any changes to the device's configuration. The SDN controller handles all the changes at a more abstracted level, and informs the affected networking devices of what to do with the relevant data on the physical level.

Virtualization

Virtualization is the creation of a virtual, or logical, version of something rather than the actual, or physical, version. For example, when you create an Ubuntu server VM on a Windows PC, the Windows machine is the physical computer, or host, and the Ubuntu machine is a logical computer, or guest, that is hosted by the physical computer. The Ubuntu operating system acts as if it is installed on a separate, physical machine. How is this possible?

VNC (Virtual Network Computing)

VNC (Virtual Network Computing) uses the cross-platform protocol RFB (remote frame buffer) to remotely control a workstation or server. VNC is slower than Remote Desktop and requires more network bandwidth. Plain RFB does not encrypt the session, so VNC should be tunneled through SSH or a VPN rather than exposed directly to the Internet.

cloud computing

refers to the flexible provision of data storage, applications, or services to clients over the Internet. You might already be familiar with cloud storage services such as Dropbox, OneDrive, and Google Drive, which let you store your own data on web-based servers. Web-based email is another example of cloud computing. Most cloud service providers use virtualization software to supply multiple platforms to multiple users. For example, industry leaders Rackspace (in its Private, Public, or Hybrid Cloud products) and Amazon (in its Elastic Compute Cloud, or EC2, service) use Xen virtualization software by Citrix to create virtual environments for their customer

OpenVPN

OpenVPN is an open-source VPN protocol that runs its own tunneling protocol over TLS, using the OpenSSL library for the cryptography. Because it can run over UDP or TCP on any port (commonly UDP 1194, or TCP 443 to blend in with HTTPS), OpenVPN has the ability to cross many firewalls where IPsec might be blocked. It is both highly secure and highly configurable.

IKEv2

which as you learned earlier is a component of the IPsec protocol suite, offers fast throughput and good stability when moving between wireless hotspots. It's compatible with a wide variety of devices and is often recommended by VPN providers as the most secure option among the VPN protocols they support.

VPN (virtual private network)

which is a virtual connection that remotely accesses resources between a client and a network, two networks, or two hosts over the Internet or other types of networks.

AH (authentication header) encryption or ESP (Encapsulating Security Payload)

—After parameters and encryption techniques are agreed upon, a secure channel, called a security association, is created, which can be used for secure transmissions until the channel is torn down. Either AH (Authentication Header) or ESP (Encapsulating Security Payload) may be used. Both provide integrity and origin authentication through an ICV (integrity check value) computed with a keyed hash such as HMAC over a symmetric key negotiated by IKE, not through public key techniques. AH authenticates the payload plus the immutable fields of the IP header but encrypts nothing, which is why it does not survive NAT. ESP encrypts the payload (in tunnel mode, the entire original IP packet) and authenticates the ESP header and payload, but not the outer IP header, so it works through NAT. ESP is what is used in practice.
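As an added example that is not part of the textbook, the Python below computes AH-style and ESP-style integrity check values with HMAC-SHA-256 (truncated to 128 bits as RFC 4868 specifies) and shows what each one does and does not cover: a TTL change in transit still verifies under AH, a NAT rewrite of the source address breaks AH but not ESP, and any payload edit breaks both. The packet and key are constructed inline; the field offsets are those of a standard IPv4 header and the AH header layout follows RFC 4302. ESP's encryption step is omitted, since only the authentication part is being illustrated.

```python
import hashlib
import hmac
import struct


def ipv4_header(src, dst, ttl=64, proto=51, total_len=20):
    """Minimal 20-byte IPv4 header (no options); checksum left at zero for simplicity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl, proto, 0, src, dst)


def _ah_immutable(header):
    """Zero the IPv4 fields RFC 4302 treats as mutable so routers can change them en route."""
    h = bytearray(header)
    h[1] = 0                  # DSCP/ECN
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)


def ah_icv(key, header, spi, seq, payload):
    """AH ICV: HMAC over immutable IP header fields, the AH header (ICV zeroed), and payload."""
    # next header, payload len (in 32-bit words minus 2), reserved, SPI, sequence number
    ah_hdr = struct.pack("!BBHII", 6, 4, 0, spi, seq)
    mac = hmac.new(key, _ah_immutable(header) + ah_hdr + payload, hashlib.sha256).digest()
    return mac[:16]  # HMAC-SHA-256-128 truncation


def esp_icv(key, spi, seq, payload):
    """ESP ICV: HMAC over the ESP header (SPI, seq) and the payload. The IP header is not covered."""
    mac = hmac.new(key, struct.pack("!II", spi, seq) + payload, hashlib.sha256).digest()
    return mac[:16]


def verify(expected, actual):
    """Constant-time comparison; a plain == leaks timing information about the ICV."""
    return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    key = bytes(range(32))                       # constructed sample key (never hard-code real keys)
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    payload = b"GET / HTTP/1.0\r\n"
    icv = ah_icv(key, ipv4_header(src, dst, ttl=64), 0x100, 1, payload)
    print("after TTL decrement:", verify(icv, ah_icv(key, ipv4_header(src, dst, ttl=63), 0x100, 1, payload)))
    nat_src = bytes([192, 168, 1, 1])
    print("after NAT rewrite:  ", verify(icv, ah_icv(key, ipv4_header(nat_src, dst), 0x100, 1, payload)))
```

The sequence number is part of both ICVs, which is what lets the receiver's anti-replay window reject a captured packet that is played back later: the replayed copy either reuses a sequence number already seen or, if the attacker bumps the number, fails the ICV check.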

private key encryption

—Data is encrypted using a single key that only the sender and the receiver know. Private key encryption is also known as symmetric encryption because the same key is used during both the encryption and decryption of the data. A potential problem with private key encryption is that the sender must somehow share the key with the recipient without it being intercepted.

public key encryption

—Data (in practice, a hash of the data) is signed with a private key known only to the user, and the signature is verified with a mathematically related public key that can be made available through a third-party source, such as a public key server. This ensures data integrity and authenticity, as verification with the sender's public key will only succeed if the data has not been tampered with and was signed by the holder of the matching private key. Alternatively, data can be encrypted with the public key, and then can only be decrypted with the matching private key. This ensures data confidentiality, as only the intended recipient (the owner of the key pair) can decrypt the data. A public key server is a publicly accessible host (such as a server on the Internet) that freely provides a list of users' public keys, much as a telephone book provides a list of peoples' phone numbers. The combination of a public key and a private key is known as a key pair. Because public key encryption requires the use of two different keys, one to encrypt and the other to decrypt, it is also known as asymmetric encryption.
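The two directions described above, and the key-sharing problem raised under private key encryption, as an added example that is not from the textbook: textbook RSA in Python, with sign/verify (private key operation checked by the public key), encrypt/decrypt (public key operation reversed by the private key), and key wrapping, where a symmetric session key is encrypted to the recipient's public key so it can cross an untrusted network. The primes and messages in the usage are constructed for illustration; real RSA uses 2048-bit or larger moduli and padding (OAEP for encryption, PSS for signatures), and the unpadded form shown here is insecure outside a classroom.

```python
import hashlib


def keygen(p, q, e=65537):
    """Textbook RSA key pair from two primes. Returns ((e, n), (d, n))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+); requires gcd(e, phi) == 1
    return (e, n), (d, n)


def encrypt(m, public):
    """Confidentiality: anyone can encrypt to the public key; only the private key decrypts."""
    e, n = public
    if not 0 <= m < n:
        raise ValueError("message must be a non-negative integer smaller than the modulus")
    return pow(m, e, n)


def decrypt(c, private):
    d, n = private
    return pow(c, d, n)


def _digest(msg, n):
    # Sign a hash of the message, reduced into the modulus range, rather than the message itself.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(msg, private):
    """Integrity/authenticity: only the private key holder can produce this value."""
    d, n = private
    return pow(_digest(msg, n), d, n)


def verify(msg, sig, public):
    """Verification succeeds only if msg is unmodified and sig came from the matching private key."""
    e, n = public
    return pow(sig, e, n) == _digest(msg, n)


def wrap_key(key_bytes, public):
    """Key transport: solves the symmetric key-sharing problem by encrypting the key to the recipient."""
    return encrypt(int.from_bytes(key_bytes, "big"), public)


def unwrap_key(wrapped, private, length):
    return decrypt(wrapped, private).to_bytes(length, "big")


if __name__ == "__main__":
    # Illustrative primes only (far too small for real use).
    pub, priv = keygen(104729, 1299709)
    msg = b"transfer 100 to alice"
    sig = sign(msg, priv)
    print("genuine message verifies:", verify(msg, sig, pub))
    print("tampered message verifies:", verify(b"transfer 900 to alice", sig, pub))
    session_key = bytes.fromhex("00112233")
    print("key survives wrap/unwrap:", unwrap_key(wrap_key(session_key, pub), priv, 4) == session_key)
```

The classic small-number case (p = 61, q = 53, e = 17) gives n = 3233 and d = 2753, and encrypts the message 65 to 2790; it is handy for checking an implementation by hand, and the test below uses it for exactly that.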

XaaS (Anything as a Service or Everything as a Service)

—In this broader model, the "X" represents an unknown, just as it does in algebra. (And you thought you would never again use algebra.) Here, the cloud can provide any combination of functions depending on a client's exact needs. This includes, for example, monitoring, storage, applications, and virtual desktops. Consider the service models as they're shown in Figure 7-16. The smaller, upper end of the pyramid indicates how little a SaaS customer needs to understand and interact with a cloud provider's infrastructure in order for the customer to perform his work. In contrast, an IaaS customer interacts more heavily with her service provider's infrastructure for every aspect of her computing needs. IaaS is much more pervasively integrated with a client's computer network than is SaaS, and correspondingly more of the security responsibility (patching the OS, hardening the network, backing up data) stays with the customer.

community cloud

—Service shared between multiple organizations, but not available publicly. Organizations with common interests, such as regulatory requirements, performance requirements, or data access, might share resources in this way. For example, a medical database might be made accessible to all hospitals in a geographic area. In that case, the community cloud could be hosted internally by one or more of the organizations involved, or hosted by a third-party provider. But it would not be made available to the public.

