Effective CISSP Questions

Your company is a well-known global cloud service provider serving millions of customers. Which of the following best supports the multi-tenancy feature mentioned in ISO/IEC 17888? (Wentz QOTD)
A. EAP over LAN (EAPoL) based on 802.1X
B. Virtual LAN (VLAN) based on IEEE 802.1Q
C. Virtual eXtensible Local Area Network (VXLAN) based on RFC 7348
D. Spanning Tree Protocol based on 802.1D

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Virtual eXtensible Local Area Network (VXLAN) based on RFC 7348.


The traditional VLAN supports at most 4094 VLAN IDs, which cannot meet the requirements of data centers or cloud computing, where networks are commonly isolated per tenant. For example, Azure or AWS have far more than 4094 customers.

VXLAN Problem Statement

VXLAN (RFC 7348) is designed to solve this problem. The VXLAN problem statement highlights the following issues:

  1. Limitations Imposed by Spanning Tree and VLAN Ranges
  2. Multi-tenant Environments
  3. Inadequate Table Sizes at ToR (Top-of-Rack) Switch

It also reads: “VXLAN (Virtual eXtensible Local Area Network) addresses the above requirements of the Layer 2 and Layer 3 data center network infrastructure in the presence of VMs in a multi-tenant environment.”

VXLAN as Overlay Network

VXLAN encapsulates the traditional Ethernet/VLAN frame as an IP payload (MAC-over-IP, carried in UDP) so that Layer 2 traffic can be tunneled across the leaf-spine fabric. The leaf-spine architecture employs a two-layer network topology composed of leaf switches and spine switches.

Overlay and Underlay Networks

Underlay networks, or so-called physical networks, are where traditional protocols run. The underlay network is the physical infrastructure on top of which an overlay network is built; it is the underlying network responsible for delivering packets across networks.

  • Underlay Protocols: BGP, OSPF, IS-IS, EIGRP

An overlay network is a virtual network routed on top of the underlay network infrastructure; its routing decisions are made with the help of software.

  • Overlay Protocols: VXLAN, NVGRE, GRE, OTV, OMP, mVPN

Overlay networking is a method of using software to create layers of network abstraction that can be used to run multiple separate, discrete virtualized network layers on top of the physical network, often providing new applications or security benefits.

Source: Underlay Network and Overlay Network

Attack Vector

VXLAN is a MAC-over-IP overlay network that inherits both Layer 2 and Layer 3 attack vectors, so it extends the attack surface of Layer 2 networks.

Traditionally, Layer 2 networks can only be attacked from ‘within’ by rogue end points — either:

  • by having inappropriate access to a LAN and snooping on traffic,
  • by injecting spoofed packets to ‘take over’ another MAC address, or
  • by flooding and causing denial of service.

A MAC-over-IP mechanism for delivering Layer 2 traffic significantly extends this attack surface. This can happen by rogues injecting themselves into the network:

  • by subscribing to one or more multicast groups that carry broadcast traffic for VXLAN segments and also
  • by sourcing MAC-over-UDP frames into the transport network to inject spurious traffic, possibly to hijack MAC addresses.

This document does not incorporate specific measures against such attacks, relying instead on other traditional mechanisms layered on top of IP. This section, instead, sketches out some possible approaches to security in the VXLAN environment.

  • Traditional Layer 2 attacks by rogue end points can be mitigated by limiting the management and administrative scope of who deploys and manages VMs/gateways in a VXLAN environment. In addition, such administrative measures may be augmented by schemes like 802.1X for admission control of individual end points. Also, the use of the UDP-based encapsulation of VXLAN enables configuration and use of the 5-tuple-based ACL (Access Control List) functionality in physical switches.
  • Tunneled traffic over the IP network can be secured with traditional security mechanisms like IPsec that authenticate and optionally encrypt VXLAN traffic. This will, of course, need to be coupled with an authentication infrastructure for authorized end points to obtain and distribute credentials.
  • VXLAN overlay networks are designated and operated over the existing LAN infrastructure. To ensure that VXLAN end points and their VTEPs are authorized on the LAN, it is recommended that a VLAN be designated for VXLAN traffic and the servers/VTEPs send VXLAN traffic over this VLAN to provide a measure of security.
  • In addition, VXLAN requires proper mapping of VNIs and VM membership in these overlay networks. It is expected that this mapping be done and communicated to the management entity on the VTEP and the gateways using existing secure methods.

Source: RFC 7348
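As an added example (not from this post or from the RFC 7348 authors), the following Python builds and parses the MAC-over-UDP encapsulation described in the overlay section and applies the source-VTEP and UDP-port checks that the security considerations suggest a 5-tuple ACL or VTEP authorization would enforce; the 24-bit VNI next to the 12-bit VLAN ID shows why VXLAN scales past 4094 segments. The VTEP addresses, the authorized-VTEP set, and leaving the outer Ethernet header to the NIC are assumptions made for the example.

```python
import struct
from ipaddress import IPv4Address

VXLAN_UDP_PORT = 4789            # IANA-assigned VXLAN port (RFC 7348)
VLAN_LIMIT = (1 << 12) - 2       # 12-bit VLAN ID, 0 and 4095 reserved -> 4094
VNI_LIMIT = 1 << 24              # 24-bit VNI -> 16,777,216 segments

def vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags (I bit 0x08), 24 reserved bits, 24-bit VNI,
    8 reserved bits."""
    if not 0 <= vni < VNI_LIMIT:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", 0x08, vni << 8)

def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement checksum over the IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def encapsulate(inner_frame: bytes, vni: int, src_vtep: str, dst_vtep: str,
                src_port: int = 49152) -> bytes:
    """MAC-over-UDP: outer IPv4 + UDP/4789 + VXLAN header + original Ethernet
    frame. The outer Ethernet header is left to the sending NIC (assumption)."""
    payload = vxlan_header(vni) + inner_frame
    udp = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(payload),
                     0, 0x4000, 64, 17, 0,
                     IPv4Address(src_vtep).packed, IPv4Address(dst_vtep).packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + udp + payload

def decapsulate(packet: bytes, authorized_vteps: set) -> tuple:
    """Parse outer IPv4/UDP/VXLAN back into (VNI, inner frame). Drops packets
    whose source is not an authorized VTEP, whose UDP port is not 4789, or
    whose I flag is clear: the checks a 5-tuple ACL on a switch would enforce."""
    ihl = (packet[0] & 0x0F) * 4
    src_ip = str(IPv4Address(packet[12:16]))
    if packet[9] != 17 or src_ip not in authorized_vteps:
        raise ValueError(f"dropped: unauthorized or non-UDP source {src_ip}")
    _, dst_port, _, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if dst_port != VXLAN_UDP_PORT:
        raise ValueError("dropped: not VXLAN UDP port")
    flags, vni_field = struct.unpack("!B3xI", packet[ihl + 8:ihl + 16])
    if not flags & 0x08:
        raise ValueError("dropped: VXLAN I flag not set")
    return vni_field >> 8, packet[ihl + 16:]
```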

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

Your company is a well-known global cloud service provider (CSP) serving millions of customers. Which of the following best supports the multi-tenancy feature mentioned in ISO/IEC 17888? (Wentz QOTD)
A. EAP over LAN (EAPoL) based on 802.1X
B. Virtual LAN (VLAN) based on IEEE 802.1Q
C. Virtual eXtensible Local Area Network (VXLAN) based on RFC 7348
D. Spanning Tree Protocol based on 802.1D
