This presentation covers the concept of cloud security domains, flaws in current security approaches, data center requirements,
VMware NSX limitations, and a new solution that should be complete. Finally, it gives a guideline for how to assess micro-segmentation.
2. Agenda
• Cloud security domains
• Flaws in security approaches
• Data center requirement
• VMware NSX
• Good to have
• Functions of the Ideal Solution
• Smart Solution
• Micro-segmentation
• Assessment of micro-segmentation
3. Data Center Concerns
• Cloud security can be divided into four categories
– Cloud data protection
– Cloud data governance
– Cloud access policy and intelligence
– Cloud workload security, audit and management
• Cloud application security concerns
– Cloud access policy and intelligence
– Cloud data protection
– Cloud data governance
Category: CASB
Gap 1: CASB doesn’t address workload security or infrastructure!
It only focuses on
– User accounts and data in the SaaS application
– Web and mobile
• Workload security concerns
– Protection of workloads
– Web, app and data-at-rest
4. Flaws in the security approaches
The next slides address the security shortcomings of cloud security.
• Traditional approach in deployment
• Deployment approach
– Protection is on the perimeter
– Visibility inside the data center
– Distributed security
5. Flaws in the security approaches
• Traditional approach in deployment
• Cloud Deployment
– Most people will add a set of VMs with a firewall and so on.
– VFWs share the same hypervisor with other servers
• The above approach is the same as in a physical data center
[Diagram: FW, LB, vNGFW, App/Web server, LB, DB server]
With SDN and virtualization, when workloads (VMs) are dynamically created and moved between hypervisors, we need a different security solution.
6. Flaws in the security approaches
• Type of traffic: North-South vs East-West
– North-South traffic is defined as traffic from the enterprise to the SaaS application / cloud
– East-West traffic is defined as traffic inside the data center between different workloads
• Protection is on the perimeter
– Most security emphasis is on North-South traffic
• All security devices are focused on the perimeter
– App-to-app traffic monitoring is ignored
– Once a breach is inside the data center, it is very hard to detect. This is lateral movement.
7. Flaws in the security approaches
• Monitoring and tracking
– Traffic
• Monitor east-west traffic between apps
• Apply L4 and L7 rules to the traffic
• Insufficient logging and access control between traffic. In OWASP 2017, a new category was added, called “Insufficient logging and traffic”
– Workload VMs
• Remember that VMs are dynamically created, moved or destroyed
• Tracking and protecting a new instance of a workload
– What about the logs?
• For elasticity, new VMs are created and automatically torn down
• The logging history is lost
– VFW sessions
• When a VFW is destroyed, its sessions are lost.
– Drawback: current solutions don’t retain the history for breach detection and analysis
8. Flaws in the security approaches
• What logs are important?
– SIEMs have too many logs to process
– It is hard to collect the correct logs
– Some solutions need an endpoint agent
– Some solutions only send alerts but don’t block
9. Flaws in the security approaches
• Monitoring, visibility and access control
– Visibility is the biggest issue in the data center
– VFW performance issues: VFW performance depends on the vCPUs
– Since most VFW functionality is based on traditional firewalls, they are not designed for the modern data center.
– For example, they are based on layer 4 or applications, but not on containers or Docker
• VFWs have many flavors
– VFW vendors like PAN, Check Point and Fortinet have released versions per public or private cloud provider, i.e. different FWs for AWS, Azure, VMware and more
10. VMware NSX (till Jan 2017)
VMware NSX provides NFV and layer 2-4 security. It automatically keeps track of workload creation and moves.
NSX solution
– Provides security tagging for workloads inside the data center
– Automatically tracks workload creation, movement and deletion
– Layer 2-4 security policies are built in
– Layer 7 security such as stateful FW, NGFW, DLP and IDS is provided by external vendors such as PAN, Fortinet, Juniper and Check Point
• The VM is created and associated with a group of VMs
• When any new member is added to that security group, those policies are applied automatically
• Any FW deployed on NSX has a maximum throughput of 650 Mbps
11. Flaws in the security approaches
• Private cloud: most security vendors still depend on VMware’s NSX for creating a new VFW instance when a workload is created, moved or destroyed
– NSX = L4 + PAN (L7)
– NSX has started offering its own application security solution
• Multi-layer security solution
– Need to use a different VM for each security protection.
• Some vendors have one product for each solution:
– Mail, Web, ADC, Auth and Gateway
• Some vendors have one product for all security services in one service
– Different flavors for AWS, Azure, ESXi, NSX, KVM, Xen, Hyper-V
12. Good to have
An ideal solution should have
• Visibility
• Monitoring (tracking and logs)
• Prevention
• Automation of the security profile when a new workload is provisioned
• Layer 4 to layer 7 security
• Focused approach to filter out unnecessary alerts
• Ideal combination of signature-based and behavior-based solutions
13. Functions of the Ideal Solution
• Prevention
– Reduce the potential attack surface:
• Firewall policies, IPS, user segmentation, patch management, and infrastructure design
– Apply the policies inside the data center between workloads based on security tags
• Automation of the security profile when a new workload is provisioned
– Dynamic security profile creation when workloads are moved, created or deleted
• For layer 2 to layer 7
– AWS
• Has built-in security for IaaS
• Marketplace is used to buy security solutions
• Single-vendor security solution for correlation between events
– It would be nice to have one vendor who can protect the workloads from layer 4 to layer 7
– Centralized logs
14. Functions of the Ideal Solution
• Independent
– Maintain one flavor of virtual security solution rather than vIPS, vNGFW, vMAIL
– A solution that is independent of the underlying technology such as ESXi, Rackspace, KVM...
• Workload
– Works for all kinds of workload such as web server, HTTP server
– Only the relevant functionality should be unzipped and activated
• DETECT
– IDS, WAF, anomaly detection, NIDS, HIDS
• RESPOND
– Report and communicate to stakeholders by email, alert, text
– Immediate isolation of the workload
• PREDICT
– Regular scans, penetration testing
– Dynamically and continuously change the policy
– Update the methods
15. Check Point vSEC (datasheet based on Dec 2016)
• Public cloud
– AWS gateway R77.30
– vSEC NGTP (Firewall + IPS + Application Control + URL Filter + Anti-Virus + Anti-Bot)
• c4.8xlarge (36 virtual cores): estimated 1600 Mbps
• c4.4xlarge (16 virtual cores): 1000 Mbps
• Private cloud
– vSEC for VMware NSX, Cisco ACI, OpenStack
• No published data
16. PAN VM-100 (datasheet based on Dec 2016)
• Capacities
– VM-300: max sessions 250,000
– VM-200: max sessions 100,000
– VM-100: max sessions 50,000
• Too many solutions for different requirements:
– VM-Series for AWS, Citrix, KVM & OpenStack
– VM-Series for Microsoft Azure, Microsoft Hyper-V
– VM-Series for VMware NSX, ESXi/vCloud Air
– VM-1000-HV, VM-300, VM-200 and VM-100
17. Micro-segmentation
• Agent approach
– Software that sits on top of the hypervisor
– Provides monitoring, security control and logging
– Deeper-level security modules based on the workload, i.e. if the workload is Linux/HTTPS, only the web-related service module should be loaded
[Diagram: a DC with two hypervisors, each hosting an SLB, App/Web server, DB server and a Virtual UTM, with a single management plane for the security points]
18. Micro-Segmentation
• Ubiquity
– Applies to all workloads
– Different security levels based on VM type, such as web server, DB, application server, mail server
• Zero-attack prevention
– No trust between workloads
– IPS, DLP, agentless malware protection, SD distributed FW
• Suppress the noise
– Not all logs/events are useful
A typical kill chain will be:
External recon → Weaponization → Attack on a less secure host → Internal recon → Lateral movement → Installation → Data staging → Exfiltration
The prevention policy should include:
– Patch management, including new signatures
– Updating the blacklist of hosts, IPs and URLs