1. Alvaro Ferro CCSP – CISSP – CCIE Security Written 30de Junio. SECURITY IN THE DATACENTER
2. Data Center Virtualization Trends Security in virtual environment Challenges due to Virtualization Secure Virtualization Framework Virtual Controller and Virtual Management Center Agenda 30 June 2011 2
5. Source: Gartner, Oct 200950% ~ 58 million deployed x86 machines 16% 2010 2011 2012 30 June 2011 4
6. Do more with less Connect everyone to everything Present & Future Past Efficiency Drives Consolidation Virtualization, Blades, Increased Bandwidth Dispersed, Physical New Apps, Protocols & Traffic Legacy + Web, IPv4 + IPv6, Data + Voice + Video Legacy, Client Server, IPv4, Data Data Center Trends Threat Landscape Change Sophisticated Targeted Attacks, Re-Perimeterization Worms, Viruses, Trojans, DDoS 30 June 2011 5
7. Securing the Data Center Attack Surface Data at Rest Attack Surface Attack Traffic Web Apps Vulnerability Scanning Protects Web App Vulnerabilities Enterprise Apps IPS Platform Operating Systems Network Devices 30 June 2011 6
9. ENTENDAMOS LO SIGUIENTE “40% de los proyectos de implementación de ambientes virtualizados se llevaron a cabo sin la participación del equipo de seguridad en la arquitectura inicial y las etapas de planificación ” Riesgos mas comunes en proyectos de Virtualización La falta de visibilidad y controles en la comunicación entre VM-a-VM. Perdida potencial en la separación de deberes (SOD) entre las áreas de redes y seguridad cuando se virtualiza. Cargas de trabajo se consolidan en un servidor físico. Controles de acceso administrativo (Hypervisor/VMM). Source: MacDonald, Neal. Addressing the Most Common Security Risks in Data Center Virtualization Projects, Gartner, Inc. January 25, 2010
13. Convergencia en soluciones IPS (virtual & physical) para la segmentación de zonas de confianzasCore Virtualized Server VM VM VM Secure Network Fabric Switch App App App OS OS OS vNICs vNICs vNICs vSwitch Hypervisor pNICs Virtualized Servers Physical Servers
34. Physical IPS options are cost prohibitive for these uses1 IPS Platform 2 Top of Rack Switch 3 2 Virtualized Host Virtualized Host Virtualized Host 3 4 1 VM VM VM VM VM VM OS OS OS OS OS OS App App App App App App VMs moved to separate site 4 The Virtual Network Visibility Gap 30 June 2011 15
44. Protects VMs with out-of-date patching due to server/VM shut-downsSingle Set of Security Policies across Physical and Virtual DC TippingPoint IPS Top of Rack Switch Virtualized Hosts Physical Hosts Protect the High Value Data Center 30 June 2011 18
52. Untrusted VMs or zonesSingle Set of Security Policies for Entire DC Protection VMware vCenter Management Network Top of Rack Switch Virtualized Host Hypervisor vSwitch VMsafe Kernel Module Redirect Policy vController + vFW OS OS OS OS App App App App Application VMs Service VM Apply Security Policies Between DC Trust Zones 30 June 2011 20
53. VMware VMSafe Hypervisor Integration vController is fully integrated with VMware vSphere using the VMSafe API VMware vCenter Integration VMC is fully integrated with VMware’s vCenter management console Member of VMware Global Technology Alliance Partner (TAP) Program Certified per “VMware Ready” Program Supports VmwarevShere 4 (ESX / ESXi4) VmWARE Ready 30 June 2011 21
54. N-Platform IPS Top of Rack Switch Physical Finance Servers Physical R&D Servers Distributed vSwitch vController+vFW vController+vFW vController+vFW Finance Zone DMZ Zone R&D Zone OS OS OS OS OS OS OS OS OS OS OS OS App App App App App App App App App App App App Virtualized Servers Cluster Single security model for the physical AND virtual data center Data Center Security 30 June 2011 22
Slide 1:Hello, my name is ________________ and I am ___________________ for HP Networking’s security business unit. And today I’d like to talk to you about HP TippingPoint’s new Virtual Controller plus Virtual Firewall and our Virtual Management Center.
Slide 2:Specifically, I’ll go through:The Data Center Virtualization Trends that we seeChallenges enterprise organization face due to VirtualizationPresent HP TippingPoint’s Secure Virtualization Framework, andOur new Virtual Controller plus Virtual Firewall, and Virtual Management Center products
Slide 3:So first let’s look at today’s data center virtualization trends.
Slide 4:First let’s look at the increased IT focus on data center virtualization. Gartner conducted a CIO survey in early 2010 and found that the #1 technology priority for CIO’s is data center virtualization. This is a huge change given that virtualization wasn’t even on the list 2 years previously and it has displaced business intelligence which held the top spot for the last 5 years. But, it’s not just security of virtualization CIO’s are concerned about. They are interested in the business benefits of virtualization, ensuring their existing processes and procedures work with a virtualized environment, ensuing they are properly securing these virtual environments, and that they are maintaining the necessary separation of duties within IT. Second, in late 2009 Gartner estimated that 50% of enterprise workloads would be running on virtualized infrastructure by the end of 2012. This is again a huge increase from the 16% that were running on virtualized infrastructure at the beginning of 2010.
Slide 5:Next, let’s look how enterprise data centers are changing. In the past enterprises built out data centers in an effort to connect everyone in the organization to the applications and data they required. But in most companies the result was a dispersed data center infrastructure. Now the need to reduce costs and improve data center efficiency is driving a physical consolidation of the data center. Companies are simply trying to do more with less. And tools like virtualization software, and higher density blade servers are helping to drive this consolidation. All of this is resulting in higher bandwidth in these data centers. [Build 1]In addition, new applications, new protocols and new traffic types are all appearing in the data center. An increase in web applications, voice and video traffic and even IPv6 protocols are changing the data center environment from a security perspective. [Build 2]Finally, the threat landscape outside the data center is changing. Threats are now more sophisticated, targeted and mostly financially motivated. And because of this companies no longer rely on a single security perimeter around the enterprise network. Companies are now building separate security perimeters around individual assets in the network like the data center. This is a trend often referred to as Re-Perimeterization.
Slide 6:Now let’s look at what it takes to actually secure the data center and protect the entire Attack Surface of the data center. There are several components in today’s data center attack surface, each of which has vulnerabilities that we must protect.We have to prevent attacks on Network Device vulnerabilities,Vulnerabilities in Operating Systems running within the data center,Vulnerabilities in Enterprise Applications running within the data center, andEven vulnerabilities in Web Applications running within the data center. Fortunately, this is exactly what the Intrusion Prevention System or IPS is designed to accomplish. [Build 1]In fact, most people don’t even realize that that the HP TippingPoint IPS can be used to protect Web Application Vulnerabilities. [Build 2]Finally, when combined with vulnerability scanners, customers can scan the entire data center attack surface, identify all of the vulnerabilities that exist, and then ensure that the IPS protection profiles are configured to protect those vulnerabilities. So at the end of the day, the IPS is the best way to protect the entire data center attack surface.
Slide 7:Now let’s look at the security challenges posed by the implementation of virtualization in the data center.
Slide 8:There are several areas that security professionals are concerned about when it comes to securing the data center and specifically virtualized data center infrastructure. First is the introduction of the Hypervisor into the data center. The hypervisor becomes a mission critical component in the data center and is now also a new part of the data center attack surface that we must protect. Second companies need to be able to inspect traffic moving between one physical host and another to prevent one compromised host from attacking another. Third, we must also be able to inspect traffic moving from one Virtual Machine or VM to another VM, even if the VMs are on the same virtualized host. And fourth, virtualization makes it very easy for a VM and its applications to move from one physical host to another, to another within the data center. So we have to ensure that the security posture for that VM stays the same no matter where the VM moves within the data center.
Slide 9:Now let’s look at the HP TippingPoint Secure Virtualization Framework and how we address these virtualization challenges.
Slide 10:HP TippingPoint introduced the Secure Virtualization Framework in the spring of 2010. It is a combination of products designed to secure the entire data center including virtualized data center infrastructure, and it consists of 3 different products:The physical IPS Platform shown here hung off the Core SwitchThe Virtual Controller plus Virtual Firewall or vController+vFW, shown here installed on a virtualized hostAnd the Virtual Management Center or VMC shown here installed on a virtualized host on the management network The one point I want to make about the Secure Virtualization Framework, and I will emphasize this point in several places during this presentation, it that it is all about giving our customers a “Single Security Model for Securing Both the Physical and Virtualized Data Center”. So let’s now look at the Secure Virtualization Framework in more detail.
Slide 11:So the first thing we do is install the HP TippingPoint IPS at the perimeter of the data center as shown here. Not the perimeter of the network, but at the perimeter of the data center, isolating the data center from the rest of the network and the outside world. What we’re showing here is the IPS installed at the perimeter of a simple data center with both physical hosts and virtualized hosts, a top of rack switch and a core switch, which could also be a distribution switch. This gives us the ability to inspect all traffic moving into and out of the data center effectively segmenting the data center for the rest of the network. This is also where we protect the entire Data Center Attack Surface that we discussed earlier from outside attacks including attacks on vulnerabilities in the virtualization software or hypervisor and even virtual desktop infrastructure. This is also where our Virtual Patching concept comes in. HP TippingPoint has always been focused on providing vulnerability filters in our IPS to prevent attacks on entire vulnerabilities as opposed to individual exploits, and so once you enable our vulnerability filters on the IPS it is like having all of the systems in the data center fully patched against the latest vulnerabilities or in essence having a “Virtual Patch” in place. In fact, in many cases we have protection for undisclosed vulnerabilities well before the software vendor discloses the vulnerability or makes a patch available to the public. So with this step we have a single set of security polices at the perimeter protecting both the physical and virtual data center assets.
Slide 12:Next we need to visualize or discover the entire virtualized infrastructure and deploy the vController+vFW on each of the discovered virtualized hosts. [Build 1]The first step is the simple installation of the Virtual Management Center or vMC on a stand-alone server or virtual machine. In fact, it can be installed in a VM on the same server hosting VMware’s vCenter. Once vMC is installed on the Management Network it communicates with the VMware vCenter which is the VMware management console. [Build 2]At that point the vMC is able to auto-discover the entire virtualized data center including providing real-time visibility of every virtualized host, and every virtual machine on each host. In addition, it provides a logical overview of the network topology showing how all of the virtual machines are interconnected in the data center. This allows customers to get their hands around the entire virtual data center so they can easily start to visualize and control VM sprawl and can identify mis-configurations in the virtual network as well. [Build 3]Once vMC identifies all of the virtualized hosts, it can be used to auto-deploy a vController+vFW installation on each of the virtualized hosts. There is a single instance of vController installed on each virtualized host regardless of how many virtual machines are running on each host.
Slide 13:Now at this point we have all the pieces of the Secure Virtualization Framework in place. In the graphic here on the right, you can see the physical IPS installed at the perimeter, the vMC installed on the management network, and the vController+vFW installed in the Service VM on this exploded view of one of the virtualized hosts in the data center. Again, there is only a single installation of vController+vFW on each virtualized host. It is installed in the Service VM and plugs into the VMware hypervisor via the VMware VMsafe API. Once in place the vController+vFW essentially introduces a “firewall like policy ” into the hypervisor. Basically, vController+vFW can see all traffic coming from any of the application VMs on the virtualized host and allows us to apply a policy that allows us to do 3 things:First, is the traffic permitted or not? If it is allowed the traffic is allowed to pass.Second, if the traffic is not allowed, we can block it outright at the hypervisor level with the vFW capability.And third, if the traffic is permitted, should it be inspected? If we want to inspect the traffic, the vController redirects the traffic via a dedicated VLAN to the physical IPS for inspection. The IPS inspects the traffic, blocks any malicious content, and then passes the inspected traffic back to the vController via a dedicated VLAN where vController then directs the traffic to its original destination. So now we can completely enforce our security policies in the both the physical and virtual data center. This includes the ability to inspect:Traffic coming into and going out of the data center at the perimeter,Traffic between physical hosts in the data center,Traffic between physical host and VMs, and evenTraffic between two VMs on the same virtualized host. And because every vController+vFW in the data center has all of our security redirection policies, we have the same security posture in place for each VM or application no matter where it moves in the data center. We now have a single set of security policies and for the entire data center including the ability to enforce those policies in both the physical and virtual data center.
Slide 14:The components of our Secure Virtualization Framework are VMware certified per the VMware Ready program. First, the vController+vFW is fully integrated with the VMware hypervisor via the VMsafe API.Second, the vMC is fully integrated with the VMware management console vCenter. I should however mention that currently our solution is only compatible with the VMware virtualization solution, and not with Microsoft’s Hyper-V or with Citrix solutions.
Slide 15:So in conclusion, the Secure Virtualization Framework gives us the ability to deliver a single security model for the physical and virtual data center. We can use our physical IPS Platform to segment different physical trust zones in the network. For example, companies may want to require inspection for all traffic between their R&D applications and their Finance applications. This is easily accomplished by routing the traffic through the physical IPS Platform. But now, we can enforce the same security policies in the virtualized data center. We can completely segment or enforce inspection between the R&D applications and Finance applications even when those applications are running on VMs on the same virtualized host.
Slide 16:Thank you for your time today. May I answer any questions you have?
