Security in A Virtualised World
The benefits of virtualisation are well known, but it does create a few challenges. Historically we would implement security in a network by physically placing a device in the path of the traffic. In the virtual world the user, the application and even the network are dynamic. This means we need a new security model, one that is as dynamic as the rest of the infrastructure. We need to realise that yesterday's box is tomorrow's service. In this session we will investigate the changes taking place in security to reflect the virtual world.

Published in: Technology
Speaker notes
  • What it is: A design for the way a set of materials or components come together to build something. What it does: An architecture improves the end user EXPERIENCE based on how the components fit together. Assumptions: Future-proofed; No major inefficiencies; Customer will pay for better experience. Keywords: Value; Breadth; End to End. Worth switching vendors to obtain? Maybe, but only if incumbent is mucking up. Suspension bridge has served many well: can span a long distance; requires anchors on either side; requires
  • What it is: A change in the price of goods based on lowering the cost of the input (HP). Offering the same experience at a lower cost may not be worth the risk, especially when the cost of operations is so high.
  • What it is: A fundamental change in the way a set of components is put together in order to improve the customer experience at a lower total cost than older solutions. The customer can intuitively see the savings and the benefits without a complicated ROI model. Server virtualization is a good example. What it does: Improves the customer experience while reducing the investment required to maintain the inferior legacy system. Keywords: Services opportunities; Optimization / Efficiency; Simplify / Reduce; Paradigm. Assumptions: Future pressures; Major inefficiencies profitable for incumbents.
  • Slide 1: THE CHANGING DATACENTER LEADS TO A GREATER SECURITY CHALLENGE. The consolidation of servers, storage and applications drives increased east/west traffic, which puts a significant strain on security infrastructure that has traditionally been dispersed throughout the datacenter. The old world of security appliances purpose-built to run specific services does not scale to handle this new shift. This change in architecture also drives the movement of IPs and hosts, which impacts the overall security policy: static rules are no longer applicable to managing it. Evolving threat vectors into the application layer require a new approach to handle the new threat landscape.
  • Slide 2: THE NEW NETWORK MEETS THAT CHALLENGE. In order to handle these challenges the new datacenter security model must change: dynamic security at scale – consolidation of services to handle the changing traffic patterns; application visibility – to provide application visibility across the datacenter; user aware networking – to provide user level visibility from the flow of information across the datacenter.
  • When implementing clouds into your infrastructure, there is a new model of security. The old model looked like a castle. We had big thick walls, we had a deep moat, we had a drawbridge, and we had a perimeter defense to keep the barbarians outside of the gate. The concept of the cloud is completely different. It's more like a hotel. We need people to come in and share the facilities. The economic model is predicated upon sharing the infrastructure. So rather than locking people out, I am inviting them in. Now I am going to give each application or department its own room. I am going to give them a key so they can lock up their room and be secure. But I am going to coordinate the lock systems between the rooms. I am going to know who is going in and out, and when there is a problem I can address it. This type of security is more granular. I am carving things up inside the data center to make this work. A perimeter defense is no longer adequate. Thus in this section we will discuss how to secure the data center by securing the data flows.
  • User location, User Device, What Application, What user.
  • User information, Data Flows, Configuration information, Log information and place.
  • User information, Data Flows, Configuration information, Log information and place.
  • Securing the data center begins with securing the application data flows. If you look at the data center there are three key types of flows. There are flows from server to server, which are actually flows between zones, there are flows between data centers, and there are flows between the client and the data center. In the cloud model, we need to secure everything.

    1. Securing the virtualised datacentre. Trevor Dearing, Director Network Strategy, EMEA.
    2. Some designs are useful for a long time.
    3. Cheaper raw materials offer incremental change. The vehicle to economics is to improve opex through architecture, not through dropping the price.
    4. New architecture transforms what's possible.
    5. The applications evolved: from client–server architecture to service-oriented architecture, a fundamental change in data flows. (Figure: clients, servers A–D and DB, with 95%, 25% and 75% traffic shares.)
    6. The servers and storage evolved: servers were consolidated, standardized and virtualized; storage was consolidated and virtualized; network services can be consolidated and virtualized; a single network integrates the resource pools.
    7. But the network architecture has not changed. Today's challenges:
       - Too complex
       - Impacts scale and agility
       - Too slow
       - Too expensive
       - Security scalability and agility
       Unnecessary layers add hops and latency. In the data center, up to 50% of the ports interconnect switches, not servers or storage; Spanning Tree disables up to 50% of bandwidth; up to 75% of traffic (figure: N/E/W/S compass).
    8. Typical tree configuration. DEFINING THE IDEAL NETWORK: flat, any-to-any connectivity.
    9. DEFINING THE IDEAL NETWORK. Flat, any-to-any connectivity; single device, N=1; switch fabric.
       - Data plane: flat – single lookup; any-to-any
       - Control plane: single device; shared state
       Simplicity of a single switch, but a single switch does not scale.
    10. DEFINING THE IDEAL NETWORK – A FABRIC. Flat, any-to-any connectivity; single device, N=1; network fabric.
       - Data plane: flat – single lookup; any-to-any
       - Control plane: single device; shared state
       A network fabric has the simplicity of a single switch and the scalability of a network.
    11. Security is impacted by two trends.
       - Industry trends: mobile workforce; data center consolidation; consumerization
       - Security trends: attacker behavior; new attack targets; evolving threat vectors
    12. The changing data center leads to a greater security challenge.
       - Yesterday: dispersed, physical separation; legacy, client server, data, IPv4; worms, viruses, trojans, DDoS
       - Today: consolidation; changing traffic; evolving threats
       - Tomorrow: virtualization, increased bandwidth utilization; movement of hosts, systems; application targeted attacks
    13. The new network meets that challenge: (A) dynamic security at scale; (B) application visibility; (C) identity aware networking; (D) automating security infrastructure. (Figure: servers/storage, HTTP/web services, data center, network core.)
    14. Secure – new model for the cloud: castle model ("Keep out!") versus hotel model.
    15. The future of security: data/app consolidation and consolidation of security services (everywhere), across data center, branch, campus and mobile clients over a global high-performance network. (Figure: per-site lists of NAT, firewall, IPS, IDS, UTM, VPN, anti-malware, LAN acceleration, anti-virus, remote access, remote lock/wipe, backup & restore and UAC.)
    16–18. Where is security headed? (Built up over three slides around the data center, branch, campus and mobile clients on a global high-performance network.)
       - Consolidation of security services (everywhere)
       - Application visibility and control: "location to network" vs. "source to destination" – what user, what application, user device, user location
       - Security intelligence: "security as an ecosystem" vs. "a collection of independent devices" – user information, data flows, configuration information, log information and place
       - Broad enterprise security: "breadth and depth" across the enterprise; data/app consolidation
    19. Secure – cloud enabled security: client to DC, server to server and DC to DC flows across the global high-performance network.
    20. Dynamic security at scale:
       - Dynamic allocation of security services within a single platform
       - Scale to 130 Gbps / platform and 10M concurrent connections
       - Automated firewall changes based on user visibility and policy
       - Secure shifting traffic flows with a single platform
       (Figure: MX Series, EX8216, SRX5800, servers, storage, FC SAN.)
    21. Service offerings continue to grow: yesterday's box is tomorrow's feature. SRX100, SRX210, SRX240, SRX650, SRX3600, SRX5600, SRX5800.
    22. Security implications of virtual servers. On the physical network a firewall/IPS inspects all traffic between servers, but physical security is "blind" to traffic between virtual machines on the same ESX host, which stays on the virtual network inside the hypervisor. (Figure: VM1–VM3 on an ESX host, virtual network vs. physical network.)
    23. Approaches to securing virtual servers: three methods.
       1. VLAN segmentation: each VM in a separate VLAN; inter-VM communications must route through the firewall. Drawback: possibly complex VLAN networking.
       2. Agent-based: each VM has a software firewall (FW agents). Drawback: significant performance implications; huge management overhead of maintaining software and signatures on 1000s of VMs.
       3. Kernel-based firewall (FW as a kernel module in the hypervisor): VMs can securely share VLANs; inter-VM traffic always protected; high performance from implementing the firewall in the kernel; micro-segmenting capabilities.
    24. Hypervisor kernel stateful firewall – introducing the Altor VF: purpose-built virtual firewall; secure live migration (VMotion); security for each VM by VM ID; fully stateful firewall; VMware "VMsafe Certified"; tight integration with virtual platform management, e.g. VMware vCenter; fault-tolerant architecture. (Figure: Altor VF on the ESX host beside VM1–VM3, connected through the network to NSM, STRM, Juniper SRX and a Juniper switch.)
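As an added illustration of the last three slides (not code from the deck, from Juniper or from Altor): a small Python model of why a firewall on the physical network misses VM-to-VM traffic on one host, and why a rule keyed by VM ID still applies after a live migration where an address-keyed rule does not. The VM names, hosts, addresses and the address change on migration are all constructed.

```python
from dataclasses import dataclass, replace
# Constructed model of the slides' scenario: VMs on ESX hosts, a firewall/IPS on
# the physical network, and a hypervisor-kernel firewall keyed by VM ID, not address.
@dataclass(frozen=True)
class VM:
    vm_id: str   # stable identity assigned by the virtual platform
    host: str    # hypervisor currently running the VM
    ip: str      # address; constructed to change when the VM is moved

@dataclass(frozen=True)
class Flow:
    src: VM
    dst: VM
    dport: int

def physical_fw_sees(flow: Flow) -> bool:
    """A firewall/IPS on the physical network only inspects traffic that leaves
    a host; VM-to-VM traffic switched inside the hypervisor never reaches it."""
    return flow.src.host != flow.dst.host

def kernel_fw_sees(flow: Flow) -> bool:
    """A kernel-module firewall sits in the hypervisor data path and sees every flow."""
    return True

def ip_rule_allows(rules: set, flow: Flow) -> bool:
    """Static rule keyed by address: the policy style the speaker notes call out."""
    return (flow.src.ip, flow.dst.ip, flow.dport) in rules

def vmid_rule_allows(rules: set, flow: Flow) -> bool:
    """Rule keyed by VM ID: follows the VM wherever it runs."""
    return (flow.src.vm_id, flow.dst.vm_id, flow.dport) in rules

def migrate(vm: VM, new_host: str, new_ip: str) -> VM:
    """Live migration: host (and here the address) change, the VM ID does not."""
    return replace(vm, host=new_host, ip=new_ip)

def demo():
    web = VM("vm-web", "esx-a", "10.0.0.10")
    db = VM("vm-db", "esx-a", "10.0.0.20")
    ip_rules = {("10.0.0.10", "10.0.0.20", 3306)}   # address-based allow rule
    id_rules = {("vm-web", "vm-db", 3306)}          # identity-based allow rule
    before = Flow(web, db, 3306)                    # both VMs on esx-a
    after = Flow(migrate(web, "esx-b", "10.0.1.10"), db, 3306)
    return {
        "physical_fw_sees_intra_host": physical_fw_sees(before),
        "kernel_fw_sees_intra_host": kernel_fw_sees(before),
        "ip_rule_holds_after_migration": ip_rule_allows(ip_rules, after),
        "vmid_rule_holds_after_migration": vmid_rule_allows(id_rules, after),
    }
```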
    25. Integration with Juniper data center security. Altor integration points: central policy management (Altor Center pushes policies to the Altor virtual firewall); firewall event syslogs and NetFlow for inter-VM traffic; traffic mirroring to IPS. Surrounding components: VMware vSphere, NSM, STRM, Juniper SRX with IPS, Juniper switch.
    26. SECURING THE FABRIC. Flat, any-to-any connectivity; single device with integrated security; network fabric.
       - Data plane: flat – single lookup; any-to-any
       - Control plane: single device; shared state; security policies
       A network fabric has the simplicity of a single switch and the scalability of a network.