  • Copyright © 2009 Clavister AB. All rights reserved.
  • Traditional network security relies on physical segmentation of networks and servers. Physical firewalls / security gateways then form effective filters between communicating parties. In a virtual environment, however, a large number of servers may be deployed within the boundaries of a single piece of hardware. As a result, communication between servers does not necessarily need to leave the physical hardware.
  • One way of solving the problem today is to use traditional hardware security appliances and let all communication flow through them. Clearly, the biggest disadvantage of this solution is that the environment still relies on external physical components, which is a total contradiction to the virtualization idea. With mixed solutions, redundancy and VMotion become either too complex or do not work at all, and the solution will not scale with the virtual environment, which is very elusive by its nature. Furthermore, it becomes difficult to create identical lab environments and test the setup where security is considered an important aspect.
  • The most straightforward way of solving the problem is to also deploy the security gateways as virtual nodes in the virtual environment.
  • Transcript

    • 1. Virtual Security As Business Generator June 2009 Roberto Correnti Regional Manager, Clavister France & BeNeLux Tanguy Derriks Business Development Director, MMS-Secure
    • 2. Clavister Overview
      • Established in Sweden in 1997
      • Sales offices in Europe and Asia
      • Team of 150 people
      • Evolved from a firewall specialist to a complete security solution provider
      • Target markets:
        • Service Providers: Data Centers, Internet Service Providers, MSSPs
        • Enterprises
        • Telecom Operators
      • >100.000 installations world-wide, >20.000 customers
      Reference Customers:
    • 3. Clavister SSP Services Anti-Virus, Anti-Spam, Intrusion Detection & Prevention, Web Content Filtering Software Maintenance, Warranty, Technical Support, Training, Consulting, Licensing, SMS Hardware Software Virtual SSL Lifecycle Systems Lifecycle Services Network Elements
    • 4. Traffic Management VPN Application Layer Security Network Security Routing DHCP Authentication HA Management Troubleshooting Monitoring Log & Alarms
    • 5. Unique Virtual Security
      • Clavister: 32 MB, 64 MB; >100 Virtual Gateways per server*; designed for enterprises & datacenters
      • Known OS-based competitors: 1200 MB, 500 MB; 12 Virtual Gateways per server*; designed for enterprises
      • * Typical server with 12 GB RAM and 1TB Storage
    • 6. Virtual Security – For Enterprises
    • 7. VMware Virtualization Basics
    • 8. Virtualization Trends
      • So far, focus has been on deployment, maintenance and provisioning of virtual servers.
      • UK research firm YouGov states that 41% of IT managers using virtualization thought that security was built into the virtualization software!
      • Security is a neglected yet highly emerging focus area in virtual environments!
      • Your investment in virtualization might be at risk! Act now, tomorrow it might be too late!
    • 9. Traditional Network vs. Virtual Network
      • Traditional network:
        • Multitude of network segments
        • Communication between zones is monitored and secured
      • Virtual network:
        • Fewer network segments dividing the servers
        • Communication between virtual machines is not monitored or secured!
        • DANGER
    • 10. Communication Path Diagram (zones: Web Front-End Zone, Middleware / Business Logic Zone, Back-End Database Zone). Copyright © 2008 Clavister AB. All rights reserved.
      • Inter-communication traffic is limited by VLANs but not secured, which is a critical security issue and one which needs to be addressed
    • 11. Mixed Solutions for Securing Virtual Environments
    • 12. Drawbacks With “Mixed Solutions”
      • Still relies on external security appliances
      • The virtual infrastructure is a dynamic world. Keeping up with changes from the “outside” is complex and time consuming
      • Does not benefit from Redundancy and Disaster Recovery tools
      • Makes lab/testing expensive and complex
      • Increases risk of costly service down time in case of security appliance hardware failures
    • 13. The fully virtualized solution
    • 14. The Clavister Virtual Security Gateway Solution
      • Pre-Configured Solutions
      • Easy to deploy
      • Easy to manage
      • Templates & workflows – Increase security and control
    • 15. Clavister Virtual Security Gateway Solution
      • Virtual Machines (VMs) are not allowed to talk with each other without first going through the Virtual Security Gateway
      • All security inspections which would have been performed by a physical security gateway in a physical structure are done "in-line" in the virtual environment.
    • 16. Communication Path Diagram (zones: Web Front-End Zone, Middleware / Business Logic Zone, Back-End Database Zone)
      • All virtual machines and inter-communication are secured using best-in-class virtual security gateways, which enables mission-critical applications to be virtualized without compromises to the security policies
    • 17. Troubleshooting, Monitoring, Alarms & Auditing
      • Troubleshoot communication using:
        • Real-time monitoring with filters
        • PCAP & Memlog recording
        • Log analysis
      • Monitor behavior of traffic using:
        • SNMP
        • Real-Time monitoring
        • Real-Time KPI dashboards
      • Create custom and policy-based alarm events (thresholds etc.)
      • Full auditing capabilities using:
        • Built-in log viewing applications
        • External SIEM systems
    • 18. Typical Enterprise Environment Traditional physical server network Virtualized production infrastructure Disaster Recovery or Lab/Test Network Internet
    • 19. Fully virtualized DMZ Network Diagram
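    • 20. Virtual Security Gateway – Models & Dimensioning
      • VSG21
        • Plaintext Performance*: 50 Mbit/s
        • VPN Tunnels: 25
        • VLAN: 4
        • Concurrent Connections: 4000
        • Recommended Application: Test & Lab Networks with no or very low performance demands
      • VSG110
        • Plaintext Performance*: 200 Mbit/s
        • VPN Tunnels: 200
        • VLAN: 64
        • Concurrent Connections: 16000
        • Recommended Application: Small installations with a limited amount of protected VMs with low to medium performance demands
      • VSG510
        • Plaintext Performance*: 500 Mbit/s
        • VPN Tunnels: 500
        • VLAN: 128
        • Concurrent Connections: 64000
        • Recommended Application: Medium and Large installations with medium to high performance applications such as web/mail/citrix/databases and similar
      • VSG1100
        • Plaintext Performance*: 1000 Mbit/s
        • VPN Tunnels: 1000
        • VLAN: 512
        • Concurrent Connections: 256000
        • Recommended Application: Large installations with medium to high performance applications such as web/mail/citrix/databases and similar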
    • 21. Clavister Virtual Security Gateway Features
      • Protect Virtual Servers: Segregate virtual machines from each other and prevent hackers from jumping from one machine to another with little or no difficulty. All the features of a hardware appliance security gateway are also available for the virtual security gateways, including the UTM services!
      • Secure Inter-Communication: Utilize the VPN encryption to secure communication between virtual machines.
      • Achieve Auditing and Regulatory Compliance: Since the virtual security gateway can be run inside the virtual infrastructure, security auditing can be achieved and thereby regulatory compliance requirements can be met.
      • No Security Policy Compromises for Virtual Environments: Utilize your standard set of policies not only for physical machines but just as easily also for virtual ones.
    • 22. Benefits with Clavister Virtual Security Gateways
      • Scalability: Users can now extend security by simply deploying new security gateways as they go.
      • Lower CAPEX: Virtualization opens up for new business models where CAPEX is minimized.
      • Simplified Maintenance: Security components inherit all manageability features from a virtual environment, such as fail-over, provisioning, and so forth.
      • Minimized downtime: Less hardware in combination with highly efficient disaster recovery and redundancy tools such as VMotion reduces downtime and improves the overall in-service performance of the security solution
      • Simplified Test/Lab testing: Since the virtual security gateway is a part of the virtual infrastructure, it becomes easier to create lab/test environments, which decreases the complexity of security tests, which in turn improves the overall security
    • 23. Virtual Security for Service Providers
    • 24. xSPs / Telecom Operators- Market Situation
      • Competitive Market
        • Highly competitive and saturated market
        • Recruiting new customers is expensive
        • Operational efficiency is a must to remain competitive
      • Financials
        • Low and decreasing profit margins for traditional offerings
        • Increasing Average Revenue Per User (ARPU) is absolute key to growth & success
        • Financial crisis drives the need to offer cost-saving services to customers
      • First mover advantage
        • Time from visionary to market leadership is shorter than ever
    • 25. Clavister vSeries – Value Proposition for xSPs
      • Opportunity to take first mover advantage
      • A value-adding and unique security offering
        • Create your own attractive security services portfolio: (Firewall, VPN, Content Filtering, IDP, Anti-Virus…)
      • Leverage existing virtual infrastructures
        • Extreme Scalability, Deployment, SLA, etc..
      • Increase your Average Revenue Per User (ARPU)
      • Low capital investment – Expands as you grow
    • 26. Clavister vSeries – What it is
      • Security Platform
        • Best-of-breed Security Gateways
        • Clavister Security Services Platform (SSP) our offering for Service Providers
      • Virtual for optimal scalability and financial benefits
        • Runs inside a virtual infrastructure (e.g. VMware / Xen / Microsoft)
        • Runs in your datacenter (each customer gets a dedicated security gateway)
        • Extremely resource efficient - More gateways on less hardware
      • Designed for Operators
        • MSSP friendly Management & Operations
        • Extremely scalable - Provision 1 gateway just as easily as 100.000
    • 27. Business Case 1 – Internet Service Providers
    • 28. Security Services for Internet Subscribers
      • Value Add Services for Internet Subscribers
        • Added on top of internet connection bill
        • Increase ARPU - Offer the services to all existing customers
        • First mover advantage – Infrastructure as a Service (IaaS) already today
      • Plug-in Solution for the Broadband Network Datacenter
        • No need for End User Equipment
        • Efficient Management and Maintenance
        • Optimized Provisioning Capabilities
      • Customer Focused Service Packages
        • Small & Medium Business
        • Remote Office
        • Retail Stores…
    • 29. Security Service Network Diagram ADSL Customer #2 Access Network Datacenter Core Network Virtual Provisioning Infrastructure HW Layer VM Layer Firewall VPN Content Filtering IDP Anti-Virus Reporting ADSL Customer #1 B-RAS Core Switch Internet
    • 30. Customer Experience - Deployment 1. Choose Service 2. Automatic deployment ( < 1hour ) 3. Use the service €
    • 31. Summary – Virtual Security Services
      • New business opportunities
        • Offer cost-efficient security services
      • Financial Upsides
        • Increase Average Revenue Per User (ARPU)
        • Improve profit margin
      • First mover advantage
        • Gain or secure market leadership
        • Interesting product portfolio
      • Provisioning & Operations
        • Extremely efficient deployment (minutes instead of days & weeks)
        • Based on tested & proven industry standard technologies (Clavister, VMware, IBM/HP/Dell)
        • Extremely scalable
    • 32. Business Case 2 – Hosting Providers
    • 33. Business Case – Service Providers (Hosting)
      • Value Adding: Offer value-adding managed security services to hosting customers.
      • Tailor-made service portfolio: Use the pick-n-choose service packaging
      • Operational Efficiency: Automatic deployment without any human intervention
      • Accelerates hosting business: Makes customers more comfortable hosting sensitive applications (Cloud and utility computing is specific)
      • Increase ARPU
      • Low investment - High profit margins
    • 34. SMB - Hosting Security Services
      • Hosted - Virtual Machines
      • (dedicated or part of a cloud) - Microsoft Exchange
      • Web Server
      • FTP Server
      Virtual Security Gateway Managed or self-managed Datacenter Core Network Customer #1 Customer #3 Customer #2 ESXi Internet Firewall VPN Content Filtering IDP Anti-Virus Reporting
    • 35. Customer Experience - Deployment 1. Choose Service 2. Automatic deployment ( < 1hour ) 3. Use the service €
    • 36. Business Benefits
      • Price-efficiency
        • Use VMware and Clavister to provide dedicated firewall, VPN, IDP and reporting capabilities in a price-efficient manner to customers of all sizes
      • Scalability
        • Start with a virtual gateway and grow to a dedicated platform when the need for performance and functionality increases
      • Deployment
        • Virtual appliances are turn-key solutions and can be deployed within minutes
      • Convergence and standardization on robust hardware
        • Utilize standardized hardware also for security services
      • Provide Improved SLAs
        • Utilize tested VMware redundancy and clustering in order to provide improved SLAs for security services
    • 37.
      • The virtual machines are not allowed to communicate with each other without going through Clavister
      • All security inspections that would have been performed by an external device are done "internally", natively in the virtual environment
      Virtualization Layer Virtual Network Hardware Virtual Switch (VLANS) VM VM VM VM Virtual Security Gateway Conclusion Virtualization: Example at a customer site Central Administration via InControl Internet
    • 38. 100 x VSG can be installed on a "standard" VMware ESXi/ESX host (12 GB RAM & 1 TB HD) 1 x VSG = 32 MB storage space, 64 MB RAM Central Administration via InControl Conclusion Virtualization: Hosting Provider (Security and/or SaaS) Internet
    • 39. Terremark - Reference Customer
      • About Terremark
      • Terremark Worldwide's (NASDAQ:TMRK) acclaimed Infinistructure utility computing architecture has redefined industry standards for scalable and flexible computing infrastructure, and its digitalOps service delivery platform combines end-to-end systems management workflow with a comprehensive customer portal.
      • NASDAQ: TMRK
      • Leader in managed IT infrastructure services (Gartner - Leaders Quadrant)
      • Datacenters in the United States, South America and Europe
      • SAS 70 Type II Certified
      • Microsoft Gold Certified Partner
      • United States General Services Administration (GSA) Schedule# GS35F0073U
    • 40. Thank You Tanguy Derriks – MMS-SECURE (Distributor for BeNeLux) Email: Phone: +32 (0)2 767 93 03 Contact Information: Roberto Correnti - CLAVISTER Email: Phone: +33 (0)1 75 43 78 90 Mobile: +33 (0)6 11 17 66 71