HP TIPPINGPOINT
IPS AND VIRTUALIZATION SECURITY
FOR THE DATA CENTER

Sean Ennis
Solutions Architect (HP TippingPoint) – Canada

1
©2009 HP Confidential template rev. 12.10.09
AGENDA
– Modern Threat Landscape
– IPS Platform
– Secure Virtualization Framework
– Q&A




2
DATA CENTER TRENDS
Connect Everyone to Everything                                 Do More With Less

Past                                                                        Present & Future
Dispersed, Physical,                 Efficiency Drives Consolidation        Virtualization, Blades, Increased Bandwidth
Legacy, Client Server, IPv4, Data    New Apps, Protocols & Traffic          Legacy + Web, IPv4 + IPv6, Data + Voice + Video
Worms, Viruses, Trojans, DDoS        Threat Landscape Change                Sophisticated Targeted Attacks, Re-Perimeterization
3
MODERN ATTACK LANDSCAPE
APPLICATIONS ARE THE PRIMARY TARGETS

Period        Attack focus
2002-2004     Network / Server Downtime Attacks
2004-2007     Social Engineering Attacks
2007-2010+    Enterprise and Web Application Attacks

[Diagram, attack types: Worm, Virus, P2P, DDoS, O/S Specific Attacks, Trojan, Botnet, Social Media Malware, Spyware, Whaling, Phishing, Application Exploits, PHP File Include, SQL Injection, XSS]

[Diagram, targets: Individual Account Credentials, Corporate Ransom, Email Spamming, Online Click Fraud, Customer Details, Credit Card Database, Corporate Confidential Information]
4
WHAT ABOUT THE FIREWALL?




In simplest form….

•   Separates distinct security zones
•   Designed to block or allow traffic based on a set of rules
•   Rejects all unauthorized ports/protocols at the edge of a security zone
•   Very good at ensuring network resources (servers, clients, etc.) only see required traffic
•   Can also be generally responsible for VPN, NAT, redirection, proxying, etc.


    5
WHAT ABOUT THE FIREWALL?

[Diagram labels: DDoS, Spyware, SQL Injection, PHP File Include, XSS, …Browser exploits, …Drive-by DL, …Adobe exploits, …]

In simplest form….

•   Separates distinct security zones
•   Designed to block or allow traffic based on a set of rules
•   Rejects all unauthorized ports/protocols at the edge of a security zone
•   Very good at ensuring network resources (servers, clients, etc.) only see required traffic
•   Can also be generally responsible for VPN, NAT, redirection, proxying, etc.


    6
IPS PLATFORM INTRODUCTION

[Diagram: Unknown Traffic Goes In, IPS Platform (with Security Management System), Clean Traffic Comes Out]

IPS Platform
Designed for future security demands and services

Proactive
    • In-line reliability
    • In-line performance (throughput/latency)
    • Filter accuracy
Security
    • Leading security research
    • Fastest coverage
    • Broadest coverage
Costs
    • Quick to deploy
    • Automated threat blocking
    • Easy to manage
7
HP TIPPINGPOINT S-SERIES PRODUCTS

IPS Platform Solutions: ROBO, Perimeter, Zone isolation, MSPs…
    – TippingPoint S10: 20Mbps • 2 Segments
    – TippingPoint S110: 100Mbps • 4 Segments
    – TippingPoint S330: 300Mbps • 4 Segments

IPS Platform Solutions: 10GE Networks, Core, Data Center, Service Providers…
    – TippingPoint S660N: 750Mbps • 10 Segments
    – TippingPoint S1400N: 1.5Gbps • 10 Segments
    – TippingPoint S2500N: 3Gbps • 11 Segments
    – TippingPoint S5100N: 5Gbps • 11 Segments

Management, Accessories
    – Core Controller: 20Gbps • 3x10GbE
    – Security Management System (SMS): Manage Multiple Units • Central Dashboard
    – SSL Appliance S1500: Transparent SSL Bridging and Off-Loading
    – vController and VMC: Virtual Data Center Security & Visibility

Security Intelligence: DVLabs Services
    – Digital Vaccine: Broadest Coverage • Evergreen Protection
    – Web App DV and Scanning: Web Scan • Custom Filters • PCI Report
    – ThreatLinQ: Real Time Threat Intelligence
    – Reputation DV: IP Reputation • DNS Reputation
8
TECHNICAL SPECIFICATION - N-PLATFORM SENSORS

                              TippingPoint 660N      TippingPoint 1400N     TippingPoint 2500N        TippingPoint 5100N
Performance
Network Throughput            750 Mbps               1.5 Gbps               15 Gbps                   15 Gbps
Inspection Throughput         750 Mbps               1.5 Gbps               3 Gbps                    5 Gbps
Typical Latency               < 80 microseconds      < 80 microseconds      < 80 microseconds         < 80 microseconds
Concurrent Network Sessions   6,500,000              6,500,000              10,000,000                10,000,000
Security Contexts             1,200,000              1,200,000              2,600,000                 2,600,000
Connections/Sec               115,000                115,000                230,000                   230,000

Interfaces
                              • 10 x 1GbE Copper     • 10 x 1GbE Copper     • 1 x 10GbE XFP           • 1 x 10GbE XFP
                              • 10 x 1GbE SFP        • 10 x 1GbE SFP        • Internal ZPHA (10GbE)   • Internal ZPHA (10GbE)
                              • 10 Total Segments    • 10 Total Segments    • 10 x 1GbE Copper        • 10 x 1GbE Copper
                              • External ZPHA        • External ZPHA        • 10 x 1GbE SFP           • 10 x 1GbE SFP
                                                                            • 10 Total Segments       • 10 Total Segments
                                                                            • External ZPHA           • External ZPHA
Power
                              AC only                AC only                AC or DC                  AC or DC
9
TSE
Threat Suppression Engine

[Diagram: Tier 3,4: Thread, Thread, Thread; Tier 2: Load Balancer, Traffic Management (FW), Bypass; Tier 1]
10
HP TIPPINGPOINT 1200N
EMBEDDED IPS PLATFORM
– TippingPoint IPS module brings industry leading IPS, including Digital Vaccine and Reputation DV service to any A7500 series switch
– 1.3 Gbps aggregate inspection throughput across 2 x 1Gb copper or 1 x 10Gb backplane interface
– A unified network and security management framework based on TippingPoint’s Security Management System (SMS) integrated and HP’s Intelligent Management Center (IMC)

[Images: HP A7500 Switch Series; HP TippingPoint 1200N IPS]

11
CORE CONTROLLER FOR 10GBE
Core Controller Model Provides:
     • High Availability – Reliability and Redundancy
     • High Performance with Low Latency – 10Gbps inspection across IPSs
     • Ease of Management and Low TCO – Low cost of entry and pay-as-you-grow design
     • Scalability – Expand IPS capacity to meet high bandwidth demands

Hardware:
     • Three 10GbE segments
     • 20Gbps aggregate inspection throughput
     • 24x iLink segments
         - Interconnects to IPSs
         - 48 1Gbps ports
     • Smart ZPHA modules (Optional)
         - Zero Power High Availability – bypass
     • Dual hot-swappable power supplies
     • System health and status panel
12
1500S – SSL INSPECTION
High-performance, transparent SSL off-loading and bridging for IPS traffic inspection

[Diagram: Dirty Encrypted Traffic enters the SSL Appliance, which is paired with the IPS Platform; the output is Clean Encrypted Traffic OR Clean Un-Encrypted Traffic]

› Key Benefits
         •   Increased Web server and application security
         •   Virtually no traffic bottlenecks or application performance penalty
         •   Carrier-class reliability delivers high-availability / up-time
         •   Contributes to regulatory compliance efforts
         •   Reduced server utilization in off-loading configuration
13
LEADING SECURITY RESEARCH – DVLABS
IPS Platform is Only as Good as its Security Intelligence

Inputs:
    • 1,400+ Independent Researchers
    • 2,000+ Customers Participating
    • Partners
        - SANS, CERT, NIST, etc.
        - Software & Reputation Vendors

DV Labs Research & QA:
    Leading security research and filter development with 30+ Dedicated Researchers

DVLabs Services:
    ›   Digital Vaccine
    ›   Web App DV
    ›   Reputation DV
    ›   Custom DV
    ›   App DV
    ›   ThreatLinQ
    ›   Lighthouse Program

Output: TippingPoint IPS Platform
14
PROVEN IN-LINE FILTER ACCURACY
UNMATCHED ACCURACY FROM DVLABS AND DIGITAL VACCINE

Term                    Definition
Vulnerability           Security flaw in a software program
Exploit                 Attack on a vulnerability to:
                         • Gain unauthorized access
                         • Create a denial of service
Exploit Filter          Stops a single exploit
                         • Easy to produce
                         • Typically produced due to IPS engine performance limitations
                         • Results in missed attacks and false positives
Vulnerability Filter    Stops all exploits attacking the vulnerability

[Diagram: Vulnerability; Standard IPS Exploit Filter for Exploit A; Exploit A; Exploit B (missed by Exploit Filter A); False Positives (coarse filter)]

TippingPoint’s vulnerability filter acts like a Virtual Software Patch, eliminating false positives

September 22, 2010
15
REPUTATION DIGITAL VACCINE
Keep the bad guys and the botnets off your network

Reputation Database
     • IPv4 & IPv6 Address
     • DNS Names
     • Geography
     • Merge with your data

[Diagram: Access Switch, IPS Platform, Internet]

BLOCK OUTBOUND TRAFFIC
     • Botnet Trojan downloads
     • Malware, spyware, & worm downloads
     • Access to botnet CnC sites
     • Access to phishing sites

BLOCK INBOUND TRAFFIC
     • Spam and phishing emails
     • DDoS attacks from botnet hosts
     • Web App attacks from botnet hosts

Botnets Currently Being Tracked:
Conficker, ZeuS, Kraken, Srizbi, Torpig, Storm, Asprox, Gumblar, Koobface, Mariposa, Dark Energy
16
2010: DATA CENTER VIRTUALIZATION REACHES THE TIPPING POINT
Leading in Times of Transition: the 2010 CIO Agenda

Survey of 1,586 CIOs:
• Virtualization becomes… #1 Technology Priority in 2010
• Displaces Business Intelligence which held top position for the last 5 yrs!

[Chart: labels 16% and 50%; x-axis 2010, 2011, 2012; ~ 58 million deployed x86 machines]

Source: Gartner Says 16% of Workloads are Running in Virtual Machines Today. Will grow to 50% by 2012 (October 2009)
17
BUT WHAT ABOUT SECURITY?
                        “60 Percent of Virtualized Servers Will Be Less Secure
                       than the Physical Servers They Replace Through 2012”


          I.     Information Security Isn't Initially Involved in the Virtualization Projects

          II.    A Compromise of the Virtualization Layer Could Result in the
                 Compromise of All Hosted Workloads

          III.   Workloads of Different Trust Levels Are Consolidated onto a Single
                 Physical Server Without Sufficient Separation

          IV.    Adequate Controls on Administrative Access to the Hypervisor/VMM
                 Layer and to Administrative Tools are Lacking

          V.     There Is a Potential Loss of SOD for Network and Security Controls
                 ...
SOD: Separation Of Duties
Source: MacDonald, Neil. Addressing the Most Common Security Risks in Data Center Virtualization Projects, Gartner, Inc. January 25, 2010
18
SECURE VIRTUALIZATION FRAMEWORK
VIRTUALIZATION VISIBILITY GAPS

[Diagram: ESX Hosts (Application VMs with App / OS, VMsafe Kernel Module, Virtual Switch, Hypervisor), a physical IPS and the Core; question marks mark the visibility gaps]

(1) Host to Host
    IPS inspection on each uplink is expensive/unmanageable

(2) VM to VM
    No way to insert physical IPS

(3) VM Mobility
    What happens when a VM moves?
19
SECURE VIRTUALIZATION FRAMEWORK
TIPPINGPOINT VCONTROLLER

[Diagram: ESX Hosts (Application VMs with App / OS, vController, Redirection Policies, VMsafe, Virtual Switch, Hypervisor), the Core and the IPS]

• Utilizes same specialized hardware as physical network segments
• Policy-based redirection ties IPS inspection to VMs
• VMsafe kernel module integration provides deep insight into vm behavior, maintains low redirection latency (<80us)
• Manage all virtual and physical networks with the same tools
• VMC console provides full visibility into logical VM connectivity

http://www.bestofinterop.com/winners/#security
20
WHAT ABOUT VIRTUAL IPS?
RESTRICTED SCALABILITY

[Diagram: ESX Host (Application VMs with App / OS, a vIPS VM marked "?", VMsafe Kernel Module, Virtual Switch, Hypervisor), the IPS and the Core]

• Can be effective in smaller environments
• Cannot take advantage of specialized hardware
• Shares resources with other VMs
• Latency is typical due to lack of hardware acceleration
• Difficult to establish performance baselines
21
VISUALIZE YOUR VIRTUALIZATION
TIPPINGPOINT VIRTUALIZATION MANAGEMENT CENTER (VMC)

• Empower network/security teams with real-time visibility into virtual environment
• Integration with virtualization management
• Topology mapping provides identification of virtual/physical network paths
22
TIPPINGPOINT VMC
IT’S ALL ABOUT THE INSPECTION POLICIES

• Assign policies by VM and/or zone, not location or network connection
• Automate trust zone assignment for new or untrusted workloads
• Ensure policies follow VM regardless of state (in motion, powered on, powered off)
• Cloned VMs must automatically inherit parent policies
23
SUMMARY
Securing The Next Generation Data Center

Stop Threats Faster
• Proactive Security Model
• Best Inline Enforcement
• Broadest Security
• DVLabs Leading Security Research
• Zero-Day Initiative
• Application Visibility
• Vulnerability Intelligence

Protects Highest Bandwidth Data Centers
• Highest performance
• 20Mbps to 16Gbps
• Latency in Microseconds
• Protects Layer 2-7
• Inline or out-of-band deployment options
• Deployment Options for Virtual Data Centers

Immediate, Always Up To Date Protection
• Protects in Minutes
• Automated DV Updates
• Most Timely Protection
• Leading Zero-Day Protection
• Intuitive management

Secure Virtualization Framework
• vController
• Visibility and control
• Leverage existing hardware investments
• No compromise to consolidation ratio
24
THANK YOU




25
Bapinger Network SecurityDjadja Sardjana
 
Cloud Security: Perception Vs. Reality
Cloud Security: Perception Vs. RealityCloud Security: Perception Vs. Reality
Cloud Security: Perception Vs. RealityInternap
 
Refense Security Risk Briefing July 2009
Refense   Security Risk Briefing   July 2009Refense   Security Risk Briefing   July 2009
Refense Security Risk Briefing July 2009apompliano
 
PCTY 2012, Threat landscape and Security Intelligence v. Michael Andersson
PCTY 2012, Threat landscape and Security Intelligence v. Michael AnderssonPCTY 2012, Threat landscape and Security Intelligence v. Michael Andersson
PCTY 2012, Threat landscape and Security Intelligence v. Michael AnderssonIBM Danmark
 
AWS Partner Presentation - TrendMicro - Securing your Journey to the Cloud, A...
AWS Partner Presentation - TrendMicro - Securing your Journey to the Cloud, A...AWS Partner Presentation - TrendMicro - Securing your Journey to the Cloud, A...
AWS Partner Presentation - TrendMicro - Securing your Journey to the Cloud, A...Amazon Web Services
 
Ixia anue maximum roi from your existing toolsets
Ixia anue   maximum roi from your existing toolsetsIxia anue   maximum roi from your existing toolsets
Ixia anue maximum roi from your existing toolsetsresponsedatacomms
 
Ixia anue maximum roi from your existing toolsets
Ixia anue   maximum roi from your existing toolsetsIxia anue   maximum roi from your existing toolsets
Ixia anue maximum roi from your existing toolsetsresponsedatacomms
 
Trend micro - Your journey to the cloud, where are you
Trend micro - Your journey to the cloud, where are youTrend micro - Your journey to the cloud, where are you
Trend micro - Your journey to the cloud, where are youGlobal Business Events
 
F5 Networks: architecture and risk management
F5 Networks: architecture and risk managementF5 Networks: architecture and risk management
F5 Networks: architecture and risk managementAEC Networks
 
F5's IP Intelligence Service
F5's IP Intelligence ServiceF5's IP Intelligence Service
F5's IP Intelligence ServiceF5 Networks
 
BIG-IP Data Center Firewall Solution
BIG-IP Data Center Firewall SolutionBIG-IP Data Center Firewall Solution
BIG-IP Data Center Firewall SolutionF5 Networks
 
Bulding Soc In Changing Threat Landscapefinal
Bulding Soc In Changing Threat LandscapefinalBulding Soc In Changing Threat Landscapefinal
Bulding Soc In Changing Threat LandscapefinalMahmoud Yassin
 
McAffee_Security and System Integrity in Embedded Devices
McAffee_Security and System Integrity in Embedded DevicesMcAffee_Security and System Integrity in Embedded Devices
McAffee_Security and System Integrity in Embedded DevicesIşınsu Akçetin
 
Information Security
Information SecurityInformation Security
Information SecurityMohit8780
 

Similar to S series presentation (20)

F5 - BigIP ASM introduction
F5 - BigIP ASM introductionF5 - BigIP ASM introduction
F5 - BigIP ASM introduction
 
2012 Data Center Security
2012 Data Center Security2012 Data Center Security
2012 Data Center Security
 
Bapinger Network Security
Bapinger Network SecurityBapinger Network Security
Bapinger Network Security
 
Cloud Security: Perception Vs. Reality
Cloud Security: Perception Vs. RealityCloud Security: Perception Vs. Reality
Cloud Security: Perception Vs. Reality
 
Refense Security Risk Briefing July 2009
Refense   Security Risk Briefing   July 2009Refense   Security Risk Briefing   July 2009
Refense Security Risk Briefing July 2009
 
Monetizing the Enterprise: Borderless Networks
Monetizing the Enterprise: Borderless NetworksMonetizing the Enterprise: Borderless Networks
Monetizing the Enterprise: Borderless Networks
 
PCTY 2012, Threat landscape and Security Intelligence v. Michael Andersson
PCTY 2012, Threat landscape and Security Intelligence v. Michael AnderssonPCTY 2012, Threat landscape and Security Intelligence v. Michael Andersson
PCTY 2012, Threat landscape and Security Intelligence v. Michael Andersson
 
AWS Partner Presentation - TrendMicro - Securing your Journey to the Cloud, A...
AWS Partner Presentation - TrendMicro - Securing your Journey to the Cloud, A...AWS Partner Presentation - TrendMicro - Securing your Journey to the Cloud, A...
AWS Partner Presentation - TrendMicro - Securing your Journey to the Cloud, A...
 
Ixia anue maximum roi from your existing toolsets
Ixia anue   maximum roi from your existing toolsetsIxia anue   maximum roi from your existing toolsets
Ixia anue maximum roi from your existing toolsets
 
Ixia anue maximum roi from your existing toolsets
Ixia anue   maximum roi from your existing toolsetsIxia anue   maximum roi from your existing toolsets
Ixia anue maximum roi from your existing toolsets
 
Trend micro - Your journey to the cloud, where are you
Trend micro - Your journey to the cloud, where are youTrend micro - Your journey to the cloud, where are you
Trend micro - Your journey to the cloud, where are you
 
F5 Networks: architecture and risk management
F5 Networks: architecture and risk managementF5 Networks: architecture and risk management
F5 Networks: architecture and risk management
 
Nebezpecny Internet Novejsi Verze
Nebezpecny Internet Novejsi VerzeNebezpecny Internet Novejsi Verze
Nebezpecny Internet Novejsi Verze
 
Enterprise API Security & Data Loss Prevention - Intel
Enterprise API Security & Data Loss Prevention - IntelEnterprise API Security & Data Loss Prevention - Intel
Enterprise API Security & Data Loss Prevention - Intel
 
F5's IP Intelligence Service
F5's IP Intelligence ServiceF5's IP Intelligence Service
F5's IP Intelligence Service
 
BIG-IP Data Center Firewall Solution
BIG-IP Data Center Firewall SolutionBIG-IP Data Center Firewall Solution
BIG-IP Data Center Firewall Solution
 
Bulding Soc In Changing Threat Landscapefinal
Bulding Soc In Changing Threat LandscapefinalBulding Soc In Changing Threat Landscapefinal
Bulding Soc In Changing Threat Landscapefinal
 
McAffee_Security and System Integrity in Embedded Devices
McAffee_Security and System Integrity in Embedded DevicesMcAffee_Security and System Integrity in Embedded Devices
McAffee_Security and System Integrity in Embedded Devices
 
Information Security
Information SecurityInformation Security
Information Security
 
VSD Infotech
VSD InfotechVSD Infotech
VSD Infotech
 

S series presentation

  • 1. HP TIPPINGPOINT IPS AND VIRTUALIZATION SECURITY FOR THE DATA CENTER. Sean Ennis, Solutions Architect (HP TippingPoint) – Canada. ©2009 HP Confidential template rev. 12.10.09
  • 2. AGENDA – Modern Threat Landscape – IPS Platform – Secure Virtualization Framework – Q&A
  • 3. DATA CENTER TRENDS: Connect Everyone to Everything, Do More With Less. Past compared with Present & Future:
      – Efficiency Drives Consolidation: from Dispersed, Physical to Virtualization, Blades, Increased Bandwidth
      – New Apps, Protocols & Traffic: from Legacy, Client Server, IPv4, Data to Legacy + Web, IPv4 + IPv6, Data + Voice + Video
      – Threat Landscape Change: from Worms, Viruses, Trojans, DDoS to Sophisticated Targeted Attacks, Re-Perimeterization
  • 4. MODERN ATTACK LANDSCAPE: APPLICATIONS ARE THE PRIMARY TARGETS. Network / Server Downtime Attacks (2002-2004); Social Engineering Attacks (2004-2007); Enterprise and Web Application Attacks (2007-2010+). [diagram labels: Worm, Virus, Trojan, Social Media, PHP File Include, Botnet, Malware, Spyware, Application Exploits, P2P, DDoS, O/S Specific Attacks, SQL Injection, XSS, Whaling, Phishing; Individual Online Credit Corporate Corporate Email Customer Account Click Card Confidential Ransom Spamming Details Credentials Fraud Database Information]
  • 5. WHAT ABOUT THE FIREWALL? In simplest form… • Separates distinct security zones • Designed to block or allow traffic based on a set of rules • Rejects all unauthorized ports/protocols at the edge of a security zone • Very good at ensuring network resources (servers, clients, etc.) only see required traffic • Can also be generally responsible for VPN, NAT, redirection, proxying, etc.
  • 6. WHAT ABOUT THE FIREWALL? …Browser exploits …Drive-by DL …Adobe exploits SQL Injection … DDoS Spyware PHP File Include XSS … In simplest form… • Separates distinct security zones • Designed to block or allow traffic based on a set of rules • Rejects all unauthorized ports/protocols at the edge of a security zone • Very good at ensuring network resources (servers, clients, etc.) only see required traffic • Can also be generally responsible for VPN, NAT, redirection, proxying, etc.
  • 7. IPS PLATFORM INTRODUCTION. IPS Platform: Designed for future security demands and services. [diagram: Security Management System; IPS Platform; Unknown Traffic Goes In, Clean Traffic Comes Out]
      – Proactive: In-line reliability; In-line performance (throughput/latency); Filter accuracy
      – Security: Leading security research; Fastest coverage; Broadest coverage
      – Costs: Quick to deploy; Automated threat blocking; Easy to manage
  • 8. HP TIPPINGPOINT S-SERIES PRODUCTS
      – IPS Platform (ROBO, Perimeter, Zone isolation, MSPs…): TippingPoint S10 (20Mbps • 2 Segments); TippingPoint S110 (100Mbps • 4 Segments); TippingPoint S330 (300Mbps • 4 Segments)
      – IPS Platform (10GE Networks, Core, Data Center, Service Providers…): TippingPoint S660N (750Mbps • 10 Segments); TippingPoint S1400N (1.5Gbps • 10 Segments); TippingPoint S2500N (3Gbps • 11 Segments); TippingPoint S5100N (5Gbps • 11 Segments)
      – Solutions (Management, Accessories): Core Controller (20Gbps • 3x10GbE); Security Management System (SMS) (Manage Multiple Units • Central Dashboard); SSL Appliance S1500 (Transparent SSL Bridging and Off-Loading); vController and VMC (Virtual Data Center Security & Visibility)
      – Security Intelligence (DVLabs Services): Digital Vaccine (Broadest Coverage • Evergreen Protection); Web App DV and Scanning (Web Scan • Custom Filters • PCI Report); ThreatLinQ (Real Time Threat Intelligence); Reputation DV (IP Reputation • DNS Reputation)
  • 9. TECHNICAL SPECIFICATION - N-PLATFORM SENSORS (values listed in the order TippingPoint 660N / 1400N / 2500N / 5100N)
      – Network Throughput: 750 Mbps / 1.5 Gbps / 15 Gbps / 15 Gbps
      – Inspection Throughput: 750 Mbps / 1.5 Gbps / 3 Gbps / 5 Gbps
      – Typical Latency: < 80 microseconds / < 80 microseconds / < 80 microseconds / < 80 microseconds
      – Concurrent Network Sessions: 6,500,000 / 6,500,000 / 10,000,000 / 10,000,000
      – Security Contexts: 1,200,000 / 1,200,000 / 2,600,000 / 2,600,000
      – Connections/Sec: 115,000 / 115,000 / 230,000 / 230,000
      – Interfaces (660N and 1400N): 10 x 1GbE Copper; 10 x 1GbE SFP; 10 Total Segments; External ZPHA
      – Interfaces (2500N and 5100N): 1 x 10GbE XFP; Internal ZPHA (10GbE); 10 x 1GbE Copper; 10 x 1GbE SFP; 10 Total Segments; External ZPHA
      – Power: AC only / AC only / AC or DC / AC or DC
  • 10. TSE: Threat Suppression Engine. [diagram labels: Thread, Thread, Thread; Tier 3,4; Tier 2; Load Balancer, Traffic Management (FW), Bypass; Tier 1]
  • 11. HP TIPPINGPOINT 1200N EMBEDDED IPS PLATFORM – TippingPoint IPS module brings industry leading IPS, including Digital Vaccine and Reputation DV service to any A7500 series switch – 1.3 Gbps aggregate inspection throughput across 2 x 1Gb copper or 1 x 10Gb backplane interface – A unified network and security management framework based on TippingPoint’s Security Management System (SMS) integrated and HP’s Intelligent Management Center (IMC). [figure labels: HP A7500 Switch Series; HP TippingPoint 1200N IPS]
  • 12. CORE CONTROLLER FOR 10GBE. Core Controller Model Provides: • Three 10GbE segments • High Availability – Reliability and Redundancy • High Performance with Low Latency – 10Gbps inspection across IPSs • 20Gbps aggregate inspection throughput • Ease of Management and Low TCO – Low cost of entry and pay-as-you-grow design • Scalability – Expand IPS capacity to meet high bandwidth demands • 24x iLink segments - Interconnects to IPSs - 48 1Gbps ports • Smart ZPHA modules (Optional) • Zero Power High Availability – bypass • Dual hot-swappable power supplies • System health and status panel
  • 13. 1500S – SSL INSPECTION. High-performance, transparent SSL off-loading and bridging for IPS traffic inspection. [diagram labels: SSL Appliance; Clean Encrypted Traffic OR Dirty Encrypted Traffic; IPS Platform; Clean Un-Encrypted Traffic] Key Benefits: • Increased Web server and application security • Virtually no traffic bottlenecks or application performance penalty • Carrier-class reliability delivers high-availability / up-time • Contributes to regulatory compliance efforts • Reduced server utilization in off-loading configuration
  • 14. LEADING SECURITY RESEARCH – DVLABS. IPS Platform is Only as Good as its Security Intelligence. Leading security research and filter development with 30+ Dedicated Researchers. [diagram labels: 1,400+ Independent Researchers; DV Labs Research & QA; TippingPoint IPS Platform; 2,000+ Customers Participating; Partners: SANS, CERT, NIST, etc., Software & Reputation Vendors] DVLabs Services: › Digital Vaccine › App DV › Web App DV › ThreatLinQ › Reputation DV › Lighthouse Program › Custom DV
  • 15. PROVEN IN-LINE FILTER ACCURACY: UNMATCHED ACCURACY FROM DVLABS AND DIGITAL VACCINE (September 22, 2010). Term and Definition:
      – Vulnerability: Security flaw in a software program
      – Exploit: Attack on a vulnerability to: • Gain unauthorized access • Create a denial of service
      – Exploit Filter: Stops a single exploit • Easy to produce • Typically produced due to IPS engine performance limitations • Results in missed attacks and false positives
      – Vulnerability Filter: Stops all exploits attacking the vulnerability
      [diagram labels: Vulnerability; False Positives (coarse filter); Exploit A; Exploit B (missed by Exploit Filter A); Standard IPS Exploit Filter for Exploit A]
      TippingPoint’s vulnerability filter acts like a Virtual Software Patch, eliminating false positives
  • 16. REPUTATION DIGITAL VACCINE: Keep the bad guys and the botnets off your network. [diagram labels: Access Switch; IPS Platform; Internet]
      – Reputation Database: IPv4 & IPv6 Address; Geography; DNS Names; Merge with your data
      – BLOCK OUTBOUND TRAFFIC: Botnet Trojan downloads; Malware, spyware, & worm downloads; Access to botnet CnC sites; Access to phishing sites
      – BLOCK INBOUND TRAFFIC: Spam and phishing emails; DDoS attacks from botnet hosts; Web App attacks from botnet hosts
      – Botnets Currently Being Tracked: Conficker, ZeuS, Kraken, Srizbi, Torpig, Storm, Asprox, Gumblar, Koobface, Mariposa, Dark Energy
  • 17. 2010: DATA CENTER VIRTUALIZATION REACHES THE TIPPING POINT. Leading in Times of Transition: the 2010 CIO Agenda. Survey of 1,586 CIOs: • Virtualization becomes… #1 Technology Priority in 2010 • Displaces Business Intelligence which held top position for the last 5 yrs! [chart labels: ~ 58 million deployed x86 machines; 16%; 50%; 2010, 2011, 2012] Source: Gartner Says 16% of Workloads are Running in Virtual Machines Today. Will grow to 50% by 2012 (October 2009)
  • 18. BUT WHAT ABOUT SECURITY? “60 Percent of Virtualized Servers Will Be Less Secure than the Physical Servers They Replace Through 2012” I. Information Security Isn't Initially Involved in the Virtualization Projects II. A Compromise of the Virtualization Layer Could Result in the Compromise of All Hosted Workloads III. Workloads of Different Trust Levels Are Consolidated onto a Single Physical Server Without Sufficient Separation IV. Adequate Controls on Administrative Access to the Hypervisor/VMM Layer and to Administrative Tools are Lacking V. There Is a Potential Loss of SOD for Network and Security Controls ... (SOD: Separation Of Duties) Source: MacDonald, Neil. Addressing the Most Common Security Risks in Data Center Virtualization Projects, Gartner, Inc. January 25, 2010
  • 19. SECURE VIRTUALIZATION FRAMEWORK: VIRTUALIZATION VISIBILITY GAPS. [diagram labels: APPLICATION VMs (App/OS); VMsafe Kernel Module; Virtual Switch; HYPERVISOR; ESX Host; ESX Host; IPS; Core]
      – (1) Host to Host: IPS inspection on each uplink is expensive/unmanageable
      – (2) VM to VM: No way to insert physical IPS
      – (3) VM Mobility: What happens when a VM moves?
  • 20. SECURE VIRTUALIZATION FRAMEWORK: TIPPINGPOINT VCONTROLLER. • Utilizes same specialized hardware as physical network segments • Policy-based redirection ties IPS inspection to VMs • VMsafe kernel module integration provides deep insight into VM behavior, maintains low redirection latency (<80us) • Manage all virtual and physical networks with the same tools • VMC console provides full visibility into logical VM connectivity. [diagram labels: APPLICATION VMs (App/OS); vController; Redirection Policies; VMsafe; Virtual Switch; HYPERVISOR; ESX Host; Core; IPS] http://www.bestofinterop.com/winners/#security
  • 21. WHAT ABOUT VIRTUAL IPS? RESTRICTED SCALABILITY. • Can be effective in smaller environments • Cannot take advantage of specialized hardware • Shares resources with other VMs • Latency is typical due to lack of hardware acceleration • Difficult to establish performance baselines. [diagram labels: APPLICATION VMs (App/OS); vIPS; VMsafe Kernel Module; Virtual Switch; HYPERVISOR; ESX Host; IPS; Core]
  • 22. VISUALIZE YOUR VIRTUALIZATION: TIPPINGPOINT VIRTUALIZATION MANAGEMENT CENTER (VMC) – Empower network/security teams with real-time visibility into virtual environment – Integration with virtualization management – Topology mapping provides identification of virtual/physical network paths
  • 23. TIPPINGPOINT VMC: IT’S ALL ABOUT THE INSPECTION POLICIES – Assign policies by VM and/or zone, not location or network connection – Automate trust zone assignment for new or untrusted workloads – Ensure policies follow VM regardless of state (in motion, powered on, powered off) – Cloned VMs must automatically inherit parent policies
  • 24. SUMMARY: Securing The Next Generation Data Center. Column headings: Stop Threats Faster; Protects Highest Bandwidth Data Centers; Immediate, Always Up To Date Protection; Secure Virtualization Framework. • Proactive Security Model • Highest performance • Protects in Minutes • vController • Best Inline Enforcement • 20Mbps to 16Gbps • Automated DV Updates • Visibility and control • Broadest Security • Latency in Microseconds • Most Timely Protection • Leverage existing hardware investments • DVLabs Leading Security Research • Protects Layer 2-7 • Leading Zero-Day Protection • Inline or out-of-band deployment options • Intuitive management • No compromise to consolidation ratio • Zero-Day Initiative • Application Visibility • Deployment Options for Virtual Data Centers • Vulnerability Intelligence
  • 25. THANK YOU
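
The exploit-filter versus vulnerability-filter distinction on slide 15, as an added example (not from the deck and not TippingPoint's filter logic). The toy message framing, opcodes, buffer size and byte pattern are all constructed assumptions; the point is why a signature built from one exploit sample both misses a variant and fires on benign traffic, while a check on the triggering condition does neither.

```python
import struct

# Assumptions (constructed for illustration): a toy protocol framed as
# 1-byte opcode + 2-byte big-endian length + payload, and a service whose
# OP_SET_NAME handler copies the payload into a 64-byte buffer unchecked.
OP_SET_NAME = 0x10
OP_UPLOAD = 0x20
BUF_SIZE = 64

# Literal bytes lifted from one known exploit sample ("Exploit A"), constructed.
EXPLOIT_A_PATTERN = b"AAAA\xde\xad\xbe\xef"


def build(opcode: int, payload: bytes) -> bytes:
    """Frame a message for the toy protocol."""
    return struct.pack("!BH", opcode, len(payload)) + payload


def exploit_filter(msg: bytes) -> bool:
    """Exploit filter: matches the literal bytes of a single exploit."""
    return EXPLOIT_A_PATTERN in msg


def vulnerability_filter(msg: bytes) -> bool:
    """Vulnerability filter: matches the condition that triggers the flaw,
    i.e. an OP_SET_NAME message declaring more data than the buffer holds."""
    if len(msg) < 3:
        return False
    opcode, declared_len = struct.unpack("!BH", msg[:3])
    return opcode == OP_SET_NAME and declared_len > BUF_SIZE


# Constructed sample traffic: name -> (message bytes, is it an attack?)
SAMPLES = {
    "exploit_a": (build(OP_SET_NAME, b"A" * 72 + b"\xde\xad\xbe\xef"), True),
    "exploit_b": (build(OP_SET_NAME, b"B" * 72 + b"\xca\xfe\xba\xbe"), True),
    "benign_name": (build(OP_SET_NAME, b"alice"), False),
    # Harmless upload whose content happens to contain Exploit A's bytes.
    "benign_upload": (build(OP_UPLOAD, b"hdr:" + EXPLOIT_A_PATTERN), False),
}


def score(filter_fn) -> dict:
    """Return which attacks a filter missed and which benign messages it hit."""
    missed, false_positives = [], []
    for name, (msg, is_attack) in SAMPLES.items():
        hit = filter_fn(msg)
        if is_attack and not hit:
            missed.append(name)
        elif hit and not is_attack:
            false_positives.append(name)
    return {"missed": missed, "false_positives": false_positives}


if __name__ == "__main__":
    print("exploit filter:      ", score(exploit_filter))
    print("vulnerability filter:", score(vulnerability_filter))
```
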