3. DATA CENTER TRENDS
Connect Everyone to Everything. Do More With Less.

Past -> Present -> Future
Efficiency Drives: Dispersed, Physical -> Consolidation -> Virtualization, Blades, Increased Bandwidth
New Apps, Protocols & Traffic: Legacy, IPv4, Data -> Client Server, Legacy + Web -> IPv4 + IPv6, Data + Voice + Video
Threat Landscape Change: Worms, Viruses, Trojans -> DDoS Attacks -> Sophisticated Targeted Attacks, Re-Perimeterization
5. WHAT ABOUT THE FIREWALL?
In simplest form...
• Separates distinct security zones
• Designed to block or allow traffic based on a set of rules
• Rejects all unauthorized ports/protocols at the edge of a security zone
• Very good at ensuring network resources (servers, clients, etc.) only see required traffic
• Can also be generally responsible for VPN, NAT, redirection, proxying, etc.
6. WHAT ABOUT THE FIREWALL?
The same firewall, with the attacks it lets through overlaid: browser exploits, drive-by downloads, Adobe exploits, SQL injection, DDoS, spyware, PHP file include, XSS, ...
Every one of these rides over a port and protocol the rule set has to permit (HTTP, HTTPS, mail), so a port/protocol firewall passes them unchanged. The definition on slide 5 still holds; nothing in it says the firewall looks at what is inside the allowed traffic.
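Added example, not from the deck or any HP/TippingPoint code: a first-match port/protocol firewall at the Internet-to-DMZ zone edge. The rule set, addresses and requests are constructed. It shows the slide's point in code: the decision function never reads the payload, so an SQL injection request to port 80 gets exactly the same verdict as a benign page fetch, while an SSH attempt from the Internet is rejected.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port, None = any port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes         # on the wire, but never consulted by the firewall


# Constructed rule set for the Internet -> DMZ web tier boundary (192.0.2.0/24).
# As is usual at a zone edge, it ends with an explicit deny-all.
DMZ_EDGE_RULES = [
    Rule("allow", "0.0.0.0/0", "192.0.2.0/24", "tcp", 80),
    Rule("allow", "0.0.0.0/0", "192.0.2.0/24", "tcp", 443),
    Rule("allow", "10.0.0.0/8", "192.0.2.0/24", "tcp", 22),   # admin SSH from inside only
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any", None),
]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True when the packet's addresses, protocol and port fall inside the rule's selectors."""
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    return rule.dport is None or rule.dport == pkt.dport


def firewall_decision(rules, pkt: Packet) -> str:
    """First matching rule wins; no match at all is treated as deny.
    pkt.payload is deliberately never looked at: this is a port/protocol filter."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


# Constructed traffic. The two HTTP packets differ only in their payload.
BENIGN_HTTP = Packet("203.0.113.9", "192.0.2.10", "tcp", 80,
                     b"GET /index.html HTTP/1.1\r\nHost: shop\r\n\r\n")
SQLI_HTTP = Packet("203.0.113.9", "192.0.2.10", "tcp", 80,
                   b"GET /login?user=admin'%20OR%201=1-- HTTP/1.1\r\nHost: shop\r\n\r\n")
SSH_FROM_INTERNET = Packet("203.0.113.9", "192.0.2.10", "tcp", 22, b"SSH-2.0-OpenSSH\r\n")
SSH_FROM_INSIDE = Packet("10.1.2.3", "192.0.2.10", "tcp", 22, b"SSH-2.0-OpenSSH\r\n")


def decisions() -> dict:
    """Verdict for each sample packet."""
    return {
        "benign_http": firewall_decision(DMZ_EDGE_RULES, BENIGN_HTTP),
        "sqli_http": firewall_decision(DMZ_EDGE_RULES, SQLI_HTTP),
        "ssh_from_internet": firewall_decision(DMZ_EDGE_RULES, SSH_FROM_INTERNET),
        "ssh_from_inside": firewall_decision(DMZ_EDGE_RULES, SSH_FROM_INSIDE),
    }


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{name:18s} -> {verdict}")
```

The rule engine is correct as a zone separator: it keeps SSH off the DMZ from the outside. What it cannot do is tell the two port-80 requests apart, which is exactly the gap the slide is pointing at and the reason the deck moves on to in-line inspection.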
7. IPS PLATFORM INTRODUCTION
Unknown traffic goes in, clean traffic comes out. The IPS Platform sits in-line and is managed by the Security Management System (SMS).
Designed for future security demands and services:
Proactive
• In-line reliability
• In-line performance (throughput/latency)
• Filter accuracy
Security
• Leading security research
• Automated threat blocking
• Fastest coverage
• Broadest coverage
Costs
• Quick to deploy
• Easy to manage
11. HP TIPPINGPOINT 1200N EMBEDDED IPS PLATFORM
HP A7500 Switch Series with the HP TippingPoint 1200N IPS module
– TippingPoint IPS module brings industry leading IPS, including Digital Vaccine and Reputation DV service, to any A7500 series switch
– 1.3 Gbps aggregate inspection throughput across 2 x 1Gb copper or 1 x 10Gb backplane interface
– A unified network and security management framework based on TippingPoint's Security Management System (SMS) integrated with HP's Intelligent Management Center (IMC)
15. PROVEN IN-LINE FILTER ACCURACY
UNMATCHED ACCURACY FROM DVLABS AND DIGITAL VACCINE

Term: Definition
Vulnerability: Security flaw in a software program
Exploit: Attack on a vulnerability to gain unauthorized access or create a denial of service
Exploit Filter: Stops a single exploit. Easy to produce; typically produced due to IPS engine performance limitations; results in missed attacks and false positives
Vulnerability Filter: Stops all exploits attacking the vulnerability

Diagram: a standard IPS exploit filter written for Exploit A matches Exploit A, but as a coarse filter it also produces false positives, and it misses Exploit B, which attacks the same vulnerability with a different payload.
TippingPoint's vulnerability filter acts like a Virtual Software Patch, eliminating false positives.
September 22, 2010
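Added example, not from the deck or any DVLabs/Digital Vaccine code: the two filter styles from the table above, written against one constructed vulnerability. The vulnerable service, its 64-byte buffer, the "USER" command, the two exploit payloads and the benign requests are all assumptions made for illustration. The exploit filter is a cheap pattern lifted from the first exploit seen (Exploit A); the vulnerability filter checks the trigger condition of the bug itself, so it catches a second exploit (Exploit B) with a different payload and does not fire on legitimate traffic that merely resembles Exploit A.

```python
import re

# Assumed vulnerable service: the argument of a "USER <name>" command is copied
# into a 64-byte buffer without a bounds check. The vulnerability condition is
# therefore "argument longer than 64 bytes"; the payload itself can be anything.
MAX_NAME_LEN = 64

# Exploit filter, in the spirit of the slide's "coarse filter": a pattern taken
# from the first exploit observed ("Exploit A"), which padded its payload with "AAAA".
EXPLOIT_A_SIGNATURE = re.compile(rb"^USER .*AAAA", re.DOTALL)


def exploit_filter(packet: bytes) -> bool:
    """Exploit-specific filter: fires only on traffic that looks like Exploit A."""
    return EXPLOIT_A_SIGNATURE.search(packet) is not None


def vulnerability_filter(packet: bytes) -> bool:
    """Vulnerability filter: fires on any request that satisfies the bug's
    trigger condition, regardless of what the payload looks like."""
    if not packet.startswith(b"USER "):
        return False
    argument = packet[len(b"USER "):].split(b"\r\n", 1)[0]
    return len(argument) > MAX_NAME_LEN


# Constructed traffic samples: (label, packet, actually_malicious).
SAMPLES = [
    ("exploit A", b"USER " + b"\x90" * 40 + b"\xcc" * 32 + b"AAAA\r\n", True),
    ("exploit B", b"USER " + b"\xde\xad\xbe\xef" * 25 + b"\r\n", True),   # same bug, new payload
    ("benign login", b"USER alice\r\n", False),
    ("benign, looks like A", b"USER QA-AAAA-01\r\n", False),          # short, harmless, matches pattern
]


def score(filter_fn) -> dict:
    """Count correct blocks, missed attacks and false positives for one filter."""
    result = {"blocked": 0, "missed": 0, "false_positives": 0}
    for _label, packet, malicious in SAMPLES:
        verdict = filter_fn(packet)
        if malicious and verdict:
            result["blocked"] += 1
        elif malicious and not verdict:
            result["missed"] += 1
        elif not malicious and verdict:
            result["false_positives"] += 1
    return result


if __name__ == "__main__":
    for name, fn in (("exploit filter", exploit_filter),
                     ("vulnerability filter", vulnerability_filter)):
        print(f"{name:22s} {score(fn)}")
```

Against these four packets the exploit filter blocks one attack, misses one and raises one false positive; the vulnerability filter blocks both attacks with none. The caveat a practitioner should keep in mind is that the second filter is only as good as the analyst's understanding of the trigger condition, which is why the slide ties accuracy to the research team rather than to the engine.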
16. REPUTATION DIGITAL VACCINE
Keep the bad guys and the botnets off your network
Reputation Database
• IPv4 & IPv6 Address
• DNS Names
• Geography
• Merge with your data
Deployment: Internet -> IPS Platform -> Access Switch
BLOCK OUTBOUND TRAFFIC
• Botnet Trojan downloads
• Malware, spyware, & worm downloads
• Access to botnet CnC sites
• Access to phishing sites
BLOCK INBOUND TRAFFIC
• Spam and phishing emails
• DDoS attacks from botnet hosts
• Web App attacks from botnet hosts
Botnets Currently Being Tracked:
Conficker, ZeuS, Kraken, Srizbi, Torpia, Storm, Asprox, Gumblar, Koobface, Mariposa, Dark Energy
17. 2010: DATA CENTER VIRTUALIZATION REACHES THE TIPPING POINT
Leading in Times of Transition: the 2010 CIO Agenda
Survey of 1,586 CIOs:
• Virtualization becomes the #1 Technology Priority in 2010
• Displaces Business Intelligence, which held the top position for the last 5 years!
Chart (2010, 2011, 2012): ~58 million deployed x86 machines; 16% of workloads running in virtual machines as of October 2009, growing to 50% by 2012.
Source: Gartner Says 16% of Workloads are Running in Virtual Machines Today. Will grow to 50% by 2012 (October 2009)
18. BUT WHAT ABOUT SECURITY?
"60 Percent of Virtualized Servers Will Be Less Secure than the Physical Servers They Replace Through 2012"
I. Information Security Isn't Initially Involved in the Virtualization Projects
II. A Compromise of the Virtualization Layer Could Result in the Compromise of All Hosted Workloads
III. Workloads of Different Trust Levels Are Consolidated onto a Single Physical Server Without Sufficient Separation
IV. Adequate Controls on Administrative Access to the Hypervisor/VMM Layer and to Administrative Tools are Lacking
V. There Is a Potential Loss of SOD (Separation Of Duties) for Network and Security Controls
...
Source: MacDonald, Neal. Addressing the Most Common Security Risks in Data Center Virtualization Projects, Gartner, Inc. January 25, 2010
19. SECURE VIRTUALIZATION FRAMEWORK
VIRTUALIZATION VISIBILITY GAPS
Diagram: two ESX hosts, each running application VMs (App/OS) above a VMsafe kernel module and virtual switch on the hypervisor, uplinked to the core through a physical IPS. Three places the IPS cannot see:
(1) Host to Host: IPS inspection on each uplink is expensive/unmanageable
(2) VM to VM: No way to insert a physical IPS
(3) VM Mobility: What happens when a VM moves?
20. SECURE VIRTUALIZATION FRAMEWORK
TIPPINGPOINT VCONTROLLER
Diagram: three ESX hosts, each running application VMs (App/OS) above a vController with redirection policies and a VMsafe kernel module on the virtual switch/hypervisor; selected VM traffic is redirected to the physical IPS at the core.
• Utilizes same specialized hardware as physical network segments
• Policy-based redirection ties IPS inspection to VMs
• VMsafe kernel module integration provides deep insight into VM behavior
• Maintains low redirection latency (<80us)
• Manage all virtual and physical networks with the same tools
• VMC console provides full visibility into logical VM connectivity
http://www.bestofinterop.com/winners/#security
21. WHAT ABOUT VIRTUAL IPS?
RESTRICTED SCALABILITY
Diagram: a vIPS virtual appliance running alongside the application VMs on the same ESX host (VMsafe kernel module, virtual switch, hypervisor), with the physical IPS at the core.
• Can be effective in smaller environments
• Cannot take advantage of specialized hardware
• Shares resources with other VMs
• Latency is typical due to lack of hardware acceleration
• Difficult to establish performance baselines
22. VISUALIZE YOUR VIRTUALIZATION
TIPPINGPOINT VIRTUALIZATION MANAGEMENT CENTER (VMC)
• Empower network/security teams with real-time visibility into the virtual environment
• Integration with virtualization management
• Topology mapping provides identification of virtual/physical network paths
23. TIPPINGPOINT VMC
IT'S ALL ABOUT THE INSPECTION POLICIES
• Assign policies by VM and/or zone, not location or network connection
• Automate trust zone assignment for new or untrusted workloads
• Ensure policies follow the VM regardless of state (in motion, powered on, powered off)
• Cloned VMs must automatically inherit parent policies
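Added example, not VMC or any HP/TippingPoint code: a policy resolver that implements the four rules above. Policies are keyed by VM identity and trust zone, a VM with no zone is placed in a quarantine zone automatically, resolution is unaffected by migration or power state, and a clone walks up to its parent's explicit profile. The zone names, profile names, VM identifiers and the location-keyed table used for contrast are all constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class VM:
    uuid: str
    zone: Optional[str]                 # trust zone; None for a new, unclassified workload
    host: str                           # ESX host currently holding the VM
    state: str = "on"                   # "on", "off" or "migrating"
    parent_uuid: Optional[str] = None   # set when this VM was cloned
    profile: Optional[str] = None       # explicit per-VM inspection profile, if any


# Constructed zone -> inspection profile mapping.
ZONE_PROFILES = {"dmz": "web-strict", "internal": "app-default", "untrusted": "quarantine"}
DEFAULT_ZONE = "untrusted"              # new or unclassified workloads start here


class PolicyEngine:
    def __init__(self) -> None:
        self.vms = {}

    def register(self, vm: VM) -> None:
        if vm.zone is None:
            vm.zone = DEFAULT_ZONE      # automated trust-zone assignment
        self.vms[vm.uuid] = vm

    def resolve(self, uuid: str) -> Tuple[str, str]:
        """Return (profile, source). Precedence: the VM's own explicit profile,
        then the nearest ancestor's explicit profile (clone inheritance),
        then the profile of the VM's trust zone. Host and state play no part."""
        vm = self.vms[uuid]
        cursor = vm
        while cursor is not None:
            if cursor.profile:
                origin = "vm" if cursor is vm else f"inherited:{cursor.uuid}"
                return cursor.profile, origin
            cursor = self.vms.get(cursor.parent_uuid) if cursor.parent_uuid else None
        return ZONE_PROFILES[vm.zone], f"zone:{vm.zone}"

    def migrate(self, uuid: str, new_host: str) -> None:
        vm = self.vms[uuid]
        vm.state = "migrating"
        vm.host = new_host
        vm.state = "on"

    def power_off(self, uuid: str) -> None:
        self.vms[uuid].state = "off"

    def clone(self, parent_uuid: str, new_uuid: str) -> VM:
        parent = self.vms[parent_uuid]
        child = VM(new_uuid, parent.zone, parent.host, parent_uuid=parent_uuid)
        self.register(child)
        return child


def location_lookup(table: dict, host: str, port: str) -> Optional[str]:
    """The approach the slide argues against: policy keyed by (host, vswitch port).
    It has no way to follow a VM that moves."""
    return table.get((host, port))


def scenario() -> dict:
    engine = PolicyEngine()
    engine.register(VM("web-01", "dmz", "esx-a", profile="web-strict-pci"))
    engine.register(VM("app-01", "internal", "esx-a"))
    engine.register(VM("new-01", None, "esx-b"))          # unclassified workload
    engine.clone("web-01", "web-02")
    engine.migrate("web-01", "esx-b")
    engine.power_off("app-01")
    location_table = {("esx-a", "vnic0"): "web-strict-pci"}   # where web-01 used to be
    return {
        "web-01 after migration": engine.resolve("web-01"),
        "web-02 clone": engine.resolve("web-02"),
        "app-01 powered off": engine.resolve("app-01"),
        "new-01 unclassified": engine.resolve("new-01"),
        "location table after migration": location_lookup(location_table, "esx-b", "vnic0"),
    }


if __name__ == "__main__":
    for label, outcome in scenario().items():
        print(f"{label:32s} -> {outcome}")
```

The last entry is the failure mode the slide warns about: once web-01 has moved to esx-b, a table keyed by host and port returns nothing, while the identity-keyed resolver still returns the PCI profile. Note also that the clone inherits the parent's explicit profile rather than just the zone default, which is the stricter of the two here.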
24. SUMMARY
Securing The Next Generation Data Center
Stop Threats Faster
• Proactive Security Model
• Best Inline Enforcement
• Broadest Security
• DVLabs Leading Security Research
• Zero-Day Initiative
• Application Visibility
• Vulnerability Intelligence
Protects Highest Bandwidth Data Centers
• Highest performance
• 20Mbps to 16Gbps
• Latency in Microseconds
• Protects Layer 2-7
• Inline or out-of-band deployment options
Immediate, Always Up To Date Protection
• Protects in Minutes
• Automated DV Updates
• Most Timely Protection
• Leading Zero-Day Protection
• Intuitive management
Secure Virtualization Framework
• vController
• Visibility and control
• Leverage existing hardware investments
• No compromise to consolidation ratio
• Deployment Options for Virtual Data Centers