Campus jueves

  • Slide 1: Hello, my name is ________________ and I am ___________________ for HP Networking's security business unit. Today I'd like to talk to you about HP TippingPoint's new Virtual Controller plus Virtual Firewall and our Virtual Management Center.
  • Slide 2: Specifically, I'll go through: the data center virtualization trends that we see; the challenges enterprise organizations face due to virtualization; HP TippingPoint's Secure Virtualization Framework; and our new Virtual Controller plus Virtual Firewall and Virtual Management Center products.
  • Slide 3: So first let's look at today's data center virtualization trends.
  • Slide 4: First let's look at the increased IT focus on data center virtualization. Gartner conducted a CIO survey in early 2010 and found that the #1 technology priority for CIOs is data center virtualization. This is a huge change given that virtualization wasn't even on the list 2 years previously, and it has displaced business intelligence, which held the top spot for the last 5 years. But it's not just the security of virtualization that CIOs are concerned about. They are interested in the business benefits of virtualization, ensuring their existing processes and procedures work with a virtualized environment, ensuring they are properly securing these virtual environments, and that they are maintaining the necessary separation of duties within IT. Second, in late 2009 Gartner estimated that 50% of enterprise workloads would be running on virtualized infrastructure by the end of 2012. This is again a huge increase from the 16% that were running on virtualized infrastructure at the beginning of 2010.
  • Slide 5: Next, let's look at how enterprise data centers are changing. In the past, enterprises built out data centers in an effort to connect everyone in the organization to the applications and data they required. But in most companies the result was a dispersed data center infrastructure. Now the need to reduce costs and improve data center efficiency is driving a physical consolidation of the data center. Companies are simply trying to do more with less. And tools like virtualization software and higher density blade servers are helping to drive this consolidation. All of this is resulting in higher bandwidth in these data centers. [Build 1] In addition, new applications, new protocols and new traffic types are all appearing in the data center. An increase in web applications, voice and video traffic and even IPv6 protocols are changing the data center environment from a security perspective. [Build 2] Finally, the threat landscape outside the data center is changing. Threats are now more sophisticated, targeted and mostly financially motivated. Because of this, companies no longer rely on a single security perimeter around the enterprise network. Companies are now building separate security perimeters around individual assets in the network, like the data center. This is a trend often referred to as re-perimeterization.
  • Slide 6: Now let's look at what it takes to actually secure the data center and protect the entire attack surface of the data center. There are several components in today's data center attack surface, each of which has vulnerabilities that we must protect. We have to prevent attacks on: network device vulnerabilities; vulnerabilities in operating systems running within the data center; vulnerabilities in enterprise applications running within the data center; and even vulnerabilities in web applications running within the data center. Fortunately, this is exactly what the Intrusion Prevention System, or IPS, is designed to accomplish. [Build 1] In fact, most people don't even realize that the HP TippingPoint IPS can be used to protect against web application vulnerabilities. [Build 2] Finally, when combined with vulnerability scanners, customers can scan the entire data center attack surface, identify all of the vulnerabilities that exist, and then ensure that the IPS protection profiles are configured to protect those vulnerabilities. So at the end of the day, the IPS is the best way to protect the entire data center attack surface.
  • Slide 7: Now let's look at the security challenges posed by the implementation of virtualization in the data center.
  • Slide 8: There are several areas that security professionals are concerned about when it comes to securing the data center, and specifically virtualized data center infrastructure. First is the introduction of the hypervisor into the data center. The hypervisor becomes a mission critical component in the data center and is now also a new part of the data center attack surface that we must protect. Second, companies need to be able to inspect traffic moving between one physical host and another to prevent one compromised host from attacking another. Third, we must also be able to inspect traffic moving from one virtual machine, or VM, to another VM, even if the VMs are on the same virtualized host. And fourth, virtualization makes it very easy for a VM and its applications to move from one physical host to another within the data center. So we have to ensure that the security posture for that VM stays the same no matter where the VM moves within the data center.
  • Slide 9: Now let's look at the HP TippingPoint Secure Virtualization Framework and how we address these virtualization challenges.
  • Slide 10: HP TippingPoint introduced the Secure Virtualization Framework in the spring of 2010. It is a combination of products designed to secure the entire data center, including virtualized data center infrastructure, and it consists of 3 different products: the physical IPS platform, shown here hung off the core switch; the Virtual Controller plus Virtual Firewall, or vController+vFW, shown here installed on a virtualized host; and the Virtual Management Center, or vMC, shown here installed on a virtualized host on the management network. The one point I want to make about the Secure Virtualization Framework, and I will emphasize this point in several places during this presentation, is that it is all about giving our customers a "Single Security Model for Securing Both the Physical and Virtualized Data Center". So let's now look at the Secure Virtualization Framework in more detail.
  • Slide 11: So the first thing we do is install the HP TippingPoint IPS at the perimeter of the data center, as shown here. Not the perimeter of the network, but the perimeter of the data center, isolating the data center from the rest of the network and the outside world. What we're showing here is the IPS installed at the perimeter of a simple data center with both physical hosts and virtualized hosts, a top of rack switch and a core switch, which could also be a distribution switch. This gives us the ability to inspect all traffic moving into and out of the data center, effectively segmenting the data center from the rest of the network. This is also where we protect the entire data center attack surface that we discussed earlier from outside attacks, including attacks on vulnerabilities in the virtualization software or hypervisor and even virtual desktop infrastructure. This is also where our Virtual Patching concept comes in. HP TippingPoint has always been focused on providing vulnerability filters in our IPS to prevent attacks on entire vulnerabilities as opposed to individual exploits, so once you enable our vulnerability filters on the IPS it is like having all of the systems in the data center fully patched against the latest vulnerabilities, or in essence having a "Virtual Patch" in place. In fact, in many cases we have protection for undisclosed vulnerabilities well before the software vendor discloses the vulnerability or makes a patch available to the public. So with this step we have a single set of security policies at the perimeter protecting both the physical and virtual data center assets.
  • Slide 12: Next we need to visualize, or discover, the entire virtualized infrastructure and deploy the vController+vFW on each of the discovered virtualized hosts. [Build 1] The first step is the simple installation of the Virtual Management Center, or vMC, on a stand-alone server or virtual machine. In fact, it can be installed in a VM on the same server hosting VMware's vCenter. Once vMC is installed on the management network it communicates with VMware vCenter, which is the VMware management console. [Build 2] At that point the vMC is able to auto-discover the entire virtualized data center, providing real-time visibility of every virtualized host and every virtual machine on each host. In addition, it provides a logical overview of the network topology showing how all of the virtual machines are interconnected in the data center. This allows customers to get their hands around the entire virtual data center so they can easily start to visualize and control VM sprawl, and can identify misconfigurations in the virtual network as well. [Build 3] Once vMC identifies all of the virtualized hosts, it can be used to auto-deploy a vController+vFW installation on each of the virtualized hosts. There is a single instance of vController installed on each virtualized host regardless of how many virtual machines are running on that host.
  • Slide 13: Now at this point we have all the pieces of the Secure Virtualization Framework in place. In the graphic here on the right, you can see the physical IPS installed at the perimeter, the vMC installed on the management network, and the vController+vFW installed in the Service VM on this exploded view of one of the virtualized hosts in the data center. Again, there is only a single installation of vController+vFW on each virtualized host. It is installed in the Service VM and plugs into the VMware hypervisor via the VMware VMsafe API. Once in place, the vController+vFW essentially introduces a "firewall-like policy" into the hypervisor. Basically, vController+vFW can see all traffic coming from any of the application VMs on the virtualized host and allows us to apply a policy that does 3 things. First, is the traffic permitted or not? If it is permitted, the traffic is allowed to pass. Second, if the traffic is not permitted, we can block it outright at the hypervisor level with the vFW capability. And third, if the traffic is permitted, should it be inspected? If we want to inspect the traffic, the vController redirects it via a dedicated VLAN to the physical IPS for inspection. The IPS inspects the traffic, blocks any malicious content, and then passes the inspected traffic back to the vController via a dedicated VLAN, where vController directs the traffic to its original destination. So now we can completely enforce our security policies in both the physical and virtual data center. This includes the ability to inspect: traffic coming into and going out of the data center at the perimeter; traffic between physical hosts in the data center; traffic between physical hosts and VMs; and even traffic between two VMs on the same virtualized host.
    And because every vController+vFW in the data center has all of our security redirection policies, we have the same security posture in place for each VM or application no matter where it moves in the data center. We now have a single set of security policies for the entire data center, including the ability to enforce those policies in both the physical and virtual data center.
  • Slide 14: The components of our Secure Virtualization Framework are VMware certified per the VMware Ready program. First, the vController+vFW is fully integrated with the VMware hypervisor via the VMsafe API. Second, the vMC is fully integrated with the VMware management console, vCenter. I should however mention that currently our solution is only compatible with the VMware virtualization solution, and not with Microsoft's Hyper-V or with Citrix solutions.
  • Slide 15: So in conclusion, the Secure Virtualization Framework gives us the ability to deliver a single security model for the physical and virtual data center. We can use our physical IPS platform to segment different physical trust zones in the network. For example, companies may want to require inspection for all traffic between their R&D applications and their Finance applications. This is easily accomplished by routing the traffic through the physical IPS platform. But now, we can enforce the same security policies in the virtualized data center. We can completely segment or enforce inspection between the R&D applications and Finance applications even when those applications are running on VMs on the same virtualized host.
  • Slide 16: Thank you for your time today. May I answer any questions you have?
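The three-way decision described in the slide 13 notes (is the flow permitted; if not, block it at the hypervisor; if so, pass it or redirect it to the IPS for inspection), the trust-zone example from slide 15, and the "policies follow VMs" and "default policy for new VMs" points from the slides are easier to reason about as a small policy evaluator. The following is an added example, not HP TippingPoint or VMware code and not any real vController API: it models zone-pair rules keyed by VM identity rather than host, so that a migrated VM keeps its decision and an unregistered VM falls under a default-deny policy. All VM, zone and host names are constructed.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    """The three outcomes described in the slide 13 notes."""
    BLOCK = "block"      # dropped at the hypervisor by the vFW
    PASS = "pass"        # permitted and forwarded without inspection
    INSPECT = "inspect"  # permitted, but redirected over the IPS VLAN first


@dataclass(frozen=True)
class VM:
    name: str   # VM identity (constructed, e.g. "fin-01")
    zone: str   # trust zone the VM belongs to (constructed: "rnd", "finance", "dmz")
    host: str   # physical host the VM currently runs on; never used for policy


@dataclass(frozen=True)
class Flow:
    src_vm: str
    dst_vm: str


class PolicyEngine:
    """Hypothetical zone-pair policy evaluator (not vController's real logic).

    Rules are looked up by (source zone, destination zone). The host a VM
    runs on is deliberately ignored, so same-host VM-to-VM traffic is judged
    exactly like cross-host traffic and the decision survives a migration.
    Anything not covered by a rule, including traffic to or from a VM that
    was never registered (a new or copied VM), gets the default, which is
    BLOCK unless the operator chooses otherwise.
    """

    def __init__(self, zone_rules, default=Decision.BLOCK):
        self.zone_rules = dict(zone_rules)  # {(src_zone, dst_zone): Decision}
        self.default = default
        self.vms = {}

    def register(self, vm):
        self.vms[vm.name] = vm

    def migrate(self, vm_name, new_host):
        """Model a VM move (e.g. vMotion): only the host changes."""
        vm = self.vms[vm_name]
        self.vms[vm_name] = VM(vm.name, vm.zone, new_host)

    def decide(self, flow):
        src = self.vms.get(flow.src_vm)
        dst = self.vms.get(flow.dst_vm)
        if src is None or dst is None:
            return self.default, "unregistered VM, default policy applied"
        rule = self.zone_rules.get((src.zone, dst.zone))
        if rule is None:
            return self.default, f"no rule for {src.zone}->{dst.zone}, default policy applied"
        placement = "same host" if src.host == dst.host else "different hosts"
        return rule, f"rule {src.zone}->{dst.zone} matched ({placement})"


# Constructed sample policy following the R&D / Finance example on slide 15:
# intra-zone traffic passes, R&D <-> Finance is redirected for inspection,
# DMZ -> Finance is blocked outright, and everything else is default-denied.
SAMPLE_RULES = {
    ("rnd", "rnd"): Decision.PASS,
    ("finance", "finance"): Decision.PASS,
    ("rnd", "finance"): Decision.INSPECT,
    ("finance", "rnd"): Decision.INSPECT,
    ("dmz", "finance"): Decision.BLOCK,
}


def build_sample_engine():
    """Engine with three constructed VMs; rnd-01 and fin-01 share host-a."""
    engine = PolicyEngine(SAMPLE_RULES)
    for vm in (VM("rnd-01", "rnd", "host-a"),
               VM("fin-01", "finance", "host-a"),
               VM("dmz-01", "dmz", "host-b")):
        engine.register(vm)
    return engine


def decision_survives_migration(engine, flow, vm_name, new_host):
    """Return True if moving vm_name to new_host leaves the flow's decision unchanged."""
    before, _ = engine.decide(flow)
    engine.migrate(vm_name, new_host)
    after, _ = engine.decide(flow)
    return before is after


if __name__ == "__main__":
    eng = build_sample_engine()
    for f in (Flow("rnd-01", "fin-01"), Flow("dmz-01", "fin-01"),
              Flow("fin-01", "dmz-01"), Flow("rnd-01", "rnd-99")):
        print(f.src_vm, "->", f.dst_vm, *eng.decide(f))
    print("policy follows VM:", decision_survives_migration(
        eng, Flow("rnd-01", "fin-01"), "fin-01", "host-b"))
```

The part worth copying into a real design review is the default: a VM that vMC has not yet discovered, or a clone that inherited no policy, should land in the blocked or untrusted bucket rather than silently passing, which is what the "default security policies apply to all new or copied VMs" bullet on the slides is about.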

Campus jueves: Presentation Transcript

  • Alvaro Ferro
    CCSP – CISSP – CCIE Security Written
    30 June.
    SECURITY IN THE DATACENTER
  • Data Center Virtualization Trends
    Security in virtual environment
    Challenges due to Virtualization
    Secure Virtualization Framework
    Virtual Controller and Virtual Management Center
    Agenda
    30 June 2011
    2
  • Data Center Virtualization Trends
    vController+vFW and vMC
  • Increased Data Center Security Focus
    2010 – virtualization reaches a tipping point
    #1 Technology Priority in 2010
    • Survey of 1,586 CIOs
    • Displaces Business Intelligence, which held the top position for the last 5 years!
    • Source: Gartner EXP, Jan 2010
    50% of Workloads by 2012
    • Today 16% of workloads are running in virtual machines
    • Source: Gartner, Oct 2009
    [Chart: share of the ~58 million deployed x86 machines running virtualized workloads, 16% in 2010 rising to 50% by 2012]
    4
  • Data Center Trends
    Past: Connect everyone to everything
    • Dispersed, Physical
    • Legacy, Client Server, IPv4, Data
    • Worms, Viruses, Trojans, DDoS
    Present & Future: Do more with less
    • Efficiency Drives Consolidation: Virtualization, Blades, Increased Bandwidth
    • New Apps, Protocols & Traffic: Legacy + Web, IPv4 + IPv6, Data + Voice + Video
    • Threat Landscape Change: Sophisticated Targeted Attacks, Re-Perimeterization
    5
  • Securing the Data Center Attack Surface
    [Diagram: attack traffic against the data center attack surface (Network Devices, Operating Systems, Enterprise Apps, Web Apps, Data at Rest); the IPS Platform protects it, including Web App vulnerabilities, and Vulnerability Scanning feeds the IPS]
    6
  • Security in virtual environment
    7
  • LET'S UNDERSTAND THE FOLLOWING
    "40% of virtualized-environment deployment projects were carried out without the security team's participation in the initial architecture and planning stages"
    Most common risks in virtualization projects
    Lack of visibility and controls over VM-to-VM communication.
    Potential loss of separation of duties (SOD) between the network and security teams when virtualizing.
    Workloads are consolidated onto a single physical server.
    Administrative access controls (hypervisor/VMM).
    Source: MacDonald, Neal. Addressing the Most Common Security Risks in Data Center Virtualization Projects, Gartner, Inc. January 25, 2010
    • Hyper-jacking
    Rootkit attacks designed to take control of virtual machines while they are running.
    • VM Escape
    An exploit that allows moving within a virtual machine.
    • VM Hopping
    When one virtual machine is able to access another virtual machine.
    • VM Theft
    Unauthorized access to acquire a file that contains the VM
    • VM Sprawl
    Proliferation of virtualized server workloads
    THREATS: VIRTUALIZATION SECURITY
    All of these are real possibilities, but there are practical realities!
  • FEATURES: LAYERED DEFENSE
    • Deploy "in-line" threat inspection and blocking against attacks targeting the hypervisor
    • Use zero-day protection programs
    • Converge IPS solutions (virtual & physical) for trust-zone segmentation
    [Diagram: core and Secure Network Fabric Switch connecting physical servers and a virtualized server; inside the virtualized server, three VMs (App on OS, each with vNICs) attach to the vSwitch on the hypervisor, which uplinks through pNICs]
  • HP Secure® Virtualization Framework
    • What it includes
    • IPS platform with VLAN translation
    • Virtual Controller (vController)
    • Virtual IPS (vIPS)
    • SMS / VMC
    TippingPoint vIPS
    • Benefits
    • Enable threat blocking for the virtual data center
    • Consistent security policy & compliance between the virtual and physical data center
    • Full VM security isolation from virtual machines and hosts
    • Visibility and control
    - VMC integration
    • Protection and optimized performance with VMsafe, with options for inspection
    • Security for (mobile) VMs: security follows the VMs
    • DVLabs threat coverage: the best coverage available
    TIPPINGPOINT vCONTROLLER
  • Operation: vController
  • Challenges Due to Virtualization
    vController+vFW and vMC
  • The Virtual Network Visibility Gap
    Hypervisor Security (1)
    • Mission critical
    • Can't be secured with virtual IPS
    • Patches must be immediate
    Host to Host Threats (2)
    • Can't deploy IPS in front of every server
    • Also need VM to Host security
    VM to VM Threats (3)
    • Virtual trust zones
    • Traffic does not enter the physical network for inspection
    • A victim VM can attack other VMs
    VM Mobility (4)
    • vMotion launches VMs in separate sites for DR or other purposes
    • Physical IPS options are cost prohibitive for these uses
    [Diagram: IPS Platform at the Core Switch, a Top of Rack Switch, and three Virtualized Hosts each running VMs (App on OS); call-outs 1 to 4 mark the four threat areas above, with VMs moved to a separate site for call-out 4]
    15
  • Secure Virtualization Framework, VController and vMC
    vController+vFW and vMC
  • Secure Virtualization Framework (SVF)
    What's Included
    • IPS Platform
    • Virtual Controller + Virtual Firewall (vController+vFW)
    • SMS / Virtual Management Center (vMC)
    Securing Virtualization DC security solution
    • Single, purpose-built DC security solution
    Extend IPS solution into the virtual DC
    • Leverage previous IPS investments
    Flexibly Inspect Data in Both the Physical and Virtual DC
    [Diagram: TippingPoint IPS at the Core Switch; VMC and VMware vCenter on the Management Network; a Top of Rack Switch to a Virtualized Host whose Hypervisor hosts the vSwitch, a VMsafe Kernel Module with a Redirect Policy, the Service VM running vController + vFW, and four Application VMs (App on OS)]
    17
  • Protect the High Value Data Center
    Start with DC Perimeter Protection
    • Inspect ingress / egress traffic
    Protect DC Attack Surface
    • Virtualization tools / hypervisor
    • Network infrastructure
    • Host servers and operating systems
    • Enterprise and Web applications
    • Virtual desktop infrastructure (VDI)
    Virtual Patching
    • Protects rolled-back VMs
    • Protects VMs with out-of-date patching due to server/VM shut-downs
    Single Set of Security Policies across Physical and Virtual DC
    [Diagram: TippingPoint IPS at the Core Switch, a Top of Rack Switch, Virtualized Hosts and Physical Hosts]
    18
  • Visualize the DC and Deploy VController
    Simple VMC Installation
    • VMware vCenter integration
    VMC Auto-Discovery of Virtualized Hosts and VMs
    • Real time visibility of virtual DC
    • Topology mapping of network paths
    VMC Auto-Deployment of vControllers to Virtualized Hosts
    • User initiated, auto-deployment
    Control VM Sprawl
    [Diagram: VMC and VMware vCenter on the Management Network; TippingPoint IPS at the Core Switch; a Top of Rack Switch to Virtualized Hosts and Physical Hosts]
    19
  • Apply Security Policies Between DC Trust Zones
    Enforce Security Policies
    • Incoming DC traffic
    • Outgoing DC traffic
    • Physical host to physical host traffic
    • Physical host to VM traffic
    • VM to VM traffic
    Security Policies Follow VMs
    • Policies apply to mobile VMs
    Default Security Policies
    • Apply to all new VMs or copied VMs
    • Untrusted VMs or zones
    Single Set of Security Policies for Entire DC Protection
    [Diagram: VMC and VMware vCenter on the Management Network; TippingPoint IPS at the Core Switch; a Top of Rack Switch to a Virtualized Host whose Hypervisor hosts the vSwitch, a VMsafe Kernel Module with a Redirect Policy, the Service VM running vController + vFW, and four Application VMs (App on OS)]
    20
  • VMware Ready
    VMware VMsafe Hypervisor Integration
    vController is fully integrated with VMware vSphere using the VMsafe API
    VMware vCenter Integration
    VMC is fully integrated with VMware's vCenter management console
    Member of VMware Global Technology Alliance Partner (TAP) Program
    Certified per "VMware Ready" Program
    Supports VMware vSphere 4 (ESX / ESXi 4)
    21
  • Data Center Security
    Single security model for the physical AND virtual data center
    [Diagram: N-Platform IPS above a Top of Rack Switch; Physical Finance Servers and Physical R&D Servers beside a Virtualized Servers Cluster with a Distributed vSwitch; each of the three virtualized hosts runs vController+vFW, and its VMs (App on OS) are grouped into a Finance Zone, a DMZ Zone and an R&D Zone]
    22
  • Q&A
  • Outcomes that matter.