Clavister security for virtualized environment


Published on

we are network security

Published in: Technology
  • Over the last 10 years virtualization has developed and matured significantly. What in the early days was the ability to partition one server into several virtual machines has now grown into a virtual infrastructure which involves not just one piece of hardware being virtualized but a complete datacenter. Looking forward, cloud computing infrastructure becomes more and more commoditized, especially since the hypervisors are complemented with a full-scale cloud management framework as part of the standard offering. The reason this evolution is important from a security aspect is that as the size of the virtual network grows, the need for security products tailored to these new environments increases dramatically. Protecting a virtual infrastructure with a simple physical gateway on the outside of the infrastructure just won’t provide the necessary level of control and insight into the virtual network traffic.
  • As the trend for virtualization moves forward, driven by generic business needs and by IT itself becoming more mature and an integrated part of any organization in the same way as power or telephony, new technologies have emerged and are now being used by companies who want to escape the reality of costly maintenance and kludgy solutions that don’t support the business process the way they should. This is where the cloud comes in. The cloud is designed to offer IT as a Service, much like power or telephony, and transforms IT from being something introverted and resource-demanding into a very scalable model where you pay for what you get and which expands with you at your own pace.
  • Traditional network security relies on physical segmentation of networks and servers. Physical firewalls / security gateways then form effective filters between communicating parties. In a virtual environment, however, a large number of servers may be deployed within the boundaries of a single piece of hardware. As a result, communication between servers does not necessarily need to leave the physical hardware. To achieve secure zones using old-fashioned physical gateways, the virtual traffic needs to exit the virtual infrastructure, and you end up having to create multiple isolated islands, with all the extra administration and inability to use cloud-like capabilities that this entails.
  • If isolated zones are not created and one large infrastructure is kept instead, companies are putting their infrastructure at great risk, since threats can easily spread from one zone to another without any security gateway scanning the traffic and applying policies.
  • The mixed solution has many disadvantages and does not allow organizations to have one large pool of resources that scales seamlessly; instead, each zone becomes its own isolated island, with all the additional administration this means. Furthermore, in cloud scenarios where the private cloud can be housed either on site or off site, the physical gateway will not be able to protect your virtual resources efficiently. Clearly, the biggest disadvantage of this solution is that the environment still relies on external physical components, which is a total contradiction of the virtualization idea. It will also become difficult to create identical lab environments and test the setup where security is considered an important aspect.
  • Mixing virtual infrastructures with traditional physical security appliances limits your capabilities to leverage the virtualization benefits to a very large extent. This is also why the virtual security gateway is superior to the physical security gateway for virtual infrastructures.
  • The most straightforward way of solving the problem is to deploy the security gateways, too, as virtual nodes in the virtual environment.
  • The size of other vendors’ virtual machines is often very large. 500 MB is very common and in some cases, such as with Checkpoint, it’s up to 12 GB. This means that the security application actually depends on a very bulky standard operating system with millions of lines of code which are not optimized for security specifically and often have nothing to do with the actual application itself. This bulky OS will need recurring patches which might cause interruptions in your network security infrastructure. With Clavister, every single line of code is optimized for the security gateway itself, and patches only need to be applied for the security function itself, thereby keeping maintenance and disturbances to an absolute minimum. Another aspect of a large and bulky underlying operating system is the potential risk of inheriting vulnerabilities from the OS into the security function, since the two are heavily dependent on each other. One such example is the Sockstress attack framework, which utilizes several weaknesses and vulnerabilities in common operating systems. When information about the Sockstress attack framework was released, Checkpoint and almost every other security vendor who had been using a standard operating system such as Linux, Unix, Windows, BSD, etc. had to scramble very fast to try to provide a patch for the vulnerabilities, since their solutions were vulnerable to this attack.
In the end, the result was that their customers had to go through an extensive patch management procedure in order to avoid critical Denial of Service breaches occurring in their networks. Since Clavister has no underlying operating system, the vulnerabilities did not apply to Clavister and there was no need for a patch, since it was not affected by the attack. Sockstress is just one example; the fact that large operating systems need patch management and have vulnerabilities that can pose a potential threat to the security application itself is a much more fundamental issue which should not be overlooked.
  • Clavister security for virtualized environment

    1. Clavister – Virtual Security, May 2010 [Nicola Sotira, VP Sales Italia]
    2. Company Overview
       • A leading European provider of network security solutions for Service Providers, Enterprise and Government customers
       • Our solutions protect against: hackers, intrusions, information theft, eavesdropping, viruses, spam, malicious content ... and more
    3. Proven track record and industry experience
       • Long-term experience from securing some of the world’s most demanding networks
       • Protecting 100.000+ networks and 20.000+ customers
       • Customers include:
       • Complete and mature product portfolio designed for performance and scalability
    4. Established market position
       • Recognized as one of the top 12 suppliers in the world by analyst Gartner Group
       • Several technology awards and product recognitions in magazines
       • Technology partnerships with leading industry partners including Cavium Networks, RadiSys, Kaspersky and VMware
    5. Global Presence
       • About 70 employees
       • Headquarters in Örnsköldsvik, Sweden
       • Sales offices in Europe and Asia: Stockholm, Sweden; Hamburg, Germany; Paris, France; Torino, Italy; Singapore; China (5 locations)
       • 100+ Solution and Channel Partners worldwide
    6. Clavister SSP – The Portfolio
    7. CorePlus – The Core in our Products
       Secure & Robust
       • Our proprietary and purposely built network security operating system
       • No inheritance of vulnerabilities from an underlying Operating System
       • Minimal footprint and attack surface
       Compact, Optimized & Scalable
       • Optimal resource utilization
       • High performance with high reliability
       • xPansion Lines licensing offering scalability
       Fine granular Control
       • Seamless integration of all subsystems, in-depth administrative control
    8. Technology – Complete Feature set
       Clavister’s next-generation network security software, designed to meet the challenging requirements of modern IP networks.
       NETWORK SECURITY: Stateful Inspection Firewalling • Policy-based • Multiple, chained Rule-sets • Address Translation • DoS Prevention • Consistency Checking • Deep Inspection • IDP / IDS • Web Content Filtering • Anti-Spam • Anti-virus
       L7 SECURITY PROXIES: HTTP • FTP • TFTP • PPTP • SIP • SMTP • POP3
       TRAFFIC MANAGEMENT: Traffic Shaping (Pipes) • Rate Limiting • Server Load Balancing
       TUNNELING: IPsec (IKEv1 / IKEv2) • PPP • L2TP (Client/Server) • PPTP (Client/Server) • GRE • GTP
       AUTHENTICATION: RADIUS • LDAP • Local Databases • PAP / CHAP • Form (HTTP / HTTPS) • EAP-SIM / AKA / MD5 / TLS
       DHCP: Client • Server • Relayer • IP Pools
       CLUSTERING: Fully state-synced HA • Virtualization & vmHA
       INTERFACES: Gigabit Ethernet • Fast Ethernet • VLAN • Proxy ARP • Virtual
       ROUTING: Static • Policy-based • Transparent (L2) • OSPF • IGMP • PIM-SM • Multicast • Load Balancing • Fail-over
       MANAGEMENT: InControl • Web User Interface • CLI (SSH / Console) • Secure Copy (SCP) • Syslog • FWLog • SMTP Logging • SNMP Poll / Traps • Real-time Counters • Alarms • PCAP Recording
       Copyright © 2009 Clavister AB. All rights reserved. 2010-05-17
    9. Clavister Security Gateways: Hardware, Software, Virtual – Clavister xPansion Lines™
    10. Virtual Security – For Enterprises
    11. Evolution of Virtualization
    12. Virtualization going forward – IT as a Service, just like…
       • Inexpensive, usage based, pay-as-you-go
       • Ubiquitously available
       • Reliable
       • Choice of providers
    13. The virtual network – not just for the server guys
       Traditional Network:
       • Multitude of network segments which divide the servers
       • Communication between zones is monitored and secured
       Virtual Network:
       • Fewer network segments
       • Communication between virtual machines is not monitored or secured ! DANGER
    14. Communication Path Diagram (Web Front-End Zone, Middleware / Business Logic Zone and Back-End Database Zone connected through a Virtual Switch): inter-communication traffic is limited by VLANs but not secured, which is a critical security issue and one which needs to be addressed
    15. Mixing physical security and virtual networks
    16. Drawbacks With “Mixed Solutions”
       • Looks good at first glance but not as attractive in the longer run!
       • You will still have to rely on external, non-virtual appliances
       • Forces you to create isolated islands instead of a dynamic and scalable pool of resources
       • Virtual yes, cloud no!
       • Does not allow you to protect the private cloud, which might be a mix of on-site and off-site resources
       • Does not benefit from Redundancy and Disaster Recovery tools
       • Makes creating team- or project-oriented silos, which is very common in e.g. consulting and media companies, very difficult
    17. The fully virtualized solution
    18. The Clavister Virtual Security Gateway Solution
       • No underlying Operating System – only Clavister CorePlus
       • Runs in the virtual infrastructure and benefits from the virtualization itself: easy to deploy, highly redundant, scalable, simplified maintenance, etc.
       • Templates & workflows – ideal for large installations, e.g. Managed Services, utilities such as smart grid, wind/solar power, etc.
    19. Clavister Virtual Security Gateway Solution
       • Virtual Machines (VMs) are not allowed to talk with each other without first going through the Virtual Security Gateway
       • All security inspections which would have been performed by a physical security gateway in a physical structure are done ”in-line” in the virtual environment
    20. Communication Path Diagram: all virtual machines and inter-communication are secured using best-in-class virtual security gateways, which enables mission-critical applications to be virtualized without compromises to the security policies (diagram: Clavister Virtual Security Gateway interfaces ETH1 and ETH2 connecting the Web Front-End Zone, the Middleware / Business Logic Zone and the Back-End Database Zone via the Virtual Switch)
    21. Troubleshooting, Monitoring, Alarms & Auditing
       • Troubleshoot communication using: real-time monitoring with filters; PCAP & Memlog recording; log analysis
       • Monitor behavior of traffic using: SNMP; real-time monitoring; real-time KPI dashboards
       • Create custom and policy-based alarm events (thresholds etc.)
       • Full auditing capabilities using built-in log viewing applications and external SIEM systems
    22. Typical Enterprise Environment: Disaster Recovery or Lab/Test Network; virtualized production infrastructure; traditional physical server network
    23. Fully virtualized DMZ Network Diagram
    24. Clavister VSG Models & Dimensioning
                                            VSG21   VSG110   VSG510   VSG1100
       Plaintext Performance (Mbit/s)*        50      200      500      1000
       VPN Tunnels                            25      200      500      1000
       VLAN                                    4       64      128       512
       Concurrent Connections               4000    16000    64000    256000
       Recommended Application:
       • VSG21 – Test & Lab Networks with no or very low performance demands
       • VSG110 – Small installations with a limited amount of protected VMs with low to medium performance demands
       • VSG510 – Medium and Large installations with medium to high performance applications such as web/mail/citrix/databases and similar
       • VSG1100 – Large installations with medium to high performance applications such as web/mail/citrix/databases and similar
    25. Features
       • Protect Virtual Servers – Segregate virtual machines from each other and prevent hackers from jumping from one machine to another, without having to use a physical appliance and create isolated islands.
       • Secure Cloud Infrastructures – Enforce network security within the private cloud, both for the part of the cloud which is running in your datacenter and the part that you might have outsourced to a hosting provider.
       • Secure Inter-Communication – Utilize the VPN encryption to secure communication between virtual machines.
       • Achieve Auditing and Regulatory Compliance – Since the virtual security gateway can be run inside the virtual infrastructure, security auditing can be achieved and thereby regulatory compliance requirements can be met.
       • No Security Policy Compromises for Virtual Environments – Utilize your standard set of policies not only for physical machines but just as easily also for virtual ones.
    26. Benefits
       • Scalability – Users can now extend security by simply deploying new security gateways as they go.
       • Lower CAPEX – Virtualization opens up new business models where CAPEX is minimized.
       • Simplified Maintenance – Security components inherit all manageability features from a virtual environment, such as fail-over, provisioning, and so forth.
       • Minimized downtime – Less hardware in combination with highly efficient disaster recovery and redundancy tools such as VMotion reduces downtime and improves the overall in-service performance of the security solution.
       • Simplified Test/Lab testing – Since the virtual security gateway is a part of the virtual infrastructure it becomes easier to create lab/test environments, which decreases the complexity of security tests, which in its turn improves the overall security.
    27. Why Clavister VSG is better than physical UTMs
       • No need to create isolated islands – Creating security zones inside the virtual infrastructure using physical gateways forces you to have all traffic routed out of the infrastructure and then back in, thereby leaving you with isolated islands, which turn into additional administration and limit the possibilities to leverage cloud-like resource pools and many of the fundamental virtualization benefits.
       • Improves the consolidation ratio – By using the Clavister Virtual Security Gateway to create security zones within a homogeneous physical pool of resources, and avoiding the isolated islands which are necessary when using physical UTM gateways, the consolidation ratio can be improved since you do not have to have the extra performance overhead distributed on each island. This becomes especially important when using the VMware Dynamic Resource Scheduler, which can move VMs between physical hosts and allocate more CPU and RAM memory at run-time using the hot-add functionality.
    28. Why Clavister VSG is better than physical UTMs
       • Leverages virtualization benefits also for security gateways – Virtualization offers many benefits such as 100% guaranteed availability, disaster recovery, ease of deployment and simplified administration. All these benefits the Clavister VSG can leverage as it runs as a part of the virtual infrastructure. Physical gateways can never leverage these benefits; they actually limit the possibilities for all the other IT infrastructure to benefit from them as well.
       • Improved SLAs and better control – With the security gateway running inside the virtual infrastructure you can improve your SLAs and make SLA reporting and prediction much more efficient, since you do not have to rely on external equipment not under the control of the virtual infrastructure. Physical appliances used for protecting the “isolated” islands are often used also for the other physical infrastructure, thereby creating a structure where modifications in the physical infrastructure might disturb also your virtual datacenter.
    29. Why Clavister VSG is better than other VSGs – Clavister VSG Advantages: No Operating System • Proven & Trusted • Complete Security • Scalable Licensing • Unified Management
    30. Advantages – No OS
       No underlying Operating System: Clavister Virtual Security Gateways do not have an underlying Operating System, which is the case for most other virtual security gateways. The Clavister VSG only uses Clavister CorePlus, which is our “bare-metal” security gateway application with built-in operating system functionality.
       The Size does matter! There are many benefits of not having an underlying operating system. Patch management is one of them. In many cases the underlying OS has a very large footprint (Checkpoint has a footprint of more than 10 GB) which is made up of features and functions which do not have anything to do with the security function; nonetheless the OS needs recurring updates even if the patches do not have anything to do with the security itself. Equally often these patches require restarts and reboots. In the end, the result of having a bulky OS to run the security gateway is less predictable quality, additional administration, unnecessary maintenance, etc.
       (Diagram: Clavister VSG – footprint 32 MB – stack: Clavister CorePlus / Virtual Machine / Hypervisor. Other Vendors’ VSG – footprint 500 MB – 12 GB – stack: Application / Operating System / Virtual Machine / Hypervisor.)
    31. Advantages – No OS – Footprint Comparison
       • Checkpoint VPN1-VE: min 12 GB storage, min 512 MB RAM
       • CorePlus: 2 MB actual footprint; min 32 MB storage*, min 32 MB RAM
       *The minimum storage size of a virtual machine in VMware ESXi is 32 MB even if the application is smaller
    32. Advantages – Proven and Trusted
       • Large Install base – Clavister CorePlus is today being used in more than 100.000 installations world-wide, ranging from small office/home office to large enterprises, military, government and telecom networks.
       • Mature Technology – CorePlus has been on the market since 1997, has a high level of maturity and does not suffer from the childhood diseases which might be the case for newer products and technologies.
       • Long term history and track record – CorePlus is a mature product with a history that dates back to 1997. CorePlus also has an impressive track record of being used in some of the world’s most demanding networks, including telecom operator networks and customers like France Telecom/Orange, Rogers Wireless, Terremark, SAAB, French Navy/Military, etc.
       • Large Virtual Networks Experience – CorePlus has been used as virtual security gateways in some of the world’s largest virtual infrastructures with more than 1000 sites/virtual machines and >100.000 users, which probably makes it the world’s largest deployment of virtual security gateways.
    33. Advantages – Complete Security
       • Not only a firewall or an IDS – Clavister CorePlus is a complete Unified Threat Management solution with comprehensive protection against modern attacks and security threats. Most other virtual security gateways are early-to-market solutions which only cover a limited set of protection features, such as only being a firewall, only being an IDS solution, etc.
       • Complete yet scalable and dynamic – Even though Clavister Virtual Security Gateways have a very comprehensive set of features, you as an administrator can orchestrate the solution to only run the features you like, thereby making the solution more adaptable to your real network with minimum overhead.
       • Complete feature set – High Performance – Thanks to the unique design of the Clavister Virtual Security Gateways and the CorePlus firmware, which has a minimum overhead and is optimized for the security functions only, performance figures of multiple gigabit can be achieved even in the virtual infrastructure.
    34. Advantages – Scalable licensing
       • Licensing per Gateway – Not per Virtual Machine – The Clavister Virtual Security Gateways are licensed on a per-gateway basis, not per virtual machine being protected. This means that you do not need the hassle of upgrading licenses for the security gateway every time you wish to add new virtual machines to your infrastructure. It also enables a much more cost-effective setup in larger environments and provides a much more predictable Total Cost of Ownership. This is especially important in the scenarios where you expect an increased demand for new servers and functions as IT becomes more available.
       • Feature & Capacity Differentiated License Models – The Clavister Virtual Security Gateways are offered in four different license models, each with a different amount of performance, capacity and features. This enables you to choose the model that fits your needs best. Customized license models can also be offered for specific needs, e.g. power utilities, managed security services, etc.
    35. Advantages – Unified Management
       • Software, Hardware, Virtual – The Clavister Virtual Security Gateways are managed using the exact same management software as the hardware and software based versions, i.e. Clavister InControl. This means that you can manage and administrate your entire network security architecture using one and the same system, independently of the platform. This not only lowers your administration costs but also helps make your overall security stronger compared to other virtual machines which require you to learn a completely new management interface for the virtual infrastructure alone.
       • Integrate with your business process and other IT systems – The Clavister InControl management suite offers a full-blown Application Programming Interface which enables you to integrate the management and administration of the Virtual Security Gateway from your other core IT systems. Through this integration capability you are able to have your network operating central system manage the virtual security gateway, and your IT support staff take care of simple tasks from the support systems and similar. The advantage of this is that you are able to lower administrative costs and become more reactive to your users and business demands.
    36. Virtual Security for Service Providers
    37. xSPs / Telecom Operators – Market Situation
       Competitive Market
       • Highly competitive and saturated market
       • Recruiting new customers is expensive
       • Operational efficiency is a must to remain competitive
       Financials
       • Low and decreasing profit margins for traditional offerings
       • Increasing Average Revenue Per User (ARPU) is absolutely key to growth & success
       • Financial crisis drives the need to offer cost-saving services to customers
       First mover advantage
       • Time between visionary and market leadership is shorter than ever
    38. Clavister vSeries – Value Proposition for xSPs
       • Opportunity to take first mover advantage
       • A value-adding and unique security offering
       • Create your own attractive security services portfolio (Firewall, VPN, Content Filtering, IDP, Anti-Virus…)
       • Leverage existing virtual infrastructures
       • Extreme scalability, deployment, SLA, etc.
       • Increase your Average Revenue Per User (ARPU)
       • Low capital investment – expands as you grow
    39. Clavister vSeries – What it is
       Security Platform
       • Best-of-breed Security Gateways
       • Clavister Security Services Platform (SSP), our offering for Service Providers
       Virtual for optimal scalability and financial benefits
       • Runs inside a virtual infrastructure (e.g. VMware / Xen / Microsoft)
       • Runs in your datacenter (each customer gets a dedicated security gateway)
       • Extremely resource efficient – more gateways on less hardware
       Designed for Operators
       • MSSP-friendly Management & Operations
       • Extremely scalable – provision 1 gateway just as easily as 100.000
    40. Business Case 1 – Internet Service Providers
    41. Security Services for Internet Subscribers
       • Value Add Services for Internet Subscribers: added on top of the internet connection bill; increase ARPU – offer the services to all existing customers; first mover advantage – Infrastructure as a Service (IaaS) already today
       • Plug-in Solution for the Broadband Network Datacenter: no need for End User Equipment; efficient management and maintenance; optimized provisioning capabilities
       • Customer Focused Service Packages: Small & Medium Business; Remote Office; Retail Stores…
    42. Security Service Network Diagram (ADSL Customer #1 and #2 → B-RAS → Core Switch → Datacenter Core Network → Virtual Infrastructure with HW layer and VM layer providing Firewall, VPN, Content Filtering, IDP, Anti-Virus, Reporting and Provisioning)
    43. Customer Experience – Deployment: 1. Choose Service (€) → 2. Automatic deployment (< 1 hour) → 3. Use the service
    44. Summary – Virtual Security Services
       • New business opportunities: offer cost-efficient security services
       • Financial upsides: increase Average Revenue Per User (ARPU); improve profit margin
       • First mover advantage: gain or secure market leadership; interesting product portfolio
       • Provisioning & Operations: extremely efficient deployment (minutes instead of days & weeks); based on tested & proven industry standard technologies (Clavister, VMware, IBM/HP/Dell); extremely scalable
    45. Business Case 2 – Hosting Providers
    46. Business Case – Service Providers (Hosting)
       • Value Adding – Offer value-adding managed security services to hosting customers.
       • Tailor-made service portfolio – Use the pick-n-choose service packaging.
       • Operational Efficiency – Automatic deployment without any human intervention.
       • Accelerates hosting business – Makes customers more comfortable hosting sensitive applications (cloud and utility computing specifically).
       • Increase ARPU
       • Low investment – high profit margins
    47. SMB – Hosting Security Services (diagram: hosted virtual machines, dedicated or part of a cloud – Microsoft Exchange, Web Server, FTP Server – for Customers #1, #2 and #3 behind a managed or self-managed Virtual Security Gateway providing Firewall, VPN, Content Filtering, IDP, Anti-Virus and Reporting in the Datacenter Core Network)
    48. Customer Experience – Deployment: 1. Choose Service (€) → 2. Automatic deployment (< 1 hour) → 3. Use the service
    49. Business Benefits
       • Price-efficiency – Use VMware and Clavister to provide dedicated firewall, VPN, IDP and reporting capabilities in a price-efficient manner to customers of all sizes
       • Scalability – Start with a virtual gateway and grow to a dedicated platform when the need for performance and functionality increases
       • Deployment – Virtual appliances are turn-key solutions and can be deployed within minutes
       • Convergence and standardization on robust hardware – Utilize standardized hardware also for security services
       • Provide Improved SLAs – Utilize tested VMware redundancy and clustering in order to provide improved SLAs for security services
    50. Terremark – Reference Customer
       About Terremark: Terremark Worldwide’s (NASDAQ:TMRK) acclaimed Infinistructure utility computing architecture has redefined industry standards for scalable and flexible computing infrastructure, and its digitalOps service delivery platform combines end-to-end systems management workflow with a comprehensive customer portal.
       TERREMARK AT A GLANCE
       • NASDAQ: TMRK
       • Leader in managed IT infrastructure services (Gartner – Leaders Quadrant)
       • Datacenters in the United States, South America and Europe
       • SAS 70 Type II Certified
       • Microsoft Gold Certified Partner
       • United States General Services Administration (GSA) Schedule# GS35F0073U
    51. Thank You – Contact Information: Nicola Sotira, Email: , Phone: +39 011 5069369, Mobile: +39 335 7888968
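The security argument of slides 13, 14, 19 and 20 (and of the speaker notes on mixed solutions) is that VLANs on a virtual switch separate zones but do not inspect, filter or log the east-west traffic between VMs that never leaves the host, whereas an inline virtual gateway applies an explicit zone policy to every such flow. The following is an added illustration of that difference and is not Clavister's code or anything from the deck: a small policy evaluator with a constructed three-tier zone rule set (web, middleware, db), an ordered first-match rule list with default deny, and a constructed sample of inter-VM flows, compared against a VLAN-only baseline that forwards everything without a record. All zone names, rules, ports and flows are assumptions made up for the example.

```python
"""Zone-based east-west traffic policy: an added illustration of the slides'
"inline virtual security gateway" model. Hypothetical example code, not
Clavister's; zone names, rules and flows are constructed for this page."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    src_zone: str          # "*" matches any zone
    dst_zone: str
    proto: str             # "*" matches any protocol
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "deny"
    name: str              # rule name that ends up in the log record

    def matches(self, f: Flow) -> bool:
        return (self.src_zone in ("*", f.src_zone)
                and self.dst_zone in ("*", f.dst_zone)
                and self.proto in ("*", f.proto)
                and (self.dport is None or self.dport == f.dport))


class VlanOnlySwitch:
    """Baseline of slides 13/14: zones are separate VLANs on the virtual switch
    and inter-VLAN routing exists, but nothing inspects or logs the traffic,
    so every flow is simply forwarded."""

    def decide(self, f: Flow) -> Tuple[str, str]:
        return ("allow", "vswitch-forward")


class InlineGateway:
    """Slide 19/20 model: every inter-VM flow passes the gateway, which applies
    an ordered rule set (first match wins) with an implicit default deny and
    records a log entry per decision (the audit trail slide 21 talks about)."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        self.log: List[Tuple[Flow, str, str]] = []

    def decide(self, f: Flow) -> Tuple[str, str]:
        for r in self.rules:
            if r.matches(f):
                verdict = (r.action, r.name)
                break
        else:
            verdict = ("deny", "default-deny")
        self.log.append((f, *verdict))
        return verdict


# Constructed three-tier policy for the zones drawn on slide 20 (assumed names).
TIERED_RULES = [
    Rule("web", "middleware", "tcp", 8080, "allow", "web-to-app"),
    Rule("middleware", "db", "tcp", 5432, "allow", "app-to-db"),
    Rule("*", "db", "*", None, "deny", "db-isolation"),
]

# Constructed sample of east-west flows that never leave the physical host.
SAMPLE_FLOWS = [
    Flow("web", "middleware", "tcp", 8080),   # expected tier-to-tier traffic
    Flow("middleware", "db", "tcp", 5432),    # expected tier-to-tier traffic
    Flow("web", "db", "tcp", 5432),           # tier skip: front-end straight to the database
    Flow("web", "web", "tcp", 22),            # lateral movement inside one zone
    Flow("db", "web", "tcp", 443),            # back-end initiating a connection outwards
]


def evaluate(enforcer, flows: List[Flow] = SAMPLE_FLOWS) -> List[str]:
    """Return the allow/deny verdict for each flow under the given enforcer."""
    return [enforcer.decide(f)[0] for f in flows]


def compare():
    """Run the same flows through both designs; returns the two verdict lists
    and the gateway's log so the difference in visibility is explicit."""
    baseline = evaluate(VlanOnlySwitch())
    gateway = InlineGateway(TIERED_RULES)
    secured = evaluate(gateway)
    return baseline, secured, gateway.log


if __name__ == "__main__":
    baseline, secured, log = compare()
    for f, b, s in zip(SAMPLE_FLOWS, baseline, secured):
        print(f"{f.src_zone:>10} -> {f.dst_zone:<10} {f.proto}/{f.dport:<5} "
              f"vlan-only={b:<5} inline-gateway={s}")
    print(f"gateway log records: {len(log)}")
```

The VLAN-only baseline allows all five flows and produces no record of them; the inline gateway allows only the two tier-to-tier flows, blocks the tier skip and the lateral and outbound flows, and logs a named verdict for each, which is what lets a SIEM see a front-end host trying to reach the database directly. The rule order matters: the explicit `db-isolation` deny sits after the `app-to-db` allow, and anything not covered falls through to default deny.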