Security in A Virtualised World

The benefits of virtualisation are well known, but it does create a few challenges. Historically we implemented security in a network by physically placing a device in the path of the traffic. In the virtual world the user, the application and even the network are dynamic. This means we need a new security model, one that is as dynamic as the rest of the infrastructure. We need to realise that yesterday's box is tomorrow's service. In this session we will investigate the changes taking place in security to reflect the virtual world.


  1. Securing the virtualised datacentre
     Trevor Dearing, Director Network Strategy, EMEA
  2. Some designs are useful for a long time
  3. Cheaper raw materials offer incremental change
     The vehicle to economics is to improve opex through architecture, not through dropping the price.
  4. New architecture transforms what's possible
  5. The applications evolved
     Client–Server Architecture vs. Service Oriented Architecture: a fundamental change in data flows.
     (diagram: client-server traffic between clients and servers, against SOA traffic between services A, B, C, D and the DB tier; flow labels of 95%, 25% and 75%)
  6. The servers and storage evolved
     - Servers were consolidated, standardized and virtualized
     - Storage was consolidated and virtualized
     - Network services can be consolidated and virtualized
     - A single network to integrate the resource pools
  7. But, the network architecture has not changed
     Today's challenges:
     - Too complex
     - Impacts scale and agility
     - Too slow
     - Too expensive
     - Security scalability and agility
     Unnecessary layers add hops and latency. Up to 50% of the ports interconnect switches, not servers or storage. Spanning Tree disables up to 50% of bandwidth. Up to 75% of traffic (diagram: data center with N/E/W/S traffic directions).
  8. Typical tree configuration
     DEFINING THE IDEAL NETWORK: flat, any-to-any connectivity.
  9. DEFINING THE IDEAL NETWORK
     Flat, any-to-any connectivity; a single device (N=1); switch fabric.
     - Data plane: flat (single look-up); any-to-any
     - Control plane: single device; shared state
     Simplicity of a single switch, but a single switch does not scale.
  10. DEFINING THE IDEAL NETWORK – A FABRIC
     Flat, any-to-any connectivity; a single device (N=1); network fabric.
     - Data plane: flat (single look-up); any-to-any
     - Control plane: single device; shared state
     A Network Fabric has the simplicity of a single switch and the scalability of a network.
  11. Security is impacted by two trends
     - Industry trends: mobile workforce, data center consolidation, consumerization
     - Security trends: attacker behavior, new attack targets, evolving threat vectors
  12. The changing data center leads to a greater security challenge

     | Yesterday | Today | Tomorrow |
     |---|---|---|
     | Dispersed, physical separation | Consolidation | Virtualization, increased bandwidth utilization |
     | Legacy, client server, data, IPv4 | Changing traffic | Movement of hosts, systems |
     | Worms, viruses, trojans, DDoS | Evolving threats | Application targeted attacks |

  13. The New Network meets that challenge
     - A: Dynamic security at scale
     - B: Application visibility
     - C: Identity aware networking
     - D: Automating security infrastructure
     (diagram: servers/storage, HTTP/web services and servers in the data center behind the network core)
  14. Secure – new model for the cloud
     Castle model ("Keep Out!") vs. Hotel model
  15. The Future of Security
     Data/App consolidation; consolidation of security services (everywhere) over a Global High-Performance Network linking Data Center, Branch, Campus and Mobile Clients.
     (diagram: per-site security services: NAT, firewall, IPS, IDS, UTM, VPN, anti-malware, LAN acceleration, anti-virus, remote access, remote lock/wipe, backup & restore, UAC)
  16. Where is security headed?
     - Consolidation of security services (everywhere)
     - Application Visibility and Control: "Location to Network" vs. "Source to Destination"
     (diagram: what user, what application, user device and user location in place of source-to-destination, across Data Center, Branch, Campus and Mobile Clients on the Global High-Performance Network)
  17. Where is security headed?
     - Consolidation of security services (everywhere)
     - Application Visibility and Control: "Location to Network" vs. "Source to Destination"
     - Security Intelligence: "Security as an ecosystem" vs. "a collection of independent devices"
     (diagram: user information, data flows, configuration information, and log information and place feeding the ecosystem)
  18. Where is security headed?
     - Data/App consolidation; consolidation of security services (everywhere)
     - Application Visibility and Control: "Location to Network" vs. "Source to Destination"
     - Security Intelligence: "Security as an ecosystem" vs. "a collection of independent devices"
     - Broad enterprise security: "Breadth and depth" across the enterprise
  19. Secure – cloud enabled security
     Data Centers and Clients on a Global High-Performance Network: Client to DC, Server to Server, DC to DC.
  20. Dynamic security at scale
     - Dynamic allocation of security services within a single platform
     - Scale to 130 Gbps / platform and 10M concurrent connections
     - Automated firewall changes based on user visibility and policy
     - Secure shifting traffic flows with a single platform
     (diagram: MX Series, EX8216 and SRX5800 in front of servers, storage and FC SAN)
  21. Service offerings continue to grow
     Yesterday's box is tomorrow's feature. (SRX5800, SRX5600, SRX3600, SRX650, SRX240, SRX210, SRX100)
  22. Security implications of virtual servers
     A firewall/IPS in the physical network inspects all traffic between servers, but physical security is "blind" to traffic between virtual machines.
     (diagram: VM1, VM2, VM3 on an ESX host; hypervisor virtual network vs. physical network)
  23. Approaches to securing virtual servers: three methods
     1. VLAN Segmentation: each VM in a separate VLAN; inter-VM communications must route through the firewall. Drawback: possibly complex VLAN networking.
     2. Agent-based: each VM has a software firewall (FW agents). Drawback: significant performance implications; huge management overhead of maintaining software and signatures on 1000s of VMs.
     3. Kernel-based firewall (FW as a kernel module in the hypervisor): VMs can securely share VLANs; inter-VM traffic always protected; high performance from implementing the firewall in the kernel; micro-segmenting capabilities.
  24. Hypervisor kernel stateful firewall: introducing the Altor VF
     - Purpose-built virtual firewall
     - Secure live migration (VMotion)
     - Security for each VM by VM ID
     - Fully stateful firewall
     - VMware "VMsafe Certified"
     - Tight integration with virtual platform management, e.g. VMware vCenter
     - Fault-tolerant architecture
     (diagram: Altor VF on the ESX host beside VM1–VM3, connected through a Juniper switch and Juniper SRX to the network, with NSM and STRM)
  25. Integration with Juniper data center security
     Altor integration points:
     - Central policy management: policies from Altor Center to the Altor Virtual Firewall
     - Firewall event syslogs and Netflow for inter-VM traffic to STRM and NSM
     - Traffic mirroring to IPS on the Juniper SRX with IPS
     (diagram: Altor VM with VM1–VM3 on VMware vSphere, Juniper switch, network)
  26. SECURING THE FABRIC
     Flat, any-to-any connectivity; a single device with integrated security; network fabric.
     - Data plane: flat (single look-up); any-to-any
     - Control plane: single device; shared state; security policies
     A Network Fabric has the simplicity of a single switch and the scalability of a network.