Campus jueves


  1. Security in the Datacenter
     Alvaro Ferro, CCSP, CISSP, CCIE Security (written)
     30 June
  2. Agenda
     - Data Center Virtualization Trends
     - Security in virtual environment
     - Challenges due to Virtualization
     - Secure Virtualization Framework
     - Virtual Controller and Virtual Management Center
     30 June 2011
  3. Data Center Virtualization Trends (section divider: vController+vFW and vMC)
  4. 2010: virtualization reaches a tipping point
     - #1 technology priority in 2010 in a Gartner EXP survey of 1,586 CIOs (Jan 2010); it displaced business intelligence, which had held the top position for the previous 5 years
     - Today 16% of workloads run in virtual machines; 50% of workloads by 2012 (about 58 million deployed x86 machines; source: Gartner, Oct 2009)
     - Increased data center security focus
     Chart: share of workloads in VMs, 16% in 2010 rising to 50% in 2012.
  5. Data Center Trends
     Headlines for the present and future: "Do more with less", "Connect everyone to everything".

     Driver                          | Past                              | Present & Future
     --------------------------------|-----------------------------------|-----------------------------------------------------
     Efficiency drives consolidation | Dispersed, physical               | Virtualization, blades, increased bandwidth
     New apps, protocols & traffic   | Legacy, client-server, IPv4, data | Legacy + web, IPv4 + IPv6, data + voice + video
     Threat landscape change         | Worms, viruses, Trojans, DDoS     | Sophisticated targeted attacks, re-perimeterization
  6. Securing the Data Center Attack Surface
     Attack surface exposed to attack traffic: data at rest, web apps, enterprise apps, operating systems, network devices.
     Controls shown: vulnerability scanning (protects against web app vulnerabilities) and an IPS platform in the path of the attack traffic.
  7. Security in virtual environment (section divider)
  8. Let's understand the following
     "40% of virtualized-environment deployment projects were carried out without the security team taking part in the initial architecture and planning stages."
     Most common risks in virtualization projects:
     - Lack of visibility and controls over VM-to-VM communication.
     - Potential loss of separation of duties (SoD) between the network and security teams once the environment is virtualized.
     - Workloads consolidated onto a single physical server.
     - Administrative access controls for the hypervisor/VMM.
     Source: MacDonald, Neal. Addressing the Most Common Security Risks in Data Center Virtualization Projects, Gartner, Inc., January 25, 2010
  9. Threats: virtualization security
     - Hyperjacking: rootkit-style attacks that take control of the hypervisor underneath the running virtual machines.
     - VM Escape: an exploit that lets code running inside a virtual machine break out of it onto the hypervisor or host.
     - VM Hopping: one virtual machine gains access to another virtual machine.
     - VM Theft: unauthorized access to copy the files that make up a VM (its disk and configuration files).
     - VM Sprawl: uncontrolled proliferation of virtualized server workloads.
     All of these are real possibilities, but there are practical realities!
  10. Features: layered defense
     - Deploy in-line threat inspection and blocking against attacks aimed at the hypervisor
     - Use zero-day protection programs
     - Converge IPS solutions (virtual and physical) to segment trust zones
     Diagram: core and Secure Network Fabric switch; virtualized server with VMs (App/OS) on vNICs, vSwitch and hypervisor over pNICs; physical servers alongside virtualized servers.
  11. HP Secure Virtualization Framework
     What it includes:
     - IPS platform with VLAN translation
     - Virtual Controller (vController)
     - Virtual IPS (vIPS), TippingPoint vIPS
     - SMS / VMC
     Benefits:
     - Threat blocking enabled for the virtual data center
     - Consistent security policy and compliance across the virtual and physical data center
     - Full security isolation of the VM, from other virtual machines and from hosts
     - Visibility and control through VMC integration
     - Optimized protection and performance with VMsafe, with options for inspection
     - Security for mobile VMs: security follows the VM
     - DVLabs threat coverage, presented as the best coverage available
     TippingPoint vController
  12. Operation: vController (diagram)
  13. Operation: vController (diagram, continued)
  14. Challenges Due to Virtualization (section divider: vController+vFW and vMC)
  15. The Virtual Network Visibility Gap
     1. Hypervisor security: mission critical; can't be secured with a virtual IPS; patches must be immediate.
     2. Host-to-host threats: an IPS can't be deployed in front of every server; VM-to-host security is also needed.
     3. VM-to-VM threats: virtual trust zones; traffic does not enter the physical network for inspection; a compromised VM can attack other VMs.
     4. VM mobility: vMotion launches VMs in separate sites for DR or other purposes; physical IPS options are cost prohibitive for these uses.
     Diagram: IPS platform behind the core switch, top-of-rack switch, three virtualized hosts with VMs (App/OS), and VMs moved to a separate site; the numbers mark where each gap sits.
  16. Secure Virtualization Framework, vController and vMC (section divider: vController+vFW and vMC)
  17. Secure Virtualization Framework (SVF)
     What's included:
     - IPS platform
     - Virtual Controller + Virtual Firewall (vController+vFW)
     - SMS / Virtual Management Center (vMC)
     Securing virtualization: a single, purpose-built DC security solution.
     Extend the IPS solution into the virtual DC: leverage previous IPS investments.
     Flexibly inspect data in both the physical and virtual DC.
     Diagram: TippingPoint IPS at the core switch and top-of-rack switch; VMware vCenter and VMC on the management network; inside the virtualized host, the hypervisor's vSwitch carries a VMsafe kernel module whose redirect policy steers application VM traffic to the vController+vFW service VM.
  18. Protect the High Value Data Center
     Start with DC perimeter protection: inspect ingress/egress traffic.
     Protect the DC attack surface:
     - Virtualization tools / hypervisor
     - Network infrastructure
     - Host servers and operating systems
     - Enterprise and web applications
     - Virtual desktop infrastructure (VDI)
     Virtual patching:
     - Protects rolled-back VMs
     - Protects VMs whose patching is out of date because of server/VM shut-downs
     Single set of security policies across the physical and virtual DC.
     Diagram: TippingPoint IPS at the core switch, top-of-rack switch, virtualized hosts and physical hosts.
  19. Visualize the DC and Deploy vController
     Simple VMC installation: VMware vCenter integration.
     VMC auto-discovery of virtualized hosts and VMs:
     - Real-time visibility of the virtual DC
     - Topology mapping of network paths
     VMC auto-deployment of vControllers to virtualized hosts: user-initiated, automatic deployment.
     Control VM sprawl.
     Diagram: VMC and VMware vCenter on the management network; TippingPoint IPS at the core switch; top-of-rack switch; virtualized hosts and physical hosts.
  20. Apply Security Policies Between DC Trust Zones
     Enforce security policies on:
     - Incoming DC traffic
     - Outgoing DC traffic
     - Physical host to physical host traffic
     - Physical host to VM traffic
     - VM to VM traffic
     Security policies follow VMs: policies apply to mobile VMs.
     Default security policies:
     - Apply to all new VMs or copied VMs
     - Untrusted VMs or zones
     Single set of security policies for protection of the entire DC.
     Diagram: VMC and VMware vCenter on the management network; TippingPoint IPS at the core switch and top-of-rack switch; inside the virtualized host, the VMsafe kernel module's redirect policy on the vSwitch sends application VM traffic to the vController+vFW service VM.
  21. VMware Ready
     VMware VMsafe hypervisor integration: vController is fully integrated with VMware vSphere using the VMsafe API.
     VMware vCenter integration: VMC is fully integrated with VMware's vCenter management console.
     Member of the VMware Global Technology Alliance Partner (TAP) Program.
     Certified under the "VMware Ready" program.
     Supports VMware vSphere 4 (ESX / ESXi 4).
  22. Data Center Security
     Diagram: N-Platform IPS at the top-of-rack switch in front of the physical Finance servers and physical R&D servers; a virtualized server cluster with a distributed vSwitch and one vController+vFW per zone (Finance zone, DMZ zone, R&D zone), each zone holding several VMs (App/OS).
     Single security model for the physical AND virtual data center.
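The "Virtual Network Visibility Gap", "Apply Security Policies Between DC Trust Zones" and "Data Center Security" slides above make three claims that are easy to state and easy to get wrong in practice: VM-to-VM traffic on one host never reaches the top-of-rack IPS, so the enforcement point has to sit at the vSwitch; a policy must be bound to the VM rather than to the host or port so that it survives vMotion; and a new or cloned VM must land in an untrusted default zone until someone classifies it. The Python sketch below is an added example, not HP or TippingPoint code and not the vController's actual policy format. The zone names Finance, DMZ and R&D come from the slides; the host names, VM UUIDs, the "untrusted" default zone, the ports and the flow records are all constructed for the example.

```python
"""Added example (not HP/TippingPoint code): a zone policy check at the vSwitch.

Intra-host VM-to-VM flows are inspected even though they never cross a pNIC,
policy is keyed on VM identity so it follows the VM on vMotion, and VMs with
no zone fall into an untrusted default.  Hosts, UUIDs, ports and flows are
constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

UNTRUSTED = "untrusted"   # assumed default zone for new, cloned or unclassified VMs


@dataclass(frozen=True)
class VM:
    uuid: str             # identity assumed stable across vMotion
    name: str
    host: str             # where the VM runs right now
    zone: Optional[str]   # None = not yet classified by the security team


@dataclass(frozen=True)
class Flow:
    src_uuid: str
    dst_uuid: str
    proto: str
    dst_port: int


@dataclass
class ZonePolicy:
    """(src_zone, dst_zone) -> allowed (proto, port); any missing pair is deny."""
    rules: Dict[Tuple[str, str], Set[Tuple[str, int]]] = field(default_factory=dict)

    def allows(self, src_zone: str, dst_zone: str, proto: str, port: int) -> bool:
        return (proto, port) in self.rules.get((src_zone, dst_zone), set())


class Inventory:
    """Stand-in for what a management center learns from vCenter: VM placement."""

    def __init__(self, vms: List[VM]) -> None:
        self._vms = {vm.uuid: vm for vm in vms}

    def lookup(self, uuid: str) -> Optional[VM]:
        return self._vms.get(uuid)

    def migrate(self, uuid: str, new_host: str) -> None:
        vm = self._vms[uuid]
        # Only the placement changes; uuid and zone travel with the VM.
        self._vms[uuid] = VM(vm.uuid, vm.name, new_host, vm.zone)


def effective_zone(vm: Optional[VM]) -> str:
    """Unclassified and unknown VMs are treated as untrusted, never as trusted."""
    if vm is None or vm.zone is None:
        return UNTRUSTED
    return vm.zone


def inspect(flow: Flow, inv: Inventory, policy: ZonePolicy) -> Tuple[str, str]:
    """Return (path, verdict).

    path is "intra-host" when both VMs share a host, i.e. the flow would stay on
    the vSwitch and a physical IPS at the top-of-rack switch would never see it.
    """
    src, dst = inv.lookup(flow.src_uuid), inv.lookup(flow.dst_uuid)
    path = "intra-host" if (src and dst and src.host == dst.host) else "cross-host"
    sz, dz = effective_zone(src), effective_zone(dst)
    verdict = "allow" if policy.allows(sz, dz, flow.proto, flow.dst_port) else "block"
    return path, verdict


def run_demo() -> List[Tuple[str, str, str]]:
    policy = ZonePolicy({
        ("DMZ", "Finance"): {("tcp", 443)},       # web tier may reach Finance over HTTPS
        ("Finance", "Finance"): {("tcp", 1433)},  # database traffic inside the Finance zone
        ("R&D", "R&D"): {("tcp", 22)},            # SSH inside R&D only
    })
    inv = Inventory([
        VM("vm-0001", "web-dmz-1", "esx-a", "DMZ"),
        VM("vm-0002", "fin-db-1", "esx-a", "Finance"),
        VM("vm-0003", "rnd-build-1", "esx-b", "R&D"),
        VM("vm-0004", "fin-db-1-clone", "esx-a", None),   # cloned, never classified
    ])
    cases = [
        ("dmz->fin https", Flow("vm-0001", "vm-0002", "tcp", 443)),
        ("dmz->fin ssh", Flow("vm-0001", "vm-0002", "tcp", 22)),
        ("rnd->fin https", Flow("vm-0003", "vm-0002", "tcp", 443)),
        ("clone->fin sql", Flow("vm-0004", "vm-0002", "tcp", 1433)),
    ]
    results = [(label, *inspect(f, inv, policy)) for label, f in cases]
    # vMotion of the Finance database to esx-b: paths change, verdicts must not.
    inv.migrate("vm-0002", "esx-b")
    results += [(label + " (after vMotion)", *inspect(f, inv, policy)) for label, f in cases]
    return results


if __name__ == "__main__":
    for label, path, verdict in run_demo():
        print(f"{label:32} {path:12} {verdict}")
```

Two things to check in the output: the blocked "dmz->fin ssh" flow is intra-host before the migration, so nothing at the top-of-rack switch could have stopped it, which is exactly the gap the slides describe; and the clone of the Finance database gets blocked even though it is byte-for-byte a Finance server, because the policy keys on the VM's assigned zone, not on what the VM contains, and an unassigned VM is untrusted by default.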
  23. Q&A
  24. Outcomes that matter.