Clavister – Virtual Security

May 2010
[Nicola Sotira, VP Sales Italia]

Clavister security for virtualized environment

we are network security

Published in: Technology

  1. Clavister – Virtual Security, May 2010 [Nicola Sotira, VP Sales Italia]
  2. Company Overview
     • A leading European provider of network security solutions for Service Providers, Enterprise and Government customers
     • Our solutions protect against:
       – Hackers
       – Intrusions
       – Information theft
       – Eavesdropping
       – Viruses
       – Spam
       – Malicious content
       ... and more
  3. Proven track record and industry experience
     • Long-term experience from securing some of the world’s most demanding networks
     • Protecting 100.000+ networks and 20.000+ customers
     • Customers include:
     • Complete and mature product portfolio designed for performance and scalability
  4. Established market position
     • Recognized as one of the top 12 suppliers in the world by analyst Gartner Group
     • Several technology awards and product recognitions in magazines
     • Technology partnerships with leading industry partners including Cavium Networks, RadiSys, Kaspersky and VMware
  5. Global Presence
     • About 70 employees
     • Headquarters in Örnsköldsvik, Sweden
     • Sales offices in Europe and Asia
       – Stockholm, Sweden
       – Hamburg, Germany
       – Paris, France
       – Torino, Italy
       – Singapore
       – China (5 locations)
     • 100+ Solution and Channel Partners worldwide
  6. Clavister SSP – The Portfolio
  7. CorePlus – The Core in our Products
     Secure & Robust
     • Our proprietary, purpose-built network security operating system
     • No inheritance of vulnerabilities from an underlying Operating System
     • Minimal footprint and attack surface
     Compact, Optimized & Scalable
     • Optimal resource utilization
     • High performance with high reliability
     • xPansion Lines Licensing offering scalability
     Fine granular Control
     • Seamless integration of all subsystems, in-depth administrative control
  8. Technology – Complete Feature set
     • Clavister’s next-generation network security software, designed to meet the challenging requirements of modern IP networks.
     Clavister CorePlus
     NETWORK SECURITY / L7 SECURITY / PROXIES / TRAFFIC MANAGEMENT
     • Traffic Shaping (Pipes) • DoS Prevention • Consistency Checking • Deep Inspection • Anti-virus • HTTP • FTP • TFTP • PPTP • Policy-based • Stateful Inspection Firewalling • IDP / IDS • SIP • Rate Limiting • Multiple, chained, Rule-sets • Web Content Filtering • SMTP • Server Load Balancing • Address Translation • Anti-Spam • POP3
     TUNNELING / AUTHENTICATION / DHCP / CLUSTERING
     • IPsec (IKEv1 / IKEv2) • RADIUS • Client • Fully state-synced HA • PPP • LDAP • Server • Virtualization & vmHA • L2TP (Client/Server) • Local Databases • Relayer • PPTP (Client/Server) • PAP / CHAP • IP Pools • GRE • Form (HTTP / HTTPS) • GTP • EAP-SIM / AKA / MD5 / TLS
     INTERFACES / ROUTING / MANAGEMENT
     • Gigabit Ethernet • Static • Load Balancing • InControl • SMTP Logging • Fast Ethernet • Policy-based • Fail-over • Web User Interface • SNMP Poll / Traps • VLAN • Transparent (L2) • OSPF • CLI (SSH / Console) • Real-time Counters • Proxy ARP • IGMP • Secure Copy (SCP) • Alarms • Virtual • PIM-SM • Syslog • PCAP Recording • Multicast • FWLog
     Copyright © 2009 Clavister AB. All rights reserved. 2010-05-17
  9. Clavister Security Gateways
     • Hardware
     • Software
     • Virtual
     Clavister xPansion Lines™
  10. Virtual Security – For Enterprises
  11. Evolution of Virtualization
  12. Virtualization going forward
     IT as a Service, just like…
     • Inexpensive, usage based, pay-as-you-go
     • Ubiquitously available
     • Reliable
     • Choice of providers
  13. The virtual network – not just for the server guys
     Traditional Network
     • Multitude of network segments which divide the servers
     • Communication between zones is monitored and secured
     Virtual Network
     • Fewer network segments
     • Communication between virtual machines is not monitored or secured
     ! DANGER
  14. Communication Path Diagram
     • Inter-communication traffic is limited by VLANs but not secured, which is a critical security issue and one which needs to be addressed
     • Diagram labels: Web Front-End Zone, Middleware / Business Logic Zone, Back-End Database Zone, Virtual Switch
     Copyright © 2008 Clavister AB. All rights reserved.
  15. Mixing physical security and virtual networks
  16. Drawbacks With “Mixed Solutions”
     • Looks good at first glance but not as attractive in the longer run!
     • You will still have to rely on external, non-virtual appliances
     • Forces you to create isolated islands instead of a dynamic and scalable pool of resources
     • Virtual yes, cloud no!
     • Does not allow you to protect the private cloud, which might be a mix of on-site and off-site resources
     • Does not benefit from Redundancy and Disaster Recovery tools
     • Makes it very difficult to create team- or project-oriented silos, which is very common in e.g. consulting and media companies
  17. The fully virtualized solution
  18. The Clavister Virtual Security Gateway Solution
     • No underlying Operating System – Only Clavister CorePlus
     • Runs in the virtual infrastructure and benefits from the virtualization itself:
       – Easy to deploy, highly redundant, scalable, simplified maintenance, etc.
     • Templates & workflows – Ideal for large installations e.g. Managed Services, Utilities such as smart grid, wind/solar power etc.
  19. Clavister Virtual Security Gateway Solution
     • Virtual Machines (VMs) are not allowed to talk with each other without first going through the Virtual Security Gateway
     • All security inspections which would have been performed by a physical security gateway in a physical structure are done “in-line” in the virtual environment.
  20. Communication Path Diagram
     • All virtual machines and their inter-communication are secured using best-in-class virtual security gateways, which enables mission-critical applications to be virtualized without compromises to the security policies
     • Diagram labels: Web Front-End Zone (ETH1), Clavister Virtual Security Gateway, Middleware / Business Logic Zone (ETH2), Back-End Database Zone (ETH2), Virtual Switch
  21. Troubleshooting, Monitoring, Alarms & Auditing
     • Troubleshoot communication using:
       – Real-time monitoring with filters
       – PCAP & Memlog recording
       – Log analysis
     • Monitor behavior of traffic using:
       – SNMP
       – Real-Time monitoring
       – Real-Time KPI dashboards
     • Create custom and policy-based alarm events (thresholds etc.)
     • Full auditing capabilities using:
       – Built-in log viewing applications
       – External SIEM systems
  22. Typical Enterprise Environment
     • Disaster Recovery or Lab/Test Network
     • Virtualized production infrastructure
     • Traditional physical server network
  23. Fully virtualized DMZ Network Diagram
  24. Clavister VSG Models & Dimensioning
     Model   | Plaintext Performance (Mbit/s)* | VPN Tunnels | VLAN | Concurrent Connections
     VSG21   | 50                              | 25          | 4    | 4000
     VSG110  | 200                             | 200         | 64   | 16000
     VSG510  | 500                             | 500         | 128  | 64000
     VSG1100 | 1000                            | 1000        | 512  | 256000
     Recommended Application
     • VSG21: Test & Lab Networks with no or very low performance demands
     • VSG110: Small installations with a limited amount of protected VMs with low to medium performance demands
     • VSG510: Medium and Large installations with medium to high performance applications such as web/mail/citrix/databases and similar
     • VSG1100: Large installations with medium to high performance applications such as web/mail/citrix/databases and similar
  25. Features
     • Protect Virtual Servers
       Segregate virtual machines from each other and prevent hackers from jumping from one machine to another, without having to use physical appliances and create isolated islands.
     • Secure Cloud Infrastructures
       Enforce network security within the private cloud, both for the part of the cloud which is running in your datacenter and the part that you might have outsourced to a hosting provider.
     • Secure Inter-Communication
       Utilize VPN encryption to secure communication between virtual machines.
     • Achieve Auditing and Regulatory Compliance
       Since the virtual security gateway can be run inside the virtual infrastructure, security auditing can be achieved and thereby regulatory compliance requirements can be met.
     • No Security Policy Compromises for Virtual Environments
       Utilize your standard set of policies not only for physical machines but just as easily for virtual ones.
  26. Benefits
     • Scalability
       Users can now extend security by simply deploying new security gateways as they go.
     • Lower CAPEX
       Virtualization opens up for new business models where CAPEX is minimized.
     • Simplified Maintenance
       Security components inherit all manageability features from a virtual environment, such as fail-over, provisioning, and so forth.
     • Minimized downtime
       Less hardware in combination with highly efficient disaster recovery and redundancy tools such as VMotion reduces downtime and improves the overall in-service performance of the security solution.
     • Simplified Test/Lab testing
       Since the virtual security gateway is a part of the virtual infrastructure, it becomes easier to create lab/test environments, which decreases the complexity of security tests, which in turn improves the overall security.
  27. Why Clavister VSG is better than physical UTMs
     • No need to create isolated islands
       Creating security zones inside the virtual infrastructure using physical gateways forces you to have all traffic routed out of the infrastructure and then back in. This leaves you with isolated islands, which means additional administration and limits the possibilities to leverage cloud-like resource pools and many of the fundamental virtualization benefits.
     • Improves the consolidation ratio
       By using the Clavister Virtual Security Gateway to create security zones within a homogeneous physical pool of resources, you avoid creating the isolated islands which are necessary when using physical UTM gateways. The consolidation ratio can be improved since you do not have to have the extra performance overhead distributed on each island. This becomes especially important when using the VMware Dynamic Resource Scheduler, which can move VMs between physical hosts and allocate more CPU and RAM at run-time using the hot-add functionality.
  28. Why Clavister VSG is better than physical UTMs
     • Leverages virtualization benefits also for security gateways
       Virtualization offers many benefits such as 100% guaranteed availability, disaster recovery, ease of deployment and simplified administration. The Clavister VSG can leverage all these benefits as it runs as a part of the virtual infrastructure. Physical gateways can never leverage these benefits; they actually limit the possibilities for the rest of the IT infrastructure to benefit from them as well.
     • Improved SLAs and better control
       With the security gateway running inside the virtual infrastructure you can improve your SLAs and make the SLA reporting and prediction much more efficient, since you do not have to rely on external equipment not under the control of the virtual infrastructure. Physical appliances used for protecting the “isolated” islands are often also used for the other physical infrastructure, thereby creating a structure where modifications in the physical infrastructure might also disturb your virtual datacenter.
  29. Why Clavister VSG is better than other VSGs
     Clavister VSG Advantages:
     • No Operating System
     • Proven & Trusted
     • Complete Security
     • Scalable Licensing
     • Unified Management
  30. Advantages – No OS
     No underlying Operating System
     Clavister Virtual Security Gateways do not have an underlying Operating System, which is the case for most other virtual security gateways. The Clavister VSG only uses Clavister CorePlus, which is our “bare-metal” security gateway application with built-in operating system functionality.
     The Size does matter!
     There are many benefits of not having an underlying operating system. Patch management is one of them. In many cases the underlying OS has a very large footprint (Checkpoint has a footprint of more than 10 GB) which is made up of features and functions which do not have anything to do with the security function. Nonetheless, the OS needs recurring updates even if the patches do not have anything to do with the security itself. Equally often these patches require restarts and reboots. In the end the result of having a bulky OS to run the security gateway is less predictable quality, additional administration, unnecessary maintenance, etc.
     Diagram:
     • Clavister VSG – Footprint 32 MB: Clavister CorePlus / Virtual Machine / Hypervisor
     • Other Vendors – Footprint 500MB - 12 GB: VSG Application / Operating System / Virtual Machine / Hypervisor
  31. Advantages – No OS – Footprint Comparison
     • Checkpoint VPN1-VE: Min 12GB Storage, Min 512 MB RAM
     • CorePlus: 2MB actual footprint, Min 32MB Storage*, Min 32MB RAM
     *The minimum storage size of a virtual machine in VMware ESXi is 32MB even if the application is smaller
  32. Advantages – Proven and Trusted
     • Large Install base
       Clavister CorePlus is today being used in more than 100.000 installations world-wide, ranging from small office/home office to large enterprises, military, government and telecom networks.
     • Mature Technology
       CorePlus has been on the market since 1997, has a high level of maturity and does not suffer from the childhood diseases which might be the case for newer products and technologies.
     • Long term history and track record
       CorePlus is a mature product with a history that dates back to 1997. CorePlus also has an impressive track record of being used in some of the world's most demanding networks, including telecom operator networks and customers like France Telecom/Orange, Roger Wireless, Terremark, SAAB, French Navy/Military, etc.
     • Large Virtual Networks Experience
       CorePlus has been used as virtual security gateways in some of the world's largest virtual infrastructures, with more than 1000 sites/virtual machines and >100.000 users, which probably makes it the world's largest deployment of virtual security gateways.
  33. Advantages – Complete Security
     • Not only a firewall or an IDS
       Clavister CorePlus is a complete Unified Threat Management solution with comprehensive protection against modern attacks and security threats. Most other virtual security gateways are early-to-market solutions which only cover a limited set of protection features, such as only being a firewall, only being an IDS solution etc.
     • Complete yet scalable and dynamic
       Even though Clavister Virtual Security Gateways have a very comprehensive set of features, you as an administrator can orchestrate the solution to run only the features you want, thereby making the solution more adaptable to your real network with minimum overhead.
     • Complete feature set – High Performance
       Thanks to the unique design of the Clavister Virtual Security Gateways and the CorePlus firmware, which has a minimum overhead and is optimized for the security functions only, performance figures of multiple gigabit can be achieved even in the virtual infrastructure.
  34. Advantages – Scalable licensing
     • Licensing per Gateway – Not per Virtual Machine
       The Clavister Virtual Security Gateways are licensed on a per gateway basis, not per virtual machine being protected. This means that you do not have the hassle of upgrading licenses for the security gateway every time you wish to add new virtual machines to your infrastructure. It also enables a much more cost-effective setup in larger environments and provides a much more predictable Total Cost of Ownership. This is especially important in scenarios where you expect an increased demand for new servers and functions as IT becomes more available.
     • Feature & Capacity Differentiated License Models
       The Clavister Virtual Security Gateways are offered in four different license models, each with a different amount of performance, capacity and features. This enables you to choose the model that fits your needs best. Customized license models can also be offered for specific needs, e.g. power utilities, managed security services, etc.
  35. Advantages – Unified Management
     • Software, Hardware, Virtual
       The Clavister Virtual Security Gateways are managed using the exact same management software as the hardware and software based versions, i.e. Clavister InControl. This means that you can manage and administer your entire network security architecture using one and the same system, independently of the platform. This not only lowers your administration costs but also helps make your overall security stronger compared to other virtual machines which require you to learn a completely new management interface for the virtual infrastructure alone.
     • Integrate with your business process and other IT systems
       The Clavister InControl management suite offers a full-blown Application Programming Interface which enables you to integrate the management and administration of the Virtual Security Gateway with your other core IT systems. Through this integration capability you are able to have your network operating central system manage the virtual security gateway, your IT support staff take care of simple tasks from the support systems, and similar. The advantage of this is that you are able to lower administrative costs and become more responsive to your users and business demands.
  36. Virtual Security for Service Providers
  37. xSPs / Telecom Operators – Market Situation
     Competitive Market
     • Highly competitive and saturated market
     • Recruiting new customers is expensive
     • Operational efficiency is a must to remain competitive
     Financials
     • Low and decreasing profit margins for traditional offerings
     • Increasing Average Revenue Per User (ARPU) is absolute key to growth & success
     • Financial crisis drives the need to offer cost-saving services to customers
     First mover advantage
     • Time between visionary to market leadership is shorter than ever
  38. Clavister vSeries – Value Proposition for xSPs
     • Opportunity to take first mover advantage
     • A value-adding and unique security offering
     • Create your own attractive security services portfolio: (Firewall, VPN, Content Filtering, IDP, Anti-Virus…)
     • Leverage existing virtual infrastructures
     • Extreme Scalability, Deployment, SLA, etc.
     • Increase your Average Revenue Per User (ARPU)
     • Low capital investment – Expands as you grow
  39. Clavister vSeries – What it is
     Security Platform
     • Best-of-breed Security Gateways
     • Clavister Security Services Platform (SSP), our offering for Service Providers
     Virtual for optimal scalability and financial benefits
     • Runs inside a virtual infrastructure (e.g. VMware / Xen / Microsoft)
     • Runs in your datacenter (each customer gets a dedicated security gateway)
     • Extremely resource efficient - More gateways on less hardware
     Designed for Operators
     • MSSP friendly Management & Operations
     • Extremely scalable - Provision 1 gateway just as easily as 100.000
  40. Business Case 1 – Internet Service Providers
  41. Security Services for Internet Subscribers
     • Value Add Services for Internet Subscribers
       – Added on top of internet connection bill
       – Increase ARPU - Offer the services to all existing customers
       – First mover advantage – Infrastructure as a Service (IaaS) already today
     • Plug-in Solution for the Broadband Network Datacenter
       – No need for End User Equipment
       – Efficient Management and Maintenance
       – Optimized Provisioning Capabilities
     • Customer Focused Service Packages
       – Small & Medium Business
       – Remote Office
       – Retail Stores…
  42. Security Service Network Diagram
     • Services: Firewall, VPN, Content Filtering, IDP, Anti-Virus, Reporting, Provisioning
     • Diagram labels: ADSL Customer #1, ADSL Customer #2, B-RAS, Core Switch, HW Layer, VM Layer, Virtual Infrastructure, Datacenter Core Network
  43. Customer Experience - Deployment
     1. Choose Service
     2. Automatic deployment
     3. Use the service ( < 1 hour )
  44. Summary – Virtual Security Services
     • New business opportunities
       – Offer cost-efficient security services
     • Financial Upsides
       – Increase Average Revenue Per User (ARPU)
       – Improve profit margin
     • First mover advantage
       – Gain or secure market leadership
       – Interesting product portfolio
     • Provisioning & Operations
       – Extremely efficient deployment (minutes instead of days & weeks)
       – Based on tested & proven industry standard technologies (Clavister, VMware, IBM/HP/Dell)
       – Extremely scalable
  45. Business Case 2 – Hosting Providers
  46. Business Case – Service Providers (Hosting)
     • Value Adding
       Offer value-adding managed security services to hosting customers.
     • Tailor made service portfolio
       Use the pick-n-choose service packaging
     • Operational Efficiency
       Automatic deployment without any human intervention
     • Accelerates hosting business
       Makes customers more comfortable hosting sensitive applications (Cloud and utility computing is specific)
     • Increase ARPU
     • Low investment - High profit margins
  47. SMB - Hosting Security Services
     • Hosted - Virtual Machines (dedicated or part of a cloud): Microsoft Exchange, Web Server, FTP Server
     • Virtual Security Gateway (managed or self-managed): Firewall, VPN, Content Filtering, IDP, Anti-Virus, Reporting
     • Diagram labels: Customer #1, Customer #2, Customer #3, Datacenter Core Network
  48. Customer Experience - Deployment
     1. Choose Service
     2. Automatic deployment
     3. Use the service ( < 1 hour )
  49. Business Benefits
     • Price-efficiency – Use VMware and Clavister to provide dedicated firewall, VPN, IDP and reporting capabilities in a price-efficient manner to customers of all sizes
     • Scalability – Start with a virtual gateway and grow to a dedicated platform when the need for performance and functionality increases
     • Deployment – Virtual appliances are turn-key solutions and can be deployed within minutes
     • Convergence and standardization on robust hardware – Utilize standardized hardware also for security services
     • Provide Improved SLAs – Utilize tested VMware redundancy and clustering in order to provide improved SLAs for security services
     Copyright © 2008 Clavister AB. All rights reserved.
  50. Terremark - Reference Customer
     About Terremark
     Terremark Worldwide's (NASDAQ:TMRK) acclaimed Infinistructure utility computing architecture has redefined industry standards for scalable and flexible computing infrastructure, and its digitalOps service delivery platform combines end-to-end systems management workflow with a comprehensive customer portal.
     TERREMARK AT A GLANCE
     • NASDAQ: TMRK
     • Leader in managed IT infrastructure services (Gartner - Leaders Quadrant)
     • Datacenters in the United States, South America and Europe
     • SAS 70 Type II Certified
     • Microsoft Gold Certified Partner
     • United States General Services Administration (GSA) Schedule# GS35F0073U
  51. Thank You
     Contact Information:
     Nicola Sotira
     Email: nicola.sotira@clavister.it
     Phone: +39 011 5069369
     Mobile: +39 335 7888968
