The document discusses the challenges of providing secure networking in public and private cloud environments. It notes that security is difficult because connectivity needs to be provided by default while preventing unwanted connections, and that security policies are harder to apply than just enabling connectivity. The document also examines issues like tenant isolation, application isolation, multitenant challenges, identity and location-based security approaches, and how to better integrate security capabilities into cloud platforms like OpenStack. It argues that security must be designed into networks from the beginning as an integrated system rather than added as an afterthought.
Integrating network virtualization security in OpenStack Deployments.pdf
1. The Role of Networking in building
Secure Public/Private Clouds
Pere Monclus
Oct 18th, 2012
pmonclus@plumgrid.com
2. Networking Dilemma
Prevent Unwanted Connectivity (default closed) vs. Provide Connectivity (default open)
A matter of Policy
(figure: the two poles of the dilemma, labelled QoS)
3. Why so hard? (part 1)
Midsize Enterprise Network diagram (Cisco SAFE guides)
WHERE to apply Security Policies is harder than Connectivity
4. The approach to Security
Designing Network Security
• Adding Security as a self contained element
Designing Secure Networks
• Incorporate Security from the beginning
Network Security is a System!!
5. Why so hard? (part 2)
The problem doesn’t start at Network Security …
Business Needs → Risk Analysis → Security Policies → Security System
… yet it is often expected to be solved by a Network Service
6. And… what about Cloud?
Users / Tenants: Tenant 1, Tenant 2, Tenant 3, each with its own chain of Business Needs → Risk Analysis → Security Policies → Security System
Infrastructure Guarantees
Public / Private Cloud provider: its own chain of Business Needs → Risk Analysis → Security Policies → Security System, whose requirements are a superset of the tenants’ requirements
8. Tenant: Networking Application Isolation
Inbound/Outbound policies
(figure: two subnets, 10.0.1.0/24 and 10.0.2.0/24, with two VMs each)
Interface-attached network security policies
Services: FW, VPN, IPS, UTM, … (pics!)
Is this the right model in a virtual world?
9. What is Isolation? What SLA are we willing to sign up to?
Tenant owns?
• Subnet separation?
• Security rules?
• Security services (FW/IPS/UTM/…)
• Enforcement points?
• Inbound/Outbound enforcement?
• Common/Separate?
• New types
• How to merge policies?
• …
Provider owns?
• Network separation? Physical? Virtual?
• Transit Policies?
• Policy definition vs. Policy Rendering?
• Data Leakage?
• Proper workflows
• Physical Placement?
• Traffic confidentiality?
• ...
10. Security Life Cycle
What about?
• System Monitoring and Maintenance
• Compliance Checks
• Incident Response
• Forensics / Visibility / Analysis tools
Who owns that?
How do we cross from Provider to Tenant and still provide simple operational models?
14. Spoofing/MitM v2.0 (Provider Worries)
Can I compromise/impersonate a VM/Server/Port?
• How to prevent the provisioning of a rogue Server
• How to prevent the provisioning of a rogue VM
• How to prevent the provisioning of a rogue Port / Taps
But… if it happens:
• How to prevent the ‘connectivity’ of a rogue Server / VM / Port to a physical or logical network
(* Not to enter into discussions about securing the Cloud Controller)
16. Identity and Location to the rescue
Understanding the linkage between Physical and Virtual
Understanding the linkage between Identity and Address
17. Multisite Clouds
Physical/Virtual and Identity/Address expand across Datacenters
18. Possible steps to integrate Security in OpenStack
• Service Insertion (choke points at the Operator and Tenant level)
  • Physical Appliances
  • Virtual Appliances
  • Distributed Appliances
• New policy capabilities
  • Applied at the VM interface level (definition-rendering problem)
  • Identity based
• Proper articulation of Virtual/Physical bindings
• Cloud Controller workflows for security
• Discussion on where to apply/attach global policies
• What SLAs and Certifications will the Tenants expect?
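The following is an added example, not code from the original slides or from PLUMgrid. It ties together three points of the deck: interface-attached policies (slide 8), keeping a rogue VM from borrowing another address (slide 14), the identity/address linkage (slide 16), and the definition-versus-rendering step in the previous list. A tenant defines policy in terms of identity (which VM role may reach which), and a renderer turns that into per-interface, default-closed rules bound to the MAC/IP the cloud controller assigned to each port. The port names, addresses, roles and the one policy rule are constructed for illustration.

```python
"""Identity-based policy definition rendered to interface-attached rules.

Added example (constructed data). Tenants write policy against VM roles;
the provider renders it into per-port ingress allow sets and enforces an
egress anti-spoofing check tied to each port's assigned MAC/IP.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    """A VM interface as the cloud controller provisioned it."""
    name: str
    tenant: str
    vm_role: str   # identity used by the tenant policy ("web", "db", ...)
    mac: str
    ip: str


@dataclass(frozen=True)
class PolicyRule:
    """Tenant-level definition: src_role may reach dst_role on a TCP port."""
    tenant: str
    src_role: str
    dst_role: str
    dport: int


@dataclass(frozen=True)
class Frame:
    src_mac: str
    src_ip: str
    dst_ip: str
    dport: int


def render(ports, policy):
    """Turn identity-based rules into per-port ingress allow sets.

    Returns {port_name: {(src_ip, dport), ...}}. Anything absent from a
    port's set is denied (default closed). Rules only bind ports of the
    same tenant, so a role name reused by another tenant never matches.
    """
    ingress = {p.name: set() for p in ports}
    for rule in policy:
        srcs = [p for p in ports if p.tenant == rule.tenant and p.vm_role == rule.src_role]
        dsts = [p for p in ports if p.tenant == rule.tenant and p.vm_role == rule.dst_role]
        for d in dsts:
            for s in srcs:
                ingress[d.name].add((s.ip, rule.dport))
    return ingress


def forward(ports, ingress, egress_port, frame):
    """Apply egress anti-spoofing, tenant isolation, then ingress policy.

    Returns "deliver", "drop:spoof", "drop:no-route" or "drop:policy".
    """
    src = next(p for p in ports if p.name == egress_port)
    # Identity/address linkage: a port may only send as the MAC/IP bound to it.
    if (frame.src_mac, frame.src_ip) != (src.mac, src.ip):
        return "drop:spoof"
    # Tenant networks are separate address spaces: look up the destination
    # only inside the sender's tenant, so overlapping IPs never cross tenants.
    dst = next((p for p in ports if p.tenant == src.tenant and p.ip == frame.dst_ip), None)
    if dst is None:
        return "drop:no-route"
    if (frame.src_ip, frame.dport) in ingress[dst.name]:
        return "deliver"
    return "drop:policy"


# Constructed inventory: two tenants, with "globex" reusing an "acme" address.
PORTS = [
    Port("t1-web1", "acme", "web", "fa:16:3e:00:00:01", "10.0.1.10"),
    Port("t1-db1", "acme", "db", "fa:16:3e:00:00:02", "10.0.2.10"),
    Port("t1-batch", "acme", "batch", "fa:16:3e:00:00:03", "10.0.1.11"),
    Port("t2-web1", "globex", "web", "fa:16:3e:00:00:04", "10.0.1.10"),
]
POLICY = [PolicyRule("acme", "web", "db", 5432)]   # acme: web tier -> db on 5432


def demo():
    """Render the policy and push four constructed frames through it."""
    ingress = render(PORTS, POLICY)
    to_db = lambda mac, ip: Frame(mac, ip, "10.0.2.10", 5432)
    return {
        "web_to_db": forward(PORTS, ingress, "t1-web1", to_db("fa:16:3e:00:00:01", "10.0.1.10")),
        "batch_to_db": forward(PORTS, ingress, "t1-batch", to_db("fa:16:3e:00:00:03", "10.0.1.11")),
        "batch_spoofs_web": forward(PORTS, ingress, "t1-batch", to_db("fa:16:3e:00:00:01", "10.0.1.10")),
        "other_tenant_web": forward(PORTS, ingress, "t2-web1", to_db("fa:16:3e:00:00:04", "10.0.1.10")),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:18s} {verdict}")
```

The rendering step is where the "definition-rendering problem" shows up in practice: when the tenant adds a second web VM, nothing in the policy changes, but `render` must run again so the new port's address appears in the db port's allow set, and the egress check must be bound to that port before it is allowed to attach. The spoof case is dropped at the sender's interface, not at the destination, which is what makes the check independent of where the destination's rules are rendered.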
19. Conclusion
• No easy answer to Security
• Blurring the line between Virtual and Physical networks brings many additional challenges and OPPORTUNITIES
• Centralized control structures are more vulnerable. Need proper workflows.
• Incorporate Security from the early stages; it is difficult to bolt it on later
20. Questions?
Pere Monclus
pmonclus@plumgrid.com
www.plumgrid.com