This document discusses HP TippingPoint's IPS and virtualization security solutions for data centers. It provides an overview of the modern threat landscape facing applications, and introduces HP TippingPoint's IPS platform and product lines. Key details include the platform's performance capabilities, available models in the S-Series and N-Series, and the TippingPoint 1200N embedded IPS module for HP switches. Virtualization security solutions are also briefly mentioned.
3. DATA CENTER TRENDS
Connect Everyone to Everything / Do More With Less
Change, from Past to Present to Future:
Efficiency Drives: Dispersed, Physical -> Consolidation -> Virtualization, Blades, Increased Bandwidth
New Apps, Protocols & Traffic: Legacy, IPv4, Data -> Client Server, Legacy + Web, Data + Voice + Video -> IPv4 + IPv6
Threat Landscape: Worms, Viruses, Trojans -> Sophisticated Targeted DDoS Attacks -> Re-Perimeterization
5. WHAT ABOUT THE FIREWALL?
In simplest form….
• Separates distinct security zones
• Designed to block or allow traffic based on a set of rules
• Rejects all unauthorized ports/protocols at the edge of a security zone
• Very good at ensuring network resources (servers, clients, etc.) only see required traffic
• Can also be generally responsible for VPN, NAT, redirection, proxying, etc.
6. WHAT ABOUT THE FIREWALL?
(Slide overlay: Browser exploits, Drive-by DL, Adobe exploits, SQL Injection, DDoS, Spyware, PHP File Include, XSS, …)
In simplest form….
• Separates distinct security zones
• Designed to block or allow traffic based on a set of rules
• Rejects all unauthorized ports/protocols at the edge of a security zone
• Very good at ensuring network resources (servers, clients, etc.) only see required traffic
• Can also be generally responsible for VPN, NAT, redirection, proxying, etc.
7. IPS PLATFORM INTRODUCTION
Diagram: Security Management System; Unknown Traffic Goes In -> IPS Platform -> Clean Traffic Comes Out
Designed for future security demands and services
Proactive: • In-line reliability • In-line performance (throughput/latency) • Filter accuracy
Security: • Leading security research • Fastest coverage • Broadest coverage
Costs: • Quick to deploy • Automated threat blocking • Easy to manage
11. HP TIPPINGPOINT 1200N EMBEDDED IPS PLATFORM
– TippingPoint IPS module brings industry leading IPS, including Digital Vaccine and Reputation DV service, to any A7500 series switch
– 1.3 Gbps aggregate inspection throughput across 2 x 1Gb copper or 1 x 10Gb backplane interface
– A unified network and security management framework based on TippingPoint’s Security Management System (SMS) integrated with HP’s Intelligent Management Center (IMC)
(Figure labels: HP A7500 Switch Series; HP TippingPoint 1200N IPS)
15. PROVEN IN-LINE FILTER ACCURACY
UNMATCHED ACCURACY FROM DVLABS AND DIGITAL VACCINE
Term / Definition
Vulnerability: Security flaw in a software program
Exploit: Attack on a vulnerability to:
  • Gain unauthorized access
  • Create a denial of service
Exploit Filter: Stops a single exploit
  • Easy to produce
  • Typically produced due to IPS engine performance limitations
  • Results in missed attacks and false positives
Vulnerability Filter: Stops all exploits attacking the vulnerability
Diagram labels: Standard IPS Exploit Filter for Exploit A; Exploit A; Exploit B (missed by Exploit Filter A); False Positives (coarse filter); Vulnerability Filter; Vulnerability
TippingPoint’s vulnerability filter acts like a Virtual Software Patch, eliminating false positives
September 22, 2010
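The slide contrasts an exploit filter (matches one exploit's pattern, misses variants, and grows coarse and false-positive-prone when widened) with a vulnerability filter (tests the condition every exploit of the flaw must satisfy). The following is an added example, not code from the presentation or from TippingPoint's Digital Vaccine: a constructed line-based protocol with a hypothetical server-side flaw (a NAME field copied into a 64-byte buffer), two constructed exploits that differ only in padding, three benign messages, and the three filter styles scored for missed attacks and false positives. The protocol, buffer size, signatures and sample traffic are all assumptions made for the illustration.

```python
"""
Exploit filter vs. vulnerability filter on a constructed line-based protocol.

Hypothetical vulnerability (constructed for this example): the server copies
the NAME field of a 'HELLO NAME=<value>\\r\\n' request into a fixed 64-byte
buffer without checking its length. Every message, signature and limit
below is constructed; none comes from a real product or vendor.
"""
import re
from typing import Dict, Optional, Set, Tuple

NAME_BUFFER_SIZE = 64  # hypothetical size of the server's NAME buffer


def parse_name(message: bytes) -> Optional[bytes]:
    """Return the NAME field of a well-formed request, or None."""
    m = re.match(rb"HELLO NAME=(.*?)\r\n\Z", message, re.DOTALL)
    return m.group(1) if m else None


def exploit_filter_a(message: bytes) -> bool:
    """Exploit filter: signature of one known exploit (A), whose padding is
    a long run of 'A' bytes. Cheap, but blind to any other padding."""
    name = parse_name(message)
    return name is not None and b"A" * 32 in name


def coarse_exploit_filter(message: bytes) -> bool:
    """Exploit filter widened to catch variants: any byte repeated 8+ times.
    Catches A and B, but also flags legitimate names (false positives)."""
    name = parse_name(message)
    return name is not None and re.search(rb"(.)\1{7}", name, re.DOTALL) is not None


def vulnerability_filter(message: bytes) -> bool:
    """Vulnerability filter: tests the condition every exploit of this flaw
    must satisfy (NAME longer than the buffer), independent of padding."""
    name = parse_name(message)
    return name is not None and len(name) > NAME_BUFFER_SIZE


# Constructed sample traffic. The two exploits differ only in their padding.
SAMPLES: Dict[str, bytes] = {
    "benign_short": b"HELLO NAME=alice\r\n",
    "benign_repeated": b"HELLO NAME=W" + b"o" * 11 + b"w Inc.\r\n",
    "benign_max": b"HELLO NAME=" + b"abcdefgh" * 8 + b"\r\n",  # exactly 64 bytes
    "exploit_a": b"HELLO NAME=" + b"A" * 200 + b"\r\n",
    "exploit_b": b"HELLO NAME=" + b"B" * 200 + b"\r\n",
}
MALICIOUS: Set[str] = {"exploit_a", "exploit_b"}

FILTERS = {
    "exploit_filter_a": exploit_filter_a,
    "coarse_exploit_filter": coarse_exploit_filter,
    "vulnerability_filter": vulnerability_filter,
}


def evaluate(filters=FILTERS, samples=SAMPLES) -> Dict[str, Dict[str, bool]]:
    """Verdict of every filter on every sample; True means 'blocked'."""
    return {fname: {sname: f(msg) for sname, msg in samples.items()}
            for fname, f in filters.items()}


def score(results: Dict[str, Dict[str, bool]],
          malicious: Set[str]) -> Dict[str, Tuple[int, int]]:
    """Per filter: (missed attacks, false positives)."""
    scores = {}
    for fname, verdicts in results.items():
        missed = sum(1 for s, blocked in verdicts.items() if s in malicious and not blocked)
        false_pos = sum(1 for s, blocked in verdicts.items() if s not in malicious and blocked)
        scores[fname] = (missed, false_pos)
    return scores


if __name__ == "__main__":
    for fname, (missed, false_pos) in score(evaluate(), MALICIOUS).items():
        print(f"{fname:22s} missed_attacks={missed} false_positives={false_pos}")
```

Running it shows the trade-off the slide describes: the narrow exploit filter misses exploit B, the widened one catches both but blocks a legitimate name, and the vulnerability filter blocks both exploits while letting through even a name that sits exactly at the 64-byte limit.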
16. REPUTATION DIGITAL VACCINE
Keep the bad guys and the botnets off your network
Reputation Database: • IPv4 & IPv6 Address • DNS Names • Geography • Merge with your data
Diagram: Internet – IPS Platform – Access Switch
BLOCK OUTBOUND TRAFFIC: • Botnet Trojan downloads • Malware, spyware, & worm downloads • Access to botnet CnC sites • Access to phishing sites
BLOCK INBOUND TRAFFIC: • Spam and phishing emails • DDoS attacks from botnet hosts • Web App attacks from botnet hosts
Botnets Currently Being Tracked: Conficker, ZeuS, Kraken, Srizbi, Torpia, Storm, Asprox, Gumblar, Koobface, Mariposa, Dark Energy
17. 2010: DATA CENTER VIRTUALIZATION REACHES THE TIPPING POINT
Leading in Times of Transition: the 2010 CIO Agenda (Survey of 1,586 CIOs)
• Virtualization becomes #1 Technology Priority in 2010
• Displaces Business Intelligence, which held top position for the last 5 yrs!
Chart (2010–2012): ~58 million deployed x86 machines; share of workloads running in virtual machines grows from 16% to 50%
Source: Gartner Says 16% of Workloads are Running in Virtual Machines Today. Will grow to 50% by 2012 (October 2009)
18. BUT WHAT ABOUT SECURITY?
“60 Percent of Virtualized Servers Will Be Less Secure than the Physical Servers They Replace Through 2012”
I. Information Security Isn't Initially Involved in the Virtualization Projects
II. A Compromise of the Virtualization Layer Could Result in the Compromise of All Hosted Workloads
III. Workloads of Different Trust Levels Are Consolidated onto a Single Physical Server Without Sufficient Separation
IV. Adequate Controls on Administrative Access to the Hypervisor/VMM Layer and to Administrative Tools are Lacking
V. There Is a Potential Loss of SOD for Network and Security Controls
...
Source: MacDonald, Neal. Addressing the Most Common Security Risks in Data Center Virtualization Projects, Gartner, Inc. January 25, 2010
SOD: Separation Of Duties
19. SECURE VIRTUALIZATION FRAMEWORK
VIRTUALIZATION VISIBILITY GAPS
Diagram: two ESX Hosts, each running APPLICATION VMs (App over OS) on a VMsafe Kernel Module, Virtual Switch and HYPERVISOR, connected through the Core to a physical IPS; a “?” marks each gap.
(1) Host to Host – IPS inspection on each uplink is expensive/unmanageable
(2) VM to VM – No way to insert physical IPS
(3) VM Mobility – What happens when a VM moves?
20. SECURE VIRTUALIZATION FRAMEWORK
TIPPINGPOINT VCONTROLLER
Diagram labels: three ESX Hosts, each with APPLICATION VMs (App over OS), VMsafe, Virtual Switch and HYPERVISOR; vController; Redirection Policies; Core; IPS.
• Utilizes same specialized hardware as physical network segments
• Policy-based redirection ties IPS inspection to VMs
• VMsafe kernel module integration provides deep insight into VM behavior, maintains low redirection latency (<80us)
• Manage all virtual and physical networks with the same tools
• VMC console provides full visibility into logical VM connectivity
http://www.bestofinterop.com/winners/#security
21. WHAT ABOUT VIRTUAL IPS?
RESTRICTED SCALABILITY
Diagram labels: ESX Host with APPLICATION VMs (App over OS) and a vIPS VM on the VMsafe Kernel Module, Virtual Switch and HYPERVISOR; Core; IPS; “?” at the vIPS.
• Can be effective in smaller environments
• Cannot take advantage of specialized hardware
• Shares resources with other VMs
• Latency is typical due to lack of hardware acceleration
• Difficult to establish performance baselines
22. VISUALIZE YOUR VIRTUALIZATION
TIPPINGPOINT VIRTUALIZATION MANAGEMENT CENTER (VMC)
• Empower network/security teams with real-time visibility into virtual environment
• Integration with virtualization management
• Topology mapping provides identification of virtual/physical network paths
23. TIPPINGPOINT VMC
IT’S ALL ABOUT THE INSPECTION POLICIES
• Assign policies by VM and/or zone, not location or network connection
• Automate trust zone assignment for new or untrusted workloads
• Ensure policies follow VM regardless of state (in motion, powered on, powered off)
• Cloned VMs must automatically inherit parent policies
24. SUMMARY
Securing The Next Generation Data Center
Stop Threats Faster: • Proactive Security Model • Best Inline Enforcement • Broadest Security • DVLabs Leading Security Research • Zero-Day Initiative • Application Visibility • Vulnerability Intelligence
Protects Highest Bandwidth Data Centers: • Highest performance • 20Mbps to 16Gbps • Latency in Microseconds • Protects Layer 2-7 • Inline or out-of-band deployment options
Immediate, Always Up To Date Protection: • Protects in Minutes • Automated DV Updates • Most Timely Protection • Leading Zero-Day Protection • Intuitive management
Secure Virtualization Framework: • vController • Visibility and control • Leverage existing hardware investments • No compromise to consolidation ratio • Deployment Options for Virtual Data Centers