
CloudHive: Micro-Segmentation Solution for the Cloud

Page 2: CloudHive: Micro-Segmentation Solution for the Cloud

Silvia Gutiérrez de Velasco Romo

Page 3: Agenda

1. Who is Hillstone?
2. Security Challenges in the Cloud
3. CloudHive: Micro-Segmentation Solution
4. Product Specifications

Page 4: Security That Works - Innovative, Effective, Affordable

[Chart: vendor positioning plotted by Security Effectiveness and Values (Low to High) against Total Cost of Ownership for the Whole Life Span (High to Low)]

Page 5: Hillstone at a Glance

• Founded in 2006 by founding engineers from Netscreen/Juniper
• 15,000+ customers in 50+ countries: financial, telecom, education etc.
• 700+ employees globally, >40% in engineering
• World Class Team: experienced leadership from Netscreen, Cisco, Juniper, Intel

[Map: Beijing, Suzhou, Singapore, Silicon Valley, Dubai, Czech, Latin America, Mexico]

Page 6: Positioned in Three of Gartner Magic Quadrants for its vision of Layered Defense

“Hillstone firewalls are a good candidate for enterprises with hybrid networks, such as on-premises, cloud and virtualized environments in the above-mentioned regions.”

“Hillstone CloudHive offers a micro-segmentation solution for virtual VMware networks along with CloudEdge virtual firewalls for the networks over the cloud. This offering makes Hillstone a strong vendor for cloud security use cases.”

“Hillstone supports a wide range of detection and prevention options with signatures, behavioral analytics, anti-malware and cloud-based sandboxing available as options.”

Page 7: Traditional Perimeter Security Fails

• No visibility of internal traffic and threats in cloud deployments
• No security of East-West workloads
• No scalability of security in cloud environments

[Diagram: north-south traffic between the Internet and tenants versus east-west traffic between tenants, the latter marked with a question mark]

Page 8: Sample Attack Scenarios and Security Checklist

• Targeted attacks with specific intentions
• Botnet attack through cloud resource
• Worm/Malware exhausts server resources
• Abnormal Behavior hidden in the cloud

Your Security Checklist
• Traffic: Traffic between VMs or subnet? Is the traffic necessary?
• Application: Unknown application? Illegal application?
• Behavior: Frequency and time? Risky behavior? Abnormal traffic? Virus?
• Resource: Network? VM? Bandwidth? Session?

Page 9: Product Specifications and SKUs

Page 10: CloudHive helps to answer these questions

• How many HW servers do you have?
• How many VMs do you have?
• How many networks do you have?
• How much traffic on each VM?
• Is there any traffic between VMs?
• What kind of applications on each VM?
• Which VM was compromised?
• Which VM is being attacked?

Page 11: Designed for the Virtual Environment

• Monitor and secure each VM
• No plug-in on hypervisor
• No interruption to business applications
• No hardware needed
• Deployed down to the virtual network, on each physical server
• No interruption to physical network

[Diagram labels: Hypervisor, Virtual Networks, Physical Networks]

Page 12: CloudHive Architecture

• vSOM, virtual Security Orchestration Module: integrates with third-party CMP, manages service lifecycle
• vSCM, virtual Security Control Module: centralized management and configuration for all vSSMs
• vSSM, virtual Security Service Module: traffic monitor and security service enablement
• vDSM, virtual Data Service Module: high speed log forwarding

[Diagram labels: VMware vCenter or OpenStack Controller; HA; vDSM]

Page 13: Fully Distributed

Non-disruptive protection. Unified Management Interface, managed as a single appliance.

Distributed, VM level
• Distributed deployment
• Centralized management
• vSSM on each server
• Monitor traffic between VMs

Scalability
• Scale up or down
• Ease of deployment

Synchronization
• Session
• Policy

Page 14: Non-Disruptive

Non-Disruptive
• L2 deployment
• TAP or inline transparent mode

Monitor and Protect
• VM traffic monitor
• Threat detection and prevention

Virtualization Support
• Standard API
• Support major virtualization platforms

Complete Security
• APP
• AD
• IPS
• AV

[Diagram labels: Virtual Switch; APP, AD, IPS, AV; VM; L3; Inline transparent; No interruption to network]

Page 15: Change Recognition in Cloud Assets

[Diagram: vSOM (Management Panel) and the vSCM pair (Control Panel) connected to the vCenter or OpenStack fabric]

Identify change in cloud assets:
• Add VM/Network
• Change VM name
• VM migration
• …

Policy and Session Change

Page 16: Separation of Data and Management Network

[Diagram: VMa, VMb and VMc each behind a vSSM; vSOM and two vSCMs on an Independent Communication Channel]

• Separation of data and management/control communication channels
• Private proxy instead of IP for management

Page 17: High Available Distributed Architecture

No-Sync Distributed Processing & Non-Distributed Architecture versus Real-time Sync Distributed Processing & Fully-Distributed Architecture

• vSOM “VM shutdown” does not affect the CloudHive service
• Separation of management, control and service plane ensures the service stability
• vSCM are deployed in pairs (Active/Passive) to provide high availability
• Single vSSM “VM down” does not affect the system; the user VM traffic can bypass the vSSM
• vSCM can reboot and restart security service automatically after “VM down”.
• vMotion support: security policy and flow sessions automatically synchronize across multiple service modules
• Support In Service Software Upgrade (ISSU)

Page 18: [Diagram: four pillars: Deep Visibility, High Available Distributed Architecture, Micro-Segmentation, Improved Productivity]

Page 19: Display of Complex Interlocks

• Lines stand for flow interactions
• Arrows stand for communication direction
• Red lines stand for network threats

Page 20: Application Visibility – Network View - What are they doing

[Screenshot labels: Application type, Traffic direction, Traffic statistic; Network Dimension]

Page 21: Application Visibility – Virtual Machine View

[Screenshot labels: Application type, Traffic direction, Traffic statistic, Policy; Virtual Machine Dimension]

Page 22: Application View

[Screenshot labels: Top 10 Application, Characteristic Distribution, Category top 10, Risk Distribution, Subcategory top 10, Technology Distribution]

Page 23: Network Threat Visibility - What’s happened

• Web attack
• Spoofing
• Hijacking
• DDoS flood
• Cross-site scripting

[Screenshot labels: Traffic Direction, Threat Name, Detail; Network threat tracking]

Page 24: Network Threat Statistic

[Screenshot labels: Threat details, Threat distribution]

Page 25: Network Traffic Tracking

Detecting abnormal behavior based on multi-dimensional analysis of network traffic

Page 26: Visibility - Accurate Depiction of Threat

1. Select view
2. Select application/threat
3. Where does particular application/threat happen?

Page 27: Threat/Session Log Output at a High Speed

[Diagram: VMa, VMb and VMc each behind a vSSM on the business network; vSOM and two vSCMs on the CloudHive network; vDSM on the cloud platform network forwarding logs to a log server and a big data analysis platform]

Page 28: [Diagram: four pillars: Deep Visibility, High Available Distributed Architecture, Micro-Segmentation, High Productivity]

Page 29: CloudHive Micro-Segmentation

CloudHive Micro-Segmentation (Firewall + Virtual Switch)
• Threat/application/traffic visibility
• Provides 2 layers of network control
• Provides L2-L7 security service for VMs

Traditional perimeter protection (Firewall + Virtual Switch): you cannot manage what you cannot see
• Internal communication is not visible
• Difficult to control internal risk propagation
• Perimeter protection has limits
• Limited endpoint protection

Page 30: Security Protection Features

Integrated necessary security features to protect east-west traffic

[Diagram: IPS, FW, AV, ARP, AD and WAF applied to traffic between VM A and VM B]

Page 31: Multiple Dimension Security Control

Control dimensions:
• Application/Service
• Abnormal behavior
• Antivirus
• User
• VM/Port group
• SIP/DIP/SPort/DPort/Protocol

Capabilities:
• Network attack defense
• 3000+ application identification
• 3.2 Million virus signature detection
• 8000+ IPS signatures
• Attack Defense: Anti-DoS/DDoS, including SYN Flood, DNS Query Flood defense
• Combined with AD authentication account
• Automatic IP address change

Page 32: Attack Defense

• Risk:
– Internal sniffing after a VM is compromised
– Critical assets are not protected
– Abuse of cloud computing resources
• Influence:
– Provides feasible channels for taking control of systems and for data breaches
– Cloud resources are used to generate external attacks
– Quality of cloud services is impacted
• Solution:
– Limit high-frequency access to internal virtual machines
– Mitigate deeper damage caused by proximal attacks
• Highlights:
– Abnormal protocol attack defense
– Anti-DoS/DDoS, including SYN Flood, DNS Query Flood defense
– Port scan detection and defense

Page 33: Firewall

• Risk:
– Lack of internal segmentation
– A problem at a single access point easily spreads globally
– Does not meet classified data protection policies (China)
• Influence:
– Springboard access exposes the limits of traditional security protection
– Flood attacks spread easily internally, decreasing the quality and security of network and application
• Solution:
– Low threshold - with unique traffic drainage (steering) technology, achieve network drainage without additional plugins
– No network changes necessary - deployed on the second layer
– Multidimensional - based on traditional protection, provide virtual machine and port group dimensions of access control for the cloud environment
– Versatile - suitable for server virtualization scenarios, also applies to VDI desktop virtualization scenarios

[Diagram: Firewall and Virtual Switch; policy dimensions APP, User, VM/Port Group, Service, IP, Port, Protocol]

Micro-Segmentation · cloud firewall: Tailored cloud security protection

Page 34: Intrusion Prevention

• Risk:
– Network layer attack: vulnerability scan, buffer overflows, and network worm
– Application layer attack/spread: Trojan, SQL injection, XSS attack, CC attack
• Influence:
– Abnormal access between VMs
– Indirectly influencing network quality of service
• Solution:
– Recognize, locate and visualize VMs with abnormal behavior, reducing the possibility of compromising internal VMs
– Intercept/block the spread of the abnormal behavior, mitigating internal risk spread after a virtual machine is compromised
• Highlights:
– Distributed detection mechanism, avoids access bottlenecks
– 8000+ abnormal behavior signature base
– NSS Labs recommended
– Forensics

Powerful and trustworthy abnormal behavior detection
• Detect malicious action from compromised host
• Known vulnerability attacking
• Unusual protocol access
• SQL injection, XSS attack
• Network congestion caused by internal violation/exception
• Phishing
• Trojan

Page 35: Anti-Virus

Protocols: HTTP, IMAP, POP3, SMTP, FTP
File type: RAR, ZIP, GZIP, BZIP2, TAR

• Risk:
– Application layer threats: Worm, Trojan, malware, etc.
• Influence:
– Direct/indirect influence on network quality of service
– Compromised confidential data
– Damage to network assets
• Solution:
– Detect: Recognize, locate and visualize threats, reduce possibility of compromising internal VMs
– Control: Intercept virus transmission in the network layer
– Assist: Assist the host antivirus software solution to prevent the spread of the virus to the network
• Highlights:
– Distributed detection mechanism, high performance, low latency
– Virus detection on various file transmission protocols
– Virus detection on various file types
– Support for compressed file virus scanning
– 3.2 million virus signature library
– Forensics

Necessary feature for business assurance

Page 37: CloudHive Components

vSOM (virtual Security Orchestration Module)
Function: Integrates with third-party CMP, manages service lifecycle
Description (Management Plane):
• Manages the lifecycle of the CloudHive system (system installation, stopping, deleting etc.)
• CMP connects with vSOM (Web UI/CLI/North interface)
Deployment: One CloudHive system deploys a single vSOM; it can be installed on any physical server

vSCM (virtual Security Control Module)
Function: Centralized management and configuration for all vSSMs
Description (Control Plane):
• Security policy configuration
• Manages the lifecycle of the vSSMs (monitors starting and stopping of VMs)
• Collect logs/data
Deployment: One CloudHive system deploys two vSCMs in HA mode; they must be installed on two different physical servers

vSSM (virtual Security Service Module)
Function: Provides FW, IPS, AV, APPID, AD and more services
Description:
• Security policy query (slow path)
• Distributed storage for session status (session)
• Packet forwarding based on session (fast path)
• Security Service (L2-L7)
Deployment: Each physical server must be installed with a vSSM; supports up to 200 vSSMs

vDSM (virtual Data Service Module)
Function: High speed log forwarding
Description: Forward logs from vSSM and vSCM modules to 3rd party log servers
Deployment: One CloudHive system can deploy 1 or multiple vDSMs depending on log volume

Page 38: CloudHive Performance

Specification               Single vSSM (1 * vSSM)   Maximum Extension (200 * vSSM)
FW Throughput               5 Gbps                   1 Tbps
Max Concurrent Sessions     1.7 Million              340 Million
New sessions/sec (HTTP)     30,000                   6 Million
IPS Throughput              1 Gbps                   200 Gbps
AV Throughput               1 Gbps                   200 Gbps

• vDSM: Max. performance is 200K PPS; 1 vDSM can support up to 7 vSSMs’ log forwarding requirement.

Page 39: System Resource Requirement

Module    Description                          System Resource                      Module #
vSOM      Virtual Security Management Module   2*vCPU, 2GB Memory, 12GB Hard Disk   1
vSCM      Virtual Security Control Module      2*vCPU, 6GB Memory, 17GB Hard Disk   1 Min., 2 Recommended
vSSM      Virtual Security Service Module      2*vCPU, 4GB Memory, 5GB Hard Disk    200 Max.
vDSM      Virtual Data Service Module          2*vCPU, 4GB Memory, 5GB Hard Disk    Optional, multiple mode supported
Mgt VLAN  Inter-module communication           Min. 1 VLAN, 5 Recommended
Mgt IP    Remote management                    1, multiple IP needed if vDSM enabled
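As an added worked example (not Hillstone's code or a vendor tool), the sizing rules stated on the component, performance and resource slides can be combined into a small deployment planner: one vSSM per physical server up to 200, one vSOM, a vSCM pair on two different hosts, one vDSM per 7 vSSMs at 200K PPS, and the per-module vCPU/RAM/disk figures. The function name, its arguments and the `Plan` record are assumptions of this example.

```python
import math
from dataclasses import dataclass, field

# Per-module resources (vCPU, GB RAM, GB disk) and per-vSSM performance
# figures are the ones on the CloudHive specification slides; the planner
# itself is an added illustration, not a vendor tool.
MODULE_RESOURCES = {
    "vSOM": (2, 2, 12),
    "vSCM": (2, 6, 17),
    "vSSM": (2, 4, 5),
    "vDSM": (2, 4, 5),
}
MAX_VSSM = 200            # one vSSM per physical server, up to 200
VSSM_PER_VDSM = 7         # one vDSM forwards logs for up to 7 vSSMs
VDSM_MAX_PPS = 200_000    # vDSM maximum log forwarding rate
PER_VSSM = {"fw_gbps": 5, "sessions": 1_700_000, "new_sessions_per_sec": 30_000,
            "ips_gbps": 1, "av_gbps": 1}


@dataclass
class Plan:
    modules: dict           # module name -> instance count
    vcpu: int
    ram_gb: int
    disk_gb: int
    capacity: dict          # aggregate figures across all vSSMs
    notes: list = field(default_factory=list)


def plan_cloudhive(physical_servers: int, log_pps: int = 0, ha_vscm: bool = True) -> Plan:
    """Size a CloudHive deployment for a cluster of `physical_servers` hosts.

    Rules applied: one vSSM per host (max 200); a single vSOM; two vSCMs on
    different hosts when HA is wanted; vDSMs only when logs are forwarded,
    enough for both the 7-vSSM fan-in limit and the expected `log_pps`.
    """
    if physical_servers < 1:
        raise ValueError("need at least one physical server")
    if physical_servers > MAX_VSSM:
        raise ValueError(f"{physical_servers} hosts exceed the {MAX_VSSM}-vSSM limit")
    notes = []
    vscm = 2 if ha_vscm else 1
    if vscm == 2 and physical_servers < 2:
        vscm = 1  # the HA pair must be installed on two different physical servers
        notes.append("HA vSCM pair needs 2 hosts; falling back to a single vSCM")
    vssm = physical_servers
    vdsm = 0
    if log_pps > 0:
        vdsm = max(math.ceil(vssm / VSSM_PER_VDSM), math.ceil(log_pps / VDSM_MAX_PPS))
    modules = {"vSOM": 1, "vSCM": vscm, "vSSM": vssm, "vDSM": vdsm}
    vcpu = ram = disk = 0
    for name, count in modules.items():
        c, r, d = MODULE_RESOURCES[name]
        vcpu += c * count
        ram += r * count
        disk += d * count
    capacity = {k: v * vssm for k, v in PER_VSSM.items()}
    return Plan(modules, vcpu, ram, disk, capacity, notes)


if __name__ == "__main__":
    p = plan_cloudhive(200, log_pps=500_000)
    print(p.modules, p.vcpu, "vCPU", p.ram_gb, "GB RAM", p.disk_gb, "GB disk")
    print(p.capacity)  # fw_gbps 1000 matches the 1 Tbps maximum-extension figure
```

At the 200-host maximum the aggregate figures reproduce the slide's maximum-extension column, and the vDSM count is driven by the 7-vSSM fan-in limit rather than the packet rate.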

Page 40: Support for Multiple Virtualized Platform

[Table (garbled in extraction): columns Server virtualization and Desktop virtualization, each with Application and Version; recoverable version labels v5.0, v5.1, v5.5, v6.0, v6.2, V6.3, V6.4, V6.5, and the Liberty, Mitaka and Ocata versions]

Page 41: Thank you!

E-mail: [email protected]
Website:
Phone: +52 461 6083724