BreakingPoint and Juniper presentation "Practical Advice for Securing the High Performance Cloud" at the 2011 RSA Conference.
Practical Advice for Securing the High-Performance Cloud
February 16th at 4:30 PM
You Deal With An IT Firestorm Every Day…
…And Now You Are Moving To The Cloud
Can you stay compliant?
Will it be secure?
Will it remain high-performing?
Market Dynamics
• 50% of the world’s workloads will be virtualized by 2012
• 37% of large enterprises expect to adopt IaaS (cloud) in the next year
• Security is a top concern for virtualization adoption
• Virtualization is near de-facto architecture for clouds
Sources: CDW Survey, Yankee Group, Gartner, GigaOM
The Challenge & Opportunity
How Is Virtualization Different?
Virtualization/Cloud Security Challenges
• Monitoring and auditing breaks
  – Physical security is blind to traffic
  – VMs can “move” to low trust zones
• Continuous enforcement is very difficult
  – VMs replicate on a click and sprawl
  – VM users can self provision
  – “Bad” configurations proliferate easily
• Separation of duties is lost
  – Server, network boundaries are blurred
  – Unified administration gives too
• Least privilege access policy enforcement is lost
  – VM access patterns can change with “migration”
  – Too much change means errors
Goal: Enable Cloud/Retain Control
1. VLANs offer no granular security
2. Physical FWs are expensive

1. Agents are very costly to manage
2. Significant performance degradation

1. Superior security
2. “Wire-line” performance
3. Minimal overhead
4. 10x cost reduction
The Ideal Mix: Hypervisor-Based Security
1. Enforcement runs as a custom kernel component embedded in the ESX hypervisor in “fast path” mode
2. All packets flow through the hypervisor-embedded security engine
vGW & The Hypervisor-based Architecture
Enterprise-grade
– VMware “VMsafe Certified”
– Protects each VM and the hypervisor
– Fault-tolerant architecture (i.e. HA)
Virtualization Aware
– “Secure VMotion” scales to 1,000+ ESX
– “Auto Secure” detects/protects new VMs
Granular, Tiered Defense
– Stateful firewall and integrated IDS
– Flexible Policy Enforcement – Zone, VM group, VM, Application, Port, Protocol, Security state
The vGW Engine (architecture diagram; only the component labels survive)
– Virtual Center VM
– VM1, VM2, VM3
– Partner Server (IDS, SIM, Syslog, Netflow)
– Packet Data
– VMware DVFilter
– VMware vSwitch or Cisco 1000V
– Hypervisor / ESX Kernel
– ESX Host
Security Design for vGW
Traditional Cloud Validation Approach (diagram; only the component labels survive)
– Application Traffic Test Software
– Firewall, Router, IPS
– Load Balancer
– Switch
– SSL Accelerator
– Virtual or Physical Server, Server Farm, Data Center
• 100-1000+ servers
• $ Millions in software licenses
• Multiple products with separate interfaces
• Many disassociated reports
• No security validation
• High total cost of ownership
• Limited performance
• Doesn’t effectively stress infrastructure
• Inaccurate and error-prone
• Complex and labor intensive
BreakingPoint’s Approach
• Stresses infrastructure with a mix of stateful application traffic
• Validates performance/effectiveness under extreme load conditions
• Validates the integrity of server transactions
• Integrates security for the ability to assess performance under attack
Questions and Answers