hp networking secure virtualisation framework
DESCRIPTION
Secure Virtual Framework (SVF) for secure private and public cloud computing. This session will present SVF as a solution for securing data centers as they consolidate. Through virtualization-specific security challenges and solution examples, you will learn how the SVF converges virtualisation, networking and security technologies to accelerate virtualisation and improve security for public and private cloud computing. A key take-away from this session will be a better understanding of how a converged solution increases security and automation throughout the data center, while reducing complexity and costs.
TRANSCRIPT
SECURE VIRTUAL FRAMEWORK
Glen Gibson, Solution Architect – HP ESSN
Gary Boniface, Solution Architect – HP TippingPoint
TECH AT WORK 2011 -- AGENDA
– DataCenter Trends => Cloud Computing
– HP Intrusion Prevention Systems Overview
– Virtual Visibility Gap
– vController Technology
– Automated Policy Enforcement
– VMware Partnership
DATA CENTER TRENDS
Efficiency drives consolidation
– Past: dispersed, physical; connect everyone to everything
– Present & future: virtualisation, blades, increased bandwidth; do more with less
[Chart: OSVDB data, total vulnerabilities disclosed per year, 2000 to 2010, scale 0K to 11K]
Over the last 5 years on average, roughly 8k vulnerabilities are disclosed each year.
Flawed software is developed almost daily.
HP CLOUDSYSTEM: INTEGRATED SYSTEM, PROVEN TECHNOLOGY
Components: HP 3PAR, HP Cloud Service Automation, HP BladeSystem Matrix + HP Networking, Service Provider Enhancements
Capabilities: securing physical & virtual, scalable utility storage, high performance fabric, mission critical computing, SaaS aggregation
WHY NIPS?
Layer 3-4 filters are not enough to block common attacks.
[Diagram 1: Internet, DMZ and LAN separated by firewalls (FW), with a NIPS at each boundary; Security Zones 1 to 3]
[Diagram 2: remote LAN, router, switch and production network with NIPS in the path; Security Zones 1 to 3]
[Diagram 3: Guest OS 1, Guest OS 2 and Guest OS 3 to n attached to vSwitches, with NIPS shown at the vSwitches; Security Zones 1 to 3]
HP TIPPINGPOINT DVLABS LEADS THE INDUSTRY
Security research with real-world application
[Charts: cumulative vulnerability discoveries (September 2005 to December 2010) and 2010 vulnerability discoveries]
HP TECHNOLOGY@WORK 2011 – THE INSTANT-ON ENTERPRISE IS HERE
VIRTUAL SECURITY GAP
[Diagram: three virtualised hosts, each running VMs (App on OS), with VMs moved to a separate site; callouts 1 to 4 mark the threat points listed below]
Hypervisor Security
– Mission critical
Host to Host Threats
– Can't deploy IPS in front of every server
VM to VM Threats
– Virtual trust zones
– Traffic does not enter the physical network for inspection
– A victim VM can attack other VMs
VM Mobility
– vMotion launches VMs in separate sites for DR
– Physical IPS options are cost prohibitive for these uses
THE VIRTUAL NETWORK VISIBILITY GAP
VMC Components
– vController
– Virtual Management Center (vMC)
– IPS Platform
Flexibly inspect data in both the physical and virtual DC.
Single set of security policies for entire DC protection.
[Diagram: TippingPoint IPS, VMC and VMware vCenter above a row of ESX virtual hosts; on each hypervisor a VMsafe kernel module, a vSwitch with a redirect policy, application VMs (App on OS) and a vController service VM]
SECURE VIRTUALISATION FRAMEWORK (SVF)
[Diagram: the same SVF architecture shown again: TippingPoint IPS and VMC alongside VMware vCenter, with the VMsafe kernel module, vSwitch redirect policy, application VMs and vController service VM on each ESX host]
TIPPINGPOINT VMC: It's all about the inspection policies
• Assign policies by VM and/or zone, not location or network connection
• Automate trust zone assignment for new or untrusted workloads
• Ensure policies follow VM regardless of state (in motion, powered on, powered off)
• Cloned VMs must automatically inherit parent policies
VQL BASED TRUST ZONE DEFINITION
Example – cardholder data environment
– Automated and highly scalable zone/policy definition
• All VMs residing on datastore 'pci_ide' in zone
• Zone/Policy definitions follow VMs throughout lifecycle
– Visualise security policies
• VMs in 'pci_cde' zone prohibited from communicating with 'dmz' zone VMs
• VMs within 'pci_cde' are allowed to communicate
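As an added example (not HP or TippingPoint code, and not VQL itself), the zone-based policy model described on the VMC and VQL slides above, in Python: zones are derived from VM attributes (the 'pci_ide' datastore rule from the slide), the pci_cde/dmz policy is expressed zone to zone rather than by host or network, a clone inherits its parent's zone and a vMotion changes nothing. The 'dmz_store' datastore, the 'untrusted' fallback zone, the 'inspect' default verdict and the inventory are constructed assumptions.

```python
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Optional, Tuple

@dataclass(frozen=True)
class VM:
    name: str
    datastore: str
    host: str                     # ESX host; deliberately not a policy input
    parent: Optional[str] = None  # names the source VM when this VM is a clone

# Zone rules in priority order, first match wins. Datastore 'pci_ide' is the
# slide's example; 'dmz_store' and the 'untrusted' fallback are constructed.
ZONE_RULES: List[Tuple[str, Callable[[VM], bool]]] = [
    ("pci_cde", lambda vm: vm.datastore == "pci_ide"),
    ("dmz", lambda vm: vm.datastore == "dmz_store"),
]
DEFAULT_ZONE = "untrusted"
# Zone-to-zone policy from the slide: pci_cde talks to itself, never to dmz.
# Pairs not listed fall through to IPS inspection (assumed default).
ZONE_POLICY: Dict[Tuple[str, str], str] = {
    ("pci_cde", "pci_cde"): "allow",
    ("pci_cde", "dmz"): "deny",
    ("dmz", "pci_cde"): "deny",
}
DEFAULT_VERDICT = "inspect"

def zone_of(vm: VM, inventory: Dict[str, VM]) -> str:
    # Clones inherit the parent's zone; other VMs are classified by attributes.
    if vm.parent is not None and vm.parent in inventory:
        return zone_of(inventory[vm.parent], inventory)
    for zone, matches in ZONE_RULES:
        if matches(vm):
            return zone
    return DEFAULT_ZONE

def verdict(src: VM, dst: VM, inventory: Dict[str, VM]) -> str:
    # Keyed on zones only, so host placement and power state never change it.
    return ZONE_POLICY.get((zone_of(src, inventory), zone_of(dst, inventory)), DEFAULT_VERDICT)

def vmotion(vm: VM, new_host: str) -> VM:  # a move changes only the host
    return replace(vm, host=new_host)

def clone(vm: VM, name: str, datastore: str) -> VM:  # a clone may land anywhere
    return replace(vm, name=name, parent=vm.name, datastore=datastore)

# Constructed inventory: two cardholder-data VMs, one DMZ VM, one unclassified.
INVENTORY: Dict[str, VM] = {v.name: v for v in [
    VM("cde-db", "pci_ide", "esx-01"), VM("cde-app", "pci_ide", "esx-02"),
    VM("web-01", "dmz_store", "esx-02"), VM("scratch", "tmp_store", "esx-03"),
]}
```

Moving cde-app to a DR host with vmotion() leaves every verdict unchanged, and a clone of cde-db placed on an unrelated datastore is still treated as pci_cde.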
VMWARE CERTIFIED
VMware VMsafe Hypervisor Integration
– vController is fully integrated with VMware vSphere using the VMsafe API
VMware vCenter Integration
– VMC is fully integrated with VMware's vCenter management console
Certified "VMware Ready"
– Supports VMware vSphere 4 (ESX / ESXi 4)
DEMO
HP TIPPINGPOINT AND VMWARE PARTNERSHIP
HP TippingPoint and VMware Strategic Partnership
FEBRUARY 15 ANNOUNCEMENT
– Strategic Development Partnership
– VMware: #1 Virtualization Platform
– HP TippingPoint: #1 Security Research/Architecture
– Virtual Security Solutions today with vController and vShield
– Building Next Generation Security APIs for Cloud Environments
Today: HP TippingPoint's vController and VMware's vShield protect today's virtual environments
Tomorrow: HP TippingPoint and VMware jointly develop next generation security APIs to protect complex cloud environments
HP TIPPINGPOINT & VMWARE: SECURE THE CLOUD
[Diagram: Traditional IT, Private Cloud and Public Cloud (Anchored Enterprise, Hybrid Cloud, Instant-On Enterprise), spanned by VMware vSphere and vShield and by HP TippingPoint Network Intrusion Prevention, labelled best of breed, ubiquitous, pervasive]
NEXT STEPS
Visit: The Cloud System Feature
Engage: See the HP Rep at rear of clinic
Seek more: Request follow up via Eval Form
Re-Live: www.hp.com.au/taw11post
QUESTIONS?
VIRTUAL CONNECT – MAPPED & TUNNELED VLANS
Eg: Mapped Mode
[Diagram: server blade vNICs on VID 40, VID 50 and VID 60 attach through a vSwitch and pNICs to VC Ethernet modules; a SUS carries multiple vNets (VIDs 40, 50, 60, tagged T-40,50,60) and vNet-In/vNet-Out on VID 190 and VID 191 (T-190, T-191); the uplink to the Top of Rack switch is tagged with multiple VLANs T-40,50,60,190,191; a second SUS shows vNet2 and vNet3 on VID 20 and VID 30 as untagged (UT)]
VCONTROLLER
[Diagram-only slides]