varmour dss distributed security system: scalable and ... · varmour dss distributed security...

©2017byTheEnterpriseStrategyGroup,Inc.AllRightsReserved.

InlineWorkload-levelSecurityforPhysical,Virtual,Cloud-based,andContainer-basedNetworksByTonyPalmer,SeniorESGLabAnalystMay2017ThisESGLabReportwascommissionedbyvArmourandisdistributedunderlicensefromESG.

EnterpriseStrategyGroup|Gettingtothebiggertruth.™

ESGLabValidation

vArmourDSSDistributedSecuritySystem:ScalableandSimpleSecurityfortheModernDataCenter

LabValidation:vArmourDSSDistributedSecuritySystem 2


Contents

Introduction...........................................................................................................................................................................3

Background........................................................................................................................................................................3

vArmourDSSDistributedSecuritySystem.........................................................................................................................4

ESGLabValidation.................................................................................................................................................................5

SimplifiedandEfficientSecurityOperations......................................................................................................................5

ESGLabTesting.............................................................................................................................................................5

HighlyScalableElasticPlatform.........................................................................................................................................8

ESGLabTesting..............................................................................................................................................................8

AutomatedandExtensibleSegmentation........................................................................................................................11

ESGLabTesting............................................................................................................................................................11

IntegratedDeceptionSecurityServices...........................................................................................................................13

ESGLabTesting............................................................................................................................................................14

TheBiggerTruth...................................................................................................................................................................17

Appendix..............................................................................................................................................................................18

ESGLabReportsThegoalofESGLabreportsistoeducateITprofessionalsaboutdatacentertechnologyproductsforcompaniesofalltypesandsizes.ESGLabreportsarenotmeanttoreplacetheevaluationprocessthatshouldbeconductedbeforemakingpurchasingdecisions,butrathertoprovideinsightintotheseemergingtechnologies.Ourobjectiveistogooversomeofthemorevaluablefeature/functionsofproducts,showhowtheycanbeusedtosolverealcustomerproblemsandidentifyanyareasneedingimprovement.ESGLab'sexpertthird-partyperspectiveisbasedonourownhands-ontestingaswellasoninterviewswithcustomerswhousetheseproductsinproductionenvironments.



Introduction

ESGLabvalidatedthevArmourDSSDistributedSecuritySystemwithafocusonitsabilitytosimplifyandefficientlyprotectapplicationsandworkloadsfromintrusion,regardlessofwherethoseassetsarelocated.AlsoofinterestwasvArmour’sabilitytoscalequicklyandeasily,thecapabilitytoautomatetheadditionofnewassets,theproduct’sdeceptioncapability,anditsoveralleaseofuseandefficiency.

Background

Traditionalnetworksecurityproductscanbecomplexandtime-consumingtodeploy,manage,andmaintain.Forexample,traditionalnext-generationfirewalls(NGFWs)sitatthenetworkordatacenterperimeterwithlimitedvisibilityinsidethedatacenter;theymustmanagetheirpoliciesacrossasprawlofmultiplesingleinstancesystems;andtheycanonlyscaleupbyaddingadditionalhardwaretoimproveperformance,whichaddsoperationalburden.Likewise,software-definednetworks(SDNs)requirenetworkreconfigurationandprovidebasiclayer-4policycontrols.Todeliverapplicationlayerpolicyatlayer7,organizationsmustbuildcomplextrafficsteeringmethodswithNGFWsjusttocollectapplication-layercontext.Thispresentssignificantcomplexityoftroubleshootingandmanagementfunctions.

Everytimeanewapplicationorsystemisaddedtothenetwork,everyaspectofthenewsystemmustbesecured.Untilrecently,newapplicationsandsystemswouldtakeweekstorollout,allowingtimeforathoroughsecurityanalysistobeperformed.Nowadays,systemsareoftenrolledoutveryquickly,sometimesinhours,andeventhoughsecurityrequirementsarestricterthanever,timethatwasoncededicatedtosecurityanalysisislostandITsecurityteamscanfindthemselvesforcedtoplaycatchupafterapplicationshavebeenreleased.

CybersecurityisconsistentlythemostoftencitedITPriorityinannualESGITspendingintentionsurveys1byawidemargin.ThechartinFigure12showshowrespondentsplantospendtheircybersecuritybudgetsoverthenext12-18months,includingnetworksecurity,endpointsecurity,andsecurityanalytics.

Figure1.SpecificSpendingPlansforCybersecurityOvertheNext12-18Months

Source:EnterpriseStrategyGroup,2017

1Source:ESGResearchReport,2017ITSpendingIntentionsSurvey,March2017.2Ibid.

20%22%23%23%

25%25%25%

29%30%

39%

Securityautomationandorchestration

Applicationanddatabasesecurity

Vulnerabilityscanning/patchmanagement

Cloudinfrastructuresecurity

Identityandaccessmanagement

Informationassurance

Cloudapplicationsecurity

Securityanalytics

Endpointsecurity

Networksecurity

Wewouldliketolearnmoreaboutyourspecificspendingplansforcybersecurity.Inwhichofthefollowingareaswillyourorganizationmakethemostsignificantinvestmentsoverthenext12-18

months?(Percentofrespondents,N=418,fiveresponsesaccepted)



vArmourDSSDistributedSecuritySystem

vArmourDSSisadistributedplatformwithintegratedsecurityservicesforthemoderncloudanddatacenter.Itdeliverssoftware-based,application-awaresegmentation,micro-segmentation,monitoring,centralizedpolicymodeling,andcyberdeceptiondesignedtohelporganizationsprotectcriticalapplicationsandworkloads.AsshowninFigure2,vArmourDSSisanAPI-driven,distributed,andagent-lesssecuritysystemengineeredtoprotectworkloadsandapplicationsinphysical,virtual,cloud,andcontainerenvironments,andisagnostictotheunderlyinginfrastructure.Allmanagementtakesplacethroughaweb-basedconsoleand/orCLI,andvArmour’sAPIsallowintegrationwithavarietyofthird-partytoolsandsystemsofrecord.

Figure2.vArmourDataCenterandCloudSecurity


vArmour’sapproachtosecurityisaboutreducingriskbylimitingnetworkcommunicationstoauthorizedsystemsandapplications,increasingoperationalefficiencybyenablingthepoolingofresourceswithdifferentsecurityrequirementsonthesamesharedinfrastructure,andimprovingcompliancebylogicallyseparatingregulatedfromunregulatedworkloadswithoutrelyingonhardware-boundzonesastheprimarypolicyconstruct.vArmourdeploysEnforcementPoints(EPs),whichsittransparentlyonthenetworkandmonitoralltrafficgoinginandoutofmanagedworkloads.Unliketraditionalnetworksecuritysystems,whichtypicallysitonthenetworkordatacenterperimeterandgettheirinformationfromswitchesandothernetworkdevices,vArmourcanseealltraffic,includingallinternal“east-west”traffic.TheEPsperformlayer-7deeppacketinspection,whichallowsvArmourtoassociatetrafficwithanapplicationratherthananetworkport(e.g.,httptrafficcanbeidentifiedevenifitisnotdirectedtoport80),andgeneratelayer-7metadataonallnetworktraffic,whichisleveragedforanalytics,policydesignandreporting.

Insteadofrequiringlabor-intensivetuningacrossmultiplesingle-instancetraditionalfirewalls,vArmourisadistributedsecurityplatformthatplaceslayer-7controlsdirectlyadjacenttotheworkloadsthemselves.vArmour’ssegmentationandmicro-segmentationcapabilitiesallownetworktraffictoberestrictedtothesystems,applications,users,andnetwork



segmentsitbelongsto,andmakeiteasiertoidentifyinappropriatetraffic.AsworkloadsaredeployedinlineaspartofthevArmourplatform,othersecurityservicessuchascyberdeceptioncanbecalled.vArmour’sdeceptionfunctionalityredirectsanytrafficmatchingaredirectpolicyaction,regardlessoftargetIPtoaDeceptionPoint,whereattackerscanbeidentifiedastheyattempttoinfiltratethenetwork.Attackeractivitycanalsoeasilybemonitored,investigated,quarantined,andremediatedusingvArmour’sanalyticsandsegmentationcapabilities.

ESGLabValidation

ESGLabtestedvArmourDSSwithagoalofvalidatingtheplatform’sabilitytoreducerisksandattacksurfaces,improveoperationalefficiency,andenableimprovedcomplianceadherenceinahighlyscalableandextensiblepackage.

SimplifiedandEfficientSecurityOperations

First,ESGLabexaminedeaseofinstallationandconfigurationoftheintegratedplatform,lookingathowpolicycontrolscanspanphysical,virtual,cloud,andcontainer-basedenvironmentswithasinglefabric.

ESGLabTesting

TestingbeganbysimplydownloadinganOVAfile,importingthefileintovCenter,andpoweringtheVMon.AfterloggingintotheinstallationwebbrowserinterfaceandpointingtheinstallertovCenter,vArmourquicklyingestedallvCenterobjects,promptedtheadministratortoselectthehypervisorstoinstallvArmouron,andchoosetheunderlyingswitchestotapintotogainvisibilityintotheapplicationtraffic.Thisinstallationprocesstooklessthan30minutes.

OnceDSSwasinstalled,ESGLabdeployedDSSintap—orlearning—modeasaguestVMtogetfulllayer-7application-levelvisibilityandbetterunderstandtherelationships,communications,anddependenciesoftheapplicationsontheworkloads.Next,ESGLablookedatapplication-leveltrafficflowsand,asseeninFigure3,DSSprovidesasimplevisualizationthatbreaksoutapplicationsbyrelevantattributesandenablesrapid,granularanalysisthatcaninformpolicyconstruction.

Figure3.Application-levelTrafficFlows

Next,ESGLabconstructedpolicies(seeFigure4)andtestedthemintapmodetotroubleshootandrefinethem.



Figure4.ConstructingPolicies

Finally,ESGLabtooktheenvironmentinlineandenabledmicro-segmentationwiththreejuststeps,seeninFigure5.First,ESGLabconnectedwiththeVMwarevSphereenvironmentandselectedthreeassets:ahost,aportgroup,andaVLAN.

Figure5.DeployingvArmourDSSUsingthevArmourInstaller

WeclickedtheStartMicro-Segmentationnowbuttonandwerepresentedwithadialogboxindicatingthatthreeworkloadscurrentlytappedwereavailableformicro-segmentation.WeclickedOK,andafewsecondslatermicro-segmentationwascompletedandthevArmourDSSEPswereinline,asseeninFigure6.

Figure6.Micro-segmentationComplete



Finally,ESGLabenabledautomatedmicro-segmentation,wherenewVMsaddedtovCenterareautomaticallymicro-segmentedandmovedinlinewithvArmour,providinginstantprotectionwithoutadministratorinteraction.Automicro-segmentationwasenabledforportgroupVLAN101withjustoneclick.

Figure7.SettingUpAutomaticMicro-Segmentation

3Source:ESGResearchReport,2017ITSpendingIntentionsSurvey,March2017.

WhyThisMattersOforganizationsprioritizingcybersecurityinitiativesin2017,39%expecttoallocatefundingtofortifyingnetworksecurity.3Inthesamesurvey,45%oforganizationsreportaproblematicshortageofcybersecurityskills.Thisthreatenstheimplementationoftheirnetworksecurityprojects.Smartorganizationswillconsiderbothinvestinginskillsdevelopmentandseekingproductsthatimproveoperationalefficiency.

ESGLabvalidatedthatvArmourDSScanbeinstalledandprotectingworkloadsinlessthananhouronanycombinationofphysical,virtual,cloud,orcontainer-basedplatforms.ESGLabtestingrevealedthatvArmourprovideslayer-7applicationidentificationandinspection,enablingoperatorstoidentifyrisks,policyviolations,andsuspiciousbehaviorsandrespondimmediately.vArmourprovidesdeepcontextforapplicationcommunicationtoexposenotonlytheconnectionsbetweenentities,butalsocanabstractrichmetadatafromthosesessions.

ESGLabalsosawvArmourglobalpolicyobjectsprotectphysicalandvirtualworkloads,providingconsistent,automatedpolicyenforcementacrossheterogeneousenvironments.FinallyESGLabconfirmedthatnewlyinstantiatedworkloadscanbeautomaticallymicro-segmentedtospeedandsimplifysecurityoperations.



HighlyScalableElasticPlatform

Next,ESGLabexaminedthesimplicity,elasticity,andscaleofthevArmourDSS.AnelasticplatformshouldenablebuildingsecurityintotheITinfrastructuresothatsecurityistiedtocompute.Ifahypervisorclusterreachescapacityandneedstoaddmorehypervisors,vArmourDSSfabricexpansioncanbeautomatedtospinupanddeploynewEPsthroughaseriesofAPIcalls.SincevArmourDSSusesasinglepolicy,thereisn’taneedtoconfiguretheexpandedassetswithpolicyaswouldbenecessarywithatypicalfirewall.Toputthatanotherway,thevArmourDSSscalesautomaticallytomatchthecomputeresourcesintheenvironment,whichmakesitmoreefficientandeasiertomanagethantraditionalapproacheswhereorganizationsscalebymanuallyaddingorreplacingsingle-instanceappliances,thenmanuallytuneandapplypoliciestothem.

Thealternativeapproachestodeliveringlayer-7controlrequireseveraladditionalstepscomparedtovArmour.ThefirststepisdeployinganSDNinorderachievetrafficinterceptionadjacenttotheworkloadtodelivermicro-segmentation.Next,redirectionpolicymustbeconfiguredontheSDNplatformtodirectthetrafficthroughthelayer-7singleinstancefirewall.Oncethelayer-4portshavebeenidentifiedandtheservicechainpolicyconfigurationiscomplete,theactuallayer-7firewallpoliciescanbecreated.Someofthebiggestchallengeswiththisarchitecturelieinmanagingtheaggregatedhypervisortraffic.Singleinstancefirewallsarenotdistributedinnaturewhichmeansloadmustbeengineeredandbalancedaccordingly.Whenloadcapacityismet,analysismustbedoneinordertoengineergrowthofthefirewallclusterorthefirewallsizemustbeincreased.Thisaddscostandcomplexityandcanalsopresentchallengesregardingworkloadmobility.Whendesigningthesesolutionsonemustaccountforthefactthataworkloadmovingfromonehypervisortoanothercouldmeantrafficwouldflowtoadifferentfirewallwithadifferentpolicyandstatetableinterruptingapplicationavailability.ThisisaverydifferentarchitecturefromthevArmoursolutionwherethelayer-7securityenforcementisalwayslocal,nativelylayer-7,anddirectlymatchedtothecomputeplatformensuringthatsecurityexpansionoccursnaturallywiththeadditionofcompute.Asthathypervisorisdeployed,thevArmourfabricandsinglepolicysimplyexpandstosupportthoseworkloadsoranyworkloadsthatmigratethere.

ESGLabTesting

BeforeinstallinganddeployingvArmourDSS,ESGLabgeneratedunauthorizedtraffictoillustratehowpacketstraverseanunfilterednetworkfreely.AsseeninFigure8,thegreenarrowrepresentsalegitimateSQLconnectionbetweenawebserveranddatabaseserverinthetestenvironment,whiletheredarrowsshowtwodifferenttypesofunauthorizedtraffic,aSQLinjectionattackandanICMPconnectionbetweentwointernalsystems.



Figure8.TrafficBetweenEndpointswithoutEnforcementPointProtection


ESGLabthenreranthetestafterenablingvArmourpolicies,includingworkloadattributesforSQLtrafficandalayer-7policytoblockICMPviaanaccesslist.Thepolicywasconstructedtoenableonlynecessaryapplicationtraffic.OnlythewebserverscouldquerytheSQLserver.Sincethephysicalserverwasnotawebserver,thephysicalserver’sSQLinjectionattackwasautomaticallyredirectedtotheDeceptionPoint,aswastheICMPstream.Thiswasaccomplishedwithoutusingsignaturesordetectionlogic.Itwasasimplefirewallpolicyviolationrulewitharedirecttodeceptionactionratherthanasimpledenyruleasatraditionalfirewallwould.Thisisanimportantdistinctionasitmeansthatvalidtrafficcan’tbeaccidentlyinterceptedbydeception.

Figure9.TrafficBetweenEndpointswithInspection,Enforcement,andDeception




ESGLabalsoauditedperformanceandscalabilitytestingofDSS.vArmourQualityAssurancetestingisexecutedforeachmajorandminorreleaseagainstindividualelementsandatthesystemlevel.Rawandapplicationthroughputismeasured,aswellasthesupportablenumberofconcurrentsessionsandlatency.Automationtestsareexecutedagainstthesystemtomeasurethetimeneededtoautomaticallymicro-segmentvariousnumbersofworkloads.TestingisperformedusingIxiaIxAutomateforUDPthroughputandIxLoadforTCPandapplicationthroughput.ESGLabanalyzedtheresultsofthemostrecentroundoftestingandtheresultsaresummarizedhere:

Table1.PerformanceDataPublishedbyvArmourQA

EnforcementPointsasTestedonInter-hypervisorVMwarevSphereConcurrentSessionsperEP 100,000

UDPThroughput(JumboFrames,9,018Bytes) 19.96GbpsUDPThroughput(1,518ByteFrames) 9.75Gbps

EnforcementPointsasTestedonIntra-hypervisorVMwarevSpherewithTSO/LROEnabledTCPThroughput(1,518ByteFrames) 18.7Gbps

TCPThroughput(AppID) 18.7GbpsUDPThroughput(JumboFrames,9,000Bytes) 19.5Gbps

FabricScalabilityConcurrentSessions 102.4million

NumberofHypervisors 1024NumberofWorkloadsProtected 102,400


It’simportanttonotethatthesenumbersrepresentapproximately5-10Gbpsoflayer-7trafficinspectionandenforcementpervCPU.vArmourrightfullyconsidersthisadifferentiator,consideringthatvirtualizedtraditionalNGFWscanrequireupto16vCPUstosupport10Gbps.4

4Basedonexaminationofdatasheetsanddocumentationofmultiplevendors’virtualNGFWofferings.5Source:ESGResearchReport,2017ITSpendingIntentionsSurvey,March2017.

WhyThisMattersWhenESGasked641ITprofessionalsandexecutivestoidentifytheconsiderationthatwouldbemostimportantinjustifyingITinvestments,improvedsecurityandriskmanagementwasthemostcitedresponse(34%).5Ascybersecuritythreatsincreaseinfrequencyandsophistication,ITstaffsandsecurityteamsmustimplementnumeroussecurityinitiatives,manywithmanualprocesses,whenthebusinessandtechnicalneedschange.It’scriticalforthesecuritysystemtorapidlyadapttotheever-changingneedsofthebusiness.Toaddressthesechallenges,thesecuritysystemmustbeintelligent,automated,andscalable.

ESGLabvalidatedthatvArmourusedasingleglobalpolicysettoinspecttrafficthroughoutallnodesinthedistributedsystem.Policieswereenforcedcorrectlyregardlessofthelocation.ESGlabalsoverifiedthatvArmourcouldrapidlyscaletheenvironmentfromasecurityperspectivetobetteraligntothechangingbusinessrequirementsoftheorganization.Astheenvironmentgrows—requiringmorecompute—andashypervisorsareadded,vArmourcaneasilyandautomaticallyprovisionanddeployEPstoexpandtheexistingvArmourDSSfabric.

ESGLabvalidatedthescalabilityandperformanceofvArmourDSS,confirmingsupportformorethan100,000concurrentsessionsperEnforcementPointand100millionconcurrentsessionssystem-widewiththeabilitytohandlenearly20GbpsoftrafficperEnforcementPoint.



AutomatedandExtensibleSegmentation

vArmourisanall-software,highlyprogrammableplatformdesignedtointegrateintoDevelopmentandOperations(DevOps)workflowsforsecurityautomation.vArmourisbuiltexclusivelyonopenAPIsthatenabletheplatformtointegrateintomanytypesofsystemsofrecord.Forexample,ESGLablookedatvArmourDSSintegrationswiththird-partyorchestrationandprovisioningsystemssuchasvCenter,CiscoISE,Puppet,andChef.Likewise,vArmourDSScanintegratewithSDNssuchasCiscoACItoprovidestatefullayer-7visibilityandsegmentation,anddynamicallyconsumepoliciesdefinedintheCiscoApplicationPolicyInfrastructureController(APIC).vArmourDSScanalsosenddatatoanalyticsystemssuchasSIEMtools.TheextensibilityoftheAPImakesintegrationwiththirdpartytoolssimple;acustomercancreateapythonscriptwithafewRESTfulAPIcallstovArmourandtheothersystem.

ESGLabTesting

vArmourcanbeintegratedwithanyAPIdrivensystemofrecordtosimplifypolicyautomation.Tovalidatethis,wetestedautomatedmicro-segmentationandvCenterpolicyintegration.WeexaminedtheconfigurationofavirtualdevelopmentserverforacreditcardapplicationcalledDev_CCApp_DB.AsshowninFigure10,theNotesfieldcontainedthestringFWPolicy=Dev,DBserverintheAnnotationssectionofthevSphereconfigurationscreenforthisVM.ThroughaRESTfulAPIintegrationthesefieldsarereadintotheDSSPolicyManagerasadevelopmentsystemrunningadatabaseserver.ThevArmourDirectorhadapreviouslyconfiguredpolicyinplace—Web2DB—toallowdatabaseserverssuchasDev_CCApp_DBtoconnecttowebservers.ThisintegrationenablesaworkflowwhereanewVMcanbeprovisionedinvCenter,automaticallymicro-segmented,andassociatedwithproperpolicywithoutanydirectinteractionfromvArmouradministratorstogettheworkloadcommunicatingandprotectedonthenetwork.

Figure10.SettingWorkloadAttributesinvCenter

Next,ESGLablookedataddressgroupsinsideDSStoseehowvArmourprocessesthatinformation.AsshowninFigure11,vArmourDSSautomaticallyrecognizesDev_CCApp_DBaspartoftheDevandDBservergroups.



Figure11.WorkloadAttributesAutomaticallyPopulatedintovArmourDSS

TochangethepolicythatwasappliedtoDev_CCApp_DB,ESGLabclickedtheEditbuttonfortheAnnotationssectiononthevCentermanagementscreen,removedDBserverfromtheFWPolicystring(changingittosimplyreadFWPolicy=Dev),andclickedtheOKbutton.WhenthevArmourAddressGroupscreenrefreshed,Dev_CCApp_DBdisappearedfromthelistDBserverswithnootheractionrequired.

vArmour’sRESTfulAPIsenableoperatorstobuildsecurityintotheirautomationworkflows—examplesincludeinteractingwithanincidentresponseworkflowforquarantiningfunctionality,coordinatingwithatroubleticketingsystemforautomatedworkloadprovisioning,orintegratingintoanIPaddressmanagementsolution.ESGLabalsolookedatexamplesofAPIintegrationswithorchestrationsystemsandsoftware-definednetworks,specificallyCiscoIdentityServiceEngin(ISE)andCiscoApplicationCentricInfrastructure(ACI).CiscoISEsecuritygroupsareautomaticallyimportedintovArmourDSSaswellasISEpolicies.WhenESGLabaddedausertoActiveDirectoryandincludedherinanADgroup,thatuserwasautomaticallyimported,includedintheappropriateaddressgroup,andassignedsecuritypolicieswithzeroadministratorinteraction.

ESGlookedathowvArmour’sintegrationwithCiscoACIprovidesscalable,statefullayer-7segmentationtoCiscoACI.vArmourcanconsumepolicydefinedintheCiscoAPICtodynamicallyandautomaticallyintegrateoperationalmodelswhileprovidinglayer-7visibilityandcontrol.



IntegratedDeceptionSecurityServices

Deceptionsecuritytechnologiesrepresentasignificantchangeinapproachtonetworksecurity.Insteadoftakingareactiveapproachtodefendinganetwork,deceptionenablesaproactiveapproach,whereattackersandotherbadactorsaredirectedawayfromcriticalassetsandtowardvirtualassets.Anattacker’sprogresscanbeslowed,enablingtheITorganizationtoidentifytheattackersandmitigatebeforetheycanreachanyrealassets.

Traditionally,deceptionishandledthroughhoneypots—systemsonthenetworkthatlookvaluablebutaren’t—andatrailisleftbynetworkadministratorsdesignedtoleadattackersthere.Generally,honeypotsandtheirtrailsrequiretime-consumingworktosetupandmaintain,andcoverageisproblematic,sinceattackersmustbeluredtothem.

vArmourDSSDeception,anintegratedsecurityserviceofthevArmourdistributedplatform,usesglobalpoliciestoenabledeception.TwokeyusecasesdifferentiatevArmourDSSdeception:

• UnusedIPaddressesthatdonotexistthatcanbeleveragedtolooklikevulnerableworkloadsbyredirectingtoaDeceptionPoint.

• ExistingrealworkloadslikeActiveDirectoryserversorpaymentapplications,wherepoliciescanbewrittentoredirectattackerswhotrytoaccessarealserviceorprotocolthatisnotallowedtoaDeceptionPointforfurtheranalysisabouttheattacker’sintent.

Inthisway,asingleDeceptionPointcanfilltheentireunusedaddressspacewiththeappearanceofvulnerableworkloads,asdepictedinFigure12,anddirectattackerstothem.TheDeceptionPointitselfissecuredthroughvArmourmicro-segmentationforaddedprotection.

WhyThisMattersMicro-segmentationenablesorganizationstogranularlyprotectcriticaldatabases,applicationserviceslikeDNSandActiveDirectory,andcompliance-boundworkloadslikePCI.Segmentingassetswithpoliciesthatcontrolcommunicationhasbeeninpracticeformorethanadecade.Thereasonmicro-segmentationismuchmorevaluableisbecauseitfreesorganizationsfromtheconstraintsoftheunderlyingnetworkandinfrastructure.Withtraditionalsegmentation,operatorscanonlycontroltrafficbasedonIPaddress,port,orVLANtag.Thus,anorganization’sarchitectureandsecuritycontrolsaredependentontheirIPaddressingandnetworkdesign.Withmicro-segmentation,policiesareappliedattheworkloadleveltoeverypacketthatentersorexitsthatworkload,withnodependenceonthenetworktopology,thesubnet,ortheVLAN.ThisoffersbothtremendousflexibilityandsimplicityintermsofpolicymanagementandapowerfulmethodofredesigningsecuritycontrolswithoutnetworkorIPaddressingchanges.

ESGLabverifiedthatreassigningavSphereclienttoanewsegment,andthereforetoanewpolicy,isaseasyaschangingonefieldonitsmanagementpage,withoutinterventionbyavArmouradministrator.vArmourcansupportnumerousorchestrationandprovisioningsystems,systemsofrecord,andsoftware-definednetworkssuchasvCenter,Puppet,Chef,andCiscoISEaswellasCiscoACI.

Whenadministratorsincludeautomicro-segmentationaspartoftheirvArmourconfiguration,newsystemscomingonlinecanbeautomaticallybroughtundermanagementasquicklyastheyarebroughtonline.Thisaddsvalueforsystemadministrators,whoneednotwaitforsecurityadministratorstoapproveeachsystemthatcomesonline,andforsecurityteams,whocanbeconfidentthatappropriatesecurityisbeingappliedtothesenewsystems.



ESGLabTesting

ESGLabbegantestingvArmour’sdeceptionfeaturesbyverifyingtheopennessofatestnetwork.Twoterminalwindowswereopened,onerunningacontinuousTCPdumponaservercalledcritical-assetonasimulatedproductionnetwork,andtheother,onthedevelopmentnetwork,displayingashellprompt.First,ESGLabenteredpingcritical-assettoverifyconnectivitybetweentheservers;theICMPrequestswereshownintheTCPdumpsessionandthepingreturnedsuccessfully.Next,thenetworksecuritytoolnmapwasinvokedtodetectportsopenandlisteningonthatserver.Asexpected,alistofopenportsappearedinthecommand-linesession,andtheTCPdumpsessionshowedtherelatedserveractivity.Finally,sshcritical-assetopenedacommandlinesessiontocritical-asset,andthatactivitywasalsoreflectedinTCPdump.

Next,tobegintoprotectthenetwork,adarknetwascreatedontheentire200.0.0.0/8subnetcontainingabout16millionIPaddresses.AdarknetisarangeofIPaddressesinwhichnoactiveservicesorserversreside;therangeisusedentirelyforredirectiontoavArmourDeceptionPoint.Thisisasimpleexampleoftheusecasedefinedabovetoincreasetheexposedsyntheticattacksurface.Toaccomplishthis,ESGLabclickedontheCreatebuttononthePolicyscreeninvArmourDirectorPolicyManager,andenteredtherangeofIPaddressesforwhichadarknetshouldbecreated.Thenapolicywascreatedonthesamescreensothatanytrafficoriginatingatanysourceonthenetworktargetedatthe200.0.0.0/8subnetwouldbeinterceptedbyvArmourandredirectedtotheDeceptionPoint.Oncethepolicywasenabled,thenetworkwascreated.Thus,thenetworkconsistedofabout3,000realactivenodes,andabout16millionsyntheticnodes,obscuringvaluablesystems,workloads,anddatafromanetworkscan.

Next,additionalpolicieswereaddedtodenyallconnectionattemptsbetweendevelopmentandproduction.Inthisconfiguration,atypicallayer-7firewallruleiscreatedinamicro-segmentationenvironment.Then,ESGLabre-initiatedapingcritical-asset,andasthatran,vArmourDirectorwasusedtocreateapolicyseparatingthesetwonetworks.Oncethepolicieswereinplace,thepingsbegantofail.Networkaccessbetweendevelopmentandproductionwasdenied.

Figure12.vArmour-protectedAddressSpacewithDeceptionEnabled




Afterpropervalidationofthenormaldenypolicy,wechangedthepolicyactionfromdenytoredirect—enablingdeception.Thepoliciesweremodifiedonceagain,thistimetosendtheonce-deniedtraffictotheDeceptionPoint.Assoonasthislatestpolicychangewasenabled,thepingpickeduprightwhereithadleftoff,makingitappearasthoughproductionaccesshadresumed.Runningnmapcritical-assetagainreturnedaperfectlyreasonablelistofopenports,andsshcritical-assetappearedtologintototheserver.Duringthesshsession,ESGLabenteredtouch ./filetocreateafile,followedbythelscommandtoverifythatthefilehadbeencreated.ItisworthnotingthatnoTCPdumpadditionaloutputhadbeengeneratedsincethefirstpolicieswereenabled.AllofthisactivitytookplaceontheDeceptionPoint,notoncritical-asset.Therealcriticalassetwasprotectedbehindthepolicyandnotreceivinganytrafficwhatsoever.

ESGLabexaminedvArmour’sDeceptionManagerDashboard,asshowninFigure14,toexaminetherecentDeceptionPointactivity.ClickingonAnalyticsbroughtupascreenthatlistedallrecentauthentication,port-scanning,andsshloginattempts.ClickingontheLogicononthefarrightbroughtupdetailedJSON-formattedlogentriesforeachattempt,asshowninFigure13.Thelogentriesfortherecentsshsessionincludeddetailsonthetouch./filecommand,includingthefullpathnameofthefilethatwascreated,plusthelscommandthatwasrunimmediatelyafterward.Finally,ESGLabclickedtheQuarantinebuttonontheDeceptionManagerDashboardtolockdownthesystemonwhichtheattackergainedaccess.Oncetherequestwasaffirmed,thatpresumablycompromisedsystemwasimmediatelycutofffromallnetworkcontact.

Figure13.vArmourDeceptionEventLog


Figure14.vArmourDSSDeceptionDashboard




WhyThisMattersDeceptiontechnologyhasbeeninthesecurityadministrator’stoolboxsincethe1990s,helpingtoslowdownattackers,wastetheirtime,andinsomecases,givethemworthlessdata.Butsetupandmanagementofhoneypotshasalwaysbeenverycomplicated,requiringongoingmaintenanceofboththehoneypotserverandofthetrailrequiredtoleadanattackerthere.Thus,despiteitspotentialvalue,deceptiontendstobeunderusedinmostorganizations.

ESGLabverifiedthatvArmourhasmadedeceptionmucheasierandmorereliable.vArmour’suniqueplacementofdeceptiontechnologyisdistinctlydifferentfromlegacydeceptionmethods.Insteadofrequiringamaintainedtrailof“breadcrumbs”thatwillhopefullyleadanattackertoahoneypot;globalpoliciescanbeusedtotransparentlyredirectattackerstoaDeceptionPoint.TheseserversrunafullversionofLinux,supportingavarietyofstandardservices,andappeartobeaworthwhiletargettoanattacker.vArmourDSSDeceptionallowssecurityadministratorstotrulyconfuseandfoolanattacker,whilecarefullymonitoringprogress,offeringnodataofvalue,andprotectingtherealnetworkfromfurtherincursions.It’simportanttonotethatvArmour’sarchitectureandmethodologyallowsorganizationstocoveranentirenetworkwithdeceptionservicesusingasingleDeceptionPoint.



TheBiggerTruth

InESG’s2017ITSpendingIntentionsSurvey,39%oforganizationsthatareprioritizingcybersecurityinitiativesin2017expecttoallocatefundingtofortifyingnetworksecurity,makingitthemostcitedresponse.Inthesamesurvey,45%oforganizationsreportaproblematicshortageofcybersecurityskills.Thisthreatenstheirabilitytoexecuteontheimplementationoftheseprojects.Smartorganizationswillconsiderbothinvestinginskillsdevelopmentandseekingproductsthatimproveoperationalefficiency.

vArmourDSSisadistributedplatformwithintegratedsecurityservicesforthemoderncloudanddatacenter.Itdeliverssoftware-based,application-awaresegmentation,micro-segmentation,monitoring,centralizedpolicymodeling,andcyberdeceptiondesignedtohelporganizationsprotectcriticalapplicationsandworkloads.ProvidingAPI-driven,distributed,andagent-lesssecurityengineeredtoprotectworkloadsandapplicationsinphysical,virtual,cloud,andcontainerenvironments,vArmourDSSisagnostictotheunderlyinginfrastructure.vArmour’sAPIsallowintegrationwithavarietyofthird-partyorchestrationtools,systemsofrecord,andothercustomintegrations.

SinceESG’sfirsttestingvArmourin2015,theplatformhasmaturedandevolvedquiteabit,withnumerousnewcapabilitiesandenhancements.Inthisroundoftesting,ESGLabvalidatedthatvArmourDSScanbeinstalledandprovidinglayer-7applicationidentification,inspection,andprotectionofworkloadsinlessthananhouronanycombinationofphysical,virtual,cloud-based,orcontainer-basedplatforms.ESGLabalsosawvArmourglobalpolicyobjectsprotectphysicalandvirtualworkloads,providingconsistent,automatedpolicyenforcementacrossheterogeneousenvironments.

ESGLabalsovalidatedthescalabilityandperformanceofvArmourDSS,confirmingsupportformorethan100,000concurrentsessionsperEnforcementPointand100millionconcurrentsessionssystem-widewiththeabilitytohandlenearly20GbpsoftrafficperEnforcementPoint.

ESGLabverifiedthatreassigningavSphereclienttoanewsegment,andthereforetoanewpolicy,isaseasyaschangingonefieldonitsmanagementpage,withoutinterventionbyavArmouradministrator.vArmoursupportsnumerousorchestrationandprovisioningsystemsincludingvCenter,Puppet,Chef,andCiscoISEaswellasCiscoACI.

vArmourhasmadedeceptionmucheasiertoexecuteandmorereliabletoo.vArmourDSScanuseglobalpoliciestotransparentlyredirectattackerstoDeceptionPointswheretheyarepresentedwithinteractiveservicescorrespondingtotheattemptedconnection,allinteractionsarecaptured,andalertsaregeneratedthatenablerapididentificationandmitigationofattacks.

ESGLabbelievesthatthevArmourDSSDistributedSecuritySystemoffersanapproachthathasalreadybeguntochangethewayorganizationsthinkaboutprotectingtheirvirtual,cloud,andphysicalassets.vArmourDSSprovidessimple,scalable,cost-effectivesecurityandvisualizationviaautomatedcoarse-grainedandmicro-segmentationandinnovativedeceptiontechniques.OrganizationsworkingtowardsimplifyingtheirsecurityoperationswhileimprovingtheirnetworkandapplicationcontrolsandtheiroverallsecurityposturewoulddowelltotakeacloselookatvArmourDSS.



Appendix

Table2.ESGLabTestBed

vArmourFabricComponents VersionvArmourDirector 3.1

vArmourEnforcementPoint(EP) 3.1vArmourDeceptionPoint(DP) 3.1

Analytics VersionvArmourAnalytics 3.1

Alltrademarknamesarepropertyoftheirrespectivecompanies.InformationcontainedinthispublicationhasbeenobtainedbysourcesTheEnterpriseStrategyGroup(ESG)considerstobereliablebutisnotwarrantedbyESG.ThispublicationmaycontainopinionsofESG,whicharesubjecttochangefromtimetotime.ThispublicationiscopyrightedbyTheEnterpriseStrategyGroup,Inc.Anyreproductionorredistributionofthispublication,inwholeorinpart,whetherinhard-copyformat,electronically,orotherwisetopersonsnotauthorizedtoreceiveit,withouttheexpressconsentofTheEnterpriseStrategyGroup,Inc.,isinviolationofU.S.copyrightlawandwillbesubjecttoanactionforcivildamagesand,ifapplicable,criminalprosecution.Shouldyouhaveanyquestions,pleasecontactESGClientRelationsat508.482.0188.

www.esg-global.com [email protected] P.508.482.0188

EnterpriseStrategyGroupisanITanalyst,research,validation,andstrategyfirmthatprovidesmarketintelligenceandactionableinsighttotheglobalITcommunity.


varmour dss distributed security system: scalable and ... · varmour dss distributed security...

Documents