© 2017 by The Enterprise Strategy Group, Inc. All Rights Reserved.
Inline Workload-level Security for Physical, Virtual, Cloud-based, and Container-based Networks
By Tony Palmer, Senior ESG Lab Analyst
May 2017
This ESG Lab Report was commissioned by vArmour and is distributed under license from ESG.
Enterprise Strategy Group | Getting to the bigger truth.™
ESG Lab Validation
vArmour DSS Distributed Security System: Scalable and Simple Security for the Modern Data Center
Lab Validation: vArmour DSS Distributed Security System 2
Contents
Introduction 3
  Background 3
  vArmour DSS Distributed Security System 4
ESG Lab Validation 5
  Simplified and Efficient Security Operations 5
    ESG Lab Testing 5
  Highly Scalable Elastic Platform 8
    ESG Lab Testing 8
  Automated and Extensible Segmentation 11
    ESG Lab Testing 11
  Integrated Deception Security Services 13
    ESG Lab Testing 14
The Bigger Truth 17
Appendix 18
ESG Lab Reports
The goal of ESG Lab reports is to educate IT professionals about data center technology products for companies of all types and sizes. ESG Lab reports are not meant to replace the evaluation process that should be conducted before making purchasing decisions, but rather to provide insight into these emerging technologies. Our objective is to go over some of the more valuable feature/functions of products, show how they can be used to solve real customer problems and identify any areas needing improvement. ESG Lab's expert third-party perspective is based on our own hands-on testing as well as on interviews with customers who use these products in production environments.
Introduction
ESG Lab validated the vArmour DSS Distributed Security System with a focus on its ability to simplify and efficiently protect applications and workloads from intrusion, regardless of where those assets are located. Also of interest was vArmour's ability to scale quickly and easily, the capability to automate the addition of new assets, the product's deception capability, and its overall ease of use and efficiency.
Background
Traditional network security products can be complex and time-consuming to deploy, manage, and maintain. For example, traditional next-generation firewalls (NGFWs) sit at the network or data center perimeter with limited visibility inside the data center; they must manage their policies across a sprawl of multiple single-instance systems; and they can only scale up by adding additional hardware to improve performance, which adds operational burden. Likewise, software-defined networks (SDNs) require network reconfiguration and provide only basic layer-4 policy controls. To deliver application-layer policy at layer 7, organizations must build complex traffic steering methods with NGFWs just to collect application-layer context, which adds significant complexity to troubleshooting and management.
Every time a new application or system is added to the network, every aspect of the new system must be secured. Until recently, new applications and systems would take weeks to roll out, allowing time for a thorough security analysis to be performed. Nowadays, systems are often rolled out very quickly, sometimes in hours, and even though security requirements are stricter than ever, time that was once dedicated to security analysis is lost and IT security teams can find themselves forced to play catch-up after applications have been released.
Cybersecurity is consistently the most often cited IT priority in annual ESG IT spending intentions surveys,[1] by a wide margin. The chart in Figure 1[2] shows how respondents plan to spend their cybersecurity budgets over the next 12-18 months, including network security, endpoint security, and security analytics.
Figure 1. Specific Spending Plans for Cybersecurity Over the Next 12-18 Months
Survey question: "We would like to learn more about your specific spending plans for cybersecurity. In which of the following areas will your organization make the most significant investments over the next 12-18 months?" (Percent of respondents, N=418, five responses accepted)
Network security 39%
Endpoint security 30%
Security analytics 29%
Cloud application security 25%
Information assurance 25%
Identity and access management 25%
Cloud infrastructure security 23%
Vulnerability scanning/patch management 23%
Application and database security 22%
Security automation and orchestration 20%
Source: Enterprise Strategy Group, 2017
[1] Source: ESG Research Report, 2017 IT Spending Intentions Survey, March 2017.
[2] Ibid.
vArmour DSS Distributed Security System
vArmour DSS is a distributed platform with integrated security services for the modern cloud and data center. It delivers software-based, application-aware segmentation, micro-segmentation, monitoring, centralized policy modeling, and cyber deception designed to help organizations protect critical applications and workloads. As shown in Figure 2, vArmour DSS is an API-driven, distributed, and agent-less security system engineered to protect workloads and applications in physical, virtual, cloud, and container environments, and is agnostic to the underlying infrastructure. All management takes place through a web-based console and/or CLI, and vArmour's APIs allow integration with a variety of third-party tools and systems of record.
Figure 2. vArmour Data Center and Cloud Security
Source: Enterprise Strategy Group, 2017
vArmour's approach to security is about reducing risk by limiting network communications to authorized systems and applications, increasing operational efficiency by enabling the pooling of resources with different security requirements on the same shared infrastructure, and improving compliance by logically separating regulated from unregulated workloads without relying on hardware-bound zones as the primary policy construct. vArmour deploys Enforcement Points (EPs), which sit transparently on the network and monitor all traffic going in and out of managed workloads. Unlike traditional network security systems, which typically sit on the network or data center perimeter and get their information from switches and other network devices, vArmour can see all traffic, including all internal "east-west" traffic. The EPs perform layer-7 deep packet inspection, which allows vArmour to associate traffic with an application rather than a network port (e.g., http traffic can be identified even if it is not directed to port 80), and generate layer-7 metadata on all network traffic, which is leveraged for analytics, policy design, and reporting.
Instead of requiring labor-intensive tuning across multiple single-instance traditional firewalls, vArmour is a distributed security platform that places layer-7 controls directly adjacent to the workloads themselves. vArmour's segmentation and micro-segmentation capabilities allow network traffic to be restricted to the systems, applications, users, and network segments it belongs to, and make it easier to identify inappropriate traffic. As workloads are deployed inline as part of the vArmour platform, other security services such as cyber deception can be called. vArmour's deception functionality redirects any traffic matching a redirect policy action, regardless of target IP, to a Deception Point, where attackers can be identified as they attempt to infiltrate the network. Attacker activity can also easily be monitored, investigated, quarantined, and remediated using vArmour's analytics and segmentation capabilities.
ESG Lab Validation
ESG Lab tested vArmour DSS with a goal of validating the platform's ability to reduce risks and attack surfaces, improve operational efficiency, and enable improved compliance adherence in a highly scalable and extensible package.
Simplified and Efficient Security Operations
First, ESG Lab examined ease of installation and configuration of the integrated platform, looking at how policy controls can span physical, virtual, cloud, and container-based environments with a single fabric.
ESG Lab Testing
Testing began by simply downloading an OVA file, importing the file into vCenter, and powering the VM on. After logging into the installation web browser interface and pointing the installer to vCenter, vArmour quickly ingested all vCenter objects, prompted the administrator to select the hypervisors to install vArmour on, and to choose the underlying switches to tap into to gain visibility into the application traffic. This installation process took less than 30 minutes.
Once DSS was installed, ESG Lab deployed DSS in tap—or learning—mode as a guest VM to get full layer-7 application-level visibility and better understand the relationships, communications, and dependencies of the applications on the workloads. Next, ESG Lab looked at application-level traffic flows and, as seen in Figure 3, DSS provides a simple visualization that breaks out applications by relevant attributes and enables rapid, granular analysis that can inform policy construction.
Figure 3. Application-level Traffic Flows
Next, ESG Lab constructed policies (see Figure 4) and tested them in tap mode to troubleshoot and refine them.
Figure 4. Constructing Policies
Finally, ESG Lab took the environment inline and enabled micro-segmentation with just three steps, seen in Figure 5. First, ESG Lab connected with the VMware vSphere environment and selected three assets: a host, a port group, and a VLAN.
Figure 5. Deploying vArmour DSS Using the vArmour Installer
We clicked the Start Micro-Segmentation now button and were presented with a dialog box indicating that three workloads currently tapped were available for micro-segmentation. We clicked OK, and a few seconds later micro-segmentation was completed and the vArmour DSS EPs were inline, as seen in Figure 6.
Figure 6. Micro-segmentation Complete
Finally, ESG Lab enabled automated micro-segmentation, where new VMs added to vCenter are automatically micro-segmented and moved inline with vArmour, providing instant protection without administrator interaction. Auto micro-segmentation was enabled for port group VLAN101 with just one click.
Figure 7. Setting Up Automatic Micro-Segmentation
Why This Matters
Of organizations prioritizing cybersecurity initiatives in 2017, 39% expect to allocate funding to fortifying network security.[3] In the same survey, 45% of organizations report a problematic shortage of cybersecurity skills. This threatens the implementation of their network security projects. Smart organizations will consider both investing in skills development and seeking products that improve operational efficiency.
ESG Lab validated that vArmour DSS can be installed and protecting workloads in less than an hour on any combination of physical, virtual, cloud, or container-based platforms. ESG Lab testing revealed that vArmour provides layer-7 application identification and inspection, enabling operators to identify risks, policy violations, and suspicious behaviors and respond immediately. vArmour provides deep context for application communication, exposing not only the connections between entities but also rich metadata extracted from those sessions.
ESG Lab also saw vArmour global policy objects protect physical and virtual workloads, providing consistent, automated policy enforcement across heterogeneous environments. Finally, ESG Lab confirmed that newly instantiated workloads can be automatically micro-segmented to speed and simplify security operations.
[3] Source: ESG Research Report, 2017 IT Spending Intentions Survey, March 2017.
Highly Scalable Elastic Platform
Next, ESG Lab examined the simplicity, elasticity, and scale of the vArmour DSS. An elastic platform should enable building security into the IT infrastructure so that security is tied to compute. If a hypervisor cluster reaches capacity and needs to add more hypervisors, vArmour DSS fabric expansion can be automated to spin up and deploy new EPs through a series of API calls. Since vArmour DSS uses a single policy, there isn't a need to configure the expanded assets with policy as would be necessary with a typical firewall. To put that another way, the vArmour DSS scales automatically to match the compute resources in the environment, which makes it more efficient and easier to manage than traditional approaches where organizations scale by manually adding or replacing single-instance appliances, then manually tune and apply policies to them.
The alternative approaches to delivering layer-7 control require several additional steps compared to vArmour. The first step is deploying an SDN in order to achieve traffic interception adjacent to the workload to deliver micro-segmentation. Next, redirection policy must be configured on the SDN platform to direct the traffic through the layer-7 single-instance firewall. Once the layer-4 ports have been identified and the service chain policy configuration is complete, the actual layer-7 firewall policies can be created. Some of the biggest challenges with this architecture lie in managing the aggregated hypervisor traffic. Single-instance firewalls are not distributed in nature, which means load must be engineered and balanced accordingly. When load capacity is met, analysis must be done in order to engineer growth of the firewall cluster, or the firewall size must be increased. This adds cost and complexity and can also present challenges regarding workload mobility. When designing these solutions, one must account for the fact that a workload moving from one hypervisor to another could mean traffic would flow to a different firewall with a different policy and state table, interrupting application availability. This is a very different architecture from the vArmour solution, where the layer-7 security enforcement is always local, natively layer-7, and directly matched to the compute platform, ensuring that security expansion occurs naturally with the addition of compute. As that hypervisor is deployed, the vArmour fabric and single policy simply expand to support those workloads or any workloads that migrate there.
ESG Lab Testing
Before installing and deploying vArmour DSS, ESG Lab generated unauthorized traffic to illustrate how packets traverse an unfiltered network freely. As seen in Figure 8, the green arrow represents a legitimate SQL connection between a web server and database server in the test environment, while the red arrows show two different types of unauthorized traffic: a SQL injection attack and an ICMP connection between two internal systems.
Figure 8. Traffic Between Endpoints without Enforcement Point Protection
Source: Enterprise Strategy Group, 2017
ESG Lab then reran the test after enabling vArmour policies, including workload attributes for SQL traffic and a layer-7 policy to block ICMP via an access list. The policy was constructed to enable only necessary application traffic: only the web servers could query the SQL server. Since the physical server was not a web server, the physical server's SQL injection attack was automatically redirected to the Deception Point, as was the ICMP stream. This was accomplished without using signatures or detection logic. It was a simple firewall policy violation rule with a redirect-to-deception action rather than the simple deny rule a traditional firewall would use. This is an important distinction, as it means that valid traffic can't be accidentally intercepted by deception.
Figure 9. Traffic Between Endpoints with Inspection, Enforcement, and Deception
Source: Enterprise Strategy Group, 2017
ESG Lab also audited performance and scalability testing of DSS. vArmour Quality Assurance testing is executed for each major and minor release against individual elements and at the system level. Raw and application throughput is measured, as well as the supportable number of concurrent sessions and latency. Automation tests are executed against the system to measure the time needed to automatically micro-segment various numbers of workloads. Testing is performed using Ixia IxAutomate for UDP throughput and IxLoad for TCP and application throughput. ESG Lab analyzed the results of the most recent round of testing and the results are summarized here:
Table 1. Performance Data Published by vArmour QA
Enforcement Points as Tested on Inter-hypervisor VMware vSphere
  Concurrent Sessions per EP: 100,000
  UDP Throughput (Jumbo Frames, 9,018 Bytes): 19.96 Gbps
  UDP Throughput (1,518 Byte Frames): 9.75 Gbps
Enforcement Points as Tested on Intra-hypervisor VMware vSphere with TSO/LRO Enabled
  TCP Throughput (1,518 Byte Frames): 18.7 Gbps
  TCP Throughput (AppID): 18.7 Gbps
  UDP Throughput (Jumbo Frames, 9,000 Bytes): 19.5 Gbps
Fabric Scalability
  Concurrent Sessions: 102.4 million
  Number of Hypervisors: 1,024
  Number of Workloads Protected: 102,400
Source: Enterprise Strategy Group, 2017
It's important to note that these numbers represent approximately 5-10 Gbps of layer-7 traffic inspection and enforcement per vCPU. vArmour rightfully considers this a differentiator, considering that virtualized traditional NGFWs can require up to 16 vCPUs to support 10 Gbps.[4]
Why This Matters
When ESG asked 641 IT professionals and executives to identify the consideration that would be most important in justifying IT investments, improved security and risk management was the most cited response (34%).[5] As cybersecurity threats increase in frequency and sophistication, IT staffs and security teams must implement numerous security initiatives, many with manual processes, when the business and technical needs change. It's critical for the security system to rapidly adapt to the ever-changing needs of the business. To address these challenges, the security system must be intelligent, automated, and scalable.
ESG Lab validated that vArmour used a single global policy set to inspect traffic throughout all nodes in the distributed system. Policies were enforced correctly regardless of the location. ESG Lab also verified that vArmour could rapidly scale the environment from a security perspective to better align to the changing business requirements of the organization. As the environment grows—requiring more compute—and as hypervisors are added, vArmour can easily and automatically provision and deploy EPs to expand the existing vArmour DSS fabric.
ESG Lab validated the scalability and performance of vArmour DSS, confirming support for more than 100,000 concurrent sessions per Enforcement Point and 100 million concurrent sessions system-wide, with the ability to handle nearly 20 Gbps of traffic per Enforcement Point.
[4] Based on examination of data sheets and documentation of multiple vendors' virtual NGFW offerings.
[5] Source: ESG Research Report, 2017 IT Spending Intentions Survey, March 2017.
Automated and Extensible Segmentation
vArmour is an all-software, highly programmable platform designed to integrate into Development and Operations (DevOps) workflows for security automation. vArmour is built exclusively on open APIs that enable the platform to integrate into many types of systems of record. For example, ESG Lab looked at vArmour DSS integrations with third-party orchestration and provisioning systems such as vCenter, Cisco ISE, Puppet, and Chef. Likewise, vArmour DSS can integrate with SDNs such as Cisco ACI to provide stateful layer-7 visibility and segmentation, and dynamically consume policies defined in the Cisco Application Policy Infrastructure Controller (APIC). vArmour DSS can also send data to analytic systems such as SIEM tools. The extensibility of the API makes integration with third-party tools simple; a customer can create a Python script with a few RESTful API calls to vArmour and the other system.
ESG Lab Testing
vArmour can be integrated with any API-driven system of record to simplify policy automation. To validate this, we tested automated micro-segmentation and vCenter policy integration. We examined the configuration of a virtual development server for a credit card application called Dev_CCApp_DB. As shown in Figure 10, the Notes field contained the string FWPolicy=Dev,DBserver in the Annotations section of the vSphere configuration screen for this VM. Through a RESTful API integration, these fields are read into the DSS Policy Manager as a development system running a database server. The vArmour Director had a previously configured policy in place—Web2DB—to allow database servers such as Dev_CCApp_DB to connect to web servers. This integration enables a workflow where a new VM can be provisioned in vCenter, automatically micro-segmented, and associated with proper policy without any direct interaction from vArmour administrators to get the workload communicating and protected on the network.
Figure 10. Setting Workload Attributes in vCenter
Next, ESG Lab looked at address groups inside DSS to see how vArmour processes that information. As shown in Figure 11, vArmour DSS automatically recognizes Dev_CCApp_DB as part of the Dev and DBserver groups.
Figure 11. Workload Attributes Automatically Populated into vArmour DSS
To change the policy that was applied to Dev_CCApp_DB, ESG Lab clicked the Edit button for the Annotations section on the vCenter management screen, removed DBserver from the FWPolicy string (changing it to simply read FWPolicy=Dev), and clicked the OK button. When the vArmour Address Group screen refreshed, Dev_CCApp_DB disappeared from the list of DB servers with no other action required.
vArmour's RESTful APIs enable operators to build security into their automation workflows—examples include interacting with an incident response workflow for quarantining functionality, coordinating with a trouble ticketing system for automated workload provisioning, or integrating into an IP address management solution. ESG Lab also looked at examples of API integrations with orchestration systems and software-defined networks, specifically Cisco Identity Services Engine (ISE) and Cisco Application Centric Infrastructure (ACI). Cisco ISE security groups are automatically imported into vArmour DSS, as are ISE policies. When ESG Lab added a user to Active Directory and included her in an AD group, that user was automatically imported, included in the appropriate address group, and assigned security policies with zero administrator interaction.
ESG looked at how vArmour's integration with Cisco ACI provides scalable, stateful layer-7 segmentation to Cisco ACI. vArmour can consume policy defined in the Cisco APIC to dynamically and automatically integrate operational models while providing layer-7 visibility and control.
Integrated Deception Security Services
Deception security technologies represent a significant change in approach to network security. Instead of taking a reactive approach to defending a network, deception enables a proactive approach, where attackers and other bad actors are directed away from critical assets and toward virtual assets. An attacker's progress can be slowed, enabling the IT organization to identify the attackers and mitigate before they can reach any real assets.
Traditionally, deception is handled through honeypots—systems on the network that look valuable but aren't—and a trail is left by network administrators designed to lead attackers there. Generally, honeypots and their trails require time-consuming work to set up and maintain, and coverage is problematic, since attackers must be lured to them.
vArmour DSS Deception, an integrated security service of the vArmour distributed platform, uses global policies to enable deception. Two key use cases differentiate vArmour DSS deception:
• Unused IP addresses, at which no workload exists, that can be made to look like vulnerable workloads by redirecting traffic for them to a Deception Point.
• Existing real workloads like Active Directory servers or payment applications, where policies can be written to redirect attackers who try to access a real service or protocol that is not allowed to a Deception Point for further analysis of the attacker's intent.
In this way, a single Deception Point can fill the entire unused address space with the appearance of vulnerable workloads, as depicted in Figure 12, and direct attackers to them. The Deception Point itself is secured through vArmour micro-segmentation for added protection.
Why This Matters
Micro-segmentation enables organizations to granularly protect critical databases, application services like DNS and Active Directory, and compliance-bound workloads like PCI. Segmenting assets with policies that control communication has been in practice for more than a decade. Micro-segmentation is much more valuable because it frees organizations from the constraints of the underlying network and infrastructure. With traditional segmentation, operators can only control traffic based on IP address, port, or VLAN tag. Thus, an organization's architecture and security controls are dependent on their IP addressing and network design. With micro-segmentation, policies are applied at the workload level to every packet that enters or exits that workload, with no dependence on the network topology, the subnet, or the VLAN. This offers both tremendous flexibility and simplicity in terms of policy management and a powerful method of redesigning security controls without network or IP addressing changes.
ESG Lab verified that reassigning a vSphere client to a new segment, and therefore to a new policy, is as easy as changing one field on its management page, without intervention by a vArmour administrator. vArmour can support numerous orchestration and provisioning systems, systems of record, and software-defined networks such as vCenter, Puppet, Chef, and Cisco ISE as well as Cisco ACI.
When administrators include auto micro-segmentation as part of their vArmour configuration, new systems coming online can be automatically brought under management as quickly as they are brought online. This adds value for system administrators, who need not wait for security administrators to approve each system that comes online, and for security teams, who can be confident that appropriate security is being applied to these new systems.
ESG Lab Testing
ESG Lab began testing vArmour's deception features by verifying the openness of a test network. Two terminal windows were opened, one running a continuous tcpdump on a server called critical-asset on a simulated production network, and the other, on the development network, displaying a shell prompt. First, ESG Lab entered ping critical-asset to verify connectivity between the servers; the ICMP requests were shown in the tcpdump session and the ping returned successfully. Next, the network security tool nmap was invoked to detect ports open and listening on that server. As expected, a list of open ports appeared in the command-line session, and the tcpdump session showed the related server activity. Finally, ssh critical-asset opened a command line session to critical-asset, and that activity was also reflected in tcpdump.
Next, to begin to protect the network, a darknet was created on the entire 200.0.0.0/8 subnet containing about 16 million IP addresses. A darknet is a range of IP addresses in which no active services or servers reside; the range is used entirely for redirection to a vArmour Deception Point. This is a simple example of the use case defined above to increase the exposed synthetic attack surface. To accomplish this, ESG Lab clicked on the Create button on the Policy screen in vArmour Director Policy Manager, and entered the range of IP addresses for which a darknet should be created. Then a policy was created on the same screen so that any traffic originating at any source on the network targeted at the 200.0.0.0/8 subnet would be intercepted by vArmour and redirected to the Deception Point. Once the policy was enabled, the network was created. Thus, the network consisted of about 3,000 real active nodes and about 16 million synthetic nodes, obscuring valuable systems, workloads, and data from a network scan.
Next, additional policies were added to deny all connection attempts between development and production. In this configuration, a typical layer-7 firewall rule is created in a micro-segmentation environment. Then, ESG Lab re-initiated a ping critical-asset, and as that ran, vArmour Director was used to create a policy separating these two networks. Once the policies were in place, the pings began to fail. Network access between development and production was denied.
Figure 12. vArmour-protected Address Space with Deception Enabled
Source: Enterprise Strategy Group, 2017
After proper validation of the normal deny policy, we changed the policy action from deny to redirect—enabling deception. The policies were modified once again, this time to send the once-denied traffic to the Deception Point. As soon as this latest policy change was enabled, the ping picked up right where it had left off, making it appear as though production access had resumed. Running nmap critical-asset again returned a perfectly reasonable list of open ports, and ssh critical-asset appeared to log in to the server. During the ssh session, ESG Lab entered touch ./file to create a file, followed by the ls command to verify that the file had been created. It is worth noting that no additional tcpdump output had been generated since the first policies were enabled. All of this activity took place on the Deception Point, not on critical-asset. The real critical asset was protected behind the policy and not receiving any traffic whatsoever.
ESG Lab opened vArmour's Deception Manager Dashboard, as shown in Figure 14, to review the recent Deception Point activity. Clicking on Analytics brought up a screen that listed all recent authentication, port-scanning, and ssh login attempts. Clicking on the Log icon on the far right brought up detailed JSON-formatted log entries for each attempt, as shown in Figure 13. The log entries for the recent ssh session included details on the touch ./file command, including the full pathname of the file that was created, plus the ls command that was run immediately afterward. Finally, ESG Lab clicked the Quarantine button on the Deception Manager Dashboard to lock down the system from which the attacker gained access. Once the request was affirmed, that presumably compromised system was immediately cut off from all network contact.
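The policy behaviour exercised in the two tests above, as an added example that is not vArmour's code: a first-match policy evaluator over workload groups and layer-7 application IDs with allow, deny and redirect (to the Deception Point) actions, carrying the 200.0.0.0/8 darknet rule, the web-to-SQL allow rule from the earlier test, and the dev-to-prod rule flipped from deny to redirect. The host addresses, group ranges, and all rule names other than Web2DB are constructed.

```python
"""Added example (not vArmour code): a minimal model of segmentation plus deception
policy as the report describes it. Rules match on workload attributes and on the
application identified by inspection, never on the destination port."""
from __future__ import annotations

from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    app: str  # layer-7 application ID from inspection (e.g. "sql", "ssh", "icmp")


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow", "deny" or "redirect" (to the Deception Point)
    src_group: Optional[str] = None  # workload attribute the source must carry
    dst_group: Optional[str] = None  # workload attribute the destination must carry
    dst_net: Optional[str] = None    # CIDR the destination must fall in (darknet use case)
    app: Optional[str] = None        # required application ID; None matches any


# Constructed address groups (workload attribute -> address ranges). The report does
# not give its lab addressing, so these are placeholders.
GROUPS: dict[str, list[str]] = {
    "Webserver": ["10.1.1.0/24"],
    "DBserver": ["10.1.2.20/32"],
    "Prod": ["10.1.0.0/16"],
    "Dev": ["10.2.0.0/16"],
}


def in_group(ip: str, group: str, groups: dict[str, list[str]] = GROUPS) -> bool:
    addr = ip_address(ip)
    return any(addr in ip_network(net) for net in groups.get(group, []))


def matches(rule: Rule, flow: Flow, groups: dict[str, list[str]] = GROUPS) -> bool:
    """Every condition set on the rule must hold; unset conditions match anything."""
    if rule.src_group and not in_group(flow.src_ip, rule.src_group, groups):
        return False
    if rule.dst_group and not in_group(flow.dst_ip, rule.dst_group, groups):
        return False
    if rule.dst_net and ip_address(flow.dst_ip) not in ip_network(rule.dst_net):
        return False
    if rule.app and rule.app != flow.app:
        return False
    return True


def evaluate(rules: list[Rule], flow: Flow,
             groups: dict[str, list[str]] = GROUPS) -> tuple[str, str]:
    """First-match evaluation; returns (action, name of the rule that fired)."""
    for rule in rules:
        if matches(rule, flow, groups):
            return rule.action, rule.name
    return "deny", "implicit-deny"  # assumed fallback when no rule matches


# Policy in the order the report builds it: darknet redirect, the Web2DB allow rule,
# a dev->prod deny, and a catch-all violation rule whose action is redirect, not deny.
BASE_POLICY: list[Rule] = [
    Rule("darknet", "redirect", dst_net="200.0.0.0/8"),
    Rule("Web2DB", "allow", src_group="Webserver", dst_group="DBserver", app="sql"),
    Rule("Dev2Prod", "deny", src_group="Dev", dst_group="Prod"),
    Rule("violation", "redirect"),
]


def with_action(rules: list[Rule], name: str, action: str) -> list[Rule]:
    """Copy of the policy with one rule's action changed (the deny -> redirect step)."""
    return [replace(r, action=action) if r.name == name else r for r in rules]


if __name__ == "__main__":
    # Dev host pinging critical-asset in production: denied, then redirected.
    ping = Flow("10.2.0.5", "10.1.9.9", 0, "icmp")
    print(evaluate(BASE_POLICY, ping))
    print(evaluate(with_action(BASE_POLICY, "Dev2Prod", "redirect"), ping))
```

Because the catch-all sends every unmatched flow to the Deception Point, the report's claim that valid traffic cannot be intercepted by deception holds only when the allow rules cover all legitimate application flows, which is why the tap (learning) mode pass precedes enforcement.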
Figure 13. vArmour Deception Event Log
Source: Enterprise Strategy Group, 2017
Figure 14. vArmour DSS Deception Dashboard
Source: Enterprise Strategy Group, 2017
Why This Matters
Deception technology has been in the security administrator's toolbox since the 1990s, helping to slow down attackers, waste their time, and in some cases, give them worthless data. But setup and management of honeypots has always been very complicated, requiring ongoing maintenance of both the honeypot server and of the trail required to lead an attacker there. Thus, despite its potential value, deception tends to be underused in most organizations.
ESG Lab verified that vArmour has made deception much easier and more reliable. vArmour's unique placement of deception technology is distinctly different from legacy deception methods. Instead of requiring a maintained trail of "breadcrumbs" that will hopefully lead an attacker to a honeypot, global policies can be used to transparently redirect attackers to a Deception Point. These servers run a full version of Linux, supporting a variety of standard services, and appear to be a worthwhile target to an attacker. vArmour DSS Deception allows security administrators to truly confuse and fool an attacker, while carefully monitoring progress, offering no data of value, and protecting the real network from further incursions. It's important to note that vArmour's architecture and methodology allow organizations to cover an entire network with deception services using a single Deception Point.
The Bigger Truth
In ESG's 2017 IT Spending Intentions Survey, 39% of organizations that are prioritizing cybersecurity initiatives in 2017 expect to allocate funding to fortifying network security, making it the most cited response. In the same survey, 45% of organizations report a problematic shortage of cybersecurity skills. This threatens their ability to execute on the implementation of these projects. Smart organizations will consider both investing in skills development and seeking products that improve operational efficiency.
vArmour DSS is a distributed platform with integrated security services for the modern cloud and data center. It delivers software-based, application-aware segmentation, micro-segmentation, monitoring, centralized policy modeling, and cyber deception designed to help organizations protect critical applications and workloads. Providing API-driven, distributed, and agent-less security engineered to protect workloads and applications in physical, virtual, cloud, and container environments, vArmour DSS is agnostic to the underlying infrastructure. vArmour's APIs allow integration with a variety of third-party orchestration tools, systems of record, and other custom integrations.
Since ESG first tested vArmour in 2015, the platform has matured and evolved quite a bit, with numerous new capabilities and enhancements. In this round of testing, ESG Lab validated that vArmour DSS can be installed and providing layer-7 application identification, inspection, and protection of workloads in less than an hour on any combination of physical, virtual, cloud-based, or container-based platforms. ESG Lab also saw vArmour global policy objects protect physical and virtual workloads, providing consistent, automated policy enforcement across heterogeneous environments.
ESG Lab also validated the scalability and performance of vArmour DSS, confirming support for more than 100,000 concurrent sessions per Enforcement Point and 100 million concurrent sessions system-wide, with the ability to handle nearly 20 Gbps of traffic per Enforcement Point.
ESG Lab verified that reassigning a vSphere client to a new segment, and therefore to a new policy, is as easy as changing one field on its management page, without intervention by a vArmour administrator. vArmour supports numerous orchestration and provisioning systems including vCenter, Puppet, Chef, and Cisco ISE as well as Cisco ACI.
vArmour has made deception much easier to execute and more reliable too. vArmour DSS can use global policies to transparently redirect attackers to Deception Points where they are presented with interactive services corresponding to the attempted connection, all interactions are captured, and alerts are generated that enable rapid identification and mitigation of attacks.
ESG Lab believes that the vArmour DSS Distributed Security System offers an approach that has already begun to change the way organizations think about protecting their virtual, cloud, and physical assets. vArmour DSS provides simple, scalable, cost-effective security and visualization via automated coarse-grained and micro-segmentation and innovative deception techniques. Organizations working toward simplifying their security operations while improving their network and application controls and their overall security posture would do well to take a close look at vArmour DSS.
Appendix
Table 2. ESG Lab Test Bed
vArmour Fabric Components (Version)
  vArmour Director: 3.1
  vArmour Enforcement Point (EP): 3.1
  vArmour Deception Point (DP): 3.1
Analytics (Version)
  vArmour Analytics: 3.1
All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at 508.482.0188.
www.esg-global.com [email protected] P. 508.482.0188
Enterprise Strategy Group is an IT analyst, research, validation, and strategy firm that provides market intelligence and actionable insight to the global IT community.