
BreakingPoint & Juniper RSA Conference 2011 Presentation: Securing the High Performance Cloud

Jul 02, 2015


Ixia

BreakingPoint and Juniper presentation "Practical Advice for Securing the High Performance Cloud" at the 2011 RSA Conference.
Transcript
Page 1: BreakingPoint & Juniper RSA Conference 2011 Presentation: Securing the High Performance Cloud

Practical Advice for Securing the High-Performance Cloud
February 16th at 4:30 PM

Page 2

You Deal With An IT Firestorm Every Day…

Page 3

…And Now You Are Moving To The Cloud


Can you stay compliant?

Will it be secure?

Will it remain high-performing?

Page 4

Market Dynamics

• 50% of the world's workloads will be virtualized by 2012
• 37% of large enterprises expect to adopt IaaS (cloud) in the next year
• Security is a top concern for virtualization adoption
• Virtualization is near de-facto architecture for clouds

Sources cited on the slide: CDW Survey, Yankee Group, Gartner, GigaOM

Page 5

The Challenge & Opportunity

Page 6

How Is Virtualization Different?

Page 7

Virtualization/Cloud Security Challenges

• Monitoring and auditing breaks
 – Physical security is blind to traffic
 – VMs can "move" to low trust zones

• Continuous enforcement is very difficult
 – VMs replicate on a click and sprawl
 – VM users can self-provision
 – "Bad" configurations proliferate easily

• Separation of duties is lost
 – Server, network boundaries are blurred
 – Unified administration gives too

• Least privilege access policy enforcement is lost
 – VM access patterns can change with "migration"
 – Too much change means errors

Page 8

Goal: Enable Cloud/Retain Control

VLANs and physical firewalls:
1. VLANs offer no granular security
2. Physical FWs are expensive

Agent-based security:
1. Agents are very costly to manage
2. Significant perf degradation

Hypervisor-based security:
1. Superior security
2. "Wire-line" perf
3. Minimal overhead
4. 10x cost reduction

Page 9

The Ideal Mix: Hypervisor-Based Security

1. Using a custom kernel module, enforcement embeds into the ESX hypervisor in "fast path" mode
2. All packets flow through the hypervisor-embedded security engine

Page 10

vGW & The Hypervisor-based Architecture

Enterprise-grade
 – VMware "VMsafe Certified"
 – Protects each VM and the hypervisor
 – Fault-tolerant architecture (i.e. HA)

Virtualization Aware
 – "Secure VMotion" scales to 1,000+ ESX
 – "Auto Secure" detects/protects new VMs

Granular, Tiered Defense
 – Stateful firewall and integrated IDS
 – Flexible Policy Enforcement – Zone, VM group, VM, Application, Port, Protocol, Security state

[Diagram: Security Design for vGW. Components shown: the vGW engine running in the ESX kernel on the ESX host, the VMware DVFilter layer, the VMware vSwitch or Cisco 1000V, the hypervisor, guest VMs VM1/VM2/VM3, the Virtual Center VM, and a partner server (IDS, SIM, Syslog, Netflow) receiving packet data from the engine.]
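The policy dimensions on this slide (zone, VM group, port, protocol, security state) are what let a hypervisor-based firewall keep enforcing after the "migration" and "low trust zone" moves listed on page 7. The following is an added example, not vGW code, that evaluates a small attribute-based policy beside a VLAN-pair policy to show the difference; the VM names, groups, zones and rules are constructed for the illustration.

```python
"""Per-VM, attribute-based policy evaluation (added example, not vGW code).

Rules match on attributes of the VM itself (group, security state) and of the
flow (port, protocol), so the decision follows the VM when it migrates and can
be revoked when an IDS marks it compromised. A VLAN-pair policy is evaluated
alongside it to show why network location alone cannot tell two VMs on the
same segment apart. All names, groups and zones here are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class VM:
    name: str
    group: str                      # workload role, e.g. "web", "db", "dev"
    zone: str                       # trust zone / VLAN the VM currently sits in
    host: str                       # ESX host currently running the VM
    security_state: str = "clean"   # "clean" or "quarantined" (set by an IDS)


@dataclass
class Flow:
    src: VM
    dst: VM
    dport: int
    proto: str


@dataclass
class Rule:
    name: str
    action: str                     # "allow" or "deny"
    src_group: Optional[str] = None
    dst_group: Optional[str] = None
    dport: Optional[int] = None
    proto: Optional[str] = None
    src_state: Optional[str] = None

    def matches(self, f: Flow) -> bool:
        # A None field is a wildcard; every field that is set must match.
        wanted = [
            (self.src_group, f.src.group),
            (self.dst_group, f.dst.group),
            (self.dport, f.dport),
            (self.proto, f.proto),
            (self.src_state, f.src.security_state),
        ]
        return all(w is None or w == got for w, got in wanted)


VM_POLICY: List[Rule] = [
    # Security-state rule first: a quarantined VM loses all access regardless
    # of its group, the port, or where it currently runs.
    Rule("quarantine", "deny", src_state="quarantined"),
    Rule("web-to-db", "allow", src_group="web", dst_group="db",
         dport=3306, proto="tcp"),
]

# Location-only policy: (src zone, dst zone) pairs allowed on given port/proto.
VLAN_POLICY = {("dmz", "prod"): {(3306, "tcp")}}


def evaluate_vm_policy(f: Flow) -> Tuple[str, str]:
    """First matching rule wins; anything unmatched is denied."""
    for r in VM_POLICY:
        if r.matches(f):
            return r.action, r.name
    return "deny", "implicit-deny"


def evaluate_vlan_policy(f: Flow) -> str:
    allowed = VLAN_POLICY.get((f.src.zone, f.dst.zone), set())
    return "allow" if (f.dport, f.proto) in allowed else "deny"


def migrate(vm: VM, host: str, zone: str) -> None:
    """vMotion: host and zone change, but group and security state travel
    with the VM, which is what the VM policy keys on."""
    vm.host, vm.zone = host, zone


def scenario() -> Dict[str, Tuple[str, str]]:
    web = VM("web01", "web", "dmz", "esx-01")
    dev = VM("dev01", "dev", "dmz", "esx-01")   # shares the DMZ VLAN with web01
    db = VM("db01", "db", "prod", "esx-02")
    out: Dict[str, Tuple[str, str]] = {}

    web_db = Flow(web, db, 3306, "tcp")
    dev_db = Flow(dev, db, 3306, "tcp")
    # Same VLAN pair, so the location-based policy cannot separate them...
    out["vlan web->db"] = (evaluate_vlan_policy(web_db), "vlan-pair")
    out["vlan dev->db"] = (evaluate_vlan_policy(dev_db), "vlan-pair")
    # ...while the group-based policy does.
    out["vm web->db"] = evaluate_vm_policy(web_db)
    out["vm dev->db"] = evaluate_vm_policy(dev_db)

    # web01 is vMotioned to another host and zone: the VLAN rule no longer
    # fits (prod->prod is not listed) but the group rule still applies.
    migrate(web, "esx-03", "prod")
    out["vlan web->db after migration"] = (evaluate_vlan_policy(web_db), "vlan-pair")
    out["vm web->db after migration"] = evaluate_vm_policy(web_db)

    # The IDS flags web01: its security state changes and access is cut.
    web.security_state = "quarantined"
    out["vm quarantined web->db"] = evaluate_vm_policy(web_db)
    return out


if __name__ == "__main__":
    for label, (action, rule) in scenario().items():
        print(f"{label:32s} {action:5s} ({rule})")
```

The first-match order matters: the quarantine rule sits above every allow so that a state change from the IDS overrides group membership without editing the other rules.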

Page 11

Traditional Cloud Validation Approach

[Diagram: application traffic test software driving traffic through a firewall, router, IPS, load balancer, switch and SSL accelerator to a virtual or physical server, server farm or data center.]

• 100-1000+ servers
• $ Millions in software licenses
• Multiple products with separate interfaces
• Many disassociated reports
• No security validation

• High total cost of ownership
• Limited performance
• Doesn't effectively stress infrastructure
• Inaccurate and error-prone
• Complex and labor intensive

Page 12

BreakingPoint's Approach

• Stresses infrastructure with a mix of stateful application traffic
• Validates performance/effectiveness under extreme load conditions
• Validates the integrity of server transactions
• Integrates security for the ability to assess performance under attack

Page 13

Questions and Answers