BreakingPoint & Juniper RSA Conference 2011 Presentation: Securing the High Performance Cloud

Practical Advice for Securing the High-Performance CloudFebruary 16th at 4:30 PM

You Deal With An IT Firestorm Every Day…

…And Now You Are Moving To The Cloud

3

Can you stay compliant?

Will it be secure?

Will it remain high-performing?

Market DYNAMICS

50% of the world’s workloads will be virtualized by 2012

–CDW Survey

–Yankee Group

37% of large enterprises expect to adopt IaaS (cloud) in the next year

Security is a top concern for virtualization adoption

Virtualization is near de-facto architecture for clouds

–Gartner

–GigaOM

5

The Challenge & Opportunity

Page 6

How IS virtualization Different

Page 7

Virtualization/Cloud Security Challenges

• Monitoring and auditing breaks– Physical security is blind to traffic– VMs can “move” to low trust zones

• Continuous enforcement is very difficult– VM replicate on a click and sprawl– VM users can self provision– “Bad” configurations proliferate easily

• Separation of duties is lost– Server, network boundaries are blurred– Unified administration gives too

• Least privilege access policy enforcement is lost– VM access patterns can change with “migration”– Too much change means errors

Page 8

Goal: Enable Cloud/Retain Control

1. VLANs offer no granular security

2. Physical FWs are expensive

1. Agents are very costly to manage

2. Significant perfdegradation

1. Superior security2. “Wire-line” perf3. Minimal

overhead4. 10x cost

reduction

Page 9

The IDEAL MIX: Hypervisor-BASED Security1. Using a custom kernel enforcement embeds into the ESX hypervisor in “fast path” mode 2. All packets flow through the hypervisor-embedded security engine

vGW & The Hypervisor-based Architecture

Enterprise-gradeVMware “VMsafe Certified”Protects each VM and the hypervisorFault-tolerant architecture (i.e. HA)

Virtualization Aware“Secure VMotion” scales to 1,000+ ESX“Auto Secure” detects/protects new VMs

Granular, Tiered DefenseStateful firewall and integrated IDSFlexible Policy Enforcement – Zone, VM group, VM, Application, Port, Protocol, Security state

THE vGW ENGINE

Virtual Center VM

VM1 VM2 VM3

Partner Server(IDS, SIM,

Syslog, Netflow)

Packet Data

VMWARE DVFILTER

VMWARE VSWITCH OR CISCO 1000V

HYPERVISOR

ESX Kernal

ESX H

ost

Security Design

for VGW

Traditional Cloud Validation Approach

Application TrafficTest Software

FirewallRouter IPS

Load Balancer

Switch

SSL Accelerator

Virtual or Physical Server, Server

Farm, Data Center

• 100-1000+ servers• $ Millions in software licenses• Multiple products with

separate interfaces• Many disassociated reports • No security validation

• High total cost of ownership• Limited performance• Doesn’t effectively stress

infrastructure• Inaccurate and error-prone• Complex and labor intensive

BreakingPoint’s Approach• Stresses infrastructure with mix of stateful application traffic • Validates performance/effectiveness under extreme load conditions • Validates the integrity of server transactions• Integrates security for ability to assess performance under attack

Questions and Answers

13