
HP Networking Secure Virtualisation Framework

Nov 18, 2014


Secure Virtual Framework (SVF) for secure private and public cloud computing

This session presents SVF as a solution for securing consolidating data centers. Through virtualisation-specific security challenges and solution examples, you will learn how SVF converges virtualisation, networking and security technologies to accelerate virtualisation and improve security for public and private cloud computing.

A key take-away from this session will be a better understanding of how a converged solution increases security and automation throughout the data center, while reducing complexity and costs.
Transcript
Page 1: HP Networking Secure Virtualisation Framework

SECURE VIRTUAL FRAMEWORK

Glen Gibson, Solution Architect – HP ESSN

Gary Boniface, Solution Architect - HP TippingPoint

Page 2: HP Networking Secure Virtualisation Framework

TECH AT WORK 2011 -- AGENDA

– DataCenter Trends => Cloud Computing

– HP Intrusion Prevention Systems Overview

– Virtual Visibility Gap

– vController Technology

– Automated Policy Enforcement

– VMware Partnership

Page 3: HP Networking Secure Virtualisation Framework

DATA CENTER TRENDS

Past: Dispersed, Physical. Connect everyone to everything.

Present & Future: Virtualisation, Blades, Increased Bandwidth. Do more with less.

Efficiency Drives Consolidation

[Chart: Total vulnerabilities per year, OSVDB data, 2000 to 2010; y-axis 0K to 11K]

Over the last 5 years, on average roughly 8k vulnerabilities are disclosed each year.

Flawed software is developed almost daily.

Page 4: HP Networking Secure Virtualisation Framework

HP CLOUDSYSTEM: INTEGRATED SYSTEM, PROVEN TECHNOLOGY

[Diagram: HP CloudSystem building blocks: HP 3PAR, HP Cloud Service Automation, HP BladeSystem Matrix, plus HP Networking, with Service Provider Enhancements; labelled capabilities: securing physical & virtual, scalable utility storage, high performance fabric, mission critical computing, SaaS aggregation]

Page 5: HP Networking Secure Virtualisation Framework

WHY NIPS?

Layer 3-4 filters are not enough to block common attacks.

[Diagram: Internet, FW, DMZ, FW, LAN; NIPS placed between Security Zone 1, Security Zone 2 and Security Zone 3]

Page 6: HP Networking Secure Virtualisation Framework

WHY NIPS?

Layer 3-4 filters are not enough to block common attacks.

[Diagram: Remote router, LAN switch, Production; NIPS placed between Security Zone 1, Security Zone 2 and Security Zone 3]

Page 7: HP Networking Secure Virtualisation Framework

WHY NIPS?

Layer 3-4 filters are not enough to block common attacks.

[Diagram: Guest OS 1, Guest OS 2 and Guest OS 3 - n attached to vSwitches; NIPS placed between Security Zone 1, Security Zone 2 and Security Zone 3]

Page 8: HP Networking Secure Virtualisation Framework

HP TIPPINGPOINT DVLABS LEADS THE INDUSTRY

Security research with real-world application

[Charts: Cumulative vulnerability discoveries (September 2005 to December 2010); 2010 vulnerability discoveries]

Page 9: HP Networking Secure Virtualisation Framework

HP TECHNOLOGY@WORK 2011 -- THE INSTANT-ON ENTERPRISE IS HERE

VIRTUAL SECURITY GAP

Page 10: HP Networking Secure Virtualisation Framework

THE VIRTUAL NETWORK VISIBILITY GAP

[Diagram: three virtualised hosts, each running VMs (App on OS), with VMs moved to a separate site; callouts 1 to 4 refer to the points below]

Hypervisor Security

– Mission critical

Host to Host Threats

– Can't deploy IPS in front of every server

VM to VM Threats

– Virtual trust zones

– Traffic does not enter the physical network for inspection

– A victim VM can attack other VMs

VM Mobility

– vMotion launches VMs in separate sites for DR

– Physical IPS options are cost prohibitive for these uses

Page 11: HP Networking Secure Virtualisation Framework

SECURE VIRTUALISATION FRAMEWORK (SVF)

VMC Components

– vController

– Virtual Management Center (vMC)

– IPS Platform

Flexibly inspect data in both the physical and virtual DC.

Single set of security policies for entire DC protection.

[Diagram: TippingPoint IPS and VMC alongside VMware vCenter; on each ESX virtual host the hypervisor's VMsafe kernel module applies a redirect policy at the vSwitch between the application VMs (App on OS) and the vController service VM]

Page 12: HP Networking Secure Virtualisation Framework

SECURE VIRTUALISATION FRAMEWORK (SVF)

[Diagram: TippingPoint IPS, VMC and VMware vCenter; hypervisor with VMsafe kernel module, vSwitch redirect policy, application VMs (App on OS) and the vController service VM]

Page 13: HP Networking Secure Virtualisation Framework

TIPPINGPOINT VMC: It's all about the inspection policies

• Assign policies by VM and/or zone, not location or network connection

• Automate trust zone assignment for new or untrusted workloads

• Ensure policies follow VM regardless of state (in motion, powered on, powered off)

• Cloned VMs must automatically inherit parent policies

Page 14: HP Networking Secure Virtualisation Framework

VQL BASED TRUST ZONE DEFINITION

Example – cardholder data environment

– Automated and highly scalable zone/policy definition

• All VMs residing on datastore 'pci_ide' in zone

• Zone/Policy definitions follow VMs throughout lifecycle

– Visualise security policies

• VMs in 'pci_cde' zone prohibited from communicating with 'dmz' zone VMs

• VMs within 'pci_cde' are allowed to communicate


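The policy model on the VMC and VQL slides (zones derived from VM attributes rather than location, policies that follow a VM through vMotion and cloning, and zone-pair rules such as pci_cde to dmz being prohibited) can be modelled in a few lines. This is an added illustration, not HP/TippingPoint code; the deck does not show VQL syntax, so zone queries are written as plain Python predicates, and the 'dmz_store' datastore and the default-deny for unzoned workloads are assumptions for the example.

```python
# Added illustration (not HP/TippingPoint code): attribute-based trust zones
# and zone-pair policy as described on the VQL slide. The deck does not show
# VQL syntax, so zone queries are modelled here as plain Python predicates.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class VM:
    name: str
    host: str                       # ESX host the VM currently runs on
    datastore: str
    zones: frozenset = frozenset()  # filled in by assign_zones()


# Zone definitions keyed on VM attributes, never on host, VLAN or location.
ZONE_QUERIES = {
    "pci_cde": lambda vm: vm.datastore == "pci_ide",    # datastore name from the slide
    "dmz":     lambda vm: vm.datastore == "dmz_store",  # constructed for the example
}

# Zone-pair policy from the slide: pci_cde <-> dmz prohibited, intra-zone allowed.
DENIED_PAIRS = {frozenset({"pci_cde", "dmz"})}


def assign_zones(vm: VM) -> VM:
    """Evaluate every zone query against the VM's attributes."""
    return replace(vm, zones=frozenset(z for z, q in ZONE_QUERIES.items() if q(vm)))


def migrate(vm: VM, new_host: str) -> VM:
    """vMotion: only the host changes, so zone membership travels with the VM."""
    return replace(vm, host=new_host)


def clone(vm: VM, new_name: str) -> VM:
    """A clone inherits the parent's attributes and therefore its zones."""
    return replace(vm, name=new_name)


def allowed(src: VM, dst: VM) -> bool:
    """Decide a VM-to-VM flow from zone membership alone.

    Assumption (not stated on the slide): a workload in no zone is treated as
    untrusted and denied until the automated zone assignment has classified it.
    """
    if not src.zones or not dst.zones:
        return False
    return all(frozenset({s, d}) not in DENIED_PAIRS
               for s in src.zones for d in dst.zones)
```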
Page 15: HP Networking Secure Virtualisation Framework

VMWARE CERTIFIED

VMware VMsafe Hypervisor Integration

– vController is fully integrated with VMware vSphere using the VMsafe API

VMware vCenter Integration

– VMC is fully integrated with VMware's vCenter management console

Certified "VMware Ready"

– Supports VMware vSphere 4 (ESX / ESXi 4)

Page 16: HP Networking Secure Virtualisation Framework

DEMO

Page 17: HP Networking Secure Virtualisation Framework

HP TECHNOLOGY@WORK 2011 -- THE INSTANT-ON ENTERPRISE IS HERE

HP TIPPINGPOINT AND

VMWARE PARTNERSHIP

Page 18: HP Networking Secure Virtualisation Framework

HP TippingPoint and VMware Strategic Partnership

FEBRUARY 15 ANNOUNCEMENT

Strategic Development Partnership

VMware: #1 Virtualization Platform

HP TippingPoint: #1 Security Research/Architecture

Virtual Security Solutions today with vController and vShield

Building Next Generation Security APIs for Cloud Environments

Today:

HP TippingPoint's vController and VMware's vShield protect today's virtual environments.

Tomorrow:

HP TippingPoint and VMware jointly develop next generation security APIs to protect complex cloud environments.

Page 19: HP Networking Secure Virtualisation Framework

HP TIPPINGPOINT & VMWARE: SECURE THE CLOUD

[Diagram: Traditional IT, Private Cloud, Public Cloud and Hybrid Cloud; VMware vSphere and vShield; HP TippingPoint Network Intrusion Prevention labelled Best of Breed, Ubiquitous, Pervasive; Anchored Enterprise to Instant-On Enterprise]

Page 20: HP Networking Secure Virtualisation Framework

HP TECHNOLOGY@WORK 2011 -- THE INSTANT-ON ENTERPRISE IS HERE

NEXT STEPS

Visit: The Cloud System Feature

Engage: See the HP Rep at rear of clinic

Seek more: Request follow up via Eval Form

Re-Live: www.hp.com.au/taw11post

Page 21: HP Networking Secure Virtualisation Framework

HP TECHNOLOGY@WORK 2011 -- THE INSTANT-ON ENTERPRISE IS HERE

QUESTIONS?

Page 22: HP Networking Secure Virtualisation Framework

VIRTUAL CONNECT – MAPPED & TUNNELED VLANS

Eg: Mapped Mode

[Diagram: server blades with vNICs on VID 40, VID 50 and VID 60 and a vSwitch with pNICs; VC Ethernet modules with shared uplink sets (SUS), vNet-In, vNet-Out, vNet2 and vNet3 (VID 20, VID 30, UT), and multiple vNets for VIDs 40,50,60; uplinks T-40,50,60, T-40,50,60,190,191, T-190 and T-191 to the Top of Rack Switch carrying tagged multiple VLANs]

Page 23: HP Networking Secure Virtualisation Framework


VCONTROLLER

Page 24: HP Networking Secure Virtualisation Framework


VCONTROLLER

Page 25: HP Networking Secure Virtualisation Framework


VCONTROLLER

Page 26: HP Networking Secure Virtualisation Framework
Page 27: HP Networking Secure Virtualisation Framework

HP TECHNOLOGY@WORK 2011 -- THE INSTANT-ON ENTERPRISE IS HERE