Infrastructure Consolidation: Understanding the security obstacles moving to Phase 2 Virtualization

Dec 19, 2015

Page 1: Infrastructure Consolidation : Understanding the security obstacles moving to Phase 2 Virtualization.

Infrastructure Consolidation: Understanding the security obstacles moving to Phase 2 Virtualization

Page 2

Agenda

Presentation:
– Defining the Problem
– How is virtualization impacting our security?
– Moving to Phase 2 Virtualization
– Best practices

Open Discussion

Page 3

Defining the Problem

Page 4

Business Impact on 2009 IT

[Bar chart, axis 0% to 60%. Values per category: Total (N=492) / Enterprise (1,000 employees or more, N=305) / Midmarket (100 to 999 employees, N=187)]

New collaborative tools and business processes utilizing Web 2.0 technologies such as blogs, wikis, social networking services, etc.: 12% / 12% / 11%
International expansion: 13% / 13% / 13%
Research and development innovation/improvement: 16% / 13% / 21%
“Green” initiatives related to energy efficiency and/or reducing company-wide environmental impact: 19% / 20% / 18%
Improved business intelligence and delivery of real-time business information: 21% / 22% / 20%
Business growth via mergers, acquisitions, or organic expansion: 22% / 24% / 19%
Regulatory compliance: 24% / 27% / 19%
Security/risk management initiatives: 25% / 25% / 25%
Business process improvement initiatives: 31% / 34% / 27%
Cost reduction initiatives: 54% / 54% / 54%

Page 5

External forces are driving changes

© 2009 Crossbeam Systems

Diversity of users accessing on-line business services

Dramatic growth in number of financially driven security threats from around the globe

Increased growth of bandwidth on the network

Page 6

It’s all about Risk Mitigation

Affordable malware tools are spawning a sophisticated hacker business community

2008 saw more Malware than the past 20 years combined

Page 7

© 2008 Crossbeam Systems

Data is at Risk from all Vectors

Data is the most exposed attack surface

Can be reached by multiple attack vectors

“Defense in Depth” is no longer adequate

Vulnerabilities can exist in any area – look for the weakest link

Page 8

Amount of Data is compounding the problem


Half a Zettabyte will cross the Internet in 2012

Analysis & Detection is increasingly expensive

Page 9

To combat this, a huge number of security segments are being created

1999: Simple Perimeter Security
– Internal
– DMZ

2004: Multi-Zone Perimeter Security
– Internal
– DMZ 1
– DMZ 2
– DMZ 3

2009: Distributed Perimeter Security
– Partner 1 DMZ 2
– Division X DMZ 5

Page 10

Security Perimeters will continue to shrink and provide security between “Trust Boundaries”

1 Security Perimeter

3 Security Perimeters

9 Security Perimeters

N Security Perimeters


But Perimeters Continue to Shrink

Page 11

Web Servers

Risk Level: Low

Risk Level: Medium

Application Servers

Risk Level: High

Database Servers


Securing Trust Boundaries

Page 12

Expensive to architect perimeters with different security levels

Expensive to manage rule / topology changes

Necessary.. BUT Complex

Page 13

Applying Trust Boundaries was managed through physical separation of servers

Level 1 (Web Servers)

Level 3 (PeopleSoft)

Level 2 (Oracle)

Level 4 (Database)


Was simple in the physical world

Page 14

Architecture provided monitoring between Trust Boundaries

Level 1

Level 3

Page 15

How about Virtualization?

Page 16

Virtualization – A great Tool..?

20%

20%

20%

Server 1

Server 2

Server 3

Virtualized Server

80%

Dramatically improved server utilization, power, cooling, space

Page 17

Let’s Virtualize EVERYTHING!


“Everything should be made as simple as possible, but no simpler”

Albert Einstein

Page 18

Huge Server Virtualization Usage

[Bar chart, axis 0% to 60%. Values per category: Midmarket (100-999 employees, N=180) / Enterprise (1,000 employees or more, N=292)]

Using virtualization in production environment: 32% / 54%
Using virtualization in test environment only: 24% / 24%
Have not yet deployed virtualization but plan to: 21% / 14%
Have not deployed virtualization and have no current plans to: 23% / 9%

Page 19

Server Virtualization

Is IT Infrastructure safe when virtualized?

eCommerce Web Site

Customer Credentials

Product Database

Credit Card System

Page 20

“I’ll surround it with a lot of security…”


How do I protect it?

Page 21

What happens if a worm breaks the perimeter?

Page 22

Host OS

Hypervisor

Guest OS

Guest OS

Guest OS

Vulnerabilities in the underlying OS?

Gaining access between the Guest and the Host?

How robust is the hypervisor?

Is this really a THREAT?

Capturing data between VMs – Man in the Middle Attacks?

Page 23

Potentially….

But that is not the biggest problem!

Page 24

Virtualization Phase 2

Page 25

Top Server Virtualization Initiatives for 2009

[Bar chart, axis 0% to 45%]

Purchase third-party management software for virtual environments: 12%
Deploy a storage virtualization solution to support virtual server environment: 16%
Integrate virtual environments into existing management software frameworks: 17%
Implement virtual machine mobility / HA (high availability) functionality: 18%
Move more applications from test/development to production environment: 21%
Improve operational processes for managing virtual environments: 21%
Improve backup and recovery of virtual machines: 24%
Make use of virtual machine replication for disaster recovery: 31%
Expand number of applications running on virtual machines: 38%
Consolidate more physical servers onto virtualization platforms: 39%

Page 26

Transitioning from Phase 1 to 2

Phase 1 – Basic Workload Reduction / Phase 2 – Enterprise Efficiency

Virtualization unit: Server / Application
Primary skill set: Server administration / Server, application, database, networking, security, storage . . .
Networking: Simple virtual to physical / More complex physical and virtual connectivity with L2 and L3 virtualization
L4-L7 services: Single or multiple physical domains / Multiple virtual domains
Security: Single or multiple physical domains / Multiple virtual domains

Page 27

What are the problems to be solved in moving to phase 2?

Page 28

Still need to manage security between Trust Boundaries with the Virtual Infrastructure


How do you add security protection between services running on the same hardware?

Page 29

Should we load a Virtual Security Appliance (VA) on each server?

Page 30

What happens when you have hundreds of servers…

Page 31

What happens when a SysAdmin spins down or moves a Virtual Appliance accidentally or maliciously?

Page 32

What is the process to manage multiple VAs between VMs between Trust Boundaries?


Firewall

IPS

Web Application Firewall

Database Firewall

--- Trust Levels ---

Page 33

How do we achieve the right level of visibility between trust boundaries when applications are virtualized?

Page 34

Just ensure you have assigned the correct Ethernet port to the trunked VLAN and have enabled the right security services to secure Trust Boundaries between the right Virtual machines and tap the right VM to monitor the traffic

Page 35

Best Practices

Page 36

We need centralized “process-driven” control of security services between trust boundaries

Page 37

That’s as easy to change as sliding in a server

Page 38

Can enforce Trust Boundary policies with any combination of security services

Page 39

Can monitor any traffic between any trust boundaries with a click of a mouse

Page 40

What’s Needed for Network Security?

Simple configuration management
– Implementation, moves-adds-changes

Virtual security stacks
– Defenses based upon asset value and risk
– Customized protection
– Any-to-any secure connectivity rules set

Integrated networking
– Switching, routing, load balancing . . .

Graceful scalability
– Support 100s of trust zones

End-to-end visibility
– Common logging service
– Security reporting and analytics

Page 41

Implementation Possibilities

Requirement: Virtual appliances / Physical appliances

Simple management and operations: No / No
Virtual security stack: Some / No
Integrated networking: No / Sometimes
Graceful scalability: No / No
End-to-end visibility: No / No

Page 42

Another Alternative

Network Security Platforms?
– Carrier-class design
– Massive amount of hardware
– Multiple security services
– Integrated networking
– Scalable OS, networking, security, etc.
– Simple configuration management
– Built for network business processes

Page 43

How would a “Network Security Platform” help?

Page 44

Virtualizes Services together by RISK LEVEL

Applications Servers

Database Servers

Web Servers

Maintain 99%+ efficiency from virtualization

Page 45

Clients

Insert Network/Security Platform like Crossbeam

Applications Servers

Database Servers

Web Servers

Create a security architecture for virtualized applications

Page 46

FW

Policy-Driven security services between Trust Boundaries

Applications Servers

Database Servers

Web Servers

Page 47

FW IPS WAF

Centrally manage, enforce and change whenever you need

Applications Servers

Database Servers

Web Servers

Page 48

IPS

Client

Easily apply monitoring taps between trust boundaries

Applications Servers

Database Servers

Web Servers

Page 49

To-Do

Physical to virtual planning
– Network, VM hosting, security
– Determine skills weaknesses

Map security zones
– Understand all threat vectors and vulnerability to data
– VLANs
– Traffic
– Services

Create security/networking profiles
– Align with other IT skills

Assess management needs
– RBAC (Role-based access control), alerts, reports . . .

Page 50

A bit about Crossbeam…

Page 51

Crossbeam Systems

What We Do
– Crossbeam delivers a scalable, high-performance, open network security platform that allows large enterprises and carriers to
  – Consolidate security appliances and networking equipment
  – Virtualize implementation of security services
  – Choose security applications from best of breed ISVs

Proven Track Record
– Over 860 global customers
– Experience re-architecting security infrastructure for the global 2000
– Strong and sustained year / year revenue growth 56%
– Combined engineering innovation capacity of 3,100 engineers

Page 52

Crossbeam Approach… The Next Generation Security Platform

FW

Internet

IPS

L2

L2

LB

LB

LB

LB

Network Processor Modules – Policy switching, load balancing

Application Processor Modules – Virtualized security application delivery

Control Processing Modules – High availability monitoring, fail over, self-healing

Page 54

XOS™ Software Architecture

Virtualized load-balancing

Virtual Application Processing

SecureFlow

Processing

Distributed Flow Management

Serialization

Parallelization

DoS Protection

Dynamic Resource Allocation

Dynamic VAP Grouping

Self-Healing

Broad support of best-in-class security applications

Protects the protectors

Policy-based service processing

Creates a virtualized network

Virtualizes the application infrastructure

Automatic capacity restoration

Multiple blades act as one

Matches processing to capacity reqs.

Open Secure OS

Page 55

Thank You.

Crossbeam Systems, Inc.
80 Central Street
Boxborough, Massachusetts 01719

Via Tel: +1 978.318.7500
Via Fax: +1 978.287.4210
Via web: http://www.crossbeamsystems.com
Via email: [email protected]