Virtual Security As Business Generator
June 2009
Roberto Correnti
Regional Manager, Clavister France & BeNeLux
Tanguy Derriks
Business Development Director, MMS-Secure
Clavister Overview
• Established in Sweden in 1997
• Sales offices in Europe and Asia
• Team of 150 people
• Evolved from a firewall specialist to a complete security solution provider
• Target markets:
  – Service Providers: Data Centers, Internet Service Providers, MSSPs
  – Enterprises
  – Telecom Operators
• >100.000 installations world-wide, >20.000 customers
Reference Customers:
Services
Anti-Virus, Anti-Spam, Intrusion Detection & Prevention, Web Content Filtering
Software Maintenance, Warranty, Technical Support, Training, Consulting, Licensing, SMS
Clavister SSP
Lifecycle Systems
Lifecycle Services
Hardware Software Virtual SSL
Network Elements
Traffic Management VPN Application Layer SecurityNetwork Security
Routing DHCP Authentication HA
Management Troubleshooting Monitoring Log & Alarms
Unique Virtual Security
Clavister: 32 MB, 64 MB; >100 Virtual Gateways per server*; designed for enterprises & datacenters
Known OS Based Competitors: 1200 MB, 500 MB; 12 Virtual Gateways per server*; designed for enterprises
* Typical server with 12 GB RAM and 1TB Storage
Virtual Security – For Enterprises
VMware Virtualization Basics
Virtualization Trends
• So far, focus has been on deployment, maintenance and provisioning of virtual servers.
• UK research firm YouGov states that 41% of IT managers using virtualization thought that security was built into the virtualization software!
• Security is a neglected yet highly emerging focus area in virtual environments!
Your investment in virtualization might be at risk! Act now, tomorrow it might be too late!
Traditional Network
• Multitude of network segments
• Communication between zones is monitored and secured
Virtual Network
• Fewer network segments dividing the servers
• Communication between virtual machines is not monitored or secured!
DANGER
Communication Path Diagram
Copyright © 2008 Clavister AB. All rights reserved.
Web Front-End Zone
Middleware / Business Logic Zone
Back-End Database Zone
Inter-communication traffic is limited by VLANs but not secured, which is a critical security issue and one which needs to be addressed
Mixed Solutions for Securing Virtual Environments
Drawbacks With “Mixed Solutions”
• Still relies on external security appliances
• The virtual infrastructure is a dynamic world. Keeping up with changes from the “outside” is complex and time consuming
• Does not benefit from Redundancy and Disaster Recovery tools
• Makes lab/testing expensive and complex
• Increases risk of costly service down time in case of security appliance hardware failures
The fully virtualized solution
Pre-Configured Solutions
> Easy to deploy
> Easy to manage
> Templates & workflows – Increase security and control
The Clavister Virtual Security Gateway Solution
Virtual Machines (VMs) are not allowed to talk with each other without first going through the Virtual Security Gateway
All security inspections which would have been performed by a physical security gateway in a physical structure are done “in-line” in the virtual environment.
Communication Path Diagram
Web Front-End Zone
Middleware / Business Logic Zone
Back-End Database Zone
All virtual machines and inter-communication are secured using best-in-class virtual security gateways, which enables mission-critical applications to be virtualized without compromises to the security policies
Troubleshooting, Monitoring, Alarms & Auditing
• Troubleshoot communication using:
  – Real-time monitoring with filters
  – PCAP & Memlog recording
  – Log analysis
• Monitor behavior of traffic using:
  – SNMP
  – Real-Time monitoring
  – Real-Time KPI dashboards
• Create custom and policy-based alarm events (thresholds etc.)
• Full auditing capabilities using:
  – Built-in log viewing applications
  – External SIEM systems
Typical Enterprise Environment
Traditional physical server network
Virtualized production infrastructure
Disaster Recovery or Lab/Test Network
Fully virtualized DMZ Network Diagram
Virtual Security Gateway – Models & Dimensioning
                                  VSG21    VSG110    VSG510    VSG1100
Plaintext Performance (Mbit/s)*   50       200       500       1000
VPN Tunnels                       25       200       500       1000
VLAN                              4        64        128       512
Concurrent Connections            4000     16000     64000     256000
Recommended Application:
• VSG21: Test & Lab Networks with no or very low performance demands
• VSG110: Small installations with a limited amount of protected VMs with low to medium performance demands
• VSG510: Medium and Large installations with medium to high performance applications such as web/mail/citrix/databases and similar
• VSG1100: Large installations with medium to high performance applications such as web/mail/citrix/databases and similar
Clavister Virtual Security Gateway Features
• Protect Virtual Servers
Segregate virtual machines from each other and prevent hackers from jumping from one machine to another with little or no difficulty. All the features of a hardware appliance security gateway are also available for the virtual security gateways, including the UTM services!
• Secure Inter-Communication
Utilize the VPN encryption to secure communication between virtual machines.
• Achieve Auditing and Regulatory Compliance
Since the virtual security gateway can be run inside the virtual infrastructure, security auditing can be achieved and thereby regulatory compliance requirements can be met.
• No Security Policy Compromises for Virtual Environments
Utilize your standard set of policies not only for physical machines but just as easily also for virtual ones.
Benefits with Clavister Virtual Security Gateways
• Scalability: Users can now extend security by simply deploying new security gateways as they go.
• Lower CAPEX: Virtualization opens up for new business models where CAPEX is minimized.
• Simplified Maintenance: Security components inherit all manageability features from a virtual environment, such as fail-over, provisioning, and so forth.
• Minimized downtime: Less hardware in combination with highly efficient disaster recovery and redundancy tools such as VMotion reduces downtime and improves the overall in-service performance of the security solution.
• Simplified Test/Lab testing: Since the virtual security gateway is a part of the virtual infrastructure, it becomes easier to create lab/test environments, which decreases the complexity of security tests, which in turn improves the overall security.
Virtual Security for Service Providers
xSPs / Telecom Operators - Market Situation
Competitive Market
• Highly competitive and saturated market
• Recruiting new customers is expensive
• Operational efficiency is a must to remain competitive
Financials
• Low and decreasing profit margins for traditional offerings
• Increasing Average Revenue Per User (ARPU) is absolute key to growth & success
• Financial crisis drives the need to offer cost-saving services to customers
First mover advantage
• Time between visionary to market leadership is shorter than ever
Clavister vSeries – Value Proposition for xSPs
• Opportunity to take first mover advantage
• A value-adding and unique security offering
  – Create your own attractive security services portfolio (Firewall, VPN, Content Filtering, IDP, Anti-Virus…)
• Leverage existing virtual infrastructures
  – Extreme Scalability, Deployment, SLA, etc.
• Increase your Average Revenue Per User (ARPU)
• Low capital investment – Expands as you grow
Clavister vSeries – What it is
Security Platform
• Best-of-breed Security Gateways
• Clavister Security Services Platform (SSP), our offering for Service Providers
Virtual for optimal scalability and financial benefits
• Runs inside a virtual infrastructure (e.g. VMware / Xen / Microsoft)
• Runs in your datacenter (each customer gets a dedicated security gateway)
• Extremely resource efficient - More gateways on less hardware
Designed for Operators
• MSSP-friendly Management & Operations
• Extremely scalable - Provision 1 gateway just as easily as 100.000
Business Case 1 – Internet Service Providers
Security Services for Internet Subscribers
• Value Add Services for Internet Subscribers
  – Added on top of internet connection bill
  – Increase ARPU - Offer the services to all existing customers
  – First mover advantage – Infrastructure as a Service (IaaS) already today
• Plug-in Solution for the Broadband Network Datacenter
  – No need for End User Equipment
  – Efficient Management and Maintenance
  – Optimized Provisioning Capabilities
• Customer Focused Service Packages
  – Small & Medium Business
  – Remote Office
  – Retail Stores…
Security Service Network Diagram
[Diagram labels: ADSL Customer #1, ADSL Customer #2, Access Network, B-RAS, Core Switch, Datacenter Core Network, Virtual Provisioning Infrastructure (HW Layer, VM Layer); services: Firewall, VPN, Content Filtering, IDP, Anti-Virus, Reporting]
Customer Experience - Deployment
1. Choose Service
2. Automatic deployment (< 1 hour)
3. Use the service
Summary – Virtual Security Services
• New business opportunities
  – Offer cost-efficient security services
• Financial Upsides
  – Increase Average Revenue Per User (ARPU)
  – Improve profit margin
• First mover advantage
  – Gain or secure market leadership
  – Interesting product portfolio
• Provisioning & Operations
  – Extremely efficient deployment (minutes instead of days & weeks)
  – Based on tested & proven industry standard technologies (Clavister, VMware, IBM/HP/Dell)
  – Extremely scalable
Business Case 2 – Hosting Providers
Business Case – Service Providers (Hosting)
• Value Adding: Offer value-adding managed security services to hosting customers.
• Tailor-made service portfolio: Use the pick-n-choose service packaging
• Operational Efficiency: Automatic deployment without any human intervention
• Accelerates hosting business: Makes customers more comfortable hosting sensitive applications (Cloud and utility computing is specific)
• Increase ARPU
• Low investment - High profit margins
SMB - Hosting Security Services
[Diagram labels: Hosted virtual machines (dedicated or part of a cloud): Microsoft Exchange, Web Server, FTP Server; Virtual Security Gateway (managed or self-managed); Datacenter Core Network; Customer #1, Customer #2, Customer #3; ESXi; services: Firewall, VPN, Content Filtering, IDP, Anti-Virus, Reporting]
Customer Experience - Deployment
1. Choose Service
2. Automatic deployment (< 1 hour)
3. Use the service
Business Benefits
Price-efficiency
– Use VMware and Clavister to provide dedicated firewall, VPN, IDP and reporting capabilities in a price efficient manner to customers of all sizes
Scalability
– Start with a virtual gateway and grow to a dedicated platform when the need for performance and functionality increases
Deployment
– Virtual appliances are turn-key solutions and can be deployed within minutes
Convergence and standardization on robust hardware
– Utilize standardized hardware also for security services
Provide Improved SLAs
– Utilize tested VMware redundancy and clustering in order to provide improved SLAs for security services
• The virtual machines are not allowed to communicate with each other without going through Clavister
• All security inspections that would have been performed by an external device are performed “internally”, natively within the virtual environment
[Diagram labels: Virtualization Layer, Virtual Network, Hardware, Virtual Switch (VLANs), VMs, Virtual Security Gateway]
Conclusion – Virtualization: Example at a customer site
Central administration via InControl
100 x VSG can be installed on a “standard” VMware ESXi/ESX host (12 GB RAM & 1 TB HD)
1 x VSG = 32 MB storage space, 64 MB RAM
Central administration via InControl
Conclusion – Virtualization: Hosting Provider (Security and/or SaaS)
Terremark - Reference Customer
About Terremark
Terremark Worldwide's (NASDAQ: TMRK) acclaimed Infinistructure utility computing architecture has redefined industry standards for scalable and flexible computing infrastructure, and its digitalOps service delivery platform combines end-to-end systems management workflow with a comprehensive customer portal.
TERREMARK AT A GLANCE
• NASDAQ: TMRK
• Leader in managed IT infrastructure services (Gartner - Leaders Quadrant)
• Datacenters in the United States, South America and Europe
• SAS 70 Type II Certified
• Microsoft Gold Certified Partner
• United States General Services Administration (GSA) Schedule# GS35F0073U
Thank You
Contact Information:
Roberto Correnti - CLAVISTER
Email: [email protected]
Phone: +33 (0)1 75 43 78 90
Mobile: +33 (0)6 11 17 66 71
Tanguy Derriks – MMS-SECURE (Distributor for BeNeLux)
Email: [email protected]
Phone: +32 (0)2 767 93 03