Infrastructure Consolidation: Understanding the security obstacles moving to Phase 2
Posted 19-Dec-2015 (Category: Documents)
Transcript of the presentation slides:
Agenda
Presentation:
– Defining the Problem
– How is virtualization impacting our security?
– Moving to Phase 2 Virtualization
– Best practices
Open Discussion
Survey results (Total N=492; Enterprise = 1,000 employees or more, N=305; Midmarket = 100 to 999 employees, N=187):

Initiative                                                                   Total   Enterprise   Midmarket
New collaborative tools and business processes utilizing Web 2.0
  technologies such as blogs, wikis, social networking services, etc.         12%       12%         11%
International expansion                                                       13%       13%         13%
Research and development innovation/improvement                               16%       13%         21%
"Green" initiatives related to energy efficiency and/or reducing
  company-wide environmental impact                                           19%       20%         18%
Improved business intelligence and delivery of real-time business
  information                                                                 21%       22%         20%
Business growth via mergers, acquisitions, or organic expansion               22%       24%         19%
Regulatory compliance                                                         24%       27%         19%
Security/risk management initiatives                                          25%       25%         25%
Business process improvement initiatives                                      31%       34%         27%
Cost reduction initiatives                                                    54%       54%         54%
Business Impact on 2009 IT
External forces are driving changes
© 2009 Crossbeam Systems
Diversity of users accessing on-line business services
Dramatic growth in the number of financially driven security threats from around the globe
Increasing growth of bandwidth on the network
It's all about Risk Mitigation
Affordable malware tools are spawning a sophisticated hacker business community
2008 saw more malware than the past 20 years combined
Data is at Risk from all Vectors
Data is the most exposed attack surface
Can be reached by multiple attack vectors
"Defense in Depth" is no longer adequate
Vulnerabilities can exist in any area – look for the weakest link
Amount of Data is compounding the problem
Half a Zettabyte will cross the Internet in 2012
Analysis & Detection is increasingly expensive
To combat this, a huge number of security segments are being created
1999 – Simple Perimeter Security: Internal, DMZ
2004 – Multi-Zone Perimeter Security: Internal, DMZ 1, DMZ 2, DMZ 3
2009 – Distributed Perimeter Security: e.g. Partner 1 DMZ 2, Division X DMZ 5
Security Perimeters will continue to shrink and provide security between "Trust Boundaries"
1 Security Perimeter → 3 Security Perimeters → 9 Security Perimeters → N Security Perimeters
But Perimeters Continue to Shrink
Securing Trust Boundaries
Web Servers – Risk Level: Low
Application Servers – Risk Level: Medium
Database Servers – Risk Level: High
Expensive to architect perimeters with different security levels
Expensive to manage rule / topology changes
Necessary... BUT Complex
Applying Trust Boundaries was managed through physical separation of servers
Level 1 (Web Servers)
Level 2 (Oracle)
Level 3 (PeopleSoft)
Level 4 (Database)
Was simple in the physical world
Architecture provided monitoring between Trust Boundaries (e.g. between Level 1 and Level 3)
Virtualization – A great Tool..?
Server 1, Server 2 and Server 3 at 20% utilization each, consolidated onto one Virtualized Server at 80%
Dramatically improved server utilization, power, cooling, space
Let's Virtualize EVERYTHING!
"Everything should be made as simple as possible, but no simpler" – Albert Einstein
Huge Server Virtualization Usage (Midmarket = 100-999 employees, N=180; Enterprise = 1,000 employees or more, N=292)

                                                                 Midmarket   Enterprise
Using virtualization in production environment                      32%         54%
Using virtualization in test environment only                       24%         24%
Have not yet deployed virtualization but plan to                    21%         14%
Have not deployed virtualization and have no current plans to       23%          9%
Server Virtualization – Is IT Infrastructure safe when virtualized?
eCommerce Web Site
Customer Credentials
Product Database
Credit Card System
Host OS / Hypervisor / Guest OS / Guest OS / Guest OS
Vulnerabilities in the underlying OS?
Gaining access between the Guest and the Host?
How robust is the hypervisor?
Capturing data between VMs – Man in the Middle Attacks?
Is this really a THREAT?
Top Server Virtualization Initiatives for 2009
Consolidate more physical servers onto virtualization platforms – 39%
Expand number of applications running on virtual machines – 38%
Make use of virtual machine replication for disaster recovery – 31%
Improve backup and recovery of virtual machines – 24%
Improve operational processes for managing virtual environments – 21%
Move more applications from test/development to production environment – 21%
Implement virtual machine mobility / HA (high availability) functionality – 18%
Integrate virtual environments into existing management software frameworks – 17%
Deploy a storage virtualization solution to support virtual server environment – 16%
Purchase third-party management software for virtual environments – 12%
Transitioning from Phase 1 to Phase 2

                       Phase 1 – Basic Workload Reduction     Phase 2 – Enterprise Efficiency
Virtualization unit    Server                                 Application
Primary skill set      Server administration                  Server, application, database, networking, security, storage . . .
Networking             Simple virtual to physical             More complex physical and virtual connectivity with L2 and L3 virtualization
L4-L7 services         Single or multiple physical domains    Multiple virtual domains
Security               Single or multiple physical domains    Multiple virtual domains

Still need to manage security between Trust Boundaries with the Virtual Infrastructure
How do you add security protection between services running on the same hardware?
What happens when a SysAdmin spins down or moves a Virtual Appliance accidentally or maliciously?
What is the process to manage multiple VAs between VMs between Trust Boundaries?
Firewall / IPS / Web Application Firewall / Database Firewall --- Trust Levels ---
How do we achieve the right level of visibility between trust boundaries when applications are virtualized?
Just ensure you have assigned the correct Ethernet port to the trunked VLAN and have enabled the right security services to secure Trust Boundaries between the right Virtual machines and tap the right VM to monitor the traffic
We need centralized "process-driven" control of security services between trust boundaries
Can enforce Trust Boundary policies with any combination of security services
Can monitor any traffic between any trust boundaries with a click of a mouse
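The slides above ask how trust-boundary policy can be enforced between VMs on shared hardware, what happens when a virtual appliance is spun down or moved, and which services a crossing should traverse. The following is an added illustration (not Crossbeam code, and not a description of the XOS product): a small policy engine that keys policy on VM identity and trust zone rather than on the physical host, applies a per-crossing service chain (FW, IPS, WAF, database firewall, as on the slide), fails closed for VMs that have vanished from inventory, and audits the rule set for crossings that step into a higher-risk zone without a firewall. The zone names, ports, VM names and host names are constructed for the example.

```python
"""Trust-boundary policy check for a virtualized three-tier application.

Added illustration: zones, risk levels, VM inventory and the service chain
required on each zone crossing are all constructed here, not taken from
any product.
"""
from dataclasses import dataclass
from typing import Optional

# Risk levels from the deck: web = low, application = medium, database = high.
# "client" is the untrusted side outside every perimeter.
ZONE_RISK = {"client": 0, "web": 1, "app": 2, "db": 3}

# One rule per permitted crossing: (src zone, dst zone, dst port) -> services
# the flow must traverse, in order. Any crossing without a rule is denied.
POLICY = {
    ("client", "web", 443): ["FW", "IPS", "WAF"],
    ("web", "app", 8080): ["FW", "IPS"],
    ("app", "db", 1521): ["FW", "DBFW"],   # Oracle listener port, constructed
}

# Constructed inventory: vm name -> (trust zone, current physical host).
# Policy follows the VM's zone, so migrating a VM changes nothing below.
INVENTORY = {
    "web-01": ("web", "host-a"),
    "app-01": ("app", "host-a"),
    "db-01": ("db", "host-b"),
}


@dataclass
class Flow:
    src_vm: str      # "client" for traffic arriving from outside
    dst_vm: str
    dst_port: int


@dataclass
class Decision:
    action: str            # "ALLOW", "DENY" or "INTRA_ZONE"
    services: list
    reason: str


def zone_of(vm: str, inventory: dict) -> Optional[str]:
    """Resolve a VM to its trust zone; None if it is not in inventory."""
    if vm == "client":
        return "client"
    entry = inventory.get(vm)
    return entry[0] if entry else None


def decide(flow: Flow, inventory: dict = INVENTORY, policy: dict = POLICY) -> Decision:
    """Decide whether a flow may cross a trust boundary and via which services."""
    src_zone = zone_of(flow.src_vm, inventory)
    dst_zone = zone_of(flow.dst_vm, inventory)
    if src_zone is None or dst_zone is None:
        # A VM missing from inventory was spun down, moved out of the managed
        # estate, or never registered: fail closed rather than guess a zone.
        missing = flow.src_vm if src_zone is None else flow.dst_vm
        return Decision("DENY", [], f"vm {missing} not in inventory")
    if src_zone == dst_zone:
        return Decision("INTRA_ZONE", [], f"no trust boundary crossed ({src_zone})")
    services = policy.get((src_zone, dst_zone, flow.dst_port))
    if services is None:
        return Decision("DENY", [], f"no rule for {src_zone}->{dst_zone}:{flow.dst_port}")
    return Decision("ALLOW", list(services), f"{src_zone}->{dst_zone} via {'+'.join(services)}")


def migrate(vm: str, new_host: str, inventory: dict = INVENTORY) -> None:
    """Record a VM move; the zone, and therefore the policy, is unchanged."""
    zone, _ = inventory[vm]
    inventory[vm] = (zone, new_host)


def audit_policy(policy: dict = POLICY) -> list:
    """Return findings: rules that enter a higher-risk zone without a firewall,
    or that skip a tier (e.g. client straight to the database)."""
    findings = []
    for (src, dst, port), services in policy.items():
        if ZONE_RISK[dst] > ZONE_RISK[src] and "FW" not in services:
            findings.append(f"{src}->{dst}:{port} crosses into higher risk without FW")
        if ZONE_RISK[dst] - ZONE_RISK[src] > 1:
            findings.append(f"{src}->{dst}:{port} skips a trust level")
    return findings


if __name__ == "__main__":
    for f in (Flow("client", "web-01", 443), Flow("client", "db-01", 1521),
              Flow("app-01", "db-01", 1521), Flow("app-01", "ghost-vm", 1521)):
        print(f, decide(f))
    print("audit:", audit_policy())
```

The point of keying on VM identity is that a vMotion-style move from host-a to host-b leaves the decision for app-01 → db-01 untouched, whereas a policy keyed on physical ports or on the trunked VLAN would have to be re-checked after every move; the deny-on-unknown branch is the detection hook for the "spun down accidentally or maliciously" case on the slide.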
What's Needed for Network Security?
Simple configuration management
– Implementation, moves-adds-changes
Virtual security stacks
– Defenses based upon asset value and risk
– Customized protection
– Any-to-any secure connectivity rules set
Integrated networking
– Switching, routing, load balancing . . .
Graceful scalability
– Support 100s of trust zones
End-to-end visibility
– Common logging service
– Security reporting and analytics
Implementation Possibilities

                                      Virtual appliances   Physical appliances
Simple management and operations      No                   No
Virtual security stack                Some                 No
Integrated networking                 No                   Sometimes
Graceful scalability                  No                   No
End-to-end visibility                 No                   No
Another Alternative
Network Security Platforms?
– Carrier-class design
– Massive amount of hardware
– Multiple security services
– Integrated networking
– Scalable OS, networking, security, etc.
– Simple configuration management
– Built for network business processes
Virtualizes Services together by RISK LEVEL
Maintain 99%+ efficiency from virtualization (Web Servers, Application Servers, Database Servers)
Insert a Network/Security Platform like Crossbeam between the Clients and the Web, Application and Database Servers
Create a security architecture for virtualized applications (FW)
Policy-Driven security services between Trust Boundaries (FW, IPS, WAF)
Centrally manage, enforce and change whenever you need (IPS)
Easily apply monitoring taps between trust boundaries (Client, Web Servers, Application Servers, Database Servers)
To-Do
Physical to virtual planning
– Network, VM hosting, security
– Determine skills weaknesses
Map security zones
– Understand all threat vectors and vulnerability to data
– VLANs
– Traffic
– Services
Create security/networking profiles
– Align with other IT skills
Assess management needs
– RBAC (role-based access control), alerts, reports . . .
Crossbeam Systems
What We Do
– Crossbeam delivers a scalable, high-performance, open network security platform that allows large enterprises and carriers to:
– Consolidate security appliances and networking equipment
– Virtualize implementation of security services
– Choose security applications from best of breed ISVs
Proven Track Record
– Over 860 global customers
– Experience re-architecting security infrastructure for the global 2000
– Strong and sustained year / year revenue growth 56%
– Combined engineering innovation capacity of 3,100 engineers
Crossbeam Approach... The Next Generation Security Platform
(Diagram: Internet – FW – IPS – L2 – LB)
Network Processor Modules – Policy switching, load balancing
Application Processor Modules – Virtualized security application delivery
Control Processing Modules – High availability monitoring, fail over, self-healing
Next Generation Security Platform
Security is no longer embedded, but delivered via a services layer
– Multi-Dimension consolidation with > 50-70% power reduction
– A Change-Ready architecture dramatically extending refresh cycles
– Best-of-breed security – choice preserved
– Carrier Grade High Availability
– Linear scalability all the way to "real world" 40Gbps
XOS™ Software Architecture
Components: Virtualized load-balancing; Virtual Application Processing; SecureFlow Processing; Distributed Flow Management; Serialization/Parallelization; DoS Protection; Dynamic Resource Allocation; Dynamic VAP Grouping; Self-Healing; Open Secure OS
Properties: Broad support of best-in-class security applications; Protects the protectors; Policy-based service processing; Creates a virtualized network; Virtualizes the application infrastructure; Automatic capacity restoration; Multiple blades act as one; Matches processing to capacity requirements
Thank You.
Crossbeam Systems, Inc.
80 Central Street, Boxborough, Massachusetts 01719
Tel: +1 978.318.7500
Fax: +1 978.287.4210
Web: http://www.crossbeamsystems.com
Email: [email protected]