LHC3296BES OVH: Shields Up! Building a True Security or … · 2019-06-27 · Over 1.2 Million...
Chris Romano, Principal Systems Engineer
Twitter - @virtualirishman
LHC3296BES
#VMworld #LHC3296BES
OVH: Shields Up! Building a True Security Barrier in the Cloud
VMworld 2017 Content: Not for publication or distribution
©2017 OVH US | Proprietary & Confidential
–––
VMworld disclaimer
This presentation may contain product features that are currently under development. This overview of new technology represents no commitment from VMware or OVH to deliver these features in any generally available product. Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind. Technical feasibility and market demand will affect final delivery. Pricing and packaging for any new technologies or features discussed or presented have not been determined.
–––
AGENDA
1 OVH – Who We Are
2 OVH Product Overview
3 Defense at the PERIMETER DDOS Mitigation
4 Defense WITHIN the Virtual Data Center
6 Securing the Extended Data Center
7 Q & A
–––
WHO IS OVH
–––
OVH is a global, hyper-scale cloud provider that offers our customers maximum performance and value
• Vertical integration (constructing own servers, data centers) and proprietary green water cooling technology allows OVH to save costs and pass savings to customers
• Named largest hosting & cloud provider in Europe and third largest global hosting provider by Netcraft
https://www.netcraft.com/internet-data-mining/hosting-analysis/
OVH GROUP HIGHLIGHTS
–––
OVH IS A GLOBAL CLOUD LEADER
• Over 1.2 Million Business Clients in 138 Countries
• Own 11+ Tbps Network with 32 PoPs
• 2016: 20 data centers in 5 countries and 4 continents
• 2017: 27 data centers in 11 countries
• 2020: 50 data centers
• Hosting capacity: 1.3 million physical servers, 270,000 already deployed
–––
OVH BUILDS ITS OWN DATA CENTERS
–––
OVH MANUFACTURES SERVERS & USES GREEN TECHNOLOGY
30% natural air cooling + 70% water cooling = 0% air conditioning
–––
SOLUTIONS TO SUIT YOUR NEEDS
Product lines: Hosted Private Cloud, Public Cloud, Dedicated Servers (Bare Metal)
+ Dedicated Cloud
+ Virtual Private Cloud
+ Disaster Recovery
+ VMware SDDC
+ Open API
+ Automation Compatibility
+ Scalability
+ Bring your own License
+ Non-Virtual Workloads
+ Proprietary Software
Common foundation: Customer Support & Services, Global Hyper-Scale Reach, OVH’s Fiber Optic Network (11+ Tbps) + Anti-DDoS + Private LAN
–––
NETWORK CAPACITY 11+ Tbps
–––
WHY WE ARE HERE
–––
DEFENSE AT THE PERIMETER
–––
DYN DDOS ATTACK - OCTOBER 21, 2016
Domain name provider Dyn suffered the largest DDoS attack in history on Oct. 21.
–––
MEANWHILE IN ROUBAIX 1 MONTH EARLIER…….
Each day OVH detects and mitigates over 1500 attacks against its customers’ servers. About one third of these attacks are "SYN flood" attacks.
Headline: 1 Tbps DDoS Attack Launched from 152,000 Hacked Smart Devices. This is likely the largest DDoS attack ever reported.
Reference Article:
https://www.ovh.com/us/news/articles/a2367.the-ddos-that-didnt-break-the-camels-vac
–––
DDOS ATTACKS INCREASE 125% ANNUALLY
In 2016 we saw 19 attacks over 100 Gbps.
Source: Akamai: Q1 2016 State of the Internet - Security Report
–––
TARGETS AND TYPES OF ATTACKS
–––
STAGES OF MANAGING AN ATTACK
1. The server is operational - no attack. Internet-based services are used without any problems.
2. The DDoS attack begins: the attack is launched via the internet and on the backbone.
3. Mitigation of the attack: between 15 and 120 seconds after the attack has started, the mitigation is activated.
4. End of the attack: auto-mitigation is maintained for 26 hours after the attack has ended.
–––
VAC – OVH’S ANSWER TO DDOS
VAC architecture: Pre-Firewall -> Firewall -> Shield -> Armor
• Pre-Firewall
• OVH Managed Firewall
  • Firewall Network
  • Customer configurable per IP address
• Shield
  • UDP reflection/amplification attack filtering
• Armor
  • Profile-based mitigation
  • Does the bulk of the work: SYN authentication, zombie detection, payload patterns, …
  • Only enabled when we detect an attack
–––
OVH MITIGATION TECHNIQUES
Detection: traffic analysis and attack detection
• NetFlow analysis of 1/2000 of the traffic that passes through the routers.
• The Armor boxes analyze this and compare it to the attack signatures.
• If the comparison is positive, mitigation is ACTIVATED WITHIN SECONDS!
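The detection and mitigation stages above, modelled as an added example (this is not OVH's VAC software). It takes the two figures the slides give, 1/2000 flow sampling and a 26-hour hold-down after the last positive detection, and adds assumptions of its own: a 10-second analysis window, a per-destination packets-per-second threshold, a SYN-only ratio for calling a SYN flood, a list of common UDP reflection source ports, the mapping of verdicts to VAC stages, and constructed flow records on documentation address ranges.

```python
"""Sampled-flow DDoS detection with an auto-mitigation hold-down (toy model).

Added example, not OVH's VAC code. Sampling rate and 26 h hold-down come from the
slides; thresholds, window, port list and the flow records are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

SAMPLING_RATE = 2000            # one packet in 2000 is exported (slide: 1/2000)
WINDOW_SECONDS = 10             # analysis window (assumption)
PPS_THRESHOLD = 100_000         # estimated pps per destination that counts as an attack (assumption)
SYN_RATIO_THRESHOLD = 0.8       # share of TCP packets that are SYN-only -> SYN flood (assumption)
AMPLIFIER_PORTS = {17, 19, 53, 123, 161, 389, 1900, 11211}  # common UDP reflection source ports
HOLD_DOWN_SECONDS = 26 * 3600   # slide: auto-mitigation kept 26 h after the attack ends

# Which VAC stage would handle each verdict, per the slide's description (mapping is ours).
VAC_ACTION = {
    "udp_amplification": "shield: filter UDP reflection/amplification",
    "syn_flood": "armor: SYN authentication",
    "volumetric": "armor: profile-based mitigation",
}

@dataclass
class Flow:
    ts: float       # export time in seconds
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int
    tcp_flags: str  # "S" = SYN only, "A" = ACK, "" for UDP
    packets: int    # sampled packets in this record

def classify(flows, window_start):
    """Scale sampled counts back up, threshold per destination, and label the attack type."""
    stats = defaultdict(lambda: {"pkts": 0, "tcp": 0, "syn_only": 0, "udp_amp": 0, "srcs": set()})
    for f in flows:
        if not (window_start <= f.ts < window_start + WINDOW_SECONDS):
            continue
        s = stats[f.dst]
        s["pkts"] += f.packets
        s["srcs"].add(f.src)
        if f.proto == "tcp":
            s["tcp"] += f.packets
            if f.tcp_flags == "S":
                s["syn_only"] += f.packets
        elif f.proto == "udp" and f.sport in AMPLIFIER_PORTS:
            s["udp_amp"] += f.packets
    verdicts = {}
    for dst, s in stats.items():
        est_pps = s["pkts"] * SAMPLING_RATE / WINDOW_SECONDS   # 1 sampled packet ~ 2000 real ones
        if est_pps < PPS_THRESHOLD:
            continue
        if s["tcp"] and s["syn_only"] / s["tcp"] >= SYN_RATIO_THRESHOLD:
            kind = "syn_flood"
        elif s["udp_amp"] / s["pkts"] >= 0.5:
            kind = "udp_amplification"
        else:
            kind = "volumetric"
        verdicts[dst] = (kind, int(est_pps), len(s["srcs"]))
    return verdicts

class Mitigation:
    """Per-destination state: scrubbing stays on until 26 h pass with no positive detection."""
    def __init__(self):
        self.last_seen = {}   # dst -> time of the last positive detection

    def step(self, now, verdicts):
        for dst in verdicts:
            self.last_seen[dst] = now
        for dst in list(self.last_seen):
            if now - self.last_seen[dst] > HOLD_DOWN_SECONDS:
                del self.last_seen[dst]
        return set(self.last_seen)

def build_sample():
    """Constructed sample: normal web traffic, a SYN flood on 203.0.113.10 and a DNS
    reflection flood on 203.0.113.20; each record stands for SAMPLING_RATE real packets."""
    flows = []
    for i in range(20):   # background ACK traffic, far below threshold
        flows.append(Flow(1.0 + i * 0.4, f"198.51.100.{i + 1}", "203.0.113.30", "tcp", 40000 + i, 443, "A", 1))
    for i in range(150):  # SYN flood: many spoofed sources, SYN-only segments
        flows.append(Flow(2.0 + (i % 10) * 0.7, f"192.0.2.{i % 250 + 1}", "203.0.113.10", "tcp", 1024 + i, 80, "S", 5))
    for i in range(120):  # DNS reflection: UDP from port 53 of many open resolvers
        flows.append(Flow(3.0 + (i % 10) * 0.6, f"198.51.100.{100 + i % 100}", "203.0.113.20", "udp", 53, 1024 + i, "", 6))
    return flows

def run_timeline():
    """Detect during the attack, then show the hold-down keeping mitigation on after it stops."""
    flows, m = build_sample(), Mitigation()
    during = m.step(0.0, classify(flows, 0.0))
    after = m.step(20.0, classify(flows, 20.0))                # attack over: window is empty
    expired = m.step(20.0 + HOLD_DOWN_SECONDS + 1, classify(flows, 20.0 + HOLD_DOWN_SECONDS + 1))
    return {"during": during, "after": after, "expired": expired}

if __name__ == "__main__":
    for dst, (kind, pps, nsrc) in classify(build_sample(), 0.0).items():
        print(f"{dst}: {kind}, ~{pps} pps from {nsrc} sources -> {VAC_ACTION[kind]}")
    print(run_timeline())
```

The scaling step is the one practitioners get wrong: with 1/2000 sampling a record with 5 packets stands for roughly 10,000 on the wire, so thresholds must be set on the estimated rate, and small flows are invisible, which is why the hold-down matters: once mitigation is on, the detector does not have to re-confirm a low-rate tail to keep it on.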
–––
LEVERAGING A GLOBAL NETWORK
VAC nodes in four data centers: SBG (Strasbourg), RBX (Roubaix), GRA (Gravelines), BHS (Beauharnois)
Reference Article:
https://www.ovh.com/us/news/articles/a2367.the-ddos-that-didnt-break-the-camels-vac
–––
ADDITIONAL PROTECTION
VAC, Anti-Hack, Anti-Spam, Anti-Phishing, Remotely Triggered Black Hole (RTBH)
• A fully redundant global network
• Redundancy of all components
• Fire risk management
• High security Data Centers
• Human presence in all Data Centers
• Measures to counteract any failure of the electrical supply network.
–––
DEFENSE WITHIN THE VIRTUAL DATA CENTER
–––
EDGE SECURITY
NSX EDGE GATEWAY (vCloud Air Network)
• Stateful Inspection Firewall
• Network Address Translation (NAT)
• DHCP
• Site to Site VPN (IPsec)
• Static Routing
• Dynamic Routing OSPF, BGP
• Load Balancer L4/L7
• SSL Certificate Offloading
• SSL VPN (Client to Server)
• 200 Sub-Interfaces
• Distributed Firewall
–––
DISTRIBUTED FIREWALL CHARACTERISTICS
• Runs in kernel space
• Distributed, line rate
• Full vCenter integration (VC containers, vMotion)
• Zero-trust security, micro-segmentation
• Enables traffic redirection to 3rd party services
• Spoofguard
• Fully programmable (REST API)
–––
NSX SECURITY IN THE CLOUD
(Diagram: WAN/Internet -> physical perimeter firewall -> NSX Edge Service Gateway -> SDDC (Software Defined DC) with compute clusters, each running the DFW)
• Edge Service Gateway positioned to protect the border of the Cloud Instance or SDDC: North – South traffic protection (EDGE: N-S)
• Distributed Firewall positioned for internal traffic protection: East – West traffic protection (DFW: E-W)
–––
SPOOFGUARD
• Ensures the IP of a VM cannot be altered without intervention
• If the IP address does not match the IP address on record, the vNIC is prevented from accessing the network entirely.
• Prevents rogue virtual machines from assuming the IP address of an existing VM
• Guarantees distributed firewall (DFW) rules cannot be bypassed
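The last two bullets are the whole point of SpoofGuard, and the added example below shows the bypass it closes (this is a toy evaluator, not NSX code). The SpoofGuard table, the security-group membership, the two DFW rules and the packets are all constructed; the vNIC names are hypothetical. Rules are enforced at each vNIC, so a rogue VM that configures another VM's address would otherwise match that VM's allow rule.

```python
"""Why SpoofGuard matters to a distributed firewall (toy evaluator).

Added example, not NSX code. SpoofGuard table, groups, rules and packets are constructed.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dport: int

# SpoofGuard: vNIC -> IP on record (constructed, hypothetical vNIC names)
SPOOFGUARD = {
    "web-01/vnic0": "10.0.1.10",
    "app-01/vnic0": "10.0.2.10",
    "rogue-01/vnic0": "10.0.3.99",
}

# Security-group membership the DFW resolves addresses against (constructed)
GROUPS = {"10.0.1.10": "web", "10.0.2.10": "app"}

# Ordered DFW rules: (source group, destination group, destination port or None, action)
RULES = [
    ("web", "app", 8080, "allow"),   # only the web tier may reach the app tier
    ("any", "any", None, "deny"),    # zero-trust default: everything else is dropped
]

def spoofguard_ok(vnic, pkt):
    """A packet may leave the vNIC only with the IP SpoofGuard has on record for it."""
    return SPOOFGUARD.get(vnic) == pkt.src_ip

def dfw_lookup(pkt):
    """First-match evaluation of the distributed firewall rules."""
    sg = GROUPS.get(pkt.src_ip, "unknown")
    dg = GROUPS.get(pkt.dst_ip, "unknown")
    for src, dst, port, action in RULES:
        if src in ("any", sg) and dst in ("any", dg) and port in (None, pkt.dport):
            return action
    return "deny"

def egress(vnic, pkt, spoofguard_enabled=True):
    """Enforcement point at the vNIC: SpoofGuard check first, then the DFW rules."""
    if spoofguard_enabled and not spoofguard_ok(vnic, pkt):
        return "drop:spoofguard"
    return dfw_lookup(pkt)

def demo():
    """Packets toward the app tier; the rogue VM borrows the web tier's address."""
    legit = Packet("10.0.1.10", "10.0.2.10", 8080)
    spoofed = Packet("10.0.1.10", "10.0.2.10", 8080)   # same bytes, but sent from the rogue vNIC
    honest_rogue = Packet("10.0.3.99", "10.0.2.10", 8080)
    return {
        "web-01 legit": egress("web-01/vnic0", legit),
        "rogue-01 own ip": egress("rogue-01/vnic0", honest_rogue),
        "rogue-01 spoofed, SpoofGuard on": egress("rogue-01/vnic0", spoofed),
        "rogue-01 spoofed, SpoofGuard off": egress("rogue-01/vnic0", spoofed, spoofguard_enabled=False),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

With SpoofGuard off, the last case returns "allow": the rule engine only sees an address it trusts. The check therefore belongs before rule evaluation, at the vNIC, where the hypervisor knows which VM is really sending.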
–––
3RD PARTY INTEGRATION
HyTrust Encryption at Rest
(Diagram: Private Cloud / vSphere Data Center with VMs running HyTrust; Key Controllers 1–4; vCloud Air; Admin 1 and Admin 2)
• Encrypt and re-key without taking applications offline
• Transparent to users and admins
• Customer retention of keys (Bring Your Own Keys)
• Encryption travels with the VM, regardless of location
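The pattern behind "re-key without going offline", "bring your own keys" and "encryption travels with the VM" is envelope encryption, sketched here as an added example (not HyTrust product code, and not a description of how HyTrust implements it). A per-VM data encryption key (DEK) encrypts the disk, a customer-held key encryption key (KEK) wraps the DEK, and the wrapped DEK rides in the image header. Rotating the KEK rewrites only that header; rotating the DEK means re-encrypting every block. The cipher is a toy HMAC-SHA256 keystream so the block runs on the standard library alone; all keys and data are constructed.

```python
"""Envelope encryption with a customer-held KEK: re-key without rewriting the data.

Added example, not HyTrust code. Toy keystream cipher (HMAC-SHA256) for portability;
use AES-GCM/XTS from a vetted library in practice. Keys and data are constructed.
"""
import hashlib
import hmac
import os
import struct

def keystream_xor(key, nonce, data):
    """Toy CTR-style stream cipher: XOR data with HMAC-SHA256(key, nonce || counter) blocks.
    Confidentiality only; it carries no integrity check for the data itself."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + struct.pack(">Q", i // 32), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def wrap(kek, dek):
    """Key blob = nonce || encrypted DEK || MAC, so a wrong KEK is detected, not silently garbage."""
    nonce = os.urandom(16)
    ct = keystream_xor(kek, nonce, dek)
    tag = hmac.new(kek, b"wrap" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(kek, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kek, b"wrap" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong KEK or tampered key blob")
    return keystream_xor(kek, nonce, ct)

class EncryptedDisk:
    """A VM disk image: header with the wrapped DEK, body with the encrypted data."""
    def __init__(self, kek, plaintext):
        dek = os.urandom(32)                       # the DEK never lands on disk in clear
        self.nonce = os.urandom(16)
        self.data = keystream_xor(dek, self.nonce, plaintext)
        self.wrapped_dek = wrap(kek, dek)          # header travels with the image

    def read(self, kek):
        return keystream_xor(unwrap(kek, self.wrapped_dek), self.nonce, self.data)

    def rotate_kek(self, old_kek, new_kek):
        """Customer rotates their key: only the header changes, data blocks are untouched."""
        self.wrapped_dek = wrap(new_kek, unwrap(old_kek, self.wrapped_dek))

    def rotate_dek(self, kek):
        """Re-key the data itself: every block is decrypted and re-encrypted under a new DEK."""
        plaintext = self.read(kek)
        new_dek, self.nonce = os.urandom(32), os.urandom(16)
        self.data = keystream_xor(new_dek, self.nonce, plaintext)
        self.wrapped_dek = wrap(kek, new_dek)

def demo():
    """Constructed keys and data; reports what each kind of rotation changed."""
    kek_v1, kek_v2 = os.urandom(32), os.urandom(32)
    guest = b"guest filesystem bytes" * 4
    disk = EncryptedDisk(kek_v1, guest)
    body_before = disk.data
    disk.rotate_kek(kek_v1, kek_v2)
    old_kek_rejected = False
    try:
        disk.read(kek_v1)
    except ValueError:
        old_kek_rejected = True
    kek_rotation_left_data_unchanged = disk.data == body_before
    readable_with_new_kek = disk.read(kek_v2) == guest
    disk.rotate_dek(kek_v2)
    return {
        "kek_rotation_left_data_unchanged": kek_rotation_left_data_unchanged,
        "old_kek_rejected": old_kek_rejected,
        "readable_with_new_kek": readable_with_new_kek,
        "dek_rotation_rewrote_data": disk.data != body_before,
        "readable_after_dek_rotation": disk.read(kek_v2) == guest,
    }

if __name__ == "__main__":
    print(demo())
```

The operational consequence: a KEK rotation is cheap and can be forced at any time (lost admin, departed employee), while a DEK rotation is a background re-encryption job whose progress has to be tracked per block if the VM keeps running. The customer keeping the KEK is what "bring your own keys" buys: without it, the provider cannot unwrap the header even though it holds the image.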
–––
3RD PARTY INTEGRATION
–––
SECURING THE EXTENDED DATA CENTER
–––
UNIQUE HYBRID CAPABILITIES
Migrate Virtual Machines On-Prem to vCloud Air with Zero Downtime
Overview: Compatibility, Portability, Security
Hybrid Cloud: On-Premises <-> vCloud Air; Zero-Downtime Migration; Active Replicating; Secure Tunnel
• Secure VM migration or vMotion with IPsec and Suite-B encryption
• Flow entropy with FOU tunneling
• Authentication required for migration
• NAT’d vMotion traffic
• HCX will be available upon release from VMware
–––
SECURITY POLICY MIGRATION
The VMware SDDC Private Cloud -> Security Policy Migration -> The VMware Public Cloud
• Untether workloads from the physical data center for increased flexibility and agility
• Support data center migration and consolidation projects without need for maintenance windows
• Simplify transition to cloud by carrying existing security and networking policies with the virtual machine
–––
HCX – ANY-TO-ANY CLOUD
HCX Hybridity: vSphere 5.1+ <-> VCF or VC + NSX
Features
• Tether legacy vSphere 5.1 to next-gen vSphere 6.5 and above
• Seamless application mobility between different VMW stacks
• Secure L2 Extension w/o need for NSX on site
• Automatic VPN connectivity across sites
• vMotion and replication across disparate VMW stacks
Benefits
• Move to cloud w/o need to upgrade vSphere on-prem
• No need to upgrade networking architecture to extend L2 to cloud
• Transform from legacy stack to next-gen SDDC+NSX without downtime
• Transform with no change in networking, IP or IT policies
• Automatic secure, high performance connection between sites
–––
vRACK (VIRTUAL RACK)
Once enabled, your services communicate with each other across a virtual network (VLAN).
• Secure private connection between all OVH infrastructures around the world.
• vRack enables private connectivity between Data Centers
• Customer has the ability to make changes themselves
• Allows extending layer 2 networks
• Interconnects different environment types on the same VLAN
–––
CONNECTIVITY SIMPLIFIED
(Diagram: Customer Managed Networks & vRack connecting, via an OVH PoP, the OpenStack, vSphere-as-a-Service and Dedicated Server environments in Roubaix, Hillsboro and Vint Hill with the customer DC and its vSphere-as-a-Service)
–––
SUMMARY
• OVH is a global hyper-scale cloud provider with a rich 20-year history.
• OVH customers have more options for data center locations, more direct connection points to get to the OVH network, and more choices & product selection.
• Industry leading anti-DDoS protection fronts your OVH based assets whether they are dedicated servers, private cloud computing, or public cloud instances.
• Behind that industry leading DDoS protection is security in depth under your control.
–––
HOW TO CONTACT US
VMworld Booth Location – D313
@ovh and @vcloudair_ovh
@ovh and @vcloudair.ovh
OVH and vCloud Air powered by OVH
ovh.com
–––
OVH AT VMWORLD
Session ID | Session Title | Time
LHC3295BES | OVH: Why Optimizing Layer 0 matters | Wednesday Sept 13th 2:00 p.m. – 3:00 p.m.
LHC2401BE | How far is too far? The Hybrid Cloud Distance Factor. | Tuesday Sept 12th 3:30 p.m. – 4:30 p.m.
LHC3296BES | Shields Up! Building a True Security Barrier in the Cloud | Tuesday Sept 12th 2:00 p.m. – 3:00 p.m.
LHC1951BE | Automate Cloud Recovery For When You Are Nuked From Orbit: It’s the Only Way to Be Sure | Thursday Sept 14th 9:00 a.m. – 10:00 a.m.
LHC1010BES | Open your mind: mix Private Cloud, Hybridity and Elasticity all Together | Tuesday Sept 12th 5:00 p.m. – 6:00 p.m.
GRC2676BE | Building a Paper Trail: How to Secure and Audit a Public Cloud | Wednesday Sept 13th 3:30 p.m. – 4:30 p.m.