LHC3296BES OVH: Shields Up! Building a True Security or … · 2019-06-27 · Over 1.2 Million...

Chris Romano, Principal Systems EngineerTwitter - @virtualirishman

LHC3296BES

#VMworld #LHC3296BES

OVH: Shields Up! Building a True Security Barrier in the Cloud

VMworld 2017 Content: Not fo

r publication or distri

bution

2017 Proprietary and Confidential©2017 OVH US | Proprietary & Confidential

–––

VMworld disclaimer

This presentation may contain product features that are

currently under development. This overview of new

technology represents no commitment from VMware or OVH

to deliver these features in any generally available product.

Features are subject to change, and must not be included in

contracts, purchase orders, or sales agreements of any kind.

Technical feasibility and market demand will affect final

delivery. Pricing and packaging for any new technologies or

features discussed or presented have not been determined.

2



bution


–––AGENDA

1 OVH – Who We Are

2 OVH Product Overview

3 Defense at the PERIMETER DDOS Mitigation

4 Defense WITHIN the Virtual Data Center

6 Securing the Extended Data Center

7 Q & A

3



bution

2017 Proprietary and Confidential

–––

WHO IS OVH



bution


–––

OVH is a global, hyper-scale cloud provider

that offers our customers maximum performance and value

• Vertical integration (constructing own servers, data centers) and proprietary green water cooling technology allows

OVH to save costs and pass savings to customers

• Named largest hosting & cloud provider in Europe and third largest global hosting provider by Netcrafthttps://www.netcraft.com/internet-data-mining/hosting-analysis/

5

OVH GROUP HIGHLIGHTS



bution

https://www.netcraft.com/internet-data-mining/hosting-analysis/


–––

6

Over 1.2 Million Business Clients in 138 Countries

Own 11+ Tbps

Network

with

32 PoPs

2016

20 data centers in

5 countries and

4 continents

2017

27 data centers

in 11 countries

2020

50 data centers

Hosting capacity: 1.3

million physical servers

270,000 already deployed

OVH IS A GLOBAL CLOUD LEADER



bution


–––OVH BUILDS ITS OWN DATA CENTERS

7



bution


–––

30% natural air cooling

+

70% water cooling

=

0% air conditioning

OVH MANUFACTURES SERVERS & USES GREEN TECHNOLOGY

8



bution


–––

+ Dedicated Cloud

+ Virtual Private Cloud

+ Disaster Recovery

+ VMware SDDC

+ Open API

+ Automation Compatibility

+ Scalability

+ Bring you own License

+ Non-Virtual Workloads

+ Proprietary Software

Dedicated Servers

Bare Metal

Customer Support & Services

Global Hyper-Scale Reach

OVH’s Fiber Optic Network (11+ Tbps) + Anti-DDoS + Private LAN

Public Cloud

SOLUTIONS TO SUIT YOUR NEEDS

Hosted Private Cloud

9



bution

©2017 OVH US | Proprietary & Confidential

–––NETWORK CAPACITY 11+ Tbps

10



bution


–––

WHY WE ARE HERE



bution


–––

DEFENSE AT THE PERIMETER



bution


–––Domain name provider Dyn suffered the largest DDoS attack in history on

Oct. 21

DYN DDOS ATTACK - OCTOBER 21, 2016

13



bution


–––MEANWHILE IN ROUBAIX 1 MONTH EARLIER…….

Each day OVH detects

and mitigates over

1500 attacks against

its customers’

servers. About one

third of these attacks

are "SYN flood"

attacks.

1 Tbps DDoS Attack Launched from 152,000 Hacked Smart Devices

This is likely the largest DDoS attack ever reported.

Reference Article:

https://www.ovh.com/us/news/articles/a2367.the-ddos-that-didnt-break-the-camels-vac

14



bution



–––DDOS ATTACKS INCREASE 125% ANNUALLY

Source: Akamai: Q1 2016 State of the Internet - Security Report

In 2016 we saw 19 attacks over 100 Gbps

15



bution


–––TARGETS AND TYPES OF ATTACKS

16



bution


–––

End of the attack. Auto-mitigation is maintained

for 26 hours after the attack has ended

The server is operational - no attack Internet-based

services are used without any problems.

The DDoS attack begins the attack is launched via

the internet and on the backbone.

Mitigation of the attack Between 15 and 120 seconds

after the attack has started, the mitigation is activated.

STAGES OF MANAGING AN ATTACK

1

3 4

2

17



bution


–––

18

• Pre-Firewall

• OVH Managed Firewall

• Firewall Network

• Customer Configurable per IP address

• Shield

• UDP reflexion/amplification attacks filtering

• Armor

• Profiles based mitigation

• Does the grunt of the work : SYN Authentication, Zombie detection, payload patterns,

…

• Only enabled when we detect an attack

VAC

Pre-Firewall Firewall Shield Armor

VAC

Architecture

VAC – OVH’S ANSWER TO DDOS



bution


–––OVH MITIGATION TECHNIQUES

Traffic Analysis and Attack Detection

• Netflow analysis of 1/2000 of the traffic that

passes through routers.

• The Armor boxes analyze this and compare it to

the attack signatures.

• If the comparison is positive, mitigation is

ACTIVATED WITHIN SECONDS!

Detection

19



bution


–––

VAC

VAC

VAC

VAC

SBG

RBX

GRA

BHS

Reference Article:


LEVERAGING A GLOBAL NETWORK

20



bution



–––

VAC

Anti-Hack

Anti-Spam

Anti-Phishing

Remotely Triggered

Black Hole (RTBH)

• A fully redundant global network

• Redundancy of all components

• Fire risk management

• High security Data Centers

• Human presence in all Data Centers

• Measures to counteract any failure of the electrical supply network.

ADDITIONAL PROTECTION

21



bution


–––

DEFENSE WITHIN THE VIRTUAL DATA CENTER



bution


–––EDGE SECURITY

NSX EDGE GATEWAY

(vCloud Air Network)

(vCloud Air Network)

• Stateful Inspection Firewall

• Network Address Translations

(NAT)

• DHCP

• Site to Site VPN (IPSec)

• Static Routing

• Dynamic Routing OSPF, BGP

• Load Balancer L4/L7

• SSL Certificate Offloading

• SSL VPN (Client to Server)

• 200 Sub-Interfaces

• Distributed Firewall

23



bution


–––

Runs in Kernel

Space

Full vCenter

Integration

(VC Containers, vMotion)

Zero-trust Security

Micro-Segmentation

Line RateDistributed Enable traffic

redirection to

3rd party services

Spoofguard

Fully

programmable

(REST API)

Internet

DISTRIBUTED FIREWALL CHARACTERISTICS

24



bution


–––

WAN Internet

Compute Cluster Compute Cluster

Perimeter

Firewall

(Physical)

NSX EDGE

Service

Gateway

Compute Cluster

SDDC (Software Defined DC)

DFW DFW DFW

DFW: E-W

Edge Service Gateway

positioned to protect

border of the Cloud

Instance or SDDC:

North – South traffic

protection

Distributed Firewall

positioned for internal

traffic protection:

East – West

traffic protection

Physical

Virtual

Compute Cluster

ED

GE

: N

-S

NSX SECURITY IN THE CLOUD

25



bution


–––SPOOFGUARD

• Ensuring the IP of a VM cannot be altered without

intervention

• IP address does not match the IP address on record

vNIC is prevented from accessing the network

entirely.

• Prevents rogue virtual machines from assuming the

IP address of an existing VM

• Guarantees distributed firewall (DFW) rules cannot

be bypassed

26



bution


–––3RD PARTY INTEGRATION

Hytrust Encryption at Rest

Private Cloud / vSphere Data Center

VM +

HyTrust

Key Controller 4

VM +

HyTrust

VM +

HyTrust

Key Controller 2

Key Controller 1

Key Controller 3

vCloud Air

Admin 1

Admin 2

• Encrypt and re-key without taking applications offline

• Transparent to users and admins

• Customer retention of keys (Bring Your Own Keys)

• Encryption travels with the VM, regardless of location

27



bution


–––

3RD PARTY INTEGRATION

28



bution


–––

SECURING THE EXTENDED DATA CENTER



bution


–––

• Secure VM migration or vMotion with IPSec and Suite-B Encryption

• Flow entropy with FOU tunneling

• Authentication required for migration

• NAT’d vMotion Traffic

• HCX will available upon release from VMware

UNIQUE HYBRID CAPABILITIES

Migrate Virtual Machines On-Prem to vCloud Air with Zero Downtime

Compatibility Portability Security

Hybrid Cloud

vCloud AirOn-Premises

Zero-Downtime Migration

Active Replicating

Secure Tunnel

Overview

30



bution


–––SECURITY POLICY MIGRATION

The VMware SDDCPrivate Cloud

The VMware Public Cloud

Security PolicyMigration

Untether workloads from the physical data center for increased flexibility and agility

Support data center migration and

consolidation projects without need for

maintenance windows

Simplify transition to cloud by carrying

existing security and networking policies with

the virtual machine

31



bution


–––

HCX – ANY-TO-ANY CLOUD

32

32

HCX – Any-to-Any

• Tether legacy vSPhere 5.1 to next-gen vSphere 6.5 and above

• Seamless application mobility between different VMW stacks

• Secure L2 Extension w/o need for NSX on site

• Automatic VPN connectivity across sites

• vMotion and replication across disparate VMW stacks

Features

Benefits

• Move to cloud w/o need to upgrade vSphere on-prem

• No need to upgrade networking architecture to extend L2 to cloud

• Transform from legacy stack to next-gen SDDC+NSX without downtime

• Transform with no change in networking, IP or IT policies

• Automatic secure, high performance connection between sites

vSphere 5.1+

VCF orVC + NSX

HCX Hybridity



bution


–––

vRACK (VIRTUAL RACK)

Once enabled, your services communicate with each other across a virtual network (vLAN).

• Secure Private connection of all OVH infrastructures around the world.

• vRack Enables private connectivity between Data Centers

• Customer has the ability to make changes themselves

• Allows extending layer 2 networks

• Interconnects different environment types on the same VLAN

33



bution


–––

Customer Managed Networks

& vRACK

OVH POP

Open Stack vSphere-as-

a-ServiceDedicated

Server

Roubaix Hillsboro Vint Hill

Customer DC

vSphere-as-

a-Service

CONNECTIVITY SIMPLIFIED

34



bution



bution


–––SUMMARY

• OVH is a global hyper-scale cloud provider with a rich 20 year history.

• OVH Customers have more options for data center locations, more direct

connection points to get to the OVH network, more choices & product selection.

• Industry leading anti-DDOS protection frontends your OVH based assets whether

they are dedicated servers, private cloud computing, or public cloud instances.

• Behind that industry leading DDOS protection is security in depth under your

control.

36



bution


–––HOW TO CONTACT US

37

VMworld Booth Location – D313

@ovh and @vcloudair_ovh

@ovh and @vcloudair.ovh

OVH and vCloud Air powered by OVH

ovh.comVMworld 2017 Content: Not fo


bution


–––

OVH AT VMWORLD

38

Session ID Session Title Time

LHC3295BES OVH: Why Optimizing Layer 0 matters Wednesday Sept 13th 2:00 p.m. – 3:00 p.m.

LHC2401BE How far is too far? The Hybrid Cloud Distance Factor. Tuesday Sept 12 3:30 p.m. – 4:30 p.m.

LHC3296BES Shields Up! Building a True Security Barrier in the Cloud Tuesday Sept 12th 2:00p.m. – 3:00 p.m

LHC1951BEAutomate Cloud Recovery For When You Are Nuked From

Orbit: It’s the Only Way to Be SureThursday Sept 14th 9:00 a.m. – 10:00 a.m.

LHC1010BES Open your mind: mix Private Cloud, Hybridity and Elasticity all

TogetherTuesday, Sept 12th 5:00 p.m. – 6:00 p.m.

GRC2676BEBuilding a Paper Trail: How to Secure and Audit a Public

CloudWednesday Sept 13th 3:30 p.m. – 4:30 p.m.



bution



bution

LHC3296BES OVH: Shields Up! Building a True Security or … · 2019-06-27 · Over 1.2 Million...

Documents

Transcript of LHC3296BES OVH: Shields Up! Building a True Security or … · 2019-06-27 · Over 1.2 Million...