The Power of Virtuality - virtualized security for Software Defined Data Centers (SDDC) with...
Transcript of The Power of Virtuality - virtualized security for Software Defined Data Centers (SDDC) with...
©2015 Check Point Software Technologies Ltd. [Restricted] ONLY for designated groups and individuals
The Power of Virtuality: virtualized security
for Software Defined Data Centers (SDDC)
with full SDN support
Martin Koldovský, Check Point Software Technologies, SE Manager Eastern Europe
DID YOU KNOW?
3 months is the average time to deliver a new DC service.
Source: Gartner Research
DID YOU KNOW?
Average costs of downtime:
$7,900 per minute
$1/2 M dollars per hour
Source: Gartner Research
DID YOU KNOW?
1 in 5 companies fire employees due to downtime.
Source: Gartner Research
The Backbone of any Enterprise Business
CRM, ERP, Web Server, File System, Billing, Mail Server
"It is nearly impossible for today's data center to run at business speed."
ZK Research
State of Virtualization vs. Networking
"Hey, I can spin up VMs in minutes. Why does it take a week to get network/firewall changes?"
The traditional DC is SLOW and INSECURE
But it doesn't have to work this way.
Let's take a DIFFERENT APPROACH
A new networking model is needed
Facebook's Data Center @ Altoona, Iowa, US
A new trend is gaining momentum…
Software Defined Networking
Before SDN
Traditionally, switches and routers learn the network topology by communicating with neighboring devices.
What is SDN all about?
With SDN, network devices get directions from a central controller.
Benefits of SDN
SDN allows modern networks to be more agile and automated.
(Diagram: Network Apps on top of the Controller)
DATA CENTER EVOLUTION
Traditional Data Center
• Dedicated and isolated hardware
• Low utilization
• Low flexibility
Virtualized Data Center
• Server consolidation and virtualization
• Optimized compute utilization
• Performance issues
Software Defined Data Center
• Offer infrastructure as a service
• Better utilization
• Higher flexibility / capacity on demand
Server Virtualization (2007-2010): allows aggregation of multiple independent virtual servers to exist on a physical server.
Network Virtualization: decouples the physical infrastructure from the connectivity services, making the network adaptive and dynamic with simple one-touch provisioning.
(Diagram layers: Compute Access, Data Center Core, Campus Core, Distribution Layer, Access Layer)
SDDC
The SDDC Vision
The Software Defined Data Center revolutionizes IT by implementing SDN concepts and supporting:
• Orchestration & automation
• Private/hybrid cloud
• Self service
SDDC improves traffic flows
• Networking layer is virtualized and centrally controlled
• IP segments no longer force ineffective traffic routes
• Fully optimized traffic flows are generated automatically on demand, without admin intervention
• Potentially, everything is connected!
But what about security?
• Traditional security methodology no longer applies:
  - No IP based topology
  - No clear static segments
  - Dynamic, real-time, end-user-triggered changes
  - Security policies and access control readiness for changes
  - Lack of virtualization awareness
  - The Data Center is a blind spot for IT security
• Multiple vendor-independent components
• Dynamic traffic flows serving the application layer
• SDDC prone to malware propagation and lateral movement
Anatomy Of Modern Attacks On Data Centers
infiltrate, then lateral move
We need a new security model, don't we?
Software Defined Protection
http://www.checkpoint.com/sdp/
SDP AND SDN MODELS WORK IN SYNERGY
SDN: An emerging network architecture, decoupling network control and data planes. Data flows between network nodes are controlled via a programmable SDN controller.
SDP: An overlay architecture enforcing security traffic flows within an SDN network. Data flows are programmed to pass through SDP enforcement points.
vSEC Solution Components
(Diagram: hosts with vSwitches and VMs in the Production, Integration and DMZ zones, each zone with its own virtual system (VS); Internet and LAN connectivity; Check Point Security Management with the vSEC controller integrated with vCenter and NSX; a vSEC gateway on each host)
vSEC Key Features
CHECK POINT vSEC AUTO-DEPLOYMENT
Automatically & instantly scale vSEC to secure VMs on new host members.
(Diagram: VMware NSX Manager deploying a vSEC gateway to each host in Datacenter Production)
SECURITY FOR EAST-WEST TRAFFIC
NSX chains the Check Point vSEC gateway between VMs: traffic between VMs goes through VMware NSX and Check Point vSEC gateways.
(Diagram: VM "A" and VM "B" on NSX vSwitches in Datacenter Production, with vSEC in the path)
PREVENT LATERAL THREATS
Use vSEC for Advanced Threat Prevention inside the data center: IPS, Antivirus, Anti-Bot, Anti-Spam, Application Control.
(Diagram: vSEC between VMs in the Legal, Partners and Datacenter zones)
UNIFIED MANAGEMENT
Use Check Point unified management for consistent policy control and threat visibility across virtual and perimeter gateways.
(Diagram: Check Point Smart Management with vSEC Controller managing the Internet perimeter gateway and the vSEC gateways in the Datacenter)
APPLICATION-AWARE POLICY
Check Point Access Policy:
Rule | From | To | Service | Action
3 | WEB_VM (vCenter Object) | Database (NSX SecGroup) | SQL | Allow
Use fine-grained security policies tied to NSX Security Groups and Virtual Machine identities.
Check Point dynamically fetches objects from NSX and vCenter.
(Diagram: vCenter and NSX Manager feeding the vSEC Controller in Check Point Smart Management)
SHARED-CONTEXT POLICY
NSX Policy:
From | To | Action
Infected VM (Tagged by Check Point) | Any | Quarantine
Shared security context between vSEC and NSX Manager to automatically quarantine and trigger remediation by other services.
Check Point tags infected Virtual Machines in NSX Manager.
(Diagram: vSEC Controller in Check Point Smart Management exchanging context with NSX Manager)
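As an added example of the mechanism behind the application-aware and shared-context slides (this is illustrative code, not Check Point or VMware code): a toy policy evaluator that resolves vCenter VM objects, NSX Security Groups and NSX tags at match time, so a threat event that tags a VM changes the verdict without any rule edit. The VM names, IPs, group membership and the evaluation order (NSX quarantine rules before the access policy) are assumptions constructed for the example.

```python
# Added illustration, not Check Point or VMware code: a toy model of the two slides above.
# Access rules reference dynamic objects (a vCenter VM object, an NSX Security Group) that are
# resolved at match time; an NSX rule quarantines any VM carrying the "infected" tag.
# All VM names, IPs, groups and tags below are constructed for this example.
from collections import namedtuple
from dataclasses import dataclass, field

Rule = namedtuple("Rule", "src dst service action")

@dataclass
class Inventory:
    """Stand-in for what the vSEC Controller fetches from vCenter and NSX Manager."""
    vm_ip: dict                               # VM name -> IP (vCenter VM objects)
    groups: dict                              # NSX SecGroup name -> set of VM names
    tags: dict = field(default_factory=dict)  # VM name -> set of NSX tags

    def resolve(self, obj):
        """Expand a policy object into the IPs it covers right now (no static IP lists)."""
        if obj == "Any":
            return set(self.vm_ip.values())
        if obj.startswith("tag:"):            # shared-context object: an NSX tag
            return {ip for vm, ip in self.vm_ip.items() if obj[4:] in self.tags.get(vm, set())}
        if obj in self.groups:                # NSX Security Group membership
            return {self.vm_ip[vm] for vm in self.groups[obj]}
        return {self.vm_ip[obj]}              # a single vCenter VM object

    def tag_infected(self, vm):
        """What vSEC does on a threat event: tag the VM in NSX Manager."""
        self.tags.setdefault(vm, set()).add("infected")

def evaluate(inv, src_ip, dst_ip, service, nsx_policy, access_policy):
    """First match wins; NSX quarantine rules are assumed to be checked before the access policy."""
    for r in nsx_policy + access_policy:
        if (src_ip in inv.resolve(r.src) and dst_ip in inv.resolve(r.dst)
                and r.service in (service, "Any")):
            return r.action
    return "Drop"                             # implicit cleanup rule

def demo():
    """Verdict for WEB_VM -> Database SQL before and after WEB_VM is tagged as infected."""
    inv = Inventory(vm_ip={"WEB_VM": "10.0.1.22", "DB_VM": "10.0.2.12", "APP_VM": "10.0.3.7"},
                    groups={"Database": {"DB_VM"}})
    access = [Rule("WEB_VM", "Database", "SQL", "Allow")]      # rule 3 on the slide
    nsx = [Rule("tag:infected", "Any", "Any", "Quarantine")]   # the NSX shared-context rule
    before = evaluate(inv, "10.0.1.22", "10.0.2.12", "SQL", nsx, access)
    inv.tag_infected("WEB_VM")                                 # no policy edit needed
    after = evaluate(inv, "10.0.1.22", "10.0.2.12", "SQL", nsx, access)
    return before, after
```

The same resolution step is what makes a VM joining or leaving an NSX Security Group take effect immediately, which is the point of fetching objects dynamically instead of maintaining IP lists.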
THREAT VISIBILITY INSIDE THE DATACENTER
Use Check Point SmartEvent to monitor and investigate threats across north-south and east-west traffic.
(Diagram: Internet, 4800 and 12400 perimeter gateways, vSEC inside the data center)
Infected Virtual Machines:
VM Identity | Severity | Date
VM_Web_22 | High | 3:22:12 2/4/2015
VM_DB_12 | High | 5:22:12 2/4/2015
VM_AD_15 | Medium | 5:28:12 2/4/2015
VM_SAP_34 | Medium | 7:28:12 2/4/2015
Demo
(Demo slide: User Access, Application Usage, Sensitive Data, Mobile Access, Network Threat Prevention, Advanced Security Protections, Granular Visibility; Software Blades shown: Identity Awareness, DLP, Mobile Access, SmartEvent, Application Control, URLF, IPS, Anti-Bot, Antivirus, Threat Emulation; traffic labels HTTPS, HTTP, UserCheck)
Summary
Check Point SDDC security solutions:
• Advanced security protections seamlessly enforced inside the SDDC
• Agile security provisioning for the SDDC
• Comprehensive threat visibility across the SDDC
Check Point vSEC Key Features
Feature | Check Point
Policy Management | Unified management for virtual and physical gateways; Datacenter policy segmentation with sub-policies*; Fetch vCenter and NSX objects for use in Check Point policy
Security | Threat Prevention with multi-layered defenses for the Virtual Data Center; Tag infected VM and update NSX for automatic remediation
Visibility & Forensics | View VM objects in security logs; Comprehensive Datacenter Threat Visibility
Automation & Orchestration | Granular privilege down to individual rule for trusted integrations*
* Available in R80
THANK YOU!