Síla virtuality - virtualizovaná bezpečnost softwarově definovaných datových center (SDDC) s...

©2015 Check Point Software Technologies Ltd. 1©2015 Check Point Software Technologies Ltd. [Restricted] ONLY for designated groups and individuals

Síla virtuality virtualizovaná bezpečnost

Softwarově Definovaných Datových Center (SDDC)

s plnou podporou SDN

Martin Koldovský, Check Point Software TechnologiesSE Manager Eastern Europe

©2015 Check Point Software Technologies Ltd. 22

DID YOU KNOW?

months is the average time to deliver new DC service. 3

Source: Gartner Research


$7,900 per minute

$1/2 M dollar per hour


DID YOU KNOW?

Average Costs of a downtime:


DID YOU KNOW?

1 in 5 companies fire employees due to downtime.


©2015 Check Point Software Technologies Ltd. 8[Restricted] ONLY for designated groups and individuals

CRM ERP WebServer

FileSystem

Billing MailServer

The Backbone of any Enterprise Business


It is nearly impossible for today’s data center to run at business speed.

“”

ZK Research


Hey, I can spin-up VMs in minutes. Why does it take a week to get network/firewall changes

State of Virtualization vs. Networking


The traditional DC isSLOW

INSECURE

©2015 Check Point Software Technologies Ltd. 1212[Confidential] For designated groups and individuals

But it doesn’t have to work this way.

let’s take a DIFFERENT APPROACH


A new networking model is needed

[Highly Restricted] ONLY for designated individuals

Facebook’s Data Center @ Altoona Iowa US


A new trend is gaining momentum…

Software Defined Networking


Before SDN

Traditionally, switches and routers learn the network topology by communicating with neighbor devices


What is SDN all about?

Controller

With SDN, network devices get directions from a central controller


Benefits of SDN

Controller

SDN allows modern networks to bemore agile and automated

Network App

Network App


Traditional Data Center• Dedicated and Isolated Hardware

• Low utilization• Low flexibility

Virtualized Data Center• Server Consolidation andVirtualization

• Optimized Compute utilization• Performance issues

Software Defined Data Center• Offer infrastructure as a service

• Better utilization

• Higher flexibility / Capacity on demand

DATACENTEREVOLUTION

Server VirtualizationAllows aggregation

of multiple independent virtual servers to exist on a physical server

2007-2010

Network VirtualizationDecouples the physical infrastructure from the

connectivity services making the network adaptive and dynamic with simple one-

touch provisioning

ComputeAccess

Data CenterCore

CampusCore

Distribution

Layer

AccessLayer


SDDC


The SDDC Vision

Software Defined Data Center revolutionize IT by implementing SDN concepts and supporting :

Orchestration & automation

Private/Hybrid cloud

Self service


SDDC improves traffic flows

[Restricted] ONLY for designated groups and individuals

• Networking layer is virtualized and centrally controlled

• IP segments no longer force ineffective traffic routes• Fully optimized traffic flows are be generated

automatically on demand without admin intervention• Potentially – everything is connected !


But what about security ?

[Restricted] ONLY for designated groups and individuals

• Traditional security methodology no longer apply:E̶ No IP based topology

E̶ No clear static segmentsE̶ Dynamic real-time end-user-triggered changes

E̶ Security policies and access control readiness for changes

E̶ Lack of virtualization awareness

E̶ The Data Center is a blind spot for the IT security

• Multiple vendor-independent components

• Dynamic traffic flows serving application layer

• SDDC prone to malware propagation and collateral movement

©2015 Check Point Software Technologies Ltd. 23[Protected] Non-confidential content

Anatomy OfModern AttacksOn Data Centers

infiltrate lateral move


We need a new security model, don’t we ?

Software Defined Protection

http://www.checkpoint.com/sdp/


SDN An emerging network architecture, decoupling network control and data planes.Data flows between network nodes controlled viaa programmable network SDN controller.

SDPAn overlay architecture enforcing security traffic flows within an SDN networkData flows are programmed to pass through SDP enforcement points

SDP AND SDN MODELS WORKIN SYNERGY


vSECSolution Components


vSEC solution components

Production

Integration

DMZ

VSVS

VSVS

VSVS

InternetLAN

Production

Host

vSwitch

Host

vSwitch

Host

vSwitch

Host

vSwitch

VMVM

VMVM

VMVM

VM

VMVM VM

VMVMVM

VMVM

VM

VMVMVM

CP SECURITY

MANAGEMENTvSEC controller

vCenter

NSX

vSEC

vSEC

vSEC

vSEC


vSECKey Features


Automatically & instantly scale vSEC to secure VMs on new host members

CHECK POINT vSEC AUTO-DEPLOYMENT

vSEC

vSECvSEC

vSEC vSEC

Datacenter Production

VMWareNSXManager

VMWare


SECURITY FOR EAST-WEST TRAFFIC NSX chains Check Point vSEC gateway between VMs

VM

vSEC

vSEC

VM

Traffic between VMs goes through VMware NSX and Check Point vSEC gateways

“A”

“B”

vSwitchNSX

vSwitchNSX

Datacenter Production


VMVM

VM

VM

VM

IPSAntivirusAntibotAnti SpamApp. Control

Check Point

vSEC

Use vSEC for Advanced Threat Prevention inside data center

PREVENT LATERAL THREATS

vSEC

Legal

PartnersDatacenter


UNIFIED MANAGEMENT

Check Point Smart

Management

vSEC Controller

Use Check Point unified management for consistent policy control and threat visibility across virtual and perimeter gateways

Internet

Check Point Smart

Management

vSECDatacenter


vCenter

APPLICATION-AWARE POLICY

Check Point Access Policy Rule From To Service Action

3 WEB_VM (vCenter Object)

Database (NSX SecGroup)

SQL Allow

Check Point Smart

Management

vSEC Controller

NSXManager

Use Fine-grained security policies tied to NSX Security Groups and Virtual Machine identities

Check Point dynamically fetches objects from NSX and vCenter


vSEC Controller

NSXManager

SHARED-CONTEXT POLICY

NSX Policy From To Action Infected VM (Tagged by Check Point) Any Quarantine

Shared security context between vSEC and NSX Manager to automatically quarantine and trigger remediation by other services

Check Point Smart

Management

Check Point tags infected Virtual Machines in NSX manager


Use Check Point SmartEvent to monitor and investigate threats across north-south and east-west traffic

Internet

vSEC

THREAT VISIBILITY INSIDE THE DATACENTER

4800

12400

Infected Virtual Machines

VM Identity Severity Date

VM_Web_22 High 3:22:12 2/4/2015

VM_DB_12 High 5:22:12 2/4/2015

VM_AD_15 Medium 5:28:12 2/4/2015

VM_SAP_34 Medium 7:28:12 2/4/2015


Demo

37©2013 Check Point Software Technologies Ltd.

User Access

Application Usage

Sensitive Data

Mobile Access

Network Threat Prevention

Advanced Security Protections

Granular Visibility

Identity Awareness

DLP

Mobile Access

SmartEvent

Application Control

URLF

IPSAnti-BotAntivirus

Threat Emulation

HTT

PSH

TTPS

HTT

PSU

SER

CH

ECK

UC

UC


Summary

Check Point SDDC security solutions

Advanced Security protections seamlessly enforced inside the SDDC

Agile Security Provisioning for the SDDC

Comprehensive threat visibility across the SDDC

©2015 Check Point Software Technologies Ltd. 39[Confidential] For designated groups and individuals

Feature Check Point

Policy Management

Unified management for Virtual and physical Gateways

Datacenter policy segmentation with sub policies*

Fetch vCenter and NSX objects for use in Check Point policy

Security

Threat Prevention with multi-layered defenses for Virtual Data Center

Tag infected VM and update NSX for automatic remediation

Visibility & Forensics View VM objects in security logs

Comprehensive Datacenter Threat Visibility

Automation & Orchestration

Granular privilege down to individual rule for trusted integrations*

Check Point vSEC Key Features

* Available in R80

Síla virtuality - virtualizovaná bezpečnost softwarově definovaných datových center (SDDC) s...

Technology

Transcript of Síla virtuality - virtualizovaná bezpečnost softwarově definovaných datových center (SDDC) s...