CHECK POINT & VMWARE NSX AUTOMATING ADVANCED SECURITY FOR THE SOFTWARE-DEFINED DATACENTER Micki Boland Virtual and Cloud Cyber Security Architect mboland@checkpoint.com 2015 Check Point Software Technologies Ltd. [Restricted] ONLY for designated groups and individuals 1
DATA CENTERS are rapidly evolving.
DATA CENTER EVOLUTION: Virtual Datacenter (server/compute virtualization; network operation is manual) -> Software Defined Datacenter (the network is also virtualized) -> Private Cloud (services can be dynamically inserted and orchestrated via automation).
THE NEW ERA OF SOFTWARE-DEFINED DATACENTERS (SDDC): allowing IT to deliver applications at a fraction of the cost and time, in a more secure way!
VMWARE NSX - NETWORK VIRTUALIZATION: network and security services in the hypervisor, under programmatic control: virtual switching and routing, virtual load balancing, virtual L2-L4 firewalling. Centrally and automatically manage network and advanced security services in the data center.
SECURITY CHALLENGES IN THE CURRENT DATACENTER
Challenge #1: Increasing Traffic Inside the Datacenter. Perimeter (north-south) security is blind to 80% of the east-west data center traffic.
Challenge #2: Lateral Threats Inside the Data Center. There is a lack of security control between VMs; threats can easily traverse VLANs; threats attack a low-priority service and then move to critical systems. Modern threats can spread laterally inside the data center, moving from one application to another.
Challenge #3: Security Ignores Data Center Changes. New virtual machines, virtual machine movement, VMs that change IP address, dormant VMs that wake up, VMs that move between VLANs. Traditional static controls fail to secure dynamic networks and highly mobile applications.
Challenge #4: Security Inhibits Data Center Agility. How do you define a secure policy for catalog applications that have not been provisioned and still don't have an IP address? Lack of security automation impacts business agility in delivering services and results in security gaps.
WHAT IS NEEDED?
SECURITY REQUIREMENTS INSIDE THE DATA CENTER: 1. Security visibility into traffic inside the data center. 2. Automated security provisioning to keep pace with dynamic data center changes. 3. Automated insertion and deployment of advanced threat prevention to protect inside the data center.
Introducing: Check Point teams with VMware to automate advanced security for the Software-Defined Data Center.
CHECK POINT & VMWARE: Automating Security inside the Data Center. Virtual security with advanced threat prevention + next-generation networking and security = lateral threat prevention, automated security provisioning, security control & visibility.
vSEC & NSX DATACENTER SECURITY: 100% software based (service, network & security). Micro-segmentation with advanced threat prevention; automation of virtual network & security; security control for all data center traffic; segmented data center; security orchestration between virtual machines; consistent security for N-S and E-W traffic.
VMWARE CORE PRODUCTS FOR SOFTWARE DEFINED DATACENTER (SDDC)
VMWARE PLATFORM FOR SOFTWARE DEFINED DATACENTER (SDDC): virtual machines on an NSX virtual network, running on ESX hosts (cluster).
CHECK POINT vSEC DEPLOYMENT: NSX automatically provisions a Check Point vSEC gateway on each host.
NSX AUTOMATICALLY DEPLOYS vSEC IN THE SOFTWARE DEFINED DATACENTER (SDDC)
CHECK POINT vSEC DEPLOYMENT: NSX automatically provisions a Check Point vSEC gateway on each host.
CHECK POINT vSEC AUTO-DEPLOYMENT: NSX Manager automatically deploys and provisions a Check Point vSEC gateway on each host.
CHECK POINT vSEC AUTO-DEPLOYMENT: automatically and instantly scale vSEC to secure VMs on new host members.
SECURITY FOR EAST-WEST TRAFFIC: NSX chains the Check Point vSEC gateway between VMs, so traffic between VMs goes through VMware NSX and the Check Point vSEC gateways.
AUTOMATE ADVANCED SECURITY FOR THE SOFTWARE DEFINED DATACENTER (SDDC)
PERIMETER SECURITY GATEWAY: use Check Point appliances with advanced threat prevention for datacenter perimeter security (north-south traffic).
VIRTUAL SECURITY GATEWAY: use the Check Point vSEC gateway for advanced security between virtual machines (east-west traffic).
MICRO-SEGMENTATION: NSX Security Groups (Finance, Legal, Web, Partners, Database). Use NSX to segment virtual machines into different security groups on a flat network.
EAST-WEST SECURITY CONTROL: NSX service chain policy: traffic from the Partner security group to the Legal security group must go through the Check Point vSEC gateway. Use Check Point vSEC to control traffic access between virtual machines.
PREVENT LATERAL THREATS: use vSEC for advanced threat prevention inside the data center.
UNIFIED MANAGEMENT: use Check Point unified management for consistent policy control and threat visibility across virtual and perimeter gateways.
APPLICATION-AWARE POLICY. Check Point Access Policy: Rule 3, From WEB_VM (vCenter object), To Database (NSX SecGroup), Service SQL, Action Allow. Check Point dynamically fetches objects from NSX and vCenter. Use fine-grained security policies tied to NSX Security Groups and virtual machine identities.
MICRO-SEGMENTATION WITH SUB-POLICIES*. Check Point Access Policy: Rule 3, From Any, To Database (NSX SecGroup), Action Sub-Policy; Rule 3.1, From WEB_VM1 (vCenter object), To DB_VM1 (vCenter object), Service SQL, Action Allow. Delegate privileges to change and push a policy change of a single rule. Use a security policy that is easily segmented into sub-policies. *Available in R80.
SHARED-CONTEXT POLICY. NSX Policy: From Infected VM (tagged by Check Point), To Any, Action Quarantine. Check Point tags infected virtual machines in NSX Manager. Shared security context between vSEC and NSX Manager automatically quarantines the VM and triggers remediation by other services.
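Added example, not code from this deck or from Check Point or VMware, modelling the application-aware policy and the shared-context quarantine rule above: From/To match dynamic objects (a vCenter VM, an NSX Security Group, an NSX tag) that are resolved at evaluation time, so a VM keeps its rule after an IP change and a VM tagged Infected is quarantined before any Allow rule is reached. All VM names, IPs and rule numbers are constructed.

```python
# Added example (not Check Point or VMware code): toy first-match access policy
# whose From/To fields name vCenter VM objects, NSX Security Groups and NSX
# security tags instead of IP addresses. All names and IPs are constructed.
from dataclasses import dataclass, field

@dataclass
class VM:
    name: str
    ip: str
    groups: set = field(default_factory=set)  # NSX Security Group membership
    tags: set = field(default_factory=set)    # NSX security tags, e.g. "Infected"

@dataclass
class Rule:
    number: str
    src: str      # "vm:NAME", "group:NAME", "tag:NAME" or "any"
    dst: str
    service: str  # e.g. "SQL", or "any"
    action: str

def selector_matches(selector: str, vm: VM) -> bool:
    """Resolve a dynamic object against the live inventory at match time."""
    if selector == "any":
        return True
    kind, _, name = selector.partition(":")
    return {"vm": vm.name == name,
            "group": name in vm.groups,
            "tag": name in vm.tags}.get(kind, False)

def evaluate(rules, inventory, src_ip, dst_ip, service):
    """Map IPs to VM identity at evaluation time; unknown endpoints hit cleanup."""
    by_ip = {vm.ip: vm for vm in inventory}
    src, dst = by_ip.get(src_ip), by_ip.get(dst_ip)
    if src is None or dst is None:
        return None, "Drop"
    for r in rules:
        if (selector_matches(r.src, src) and selector_matches(r.dst, dst)
                and r.service in (service, "any")):
            return r.number, r.action
    return None, "Drop"  # implicit cleanup rule (constructed default)

# Constructed inventory/policy: the slides' rule 3 plus quarantine rules first.
WEB_VM = VM("WEB_VM", "10.0.1.10")
DB_VM1 = VM("DB_VM1", "10.0.2.20", groups={"Database"})
INVENTORY = [WEB_VM, DB_VM1]
POLICY = [
    Rule("1", "tag:Infected", "any", "any", "Quarantine"),
    Rule("2", "any", "tag:Infected", "any", "Quarantine"),
    Rule("3", "vm:WEB_VM", "group:Database", "SQL", "Allow"),
]
```

Changing DB_VM1.ip (a vMotion or re-addressing) leaves rule 3 matching, and adding "Infected" to WEB_VM.tags makes rule 1 fire before rule 3 is consulted.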
THREAT VISIBILITY INSIDE THE DATACENTER. Infected Virtual Machines (VM identity, severity, date): VM_Web_22, High, 3:22:12 2/4/201; VM_DB_12, High, 5:22:12 2/4/201; VM_AD_15, Medium, 5:28:12 2/4/201; VM_SAP_34, Medium, 7:28:12 2/4/201. Use Check Point SmartEvent to monitor and investigate threats across north-south and east-west traffic.
Check Point vSEC Key Features. Policy Management: unified management for virtual and physical gateways; datacenter policy segmentation with sub-policies*; fetch vCenter and NSX objects for use in Check Point policy. Security: threat prevention with multi-layered defenses for the virtual data center; tag infected VMs and update NSX for automatic remediation. Visibility & Forensics: view VM objects in security logs; comprehensive datacenter threat visibility. Automation & Orchestration: granular privilege down to an individual rule for trusted integrations*. *Available in R80.
THREE QUESTIONS TO ASK YOUR CUSTOMERS. Q1: Do you have security and threat visibility inside your datacenter? Q2: Do you feel that security impedes datacenter service agility? Q3: Are you frustrated using VLANs to segment your datacenter?
FAQ. Q: What is the vSEC product version? A: vSEC Gateway is R77.20 vSEC; vSEC Controller is based on R77.30. Q: Can I buy and use it today? A: Yes. Q: Will vSEC be supported in R80? A: Yes. Q: Was it certified by VMware NSX? A: Yes. It is certified on ESX 5.5 and ESX 6.0. Q: Where can I learn more about the solution? A: Visit the vSEC wiki and the Check Point vSEC webpage.
SUMMARY
CHECK POINT & VMWARE: Automating Advanced Security inside the Data Center. Virtual security with advanced threat prevention + next-generation networking and security = lateral threat prevention, automated security provisioning, security control & visibility.
THANK YOU!