Securing the private cloud
Gary Gardiner, Security Engineer
2011 Check Point Software Technologies Ltd. [Unrestricted] For everyone

Top Trends of 2011
1. Virtualization & Cloud Computing
2. IT Consumerization
3. Threat Landscape
4. Consolidation & Complexity
5. Data Security and Loss
6. Web 2.0 & Social Media
7. Governance, Risk & Compliance (GRC)
8. Cost Reduction
9. Green IT
2011 Security Trends: Virtualization & Cloud Computing

On Data Center Consolidation
Private cloud: 28% have one, 30% plan one (Information Week, June 2010)
CIOs will virtualize 55% of production servers next year, up from 42% this year (Morgan Stanley, June 2010)
Enterprise Virtualization Initiatives
Top security challenges for server virtualization: "What are the biggest security challenges preventing server virtualization in your enterprise?"
Lack of skills in security team: 36%
Cost of new information security solutions: 28%
Can't port existing security tools from the physical to the virtual world: 26%
Lack of security best practices for server virtualization: 24%
Regulatory compliance issues: 24%
Lack of knowledge in security teams remains the biggest challenge in moving to virtualized environments. (Enterprise Strategy Group, 2010 survey of enterprise decision makers)

On Cloud Computing
Top concerns with private clouds: "What are your greatest concerns about deploying and managing them?"
Loss of control: 80%
Data security: 76%
Data portability and ownership: 73%
Regulatory compliance: 62%
Reliability: 60%
(Morgan Stanley 2010 CIO Cloud Survey)
On Cloud Priorities
Top hardware / IT infrastructure priorities: "Are you considering building an internal or private cloud operated by IT (not a service provider) in the next 12 months?"
                 Not currently planned   On project list
Enterprise       45%                     55%
Mid-market       56%                     44%
Small Business   64%                     36%
(Forrester Research 2010 Enterprise and SMB Survey)

2011 Security Trends: Cost Reduction
On Cost Reduction and Doing More with Less
"CIOs I've talked to expect dramatic >30% cuts in infrastructure and operations costs." Mark McDonald, Group Vice President, Gartner, November 2010

2011 Security Trends: Green IT
On Green IT: Environmental Motivations
"What are your organization's top three motivations for pursuing greener IT operations?"
Reduce energy-related operating expenses: 70%
Reduce other IT operating expenses: 38%
Improve brand image with the public: 35%
(Global Green IT Online Surveys, April 2010)

Gartner's top strategic technologies for 2011
1. Cloud Computing
2. Mobile Applications and Media Tablets
3. Web 2.0 Social Technologies and Communications
Virtualization vs. Cloud
Virtualizing for efficiency is good, but cloud efficiency is much better.

The Cloud Evolution (increasing efficiency from left to right)
On-premise: Legacy Datacenter, Virtualization, Private Cloud
Off-premise: Web Hosting, Public Cloud, SaaS
Hybrid Cloud sits between the two.
Market projections: $11.8 billion by 2014 and $55 billion by 2014
Moving to Private Cloud
Each stage shows the same network zones (Corpnet, DMZ, Intranet) with the ratio of servers per application and of security zones (VLANs) per server.
Legacy Datacenter: 1:1 server per application; 1:10 security zone (VLANs) per server
Application Virtualization: 1:5 server per application; 1:1 security zone (VLANs) per server
Network Virtualization: 1:20 server per application; 5:1 security zone (VLANs) per server
Datacenter Consolidation: 1:100 server per application; 20:1 security zone (VLANs) per server
The VLAN Sprawl Problem
It is cheap and easy to add applications, and everyone wants more VMs, so VMs sprawl.
How do you secure them? More VLANs to segment the VMs, which are hard to manage: VLAN sprawl.
Consequences: lack of compliance, black spots, latency.

The Evolving Datacenter
1. Physical: traditional datacenter, each application and OS on its own hardware
2. Virtual: servers virtualized (VMware on hardware) with minimal changes to datacenter processes
3. Private Cloud (on-premise/internal): servers virtualized in a scalable, shared, elastic environment
4. Public Cloud (off-premise/external): select enterprise applications in the public cloud, reached by your employees
Private Cloud - Security Needs
Protection from external threats
Inspect traffic between Virtual Machines (VMs)
Secure new Virtual Machines automatically
Ensure security in a dynamic environment
All of these sit on top of the hypervisor.

Introducing Check Point Security Gateway Virtual Edition (VE)
Check Point secures the private cloud: the best virtual security gateway, securing the virtual machines, with unified management for physical and virtual.
Secure the Virtual Infrastructure
Protects Virtual Machines
Hypervisor security, certified by VMware
Hypervisor Connector
Audit of the virtualization system

Virtual Edition Features
Check Point Security Gateway Virtual Edition (VE) runs on the hypervisor through the Hypervisor Connector.
Best Security: VM protection with all Software Blades (Firewall, VPN, IPS, Antivirus); inspecting inter-VM traffic
Flexible Security: securing new VMs automatically; securing the dynamic environment
Unified Management: the same management for physical and virtual; the management itself can be virtualized
Virtualized Security Scenarios
Secure the Virtual Environment: use Security Gateway Virtual Edition to apply granular firewall and IPS policies to inter-VM traffic
Office in a Box: use Security Gateway Virtual Edition (VE) with the firewall, IPS and VPN Software Blades to secure your office networks and assets
Enterprise Security Gateways: consolidate your Security Gateway deployment into a virtualized environment

Easy Deployment
Secure the virtual environment by installing a virtual appliance, delivered as a standard Open Virtualization Format (OVF) virtual appliance.
Layer 2 security packet flow
On an ESX Server hosting VMs 2.1.1.1 to 2.1.1.5, each with a fast-path Agent on its vNIC in front of the vswitch:
1. VM 2.1.1.1 sends a packet to 2.1.1.3.
2. The packet is intercepted by the Agent and forwarded, through the Security API, to the Gateway for inspection.
3. The packet passes firewall inspection and is sent back to the Agent.
4. The packet continues the flow from where it was intercepted; it is not inspected again.

Layer 2 security in dynamic environments
Two hosts, ESX 1 and ESX 2, each with its own Agents, Security API and vswitch, and a Sync link between their Security Gateways. A connection is initiated from 2.1.1.1 to 2.1.1.3, both on ESX 1.
Layer 2 security in dynamic environments (continued)
When 2.1.1.3 migrates to ESX 2, the connections related to 2.1.1.3 are marked as handled by ESX 1, and that state is synced between the Security Gateways (SG to SG Sync).
After the migration: packets of the existing connection are forwarded to ESX 1; packets of a new connection are not forwarded and are handled on ESX 2.
Anti-spoofing illustration
VMs 2.1.1.1 to 2.1.1.5 each have an Agent on their vNIC. VM 2.1.1.5 tries to send with the spoofed source IP 2.1.1.1; the Agent drops the packet before it reaches the vswitch.

Deployment - Layer 2 mode
Automatic: no network changes required
Protects all Virtual Machines on the ESX host
Attaches a fast-path agent to all virtual NICs on the ESX host
Creates a new vswitch named _cp_private_vswitch
Creates a new port group named _cp_private
Connects the Security Gateway to the _cp_private port group
Installation automation: seamless security for dynamic environments
When new VMs are created on the ESX Server:
1. An event is sent to the Security Gateway informing it of the new VMs.
2. The installed Service Console component retrieves information on the VMs, port groups and vswitches.
3. The ESX Server attaches the Fast Path Agents to the vNICs of the new VMs, in front of the vswitch and the internal switch.

Flexible Virtual Machine security: the Fast Path Agent configuration options
Bypass: pass the packet without inspection
Secure: forward the packet to the security gateway
Block: drop the packet
Monitor-only: inspect and log packets that would have been dropped, without dropping them
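The packet flow, the connection handover after a VM migration, the anti-spoofing check and the four agent modes described on the preceding slides, as an added toy model in Python. This is not Check Point code and does not use its Security API: the host names ESX1/ESX2, the 2.1.1.x addresses, ports, rule base, the shared Sync object and every class name are constructed for illustration.

```python
# Added toy model of the Layer 2 fast-path agent flow on the slides. Not Check Point
# code: host names, IPs, ports, the rule base and every class here are constructed.
from dataclasses import dataclass
from enum import Enum

class Mode(Enum):          # the four Fast Path Agent configuration options
    BYPASS = "bypass"      # pass the packet without inspection
    SECURE = "secure"      # forward the packet to the security gateway
    BLOCK = "block"        # drop the packet
    MONITOR = "monitor"    # inspect and log, but never drop

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False        # first packet of a new connection
    inspected: bool = False  # set on egress so the packet is not inspected again
    def key(self):           # direction-independent identity: a reply hits the same entry
        return frozenset({(self.src, self.sport), (self.dst, self.dport)})

class Sync:                  # state shared by all gateways (the 'Sync' link on the slides)
    def __init__(self):
        self.owner = {}      # connection key -> name of the host whose gateway owns it
        self.gateways = {}   # host name -> Gateway

class Gateway:
    def __init__(self, host, sync, rules):
        self.host, self.sync, self.rules = host, sync, rules
        self.log, self.inspections = [], 0
        sync.gateways[host] = self
    def inspect(self, pkt):
        self.inspections += 1
        key, owner = pkt.key(), self.sync.owner.get(pkt.key())
        if owner is not None and owner != self.host:
            # state lives on another host (VM moved after the connection was opened):
            # hand the packet to that gateway instead of re-evaluating the rule base
            self.log.append(f"{self.host}: forwarded to {owner}")
            return self.sync.gateways[owner].inspect(pkt)
        if owner == self.host:
            return "accept"                        # established connection
        if pkt.syn and (pkt.src, pkt.dst, pkt.dport) in self.rules:
            self.sync.owner[key] = self.host       # new connection, state kept here
            return "accept"
        return "drop"                              # no matching rule, or stray non-SYN

class Agent:                 # Fast Path Agent attached to one virtual NIC
    def __init__(self, vnic_ip, host, mode=Mode.SECURE):
        self.vnic_ip, self.host, self.mode = vnic_ip, host, mode
    def egress(self, pkt):
        if pkt.src != self.vnic_ip:
            return "drop:spoof"   # anti-spoofing: this vNIC may only send as its own IP
        if self.mode is Mode.BYPASS:
            return "accept"
        if self.mode is Mode.BLOCK:
            return "drop"
        verdict = self.host.gateway.inspect(pkt)
        pkt.inspected = True
        if self.mode is Mode.MONITOR and verdict == "drop":
            self.host.gateway.log.append(f"monitor: would drop {pkt.src}->{pkt.dst}:{pkt.dport}")
            return "accept"
        return verdict
    def ingress(self, pkt):   # delivery side: already-inspected packets pass straight through
        return "accept" if pkt.inspected else self.host.gateway.inspect(pkt)

class Host:
    def __init__(self, name, sync, rules):
        self.gateway, self.agents = Gateway(name, sync, rules), {}
    def add_vm(self, ip, mode=Mode.SECURE):
        self.agents[ip] = Agent(ip, self, mode)   # a new VM gets its agent automatically
    def migrate(self, ip, dest):
        # vMotion: the VM moves, but connections it opened stay owned by this host
        agent = self.agents.pop(ip)
        agent.host, dest.agents[ip] = dest, agent

def scenario():
    """Replay the slide scenarios and return the verdicts so they can be checked."""
    sync = Sync()
    rules = {("2.1.1.1", "2.1.1.3", 80), ("2.1.1.4", "2.1.1.3", 80)}
    esx1, esx2 = Host("ESX1", sync, rules), Host("ESX2", sync, rules)
    for ip in ("2.1.1.1", "2.1.1.3", "2.1.1.5"):
        esx1.add_vm(ip)
    esx1.add_vm("2.1.1.2", Mode.MONITOR)
    esx2.add_vm("2.1.1.4")
    out, first = {}, Packet("2.1.1.1", 40000, "2.1.1.3", 80, syn=True)
    out["allowed"] = esx1.agents["2.1.1.1"].egress(first)
    out["delivered"] = esx1.agents["2.1.1.3"].ingress(first)
    out["inspections_after_first"] = esx1.gateway.inspections
    out["spoof"] = esx1.agents["2.1.1.5"].egress(Packet("2.1.1.1", 40001, "2.1.1.3", 80, syn=True))
    out["monitor"] = esx1.agents["2.1.1.2"].egress(Packet("2.1.1.2", 40002, "2.1.1.3", 22, syn=True))
    esx1.migrate("2.1.1.3", esx2)
    out["reply_after_move"] = esx2.agents["2.1.1.3"].egress(Packet("2.1.1.3", 80, "2.1.1.1", 40000))
    out["new_after_move"] = esx2.agents["2.1.1.4"].egress(Packet("2.1.1.4", 40003, "2.1.1.3", 80, syn=True))
    out["log"] = esx1.gateway.log + esx2.gateway.log
    return out
```

Running scenario() walks the slides in order: the first packet is inspected exactly once (the receiving agent sees the inspected flag and passes it), the spoofed packet from 2.1.1.5 is dropped by its own agent before any rule lookup, the monitor-only VM's disallowed SSH attempt is logged but passed, and after 2.1.1.3 moves to ESX2 its reply on the existing connection is handed to ESX1 while a new connection from 2.1.1.4 is decided locally on ESX2. The connection key is a frozenset of both endpoints so that the reply direction maps to the same owner entry; that is the design choice a real synced state table has to make too, otherwise the handover only works in one direction.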
Single security management
Unified administration of physical and virtualized environments: a single console for IPS and a single console to manage all firewall rules.

Integration of ESX logs
Logging and auditing of virtualization events: VMware ESX Server logs are integrated into Check Point management.
Pricelist: Security Gateway Virtual Edition Containers
The following products are based on the Software Blades architecture.
Container   Specification                                              Price
SG4801      Security Gateway on a Virtual System with up to 48 cores   $6,000
SG1601      Security Gateway on a Virtual System with up to 16 cores   $3,000
SG801       Security Gateway on a Virtual System with up to 8 cores    $2,000
The Firewall blade is included in the Security Gateway container price; additional software blades can be added separately.
Gateways are licensed based on the number of available physical cores.
Cloud Providers' Security Needs
Multitenancy: servicing multiple customers from the same environment
Secure connection to the cloud; security of the cloud; security within the cloud

Check Point Cloud Security: Check Point secures the public clouds
Use VSX for secure connectivity with the public cloud
Secure VMs and inter-VM connections with Security Gateway Virtual Edition
Offer multi-tenancy management and customized policy via Multi-Domain Management
The case for Cloud Computing and Virtualization
Plug-and-play security for public / private clouds and dynamic virtual environments: safe integration, inter-VM traffic protection, unified management.
VSX Virtual Security Gateway, Security Gateway Virtual Edition and the 5G Next-Gen Firewall Security Gateway together give comprehensive cloud and virtualization security, with unified management for both physical and virtual.

Summary: Check Point pioneers cloud security
Virtual Security Gateway for multi-tenant cloud environments
Best hypervisor security for virtual machines
The only solution with unified management for physical and virtual
Cloud Security Alliance Australian Chapter LinkedIn group: http://www.linkedin.com/groups?gid=3966724

Thank You!