Securing Software-Defined Data Centers with Check Point vSEC and VMware NSX
Tomáš Michaeli, Senior System Engineer, VMware
Peter Kovalčík, Security Engineer, Check Point Software Technologies
2015 Check Point Software Technologies Ltd.
An insecure cloud?
Today we virtualize network services with the VMware NSX network hypervisor.
With the data center defined in software, orchestrated by vRealize Suite or OpenStack, control becomes stateful and programmable.
Figure: the SDDC stack. Applications consume APIs; data center virtualization exposes virtual servers (compute capacity), virtual networks (interconnect capacity) and virtual storage (data capacity) on top of commodity hardware capacity.
This makes it possible to build virtual environments from software containers: virtual networks, load balancing, NAT, VPN and firewalls.
Programmatic access to security and network services: https://www.vmware.com/support/pubs/nsx_pubs.html
Figure: a three-tier application (Web tier, App tier, DB tier, each on its own L3 subnet) built from a logical switch, a logical router, about 100 firewall rules, NAT, and a VIP definition for load balancing.
We keep seeing thefts of data and card numbers. Communication inside the perimeter is uncontrolled: there is little or no lateral control, so low-priority applications are the first target of an attack. Once inside a zone the attacker can move freely, and the infiltration takes weeks or months.
Figure: Internet, data center perimeter, and an attacker moving laterally inside it.
Zero Trust security in detail
Current security-zone model: the VMs of the Web tier sit in Port Group Web, VLAN 91, behind a perimeter firewall. A firewall rule between two web servers in the same VLAN is impossible, because that traffic never reaches the firewall.
NSX transparent Zero-Trust security: the same Port Group Web, VLAN 91, but the VMs are members of Security Group Web, and the distributed firewall enforces a rule Web to Web: DROP directly at the hypervisor.
Fully automated data center: ESXi hypervisor, VMware NSX, Check Point vSEC and cloud automation. With automatic configuration, deployment is instant and takes minutes; with manual configuration, each step is a wait that adds up to hours and days.
DATA CENTERS are rapidly evolving.
DATA CENTER EVOLUTION
- Virtual Datacenter: server (compute) virtualization; network operation is manual.
- Software Defined Datacenter: the network is also virtualized.
- Private Cloud: services can be dynamically inserted and orchestrated via automation.
THE NEW ERA OF SOFTWARE-DEFINED DATACENTERS (SDDC)
Allowing IT to deliver applications at a fraction of the cost and time in a more secure way!
SECURITY CHALLENGES IN THE CURRENT DATACENTER
Challenge #1: Increasing Traffic Inside the Datacenter
Perimeter (north-south) security is blind to 80% of the east-west data center traffic.
Challenge #2: Lateral Threats Inside the Data Center
- Lack of security control between VMs
- Threats can easily traverse VLANs
- Threats attack a low-priority service and then move to critical systems
Modern threats can spread laterally inside the data center, moving from one application to another.
Challenge #3: Security Ignores Data Center Changes
- New virtual machines
- Virtual machine movement
- VMs that change IP address
- Dormant VMs that wake up
- VMs that move between VLANs
Traditional static controls fail to secure dynamic networks and highly mobile applications.
Challenge #4: Security Inhibits Data Center Agility
How do you define a secure policy for catalog applications that have not been provisioned yet and still don't have an IP address? Lack of security automation slows the business down in delivering services and results in security gaps.
WHAT IS NEEDED?
SECURITY REQUIREMENTS INSIDE THE DATA CENTER
1. Security visibility into traffic inside the data center
2. Automated security provisioning to keep pace with dynamic data center changes
3. Automated insertion and deployment of advanced threat prevention to protect inside the data center
CHECK POINT & VMWARE: Automating Security inside the Data Center
Virtual security with advanced threat prevention + next-generation networking and security: lateral threat prevention, automated security provisioning, security control and visibility.
vSEC & NSX DATACENTER SECURITY
- 100% software based: service, network and security
- Micro-segmentation with advanced threat prevention
- Automation of virtual network and security
- Security control for all data center traffic
- Segmented data center, security orchestration between virtual machines
- Consistent security for N-S and E-W traffic
Check Point vSEC + VMware NSX: How it works
CHECK POINT vSEC AUTO-DEPLOYMENT
NSX Manager automatically deploys and provisions a Check Point vSEC gateway on each host, and vSEC scales automatically and instantly to secure the VMs on hosts that are newly added to the cluster.
MICRO-SEGMENTATION
NSX Security Groups: Finance, Legal, Web, Partners, Database. Use NSX to segment virtual machines into different security groups on a flat network.
EAST-WEST SECURITY CONTROL
NSX service chain policy: traffic from the Partners security group to the Legal security group must go through the Check Point vSEC gateway. Use Check Point vSEC to control traffic access between virtual machines.
PREVENT LATERAL THREATS
Use vSEC for advanced threat prevention inside the data center.
APPLICATION-AWARE POLICY
Check Point Access Policy:
Rule | From                    | To                      | Service | Action
3    | WEB_VM (vCenter object) | Database (NSX SecGroup) | SQL     | Allow
Check Point dynamically fetches objects from NSX and vCenter. Use fine-grained security policies tied to NSX security groups and virtual machine identities.
SHARED-CONTEXT POLICY
NSX Policy:
From                                | To  | Action
Infected VM (tagged by Check Point) | Any | Quarantine
Check Point tags infected virtual machines in NSX Manager. The shared security context between vSEC and NSX Manager automatically quarantines the VM and triggers remediation by other services.
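The model behind Challenges #3 and #4, the application-aware policy and the shared-context policy above is the same: rules are written against VM identity, security-group membership and tags rather than IP addresses, so a VM that moves, changes address, wakes up or has not been addressed yet is still covered, and a tag set by the gateway can flip a VM into quarantine without anyone touching the rule base. The following added example (not Check Point or VMware code, and not the NSX or vSEC API) is a minimal policy engine that shows this. The inventory, group names, tags, rule names and addresses are all constructed for illustration.

```python
"""Group- and tag-based policy model for a software-defined data center.

Added example (not Check Point or VMware code): a minimal policy engine that
matches VMs by security-group membership, NSX-style tags and VM identity
instead of IP address. Inventory, group names, tags and rules are constructed
for illustration only; they are not real NSX or vSEC objects.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class VM:
    name: str
    ip: Optional[str] = None                        # unknown until the VM is provisioned
    groups: Set[str] = field(default_factory=set)   # NSX-style security groups
    tags: Set[str] = field(default_factory=set)     # e.g. "infected", set by the gateway


@dataclass
class Rule:
    name: str
    src: str        # "any", "vm:<name>", "tag:<tag>" or a security-group name
    dst: str
    service: str    # "any" or a service name such as "SQL"
    action: str     # "ALLOW", "DROP" or "QUARANTINE"


def selector_matches(selector: str, vm: VM) -> bool:
    """Match a VM by identity, tag or group; never by IP, so moves and re-addressing are harmless."""
    if selector == "any":
        return True
    if selector.startswith("vm:"):
        return vm.name == selector[3:]
    if selector.startswith("tag:"):
        return selector[4:] in vm.tags
    return selector in vm.groups


def decide(inventory: Dict[str, VM], rules: List[Rule], src: str, dst: str, service: str) -> str:
    """First matching rule wins; the zero-trust default is DROP when nothing matches."""
    s, d = inventory[src], inventory[dst]
    for r in rules:
        if (selector_matches(r.src, s) and selector_matches(r.dst, d)
                and r.service in ("any", service)):
            return r.action
    return "DROP"


def build_rules() -> List[Rule]:
    # Quarantine rules come first: a VM tagged "infected" by the gateway is cut off in both directions.
    return [
        Rule("quarantine-out", "tag:infected", "any", "any", "QUARANTINE"),
        Rule("quarantine-in", "any", "tag:infected", "any", "QUARANTINE"),
        Rule("web-to-db", "Web", "Database", "SQL", "ALLOW"),
        Rule("web-to-web", "Web", "Web", "any", "DROP"),   # micro-segmentation inside one tier
        Rule("partners-to-legal", "Partners", "Legal", "HTTPS", "ALLOW"),
    ]


def build_inventory() -> Dict[str, VM]:
    # Constructed sample inventory; the names echo the deck's examples, the data is made up.
    vms = [
        VM("VM_Web_22", "10.0.91.22", {"Web"}),
        VM("VM_Web_23", "10.0.91.23", {"Web"}),
        VM("VM_DB_12", "10.0.93.12", {"Database"}),
        VM("VM_Partner_01", "10.0.95.1", {"Partners"}),
        VM("VM_Legal_07", "10.0.96.7", {"Legal"}),
        VM("VM_SAP_34", "10.0.97.34", set()),          # in no group: nothing is allowed to or from it
    ]
    return {vm.name: vm for vm in vms}


def provision(inventory: Dict[str, VM], name: str, groups) -> None:
    """A catalog VM added before it has an address; policy already applies through its group."""
    inventory[name] = VM(name, None, set(groups))


def tag_infected(inventory: Dict[str, VM], name: str) -> None:
    """What the gateway does when threat prevention fires: tag the VM so the quarantine rule matches."""
    inventory[name].tags.add("infected")


def demo() -> Dict[str, str]:
    inv, rules = build_inventory(), build_rules()
    results = {}
    results["web->db sql"] = decide(inv, rules, "VM_Web_22", "VM_DB_12", "SQL")      # ALLOW
    results["web->web http"] = decide(inv, rules, "VM_Web_22", "VM_Web_23", "HTTP")  # DROP
    inv["VM_Web_22"].ip = "10.0.92.22"            # VM re-addressed / moved to another VLAN
    results["after move"] = decide(inv, rules, "VM_Web_22", "VM_DB_12", "SQL")       # still ALLOW
    provision(inv, "VM_Web_99", ["Web"])          # not yet addressed, already covered by policy
    results["new vm"] = decide(inv, rules, "VM_Web_99", "VM_DB_12", "SQL")           # ALLOW
    tag_infected(inv, "VM_Web_22")
    results["infected out"] = decide(inv, rules, "VM_Web_22", "VM_DB_12", "SQL")     # QUARANTINE
    results["infected in"] = decide(inv, rules, "VM_DB_12", "VM_Web_22", "SQL")      # QUARANTINE
    results["ungrouped"] = decide(inv, rules, "VM_SAP_34", "VM_DB_12", "SQL")        # DROP (default)
    return results


if __name__ == "__main__":
    for scenario, action in demo().items():
        print(f"{scenario:14} {action}")
```

The ordering matters: the quarantine rules sit above every allow rule so that a tag added at runtime overrides access that was legitimate a second earlier, and the engine falls through to DROP rather than ALLOW, which is what makes the web-to-web isolation in the Zero Trust slide hold for any pair the rule base does not mention.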
UNIFIED MANAGEMENT
Use Check Point unified management for consistent policy control and threat visibility across virtual and perimeter gateways.
THREAT VISIBILITY INSIDE THE DATACENTER
Infected Virtual Machines:
VM Identity | Severity | Date
VM_Web_22   | High     | 3:22:12 2/4/201
VM_DB_12    | High     | 5:22:12 2/4/201
VM_AD_15    | Medium   | 5:28:12 2/4/201
VM_SAP_34   | Medium   | 7:28:12 2/4/201
Use Check Point SmartEvent to monitor and investigate threats across north-south and east-west traffic.
Check Point vSEC Key Features
Feature area | Check Point
Policy Management | Unified management for virtual and physical gateways; data center policy segmentation with sub-policies*; fetch vCenter and NSX objects for use in Check Point policy
Security | Threat Prevention with multi-layered defenses for the virtual data center; tag infected VMs and update NSX for automatic remediation
Visibility & Forensics | View VM objects in security logs; comprehensive data center threat visibility
Automation & Orchestration | Granular privilege down to the individual rule for trusted integrations*
* Available in R80
LIVE DEMO
SUMMARY
vSEC & NSX DATACENTER SECURITY
- 100% software based: service, network and security for software-defined data centers
- Automation of virtual network and security
- Security control for all data center traffic
- Software Defined Datacenter, Private Cloud, SDDC: security orchestration between virtual machines
- Consistent security for N-S and E-W traffic
THANK YOU!