© 2010 VMware Inc. All rights reserved
Confidential
VMware Security Briefing
Dan Watson, Senior Systems Engineer, VMware
VMUG, Edinburgh, Feb 24, 2011
2010 Milestone: Virtualization is Now De Facto Model
We are past a virtual tipping point!
Chart (source: IDC): physical hosts versus virtual machines, 2005 to 2013, y-axis from 2,500,000 to 17,500,000; the virtual machine line crosses over the physical host line ("VM Cross Over").
84% of all virtualized applications in the world run on VMware. (Gartner, December 2009)
Virtualization Paves the Way to a New Era in IT
Eras of IT: Mainframe; PC / Client-Server; Web; Cloud.
Cloud Computing will transform the delivery and consumption of IT services. Virtualization is the enabler.
Security Journey to the Private and Hybrid Clouds
Stages: "Air Gapped" Pods; Mixed Trust Hosts; Secure Hybrid Cloud (Public Cloud, FUTURE). Diagram label: HYPEREALITY.
ENTERPRISE DATA CENTER SECURITY & NETWORKING TODAY
Diagram: vSphere serving Users and Sites through a DMZ, Web tier, View desktops and Backend Services, with today's security controls:
- Network segmentation, firewalls, IDS/IPS; server A/V agents; app-, data- and identity-aware security and compliance
- DMZ firewall, NAT, IPAM, VR; site and user VPNs; web load balancers
- Desktop A/V agents; DLP, FIM, whitelisting
VMware’s Security Vision for Secure Clouds
Virtualize Security into Security VMs (SVMs), including partner offers
Unify security into a programmable, trust zone/policy framework
Encapsulate and stand up secure vApps and VDCs on demand
Secure the virtualization stack – Infrastructure, Apps, End Users
Bring the benefits of Cloud Computing to the Enterprise, via Secure Hybrid Clouds
“Disruptively Simplified” Security
First Priority is to Virtualize Security Infrastructure
Diagram: Users and Sites reaching a DMZ, Web Servers and an Apps / DB Tier.
1. Virtualize and consolidate security functions into the hypervisor
2. Leads to a much simplified, agile architecture
Secure vApps simplify Cloud Deployments
Diagram: Users and Sites consuming a Secure vApp on Secure IaaS.
IaaS = It's About Apps Stupid!
2010 – Introducing vShield Products
Securing the Private Cloud End to End: from the Edge to the Endpoint (on VMware vSphere + vCenter, managed by VMware vShield Manager)
- Edge: vShield Edge secures the edge of the virtual datacenter
- Security Zone: vShield App provides application protection from network-based threats
- Endpoint (= VM): vShield Endpoint enables offloaded anti-virus
Diagram: Virtual Datacenter 1 and Virtual Datacenter 2 with zones labelled DMZ, PCI compliant, HIPAA compliant, Web and View, each fronted by VMware vShield.
vShield Endpoint – Efficient Anti-Virus for Virtual Servers and Desktops
Diagram: on VMware vSphere, a Security VM (SVM) running the AV engine scans several VMs (APP, OS kernel, BIOS) through introspection.
Features
• Offload guest A/V to Security VM (SVM)
• File-scanning engines and virus definitions
• On-demand and on-access scans
• Security VM delivered by leading AV partners
• Enforce remediation using driver in VM
• Policy and configuration management through UI or REST APIs
• Logging and auditing
Benefits
• Improve performance by offloading anti-virus functions in tandem with AV partners
• Avoids AV storms (I/O spikes, CPU/memory utilization)
• 90% reduction in guest footprint
• Reduce risk by eliminating agents susceptible to attacks, and enforced remediation
• Satisfy audit requirements with detailed logging of AV tasks
vShield Edge - Secure the Edge of the Virtual Data Center
Features
• Multiple edge security services in one appliance
• Stateful inspection firewall
• Network Address Translation (NAT)
• Dynamic Host Configuration Protocol (DHCP)
• Site to site VPN (IPsec)
• Web Load Balancer
• Network isolation (edge port group isolation)
• Detailed network flow statistics for chargebacks, etc.
• Policy management through UI or REST APIs
• Logging and auditing based on syslog format
Benefits
• Lower cost and complexity by eliminating multiple special purpose appliances
• Ensure policy enforcement with network isolation
• Scale-out architecture with one edge per org/tenant
• Programmable interfaces enable automation
• Rapid provisioning of edge security services
• Simplify IT compliance with detailed logging
Diagram: VMware vSphere hosting Tenant A, Tenant C and Tenant X, each behind its own VMware vShield Edge providing VPN, load balancer and firewall.
vShield App - Application Protection for Network Based Threats
Features
• Hypervisor-level firewall
• Inbound, outbound connection control applied at vNIC level
• Elastic security groups - "stretch" as virtual machines migrate to new hosts
• Robust flow monitoring
• Policy Management
  • Simple and business-relevant policies
  • Managed through UI or REST APIs
• Logging and auditing based on industry standard syslog format
vShield App enables Mixed Trust Zones!
Diagram: TODAY, a PCI compliant DMZ and a PCI compliant zone sit on separate "air gapped" VMware vSphere / vCenter clusters; with vShield App, mixed trust hosts with virtual isolation and segmentation.
Leveraging vShield App for Better-than-Physical Security
Key Benefits
• Complete visibility and control of inter-VM traffic, enabling mixed trust zones on the same ESX cluster
Better than Physical
• Distributed virtual firewall with scale-out port density
• Hypervisor-level introspection provides access to inter-VM traffic
• Intuitive trust zones leverage vCenter inventory; independence from physical network segmentation or re-configuration
• Security policies follow the VMs
• Built-in firewall capabilities provide better than physical security at 1/3rd the cost
Diagram label: Security Policy
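The two vShield App slides above make one architectural claim: a firewall enforced at the vNIC, with rules written against trust zones built from the vCenter inventory, keeps enforcing the same policy when a VM moves hosts or changes address, whereas IP- or VLAN-keyed rules carry no resource context. The model below is an added illustration written for this page, not vShield code; the inventory model, the tag-based security groups, the VM names and addresses and the audit line format are all constructed assumptions.

```python
"""Toy model of a hypervisor-level firewall: rules are applied at each VM's
vNIC and written against security groups resolved from a vCenter-style
inventory, not against IP addresses or VLANs.  Added illustration only:
inventory model, groups and audit line format are constructed, not vShield's."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class VM:
    name: str
    host: str        # ESX host the VM currently runs on (changes with vMotion)
    ip: str          # may change (e.g. DHCP) without touching security policy
    tags: Set[str]   # inventory attributes: resource pool, folder, custom tag


@dataclass
class Rule:
    src_group: str            # "any" or a security-group name
    dst_group: str
    dst_port: Optional[int]   # None means any port
    action: str               # "allow" or "deny"


class Inventory:
    """Minimal stand-in for the vCenter inventory a trust zone is built on."""

    def __init__(self, vms: List[VM], groups: Dict[str, str]) -> None:
        self.vms = {vm.name: vm for vm in vms}
        self.groups = groups   # security-group name -> tag defining membership

    def member_of(self, vm: VM, group: str) -> bool:
        # Membership follows the inventory tag, so a VM keeps its group
        # wherever it runs and whatever IP it currently holds.
        return group == "any" or self.groups[group] in vm.tags

    def vmotion(self, vm_name: str, new_host: str) -> None:
        self.vms[vm_name].host = new_host


class DistributedFirewall:
    def __init__(self, inv: Inventory, rules: List[Rule]) -> None:
        self.inv, self.rules, self.log = inv, rules, []   # log: audit lines

    def evaluate(self, src: str, dst: str, port: int) -> str:
        # First-match evaluation at the destination vNIC, default deny.
        s, d = self.inv.vms[src], self.inv.vms[dst]
        verdict, matched = "deny", "default"
        for i, r in enumerate(self.rules):
            if (self.inv.member_of(s, r.src_group)
                    and self.inv.member_of(d, r.dst_group)
                    and r.dst_port in (None, port)):
                verdict, matched = r.action, f"rule{i}"
                break
        # Constructed syslog-style audit line (not vShield's real format).
        self.log.append(f"dfw: {verdict} src={src}({s.ip}) dst={dst}({d.ip}) "
                        f"dport={port} host={d.host} match={matched}")
        return verdict


def ip_acl_allows(acl: Set[Tuple[str, str, int]], s: VM, d: VM, port: int) -> bool:
    """Conventional IP-keyed ACL with no resource context: it stops matching
    as soon as a VM is renumbered, even though the workload is unchanged."""
    return (s.ip, d.ip, port) in acl


def build_demo() -> Tuple[Inventory, DistributedFirewall]:
    """Mixed-trust cluster: DMZ web, PCI app and PCI database VMs sharing
    hosts, segmented by policy instead of by separate physical pods."""
    inv = Inventory(
        [VM("web01", "esx1", "10.0.1.10", {"zone:dmz"}),
         VM("app01", "esx1", "10.0.2.10", {"zone:pci", "role:app"}),
         VM("db01", "esx2", "10.0.3.10", {"zone:pci", "role:db"})],
        {"dmz-web": "zone:dmz", "pci-app": "role:app", "pci-db": "role:db"})
    rules = [
        Rule("dmz-web", "pci-db", None, "deny"),    # DMZ never talks to the DB
        Rule("dmz-web", "pci-app", 8443, "allow"),  # web tier may reach app tier
        Rule("pci-app", "pci-db", 5432, "allow"),   # app tier may reach the DB
    ]
    return inv, DistributedFirewall(inv, rules)


def run_demo() -> Dict[str, object]:
    inv, fw = build_demo()
    web, app, db = inv.vms["web01"], inv.vms["app01"], inv.vms["db01"]
    acl = {(web.ip, app.ip, 8443), (app.ip, db.ip, 5432)}   # IP-based equivalent
    out: Dict[str, object] = {
        "web->app:8443": fw.evaluate("web01", "app01", 8443),
        "web->db:5432": fw.evaluate("web01", "db01", 5432),
        "app->db:5432": fw.evaluate("app01", "db01", 5432),
        "acl web->app before": ip_acl_allows(acl, web, app, 8443),
    }
    # Move web01 onto the database's host and renumber it: the group-based
    # policy is unchanged, while the IP ACL silently stops matching.
    inv.vmotion("web01", "esx2")
    web.ip = "10.0.9.77"
    out["web->db:5432 after vmotion"] = fw.evaluate("web01", "db01", 5432)
    out["web->app:8443 after vmotion"] = fw.evaluate("web01", "app01", 8443)
    out["acl web->app after"] = ip_acl_allows(acl, web, app, 8443)
    return out


if __name__ == "__main__":
    for line in run_demo().items():
        print(*line, sep=": ")
```

Running the module shows the DMZ-to-database flow denied before and after the web VM is migrated next to the database and renumbered, while the IP-keyed ACL stops permitting the legitimate web-to-app flow after the renumbering. The explicit deny ahead of the allow rules is the ordering a reviewer should look for when auditing such a policy, and every decision leaves an audit line that can be shipped to syslog.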
3 Use Cases are Emerging…
1. App / Server protection in vSphere environments
2. Protection of View environments
3. Private and hybrid vCloud security
Use Case #1: Securing Business Critical Applications
Diagram: VMware vSphere + vShield (VMware vShield App) hosting DMZ, Finance and Development zones.
Requirements
• Deploy production apps in a shared infrastructure with:
  • Traffic segmentation between applications
  • Improve consolidation ratios
  • Authorized access to applications by LOB
  • Monitor, secure inter-VM communications
  • Maintain security policies with vMotion
  • Comply with various audit requirements
Securing vSphere with Physical Security Solutions Today
Customers cannot realize true virtualization benefits due to security concerns
Diagram: virtualized DMZ with firewalls; Internet, perimeter security, interior security and endpoint security in front of a web zone, an application zone and a database zone, each on its own vSphere.
• Air Gapped Pods with dedicated physical hardware
• Mixed trust clusters without internal security segmentation
• Configuration Complexity
  – VLAN sprawl
  – Firewall rules sprawl
  – Rigid network IP rules without resource context
• Private clouds (?)
Use Case #1: Solution with vShield App
Features
• Hypervisor-level firewall - inbound, outbound connection control applied at vNIC level
• Elastic security groups - "stretch" as virtual machines migrate to new hosts
• Robust flow monitoring; logging and auditing based on industry standard syslog format
• Policy Management - simple and business-relevant policies
• Programmable - managed through UI or REST APIs, enabling script-based automation
Use Case #2: Secure View Deployments
Requirements
• Support thousands of internal and external View users with:
  • Comprehensive security for View servers
  • Anti-virus agents to protect client data and applications
  • Optimal performance and scalability
  • Protection between desktop VMs and internal servers
Solution - vShield Endpoint + App + Edge
• Improve performance by offloading AV processing
• Reduce costs by freeing up virtual machine resources and eliminating agents
• Improve security by streamlining AV functions to a hardened security virtual machine (SVM)
• Protect View application servers from threats
• Demonstrate compliance and satisfy audit requirements with detailed logging of offloaded AV tasks
Diagram: VMware vSphere + vShield with a DMZ, View Desktops and Virtual Servers protected by VMware vShield App; remote users arrive over the public network, local users over the private network.
Use Case #2 Solution: vShield Edge, App, and EndPoint
vShield solutions secure View deployments within virtual desktops, for internal applications, and at the network perimeter.
Diagram: server farm.
Use Case #3: Service Provider - Multi-Tenant Hosting Service
Diagram: VMware vSphere + vCenter + vShield with VMware vCloud Director and vShield Edge hosting Company A, Company B and Company C, each reached over its own VPN (Cisco VPN, Juniper VPN, VMware VPN).
Requirements
• Host thousands of tenants in shared infrastructure with:
  • Traffic isolation between the tenants
  • Protection, confidentiality of tenant apps and data
  • Integration with Active Directory
  • Compliance with various audit requirements
Solution – vShield Edge, VMware Cloud Director
• Guarantee full confidentiality and protection of tenant apps and data with built-in firewall and VPN
• Use enterprise directory services for security policies
• Accelerate compliance by logging all traffic information on a per-tenant basis
• Lower cost of security by 100+% by eliminating purpose-built appliances and by increasing utilization and VM density
NOTE: Private Cloud is a simplified version of the Service Provider Use Case
vShield for vCloud Director
Diagram: a vCloud Director Organization with vDC1 and vDC2 hosting vApps, each fronted by a vShield Edge providing NAT, DHCP and firewall and linked by secure VPN.
• Deploy Orgs, vDCs
• Secure the perimeter
• Connect remote vDCs - secure VPN access
• Scale out web servers - load balancer
• Defense-in-depth for sensitive apps – vShield App
• Efficient endpoint protection – vShield Endpoint
Security as a service: automated (scripts), RESTful APIs, managed by IT
Private & Partner vClouds = Secure Hybrid Cloud Computing
Diagram: a Private Cloud built from resource pools (VDC Silver) connected over secure VPN to a Public Cloud running the VMware vCloud Datacenter Service.
• Secure the VM, i.e. lock down the virtual server
• Secure the vApp, i.e. protect your IP
• Secure the VDC, i.e. protect the logical perimeter
Vision: Disruptively Simplified Secure Private & Hybrid Clouds
1. Stand up zoned vApps on vSphere
2. Stand up secure View VMs on demand
3. Stand up vApps in multi-tenant vCloud VDC
4. Stand up Spring vApps on vCloud
Diagram: VMware vSphere security services (Edge, App, Endpoint) around a Finance vApp and a View VDC, linked by secure VPN to a vCloud VDC in a partner vCloud and to a Spring Framework vApp in an external vCloud, each with its own Edge, App and Endpoint services.
Vision: Comprehensive Security across the VMware Stack
Diagram: three layers, Layer 1 Cloud Infrastructure (IaaS: vSphere, server VMs, desktop VMs), Layer 2 Cloud Application Platforms (PaaS, SaaS: data, enterprise apps, Web 2.0 apps) and Layer 3 End User Computing, spanned by Management & Orchestration, Security Management and Compliance (policies, events). Security services across the stack: Edge Sec, AppSec, DataSec, VI Sec, EndPt Sec, IdSec, Trust Sec. Delivered by VMware & Partners.
The Emerging Security Ecosystem…
Diagram with several integration points:
1. Virtual Infrastructure (vSphere & vCenter, physical network)
2. Security VMs (EndPoint, App, Edge)
3. Security Engines (AV, DLP, FW, IDS, FW, VPN, …)
4. vShield Manager
5. Security Services (NetSec, EPSec)
vShield – Security APIs; vCloud Director – Security Self-Service; vShield SDK – Ecosystem…
Summary: Security Journey to the Cloud
Diagram: Air Gapped Pods (WEB, APP and DB tiers on separate vSphere hosts), then Mixed Trust Zones (WEB and APP sharing one vSphere), then Secure Hybrid Clouds (a Service Provider hosting Tenant A and Tenant B, reached over the Internet).