Transcript
Page 1: Securing virtual workload and cloud

Virtualized Security for the Cloud
Himani Singh, Feb 2017

Page 2

Data Center Concerns

• Cloud security can be divided into four categories:
  – Cloud data protection
  – Cloud data governance
  – Cloud access policy and intelligence
  – Cloud workload security audit and management

• Cloud application security concerns
  – Cloud access policy and intelligence
  – Cloud data protection
  – Cloud data governance
  Security area and vendors: CASB

• Data center security concerns
  – East-west traffic
  – Data centers are virtualized and SDN is in use

Gap 1: CASB doesn't address workload security!
Gap 2: CASB doesn't protect the infrastructure!

Page 3

Public, Private and Hybrid cloud

Public cloud
  – Cloud services such as computing, storage, networking and hosting are provided in a virtualized environment that is built from many physical resources and can be accessed over the internet.
  – Always available, scalable, instant provisioning to expand with business needs.
  – Multi-tenant.
  – The cloud provider provides security for the infrastructure, but application and web server security is your responsibility.
  – Examples: AWS, Azure, IBM SoftLayer, Google

Private cloud
  – Same as a public cloud in terms of self-service, scalability and automatic provisioning on demand, except that it serves one organization and is mostly on premises.
  – Some in-house IT staff is needed.
  – It can support multi-tenancy for different departments of the same organization.
  – Examples: MS private cloud, VMware vCloud, OpenStack, Apache CloudStack
  – Some public clouds such as AWS allow you to create a private cloud; it is called a VPC.

Hybrid cloud
  – Companies prefer to keep some data online but critical data on their premises.
  – In most cases a tunnel is made between the public and private cloud to sync the data.

Page 4

Typical Deployments

• Public cloud
• Private cloud
  – VFWs share the same hypervisor with other servers
• Approach is the same as in a physical data center
  – With SDN and virtualization, workloads (VMs) are dynamically created and moved between hypervisors
  – We need a different security solution
• Hybrid cloud
  – Company site + AWS VPC; an NGFW can be acquired from the marketplace

[Diagram: LB, vNGFW, server LB, app/web server, DB server, DCFW]

Page 5

Security issues in the data center

• Monitoring east-west traffic
  – Once a breach is inside the data center, it is very hard to detect
  – Monitor the traffic between workloads (VMs) and in and out of them
  – L4 and L7 rules should be applied
• Workload VMs are dynamically created, moved or destroyed
  – Tracking and protecting a new instance of a VM and the applications on it
• FW session is lost
  – For elasticity, another VFW instance is created (to handle extra traffic) and automatically destroyed when traffic is low
  – But when the V(NG)FW instance is destroyed, the session history is lost too
• In case of an attack or breach, the evidence is lost
  – Drawback: useful data for breach detection and analysis is lost

Page 6

Security issues in the data center ...contd.

• Traditional solutions
  • VFW will miss it
  • SIEMs will have too much data to process
  – Solutions like AlertLogic only give alerts, not action
  – Solutions like CrowdStrike have endpoint protection

Page 7

Current solutions are not adequate

• The physical FWs are not useful
  – FW and security solutions are installed at the edge of the data center
  – Most DCs are moving towards SDN, so it is hard to keep track of dynamically changing workloads
• Virtual (NG)FW
  • It is based on the physical FW and has the same functionality
  • The performance will differ depending on CPU
  • VFWs come in many flavors
  – VFW vendors like PAN, Check Point and Fortinet have released versions based on the public or private cloud provider

Page 8

Shortcomings in current solutions

• Most security vendors still depend on VMware's NSX for creating the new VFW instance when a workload is moved
  – NSX has a 650 Mbps throughput limit per VM
  – NSX security posture is really basic
• Multi-layer security solution
  – Some solutions bring a VM for each service, like Fortinet with FortiMail, FortiWeb, FortiADC, FortiAuth, FortiGate
  – Others have one product for all security services, like Check Point secure cloud
  – All the vendors have a different flavor for AWS, Azure, ESXi, NSX, KVM, Xen, Hyper-V
  – It would be nice to have one software manage all!

Page 9

Shortcomings of current solutions ...contd.

• VFW for public cloud
  – Throughput limitation based on CPU, RAM or shared resources
  – In the case of vSEC (Check Point), when one service is busy the whole system's resources go to 80% and a new instance is created
  – To cover more, we need more LBs in front of the security devices

Page 10

Issue with VMware NSX

VMware NSX provides NFV and layer 2-4 security. It automatically keeps track of workload creation and moves.

NSX solution
  – Provides security tagging for workloads inside the data center
  – Automatically tracks workload creation, movement and deletion
  – Layer 2-4 security policies are built in
  – Layer 7 security such as stateful FW, NGFW, DLP and IDS is provided by external vendors such as PAN, Fortinet, Juniper and Check Point
• The VM is created and associated with a group of VMs
• When any new member is added to that security group, those policies are applied automatically
• Any FW deployed on NSX has a maximum throughput of 650 Mbps
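As an added illustration of the security-group behaviour described above (not NSX's own API or code), here is a small tag-based east-west policy model in Python: workloads inherit rules from the groups they are tagged into, a newly added member is covered immediately, and any flow no rule allows is denied. Tags, rules and workload names are constructed.

```python
"""Tag-based east-west policy: a workload inherits rules from the security
groups it is tagged into, and anything not explicitly allowed is denied
(no trust between workloads). Added example modelled on the NSX-style
grouping the deck describes, not NSX's API; all names are constructed."""
from collections import namedtuple

Rule = namedtuple("Rule", "src_tag dst_tag port action")

# Constructed policy: only the flows a three-tier app needs; first match wins
POLICY = [
    Rule("web", "app", 8080, "allow"),
    Rule("app", "db", 5432, "allow"),
    Rule("*", "web", 443, "allow"),   # "*" matches any source, tagged or not
]


class Inventory:
    """Tracks which workload carries which tags as VMs are created, moved or removed."""

    def __init__(self):
        self.tags = {}  # vm name -> set of security tags

    def add(self, vm, *tags):
        """Tag a new or moved workload; it is covered by POLICY from this moment."""
        self.tags.setdefault(vm, set()).update(tags)

    def remove(self, vm):
        """A deleted workload loses its tags, so nothing it sends is allowed."""
        self.tags.pop(vm, None)

    def decide(self, src, dst, port, policy=POLICY):
        """Default deny: allow only when a rule matches a (src_tag, dst_tag, port)."""
        src_tags = self.tags.get(src, set()) | {"*"}
        dst_tags = self.tags.get(dst, set())
        for r in policy:
            if r.src_tag in src_tags and r.dst_tag in dst_tags and r.port == port:
                return r.action
        return "deny"
```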

Page 11

What would be good to have

An ideal solution should have
• Prevention
• Automation of the security profile when a new workload is provisioned
• Layer 4 to layer 7 security
• Focused approach to filter out unnecessary alerts
• Signature-based solution issues
  – Behavior-based learning
  – Signatures based on service, workload or location
  – Security service scalability based on traffic load

Page 12

Functions of the "Ideal Solution"

• Prevention
  – Reduce the potential attack surface:
    • Firewall policies, IPS, user segmentation, patch management and infrastructure design
  – Patch management includes the new signatures
  – Update blacklists of hosts, IPs and URLs
  – Apply the policies inside the data center between workloads based on security tags
• Automation of the security profile when a new workload is provisioned
  – Dynamic security profile creation when workloads are moved, created or deleted
  • Although VMware NSX, AWS and Azure provide that solution, they have limitations
  • NSX security control is divided:
    – NSX itself only provides layer 2-4 security
    – For layer 7 security it depends on other vendors (PAN, Check Point, Fortinet), and throughput is limited
  • AWS
    – Has built-in security only for the infrastructure, not the workloads
    – The marketplace is used to buy security solutions for workloads
• Single-vendor security solution for correlation between events
  – It would be nice to have one vendor who can protect the workloads from layer 4 to layer 7

Page 13

Functions of the Ideal Solution ...contd.

• Signature-based solution issues
  – Most layer 7 security solutions are signature based
    • Issue: one can miss a zero-day attack
    • Behavior-based learning
• Focused approach to filter out unnecessary alerts
  – Issue: a huge number of alerts are issued based on anomalies or policy violations. Even if we filter for high-priority attacks, there are still too many to attend to in a timely manner.
  – Solution: filter for the messages that are at the last level. For example, to breach a database, a hacker first compromises the public-facing server and the application, using recon, mapping and finally exploiting vulnerabilities or misconfigurations.
  – Need to identify the behavior anomaly or normal-looking traffic to/from the internal server.

Page 14

Functions of the Ideal Solution ...contd.

• Only the required signatures are loaded in memory, to make search faster and use less memory
  – Based on the workload and OS
    • For example, if the web server is Apache based, loading the IIS-based vulnerability signatures is useless
    • Solution: identify the end server and application to protect and upload only the necessary signatures, as IPS, antivirus and the rest all have a huge number of signatures
  – Based on the service
    • Load signatures based on the service, such as FTP, HTTP or RTSP
  – Based on the geolocation
    • Load signatures based on the geolocation
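Added example (not from the deck or any vendor product) of the signature-selection idea above, in Python: each signature carries the OS, software, service and region it applies to, and only those matching the workload profile are loaded. The catalogue and workload profiles are constructed.

```python
"""Load only the signatures relevant to a workload (OS, software, service,
geolocation) rather than the whole IPS/AV catalogue. Added example, not from
the deck or any product; the catalogue and workload profiles are constructed."""
from collections import namedtuple

ANY = "any"
# Each signature dimension is a frozenset of values it applies to, or {ANY}
Signature = namedtuple("Signature", "sid name os software services regions")
Workload = namedtuple("Workload", "os software services region")


def _applies(rule_set, values):
    """A rule dimension applies when it is generic or overlaps the workload."""
    return ANY in rule_set or bool(rule_set & values)


def select_signatures(workload, catalogue):
    """Keep only signatures whose every dimension applies to the workload."""
    w_os, w_region = frozenset({workload.os}), frozenset({workload.region})
    return [s for s in catalogue
            if _applies(s.os, w_os)
            and _applies(s.software, workload.software)
            and _applies(s.services, workload.services)
            and _applies(s.regions, w_region)]


def _sig(sid, name, os=ANY, software=ANY, services=ANY, regions=ANY):
    """Shorthand for the constructed catalogue: one value per dimension."""
    return Signature(sid, name, frozenset({os}), frozenset({software}),
                     frozenset({services}), frozenset({regions}))


# Constructed catalogue; real IPS/AV sets run to tens of thousands of rules
CATALOGUE = [
    _sig("S1", "Apache-specific HTTP exploit pattern", "linux", "apache", "http"),
    _sig("S2", "IIS-specific HTTP exploit pattern", "windows", "iis", "http"),
    _sig("S3", "FTP command abuse", services="ftp"),
    _sig("S4", "RTSP request anomaly", services="rtsp"),
    _sig("S5", "Generic HTTP scanner fingerprint", services="http"),
    _sig("S6", "Region-specific phishing domain set", services="http", regions="eu"),
]

# Constructed workload profiles: an Apache box in the US, an IIS+FTP box in the EU
APACHE_LINUX_US = Workload("linux", frozenset({"apache"}), frozenset({"http"}), "us")
IIS_WINDOWS_EU = Workload("windows", frozenset({"iis"}), frozenset({"http", "ftp"}), "eu")
```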

Page 15

Scalability - based on modules (security rules), not based on VMs

• Scenario: suppose one selects IPS, AV, DLP and NGFW as layer 7 security. Some modules (e.g. DLP) take more computing resources than others and create a performance barrier.
  – Even if one module's CPU is at 90% of its capacity and the others are at 50%, automatic provisioning will create a new instance of the whole VM.
  – We may end up in a situation where we have 4 VMs in which all the DLP modules are running at 90% of capacity and the others are only consuming 30%.
• Solution: instead of provisioning whole new VMs, we can create a new instance of only the module. In that scenario, a VM can have one instance of NGFW but two instances of DLP and three of antivirus. As we all know, NGFW throughput is much higher than DLP or antivirus.
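Added Python example, not from the deck, contrasting the two scaling decisions above: whole_vm_plan clones the VM as soon as any module is hot, per_module_plan adds an instance of the hot module only, and a second VM is justified only once the VM's module budget is exhausted. Thresholds and utilisation samples are constructed.

```python
"""Module-level scaling: add an instance of only the hot module (e.g. DLP)
instead of cloning the whole security VM. Added example, not from the deck
or any vendor; the utilisation samples and thresholds are constructed."""

SCALE_UP = 0.80        # constructed: average utilisation that triggers +1 instance
SCALE_DOWN = 0.30      # constructed: average utilisation that allows -1 instance
VM_MODULE_BUDGET = 6   # constructed: max module instances one VM may host


def avg_util(module):
    return sum(module["util"]) / len(module["util"])

def whole_vm_plan(modules, up=SCALE_UP):
    """The approach the deck criticises: any hot module clones the entire VM."""
    return 1 if any(avg_util(m) >= up for m in modules.values()) else 0

def per_module_plan(modules, up=SCALE_UP, down=SCALE_DOWN):
    """Return {module: delta}, one scaling step per module per call."""
    plan = {}
    for name, m in modules.items():
        u = avg_util(m)
        if u >= up:
            plan[name] = 1
        elif u <= down and m["instances"] > 1:
            plan[name] = -1          # never scale a module down to zero instances
        else:
            plan[name] = 0
    return plan

def apply_plan(modules, plan, budget=VM_MODULE_BUDGET):
    """Apply deltas inside one VM; None means the VM is full and a 2nd VM is due."""
    new = {n: dict(m) for n, m in modules.items()}
    total = sum(m["instances"] for m in new.values())
    for name, delta in plan.items():
        if delta > 0 and total + delta > budget:
            return None
        new[name]["instances"] += delta
        total += delta
    return new


# Constructed utilisation sample: DLP is the only hot module
SAMPLE = {
    "ngfw": {"instances": 1, "util": [0.35]},
    "ips":  {"instances": 1, "util": [0.50]},
    "av":   {"instances": 1, "util": [0.55]},
    "dlp":  {"instances": 1, "util": [0.90]},
}
```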

Page 16

Other Ideal Solution Requirements

• Independent
  • Maintain one flavor of the virtual security solution rather than vIPS, vNGFW, vMAIL
  • Solution that is independent of the underlying technology, such as ESXi, Rackspace, KVM...
• Workload
  – Works for all kinds of workloads, such as web server, HTTP server
  – Only the relevant functionality should be unzipped and active
• DETECT
  – IDS, WAF, anomaly detection, NIDS, HIDS
• RESPOND
  – Report and communicate to stakeholders by email, alert, text
  – Immediate isolation of the workload
• PREDICT
  – Regular scans, penetration testing
  – Dynamically and continuously change the policy
  – Update the methods

Page 17

Smart solution – micro-segmentation

• Software that sits on top of the hypervisor
  – Provides the monitoring, security control and logging
  – Deeper-level security module based on the workload, i.e. if the workload is Linux/HTTPS, only the web-related service module should be loaded

[Diagram: a DC SLB in front of two hypervisors, each hosting an SLB, app/web server and DB server behind a Virtual UTM]

Single management plane for security points

Page 18

Micro-segmentation - at the next level

• Ubiquity
  – Apply to all workloads
  – Different security levels based on VM type, such as web server, DB, application server, mail server
• Zero-attack prevention
  – No trust between workloads
  – IPS, DLP, agentless malware protection, SD distributed FW
• Suppress the noise
  – Not all logs/events are useful
  – Look for the successful breach, not every connection
  – Select the second step on the connection
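The "select the second step" idea above, together with the "last level" filtering on page 13, as an added Python example (not from the deck): only internal-bound alerts whose source host was itself hit at the perimeter within a time window are surfaced, prioritised by what was already seen against that source. The alert stream is constructed.

```python
"""Noise suppression: surface only the 'second step', an internal-bound
connection from a host that was itself hit earlier, rather than every
recon or exploit alert at the perimeter. Added example, not from the deck
or any product; the alert stream below is constructed."""
from collections import defaultdict

WINDOW = 3600  # constructed: seconds to look back for an earlier hit on the source

# Constructed alerts: (time, src, dst, dst_zone, stage)
SAMPLE_ALERTS = [
    (100, "203.0.113.9",  "10.0.1.10", "dmz",      "recon"),
    (160, "203.0.113.9",  "10.0.1.10", "dmz",      "exploit"),
    (170, "198.51.100.4", "10.0.1.11", "dmz",      "recon"),
    (250, "10.0.1.10",    "10.0.2.20", "internal", "lateral"),  # exploited DMZ host goes inward
    (300, "10.0.1.11",    "10.0.2.21", "internal", "lateral"),  # only recon seen on the source
    (400, "10.0.2.20",    "10.0.2.30", "internal", "lateral"),  # chain deepens
    (500, "10.0.2.40",    "10.0.2.41", "internal", "policy"),   # no prior hit: dropped as noise
]


def focus_alerts(alerts, window=WINDOW):
    """Return internal-bound alerts whose source was itself a target within
    the window, tagged with the stages already seen against that source."""
    hits = defaultdict(list)  # host -> [(time, stage)] where host was the dst
    focused = []
    for t, src, dst, dst_zone, stage in sorted(alerts):
        if dst_zone == "internal":
            prior = {s for pt, s in hits[src] if t - window <= pt < t}
            if prior:
                prio = "high" if prior & {"exploit", "lateral"} else "medium"
                focused.append({"time": t, "src": src, "dst": dst,
                                "priority": prio, "prior_stages": sorted(prior)})
        hits[dst].append((t, stage))  # every alert, kept or not, is evidence against its dst
    return focused
```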

Page 19

How to assess micro-segmentation

• Throughput
  – HTTP only (in case of SSL offload)
  – HTTPS
• Check on private cloud
  – Use OpenStack, Rackspace, vSphere
  – Get the throughput without any security device
  – Use PAN's vNGFW, enable the following modules and check the throughput:
    • App-based FW
    • IPS
    • Malware
    • Threat protection

Page 20

How to assess micro-segmentation: functional and cost of ownership

• Functional testing
  – Add IPS-based testing with all evasions
  – Add NGFW, app control, user control
  – Content based on data, PCI, HIPAA compliance ??
  – Add breach detection focused on lateral movement
  – For all the above, make a group of pcaps and use tcpreplay
• Integration of context and automation
  – Security effectiveness when workloads are moved, created and destroyed
  – Isolation of workload

Page 21

Weakness with Check Point vSEC

• Public cloud
  • AWS gateway R77.30
    – vSEC NGTP (Firewall + IPS + Application Control + URL Filter + Anti-Virus + Anti-Bot)
    • c4.8xlarge (36 virtual cores): estimated 1600 Mbps
    • c4.4xlarge (16 virtual cores): 1000 Mbps
• Private cloud
  – vSEC for VMware NSX, Cisco ACI, OpenStack
  • No published data

Page 22

PAN VM-100

• Capacities
  – VM-300: max sessions 250,000
  – VM-200: max sessions 100,000
  – VM-100: max sessions 50,000
• Too many solutions for different requirements:
  – VM-Series for AWS, Citrix, KVM & OpenStack
  – VM-Series for Microsoft Azure, Microsoft Hyper-V
  – VM-Series for VMware NSX, ESXi/vCloud Air
  – VM-1000-HV, VM-300, VM-200 and VM-100


Recommended