VMware Security Briefing. Dan Watson, Senior Systems Engineer, VMware. VMUG, Edinburgh, Feb 24, 2011. (© 2010 VMware Inc. All rights reserved. Confidential.)

Presentation transcript:
1 Title slide: VMware Security Briefing. Dan Watson, Senior Systems Engineer, VMware. VMUG, Edinburgh, 24 February 2011.

2 2010 Milestone: Virtualization Is Now the De Facto Model
We are past a virtual tipping point! (Chart, source IDC: physical hosts vs. virtual machines, with the "VM crossover" point where virtual machines overtake physical hosts; y-axis 0 to 17,500,000.)
84% of all virtualized applications in the world run on VMware (Gartner, December 2009).

3 Virtualization Paves the Way to a New Era in IT
Mainframe -> PC / client-server -> Web -> Cloud. Cloud computing will transform the delivery and consumption of IT services, and virtualization is the foundation for it.

4 Security Journey to the Private and Hybrid Clouds
Reality today: "air-gapped" pods. Next: mixed-trust hosts, then the secure hybrid cloud. Future: public cloud. (Diagram axis runs from HYPE through REALITY to FUTURE.)

5 Enterprise Data Center Security & Networking Today
- Backend services (vSphere): network segmentation, firewalls, IDS/IPS; server A/V agents; app-, data- and identity-aware security and compliance.
- DMZ / Web tier: DMZ firewall, NAT, IPAM, VR; site and user VPNs; web load balancers.
- Users and sites (View desktops): desktop A/V agents; DLP, FIM, whitelisting.

6 VMware's Security Vision for Secure Clouds
Bring the benefits of cloud computing to the enterprise via secure hybrid clouds: "disruptively simplified" security.
- Virtualize security into Security VMs (SVMs), including partner offerings.
- Unify security into a programmable trust-zone/policy framework.
- Encapsulate and stand up secure vApps and VDCs on demand.
- Secure the virtualization stack: infrastructure, apps, end users.

7 First Priority Is to Virtualize the Security Infrastructure
(Diagram: users and sites, DMZ, web servers, apps/DB tier.)
1. Virtualize and consolidate security functions into the hypervisor.
2. This leads to a much simplified, agile architecture.

8 Secure vApps Simplify Cloud Deployments
Secure IaaS for users and sites, built from secure vApps. "IaaS = It's About Apps, Stupid!"

9 VMware vShield Partners (VMworld 2010 launch).

10 2010: Introducing the vShield Products
Securing the private cloud end to end, from the edge to the endpoint, all managed through vShield Manager:
- Edge: vShield Edge secures the edge of the virtual datacenter.
- Security zone: vShield App protects applications from network-based threats.
- Endpoint (= VM): vShield Endpoint enables offloaded anti-virus.
(Diagram: Virtual Datacenter 1 and 2 with DMZ, PCI-compliant, HIPAA-compliant, Web and View zones.)

11 vShield Endpoint: Efficient Anti-Virus for Virtual Servers and Desktops
(Diagram: a vSphere host running a Security VM (SVM) that holds the AV engine and uses introspection into several guest VMs; each guest VM carries only the in-guest driver.)
Features:
- Offload guest A/V to a Security VM (SVM): file-scanning engines and virus definitions, on-demand and on-access scans.
- Security VM delivered by leading AV partners.
- Remediation enforced through a driver in the VM.
- Policy and configuration management through the UI or REST APIs.
- Logging and auditing.
Benefits:
- Improve performance by offloading anti-virus functions, in tandem with AV partners.
- Avoid AV storms (I/O spikes, CPU and memory spikes).
- 90% reduction in guest footprint.
- Reduce risk by eliminating agents susceptible to attack, with enforced remediation.
- Satisfy audit requirements with detailed logging of AV tasks.

12 vShield Edge: Secure the Edge of the Virtual Data Center
Features, multiple edge security services in one appliance:
- Stateful inspection firewall
- Network Address Translation (NAT)
- Dynamic Host Configuration Protocol (DHCP)
- Site-to-site VPN (IPsec)
- Web load balancer
- Network isolation (edge port-group isolation)
- Detailed network flow statistics, for chargeback etc.
- Policy management through the UI or REST APIs
- Logging and auditing in syslog format
Benefits:
- Lower cost and complexity by eliminating multiple special-purpose appliances
- Ensure policy enforcement with network isolation
- Scale-out architecture with one edge per org/tenant
- Programmable interfaces enable automation
- Rapid provisioning of edge security services
- Simplify IT compliance with detailed logging
(Diagram: one vShield Edge per tenant (A, C, X), each providing VPN, load balancer and firewall.)

13 vShield App: Application Protection from Network-Based Threats
Features:
- Hypervisor-level firewall: inbound and outbound connection control applied at the vNIC level
- Elastic security groups that "stretch" as virtual machines migrate to new hosts
- Robust flow monitoring
Policy management:
- Simple, business-relevant policies
- Managed through the UI or REST APIs
- Logging and auditing in the industry-standard syslog format

14 PCI-Compliant DMZ
Today: an "air gap" separates the PCI-compliant hosts from the rest. With vShield App: mixed-trust hosts with virtual isolation and segmentation. vShield App enables mixed-trust zones!

15 Leveraging vShield App for Better-than-Physical Security
Key benefits: complete visibility and control of inter-VM traffic, enabling mixed-trust zones on the same ESX cluster.
Better than physical:
- Distributed virtual firewall with scale-out port density
- Hypervisor-level introspection provides access to inter-VM traffic
- Intuitive trust zones leverage the vCenter inventory, independent of physical network segmentation or reconfiguration
- Security policies follow the VMs
- Built-in firewall capabilities provide better-than-physical security at one third of the cost

16 Three Use Cases Are Emerging
1. App/server protection in vSphere environments
2. Protection of View environments
3. Private and hybrid vCloud security

17 Use Case #1: Securing Business-Critical Applications
(Diagram: DMZ, Finance and Development zones protected by VMware vShield App.)
Requirements: deploy production apps in a shared infrastructure with:
- Traffic segmentation between applications
- Improved consolidation ratios
- Authorized access to applications by line of business
- Monitored, secured inter-VM communications
- Security policies maintained across vMotion
- Compliance with various audit requirements

18 Securing vSphere with Physical Security Solutions Today
Customers cannot realize the true benefits of virtualization because of security concerns.
(Diagram: virtualized DMZ with physical firewalls; web, application and database zones; perimeter, interior and endpoint security; Internet.)
- Air-gapped pods with dedicated physical hardware
- Mixed-trust clusters without internal security segmentation
- Configuration complexity: VLAN sprawl, firewall-rule sprawl, rigid network IP rules without resource context
- Private clouds (?)

19 Use Case #1: Solution with vShield App
Features:
- Hypervisor-level firewall: inbound and outbound connection control applied at the vNIC level
- Elastic security groups that "stretch" as virtual machines migrate to new hosts
- Robust flow monitoring; logging and auditing in the industry-standard syslog format
- Policy management: simple, business-relevant policies
- Programmable: managed through the UI or REST APIs, enabling script-based automation
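Slides 13, 15 and 19 all describe one mechanism: a firewall enforced at each VM's vNIC whose rules reference vCenter inventory groups (trust zones, application tiers) rather than addresses or VLANs, so that policy follows the VM when it moves. The Python model below is an added illustration of that idea and is not vShield code or its API; the VM names, tags, addresses, hosts and rules are constructed for the example. It contrasts the group-based rules with a conventional address-keyed ACL on a firewall outside the hosts, which is the "VLAN sprawl / rule sprawl / rigid IP rules" situation of slide 18.

```python
"""Model of a hypervisor-level firewall enforced at each VM's vNIC, with rules
that reference inventory groups (trust zone, application tier) instead of
IP addresses. Added illustration only: not vShield code, and every VM name,
tag, address, host and rule below is constructed for the example."""
from dataclasses import dataclass, field


@dataclass
class VM:
    name: str
    ip: str
    host: str
    tags: set = field(default_factory=set)   # e.g. {"zone:pci", "tier:web"}


@dataclass(frozen=True)
class Flow:
    src: str        # source VM name; the rule is enforced at this vNIC
    dst: str        # destination VM name
    port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    src_group: str      # inventory tag, or "any"
    dst_group: str
    ports: frozenset    # empty = any port
    action: str         # "allow" or "deny"


class Inventory:
    """Stand-in for the vCenter inventory: which VM sits on which host, with which tags."""
    def __init__(self, vms):
        self.vms = {v.name: v for v in vms}

    def in_group(self, vm_name, group):
        return group == "any" or group in self.vms[vm_name].tags

    def move(self, vm_name, new_host, new_ip=None):
        """vMotion keeps the address; pass new_ip to model a move onto another subnet."""
        vm = self.vms[vm_name]
        vm.host = new_host
        if new_ip is not None:
            vm.ip = new_ip


class DistributedFirewall:
    """Group-based policy evaluated at the vNIC: first match wins, default deny.
    The decision depends only on the VMs' tags, never on host or address."""
    def __init__(self, inventory, rules, default="deny"):
        self.inv, self.rules, self.default = inventory, list(rules), default

    def evaluate(self, flow):
        for r in self.rules:
            if (self.inv.in_group(flow.src, r.src_group)
                    and self.inv.in_group(flow.dst, r.dst_group)
                    and (not r.ports or flow.port in r.ports)):
                return r.action
        return self.default


class PhysicalACL:
    """Contrast: an address-keyed ACL on a firewall outside the hosts. Entries go
    stale when a VM is renumbered, and traffic between two VMs on the same host
    never leaves the vSwitch, so the device cannot see it at all (simplified)."""
    def __init__(self, inventory, entries, default="deny"):
        self.inv, self.entries, self.default = inventory, list(entries), default

    def evaluate(self, flow):
        s, d = self.inv.vms[flow.src], self.inv.vms[flow.dst]
        if s.host == d.host:
            return "unseen"
        for src_ip, dst_ip, port, action in self.entries:
            if (src_ip, dst_ip) == (s.ip, d.ip) and port in (None, flow.port):
                return action
        return self.default


def build_demo():
    """Constructed two-zone cluster: a PCI web/db pair and a dev VM on the same hosts."""
    inv = Inventory([
        VM("web01", "10.1.0.11", "esx-a", {"zone:pci", "tier:web"}),
        VM("db01",  "10.1.0.21", "esx-b", {"zone:pci", "tier:db"}),
        VM("dev01", "10.2.0.5",  "esx-a", {"zone:dev"}),
    ])
    rules = [
        Rule("tier:web", "tier:db", frozenset({3306}), "allow"),
        Rule("zone:pci", "zone:pci", frozenset(), "deny"),   # nothing else inside the zone
        Rule("zone:dev", "zone:pci", frozenset(), "deny"),   # mixed-trust isolation on one cluster
    ]
    dfw = DistributedFirewall(inv, rules)
    acl = PhysicalACL(inv, [("10.1.0.11", "10.1.0.21", 3306, "allow")])
    return inv, dfw, acl


def decisions_across_moves():
    """Evaluate web->db and dev->db before and after moving web01 around."""
    inv, dfw, acl = build_demo()
    web_db, dev_db = Flow("web01", "db01", 3306), Flow("dev01", "db01", 3306)

    def snap():
        return (dfw.evaluate(web_db), acl.evaluate(web_db),
                dfw.evaluate(dev_db), acl.evaluate(dev_db))

    before = snap()
    inv.move("web01", "esx-c", new_ip="10.3.0.11")   # new host and subnet: ACL entry is stale
    renumbered = snap()
    inv.move("web01", "esx-b")                        # now shares db01's host: ACL never sees the flow
    same_host = snap()
    return before, renumbered, same_host


if __name__ == "__main__":
    for label, r in zip(("before", "renumbered", "same host"), decisions_across_moves()):
        print(f"{label:10s} web->db dfw={r[0]} acl={r[1]} | dev->db dfw={r[2]} acl={r[3]}")
```

In the model the group-based policy returns the same verdicts at every stage, while the address-keyed ACL first breaks when the VM is renumbered and then stops seeing the flow entirely once both VMs share a host. The vNIC-level enforcement point, not the rule syntax, is what makes the dev-to-PCI deny hold on a mixed-trust cluster.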

20 Use Case #2: Secure View Deployments
(Diagram: remote and local users on public and private networks; DMZ; View desktops; virtual servers protected by VMware vShield App.)
Requirements: support thousands of internal and external View users with:
- Comprehensive security for View servers
- Anti-virus agents to protect client data and applications
- Optimal performance and scalability
- Protection between desktop VMs and internal servers
Solution: vShield Endpoint + App + Edge:
- Improve performance by offloading AV processing
- Reduce costs by freeing up virtual machine resources and eliminating agents
- Improve security by streamlining AV functions into a hardened security virtual machine (SVM)
- Protect View application servers from threats
- Demonstrate compliance and satisfy audit requirements with detailed logging of offloaded AV tasks

21 Use Case #2 Solution: vShield Edge, App and Endpoint (diagram: server farm).

22 Use Case #3: Service Provider, Multi-Tenant Hosting Service
(Diagram: Companies A, B and C hosted on shared infrastructure; Cisco, Juniper and VMware VPN endpoints terminating on vShield Edge under VMware vCloud Director.)
Requirements: host thousands of tenants in a shared infrastructure with:
- Traffic isolation between the tenants
- Protection and confidentiality of tenant apps and data
- Integration with Active Directory
- Compliance with various audit requirements
Solution: vShield Edge with VMware vCloud Director:
- Guarantee full confidentiality and protection of tenant apps and data with the built-in firewall and VPN
- Use enterprise directory services for security policies
- Accelerate compliance by logging all traffic information on a per-tenant basis
- Lower the cost of security (the slide claims "100+%") by eliminating purpose-built appliances and by increasing utilization and VM density
Note: the private cloud is a simplified version of the service-provider use case.
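For the per-tenant traffic logging and tenant-isolation requirements above, the following is an added Python example, not VMware code, of what an auditor would do with the edge's flow logs: sum accepted bytes per tenant for chargeback and flag any accepted flow whose source and destination lie in different tenants' address ranges. The syslog-style record layout, the tenant address plan and the log lines are all constructed for this example and do not represent the format vShield Edge actually emits.

```python
"""Per-tenant audit of edge firewall flow logs. Added example, not VMware code.
The record layout, tenant address plan and log lines are constructed; the
real vShield Edge syslog format is not reproduced here."""
import ipaddress
import re
from collections import defaultdict

# Assumed per-tenant address plan (constructed for the example).
TENANT_NETS = {
    "tenantA": ipaddress.ip_network("10.10.0.0/16"),
    "tenantB": ipaddress.ip_network("10.20.0.0/16"),
}

# Constructed syslog-style flow records with key=value fields.
SAMPLE_LOGS = """\
<134>Feb 24 10:01:02 edge-a edgefw: tenant=tenantA action=accept src=10.10.1.5 dst=203.0.113.9 proto=tcp dport=443 bytes=5120
<134>Feb 24 10:01:03 edge-a edgefw: tenant=tenantA action=accept src=10.10.1.5 dst=10.10.2.8 proto=tcp dport=3306 bytes=880
<134>Feb 24 10:01:05 edge-b edgefw: tenant=tenantB action=accept src=10.20.0.7 dst=198.51.100.4 proto=udp dport=53 bytes=96
<134>Feb 24 10:01:06 edge-b edgefw: tenant=tenantB action=accept src=10.20.0.7 dst=10.10.2.8 proto=tcp dport=3306 bytes=1200
<134>Feb 24 10:01:07 edge-a edgefw: tenant=tenantA action=drop src=10.20.0.9 dst=10.10.1.5 proto=tcp dport=22 bytes=60
"""

# BSD-syslog style header: <PRI>, timestamp, host, program, message.
_HDR = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
                  r"(?P<host>\S+) (?P<app>[^:]+): (?P<msg>.*)$")
_REQUIRED = {"tenant", "action", "src", "dst", "bytes"}


def parse_line(line):
    """Return the record as a dict, or None for lines that are not flow records."""
    m = _HDR.match(line.strip())
    if not m:
        return None
    rec = {k: m.group(k) for k in ("ts", "host", "app")}
    for tok in m.group("msg").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            rec[k] = v
    if not _REQUIRED.issubset(rec):
        return None
    rec["bytes"] = int(rec["bytes"])
    return rec


def tenant_of(ip):
    """Map an address to the tenant whose range contains it, else 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in TENANT_NETS.items():
        if addr in net:
            return name
    return "external"


def audit(text):
    """Sum accepted bytes per tenant (chargeback) and flag cross-tenant flows.

    Returns (bytes_per_tenant, violations, blocked): violations are accepted
    flows whose endpoints belong to different tenants (an isolation failure);
    blocked are the same pattern that the edge actually dropped."""
    per_tenant = defaultdict(int)
    violations, blocked = [], []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src_t, dst_t = tenant_of(rec["src"]), tenant_of(rec["dst"])
        cross = "external" not in (src_t, dst_t) and src_t != dst_t
        event = (rec["ts"], src_t, dst_t, rec["src"], rec["dst"])
        if rec["action"] == "accept":
            per_tenant[rec["tenant"]] += rec["bytes"]
            if cross:
                violations.append(event)
        elif cross:
            blocked.append(event)
    return dict(per_tenant), violations, blocked


if __name__ == "__main__":
    usage, viol, blk = audit(SAMPLE_LOGS)
    print("accepted bytes per tenant:", usage)
    print("cross-tenant flows accepted (isolation failures):", viol)
    print("cross-tenant flows dropped by the edge:", blk)
```

The fourth sample record is the one an auditor cares about: the edge accepted a flow from tenantB's range into tenantA's, which contradicts the per-tenant isolation the design promises, whereas the fifth record shows the edge doing its job. Dropped bytes are deliberately left out of the chargeback totals.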

23 vShield for vCloud Director
(Diagram: a vCloud Director organization with vDC1 and vDC2, vApps, NAT/DHCP/firewall at each vDC edge, and a secure VPN between them.)
- Deploy orgs and vDCs
- Secure the perimeter
- Connect remote vDCs: secure VPN access
- Scale out web servers: load balancer
- Defense in depth for sensitive apps: vShield App
- Efficient endpoint protection: vShield Endpoint
Security as a service: automated (scripts, RESTful APIs), managed by IT.

24 Private & Partner vClouds = Secure Hybrid Cloud Computing
(Diagram: private cloud connected over a secure VPN to a public-cloud VDC with silver resource pools, via the VMware vCloud Datacenter Service.)
- Secure the VM, i.e. lock down the virtual server
- Secure the vApp, i.e. protect your IP
- Secure the VDC, i.e. protect the logical perimeter

25 Vision: Disruptively Simplified Secure Private & Hybrid Clouds
vSphere security services (Edge, App, Endpoint) applied at every layer:
1. Stand up zoned vApps on vSphere (e.g. a Finance vApp)
2. Stand up secure View VMs on demand
3. Stand up vApps in a multi-tenant vCloud VDC
4. Stand up Spring vApps on vCloud (Spring Framework)
(Diagram: secure VPN between the internal vCloud VDC and an external or partner vCloud.)

26 Vision: Comprehensive Security across the VMware Stack
(Diagram, bottom to top.)
- Layer 1, Cloud Infrastructure (IaaS): vSphere running server VMs and desktop VMs
- Layer 2, Cloud Application Platforms (PaaS, SaaS): data, enterprise apps, Web 2.0 apps
- Layer 3, End User Computing
- Alongside: Management & Orchestration, and Security Management (compliance, policies, events)
- Security services spanning the layers: Edge Sec, AppSec, DataSec, VI Sec, EndPt Sec, IdSec, Trust Sec
Delivered by VMware and partners.

27 The Emerging Security Ecosystem
(Diagram with several integration points.)
1. Virtual infrastructure: vSphere & vCenter (NetSec on the physical network; EPSec)
2. Security VMs
3. Security engines: AV, DLP, FW, IDS, FW, VPN, ...
4. vShield Manager: Endpoint, App, Edge
5. Security services
Integration points: vShield security APIs, vCloud Director security self-service, vShield SDK for the ecosystem.

28 Summary: Security Journey to the Cloud
Air-gapped pods -> mixed-trust zones -> secure hybrid clouds. (Diagram: Internet-facing web, app and DB tiers; a service provider hosting Tenant A and Tenant B.)

29 Thank You. Question & Answer Session.

