AUTOMATING ADVANCED SECURITY


1 AUTOMATING ADVANCED SECURITY
CHECK POINT & VMWARE: AUTOMATING ADVANCED SECURITY FOR THE SOFTWARE-DEFINED DATACENTER
Aleksandr Nosits, Security Engineer, Baltics
[Restricted] ONLY for designated groups and individuals

2 DATA CENTERS are rapidly evolving.

3 Software Defined Datacenter
DATA CENTER EVOLUTION: Virtual Datacenter, Software Defined Datacenter, Private Cloud
Virtual Datacenter: server (compute) virtualization; network operation is manual.
Software Defined Datacenter: the network is also virtualized; services can be dynamically inserted and orchestrated via automation.

4 VMWARE NSX - NETWORK VIRTUALIZATION
Network & Security Services in the Hypervisor, with programmatic control: Virtual Switching and Routing, Virtual Load Balancing, Virtual L2-L4 Firewalling.
This is where SDN comes into place: a network architecture that simply separates data networking from its control, so that there is one central traffic controller that sees the whole network and can build traffic flows and connections from this concentrated view.
Centrally and automatically manage network and advanced security services in the data center.

5 SECURITY CHALLENGES IN THE CURRENT DATACENTER

6 Challenge #1: Increasing Traffic Inside the Datacenter
Perimeter (north-south) security is blind to 80% of the east-west data center traffic.

7 Challenge #2: Lateral Threats Inside the Data Center
Lack of security control between VMs: threats can easily traverse VLANs. Threats attack a low-priority service and then move to critical systems.
Modern threats can spread laterally inside the data center, moving from one application to another.

8 Challenge #3: Security Ignores Data Center Changes
New Virtual Machines; Virtual Machine movement; VMs that change IP address; dormant VMs that wake up; VMs that move between VLANs.
Traditional static controls fail to secure dynamic networks and highly mobile applications.

9 Challenge #4: Security Inhibits Data Center Agility
How to define a secure policy for catalog applications that have not been provisioned yet and still don't have an IP address?
Lack of security automation impacts business agility in delivering services and results in security gaps.

10 WHAT IS NEEDED?

11 1 2 3 SECURITY REQUIREMENTS INSIDE THE DATA CENTER
Automated insertion and deployment of advanced threat prevention to protect inside the data center 1 Automated security provisioning to keep pace with dynamic data center changes 2 Security visibility into traffic inside the data center 3 [Restricted] ONLY for designated groups and individuals

12 Introducing: Check Point Teams with VMware to Automate Advanced Security for the Software-Defined Data Center

13 Distributed Firewall (DFW) protects East-West L2-L4 traffic.
Operates at the kernel level and processes packets close to line rate. The Check Point vSEC Security Gateway also protects East-West traffic but can operate at L2-L7: vSEC adds L5-L7 capabilities such as application identification, application inspection and user identification to NSX environments. The vSEC Gateway operates in user space and processes packets at up to 2 Gbps (per instance). The vSEC Security Gateway uses the NetX API to redirect and inspect traffic. By default, traffic is secured by the DFW unless explicit traffic redirection to the vSEC Gateway is defined; traffic redirection steers specific traffic to the vSEC Gateway, and the redirection policy is expressed by the user through NSX Service Composer.

14 CHECK POINT & VMWARE: Automating Security inside the Data Center
Virtual Security with Advanced Threat Prevention + Next Generation Networking and Security: Lateral Threat Prevention, Automated Security Provisioning, Security Control & Visibility

15 vSEC & NSX DATACENTER SECURITY
100% Software Based: Service, Network & Security
Segmented Data Center: Micro-Segmentation with advanced threat prevention
Security Orchestration between Virtual Machines: Automation of Virtual Network & Security VMs
Consistent security for N-S and E-W traffic: Security Control for All Data Center Traffic
[Protected] Non-confidential content

16 VMWARE CORE PRODUCTS FOR SOFTWARE DEFINED DATACENTER (SDDC)

17 VMWARE PLATFORM FOR SOFTWARE DEFINED DATACENTER (SDDC)
(Diagram: Virtual Machines on an NSX Virtual Network over a cluster of ESX hosts with vSwitch and NSX; environments shown: Production, Integration, DMZ, Q&A, R&D.)

18 vSEC Architecture and Components
(Diagram: SmartConsole Windows client connects over SSL (TCP/443) to the Check Point Management Server running on GAIA OS on a virtual or physical appliance, which hosts the vSEC Controller. The Management Server talks to vSEC gateways via Check Point Secure Internal Communication (SIC), to VMware NSX Manager via the REST API over SSL, and to VMware vCenter via the vSphere API; the vSEC gateway integrates with VMware ESX via the NetX API.)

19 vSEC Solution Components
GAIA OS with Check Point Management Server (R77.30) + Add-On (R77.30), on a virtual or physical appliance: for vSEC to work, an Add-On that enables the additional functionality must be installed. The Check Point Management Server manages both virtual and physical Check Point Security Gateways and can be deployed on a virtual or physical appliance.
vSEC Security Controller, version R77.30: installed as a hotfix. The controller learns the Security Groups and specific vCenter inventory, which can then be used in security rules.
vSEC Security Gateway, version R77.20: virtual appliance running the vSEC firewall and advanced security blades/features; integrates with NSX via the NetX API and protects virtualized environments from internal and external threats.
Check Point SmartConsole: Windows client application used to manage the security policies.

20 Check Point Management Server
The vSEC Controller resides on the management server and learns information about vCenter and NSX.
Communication between the vSEC Controller and NSX Manager/vCenter is over a secure SSL connection, using the REST API and the vSphere API.
Polling occurs from the vSEC Controller every 30 seconds.
What is learned from vCenter: the vCenter inventory: VMs, Clusters, vApp, Resource pool, Data Center, Host, and Cluster Folder.
What is learned from NSX Manager: Security Groups.
- The vSEC Controller learns VMs and Security Groups that can then be used when creating policies in SmartConsole. It makes the Check Point Management Server aware of the virtual environment.
- Since a polling mechanism is used, an environment with more than 1,000 virtual objects takes longer to retrieve virtual objects.
- Note: the vSEC Controller can be linked to both vCenter and NSX, but learned virtual objects are not counted toward the 1,000-object performance limit unless they are used in policy rules.
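The learning and resolution step described on this slide, as an added model (not Check Point code): a constructed vCenter inventory and NSX Security Group list stand in for what the controller would poll, rules are written against object names as on the policy slide later in the deck, and the functions show how those names expand to IP sets, that only objects referenced by rules count toward the 1,000-object limit, and why a group change can take one full polling interval to reach the gateways. The VM names, IPs and group memberships are constructed, and nothing here calls the real NSX REST API or vSphere API.

```python
"""Added model (not Check Point code) of how a vSEC-style controller turns
vCenter VMs and NSX Security Groups into rule data for the gateways.
The inventory below is constructed; nothing here talks to a real NSX
Manager or vCenter."""
from dataclasses import dataclass, field

POLL_INTERVAL_S = 30   # the deck: the controller polls NSX/vCenter every 30 s
OBJECT_LIMIT = 1000    # the deck: limit counts only objects used in policy rules

# Constructed inventory standing in for what the controller would learn.
VCENTER_VMS = {          # vCenter inventory: VM name -> IP address
    "WEB_VM": "10.0.1.10",
    "DB_VM1": "10.0.2.20",
    "DB_VM2": "10.0.2.21",
    "LEGAL_VM": "10.0.3.30",
}
NSX_SECURITY_GROUPS = {  # NSX Manager: security group -> member VM names
    "Database": {"DB_VM1", "DB_VM2"},
    "Legal": {"LEGAL_VM"},
}


@dataclass
class Rule:
    """One access rule written against virtual object names."""
    number: int
    src: str
    dst: str
    service: str
    action: str


@dataclass
class ControllerState:
    """What the controller has learned as of its last poll."""
    vms: dict = field(default_factory=dict)
    groups: dict = field(default_factory=dict)
    last_poll_s: int = 0


def poll(state, vcenter_vms, nsx_groups, now_s):
    """One polling cycle: snapshot the current inventory into controller state."""
    state.vms = dict(vcenter_vms)
    state.groups = {g: set(members) for g, members in nsx_groups.items()}
    state.last_poll_s = now_s


def resolve_object(state, name):
    """Map a security group or VM name to the IPs the gateway will enforce on."""
    if name in state.groups:
        return {state.vms[m] for m in state.groups[name] if m in state.vms}
    if name in state.vms:
        return {state.vms[name]}
    raise KeyError(f"unknown virtual object: {name}")


def resolve_policy(state, rules):
    """Expand every rule to concrete IP sets, keyed by rule number."""
    return {r.number: (resolve_object(state, r.src), resolve_object(state, r.dst),
                       r.service, r.action) for r in rules}


def objects_in_use(rules):
    """Objects that count toward the limit: only those referenced by rules."""
    return {r.src for r in rules} | {r.dst for r in rules}


def demonstrate_staleness():
    """Show the update window: a VM joining a group right after a poll is not
    seen by the controller until the next poll, up to POLL_INTERVAL_S later."""
    state = ControllerState()
    groups = {g: set(m) for g, m in NSX_SECURITY_GROUPS.items()}
    poll(state, VCENTER_VMS, groups, now_s=0)
    groups["Database"].add("WEB_VM")              # change in NSX just after the poll
    before = resolve_object(state, "Database")    # still the old membership
    poll(state, VCENTER_VMS, groups, now_s=POLL_INTERVAL_S)
    after = resolve_object(state, "Database")     # now includes WEB_VM's IP
    return before, after


if __name__ == "__main__":
    st = ControllerState()
    poll(st, VCENTER_VMS, NSX_SECURITY_GROUPS, now_s=0)
    policy = [Rule(3, "WEB_VM", "Database", "SQL", "Allow")]
    print(resolve_policy(st, policy))
    print(len(objects_in_use(policy)), "of", OBJECT_LIMIT, "objects in use")
    print(demonstrate_staleness())
```

The point to take from `demonstrate_staleness` is operational: a VM that joins a security group is not covered by the group-based rule until the next poll, so an enforcement gap of up to the polling interval is part of the design and worth accounting for in change windows.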

21 vSEC Security Gateway VM User Space: Software Blade Architecture
If traffic is redirected to the vSEC Gateway without any policies configured on it, the traffic will be dropped.
Traffic comes from the user-mode NetX API into Check Point's user-mode fwk, which is the same program that runs in the kernel on Check Point hardware appliances.
The vSEC Gateway is updated only on policy installation and on changes to the virtual objects used in the policy.
The Service VM (SVM) protects virtualized environments from internal and external threats. The vSEC Security Gateway has only one interface, eth0, for management communication. The eth2 vNIC is used internally: the interface is actually disconnected; it emulates an interface to the firewall so that the firewall believes it receives traffic from an interface and knows how to inspect it.
Data plane: traffic is redirected to the Service VM (SVM) via the NetX API.
VM user space processes: fwk (firewall engine), cpd (handles management communication), fwd (sends log messages), NetX API SDK.

22 vSEC Solution Requirements
vSphere Requirements (VMware Component: Validated Build; Notes):
ESXi host: 5.5 GA update 2 (build ); testing for 6.0 in progress
vCenter Server: 5.5 GA update 2 (build )
NSX Manager: 6.1.2 (build ); 6.1.2 or later
* Currently vSEC supports only one NSX and one vCenter instance.
Requirements for the VM running GAIA OS with Management Server and vSEC Controller (Minimum / Recommended with Reporting):
CPU: 2 / 4
RAM: 4 GB / 8 GB
Disk: 50 GB / 100 GB

23 vSEC Solution Requirements
vSEC Gateway Requirements (Minimum / Recommended):
Memory: 1 GB / 2 GB
Disk Space: 32 GB / 80 GB
Number of Virtual CPUs: 1 / 5
OVF Space: 4 GB
vSEC Controller Requirements: installed as a patch on the Check Point Security Management Server; at least 1 GB of free disk space should be allocated.

24 Deployment of Check Point vSEC Solution
1. Install GAIA OS with Check Point Management Server R Add-On R77.30 as a virtual appliance or on a hardware appliance, or install the Add-On onto an existing R77.30 Management Server.
2. Install the hotfix "Check_Point_VSEC_R77_30_HF_MGMT.linux.tgz". This installs the vSEC Controller. Make sure you have 1 GB of free disk space on the server for the vSEC Controller. This hotfix can also be installed via the Web UI.
3. The Check Point Management Server can be used to manage both virtual and physical gateways. If physical gateways will also be used, the following hotfix must also be applied on the physical gateway: fw1_wrapper_HOTFIX_R77_20_VSEC_HF_GW.tgz or fw1_wrapper_HOTFIX_R77_30_VSEC_HF_GW.tgz.

25 Deployment of Check Point vSEC Solution
4. Upload the vSEC OVF image to the Check Point Management Server (or another web server).
5. Register the vSEC service using the vsec_config client on the Check Point Management Server.

26 Deployment of Check Point vSEC Solution
6. Deploy the service from vCenter Network & Security, under Installation, Service Deployments.

27 Deployment of Check Point vSEC Solution
7. Configure a policy via SmartConsole and push it down to the respective hosts. Below, two vSEC Gateways were added as members of a cluster and a rule accepting all traffic is pushed down to both members of the cluster.

28 Deployment of Check Point vSEC Solution
8. Configure Security Groups and a Security Policy to redirect traffic to the Check Point vSEC Gateway.

29 Deployment of Check Point vSEC Solution
9. You can log directly into a vSEC gateway and confirm that traffic is being redirected to it. In this case, two VMs with IP addresses and are sending ICMP pings to each other. The console output below is from the vSEC gateway on the host where the VM with IP address resides. The VM with IP address resides on another host.

30 Deployment of Check Point vSEC Solution
10. We can easily enable additional blades/features on the vSEC Gateways.

31 Performance and Guidelines
The vSEC Gateway operates in user space and processes packets at up to 2 Gbps (per instance).
Enabling additional software blades consumes more CPU and impacts performance. For example, adding the IPS blade cuts the CPU performance in half and affects throughput.
The vSEC Controller polls NSX and vCenter every 30 seconds for updates and communicates any changes as needed to the vSEC Gateways. 30 seconds is therefore the maximum time it can take for the vSEC Controller to update the respective vSEC Gateway(s). What does this imply? If a VM is added to a security group, it can take up to 30 seconds for the respective vSEC Gateway(s) to be updated with the correct IP of the VM.

32 vSEC - VMotion Scenario
In case of a vMotion event, all traffic related to the old connections will be inspected by the new firewall. Information on the old vSEC Gateway won't pass to the new Gateway.
vMotion is not relevant to vSEC Gateway rules, as rules are applied at the cluster level and all Gateways in the cluster have the same rules applied. In general, vSEC Gateway clusters should parallel vSphere clusters.
Check Point rules are updated only on an Install Policy event; virtual objects in the rules are updated as objects are learned from NSX/vCenter.
A vSEC Gateway cluster should include member vSEC Gateways from all clusters the user expects to be able to vMotion across. The important point is that policies should be consistent on the vSEC Gateways on the different hosts the user expects to vMotion across.

33 vSEC - Controller HA Scenario
The vSEC Controllers reside on the Check Point Management Server. The Check Point Management Server follows an active-standby model; automatic failover is not supported.
* Two vSEC Controllers are supported in Active-Standby mode, with only one controller active at any time.
* A synchronization between the servers is triggered every time a policy is installed.
* If manual failover is not initiated by the user, the vSEC Controller will not update the vSEC Gateways with virtual objects learned from NSX/vCenter.
* If the vSEC Controller is down, traffic will keep passing based on the rules already installed on the vSEC Gateways, but no new learning from NSX/vCenter will occur.
HA is supported over both L2 and L3.
- Traffic will pass as it did before the failover, but the vSEC Gateways will not receive updates on new virtual objects from NSX Manager and vCenter.
- In a Multi-Domain Security Management environment, you must first fail over the Multi-Domain Servers and then synchronize the Domain Management Servers.
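The HA behaviour on this slide, as an added model (not Check Point code): two controllers in active-standby, synchronisation on policy install, failover only when an operator initiates it, and gateways that keep enforcing the rules already installed while learning from NSX/vCenter stops. The `scenario` function walks through the active server going down, a new VM joining a security group, and what the gateway does before and after the manual failover. Controller names, the gateway, the security groups and IPs are constructed.

```python
"""Added model (not Check Point code) of vSEC controller HA as the deck
describes it: active-standby, sync on policy install, manual failover only,
gateways keep enforcing installed rules.  All data below is constructed."""
from dataclasses import dataclass, field


@dataclass
class Controller:
    name: str
    active: bool
    up: bool = True
    learned: dict = field(default_factory=dict)   # group -> IPs learned from NSX/vCenter


@dataclass
class Gateway:
    name: str
    rules: list = field(default_factory=list)     # (src_group, dst_group, action)
    objects: dict = field(default_factory=dict)   # group -> IPs currently installed


def poll(ctrl, inventory):
    """A controller learns from NSX/vCenter only while it is up."""
    if ctrl.up:
        ctrl.learned = {g: set(ips) for g, ips in inventory.items()}


def push_objects(ctrl, gateways):
    """Only the active controller updates the gateways' virtual objects."""
    if not (ctrl.active and ctrl.up):
        return False
    for gw in gateways:
        gw.objects = {g: set(ips) for g, ips in ctrl.learned.items()}
    return True


def install_policy(active, standby, gateways, rules):
    """Policy install: rules reach the gateways and the standby is synchronised."""
    for gw in gateways:
        gw.rules = list(rules)
    push_objects(active, gateways)
    standby.learned = {g: set(ips) for g, ips in active.learned.items()}


def manual_failover(old_active, new_active):
    """Operator-initiated failover; the deck says nothing happens automatically."""
    old_active.active = False
    new_active.active = True


def verdict(gw, src_ip, dst_ip):
    """Enforcement uses only the rules and objects installed on the gateway."""
    for src_g, dst_g, action in gw.rules:
        if src_ip in gw.objects.get(src_g, set()) and dst_ip in gw.objects.get(dst_g, set()):
            return action
    return "drop"


def scenario():
    """Active goes down, NSX changes, standby is not promoted, then failover."""
    inv = {"Web": {"10.0.1.10"}, "Database": {"10.0.2.20"}}   # constructed groups
    a, b = Controller("ctrl-A", active=True), Controller("ctrl-B", active=False)
    gws = [Gateway("vsec-gw1")]
    rules = [("Web", "Database", "accept")]
    poll(a, inv)
    install_policy(a, b, gws, rules)
    a.up = False                        # the active management server goes down
    inv["Web"].add("10.0.1.11")         # a new web VM joins the Web security group
    poll(b, inv)                        # the standby learns it but may not push
    pushed_before = push_objects(b, gws)
    stale = verdict(gws[0], "10.0.1.11", "10.0.2.20")   # new VM: not yet an object
    still = verdict(gws[0], "10.0.1.10", "10.0.2.20")   # old VM: installed rules hold
    manual_failover(a, b)
    pushed_after = push_objects(b, gws)
    fresh = verdict(gws[0], "10.0.1.11", "10.0.2.20")
    return {"pushed_before": pushed_before, "stale": stale, "still_passing": still,
            "pushed_after": pushed_after, "fresh": fresh}


if __name__ == "__main__":
    print(scenario())
```

Read the result as a monitoring requirement: while the active server is down and no failover has been initiated, existing flows keep passing but every new VM is invisible to the rules, so the gap is silent unless the controller's health and the age of its last successful push are watched.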

34 AUTOMATE ADVANCED SECURITY FOR SOFTWARE DEFINED DATACENTER (SDDC)

35 DATACENTER PERIMETER SECURITY GATEWAY
Use Check Point Appliances with Advanced Threat Prevention for Datacenter Perimeter Security (North-South traffic).

36 DATACENTER VIRTUAL SECURITY GATEWAY
Use the Check Point vSEC Gateway for advanced security between Virtual Machines (East-West traffic).

37 DATACENTER MICRO-SEGMENTATION
(Diagram: NSX Security Groups Finance, Legal, Web, Database and Partners, each containing VMs, on VMware NSX.)
Use NSX to segment Virtual Machines into different Security Groups using a flat network.

38 DATACENTER EAST-WEST SECURITY CONTROL
NSX Service Chain Policy: traffic from the Partners Security Group to the Legal Security Group must go through the Check Point vSEC Gateway.
Use Check Point vSEC to control traffic access between Virtual Machines.
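The steering model from slides 13, 21 and 38, as an added illustration (not VMware or Check Point code): traffic stays with the NSX Distributed Firewall by default, a Service Composer-style redirection rule sends a matching source/destination group pair to the vSEC gateway, and the vSEC gateway drops redirected traffic that no rule accepts. The security groups, IPs, redirection pair and vSEC rules are constructed; the DFW's own L2-L4 policy is not modelled.

```python
"""Added illustration (not VMware or Check Point code) of the redirection
decision the deck describes: DFW by default, vSEC when a redirection
policy matches, and default-drop on the vSEC gateway when no rule accepts.
Groups, IPs and rules below are constructed."""

# Constructed NSX Security Group membership: group -> member VM IPs.
SECURITY_GROUPS = {
    "Partners": {"10.0.4.40", "10.0.4.41"},
    "Legal": {"10.0.3.30"},
    "Web": {"10.0.1.10"},
}

# Service Composer-style redirection policy: (source group, destination group).
# Slide 38: traffic from Partners to Legal must go through the vSEC gateway.
REDIRECT_TO_VSEC = [("Partners", "Legal")]

# vSEC gateway access rules as (src group, dst group, service, action).
# Slide 21: redirected traffic with no matching policy is dropped.
VSEC_RULES = [
    ("Partners", "Legal", "https", "accept"),
]


def groups_of(ip):
    """All security groups an IP belongs to (a VM may be in several)."""
    return {g for g, members in SECURITY_GROUPS.items() if ip in members}


def steer(src_ip, dst_ip):
    """Return 'DFW' (the default) or 'vSEC' when a redirection rule matches."""
    src_groups, dst_groups = groups_of(src_ip), groups_of(dst_ip)
    for src_g, dst_g in REDIRECT_TO_VSEC:
        if src_g in src_groups and dst_g in dst_groups:
            return "vSEC"
    return "DFW"


def vsec_verdict(src_ip, dst_ip, service):
    """First-match rule lookup on the vSEC gateway; the default is drop."""
    src_groups, dst_groups = groups_of(src_ip), groups_of(dst_ip)
    for src_g, dst_g, svc, action in VSEC_RULES:
        if src_g in src_groups and dst_g in dst_groups and svc == service:
            return action
    return "drop"


def enforce(src_ip, dst_ip, service):
    """Full path for one flow: where it is steered and the resulting verdict."""
    path = steer(src_ip, dst_ip)
    if path == "DFW":
        return path, "handled-by-DFW"   # DFW L2-L4 rules apply; not modelled here
    return path, vsec_verdict(src_ip, dst_ip, service)


if __name__ == "__main__":
    for flow in [("10.0.4.40", "10.0.3.30", "https"),
                 ("10.0.4.40", "10.0.3.30", "ssh"),
                 ("10.0.1.10", "10.0.3.30", "https")]:
        print(flow, "->", enforce(*flow))
```

The second flow is the one worth remembering when debugging a deployment: a redirection rule that matches but a vSEC policy that does not results in a drop on the service VM, not a fallback to the DFW.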

39 DATACENTER: PREVENT LATERAL THREATS
(Blades shown on the Check Point vSEC gateway: IPS, Antivirus, Anti-Bot, Anti-Spam, Application Control, protecting the Legal and Partners VMs.)
Use vSEC for Advanced Threat Prevention inside the data center.

40 UNIFIED MANAGEMENT
(Diagram: Check Point Smart Management with the vSEC Controller managing both the Internet perimeter gateway and the vSEC gateways in the Datacenter.)
Use Check Point unified management for consistent policy control and threat visibility across virtual and perimeter gateways.

41 APPLICATION-AWARE POLICY
Check Point Access Policy example (Rule / From / To / Service / Action): 3 / WEB_VM (vCenter Object) / Database (NSX SecGroup) / SQL / Allow
Check Point dynamically fetches objects from NSX and vCenter (via the vSEC Controller on Check Point Smart Management).
Use fine-grained security policies tied to NSX Security Groups and Virtual Machine identities.

42 Check Point vSEC Key Features
Policy Management:
- Unified management for virtual and physical Gateways
- Datacenter policy segmentation with sub-policies*
- Fetch vCenter and NSX objects for use in Check Point policy
Security:
- Threat Prevention with multi-layered defenses for the Virtual Data Center
- Tag infected VMs and update NSX for automatic remediation
Visibility & Forensics:
- View VM objects in security logs
- Comprehensive Datacenter Threat Visibility
Automation & Orchestration:
- Granular privilege down to the individual rule for trusted integrations*
* Available in R80
[Confidential] For designated groups and individuals

43 FAQ
Q: What is the vSEC product version?
A: vSEC Gateway is R77.20 vSEC. vSEC Controller is based on R77.30.
Q: Can I buy and use it today?
A: Yes.
Q: Will vSEC be supported in R80?
A: Yes.
Q: Was it certified by VMware NSX?
A: Yes. It is certified on ESX 5.5 and ESX 6.0.
Q: Where can I learn more about the solution?
A: Visit the vSEC wiki and the Check Point vSEC webpage.

44 CHECK POINT & VMWARE: Automating Advanced Security Inside the Data Center
Virtual Security with Advanced Threat Prevention + Next Generation Networking and Security: Lateral Threat Prevention, Automated Security Provisioning, Security Control & Visibility

45 THANK YOU!

