securing software-defined data centers with check point vsec and vmware...
TRANSCRIPT
©2015 Check Point Software Technologies Ltd.
Securing Software-Defined Data Centers with Check Point vSEC and VMware NSX
Peter Kovalčík
SE Manager, Check Point Software Technologies
Hey, I can spin up VMs in minutes. Why does it take a week to get network/firewall changes?
State of Virtualization vs. Networking
Virtual Datacenter
DATA CENTER EVOLUTION
• Server (compute) virtualization
• Network operation is manual
Software Defined Datacenter
Private Cloud
• Network is also virtualized
• Services can be dynamically inserted and orchestrated via automation
THE NEW ERA OF SOFTWARE-DEFINED DATACENTERS (SDDC)
Allowing IT to deliver applications at a fraction of the cost and time in a more secure way!
(figure labels: north-south vs. east-west traffic)
Perimeter (north-south) security is blind to 80% of the east-west data center traffic
Challenge #1: Increasing Traffic Inside the Datacenter
• Lack of security control between VMs
• Threat can easily traverse VLANs
• Threats attack low-priority service and then move to critical systems
Modern threats can spread laterally inside the data center, moving from one application to another
Challenge #2: Lateral Threats Inside the Data Center
Traditional static controls fail to secure dynamic networks and highly mobile applications
Challenge #3: Security Ignores Data Center Changes
• New Virtual Machines
• Virtual Machine movement
• VMs that change IP address
• Dormant VMs that wake up
• VMs move between VLANs
How do you define a secure policy for catalog applications that have not been provisioned yet and still don't have an IP address?
Lack of security automation impacts business agility in delivering services and results in security gaps
Challenge #4: Security Inhibits Data Center Agility
Securing SDDC - goals
Better SECURITY
Better MANAGED
Better PERFORMANCE
Securing SDDC - goals
Increased visibility and control
DEEP inspection, CLOSE to applications
Security is natural part of modern SDDC design
Improved security policy management
avoid overhead by knowing CONTEXT
FLEXIBLE for application deployments and changes
Performance and scalability
SCALABLE - growing with datacenter growth
no choke point design
Building blocks
• Automated security provisioning (new ESXi hosts deployed with security from beginning)
• Transparent security insertion – configurable redirection to deep inspection engine
• Cloud management systems integration into Security Management – consume objects and state of NSX/vCenter (using SDDC context)
• Tagging VMs with security incidents
• API and CLI for security automation and orchestration
Beyond L4 firewall… Users, applications, data, known and unknown threats
Granular Visibility
• Identity Awareness
• DLP
• Mobile Access
• SmartEvent
• Application Control
• URLF
• IPS
• Anti-Bot
• Antivirus
• Threat Emulation
(figure labels: HTTPS, UserCheck)
SECURITY REQUIREMENTS INSIDE THE DATA CENTER
1. Security visibility into traffic inside the data center
2. Automated security provisioning to keep pace with dynamic data center changes
3. Automated insertion and deployment of advanced threat prevention to protect inside the data center
CHECK POINT & VMWARE
Automating Security inside the Data Center
Virtual Security with Advanced Threat Prevention + Next Generation Networking and security
Security Control & Visibility
Lateral Threat Prevention
Automated Security Provisioning
vSEC & NSX DATACENTER SECURITY
100% Software Based: Service, Network & Security
• Segmented Data Center: Micro-Segmentation with advanced threat prevention
• Security Orchestration between Virtual Machines: Automation of Virtual Network & Security
• Security Control for All Data Center Traffic: Consistent security for N-S and E-W traffic
CHECK POINT vSEC DEPLOYMENT NSX automatically provisions Check Point vSEC gateway on each host
NSX manager automatically deploys and provisions Check Point vSEC Gateway on each host
CHECK POINT vSEC AUTO-DEPLOYMENT
Automatically & instantly scale vSEC to secure VMs on new host members
CHECK POINT vSEC AUTO-DEPLOYMENT
Use NSX to segment Virtual Machines into different Security Groups using a flat network
MICRO-SEGMENTATION
NSX Security Groups (figure): Finance, Legal, Web, Database, Partners
Use Check Point vSEC to control traffic access between Virtual Machines
EAST-WEST SECURITY CONTROL
NSX Service Chain Policy
Traffic from Partner to Legal Security Group must go through Check Point vSEC Gateway
Use vSEC for Advanced Threat Prevention inside data center
PREVENT LATERAL THREATS
APPLICATION-AWARE POLICY
Check Point Access Policy
Rule | From | To | Service | Action
3 | WEB_VM (vCenter Object) | Database (NSX SecGroup) | SQL | Allow
Use fine-grained security policies tied to NSX Security Groups and Virtual Machine identities
Check Point dynamically fetches objects from NSX and vCenter
SHARED-CONTEXT POLICY
NSX Policy
From | To | Action
Infected VM (Tagged by Check Point) | Any | Quarantine
Shared security context between vSEC and NSX Manager to automatically quarantine and trigger remediation by other services
Check Point tags infected Virtual Machines in NSX manager
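The two policy tables above (a vSEC access rule bound to vCenter/NSX objects rather than addresses, and an NSX quarantine rule keyed on a tag the gateway wrote back), together with the service-chain redirection of Partner-to-Legal traffic from the earlier slide, as an added, constructed simulation. This is example code written for this page, not Check Point or VMware code and not either product's API; the VM names, addresses, security groups, the service-chain set, the fail-closed treatment of unknown endpoints and the evaluation order are all assumptions. It also walks through the Challenge #4 case: a database VM provisioned later with a new IP is covered by the existing group-based rule without any policy edit.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class VM:
    """A virtual machine as seen through vCenter/NSX context (constructed)."""
    name: str
    ip: str
    groups: Set[str] = field(default_factory=set)  # NSX security groups
    tags: Set[str] = field(default_factory=set)    # security tags, e.g. "Infected"


@dataclass
class Rule:
    """One access rule; selectors are object names, never IP addresses."""
    src: str       # NSX security group, VM name, security tag, or "Any"
    dst: str
    service: str   # "SQL", "HTTPS", ... or "Any"
    action: str    # "Allow", "Drop", "Quarantine"


class Inventory:
    """Stands in for the object store the gateway fetches from NSX/vCenter."""

    def __init__(self) -> None:
        self._by_ip: Dict[str, VM] = {}

    def add(self, vm: VM) -> None:
        self._by_ip[vm.ip] = vm

    def lookup(self, ip: str) -> Optional[VM]:
        return self._by_ip.get(ip)

    def change_ip(self, vm: VM, new_ip: str) -> None:
        """The VM keeps its identity when its address changes (Challenge #3)."""
        del self._by_ip[vm.ip]
        vm.ip = new_ip
        self._by_ip[new_ip] = vm


def selector_matches(selector: str, vm: Optional[VM]) -> bool:
    if selector == "Any":
        return True
    if vm is None:            # endpoint unknown to NSX/vCenter: no object, no match
        return False
    return selector == vm.name or selector in vm.groups or selector in vm.tags


def first_match(rules: List[Rule], src: Optional[VM], dst: Optional[VM],
                service: str) -> Optional[Rule]:
    for rule in rules:
        if (selector_matches(rule.src, src) and selector_matches(rule.dst, dst)
                and rule.service in ("Any", service)):
            return rule
    return None


def evaluate(inv: Inventory, nsx_rules: List[Rule], service_chain: Set[Tuple[str, str]],
             vsec_rules: List[Rule], src_ip: str, dst_ip: str, service: str) -> str:
    """Decide one flow with the two layers cooperating (assumed order):
    1. NSX policy first; a Quarantine rule matched via a tag the gateway wrote
       into NSX stops the flow before anything else.
    2. If the (src group, dst group) pair is in the service chain, or either end
       is unknown to the inventory, the flow is redirected to the vSEC gateway,
       whose access policy decides; unmatched traffic is dropped (allow-list).
    3. Otherwise NSX's own decision stands (modelled here as Allow)."""
    src, dst = inv.lookup(src_ip), inv.lookup(dst_ip)
    nsx_hit = first_match(nsx_rules, src, dst, service)
    if nsx_hit is not None:
        return nsx_hit.action
    redirected = src is None or dst is None or any(
        (g1, g2) in service_chain for g1 in src.groups for g2 in dst.groups)
    if redirected:
        hit = first_match(vsec_rules, src, dst, service)
        return "Drop" if hit is None else hit.action
    return "Allow"


def scenario() -> Dict[str, str]:
    """Constructed walk-through; returns the decision reached at each step."""
    inv = Inventory()
    web = VM("WEB_VM", "10.1.1.10", {"Web"})
    for vm in (web, VM("DB_VM_1", "10.1.2.10", {"Database"}),
               VM("PARTNER_VM", "10.1.3.10", {"Partners"}), VM("LEGAL_VM", "10.1.4.10", {"Legal"})):
        inv.add(vm)
    nsx_rules = [Rule("Infected", "Any", "Any", "Quarantine")]      # the NSX Policy slide
    service_chain = {("Partners", "Legal"), ("Web", "Database")}    # NSX Service Chain Policy
    vsec_rules = [Rule("Partners", "Legal", "HTTPS", "Allow"),      # Check Point Access Policy
                  Rule("WEB_VM", "Database", "SQL", "Allow")]       # rule 3 from the slide

    def decide(s: str, d: str, svc: str) -> str:
        return evaluate(inv, nsx_rules, service_chain, vsec_rules, s, d, svc)

    out = {"partner_to_legal_https": decide("10.1.3.10", "10.1.4.10", "HTTPS"),
           "web_to_db_sql": decide("10.1.1.10", "10.1.2.10", "SQL"),
           "web_to_db_ssh": decide("10.1.1.10", "10.1.2.10", "SSH")}
    inv.add(VM("DB_VM_2", "10.1.2.11", {"Database"}))      # provisioned later, new IP, no rule edit
    out["web_to_new_db_sql"] = decide("10.1.1.10", "10.1.2.11", "SQL")
    inv.change_ip(web, "10.1.9.50")                         # VM changes address, identity stays
    out["moved_web_to_db_sql"] = decide("10.1.9.50", "10.1.2.10", "SQL")
    web.tags.add("Infected")                                # gateway tags the VM in NSX
    out["infected_web_to_db_sql"] = decide("10.1.9.50", "10.1.2.10", "SQL")
    out["unknown_to_db_sql"] = decide("10.9.9.9", "10.1.2.10", "SQL")   # unmanaged endpoint
    return out


if __name__ == "__main__":
    for step, decision in scenario().items():
        print(f"{step:28s} -> {decision}")
```

The point of the walk-through is the order of evaluation: a rule written against `WEB_VM` and the `Database` group keeps working when a new database VM appears or the web VM changes address, the quarantine tag overrides every allow rule the moment it is set, and an address that resolves to no object at all is inspected and dropped instead of slipping past the allow list.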
UNIFIED MANAGEMENT
Use Check Point unified management for consistent policy control and threat visibility across virtual and perimeter gateways
Use Check Point SmartEvent to monitor and investigate threats across north-south and east-west traffic
THREAT VISIBILITY INSIDE THE DATACENTER
(figure labels: 4800, 12400)
Infected Virtual Machines
VM Identity | Severity | Date
VM_Web_22 | High | 3:22:12 2/4/2015
VM_DB_12 | High | 5:22:12 2/4/2015
VM_AD_15 | Medium | 5:28:12 2/4/2015
VM_SAP_34 | Medium | 7:28:12 2/4/2015
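Challenge #1 and this slide both come down to which gateway can see which flows. The following added example, written for this page and not SmartEvent, vSEC or any real Check Point log format, classifies constructed key=value log lines as north-south or east-west by address, shows that the perimeter gateway records no east-west flows at all, and counts east-west drops per source VM as a simple indicator of the lateral-movement pattern from Challenge #2. The 10.1.0.0/16 data-center range, the gateway names and every log line are constructed.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict

# Assumed data-center address space for this example (not from the deck).
DATA_CENTER_NETS = [ipaddress.ip_network("10.1.0.0/16")]

# Constructed log lines in a simplified key=value form; NOT the real Check Point
# log format. "origin" names the gateway that logged the flow.
SAMPLE_LOGS = """\
origin=perimeter-gw src=203.0.113.7 dst=10.1.1.10 svc=HTTPS action=accept
origin=perimeter-gw src=10.1.1.10 dst=198.51.100.20 svc=HTTPS action=accept
origin=vsec-host1 src=10.1.1.10 dst=10.1.2.10 svc=SQL action=accept
origin=vsec-host1 src=10.1.1.10 dst=10.1.2.10 svc=SSH action=drop
origin=vsec-host2 src=10.1.3.10 dst=10.1.4.10 svc=HTTPS action=accept
origin=vsec-host2 src=10.1.3.10 dst=10.1.4.10 svc=SMB action=drop
origin=vsec-host1 src=10.1.1.10 dst=10.1.2.11 svc=SQL action=accept
this line is garbage and must be skipped
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict; malformed lines give {}."""
    fields = dict(KV_RE.findall(line))
    if not {"origin", "src", "dst", "action"} <= fields.keys():
        return {}
    try:
        ipaddress.ip_address(fields["src"])
        ipaddress.ip_address(fields["dst"])
    except ValueError:
        return {}
    return fields


def in_data_center(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DATA_CENTER_NETS)


def direction(src: str, dst: str) -> str:
    """East-west when both ends live inside the data center, else north-south."""
    return "east-west" if in_data_center(src) and in_data_center(dst) else "north-south"


def flows_by_origin(log_text: str) -> Dict[str, Counter]:
    """Per logging gateway, how many flows of each direction it recorded."""
    result: Dict[str, Counter] = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        result.setdefault(ev["origin"], Counter())[direction(ev["src"], ev["dst"])] += 1
    return result


def east_west_share(log_text: str) -> float:
    """Fraction of all logged flows that never crossed the perimeter."""
    total: Counter = Counter()
    for per_gateway in flows_by_origin(log_text).values():
        total.update(per_gateway)
    n = sum(total.values())
    return total["east-west"] / n if n else 0.0


def lateral_drops_by_source(log_text: str) -> Counter:
    """East-west flows a gateway dropped, counted per source address. A source
    accumulating drops against several internal peers is the 'attack a
    low-priority service, then move to critical systems' pattern."""
    drops: Counter = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["action"] == "drop" and direction(ev["src"], ev["dst"]) == "east-west":
            drops[ev["src"]] += 1
    return drops


if __name__ == "__main__":
    for gw, counts in flows_by_origin(SAMPLE_LOGS).items():
        print(f"{gw:14s} north-south={counts['north-south']} east-west={counts['east-west']}")
    print(f"east-west share of all flows: {east_west_share(SAMPLE_LOGS):.2f}")
    print("east-west drops by source:", dict(lateral_drops_by_source(SAMPLE_LOGS)))
```

With the constructed input the perimeter gateway logs two north-south flows and zero east-west ones, while the per-host gateways log the remaining five; without logs from inside the data center the dropped SSH and SMB attempts between internal VMs would never appear anywhere.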
vSEC & NSX DATACENTER SECURITY
100% Software Based: Service, Network & Security
• SDDC: Software Defined Datacenters
• Security Orchestration between Virtual Machines: Automation of Virtual Network & Security
• Security Control for All Data Center Traffic: Consistent security for N-S and E-W traffic
(figure labels: Software Defined Datacenter, Private Cloud)