
Virtualization Security

Erez Berkner, Virtualization Team Manager, Check Point R&D, May 2009. Agenda: virtualization overview; virtualization security hazards; VPN-1 Virtual Edition (VE); common use cases; vSwitch integrated security (VMsafe).


Presentation Transcript


  1. Virtualization Security. Erez Berkner, Virtualization Team Manager, Check Point R&D, May 2009

  2. Agenda • Virtualization overview • Virtualization security hazards • VPN-1 Virtual Edition (VE) • Common use cases • vSwitch integrated security (VMSafe)

  3. Virtualization Overview

  4. Virtualization 101 • Virtualization decouples physical resources from the OS & applications • Machines are encapsulated as files (diagram: a virtualization layer between the hardware and the guest machines)

  5. Virtualization 101 (diagram: the non-virtualized world, one operating system per workload such as File/Print, Exchange, CRM and VPN, versus a virtual infrastructure that draws on shared CPU, memory, storage and interconnect pools)

  6. Enables the Virtual Datacenter (diagram: virtual infrastructure built on CPU, memory, storage and interconnect pools)

  7. Dynamic resource allocation (diagram: Exchange, CRM and File/Print APP/OS stacks placed over the shared pools of the virtual infrastructure)

  8. Heals Itself Automatically (same diagram: APP/OS stacks re-placed over the shared pools)

  9. VMotion: it's time to have some fun… • Dynamic migration of VMs across disparate hardware with no downtime or disruption to applications or users (diagram: VMware Infrastructure with VMotion and Storage VMotion)

  10. Hazards!

  11. No Free Lunches…

  12. Specific Challenges with Network Security • Lack of inter-VM visibility for monitoring and enforcement • Aligning static policies with fast VM sprawl and mobility • Maintaining network session state with live migration (VMotion) • Loss of separation of duties (SOD) between server admin and network/security teams

  13. Introducing VPN-1 VE • Certified Virtual Appliance by VMware • Protects against inter-VM and external threats • No need for physical appliances and switches • Same management console – security policy crosses virtual and physical boundaries • VE provides visibility inside the virtualization environment (logs / compliance) • Protects virtualization resources (e.g. service console)

  14. VPN-1 VE Key points • Check Point is the only major network security vendor to protect the virtualization environment • Persistent security in all scenarios (failure, VMotion, DRS, etc.) • Full redundancy using ClusterXL – no single point of failure • Provides the same level of security as in the physical world, inside the virtualization environment

  15. Deploying virtualization security

  16. Deploying virtualization security: Data Center Virtualization

  17. Towards Application-Centric Security Policy (before/after diagram: load balancer, firewalls, IIS #1, IIS #2, Tomcat app server and Oracle)

  18. VMotion & ClusterXL (diagram: two ESX servers, each with ext, web, app and sync vSwitches; VE Active on ESX server 1 and VE Standby on ESX server 2, synchronised over the sync vSwitches; packets from the Internet pass through the active VE to the Web VMs and to App1, App2 and App3, with a separate Mgmt switch)

  19. ESX farms (diagram: four ESX servers, ESX 1 to ESX 4, each with an Ext interface and App VMs; one VE Active, the others Standby, synchronised over Sync links; packets arrive from the Internet)
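The challenge listed on slide 12 ("maintaining network session state with live migration") and the ClusterXL answer on slides 14 and 18 can be shown with a small model. The block below is an added example, not code from the presentation or from any Check Point product: it models a stateful firewall as a rulebase plus a connection table, two such instances inspecting traffic on two hosts, and a web VM that migrates from one host to the other in the middle of a TCP session. The VM names, addresses and the "one inspector per host" layout are constructed assumptions; the state-synchronisation step stands in for what ClusterXL does between members.

```python
"""Added example (not from the presentation): why a stateful firewall needs
connection-state synchronisation when a VM live-migrates between hosts."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

Flow = Tuple[str, str, int]          # (src, dst, dport) identifies a TCP session


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    syn: bool = False                # True only for the first packet of a session


class StatefulFirewall:
    """One cluster member: a rulebase plus a connection table."""

    def __init__(self, name: str, rule: Callable[[Packet], bool]) -> None:
        self.name = name
        self.rule = rule             # decides whether a *new* session may open
        self.connections: Set[Flow] = set()
        self.sync_peers: List["StatefulFirewall"] = []

    def sync_with(self, peer: "StatefulFirewall") -> None:
        """Model of ClusterXL-style state synchronisation between members
        (assumption: every new connection is pushed to all peers)."""
        self.sync_peers.append(peer)
        peer.sync_peers.append(self)

    def inspect(self, pkt: Packet) -> str:
        flow: Flow = (pkt.src, pkt.dst, pkt.dport)
        if flow in self.connections:
            return "ACCEPT established"
        if pkt.syn and self.rule(pkt):
            self._add_connection(flow)
            return "ACCEPT new"
        return "DROP"                 # mid-session packet with no known state

    def _add_connection(self, flow: Flow) -> None:
        self.connections.add(flow)
        for peer in self.sync_peers:
            peer.connections.add(flow)


def run_migration_scenario(state_sync: bool) -> List[str]:
    """Web VM starts on ESX1 (inspected by VE-1) and migrates to ESX2 (VE-2).
    Returns the verdict for each packet in order."""
    client, web_vm, db_vm = "198.51.100.7", "10.0.1.10", "10.0.1.20"   # constructed

    def allow_web_only(p: Packet) -> bool:
        return p.dst == web_vm and p.dport == 443

    ve1 = StatefulFirewall("VE-1", allow_web_only)
    ve2 = StatefulFirewall("VE-2", allow_web_only)
    if state_sync:
        ve1.sync_with(ve2)
    firewall_for_host: Dict[str, StatefulFirewall] = {"ESX1": ve1, "ESX2": ve2}
    verdicts: List[str] = []

    # 1. The client opens the session while the VM lives on ESX1.
    vm_host = "ESX1"
    verdicts.append(firewall_for_host[vm_host].inspect(Packet(client, web_vm, 443, syn=True)))
    # 2. VMotion moves the VM; the next data packet is inspected on ESX2.
    vm_host = "ESX2"
    verdicts.append(firewall_for_host[vm_host].inspect(Packet(client, web_vm, 443)))
    # 3. A new session to the DB VM is outside the rulebase: dropped on either host.
    verdicts.append(firewall_for_host[vm_host].inspect(Packet(client, db_vm, 1521, syn=True)))
    return verdicts


if __name__ == "__main__":
    print("without state sync:", run_migration_scenario(state_sync=False))
    print("with state sync:   ", run_migration_scenario(state_sync=True))
```

Without synchronisation the second packet is dropped: VE-2 has never seen the session, so the client's established connection breaks at the moment of migration even though policy allows it. With the connection table shared, VE-2 recognises the flow and the session survives, while a session the rulebase never permitted is still dropped on both hosts.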

  20. Service Providers • Adding virtualized security to the cloud • Protecting it with Check Point VPN-1 VE • VPN-1 VE per customer • VPN-1 VE per service • Specific service/s to specific customer/s • Antivirus • Anti-spam / malware • Mail scanning • Web filtering • VoIP

  21. Deploying virtualization security (diagram: MSPs; Customer A, Customer B and Customer C each served by their own VE, with Int and ext interfaces, on a shared ESX server, offering UTM-1 Web Filtering, a UTM-1 full set and UTM-1 Antivirus)

  22. Deploying virtualization security: Office in a box (SMB & branch offices) • Consolidate and virtualize all physical devices under one single server • Simplifies provisioning of a remote office • VPN-1 VE protects the consolidated virtual machines as well as the office's physical servers & clients • VPN services • Multiple SMB/branch-office sites can be managed by one management server

  23. Office in a box (diagram: the Internet reaches the VE's Ext interface over a VPN tunnel; the VE's Int interface is a trunk port carrying VLANs V1 to V7, with the Web, DB and FTP VMs and the Service Console on separate VLANs)

  24. Deploying virtualization security Disaster Recovery • Preserve security in DR scenarios • No need for additional physical Firewall on the DR site • “DR on a Disk” • Fast deployment – zero time

  25. Is running VPN-1 VE on VMware safe? • A hypervisor is at less risk of an external attack because • There is no IP address on the vSwitch/hypervisor • It doesn't listen on input/output ports • The hypervisor network attack surface (the vSwitch) is very thin (think of it as a NIC driver) • VE can protect the service console • Every incoming packet should go through VE security inspection before it reaches a VM • VMware has resource allocation abilities to prevent DoS on a resource by a malicious VM

  26. vSwitch integrated security (VMsafe) • Creates a new, stronger layer of defense – fundamentally changes the protection available for VMs running on VMware Infrastructure vs. physical machines • Protects the VM by inspection of virtual components (CPU, memory, network and storage) • Complete integration and awareness of VMotion, Storage VMotion, HA, etc. • Provides an unprecedented level of security – “Virtual is more secure than Real” • Firewall • IPS/IDS • Anti-Virus (diagram: VPN-1 VE attached to the ESX Server's Security API, with packets flowing through it)

  27. VPN-1 VE with VMsafe • Ability to firewall and protect individual VMs, even between VMs on the same vSwitch • VMotion awareness • Inspection at the hypervisor level • Great performance
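The claim on slide 25 that "every incoming packet should go through VE security inspection before it reaches a VM" only holds if the vSwitch topology enforces it: in the office-in-a-box layout of slides 22 and 23 the VE is the only machine that bridges the uplinked external vSwitch and the internal one, and a single workload VM given a second NIC on the external switch silently bypasses inspection. This is exactly the inter-VM visibility gap of slide 12. The block below is an added example, not code from the presentation or from any Check Point or VMware tool: it audits a constructed inventory of vSwitches and VM NIC attachments and reports every VM that can reach an uplink without passing through the inspector. The inventory, switch names and VM names are constructed; in practice the same structure would be filled from an export of the ESX host's network configuration.

```python
"""Added example (not from the presentation): verify that no VM NIC can reach
the physical uplink without passing through the inspecting virtual appliance."""
import copy
from typing import Dict, List

# Constructed inventory modelled on the "office in a box" slide: one uplinked
# external vSwitch, one purely internal vSwitch, and the VE bridging the two.
INVENTORY: Dict[str, Dict] = {
    "vswitches": {
        "vSwitch-ext": {"uplinks": ["vmnic0"]},   # carries the physical NIC
        "vSwitch-int": {"uplinks": []},           # internal only (trunked VLANs)
    },
    "vms": {
        "VE":              ["vSwitch-ext", "vSwitch-int"],  # the inspector
        "Web":             ["vSwitch-int"],
        "DB":              ["vSwitch-int"],
        "FTP":             ["vSwitch-int", "vSwitch-ext"],  # constructed misconfiguration
        "Service Console": ["vSwitch-int"],
    },
}


def audit_inspection_path(inventory: Dict[str, Dict], inspector: str = "VE") -> List[str]:
    """Return human-readable findings. An empty list means every packet from
    an uplink must traverse `inspector` before it can reach another VM."""
    findings: List[str] = []
    switches = inventory["vswitches"]
    vms = inventory["vms"]
    uplinked = {name for name, sw in switches.items() if sw["uplinks"]}
    internal = set(switches) - uplinked
    inspector_switches = set(vms.get(inspector, []))

    # The inspector must sit on every uplinked switch and on at least one
    # internal switch; otherwise it is simply not in the packet path.
    for sw in sorted(uplinked - inspector_switches):
        findings.append(f"{inspector} has no interface on uplinked {sw}: external traffic is uninspected")
    if not inspector_switches & internal:
        findings.append(f"{inspector} has no internal interface: inspected traffic cannot reach the VMs")

    # Any other VM (service console included) attached to an uplinked switch
    # is reachable from outside without inspection.
    for vm, attached in sorted(vms.items()):
        if vm == inspector:
            continue
        for sw in attached:
            if sw in uplinked:
                findings.append(f"{vm}: NIC on uplinked {sw} bypasses {inspector} inspection")
    return findings


def detach_nic(inventory: Dict[str, Dict], vm: str, switch: str) -> Dict[str, Dict]:
    """Return a copy of the inventory with one VM NIC removed (the remediation
    for a bypass finding); the input is left unchanged."""
    fixed = copy.deepcopy(inventory)
    fixed["vms"][vm] = [sw for sw in fixed["vms"][vm] if sw != switch]
    return fixed


if __name__ == "__main__":
    for line in audit_inspection_path(INVENTORY) or ["no bypass found"]:
        print(line)
    print("after remediation:", audit_inspection_path(detach_nic(INVENTORY, "FTP", "vSwitch-ext")))
```

The audit is deliberately topological rather than rule-based: it does not care what the VE's policy says, only whether a path exists that the policy never sees. Re-running it after each provisioning change is a cheap way to keep the "static policy versus VM sprawl" problem from slide 12 from quietly turning into an uninspected path.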
