Securing software-defined data centers with Check Point vSEC and VMware NSX
Tomáš Michaeli, Senior System Engineer, VMware
Peter Kovalčík, Security Engineer, Check Point Software Technologies
©2015 Check Point Software Technologies Ltd.

Is the cloud dangerous?
Today we virtualize network services with VMware NSX, the network hypervisor, within the software-defined data center concept delivered by vRealize Suite or OpenStack.

[Figure: the data center virtualization stack. Applications consume virtual servers, virtual networks and virtual storage through APIs under stateful, programmable control; the software layer maps onto commodity hardware that supplies compute, interconnect and storage capacity.]
NSX lets you build virtual environments: software containers, virtual networks, load balancing, NAT, VPN and firewalling, with programmatic access to the security and network services (https://www.vmware.com/support/pubs/nsx_pubs.html).

[Figure: a three-tier application. The Web, App and DB tiers each sit on their own L3 subnet behind a logical switch and are joined by a logical router; NAT and a load-balancer VIP definition front the Web tier, and the DB tier is protected by roughly 100 firewall rules.]
We keep seeing thefts of data and card numbers. Communication inside the perimeter is uncontrolled: there is little or no lateral control within a zone, low-priority applications are the first targets, and once inside, an attacker can move freely across the zone.

[Figure: an attacker crosses the data center perimeter from the Internet and infiltrates over weeks or months.]
Zero-Trust security in detail

Current security zone model: two VMs in Port Group "Web" (VLAN 91) sit on the same segment behind one FIREWALL, so a rule restricting traffic between them is impossible; everything inside the zone is implicitly trusted.

NSX transparent Zero-Trust security: the same VMs are members of Security Group "Web", and the firewall rule "Web to Web: DROP" is enforced between them even though they share the VLAN.
Fully automated data center

With NSX on the ESXi hypervisor, Check Point vSEC is provisioned and configured automatically: cloud automation deploys the gateway instantly and the security service is ready in minutes. Manual configuration of the same service means waiting hours or days.
DATA CENTERS are rapidly evolving.
DATA CENTER EVOLUTION

Virtual Datacenter
• Server (compute) virtualization
• Network operation is manual

Software Defined Datacenter / Private Cloud
• The network is also virtualized
• Services can be dynamically inserted and orchestrated via automation
THE NEW ERA OF SOFTWARE-DEFINED DATACENTERS (SDDC)
Allowing IT to deliver applications at a fraction of the cost and time, in a more secure way.
SECURITY CHALLENGES IN THE CURRENT DATACENTER
Challenge #1: Increasing Traffic Inside the Datacenter

[Figure: north-south traffic crosses the perimeter; east-west traffic flows between hosts inside the data center.]

Perimeter (north-south) security is blind to east-west traffic, which makes up an estimated 80% of data center traffic.
Challenge #2: Lateral Threats Inside the Data Center
• Lack of security control between VMs
• Threats can easily traverse VLANs
• Threats attack a low-priority service and then move on to critical systems

Modern threats spread laterally inside the data center, moving from one application to another.
Challenge #3: Security Ignores Data Center Changes
• New virtual machines
• Virtual machine movement
• VMs that change IP address
• Dormant VMs that wake up
• VMs that move between VLANs

Traditional static controls fail to secure dynamic networks and highly mobile applications.
Challenge #4: Security Inhibits Data Center Agility

How do you define a secure policy for catalog applications that have not been provisioned yet and still have no IP address?

Lack of security automation slows the business in delivering services and results in security gaps.
WHAT IS NEEDED?
SECURITY REQUIREMENTS INSIDE THE DATA CENTER
1. Security visibility into traffic inside the data center
2. Automated security provisioning to keep pace with dynamic data center changes
3. Automated insertion and deployment of advanced threat prevention to protect inside the data center
CHECK POINT & VMWARE: Automating Security inside the Data Center

Next-generation networking and security (VMware NSX) + virtual security with advanced threat prevention (Check Point vSEC):
• Lateral threat prevention
• Automated security provisioning
• Security control and visibility
vSEC & NSX DATACENTER SECURITY: 100% software-based service, network and security

• Micro-segmentation with advanced threat prevention: a segmented data center
• Automation of virtual network and security: security orchestration between virtual machines
• Security control for all data center traffic: consistent security for N-S and E-W traffic
Check Point vSEC + VMware NSX: how it works

CHECK POINT vSEC AUTO-DEPLOYMENT
NSX Manager automatically deploys and provisions a Check Point vSEC gateway on each host, and automatically and instantly scales vSEC to secure the VMs on new host members as they join the cluster.
MICRO-SEGMENTATION
Use NSX to segment virtual machines into different Security Groups (Finance, Legal, Web, Partners, Database) on a flat network.
EAST-WEST SECURITY CONTROL
NSX service chain policy: traffic from the Partners Security Group to the Legal Security Group must go through the Check Point vSEC gateway. Use Check Point vSEC to control traffic access between virtual machines.
PREVENT LATERAL THREATS
Use vSEC for advanced threat prevention inside the data center.
APPLICATION-AWARE POLICY

Check Point Access Policy, Rule 3:
  From:    WEB_VM (vCenter object)
  To:      Database (NSX Security Group)
  Service: SQL
  Action:  Allow

Check Point dynamically fetches objects from NSX and vCenter. Use fine-grained security policies tied to NSX Security Groups and virtual machine identities.
SHARED-CONTEXT POLICY

NSX policy:
  From:   Infected VM (tagged by Check Point)
  To:     Any
  Action: Quarantine

Check Point tags infected virtual machines in NSX Manager. The shared security context between vSEC and NSX Manager automatically quarantines the VM and triggers remediation by other services.
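The following is an added example, not Check Point or VMware code, that models in plain Python the policy behaviour described on the Zero-Trust, application-aware policy and shared-context slides, and the Challenge #3 case of a VM that changes IP address. Security Group membership is a predicate over VM identity or security tags (never an IP), the access policy references those groups, and an event from the gateway tags the VM so that the Quarantine group and its rule take effect without any rule edit. The group names follow the slides; the tag name, the key=value event lines and the VM inventory are constructed for the example, and the NSX Manager call that writes the tag is replaced by an in-memory tag set.

```python
import re
from dataclasses import dataclass, field

# Constructed security tag; the real tag a vSEC gateway writes into NSX
# Manager is not shown on the slides.
INFECTED_TAG = "CP.Infected"

@dataclass
class VM:
    """A vCenter object. Identity is the name; the IP is incidental."""
    name: str
    ip: str
    tags: set = field(default_factory=set)

# NSX-style Security Groups. Membership is a predicate over VM identity or
# security tags, never over an IP, so a VM that is re-addressed, moved or
# woken up keeps its group membership and therefore its policy.
SECURITY_GROUPS = {
    "Web":        lambda vm: vm.name.startswith("VM_Web_"),
    "Database":   lambda vm: vm.name.startswith("VM_DB_"),
    "Partners":   lambda vm: vm.name.startswith("VM_Partner_"),
    "Legal":      lambda vm: vm.name.startswith("VM_Legal_"),
    "Quarantine": lambda vm: INFECTED_TAG in vm.tags,
}

def in_group(vm, group):
    return group == "Any" or SECURITY_GROUPS[group](vm)

# Ordered, first-match access policy: (source group, destination group,
# service, action). The quarantine rules sit on top so that a freshly tagged
# VM is isolated regardless of what the rest of the policy allows.
POLICY = [
    ("Quarantine", "Any",        "Any",   "DROP"),
    ("Any",        "Quarantine", "Any",   "DROP"),
    ("Web",        "Database",   "sql",   "ALLOW"),  # the slide's Rule 3
    ("Partners",   "Legal",      "https", "ALLOW"),  # traffic steered via vSEC
    ("Web",        "Web",        "Any",   "DROP"),   # zero-trust inside one VLAN
]
DEFAULT_ACTION = "DROP"  # anything not explicitly allowed is denied

def evaluate(src, dst, service):
    """Return the action for a flow between two VMs; the first matching rule wins."""
    for src_grp, dst_grp, svc, action in POLICY:
        if in_group(src, src_grp) and in_group(dst, dst_grp) and svc in ("Any", service):
            return action
    return DEFAULT_ACTION

# Constructed gateway events in a key=value shape (not a SmartEvent export).
SAMPLE_EVENTS = """\
time=2015-02-04T03:22:12 src_vm=VM_Web_22 severity=High event=malware_detected
time=2015-02-04T05:22:12 src_vm=VM_DB_12 severity=High event=malware_detected
time=2015-02-04T05:28:12 src_vm=VM_AD_15 severity=Medium event=suspicious_dns
"""
EVENT_RE = re.compile(r"src_vm=(?P<vm>\S+)\s+severity=(?P<sev>\S+)")
SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2}

def quarantine_from_events(log_text, inventory, min_severity="High"):
    """Tag every VM named in an event at or above min_severity; return the names.

    In the real integration this is where the gateway writes a security tag
    to NSX Manager and the Quarantine group picks the VM up automatically.
    """
    tagged = []
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m or SEVERITY_RANK[m.group("sev")] < SEVERITY_RANK[min_severity]:
            continue
        vm = inventory.get(m.group("vm"))
        if vm is None:           # unknown identity: never fall back to guessing by IP
            continue
        vm.tags.add(INFECTED_TAG)
        tagged.append(vm.name)
    return tagged

def demo():
    inv = {n: VM(n, ip) for n, ip in [("VM_Web_22", "10.0.1.22"), ("VM_Web_23", "10.0.1.23"),
                                      ("VM_DB_12", "10.0.2.12"), ("VM_AD_15", "10.0.3.15")]}
    out = {}
    out["web->db sql"] = evaluate(inv["VM_Web_22"], inv["VM_DB_12"], "sql")        # ALLOW
    out["web->web http"] = evaluate(inv["VM_Web_22"], inv["VM_Web_23"], "http")    # DROP
    out["ad->web http"] = evaluate(inv["VM_AD_15"], inv["VM_Web_23"], "http")      # DROP (default)
    inv["VM_Web_22"].ip = "10.0.9.22"  # VM re-addressed after a move: nothing to update
    out["web->db sql after re-ip"] = evaluate(inv["VM_Web_22"], inv["VM_DB_12"], "sql")  # ALLOW
    out["tagged"] = quarantine_from_events(SAMPLE_EVENTS, inv)   # ['VM_Web_22', 'VM_DB_12']
    out["web->db sql after tag"] = evaluate(inv["VM_Web_22"], inv["VM_DB_12"], "sql")    # DROP
    out["ad tagged"] = INFECTED_TAG in inv["VM_AD_15"].tags      # False: Medium stays out
    return out

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:28} {value}")
```

The point to take from the run is the order of operations: nothing in `POLICY` changes between the ALLOW and the DROP for VM_Web_22; only its tag does. That is what lets the quarantine react in seconds, and it is also why the severity threshold and the identity lookup deserve care, since a false positive at this step isolates a production VM just as reliably as a true one.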
UNIFIED MANAGEMENT
Use Check Point unified management for consistent policy control and threat visibility across virtual and perimeter gateways.
THREAT VISIBILITY INSIDE THE DATACENTER

Infected Virtual Machines
  VM Identity   Severity   Date
  VM_Web_22     High       3:22:12 2/4/201
  VM_DB_12      High       5:22:12 2/4/201
  VM_AD_15      Medium     5:28:12 2/4/201
  VM_SAP_34     Medium     7:28:12 2/4/201

Use Check Point SmartEvent to monitor and investigate threats across north-south and east-west traffic.
Check Point vSEC Key Features

Policy Management
• Unified management for virtual and physical gateways
• Datacenter policy segmentation with sub-policies*
• Fetch vCenter and NSX objects for use in Check Point policy

Threat Prevention
• Multi-layered defenses for virtual data center security
• Tag infected VMs and update NSX for automatic remediation

Visibility & Forensics
• View VM objects in security logs
• Comprehensive datacenter threat visibility

Automation & Orchestration
• Granular privilege down to the individual rule for trusted integrations*

* Available in R80
LIVE DEMO
SUMMARY
vSEC & NSX DATACENTER SECURITY: 100% software-based service, network and security for the software-defined data center and private cloud (SDDC)
• Automation of virtual network and security
• Security control for all data center traffic
• Security orchestration between virtual machines
• Consistent security for N-S and E-W traffic
THANK YOU!