Explore the essentials of virtualization security, hazards, Check Point VPN-1 Virtual Edition (VE), use cases, and integrated vSwitch security. Learn about the deployment of virtualized security in data centers, application-centric security policy, and disaster recovery scenarios. Discover the benefits of VPN-1 VE for safeguarding the virtualization environment against internal and external threats.
Virtualization Security
Erez Berkner, Virtualization Team Manager, Check Point R&D
May 2009

Agenda
• Virtualization overview
• Virtualization security hazards
• VPN-1 Virtual Edition (VE)
• Common use cases
• vSwitch integrated security (VMsafe)

Virtualization 101
• The virtualization layer decouples physical resources from the OS and applications
• Machines are encapsulated as files
Virtualization 101 (diagram): in the non-virtualized world each workload (File/Print, Exchange, CRM, VPN) runs on its own operating system on dedicated hardware; in the virtual infrastructure the same operating systems draw on shared CPU, memory, storage and interconnect pools.
Enables the virtual datacenter (diagram): a virtual infrastructure built from CPU, memory, storage and interconnect pools.
Dynamic resource allocation (diagram): applications and their operating systems (Exchange, CRM, File/Print) draw on the shared pools as demand changes.
Heals itself automatically (diagram): the same workloads are restarted on the remaining pooled resources after a failure.
VMotion: it's time to have some fun…
• Dynamic migration of VMs across disparate hardware with no downtime or disruption to applications or users
(diagram: VMware Infrastructure with VMotion moving running VMs and Storage VMotion moving their disk files)

Specific challenges with network security
• Lack of inter-VM visibility for monitoring and enforcement: traffic between VMs on the same vSwitch never leaves the host, so physical network controls never see it
• Aligning static policies with fast VM sprawl and mobility
• Maintaining network session state across live migration (VMotion)
• Loss of separation of duties (SoD) between server administrators and the network/security team

Introducing VPN-1 VE
• Certified virtual appliance by VMware
• Protects against inter-VM and external threats
• No need for physical appliances and switches
• Same management console: one security policy spans virtual and physical boundaries
• VE provides visibility inside the virtualization environment (logs, compliance)
• Protects virtualization resources (e.g. the service console)

VPN-1 VE key points
• Check Point is the only major network security vendor to protect the virtualization environment
• Persistent security in all scenarios (failure, VMotion, DRS, etc.)
• Full redundancy using ClusterXL: no single point of failure
• Provides the same level of security inside the virtualization environment as in the physical world
Deploying virtualization security: data center virtualization
Towards application-centric security policy (diagram): before, a single firewall in front of the load balancer, IIS #1, IIS #2, the Tomcat app server and Oracle; after, firewalls between the tiers so that the policy follows the application rather than the physical segment.
VMotion & ClusterXL (diagram): packets from the Internet enter through the ext vSwitch of each ESX server; ESX server 1 runs the active VE and ESX server 2 the standby VE, with sync vSwitches carrying ClusterXL state synchronization between them; Web VMs sit on the Web vSwitches and App1, App2, App3 and Mgmt on the App vSwitches behind the VE's int interface.
ESX farms (diagram): four ESX servers (ESX 1 to ESX 4), each with an ext vSwitch and App VMs; one VE is active and the others standby, with sync traffic between all members.
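The two diagrams above answer the "maintaining network session state with live migration" challenge with ClusterXL state synchronization. The following Python model is an added illustration, not Check Point code and not ClusterXL's actual protocol: two gateway objects keep a connection table, the active member pushes new entries to its standby peer, and the same mid-session packets are then delivered to the standby as they would be after a failover or a VMotion. The rulebase, addresses and packets are constructed for the example; a real gateway matches on network objects rather than string prefixes.

```python
# Added example (not Check Point code): a minimal model of two firewall cluster
# members that share a synchronized connection table, showing why session state
# has to follow a session for security to survive a failover or a VMotion.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

FiveTuple = Tuple[str, str, int, int, str]  # (src, dst, sport, dport, proto)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    syn: bool = False   # TCP flags: SYN without ACK opens a connection
    ack: bool = False

    def key(self) -> FiveTuple:
        return (self.src, self.dst, self.sport, self.dport, self.proto)

    def reverse_key(self) -> FiveTuple:
        return (self.dst, self.src, self.dport, self.sport, self.proto)


@dataclass
class Rule:
    src: str      # prefix match for brevity ("10.0.1." or "any"); constructed simplification
    dst: str
    dport: int    # 0 = any port
    proto: str
    action: str   # "accept" or "drop"


@dataclass
class Gateway:
    name: str
    rulebase: List[Rule]
    connections: Dict[FiveTuple, str] = field(default_factory=dict)
    peer: Optional["Gateway"] = None   # standby member that receives state sync

    def _consult_rulebase(self, pkt: Packet) -> str:
        for r in self.rulebase:
            if ((r.src == "any" or pkt.src.startswith(r.src))
                    and (r.dst == "any" or pkt.dst.startswith(r.dst))
                    and r.dport in (0, pkt.dport) and r.proto == pkt.proto):
                return r.action
        return "drop"   # implicit cleanup rule

    def process(self, pkt: Packet) -> str:
        # Packets of a known session are accepted in both directions from the table.
        if pkt.key() in self.connections or pkt.reverse_key() in self.connections:
            return "accept"
        # A TCP packet that is not a connection-opening SYN and has no state is dropped:
        # this is what happens to a live session whose state did not follow it.
        if pkt.proto == "tcp" and not (pkt.syn and not pkt.ack):
            return "drop"
        action = self._consult_rulebase(pkt)
        if action == "accept":
            self.connections[pkt.key()] = "established"
            if self.peer is not None:          # ClusterXL-style sync of the new entry
                self.peer.connections[pkt.key()] = "established"
        return action


def simulate_failover(sync_state: bool) -> Tuple[str, str, str]:
    """Open a session on the active member, then deliver the next client packet
    and the server's reply to the standby, as happens after a failover/VMotion."""
    rules = [Rule("any", "10.0.1.", 80, "tcp", "accept")]   # constructed: allow HTTP to the web tier
    active = Gateway("VE-active", rules)
    standby = Gateway("VE-standby", rules)
    if sync_state:
        active.peer = standby
    client, server = "198.51.100.7", "10.0.1.10"
    opened = active.process(Packet(client, server, 40000, 80, "tcp", syn=True))
    # the active member fails; the standby now sees the rest of the session
    data = standby.process(Packet(client, server, 40000, 80, "tcp", ack=True))
    reply = standby.process(Packet(server, client, 80, 40000, "tcp", ack=True))
    return opened, data, reply


if __name__ == "__main__":
    print("with sync:   ", simulate_failover(True))    # ('accept', 'accept', 'accept')
    print("without sync:", simulate_failover(False))   # ('accept', 'drop', 'drop')
```

Without synchronization the standby has no entry for the flow, treats the client's next data packet as an out-of-state TCP packet and drops it, and drops the server's reply for the same reason; the user's session breaks at the moment of failover or migration. With synchronization both packets match the table and the session continues, which is the property the "persistent security in all scenarios" slide is claiming.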
Service providers
• Adding virtualized security to the cloud, protected with Check Point VPN-1 VE
• VPN-1 VE per customer
• VPN-1 VE per service
• Specific service(s) for specific customer(s): antivirus, anti-spam/anti-malware, mail scanning, web filtering, VoIP
Deploying virtualization security at an MSP (diagram): one ESX server hosting customers A, B and C, each behind its own VE (int/ext interfaces) and its own UTM-1 service: web filtering for A, the full set for B, antivirus for C.

Deploying virtualization security: office in a box (SMB and branch offices)
• Consolidate and virtualize all physical devices on one single server
• Simplifies provisioning of a remote office
• VPN-1 VE protects the consolidated virtual machines as well as the office's physical servers and clients
• VPN services
• Multiple SMB/branch sites can be managed by one management server
Office in a box (diagram): Internet → ext interface → VE, with a VPN tunnel terminating on the VE; the VE's int interface sits on a trunk port carrying segments V1 to V7, which hold the Web, DB and FTP VMs, the service console and the office's physical servers and clients.

Deploying virtualization security: disaster recovery
• Preserve security in DR scenarios
• No need for an additional physical firewall at the DR site
• "DR on a disk": the VE is a file, so it is restored together with the VMs it protects
• Fast deployment: no lead time for hardware

Is running VPN-1 VE on VMware safe?
• A hypervisor is at less risk of an external attack because:
  • the vSwitch/hypervisor itself has no IP address
  • it does not listen on any input/output port
  • the hypervisor's network attack surface (the vSwitch) is very thin (think of it as a NIC driver)
• VE can protect the service console, which does have an IP address and management services
• Every incoming packet should pass VE security inspection before it reaches a VM
• VMware's resource allocation controls (shares, reservations and limits) prevent a malicious VM from exhausting host resources (DoS)
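The "office in a box" and "is it safe" slides rest on one topology property: the only path from any VM (or the service console) to a physical uplink runs through the VE, and VMs on different tiers do not share a vSwitch behind it. The script below is an added example, not Check Point or VMware code: it models vSwitches, port groups, uplinks and endpoints as a graph, removes the VE, and reports anything that can still reach an uplink (a bypass) or another endpoint (inter-VM traffic the VE never sees). The inventories are constructed to resemble the slide diagrams; a real audit would read them from the host's vSwitch configuration.

```python
# Added example (not Check Point or VMware code): audit a vSwitch layout for the
# property "every packet reaches a VM only through the VE".  The inventory below is
# constructed to match the slide diagrams; a real audit would read it from the host.
import copy
from collections import deque
from typing import Dict, List, Set, Tuple

# vswitches: name -> uplinks (physical NICs) and port groups; endpoints: VM or
# service console -> port groups its virtual NICs attach to.  Constructed data.
GOOD_INVENTORY = {
    "vswitches": {
        "vSwitch-ext":  {"uplinks": ["vmnic0"], "portgroups": ["ext"]},
        "vSwitch-sync": {"uplinks": ["vmnic1"], "portgroups": ["sync"]},
        "vSwitch-web":  {"uplinks": [],         "portgroups": ["web"]},
        "vSwitch-app":  {"uplinks": [],         "portgroups": ["app"]},
        "vSwitch-mgmt": {"uplinks": [],         "portgroups": ["mgmt"]},
    },
    "endpoints": {
        "VE":             ["ext", "sync", "web", "app", "mgmt"],  # the gateway bridges them all
        "Web1":           ["web"],
        "App1":           ["app"],
        "App2":           ["app"],
        "ServiceConsole": ["mgmt"],
    },
}

# Same layout, but someone gave Web1 a second vNIC directly on the external port group.
BAD_INVENTORY = copy.deepcopy(GOOD_INVENTORY)
BAD_INVENTORY["endpoints"]["Web1"] = ["web", "ext"]


def build_graph(inventory: dict) -> Dict[str, Set[str]]:
    """Undirected graph: endpoint -- port group -- vSwitch -- physical NIC."""
    adj: Dict[str, Set[str]] = {}

    def link(a: str, b: str) -> None:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)

    for vs, spec in inventory["vswitches"].items():
        for pg in spec["portgroups"]:
            link(f"pg:{pg}", f"vs:{vs}")
        for nic in spec["uplinks"]:
            link(f"vs:{vs}", f"nic:{nic}")
    for ep, pgs in inventory["endpoints"].items():
        for pg in pgs:
            link(f"ep:{ep}", f"pg:{pg}")
    return adj


def reachable(adj: Dict[str, Set[str]], start: str, blocked: Set[str]) -> Set[str]:
    """Breadth-first reachability with the blocked nodes removed from the graph."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in seen and nxt not in blocked:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def audit(inventory: dict, ve: str = "VE") -> Dict[str, list]:
    """Remove the VE from the graph; anything an endpoint can still reach is
    traffic the VE never inspects."""
    adj = build_graph(inventory)
    uplinks = {f"nic:{n}" for s in inventory["vswitches"].values() for n in s["uplinks"]}
    endpoints = sorted(e for e in inventory["endpoints"] if e != ve)
    bypass: List[str] = []
    pairs: List[Tuple[str, str]] = []
    for ep in endpoints:
        reach = reachable(adj, f"ep:{ep}", blocked={f"ep:{ve}"})
        for nic in sorted(reach & uplinks):
            bypass.append(f"{ep} reaches {nic} without traversing {ve}")
        for other in endpoints:
            if other > ep and f"ep:{other}" in reach:
                pairs.append((ep, other))   # inter-VM traffic on a shared vSwitch
    return {"uplink_bypass": bypass, "uninspected_pairs": pairs}


if __name__ == "__main__":
    print(audit(GOOD_INVENTORY))  # {'uplink_bypass': [], 'uninspected_pairs': [('App1', 'App2')]}
    print(audit(BAD_INVENTORY))   # uplink_bypass: ['Web1 reaches nic:vmnic0 without traversing VE']
```

In the intended layout the only finding is that App1 and App2, which share the app vSwitch, can talk to each other without inspection; that is exactly the gap the VMsafe slides later address with inspection between VMs on the same vSwitch. In the misconfigured layout the extra vNIC on the ext port group gives Web1 a path to vmnic0 that never crosses the VE, which silently breaks the "every incoming packet goes through VE" assumption the slide relies on. The sync vSwitch has an uplink because ClusterXL sync must reach the peer host, but nothing except the VE attaches to it, so it produces no finding.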
vSwitch integrated security (VMsafe)
• Creates a new, stronger layer of defense; fundamentally changes the protection available to VMs running on VMware Infrastructure compared with physical machines
• Protects the VM by inspecting its virtual components (CPU, memory, network and storage)
• Complete integration with and awareness of VMotion, Storage VMotion, HA, etc.
• Provides an unprecedented level of security: "Virtual is more secure than Real"
(diagram: VPN-1 VE providing firewall, IPS/IDS and anti-virus, inspecting packets through the VMsafe security API inside the ESX server)

VPN-1 VE with VMsafe
• Ability to firewall and protect individual VMs, even between VMs on the same vSwitch
• VMotion awareness
• Inspection at the hypervisor level
• Great performance