©2009 HP Confidential template rev. 12.10.09
Sean Ennis, Solutions Architect (HP TippingPoint) – Canada
HP TIPPINGPOINT IPS AND VIRTUALIZATION SECURITY FOR THE DATA CENTER
AGENDA
– Modern Threat Landscape
– IPS Platform
– Secure Virtualization Framework
– Q&A
DATA CENTER TRENDS

Trend                           | Past                               | Present & Future
Threat Landscape Change         | Worms, Viruses, Trojans, DDoS      | Sophisticated Targeted Attacks, Re-Perimeterization
New Apps, Protocols & Traffic   | Legacy, Client Server, IPv4, Data  | Legacy + Web, IPv4 + IPv6, Data + Voice + Video
Efficiency Drives Consolidation | Dispersed, Physical                | Virtualization, Blades, Increased Bandwidth
(business driver)               | Connect Everyone to Everything     | Do More With Less
MODERN ATTACK LANDSCAPE – APPLICATIONS ARE THE PRIMARY TARGETS

Figure (timeline 2002-2004 → 2004-2007 → 2007-2010+):
• Attack categories: Network / Server Downtime Attacks; Social Engineering Attacks; Enterprise and Web Application Attacks
• Targeted assets: Individual Account Credentials; Corporate Ransom; Email Spamming; Corporate Confidential Information; Customer Details; Credit Card Database; Online Click Fraud
• 2002-2004: Virus, Trojan, Worm, DDoS, O/S Specific Attacks, P2P
• 2004-2007: SQL Injection, XSS, Phishing, PHP File Include, Spyware
• 2007-2010+: Whaling, Botnet, Social Media Malware, Application Exploits
WHAT ABOUT THE FIREWALL?
In simplest form…
• Separates distinct security zones
• Designed to block or allow traffic based on a set of rules
• Rejects all unauthorized ports/protocols at the edge of a security zone
• Very good at ensuring network resources (servers, clients, etc.) only see required traffic
• Can also be generally responsible for VPN, NAT, redirection, proxying, etc.
WHAT ABOUT THE FIREWALL? (continued)
Same slide as above, overlaid with the attacks that a port/protocol firewall does not address:
DDoS, SQL Injection, XSS, PHP File Include, Spyware … Browser exploits … Drive-by DL … Adobe exploits …
IPS PLATFORM INTRODUCTION
IPS Platform – designed for future security demands and services

Figure: Unknown Traffic Goes In → IPS Platform (managed by the Security Management System) → Clean Traffic Comes Out

Proactive
• In-line reliability
• In-line performance (throughput/latency)
• Filter accuracy
Security
• Leading security research
• Fastest coverage
• Broadest coverage
Costs
• Quick to deploy
• Automated threat blocking
• Easy to manage
HP TIPPINGPOINT S-SERIES PRODUCTS

IPS Platform
• TippingPoint S10 – 20Mbps • 2 Segments
• TippingPoint S110 – 100Mbps • 4 Segments
• TippingPoint S330 – 300Mbps • 4 Segments
• TippingPoint S660N – 750Mbps • 10 Segments
• TippingPoint S1400N – 1.5Gbps • 10 Segments
• TippingPoint S2500N – 3Gbps • 11 Segments
• TippingPoint S5100N – 5Gbps • 11 Segments
• Core Controller – 20Gbps • 3x10GbE
Deployment targets: ROBO, Perimeter, Zone isolation, MSPs… / 10GE Networks, Core, Data Center, Service Providers…

Solutions, Management & Accessories
• Security Management System (SMS) – Manage Multiple Units • Central Dashboard
• SSL Appliance S1500 – Transparent SSL Bridging and Off-Loading
• vController (Virtual Controller) and VMC – Virtual Data Center Security & Visibility

Security Intelligence (DVLabs Services)
• Digital Vaccine – Broadest Coverage • Evergreen Protection
• Web App DV and Scanning – Web Scan • Custom Filters • PCI Report
• ThreatLinQ – Real Time Threat Intelligence
• Reputation DV – IP Reputation • DNS Reputation
TECHNICAL SPECIFICATION – N-PLATFORM SENSORS

                               TippingPoint 660N   TippingPoint 1400N   TippingPoint 2500N   TippingPoint 5100N
Performance
  Network Throughput           750 Mbps            1.5 Gbps             15 Gbps              15 Gbps
  Inspection Throughput        750 Mbps            1.5 Gbps             3 Gbps               5 Gbps
  Typical Latency              < 80 microseconds   < 80 microseconds    < 80 microseconds    < 80 microseconds
  Concurrent Network Sessions  6,500,000           6,500,000            10,000,000           10,000,000
  Security Contexts            1,200,000           1,200,000            2,600,000            2,600,000
  Connections/Sec              115,000             115,000              230,000              230,000
Interfaces
  660N, 1400N: 10 x 1GbE Copper • 10 x 1GbE SFP • 10 Total Segments • External ZPHA
  2500N, 5100N: 1 x 10GbE XFP • Internal ZPHA (10GbE) • 10 x 1GbE Copper • 10 x 1GbE SFP • 10 Total Segments • External ZPHA
Power
  660N, 1400N: AC only
  2500N, 5100N: AC or DC
THREAT SUPPRESSION ENGINE (TSE)
Figure: traffic enters through the Load Balancer / Traffic Management (FW) / Bypass stage and then passes through the inspection tiers – Tier 1, Tier 2, Tier 3,4 – with the later tiers spread across multiple threads.
HP TIPPINGPOINT 1200N EMBEDDED IPS PLATFORM
– TippingPoint IPS module brings industry leading IPS, including Digital Vaccine and Reputation DV service, to any A7500 series switch
– 1.3 Gbps aggregate inspection throughput across 2 x 1Gb copper or 1 x 10Gb backplane interface
– A unified network and security management framework based on integrating TippingPoint’s Security Management System (SMS) with HP’s Intelligent Management Center (IMC)
Figure: HP A7500 Switch Series with the HP TippingPoint 1200N IPS module
CORE CONTROLLER FOR 10GBE
Core Controller Model Provides:
• High Availability – Reliability and Redundancy
• High Performance with Low Latency – 10Gbps inspection across IPS’s
• Ease of Management and Low TCO – Low cost of entry and pay-as-you-grow design
• Scalability – Expand IPS capacity to meet high bandwidth demands

Hardware:
• Three 10GbE segments
• 20Gbps aggregate inspection throughput
• 24x iLink segments – Interconnects to IPSs – 48 1Gbps ports
• Smart ZPHA modules (Optional)
• Zero Power High Availability – bypass
• Dual hot-swappable power supplies
• System health and status panel
1500S – SSL INSPECTION
High-performance, transparent SSL off-loading and bridging for IPS traffic inspection

Figure: Dirty Encrypted Traffic → SSL Appliance → IPS Platform → Clean Encrypted Traffic (bridging) OR Clean Un-Encrypted Traffic (off-loading)

Key Benefits
• Increased Web server and application security
• Virtually no traffic bottlenecks or application performance penalty
• Carrier-class reliability delivers high-availability / up-time
• Contributes to regulatory compliance efforts
• Reduced server utilization in off-loading configuration
LEADING SECURITY RESEARCH – DVLABS
IPS Platform is Only as Good as its Security Intelligence

Figure: the TippingPoint IPS Platform is fed by DVLabs Research & QA, which draws on:
• DVLabs Services: Digital Vaccine, Web App DV, Reputation DV, Custom DV; App DV, ThreatLinQ, Lighthouse Program
• Leading security research and filter development with 30+ Dedicated Researchers
• Partners: SANS, CERT, NIST, etc.; Software & Reputation Vendors
• 2,000+ Customers Participating
• 1,400+ Independent Researchers
PROVEN IN-LINE FILTER ACCURACY – UNMATCHED ACCURACY FROM DVLABS AND DIGITAL VACCINE

Figure: one vulnerability with two exploits, Exploit A and Exploit B. A standard IPS exploit filter written for Exploit A misses Exploit B, and a coarse version of it produces false positives. TippingPoint’s vulnerability filter acts like a Virtual Software Patch, eliminating false positives.

Term                  Definition
Vulnerability         Security flaw in a software program
Exploit               Attack on a vulnerability to:
                      • Gain unauthorized access
                      • Create a denial of service
Exploit Filter        Stops a single exploit
                      • Easy to produce
                      • Typically produced due to IPS engine performance limitations
                      • Results in missed attacks and false positives
Vulnerability Filter  Stops all exploits attacking the vulnerability

September 22, 2010
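As an added illustration of the exploit filter vs. vulnerability filter distinction on this slide (example code, not TippingPoint's; the protocol, the 64-byte buffer, the three filters and all sample messages are constructed), the toy filters below show Exploit B evading a signature written for Exploit A, a coarse filter firing on benign non-ASCII input, and a vulnerability filter catching both exploits without that false positive:

```python
import re

# Hypothetical vulnerability (constructed): a server copies the value of
# "NAME=<value>\n" into a 64-byte buffer without checking its length.
BUFFER_LEN = 64

# Exploit filter: the byte pattern of one known exploit, "Exploit A"
# (a long run of 0x41 padding followed by a 0x90 sled). Cheap to match,
# but it describes the payload rather than the flaw.
EXPLOIT_A_SIG = re.compile(rb"NAME=A{64,}\x90{4,}")

# Coarse exploit filter: widens coverage by flagging any NAME value that
# contains a non-ASCII byte. Catches more variants, but fires on benign data.
COARSE_SIG = re.compile(rb"NAME=[^\n]*[\x80-\xff]")

# Vulnerability filter: models the flaw itself. Any NAME value longer than
# the buffer overflows it, whatever bytes the attacker chose.
NAME_FIELD = re.compile(rb"NAME=([^\n]*)")

def exploit_filter(msg: bytes) -> bool:
    return EXPLOIT_A_SIG.search(msg) is not None

def coarse_filter(msg: bytes) -> bool:
    return COARSE_SIG.search(msg) is not None

def vulnerability_filter(msg: bytes) -> bool:
    m = NAME_FIELD.search(msg)
    return m is not None and len(m.group(1)) > BUFFER_LEN

# Constructed sample traffic
SAMPLES = {
    "legit": b"NAME=Sean Ennis\n",
    "legit_utf8": "NAME=Jos\u00e9 Mu\u00f1oz\n".encode("utf-8"),  # benign non-ASCII
    "exploit_a": b"NAME=" + b"A" * 100 + b"\x90" * 8 + b"\n",         # the known exploit
    "exploit_b": b"NAME=" + b"B" * 100 + b"\xff" * 8 + b"\n",         # same flaw, new padding
}

def evaluate(samples=SAMPLES):
    """Run all three filters over each sample; True means the message is blocked."""
    return {
        name: {
            "exploit": exploit_filter(msg),
            "coarse": coarse_filter(msg),
            "vuln": vulnerability_filter(msg),
        }
        for name, msg in samples.items()
    }
```

Only the vulnerability filter blocks both exploits while passing both legitimate messages, which is the "virtual software patch" behaviour the slide describes.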
REPUTATION DIGITAL VACCINE
Keep the bad guys and the botnets off your network

Figure: Internet ↔ IPS Platform ↔ Access Switch; the IPS consults the Reputation Database (IPv4 & IPv6 Address, DNS Names; Geography; Merge with your data).

BLOCK OUTBOUND TRAFFIC
• Botnet Trojan downloads
• Malware, spyware, & worm downloads
• Access to botnet CnC sites
• Access to phishing sites
BLOCK INBOUND TRAFFIC
• Spam and phishing emails
• DDoS attacks from botnet hosts
• Web App attacks from botnet hosts

Botnets Currently Being Tracked: Conficker, ZeuS, Kraken, Srizbi, Torpia, Storm, Asprox, Gumblar, Koobface, Mariposa, Dark Energy
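An added example of the reputation lookup this slide describes (not TippingPoint's code; the feed format, category names, direction policy and every indicator are constructed assumptions): a database of IPv4/IPv6 prefixes and DNS names, merged with the operator's own entries, applied separately to outbound and inbound flows:

```python
import ipaddress

class ReputationDB:
    # IPv4/IPv6 prefixes and DNS names, each tagged with a category and a country code
    def __init__(self):
        self.networks = []  # (ip_network, category, country)
        self.names = {}     # dns name -> (category, country)

    def add(self, indicator, category, country):
        try:  # an IP address or CIDR prefix ...
            self.networks.append((ipaddress.ip_network(indicator, strict=False), category, country))
        except ValueError:  # ... otherwise a DNS name
            self.names[indicator.lower().rstrip(".")] = (category, country)

    def merge(self, other):  # "merge with your data": operator entries join the vendor feed
        self.networks.extend(other.networks)
        self.names.update(other.names)

    def lookup(self, target):
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:  # not an address: treat it as a DNS name
            return self.names.get(target.lower().rstrip("."))
        hits = [(n.prefixlen, cat, cc) for n, cat, cc in self.networks if addr in n]
        return max(hits)[1:] if hits else None  # longest matching prefix wins

# Constructed policy: categories blocked per direction (the slide's two columns)
OUTBOUND_BLOCK = {"botnet_cnc", "phishing", "malware_download"}
INBOUND_BLOCK = {"botnet_host", "spam_source"}

def evaluate(db, direction, remote):  # -> ("block" | "allow", reason)
    hit = db.lookup(remote)
    if hit is None:
        return ("allow", "no reputation entry")
    category, country = hit
    blocked = OUTBOUND_BLOCK if direction == "outbound" else INBOUND_BLOCK
    return ("block" if category in blocked else "allow", f"{category} ({country})")

def build_sample_db():
    # Vendor feed plus operator data; every indicator here is constructed
    vendor = ReputationDB()
    vendor.add("203.0.113.0/24", "botnet_host", "XX")
    vendor.add("203.0.113.7", "botnet_cnc", "XX")  # more specific than the /24 above
    vendor.add("2001:db8::bad", "phishing", "YY")
    vendor.add("cnc.example.net", "botnet_cnc", "YY")
    mine = ReputationDB()
    mine.add("198.51.100.0/24", "spam_source", "ZZ")  # observed locally
    vendor.merge(mine)
    return vendor
```

The longest-prefix rule lets a single CnC address inside a botnet /24 get the stricter outbound verdict while the rest of the range is only blocked inbound.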
2010: DATA CENTER VIRTUALIZATION REACHES THE TIPPING POINT
Leading in Times of Transition: the 2010 CIO Agenda

Figure (2010 → 2011 → 2012): share of workloads running in virtual machines grows from 16% to 50%; ~58 million deployed x86 machines.
Source: Gartner Says 16% of Workloads are Running in Virtual Machines Today. Will grow to 50% by 2012 (October 2009)

Survey of 1,586 CIOs:
• Virtualization becomes… #1 Technology Priority in 2010
• Displaces Business Intelligence, which held the top position for the last 5 yrs!
BUT WHAT ABOUT SECURITY?
“60 Percent of Virtualized Servers Will Be Less Secure than the Physical Servers They Replace Through 2012”
I. Information Security Isn't Initially Involved in the Virtualization Projects
II. A Compromise of the Virtualization Layer Could Result in the Compromise of All Hosted Workloads
III. Workloads of Different Trust Levels Are Consolidated onto a Single Physical Server Without Sufficient Separation
IV. Adequate Controls on Administrative Access to the Hypervisor/VMM Layer and to Administrative Tools are Lacking
V. There Is a Potential Loss of SOD for Network and Security Controls (SOD: Separation Of Duties)
Source: MacDonald, Neal. Addressing the Most Common Security Risks in Data Center Virtualization Projects, Gartner, Inc. January 25, 2010
...
SECURE VIRTUALIZATION FRAMEWORK – VIRTUALIZATION VISIBILITY GAPS

Figure: two ESX hosts behind an IPS at the Core. Each host runs application VMs (App/OS) on a Virtual Switch above the Hypervisor with a VMsafe Kernel Module; the IPS sits at the core, outside the hosts.
(1) Host to Host – IPS inspection on each uplink is expensive/unmanageable
(2) VM to VM – No way to insert physical IPS
(3) VM Mobility – What happens when a VM moves?
SECURE VIRTUALIZATION FRAMEWORK – TIPPINGPOINT VCONTROLLER

Figure: three ESX hosts, each running application VMs (App/OS) on a Virtual Switch above the Hypervisor with VMsafe; a vController on the host applies Redirection Policies that steer VM traffic to the IPS at the Core.
• Utilizes same specialized hardware as physical network segments
• Policy-based redirection ties IPS inspection to VMs
• VMsafe kernel module integration provides deep insight into VM behavior and maintains low redirection latency (<80us)
• Manage all virtual and physical networks with the same tools
• VMC console provides full visibility into logical VM connectivity
http://www.bestofinterop.com/winners/#security
WHAT ABOUT VIRTUAL IPS? – RESTRICTED SCALABILITY

Figure: an ESX host running application VMs (App/OS) on a Virtual Switch above the Hypervisor with a VMsafe Kernel Module, with a vIPS running as one more VM on the same host; a physical IPS sits at the Core.
• Can be effective in smaller environments
• Cannot take advantage of specialized hardware
• Shares resources with other VMs
• Latency is typical due to lack of hardware acceleration
• Difficult to establish performance baselines
VISUALIZE YOUR VIRTUALIZATION – TIPPINGPOINT VIRTUALIZATION MANAGEMENT CENTER (VMC)
• Empower network/security teams with real-time visibility into virtual environment
• Integration with virtualization management
• Topology mapping provides identification of virtual/physical network paths
TIPPINGPOINT VMC – IT’S ALL ABOUT THE INSPECTION POLICIES
• Assign policies by VM and/or zone, not location or network connection
• Automate trust zone assignment for new or untrusted workloads
• Ensure policies follow VM regardless of state (in motion, powered on, powered off)
• Cloned VMs must automatically inherit parent policies
SUMMARY
Securing The Next Generation Data Center

Immediate, Always Up To Date Protection
• Protects in Minutes
• Automated DV Updates
• Most Timely Protection
• Leading Zero-Day Protection
• Intuitive management

Stop Threats Faster
• Proactive Security Model
• Best Inline Enforcement
• Broadest Security
• DVLabs Leading Security Research
• Zero-Day Initiative
• Application Visibility
• Vulnerability Intelligence

Protects Highest Bandwidth Data Centers
• Highest performance
• 20Mbps to 16Gbps
• Latency in Microseconds
• Protects Layer 2-7
• Inline or out-of-band deployment options
• Deployment Options for Virtual Data Centers

Secure Virtualization Framework
• vController
• Visibility and control
• Leverage existing hardware investments
• No compromise to consolidation ratio
THANK YOU