SDN & the pursuit of building more secure datacenters
Hussein Khazaal, Sr. Director Technical BD, @hakhazaal

Posted on 20-Aug-2020

TRANSCRIPT

Page 1 (title slide)

Copyright 2015 Alcatel-Lucent. All rights reserved.
CONFIDENTIAL - SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW. PROPRIETARY - USE PURSUANT TO COMPANY INSTRUCTION

SDN & the pursuit of building more secure datacenters
Hussein Khazaal, Sr. Director Technical BD, @hakhazaal

Page 2: Nuage Networks

© 2016 Nokia. All rights reserved. Nuage Networks is a Nokia venture. CONFIDENTIAL - SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW. PROPRIETARY - USE PURSUANT TO COMPANY INSTRUCTION

• HQ in Silicon Valley with a global team
• A Nokia venture focused on datacenter network evolution for the cloud era
• Offers an open, high-performance, scalable SDN solution that supports any workload, anywhere and over any physical infrastructure
• Member of the OpenStack community (release timeline shown: Icehouse, Juno, Kilo, Liberty, Mitaka)

Page 3: Nuage Networks VSP Architecture

Nuage Networks Virtualized Services Platform (VSP)

Cloud Service Management Plane: Virtualized Services Directory (VSD)
• Network Policy Engine, abstracts complexity
• Service templates and analytics

Datacenter Control Plane: Virtualized Services Controller (VSC)
• SDN Controller, programs the network
• Rich routing feature set based on ALU 7x50
• MP-BGP towards the VRS instances and towards the edge router

Datacenter Data Plane: Virtual Routing & Switching (VRS)
• Distributed switch/router, L2-4 rules
• Integration of bare metal assets

[Figure: VSD on top, VSC in the middle, VRS instances running in each hypervisor at the bottom; a hardware gateway attaches bare metal, all connected over an IP fabric with an edge router]

Page 4: Market Trends Driving New Security Requirements

Threat Landscape
• Mitigate lateral spread
• Visibility to East/West traffic
• Fast response

Move to Cloud
• Security automation
• Multi-tenancy
• Support mobility

9/15/16

Page 5: Challenges with Existing Data Center Security Model

"1 Billion+ records breached in 2014" - Gemalto Research, 2015

"205 days on average to detect threats" - Mandiant M-Trends, 2015

"Firewall rule/ACL management is time-consuming and complex" - ESG IT Security Professionals Survey, 2015

Protection: lack of sufficient segmentation; limited by static network topology
Detection: lack of visibility for east/west traffic; manual intervention
Operations: complex; manual process

SDN can help address these challenges!

Page 6: Current Approaches Aren't Sufficient

Protection
§ Perimeter centric: requires trust between all apps and tenants
§ Cannot enforce internal segmentation

Detection
§ Lack of visibility/control for East-West datacenter traffic
§ Traditional approaches cannot scale for cloud

Operations
§ Manual processes delay policy changes and app delivery
§ Costly to remediate, manage and update

Page 7: Micro-Segmentation reduces risks with a "Zero-Trust" Model (Protection)

§ Benefits
  § Enforce security between end-points anywhere
  § Restricts lateral movement of malware

§ Use Cases
  § High value asset protection
  § PCI compliance
  § Restrict shared services access
  § Securing east/west application traffic

[Figure: zone-based architecture with Untrusted Zone / Outside (South), DMZ, Trusted Zone and Restricted Zone, each application (web, mobile, mail, DB, search, big data, VoIP and others) wrapped in its own perimeter. Source: Gartner, Network Security Architectures for Virtualized Data Centers, Joerg Fritsch, 10 August 2015; Figure 2]

Zero Trust reference: Forrester, Five Steps To A Zero Trust (ZT) Network, John Kindervag, July 27, 2016

Micro-segmentation is changing the network security architecture

Page 8: Nuage VSP enables Flexible Segmentation for ANY End-point (Protection)

§ Secure multi-tenancy
§ Isolation based on virtual networks
§ Logical segmentation using policy groups
§ Distributed L4 stateful firewall
§ Supports bare-metal, VMs, containers

[Figure: Tenant 1 with Virtual Network 1 (PCI Domain) containing the E-commerce front-end and E-commerce back-end policy groups, and Virtual Network 2 (Non-PCI Domain) containing Web Tier, App Tier and Data Tier policy groups]

Page 9: Security Automation with Nuage Networks VSP

• Automate security service insertion based on forwarding policy
• Automate security provisioning at the time of workload instantiation and removal
• Automate enterprise-wide security enforcement to ensure compliance

[Figure: the Network Security team defines a Global Policy Template and the Application Team defines an Application Specific Policy; both are rendered as ACL configuration on each hypervisor]

Page 10: Visibility and Security Monitoring in Virtual Networks (Detection)

• Contextual flow visibility
• Application flow detection
• Security alerts
• Monitoring reports
• ACL flow logging
• Policy based mirroring

[Figure: Web, App and DB tiers]

Page 11: Network and application-level microsegmentation with advanced threat protection: Sample Use-Case

Page 12: Better Visibility, Compliance & Accelerated Threat Detection

[Figure: Policy Engine (VSD) -> Controller (VSC) -> Distributed Routing and Switching (VRS). The VRS sends ACL allow and deny logs to an external syslog server, which feeds IDS/security analytics and retains the ACL logs for compliance and audit]

Page 13: Faster Incident Response [Automated Quarantine]

Nuage VSP API to quarantine infected servers/VMs:
• Move VM to Quarantine Zone
• Apply security policy to block select communications (e.g., C&C, FTP)

[Figure: IDS/IPS raises a security alert; security events reach the SIEM/IPS, which calls the Nuage VSP API; the VM is moved from the Non-Infected/Clean Zone to the Quarantine Zone]
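The policy-group segmentation of Page 8, the ACL allow/deny logging of Page 12 and the automated quarantine flow of this page, modelled in one added Python example that is not Nuage's code: a toy policy engine resolves endpoints to policy groups, evaluates flows against ordered L4 rules with default deny, emits syslog-style ACL log lines, and on a constructed IDS alert moves the endpoint into a Quarantine group and blocks the selected ports. The `PolicyEngine` class, the three-tier sample tenant and the alert format are assumptions; the real VSP API is not shown.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    src_group: str  # policy group of the sender, "*" = any group
    dst_group: str  # policy group of the receiver, "*" = any group
    dst_port: int   # TCP/UDP destination port, 0 = any port
    action: str     # "allow" or "deny"
@dataclass
class PolicyEngine:
    """Toy stand-in (assumption) for a VSD-style policy engine driving a distributed L4 ACL."""
    membership: dict = field(default_factory=dict)  # endpoint -> policy group
    rules: list = field(default_factory=list)       # ordered, first match wins
    acl_log: list = field(default_factory=list)     # syslog-style allow/deny lines
    def evaluate(self, src, dst, dst_port):
        """Resolve both endpoints to groups, apply the first matching rule (default deny),
        and record an ACL log line for audit and for the IDS/analytics feed."""
        sg, dg = self.membership[src], self.membership[dst]
        action = "deny"
        for r in self.rules:
            if (r.src_group in (sg, "*") and r.dst_group in (dg, "*")
                    and r.dst_port in (dst_port, 0)):
                action = r.action
                break
        self.acl_log.append(f"ACL {action.upper()} {sg}/{src} -> {dg}/{dst}:{dst_port}")
        return action
    def quarantine(self, alert):
        """Automated response to an IDS/SIEM alert: move the endpoint into the
        Quarantine group and block the selected communications (e.g. C&C, FTP)."""
        vm = alert["endpoint"]
        self.membership[vm] = "Quarantine"
        # Prepend so these rules take precedence over every existing allow rule.
        for port in alert["block_ports"]:
            self.rules.insert(0, Rule("Quarantine", "*", port, "deny"))
        self.rules.insert(0, Rule("*", "Quarantine", 0, "deny"))
        self.rules.insert(0, Rule("SecurityTools", "Quarantine", 0, "allow"))
        return self.membership[vm]

def demo():
    """Constructed three-tier tenant (Web/App/Data tier policy groups as on Page 8)."""
    pe = PolicyEngine(
        membership={"web1": "WebTier", "app1": "AppTier", "db1": "DataTier",
                    "ids1": "SecurityTools", "ext": "Internet"},
        rules=[Rule("WebTier", "AppTier", 8080, "allow"),
               Rule("AppTier", "DataTier", 3306, "allow"),
               Rule("*", "Internet", 0, "allow")])
    before = (pe.evaluate("app1", "db1", 3306), pe.evaluate("app1", "ext", 4444))
    pe.quarantine({"endpoint": "app1", "block_ports": [4444, 21]})  # constructed alert
    after = (pe.evaluate("app1", "db1", 3306), pe.evaluate("app1", "ext", 4444),
             pe.evaluate("app1", "ext", 443), pe.evaluate("ids1", "app1", 22))
    return before, after, pe.acl_log
```

After quarantine the lateral path app1 -> db1 and the blocked port are denied while unrelated egress on 443 and access from the security tools group remain allowed, and every decision is visible in the ACL log.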

Page 14: Nuage Networks VSP integration with industry leading products

§ Security Automation
  § Policy based insertion of physical or virtual security services
  § Policy based security automation for any workload

§ Advanced Security Controls
  § Application based micro-segmentation
  § Advanced threat protection

[Figure: Virtualized Services Directory and Virtualized Services Controller above hypervisors running the Virtualized Router/Switch, with a Physical Gateway and a Virtual Gateway; a Security Appliance Manager exchanges API calls for event and policy synchronization and manages a physical FW and vFWs]

Page 15: Advanced Security Solutions through Partner Integration

• Protection with broad security eco-system integration
• Solutions enable advanced micro-segmentation, threat detection inside the datacenter and automated quarantine
• Flexible security service insertion (physical or virtual security appliances)
• Investment protection (works with existing security appliances and operational models)

VSP built-in security: isolation, micro-segmentation, L4 distributed firewall, service insertion
Through partners: NGFW, advanced malware defense, IPS, DDoS protection, L4-7 distributed security, endpoint integrity checks

Page 16: Demo

[Figure: VMs & containers, any security vendor's firewall]

Page 17: Nuage Networks VSP Addresses Cloud and Enterprise Data Center Security Challenges

Secure Multi-tenancy for Private and Public Cloud
✓ Reduces risk, lowers infrastructure costs
✓ Enables cloud service providers to offer network security as a service

Micro-Segmentation Prevents Lateral Malware Spread
✓ Embedded L4 distributed firewall with Adv. L4-7 security service insertion
✓ Protects any workload (P, V, C), multi-hypervisor, any network

Policy based Security Automation and Compliance
✓ Policy based on logical context and grouping
✓ Automated provisioning of L4 security and compliance enforcement

Faster Incident Response with Automated Quarantine
✓ APIs for integration with threat detection/SIEM systems to automate quarantine

Page 18

THANK YOU! Want to learn more? Visit our OpenStack summit booth to see live demos, or our website at www.nuagenetworks.net/partners

Got questions? [email protected]