
Page 1:

©2015 Check Point Software Technologies Ltd.

SECURING SOFTWARE DEFINED DATA CENTERS

Martin Koldovský, SE Manager Eastern Europe, [email protected]

Page 2:

DID YOU KNOW?

months is the average time to deliver a new DC service.

Source: Gartner Research

Page 3:

DID YOU KNOW?

1 in 5 companies fire employees due to downtime.

Source: Gartner Research

Page 4:

Average cost of downtime: $7,900 per minute

Source: Gartner Research

Page 5:

What does it take to deploy a service?

• Locating an available server
• Deploying the server
• Connecting the server to the right switch
• Configuring admin access
• Configuring IP connectivity
• Checking NAT and routes
• Fixing the routes
• Installing the needed web application
• Setting up the application
• Configuring the load balancer
• Setting up the reverse proxy
• Asking the security admin to configure access
• Asking the security admin again
• Realizing the IP is wrong
• Fixing the configuration
• Monitoring the Data Center utilization
• Checking the connectivity to the new server

Page 6:

"It is nearly impossible for today's data center to run at business speed."

ZK Research

Page 7:

Software Defined Data Center

Page 8:

DATA CENTER EVOLUTION

Traditional Data Center
• Dedicated and isolated hardware
• Low utilization
• Low flexibility

Virtualized Data Center
• Server consolidation and virtualization
• Optimized compute utilization
• Performance issues

Software Defined Data Center
• Offers infrastructure as a service
• Better utilization
• Higher flexibility / capacity on demand

Server Virtualization (2007-2010): allows aggregation of multiple independent virtual servers on a physical server.

Network Virtualization: decouples the physical infrastructure from the connectivity services, making the network adaptive and dynamic with simple one-touch provisioning.

[Diagram labels: Compute, Access, Data Center Core, Campus Core, Distribution Layer, Access Layer]

Page 9:

From traditional networks to SDDC

Traditionally, switches and routers learn the network topology by communicating with neighbor devices.

Page 10:

SDN: the foundation for SDDC

Software Defined Networking: with SDN, network devices get directions from a central controller.

[Diagram label: Controller]

Page 11:

Benefits of SDN

SDN allows modern networks to be more agile and automated.

[Diagram labels: Controller, Network App]

Page 12:

A Software Defined Data Center

• The Software Defined Data Center revolutionizes IT by implementing SDN concepts and supporting:
• Orchestration and automation
• Private/hybrid cloud
• Self-provisioning for applications

Page 13:

We need a new security model, don't we?

Page 14:

SOFTWARE DEFINED PROTECTION

ENFORCEMENT LAYER: inspects traffic and enforces protection in well-defined segments

CONTROL LAYER: delivers real-time protections to the enforcement points

MANAGEMENT LAYER: integrates security with business process

Page 15:

SDP AND SDN MODELS WORK IN SYNERGY

SDN: an emerging network architecture decoupling the network control and data planes. Data flows between network nodes are controlled via a programmable SDN controller.

SDP (Software Defined Protection): an overlay architecture enforcing security on traffic flows within an SDN network. Data flows are programmed to pass through SDP enforcement points.

Page 16:

SDDC security requirements

ENFORCEMENT LAYER
• Seamlessly deployed
• Physical and virtual
• Inspect dynamic flows
• Scalable
• Microsegment networks

Page 17:

SDDC security requirements

CONTROL LAYER
• SDDC aware
• Ecosystem integrated
• Control all enforcement points
• Deliver protections in real time

Page 18:

SDDC security requirements

MANAGEMENT LAYER
• Provide secured automation
• Enable orchestration
• Allow complete visibility

Page 19:

CHECK POINT SDDC

Page 20:

SDDC: Protect Data Center Perimeter

Page 21:

SDDC: Protect Virtual Environment

Page 22:

Software Defined Data Center flows

[Diagram callouts]
• Application server accesses another server in the same segment
• Packets are inspected regardless of IP segments
• Application server needs to access the DB server
• vSEC Gateway

Page 23:

Check Point vSEC Controller

Tight integration with VMware vCenter and NSX enables using cloud objects in Check Point rules.

[Diagram labels: Security Management with vSEC Controller Add-On installed; vSphere; NSX Controller; Virtual Machines; Security Groups]

Page 24:

Security Policy: objects imported from vCenter and NSX

Check Point Access Policy

Rule | From                    | To                      | Service | Action
3    | WEB_VM (vCenter Object) | Database (NSX SecGroup) | SQL     | Allow

vSEC is R77.30 integrated!

vSEC supports dynamic updates of objects learned from vCenter or NSX Controller: changes of IPs do not affect security!

Page 25:

Trigger Security Processes

• A bot is detected by the Check Point gateway
• Instant tagging of the infected virtual machine (NSX tag)
• The machine will get isolated!

[Diagram labels: DATA CENTER; Web, App and DB tiers of VMs]
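The mechanism behind the last two slides, written out as an added example (this is not Check Point's code and does not show how vSEC or NSX implement it): a toy first-match access policy whose rules name a VM object (WEB_VM, from the slide) and a security group (Database, from the slide) instead of IP addresses. Objects are resolved to addresses at match time, so re-addressing a VM leaves the policy untouched, and tagging an infected VM moves it into a Quarantine group that the top rules already block. The inventory, the DB_VM name, the IP addresses, the tag names and the tag-based group criteria are all constructed assumptions standing in for what vCenter and NSX would report; the log records carry VM names so they can be searched the way slide 27 describes.

```python
"""Added example, not Check Point code: object-based first-match policy
with match-time resolution of VM names and security groups to IPs."""
from dataclasses import dataclass, field


@dataclass
class VM:
    name: str
    ip: str
    tags: set = field(default_factory=set)


@dataclass
class Rule:
    src: str      # object name: a VM name, a group name, or "Any"
    dst: str
    service: str  # e.g. "SQL", or "Any"
    action: str   # "Allow" or "Drop"


class Inventory:
    """Constructed stand-in for the vCenter/NSX objects a controller imports."""

    def __init__(self, vms):
        self.vms = {vm.name: vm for vm in vms}
        # Security groups are membership criteria, not static IP lists
        # (assumption: tag-based groups; names and tags are hypothetical).
        self.groups = {
            "Database": lambda vm: "tier:db" in vm.tags,
            "Quarantine": lambda vm: "quarantine" in vm.tags,
        }

    def resolve(self, obj):
        """Current IPs behind an object, recomputed on every call."""
        if obj == "Any":
            return None  # wildcard
        if obj in self.vms:
            return {self.vms[obj].ip}
        if obj in self.groups:
            return {vm.ip for vm in self.vms.values() if self.groups[obj](vm)}
        raise KeyError(f"unknown object {obj!r}")

    def name_of(self, ip):
        """VM name for an address, or the bare address if nothing owns it."""
        return next((vm.name for vm in self.vms.values() if vm.ip == ip), ip)

    def set_ip(self, name, ip):
        self.vms[name].ip = ip

    def tag(self, name, tag):
        self.vms[name].tags.add(tag)


POLICY = [
    # Quarantine rules first: anything tagged as infected is isolated.
    Rule("Quarantine", "Any", "Any", "Drop"),
    Rule("Any", "Quarantine", "Any", "Drop"),
    # Application rule written against objects rather than addresses
    # (rule 3 on slide 24).
    Rule("WEB_VM", "Database", "SQL", "Allow"),
]


def evaluate(inv, policy, src_ip, dst_ip, service):
    """First-match evaluation; returns a log record searchable by VM name."""
    for num, rule in enumerate(policy, start=1):
        src_set, dst_set = inv.resolve(rule.src), inv.resolve(rule.dst)
        if (src_set is None or src_ip in src_set) and \
           (dst_set is None or dst_ip in dst_set) and \
           rule.service in ("Any", service):
            action = rule.action
            break
    else:
        num, action = 0, "Drop"  # implicit cleanup rule
    return {"rule": num, "action": action, "service": service,
            "src": inv.name_of(src_ip), "dst": inv.name_of(dst_ip)}


def scenario():
    """Walks the three situations from the slides; returns the log records."""
    inv = Inventory([VM("WEB_VM", "10.0.1.10"),
                     VM("DB_VM", "10.0.2.20", {"tier:db"})])
    log = []
    # 1. Application server reaches the database: matched by rule 3.
    log.append(evaluate(inv, POLICY, "10.0.1.10", "10.0.2.20", "SQL"))
    # 2. The database VM is re-addressed; the policy is unchanged and still
    #    matches, while the old address no longer belongs to anything.
    inv.set_ip("DB_VM", "10.0.2.99")
    log.append(evaluate(inv, POLICY, "10.0.1.10", "10.0.2.99", "SQL"))
    log.append(evaluate(inv, POLICY, "10.0.1.10", "10.0.2.20", "SQL"))
    # 3. The gateway detects a bot on the web server and tags it; the VM
    #    now falls into the Quarantine group and rule 1 isolates it.
    inv.tag("WEB_VM", "quarantine")
    log.append(evaluate(inv, POLICY, "10.0.1.10", "10.0.2.99", "SQL"))
    return log


if __name__ == "__main__":
    for rec in scenario():
        print(rec)
```

The point worth checking in a real deployment is the second case: after the re-IP, traffic to the old address falls through to the cleanup rule, so a stale static rule elsewhere in the rulebase would be the only thing still allowing it. The quarantine rules sit above the application rules on purpose; a tag-driven group only isolates a machine if no earlier rule lets its traffic through.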

Page 26:

Secured Automation with R80

Data Center Admin: orchestration via secure API

Assign different levels of permissions for granular and secure policy management.

Page 27:

Data Center Visibility

Check Point SmartLog: searching any log by VM name is just the beginning.

Page 28:

Check Point SDDC security model

Page 29:

Summary

Check Point SDDC security solutions
• Advanced security protections seamlessly enforced inside the SDDC
• Agile security provisioning for the SDDC
• Comprehensive threat visibility across the SDDC

Page 30:

THANK YOU!