SECURING SOFTWARE DEFINED DATA CENTERS
©2015 Check Point Software Technologies Ltd.
Martin Koldovský, SE Manager Eastern [email protected]
DID YOU KNOW?
months is the average time to deliver new DC service.
Source: Gartner Research
DID YOU KNOW?
1 in 5 companies
fire employees due to downtime.
Source: Gartner Research
Average cost of downtime: $7,900 per minute
Source: Gartner Research
What does it take to deploy a service?
• Locating an available server
• Deploying the server
• Connecting the server to the right switch
• Configuring admin access
• Configuring IP connectivity
• Checking NAT and routes
• Fixing the routes
• Installing the needed web application
• Setting up the application
• Configuring the load balancer
• Setting up the reverse proxy
• Asking the security admin to configure access
• Asking the security admin again
• Realizing the IP is wrong
• Fixing the configuration
• Monitoring the Data Center utilization
• Checking the connectivity to the new server
“It is nearly impossible for today’s data center to run at business speed.” (ZK Research)
Software Defined Data Center
DATA CENTER EVOLUTION

Traditional Data Center
• Dedicated and isolated hardware
• Low utilization
• Low flexibility

Virtualized Data Center
• Server consolidation and virtualization
• Optimized compute utilization
• Performance issues

Software Defined Data Center
• Offers infrastructure as a service
• Better utilization
• Higher flexibility / capacity on demand

Server Virtualization (2007-2010): allows aggregation of multiple independent virtual servers to exist on a physical server.
Network Virtualization: decouples the physical infrastructure from the connectivity services, making the network adaptive and dynamic with simple one-touch provisioning.

[Figure: network tiers, labelled Compute, Access, Data Center Core, Campus Core, Distribution Layer and Access Layer]
From traditional networks to SDDC
Traditionally, switches and routers learn the network topology by communicating with neighbor devices.
SDN: the foundation for SDDC
Software Defined Networking: with SDN, network devices get directions from a central controller.
[Figure: a central Controller directing the network devices]
Benefits of SDN
SDN allows modern networks to be more agile and automated.
[Figure: Controller with Network Apps programming it]
A Software Defined Data Center
• A Software Defined Data Center revolutionizes IT by implementing SDN concepts and supporting:
• Orchestration & automation
• Private/hybrid cloud
• Self-provisioning for applications
We need a new security model, don’t we?
SOFTWARE DEFINED PROTECTION
Enforcement Layer: inspects traffic and enforces protection in well-defined segments
Control Layer: delivers real-time protections to the enforcement points
Management Layer: integrates security with business process
SDP AND SDN MODELS WORK IN SYNERGY
SDN: an emerging network architecture, decoupling network control and data planes. Data flows between network nodes are controlled via a programmable SDN controller.
SDP: an overlay architecture enforcing security traffic flows within an SDN network. Data flows are programmed to pass through SDP enforcement points.
SDDC security requirements
Enforcement layer
• Seamlessly deployed
• Physical and virtual
• Inspect dynamic flows
• Scalable
• Microsegment networks
SDDC security requirements
Control layer
• SDDC aware
• Eco-system integrated
• Control all enforcement points
• Deliver protections in real time
SDDC security requirements
Management layer
• Provide secured automation
• Enable orchestration
• Allow complete visibility
CHECK POINT SDDC
SDDC: Protect Data Center Perimeter
SDDC: Protect Virtual Environment
Software Defined Data Center flows
[Figure: two application servers in the same segment and a DB server, with a vSEC Gateway in the path]
• Application server accesses another server in the same segment
• Application server needs to access the DB server
• Packets are inspected regardless of IP segments
Check Point vSEC Controller
Tight integration with VMware vCenter and NSX enables using cloud objects in Check Point rules.
[Figure: Security Management with the vSEC Controller add-on installed, connected to vSphere and the NSX Controller; Virtual Machines and Security Groups are learned from them]
Security Policy: objects imported from vCenter and NSX
Check Point Access Policy
Rule  From                     To                       Service  Action
3     WEB_VM (vCenter Object)  Database (NSX SecGroup)  SQL      Allow
vSEC is R77.30 integrated!
vSEC supports dynamic updates of objects learned from vCenter or the NSX Controller: changes of IPs do not affect security!
Trigger Security Processes
[Figure: data center with Web, App and DB virtual machines under NSX; one VM receives an NSX tag]
• A bot is detected by the Check Point gateway
• Instant tagging of the infected virtual machine
• The machine will get isolated!
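The two mechanisms on the policy slide and on this slide (rules that name vCenter/NSX objects instead of IPs, and a tag that moves a VM into an isolating security group) modelled as an added Python example. This is constructed illustration code, not Check Point's implementation: the object names, the IP addresses, the `Quarantine` group and the rules other than rule 3 are assumptions made for the walkthrough.

```python
# Toy model (constructed, not Check Point code) of an access policy whose
# rules name data-center objects (VMs, NSX-style security groups) rather
# than IP addresses. The IP sets behind each object are resolved at
# evaluation time, so an IP change or a new tag changes enforcement
# without touching the rule base.
from dataclasses import dataclass, field


@dataclass
class VM:
    name: str
    ips: set
    tags: set = field(default_factory=set)


@dataclass
class Rule:
    number: int
    src: str        # object name, or "Any"
    dst: str
    service: str    # e.g. "SQL", or "Any"
    action: str     # "Allow" or "Drop"


class Inventory:
    """Stand-in for the objects a controller learns from vCenter/NSX."""

    def __init__(self):
        self.vms = {}
        self.groups = {}   # security-group name -> membership tag

    def add_vm(self, vm):
        self.vms[vm.name] = vm

    def define_group(self, name, tag):
        self.groups[name] = tag

    def set_ips(self, vm_name, ips):
        """Simulates vCenter reporting a new address for a VM."""
        self.vms[vm_name].ips = set(ips)

    def tag(self, vm_name, tag):
        """Simulates a security tag applied to a VM (e.g. after detection)."""
        self.vms[vm_name].tags.add(tag)

    def resolve(self, obj):
        """Current IP set behind an object name; None stands for 'Any'."""
        if obj == "Any":
            return None
        if obj in self.vms:
            return set(self.vms[obj].ips)
        if obj in self.groups:
            tag = self.groups[obj]
            return {ip for vm in self.vms.values() if tag in vm.tags for ip in vm.ips}
        raise KeyError(f"unknown policy object {obj!r}")


class Policy:
    def __init__(self, inventory, rules):
        self.inv = inventory
        self.rules = sorted(rules, key=lambda r: r.number)

    def evaluate(self, src_ip, dst_ip, service):
        """First-match evaluation with an implicit cleanup Drop."""
        for r in self.rules:
            src, dst = self.inv.resolve(r.src), self.inv.resolve(r.dst)
            if ((src is None or src_ip in src)
                    and (dst is None or dst_ip in dst)
                    and r.service in ("Any", service)):
                return r.number, r.action
        return None, "Drop"


def build_demo():
    """Constructed inventory and rule base; rule 3 mirrors the slide."""
    inv = Inventory()
    inv.add_vm(VM("WEB_VM", {"10.0.1.10"}, {"web"}))
    inv.add_vm(VM("DB_VM", {"10.0.2.20"}, {"db"}))
    inv.define_group("Database", "db")          # NSX-style security group
    inv.define_group("Quarantine", "infected")  # membership driven by a tag
    rules = [
        Rule(1, "Quarantine", "Any", "Any", "Drop"),   # isolate tagged VMs
        Rule(2, "Any", "Quarantine", "Any", "Drop"),
        Rule(3, "WEB_VM", "Database", "SQL", "Allow"),
    ]
    return inv, Policy(inv, rules)


def walkthrough():
    """Returns (matched rule, action) for each step of the scenario."""
    inv, policy = build_demo()
    results = {}
    results["initial"] = policy.evaluate("10.0.1.10", "10.0.2.20", "SQL")
    # vCenter reports a new IP for WEB_VM: the rule base is not edited.
    inv.set_ips("WEB_VM", {"10.0.1.55"})
    results["after_ip_change"] = policy.evaluate("10.0.1.55", "10.0.2.20", "SQL")
    results["stale_ip"] = policy.evaluate("10.0.1.10", "10.0.2.20", "SQL")
    # The gateway detects a bot on WEB_VM and tags it; rule 1 now matches first.
    inv.tag("WEB_VM", "infected")
    results["after_tag"] = policy.evaluate("10.0.1.55", "10.0.2.20", "SQL")
    return results


if __name__ == "__main__":
    for step, (rule, action) in walkthrough().items():
        print(f"{step:16s} rule={rule} action={action}")
```

The point to check when adopting this pattern in a real rule base is the first-match order: the quarantine rules must sit above the application rules, otherwise a tagged VM keeps its allowed flows. The `stale_ip` step also shows why object-based rules are safer than address-based ones: an address that no longer belongs to any inventory object matches nothing and falls to the cleanup Drop.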
Secured Automation with R80
[Figure: Data Center Admin driving orchestration via a secure API]
Orchestration via Secure API
Assign different levels of permissions for granular and secure policy management
Data Center Visibility
Check Point SmartLog
Searching any log by VM name is just the beginning.
Check Point SDDC security model
Summary
Check Point SDDC security solutions
• Advanced security protections seamlessly enforced inside the SDDC
• Agile security provisioning for the SDDC
• Comprehensive threat visibility across the SDDC
THANK YOU!