Security Challenges in the Cloud
Security is the Primary Concern in the Cloud
63%: “Security and Privacy are the top reasons for NOT using the Public Cloud”
83%: “Security is an important criterion to be considered when it comes to Hybrid Clouds.”
Traditional Perimeter Security Fails
[Figure: tenants behind an Internet-facing perimeter, with uninspected north-south and east-west traffic between them]
• No visibility of internal traffic and threats in cloud deployments
• No security for East-West workloads
• No scalability of security in cloud environments
The Challenges of Cloud Security
Complete Protection for the Cloud
[Figure: north-south and east-west protection applied across VPCs]
Hillstone CloudHive
Value Proposition:
Micro-Segmentation Solution
What is Hillstone CloudHive?
CloudHive Modules
• One vSOM, to manage the service lifecycle
• Two vSCMs, for High Availability
• Up to 200 vSSMs, in each physical server
• One or multiple vDSMs, for log forwarding
[Figure: the vSOM integrates with the cloud orchestration layer (vCenter, FusionSphere or OpenStack Controller); the HA vSCM pair, the vDSM and the vSSMs sit beneath it]
How Does Hillstone's CloudHive Work?
[Figure: a VM moves from the source server to the destination server by vMotion / live migration; the security service is prepared on the destination, the policy is distributed, and protection moves with the VM]
Hillstone CloudHive Value Proposition
Deep Visibility · Improved Productivity · Micro-Segmentation
CloudHive Architecture
[Figure: CloudHive architecture, integrated with VMware vCenter or OpenStack Controller]
Designed for the Virtual Environment
[Figure: CloudHive sits on the virtual networks above the hypervisor]
• No plug-in on the hypervisor
• No hardware needed
Fully Distributed
• Distributed deployment
• Scale up or down
• Centralized management
• Ease of deployment
• VM-level synchronization
Non-Disruptive
• Security services: APP, AD, IPS, AV, URL Filtering
• Inline, transparent insertion between the VM and the virtual switch: no interruption to the network
• Changes in the cloud (add VM/network, change VM name, VM migration, …) are reported by vCenter or OpenStack to the vSOM (management plane), which identifies the change in cloud assets; the vSCMs (control plane) then push the policy and session changes to the service fabric.
Separation of Data and Management Network
Highly Available Distributed Architecture
• A vSOM “VM shutdown” does not affect the CloudHive service
• Separation of the management, control and service planes ensures service stability
• vSCMs are deployed in pairs (Active/Passive) to provide high availability
• A single vSSM “VM down” does not affect the system; the user VM traffic can bypass the vSSM (note that this is fail-open: that traffic is uninspected until the vSSM is back)
• The vSCM can reboot and restart the security service automatically after a “VM down”
• vMotion support: security policy and flow sessions automatically synchronize across multiple service modules
• Support for In Service Software Upgrade (ISSU)
[Figure: distributed processing with a non-distributed, no-sync architecture versus distributed processing with a fully distributed, real-time-sync architecture]
Deep Visibility · Improved Productivity · Micro-Segmentation
Visibility of Virtual Assets
[Figure: network statistics view]
Virtual Network Resource Topology
[Figure: topology of the business zone and the management zone, with irregularities and anomalies marked]
Overview:
• Network architecture
• Virtual machine density
• The complexity of interaction between virtual machines
Scrutiny:
• Affiliation between the network and virtual machines
• Traffic interaction in the network
• Traffic interaction between virtual machines
• Anomalies and irregularities
Display of Complex Internal Communications
Application Visibility – Network View
[Figure: network dimension; application type, traffic direction and traffic statistics per network]
Application Visibility – Virtual Machine View
[Figure: virtual machine dimension; application type, traffic direction, traffic statistics and policy per VM]
Application View
[Figure: application characteristic distribution, top 10 categories, top 10 applications]
Network Threat Visibility
• Web attack
• Spoofing
• Hijacking
• DDoS flood
• Cross-site scripting
[Figure: network threat tracking view]
Network Threat Statistic
[Figure: threat distribution and threat details]
Network Traffic Statistic
[Figure: traffic statistics in the VM dimension]
Network Traffic Tracking
Detecting abnormal behavior based on multi-dimensional analysis of network traffic
Visibility: Accurate Depiction of Threat
[Figure: threat drill-down; step 2 is to select the application/threat]
Service Performance Monitor (SPM) - Overview
Displays the performance data of virtual machines, services, and networks in the service group, synchronized from the group management function.
Service Performance Monitor (SPM) - Details
Display services and their internal and external connections in a topology view.
Screen Casting
Users can intuitively understand the overall situation of the entire cloud environment from this interface.
Comprehensive Threat Report
The report generates the information users need for data retention, reporting, and other tasks on network data, and provides important support for compliance audits.
[Figure: Cloud Security Risk Assessment Report]
Comprehensive Threat Report
[Figure: high-risk traffic statistics and cloud threat trends]
Threat/Session Log Output at a High Speed
[Figure: the vSOM and the vSCM pair on the cloud platform network; the vSCMs forward threat/session logs through the vDSM to a big data analysis platform; the business network is shown separately]
Deep Visibility · High Productivity · Micro-Segmentation
Productivity: Automation, Compatibility and Scalability
Productivity features:
• On-demand monitoring
• Multiplatform
• Policy (strategy) learning
• ISSU
• Session synchronization
• Custom service
• Third-party management
• Online capture
Support for Multiple Virtualized Platform
[Figure: platform logos: Huawei FusionSphere / FusionCompute, OpenStack, and one labelled v6.7]
Efficient Processing
• Concurrent transactions: 5 threads, parallel processing
• No waiting, continuous operation
On-Demand, Flexible Control
[Figure: VMs App1…Appn, Web1…Webn, Mail1…Mailn, SQL1…SQLn, FTP1…FTPn, Xxx1…Xxxn on the virtual network]
Example policy, evaluated in order:
① APP* → FTP → Permit
② Mail → SQL → Permit
③ SQL → Any → Deny
④ Any → Net3 → Permit
Increase Policy for Same Type of VMs
• Separate security domains for each type of VM
• Deploy appropriate security policies for each VM-type security domain
• A newly added virtual machine of the same type is automatically put into the corresponding security domain
• Similar security policies are deployed for newly added virtual machines of the same type
• When virtual machines are removed, the security domain adjusts automatically
[Figure: Web, APP and DB security domains, each holding VMs of that type]
Building the micro-segmentation policy:
1. Configure a broad policy (Policy ID: 1, Source: Internal, Destination: Internal, Service: Any, Operation: Permit)
2. View the session log after a trial run for a while
3. Write aggregation rules from the observed sessions
→ Micro-segmentation policy
Policy Hit and Redundancy Check
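The “permit all, observe the session log, aggregate” procedure above and the ordered rule example on the On-Demand, Flexible Control slide, as an added example in Python that is not Hillstone's code: it models group-to-group rules with first-match evaluation, aggregates a constructed session log into Permit rules closed by a Deny, counts policy hits per rule, and flags shadowed (redundant) rules. The VM names, group tags, ports and log lines are constructed for illustration, and the rule model is a simplification that does not reproduce CloudHive's actual policy syntax.

```python
# Added example, not CloudHive code: a simplified first-match rule model used to
# show the 'permit all, observe, aggregate' workflow and a policy hit/redundancy check.
# VM names, group tags, services and the session log below are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional

ANY = "Any"


@dataclass(frozen=True)
class Rule:
    src: str       # VM group tag (e.g. "Web") or ANY
    dst: str       # VM group tag or ANY
    service: str   # "<proto>/<port>" (e.g. "tcp/3306") or ANY
    action: str    # "Permit" or "Deny"


def covers(broad: str, narrow: str) -> bool:
    """True if match field `broad` matches everything `narrow` matches."""
    return broad == ANY or broad == narrow


def match_index(rules: List[Rule], src: str, dst: str, service: str) -> Optional[int]:
    """Index of the first rule matching the flow (first-match semantics), or None."""
    for i, r in enumerate(rules):
        if covers(r.src, src) and covers(r.dst, dst) and covers(r.service, service):
            return i
    return None


def evaluate(rules: List[Rule], src: str, dst: str, service: str) -> str:
    """Action for a flow; a flow matching no rule is denied (implicit deny)."""
    i = match_index(rules, src, dst, service)
    return rules[i].action if i is not None else "Deny"


def parse_session(line: str, vm_group: Dict[str, str]):
    """Map one constructed log line 'src_vm dst_vm proto dport' to group-level keys."""
    src_vm, dst_vm, proto, dport = line.split()
    return vm_group[src_vm], vm_group[dst_vm], f"{proto}/{dport}"


def aggregate(log_lines: List[str], vm_group: Dict[str, str]) -> List[Rule]:
    """Step 3 of the slide: collapse the sessions seen under the permit-all trial policy
    into one Permit rule per (src group, dst group, service), then close with a Deny."""
    seen: Dict[tuple, int] = {}
    for line in log_lines:
        key = parse_session(line, vm_group)
        seen[key] = seen.get(key, 0) + 1   # dict keeps first-seen order
    rules = [Rule(s, d, svc, "Permit") for (s, d, svc) in seen]
    rules.append(Rule(ANY, ANY, ANY, "Deny"))
    return rules


def hit_counts(rules: List[Rule], log_lines: List[str], vm_group: Dict[str, str]) -> List[int]:
    """Policy hit check: how many logged sessions each rule is the first match for."""
    counts = [0] * len(rules)
    for line in log_lines:
        i = match_index(rules, *parse_session(line, vm_group))
        if i is not None:
            counts[i] += 1
    return counts


def shadowed(rules: List[Rule]) -> List[int]:
    """Redundancy check: indices of rules that can never be hit because an earlier
    rule already covers every flow they match (whatever the actions are)."""
    out = []
    for j, rj in enumerate(rules):
        if any(covers(ri.src, rj.src) and covers(ri.dst, rj.dst) and covers(ri.service, rj.service)
               for ri in rules[:j]):
            out.append(j)
    return out


# Constructed data: a three-tier application and the sessions logged during the trial run.
VM_GROUP = {"web1": "Web", "web2": "Web", "app1": "App", "db1": "DB"}
SESSION_LOG = [
    "web1 app1 tcp 8080",
    "web2 app1 tcp 8080",
    "app1 db1 tcp 3306",
    "web1 app1 tcp 8080",
]

# The slide's ordered example: rule 3 (SQL -> Any Deny) precedes rule 4 (Any -> Net3 Permit),
# so SQL servers cannot reach Net3 even though every other group can.
SLIDE_RULES = [
    Rule("APP", "FTP", ANY, "Permit"),
    Rule("Mail", "SQL", ANY, "Permit"),
    Rule("SQL", ANY, ANY, "Deny"),
    Rule(ANY, "Net3", ANY, "Permit"),
]

# A mis-ordered policy: the narrow App->DB rule sits below a broad App->Any rule.
MISORDERED = [Rule("App", ANY, ANY, "Permit"), Rule("App", "DB", "tcp/3306", "Permit"), Rule(ANY, ANY, ANY, "Deny")]

if __name__ == "__main__":
    policy = aggregate(SESSION_LOG, VM_GROUP)
    for r, hits in zip(policy, hit_counts(policy, SESSION_LOG, VM_GROUP)):
        print(f"{r.src:>4} -> {r.dst:<4} {r.service:<9} {r.action:<6} hits={hits}")
    print("Web -> DB tcp/3306:", evaluate(policy, "Web", "DB", "tcp/3306"))
    print("SQL -> Net3:", evaluate(SLIDE_RULES, "SQL", "Net3", "tcp/22"))
    print("shadowed rule indices:", shadowed(MISORDERED))
```

Aggregating a trial-run log permits whatever was observed during the trial, including any unwanted traffic that happened to be present, so the generated rules should be reviewed before the closing Deny is enforced. A rule with zero hits after the trial is a candidate for removal, and a shadowed rule is never reached regardless of its action, which is what the Policy Hit and Redundancy Check is for.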
Customized Services
Communication traffic on non-standard ports (TCP 8888, TCP 4321, TCP 33389, …) raises the question: what is this application/service? Defining a customized service gives that traffic a name, so it appears by name on the dashboard.
Packet Capture in the Cloud
Benefit: helps the administrator locate any gaps in the cloud, regardless of:
• Data source
• Destination
• Simultaneous and multiple capture points
Guarantee Business Continuity
Prevent disruptions during VM migrations.
[Figure: in-service vSSM upgrade on a physical server hosting VM1, VM2 and VM3 behind the virtual switch: 1. deploy the new vSSM; 2. synchronize state from the old vSSM; 3. drain traffic to the new vSSM; 4. upgrade (old vSSM replaced by the new one); 5. release the old vSSM]
HA of Distributed Architecture
[Figure: distributed processing with a non-distributed, unsynchronized architecture versus distributed processing with a distributed, real-time-synchronized architecture]
• Redundancy protection: main control module HA with real-time synchronization of configuration management
• Migration support: HA based on the mature, general-purpose virtualization migration technology (vSOM and vSCM only)
• Bypass function: a vSSM module failure unlocks protection (traffic bypasses the failed module)
• Self-recovery capability: the system automatically rebuilds a lost vSSM module
• Security service following: sessions and policy automatically follow a virtual machine when it migrates
Deep Visibility · Improved Productivity · Micro-Segmentation
Common Micro-Segmentation Solutions
① Virtual switch based (VDS & VSS + OVS)
② Host agent protection
③ Network switch control
CloudHive Micro-Segmentation
• Threat / application / traffic visibility
• Provides 2 layers of network control
• Provides L2-L7 security services for VMs
[Figure: virtual switch with two firewall layers]
CloudHive Micro-Segmentation
[Figure: logical segmentation by department (A, B, C) and by application (Website, Application A)]
Security Protection Features
[Figure: FW, WAF, IPS, AD, AV and ARP protection around VM A and VM B]
• Application/Service: 3000+ application identification
• Abnormal behavior: 8000+ abnormal behavior identification
• Antivirus: 3.2 million virus signature detection
• Attack Defense: Anti-DoS/DDoS, including SYN Flood and DNS Query Flood defense
• Network attack defense: by SIP/DIP/SPort/DPort/Protocol
Attack Defense
• Risk:
– Internal sniffing after a VM is compromised
– Critical assets are not protected
– Abuse of cloud computing resources
• Impact:
– Provides a viable channel for seizing privileges and breaching data
– Cloud resources are used to launch external attacks
– The quality of cloud services is impacted
• Solution:
– Limit high-frequency access from internal virtual machines
– Mitigate the deeper damage caused by attacks from adjacent hosts
• Highlights:
– Abnormal protocol attack defense
– Anti-DoS/DDoS, including SYN Flood and DNS Query Flood defense
– Port scan detection and defense
ARP Attack Protection: Escorting the Underlying Network of the Cloud Platform
[Figure: cartoon of an attacker asking a neighbouring VM for its account and passwords]
• Risks and problems:
– An internal virtual machine is infected by malware
– An internal virtual machine is breached to steal or tamper with sensitive data
• Impacts:
Firewall
Tailored cloud security protection: micro-segmentation with a cloud firewall
[Figure: access control in the VM / port group, user, APP/service and IP / port / protocol dimensions, applied by the firewall at the virtual switch]
• Risk:
– Lack of internal segmentation
– Single access point problem: a compromise easily spreads globally
– Does not meet classified data protection policies (China)
• Impact:
– Springboard (pivot) access exposes the limits of traditional security protection
– Flood attacks spread easily internally, decreasing the quality and security of the network and applications
• Solution:
– Low threshold: with its unique drainage (traffic steering) technology, network traffic is drained to the service without additional plugins
– No network changes necessary: deployed at layer 2
– Multidimensional: on top of traditional (IP/port/protocol) protection, provides virtual machine and port group dimensions of access control for the cloud environment
– Versatile: suitable for server virtualization scenarios, and also applies to VDI desktop virtualization scenarios
Intrusion Prevention
• Risk:
– Network layer attacks: vulnerability scans, buffer overflows, and network worms
– Application layer attacks/spread: Trojans, SQL injection, XSS, and CC attacks from a compromised host
• Impact:
– Abnormal access between VMs
– Indirectly degrades network quality of service
• Solution:
– Recognize, locate and visualize VMs with abnormal behavior, reducing the chance of compromising internal VMs
– Intercept/block the spread of the abnormal behavior, mitigating the internal spread of risk after a virtual machine is compromised
• Highlights:
– Distributed detection mechanism, avoiding access bottlenecks
– 8000+ abnormal behavior signature base
– NSS Labs recommended
– Forensics
[Figure: detected malicious actions: known vulnerability attacks, unusual protocol access, SQL injection/XSS, network congestion caused by internal violations/exceptions, phishing, Trojans]
Anti-Virus
Hillstone CloudHive
Value Proposition:
Joint Solution with NSX
What is NSX?
NetX APIs are used to build networking and security services over VMware infrastructure. The NetX APIs allow partners to integrate their existing or new solutions inside the VMware workflow management and tap valuable information inside vSphere to provide services. Currently, solutions supported by these APIs include load balancing (LB), WAN optimization, and intrusion detection and prevention (IDS/IPS) service integration.
EPSec APIs are used to deliver endpoint security solutions in a more efficient manner that does not require the management of resource-intensive agents inside the guest VM. The VMware EPSec APIs allow partners to eliminate the requirement for these agents and instead consolidate security intelligence into a single Security Virtual Appliance (SVA) per ESXi host. Currently, solutions supported by these APIs include anti-virus (AV) and file integrity monitoring (FIM).
NSX(SDN) and CloudHive Integration Solution
In-depth visibility and optimization:
• Threat and application visibility
• Cloud security report
• Layer 5-7 advanced threat protection
NSX DFW Protects the Internal Network Separately
CloudHive+DFW Intranet Protection
[Figure: IPS, AV and application identification on each host alongside the NSX DFW, between the Internet and the intranet]
How VMware NSX Redirects Traffic
[Figure: 1. the VM sends the packet; NSX redirects it to the Security Service VM]
vSCM (virtual Security Control Module): serves as the central data synchronization point for the service VMs, and manages the security service VMs for configuration and status monitoring.
vSSM (virtual Security Service Module): the service VM; provides the application security services.
The vSCM and the vSSMs need to connect to the same VDS port group, or be reachable from each other by IP address, for policies and logs to take effect immediately.
[Figure: a CC attack passes the NSX DFW, which allows HTTP (port 80), on the VSS/VDS of each ESXi host; the vSSM recognizes the CC attack inside the allowed HTTP traffic]
Visibility of the applications and threats in traffic between VMs and networks.
Use Case: A Province Smart City Project
[Figure: transport zones A, B, C and D on the virtual network]
CloudHive Components
Module | Definition | Function Description | Deployment

vSOM | virtual Security Orchestration Module | Management plane: integrates with a third-party CMP and manages the service lifecycle.
• Manages the lifecycle of the CloudHive system (system installation, stopping, deleting etc.)
• The CMP connects with the vSOM (Web UI / CLI / northbound interface)
Deployment: one CloudHive system deploys a single vSOM; it can be installed on any physical server.

vSCM | virtual Security Control Module | Control plane: centralized management and configuration for all vSSMs.
• Security policy configuration
• Manages the lifecycle of the vSSMs (monitors the starting and stopping of VMs)
• Collects logs/data
Deployment: one CloudHive system deploys two vSCMs in HA mode; they must be installed on two different physical servers.
CloudHive Performance
Firewall Throughput (Max): 5 Gbps | 1 Tbps | 5 Gbps | 1 Tbps
Max Concurrent Sessions: 1.7 Million | 340 Million | 3.4 Million | 580 Million
New sessions/sec (HTTP): 30,000 | 6 Million | 50,000 | 10 Million
• vDSM: max. performance is 200K PPS; 1 vDSM can support the log forwarding requirement of up to 7 vSSMs.
System Resource Requirement
vSCM (Virtual Security Control Module): 2 vCPU, 6 GB memory, 17 GB hard disk; 1 minimum, 2 recommended
vDSM (Virtual Data Service Module): 2 vCPU, 4 GB memory, 5 GB hard disk; optional, multiple mode supported
Virtualization Support
CloudHive SKUs
Perpetual Mode:
CloudH-vSSM-BP-IN: CloudHive vSSM Perpetual License Essential Package (4*CPU perpetual license, vSSM by demand, 1*vSOM, 2*vSCM, without service)
CloudH-vSSM-EP-IN: CloudHive vSSM Perpetual License Expansion Package (1*CPU perpetual license, without service)
CloudH-vSSM04-BP-IN: CloudHive vSSM Perpetual License Essential Package (vSSM04 4*CPU perpetual license, 1*vSOM, 2*vSCM, vDSM, without service)
CloudH-vSSM04-EP-IN: CloudHive vSSM Perpetual License Expansion Package (vSSM04 1*CPU perpetual license, without service)
SPM-SP-IN: CloudHive service performance monitor license (1*CPU perpetual license)
CloudH-vSSM-SP-IN-12: 1*CPU 1-year software upgrade and maintenance service
CloudH-vSSM-SP-IN-24: 1*CPU 2-year software upgrade and maintenance service
CloudH-vSSM-SP-IN-36: 1*CPU 3-year software upgrade and maintenance service
IPS-SP-IN-12: CloudHive vSSM 1-year IPS license with signature upgrade service
IPS-SP-IN-24: CloudHive vSSM 2-year IPS license with signature upgrade service
IPS-SP-IN-36: CloudHive vSSM 3-year IPS license with signature upgrade service
AV-SP-IN-12: CloudHive vSSM 1-year AV license with signature upgrade service
AV-SP-IN-24: CloudHive vSSM 2-year AV license with signature upgrade service
AV-SP-IN-36: CloudHive vSSM 3-year AV license with signature upgrade service
URL-SP-IN-12: CloudHive vSSM 1-year URL license with signature upgrade service
URL-SP-IN-24: CloudHive vSSM 2-year URL license with signature upgrade service
URL-SP-IN-36: CloudHive vSSM 3-year URL license with signature upgrade service

Subscription Mode:
CloudH-vSSM-BS-IN-12: CloudHive subscription license Essential Package (4*CPU 1-year subscription license, vSSM by demand, 1*vSOM, 2*vSCM, 1-year software upgrade and maintenance service)
CloudH-vSSM-SS-IN-12: CloudHive vSSM Expansion Package (1*CPU subscription license, 1-year software upgrade and maintenance service)
CloudH-vSSM04-BS-IN-12: CloudHive subscription license Essential Package (vSSM04 4*CPU 1-year subscription license, 1*vSOM, 2*vSCM, vDSM, 1-year software upgrade and maintenance service)
CloudH-vSSM04-SS-IN-12: CloudHive vSSM Expansion Package (vSSM04 1*CPU subscription license, 1-year software upgrade and maintenance service)
SPM-SS-IN-12: CloudHive 1-year service performance monitor license (1*CPU subscription license, 1-year software upgrade and maintenance service)
IPS-SS-IN-12: CloudHive vSSM 1-year IPS license with signature upgrade service
AV-SS-IN-12: CloudHive vSSM 1-year AV license with signature upgrade service
URL-SS-IN-12: CloudHive vSSM 1-year URL license with signature upgrade service
How to Buy CloudHive
Example A: 2*2-CPU servers requiring vSSM02, 1-year CloudHive service only (4 CPUs in total: the Essential Package covers 4 CPUs, and service is licensed per CPU)
Perpetual Mode: Basic Package 1*CloudH-vSSM-BP-IN; Service 4*CloudH-vSSM-SP-IN-12

Example B: 5*2-CPU servers requiring vSSM02, 1-year CloudHive service with IPS and AV subscription (10 CPUs in total: 4 from the Essential Package plus 6 Expansion Packages; service, IPS and AV are licensed per CPU)
Perpetual Mode: Basic Package 1*CloudH-vSSM-BP-IN; Extension Package 6*CloudH-vSSM-EP-IN; Service 10*CloudH-vSSM-SP-IN-12; IPS 10*IPS-SP-IN-12; AV 10*AV-SP-IN-12

How to Buy CloudHive

Example A: 2*2-CPU servers requiring vSSM04, 1-year CloudHive service only
Perpetual Mode: Basic Package 1*CloudH-vSSM04-BP-IN; Service 4*CloudH-vSSM-SP-IN-12

Example B: 5*2-CPU servers requiring vSSM04, 1-year CloudHive service with IPS and URL subscription
Perpetual Mode: Basic Package 1*CloudH-vSSM04-BP-IN; Extension Package 6*CloudH-vSSM04-EP-IN; Service 10*CloudH-vSSM-SP-IN-12; IPS 10*IPS-SP-IN-12; URL 10*URL-SP-IN-12
Deployment Scenarios
& Winning Cases
Customer References
20,000+ CPUs serving customers
Use Case: Secure the Cloud for a Local Government
Reality: all the VMs are in the same L2 network without any segmentation
• Different tenants: investment, weather bureau, law enforcement etc.
• Different functions: Web, App, DB, Admin etc.
• Different business priority and security classification
Use Case: Secure the Cloud for a Local Government
CloudHive Solution Benefits:
• No interruption
• Easy scalability
• No network configuration
• No VM configuration
• Business continuity
• Ease of management
• Flexible policy configuration based on business requirements and security features
Use Case 1: Cloud Security
Use Case 2: Cloud Compliance Audit
Use Case 3: Value-added Safety with SDN
Use Case 4: Cloud Value-added Service
Large Power Company
Customer Value:
• Protect critical business applications running in the Cloud
National Commercial Bank
VM Segmentation
Fortune 500 Telco
Use Case 2: Cloud Compliance Audit
Cloud Compliance Audit for a Government Agency
[Figure: Bureau of Statistics: physical layer (server, switch, FW gateway), virtualization layer (vSW) and VMs]
Physical Security:
• Server
• Switch
• Gateway/Firewall
CloudHive:
• VM-level visibility
• VM-level security
• Log and audit
Use Case 3: Value-added Safety with SDN
University – Non-Compliance Application Identification
Control with NSX DFW
[Figure: the NSX DFW on the VSS/VDS of each ESXi host only allows HTTP (port 80) to the Internet; the vSSM identifies Thunder download traffic inside that allowed HTTP so it can be controlled]
IDC - CC Attack Recognition Control with NSX DFW
[Figure: CC attack traffic from the Internet crosses the VSS/VDS of each ESXi host; the vSSM recognizes the CC attack so it can be controlled with the NSX DFW]
Use Case 4: Cloud Value-added Service
Value-Added Service for Cloud Service Providers
First deployment:
• VMware-based virtualized cloud, running an environment information service system
• 1*vCenter, 2*DC, 1*Cluster for each DC
• Integration with CloudHive
• Operated and managed by Inspur
Second deployment:
• VMware-based virtualized cloud, running a public service and system
• 1*vCenter, 1*DC, 3*Cluster
• Integrated with CloudHive
• Operated by a CSP
Value Proposition: the integration with CloudHive provides the customer a comprehensive virtualization solution with security services, and an enhanced competitive advantage for the CSPs.
+1 408 508 6750
inquiry@hillstonenet.com
5201 Great America Pkwy, #420
Santa Clara, CA 95054
www.hillstonenet.com