Security Virtualization
Timothy Brown
Director, S&V Practice
Network Utility Force
tim@netuf.net
Intro
What is this presentation about?
• Survey of security elements and techniques
• Virtualization advantages and disadvantages
• How virtualization alters security architecture
• Three main concepts:
  • Infrastructure as code
  • Security moving with the target
  • Reduce burden of security
Security Basics
• Protecting information systems
• Balance between risk, protection from risk and ease of use
• Protecting systems has a real cost: heavy armor costs more, and armor is oriented towards the attacker
How are elements protected?
• IDS/IPS – Host and network
• Firewalls
• Segmentation (Limiting the pivot)
• Systems Monitoring
PEOPLE
• Network Telemetry and Monitoring
• Host Integrity
• Intelligence (All Source)
A reference diagram
[Figure: Firewall/Router above a Switch carrying VLAN 100 and VLAN 200]
Virtualization Basics
• Hypervisor: A hypervisor or virtual machine monitor (VMM) is a piece of computer software, firmware or hardware that creates and runs virtual machines.
• Core: A microprocessor (with multiple threads, cache, …)
• Virtual Machine: In computing, a virtual machine (VM) is an emulation of a particular computer system.
• vSwitch (Virtual Switch): A piece of code that emulates or runs a switch.
Market evolving in three ways
• Appliances being made available virtually
• Elements more powerful
• Automation
A reference diagram
[Figure: Firewall/Router above a Switch carrying VLAN 100 and VLAN 200]
VM changes
• Add a new VLAN or Virtual Switch
• Can have many VLANs attached to one virtual switch
• …or many virtual switches…
• …controlled by different parties…
A reference diagram
[Figure: Firewall/Router above a Switch carrying VLAN 100 and VLAN 200, with a Programmable Switch added]
How does a virtual switch work?
• Virtual switch similar in functionality to a traditional switch
• Accelerated by special drivers
• MAC learning or manual MAC programming (Hypervisor knows MACs, can do creative processing)
• Greater flexibility in where a MAC lives and where traffic goes
What does it mean?
• Can insert { any security element } { anywhere in the virtualized network }
• Can connect { any security element } to { any physical or virtualized host }
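As an added example (not from the slides), here is a toy Python model of the learning vSwitch just described: access ports carry one VLAN, the MAC table is kept per VLAN, the hypervisor can reprogram where a MAC lives when a VM moves, and an inspector callback stands in for a security element inserted inline in front of every port. Port names, MAC addresses and the web-to-db policy are constructed for the demo.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    vlan: int

class VSwitch:
    """Toy learning vSwitch: each access port carries one VLAN, the MAC table is
    per VLAN, and an optional inspector sits inline on every egress port."""
    def __init__(self, inspector=None):
        self.ports = {}        # port name -> VLAN id
        self.table = {}        # (vlan, mac) -> port name
        self.inspector = inspector

    def attach(self, port, vlan):
        self.ports[port] = vlan

    def program(self, mac, vlan, port):
        # Manual MAC programming: the hypervisor knows where a VM's NIC lives,
        # so it can rewrite the table directly when the VM is moved.
        self.table[(vlan, mac)] = port

    def forward(self, frame, in_port):
        vlan = self.ports[in_port]
        if frame.vlan != vlan:
            return []                                   # tag does not match port VLAN: drop
        self.table[(vlan, frame.src)] = in_port         # MAC learning
        known = self.table.get((vlan, frame.dst))
        outs = [known] if known else [p for p, v in self.ports.items()
                                      if v == vlan and p != in_port]   # unknown dst: flood VLAN
        return [p for p in outs
                if self.inspector is None or self.inspector(frame, in_port, p)]

def block_web_to_db(frame, in_port, out_port):
    """Constructed microsegmentation policy: web-tier ports may not reach db-tier ports."""
    return not (in_port.startswith("web") and out_port.startswith("db"))

def demo():
    sw = VSwitch(inspector=block_web_to_db)
    for port, vlan in [("web1", 100), ("web2", 100), ("db1", 100), ("mgmt1", 200)]:
        sw.attach(port, vlan)
    a = sw.forward(Frame("aa:01", "ff:ff", 100), "web1")   # flooded in VLAN 100; db1 filtered out
    b = sw.forward(Frame("aa:02", "aa:01", 100), "web2")   # aa:01 already learned: unicast to web1
    c = sw.forward(Frame("cc:01", "aa:01", 100), "mgmt1")  # VLAN 100 tag on a VLAN 200 port: dropped
    sw.program("aa:01", 100, "web2")                       # VM moved; hypervisor reprograms its MAC
    d = sw.forward(Frame("aa:02", "aa:01", 100), "db1")    # traffic follows the move, db->web allowed
    return a, b, c, d
```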
Security relationships can be built anywhere
[Figure: Firewall/Router above a Switch carrying VLAN 100, VLAN 200 and VLAN 300 segments]
Virtualization allows flexibility: resources, FWs, or everything can be moved around (including between DCs)
Resources can be moved between DCs
[Figure: Data Center 1 and Data Center 2, each carrying VLAN 200 and VLAN 300]
Resources can be moved between DCs
[Figure: Data Center 1 and Data Center 2, each carrying VLAN 200 and VLAN 300; the firewall moves with the elements]
Interesting ideas
• Virtual network firewalls
• Virtual application firewalls
• Virtual load balancers / application delivery controllers
• Virtual taps
• Virtual IDS/IPS
How does virtualization add to security?
• Segmentation and microsegmentation
  • Including with physical hardware through the use of VXLAN
• Separation of management concerns
• Functional separation
• Snapshots and imaging
• SDN
Motivations for security virtualization
• Reduce scope of changes and testing
• Increase performance for lower aggregated cost
• Minimize reliability concerns and impact
• Flexibility in architecture
• Move things around
• Reduced audit scope
• Hide security infrastructure from attackers
• More security closer to the host at higher performance
(Mis)conceptions
• Virtualization reduces performance
  • Impact is quite mild on the right hardware
• More to manage
  • Yes, but vendors are getting smart and infrastructure is now code
• Cost will be high
  • Vendors are getting smart: cost is coming down (volume) and hardware is a losing game (commoditization)
• Harder to learn
  • This is true, but only if you have a weaker understanding of the basics
  • MACs, bridges, traffic flows, TCP…
What is now available in virtual form?
• Firewalls
• Application Firewalls
• Database Firewalls
• Monitoring Appliances
  • Sandboxing, DPI, Netflow
• Load Balancing
• Intrusion Detection
Coming back
• Easier to hide my infrastructure
• Segments and snapshots; easier IDS
• Roll back machine quickly, better change management
• Firewall and IDS in front of every host, good luck with the pivot
Questions?
Thanks

http://go.netuf.net/afcea-2017-dobbins