This document discusses securing virtualized and cloud environments. It notes that virtualization is becoming a common architecture for clouds, but security is a top concern for adoption. The challenges of securing virtualized environments are described, such as lack of visibility and difficulty with continuous enforcement. The goal is to enable secure clouds while retaining control. The ideal solution is described as using a hypervisor-based security architecture, with an engine embedded in the hypervisor, to provide granular security while minimizing overhead. Traditional validation approaches are discussed along with a proposed approach using BreakingPoint to effectively stress infrastructure and validate security under high load conditions.
3. …And Now You Are Moving To The Cloud
Can you stay compliant?
Will it be secure?
Will it remain high-performing?
3
4. Market DYNAMICS
50% of the world’s workloads will be virtualized by 2012
–Gartner
Virtualization is near de-facto architecture for clouds
–GigaOM
Security is a top concern for virtualization adoption
–CDW Survey
37% of large enterprises expect to adopt IaaS (cloud) in the next year
–Yankee Group
7. Virtualization/Cloud Security Challenges
• Monitoring and auditing breaks
– Physical security is blind to traffic
– VMs can “move” to low trust zones
• Continuous enforcement is very difficult
– VM replicate on a click and sprawl
– VM users can self provision
– “Bad” configurations proliferate easily
• Separation of duties is lost
– Server, network boundaries are blurred
– Unified administration gives too
• Least privilege access policy enforcement is lost
– VM access patterns can change with “migration”
– Too much change means errors
Page 7
8. Goal: Enable Cloud/Retain Control
1. VLANs offer no 1. Agents are very 1. Superior security
granular security costly to manage 2. “Wire-line” perf
2. Physical FWs 2. Significant perf 3. Minimal
are expensive degradation overhead
4. 10x cost
reduction
Page 8
9. The IDEAL MIX: Hypervisor-BASED Security
1. Using a custom kernel enforcement embeds into the ESX hypervisor in “fast path” mode
2. All packets flow through the hypervisor-embedded security engine
Page 9
10. vGW & The Hypervisor-based Architecture
Enterprise-grade
VMware “VMsafe Certified”
Protects each VM and the hypervisor
Fault-tolerant architecture (i.e. HA) Virtual
Center
Security
Design
VM
for VGW
VM1 VM2 VM3
Virtualization Aware
“Secure VMotion” scales to
ESX Host
1,000+ ESX Partner Server
(IDS, SIM,
“Auto Secure” detects/protects Syslog, Netflow)
new VMs Packet Data
THE vGW ENGINE
ESX Kernal
VMWARE DVFILTER
Granular, Tiered Defense VMWARE VSWITCH OR
CISCO 1000V
Stateful firewall and integrated IDS
Flexible Policy Enforcement – Zone,
VM group, VM, Application, Port, HYPERVISOR
Protocol, Security state
11. Traditional Cloud Validation Approach
• 100-1000+ servers
• $ Millions in software licenses
• Multiple products with
separate interfaces
• Many disassociated reports
Load
• No security validation
Balancer
Application Traffic
Test Software
Router Firewall IPS Switch
• High total cost of ownership Virtual or
• Limited performance Physical
• Doesn’t effectively stress SSL Server,
infrastructure Accelerator Server
• Inaccurate and error-prone Farm, Data
• Complex and labor intensive Center
12. BreakingPoint’s Approach
• Stresses infrastructure with mix of stateful application traffic
• Validates performance/effectiveness under extreme load conditions
• Validates the integrity of server transactions
• Integrates security for ability to assess performance under attack