2. Company Overview
• A leading European provider of network
security solutions for Service Providers,
Enterprise and Government customers
• Our solutions protect against:
– Hackers
– Intrusions
– Information theft
– Eavesdropping
– Viruses
– Spam
– Malicious content
... and more
3. Proven track record and industry experience
• Long-term experience from securing some of the world’s most demanding
networks
• Protecting 100.000+ networks and 20.000+ customers
• Customers include:
• Complete and mature product portfolio designed for performance and scalability
4. Established market position
• Recognized as one of the top 12 suppliers
in the world by analyst Gartner Group
• Several technology awards and product
recognitions in magazines
• Technology partnerships with leading
industry partners including Cavium
Networks, RadiSys, Kaspersky and VMware
5. Global Presence
• About 70 employees
• Headquarters in Örnsköldsvik, Sweden
• Sales offices in Europe and Asia
– Stockholm, Sweden
– Hamburg, Germany
– Paris, France
– Torino, Italy
– Singapore
– China (5 locations)
• 100+ Solution and Channel Partners worldwide
7. CorePlus – The Core in our Products
Secure & Robust
• Our proprietary and purpose-built network security operating system
• No inheritance of vulnerabilities from an underlying Operating System
• Minimal footprint and attack surface
Compact, Optimized & Scalable
• Optimal resource utilization
• High performance with high reliability
• xPansion Lines Licensing offering scalability
Fine-granular Control
• Seamless integration of all subsystems, in-depth administrative control
12. Virtualization going forward
Just like… IT as a Service:
• Inexpensive, usage based, pay-as-you-go
• Ubiquitously available
• Reliable
• Choice of providers
13. The virtual network – not just for the server guys
Traditional Network
• Multitude of network segments
• Communication between zones is monitored and secured
Virtual Network
• Fewer network segments dividing the servers
• Communication between virtual machines is not monitored or secured! DANGER
16. Drawbacks With “Mixed Solutions”
• Looks good at first glance, but not as attractive in the longer run!
• You will still have to rely on external, non-virtual appliances
• Forces you to create isolated islands instead of a dynamic and scalable pool of resources
• Virtual yes, cloud no!
• Does not allow you to protect the private cloud, which might be a mix of on-site and off-site resources
• Does not benefit from Redundancy and Disaster Recovery tools
• Creating team- or project-oriented silos, which is very common in e.g. consulting and media companies, becomes very difficult
18. The Clavister Virtual Security Gateway Solution
No underlying Operating System – Only Clavister CorePlus
Runs in the virtual infrastructure and benefits from the virtualization itself: easy to deploy, highly redundant, scalable, simplified maintenance, etc.
Templates & workflows – Ideal for large installations, e.g. Managed Services, Utilities such as smart grid, wind/solar power etc.
19. Clavister Virtual Security Gateway Solution
Virtual Machines (VMs) are not allowed to talk with each other without first going through the Virtual Security Gateway.
All security inspections which would have been performed by a physical security gateway in a physical structure are done "in-line" in the virtual environment.
20. Communication Path Diagram
All virtual machines and their inter-communication are secured using best-in-class virtual security gateways, which enables mission critical applications to be virtualized without compromises to the security policies.
Diagram: Clavister Virtual Security Gateway connected through a Virtual Switch to three zones – Web Front-End Zone (ETH1), Middleware / Business Logic Zone (ETH2) and Back-End Database Zone (ETH2).
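The diagram above shows every inter-VM flow passing through the gateway, where a zone policy decides it. The block below is an added illustration of such a zone-based policy check; it is not Clavister code, and the zone names, address ranges, ports and rules are constructed for the example. It applies the principle the slide states: traffic that matches no rule is dropped, including traffic between VMs in the same zone.

```python
# Added illustration (not Clavister's code): a zone-based policy check of the kind
# a virtual security gateway applies when every inter-VM flow passes through it.
# Zone names, address ranges and rules are constructed for this example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed zone map for the three tiers in the diagram: each zone is the
# address range hanging off one gateway interface.
ZONES = {
    "web":        ip_network("10.1.0.0/24"),   # Web Front-End Zone
    "middleware": ip_network("10.2.0.0/24"),   # Middleware / Business Logic Zone
    "db":         ip_network("10.3.0.0/24"),   # Back-End Database Zone
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    action: str          # "allow" or "deny"


# Constructed policy: evaluated in order, first match wins, and anything that
# matches no rule is denied (the gateway's implicit default-deny).
POLICY: List[Rule] = [
    Rule("web", "middleware", "tcp", 8080, "allow"),   # front-end -> application tier
    Rule("middleware", "db", "tcp", 5432, "allow"),    # application tier -> database
]


def zone_of(addr: str) -> Optional[str]:
    """Map a VM address to its zone, or None if it belongs to no known zone."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def evaluate(src: str, dst: str, proto: str, dport: int) -> Tuple[str, str]:
    """Decide one flow. Returns (action, reason) so the reason can be logged.

    Traffic inside a zone goes through the gateway too, so a web VM cannot
    reach another web VM on port 22 unless a rule explicitly allows it.
    """
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return "deny", "unknown-zone"
    for rule in POLICY:
        if (rule.src_zone, rule.dst_zone, rule.proto, rule.dport) == \
                (src_zone, dst_zone, proto.lower(), dport):
            return rule.action, f"rule:{src_zone}->{dst_zone}:{rule.proto}/{rule.dport}"
    return "deny", "default-deny"


if __name__ == "__main__":
    # Constructed flows: the database tier is reachable only via the middleware.
    flows = [
        ("10.1.0.5", "10.2.0.9", "tcp", 8080),      # web -> middleware: allowed
        ("10.1.0.5", "10.3.0.9", "tcp", 5432),      # web -> db directly: denied
        ("10.2.0.9", "10.3.0.9", "tcp", 5432),      # middleware -> db: allowed
        ("10.1.0.5", "10.1.0.6", "tcp", 22),        # web -> web SSH: denied
        ("192.168.1.1", "10.3.0.9", "tcp", 5432),   # outside any zone: denied
    ]
    for flow in flows:
        print(flow, "->", evaluate(*flow))
```

The reason string returned alongside the verdict is what a gateway would write to its log; keeping it per rule makes later log analysis and SIEM correlation (slide 21) far easier than a bare allow/deny.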
21. Troubleshooting, Monitoring, Alarms & Auditing
• Troubleshoot communication using:
– Real-time monitoring with filters
– PCAP & Memlog recording
– Log analysis
• Monitor behavior of traffic using:
– SNMP
– Real-Time monitoring
– Real-Time KPI dashboards
• Create custom and policy-based alarm events (thresholds etc.)
• Full auditing capabilities using:
– Built-in log viewing applications
– External SIEM systems
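The "policy-based alarm events (thresholds)" item above is the kind of check that runs over the gateway's deny log. The block below is an added example of one such threshold alarm; it is not Clavister code, and the log line format and the sample events are constructed for the example rather than being Clavister's log format. It parses key=value lines, keeps a sliding 60-second window of denies per source VM, and raises one alarm the first time a source crosses the threshold.

```python
# Added example (not Clavister's code): a sliding-window threshold alarm over
# gateway deny events. The log line format below is constructed for this
# example and is not the real gateway's format.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional

# Constructed sample log, in chronological order (the alarm logic assumes this).
# Source 10.1.0.5 is repeatedly denied towards the database zone on different
# ports; source 10.1.0.7 only produces a couple of isolated denies.
LOG_LINES = [
    "2024-01-01T10:00:01 action=deny src=10.1.0.5 dst=10.3.0.9 proto=tcp dport=5432 rule=default-deny",
    "2024-01-01T10:00:03 action=allow src=10.1.0.5 dst=10.2.0.9 proto=tcp dport=8080 rule=web->middleware",
    "2024-01-01T10:00:05 action=deny src=10.1.0.5 dst=10.3.0.9 proto=tcp dport=3306 rule=default-deny",
    "2024-01-01T10:00:06 action=deny src=10.1.0.7 dst=10.3.0.9 proto=tcp dport=5432 rule=default-deny",
    "2024-01-01T10:00:09 action=deny src=10.1.0.5 dst=10.3.0.9 proto=tcp dport=1433 rule=default-deny",
    "2024-01-01T10:00:12 action=deny src=10.1.0.5 dst=10.3.0.9 proto=tcp dport=27017 rule=default-deny",
    "2024-01-01T10:00:20 action=deny src=10.1.0.7 dst=10.1.0.5 proto=tcp dport=22 rule=default-deny",
    "2024-01-01T10:00:25 action=deny src=10.1.0.5 dst=10.3.0.9 proto=tcp dport=6379 rule=default-deny",
    "2024-01-01T10:02:00 action=deny src=10.1.0.5 dst=10.3.0.10 proto=tcp dport=5432 rule=default-deny",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.*)$")


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one 'timestamp key=value ...' line; return None for lines that do not fit."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    fields: Dict[str, object] = {}
    for token in match.group("kv").split():
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    fields["ts"] = datetime.fromisoformat(match.group("ts"))
    return fields


def deny_burst_alarms(lines: List[str], threshold: int = 5, window_s: int = 60) -> List[Dict[str, object]]:
    """Emit one alarm per source the first time it reaches `threshold` denies within `window_s` seconds."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alarmed = set()
    alarms: List[Dict[str, object]] = []
    for line in lines:
        event = parse_line(line)
        if event is None or event.get("action") != "deny":
            continue
        src, ts = str(event["src"]), event["ts"]
        window = recent[src]
        window.append(ts)
        # Drop denies older than the window before counting.
        while window and ts - window[0] > timedelta(seconds=window_s):
            window.popleft()
        if len(window) >= threshold and src not in alarmed:
            alarmed.add(src)
            alarms.append({"src": src, "count": len(window), "first": window[0], "last": ts})
    return alarms


if __name__ == "__main__":
    for alarm in deny_burst_alarms(LOG_LINES):
        print(f"ALARM: {alarm['src']} denied {alarm['count']} times between {alarm['first']} and {alarm['last']}")
```

The one-alarm-per-source suppression is deliberate: a threshold that fires on every further deny floods the operator, while a single event with the first and last timestamps is what a SIEM rule or KPI dashboard can act on.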
22. Typical Enterprise Environment
Disaster Recovery or Lab/Test Network
Virtualized production infrastructure
Traditional physical server network
24. Clavister VSG Models & Dimensioning
Model                              VSG21    VSG110    VSG510    VSG1100
Plaintext Performance (Mbit/s)*    50       200       500       1000
VPN Tunnels                        25       200       500       1000
VLAN                               4        64        128       512
Concurrent Connections             4000     16000     64000     256000
Recommended Application:
– VSG21: Test & Lab Networks with no or very low performance demands
– VSG110: Small installations with a limited amount of protected VMs with low to medium performance demands
– VSG510: Medium and Large installations with medium to high performance applications such as web/mail/citrix/databases and similar
– VSG1100: Large installations with medium to high performance applications such as web/mail/citrix/databases and similar
25. Features
• Protect Virtual Servers
Segregate virtual machines from each other and prevent attackers from jumping from one machine to another, without having to use a physical appliance and create isolated islands.
• Secure Cloud Infrastructures
Enforce network security within the private cloud, both for the part of the cloud which is running in
your datacenter and the part that you might have outsourced to a hosting provider.
• Secure Inter-Communication
Utilize the VPN encryption to secure communication between virtual machines
• Achieve Auditing and Regulatory Compliance
Since the virtual security gateway can be run inside the virtual infrastructure, security auditing can be achieved and thereby regulatory compliance requirements can be met.
• No Security Policy Compromises for Virtual Environments
Utilize your standard set of policies not only for physical machines but just as easily also for virtual
ones.
26. Benefits
• Scalability
Users can now extend security by simply deploying new security gateways as they go.
• Lower CAPEX
Virtualization opens up for new business models where CAPEX is minimized.
• Simplified Maintenance
Security components inherit all manageability features from a virtual environment, such as failover, provisioning, and so forth.
• Minimized downtime
Less hardware, in combination with highly efficient disaster recovery and redundancy tools such as VMotion, reduces downtime and improves the overall in-service performance of the security solution.
• Simplified Test/Lab testing
Since the virtual security gateway is a part of the virtual infrastructure, it becomes easier to create lab/test environments, which decreases the complexity of security tests and in its turn improves the overall security.
27. Why Clavister VSG is better than physical UTMs
• No need to create isolated islands
Creating security zones inside the virtual infrastructure using physical gateways forces you to have all traffic routed out of the infrastructure and then back in, leaving you with isolated islands. These turn into additional administration and limit the possibilities to leverage cloud-like resource pools and many of the fundamental virtualization benefits.
• Improves the consolidation ratio
By using the Clavister Virtual Security Gateway to create security zones within a homogeneous physical pool of resources, and avoiding the isolated islands which are necessary when using physical UTM gateways, the consolidation ratio can be improved, since you do not have to have the extra performance overhead distributed on each island. This becomes especially important when using the VMware Dynamic Resource Scheduler, which can move VMs between physical hosts and allocate more CPU and RAM memory at run-time using the hot-add functionality.
28. Why Clavister VSG is better than physical UTMs
• Leverages virtualization benefits also for security gateways
Virtualization offers many benefits such as 100% guaranteed availability, disaster recovery, ease of deployment and simplified administration. The Clavister VSG can leverage all of these benefits as it runs as a part of the virtual infrastructure. Physical gateways can never leverage these benefits; they actually limit the possibilities for all the other IT infrastructure to benefit from them as well.
• Improved SLAs and better control
With the security gateway running inside the virtual infrastructure you can improve your
SLAs and make the SLA reporting and prediction much more efficient since you do not
have to rely on external equipment not under the control of the virtual infrastructure.
Physical appliances used for protecting the “isolated” islands are often used also for the
other physical infrastructure, thereby creating a structure where modifications in the
physical infrastructure might disturb also your virtual datacenter.
29. Why Clavister VSG is better than other VSGs
Clavister VSG Advantages:
• No Operating System
• Proven & Trusted
• Complete Security
• Scalable Licensing
• Unified Management
30. Advantages – No OS
No underlying Operating System
Clavister Virtual Security Gateways do not have an underlying Operating System, which is the case for most other virtual security gateways. The Clavister VSG only uses Clavister CorePlus, which is our "bare-metal" security gateway application with built-in operating system functionality.
The Size does matter!
There are many benefits of not having an underlying operating system. Patch management is one of them. In many cases the underlying OS has a very large footprint (Checkpoint has a footprint of more than 10 GB), made up of features and functions that do not have anything to do with the security function; nonetheless, the OS needs recurring updates even if the patches do not have anything to do with the security itself. Equally often these patches require restarts and reboots. In the end, the result of having a bulky OS to run the security gateway is less predictable quality, additional administration, unnecessary maintenance, etc.
Diagram – Footprint comparison:
– Clavister VSG: Clavister CorePlus running on a Virtual Machine on the Hypervisor, footprint 32 MB
– Other Vendors VSG: Application on top of an Operating System, running on a Virtual Machine on the Hypervisor, footprint 500 MB – 12 GB
31. Advantages – No OS – Footprint Comparison
– CheckPoint VPN1-VE: Min 12 GB Storage, Min 512 MB RAM
– CorePlus: 2 MB actual footprint, Min 32 MB Storage*, Min 32 MB RAM
*The minimum storage size of a virtual machine in VMware ESXi is 32 MB even if the application is smaller
32. Advantages – Proven and Trusted
• Large Install base
Clavister CorePlus is today being used in more than 100.000 installations world-wide, ranging from small office/home office to large enterprises, military, government and telecom networks.
• Mature Technology
CorePlus has been on the market since 1997, has a high level of maturity and does not suffer from the childhood diseases which might be the case for newer products and technologies.
• Long term history and track record
CorePlus is a mature product with a history that dates back to 1997. CorePlus also has an impressive track record of being used in some of the world's most demanding networks, including telecom operator networks and customers like France Telecom/Orange, Rogers Wireless, Terremark, SAAB, French Navy/Military, etc.
• Large Virtual Networks Experience
CorePlus has been used as virtual security gateways in some of the world's largest virtual infrastructures, with more than 1000 sites/virtual machines and >100.000 users, which probably makes it the world's largest deployment of virtual security gateways.
33. Advantages – Complete Security
• Not only a firewall or an IDS
Clavister CorePlus is a complete Unified Threat Management solution with comprehensive
protection against modern attacks and security threats. Most other virtual security gateways are
early to market solutions which only cover a limited set of protection features, such as only being a
firewall, only being an IDS solution etc.
• Complete yet scalable and dynamic
Even though Clavister Virtual Security Gateways have a very comprehensive set of features, you as an administrator can orchestrate the solution to only run the features you like, thereby making the solution more adaptable to your real network with minimum overhead.
• Complete feature set – High Performance
Thanks to the unique design of the Clavister Virtual Security Gateways and the CorePlus firmware
which has a minimum overhead and is optimized for the security functions only, performance
figures of multiple gigabit can be achieved even in the virtual infrastructure.
34. Advantages – Scalable licensing
• Licensing per Gateway – Not per Virtual Machine
The Clavister Virtual Security Gateways are licensed on a per-gateway basis, not per virtual machine being protected. This means that you do not need the hassle of upgrading licenses for the security gateway every time you wish to add new virtual machines to your infrastructure. It also enables a much more cost-effective setup in larger environments and provides a much more predictable Total Cost of Ownership. This is especially important in the scenarios where you expect an increased demand for new servers and functions as IT becomes more available.
• Feature & Capacity Differentiated License Models
The Clavister Virtual Security Gateways are offered in four different license models, each with a different amount of performance, capacity and features. This enables you to choose the model that fits your needs best. Customized license models can also be offered for specific needs, e.g. power utilities, managed security services, etc.
35. Advantages – Unified Management
• Software, Hardware & Virtual
The Clavister Virtual Security Gateways are managed using the exact same management software as the hardware- and software-based versions, i.e. Clavister InControl. This means that you can manage and administrate your entire network security architecture using one and the same system, independently of the platform. This not only lowers your administration costs but also helps make your overall security stronger, compared to other virtual security gateways which require you to learn a completely new management interface for the virtual infrastructure alone.
• Integrate with your business process and other IT systems
The Clavister InControl management suite offers a full-blown Application Programming Interface which enables you to integrate the management and administration of the Virtual Security Gateway with your other core IT systems. Through this integration capability you are able to have your central network operations system manage the virtual security gateway, have your IT support staff take care of simple tasks from the support systems, and similar. The advantage of this is that you are able to lower administrative costs and become more responsive to your users' and business demands.
37. xSPs / Telecom Operators – Market Situation
Competitive Market
• Highly competitive and saturated market
• Recruiting new customers is expensive
• Operational efficiency is a must to remain competitive
Financials
• Low and decreasing profit margins for traditional offerings
• Increasing Average Revenue Per User (ARPU) is absolute key to
growth & success
• Financial crisis drives the need to offer cost-savings services to
customers
First mover advantage
• Time between visionary to market leadership is shorter than ever
38. Clavister vSeries – Value Proposition for xSPs
• Opportunity to take first mover advantage
• A value-adding and unique security offering
• Create your own attractive security services portfolio:
(Firewall, VPN, Content Filtering, IDP, Anti-Virus…)
• Leverage existing virtual infrastructures
• Extreme Scalability, Deployment, SLA, etc.
• Increase your Average Revenue Per User (ARPU)
• Low capital investment – Expands as you grow
39. Clavister vSeries – What it is
Security Platform
• Best-of-breed Security Gateways
• Clavister Security Services Platform (SSP), our offering for Service Providers
Virtual for optimal scalability and financial benefits
• Runs inside a virtual infrastructure (e.g. VMware / Xen / Microsoft)
• Runs in your datacenter (each customer gets a dedicated security gateway)
• Extremely resource efficient – More gateways on less hardware
Designed for Operators
• MSSP-friendly Management & Operations
• Extremely scalable – Provision 1 gateway just as easily as 100.000
41. Security Services for Internet Subscribers
• Value Add Services for Internet Subscribers
• Added on top of internet connection bill
• Increase ARPU - Offer the services to all existing customers
• First mover advantage – Infrastructure as a Service (IaaS) already today
• Plug-in Solution for the Broadband Network Datacenter
• No need for End User Equipment
• Efficient Management and Maintenance
• Optimized Provisioning Capabilities
• Customer Focused Service Packages
• Small & Medium Business
• Remote Office
• Retail Stores…
46. Business Case – Service Providers (Hosting)
• Value Adding
Offer a value-adding managed security services to hosting customers.
• Tailor made service portfolio
Use the pick-and-choose service packages
• Operational Efficiency
Automatic deployment without any human intervention
• Accelerates hosting business
Makes customers more comfortable hosting sensitive applications
(Cloud and utility computing in particular)
• Increase ARPU
• Low investment - High profit margins
47. SMB – Hosting Security Services
Diagram: Hosted Virtual Machines (dedicated or part of a cloud) – Microsoft Exchange, Web Server, FTP Server – for Customer #1, Customer #2 and Customer #3 in the Datacenter, connected to the Core Network through a Virtual Security Gateway (managed or self-managed) providing Firewall, VPN, Content Filtering, IDP, Anti-Virus and Reporting.
48. Customer Experience – Deployment
1. Choose Service
2. Automatic deployment (< 1 hour)
3. Use the service
50. Terremark – Reference Customer
About Terremark
Terremark Worldwide's (NASDAQ:TMRK) acclaimed Infinistructure utility computing architecture has redefined industry standards for scalable and flexible computing infrastructure, and its digitalOps service delivery platform combines end-to-end systems management workflow with a comprehensive customer portal.
TERREMARK AT A GLANCE
• NASDAQ: TMRK
• Leader in managed IT infrastructure services (Gartner – Leaders Quadrant)
• Datacenters in the United States, South America and Europe
• SAS 70 Type II Certified
• Microsoft Gold Certified Partner
• United States General Services Administration (GSA) Schedule# GS35F0073U
Over the last 10 years virtualization has developed and matured significantly. What in the early days was the ability to partition one server into several virtual machines has now grown into a virtual infrastructure which involves not only one piece of hardware being virtualized but a complete datacenter. As we look forward, cloud computing infrastructure becomes more and more commoditized, especially since the hypervisors are complemented with a full-scale cloud management framework as a part of the standard offering. The reason why this evolution is important from a security aspect is that as the size of the virtual network grows, the need for security products tailored for these new environments increases dramatically. Protecting a virtual infrastructure with a simple physical gateway on the outside of the infrastructure just won't provide the level of control and insight into the virtual network traffic.
As the trend for virtualization moves forward, driven by generic business needs and by IT itself becoming more mature and an integrated part of any organization in the same way as power or telephony, new technologies have emerged and are now being used by companies who want to escape the reality of costly maintenance and kludgy solutions that don't support the business process the way they should. This is where the cloud comes in. The cloud is designed to offer IT as a Service, much like power or telephony, and transforms IT from being something introverted and resource-demanding to a very scalable model where you pay for what you get and which expands with you at your own pace.
Traditional network security relies on physical segmentation of networks and servers. Physical firewalls / security gateways then form effective filters between communicating parties. To achieve secure zones using old-fashioned physical gateways, the virtual traffic needs to exit the virtual infrastructure and you end up having to create multiple isolated islands, with all the extra administration and inability to use cloud-like capabilities. In a virtual environment, however, a large number of servers may be deployed within the boundaries of a single piece of hardware. As a result, communication between servers does not necessarily need to leave the physical hardware.
If the isolated zones are not created and one large infrastructure is kept instead, companies are putting their infrastructure at great risk, since threats can easily spread from one zone to another without any security gateway scanning the traffic and applying policies.
The mixed solution has many disadvantages and does not allow organizations to have one large pool of resources that scales seamlessly; instead, each zone becomes its own isolated island, with all the additional administration this means. Furthermore, in cloud scenarios where the private cloud can be housed either on site or off site, the physical gateway will not be able to protect your virtual resources efficiently. Clearly, the biggest disadvantage of this solution is that the environment still relies on external physical components, which is a total contradiction of the virtualization idea. Furthermore, it will become difficult to create identical lab environments and test the setup where security is considered an important aspect.
Mixing virtual infrastructures with traditional physical security appliances limits your capabilities to leverage the virtualization benefits to a very large extent. This is also why the virtual security gateway is superior to the physical security gateway for virtual infrastructures.
The most straight-forward way of solving the problem is to deploy also the security gateways as virtual nodes in the virtual environment.
The size of other vendors' virtual machines is often very large. 500 MB is very common, and in some cases, such as with Checkpoint, it's up to 12 GB. This means that the security application actually depends on a very bulky standard operating system with millions of lines of code which are not optimized for security specifically and often have nothing to do with the actual application itself. This bulky OS will need recurring patches, which might cause interruptions in your network security infrastructure. With Clavister, every single line of code is optimized for the security gateway itself and patches only need to be applied for the security function itself, thereby keeping maintenance and disturbances at an absolute minimum. Another aspect of a large and bulky underlying operating system is the potential risk of inheriting vulnerabilities from the OS into the security function, since these are heavily dependent on each other. One such example is the sockstress attack framework, which utilizes several weaknesses and vulnerabilities in common operating systems. When information about the sockstress attack framework was released, Checkpoint and almost every other security vendor who had been using a standard operating system such as Linux, Unix, Windows, BSD, etc. had to scramble very fast to try and provide a patch for the vulnerabilities, since their solution was vulnerable to this attack.
In the end, the result was that their customers had to go through an extensive patch management procedure in order to avoid critical Denial of Service security breaches occurring in their network. Since Clavister has no underlying operating system, the vulnerabilities did not apply to Clavister and there was no need for a patch, since it was not affected by the attack. Sockstress is just one example; the fact that large operating systems need patch management and have vulnerabilities that can pose a potential threat to the security application itself is a much more fundamental issue which should not be overlooked.