hp converged infrastructure - break the it innovation gridlock

1 HP FlexFabric - Data center network for the HP Converged Infrastructure Data center network for the HP Converged Infrastructure HP Networking Andy Sawyer [email protected]

Upload: ipexpo-online

Post on 20-Aug-2015

TRANSCRIPT

Page 1: HP Converged Infrastructure - Break the IT innovation gridlock

1 HP FlexFabric - Data center network for the HP Converged Infrastructure

Data center network for the HP Converged Infrastructure

HP Networking

Andy Sawyer [email protected]

Page 2: HP Converged Infrastructure - Break the IT innovation gridlock

Business / IT initiatives

The network underpins all of these major data center initiatives…

It must evolve and keep pace

Users, Customers

Server virtualization

I/O virtualization

Cloud computing

Security & BC/DR

Desktop virtualization

Page 3: HP Converged Infrastructure - Break the IT innovation gridlock

Today’s network architectures can’t keep pace

LAN switching

Branch routing

Wireless

DC routing

DC switching

Data traffic

Voice traffic

Network Convergence

Unified communication & collaboration

Cloud computing

Storage

Server virtualization

Video traffic

Desktop virtualization

Supply: Network evolution

Demand: Network services

Network architecture gap

Page 4: HP Converged Infrastructure - Break the IT innovation gridlock

A blueprint to deliver “networking as a service” to the HP Converged Infrastructure

Converge
• Consolidate storage-server I/O connects
• Prepare for future network convergence

Orchestrate
• Centrally-manage connection policies
• Provision via data center orchestration

Scale + Secure
• Scale for 1000’s of servers, TBs of storage
• Assure security, performance, flexibility

HP FlexFabric design

Page 5: HP Converged Infrastructure - Break the IT innovation gridlock

Data Center

HP FlexFabric architecture

Network Management

Network

Virtual Resource Pools

Storage

Interconnect

Server Edge

Servers

Matrix Operating Environment

Network Security

Backbone

Comprehensive resource management + virtualisation-aligned connection management

Assured business continuity

Modern; Standards-Based; Single OS; Resilient; Virtualised; Flatter

Simplicity; Performance; Reduced costs

Page 6: HP Converged Infrastructure - Break the IT innovation gridlock

3 Solutions

Switch virtualisation: IRF

Enterprise network management: IMC

Intrusion Prevention for virtual hosts: vController/VMC

Page 7: HP Converged Infrastructure - Break the IT innovation gridlock

HP FlexFabric technology

Intelligent Resilient Framework (Simplify)

Traditional 3 Tier Data Center

HPN Simplified 2 Tier Data Center

HPN Simplified 1 Tier Data Center

Page 8: HP Converged Infrastructure - Break the IT innovation gridlock

HP FlexFabric technology

Intelligent Management Center (IMC)

Comprehensive Management, better service, lower OpEx

Align demands for business-critical service delivery with network management

Comprehensive visibility across all layers and functions

Improving endpoint defense, control and visibility

Common operations view with extensions for IT orchestration

Unified resource management

Multi-vendor, single pane visibility across networking

Integrated access & user management

Common management integrated with HP Software

Page 9: HP Converged Infrastructure - Break the IT innovation gridlock

HP FlexFabric technology

Intelligent Management Center (VM Aware)

Comprehensive Management, better service, lower OpEx

Topology

Health

Location

Vmotion aware

VLAN QoS CAR ACL

Common operations view with extensions for IT orchestration

Visualise Virtual Machines

Track

Provision

Common management integrated with HP Software

Page 10: HP Converged Infrastructure - Break the IT innovation gridlock

TippingPoint Overview

2001: Pioneered In-line IPS

2005: Acquired by 3Com

2005: Gartner Leader’s Quadrant

2006: Gartner Leader’s Quadrant

2007: Gartner Leader’s Quadrant

2008: Gartner Leader’s Quadrant

2009: Gartner Leader’s Quadrant

2010: Acquired by HP

7,000+ customers

Gartner “Magic Quadrant” Network IPS Appliances 2009

Page 11: HP Converged Infrastructure - Break the IT innovation gridlock

TippingPoint IPS Platform

April 18, 2023 11

Availability

• In-line reliability

• High throughput

• Low latency

Dirty Traffic Goes In

Clean Traffic Comes Out

IPS Platform

Security Management System

Security

• Filter quality

• Fastest coverage

• Broadest coverage

Costs

• Quick to deploy

• Recommended settings

• Easy to manage

Page 12: HP Converged Infrastructure - Break the IT innovation gridlock

TippingPoint IPS Reliability

Redundancy

Hardware:

Zero Power High Availability (ZPHA)
• Maintains traffic if power fails

Dual hot-swappable power supplies

Software:

Automated L2 fallback and recovery
• Self monitoring of Security and Mgmt
• L2 fallback option if thresholds exceeded

Hitless OS upgrades and reboots

High Availability Features

Link down synchronization
• Links mirrored and brought down together

IPS synchronise blocked flows
• Efficient HA

Multiple redundancy options
• Active-Active, or Active-Passive
• No requirement to waste segments/ports

No IP address or MAC address

Transparent to network HA and routing protocols
• HSRP, VRRP, OSPF, EIGRP, BGP

Internal Security Processing

Normal Operating Mode

Internal Security Processing

Layer 2 Fallback

Page 13: HP Converged Infrastructure - Break the IT innovation gridlock

Broadest Protection

Threat Coverage

• Malware – worms, viruses, Trojans, etc.
• Spyware
• Phishing, Whaling and Spear Phishing
• Un-patched devices, O/S and applications
• Web Application Attacks
  – XSS, PHP Includes and SQL Injection, etc.
• Unwanted Applications – IM and P2P
• Policy Settings
• Protocol Anomaly Checks

Application & O/S Coverage

• Microsoft
• Cisco
• SAP
• EMC
• CA
• Sun
• Mozilla
• Novell
• Oracle
• Apple
• Citrix
• Adobe…

Vulnerability Coverage: 2009 Microsoft Vulnerabilities

146/163 Covered

Page 14: HP Converged Infrastructure - Break the IT innovation gridlock

Fastest Protection

[Chart: Zero-Day Threat Coverage, pre-existing coverage (% of respondents, axis 0% to 50%). Vendors listed: Tipping Point, McAfee, Cisco, IBM ISS, Sourcefire. Bar values listed: 50%, 15%, 10%, 8%, 20%. Source: Infonetics Research IPS Survey – August 2008]

Speed of Coverage, 2009 Microsoft Vulnerabilities: -31 days; 146/163 Covered

Infonetics 2008 “IPS Customer Survey”

Page 15: HP Converged Infrastructure - Break the IT innovation gridlock

TippingPoint IPS Platform

DVLabs security research

DVLabs Services:

−Digital Vaccine

−Web App DV & Scanning

−Reputation DV

−Custom DV

−ThreatLinQ

−Lighthouse Program

DVLabs: Leading security research and filter development

Partners

SANS, CERT, NIST, etc.

Software & Reputation Vendors

ThreatLinQ Monitoring

2,000+ Customers Participating

DVLabs Research & QA

30+ Dedicated Researchers

Zero-Day Initiative

1,200+ Independent Researchers

An IPS Platform is Only as Good As its Security Intelligence

Page 16: HP Converged Infrastructure - Break the IT innovation gridlock

Virtual Software Patch

Term: Definition

Vulnerability: Security flaw in a software program

Exploit: Method that takes advantage of a vulnerability to:
• Gain unauthorized access
• Create a denial of service

Exploit Filter: Covers a single exploit, not the vulnerability
• Typically produced due to IPS performance or research limitations
• Results in false negatives (missed attacks) and false positives (block good traffic)

Vulnerability Filter: Covers entire vulnerability and all possible exploits
• Single filter protects against all exploits

[Diagram labels: Vulnerability; Standard IPS Exploit Filter for Exploit A; False Positives (coarse filter); Exploit A; Exploit B (missed by Exploit Filter A); Virtual Software Patch (TippingPoint Filter)]

HP TippingPoint’s vulnerability filter acts as a Virtual Software Patch, streamlining the patching process

Page 17: HP Converged Infrastructure - Break the IT innovation gridlock

Vulnerability filters

An old example (we have been doing this for a long time)

• The Blaster/Nachi RPC DCOM Buffer Overflow

• Microsoft proprietary implementation

• How it should work:

− Open connection (TCP ports 135, 139, 445, 593, UDP 135)

− Bind to interface

− Call function

− Supply arguments

Server expects the arguments to include a filename in the format: \\server\file

where server is a NetBIOS name and therefore no longer than 32 bytes.

In one published exploit, the value of \\server\file was \\...long_string_with_shellcode...\filename

• This caused a buffer overflow on the target system – allowed injection of arbitrary code to run with system privileges

Page 18: HP Converged Infrastructure - Break the IT innovation gridlock

Vulnerability filters

No false negatives:

• The following must be in place for any exploit:

1. Open connection (TCP ports 135, 139, 445, 593, UDP 135)

2. Bind to interface

3. Call function

4. Supply arguments

− All exploits must comply with the above – if we detect the above we detect all possible exploits

• We have a no false negative filter – we won’t miss any attacks

No false positives:

• One step is never seen in good traffic

− Step 4 includes a server NetBIOS name never seen in good traffic (anything greater than 32 bytes)

− We also have a no false positive filter – we won’t block good traffic
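The filter logic from the two slides above, as an added example (not TippingPoint's filter code): it contrasts an exploit filter that matches bytes from one known exploit with a vulnerability filter that checks the server name in the \\server\file argument against the 32-byte limit. It assumes the argument has already been decoded from the RPC call; the function names, the signature and the sample arguments are constructed for illustration.

```python
from typing import Optional

MAX_SERVER_NAME = 32  # byte limit for the server name, as stated on the slide


def server_name(arg: bytes) -> Optional[bytes]:
    # Return the server part of a UNC-style argument, or None if it is not one.
    if not arg.startswith(b"\\\\"):
        return None
    # Everything up to the next backslash; if none follows, the whole remainder.
    return arg[2:].partition(b"\\")[0]


def exploit_filter(arg: bytes, signature: bytes) -> bool:
    # Exploit filter: matches bytes copied from one known exploit.
    return signature in arg


def vulnerability_filter(arg: bytes) -> bool:
    # Vulnerability filter: the flaw needs an over-long server name, so test that.
    name = server_name(arg)
    return name is not None and len(name) > MAX_SERVER_NAME


# Constructed sample arguments (filler bytes only, no real payload).
SAMPLES = {
    "benign": b"\\\\FILESRV01\\reports\\q3.doc",
    "benign_lookalike": b"\\\\FILESRV01\\AAAAAAAA-backup.zip",
    "max_length_name": b"\\\\" + b"N" * 32 + b"\\file.txt",
    "exploit_a": b"\\\\" + b"A" * 200 + b"\\file.txt",
    "exploit_b": b"\\\\" + b"B" * 64 + b"\\file.txt",
    "no_file_part": b"\\\\" + b"C" * 40,
}
SIGNATURE_A = b"AAAAAAAA"  # hypothetical signature derived from exploit A


def compare() -> dict:
    # Sample name -> (exploit filter verdict, vulnerability filter verdict)
    return {k: (exploit_filter(v, SIGNATURE_A), vulnerability_filter(v))
            for k, v in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ef, vf) in compare().items():
        print(f"{name:18} exploit_filter={ef!s:5} vulnerability_filter={vf}")
```

The signature-based filter blocks the benign look-alike and misses the second variant, while the length check flags every over-long name and leaves a name of exactly 32 bytes alone.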

Page 19: HP Converged Infrastructure - Break the IT innovation gridlock

HP TippingPoint Product Line

HP S 10 IPS

20Mbps • 2 Segments

HP S 110 IPS

100Mbps • 4 Segments

HP S 330 IPS

300Mbps • 4 Segments

HP S 660N IPS

750Mbps • 10 Segments

HP S 1400N IPS

1.5Gbps • 10 Segments

HP S 2500N IPS

3Gbps • 11 Segments

HP S 5100N IPS

5Gbps • 11 Segments

HP Core Controller

20Gbps • 3x10GbE Segments

HP Security Management System (SMS)

Manage Multiple Units • Central Dashboard

HP Digital Vaccine

Broadest Coverage • Evergreen Protection

HP Web App DV and Scanning

Web Scan • Custom Filters • PCI Report

IPS Platform Solutions Security Intelligence

HP Reputation DV

IP Reputation • DNS Reputation

ROBO, Perimeter, Zone isolation, MSPs…

10GE Networks, Core, Data Center, Service Providers…

Management, Accessories

DVLabs Services

Reputation DV

HP SSL Appliance 1500S

Transparent SSL Bridging and Off-Loading

IPS for Virtualisation

VMC and V-controller

Visibility & control in virtualised data centres

HP Custom DV

Customised DV

DV toolkit

1200 N IPS module (HP A 7500)

1.3 Gbps • VLAN segments

Page 20: HP Converged Infrastructure - Break the IT innovation gridlock

TippingPoint Deployment Options

• INTERNAL ATTACKS AGAINST
  – WIRED / WIRELESS LAN INFRASTRUCTURE
  – DATA CENTER

• INTERNAL & EXTERNAL ATTACKS
  – MAJOR NETWORK SEGMENTS

• EXTERNAL ATTACKS THROUGH
  – CORPORATE WAN PERIMETER
  – WEB APPLICATION INFRASTRUCTURE
  – PCI
  – ROBO
  – PEERING POINTS

Centralized Policy and Configuration Management

TippingPoint Digital Vaccine Service

Perimeter and internal network deployment extends threat coverage across the network

Page 21: HP Converged Infrastructure - Break the IT innovation gridlock

Single Security Model for the Physical AND Virtual Data Center

Data Center Security With HP TippingPoint

[Diagram: DMZ Zone, Finance Zone and R&D Zone; a Virtualized Servers Cluster of virtual machines (OS/APP) on a Distributed vSwitch with vController instances; Physical R&D Servers; Physical Finance Servers; N-Platform IPS; Security Blade or N-Platform IPS]

Page 22: HP Converged Infrastructure - Break the IT innovation gridlock

HP FlexFabric for client virtualisation

Virtualised server edge agility
• Seamless provisioning, network-transparent migration of VM connectivity, precise VM-level bandwidth allocation

Virtual Connect Flex-10

Virtual Connect FlexFabric

Virtualisation-enabling network designs

Highly-scalable platforms + Intelligent Resilient Framework (IRF) = Virtualization-enabling Large Scale Layer 2 Interconnect

Virtualisation-integrated management & security
• QoS policy management via VM provisioning/VMotion API integration
• High performance IPS technology, VM security offload

Intelligent Management Center (IMC)

TippingPoint IPS + vController

Ideally suited to propel virtualisation agility and scale

Page 23: HP Converged Infrastructure - Break the IT innovation gridlock

HP FlexFabric delivers…

Simplicity – streamlined network designs, centralized management

Agility – wire-once, high performance, accelerated provisioning

Reduced Cost – fewer systems, lower power, lower cost-of-acquisition, security

Page 24: HP Converged Infrastructure - Break the IT innovation gridlock

Outcomes that matter.

Stand 430