HP Converged Infrastructure - Break the IT Innovation Gridlock
TRANSCRIPT
1 HP FlexFabric - Data center network for the HP Converged Infrastructure
Presenter: Andy, HP Networking ([email protected])
2
Business / IT initiatives
The network underpins all of these major data center initiatives…
It must evolve and keep pace
Figure: initiatives surrounding the network: users and customers; server virtualization; I/O virtualization; cloud computing; security & BC/DR; desktop virtualization
3
Today’s network architectures can’t keep pace
Figure: supply (network evolution: LAN switching, branch routing, wireless, DC routing, DC switching) versus demand (network services: data, voice and video traffic, network convergence, unified communication & collaboration, cloud computing, storage, server virtualization, desktop virtualization), with a widening network architecture gap between the two
4
A blueprint to deliver “networking as a service” to the HP Converged Infrastructure
Converge: consolidate storage-server I/O connects; prepare for future network convergence
Orchestrate: centrally manage connection policies; provision via data center orchestration
Scale + Secure: scale for 1000’s of servers, TBs of storage; assure security, performance, flexibility
HP FlexFabric design
5
HP FlexFabric architecture
Figure: data center architecture layers: network management; network; virtual resource pools; storage; interconnect; server edge; servers; Matrix Operating Environment; network security; backbone
Comprehensive resource management + virtualisation-aligned connection management; assured business continuity
Modern; Standards-Based; Single OS; Resilient; Virtualised; Flatter
Simplicity; Performance; Reduced costs
6
3 Solutions
Switch virtualisation: IRF
Enterprise network management: IMC
Intrusion Prevention for virtual hosts: vController/VMC
7
HP FlexFabric technology: Intelligent Resilient Framework (Simplify)
Figure: Traditional 3 Tier Data Center; HPN Simplified 2 Tier Data Center; HPN Simplified 1 Tier Data Center
8
HP FlexFabric technology: Intelligent Management Center (IMC)
Comprehensive Management, better service, lower OpEx
Align demands for business-critical service delivery with network management
Comprehensive visibility across all layers and functions
Improving endpoint defense, control and visibility
Common operations view with extensions for IT orchestration
Unified resource management
Multi-vendor, single pane visibility across networking
Integrated access & user management
Common management integrated with HP Software
9
HP FlexFabric technology: Intelligent Management Center (VM Aware)
Comprehensive Management, better service, lower OpEx
Figure: VM-aware IMC views: topology, health, location, vMotion aware; VLAN, QoS, CAR, ACL
Common operations view with extensions for IT orchestration
Visualise Virtual Machines
Track
Provision
Common management integrated with HP Software
10
TippingPoint Overview
2001: Pioneered In-line IPS
2005: Acquired by 3Com
2005: Gartner Leader’s Quadrant
2006: Gartner Leader’s Quadrant
2007: Gartner Leader’s Quadrant
2008: Gartner Leader’s Quadrant
2009: Gartner Leader’s Quadrant
2010: Acquired by HP
7,000+ customers
Gartner “Magic Quadrant” Network IPS Appliances 2009
11
TippingPoint IPS Platform
Availability
• In-line reliability
• High throughput
• Low latency
Figure: dirty traffic goes in, clean traffic comes out (IPS Platform with Security Management System)
Security
• Filter quality
• Fastest coverage
• Broadest coverage
Costs
• Quick to deploy
• Recommended settings
• Easy to manage
12
TippingPoint IPS Reliability
Hardware:
• Zero Power High Availability (ZPHA): maintains traffic if power fails
• Dual hot-swappable power supplies
Software:
• Automated L2 fallback and recovery: self monitoring of Security and Mgmt; L2 fallback option if thresholds exceeded
• Hitless OS upgrades and reboots
• Link down synchronization: links mirrored and brought down together
• IPS synchronise blocked flows: efficient HA
• Multiple redundancy options: Active-Active, or Active-Passive; no requirement to waste segments/ports
• No IP address or MAC address: transparent to network HA and routing protocols (HSRP, VRRP, OSPF, EIGRP, BGP)
Figure: redundancy / high availability features: internal security processing in normal operating mode versus Layer 2 fallback
13
Broadest Protection
Threat Coverage
• Malware – worms, viruses, Trojans, etc.
• Spyware
• Phishing, Whaling and Spear Phishing
• Un-patched devices, O/S and applications
• Web Application Attacks – XSS, PHP Includes and SQL Injection, etc.
• Unwanted Applications – IM and P2P
• Policy Settings
• Protocol Anomaly Checks
Application & O/S Coverage
• Microsoft, Cisco, SAP, EMC, CA, Sun, Mozilla, Novell, Oracle, Apple, Citrix, Adobe…
Vulnerability Coverage: 2009 Microsoft Vulnerabilities, 146/163 Covered
14
Fastest Protection
Chart: zero-day threat coverage (pre-existing coverage), % of respondents, Infonetics Research IPS Survey – August 2008: Tipping Point 50%, McAfee 15%, Cisco 10%, IBM ISS 8%, Sourcefire 20%
Infonetics 2008 “IPS Customer Survey”, Speed of Coverage
2009 Microsoft Vulnerabilities: -31 days; 146/163 Covered
15
TippingPoint IPS Platform: DVLabs security research
DVLabs Services:
− Digital Vaccine
− Web App DV & Scanning
− Reputation DV
− Custom DV
− ThreatLinQ
− Lighthouse Program
Figure: DVLabs, leading security research and filter development, fed by: partners (SANS, CERT, NIST, etc.; software & reputation vendors); ThreatLinQ monitoring (2,000+ customers participating); DVLabs research & QA (30+ dedicated researchers); Zero-Day Initiative (1,200+ independent researchers)
An IPS Platform is Only as Good As its Security Intelligence
16
Virtual Software Patch
Vulnerability: security flaw in a software program
Exploit: method that takes advantage of a vulnerability to:
• Gain unauthorized access
• Create a denial of service
Exploit Filter: covers a single exploit, not the vulnerability
• Typically produced due to IPS performance or research limitations
• Results in false negatives (missed attacks) and false positives (blocking good traffic)
Vulnerability Filter: covers the entire vulnerability and all possible exploits
• A single filter protects against all exploits
Figure: the vulnerability space with a coarse filter region (false positives), a standard IPS exploit filter for Exploit A, Exploit A and Exploit B (missed by Exploit Filter A), and the Virtual Software Patch (TippingPoint filter)
HP TippingPoint’s vulnerability filter acts as a Virtual Software Patch, streamlining the patching process
17
Vulnerability filters: an old example (we have been doing this for a long time)
• The Blaster/Nachi RPC DCOM Buffer Overflow
• Microsoft proprietary implementation
• How it should work:
− Open connection (TCP ports 135, 139, 445, 593, UDP 135)
− Bind to interface
− Call function
− Supply arguments
The server expects the arguments to include a filename in the format \\server\file, where server is a NetBIOS name and therefore no longer than 32 bytes.
In one published exploit the value of \\server\file was \\...long_string_with_shellcode...\filename
• This caused a buffer overflow on the target system and allowed injection of arbitrary code to run with system privileges
18
Vulnerability filters
No false negatives:
• The following must be in place for any exploit:
1. Open connection (TCP ports 135, 139, 445, 593, UDP 135)
2. Bind to interface
3. Call function
4. Supply arguments
− All exploits must comply with the above – if we detect the above we detect all possible exploits
• We have a no-false-negative filter – we won’t miss any attacks
No false positives:
• One step is never seen in good traffic
− Step 4 includes a server NetBIOS name never seen in good traffic (anything greater than 32 bytes)
− We also have a no-false-positive filter – we won’t block good traffic
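The two filter types from the Virtual Software Patch and Blaster slides, as an added Python illustration that is not part of the original deck: an exploit filter that matches one constructed signature (EXPLOIT_A_MARKER, a stand-in for a real signature) in the RPC filename argument, beside a vulnerability filter that applies the slides' protocol-level check (server component of \\server\file longer than 32 bytes), run over constructed sample arguments so that a second variant without the signature is still caught while legitimate names pass.

```python
import re

# Added example (not from the slides). The slides state that the server part
# of a \\server\file argument is a NetBIOS name and therefore never longer
# than 32 bytes in legitimate traffic; that is the vulnerability filter's check.
NETBIOS_MAX_BYTES = 32

# Exploit filter: looks for one published exploit's distinctive content.
# EXPLOIT_A_MARKER is a constructed stand-in for a real signature string.
EXPLOIT_A_MARKER = "EXPLOIT_A_MARKER"


def exploit_filter(arg: str) -> bool:
    """Block only traffic that carries exploit A's signature."""
    return EXPLOIT_A_MARKER in arg


def server_name(arg: str):
    """Return the server component of a \\\\server\\file argument, or None."""
    m = re.match(r"\\\\([^\\]*)\\", arg)
    return m.group(1) if m else None


def vulnerability_filter(arg: str) -> bool:
    """Block any argument whose server name exceeds the NetBIOS length limit.

    This is the slide's "one step never seen in good traffic": the check is on
    the protocol field, so it does not depend on any particular exploit payload.
    """
    name = server_name(arg)
    return name is not None and len(name.encode("utf-8")) > NETBIOS_MAX_BYTES


# Constructed sample arguments. The overlong names are plain filler
# characters, not exploit bytes; only their length matters here.
SAMPLES = {
    "good_short": r"\\FILESRV01\share\report.doc",
    "good_max_len": "\\\\" + "A" * NETBIOS_MAX_BYTES + "\\file.txt",
    "exploit_A": "\\\\" + EXPLOIT_A_MARKER + "X" * 200 + "\\file",
    "exploit_B": "\\\\" + "Y" * 300 + "\\file",  # variant with no signature
    "not_unc": "plain_name.txt",                  # malformed: no \\server\ prefix
}


def evaluate(samples=SAMPLES):
    """Map each sample to (exploit_filter verdict, vulnerability_filter verdict)."""
    return {k: (exploit_filter(v), vulnerability_filter(v)) for k, v in samples.items()}


if __name__ == "__main__":
    for name, (ef, vf) in evaluate().items():
        print(f"{name:14s} exploit_filter={ef!s:5s} vulnerability_filter={vf}")
```

Only exploit_B shows the difference between the two approaches: the exploit filter misses it (a false negative) while the length check still blocks it without touching the two legitimate samples.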
19
HP TippingPoint Product Line
IPS Platform:
HP S 10 IPS: 20Mbps • 2 Segments
HP S 110 IPS: 100Mbps • 4 Segments
HP S 330 IPS: 300Mbps • 4 Segments
HP S 660N IPS: 750Mbps • 10 Segments
HP S 1400N IPS: 1.5Gbps • 10 Segments
HP S 2500N IPS: 3Gbps • 11 Segments
HP S 5100N IPS: 5Gbps • 11 Segments
HP Core Controller: 20Gbps • 3x10GbE Segments
1200 N IPS module (HP A 7500): 1.3 Gbps • VLAN segments
Deployment targets: ROBO, Perimeter, Zone isolation, MSPs…; 10GE Networks, Core, Data Center, Service Providers…
Solutions:
HP SSL Appliance 1500S: Transparent SSL Bridging and Off-Loading
IPS for Virtualisation, VMC and vController: Visibility & control in virtualised data centres
Security Intelligence (DVLabs Services):
HP Digital Vaccine: Broadest Coverage • Evergreen Protection
HP Web App DV and Scanning: Web Scan • Custom Filters • PCI Report
HP Reputation DV: IP Reputation • DNS Reputation
HP Custom DV: Customised DV • DV toolkit
Management, Accessories:
HP Security Management System (SMS): Manage Multiple Units • Central Dashboard
20
TippingPoint Deployment Options
• Internal attacks against: wired / wireless LAN infrastructure; data center
• Internal & external attacks: major network segments
• External attacks through: corporate WAN perimeter; web application infrastructure; PCI; ROBO; peering points
Centralized Policy and Configuration Management
TippingPoint Digital Vaccine Service
Perimeter and internal network deployment extends threat coverage across the network
21
Single Security Model for the Physical AND Virtual Data Center: Data Center Security With HP TippingPoint
Figure: DMZ, Finance and R&D zones spanning physical R&D servers, physical Finance servers and a virtualized server cluster (OS/APP virtual machines on a distributed vSwitch with vControllers); protected by N-Platform IPS, and Security Blade or N-Platform IPS
22
HP FlexFabric for client virtualisation
Virtualised server edge agility
• Seamless provisioning, network-transparent migration of VM connectivity, precise VM-level bandwidth allocation
Virtual Connect Flex-10, Virtual Connect FlexFabric
Virtualisation-enabling network designs
Highly-scalable platforms
Intelligent Resilient Framework (IRF)
Virtualization-enabling Large Scale Layer 2 Interconnect
Virtualisation-integrated management & security
• QoS policy management via VM provisioning/VMotion API integration
• High performance IPS technology, VM security offload
Intelligent Management Center (IMC), TippingPoint IPS + vController
Ideally suited to propel virtualisation agility and scale
23
HP FlexFabric delivers…
Simplicity – streamlined network designs, centralized management
Agility – wire-once, high performance, accelerated provisioning
Reduced Cost – fewer systems, lower power, lower cost-of-acquisition, security
24
Outcomes that matter.
Stand 430