8/3/2019 Virtualization Security Data Center Sab[1]
http://slidepdf.com/reader/full/virtualization-security-data-center-sab1 1/7
There is nothing more important than our customers.
Securing the Virtualized Data Center
A Strategy for Private Cloud Security
Introduction
“As of mid-2011, at least 40% of x86 architecture workloads have been virtualized on servers; furthermore, the installed base is expected to grow five-fold from 2010 through 2015 (as both the number of workloads in the marketplace grow and as penetration grows to more than 75%).” [1]
Virtualization of the data center provides IT departments with an attractive set of cost saving benefits including lower total cost of ownership, increased operational efficiencies and more flexible management capabilities. Virtualization also provides an equally impressive set of security challenges.
“Less than 20 percent of organizations using virtualization technology are adopting security tools to work in tandem with the software in order to decrease the risks that are inherent in a virtualized environment.” [2]
Virtualized Data Centers (Private Clouds) have two fundamental differences from traditional data centers driving these challenges. The first difference is that the virtual data center relies on a hypervisor, which isolates the virtual machines (VMs) from the physical network. This creates a virtual network within the hypervisor that connects the server’s virtual machines and allows them to communicate without the traffic crossing the physical network. A consequence of this is that security threats are isolated from the traditional network security tools that provide visibility, control, threat detection, and automated response. Virtual machines residing on the same physical server can communicate across the virtual switch without the traffic ever appearing on the physical network where the security tools reside. The problem this creates is that if one virtual machine is compromised, a single insecure application can attack other virtual machines on the same physical server without being detected by the security tools on the physical network.
Figure 1 VM to VM Communications [diagram: VM-1 to VM-4 connected by a virtual switch inside the server; IDS, IPS and SIEM sit on the physical network, below the virtual/physical boundary]
1 Bittman, Thomas J., et al., “Magic Quadrant for x86 Server Virtualization Infrastructure,” Gartner Research Note G00213635, June 30, 2011
2 Burke, John, Nemertes Research; quoted in CSO.com, June 07 2011, Joan Goodchild, “Virtualized environments painfully insecure?”
Benefits
• Move virtual machines between physical servers at will without impeding the enterprise’s security posture or requiring a time consuming manual process
• Ensure the visibility, threat detection and control of the virtual environment meets the same standard as the controls in the physical environment
• Gain the business agility promised by the virtualized environment
SOLUTION ARCHITECTURE BRIEF
[Figure 2 diagram: VM-1 to VM-4 spread across Server-1 and Server-2, each server with its own virtual switch, joined by the physical network; VM-4 is shown moving from Server-1 to Server-2]
[Figure 3 diagram: security cycle of Visibility, Enforcement, and Detection & Response. Visibility: correlate and manage network flow data; provide visibility and reporting. Detection & Response: correlate and manage network flow data; provide visibility and reporting. Enforcement: enforce role-based least-privilege access; control visitor access; enforce location-dependent access; enforce time-dependent access; protect critical network segments; enforce compartmentalization; harden servers]
The second difference between virtualized data centers (Private Clouds) and traditional data centers is the Private Cloud’s combination of virtualization and automation. Virtual machines can be automatically moved between physical servers to provide high availability or load balancing.
Figure 2 VM Automation
This automation means that to maintain the same security posture, network provisioning and security workflows must also be automated. Unfortunately many IT departments rely on time consuming and labor intensive manual workflows to provision and secure these virtual machines. This often means that the security and prioritization provisioning happen long after the virtual server has moved to a new physical server. Until the provisioning is complete the virtual server might be more vulnerable to attacks.
Securing the Virtualized Data Center
The fundamental best practices of providing visibility into network flows, enforcement of security and acceptable use policies, and threat detection and automated response that apply to the physical network also apply to the virtualized data center. Virtual servers require the same level of protection that a physical server receives: communications across the virtual network need to be inspected, flow data needs to be examined and the solution needs to be able to adapt to dynamic system mobility.
Figure 3 Security Best Practices
[Figure 4 diagram (Enterasys Solution): the same Visibility, Enforcement, and Detection & Response cycle with the components NBAD, SIEM, HIDS, IPS and Data Center Manager. Visibility: correlate and manage network flow data; detect VM to VM flows; provide visibility and reporting. Detection & Response: detect threats; provide visibility and reporting. Enforcement: enforce VM-specific access controls; enforce compartmentalization; prioritize application traffic]
The challenge for enterprises is to find a set of tools that enable them to implement these best practices in the virtualized and automated environment of the virtualized data center. As Burke’s research cited at the beginning of this paper shows, enterprises are struggling in this effort and leaving themselves open to increased risk.
The Enterasys solution
Enterasys provides a complete, end-to-end virtualization security solution that applies the experience of 28 years in network infrastructure and security to the new challenges of virtualization. The Enterasys solution for securing the virtualized data center consists of four components that can be deployed separately or in a fully integrated solution:
• Virtualized Host Intrusion Detection System (HIDS) sensor
• Virtualized Intrusion Detection System (IDS) sensor
• Virtualized Network Based Anomaly Detection (NBAD) flow sensor/SIEM
• Data Center Manager
When deployed together these four elements provide the visibility, enforcement, and threat detection required to secure the virtualized data center.
Figure 4 Enterasys Solution
Virtualized Host Intrusion Detection Sensor – Protecting the Virtual Server
Just like their physical counterparts, virtual servers need protection from a variety of attacks. Enterasys virtualized host sensors are sophisticated security applications that detect attacks on virtual servers (VMs) in real time. Host intrusion detection is particularly valuable in environments where AES, SSL, IPsec, or other encryption schemes are deployed because the sensor analyzes the decrypted data. Enterasys virtualized host sensors monitor systems running today’s most common operating systems for evidence of malicious or suspicious activity in real time. Host sensors use a variety of techniques to detect attacks and misuse, including analyzing the security event log, checking the integrity of critical configuration files, and checking for kernel level compromises. This hybrid approach helps organizations meet compliance requirements for servers as mandated by regulations including PCI, HIPAA and Sarbanes Oxley.
Figure 5 Virtualized HIDS [diagram: VM-1 to VM-4 on the virtual switch, each running a HIDS agent; IDS, IPS and SIEM on the physical network]
Enterasys host based sensors are unique for their broad platform support, including Microsoft® Windows, Solaris, Red Hat Enterprise Linux, HP-UX, Fedora Core, SUSE and AIX. The host sensors are supported on any supported O/S that is itself running on a virtual machine of a VMware ESX Server (version 3.0 or 4.0), AIX 5.3 and 6.1 running in logical partitions (LPARs), and on Solaris 10 running in logical domains (LDOMs) on supported platforms.
Enterasys host sensors provide maximum protection using the following techniques to verify the integrity of the virtual server:
• Monitor file attributes such as file permission, owner, group, value, size increase, truncation and modification date
• Check file integrity to determine whether the content of critical files was changed
• Continuously analyze log files using signature policies to detect attacks and/or compromises
• Monitor Windows event logs for misuse or attack
• Analyze the Windows registry for attributes that should not be accessed and/or modified
• Perform TCP/UDP service detection for protection against backdoor services
• Monitor the kernel to detect suspicious privilege escalations and other signs of kernel-level compromises such as rootkits.
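The first two techniques in that list, attribute monitoring and content integrity checking, come down to taking a trusted baseline and diffing a later scan against it. The block below is an added example, not Enterasys host-sensor code: it records permission bits, owner, group, size, modification time and a SHA-256 of each watched file, then reports every attribute that changed. The two "configuration files" it tampers with are constructed in a temporary directory, and the event names are assumptions chosen to mirror the bullet list above.

```python
"""File attribute and integrity monitor (added example, not Enterasys code).

Assumes a baseline taken while the server is known-good and a later
re-scan of the same paths; every differing attribute becomes a finding.
"""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List


def _sha256(path: str) -> str:
    """Hash file content in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(paths: List[str]) -> Dict[str, dict]:
    """Record permission bits, owner, group, size, mtime and content hash per file."""
    record = {}
    for path in paths:
        st = os.stat(path)
        record[path] = {
            "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid,
            "gid": st.st_gid,
            "size": st.st_size,
            "mtime_ns": st.st_mtime_ns,
            "sha256": _sha256(path),
        }
    return record


def compare(baseline: Dict[str, dict], current: Dict[str, dict]) -> List[dict]:
    """Return one finding per attribute that differs from the baseline."""
    findings = []
    for path, old in baseline.items():
        new = current.get(path)
        if new is None:
            findings.append({"path": path, "event": "missing"})
            continue
        if new["sha256"] != old["sha256"]:
            findings.append({"path": path, "event": "content_changed"})
        if new["size"] > old["size"]:
            findings.append({"path": path, "event": "size_increase",
                             "old": old["size"], "new": new["size"]})
        elif new["size"] < old["size"]:
            findings.append({"path": path, "event": "truncated",
                             "old": old["size"], "new": new["size"]})
        if new["mode"] != old["mode"]:
            findings.append({"path": path, "event": "permission_changed",
                             "old": oct(old["mode"]), "new": oct(new["mode"])})
        if new["uid"] != old["uid"]:
            findings.append({"path": path, "event": "owner_changed"})
        if new["gid"] != old["gid"]:
            findings.append({"path": path, "event": "group_changed"})
        if new["mtime_ns"] != old["mtime_ns"]:
            findings.append({"path": path, "event": "mtime_changed"})
    for path in current:
        if path not in baseline:
            findings.append({"path": path, "event": "unexpected_file"})
    return findings


def demo() -> set:
    """Constructed scenario: baseline two config files, tamper with both, re-scan.
    Returns the set of (file name, event) pairs the monitor reports."""
    with tempfile.TemporaryDirectory() as tmp:
        sshd_config = os.path.join(tmp, "sshd_config")  # constructed sample file
        passwd = os.path.join(tmp, "passwd")            # constructed sample file
        with open(sshd_config, "w") as fh:
            fh.write("PermitRootLogin no\n")
        with open(passwd, "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/sh\n")
        os.chmod(sshd_config, 0o600)
        os.chmod(passwd, 0o644)
        baseline = snapshot([sshd_config, passwd])

        # Tampering: the sshd config grows by a line, passwd becomes world-writable.
        with open(sshd_config, "a") as fh:
            fh.write("PermitRootLogin yes\n")
        os.chmod(passwd, 0o666)

        findings = compare(baseline, snapshot([sshd_config, passwd]))
        return {(os.path.basename(f["path"]), f["event"]) for f in findings}


if __name__ == "__main__":
    for name, event in sorted(demo()):
        print(f"{name}: {event}")
```

The baseline itself has to live somewhere the monitored host cannot rewrite (a central server or a read-only store), otherwise an intruder who can edit the file can also edit its recorded hash; that is why the brief pairs the host sensor with central management rather than leaving state on the VM.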
The host sensors support custom module development using Microsoft’s .NET Framework. This allows users to leverage the power and flexibility of the .NET framework to customize Enterasys functionality to meet their needs.
Virtualized Intrusion Detection Sensor – Detecting the Threats
IDS systems deployed in the physical network cannot inspect VM to VM traffic that does not leave their physical server. This uninspected internal traffic represents a potentially serious threat vector. An infected virtual machine could compromise all of the other VMs residing on the physical server without anyone being aware of the attack. The compromise, having been allowed to escalate, increases the potential data loss and damages. Virtualizing the IDS sensor and attaching it to the virtual switch makes all internal (VM to VM) and external (VM to physical client) traffic available for inspection.
Enterasys IDS virtual sensors can be deployed on VMware ESX™ servers. With these virtual machine options enterprises can deploy cost-efficient threat protection with the ability to monitor both the physical and virtual networks.
Figure 6 Virtualized IDS Sensor [diagram: VM-1 to VM-4 with HIDS agents and a virtual IDS sensor (VS-1) attached to the same virtual switch; IDS, IPS and SIEM on the physical network]
The virtual IDS sensor is attached to a port on the virtual switch that is placed in promiscuous mode. In this mode all traffic seen on any port on the switch will be mirrored to the sensor for analysis.
The sensor ships with a comprehensive set of pre-installed signatures, VoIP protocol decoders for SIP, MGCP, and H.323 protocols, and features that provide advanced detection of malformed messages to help prevent DoS attacks. The sensor supports both IPv4 and IPv6 network protocols. Threat detection is accomplished using multi-method detection technologies that integrate vulnerability pattern matching, protocol analysis, and anomaly-based detection with specific support for VoIP environments. Application based event analysis is used to detect attacks against commonly targeted applications such as HTTP, RPC, and FTP.
The virtual sensors are centrally managed via the Enterprise Management Server (EMS). The EMS provides configuration management, status monitoring, live security updates, and a secure encrypted communications channel.
Virtualized Network Based Anomaly Detection (NBAD) Flow Sensor – Providing Visibility
Network and server administrators need to understand which clients and which applications are being used to access the information stored on both physical and virtual servers. External flow sensors can report on flows between the virtual servers and clients on the physical network, but to provide visibility into flows between virtual servers residing on the same physical server the flow sensor must be virtualized. The virtualized NBAD flow sensor provides the same visibility and functionality for the virtual network infrastructure that physical NBAD flow sensors provide for the physical network.
The flow sensor connects to a port on the virtual switch that is placed in promiscuous mode so the sensor will see all data flows crossing the virtual switch. The sensor supports up to 10,000 flows per minute and can monitor three virtual interfaces with one additional switch designated as the management interface.
Figure 7 Virtualized Flow Sensor [diagram: VM-1 to VM-4 with HIDS agents, a virtual IDS sensor and a virtual flow sensor attached to the virtual switch; NBAD, IDS, IPS and SIEM on the physical network]
[Figure 8 diagram: VM-1 to VM-4 across Server-1 and Server-2; the physical switch in front of each server carries per-VM provisioning rules, and VM-4’s rules follow it as it moves from Server-1 to Server-2]
The virtualized flow sensor collects flow data with application layer (layer seven) visibility. Flow data is collected and sent to the Security Information and Event Manager (SIEM) for analysis. The application layer visibility allows the SIEM to analyze and report on which applications are being used to access information on the servers. The SIEM correlates flow data from the physical and virtual environments and creates baselines of normal application flow patterns. If the flow patterns deviate from this baseline or reveal potential threats or vulnerabilities they are flagged and a security event is issued. Flows that represent threats or violations of policy are captured and reported for correlation and remediation.
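The paragraph above describes three distinct checks the SIEM runs over layer-seven flow records: learn a baseline of normal application flows, flag flows that deviate from it, and flag flows that violate policy (the conclusion later names unexpected VM to VM traffic as the canonical example). The block below is an added example, not Enterasys SIEM logic: the flow records, host names, whitelist and the per-(source, destination, application) mean/standard-deviation baseline are all constructed assumptions, chosen so that a never-seen lateral flow, a whitelisted VM to VM flow and a ten-fold volume spike each land where the text says they should.

```python
"""Flow-baseline anomaly and policy detection (added example, not Enterasys code).

Assumptions: each flow record already carries the application label the
sensor attached; "normal" is a per-(src, dst, app) mean and standard
deviation of bytes learned from a constructed quiet period.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, Iterable, List, Set, Tuple

FlowKey = Tuple[str, str, str]  # (source, destination, application)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    app: str    # application-layer (layer-7) label from the flow sensor
    nbytes: int


# Hosts that live on the virtual switch (constructed inventory).
VM_HOSTS: Set[str] = {"vm-web", "vm-app", "vm-db"}
# VM-to-VM flows that policy explicitly permits (constructed policy).
ALLOWED_VM_TO_VM: Set[FlowKey] = {("vm-web", "vm-app", "https"),
                                  ("vm-app", "vm-db", "mysql")}

# Constructed "normal week" of flows used to learn the baseline.
BASELINE_FLOWS: List[Flow] = (
    [Flow("client-10.1.1.5", "vm-web", "http", b) for b in (48_000, 51_000, 50_000, 49_000, 52_000)]
    + [Flow("vm-web", "vm-app", "https", b) for b in (20_000, 21_000, 19_000, 20_000, 20_000)]
    + [Flow("vm-app", "vm-db", "mysql", b) for b in (5_000, 5_200, 4_800, 5_000, 5_000)]
)


class FlowBaseline:
    """Per-flow-key volume statistics plus policy checks for each new flow."""

    def __init__(self, flows: Iterable[Flow]):
        buckets: Dict[FlowKey, List[int]] = defaultdict(list)
        for f in flows:
            buckets[(f.src, f.dst, f.app)].append(f.nbytes)
        self.stats = {k: (mean(v), pstdev(v)) for k, v in buckets.items()}

    def evaluate(self, flow: Flow, z_threshold: float = 3.0) -> List[str]:
        """Return the security events one flow raises (empty list if normal)."""
        events = []
        key = (flow.src, flow.dst, flow.app)
        # Policy: VM-to-VM traffic is only allowed when explicitly whitelisted.
        if flow.src in VM_HOSTS and flow.dst in VM_HOSTS and key not in ALLOWED_VM_TO_VM:
            events.append("policy_violation:vm_to_vm")
        if key not in self.stats:
            events.append("new_flow")
            return events
        mu, sigma = self.stats[key]
        # A constant baseline has sigma 0; fall back to 10% of the mean so a
        # genuinely larger flow still stands out without dividing by zero.
        sigma = sigma or max(mu * 0.1, 1.0)
        if (flow.nbytes - mu) / sigma > z_threshold:
            events.append("volume_anomaly")
        return events


def analyze(baseline: FlowBaseline, flows: Iterable[Flow]) -> List[Tuple[Flow, List[str]]]:
    """Run every flow through the baseline; only flagged flows are returned."""
    return [(f, ev) for f in flows if (ev := baseline.evaluate(f))]


def demo() -> List[Tuple[Flow, List[str]]]:
    """Constructed observation window mixing normal and suspicious flows."""
    observed = [
        Flow("client-10.1.1.5", "vm-web", "http", 50_500),   # normal volume
        Flow("vm-app", "vm-db", "mysql", 5_100),             # whitelisted VM-to-VM
        Flow("vm-web", "vm-db", "ssh", 3_000),               # never seen, crosses tiers
        Flow("client-10.1.1.5", "vm-web", "http", 500_000),  # 10x the usual volume
    ]
    return analyze(FlowBaseline(BASELINE_FLOWS), observed)


if __name__ == "__main__":
    for flow, events in demo():
        print(f"{flow.src} -> {flow.dst} [{flow.app}] {flow.nbytes} B: {', '.join(events)}")
```

The policy check runs before the baseline lookup on purpose: a VM to VM flow that was present during the learning period would otherwise be "normal" by volume and never surface, which is exactly the blind spot the brief is about. The learning window therefore has to be one the operators trust, and the whitelist is where that trust is made explicit.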
Data Center Manager – Automating Security and Management Workflows
Virtual machine mobility refers to the automated process of moving a VM from one physical server to another to provide high availability, load balancing or disaster recovery. The physical network switches that connect the servers containing the virtual machines to the physical network provide access controls that protect the virtual machines and traffic prioritization rules for the applications accessing the virtual machines. Since each virtual machine will have different requirements they will each have a different set of provisioning rules. As long as a VM resides on a single physical server the network switch can be provisioned with the rules for that VM. If the VM is automatically moved to another physical server the network switch for the new physical server will have to be provisioned with the rules for the new VM. Relying on manual processes for this provisioning is labor intensive and the time lag between the movement of the VM and the provisioning of the physical switch represents a security threat to the VM. One of Enterasys Data Center Manager’s features is the ability to automate the process of provisioning the network infrastructure to apply the correct access controls and traffic prioritizations for each virtual machine.
Figure 8 Data Center Manager
Data Center Manager ensures that the proper provisioning is automatically applied to each virtual machine. If the VM moves to another physical server, the VM’s specific provisioning rules are automatically enforced by the new physical switch without requiring any manual intervention. Automating the provisioning workflows for the physical infrastructure reduces IT workload, improves virtual machine security, improves application delivery and satisfies compliance requirements.
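The two paragraphs above describe an event-driven workflow: a migration event arrives, the destination switch is provisioned with that VM's rules, the source switch is cleaned up, and the "time lag" exposure disappears. The block below is an added example that models that workflow; it is not Enterasys Data Center Manager code, and the rule format (an ACL tuple and a priority), the switch and server objects, the migration event and the two-server lab are constructed stand-ins. It also computes the exposure window the text warns about, so the manual and automated cases can be compared.

```python
"""Automated per-VM switch provisioning on migration (added example, not
Enterasys code). Rule format, switch model and the lab inventory are
constructed assumptions used only to illustrate the workflow."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class VmProfile:
    """Provisioning rules that must follow a VM wherever it runs."""
    name: str
    acl: tuple      # (protocol, port) pairs allowed to reach the VM
    priority: int   # traffic prioritization (constructed 0-7 scale)


@dataclass
class PhysicalSwitch:
    """Edge switch in front of one physical server; holds rules per VM."""
    name: str
    rules: Dict[str, VmProfile] = field(default_factory=dict)


@dataclass
class Server:
    name: str
    switch: PhysicalSwitch
    vms: Set[str] = field(default_factory=set)


class DataCenterManager:
    """Keeps each server's switch provisioned for exactly the VMs it hosts."""

    def __init__(self, profiles: Dict[str, VmProfile], servers: Dict[str, Server]):
        self.profiles = profiles
        self.servers = servers

    def on_vm_moved(self, vm: str, src: str, dst: str) -> None:
        """Handle a hypervisor migration event: push the VM's rules to the
        destination switch first, then record the move and retire the stale
        rules on the source switch so it grants nothing it no longer needs to."""
        profile = self.profiles[vm]
        self.servers[dst].switch.rules[vm] = profile
        self.servers[dst].vms.add(vm)
        self.servers[src].vms.discard(vm)
        self.servers[src].switch.rules.pop(vm, None)

    def unprotected_vms(self) -> List[str]:
        """VMs whose current server's switch lacks their rules: the exposure
        window a manual workflow leaves open after a move."""
        return sorted(vm for s in self.servers.values()
                      for vm in s.vms if vm not in s.switch.rules)


def build_lab() -> DataCenterManager:
    """Constructed two-server lab: VM-1..VM-3 on Server-1, VM-4 on Server-2."""
    profiles = {
        "VM-1": VmProfile("VM-1", (("tcp", 443),), priority=5),
        "VM-2": VmProfile("VM-2", (("tcp", 443),), priority=5),
        "VM-3": VmProfile("VM-3", (("tcp", 3306),), priority=6),
        "VM-4": VmProfile("VM-4", (("tcp", 22),), priority=2),
    }
    s1 = Server("Server-1", PhysicalSwitch("switch-1"), {"VM-1", "VM-2", "VM-3"})
    s2 = Server("Server-2", PhysicalSwitch("switch-2"), {"VM-4"})
    for s in (s1, s2):
        for vm in s.vms:
            s.switch.rules[vm] = profiles[vm]
    return DataCenterManager(profiles, {s1.name: s1, s2.name: s2})


def manual_move(dcm: DataCenterManager, vm: str, src: str, dst: str) -> None:
    """What happens without automation: the hypervisor moves the VM but the
    switches are left for a later, manual provisioning step."""
    dcm.servers[src].vms.discard(vm)
    dcm.servers[dst].vms.add(vm)


if __name__ == "__main__":
    dcm = build_lab()
    dcm.on_vm_moved("VM-4", "Server-2", "Server-1")
    print("unprotected after automated move:", dcm.unprotected_vms())
    lab = build_lab()
    manual_move(lab, "VM-3", "Server-1", "Server-2")
    print("unprotected after manual move:", lab.unprotected_vms())
```

Removing the rules from the source switch matters as much as adding them at the destination: a stale entry keeps a port open for a VM that is no longer behind it, so whatever lands on that server next inherits access it was never granted.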
In summary, Enterasys Data Center Manager provides:
• Automated unified physical-virtual network provisioning to improve efficiency in the virtualized data center
• Comprehensive virtual machine visibility to optimize resource use and decrease troubleshooting time
• Integrated workflow process to reduce IT workload and control VM sprawl
• Vendor agnostic technology support for a variety of virtualization platforms
• Simplified compliance addresses data center requirements through policy enforcement and traffic monitoring per virtual machine
Contact Us
Delivering on our promises. On-time. On-budget.
For more information, call Enterasys Networks toll free at 1-877-801-7082,
or +1-978-684-1000 and visit us on the Web at enterasys.com
07/11
© 2011 Enterasys Networks, Inc. All rights reserved. Enterasys Networks reserves the right to change specifications without notice. Please contact your representative to confirm current specifications.
Please visit http://www.enterasys.com/company/trademarks.aspx for trademark information.
Patented Innovation
Conclusion – Deploying a Secure Virtualized Data Center
Enterasys Networks provides a comprehensive set of integrated tools to help enterprises securely deploy virtualized data centers.
Flow sensors provide the visibility into the virtual environment that allows administrators to understand which external (physical) clients and applications are accessing information on the virtual servers. The visibility extends to detecting flow patterns that reveal potential threats or vulnerabilities and flows that represent violations of policy such as VM to VM traffic.
Intrusion Detection Sensors identify threats contained in traffic that crosses the virtual switch. Traffic from the physical network and from other VMs will be examined for potential threats. This inspection offers protection from an infected virtual server attempting to infect or compromise other virtual servers.
Host Intrusion Detection Sensors provide strong, multilayered protection for the virtual server. The host sensors use a variety of techniques to detect attacks and misuse, including analyzing the security event log, checking the integrity of critical configuration files, and checking for kernel level compromises.
Data Center Manager provides an extensive set of tools to automate the provisioning of the physical infrastructure to ensure that the proper controls and prioritizations are applied to each virtual server.
These tools can be deployed in concert or individually as required to meet specific enterprise requirements and priorities.
Enterasys data center solutions drive down operational costs through a combination of management automation across both physical and virtual environments and a robust and highly resilient distributed architecture. Built-in compliance controls and an open, standards-based approach for interoperability with existing data center solutions ensure a solid foundation for virtualization.
The Enterasys security tools provide a comprehensive solution for securing virtualized data centers, ensuring enterprises may confidently gain the maximum benefit from their data center virtualization efforts.
Additional resources:
• Enterasys Data Center Manager
• Enterasys IPS
• Enterasys SIEM