
Real Network Security for Virtual Data Centers

Greg Brown, VP Network Security, McAfee

Virtualization Trends
Organizations planning or already engaged in data center upgrades. -Network World, 2011

Organizations planning to virtualize over 40% of their servers this year. -Network World, 2011

Organizations concerned about moving virtual machines causing operational complexity. -Network World, 2011

Virtualization Challenges Traditional Security


Flat network designs eliminate the single egress point
Elimination of physical boundaries can cause blind spots
VM portability challenges port/IP-based security policies
Disparate management tools for physical and virtual

Top Security Concerns

New Requirements for Network Security


Eliminate blind spots with inspection of inter-VM traffic
Port-agile security policies that move with virtual assets
Common management across physical and virtual
Integrated network and security controls

NETWORK SECURITY FOR VIRTUAL ENVIRONMENTS



Did You Know?


Average default IPS accuracy is 62%
Average tuned IPS accuracy is 83%
Minimum accuracy 30%
Vendors underperformed 25-75% relative to claims

Source: NSS Labs, 2010

Outstanding Threat Prevention Requires More than IPS


Centralized Policy & Risk Mgmt

Network Security Management: policy definition, reporting & alerts, network visibility

Analysis Extensions: Network DLP, Advanced Malware, Network Forensics

Advanced Analysis: reputation analysis, protocol analysis, behavior analysis, bot detection

Enforcement: quarantine, alert, block, access control, virtual patch, rate limit

Visibility Extensions: Vulnerability Assessment, Network Behavior, Virtual Agent

Next-gen hardware architecture: 10 Gig connections, 7-10 year lifecycle, max port density

Impact of Networks Flattening

Greater Resilience
Better Performance
Simpler Design

However, Aggregation Points Disappear and Machines Go on the Move

Providing Outstanding Threat Prevention for Virtual Environments


Benefits:
Real-time visibility and threat detection for inter-VM traffic
Common management across physical and virtual
Quarantine of infected VMs
No additional load on virtual servers

(Diagram: traffic from Source to Destination, through a Physical Environment on each side; virtual machines inspected by a hypervisor-based agent)

The Importance of Threat Intelligence


Threat Reputation, fed by:
Network IPS: 300M IPS Attacks/Mo.
Firewall
Web Gateway: 2B Botnet C&C IP Reputation Queries/Mo.
Mail Gateway: 20B Message Reputation Queries/Mo.
Host AV
Host IPS
3rd Party Feed
Geo Location Feeds

2.5B Malware Reputation Queries/Mo.

Moving Beyond Conventional Security


Ticket Oriented Resolution: How to get to resolution? File tickets. Wait.

Protection Focused on Identifying Attack Packets: How to protect? Find attack packets on the wire.

Configuration Focused on Features: How to implement policy? Rely on product features.

Multi-Vendor Strategies: Defense in depth? Manage multiple siloed products.

The Maturity Model of Enterprise Security


REACTIVE
(~3% of IT Budget on Security)

COMPLIANT/PROACTIVE
(~8% of IT Budget on Security)

OPTIMIZED
(~4% of IT Budget on Security)

(Chart axes: TCO versus Security Posture)

SECURITY OPTIMIZATION

New Requirements for Optimized Network Security


Proactive Management: Turn days of process into clicks

Predictive Threat Protection: Characterize future threats today

Policy-Based Control: Focus on real organization, people, applications, usage

Extensible Architecture: Integrated, collaborative, easily add new capabilities

Protecting Critical Data Center from ZeuS Malware


Predictive Threat Protection with NSP + GTI

Not Optimized (High Effort, High Risk):
A. Malware infects websites
Malware hits network
Malware infects
Threat dissected, analyzed
Wait on signature
Apply signature, update signature

When Optimized (Low Effort, Low Risk):
A. Malware infects websites
McAfee Labs IDs, updates website reputations
Predictive action stops threat
Future variants covered

Benefit: Protection meets (and beats) hackers' timelines, reduces alerts

Policy Enforcement Based on Application (versus port number)


Traditional (High Effort, High Risk):
A. Identify M&A team
Map users to network address
Create new rule (duplicate?)
Weeks to review, test, deploy. Repeat?

Next-Generation (Low Effort, Low Risk):
A. Identify M&A team
User directory auto-imports groups
Firewall sees similar rule. 1 click to add. Avoid duplicate
Hours or days to review, deploy
New M&A members automatically added

Application ID Categories
Anonymizers / Proxies
Authentication services
Business web applications
Content management
Commercial monitoring
Database
Directory services
Email
Encrypted tunnels
ERP/CRM
Filesharing
Gaming
Instant messaging
Infrastructure services
IT utilities
Mobile software
Peer to Peer (P2P)
Photo-Video sharing
Remote administration
Remote desktop / Terminal services
Social networking
Software / System updates
Storage
Streaming media
Toolbars and PC utilities
Voice over IP (VOIP)
VPN
Webmail
Web browsing
Web conferencing

Replacing IP Address with Identity


Seamlessly acquire identity without authentication
Maintains user to network layer mapping
Integrates w/ Active Directory
Enforce policy based on group membership

Just like in the physical world, your identity should follow you through different security gates / locations.
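The two preceding slides describe policy keyed on directory group and application identity rather than on IP address and port. The following is an added example, not McAfee code or the product's API, that models that evaluation: the user-to-address binding is learned from logon events (constructed here), group membership comes from a directory import (a constructed dict standing in for Active Directory), and each flow carries an application label assigned by an assumed upstream classifier. It shows the policy surviving an address change, picking up a new group member with no rule edit, and distinguishing an encrypted tunnel from web browsing on the same port.

```python
"""Identity- and application-keyed policy evaluation (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Rule:
    name: str
    groups: Set[str]         # source user must belong to at least one of these
    applications: Set[str]   # application identities, never port numbers
    action: str              # "allow" or "block"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_port: int
    application: str         # label from an assumed upstream app classifier


class IdentityPolicy:
    """Evaluates flows by directory group and application identity."""

    def __init__(self, groups: Dict[str, Set[str]], rules: List[Rule]):
        self.groups = groups               # group name -> member logins (directory import)
        self.rules = rules
        self.ip_to_user: Dict[str, str] = {}

    def bind(self, user: str, ip: str) -> None:
        """Record a logon. Identity follows the user, so any earlier address
        bound to the same user is released rather than left carrying rights."""
        for stale_ip in [a for a, u in self.ip_to_user.items() if u == user]:
            del self.ip_to_user[stale_ip]
        self.ip_to_user[ip] = user

    def groups_for(self, user: str) -> Set[str]:
        return {g for g, members in self.groups.items() if user in members}

    def evaluate(self, flow: Flow) -> str:
        """First matching rule wins; an unknown identity or no match is denied."""
        user = self.ip_to_user.get(flow.src_ip)
        if user is None:
            return "block"
        user_groups = self.groups_for(user)
        for rule in self.rules:
            if flow.application in rule.applications and user_groups & rule.groups:
                return rule.action
        return "block"


def run_scenario() -> Dict[str, str]:
    """Walks the M&A-team scenario from the slide on constructed data."""
    groups = {"MandA-Team": {"alice", "bob"}, "Finance": {"carol"}}
    rules = [
        Rule("manda-filesharing", {"MandA-Team"}, {"filesharing"}, "allow"),
        Rule("everyone-web", {"MandA-Team", "Finance"}, {"web-browsing"}, "allow"),
    ]
    policy = IdentityPolicy(groups, rules)
    results: Dict[str, str] = {}

    # 1. alice logs on at 10.0.1.5 and uses file sharing: allowed via her group.
    policy.bind("alice", "10.0.1.5")
    results["alice_initial"] = policy.evaluate(Flow("10.0.1.5", 445, "filesharing"))

    # 2. alice's VM moves and she reconnects from 10.0.2.9: no rule edit needed,
    #    and the old address no longer carries her identity.
    policy.bind("alice", "10.0.2.9")
    results["alice_after_move"] = policy.evaluate(Flow("10.0.2.9", 445, "filesharing"))
    results["stale_ip"] = policy.evaluate(Flow("10.0.1.5", 445, "filesharing"))

    # 3. dave is added to the directory group: covered with no firewall change.
    groups["MandA-Team"].add("dave")
    policy.bind("dave", "10.0.3.2")
    results["new_member"] = policy.evaluate(Flow("10.0.3.2", 445, "filesharing"))

    # 4. carol (Finance) is outside the group: blocked even on the same port.
    policy.bind("carol", "10.0.4.7")
    results["other_group"] = policy.evaluate(Flow("10.0.4.7", 445, "filesharing"))

    # 5. Application identity, not port: an encrypted tunnel on 443 is not web browsing.
    results["web_on_443"] = policy.evaluate(Flow("10.0.4.7", 443, "web-browsing"))
    results["tunnel_on_443"] = policy.evaluate(Flow("10.0.4.7", 443, "encrypted-tunnel"))
    return results


if __name__ == "__main__":
    for name, decision in run_scenario().items():
        print(f"{name:16} {decision}")
```

The default-deny at the end of `evaluate` is deliberate: an address with no learned identity gets no rights, which is the property that makes dropping stale bindings in `bind` matter when a virtual machine moves.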

Provide Common Controls Across Physical and Virtual


Capability                        Physical  Virtual
Enterprise Firewall & IPS         ✓         ✓
Malware detection                 ✓         ✓
Common management                 ✓         ✓
Identity-based controls           ✓         ✓
Application identity & control    ✓         ✓
Advanced botnet detection         ✓         ✓
Cloud-based threat feeds          ✓         ✓

Recommended Reading

May 23, 2011


Questions?
Click on the questions tab on your screen, type in your question, name and e-mail address; then hit submit.
