How to Quickly Implement a Secure Cloud for Government and Military | Webinar
Transcript of How to Quickly Implement a Secure Cloud for Government and Military | Webinar
WEBINAR | JULY 14, 2016
Quickly Implement a Secure Cloud for Government and Military
Rick Kundiger, CEO & Founder, Awnix
Security Today
VLAN SNAKE OIL ELIXIR
* Contains 0% snake
EVERYTHING YOU NEED! NO OTHER SECURITY REQUIRED!
GUARANTEED RELIEF FROM HACKERS | PHISHERS | CRACKERS | SNIFFING | SPOOFING | SPAMMING | SPYING | EXPLOITING | SNARFING | SCRIPT KIDDIES | TARDS | & OTHERWISE BEING SNOWDEN'D
DON'T FORGET TO ASK ABOUT OUR BONUS ACL OINTMENT! COMBINE A LITTLE ACL WITH THE VLAN ELIXIR TO CURE WHAT AILS YOU!
Security Today
Traditional firewalls are only marginally better than simple VLANs and ACLs
• Firewalls can only inspect traffic that traverses them
• They rarely prevent server-to-server traffic; we have VLANs and ACLs for that! (see previous slide)
• More and more rules are added as holes are found, exploited or assumed, making rule management nearly impossible
Security Today
• Silo'd network and security is inefficient
• Frequent miscommunication between customer / network & security, which causes mistakes
• These errors lead to security incidents
[Slide images: "What Customers Think of IT Security", "What Customers Think of Networking", "Customer to IT Security and Network"]
What's Needed
• Network Micro-Segmentation
• Tenant/Project Isolation
• App Tier Isolation
• Increased Security Behind the Firewall
• Defense-in-Depth
• Increased Agility in Network and Security
• Increased Ability to Quickly Respond
Traditional physical networking and security tools, designs, appliances and methods cannot meet these needs in a timely and cost-effective manner
[Diagram labels: Simple Tenant, More Complex Tenant, Security Tenant; Internet – Common Provider Network w/ public floating IPs; Security Tenant containing a vFirewall and vSec (UTM, IDS, IPS, etc.); Security Groups; Internal Provider Network 0 w/ private floating IPs; Internal Provider Network 1 w/ private floating IPs; Web, Mid-Tier and DB instances in each tenant]
App Tier Isolation
[Diagram labels: Web Tenant (Web instances), Mid-Tier Tenant (Mid instances), DB Tenant (DB instances), Security Tenant (vFirewall, vSec); Internet – Common Provider Network w/ public floating IPs; Internal Provider Networks 0, 1 and 2 w/ private floating IPs]
Forensics
[Diagram labels: Compromised Tenant (Web, Mid, DB instances), Mid-Tier Tenant, DB Tenant, Security Tenant (vFirewall, vSec, Sec Tool instances); Internet – Common Provider Network w/ public floating IPs; Internal Forensics Network with no Gateway to Internet; "Move GW IP to Forensic Network"; Forensics tools for Analysis / Remediation]
Detection / Remediation
Integrating new or existing threat management tools with APIs available via the SDN Controller or Neutron for automated remediation:
1. IDS consumes SDN metrics / telemetry via API
2. IDS identifies a problem
3. IDS sends instructions via API
4. Instruction is executed
5. Offending instance or network remediated
Security Groups vs FW Rules
Security Groups:
• Security Groups are like a FW on every vNIC
• If an attacker gets into one server they can't jumpbox anywhere
• All traffic in a separate encrypted domain
• Granular strategic + tactical control
• Attacker must compromise every node individually
FW Rules:
• If an attacker compromises a server they can normally jump around to others because the internal network is "trusted"
• Attacker can sniff traffic as it isn't encrypted
• Blanket FW rules, no granularity
• Individual servers have little, if any, protection
[Diagram labels: Web, Mid-Tier and DB instances; security group rules "Allow 80/443", "Allow Web", "Allow Mid"; VLAN 234, VLAN 567; "VLAN Hopping", "Packet Capture", "Malicious Payload"]
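To make the per-vNIC tier isolation and the "move the compromised instance to a quarantine group" remediation concrete, here is an added model of security-group evaluation in Python (the language Neutron itself is written in). It is not code from the webinar, Awnix or PLUMgrid; the group names (sg-web, sg-mid, sg-db, sg-forensics), ports and addresses are constructed for illustration.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model: each tier gets its own security group, each group's
# rules reference the upstream tier's group, and default ingress is deny.

@dataclass(frozen=True)
class Rule:
    """Ingress allow rule: TCP to `port` from a remote security group or CIDR."""
    port: int
    remote_group: Optional[str] = None  # match by the sender's security group
    remote_cidr: Optional[str] = None   # or by the sender's source address

@dataclass(frozen=True)
class Instance:
    name: str
    ip: str
    groups: frozenset

POLICY = {
    "sg-web": [Rule(80, remote_cidr="0.0.0.0/0"), Rule(443, remote_cidr="0.0.0.0/0")],
    "sg-mid": [Rule(8080, remote_group="sg-web")],   # only the web tier may reach mid
    "sg-db": [Rule(5432, remote_group="sg-mid")],    # only the mid tier may reach db
    "sg-forensics": [],                              # quarantine: no ingress at all
}

def ingress_allowed(dst: Instance, src_ip: str, src_groups: frozenset,
                    port: int, policy=POLICY) -> bool:
    """True if any rule on any of dst's groups admits the flow (allow-lists union)."""
    addr = ipaddress.ip_address(src_ip)
    for group in dst.groups:
        for rule in policy.get(group, []):
            if rule.port != port:
                continue
            if rule.remote_group is not None and rule.remote_group in src_groups:
                return True
            if rule.remote_cidr is not None and addr in ipaddress.ip_network(rule.remote_cidr):
                return True
    return False

def between(src: Instance, dst: Instance, port: int) -> bool:
    """Evaluate an instance-to-instance flow using the sender's groups and address."""
    return ingress_allowed(dst, src.ip, src.groups, port)

def quarantine(inst: Instance) -> Instance:
    """Remediation from the forensics slide: swap the compromised instance's groups
    for the forensics group, so it can neither reach nor be reached by its old tier."""
    return Instance(inst.name, inst.ip, frozenset({"sg-forensics"}))

WEB = Instance("web1", "10.0.0.10", frozenset({"sg-web"}))
MID = Instance("mid1", "10.0.1.10", frozenset({"sg-mid"}))
DB = Instance("db1", "10.0.2.10", frozenset({"sg-db"}))
```

Because sg-db references sg-mid rather than a VLAN or subnet, a foothold on the web tier has no allowed path to the database, and quarantining the web instance cuts its remaining path to the mid tier as well.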
Demo
Questions?
Thank you!