How to Quickly Implement a Secure Cloud for Government and Military | Webinar

WEBINAR | JULY 14, 2016 | Quickly Implement a Secure Cloud for Government and Military | Rick Kundiger, CEO & Founder, Awnix

Transcript of How to Quickly Implement a Secure Cloud for Government and Military | Webinar

Page 1: How to Quickly Implement a Secure Cloud for Government and Military | Webinar

WEBINAR | JULY 14, 2016

Quickly Implement a Secure Cloud for Government and Military

Rick Kundiger, CEO & Founder, Awnix

Page 2: How to Quickly Implement a Secure Cloud for Government and Military | Webinar


Security Today

* Contains 0% snake

EVERYTHING YOU NEED! NO OTHER SECURITY REQUIRED!

VLAN SNAKE OIL ELIXIR

GUARANTEED RELIEF FROM HACKERS | PHISHERS | CRACKERS | SNIFFING | SPOOFING | SPAMMING | SPYING | EXPLOITING | SNARFING | SCRIPT KIDDIES | TARDS | & OTHERWISE BEING SNOWDEN’D

DON’T FORGET TO ASK ABOUT OUR BONUS ACL OINTMENT!

COMBINE A LITTLE ACL WITH THE VLAN ELIXIR TO CURE WHAT AILS YOU!

Page 3: How to Quickly Implement a Secure Cloud for Government and Military | Webinar

Security Today

Traditional firewalls, while better than simple VLANs and ACLs, are only marginally better

• Firewalls can only inspect traffic that traverses them

• They rarely prevent server-to-server traffic; we have VLANs and ACLs for that! (see previous slide)

• More and more rules are added as holes are found or exploited or assumed, making rule management nearly impossible


Page 4: How to Quickly Implement a Secure Cloud for Government and Military | Webinar

Security Today

• Silo’d network and security is inefficient

• Frequent miscommunication between customer / network & security which causes mistakes

• These errors lead to security incidents

What Customers Think of IT Security

What Customers Think of Networking

Customer to IT Security and Network


Page 5: How to Quickly Implement a Secure Cloud for Government and Military | Webinar


What’s Needed

• Network Micro-Segmentation

• Tenant/Project Isolation

• App Tier Isolation

• Increased Security Behind the Firewall

• Defense-in-Depth

• Increased Agility in Network and Security

• Increased Ability to Quickly Respond

Traditional physical networking and security tools, designs, appliances and methods cannot meet these needs in a timely and cost-effective manner.

Page 6: How to Quickly Implement a Secure Cloud for Government and Military | Webinar

Security Tenant

[Diagram: three tenants (Simple Tenant, More Complex Tenant, Security Tenant). The Security Tenant holds the vFirewall and vSec (UTM, IDS, IPS, etc.) and connects to the Internet – Common Provider Network w/ public floating IPs. The Simple Tenant (Web, DB) and the More Complex Tenant (Web, Mid-Tier, DB) use Security Groups and attach to Internal Provider Network 0 and Internal Provider Network 1, each w/ private floating IPs.]

Page 7: How to Quickly Implement a Secure Cloud for Government and Military | Webinar

App Tier Isolation

[Diagram: each application tier in its own tenant (Web Tenant, Mid-Tier Tenant, DB Tenant) plus a Security Tenant holding the vFirewall and vSec. Networks shown: Internet – Common Provider Network w/ public floating IPs; Internal Provider Network 0, Internal Provider Network 1 and Internal Provider Network 2, each w/ private floating IPs.]

Page 8: How to Quickly Implement a Secure Cloud for Government and Military | Webinar


Forensics

[Diagram: Compromised Tenant (Web), Mid-Tier Tenant, DB Tenant and Security Tenant (vFirewall, vSec, Sec Tools) on the Internet – Common Provider Network w/ public floating IPs. Callouts: "Move GW IP to Forensic Network"; "Internal Forensics Network with no Gateway to Internet"; "Forensics tools for Analysis / Remediation".]

Page 9: How to Quickly Implement a Secure Cloud for Government and Military | Webinar


Detection / Remediation

Integrating new or existing threat management tools with APIs available via the SDN Controller or Neutron for automated remediation

• IDS consumes SDN metrics / telemetry via API

• IDS identifies a problem

• IDS sends instructions via API

• Instruction is executed

• Offending instance or network remediated

Page 10: How to Quickly Implement a Secure Cloud for Government and Military | Webinar


Security Groups vs FW Rules

Security Groups:

• Security Groups are like a FW on every vNIC

• If an Attacker gets into one server they can’t jumpbox anywhere

• All traffic in separate encrypted domain

• Granular strategic + tactical control

• Attacker must compromise every node individually

FW Rules:

• If an Attacker compromises a server they can normally jump around to others because the internal network is “trusted”

• Attacker can sniff traffic as it isn’t encrypted

• Blanket FW rules, no granularity

• Individual servers have little, if any, protection

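[Diagram: two designs side by side. Security Groups: Web, Mid-Tier and DB instances, with rules "Allow 80/443" on Web, "Allow Web" on Mid-Tier and "Allow Mid" on DB. FW Rules: Web, Mid-Tier and DB servers on VLAN 234 and VLAN 567, annotated with "VLAN Hopping", "Packet Capture" and "Malicious Payload".]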
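The difference between the two columns on this slide can be made concrete with a small model. The following is an added example, not part of the original deck: it compares what a compromised web server can connect to on a flat "trusted" internal network versus under the slide's security-group rules (Allow 80/443, Allow Web, Allow Mid). Host names, the listening ports per tier (22, 8080, 5432) and the function names are assumptions made for illustration.

```python
# Added example (not from the deck). Host names and port numbers are constructed.
HOSTS = {"web1": "web", "web2": "web", "mid1": "mid",
         "mid2": "mid", "db1": "db", "db2": "db"}   # host -> tier / security group

# Ports each tier listens on (assumed: SSH everywhere plus the app port).
SERVICES = {"web": [22, 80, 443], "mid": [22, 8080], "db": [22, 5432]}

# Ingress rules per security group, following the slide's diagram:
# Web allows 80/443 from anywhere, Mid-Tier allows Web, DB allows Mid-Tier.
SG_RULES = {
    "web": [("any", 80), ("any", 443)],
    "mid": [("web", 8080)],
    "db":  [("mid", 5432)],
}

def reachable_flat(src):
    """Flat 'trusted' network: every listening port on every other host."""
    return {(host, port)
            for host, tier in HOSTS.items() if host != src
            for port in SERVICES[tier]}

def reachable_sg(src):
    """Per-vNIC security groups: only ports whose rule admits src's group."""
    allowed = set()
    for host, tier in HOSTS.items():
        if host == src:
            continue
        for remote_group, port in SG_RULES[tier]:
            if remote_group in ("any", HOSTS[src]) and port in SERVICES[tier]:
                allowed.add((host, port))
    return allowed

def tiers_reached(pairs):
    """Tiers that appear in a set of (host, port) pairs."""
    return {HOSTS[host] for host, _port in pairs}

if __name__ == "__main__":
    for name, model in (("flat VLAN", reachable_flat), ("security groups", reachable_sg)):
        pairs = model("web1")
        print(f"{name}: {len(pairs)} reachable ports, tiers {sorted(tiers_reached(pairs))}")
        for host, port in sorted(pairs):
            print(f"  {host}:{port}")
```

In this model the compromised web server sees every management and database port on the flat network, while under security groups it sees only the published web ports and the mid-tier application port.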

Page 11: How to Quickly Implement a Secure Cloud for Government and Military | Webinar


Demo

Page 12: How to Quickly Implement a Secure Cloud for Government and Military | Webinar

Questions?

Page 13: How to Quickly Implement a Secure Cloud for Government and Military | Webinar

Thank you!