LHC3296BUS OVH: Shields Up! Building a True Security Barrier in the Cloud Chris Romano, Principal Systems Engineer #VMworld #LHC3296BUS
VMworld disclaimer
This presentation may contain product features that are currently under development. This overview of new technology represents no commitment from VMware or OVH to deliver these features in any generally available product. Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind. Technical feasibility and market demand will affect final delivery. Pricing and packaging for any new technologies or features discussed or presented have not been determined.
AGENDA
1 OVH Who We Are
2 OVH Product Overview
3 Defense at the PERIMETER: DDoS Mitigation
4 Defense WITHIN the Virtual Data Center
6 Securing the Extended Data Center
7 Q & A
WHO IS OVH
INTRODUCING OVH: GLOBAL HYPER-SCALE CLOUD PROVIDER
VMworld 2017 Content: Not for publication
Own 11+ Tbps network with 32 Points of Presence
5th largest cloud provider in the world*
Data center capacity: 1.3 million physical servers; 260,000 already deployed
Over 1.2 million business clients in 138 countries
19 years experience building & managing servers + data centers
2016: 20 data centers in 5 countries
2017: 27 data centers in 11 countries
2020: 50 data centers
* https://www.netcraft.com/internet-data-mining/hosting-analysis/
OVH BUILDS ITS OWN DATA CENTERS
OVH MANUFACTURES SERVERS & USES GREEN TECHNOLOGY
30% natural air cooling + 70% water cooling = 0% air conditioning
SOLUTIONS TO SUIT YOUR NEEDS
Hosted Private Cloud: Dedicated Cloud + Virtual Private Cloud + Disaster Recovery + VMware SDDC
Public Cloud: Open API + Automation Compatibility + Scalability
Dedicated Servers: Bare Metal + Bring Your Own License + Non-Virtual Workloads + Proprietary Software
OVH's Fiber Optic Network (11+ Tbps): Anti-DDoS + Private LAN
High Touch Customer Support & Services
Global Hyper-Scale Reach
NETWORK CAPACITY: 11+ Tbps
WHY WE ARE HERE
DEFENSE AT THE PERIMETER
DYN DDOS ATTACK - OCTOBER 21, 2016
Domain name provider Dyn suffered the largest DDoS attack in history on Oct. 21.
MEANWHILE IN ROUBAIX, 1 MONTH EARLIER
1 Tbps DDoS attack launched from 152,000 hacked smart devices. This is likely the largest DDoS attack ever reported.
Each day OVH detects and mitigates over 1500 attacks against its customers' servers. About one third of these attacks are "SYN flood" attacks.
Reference Article: https://www.ovh.com/us/news/articles/a2367.the-ddos-that-didnt-break-the-camels-vac
DDOS ATTACKS INCREASE 125% ANNUALLY
In 2016 we saw 19 attacks over 100 Gbps.
Source: Akamai: Q1 2016 State of the Internet - Security Report
TARGETS AND TYPES OF ATTACKS
STAGES OF MANAGING AN ATTACK
1 The server is operational - no attack. Internet-based services are used without any problems.
2 The DDoS attack begins. The attack is launched via the internet and on the backbone.
3 Mitigation of the attack. Between 15 and 120 seconds after the attack has started, the mitigation is activated.
4 End of the attack. Auto-mitigation is maintained for 26 hours after the attack has ended.
VAC: OVH'S ANSWER TO DDOS
VAC Architecture: Pre-Firewall -> OVH Managed Firewall (Firewall Network) -> Shield -> Armor
Pre-Firewall: UDP reflection/amplification attack filtering
Firewall Network: customer configurable per IP address
Shield: profile-based mitigation
Armor: does the grunt of the work: SYN authentication, zombie detection, payload patterns
VAC is only enabled when we detect an attack.
OVH MITIGATION TECHNIQUES
Traffic Analysis and Attack Detection
Detection: Netflow analysis of 1/2000 of the traffic that passes through routers. The Armor boxes analyze this and compare it to the attack signatures. If the comparison is positive, mitigation is ACTIVATED WITHIN SECONDS!
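The detection and auto-mitigation lifecycle described in the two preceding slides, as an added Python example that is not OVH's code: the 1:2000 NetFlow sampling rate and the 26-hour hold come from the slides; the analysis window, the SYN-only packets/s threshold, the flow record layout and the sample flows are constructed for illustration.

```python
from dataclasses import dataclass
from collections import defaultdict

SAMPLING_RATE = 2000          # 1 in 2000 packets is exported, as on the slide
WINDOW_SECONDS = 10           # constructed: length of one analysis window
SYN_PPS_THRESHOLD = 50_000    # constructed: estimated SYN-only packets/s that counts as a SYN flood
HOLD_SECONDS = 26 * 3600      # auto-mitigation stays on 26 h after the last positive window

@dataclass
class Flow:
    """One sampled NetFlow record (constructed fields, not a real export format)."""
    dst_ip: str
    proto: int       # 6 = TCP, 17 = UDP
    tcp_flags: int   # bitmask; 0x02 = SYN, 0x10 = ACK
    packets: int     # sampled packets covered by this record

def estimate_syn_pps(flows, window=WINDOW_SECONDS, rate=SAMPLING_RATE):
    """Scale sampled SYN-only TCP packets back to an estimated per-destination packets/s."""
    syn_only = defaultdict(int)
    for f in flows:
        if f.proto == 6 and f.tcp_flags & 0x02 and not f.tcp_flags & 0x10:
            syn_only[f.dst_ip] += f.packets
    return {ip: n * rate / window for ip, n in syn_only.items()}

def detect_syn_flood(flows, threshold=SYN_PPS_THRESHOLD):
    """Destinations whose estimated SYN-only rate matches the SYN-flood signature."""
    return {ip for ip, pps in estimate_syn_pps(flows).items() if pps >= threshold}

class MitigationState:
    """Per-IP auto-mitigation with the 26 h hold; each positive window renews the hold."""
    def __init__(self):
        self.release_at = {}    # dst_ip -> time (s) when mitigation may be withdrawn
    def observe(self, now, attacked_ips):
        for ip in attacked_ips:
            self.release_at[ip] = now + HOLD_SECONDS
        for ip in [ip for ip, t in self.release_at.items() if t <= now]:
            del self.release_at[ip]   # hold expired without a new positive window
    def mitigated(self, now):
        return {ip for ip, t in self.release_at.items() if t > now}

# Constructed sample window: 300 sampled SYN-only packets toward 203.0.113.10 in 10 s,
# i.e. an estimated 60,000 SYN/s; the other flows are normal handshakes and UDP.
SAMPLE_FLOWS = [Flow("203.0.113.10", 6, 0x02, 300), Flow("203.0.113.10", 6, 0x18, 12),
                Flow("203.0.113.20", 6, 0x12, 40), Flow("203.0.113.20", 17, 0, 25)]

if __name__ == "__main__":
    state = MitigationState()
    state.observe(0, detect_syn_flood(SAMPLE_FLOWS))
    print(estimate_syn_pps(SAMPLE_FLOWS))   # {'203.0.113.10': 60000.0}
    print(state.mitigated(0))               # {'203.0.113.10'}
```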
LEVERAGING A GLOBAL NETWORK
Diagram: VAC instances at SBG, RBX, GRA and BHS.
Reference Article: https://www.ovh.com/us/news/articles/a2367.the-ddos-that-didnt-break-the-camels-vac
ADDITIONAL PROTECTION
Remotely Triggered Black Hole (RTBH)
A fully redundant global network
Redundancy of all components
Fire risk management
High security Data Centers
VAC
Human presence in all Data Centers
Anti-Hack, Anti-Spam, Anti-Phishing
Measures to counteract any failure of the electrical supply network.
DEFENSE WITHIN THE VIRTUAL DATA CENTER
EDGE SECURITY: NSX EDGE GATEWAY (vCloud Air Network)
Stateful Inspection Firewall
Network Address Translation (NAT)
DHCP
Site to Site VPN (IPsec)
Static Routing
Dynamic Routing (OSPF, BGP)
Load Balancer L4/L7
SSL Certificate Offloading
SSL VPN (Client to Server)
200 Sub-Interfaces
Distributed Firewall
DISTRIBUTED FIREWALL CHARACTERISTICS
Runs in Kernel Space
Full vCenter Integration (VC Containers, vMotion)
Zero-trust Security
Micro-Segmentation
SpoofGuard
Distributed
Line Rate
Enable traffic redirection to 3rd party services
Fully programmable (REST API)
NSX SECURITY IN THE CLOUD
Diagram: Perimeter Firewall (Physical) and NSX Edge Service Gateway sit between the WAN/Internet and the compute clusters; a DFW runs on every compute cluster. DFW: E-W, EDGE: N-S.
Edge Service Gateway positioned to protect the border of the Cloud Instance or SDDC (Software Defined DC): North-South traffic protection.
Distributed Firewall positioned for internal traffic protection: East-West traffic protection.
SPOOFGUARD
Ensures the IP of a VM cannot be altered without intervention.
If the IP address does not match the IP address on record, the vNIC is prevented from accessing the network entirely.
Prevents rogue virtual machines from assuming the IP address of an existing VM.
Guarantees distributed firewall (DFW) rules cannot be bypassed.
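Why the SpoofGuard check is what keeps IP-based DFW rules from being bypassed, as an added Python model that is not NSX's implementation or API: the enforcement order (SpoofGuard at the vNIC, then the distributed firewall with a zero-trust default block) follows the two preceding slides; the rule format, VM names and addresses are constructed.

```python
from dataclasses import dataclass

@dataclass
class Vnic:
    vm: str
    approved_ip: str      # the IP SpoofGuard has on record for this vNIC

@dataclass
class Packet:
    vnic: Vnic            # the vNIC that emitted the frame
    src_ip: str           # the source IP the guest actually wrote into the header
    dst_ip: str
    dst_port: int

@dataclass
class Rule:
    src_ip: str           # "any" or one address (constructed rule format)
    dst_ip: str
    dst_port: int         # 0 = any port
    action: str           # "allow" or "block"

def dfw_decision(rules, pkt):
    """Distributed firewall: first matching rule wins; zero-trust default is block."""
    for r in rules:
        if (r.src_ip in ("any", pkt.src_ip) and r.dst_ip in ("any", pkt.dst_ip)
                and r.dst_port in (0, pkt.dst_port)):
            return r.action
    return "block"

def spoofguard_ok(pkt):
    """SpoofGuard: the frame's source IP must equal the IP on record for its vNIC."""
    return pkt.src_ip == pkt.vnic.approved_ip

def filter_packet(rules, pkt, spoofguard=True):
    """vNIC-level enforcement order: SpoofGuard first, then the DFW rule set."""
    if spoofguard and not spoofguard_ok(pkt):
        return "block"    # the vNIC is cut off from the network entirely
    return dfw_decision(rules, pkt)

# Constructed scenario: only the app VM (10.0.1.10) may reach the DB VM on 3306.
RULES = [Rule("10.0.1.10", "10.0.2.20", 3306, "allow"), Rule("any", "any", 0, "block")]
APP_VNIC = Vnic("app-01", "10.0.1.10")
ROGUE_VNIC = Vnic("rogue-vm", "10.0.1.99")
legit = Packet(APP_VNIC, "10.0.1.10", "10.0.2.20", 3306)
spoofed = Packet(ROGUE_VNIC, "10.0.1.10", "10.0.2.20", 3306)   # rogue VM claims the app's IP

if __name__ == "__main__":
    print(filter_packet(RULES, legit))                      # allow
    print(filter_packet(RULES, spoofed, spoofguard=False))  # allow: IP-based rule is bypassed
    print(filter_packet(RULES, spoofed))                    # block: SpoofGuard enforces the IP on record
```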
3RD PARTY INTEGRATION: HYTRUST ENCRYPTION AT REST
Diagram: VMs with HyTrust in the Private Cloud / vSphere Data Center and in vCloud Air; Admin 1 and Admin 2; Key Controllers 1-4.
Encrypt and re-key without taking applications offline
Transparent to users and admins
Customer retention of keys (Bring Your Own Keys)
Encryption travels with the VM, regardless of location
3RD PARTY INTEGRATION
SECURING THE EXTENDED DATA CENTER
UNIQUE HYBRID CAPABILITIES
Migrate Virtual Machines On-Prem to vCloud Air with Zero Downtime
Diagram: Active On-Premises <-> Secure Tunnel <-> Replicating vCloud Air (Hybrid Cloud, Zero-Downtime Migration)
Compatibility, Portability, Security
Secure VM migration or vMotion with IPsec and Suite-B Encryption
Flow entropy with FOU tunneling
Authentication required for migration
NAT'd vMotion Traffic Overview
HCX will be available upon release from VMware.
SECURITY POLICY MIGRATION
The VMware SDDC Private Cloud -> Security Policy Migration -> The VMware Public Cloud
Untether workloads from the physical data center for increased flexibility and agility
Support data center migration and consolidation projects without need for maintenance windows
Simplify transition to cloud by carrying existing security and networking policies with the virtual machine
vRACK (VIRTUAL RACK)
Secure private connection of all OVH infrastructures around the world.
vRack enables private connectivity between Data Centers
Customer has the ability to make changes themselves
Allows extending layer 2 networks
Interconnects different environment types on the same VLAN
Once enabled, your services communicate with each other across a virtual network (VLAN).
CONNECTIVITY SIMPLIFIED
Diagram: Dedicated Server, Customer Managed Networks & vRack, Customer DC, OpenStack, OVH POP, vSphere-as-a-Service at Roubaix, Hillsboro and Vint Hill.
SUMMARY
OVH is a global hyper-scale cloud provider with a rich 20 year history.
OVH customers have more options for data center locations, more direct connection points to get to the OVH network, more choices & product selection.
Industry leading anti-DDoS protection frontends your OVH based assets whether they are dedicated servers, private cloud computing, or public cloud instances.
Behind that industry leading DDoS protection is security in depth under your control.
HOW TO CONTACT US
VMworld Booth Location 406
ovh.com/us
@ovh_us and @vcloudair_ovh
@ovhus and @vcloudair.ovh
OVH and vCloud Air powered by OVH
OVH AT VMWORLD
Session ID | Session Title | Time
LHC3295BUS | OVH: Why Optimizing Layer 0 matters | Tuesday, Aug 29, 11:30 a.m. - 12:30 p.m.
LHC3297BES | How far is too far? The Hybrid Cloud Distance Factor. | Monday, Aug 28, 1:00 p.m. - 2:00 p.m.
LHC3296BUS | Shields Up! Building a True Security Barrier in the Cloud | Wednesday, Aug 30, 2:30 p.m. - 3:30 p.m.
LHC1951BU | Automate Cloud Recovery For When You Are Nuked From Orbit: It's the Only Way to Be Sure | Tuesday, Aug 29, 3:30 p.m. - 4:30 p.m.
LHC2673BU | Clearing Cloud Confusion | Wednesday, Aug 30, 2:00 p.m. - 3:00 p.m.
GRC2676BU | Building a Paper Trail: How to Secure and Audit a Public Cloud | Monday, Aug 28, 11:00 a.m. - 12:00 p.m.