Security Considerations for Cloud Readiness


Application Note: Zentera Systems CoIP Platform
CoIP Defense-in-Depth with Advanced Segmentation

Advanced Segmentation is Essential for Defense-in-Depth

There is no silver bullet in security: a single solution is not enough. Hence, defense-in-depth is a key requirement for overall enterprise security. As a result, enterprises are deploying multiple layers of security, including application isolation, network segmentation, and application filtering.

In addition, with the widespread adoption of virtualization and the emergence of SDN and the cloud, server-to-server communication is proliferating and multi-tenancy is becoming commonplace. Advanced attacks nowadays can take over a server as a zero-day attack station and then penetrate its neighbors. Conventional perimeter firewalls are now less effective, since they cannot prevent lateral attacks between servers inside a datacenter. To effectively block such attacks, organizations now have to implement advanced segmentation as part of defense-in-depth.

This application note outlines current security considerations for enterprise datacenters anticipating deploying in the cloud. The next section describes how Zentera's CoIP (Cloud over IP) Platform provides advanced segmentation and defense-in-depth to address those considerations. Finally, the closing section demonstrates how to deploy advanced segmentation and defense-in-depth using CoIP.

Security Considerations for Cloud Readiness

East-West Traffic

Typically, organizations have implemented perimeter security technologies such as firewalls, IPS/IDS, routers, and other security devices that are placed in different security zones: trusted, untrusted, and DMZ. The goal is to analyze and manage traffic flow in and out of the datacenter. This approach is not well-suited for analyzing server-to-server communication within the datacenter (also known as east-west communication). Figure 1 depicts a typical security deployment.

Figure 1: A conventional security deployment

The growing use of the application-tier model, which typically consists of web, application, and database servers, is resulting in increased east-west traffic that can surpass north-south traffic. Additionally, advanced threats, like man-in-the-middle attacks, are appearing deep inside the datacenter. Therefore, a new security solution is needed to protect east-west traffic and address advanced threats.

Micro-Segmentation

Virtualization is causing compute and security to converge inside the datacenter, in addition to hypervisors that provide micro-segmentation. Micro-segmentation is a security design technique in which the datacenter is divided into smaller, more protected security zones. In micro-segmentation, datacenter security services are provisioned at the perimeter, between application tiers (or zones), and even between devices within tiers. The idea is that if one device or service is compromised, the impact will be contained within a smaller fault domain. Micro-segmentation is efficient, quick to deploy, and fast to manage with newer security devices. However, implementing micro-segmentation using conventional firewalls is difficult, since firewalls do not provide a unified security fabric, a key requirement for being what is referred to as cloud-ready. Figure 2 depicts a typical micro-segmentation.

Zentera Systems. All Rights Reserved. 2Q2017

Figure 2: Example of a micro-segmentation configuration

Application Whitelists

In addition, the whitelist security model is garnering attention due to the growing complexity of applications and network environments. In this model, security services specify the applications that are permitted to access the network, and everything else is denied. This solution requires tight integration between applications and network services, and that integration is lacking in typical datacenter deployments today.

CoIP Provides Defense-in-Depth

CoIP is an on-demand virtual overlay network that provides deeply integrated defense-in-depth capabilities: network isolation, network encryption, micro-segmentation, and application whitelisting. The platform is transport- and cloud-agnostic, and can be deployed rapidly without interfering with existing infrastructure or security measures.

Key Components

CoIP consists of the following components: a centralized controller (zcenter) with deployment automation; CoIP LAN and WAN; and endpoint sensors for virtual machines (VMs), containers, and compute endpoints. APIs are provided to integration partners, including industry-leading security providers, to extend their offerings (e.g. IPS/IDS solutions) to clouds such as AWS, Azure, and Google Cloud. Figure 3 illustrates a conceptual multicloud CoIP deployment.

Figure 3: Multicloud CoIP deployment

Defense-in-Depth with CoIP

The CoIP platform provides a layered approach to security that is designed to ensure defense-in-depth. CoIP operates at L5 (the session layer in the ISO network model), so it uses, but does not interfere with, the existing network and security infrastructure.

CoIP offers traffic isolation via overlay network enclaves, or isolated network islands, that can span across datacenters or clouds. For more information about CoIP enclaves, see the Zentera CoIP Platform Traffic Isolation Application Note.

In addition to overlay enclaves, CoIP offers an overlay SSL tunnel that provides end-to-end network encryption within and across datacenters and clouds.

CoIP also provides a chamber firewall that operates at L4 (the transport layer) and provides a filtering function. With CoIP chamber firewalls, all policies are created and maintained in a centralized controller, and are enforced on distributed endpoints for better performance and scalability. Advanced segmentation is a special form of micro-segmentation in which segmentation can span across multiple public or private clouds as well as datacenters. Figure 4 shows an example of advanced segmentation with CoIP.

Finally, CoIP offers application interlock, or whitelisting, as an L7 (application layer) filtering function. The idea of application interlock is that only whitelisted and enterprise-certified applications running on a CoIP endpoint are allowed to use the CoIP network for communication. This is powerful because unauthorized applications are prevented from accessing networking resources. Alert and notification messages are generated in response to security violations.

Figure 4: An example of how CoIP can implement advanced segmentation

Deploying Defense-in-Depth and Advanced Segmentation Using CoIP

The CoIP controller is designed to manage multicloud deployments. It can be located in the enterprise datacenter or in any private or public cloud (Azure, AWS, etc.).

Network Encryption and Application Interlock Deployment Scenario

The following deployment scenario shows a customer enclave that spans across an enterprise datacenter and AWS. The enclave is managed by the CoIP controller. The AWS server group (SG0) hosts two compute resources (aws1 and aws2), whereas the enterprise server group (SG1) hosts one (ent1). The SG0 and SG1 server groups are connected via an encrypted CoIP WAN link. AWS servers that are running mission-critical applications are protected by a stateful firewall chamber. The AWS servers are running Red Hat and the enterprise VMs are running CentOS Linux. The deployment scenario is depicted in Figure 5.

Figure 5: Network encryption and application interlock deployment scenario

Network Encryption

By default, traffic over a CoIP WAN link is encrypted. Each endpoint connects to the CoIP controller for control-plane traffic and establishes a TLS 1.2 connection to a Zentera Network Switch (ZNS) for data traffic. A ZNS is an L5 switch used in CoIP WAN deployments. Figure 6 illustrates end-to-end CoIP WAN network encryption, where two TLS 1.2 tunnels are used between the two endpoints and the ZNS.

Figure 6: End-to-end network encryption using CoIP

Network Encryption Verification

The enterprise server (ent1) sends packets to the AWS server (aws1). A packet capture on aws1 shows a TLS 1.2 connection established to the ZNS (184.105.144.91) as it receives packets from ent1.

Step 1: Turn on packet logging on aws1.
Step 2: Ping aws1 from the enterprise server (ent1).
Step 3: Packets from ent1 are seen over TLS.

Application Interlock Configuration

Step 1: Enable application interlock.
Step 2: Create whitelist rules.
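Returning to the Network Encryption Verification steps: the capture on aws1's physical interface is only meaningful if it is checked against what the design promises, namely that the underlay sees nothing but the TLS session to the ZNS while ent1 pings aws1 over the overlay. The Python audit below is an added example, not Zentera's code and not part of the application note. It parses tcpdump-style lines and flags any packet that is not part of the ZNS TLS session, so a plaintext echo request from ent1 showing up on the underlay would be reported as traffic bypassing the encrypted CoIP WAN link. The ZNS address 184.105.144.91 is the one quoted above; the underlay addresses, the TLS port 443, and the capture lines themselves are constructed assumptions.

```python
import re
from typing import Dict, List

ZNS_ADDR = "184.105.144.91"     # ZNS address quoted in the application note
ZNS_PORT = 443                  # assumption: TLS 1.2 data-plane port on the ZNS
AWS1_UNDERLAY = "172.31.5.20"   # constructed placeholder: aws1 physical address
ENT1_UNDERLAY = "10.0.1.10"     # constructed placeholder: ent1 physical address

# Constructed tcpdump -nn style lines (not a real capture): what aws1's physical
# interface is expected to show while ent1 pings it over the encrypted overlay.
CAPTURE_EXPECTED = (
    f"12:00:01.000001 IP {AWS1_UNDERLAY}.51234 > {ZNS_ADDR}.{ZNS_PORT}: Flags [P.], seq 1:100, ack 1, win 502, length 99\n"
    f"12:00:01.000120 IP {ZNS_ADDR}.{ZNS_PORT} > {AWS1_UNDERLAY}.51234: Flags [P.], seq 1:80, ack 100, win 501, length 79\n"
    f"12:00:01.000300 IP {AWS1_UNDERLAY}.51234 > {ZNS_ADDR}.{ZNS_PORT}: Flags [.], ack 80, win 502, length 0\n"
)

# Same capture plus a plaintext echo request from ent1, which should never be
# visible on the underlay if the WAN link is encrypting end to end.
CAPTURE_LEAK = CAPTURE_EXPECTED + (
    f"12:00:01.000500 IP {ENT1_UNDERLAY} > {AWS1_UNDERLAY}: ICMP echo request, id 7, seq 1, length 64\n"
)

# Matches "ts IP src[.sport] > dst[.dport]: rest" for IPv4 TCP, UDP and ICMP lines.
_LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)


def parse_line(line: str) -> Dict[str, str]:
    """Parse one tcpdump line into src/dst/ports plus a coarse protocol label."""
    m = _LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised capture line: {line!r}")
    pkt = m.groupdict()
    rest = pkt["rest"]
    if rest.startswith("ICMP"):
        pkt["proto"] = "ICMP"
    elif rest.startswith("UDP"):
        pkt["proto"] = "UDP"
    else:
        pkt["proto"] = "TCP"      # tcpdump prints TCP segments as "Flags [...]"
    return pkt


def is_zns_tls(pkt: Dict[str, str]) -> bool:
    """True if the packet belongs to the endpoint's TLS session with the ZNS."""
    if pkt["proto"] != "TCP":
        return False
    to_zns = pkt["dst"] == ZNS_ADDR and pkt["dport"] == str(ZNS_PORT)
    from_zns = pkt["src"] == ZNS_ADDR and pkt["sport"] == str(ZNS_PORT)
    return to_zns or from_zns


def audit_capture(text: str) -> Dict[str, object]:
    """Count ZNS TLS packets and collect everything else seen on the underlay."""
    tls_packets = 0
    plaintext: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pkt = parse_line(line)
        if is_zns_tls(pkt):
            tls_packets += 1
        else:
            plaintext.append(line)    # any non-ZNS traffic on the underlay is suspect
    return {"tls_packets": tls_packets, "plaintext": plaintext, "ok": not plaintext}


if __name__ == "__main__":
    for name, cap in (("expected", CAPTURE_EXPECTED), ("leak", CAPTURE_LEAK)):
        result = audit_capture(cap)
        status = "ok" if result["ok"] else "PLAINTEXT SEEN"
        print(f"{name}: {status}, {result['tls_packets']} TLS packets to/from ZNS")
        for line in result["plaintext"]:
            print("    ", line)
```

On a real host the input would come from something like `tcpdump -nn -i <physical interface>` run during Step 2; the audit is deliberately strict, treating anything that is not the ZNS session as a finding, so control-plane traffic to the controller would also be listed and should be added to the allowed set for that deployment.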

Step 1: Application interlock is enabled by setting the Security Monitor Interval as follows:

Step 2: Application whitelist rules are created so that the AWS servers can SSH to the enterprise VM:
SSH whitelisted in AWS
SSHD whitelisted in Enterprise

Application Interlock Verification

The AWS compute VM can SSH to the enterprise server. Telnet access is not permitted, since it is not a whitelisted application. The whitelisting rules shown above will not allow SSH from the enterprise to AWS. The CoIP controller logs application interlock traffic (permitted and blocked) between endpoints.
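The verification above follows from two properties of the interlock: a flow is permitted only when the initiating application is whitelisted on its endpoint and the receiving application on its endpoint, and everything else is blocked and logged. The Python model below is an added example, not Zentera's code or CoIP's rule format, that reproduces those semantics for the Step 2 rules: the SSH client on aws1/aws2, sshd on ent1, so SSH from AWS to the enterprise passes, telnet is blocked, and SSH in the reverse direction is blocked because neither side is whitelisted for it. Process names and endpoint names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class InterlockEvent:
    """One controller log entry; permitted and blocked flows are logged alike."""
    src_host: str
    src_app: str
    dst_host: str
    dst_app: str
    verdict: str      # "PERMIT" or "BLOCK"
    reason: str


@dataclass
class ApplicationInterlock:
    """Per-endpoint application whitelist with default deny (constructed model)."""
    whitelist: Dict[str, Set[str]]                  # endpoint -> permitted applications
    log: List[InterlockEvent] = field(default_factory=list)

    def _permitted(self, host: str, app: str) -> bool:
        # Unknown endpoints have an empty whitelist, so they are denied by default.
        return app in self.whitelist.get(host, set())

    def evaluate(self, src_host: str, src_app: str, dst_host: str, dst_app: str) -> str:
        """Permit only if the initiating application is whitelisted on the source
        endpoint and the receiving application on the destination endpoint."""
        problems = []
        if not self._permitted(src_host, src_app):
            problems.append(f"{src_app} not whitelisted on {src_host}")
        if not self._permitted(dst_host, dst_app):
            problems.append(f"{dst_app} not whitelisted on {dst_host}")
        verdict = "BLOCK" if problems else "PERMIT"
        reason = "; ".join(problems) or "both applications whitelisted"
        self.log.append(InterlockEvent(src_host, src_app, dst_host, dst_app, verdict, reason))
        return verdict

    def blocked(self) -> List[InterlockEvent]:
        """Violations are the entries an alerting pipeline would pick up."""
        return [e for e in self.log if e.verdict == "BLOCK"]


def scenario_whitelist() -> Dict[str, Set[str]]:
    """Mirror of the Step 2 rules: SSH client on the AWS servers, sshd on the
    enterprise VM. Process names are assumptions made for this example."""
    return {"aws1": {"ssh"}, "aws2": {"ssh"}, "ent1": {"sshd"}}


if __name__ == "__main__":
    il = ApplicationInterlock(scenario_whitelist())
    il.evaluate("aws1", "ssh", "ent1", "sshd")        # PERMIT: AWS VM can SSH to ent1
    il.evaluate("aws1", "telnet", "ent1", "telnetd")  # BLOCK: telnet is not whitelisted
    il.evaluate("ent1", "ssh", "aws1", "sshd")        # BLOCK: reverse direction not whitelisted
    for e in il.log:
        print(f"{e.verdict:6} {e.src_host}:{e.src_app} -> {e.dst_host}:{e.dst_app}  ({e.reason})")
```

The reverse-direction case is the one to keep in mind when reading the whitelist: adding `ssh` on ent1 alone would still block enterprise-to-AWS SSH until `sshd` is also whitelisted on the AWS side, which is what makes the rule set unidirectional.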

Micro-Segmentation Deployment Scenario

This micro-segmentation deployment scenario includes two server groups (SG1, SG2) and three VMs in AWS (aws1, aws2, aws3). The SG1 servers are protected by a stateful firewall chamber. Communication within SG0 servers is based on server group settings. Traffic traversing the firewall boundary follows the rules set for the chamber. Granular control of traffic flow is defined using TCP, UDP and IP ports. Chamber traffic control is supported at both the physical and CoIP levels.

Micro-Segmentation Configuration

Step 1: Add chamber.
Step 2: Create security policy.

Step 1: Micro-segmentation is enabled using a chamber at the server group level.

Step 2: The chamber security policy is created using port-level unidirectional compute flows. This rule allows TCP port 22 traffic from SG2 (aws3) to SG1 (aws1 and aws2). Traffic using any other port from SG2 to SG1 is implicitly denied.

Micro-Segmentation Verification

With the security policy set in micro-segmentation configuration Step 2, aws3 can SSH to aws1 (TCP 22 is allowed from SG2 to SG1). SSH in the reverse direction (from aws1 to aws3) is not permitted. With a security policy rule added to allow TCP 22 from SG1 to SG2, aws1 can now SSH to aws2, as shown below.
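The chamber behaviour verified above rests on three rules: flows are matched by direction, protocol and destination port; anything crossing the chamber boundary without an explicit rule is implicitly denied; and the chamber is stateful, so replies to a permitted connection are let back through without a rule of their own. The Python model below is an added example, not Zentera's code or the controller's policy format, that encodes the Step 2 scenario (SG1 behind a chamber, SG2 outside it, TCP 22 allowed from SG2 to SG1) and then shows the effect of adding the reverse rule. Treating intra-group traffic as allowed by the server-group setting, and traffic between two unchambered groups as unfiltered, are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class FlowRule:
    """Unidirectional, port-level compute flow between two server groups."""
    src_group: str
    dst_group: str
    proto: str       # "TCP" or "UDP"
    dport: int


@dataclass
class Chamber:
    """Stateful chamber model: explicit unidirectional rules, implicit deny, and a
    connection table so that replies to permitted flows are allowed back."""
    groups: Dict[str, Set[str]]              # server group -> member hosts
    chambered: Set[str]                      # groups wrapped in a chamber
    rules: List[FlowRule] = field(default_factory=list)
    intra_group_allowed: bool = True         # assumption: server-group setting permits member-to-member traffic
    conntrack: Set[Tuple[str, int, str, int, str]] = field(default_factory=set)

    def group_of(self, host: str) -> str:
        for name, members in self.groups.items():
            if host in members:
                return name
        raise KeyError(f"{host} is not in any server group")

    def allow_packet(self, src: str, sport: int, dst: str, dport: int, proto: str) -> bool:
        # Stateful part: a reply belonging to a connection that was already permitted.
        if (dst, dport, src, sport, proto) in self.conntrack:
            return True
        sg, dg = self.group_of(src), self.group_of(dst)
        if sg == dg:
            allowed = self.intra_group_allowed
        elif sg in self.chambered or dg in self.chambered:
            # Crossing a chamber boundary: only an explicit matching rule permits it.
            allowed = any(
                r.src_group == sg and r.dst_group == dg and r.proto == proto and r.dport == dport
                for r in self.rules
            )
        else:
            allowed = True   # assumption: no chamber sits between these two groups
        if allowed:
            self.conntrack.add((src, sport, dst, dport, proto))
        return allowed


def scenario_chamber() -> Chamber:
    """SG1 (aws1, aws2) behind a chamber, SG2 (aws3) outside it, with the Step 2 rule."""
    return Chamber(
        groups={"SG1": {"aws1", "aws2"}, "SG2": {"aws3"}},
        chambered={"SG1"},
        rules=[FlowRule("SG2", "SG1", "TCP", 22)],
    )


if __name__ == "__main__":
    ch = scenario_chamber()
    print("aws3 -> aws1 TCP/22:", ch.allow_packet("aws3", 40000, "aws1", 22, "TCP"))     # True
    print("reply aws1 -> aws3:", ch.allow_packet("aws1", 22, "aws3", 40000, "TCP"))      # True (established)
    print("aws1 -> aws3 TCP/22:", ch.allow_packet("aws1", 40001, "aws3", 22, "TCP"))     # False (no reverse rule)
    print("aws3 -> aws1 TCP/23:", ch.allow_packet("aws3", 40002, "aws1", 23, "TCP"))     # False (implicit deny)
    ch.rules.append(FlowRule("SG1", "SG2", "TCP", 22))
    print("aws1 -> aws3 after SG1->SG2 rule:", ch.allow_packet("aws1", 40001, "aws3", 22, "TCP"))  # True
```

The distinction the model makes explicit is between an established reply (allowed by state) and a new connection in the reverse direction (allowed only by a rule); conflating the two is the usual way a "stateful" policy ends up far more permissive than its rule list suggests.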

Chamber functionality is also supported at the physical level.