Security Virtualization
Timothy Brown, Director, S&V Practice, Network Utility Force
tim@netuf.net
Intro
What is this presentation about?
- Survey of security elements and techniques
- Virtualization advantages and disadvantages
- How virtualization alters security architecture
- Three main concepts:
  - Infrastructure as code
  - Security moving with the target
  - Reducing the burden of security
Security Basics
- Protecting information systems
- Balance between risk, protection from risk, and ease of use
- Protecting systems has a real cost: heavy armor costs more, and armor is oriented towards the attacker
How are elements protected?
- IDS/IPS (host and network)
- Firewalls
- Segmentation (limiting the pivot)
- Systems monitoring
- Network telemetry and monitoring
- Host integrity
- Intelligence (all source)
- PEOPLE
A reference diagram
Virtualization Basics
- Hypervisor: a hypervisor or virtual machine monitor (VMM) is a piece of computer software, firmware or hardware that creates and runs virtual machines.
- Core: a microprocessor (with multiple threads, cache, …)
- Virtual Machine: in computing, a virtual machine (VM) is an emulation of a particular computer system.
- vSwitch (Virtual Switch): a piece of code that emulates or runs a switch.
Market evolving in three ways
- Appliances being made available virtually
- Elements becoming more powerful
- Automation
A reference diagram
VM changes
- Add a new VLAN or virtual switch
- Can have many VLANs attached to one virtual switch
- …or many virtual switches…
- …controlled by different parties…
A reference diagram
How does a virtual switch work?
- Virtual switch is similar in functionality to a traditional switch
- Accelerated by special drivers
- MAC learning or manual MAC programming (the hypervisor knows the MACs, so it can do creative processing)
- Greater flexibility in where a MAC lives and where traffic goes
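To make the MAC-learning and "hypervisor knows the MACs" points concrete, here is an added example (not from the slides, and not any vendor's vSwitch code): a toy learning virtual switch in Python with access ports, VLAN-scoped flooding, and MAC pinning that drops frames whose source MAC is not the one the hypervisor assigned to that VM. The port names, MAC addresses and VLAN numbers are constructed for the demonstration.

```python
"""Toy learning virtual switch with hypervisor-enforced MAC pinning.

Added example, not from the slides. Models a vSwitch with access ports:
each port belongs to one VLAN, the switch learns which MAC lives behind
which port, and because the hypervisor handed each VM its MAC, a port can
be pinned so that frames with any other source MAC are dropped.
"""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str            # source MAC
    dst: str            # destination MAC
    payload: bytes = b""


@dataclass
class VSwitch:
    # port name -> VLAN the access port belongs to (constructed topology)
    port_vlan: dict
    # port name -> set of MACs the hypervisor assigned to the VM on that port;
    # ports absent from this dict are plain learning ports
    pinned: dict = field(default_factory=dict)
    # (vlan, mac) -> port, filled in by MAC learning
    mac_table: dict = field(default_factory=dict)
    # (port, src mac, reason) for every frame the switch refused
    dropped: list = field(default_factory=list)

    def forward(self, in_port: str, frame: Frame) -> list:
        """Deliver one frame arriving on in_port; return the sorted egress ports."""
        vlan = self.port_vlan[in_port]
        allowed = self.pinned.get(in_port)
        if allowed is not None and frame.src not in allowed:
            # The hypervisor knows which MAC it gave this VM: anything else is spoofing,
            # so drop it before it can poison the MAC table.
            self.dropped.append((in_port, frame.src, "mac-spoof"))
            return []
        # MAC learning: the source MAC lives behind in_port in this VLAN
        self.mac_table[(vlan, frame.src)] = in_port
        if frame.dst == BROADCAST or (vlan, frame.dst) not in self.mac_table:
            # Broadcast or unknown unicast: flood, but only within the VLAN
            return sorted(p for p, v in self.port_vlan.items() if v == vlan and p != in_port)
        out = self.mac_table[(vlan, frame.dst)]
        return [] if out == in_port else [out]


def demo() -> dict:
    """Run four constructed frames through the switch and return what happened."""
    sw = VSwitch(
        port_vlan={"vm1": 10, "vm2": 10, "vm3": 20, "uplink": 10},
        pinned={"vm1": {"02:00:00:00:00:01"}, "vm2": {"02:00:00:00:00:02"}},
    )
    results = {}
    # vm1 sends to a MAC not yet learned: flooded to the VLAN 10 ports only, never to vm3
    results["flood"] = sw.forward("vm1", Frame("02:00:00:00:00:01", "02:00:00:00:00:02"))
    # vm2 replies: vm1's MAC was learned, so the frame is forwarded to vm1 alone
    results["unicast"] = sw.forward("vm2", Frame("02:00:00:00:00:02", "02:00:00:00:00:01"))
    # vm2 tries to send with vm1's MAC: the hypervisor knows vm2's real MAC and drops it
    results["spoof"] = sw.forward("vm2", Frame("02:00:00:00:00:01", BROADCAST))
    # vm3 is alone in VLAN 20: its broadcast reaches nobody
    results["isolated"] = sw.forward("vm3", Frame("02:00:00:00:00:03", BROADCAST))
    results["dropped"] = list(sw.dropped)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The interesting line is the spoof check: a physical switch only sees MACs arrive, whereas the hypervisor assigned them, which is exactly the "creative processing" the slide alludes to.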
What does it mean?
- Can insert { any security element } { anywhere in the virtualized network }
- Can connect { any security element } to { any physical or virtualized host }
Security relationships can be built anywhere
- Virtualization allows flexibility: resources, firewalls, or everything can be moved around (including between DCs)
Resources can be moved between DCs
- Firewall moving with the elements it protects
Interesting ideas
- Virtual network firewalls
- Virtual application firewalls
- Virtual load balancers / application delivery controllers
- Virtual taps
- Virtual IDS/IPS
How does virtualization add to security?
- Segmentation and microsegmentation, including with physical hardware through the use of VXLAN
- Separation of management concerns
- Functional separation
- Snapshots and imaging
- SDN
Motivations for security virtualization
- Reduce scope of changes and testing
- Increase performance for lower aggregated cost
- Minimize reliability concerns and impact
- Flexibility in architecture: move things around
- Reduced audit scope
- Hide security infrastructure from attackers
- More security closer to the host at higher performance
(Mis)conceptions
- "Virtualization reduces performance": impact is quite mild on the right hardware
- "More to manage": yes, but vendors are getting smart and infrastructure is now code
- "Cost will be high": vendors are getting smart; cost is coming down (volume) and hardware is a losing game (commoditization)
- "Harder to learn": this is true, but only if you have a weaker understanding of the basics (MACs, bridges, traffic flows, TCP…)
What is now available in virtual form?
- Firewalls
- Application firewalls
- Database firewalls
- Monitoring appliances: sandboxing, DPI, NetFlow
- Load balancing
- Intrusion detection
Coming back
- Easier to hide my infrastructure
- Segments and snapshots; easier IDS
- Roll back a machine quickly; better change management
- Firewall and IDS in front of every host: good luck with the pivot
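As an added example (not from the slides), the following Python code ties together the VXLAN microsegmentation point from "How does virtualization add to security?" and the "firewall in front of every host" point here: it parses a VXLAN header to recover the 24-bit VNI that identifies the segment, extracts the inner IPv4 5-tuple, and evaluates it against a per-host, default-deny policy expressed as code. The VNIs, addresses, port names and the packets themselves are constructed fixtures, not captures from any real network.

```python
"""Microsegmentation policy as code, evaluated on VXLAN-encapsulated traffic.

Added example, not from the slides. parse_vxlan() reads the VXLAN header
(8 bytes: flags, reserved, 24-bit VNI, reserved) and the inner Ethernet/IPv4
frame; evaluate() applies a per-host default-deny policy keyed by segment.
build_vxlan() only exists to construct test packets.
"""
import ipaddress
import struct

VXLAN_FLAG_VNI_VALID = 0x08   # the "I" flag: VNI field is valid
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17

# Infrastructure as code: every host carries its own firewall policy, default deny.
# Key: (VNI, host IP) -> list of (allowed source IP, IP protocol, destination port).
# Constructed topology: a load balancer at 10.0.0.5, two web nodes, one database.
HOST_POLICY = {
    (5001, "10.1.0.10"): [("10.0.0.5", PROTO_TCP, 443)],     # web node accepts HTTPS from the LB only
    (5001, "10.1.0.11"): [("10.0.0.5", PROTO_TCP, 443)],     # second web node, same policy
    (5001, "10.1.0.20"): [("10.1.0.10", PROTO_TCP, 5432),    # db accepts postgres from the web nodes
                          ("10.1.0.11", PROTO_TCP, 5432)],
}


def parse_vxlan(udp_payload: bytes) -> tuple:
    """Return (vni, src_ip, dst_ip, proto, dst_port) from a VXLAN UDP payload."""
    if len(udp_payload) < 8 + 14 + 20:
        raise ValueError("payload too short for VXLAN + Ethernet + IPv4")
    if not udp_payload[0] & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VNI-valid flag not set")
    vni = int.from_bytes(udp_payload[4:7], "big")          # 24-bit segment identifier
    inner = udp_payload[8:]                                # inner Ethernet frame
    if struct.unpack("!H", inner[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("only IPv4 inner frames are handled in this example")
    ip = inner[14:]
    ihl = (ip[0] & 0x0F) * 4                               # header length in bytes
    proto = ip[9]
    src_ip = str(ipaddress.IPv4Address(ip[12:16]))
    dst_ip = str(ipaddress.IPv4Address(ip[16:20]))
    l4 = ip[ihl:]
    # TCP and UDP both carry the destination port at offset 2 of the L4 header
    dst_port = struct.unpack("!H", l4[2:4])[0] if proto in (PROTO_TCP, PROTO_UDP) else None
    return vni, src_ip, dst_ip, proto, dst_port


def evaluate(udp_payload: bytes) -> str:
    """Decide one encapsulated packet against the destination host's policy."""
    vni, src, dst, proto, port = parse_vxlan(udp_payload)
    rules = HOST_POLICY.get((vni, dst))
    if rules is None:
        return "deny:unknown-host-or-segment"   # no host in that segment, or no policy: deny
    if (src, proto, port) in rules:
        return "allow"
    return "deny:policy"


def build_vxlan(vni: int, src_ip: str, dst_ip: str, proto: int, dst_port: int) -> bytes:
    """Construct a minimal VXLAN + Ethernet + IPv4 + L4 packet (test fixture only)."""
    vxlan = bytes([VXLAN_FLAG_VNI_VALID, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + b"\x08\x00"
    l4 = struct.pack("!HH", 40000, dst_port) + b"\x00" * 16     # src port, dst port, padding
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return vxlan + eth + ip + l4


def demo() -> dict:
    """Evaluate four constructed flows, including the lateral move the slide mocks."""
    return {
        "lb_to_web": evaluate(build_vxlan(5001, "10.0.0.5", "10.1.0.10", PROTO_TCP, 443)),
        "web_to_db": evaluate(build_vxlan(5001, "10.1.0.10", "10.1.0.20", PROTO_TCP, 5432)),
        "web_to_web_ssh": evaluate(build_vxlan(5001, "10.1.0.10", "10.1.0.11", PROTO_TCP, 22)),
        "wrong_segment": evaluate(build_vxlan(5002, "10.1.0.10", "10.1.0.20", PROTO_TCP, 5432)),
    }


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow}: {verdict}")
```

Two web nodes sit in the same segment and could reach each other on a flat VLAN; with the per-host policy the SSH hop between them is refused even though the database call from the same source is allowed, and a packet arriving with a different VNI never matches any host at all.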
Questions?
Thanks http://go.netuf.net/afcea-2017-dobbins