©2015 Check Point Software Technologies Ltd. [Restricted] ONLY for designated groups and individuals
CHECK POINT & VMWARE NSX
AUTOMATING ADVANCED SECURITY
FOR THE SOFTWARE-DEFINED DATACENTER
Micki Boland
Virtual and Cloud Cyber Security Architect
[email protected]
DATA CENTERS
DATA CENTER EVOLUTION
Virtual Datacenter
• Server (compute) virtualization
• Network operation is manual
Software Defined Datacenter (Private Cloud)
• Network is also virtualized
• Services can be dynamically inserted and
THE NEW ERA OF SOFTWARE-DEFINED DATACENTERS (SDDC)
Centrally and automatically manage network and advanced security services in the data center
VMWARE NSX - NETWORK VIRTUALIZATION
Network & Security Services in the Hypervisor - Programmatic control
• Virtual Switching and Routing
• Virtual Load Balancing
SECURITY CHALLENGES IN THE CURRENT DATACENTER
[Figure: data center traffic flows, north-south (perimeter) versus east-west (between VMs)]
Perimeter (north-south) security is blind to 80% of the east-west data center traffic
• Lack of security control between VMs
• Threats can easily traverse VLANs
• Threats attack a low-priority service and then move to critical systems
Modern threats can spread laterally inside the data center, moving from one application to another
Traditional static controls fail to secure dynamic networks and highly mobile applications
Challenge #3: Security Ignores Data Center Changes
• New Virtual Machines
• Virtual Machine movement
• VMs that change IP address
• Dormant VMs that wake up
• VMs that move between VLANs
How do you define a secure policy for catalog applications that have not been provisioned yet and still don't have an IP address?
Lack of security automation impedes business agility in delivering services and results in security gaps
SECURITY REQUIREMENTS INSIDE THE DATA CENTER
1. Security visibility into traffic inside the data center
2. Automated security provisioning to keep pace with dynamic data center changes
3. Automated insertion and deployment of advanced threat prevention to protect inside the data center
Check Point Teams with VMware to Automate Advanced Security for the Software-Defined Data Center
CHECK POINT & VMWARE
Automating Security inside the Data Center
Virtual Security with Advanced Threat Prevention
+
Next Generation Networking and Security
Security Control & Visibility
Lateral Threat Prevention
Automated Security Provisioning
vSEC & NSX DATACENTER SECURITY
100% Software Based: Service, Network & Security
Segmented Data Center: Micro-Segmentation with advanced threat prevention
Security Orchestration between Virtual Machines: Automation of Virtual Network & Security
Security Control for All Data Center Traffic: Consistent security for N-S and E-W traffic
VMWARE CORE PRODUCTS FOR SOFTWARE DEFINED DATACENTER (SDDC)
VMWARE PLATFORM
Virtual Machines
ESX Hosts (Cluster)
NSX Virtual Network
CHECK POINT vSEC DEPLOYMENT
NSX AUTOMATICALLY DEPLOYS vSEC IN THE SOFTWARE DEFINED DATACENTER (SDDC)
NSX Manager automatically deploys and provisions a Check Point vSEC Gateway on each host
vSEC automatically and instantly scales to secure VMs on new host members
SECURITY FOR EAST-WEST TRAFFIC
NSX chains the Check Point vSEC gateway between VMs
Traffic between VMs goes through VMware NSX and Check Point vSEC gateways
AUTOMATE ADVANCED SECURITY FOR THE SOFTWARE DEFINED DATACENTER (SDDC)
Use Check Point Appliances with Advanced Threat Prevention for Datacenter Perimeter Security (North-South traffic)
Use Check Point vSEC Gateway for advanced security between Virtual Machines (East-West traffic)
MICRO-SEGMENTATION
Use NSX to segment Virtual Machines into different Security Groups using a flat network
NSX Security Groups (example): Finance, Legal, Web, Database, Partners
EAST-WEST SECURITY CONTROL
Use Check Point vSEC to control traffic access between Virtual Machines
NSX Service Chain Policy: traffic from the Partners Security Group to the Legal Security Group must go through the Check Point vSEC Gateway
Use vSEC for Advanced Threat Prevention inside data center
UNIFIED MANAGEMENT
Use Check Point unified management for consistent policy control and threat visibility across virtual and perimeter gateways
APPLICATION-AWARE POLICY
Use fine-grained security policies tied to NSX Security Groups and Virtual Machine identities
Check Point Access Policy
Rule  From                      To                       Service  Action
3     WEB_VM (vCenter Object)   Database (NSX SecGroup)  SQL      Allow
Check Point dynamically fetches objects from NSX and vCenter
MICRO-SEGMENTATION WITH SUB-POLICIES*
Use a security policy that is easily segmented into sub-policies
Check Point Access Policy
Rule  From  To                       Service  Action
3     Any   Database (NSX SecGroup)           Sub-Policy
Sub-Policy 3.1
Rule  From                       To                       Service  Action
3.1   WEB_VM1 (vCenter Object)   DB_VM1 (vCenter Object)  SQL      Allow
Delegate privileges to change and push a policy change for a single rule
SHARED-CONTEXT POLICY
NSX Policy
From                                  To    Action
Infected VM (Tagged by Check Point)   Any   Quarantine
Shared security context between vSEC and NSX Manager to automatically quarantine and trigger remediation by other services
Check Point tags infected Virtual Machines in NSX Manager
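The micro-segmentation, application-aware policy and shared-context slides above all rest on one idea: rules are keyed on NSX Security Group membership and VM identity rather than on IP addresses, and a tag set by the gateway can pre-empt the normal rule base. The Python below is an added example (not Check Point vSEC or VMware NSX code) that models that behaviour so the consequences are visible: the same rule keeps matching after a VM changes IP, an address with no VM object behind it matches nothing but "Any", and an "infected" tag turns an otherwise allowed SQL flow into Quarantine in both directions. The Inventory, Rule and decide() names, the tag-based group model, and every VM, IP and rule in scenario() are hypothetical constructions for illustration.

```python
"""Identity-based micro-segmentation policy, as a toy model.

Added example; not Check Point vSEC or VMware NSX code.  Inventory, Rule
and decide() are hypothetical stand-ins for the vCenter/NSX objects a
gateway fetches and the Access Policy it evaluates.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class VM:
    """A virtual machine as seen in vCenter: identity, current IP, NSX tags."""
    name: str
    ip: str
    tags: set = field(default_factory=set)   # tags define Security Group membership


class Inventory:
    """Hypothetical object store: what the gateway 'dynamically fetches'."""

    def __init__(self, vms: list[VM]) -> None:
        self.vms = {vm.name: vm for vm in vms}

    def by_ip(self, ip: str) -> VM | None:
        """Resolve a packet's IP to a VM identity at evaluation time."""
        return next((vm for vm in self.vms.values() if vm.ip == ip), None)


@dataclass
class Rule:
    """One Access Policy rule: selectors are a group tag, a VM name or 'Any'."""
    src: str
    dst: str
    service: str   # service name or "Any"
    action: str    # "Allow" or "Drop"


def matches(selector: str, vm: VM | None) -> bool:
    """Selector match by identity: 'Any', the VM's name, or a group tag it carries."""
    if selector == "Any":
        return True
    if vm is None:                 # unknown endpoint: only 'Any' can match it
        return False
    return selector == vm.name or selector in vm.tags


def decide(policy: list[Rule], inv: Inventory, src_ip: str, dst_ip: str, service: str) -> str:
    """Evaluate a flow. Quarantine tags win over the ordered rule base; default is Drop."""
    src, dst = inv.by_ip(src_ip), inv.by_ip(dst_ip)
    # Shared context: a VM the gateway tagged 'infected' is quarantined
    # before any allow rule is considered.
    if any(vm is not None and "infected" in vm.tags for vm in (src, dst)):
        return "Quarantine"
    for rule in policy:   # first match wins, like an ordered rule base
        if (matches(rule.src, src) and matches(rule.dst, dst)
                and rule.service in ("Any", service)):
            return rule.action
    return "Drop"         # implicit cleanup rule


def scenario() -> dict[str, str]:
    """Constructed VMs, IPs and rules (not real data) walking through the slides' cases."""
    web = VM("WEB_VM1", "10.1.1.10", {"Web"})
    db = VM("DB_VM1", "10.1.2.10", {"Database"})
    partner = VM("PARTNER_VM1", "10.1.3.10", {"Partners"})
    legal = VM("LEGAL_VM1", "10.1.4.10", {"Legal"})
    inv = Inventory([web, db, partner, legal])
    policy = [
        Rule("Web", "Database", "SQL", "Allow"),        # group to group, no IPs in the rule
        Rule("Partners", "Legal", "HTTPS", "Allow"),    # partners reach legal over HTTPS only
    ]
    out = {}
    out["web_to_db_sql"] = decide(policy, inv, web.ip, db.ip, "SQL")
    out["partner_to_legal_smb"] = decide(policy, inv, partner.ip, legal.ip, "SMB")
    # The web VM moves and gets a new address; its identity and tags are unchanged,
    # so the same rule still applies without editing the policy.
    web.ip = "10.9.9.9"
    out["web_to_db_after_ip_change"] = decide(policy, inv, web.ip, db.ip, "SQL")
    # An address with no VM object behind it matches no identity-based rule.
    out["unknown_to_db_sql"] = decide(policy, inv, "192.0.2.5", db.ip, "SQL")
    # The gateway detects an infection and tags the VM; the quarantine
    # policy now overrides the SQL allow rule in both directions.
    web.tags.add("infected")
    out["web_to_db_after_infection"] = decide(policy, inv, web.ip, db.ip, "SQL")
    out["db_to_web_after_infection"] = decide(policy, inv, db.ip, web.ip, "Any")
    return out


if __name__ == "__main__":
    for case, verdict in scenario().items():
        print(f"{case:28s} -> {verdict}")
```

The design point worth noticing is where the IP-to-identity lookup happens: in decide(), at evaluation time, not when the rule is written. That is what lets a rule survive vMotion, a DHCP change, or a VM that did not yet exist when the policy was pushed, and it is also why the quarantine check has to run before the rule base rather than as just another rule that an earlier Allow could shadow.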
Use Check Point SmartEvent to monitor and investigate threats across north-south and east-west traffic
THREAT VISIBILITY INSIDE THE DATACENTER
[Figure labels: 4800, 12400]
Infected Virtual Machines
VM Identity  Severity  Date
VM_Web_22    High      3:22:12 2/4/201
VM_DB_12     High      5:22:12 2/4/201
VM_AD_15     Medium    5:28:12 2/4/201
Check Point vSEC Key Features
Policy Management
• Unified management for Virtual and physical Gateways
• Datacenter policy segmentation with sub-policies*
• Fetch vCenter and NSX objects for use in Check Point policy
Security
• Threat Prevention with multi-layered defenses for the Virtual Data Center
• Tag infected VMs and update NSX for automatic remediation
Visibility & Forensics
• View VM objects in security logs
• Comprehensive Datacenter Threat Visibility
Automation & Orchestration
• Granular privilege down to individual rule for trusted integrations*
Q1: Do you have security and threat visibility inside your datacenter?
Q2: Do you feel that security impedes datacenter service agility?
Q3: Are you frustrated using VLANs to segment your datacenter?
FAQ
Q: What is the vSEC product version?
A: vSEC Gateway is R77.20 vSEC. vSEC Controller is based on R77.30
Q: Will vSEC be supported in R80?
A: Yes
Q: Was it certified by VMware NSX?
A: Yes. It is certified on ESX 5.5 and ESX 6.0
Q: Where can I learn more about the solution?
A: Visit the vSEC wiki & Check Point vSEC webpage
Q: Can I buy and use it today?
A: Yes