S series presentation

Date posted: 28-Jan-2015
Uploaded by: sergey-marunich
Transcript
Page 1: S series presentation

©2009 HP Confidential template rev. 12.10.09

Sean Ennis, Solutions Architect (HP TippingPoint) – Canada

HP TIPPINGPOINT IPS AND VIRTUALIZATION SECURITY

FOR THE DATA CENTER

Page 2: S series presentation

2

AGENDA

– Modern Threat Landscape
– IPS Platform
– Secure Virtualization Framework
– Q&A

Page 3: S series presentation

3

DATA CENTER TRENDS

Threat Landscape Change
  Past: Worms, Viruses, Trojans, DDoS
  Present & Future: Sophisticated Targeted Attacks, Re-Perimeterization

New Apps, Protocols & Traffic
  Past: Legacy, Client Server, IPv4, Data
  Present & Future: Legacy + Web, IPv4 + IPv6, Data + Voice + Video

Efficiency Drives Consolidation
  Past: Dispersed, Physical
  Present & Future: Virtualization, Blades, Increased Bandwidth

  Past: Connect Everyone to Everything
  Present & Future: Do More With Less

Page 4: S series presentation


MODERN ATTACK LANDSCAPE: APPLICATIONS ARE THE PRIMARY TARGETS

[Figure: timeline of attack types across 2002-2004, 2004-2007 and 2007-2010+]

Attack categories: Network / Server Downtime Attacks; Social Engineering Attacks; Enterprise and Web Application Attacks

What is targeted: Individual Account Credentials; Corporate Ransom; Email Spamming; Corporate Confidential Information; Customer Details; Credit Card Database; Online Click Fraud

Attack types shown along the timeline: Virus, Trojan, Worm, DDoS, O/S Specific Attacks, P2P, SQL Injection, XSS, Phishing, PHP File Include, Spyware, Whaling, Botnet, Social Media Malware, Application Exploits

Page 5: S series presentation

5

WHAT ABOUT THE FIREWALL?

In simplest form…

• Separates distinct security zones
• Designed to block or allow traffic based on a set of rules
• Rejects all unauthorized ports/protocols at the edge of a security zone
• Very good at ensuring network resources (servers, clients, etc.) only see required traffic
• Can also be generally responsible for VPN, NAT, redirection, proxying, etc.

Page 6: S series presentation

6

WHAT ABOUT THE FIREWALL?

(The same firewall functions as on the previous slide, set against the threats a firewall's rule set does not address:)

DDoS, SQL Injection, XSS, PHP File Include, Spyware
…Browser exploits… Drive-by DL… Adobe exploits……

Page 7: S series presentation

7

IPS PLATFORM INTRODUCTION
IPS Platform: Designed for future security demands and services

[Figure: Unknown Traffic Goes In → IPS Platform (with Security Management System) → Clean Traffic Comes Out]

Proactive
• In-line reliability
• In-line performance (throughput/latency)
• Filter accuracy

Security
• Leading security research
• Fastest coverage
• Broadest coverage

Costs
• Quick to deploy
• Automated threat blocking
• Easy to manage

Page 8: S series presentation


HP TIPPINGPOINT S-SERIES PRODUCTS

IPS Platform
  TippingPoint S10: 20Mbps • 2 Segments
  TippingPoint S110: 100Mbps • 4 Segments
  TippingPoint S330: 300Mbps • 4 Segments
  TippingPoint S660N: 750Mbps • 10 Segments
  TippingPoint S1400N: 1.5Gbps • 10 Segments
  TippingPoint S2500N: 3Gbps • 11 Segments
  TippingPoint S5100N: 5Gbps • 11 Segments
  Core Controller: 20Gbps • 3x10GbE
  Deployment: ROBO, Perimeter, Zone isolation, MSPs… (S-series); 10GE Networks, Core, Data Center, Service Providers… (Core Controller)

Solutions (Management, Accessories)
  Security Management System (SMS): Manage Multiple Units • Central Dashboard
  SSL Appliance S1500: Transparent SSL Bridging and Off-Loading
  vController and VMC (Virtual Controller): Virtual Data Center Security & Visibility

Security Intelligence (DVLabs Services)
  Digital Vaccine: Broadest Coverage • Evergreen Protection
  Web App DV and Scanning: Web Scan • Custom Filters • PCI Report
  ThreatLinQ: Real Time Threat Intelligence
  Reputation DV: IP Reputation • DNS Reputation

Page 9: S series presentation

9

TECHNICAL SPECIFICATION - N-PLATFORM SENSORS

TippingPoint 660N
  Network Throughput: 750 Mbps
  Inspection Throughput: 750 Mbps
  Typical Latency: < 80 microseconds
  Concurrent Network Sessions: 6,500,000
  Security Contexts: 1,200,000
  Connections/Sec: 115,000
  Interfaces: 10 x 1GbE Copper • 10 x 1GbE SFP • 10 Total Segments • External ZPHA
  Power: AC only

TippingPoint 1400N
  Network Throughput: 1.5 Gbps
  Inspection Throughput: 1.5 Gbps
  Typical Latency: < 80 microseconds
  Concurrent Network Sessions: 6,500,000
  Security Contexts: 1,200,000
  Connections/Sec: 115,000
  Interfaces: 10 x 1GbE Copper • 10 x 1GbE SFP • 10 Total Segments • External ZPHA
  Power: AC only

TippingPoint 2500N
  Network Throughput: 15 Gbps
  Inspection Throughput: 3 Gbps
  Typical Latency: < 80 microseconds
  Concurrent Network Sessions: 10,000,000
  Security Contexts: 2,600,000
  Connections/Sec: 230,000
  Interfaces: 1 x 10GbE XFP • Internal ZPHA (10GbE) • 10 x 1GbE Copper • 10 x 1GbE SFP • 10 Total Segments • External ZPHA
  Power: AC or DC

TippingPoint 5100N
  Network Throughput: 15 Gbps
  Inspection Throughput: 5 Gbps
  Typical Latency: < 80 microseconds
  Concurrent Network Sessions: 10,000,000
  Security Contexts: 2,600,000
  Connections/Sec: 230,000
  Interfaces: 1 x 10GbE XFP • Internal ZPHA (10GbE) • 10 x 1GbE Copper • 10 x 1GbE SFP • 10 Total Segments • External ZPHA
  Power: AC or DC

Page 10: S series presentation

THREAT SUPPRESSION ENGINE (TSE)

[Figure: Tier 1 → Tier 2 → Tier 3,4 (parallel threads); Load Balancer, Traffic Management (FW), Bypass]

Page 11: S series presentation

11

HP TIPPINGPOINT 1200N EMBEDDED IPS PLATFORM

– TippingPoint IPS module brings industry leading IPS, including Digital Vaccine and Reputation DV service, to any A7500 series switch
– 1.3 Gbps aggregate inspection throughput across 2 x 1Gb copper or 1 x 10Gb backplane interface
– A unified network and security management framework based on TippingPoint's Security Management System (SMS) integrated with HP's Intelligent Management Center (IMC)

HP A7500 Switch Series

HP TippingPoint 1200N IPS

Page 12: S series presentation

CORE CONTROLLER FOR 10GBE

Core Controller Model Provides:
• High Availability – Reliability and Redundancy
• High Performance with Low Latency – 10Gbps inspection across IPSs
• Ease of Management and Low TCO – Low cost of entry and pay-as-you-grow design
• Scalability – Expand IPS capacity to meet high bandwidth demands

• Three 10GbE segments
• 20Gbps aggregate inspection throughput
• 24x iLink segments – Interconnects to IPSs – 48 1Gbps ports
• Smart ZPHA modules (Optional)
• Zero Power High Availability – bypass
• Dual hot-swappable power supplies
• System health and status panel

Page 13: S series presentation

13

1500S – SSL INSPECTION

High-performance, transparent SSL off-loading and bridging for IPS traffic inspection

› Key Benefits
• Increased Web server and application security
• Virtually no traffic bottlenecks or application performance penalty
• Carrier-class reliability delivers high-availability / up-time
• Contributes to regulatory compliance efforts
• Reduced server utilization in off-loading configuration

[Figure: Dirty Encrypted Traffic → SSL Appliance → IPS Platform → Clean Encrypted Traffic (bridging) OR Clean Un-Encrypted Traffic (off-loading)]

Page 14: S series presentation

LEADING SECURITY RESEARCH – DVLABS
IPS Platform is Only as Good as its Security Intelligence

TippingPoint IPS Platform
DVLabs Services:
› Digital Vaccine
› Web App DV
› Reputation DV
› Custom DV

DV Labs Research & QA
› App DV
› ThreatLinQ
› Lighthouse Program

Leading security research and filter development with 30+ Dedicated Researchers

Partners: SANS, CERT, NIST, etc.; Software & Reputation Vendors
2,000+ Customers Participating
1,400+ Independent Researchers

Page 15: S series presentation

15

PROVEN IN-LINE FILTER ACCURACY: UNMATCHED ACCURACY FROM DVLABS AND DIGITAL VACCINE

[Figure: a Standard IPS Exploit Filter for Exploit A covers Exploit A only; Exploit B, aimed at the same Vulnerability, is missed by Exploit Filter A, and a coarse filter produces False Positives. The vulnerability filter covers the Vulnerability itself.]

TippingPoint's vulnerability filter acts like a Virtual Software Patch, eliminating false positives

Term                  Definition
Vulnerability         Security flaw in a software program
Exploit               Attack on a vulnerability to:
                      • Gain unauthorized access
                      • Create a denial of service
Exploit Filter        Stops a single exploit
                      • Easy to produce
                      • Typically produced due to IPS engine performance limitations
                      • Results in missed attacks and false positives
Vulnerability Filter  Stops all exploits attacking the vulnerability

September 22, 2010
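The exploit-filter versus vulnerability-filter contrast on this slide, as an added example that is not part of the presentation or of any TippingPoint product: a hypothetical server reads a constructed "CMD <name> LEN=<n> DATA=<payload>" request and copies DATA into a fixed 64-byte buffer, so the vulnerability condition is simply "payload longer than 64 bytes". The exploit filter matches the marker bytes of one published exploit; the vulnerability filter tests the triggering condition. The protocol, the 64-byte limit, the filter names and all sample traffic are assumptions made for this example.

```python
"""Exploit filter vs. vulnerability filter, demonstrated on a constructed protocol.

Hypothetical server: it reads "CMD <name> LEN=<n> DATA=<payload>" and copies
DATA into a fixed 64-byte buffer, trusting LEN. Any request whose payload (or
declared length) exceeds 64 bytes reaches the flaw; the bytes inside the payload
are irrelevant. The protocol, the limit and all traffic below are assumptions.
"""
import re
from typing import Dict, Tuple

MAX_SAFE_DATA = 64  # assumed size of the vulnerable buffer

# Exploit filter: a coarse signature distilled from one published exploit
# ("Exploit A"), which happens to fill its payload with the letter A.
EXPLOIT_A_SIGNATURE = re.compile(rb"DATA=A{8,}")


def exploit_filter(packet: bytes) -> bool:
    """True if the packet carries the marker bytes of the known exploit."""
    return EXPLOIT_A_SIGNATURE.search(packet) is not None


# Vulnerability filter: test the condition that triggers the flaw itself.
REQUEST = re.compile(rb"^CMD (?P<name>\w+) LEN=(?P<len>\d+) DATA=(?P<data>.*)$", re.S)


def vulnerability_filter(packet: bytes) -> bool:
    """True if the request would exercise the vulnerable code path,
    whatever bytes the payload contains."""
    m = REQUEST.match(packet)
    if m is None:
        return False  # not a request of this protocol; nothing to judge
    declared = int(m.group("len"))
    payload = m.group("data")
    return declared > MAX_SAFE_DATA or len(payload) > MAX_SAFE_DATA


# Constructed sample traffic (not captures of real attacks).
SAMPLES: Dict[str, bytes] = {
    "exploit_a": b"CMD PUT LEN=80 DATA=" + b"A" * 80,      # the published exploit
    "exploit_b": b"CMD PUT LEN=90 DATA=" + b"\x90" * 90,   # same flaw, different bytes
    "benign_marker": b"CMD LOG LEN=12 DATA=AAAAAAAAAAAA",  # harmless, but trips the signature
    "benign": b"CMD GET LEN=5 DATA=hello",
}


def evaluate() -> Dict[str, Tuple[bool, bool]]:
    """Run both filters: sample name -> (exploit_filter hit, vulnerability_filter hit)."""
    return {name: (exploit_filter(pkt), vulnerability_filter(pkt))
            for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, (sig_hit, vuln_hit) in evaluate().items():
        print(f"{name:14s} exploit filter={sig_hit!s:5s} vulnerability filter={vuln_hit}")
```

Running it shows the two failure modes named in the table: the exploit filter misses Exploit B (same flaw, different payload bytes) and raises a false positive on the benign request that merely contains the marker string, while the vulnerability filter flags exactly the two requests that would reach the flaw.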

Page 16: S series presentation

16

REPUTATION DIGITAL VACCINE
Keep the bad guys and the botnets off your network

Reputation Database
• IPv4 & IPv6 Address
• DNS Names
• Geography
• Merge with your data

[Figure: Internet — IPS Platform — Access Switch]

BLOCK OUTBOUND TRAFFIC
• Botnet Trojan downloads
• Malware, spyware, & worm downloads
• Access to botnet CnC sites
• Access to phishing sites

BLOCK INBOUND TRAFFIC
• Spam and phishing emails
• DDoS attacks from botnet hosts
• Web App attacks from botnet hosts

Botnets Currently Being Tracked: Conficker, ZeuS, Kraken, Srizbi, Torpia, Storm, Asprox, Gumblar, Koobface, Mariposa, Dark Energy

Page 17: S series presentation

17

2010: DATA CENTER VIRTUALIZATION REACHES THE TIPPING POINT
Leading in Times of Transition: the 2010 CIO Agenda

[Chart: share of workloads running in virtual machines, 2010 to 2012: 16% today, growing to 50%; ~58 million deployed x86 machines]

Source: Gartner Says 16% of Workloads are Running in Virtual Machines Today. Will grow to 50% by 2012 (October 2009)

Survey of 1,586 CIOs:
• Virtualization becomes… #1 Technology Priority in 2010
• Displaces Business Intelligence, which held top position for the last 5 yrs!

Page 18: S series presentation

18

BUT WHAT ABOUT SECURITY?

“60 Percent of Virtualized Servers Will Be Less Secure than the Physical Servers They Replace Through 2012”

I. Information Security Isn't Initially Involved in the Virtualization Projects

II. A Compromise of the Virtualization Layer Could Result in the Compromise of All Hosted Workloads

III. Workloads of Different Trust Levels Are Consolidated onto a Single Physical Server Without Sufficient Separation

IV. Adequate Controls on Administrative Access to the Hypervisor/VMM Layer and to Administrative Tools are Lacking

V. There Is a Potential Loss of SOD for Network and Security Controls

Source: MacDonald, Neal. Addressing the Most Common Security Risks in Data Center Virtualization Projects, Gartner, Inc. January 25, 2010. SOD: Separation Of Duties

...

Page 19: S series presentation

19

SECURE VIRTUALIZATION FRAMEWORK: VIRTUALIZATION VISIBILITY GAPS

[Figure: two ESX hosts, each with application VMs (App/OS) on a Virtual Switch above the Hypervisor with a VMsafe Kernel Module, connected to the Core; an IPS sits at the Core]

(1) Host to Host: IPS inspection on each uplink is expensive/unmanageable
(2) VM to VM: No way to insert physical IPS
(3) VM Mobility: What happens when a VM moves?

Page 20: S series presentation

20

SECURE VIRTUALIZATION FRAMEWORK: TIPPINGPOINT VCONTROLLER

[Figure: three ESX hosts, each with application VMs (App/OS) on a Virtual Switch above the Hypervisor with VMsafe, connected to the Core; the vController applies Redirection Policies so that VM traffic is inspected by the IPS at the Core]

• Utilizes same specialized hardware as physical network segments
• Policy-based redirection ties IPS inspection to VMs
• VMsafe kernel module integration provides deep insight into VM behavior and maintains low redirection latency (<80us)
• Manage all virtual and physical networks with the same tools
• VMC console provides full visibility into logical VM connectivity

http://www.bestofinterop.com/winners/#security

Page 21: S series presentation

21

WHAT ABOUT VIRTUAL IPS? RESTRICTED SCALABILITY

[Figure: ESX host with application VMs (App/OS) on a Virtual Switch above the Hypervisor with a VMsafe Kernel Module; a vIPS runs as one more VM on the host, with a physical IPS at the Core]

• Can be effective in smaller environments
• Cannot take advantage of specialized hardware
• Shares resources with other VMs
• Latency is typical due to lack of hardware acceleration
• Difficult to establish performance baselines

Page 22: S series presentation

22

VISUALIZE YOUR VIRTUALIZATION: TIPPINGPOINT VIRTUALIZATION MANAGEMENT CENTER (VMC)

Empower network/security teams with real-time visibility into virtual environment

Integration with virtualization management

Topology mapping provides identification of virtual/physical network paths

Page 23: S series presentation

23

TIPPINGPOINT VMC: IT'S ALL ABOUT THE INSPECTION POLICIES

Assign policies by VM and/or zone, not location or network connection

Automate trust zone assignment for new or untrusted workloads

Ensure policies follow VM regardless of state (in motion, powered on, powered off)

Cloned VMs must automatically inherit parent policies
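The four policy rules on this slide, worked through as an added example written for this page rather than taken from the presentation or from the VMC product: inspection policies are keyed by trust zone, each VM is identified by a stable UUID and belongs to a zone, an unclassified workload is placed in a quarantine zone automatically, a host move or power-state change leaves the policy untouched, and a clone starts in its parent's zone. The zone names, policy names, the quarantine default and the VM records are constructed assumptions.

```python
"""Inspection policies that follow the VM, not the network location.

Model of the principles on the VMC slide, written for this page: policies are
keyed by trust zone, each VM is identified by a stable UUID and belongs to a
zone, unclassified workloads land in a quarantine zone, and a clone starts in
its parent's zone. Zone names, policy names and VM records are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional

UNTRUSTED_ZONE = "quarantine"  # assumed default zone for new or unrecognised workloads


@dataclass
class VM:
    uuid: str                     # stable identity; survives moves and power cycles
    name: str
    host: str                     # ESX host the VM currently lives on (never used for policy)
    state: str = "powered_on"
    zone: Optional[str] = None    # None means "not yet classified"
    parent: Optional[str] = None  # uuid of the VM this one was cloned from


class PolicyEngine:
    def __init__(self, zone_policies: Dict[str, str]) -> None:
        if UNTRUSTED_ZONE not in zone_policies:
            raise ValueError("a policy for the quarantine zone is required")
        self.zone_policies = dict(zone_policies)
        self.vms: Dict[str, VM] = {}

    def register(self, vm: VM) -> str:
        """Admit a VM and return the zone it was placed in."""
        if vm.parent is not None and vm.parent in self.vms:
            vm.zone = self.vms[vm.parent].zone        # clone inherits the parent's zone
        elif vm.zone is None or vm.zone not in self.zone_policies:
            vm.zone = UNTRUSTED_ZONE                  # unknown workloads are quarantined
        self.vms[vm.uuid] = vm
        return vm.zone

    def policy_for(self, uuid: str) -> str:
        """Policy depends only on the VM's zone, never on host, port or power state."""
        return self.zone_policies[self.vms[uuid].zone]

    def migrate(self, uuid: str, new_host: str) -> str:
        """Live move to another host: the host changes, the applicable policy does not."""
        self.vms[uuid].host = new_host
        return self.policy_for(uuid)

    def set_state(self, uuid: str, state: str) -> str:
        """Power-state changes do not detach the policy either."""
        self.vms[uuid].state = state
        return self.policy_for(uuid)

    def clone(self, parent_uuid: str, new_uuid: str, name: str) -> str:
        """Clone a registered VM; the child is admitted through register()."""
        parent = self.vms[parent_uuid]
        child = VM(uuid=new_uuid, name=name, host=parent.host, parent=parent_uuid)
        return self.register(child)


def demo() -> Dict[str, str]:
    """Walk through the four slide points and return the policy seen at each step."""
    engine = PolicyEngine({
        "web-dmz": "web-app-inspection",
        "db-internal": "database-strict",
        UNTRUSTED_ZONE: "block-all-except-management",
    })
    engine.register(VM("vm-0001", "web01", "esx-a", zone="web-dmz"))
    out = {"assigned_by_zone": engine.policy_for("vm-0001")}
    out["after_move"] = engine.migrate("vm-0001", "esx-b")          # host changed
    out["powered_off"] = engine.set_state("vm-0001", "powered_off")
    engine.register(VM("vm-0002", "unknown01", "esx-a"))            # no zone given
    out["new_workload"] = engine.policy_for("vm-0002")
    engine.clone("vm-0001", "vm-0003", "web02")
    out["clone"] = engine.policy_for("vm-0003")
    return out


if __name__ == "__main__":
    for step, policy in demo().items():
        print(f"{step:18s} -> {policy}")
```

The design point is that `policy_for` never reads `host` or `state`: because the lookup key is the VM's zone, a move between hosts or a power cycle cannot silently drop a workload out of inspection, and an unclassified VM is denied the benefit of the doubt until someone assigns it a zone.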

Page 24: S series presentation

24

SUMMARY
Securing The Next Generation Data Center

Immediate, Always Up To Date Protection
• Protects in Minutes
• Automated DV Updates
• Most Timely Protection
• Leading Zero-Day Protection
• Intuitive management

Stop Threats Faster
• Proactive Security Model
• Best Inline Enforcement
• Broadest Security
• DVLabs Leading Security Research
• Zero-Day Initiative
• Application Visibility
• Vulnerability Intelligence

Protects Highest Bandwidth Data Centers
• Highest performance
• 20Mbps to 16Gbps
• Latency in Microseconds
• Protects Layer 2-7
• Inline or out-of-band deployment options
• Deployment Options for Virtual Data Centers

Secure Virtualization Framework
• vController
• Visibility and control
• Leverage existing hardware investments
• No compromise to consolidation ratio

Page 25: S series presentation


THANK YOU
