Virtualization & HP TippingPoint
A virtual firewall for virtual machines, to inspect east-west communication. East-west traffic has grown far beyond what legacy datacenter architectures anticipated; those designs focused on north-south traffic.
1. Virtualization & TippingPoint
2. Agenda
Part 1 - Virtualization & Server
• Virtualization basics (Hypervisor)
• Virtual (VM) Switch Vs Physical Switch
• vSwitch & dvSwitch & port group
• VMware -vSphere Components
• HP BladeSystem matrix
• C7000 and OA vs iLO
• vConnect
Part 2 – Network & TippingPoint
• North-South & East-West Communication (datacenter traffic flow architecture)
• TippingPoint
• SVF – Secure Virtualization Framework
• Digital Vaccine – DV
• VMC and SMS Servers
• vController + vFirewall
3. Self Intro
Disclaimer:
Here I'm trying to couple virtual machine concepts to your network skills (intermediate level).
Only theoretical discussion; a practical / lab environment is not covered.
The materials are gathered from the WW Internet.
To view the detailed contents run the slide show
Part 1 - Virtualization & Server
In computing, virtualization refers to the act of creating a virtual (rather than actual) version of something, including (but not
limited to) a virtual computer hardware platform, operating system (OS), storage device, or computer network resources. Wiki
VM-Tipping 3
5. Virtual Machine
• A virtual machine is a software computer that, like a physical computer, runs an operating system and applications. The hypervisor serves as a platform
for running virtual machines and allows for the consolidation of computing resources. Each virtual machine contains its own virtual, or software-based
hardware, including a virtual CPU, memory, hard disk, and network interface card.
• A hypervisor or virtual machine monitor (VMM) is a piece of computer software, firmware or hardware that creates and runs virtual machines. A
computer on which a hypervisor is running one or more virtual machines is defined as a host machine. Each virtual machine is called a guest machine.
• Because virtual machines are decoupled from specific underlying physical hardware, virtualization allows you to consolidate physical computing
resources such as CPUs, memory, storage, and networking into pools of resources that can be dynamically and flexibly made available to virtual
machines. With appropriate management software, such as vCenter Server, you can also use a number of features that increase the availability and
security of your virtual infrastructure.
6. Virtual Machine (Hypervisor Type 1 & 2)
Picture 1: Type 1 (ESXi, Hyper-V or KVM). Picture 2: Type 2 (VMware Workstation, VirtualBox or KVM). KVM is a Linux kernel module, which is why it appears in both pictures.
Type 2 – Software-based (hosted) virtualization
1. Runs on top of a host OS
2. Better hardware compatibility
3. Single point of failure?
4. The host OS impacts performance
Type 1 – Bare-metal hypervisor
1. Runs directly on the hardware
2. Better performance
3. Single point of failure? Really?
4. Needs dedicated hardware, expertise and cost
Type 1 hypervisors are commonly considered bare-metal hypervisors, in that the hypervisor code itself runs directly on top of your hardware.
Type 1 hypervisors tend to enjoy much better performance than type 2 hypervisors, due in part to their direct positioning on top of the hardware.
Unlike type 1 hypervisors, a type 2 hypervisor must be installed on top of an existing OS. These hypervisors tend to have better hardware
compatibility because they rely on the host OS's device drivers rather than shipping their own.
8. Physical Topology of vSphere (Components)
A typical VMware vSphere datacenter consists of basic physical building blocks such as x86
virtualization servers, storage networks and arrays, IP networks, a management server, and desktop
clients.
The vSphere datacenter topology includes the following components.
• Compute servers : Industry standard x86 servers that run ESXi on the bare metal. ESXi software
provides resources for and runs the virtual machines. Each computing server is referred to as a
standalone host in the virtual environment. You can group a number of similarly configured x86
servers with connections to the same network and storage subsystems to provide an aggregate
set of resources in the virtual environment, called a cluster.
• Storage networks and arrays : Fibre Channel SAN arrays, iSCSI SAN arrays, and NAS arrays are
widely used storage technologies supported by VMware vSphere to meet different datacenter
storage needs. The storage arrays are connected to and shared between groups of servers
through storage area networks.
• IP networks : Each compute server can have multiple physical network adapters to provide high
bandwidth and reliable networking to the entire VMware vSphere datacenter.
• vCenter Server : vCenter Server (a service, not a physical box) provides a single point of control to the
datacenter. It provides essential datacenter services such as access control, performance
monitoring, and configuration. It unifies the resources from the individual computing servers to
be shared among virtual machines in the entire datacenter. It does this by managing the
assignment of virtual machines to the computing servers and the assignment of resources to the
virtual machines within a given computing server based on the policies that the system
administrator sets.
• Management clients : VMware vSphere provides several interfaces for datacenter management and virtual machine access. These interfaces include
the VMware vSphere Client (vSphere Client), the vSphere Web Client for access through a web browser, and the vSphere Command-Line Interface (vSphere CLI).
9. Architectures – VMware || Hyper-V || KVM
Picture 3: VMware architecture. Picture 4: KVM architecture. Picture 5: Hyper-V architecture.
Only for reference, no explanation.
VMware and Hyper-V target the x86 processor architecture; KVM supports x86, POWER and others, and is open source.
11. vSwitch Vs dvSwitch

Feature                  | Standard Switch (vSS)                                  | Distributed Switch (vDS)
-------------------------|--------------------------------------------------------|------------------------------------------------------------------
Management               | Managed separately on each individual ESXi host        | Centralized management and monitoring of the network configuration of all ESXi hosts associated with the dvSwitch
Licensing                | Available in all licensing editions                    | Only available with the Enterprise Plus licensing edition
Creation & configuration | Created and configured at the ESX/ESXi host level      | Created and configured at the vCenter Server level
Layer 2 switch           | Yes, forwards Layer 2 frames                           | Yes, forwards Layer 2 frames
VLAN segmentation        | Yes                                                    | Yes
802.1Q tagging           | Understands 802.1Q VLAN tags                           | Understands 802.1Q VLAN tags
NIC teaming              | Yes, multiple uplinks can form a NIC team              | Yes, multiple uplinks can form a NIC team
Outbound traffic shaping | Yes                                                    | Yes
Inbound traffic shaping  | Not available                                          | Distributed switch only
VM port blocking         | Not available                                          | Distributed switch only
Private VLAN             | Not available                                          | PVLANs can be created on the dvSwitch; three types (promiscuous, community, isolated)
Load-based teaming       | Not available                                          | Distributed switch only
Network vMotion          | Not available                                          | Distributed switch only
Per-port policy setting  | Policy applied at switch and port group level          | Policy applied at switch, port group and even per-port level
NetFlow                  | Not available                                          | Yes
Port mirroring           | Not available                                          | Yes

Picture 8: vSwitch. Picture 9: dvSwitch.
12. Port Groups and VLAN
• Each (virtual) port group is identified by a network label, which is unique to the current host. Network labels are used to
make virtual machine configuration portable across hosts. All port groups in a datacenter that are physically connected to
the same network (in the sense that each can receive broadcasts from the others) are given the same label. Conversely, if
two port groups cannot receive broadcasts from each other, they have distinct labels.
• A VLAN ID, which restricts port group traffic to a logical Ethernet segment within the physical network, is optional. If you
use VLAN IDs, you must change the port group labels and VLAN IDs together so that the labels properly represent
connectivity.
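The label/VLAN rule above is easy to break one host at a time, and the result is a VM that lands on the wrong Layer 2 segment after vMotion. The following is an added example, not code from the slides or from VMware: it runs the rule over a hand-constructed inventory in the shape of a vCenter export (the field names `host`, `vswitch`, `label`, `vlan` are assumptions) and reports labels that map to different VLANs on different hosts, distinct labels that sit on the same VLAN, labels missing on some hosts, and port groups set to VLAN 4095 (virtual guest tagging, where the guest sees every VLAN on the uplink).

```python
"""Port-group label / VLAN consistency check across ESXi hosts (added example)."""
from collections import defaultdict

VGT_TRUNK = 4095   # vSphere: VLAN 4095 on a port group = virtual guest tagging (trunk)

# Constructed sample inventory; field names are assumptions, not a vSphere API.
INVENTORY = [
    {"host": "esxi-01", "vswitch": "vSwitch0", "label": "Prod-Web",   "vlan": 110},
    {"host": "esxi-02", "vswitch": "vSwitch0", "label": "Prod-Web",   "vlan": 110},
    {"host": "esxi-03", "vswitch": "vSwitch0", "label": "Prod-Web",   "vlan": 110},
    {"host": "esxi-01", "vswitch": "vSwitch0", "label": "Legacy-Web", "vlan": 110},  # second label, same segment
    {"host": "esxi-02", "vswitch": "vSwitch0", "label": "Legacy-Web", "vlan": 110},
    {"host": "esxi-03", "vswitch": "vSwitch0", "label": "Legacy-Web", "vlan": 110},
    {"host": "esxi-01", "vswitch": "vSwitch0", "label": "Prod-DB",    "vlan": 120},
    {"host": "esxi-02", "vswitch": "vSwitch0", "label": "Prod-DB",    "vlan": 120},
    {"host": "esxi-03", "vswitch": "vSwitch0", "label": "Prod-DB",    "vlan": 121},  # typo on one host
    {"host": "esxi-01", "vswitch": "vSwitch1", "label": "vMotion",    "vlan": 0},    # 0 = untagged
    {"host": "esxi-02", "vswitch": "vSwitch1", "label": "vMotion",    "vlan": 0},
    {"host": "esxi-03", "vswitch": "vSwitch1", "label": "vMotion",    "vlan": 0},
    {"host": "esxi-02", "vswitch": "vSwitch0", "label": "DMZ-Trunk",  "vlan": VGT_TRUNK},  # one host only
]


def check_port_groups(inventory):
    """Return findings as (rule, subject, message) tuples; an empty list means consistent."""
    vlans_by_label = defaultdict(set)
    hosts_by_label = defaultdict(set)
    findings = []

    for pg in inventory:
        vlans_by_label[pg["label"]].add(pg["vlan"])
        hosts_by_label[pg["label"]].add(pg["host"])
        if pg["vlan"] == VGT_TRUNK:
            # A compromised guest on a VGT port group can reach every VLAN carried on the uplink.
            findings.append(("vgt-trunk", pg["label"],
                             f"{pg['host']}: port group {pg['label']!r} is a VGT trunk (VLAN 4095); "
                             "confirm the guest really needs all VLANs"))

    # Rule 1: one label, one VLAN. Otherwise a VM migrated to the odd host lands on another segment.
    for label, vlans in sorted(vlans_by_label.items()):
        if len(vlans) > 1:
            findings.append(("label-vlan-mismatch", label,
                             f"label {label!r} maps to VLANs {sorted(vlans)} on different hosts"))

    # Rule 2: one segment, one label. Two labels on one VLAN hide a shared broadcast domain.
    labels_by_vlan = defaultdict(set)
    for label, vlans in vlans_by_label.items():
        if len(vlans) == 1:                      # only labels with a consistent mapping
            labels_by_vlan[next(iter(vlans))].add(label)
    for vlan, labels in sorted(labels_by_vlan.items()):
        if len(labels) > 1:
            findings.append(("duplicate-segment", vlan,
                             f"VLAN {vlan} is reachable under several labels {sorted(labels)}"))

    # Rule 3: every label on every host, otherwise vMotion to a host without it fails.
    all_hosts = {pg["host"] for pg in inventory}
    for label, hosts in sorted(hosts_by_label.items()):
        missing = sorted(all_hosts - hosts)
        if missing:
            findings.append(("label-missing-on-host", label,
                             f"label {label!r} is not defined on {missing}"))
    return findings


if __name__ == "__main__":
    for rule, subject, message in check_port_groups(INVENTORY):
        print(f"[{rule}] {message}")
```

On the constructed inventory the check reports four findings: the `Prod-DB` VLAN typo on esxi-03, the `Prod-Web`/`Legacy-Web` pair sharing VLAN 110, and `DMZ-Trunk` both as a VGT port group and as a label that exists on only one host. Feeding it a real export (PowerCLI `Get-VirtualPortGroup` or pyVmomi) is a one-line change in how `INVENTORY` is built.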
16. HP BladeSystem Matrix
• It is built upon the core technologies of HP BladeSystem, HP Virtual Connect, HP Insight software and
implementation services. It also includes optimized support for HP StorageWorks, factory integration and
onsite services.
• BladeSystem Matrix delivers a converged infrastructure built on well-established HP technologies and
functionality including:
• HP BladeSystem c-Class c7000 enclosure, server blades (half-height and full-height), Virtual Connect with
Flex-10, and Thermal Logic
• HP Insight software
• Factory Integration, Factory Express, and Technology Services
• HP StorageWorks 4400 Enterprise Virtual Array starter kit
• Onboard Administrator (OA) for the enclosure: HP Onboard Administrator for BladeSystem delivers
blade enclosure power and remote management capability, now with KVM capability.
• iLO: HP Integrated Lights-Out (iLO) provides the automated intelligence to maintain complete server control
from any place. HP iLO functions out of the box without additional software installation, regardless of the
server's state of operation, giving you complete access to your server from any location via a web browser or
the iLO Mobile App.
17. HP c7000 enclosure view
• Single-phase AC input, 3-phase AC input, -48V DC input, and high-voltage DC input.
• With Onboard Administrator, iLO remote management, and HP OneView you can manage
your servers and take complete control regardless of the state of the server operating system.
• Hot-plug, redundant components as standard
• Form factor - 10U
• BladeSystem supported
19. HP Virtual Connect (vConnect) and Flex-10
Reduce costs and simplify connections to SANs, consolidate your network connections, and let administrators
add, replace and recover server resources on the fly. Being standards-based, it looks like a pass-through device
to the Fibre Channel network, yet provides all the key benefits of integrated switching, including high-performance
16 Gb uplinks to the SAN. Virtual Connect Manager (VCM) / Virtual Connect Enterprise Manager (VCEM) are used to manage Virtual Connect.
20. Part 1 Recap …
• Have you downloaded and played with the VM trials provided by VMware?
• What is vMotion, and why does it require a dedicated east-west network?
• What are the drawbacks of virtualization?
• Any security breach noticed? How is inter-VM communication secured?
• What are vShield and vApp?
• ToR!! The Onion Router? No… it's Top of Rack!!!
• How many vSS / dvS in a 16-blade enclosure, as a minimum?
21. Part 2 – Network & Tipping Point
23. Datacenter Traffic
Data centers have become more modular, reaching thousands of VMs across the hosts, and networks are shifting
from the traditional three-tier model (access at the top of rack / aggregation / core) to a flattened leaf (ToR) / spine topology. These changes
shift traffic from a north-south orientation to an east-west one; consequently, around 75% of data center traffic
is now east-west.
24. HP TippingPoint
• TippingPoint now functions as a part of the HP Enterprise Security Products business in the HP Software Division. Originally, TippingPoint was an
American software company with roots back to 1999, focused on network security products, particularly intrusion prevention systems for
networks. Until September 2011, TippingPoint was within HP Networking, the networking division of HP. It then transferred to the HP Software
Division.
• HP maintains the TippingPoint name today. In September 2013, HP announced that it entered the next-generation firewall market with a new line
of TippingPoint firewalls. The new line extends TippingPoint's existing intrusion prevention system (IPS) appliances with traditional stateful packet
filtering and application control.
• Security product lines (8)
• NG Intrusion Prevention System
• NG Firewall
• TippingPoint DV Labs
• ATA – Advanced Threat Appliance
• Security Management System (SMS)
• Digital Vaccine Toolkit
• ThreatDV (Reputation Service)
• ThreatLinQ
• Where is vConnect in the product list?!
26. SVF – Secure Virtualization Framework
• The HP TippingPoint Secure Virtualization Framework (SVF) is designed specifically for implementing threat protection for the virtualized infrastructure.
• The HP TippingPoint Virtual Controller + Virtual Firewall (vController+vFW) extends the TippingPoint IPS platform for data center security from the physical to
the virtual data center, enforcing security policies on VMs and mobile VMs. The vController+vFW and the Virtual Management Center (VMC) are purpose-built
software solutions designed to enable and enforce full data center firewall segmentation and IPS inspection between trust zones for physical hosts, virtual
machines (VMs) and even mobile VMs. vController+vFW intercepts all packets within the hypervisor and, based upon user-defined policies, permits
traffic, blocks traffic, or tunnels packets to an HP TippingPoint N-Platform IPS for inspection.
Key features
• Single solution for physical & virtual data center
• Purpose-built for virtualization security
• Real-time visibility of the entire virtual data center
• VMware certified, VMsafe compatible
• Security policies follow VMs
Components
• HP TippingPoint
• IPS Platform
• vController + vFirewall
• vConnect & VCM/VCEM (optional)
• SMS
• VMware vSphere
• ESXi – hypervisor
• vCenter Server
• vSphere Client
• VMsafe
27. SVF Component overview
• Purpose-built data center segmentation solution: The HP TippingPoint vController and vMC are purpose-built software
solutions designed to enable the physical IPS platform to enforce full data center segmentation of trust zones for physical
hosts, virtual machines (VMs), and even mobile VMs. The vController intercepts all packets within the hypervisor and based
upon user-defined policies, tunnels packets to an HP N Series IPS for inspection.
• The vController provides a direct path to the TippingPoint IPS Platform (appliance) to inspect and control VM-to-VM
communications. Using the VMSafe API, the vController efficiently directs appropriate traffic to TippingPoint’s appliance
and its leading threat suppression engine (TSE) ensures the optimal performance and control required in the virtual data
center. The vController and IPS Platform also operate in unison to support HA capabilities, including fail over of the
vController when HA requirements and configured policy dictate.
• The TippingPoint SMS is an enterprise class management platform that provides administration, configuration, monitoring
and reporting for multiple TippingPoint IPS platforms. Because the TippingPoint SMS provides a scalable, policy-based
operational model, it enables straightforward management of large scale IPS deployments across both physical and
virtualized infrastructure.
• This is in addition to the TippingPoint Security Management System (SMS), which provides a valuable tool for configuring
security policy management, monitoring and reporting. TippingPoint's integration with VMware's VMsafe APIs via Reflex
Systems' vTrust and Reflex's Virtual Management Center (VMC) provides many advantages:
• Automatic discovery and graphical mapping of virtual infrastructure topology
• Supports separation of duties (SoD) between operations and network/security teams
• Security teams can monitor vSwitch and VM changes to identify tampering with or disablement of security controls
• Upgradeable and compatible with the full Reflex VMC
• Complete visibility and control over the entire virtual infrastructure
28. TippingPoint NG IPS
• Digital Vaccine Filter Service — new filters are continuously fed to the IPS device to keep it up to date against the latest vulnerabilities
• ThreatLinQ Portal — easy-to-use, real-time threat monitoring allows users to optimize their network security
• Reputation Digital Vaccine Service — allows organizations to recognize and block "bad traffic" at the network perimeter
• Application Digital Vaccine — provides granular application control and bandwidth rate limiting
• Digital Vaccine Toolkit — allows users in sensitive environments to build their own filters
• Web App Digital Vaccine — identifies and remedies vulnerabilities within custom-built applications without affecting network performance
29. TippingPoint NG IPS initial setup
1. Connect cables to the IPS segments (pairs of ingress / egress ports)
2. Serial cable to set the IP address and user credentials at 'security level 2'
• Level 0 - weak security checking
• Level 1 - basic security checking
• Level 2 - recommended maximum security checking
3. Connect to the web GUI - LSM (Local Security Manager) - at the IP address set in the previous step
4. TOS update: update the TippingPoint Operating System to the latest release
5. DV update: update the Digital Vaccine to the latest release to get the inspection packages, and enable them
6. Apply the profile / filters to the connected segment.
• IPS Digital Vaccine (DV) filters monitor traffic passing between network segments. Based on the Security Profiles configured
on the device, the IPS applies the filters to traffic on each segment included in the profile. Each Security Profile has its own
filter settings. Within a Security Profile, you can accept the recommended settings for a filter category or, if necessary,
customize individual filters based on your network environment and security needs.
• You configure filters separately for each Security Profile configured on the IPS device. When a profile is initially created, all
filters are set to the default Category Settings. You can change the Category Settings for filters or edit individual filters from
the Edit Security Profile page in the LSM.
33. vController + vFirewall + VMC
• VMC shows real-time statistics from vCenter
• Topology view
• Easy deployment of the vController VM
• Inventory view
• vController workspace: zone creation with VQL (read-only), e.g. Pg.name = "Department project vm"
• vController policy editor: policy creation with VQL, e.g. Vm.name contains 'Bugzilla web'
• Direct specific traffic to IPS inspection, or allow / block it in the firewall
• Monitor the SMS for events
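Slide 26 describes the mechanism (intercept every packet in the hypervisor, then permit, block or tunnel to the IPS by policy, with policy following the VM) and slide 33 shows the shape of the zone queries. The following is an added example, not vController, VMC or VQL code: VQL's grammar is not on the slides, so the three-field predicate form, the inventory attribute names and the rule table are all assumptions. It shows why attribute-based zones make policy survive vMotion: membership is recomputed from `Pg.name`-style attributes, not from the host or the IP, so the same flow gets the same decision after the VM moves, including when it becomes co-located with its peer on one host where no physical firewall would ever see the traffic.

```python
"""Zone-based VM-to-VM policy in the style of vController + VMC (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class VM:
    name: str
    host: str
    port_group: str   # the slide's Pg.name
    ip: str


# Constructed inventory (assumed attribute names).
INVENTORY = {
    "web-01":          VM("web-01",          "esxi-01", "Department project vm", "10.1.10.11"),
    "web-02":          VM("web-02",          "esxi-02", "Department project vm", "10.1.10.12"),
    "Bugzilla web 01": VM("Bugzilla web 01", "esxi-02", "Department project vm", "10.1.10.20"),
    "db-01":           VM("db-01",           "esxi-03", "Prod-DB",               "10.1.20.11"),
    "backup-01":       VM("backup-01",       "esxi-03", "Backup",                "10.1.30.11"),
}

# Zone = (attribute, operator, value). The operator set is an assumed mini-language, not VQL.
ZONES = {
    "project":  ("port_group", "=",        "Department project vm"),
    "bugzilla": ("name",       "contains", "Bugzilla web"),
    "db":       ("port_group", "=",        "Prod-DB"),
    "backup":   ("name",       "matches",  r"backup-\d+"),
}

# Ordered rules (src zone, dst zone, proto, dst port, action); first match wins.
# "inspect" = permit, but tunnel the flow to the IPS for Digital Vaccine filtering.
POLICY = [
    ("bugzilla", "db",      "tcp", 3306, "inspect"),
    ("project",  "db",      "tcp", 3306, "inspect"),
    ("backup",   "db",      "tcp", 22,   "inspect"),
    ("project",  "project", "any", None, "permit"),
    ("any",      "any",     "any", None, "block"),   # default deny between zones
]


def matches(vm, query):
    """Evaluate one zone predicate against a VM's inventory attributes."""
    attr, op, value = query
    actual = getattr(vm, attr)
    if op == "=":
        return actual == value
    if op == "contains":
        return value.lower() in actual.lower()
    if op == "matches":
        return re.fullmatch(value, actual) is not None
    raise ValueError(f"unknown operator {op!r}")


def zones_of(vm):
    """Zone membership is recomputed from attributes, never cached per host or IP."""
    return frozenset(z for z, q in ZONES.items() if matches(vm, q))


def decide(src, dst, proto, dport):
    """Decision for one flow intercepted in the hypervisor, regardless of host placement."""
    src_zones, dst_zones = zones_of(src), zones_of(dst)
    for rs, rd, rp, rport, action in POLICY:
        if rs != "any" and rs not in src_zones:
            continue
        if rd != "any" and rd not in dst_zones:
            continue
        if rp != "any" and rp != proto:
            continue
        if rport is not None and rport != dport:
            continue
        return action
    return "block"   # unreachable with the catch-all rule; kept as a fail-closed default


def vmotion(vm, new_host):
    """vMotion changes the host only; name, port group and IP travel with the VM."""
    return VM(vm.name, new_host, vm.port_group, vm.ip)


if __name__ == "__main__":
    web, db = INVENTORY["web-01"], INVENTORY["db-01"]
    print(sorted(zones_of(web)), decide(web, db, "tcp", 3306))     # project zone, sent to IPS
    moved = vmotion(web, "esxi-03")                                 # now on the same host as db-01
    print(sorted(zones_of(moved)), decide(moved, db, "tcp", 3306))  # same zone, same decision
    print(decide(db, web, "tcp", 22))                               # reverse direction: blocked
```

The first-match rule order matters in the same way it does on a physical firewall: the narrow `inspect` rules sit above the broad intra-zone `permit`, and the catch-all `block` last makes any VM that matches no zone query fail closed rather than fall through.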
34. Part 2 Recap…
• ASICs and multi-core processors have traditionally been used for IPS applications. This luxury is not available in virtualized environments,
because virtualization technologies typically do not allow direct access to the underlying application-specific hardware.
Virtualization is well suited to general-purpose applications that would otherwise be underutilized on dedicated hardware.
Overcompensating for the loss of specific hardware by using larger than normal amounts of compute cycles for encryption, or memory for
state maintenance, defeats the purpose of server virtualization.
• How are vCenter and vController connected, and where does the initial vController service run?
• Which firewall is really doing the work, vShield or vController?
• How does the SMS identify real events in the ocean of events from the IPS?
Editor's Notes
1. External network virtualization combines or subdivides one or more local area networks (LANs) into virtual networks to improve a large network's or data center's efficiency.
2. Also called virtual channel: internal network virtualization configures a single system with software containers, such as VNICs.
3. Virtual firewalls can operate in different modes to provide security services, depending on the point of deployment. Typically these are either bridge mode or hypervisor mode (hypervisor-based, hypervisor-resident). Both may come shrink-wrapped as a virtual security appliance and may install a virtual machine for management purposes.
Ring 0-3 concept