Post on 11-Aug-2021
Enhancing the Software Defined Datacenter
Danny Claproth, Sr. Sales Engineer
Agenda
• Bringing Security to virtualisation and cloud
– Responsibilities and Challenges
• Deep Security
– What, How, Why
• Secure Cloud
– What, How, Why
• What about NSX (Deep Security 9.5)?
Security in the cloud (and virtualized environments)
Responsibilities and Challenges
Virtualization & Cloud: Key Security Inhibitors
1. Resource Contention: automatic antivirus scans (a typical AV console scheduling a 3:00am scan on every VM at once) overburden the system – the "antivirus storm".
2. Instant-on Gaps: dormant, reactivated and cloned VMs can have out-of-date security.
3. Inter-VM Attacks / Blind Spots: attacks can spread across VMs.
4. Complexity of Management: VM sprawl inhibits compliance – patching agents, rolling out patterns, provisioning new VMs, reconfiguring agents.
Cloud Security Challenges
• Challenge: Multi-tenancy / Mixed Trust Level VMs – shared resources create a mixed trust level environment.
• Challenge: Data Access and Governance – cloud data can provide less visibility and control.
• Challenge: Data Destruction – when data is moved, unsecured data remnants can remain.
Deep Security: Be Smart when changing your datacenters
Server Security Platform – Physical, Virtual, Cloud
Open, Automated, Scalable Platform
Modules: Anti-malware, Firewall, Integrity Monitoring, Intrusion Prevention, Log Inspection, Web Reputation
Anti-malware
• Prevents viruses and other malicious code from penetrating your data center
• Real-time scanning on all your disk activities
• Scheduled and manual scanning of all your disks
Web Reputation
• Prevents hosts from accessing web content hosted on malicious
• Web resources are categorized
• Dynamic list based on Trend Micro’s Smart Protection Network
Intrusion Prevention
• IDS/IPS detects and blocks known and zero-day attacks that target vulnerabilities
• Web Application Protection: shields web application vulnerabilities
• Application Control: provides increased visibility into, or control over, applications accessing the network
Firewall
• Reduces the attack surface
• Prevents DoS and detects reconnaissance scans
Integrity Monitoring
• Detects malicious and unauthorised changes to files, directories, registry keys, …
Log Inspection
• Optimizes the identification of important security events buried in the log entries
Deep Security Architecture
3/11/2014 Copyright 2013 Trend Micro Inc.
Architecture diagram (built up over four slides): a DSVA (Deep Security Virtual Appliance) runs alongside the guest VMs on each ESX host; a filter driver in the hypervisor intercepts the guests' disk I/O and network traffic on their way to the physical disks and physical network; several ESX hosts, each with its own DSVA, are managed centrally by the DSM together with vCenter.
Deep Security 9 – Instant-on Security
• Improved performance for malware and integrity scans: up to 20X improvement, especially for VDI
• Deeper agentless guest context enables software and vulnerability scans for automatic policy management
Diagram: vSphere hosts the VMs (OS and apps) with the VM Tools thin driver; the Deep Security Virtual Appliance provides Anti-Malware, Web Reputation, Intrusion Prevention, Firewall and Integrity Monitoring.
Flexible Deployment in the cloud
• Agent-based deployment mode
• Agent installation can be scripted
Secure Cloud: Be Smart when changing your datacenters
Data worth protecting: Patient Medical Records, Credit Card Payment Information, Sensitive Research Results, Social Security Numbers
Encryption with Policy-based Key Management
What is Secure Cloud
• Compliance support
• Custody of keys
• No vendor lock-in
• Trusted server access
• Control for when and where data is accessed
AES Encryption – 128, 192 & 256 bit
Policy-based Key Management
Auditing, Reporting & Mobility
• Unreadable to outsiders
• Obscured data on recycled devices
Platform Support
Diagram: the SecureCloud Console is delivered either as a Trend Micro SaaS solution or as a software application in your own data center (key management deployment options); encryption support covers virtual machines on vSphere in private and public clouds as well as physical machines.
How SecureCloud works
Diagram: an encrypted storage volume, a server running the SC agent, and the SecureCloud key management server (in the enterprise datacenter or as a SaaS offering, with the workload at a cloud service provider); the agent and key server exchange a random session key over SSL.
• Server that needs access to storage – the SC agent opens a session with the SC key management server
– Policy check
• SC key management releases the key
• Server uses the key to access storage
• Full volume encryption
• The SecureCloud agent sits in the OS stack between the disk driver and the file system driver
• Encryption is transparent to the OS and applications
• Encryption persists even after the instance is stopped
• FIPS 140-2 certified AES encryption
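The policy-gated key release sketched above, as an added example (not SecureCloud code): a key server that only hands out a volume key, wrapped under the session key, when the requesting server's identity, location and access time all satisfy policy. The policy store, volume id, server names and the HMAC-based key wrap are constructed placeholders; SecureCloud itself uses FIPS-certified AES and SSL for the session.

```python
import hashlib
import hmac
import secrets

# Constructed sample data for the key management server (KMS) side.
# Volume keys stay in KMS custody and only leave it wrapped under a per-session key.
POLICIES = {
    "vol-records-01": {
        "allowed_servers": {"db-prod-01"},                   # trusted server identities
        "allowed_locations": {"enterprise-dc", "cloud-eu"},  # where access is permitted
        "hours_utc": (6, 22),                                # when access is permitted
    }
}
VOLUME_KEYS = {"vol-records-01": secrets.token_bytes(32)}    # 256-bit volume keys

def policy_allows(volume_id, server_id, location, hour_utc):
    """The policy check: every condition must hold before a key is released."""
    pol = POLICIES.get(volume_id)
    if pol is None:
        return False
    start, end = pol["hours_utc"]
    return (server_id in pol["allowed_servers"]
            and location in pol["allowed_locations"]
            and start <= hour_utc < end)

def wrap(key, session_key):
    """Placeholder key wrap: XOR with an HMAC-derived keystream.
    It stands in for the AES key wrap a real deployment would use."""
    stream = hmac.new(session_key, b"volume-key-wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(key, stream))

unwrap = wrap  # XOR with the same keystream reverses the wrap

def kms_release_key(volume_id, server_id, location, session_key, hour_utc):
    """KMS side: release the volume key, wrapped under the session key, only if policy passes."""
    if not policy_allows(volume_id, server_id, location, hour_utc):
        return None  # denied: nothing leaves the KMS
    return wrap(VOLUME_KEYS[volume_id], session_key)

def agent_fetch_volume_key(volume_id, server_id, location, hour_utc):
    """SC agent side: open a session with a random session key (assumed to travel over SSL),
    request the volume key, unwrap it, and hand it to the disk-level encryption layer."""
    session_key = secrets.token_bytes(32)
    wrapped = kms_release_key(volume_id, server_id, location, session_key, hour_utc)
    return None if wrapped is None else unwrap(wrapped, session_key)
```

A denied request returns nothing at all, so a cloned or relocated instance outside the policy window never obtains the volume key and the volume stays unreadable to it.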
Why Secure Cloud
Deep Security + Secure Cloud = A Perfect Match
Trend Micro Cloud Protection
Data worth protecting: Patient Medical Records, Credit Card Payment Information, Sensitive Research Results, Social Security Numbers
• SecureCloud – Encryption with Policy-based Key Management = Data protection with encryption for data stored in private, public and hybrid clouds
• Deep Security – Server Security Platform (Physical, Virtual, Cloud) = System and application protection for VMs in private, public, and hybrid clouds
Trend Micro Deep Security Cloud Protection Pack
What about NSX? Deep Security 9.5
Innovating with VMware
Deep Security 7 (2009) – Agentless Intrusion Prevention and Firewall
Deep Security 7.5 (2010) – Agentless Anti-Malware
Deep Security 8 (2012) – Agentless Integrity Monitoring – Agentless Web Reputation
Deep Security 9 (2013) – Agentless Recommendation Scan – Scan Cache
NSX replaces vShield and vCNS
Service Catalog & Auto Deployment
Group Management through vSphere
Partial Policy Management through vSphere
Tags Enable Automation/Interoperability
NSX Benefits
• Automatic deployment of DSVA on ESXi 5.5+
• Auto activation of DSVA
• No maintenance mode/reboot
• Fine-grained packet traffic control
• Multi-product interoperability and automation through tagging
NSX Alternatives
Deep Security 9.5 supports all modules (using vShield with VMsafe-NET) on:
• ESXi 5.5
• ESXi 5.1
Deep Security 9.5 Beta: This month! GA: Beginning Q2
Questions?