Shields Up! Building a True Security Barrier in the Cloud

2017 Proprietary and Confidential2017 Proprietary and Confidential
OVH: Shields Up!
Building a True Security Barrier in the Cloud
–––
Chris Romano | Principal Systems Engineer
@Virtualirishman

2017 Proprietary and Confidential©2017 OVH US | Proprietary & Confidential
–––
VMworld disclaimer
This presentation may contain product features that are
currently under development. This overview of new
technology represents no commitment from VMware or OVH
to deliver these features in any generally available product.
Features are subject to change, and must not be included in
contracts, purchase orders, or sales agreements of any kind.
Technical feasibility and market demand will affect final
delivery. Pricing and packaging for any new technologies or
features discussed or presented have not been determined.
2

–––
AGENDA
1 OVH – Who We Are
2 OVH Product Overview
3 Defense at the PERIMETER DDOS Mitigation
4 Defense WITHIN the Virtual Data Center
6 Securing the Extended Data Center
7 Q & A
3

2017 Proprietary and Confidential
–––
WHO IS OVH

–––
OVH is a global, hyper-scale cloud provider
that offers our customers maximum performance and value
• Vertical integration (constructing own servers, data centers) and proprietary green water cooling technology allows
OVH to save costs and pass savings to customers
• Named largest hosting & cloud provider in Europe and third largest global hosting provider by Netcraft
https://www.netcraft.com/internet-data-mining/hosting-analysis/
5
OVH GROUP HIGHLIGHTS

–––
6
Over 1.2 Million Business Clients in 138 Countries
Own 11+ Tbps
Network
with
32 PoPs
2016
20 data centers in
5 countries and
4 continents
2017
27 data centers
in 11 countries
2020
50 data centers
Hosting capacity: 1.3
million physical servers
270,000 already deployed
OVH IS A GLOBAL CLOUD LEADER

–––
OVH BUILDS ITS OWN DATA CENTERS
7

–––
30% natural air cooling
+
70% water cooling
=
0% air conditioning
OVH MANUFACTURES SERVERS & USES GREEN TECHNOLOGY
8

–––
+ Dedicated Cloud
+ Virtual Private Cloud
+ Disaster Recovery
+ VMware SDDC
+ Open API
+ Automation Compatibility
+ Scalability
+ Bring you own License
+ Non-Virtual Workloads
+ Proprietary Software
Dedicated Servers
Bare Metal
Customer Support & Services
Global Hyper-Scale Reach
OVH’s Fiber Optic Network (11+ Tbps) + Anti-DDoS + Private LAN
Public Cloud
SOLUTIONS TO SUIT YOUR NEEDS
Hosted Private Cloud
9

©2017 OVH US | Proprietary & Confidential
–––
NETWORK CAPACITY 11+ Tbps
10

–––
WHY WE ARE HERE

–––
DEFENSE AT THE PERIMETER

–––
Domain name provider Dyn suffered the largest DDoS attack in history on
Oct. 21
DYN DDOS ATTACK - OCTOBER 21, 2016
13

–––
MEANWHILE IN ROUBAIX 1 MONTH EARLIER…….
Each day OVH detects
and mitigates over
1500 attacks against
its customers’
servers. About one
third of these attacks
are "SYN flood"
attacks.
1 Tbps DDoS Attack Launched from 152,000 Hacked Smart Devices
This is likely the largest DDoS attack ever reported.
Reference Article:
https://www.ovh.com/us/news/articles/a2367.the-ddos-that-didnt-break-the-camels-vac
14

–––
DDOS ATTACKS INCREASE 125% ANNUALLY
Source: Akamai: Q1 2016 State of the Internet - Security Report
In 2016 we saw 19 attacks over 100 Gbps
15

–––
TARGETS AND TYPES OF ATTACKS
16

–––
End of the attack. Auto-mitigation is maintained
for 26 hours after the attack has ended
The server is operational - no attack Internet-based
services are used without any problems.
The DDoS attack begins the attack is launched via
the internet and on the backbone.
Mitigation of the attack Between 15 and 120 seconds
after the attack has started, the mitigation is activated.
STAGES OF MANAGING AN ATTACK
1
3 4
2
17

–––
18
• Pre-Firewall
• OVH Managed Firewall
• Firewall Network
• Customer Configurable per IP address
• Shield
• UDP reflexion/amplification attacks filtering
• Armor
• Profiles based mitigation
• Does the grunt of the work : SYN Authentication, Zombie detection, payload patterns,
…
• Only enabled when we detect an attack
VAC
Pre-Firewall Firewall Shield Armor
VAC
Architecture
VAC – OVH’S ANSWER TO DDOS

–––
OVH MITIGATION TECHNIQUES
Traffic Analysis and Attack Detection
• Netflow analysis of 1/2000 of the traffic that
passes through routers.
• The Armor boxes analyze this and compare it to
the attack signatures.
• If the comparison is positive, mitigation is
ACTIVATED WITHIN SECONDS!
Detection
19

–––
VAC
VAC
VAC
VAC
SBG
RBX
GRA
BHS
Reference Article:
https://www.ovh.com/us/news/articles/a2367.the-ddos-that-didnt-break-the-camels-vac
LEVERAGING A GLOBAL NETWORK
20

–––
VAC
Anti-Hack
Anti-Spam
Anti-Phishing
Remotely Triggered
Black Hole (RTBH)
• A fully redundant global network
• Redundancy of all components
• Fire risk management
• High security Data Centers
• Human presence in all Data Centers
• Measures to counteract any failure of the electrical supply network.
ADDITIONAL PROTECTION
21

–––
DEFENSE WITHIN THE VIRTUAL DATA CENTER

–––
EDGE SECURITY
NSX EDGE GATEWAY
(vCloud Air Network)
(vCloud Air Network)
• Stateful Inspection Firewall
• Network Address Translations
(NAT)
• DHCP
• Site to Site VPN (IPSec)
• Static Routing
• Dynamic Routing OSPF, BGP
• Load Balancer L4/L7
• SSL Certificate Offloading
• SSL VPN (Client to Server)
• 200 Sub-Interfaces
• Distributed Firewall
23

–––
Runs in Kernel
Space
Full vCenter
Integration
(VC Containers, vMotion)
Zero-trust Security
Micro-Segmentation
Line RateDistributed Enable traffic
redirection to
3rd party services
Spoofguard
Fully
programmable
(REST API)
Internet
DISTRIBUTED FIREWALL CHARACTERISTICS
24

–––
WAN Internet
Compute Cluster Compute Cluster
Perimeter
Firewall
(Physical)
NSX EDGE
Service
Gateway
Compute Cluster
SDDC (Software Defined DC)
DFW DFW DFW
DFW: E-W
Edge Service Gateway
positioned to protect
border of the Cloud
Instance or SDDC:
North – South traffic
protection
Distributed Firewall
positioned for internal
traffic protection:
East – West
traffic protection
Physical
Virtual
Compute Cluster
EDGE:N-S
NSX SECURITY IN THE CLOUD
25

–––
SPOOFGUARD
• Ensuring the IP of a VM cannot be altered without
intervention
• IP address does not match the IP address on record
vNIC is prevented from accessing the network
entirely.
• Prevents rogue virtual machines from assuming the
IP address of an existing VM
• Guarantees distributed firewall (DFW) rules cannot
be bypassed
26

–––
3RD PARTY INTEGRATION
Hytrust Encryption at Rest
Private Cloud / vSphere Data Center
VM +
HyTrust
Key Controller 4
VM +
HyTrust
VM +
HyTrust
Key Controller 2
Key Controller 1
Key Controller 3
vCloud Air
Admin 1
Admin 2
• Encrypt and re-key without taking applications offline
• Transparent to users and admins
• Customer retention of keys (Bring Your Own Keys)
• Encryption travels with the VM, regardless of location
27

–––
3RD PARTY INTEGRATION
28

–––
SECURING THE EXTENDED DATA CENTER

–––
• Secure VM migration or vMotion with IPSec and Suite-
B Encryption
• Flow entropy with FOU tunneling
• Authentication required for migration
• NAT’d vMotion Traffic
• HCX will available upon release from VMware
UNIQUE HYBRID CAPABILITIES
Migrate Virtual Machines On-Prem to vCloud Air with Zero Downtime
Compatibility Portability Security
Hybrid Cloud
vCloud AirOn-Premises
Zero-Downtime
Migration
Active Replicating
Secure Tunnel
Overview
30

–––
SECURITY POLICY MIGRATION
The VMware SDDC
Private Cloud
The VMware
Public Cloud
Security Policy
Migration
Untether workloads
from the physical data
center for increased
flexibility and agility
Support data center
migration and
consolidation projects
without need for
maintenance windows
Simplify transition to
cloud by carrying
existing security and
networking policies with
the virtual machine
31

–––
HCX – ANY-TO-ANY CLOUD
32
32
HCX – Any-to-Any
• Tether legacy vSPhere 5.1 to next-gen vSphere 6.5 and above
• Seamless application mobility between different VMW stacks
• Secure L2 Extension w/o need for NSX on site
• Automatic VPN connectivity across sites
• vMotion and replication across disparate VMW stacks
Features
Benefits
• Move to cloud w/o need to upgrade vSphere on-prem
• No need to upgrade networking architecture to extend L2 to cloud
• Transform from legacy stack to next-gen SDDC+NSX without
downtime
• Transform with no change in networking, IP or IT policies
• Automatic secure, high performance connection between sites
vSphere 5.1+
VCF or
VC + NSX
HCX Hybridity

–––
vRACK (VIRTUAL RACK)
Once enabled, your services communicate with each other across a virtual network (vLAN).
• Secure Private connection of all OVH infrastructures around the world.
• vRack Enables private connectivity between Data Centers
• Customer has the ability to make changes themselves
• Allows extending layer 2 networks
• Interconnects different environment types on the same VLAN
33

–––
Customer Managed Networks
& vRACK
OVH POP
Open Stack
vSphere-as-
a-Service
Dedicated
Server
Roubaix Hillsboro Vint Hill
Customer DC
vSphere-as-
a-Service
CONNECTIVITY SIMPLIFIED
34

–––
SUMMARY
• OVH is a global hyper-scale cloud provider with a rich 20 year history.
• OVH Customers have more options for data center locations, more direct
connection points to get to the OVH network, more choices & product selection.
• Industry leading anti-DDOS protection frontends your OVH based assets whether
they are dedicated servers, private cloud computing, or public cloud instances.
• Behind that industry leading DDOS protection is security in depth under your
control.
35

–––
HOW TO CONTACT US
36
VMworld Booth Location – D313
@ovh and @vcloudair_ovh
@ovh and @vcloudair.ovh
OVH and vCloud Air powered by OVH
ovh.com

–––
OVH AT VMWORLD
37
Session ID Session Title Time
LHC3295BES OVH: Why Optimizing Layer 0 matters Wednesday Sept 13th 2:00 p.m. – 3:00 p.m.
LHC2401BE How far is too far? The Hybrid Cloud Distance Factor. Tuesday Sept 12 3:30 p.m. – 4:30 p.m.
LHC3296BES Shields Up! Building a True Security Barrier in the Cloud Tuesday Sept 12th 2:00p.m. – 3:00 p.m
LHC1951BE
Automate Cloud Recovery For When You Are Nuked From
Orbit: It’s the Only Way to Be Sure
Thursday Sept 14th 9:00 a.m. – 10:00 a.m.
LHC1010BES
Open your mind: mix Private Cloud, Hybridity and Elasticity all
Together
Tuesday, Sept 12th 5:00 p.m. – 6:00 p.m.
GRC2676BE
Building a Paper Trail: How to Secure and Audit a Public
Cloud
Wednesday Sept 13th 3:30 p.m. – 4:30 p.m.

–––
THANK YOU

Shields Up! Building a True Security Barrier in the Cloud

Recommended

Recommended

More Related Content

What's hot

What's hot (19)

Similar to Shields Up! Building a True Security Barrier in the Cloud

Similar to Shields Up! Building a True Security Barrier in the Cloud (20)

Recently uploaded

Recently uploaded (20)

Shields Up! Building a True Security Barrier in the Cloud

Editor's Notes