Chris Romano, Principal Solutions Engineer at OVH US, presented "Shields Up! Building a True Security Barrier in the Cloud" at VMworld 2017 in Las Vegas and Barcelona.
Shields Up! Building a True Security Barrier in the Cloud
2017 Proprietary and Confidential
OVH: Shields Up!
Building a True Security Barrier in the Cloud
–––
Chris Romano | Principal Systems Engineer
@Virtualirishman
Building own servers, from the racks, to the housing, to the servers themselves
With OVH you get access to almost any type of infrastructure you will need. If you are like most businesses, you have a large number of VMware-based VMs running on-prem. OVH’s Private Cloud is based on VMware’s SDDC stack, and with the acquisition of vCloud Air, connecting your on-prem environment to a private cloud has never been easier.
If you are looking for public cloud burstability, OVH has you covered with Public Cloud, provided and run on OpenStack.
But let’s say you have a workload with specific requirements and you want access to every part of the software stack. OVH has Bare Metal servers for you.
OVH not only provides different product platforms to address customers’ specific project needs; with our vRack product we also integrate these resources, allowing easy setup and communication between the platforms.
A customer may combine a piece of each of these into a single solution that suits their needs.
Private cloud – vSphere SDDC allowing ease of management by leveraging the same tools you’re used to from VMware.
Public Cloud – Get virtual machines at a per-hour/per-minute cost by leveraging OVH’s Public Cloud built on OpenStack.
Dedicated Servers – Have full control of every aspect of your environment by starting from bare metal. Get root and BIOS-level access to your hardware, and install what you want.
The incident took offline some of the most popular sites on the web, including Netflix, Twitter, Spotify, Reddit, CNN, PayPal, Pinterest and Fox News – as well as newspapers including the Guardian, the New York Times and the Wall Street Journal.
Massive DDoS Attack Against Dyn DNS over 1 Tbps
Amazon’s web services division, the world’s biggest cloud computing company, also reported an outage that lasted several hours on Friday morning.
Major cyber attack disrupts internet service across Europe and US
As the Internet of Things (IoT) or connected devices are growing at a great pace, they continue to widen the attack surface at the same time, giving attackers a large number of entry points to affect you in some way or another.
1 Tbps DDoS Attack Hits OVH
IoT devices are currently being deployed in a large variety of forms throughout your home, businesses, hospitals, and even entire cities (Smart Cities), but they are routinely being hacked and used as weapons in cyber attacks due to a lack of stringent security measures and insecure encryption mechanisms.
Octave Klaba, the founder and CTO of OVH, revealed on Twitter last week that his company was hit with two simultaneous DDoS attacks whose combined bandwidth reached almost 1 Tbps.
"Last days, we got [a] lot of huge DDoS. Here, the list of "bigger that 100Gbps" only. You can see the simultaneous DDoS are close to 1 Tbps!," Klaba tweeted.
A screenshot posted by Klaba shows multiple DDoS attacks that exceed 100 Gbps, including one that peaked at 799 Gbps alone, making it the largest DDoS attack ever reported.
According to the OVH founder, the massive DDoS attack was carried out via a network of over 152,000 IoT devices that includes compromised CCTV cameras and personal video recorders.
IoT-powered DDoS attacks have now reached an unprecedented size, as it is too easy for hackers to gain control of poorly configured, or vulnerable, IoT devices.
Late last year, we reported that lazy manufacturers of IoT devices and home routers are reusing the same set of hard-coded SSH (Secure Shell) cryptographic keys, leaving millions of embedded devices, including home routers, modems, and IP cameras, open to hijacking.
And the worst part: these insecure IoT or internet-connected devices are no longer in line for security updates, which makes it possible for hackers to hijack these connected devices today or tomorrow.
Mitigate against 16 different DDoS Attacks
OVH uses NetFlow sent by the routers and analyzed by the Arbor Peakflow boxes.
Each router sends a summary of 1/2000 of the traffic that is actually passing through it.
The Arbor boxes analyze this and compare it to the attack signatures. If the comparison is positive, mitigation is ACTIVATED WITHIN SECONDS!
The signatures analyzed are based on traffic thresholds of "packets per second" (pps, Kpps, Mpps, Gpps) or "bits per second" (bps, Kbps, Mbps, Gbps) on certain packet types, such as DNS, ICMP, IP Fragment, NULL IP, UDP, Total Traffic, etc.
Given that certain thresholds must be crossed, and that only 1/2000 of the actual traffic is analyzed, setting up the mitigation can take between 15 and 120 seconds.
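To make the sampling arithmetic concrete, here is an added example (not OVH's or Arbor's code) that models the detection loop just described: sampled flow records are scaled back up by the 1/2000 sampling rate, bucketed per second and per packet class, and compared against per-class pps/bps thresholds. The threshold values, the protocol-to-class mapping and the sample records are constructed assumptions; only the sampling rate, units and class names come from the slides.

```python
from collections import defaultdict

SAMPLING_RATE = 2000  # routers export one record per 2000 packets, as described above
# Hypothetical (max packets/s, max bits/s) per traffic class; the page gives
# the classes and units but not OVH's actual values, so these are constructed.
SIGNATURES = {"DNS": (500_000, 2_000_000_000), "ICMP": (200_000, 1_000_000_000),
              "UDP": (2_000_000, 10_000_000_000), "IP_FRAGMENT": (100_000, 1_000_000_000),
              "NULL_IP": (50_000, 500_000_000), "TOTAL": (5_000_000, 40_000_000_000)}

def classify(proto, dst_port, fragment):
    """Map one sampled packet to every signature class it counts toward."""
    classes = ["TOTAL"]
    if fragment:
        classes.append("IP_FRAGMENT")
    if proto == 0:              # IP protocol number 0: "NULL IP"
        classes.append("NULL_IP")
    elif proto == 1:            # ICMP
        classes.append("ICMP")
    elif proto == 17:           # UDP, with DNS (port 53) as a sub-class
        classes.append("UDP")
        if dst_port == 53:
            classes.append("DNS")
    return classes

def detect(records, sampling_rate=SAMPLING_RATE):
    """records: (second, proto, dst_port, bytes, fragment) per sampled packet.
    Returns {second: [(class, est_pps, est_bps), ...]} for every threshold breach."""
    pkts, bits = defaultdict(int), defaultdict(int)
    for sec, proto, port, nbytes, frag in records:
        for cls in classify(proto, port, frag):
            pkts[(sec, cls)] += sampling_rate              # one sample ~ 2000 packets
            bits[(sec, cls)] += nbytes * 8 * sampling_rate
    alarms = defaultdict(list)
    for (sec, cls), pps in pkts.items():
        max_pps, max_bps = SIGNATURES[cls]
        if pps > max_pps or bits[(sec, cls)] > max_bps:
            alarms[sec].append((cls, pps, bits[(sec, cls)]))
    return dict(alarms)

def first_alarm_second(records):
    """Second at which mitigation would be activated, or None if nothing tripped."""
    alarms = detect(records)
    return min(alarms) if alarms else None

# Constructed sample: a DNS flood ramping up. With 1/2000 sampling, 100 samples
# in a second estimate only ~200 kpps, so the flood stays under threshold until s=2.
SAMPLE = ([(0, 17, 53, 80, False)] * 100      # ~200 kpps DNS
        + [(1, 17, 53, 80, False)] * 200      # ~400 kpps DNS
        + [(2, 17, 53, 80, False)] * 300)     # ~600 kpps DNS: breach
```

The sample shows why detection lags the start of an attack: a class only trips once enough sampled records land in one second to estimate a rate above its threshold, so low-rate or slowly ramping floods take longer to be seen than the headline numbers suggest.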
Prevents virtual machines from altering their existing IP address.
If a VM's IP address does not match the IP address on record, its vNIC is prevented from accessing the network entirely.
Prevents rogue virtual machines from assuming the IP address of an existing VM.
Ensures the IP addresses of virtual machines cannot be altered without intervention.
Guarantees distributed firewall (DFW) rules cannot be bypassed.
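As an added illustration (not OVH or VMware code) of the IP binding behaviour listed above: each vNIC carries one IP address on record, a frame whose source address differs from it disables that vNIC entirely, the record changes only through an administrative action, and distributed firewall rules are matched only against a source IP that has passed that check. The vNIC names, addresses and the single DFW rule are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class VNic:
    name: str
    ip_on_record: str      # the one IP the platform will accept from this vNIC
    blocked: bool = False

@dataclass
class Enforcer:
    vnics: dict            # vNIC name -> VNic
    dfw_rules: list        # ordered (src_ip, dst_ip, action); default deny
    log: list = field(default_factory=list)

    def admit(self, vnic_name, src_ip, dst_ip):
        """Return 'ALLOW' or 'DROP' from the DFW, or 'BLOCKED' on a binding violation."""
        nic = self.vnics[vnic_name]
        if nic.blocked:
            return "BLOCKED"
        if src_ip != nic.ip_on_record:
            nic.blocked = True   # mismatch: cut the vNIC off the network entirely
            self.log.append(f"{vnic_name}: src {src_ip} != record {nic.ip_on_record}")
            return "BLOCKED"
        # DFW rules are matched only on a source IP the binding check has verified,
        # so a rule keyed on an address cannot be satisfied by a spoofed packet.
        for rule_src, rule_dst, action in self.dfw_rules:
            if rule_src in (src_ip, "any") and rule_dst in (dst_ip, "any"):
                return action
        return "DROP"

    def change_ip(self, vnic_name, new_ip, admin=False):
        """The IP on record changes only through administrative intervention."""
        if not admin:
            raise PermissionError("guest may not alter its IP on record")
        self.vnics[vnic_name].ip_on_record = new_ip
        self.vnics[vnic_name].blocked = False

def demo():
    """Constructed scenario: 'rogue' tries to assume 'web's address (10.0.0.10)."""
    e = Enforcer(vnics={"web": VNic("web", "10.0.0.10"),
                        "rogue": VNic("rogue", "10.0.0.30")},
                 dfw_rules=[("10.0.0.10", "10.0.0.20", "ALLOW")])  # only web -> db
    r1 = e.admit("web", "10.0.0.10", "10.0.0.20")     # ALLOW: matches record and rule
    r2 = e.admit("rogue", "10.0.0.10", "10.0.0.20")   # BLOCKED: spoofs web's IP
    r3 = e.admit("rogue", "10.0.0.30", "10.0.0.20")   # BLOCKED: vNIC stays disabled
    e.change_ip("rogue", "10.0.0.30", admin=True)     # admin intervention re-enables it
    r4 = e.admit("rogue", "10.0.0.30", "10.0.0.20")   # DROP: verified IP, but no DFW rule
    return r1, r2, r3, r4, e.log
```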
Hybrid Cloud Manager is available today for Dedicated Cloud
Current capabilities include low-downtime migration and stretching Layer 2 networks across on-prem and vCloud Air. HCM also supports WAN optimization for improved performance between these endpoints.
The most recent release features 3 key new enhancements to HCM:
Zero-downtime migration/ cloud-to-cloud vMotion
Policy migration for customers already using NSX on-prem. This would allow you to carry the NSX firewall settings with the VM as it is migrated to vCloud Air
Expanded support for HCM in Virtual Private Cloud
Smaller enhancements include egress optimization and other implementation and performance improvements
VMware's Hybrid Cloud Manager offers vSphere users a seamless option for extending their networks to the cloud. Hybrid Cloud Manager™ provides an optimized, software-defined WAN to increase stretched network performance while reducing WAN traffic up to 50%, enabling networks to stretch in the cloud yet perform almost as if they were local.
Not only can the network fabric extend to the cloud but Hybrid Cloud Manager™ also enables zero downtime bidirectional migration of workloads as well as the migration of NSX security policies to vCloud Air Advanced Networking Services. Customers can move VMs up to 20x faster with our optimized network while retaining the same security controls available on-premises.
The new version of HCM offers our customers new, advanced networking capabilities to connect the on-prem environment to vCloud Air:
Zero Downtime Migration: Move VMs to the cloud without taking the VM offline!
Security Policy Migration: Duplicate your internal NSX microsegmentation policy for use with vCloud Air Advanced Networking Services to maintain security controls when migrating applications
High Speed Layer 2 tunnel: now customers can stretch their networks at multigigabit speeds, to make the WAN feel more like their LAN, making it faster and easier to move applications to and from the cloud and maintain connectivity to on-prem data center resources
HCM will now be sold in 3 tiers of service: Standard, Advanced, and Enterprise
Riding on our own private backbone, we have a network implementation we refer to as vRack. Using VXLAN-aware physical networking components, we’re able to interconnect your environments and allow communication between your workloads within the same VLAN segments. This is regardless of the type of solution: OpenStack Public Cloud connected to VMware SDDC Private Cloud, connected to your own custom bare metal solutions. This type of configuration is completely accessible and configurable from the customer side. There is no need to open a support case to request connectivity between your OVH DCs and solutions.
With vRack Connect, you can also take advantage of these same benefits and bring your local VLANs to the cloud. Sharing network space simplifies configuration from a networking perspective at the customer level. Let us deal with the complicated configuration between sites, the expensive hardware, and the maintenance.