LHC3296BES
OVH: Shields Up! Building a True Security Barrier in the Cloud
Chris Romano, Principal Systems Engineer
Twitter - @virtualirishman #VMworld #LHC3296BES

VMworld disclaimer –––
This presentation may contain product features that are currently under development. This overview of new technology represents no commitment from VMware or OVH to deliver these features in any generally available product. Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind. Technical feasibility and market demand will affect final delivery. Pricing and packaging for any new technologies or features discussed or presented have not been determined.
©2017 OVH US | Proprietary & Confidential
2017 Proprietary and Confidential
AGENDA –––
1 OVH – Who We Are
2 OVH Product Overview
3 Defense at the PERIMETER: DDOS Mitigation
4 Defense WITHIN the Virtual Data Center
6 Securing the Extended Data Center
7 Q&A
WHO IS OVH –––
OVH GROUP HIGHLIGHTS –––
OVH is a global, hyper-scale cloud provider that offers our customers maximum performance and value
• Vertical integration (constructing own servers, data centers) and proprietary green water cooling technology allows OVH to save costs and pass savings to customers
• Named largest hosting & cloud provider in Europe and third largest global hosting provider by Netcraft https://www.netcraft.com/internet-data-mining/hosting-analysis/
OVH IS A GLOBAL CLOUD LEADER –––
Hosting capacity: 1.3 million physical servers, 270,000 already deployed
2016: 20 data centers in 5 countries and 4 continents
2017: 27 data centers in 11 countries
2020: 50 data centers
Own 11+ Tbps Network with 32 PoPs
Over 1.2 Million Business Clients in 138 Countries
OVH BUILDS ITS OWN DATA CENTERS –––
OVH MANUFACTURES SERVERS & USES GREEN TECHNOLOGY –––
30% natural air cooling + 70% water cooling = 0% air conditioning
SOLUTIONS TO SUIT YOUR NEEDS –––
Public Cloud
+ Open API
+ Automation Compatibility
+ Scalability
Hosted Private Cloud
+ Dedicated Cloud
+ Virtual Private Cloud
+ Disaster Recovery
+ VMware SDDC
Dedicated Servers / Bare Metal
+ Bring your own License
+ Non-Virtual Workloads
+ Proprietary Software
OVH's Fiber Optic Network (11+ Tbps) + Anti-DDoS + Private LAN
Customer Support & Services
Global Hyper-Scale Reach
NETWORK CAPACITY 11+ Tbps –––
WHY WE ARE HERE –––
DEFENSE AT THE PERIMETER –––
DYN DDOS ATTACK - OCTOBER 21, 2016 –––
Domain name provider Dyn suffered the largest DDoS attack in history on Oct. 21
MEANWHILE IN ROUBAIX 1 MONTH EARLIER……. –––
1 Tbps DDoS Attack Launched from 152,000 Hacked Smart Devices. This is likely the largest DDoS attack ever reported.
Each day OVH detects and mitigates over 1500 attacks against its customers' servers. About one third of these attacks are "SYN flood" attacks.
Reference Article: https://www.ovh.com/us/news/articles/a2367.the-ddos-that-didnt-break-the-camels-vac
DDOS ATTACKS INCREASE 125% ANNUALLY –––
In 2016 we saw 19 attacks over 100 Gbps
Source: Akamai: Q1 2016 State of the Internet - Security Report
TARGETS AND TYPES OF ATTACKS –––
STAGES OF MANAGING AN ATTACK –––
1 The server is operational - no attack. Internet-based services are used without any problems.
2 The DDoS attack begins: the attack is launched via the internet and on the backbone.
3 Mitigation of the attack: Between 15 and 120 seconds after the attack has started, the mitigation is activated.
4 End of the attack. Auto-mitigation is maintained for 26 hours after the attack has ended.
VAC – OVH'S ANSWER TO DDOS –––
VAC Architecture
• Pre-Firewall
• Firewall Network
• Shield
• Armor

Pre-Firewall
• OVH Managed Firewall
• UDP reflection/amplification attack filtering

Firewall Network
• Customer configurable per IP address

Shield
• Profile-based mitigation

Armor
• Does the grunt of the work: SYN Authentication, Zombie detection, payload patterns, …
• Only enabled when we detect an attack
OVH MITIGATION TECHNIQUES –––
Detection: Traffic Analysis and Attack Detection
• Netflow analysis of 1/2000 of the traffic that passes through routers.
• The Armor boxes analyze this and compare it to the attack signatures.
• If the comparison is positive, mitigation is ACTIVATED WITHIN SECONDS!
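The two slides above describe the detection loop in outline: sample 1 in 2000 packets as NetFlow, compare the sample against attack signatures, activate mitigation within seconds, and keep it on for 26 hours after the attack ends. The following is an added example, not OVH's code, that shows the arithmetic behind one such signature (a SYN flood, the attack type the earlier slide says makes up about a third of what OVH sees): sampled SYN-only packet counts are scaled back up by the sampling rate, compared with the host's total TCP traffic, and fed into a hold timer that models the 26-hour auto-mitigation window. The thresholds, the 10-second window and all flow records are constructed for illustration; the field names are modelled on NetFlow v5 but are not tied to any particular exporter.

```python
"""SYN-flood detection from sampled flow records, plus a mitigation hold timer.

Added example (not OVH's code). The slides state that routers export NetFlow
for 1 in 2000 packets, that the Armor boxes compare it to attack signatures,
and that auto-mitigation stays on for 26 hours after an attack ends. The
thresholds, window and sample flows below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

SAMPLING_RATE = 2000                 # 1 in 2000 packets exported (from the slide)
WINDOW_SECONDS = 10                  # constructed: length of the analysed window
SYN_PPS_THRESHOLD = 50_000           # constructed: estimated SYN-only packets/s that trips detection
MIN_SYN_RATIO = 0.8                  # constructed: share of a host's TCP packets that are bare SYNs
MITIGATION_HOLD_SECONDS = 26 * 3600  # from the slide: mitigation kept 26 h after the attack ends

TCP, UDP = 6, 17
SYN, ACK, PSH = 0x02, 0x10, 0x08


@dataclass(frozen=True)
class Flow:
    """One sampled flow record (fields modelled on NetFlow v5)."""
    src: str
    dst: str
    dport: int
    proto: int
    tcp_flags: int   # cumulative OR of the TCP flags seen in the flow
    packets: int     # sampled packet count in this record


def is_syn_only(flow: Flow) -> bool:
    """A flow that only ever carried SYN (never ACK) never completed a handshake."""
    return flow.proto == TCP and (flow.tcp_flags & (SYN | ACK)) == SYN


def syn_flood_candidates(flows, window=WINDOW_SECONDS, sampling=SAMPLING_RATE):
    """Return destinations whose scaled-up SYN-only rate and SYN ratio both exceed thresholds."""
    tcp_pkts = defaultdict(int)
    syn_pkts = defaultdict(int)
    syn_sources = defaultdict(set)
    for f in flows:
        if f.proto != TCP:
            continue
        tcp_pkts[f.dst] += f.packets
        if is_syn_only(f):
            syn_pkts[f.dst] += f.packets
            syn_sources[f.dst].add(f.src)
    hits = {}
    for dst, syns in syn_pkts.items():
        est_pps = syns * sampling / window      # undo the 1/2000 sampling
        ratio = syns / tcp_pkts[dst]            # bare SYNs as a share of all TCP packets to dst
        if est_pps >= SYN_PPS_THRESHOLD and ratio >= MIN_SYN_RATIO:
            hits[dst] = {"estimated_syn_pps": est_pps, "syn_ratio": ratio,
                         "distinct_sources": len(syn_sources[dst])}
    return hits


class MitigationState:
    """Tracks which destinations are under mitigation; every new detection extends the hold."""
    def __init__(self):
        self.active_until = {}

    def update(self, now: float, detected) -> set:
        for dst in detected:
            self.active_until[dst] = now + MITIGATION_HOLD_SECONDS
        return {dst for dst, until in self.active_until.items() if until > now}


def build_sample_flows():
    """Constructed sample: a flood against .10, ordinary traffic to .20, some UDP noise."""
    flows = []
    for i in range(400):   # SYN-only records aimed at one host from many sources
        flows.append(Flow(f"203.0.113.{i % 250}", "198.51.100.10", 443, TCP, SYN, 1))
    for i in range(40):    # a little legitimate, completed traffic to the same host
        flows.append(Flow(f"192.0.2.{i}", "198.51.100.10", 443, TCP, SYN | ACK | PSH, 1))
    for i in range(30):    # a quiet host: one bare SYN record per 20 established packets
        flows.append(Flow(f"192.0.2.{i}", "198.51.100.20", 80, TCP, SYN, 1))
        flows.append(Flow(f"192.0.2.{i}", "198.51.100.20", 80, TCP, SYN | ACK | PSH, 20))
    flows.append(Flow("192.0.2.99", "198.51.100.10", 53, UDP, 0, 5))   # ignored by the SYN rule
    return flows


if __name__ == "__main__":
    hits = syn_flood_candidates(build_sample_flows())
    state = MitigationState()
    print(hits)
    print("mitigating:", state.update(0, hits))
```

With the constructed data, 400 sampled bare SYNs in a 10-second window scale to an estimated 80,000 SYN/s against 198.51.100.10 from 250 distinct sources, while the second host stays well below both thresholds; the hold timer then keeps that destination under mitigation until 26 hours after the last positive detection, which is the behaviour the stages slide describes.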
LEVERAGING A GLOBAL NETWORK –––
VAC nodes at SBG, RBX, GRA and BHS
Reference Article: https://www.ovh.com/us/news/articles/a2367.the-ddos-that-didnt-break-the-camels-vac
ADDITIONAL PROTECTION –––
Remotely Triggered Black Hole (RTBH)
VAC
Anti-Hack, Anti-Spam, Anti-Phishing
• A fully redundant global network
• Redundancy of all components
• Fire risk management
• High security Data Centers
• Human presence in all Data Centers
• Measures to counteract any failure of the electrical supply network.
DEFENSE WITHIN THE VIRTUAL DATA CENTER –––
EDGE SECURITY –––
NSX EDGE GATEWAY (vCloud Air Network)
• Stateful Inspection Firewall
• Network Address Translation (NAT)
• DHCP
• Site to Site VPN (IPSec)
• Static Routing
• Dynamic Routing OSPF, BGP
• Load Balancer L4/L7
• SSL Certificate Offloading
• SSL VPN (Client to Server)
• 200 Sub-Interfaces
• Distributed Firewall
DISTRIBUTED FIREWALL CHARACTERISTICS –––
• Runs in Kernel Space
• Full vCenter Integration (VC Containers, vMotion)
• Zero-trust Security Micro-Segmentation
• Line Rate
• Enable traffic redirection to 3rd party services
• Spoofguard
• Fully programmable (REST API)
NSX SECURITY IN THE CLOUD –––
[Diagram: WAN / Internet → Perimeter Firewall (Physical) → NSX EDGE Service Gateway (physical/virtual boundary) → Compute Clusters, each with a DFW; EDGE: N-S, DFW: E-W]
Edge Service Gateway positioned to protect the Cloud border of the Instance or SDDC: North – South traffic protection
Distributed Firewall positioned for internal traffic protection: East – West traffic protection
SDDC (Software Defined DC)
SPOOFGUARD –––
• Ensuring the IP of a VM cannot be altered without intervention
• If the IP address does not match the IP address on record, the vNIC is prevented from accessing the network entirely.
• Prevents rogue virtual machines from assuming the IP address of an existing VM
• Guarantees distributed firewall (DFW) rules cannot be bypassed
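The distributed firewall slide lists Spoofguard as one of the DFW's characteristics, and the slide above says why it is there: DFW rules are written against IP addresses, and a guest chooses the source address it writes into its own packets. The following is an added example, not VMware's or OVH's code, that models both layers with constructed rules, vNIC-to-IP bindings and packets. It shows the same spoofed packet being allowed when only the DFW rule is consulted and dropped before it reaches the rules when a SpoofGuard-style binding check runs first. Rule semantics, the binding table and the "dropped_by_spoofguard" verdict are all assumptions of this example, not NSX behaviour beyond what the slide states.

```python
"""How SpoofGuard keeps a distributed firewall's IP-based rules honest.

Added example (not VMware's or OVH's code). The slides say SpoofGuard binds a
VM's IP to the IP on record and blocks the vNIC entirely on a mismatch so that
DFW rules cannot be bypassed. The rules, bindings and packets below are
constructed to show why that ordering matters: DFW rules match on the source
IP, which the guest writes, whereas the emitting vNIC is set by the hypervisor.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    vnic: str       # emitting vNIC, assigned by the hypervisor (trusted)
    src_ip: str     # source address written by the guest OS (untrusted)
    dst_ip: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src_ip: str            # exact IP or "any"
    dst_ip: str            # exact IP or "any"
    dport: Optional[int]   # None matches any port
    action: str            # "allow" or "deny"

    def matches(self, p: Packet) -> bool:
        return (self.src_ip in ("any", p.src_ip)
                and self.dst_ip in ("any", p.dst_ip)
                and (self.dport is None or self.dport == p.dport))


# constructed DFW policy: only the app VM may reach the database, everything else is denied
RULES = [
    Rule("10.0.1.10", "10.0.2.20", 3306, "allow"),
    Rule("any", "any", None, "deny"),
]

# constructed SpoofGuard table: vNIC -> IP address on record
BINDINGS = {
    "vnic-app": "10.0.1.10",
    "vnic-rogue": "10.0.1.50",
}


def dfw_decision(p: Packet, rules=RULES) -> str:
    """First matching rule wins; an empty rule set denies."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


def spoofguard_permits(p: Packet, bindings=BINDINGS) -> bool:
    """A vNIC may only emit packets from its recorded IP; unknown vNICs are blocked too."""
    return bindings.get(p.vnic) == p.src_ip


def forward(p: Packet, spoofguard_enabled: bool, rules=RULES, bindings=BINDINGS) -> str:
    """SpoofGuard is evaluated before the DFW, so a spoofed packet never reaches the rules."""
    if spoofguard_enabled and not spoofguard_permits(p, bindings):
        return "dropped_by_spoofguard"
    return dfw_decision(p, rules)


# constructed traffic
APP_TO_DB = Packet("vnic-app", "10.0.1.10", "10.0.2.20", 3306)
ROGUE_OWN_IP = Packet("vnic-rogue", "10.0.1.50", "10.0.2.20", 3306)
ROGUE_SPOOFED = Packet("vnic-rogue", "10.0.1.10", "10.0.2.20", 3306)   # claims the app VM's IP


def compare() -> dict:
    """Decision for each packet with SpoofGuard off and on."""
    out = {}
    for name, pkt in (("app_to_db", APP_TO_DB), ("rogue_own_ip", ROGUE_OWN_IP),
                      ("rogue_spoofed", ROGUE_SPOOFED)):
        out[name] = {"spoofguard_off": forward(pkt, False), "spoofguard_on": forward(pkt, True)}
    return out


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:14s} off={result['spoofguard_off']:22s} on={result['spoofguard_on']}")
```

The legitimate app VM and the rogue VM using its own address get the same verdict either way; only the rogue packet carrying the app VM's address changes from "allow" to a drop, which is the bypass the slide says SpoofGuard closes. Because the check keys on the vNIC rather than on anything inside the packet, it also blocks a vNIC that has no binding on record at all.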
3RD PARTY INTEGRATION –––
HyTrust Encryption at Rest
[Diagram: Key Controllers 1–4 and Admins 1–2 serving VM + HyTrust instances in vCloud Air and in a Private Cloud / vSphere Data Center]
• Encrypt and re-key without taking applications offline
• Transparent to users and admins
• Customer retention of keys (Bring Your Own Keys)
• Encryption travels with the VM, regardless of location
3RD PARTY INTEGRATION –––
SECURING THE EXTENDED DATA CENTER –––
UNIQUE HYBRID CAPABILITIES –––
Migrate Virtual Machines On-Prem to vCloud Air with Zero Downtime
Overview
[Diagram: On-Premises and vCloud Air joined by a Secure Tunnel; labels: Hybrid Cloud, Zero-Downtime Migration, Active, Compatibility, Portability, Replicating]
Security
• Secure VM migration or vMotion with IPSec and Suite B Encryption
• Flow entropy with FOU tunneling
• Authentication required for migration
• NAT'd vMotion Traffic
• HCX will be available upon release from VMware
SECURITY POLICY MIGRATION –––
Security Policy Migration: The VMware SDDC Private Cloud → The VMware Public Cloud
• Untether workloads from the physical data center for increased flexibility and agility
• Support data center migration and consolidation projects without need for maintenance windows
• Simplify transition to cloud by carrying existing security and networking policies with the virtual machine
HCX – ANY-TO-ANY CLOUD –––
Features
• Tether legacy vSphere 5.1 to next-gen vSphere 6.5 and above
• Seamless application mobility between different VMW stacks
• Secure L2 Extension w/o need for NSX on site
• Automatic VPN connectivity across sites
• vMotion and replication across disparate VMW stacks
[Diagram: HCX Hybridity linking vSphere 5.1+ with VCF or VC + NSX]
Benefits
• Move to cloud w/o need to upgrade vSphere on-prem
• No need to upgrade networking architecture to extend L2 to cloud
• Transform from legacy stack to next-gen SDDC+NSX without downtime
• Transform with no change in networking, IP or IT policies
• Automatic secure, high performance connection between sites
vRACK (VIRTUAL RACK) –––
• Secure private connection of all OVH infrastructures around the world.
• vRack enables private connectivity between Data Centers
• Customer has the ability to make changes themselves
• Allows extending layer 2 networks
• Interconnects different environment types on the same VLAN
Once enabled, your services communicate with each other across a virtual network (vLAN).
CONNECTIVITY SIMPLIFIED –––
[Diagram: Customer DC → OVH POP → Customer Managed Networks & vRACK → Dedicated Server, vSphere-as-a-Service, Open Stack, vSphere-as-a-Service; sites shown: Roubaix, Hillsboro, Vint Hill]
SUMMARY –––
• OVH is a global hyper-scale cloud provider with a rich 20 year history.
• OVH Customers have more options for data center locations, more direct connection points to get to the OVH network, more choices & product selection.
• Industry leading anti-DDOS protection frontends your OVH based assets whether they are dedicated servers, private cloud computing, or public cloud instances.
• Behind that industry leading DDOS protection is security in depth under your control.
HOW TO CONTACT US –––
@ovh and @vcloudair_ovh
@ovh and @vcloudair.ovh
ovh.com
OVH and vCloud Air powered by OVH
VMworld Booth Location – D313
OVH AT VMWORLD –––
Session ID | Session Title | Time
LHC3295BES | OVH: Why Optimizing Layer 0 matters | Wednesday Sept 13th 2:00 p.m. – 3:00 p.m.
LHC2401BE | How far is too far? The Hybrid Cloud Distance Factor. | Tuesday Sept 12 3:30 p.m. – 4:30 p.m.
LHC3296BES | Shields Up! Building a True Security Barrier in the Cloud | Tuesday Sept 12th 2:00 p.m. – 3:00 p.m.
| Automate Cloud Recovery For When You Are Nuked From Orbit: It's the Only Way to Be Sure | Thursday Sept 14th 9:00 a.m. – 10:00 a.m.
| Building a Paper Trail: How to Secure and Audit a Public Cloud | Wednesday Sept 13th 3:30 p.m. – 4:30 p.m.
| Open your mind: mix Private Cloud, Hybridity and Elasticity all Together | Tuesday, Sept 12th 5:00 p.m. – 6:00 p.m.
Also listed on the slide: LHC1951BE, LHC1010BES, GRC2676BE