Author: Elizabeth Eaton
LHC3296BES
OVH: Shields Up! Building a True Security Barrier in the Cloud
Chris Romano, Principal Systems Engineer
Twitter - @virtualirishman
#VMworld #LHC3296BES

VMworld disclaimer
–––
This presentation may contain product features that are currently under development. This overview of new technology represents no commitment from VMware or OVH to deliver these features in any generally available product. Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind. Technical feasibility and market demand will affect final delivery. Pricing and packaging for any new technologies or features discussed or presented have not been determined.

©2017 OVH US | Proprietary & Confidential

AGENDA
–––
1 OVH – Who We Are
2 OVH Product Overview
3 Defense at the PERIMETER: DDOS Mitigation
4 Defense WITHIN the Virtual Data Center
6 Securing the Extended Data Center
7 Q&A

WHO IS OVH
–––

OVH GROUP HIGHLIGHTS –––
• OVH is a global, hyper-scale cloud provider that offers our customers maximum performance and value
• Vertical integration (constructing own servers, data centers) and proprietary green water cooling technology allows OVH to save costs and pass savings to customers
• Named largest hosting & cloud provider in Europe and third largest global hosting provider by Netcraft https://www.netcraft.com/internet-data-mining/hosting-analysis/

OVH IS A GLOBAL CLOUD LEADER –––
Hosting capacity: 1.3 million physical servers, 270,000 already deployed
2016: 20 data centers in 5 countries and 4 continents
2017: 27 data centers in 11 countries
2020: 50 data centers
Own 11+ Tbps Network with 32 PoPs
Over 1.2 Million Business Clients in 138 Countries

OVH BUILDS ITS OWN DATA CENTERS –––

OVH MANUFACTURES SERVERS & USES GREEN TECHNOLOGY –––
30% natural air cooling + 70% water cooling = 0% air conditioning

SOLUTIONS TO SUIT YOUR NEEDS –––
Public Cloud: + Open API + Automation Compatibility + Scalability
Hosted Private Cloud: + Dedicated Cloud + Virtual Private Cloud + Disaster Recovery + VMware SDDC
Dedicated Servers / Bare Metal: + Bring your own License + Non-Virtual Workloads + Proprietary Software
OVH’s Fiber Optic Network (11+ Tbps) + Anti-DDoS + Private LAN
Customer Support & Services
Global Hyper-Scale Reach

NETWORK CAPACITY 11+ Tbps –––

WHY WE ARE HERE
–––

DEFENSE AT THE PERIMETER
–––

DYN DDOS ATTACK - OCTOBER 21, 2016 –––
Domain name provider Dyn suffered the largest DDoS attack in history on Oct. 21

MEANWHILE IN ROUBAIX 1 MONTH EARLIER…….
–––
1 Tbps DDoS Attack Launched from 152,000 Hacked Smart Devices. This is likely the largest DDoS attack ever reported.
Each day OVH detects and mitigates over 1500 attacks against its customers’ servers. About one third of these attacks are "SYN flood" attacks.
Reference Article: https://www.ovh.com/us/news/articles/a2367.the-ddos-that-didnt-break-the-camels-vac

DDOS ATTACKS INCREASE 125% ANNUALLY –––
In 2016 we saw 19 attacks over 100 Gbps
Source: Akamai: Q1 2016 State of the Internet - Security Report

TARGETS AND TYPES OF ATTACKS –––

STAGES OF MANAGING AN ATTACK
–––
1 The server is operational - no attack. Internet-based services are used without any problems.
2 The DDoS attack begins. The attack is launched via the internet and on the backbone.
3 Mitigation of the attack. Between 15 and 120 seconds after the attack has started, the mitigation is activated.
4 End of the attack. Auto-mitigation is maintained for 26 hours after the attack has ended.

VAC – OVH’S ANSWER TO DDOS –––
VAC Architecture: Pre-Firewall, Firewall Network, Shield, Armor
• Pre-Firewall: UDP reflection/amplification attacks filtering
• Firewall Network: OVH Managed Firewall, customer configurable per IP address
• Shield: Profiles based mitigation
• Armor: Does the grunt of the work: SYN Authentication, Zombie detection, payload patterns, … Only enabled when we detect an attack

OVH MITIGATION TECHNIQUES –––
Detection: Traffic Analysis and Attack Detection
• Netflow analysis of 1/2000 of the traffic that passes through routers.
• The Armor boxes analyze this and compare it to the attack signatures.
• If the comparison is positive, mitigation is ACTIVATED WITHIN SECONDS!
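Added example, not OVH's code: a toy model of the detection loop the two slides above describe, where routers export NetFlow for 1 packet in 2000, the detector scales the sampled SYN-only count back up, compares the estimate with a threshold standing in for the "SYN flood" signature, and keeps auto-mitigation for 26 hours after the rate drops. The threshold, the analysis window and the flow records are constructed for illustration.

```python
# Added example (not OVH's code): sampled-NetFlow SYN flood detection with the
# mitigation lifecycle from the "stages of managing an attack" slide.
# Threshold, window size and flow records are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLING_RATE = 2000          # 1 packet in 2000 is exported (from the slide)
HOLD_AFTER_END_S = 26 * 3600  # auto-mitigation retained 26 h after attack ends
SYN_FLOOD_PPS = 50_000        # constructed threshold standing in for the signature


@dataclass
class FlowRecord:
    dst_ip: str
    tcp_flags: int   # SYN = 0x02, ACK = 0x10 (cumulative flag mask as in NetFlow)
    packets: int     # sampled packets carried by this record


@dataclass
class Mitigation:
    active: bool = False
    clear_since: Optional[float] = None   # when the rate last fell below threshold


def estimate_syn_pps(records: List[FlowRecord], window_s: float) -> Dict[str, float]:
    """Scale sampled SYN-only packets back up to an estimated rate per victim IP.
    SYN+ACK replies (flags 0x12) are not counted: a flood is made of bare SYNs."""
    per_dst: Dict[str, int] = {}
    for r in records:
        if (r.tcp_flags & 0x12) == 0x02:
            per_dst[r.dst_ip] = per_dst.get(r.dst_ip, 0) + r.packets
    return {ip: n * SAMPLING_RATE / window_s for ip, n in per_dst.items()}


def step(state: Mitigation, now: float, syn_pps: float) -> bool:
    """One detector tick for one destination IP. Mitigation switches on as soon
    as the estimate crosses the threshold (detection latency is roughly one
    analysis window) and stays on until 26 h have passed below the threshold."""
    if syn_pps >= SYN_FLOOD_PPS:
        state.active = True
        state.clear_since = None
    elif state.active:
        if state.clear_since is None:
            state.clear_since = now
        if now - state.clear_since >= HOLD_AFTER_END_S:
            state.active = False
            state.clear_since = None
    return state.active
```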

LEVERAGING A GLOBAL NETWORK –––
[Map: VAC mitigation sites at SBG, RBX, GRA and BHS]
Reference Article: https://www.ovh.com/us/news/articles/a2367.the-ddos-that-didnt-break-the-camels-vac

ADDITIONAL PROTECTION
–––
• Remotely Triggered Black Hole (RTBH)
• VAC
• Anti-Hack, Anti-Spam, Anti-Phishing
• A fully redundant global network
• Redundancy of all components
• Fire risk management
• High security Data Centers
• Human presence in all Data Centers
• Measures to counteract any failure of the electrical supply network.

DEFENSE WITHIN THE VIRTUAL DATA CENTER
–––

EDGE SECURITY –––
NSX EDGE GATEWAY (vCloud Air Network)
• Stateful Inspection Firewall
• Network Address Translation (NAT)
• DHCP
• Site to Site VPN (IPSec)
• Static Routing
• Dynamic Routing OSPF, BGP
• Load Balancer L4/L7
• SSL Certificate Offloading
• SSL VPN (Client to Server)
• 200 Sub-Interfaces
• Distributed Firewall

DISTRIBUTED FIREWALL CHARACTERISTICS
–––
• Runs in Kernel Space
• Full vCenter Integration (VC Containers, vMotion)
• Zero-trust Security Micro-Segmentation
• Distributed
• Line Rate
• Enable traffic redirection to 3rd party services
• Spoofguard
• Fully programmable (REST API)

NSX SECURITY IN THE CLOUD
–––
[Diagram: WAN / Internet, Perimeter Firewall (Physical), then the NSX Edge Service Gateway (EDGE: N-S) in front of Compute Clusters each running the DFW (DFW: E-W); Physical vs Virtual; SDDC (Software Defined DC)]
• Edge Service Gateway positioned to protect the Cloud border of the Instance or SDDC: North – South traffic protection
• Distributed Firewall positioned for internal traffic protection: East – West traffic protection

SPOOFGUARD
–––
• Ensuring the IP of a VM cannot be altered without intervention
• If the IP address does not match the IP address on record, the vNIC is prevented from accessing the network entirely.
• Prevents rogue virtual machines from assuming the IP address of an existing VM
• Guarantees distributed firewall (DFW) rules cannot be bypassed
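Added example, not VMware's or OVH's code: a toy model of why SpoofGuard is what makes the last bullet above hold. DFW rules match on source IP, so a packet's source address is checked against the address on record for the sending vNIC before any rule lookup; a VM whose vNIC is not on record, or that claims a neighbour's address, is cut off at that step. The vNIC names, addresses and rules are constructed for illustration.

```python
# Added example (not VMware's or OVH's code): SpoofGuard check in front of a
# source-IP keyed distributed firewall. All names, addresses and rules are
# constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    vnic: str       # the virtual NIC the packet was seen on
    src_ip: str     # source address claimed in the IP header
    dst_ip: str
    dst_port: int


# SpoofGuard table: IP address on record for each vNIC (constructed)
APPROVED_IP = {
    "web01-vnic0": "10.0.1.10",
    "db01-vnic0": "10.0.2.20",
    "rogue-vnic0": "10.0.1.99",
}

# DFW rules as (src, dst, dst_port, action); "*"/0 are wildcards; first match wins
DFW_RULES = [
    ("10.0.1.10", "10.0.2.20", 3306, "allow"),   # web01 may reach db01 MySQL
    ("*", "*", 0, "drop"),                         # default deny
]


def spoofguard_check(pkt: Packet) -> bool:
    """True only if the claimed source IP equals the vNIC's address on record."""
    on_record: Optional[str] = APPROVED_IP.get(pkt.vnic)
    if on_record is None:
        return False                      # unknown vNIC: no record, no network
    try:
        return ip_address(on_record) == ip_address(pkt.src_ip)
    except ValueError:                    # malformed source address
        return False


def dfw_lookup(pkt: Packet) -> str:
    """Plain rule match on the header fields, with no knowledge of the vNIC."""
    for src, dst, port, action in DFW_RULES:
        if src in ("*", pkt.src_ip) and dst in ("*", pkt.dst_ip) and port in (0, pkt.dst_port):
            return action
    return "drop"


def process(pkt: Packet) -> Tuple[str, str]:
    """Full path: SpoofGuard first, then the DFW. Returns (verdict, deciding stage)."""
    if not spoofguard_check(pkt):
        return ("drop", "spoofguard")
    return (dfw_lookup(pkt), "dfw")
```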

3RD PARTY INTEGRATION
–––
HyTrust Encryption at Rest
[Diagram: Key Controllers 1–4 with Admin 1 and Admin 2; VM + HyTrust instances in vCloud Air and in the Private Cloud / vSphere Data Center]
• Encrypt and re-key without taking applications offline
• Transparent to users and admins
• Customer retention of keys (Bring Your Own Keys)
• Encryption travels with the VM, regardless of location

3RD PARTY INTEGRATION –––

SECURING THE EXTENDED DATA CENTER
–––

UNIQUE HYBRID CAPABILITIES
–––
Migrate Virtual Machines On-Prem to vCloud Air with Zero Downtime
[Diagram: On-Premises to vCloud Air over a Secure Tunnel; panels for Hybrid Cloud Overview, Zero-Downtime Migration (Active / Replicating), Compatibility and Portability]
Security
• Secure VM migration or vMotion with IPSec and Suite B Encryption
• Flow entropy with FOU tunneling
• Authentication required for migration
• NAT’d vMotion Traffic
• HCX will be available upon release from VMware

SECURITY POLICY MIGRATION
–––
Security Policy Migration: The VMware SDDC Private Cloud to The VMware Public Cloud
• Untether workloads from the physical data center for increased flexibility and agility
• Support data center migration and consolidation projects without need for maintenance windows
• Simplify transition to cloud by carrying existing security and networking policies with the virtual machine

HCX – ANY-TO-ANY CLOUD
–––
Features
• Tether legacy vSphere 5.1 to next-gen vSphere 6.5 and above
• Seamless application mobility between different VMW stacks
• Secure L2 Extension w/o need for NSX on site
• Automatic VPN connectivity across sites
• vMotion and replication across disparate VMW stacks
[Diagram: HCX Hybridity linking vSphere 5.1+ to VCF or VC + NSX]
Benefits
• Move to cloud w/o need to upgrade vSphere on-prem
• No need to upgrade networking architecture to extend L2 to cloud
• Transform from legacy stack to next-gen SDDC+NSX without downtime
• Transform with no change in networking, IP or IT policies
• Automatic secure, high performance connection between sites

vRACK (VIRTUAL RACK)
–––
• Secure Private connection of all OVH infrastructures around the world.
• vRack enables private connectivity between Data Centers
• Customer has the ability to make changes themselves
• Allows extending layer 2 networks
• Interconnects different environment types on the same VLAN
Once enabled, your services communicate with each other across a virtual network (vLAN).

CONNECTIVITY SIMPLIFIED –––
[Diagram: Customer DC connected through an OVH POP to Customer Managed Networks & vRACK, linking a Dedicated Server, vSphere-as-a-Service and OpenStack environments across Roubaix, Hillsboro and Vint Hill]

SUMMARY
–––
• OVH is a global hyper-scale cloud provider with a rich 20 year history.
• OVH Customers have more options for data center locations, more direct connection points to get to the OVH network, more choices & product selection.
• Industry leading anti-DDOS protection frontends your OVH based assets whether they are dedicated servers, private cloud computing, or public cloud instances.
• Behind that industry leading DDOS protection is security in depth under your control.

HOW TO CONTACT US
–––
@ovh and @vcloudair_ovh
@ovh and @vcloudair.ovh
VMworld Booth Location – D313
ovh.com
OVH and vCloud Air powered by OVH

OVH AT VMWORLD –––
Session IDs listed on the slide: LHC3295BES, LHC2401BE, LHC3296BES (this session), LHC1951BE, LHC1010BES, GRC2676BE

Session Title | Time
OVH: Why Optimizing Layer 0 matters | Wednesday Sept 13th 2:00 p.m. – 3:00 p.m.
How far is too far? The Hybrid Cloud Distance Factor. | Tuesday Sept 12 3:30 p.m. – 4:30 p.m.
Shields Up! Building a True Security Barrier in the Cloud | Tuesday Sept 12th 2:00 p.m. – 3:00 p.m.
Automate Cloud Recovery For When You Are Nuked From Orbit: It’s the Only Way to Be Sure | Thursday Sept 14th 9:00 a.m. – 10:00 a.m.
Building a Paper Trail: How to Secure and Audit a Public Cloud | Wednesday Sept 13th 3:30 p.m. – 4:30 p.m.
Open your mind: mix Private Cloud, Hybridity and Elasticity all Together | Tuesday, Sept 12th 5:00 p.m. – 6:00 p.m.
