By Simon Leech, CISSP CISM CRISC: Manager, Solution Architects EMEA Enterprise Business, HP TippingPoint Group
This week, HP announced that Mobinil, Egypt’s leading mobile service provider, chose to deploy the HP TippingPoint Intrusion Prevention System (IPS) to safeguard its data centers and networking infrastructures from malicious threats. It’s a great thing when one of our customers is so satisfied with the deployment of our solutions that they are willing to share this with the rest of the world, so I thought it would be a good opportunity to dive in a bit deeper and look at Mobinil’s security challenges and their solution selection process.
I’m excited to be one of the hosts for HP’s Tech Bloggers Day(s) this week (Aug. 23-24, Twitter hashtag #HPNetworkDay). The list of blogger attendees includes: Jeremy Gaddis (http://evilrouters.net), Greg Ferro (http://etherealmind.com), Alex Williams (http://www.readwriteweb.com/enterprise), John Obeto (http://absolutelywindows.com), and Andy McCaskey (http://sdrnews.com). Naturally, I’ll be covering HP Networking’s recent security news and strategy, particularly our focus on the data center and recent news about securing virtual environments and our Secure Virtual Framework (SVF).
Security for virtual environments is known to be a challenging technology, and it’s increasing in importance as organizations continue to consolidate their data centers, while both server and network virtualization become ever more prevalent. I usually sum up the problem for audiences by pointing out the dichotomy of having the industry’s leading in-line IPS appliance from TippingPoint, and the challenge of placing any physical device “in-line” in a virtualized data center environment where: 1) applications and virtual machines are always migrating between hosts (if not data centers) and 2) traffic may not even hit a “real” network when two virtual machines on the same host exchange east-west traffic that, by policy, should be analyzed and secured. Security devices, of course, whether an IPS or firewall, have to be in-line with the network flow to enforce policies and block malicious traffic.
There are few optimal solutions to this challenge, and even fewer standards between the various constituent vendors, but the approach developed by HP TippingPoint is rather elegant in design, simple to deploy and manage in large data centers, and takes advantage of the best features of our S-Series IPS appliances. The SVF consists of: 1) a highly scalable N-Platform IPS appliance, 2) a software layer deployed into the Hypervisor that redirects relevant traffic (per the security policy desired) to the external (outside the host server) IPS box, and 3) management extensions to the VMware management platform that manages and configures the virtual machines and hypervisors and defines the security policies to be enforced.
In the case of two applications resident on the same server host, this kind of traffic redirection introduces some network hops that may not otherwise be required, but the overall latency is extremely minimal when you consider that only the east-west traffic ever would require inspection (north-south traffic can be handled as it enters the data center), and that only certain east-west traffic applies, depending on application zones and policies. This inspection policy may apply to only PCI-related data accessed from applications outside a particular trust zone, which the redirection engine in the hypervisor can determine and redirect.
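To make the redirection decision concrete, here is an added toy model of the hypervisor-side policy check described above. It is not HP TippingPoint code; the VM names, hosts, zone labels and the "inspect anything touching the PCI zone" policy are constructed for illustration. It shows the three outcomes the text distinguishes: north-south traffic left to the perimeter IPS, east-west traffic that crosses a trust-zone boundary and is steered to the external appliance (even when both VMs share a host and would never touch a physical wire), and east-west traffic the policy lets pass.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class VM:
    name: str
    host: str   # hypervisor the VM currently runs on (changes on migration)
    zone: str   # trust zone label, e.g. "pci", "web", "corp"

# Constructed policy: east-west traffic touching these zones must be inspected.
PROTECTED_ZONES = {"pci"}

# Constructed inventory; anything not listed here is treated as outside the DC.
INVENTORY = {
    "web1":  VM("web1",  "esx-a", "web"),
    "web2":  VM("web2",  "esx-b", "web"),
    "card1": VM("card1", "esx-a", "pci"),
    "hr1":   VM("hr1",   "esx-b", "corp"),
}

def plan_flow(src, dst, inventory=INVENTORY):
    """Decide what the hypervisor redirection layer does with one flow.

    Returns (action, same_host):
      'perimeter' - north-south traffic; the IPS at the data center edge already
                    inspects it, so the hypervisor has nothing to redirect.
      'redirect'  - east-west traffic crossing a protected zone boundary; steered
                    to the external IPS appliance before delivery.
      'pass'      - east-west traffic the policy does not require inspecting.
    same_host is True when both VMs share a hypervisor, i.e. the flow would
    never reach a physical network without the redirection layer.
    """
    s, d = inventory.get(src), inventory.get(dst)
    if s is None or d is None:
        return "perimeter", False
    same_host = s.host == d.host
    crosses_zone = s.zone != d.zone
    if crosses_zone and (s.zone in PROTECTED_ZONES or d.zone in PROTECTED_ZONES):
        return "redirect", same_host
    return "pass", same_host

def migrate(name, new_host, inventory=INVENTORY):
    """Move a VM; the decision stays policy-driven, not location-driven."""
    vm = inventory[name]
    inventory[name] = VM(vm.name, new_host, vm.zone)

if __name__ == "__main__":
    for flow in [("web1", "card1"), ("web1", "web2"), ("203.0.113.7", "web1")]:
        print(flow, plan_flow(*flow))
```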
Arguably (and this is why technology is so fun; there are always design issues and points of contention, aren’t there?), a better approach could be to put an entire IPS in software in the hypervisor or the virtual machine itself. This may result in better overall performance, but that greatly depends on the amount of traffic being inspected and what the IPS is analyzing. The HP TippingPoint appliances are purpose-designed for high-throughput, parallel processing of various analytical filters that no software-based IPS can match. But ultimately, both approaches are valid and customers will want to have the choice.
We look forward to the vigorous debate, sharing more details, and a demo of SVF for our blogger guests, as well as sharing more details and strategy for our HP TippingPoint S-Series product family.
Editor's note: We captured a short video of Gary just after his presentation in which he summarizes what he discussed: