This week at VMworld I’ve been focused on getting a first-hand view of the integration of key EMC assets into the VMware framework.
Two of the better use cases I’ve seen so far are the (a) Isilon/Hadoop integration with Serengeti, and (b) the latest backup and recovery integration with vSphere.
Both of these technology areas are great examples of how EMC products have extended their capabilities into VMware’s cloud framework.
Today I decided to take a deeper look at RSA’s security assets and the benefits that can be brought into a customer’s VMware cloud environment. What I’ve found are two RSA Security Analytics integrations that provide an improved framework to lock down and secure the cloud:
- A POC integration of sensors from RSA Security Analytics and VMware NetX. NetX gives RSA Security Analytics visibility at the packet level between the vNIC on the VM host and the Distributed Virtual Switch (DVS).
- A POC demonstration highlighting the integration between RSA Security Analytics and VCE VISION, which collects logs as well as SNMP traps from all of the VCE VBlock components.
I decided to stop by the VCE booth first and had the good fortune to bump into RSA expert Daniel Reich, who guided me through the VCE integration before bringing me over to the EMC booth.
VCE Booth: RSA Security Analytics and VCE
Customers building cloud deployments using EMC technologies have been steered towards one of three approaches:
- Select best of breed components yourself, leveraging specific EMC assets as desired. This takes more time and requires more expertise.
- Rely on a VSPEX proven infrastructure, which is typically a repeatable, faster deployment using components that have already been qualified and documented to work together.
- Deploy VCE VBlock, the pre-packaged, fastest deployment.
I’ve long felt that the VBlock option is the most secure. The demo at the VCE booth confirmed this belief. Each component in a VBlock (Cisco, VMware, EMC) can deploy sensors enabling a deeper integration with the RSA Security Analytics framework. Over time the ability to analyze VBlock from a behavioral standpoint gets better and better. The other two approaches (VSPEX and best-of-breed) have increasing levels of component permutation. This means that the scope of supporting deep behavioral measurement of all components becomes more challenging.
At the VCE booth I watched a real-world failed login occur to a Cisco switch. This failed login immediately showed up in Cisco’s Syslog, and ultimately surfaced in VCE’s Vision management framework. (VCE Vision provides a continuous, near real-time perspective of the compute, network, storage, and virtualization resources.) This framework inserted the Cisco Syslog entry into the RSA Security Analytics environment. RSA SA is the right tool to start drilling down to respond to the problem.
Daniel stepped me through the graphical interface to prove that the failed login indeed was flagged in RSA’s GUI. Cool.
Both log data and full network packet capture are key to providing a full, end-to-end picture of complex threats that manifest themselves on the virtual and physical network (and on the devices attached to those networks). In order to show me the network packet capture piece, Daniel walked me over to the EMC booth. That’s where it got really interesting.
EMC Booth: RSA Security Analytics and NetX
What Daniel showed me was a new way of using RSA SA to drill down into a very specific network packet flow that leverages detailed knowledge of VMware’s hypervisor and networking interfaces.
Prior to NetX, customers would need to deploy a physical tap and capture every piece of data flowing across that tap. NetX allows a virtual tap to be inserted (dynamically) in between the VM host vNIC and the distributed virtual switch (DVS). This allows a security professional to respond quickly and specifically to a particular piece of the infrastructure or application (without having to capture every byte of packet flow).
If the investigation uncovers a valid threat, RSA can trigger an active defense response with VCE Vision management tools and trigger a vMotion. The compromised VMs can be moved to security quarantine for forensic analysis.
Both demos show RSA’s commitment to deep integration with both VMware and VCE VBlock with regard to the Security Analytics product.
In the case of VCE, it will enable VBlock to claim that it is not only the fastest cloud deployment option, but the fastest and the most secure cloud deployment option when deployed in conjunction with RSA SA. In addition, those customers that have already deployed a VBlock should consider augmenting their security architecture with the addition of RSA SA.
If you are not at VMworld this week and would like to see the demo of the NetX functionality, click on the YouTube video below:
Steve
EMC Fellow

