Stop Lateral Attacks Between VMs
Hillstone CloudHive provides micro-segmentation to secure each virtual machine (VM) in the cloud. It provides comprehensive visibility of East-West traffic and provides complete protection to stop lateral attacks between VMs. In addition, the CloudHive security service can scale easily to meet demand without business interruption.
Hillstone CloudHive is comprised of three types of virtual modules that work together as a single appliance to provide complete security to each virtual machine.
- Virtual Security Orchestration Module (vSOM), integrated and connected with Cloud Management Platforms (CMPs), manages the CloudHive service lifecycle.
- Virtual Security Control Module (vSCM) is the control panel, supporting policy configuration and distribution, as well as managing the lifecycle of the vSSM.
- Virtual Security Service Module (vSSM) is deployed on each physical server to implement micro-segmentation and provide L2-L7 security services.
- Virtual Data Service Module (vDSM) is an optional log forwarding module which forwards CloudHive logs to external syslog servers. It supports massive log forwarding via multi-module load balancing deployment.
Achieve Unparalleled Live Traffic Visibility
All virtual machines’ access points can be monitored to provide visibility of traffic, applications and threats related to this VM, which is the cornerstone for enabling East-West traffic control and protection. VM topology, traffic insight, application identification, as well as comprehensive log features allow Cloud Service Providers (CSPs) to meet compliance and security audit requirements.
Reduce Attack Surface to Nearly Zero
Each CloudHive Virtual Security Service Module (vSSM) is deployed on a physical server, enabling micro-segmentation for inter-VM communication. East-West traffic is secured with L2-L7 security services, including firewall features such as policy control and session limits, advanced security features such as Intrusion Prevention System (IPS) and Attack Defense (AD), as well as fine-grained application control. Real-time mitigation also blocks, impedes or quarantines active attacks.
Effortlessly Scale Security through Active Orchestration
On-demand security services can be applied to any and all new workloads and VMs through the scalability of vSSM. The deployment of vSCM enables unified security policy configuration for each VM. CloudHive supports vMotion to ensure security services persist in the event the VM moves, existing VM flows will not be interrupted by vMotion.
Improve Efficiency while Reducing Costs
CloudHive Layer 2 deployment does not impact existing network topology. It minimizes deployment and configuration overhead, without business impact or network interruption. In addition, the ease of management advantage of a single appliance reduces operational errors and improves overall efficiency. Total cost of ownership is also reduced as CloudHive security services do not need any upgrade or expansion of the current cloud management platforms.
- Over 3,000 applications that can be filtered by name, category, subcategory, technology and risk
- Each application contains a description, risk factors, dependencies, typical ports used, and URLs for additional reference
- Actions: block, reset session, monitor, traffic shaping
- Real-time application database upgrade
- Virtual asset auto discovery: networks and VMs
- Dynamic virtual asset monitor, auto/manual VM/IP/MAC address book update
- Visualization of virtual network topology, VMs and traffic
- Deep insight and monitoring of all traffic between VMs or port group
- Rank of traffic, application and threat, drill down to related information
- Customized Visualization options: Sort, inquiry, filtering, zoom in/zoom out
- Log support: session logs, threat logs and system logs
- Layer 2-Layer 7 access control
- VM and network based access control
- AD account based access control
- Time Table Based Access Control
- Application Layer Gateway (ALG)
- Session limit: New Session/Concurrent Session
- Abnormal protocol attack defense
- Anti-DoS/DDoS, including SYN Flood, DNS Query Flood defense
- ARP attack defense
- Port Scan detect and defense
- IPS Actions: default, monitor, block, reset (attackers IP or victim IP, incoming interface) with expiry time
- Protocol anomaly detection, rate-based detection, custom signatures, manual, automatic push or pull signature updates, integrated threat encyclopedia
- Packet logging option
- Filter Based Selection: severity, target, OS, application or protocol
- IP exemption from specific IPS signatures
- IDS sniffer mode
- IPv4 and IPv6 rate based DoS protection with threshold settings against TCP Syn flood, TCP/UDP/SCTP port scan, ICMP sweep, TCP/UDP/SCIP/ICMP session flooding (source/destination)
- Active bypass with bypass interfaces
- Predefined prevention configuration
- Manual, automatic push or pull signature updates
- Flow-based Antivirus: protocols include HTTP, SMTP, POP3, IMAP, FTP/SFTP
- Compressed file virus scanning
- Support both tapping mode and transparent in-line mode
- L2 deployment without the need for network configuration changes
- Ease of deployment without root authority and any plug-in, minimized affect to VM and hypervisor
- vSSM can scale up without interrupting security service, up to 200 vSSM modules
- Achieve VM based policy configuration through automatic learning on virtual assets
- Detect the state of the VM (up or down), and update VM IP change automatically
- Enable or disable security service on VM or port group through one click
- Support VMware VSS/VDS, vSAN deployment
- Support Openstack OVS deployment
- vSOM “VM shutdown” does not affect the CloudHive service
- Separation of management, control and service plane ensures the service stability
- vSCM are deployed in pairs (Active/Passive) to provide high availability
- Single vSSM “VM down” does not affect the system; the user VM traffic can bypass the vSSM
- vSCM can reboot and restart security service automatically after “VM down”.
- vMotion support: security policy and flow sessions automatically synchronize across multiple service modules
- Support In Service Software Upgrade (ISSU)
- Support trusted network admin host control and control over login trying times
- Interface: RESTful API, CLI, WebUI
- Distributed architecture, Centralized and unified management through a single interface
- Log forwarding to external syslog servers through vDSM, support massive and high-speed log forwarding.
- Support 3rd party Radius/TACACS+
- Support IP/Port/App based control and VM/Port group based control
- Support policy self-learning, policy convergence, duplication removing and hit counting.
- RestAPI to partner for further automation development and integration
- SNMP monitoring and SNMP trap alarm, NTP support.
- Multi-layer administration mode for the separation of operation and management.
- Package capture and download, environment change diagnosis for fault location
- VMWARE vSphere 5.0/5.1/5.5/6.0/6.5
- VMWARE NSX 6.2/6.3/6.4
- VMWARE Horizon VDI platform
- Openstack Mitaka (Openstack + KVM + OVS)