Post on 12-Mar-2018
Mate Barany, Systems Engineer, EUC EMEA VMware
Luca Morelli, Lead Specialist Systems Engineer, NSX SEMEA VMware
SIE3196BE
#VMworld #SIE3196BE
Limit Your Cyber Attack Footprint with Endpoint Security and Micro-Segmentation from VMware NSX and AirWatch
VMworld 2017 Content: Not for publication or distribution
Key Security Objectives to Address
Maintain Security & Compliance
Trust Any User
Secure Any Application
Manage Any Endpoint
Protect Data Center
Detect Cyber Threats
Integrated and Seamless End-to-End Security
VMware vision to transform security
A ubiquitous software layer across application infrastructure and endpoints
On-Premise Data Centers
New app frameworks
Mobile Devices
Virtual Desktops(VDI)
Branch offices
Public clouds
#SIE3196BE CONFIDENTIAL
…this means security is everywhere
[Diagram: Visibility, Policy, Service Insertion and Context, built on a ubiquitous software layer]
Workspace ONE
Application types delivered through Workspace ONE:
Internally developed mobile apps
Native public mobile apps
SaaS apps
Internal web apps
Modern Windows apps
Legacy Windows apps
Virtualized management desktops
Workspace ONE + AirWatch
Any Endpoint, Any Use Case
Knowledge worker: Corporate | BYO
Task worker: Line of Business
No user: Kiosk | IoT
Modern Management Framework
Out-of-box configuration
Policies and security settings
Over-the-air management and updates
Asset tracking
Full lifecycle management
AirWatch Application Security
Application Wrapping: add security and management capability to already-developed applications
Standard for enterprise apps to interpret configurations and policies
Software Development Kit (SDK): add advanced security and management capabilities during development
Native OS MAM via Workspace Services Profile
Stand-alone MAM via App Container
Per-App VPN
• seamless user experience with minimal interaction
• simplified and automatic certificate management via WS1
• per-app versus whole-device model
• licensing included with WS1
• streamlined maintenance
VMware Tunnel – Enhanced Network Security
• App-level, enhanced security:
  • TLS v1.2
  • SSL Pinning
  • Compliance Validation
• Multiple factors of authentication: application, user, device
• Certificate Authentication
Any App, Any Device
[Diagram: apps on any device reach Enterprise Systems through VMware Tunnel]
Device Restriction > App Restriction > Domain Restriction > Network Restriction
NSX value proposition
“Network platform”: the network virtualization solution for the Software-Defined Data Center, with network and security services now in the hypervisor.
[Diagram: virtual networks on top of a virtualization layer that spans network, storage and compute, with VMs and apps running above them]
Micro-Segmentation: a firewall for every workload
Granular Policy Enforcement: enables a zero-trust security model with policy enforced at every workload
[Diagram: Web, App and DB tiers, each a group of VMs, with a firewall at every workload]
NSX – Configure Security Policies with Security Groups
1. Select elements to uniquely identify application workloads
2. Use attributes to create Security Groups
3. Apply policies to security groups
Example: App 1 (OS: Windows 8, TAG: “Production”) becomes a member of GroupXYZ; GroupXYZ receives Policy 1 (“IPS for Desktops”, “FW for Desktops”) and Policy 2 (“AV for Production”, “FW for Production”).
▪ Enforce policy based on logical constructs
▪ Reduce configuration errors
▪ Policy follows VM, not IP
▪ Reduce rule sprawl and complexity
Use security groups to abstract policy from application workloads.
Element types for group membership: Static (Data center, Virtual net, Virtual machine, vNIC); Dynamic (VM name, OS type, User ID, Security tag)
Security Orchestration leveraging NSX Service Composer
Personalized DMZ
DMZ-like security tailored for any endpoint and any application
Introducing the AirWatch & NSX Integration
AirWatch & NSX Integration: Data center security for mobile workflows
[Diagram: three access models compared: Device-Level VPN with full network access; App-Level VPN with full network access; App-Level VPN with select network access. The integration combines EMM data center policies, intelligent networking and micro-segmentation.]
Who can use VMware AirWatch and NSX Integration?
Workspace ONE Advanced & Enterprise; AirWatch Blue & Yellow; NSX Advanced & Enterprise
Integrated Solution Components
• VMware AirWatch 8.4
– AirWatch Tunnel Server
– AirWatch Cloud Connector (For SaaS Customers)
• VMware NSX 6.2.x or 6.3.x
– NSX Manager
– NSX Distributed Firewall
– NSX Edge Services Gateway (Optional)
Note: vSphere hypervisor required for NSX
Device Support: Per-App VPN APIs built into these platforms
iOS 7+, Android 5.0+, Windows 10
Application Support: Public, Internal, Built-In, Proprietary
Mobile Apps accessing the Datacenter
[Diagram: Internet, Perimeter Firewall, Internet DMZ, Firewall, Intranet with App1, App2 and App3 servers. An App-Level VPN (port 8443) gives full network access to the Corporate Data Centre apps.]
How do I create an app-specific “Personal DMZ” in here?
NSX Micro-segmentation: NSX secures East-West communication of the app
[Diagram: same Internet, Perimeter Firewall, Internet DMZ and Firewall path; the App-Level VPN (port 8443) still grants full network access, but inside the data centre the NSX Distributed Firewall places the App1, App2 and App3 servers in Security Groups “App1”, “App2” and “App3”.]
Implementation Details
• IPSets are added to a Security Group whose description contains (@airwatch).
• AirWatch pulls all Security Groups whose description contains @airwatch via the NSX Management plane API.
Personal DMZ: Securing access to an application from a mobile device
[Diagram: Internet, Perimeter Firewall, VMware Tunnel Server on 10.1.1.0/24, Firewall, data centre. Security Groups “Proxy”, “Intranet”, “Sensitive Data” and “Chrome-App”; the “Chrome-App” group has “@airwatch” in its description and contains IP Set “Chrome-App” {10.1.1.8/30}. The “Chrome” App VPN traffic leaves the Tunnel Server with Source = 10.1.1.9, so NSX Manager places it in SG “Chrome-App” and the Security Policy for that group applies; other destinations are blocked (X). The slide numbers the flow as steps 1 to 6.]
Personal DMZ: High Availability
[Diagram: as before, with two Airwatch Tunnel Servers behind an NSX Edge LB (SSL pass-through, sticky session). Server A sends Chrome App VPN traffic with Source = 10.1.1.9 and Server B with Source = 10.1.1.10; both fall inside IP Set “Chrome-App” {10.1.1.8/30} on the 10.1.1.0/24 segment, so the same Security Policy for SG “Chrome-App” applies to both. Each Tunnel Server: x 50,000*]
* 4 CPU Cores, 16GB RAM
Personal DMZ: High Availability and Multiple Apps
[Diagram: the same HA layout (Internet, Perimeter Firewall, Airwatch Tunnel Servers A and B behind an NSX Edge LB with SSL pass-through and sticky session, Firewall, data centre with Security Groups “Proxy”, “Intranet” and “Sensitive Data”), now carrying two per-app VPNs. SG “Chrome-App” (“@airwatch” in description) contains IP Set “Chrome-App” {10.1.1.8/30}, and Chrome App VPN traffic has Source = 10.1.1.9 from Server A and 10.1.1.10 from Server B. SG “Oracle-App” (“@airwatch” in description) contains IP Set “Oracle-App” {10.1.1.12/30}, and Oracle App VPN traffic has Source = 10.1.1.13 from Server A and 10.1.1.14 from Server B. Traffic outside an app's group is blocked (X). Each Tunnel Server: x 50,000*]
* 4 CPU Cores, 16GB RAM
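As an added illustration of the Implementation Details bullets and the Personal DMZ diagrams above (example code written for this page, not VMware's AirWatch or NSX code), the following Python models how security groups carrying “@airwatch” in their description are discovered, how a per-app VPN source address is mapped to its app group through the group's IP set, and how a default-deny policy then decides a flow. The security-group list, the destination groups' subnets and the allow-list are constructed stand-ins, not values pulled from an NSX Manager.

```python
import ipaddress

AIRWATCH_MARKER = "@airwatch"

# Constructed stand-in for the security groups an NSX Manager would return.
# The two app groups use the marker and IP sets shown on the slides; the
# destination groups and their subnets are assumptions for this example.
NSX_SECURITY_GROUPS = [
    {"name": "Chrome-App", "description": "Chrome per-app VPN @airwatch",
     "ipsets": ["10.1.1.8/30"]},
    {"name": "Oracle-App", "description": "Oracle per-app VPN @airwatch",
     "ipsets": ["10.1.1.12/30"]},
    {"name": "Intranet", "description": "internal web tier",
     "ipsets": ["10.2.0.0/24"]},
    {"name": "Sensitive Data", "description": "database tier",
     "ipsets": ["10.3.0.0/24"]},
]

# Constructed allow-list (assumption): (source app SG, destination SG) pairs
# the distributed firewall permits; anything not listed is denied.
POLICY = {("Chrome-App", "Intranet"), ("Oracle-App", "Sensitive Data")}


def airwatch_groups(groups):
    """Groups AirWatch would import: the marker is present in the description."""
    return [g for g in groups if AIRWATCH_MARKER in g.get("description", "")]


def group_for_ip(ip, groups):
    """Name of the first group whose IP set contains ip, else None."""
    addr = ipaddress.ip_address(ip)
    for g in groups:
        if any(addr in ipaddress.ip_network(net) for net in g["ipsets"]):
            return g["name"]
    return None


def is_allowed(src_ip, dst_ip, groups=NSX_SECURITY_GROUPS, policy=POLICY):
    """Default-deny: the tunnel source must map to an @airwatch app group and
    the (app group, destination group) pair must be on the allow-list."""
    src_sg = group_for_ip(src_ip, airwatch_groups(groups))
    dst_sg = group_for_ip(dst_ip, groups)
    return src_sg is not None and dst_sg is not None and (src_sg, dst_sg) in policy


if __name__ == "__main__":
    # Tunnel Server A and B sources from the slides, plus one unmapped source.
    for src, dst in [("10.1.1.9", "10.2.0.5"), ("10.1.1.10", "10.2.0.5"),
                     ("10.1.1.9", "10.3.0.5"), ("10.1.1.13", "10.3.0.5"),
                     ("10.1.1.20", "10.2.0.5")]:
        print(src, "->", dst, "allowed" if is_allowed(src, dst) else "denied")
```

Both HA tunnel sources (10.1.1.9 and 10.1.1.10) land in the same /30 and therefore the same group, while a source outside every @airwatch IP set gets no access at all.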
Mapping Mobile Apps to Security Groups in AirWatch
Learn More & Free Trials
LEARN MORE
VMware AirWatch
www.airwatch.com/
VMware NSX
www.vmware.com/products/nsx/
FREE TRIALS
VMware AirWatch
http://www.airwatch.com/lp/free-trial
VMware NSX
www.vmware.com/products/nsx/nsx-hol