Post on 07-Apr-2018
8/3/2019 VMware vShield Presentation Pp en Dec10
Confidential
2009 VMware Inc. All rights reserved
VMware vShield: Foundation for the Most Secure Cloud Deployments
Agenda
Cloud Computing & Security
Security State of the Market
Virtualization - Key Security Enabler
vShield Products
Use Cases
Summary
Security Market Overview
[Chart: security market segments; legend: Market Size ($M) in 2009, Market Growth Rate, Market Size in 2012]
$27B Worldwide in 2009
Anti-Virus: $4,096 (7%)
Application Security: $2,987 (15%)
Security Operations
Identity Mgmt: $3,565 (20%)
Network Security: $9,136 (8%)
Data Security: $3,258 (19%)
Endpoint Security: $3,001 (2%)
$713 (8%)
Source: FORRESTER, 2009
Endpoint Security / Antivirus
Network Security
Identity Management
Others
Segments We Address
Security and Compliance are the Primary Concerns with Cloud
Internal IT
Public Cloud
Rate Card
Hands-off
Self-service
? Control
? Security
? Compliance
"Virtualization forms the foundation for building private clouds. Security must change to support both." - Gartner, 2010
Agenda
Cloud Computing & Security
Security State of the Market
Virtualization - Key Security Enabler
vShield Products
Use Cases
Security Challenges
Traditional Security
Expensive: Specialized hardware appliances; Multiple point solutions
Rigid: Policy directly tied to implementation; Not virtualization and change-aware
Complex: Spaghetti of different rules and policies
Effect
VLAN sprawl; Gap between policy and enforcement; Manual re-implementation of security policies; Heightened risk exposures
Limited control and visibility; Organizational confusion (VI, security, network); Hindered IT compliance; Slow provisioning; Heightened risk exposures
Security rationing; Heightened risk exposures
The vShield Advantage: Increased Security
Traditional Security
Expensive: Specialized hardware appliances; Multiple point solutions
Rigid: Policy directly tied to implementation; Not virtualization and change-aware
Complex: Spaghetti of different rules and policies
vShield
Cost Effective: Single virtual appliance with breadth of functionality; Single framework for comprehensive protection
Simple: No sprawl in rules, VLANs, agents; Relevant visibility for VI Admins, network and security teams; Simplified compliance
Adaptive: Virtualization and change aware; Program once, execute everywhere; Rapid remediation
Deployments on VMware are more secure than physical
VMware Transforms Security from Expensive to Cost Effective
[Diagram labels: Load balancer, Firewall, VPN, etc.; VMware vSphere; vShield Virtual Appliance]
vShield eliminates the need for multiple special purpose hardware appliances
3-5x Savings: Capex, Opex
VMware Transforms Security from Complex
Complex
Policies, rules implementation - no clear separation of duties; organizational confusion
Many steps - configure network, firewall and vSphere
Spaghetti of VLANs, Sprawl - Firewall rules, agents
[Diagram labels: VMware vSphere; VLANs; agent; Policies, Rules; Network admin, Security admin, VI admin; Overlapping Roles / Responsibilities; Many steps: Configure Network, Firewall, vSphere; Define, Implement, Monitor, Refine]
To Disruptively Simple
Simple
Clear separation of duties
Few steps - configure vShield
Eliminate VLAN sprawl - vNIC firewalls
Eliminate firewall rules, agents sprawl
[Diagram labels: VMware vSphere; vShield Manager + vCenter; Few steps: Configure vShield; Network admin, Security admin, VI admin; Clear separation of Roles / Responsibilities; Define, Monitor, Refine, Implement]
VMware Turns Security from Rigid
BEFORE vShield
Security groups tied to physical servers
Air gaps, i.e. physical isolation, between security groups
VMs in a security group cannot be vMotioned to other hosts
[Diagram labels: DMZ; PCI compliant; Air gap; VMware vSphere + vCenter]
...to Adaptive
AFTER vShield
Security groups become a VM construct rather than a physical server construct
Security groups enforced with VM movement
Mix VMs from different groups on the same host
[Diagram labels: PCI Compliant; DMZ; VMware vSphere + vCenter]
Agenda
Cloud Computing & Security
Security State of the Market
Virtualization - Key Security Enabler
vShield Products
Use cases
Summary
Why VMware vShield is a Security Enabler?
1. Unique introspection
2. Policy abstraction
Cost Effective: Single virtual appliance with breadth of functionality; Single framework for comprehensive protection
Simple: No sprawl in rules, VLANs, agents; Relevant visibility for VI Admins, network and security teams; Simplified compliance
Adaptive: Virtualization and change aware; Program once, execute everywhere; Rapid remediation
Security Enabler: Unique Introspection
Introspect detailed VM state and VM-to-VM communications
[Diagram labels: vSphere + vShield; Processor; Memory; Network]
Benefits
Comprehensive host and VM protection
Reduced configuration errors
Quick problem identification
Reduced complexity - no security agents per VM required
Security Enabler: Policy Abstraction
Separate the policy definition from the policy implementation
Before vShield: Policy tied to the physical host; lost during vMotion
After vShield: Policy tied to logical attributes; follow virtual machine
Benefits
Create and enforce security policies with live migration, automated VM load balancing and automated VM restart
Rapid provisioning of security policies
Easier compliance with continuous monitoring and comprehensive logging
[Diagram labels: VMware vSphere; VMware vSphere + vShield]
Agenda
Cloud Computing & Security
Security State of the Market
Virtualization - Key Security Enabler
vShield Products
Use cases
Summary
2010 Introducing vShield Products
Securing the Private Cloud End to End: from the Edge to the Endpoint
Edge - vShield Edge 1.0: Secure the edge of the virtual datacenter
Security Zone - vShield App 1.0 and Zones: Application protection from network based threats
Endpoint = VM - vShield Endpoint 1.0: Enables offloaded anti-virus
[Diagram labels: VMware vSphere + vCenter; Virtual Datacenter 1, Virtual Datacenter 2; DMZ; PCI compliant; HIPAA compliant; Web; View; VMware vShield; VMware vShield Manager]
vShield Edge: Secure the Edge of the Virtual Data Center
Features
Multiple edge security services in one appliance
Stateful inspection firewall
Network Address Translation (NAT)
Dynamic Host Configuration Protocol (DHCP)
Site to site VPN (IPsec)
Web Load Balancer
Network isolation (edge port group isolation)
Detailed network flow statistics for chargebacks, etc.
Policy management through UI or REST APIs
Logging and auditing based on industry standard syslog format
Benefits
Lower cost and complexity by eliminating multiple special purpose appliances
Ensure policy enforcement with network isolation
Simplify management with vCenter integration and programmable interfaces
Easier scalability with one edge per org/tenant
Rapid provisioning of edge security services
Simplify IT compliance with detailed logging
[Diagram labels: VMware vSphere; Tenant A, Tenant C, Tenant X; VMware vShield Edge; VPN, Load balancer, Firewall; Secure Virtual Appliance]
vShield Lowers Cost of Security Significantly
[Chart: Cost per Mbps ($0 to $50) versus Throughput (.5 Gbps, 1 Gbps, 10 Gbps, 100 Gbps) for a network edge security solution (Firewall + VPN + Load balancer); series: vShield Edge, Security appliances; callout: >5x]
Assumptions
100 VM per edge
vSphere & server costs
High availability
Mbps = Megabits/sec
Gbps = Gigabits/sec
vShield App Provides Adaptive Security with Policy Abstraction
Security groups enforced with VM movement
Policies based on logical attributes
[Diagram labels: PCI Compliant; DMZ; VMware vSphere + vCenter; vShield App]
vShield App: Application Protection for Network Based Threats
Features
Hypervisor-level firewall
Inbound, outbound connection control applied at vNIC level
Elastic security groups - stretch as virtual machines migrate to new hosts
Robust flow monitoring
Policy Management
Simple and business-relevant policies
Managed through UI or REST APIs
Logging and auditing based on industry standard syslog format
Benefits
Increase visibility for inter-VM communications
Eliminate dedicated hardware and VLANs for different security groups
Optimize resource utilization while maintaining strict security
Simplified compliance with comprehensive logging of inter VM activity
vShield Endpoint: Offload Anti-virus Processing for Endpoints
Benefits
Improve performance by offloading anti-virus functions in tandem with AV partners
Improve VM performance by eliminating anti-virus storms
Reduce risk by eliminating agents susceptible to attacks and enforced remediation
Satisfy audit requirements with detailed logging of AV tasks
Features
Eliminate anti-virus agents in each VM; anti-virus offloaded to a security VM delivered by AV partners
Enforce remediation using driver in VM
Policy and configuration Management: through UI or REST APIs
Logging and auditing
Agenda
Cloud Computing & Security
Security State of the Market
Virtualization - Key Security Enabler
vShield Products
Use cases
Summary
Service Provider - Offering Multi-Tenant Hosting Service
Solution - vShield Edge, VMware Cloud Director
Guarantee full confidentiality and protection of tenant apps and data with built-in firewall and VPN
Use enterprise directory services for security policies
Accelerate compliance by logging all traffic information on per-tenant basis
Lower cost of security by 100+% by eliminating purpose built appliances and by increasing utilization and VM density
Requirements
Host potentially hundreds or thousands of tenants in shared infrastructure with:
Traffic isolation between the tenants
Complete protection and confidentiality of tenant apps and data
Integration with enterprise directory services (e.g. Active Directory)
Complying with various audit requirements
[Diagram labels: Company A, Company B, Company C; VMware vSphere + vCenter + vShield; Cisco VPN, Juniper VPN, Checkpoint VPN; VMware vCloud Director; vShield Edge]
Enterprise - Securing Business Critical Applications
Solution - vShield App + Edge
Protect data and applications with hypervisor level firewall
Create and enforce security policies with virtual machine migration
Facilitate compliance by monitoring all application traffic
Improve performance and scalability with load balancer and software based solution
Requirements
Deploy production and development applications in a shared infrastructure with:
Traffic segmentation between applications
Authorized access to applications
Strict monitoring and enforcement of rules on inter-VM communications
Ability to maintain security policies with VM movement
Compliance to various audit requirements
[Diagram labels: VMware vSphere + vShield; DMZ; Finance; Development; VMware vShield App]
Enterprise - Secure View Deployments
Solution - vShield Endpoint + App + Edge
Improve performance by offloading AV processing
Reduce costs by freeing up virtual machine resources and eliminating agents
Improve security by streamlining AV functions to a hardened security virtual machine (SVM)
Protect View application servers from threats
Demonstrate compliance and satisfy audit requirements with detailed logging of offloaded AV tasks
Requirements
Support thousands of internal and external View users with:
Comprehensive security for View servers
Anti virus agents to protect client data and applications
Optimal performance and scalability
[Diagram labels: VMware vSphere + vShield; DMZ; View Desktops; Remote User, Local User; Public Network; Private Network; VMware vShield App]
Agenda
Cloud Computing & Security
Security State of the Market
Virtualization - Key Security Enabler
vShield Products
Use cases
Summary
vShield Edge 1.0 vs. vShield Zones 4.1 vs. vShield App 1.0
vShield Products
Product SKUs | List/VM | SnS
vShield Edge 1.0 | $150 | Standard Basic, Production
vShield Endpoint 1.0 | $50 | Standard Basic, Production
vShield Zones for vSphere 4.1 (Included in vSphere Advanced and above) | NA | vSphere SnS applies
vShield App 1.0 (includes Endpoint and Zones) | $150 | Standard Basic, Production
Upgrade to full vShield Edge 1.0 from VMware Cloud Director | $110 | Standard Basic, Production
Upgrade to vShield App 1.0 from vShield Endpoint 1.0 | $110 | Standard Basic, Production
Notes
VMware Cloud Director: Includes vShield Edge subset (Firewall, DHCP, NAT)
vShield App: Includes vShield Endpoint
VMware View 4.5 Premier SKUs: Include vShield Endpoint 1.0
All SKUs: Min 25-VM purchase
vShield Wins Best of VMworld 2010
VMware vShield marks a major improvement in security. It includes many essential features for virtualization security, and the ability to isolate traffic for different port groups is a highlight
Quotes
"Definitely, the integration of vShield, offering application, network and end point security for the cloud, is a big step.." - CloudAve, Krishnan Subramanian
"The vision of moving legacy and new applications between public and private clouds necessitates a virtual security approach that surpasses static edge filtering commonly found in AV, IPS and firewalls." - ComputerWorld, Eric Ogren
"You've got to hand it to VMware ..this week's VMworld, the company announced the VMware vShield family of security products." - Enterprise Strategy Group, Jon Oltsik
"vShield should help IT managers ensure that VMs can be protected and isolated in the virtual network with technology that is baked into the virtualization infrastructure." - eWEEK, Cameron Sturdevant
"VMware has finally taken virtual machine security and added it through the entire virtualization stack.. The dark horse feature of this product? Load balancing. I tried it in the lab - it takes 30 seconds to set up load balancing. No more need for expensive F5s - this could be a real game changer." - Brandon Hahn
Thank You