Transcript of ADV1587BE NSX + Horizon: A Security Architecture for Delivering Desktops and Applications with VMware · 2019-06-27
Graeme Gordon, Howard Bliss
ADV1587BE
#VMworld #ADV1587BE
NSX + Horizon: A Security Architecture for Delivering Desktops and Applications with VMware
VMworld 2017 Content: Not for publication or distribution
Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
#ADV1587BE CONFIDENTIAL 2
Agenda
1 Today’s Landscape
2 How Horizon Can Help
3 Why NSX?
4 Protecting Infrastructure
5 Identity Based Firewall
6 Getting Started
Attacks and attackers have become more sophisticated…
[Figure: threat actors – organized crime, insiders, cyber terrorists/hacktivists, nation states – under the headings Advanced Persistent Threats and Weaponization of Cyberspace]
How Can Horizon Help?
Secure Desktops, Apps and Data with Horizon 7
[Figure: six pillars – Just-in-Time Desktops, Network Security, App Lifecycle Management, Profile & Smart Policies, Centrally Delivered & Controlled, Access & Authentication]
Data Centralization
• Collapse Branch Infrastructure
– File servers, email servers, application servers.
• Data Sharing
– Reduce data replication
– Lower risk of out of date data being used in error.
• Data Backup (and recovery)
– Simplified by being centralized
– Enables more advanced DR strategies
• eDiscovery
– Eases auditing effort
• Proactive Response to Security Incidents
– Simplified and consistent patching
Just-in-Time Desktops
With innovative technologies like Instant Clones, User Environment Management and App Volumes, Horizon ensures that IT can streamline desktop and application management like never before, providing employees with truly stateless desktops.
[Figure: Drive down storage costs by >30%; Deliver apps instantly; Streamline OpEx by >50%]
OS and Application Patching in the Physical World
• Ensure that all desktops receive proper patches
• Assessment
– Which patches are needed on which systems?
– 32-bit vs. 64-bit? Microsoft vs. third party, etc.?
• Scheduling
– When will patches be deployed to each system?
• Deployment
– Ensure that each system receives the proper set of patches and that they are properly executed.
• Reboot
– Many patch deployments require reboots.
• Rescan
– Reassess the machines post-reboot to make sure they were fully patched.
Risk of Configuration Drift
OS and Application Patching with Horizon 7
• Patch the Master VM and update the pool.
• All desktops are in known state.
• Patch level controlled by Admin
– Can include the latest anti-malware definitions.
– Can include application updates/ patches
• Can restore pool to a last good state
– as well as remediation in case of Malware.
Controlled and Consistent
[Figure: on Datastore 1, the Master VM (step 1) is copied to Replica 1 and Replica 2 (step 2), from which the Desktops are provisioned]
App Volumes: Managed Application Containers
[Figure: traditional model (Settings, Data / Files and Applications installed into the OS) vs. just-in-time app model (OS with the App Volumes Agent attaching AppStack and Writable Volume containers)]
Smart Policies
Overview
• Customize desktop features
• Features include:
– Clipboard Cut/Paste
– Client Drive Redirection
– USB
– Printing
– Bandwidth Profile
• Conditional policies based on:
– User Identity
– Location
– Pool Name
– etc.
Benefits
• Secures the desktop or application based on the user’s identity or location.
• Re-evaluate conditions during the session.
• Streamlined desktop experience … a single desktop image can be easily customized based on flexible policies.
Unified Access Gateway
• Provides secure remote access for users to access:
– Various edge services.
– Resources within the corporate network.
• Deployed in DMZ or Cloud tenants
• Hardened appliance running SLES 12 Linux
– Compliance and certifications (FIPS/ CC)
• DMZ Authentication
– Smart Card Support
– Certificate
– SAML Pass-Thru support
– RADIUS / SecurID Support
• Supports multiple use cases:
– Horizon
– Reverse Proxy (Identity Manager)
– VMware Tunnel (Per App Tunnel & Proxy services)
– Identity Bridging
– Content Gateway (upcoming release)
NSX and Horizon
Traditional Client Computing
• Traffic is only “North-South”
– Networking is simple and only north-south.
– Threat pattern is “north-south” .
– Straightforward protection scenario.
– Security via DMZ zones at the edge.
• “Data at Rest” is the primary concern
– Mission-critical data on endpoint local storage.
– Common motivator for desktop virtualization.
• Organizations implement desktop virtualization to:
– Optimize Compute and Storage resources.
– Secure data at rest (moved to data center).
– Exert better control over north-south threats.
[Figure: endpoints connecting north-south into the Data Center]
Desktop & Application Virtualization Benefits
Desktop and App virtualization places O/S, Applications and Data in the data center.
[Figure: Virtual Desktop in the data center alongside SAP, Oracle, Exchange, etc., Enterprise Storage and Other Users, reached over the WWW. Benefits ticked ✔:]
• Avoid loss of data sitting on devices (device loss, theft, damage)
• Unauthorized access to sensitive applications installed on devices
• Reduced branch infrastructure footprint (file/print/email servers etc.)
• Conducive to efficient, centralized backup
• Centralized patching against vulnerabilities
Current Challenges in the Data Center
Large attack surface within the data center: multiple, discrete “east-west” flows between desktops and infrastructure.
• User behaviors
• Zero-day threats
• Compromised internet websites
• Desktop-to-desktop hacking
• Desktop-to-server hacking
[Figure: east-west traffic between the Virtual Desktops, the Data Center (SAP, Oracle, Exchange, etc.), Enterprise Storage and Other Users, with the WWW at the edge]
Securing East-West within VDI Environments
• Hard to implement
• Lots of physical infrastructure required
• Complex to manage
Organizations with a focus on compliance and risk mitigation will implement security zones to protect East-West flows within the data center.
[Figure: Centralized Virtual Desktops surrounded by security zones – Shared svcs, DMZ, DB Zone, Remote workforce Zone, Eng Zone, Dev Zone, Financial Zone, Corp Zone, PCI Zone, Admin Zone]
Traditional Networking & Security is complex!
[Figure: Internet and Internal Networks connected to the Centralized Virtual Desktops through the same zones – Shared svcs, DMZ, DB Zone, Remote workforce Zone, Eng Zone, Dev Zone, Financial Zone, Corp Zone, PCI Zone, Admin Zone]
More Efficient Firewalls with NSX
[Figure: Before NSX, east-west traffic leaves the UCS blade's vswitch, crosses UCS Fabric A/B and the Nexus 7000 and comes back; with NSX, the Distributed Virtual Firewall sits in the NSX vSwitch on each UCS blade]
East-West Firewalling   Before NSX    With NSX (Distributed Virtual Firewall)
Same host               6 wire hops   0 wire hops
Host to host            6 wire hops   2 wire hops
Fewer hops, more efficient and precise VM networking
NSX for Horizon VDI Deployment
• Allows for elasticity and agility to spin up/down new pools or expand existing
• Desktop to Desktop control
• Desktop to Enterprise App control
• Security Services e.g. Agentless AV, NGFW, IPS
• Load balancing
• Edge firewall
• NAT
• VPN
[Figure: Internal and External Developer Pools on Internal and External Developer Networks, next to the Horizon Infra; pillars – Micro-segmentation, Edge Services, Network Virtualization]
Segmentation of a Horizon Environment
• AD Group Based Identity Firewall (IDFW).
• Data Security to identify sensitive data.
• Desktop to Desktop control
• Desktop to Enterprise App control
• 3rd party Security Services e.g. Agentless AV, NGFW, IPS
• External world to Horizon components control
• Access control between various Horizon components
[Figure: Protecting Desktop Pools (Internal Developer Pool, External Developer Pool); user / data based access control from the Internal Developer Pool to a 3 Tier Enterprise App (Web, App, DB); Protecting Horizon Infrastructure – Horizon Components (Connection Servers, Unified Access Gateway, View Composer, vCenter)]
Protecting Infrastructure
VMware Horizon Architecture Overview
[Figure: User Workspace – Horizon Clients, Unified Access Gateways, VMware Identity Manager, VMware Horizon View, Virtualized Apps (ThinApps), SaaS and Mobile Apps, User Environment (IT Settings, User Profile). Core Infrastructure – Active Directory, vCenter Server, vRealize Operations for Horizon, Database (SQL), Horizon Connection Servers, View Composer, on VMware vSphere + NSX + VSAN. Virtual Desktop Pools – Windows 10 Instant Clone, Windows 10 3D Desktop, Linux Clone, Applications (VMware App Volumes), Hosted RDS Desktops & Apps]
https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/techpaper/vmware-horizon-7-end-user-computing-network-ports.pdf
Easy Service Definition
Micro-Segmentation – Sample Configuration
[Screenshot: Infrastructure Rules; Desktop and Application Rules]
Identity Based Firewall
Policy driven micro-segmentation of the user
VMware NSX - Identity Based Firewall Rules (IDFW)
• DFW offers Identity Based Firewall (IDFW) functionalities:
– Specific AD security groups of users can be used to create DFW rules
– DFW rules are defined based on Active Directory (AD) membership (e.g. doctors or surgeons group):
– Define a NSX Security Group that contains an AD security group and apply it as the source of the DFW policy rule
• Users can use physical or virtual systems that have been joined to the AD Domain as the source. Destination system must be a VM.
Policy Rule:
Source                     Destination              Service   Action
Doctors (security group)   Patient Record Servers   Any       Allow
Any                        Any                      Any       Deny
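As an added example (not VMware code), here is a small Python model of how this rule table is evaluated for a flow from a logged-in AD user to a VM. The Flow and Rule classes, top-down first-match evaluation, the implicit default deny and the NotEnforced result for a non-VM destination are this model's assumptions, not the NSX API.

```python
# Model of how an NSX DFW rule table with an Identity Based Firewall (IDFW)
# source is evaluated. Added example, not VMware code. Assumptions not on the
# slide: top-down first-match evaluation, implicit deny when nothing matches,
# and an AD-group source matching when the user's groups intersect the rule's.
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    user: str
    user_groups: FrozenSet[str]  # AD groups of the logged-in user; the source
                                 # may be a physical or virtual domain member
    dst_is_vm: bool              # DFW enforces at the vNIC: destination must be a VM
    dst_groups: FrozenSet[str]   # NSX Security Groups the destination VM is in
    service: str


@dataclass(frozen=True)
class Rule:
    name: str
    src_ad_groups: Optional[FrozenSet[str]]  # None means Any
    dst_sec_group: Optional[str]             # None means Any
    service: Optional[str]                   # None means Any
    action: str                              # "Allow" or "Deny"

    def matches(self, flow: Flow) -> bool:
        if self.src_ad_groups is not None and not (self.src_ad_groups & flow.user_groups):
            return False
        if self.dst_sec_group is not None and self.dst_sec_group not in flow.dst_groups:
            return False
        return self.service is None or self.service == flow.service


def evaluate(rules: Tuple[Rule, ...], flow: Flow) -> Tuple[str, str]:
    """Return (action, rule_name). A non-VM destination is outside the DFW's
    reach, so it is reported as NotEnforced rather than silently as Deny."""
    if not flow.dst_is_vm:
        return "NotEnforced", "destination-must-be-vm"
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.name
    return "Deny", "implicit-default"


# The rule table from the slide, expressed in this model.
POLICY = (
    Rule("doctors-to-patient-records", frozenset({"Doctors"}),
         "Patient Record Servers", None, "Allow"),
    Rule("catch-all", None, None, None, "Deny"),
)
```

The user, VM and group names in any test flows are constructed; the point is that a doctor on a domain-joined physical workstation is allowed, anyone else hits the catch-all, and a non-VM destination is never enforced by the DFW at all.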
VMware NSX - Identity Based Firewall Rules & EUC
Before NSX
• All Desktops on a VLAN can communicate freely.
• Once one Desktop is compromised, lateral movement cannot be restricted.
With NSX
• Micro-segmentation can granularly control desktops even on shared VLAN.
• User/Group based Access Control
• Control VDI to Apps access using NGFW redirection when needed.
[Figure: Jennifer (Finance) and Bob (HR) on the same Network; access to Files, HR, Finance, Email and SharePoint is granted per group – Human Resources, Finance]
Secure Just in Time Desktops
Role-Based Desktop Creation & Customization
[Figure: a Single Pool of stateless desktops serves Sales, Developer and Admin users; each desktop is assembled from Network Policy from NSX, Application Layers from App Volumes and Personalization from UEM, yielding a Sales desktop, Admin desktop or Developer desktop]
AirWatch Per-App VPN and VMware NSX
[Figure: Device Level VPN vs. App Level VPN combined with Micro Segmentation]
Load Balancing Infrastructure
VMware NSX ESG – Integrated North South Network Services
[Figure: ESG services – Firewall, Load Balancer, VPN, Routing/NAT, DHCP/DNS relay (DDI) – in front of the VMs]
Overview
• Integrated L3 – L7 services
• Virtual appliance model to provide rapid deployment and scale-out
Benefits
• Real time service instantiation
• Support for dynamic services per tenant/application
• Uses x86 compute capacity
VMware NSX ESG - Load Balancer
[Figure: load balancer in front of Connection Servers CS1, CS2, CS3]
Features
• UDP, TCP, FTP, HTTP, HTTPS with Stateful HA
• Multiple Virtual IPs each with separate server pool and configurations
• Multiple load balancing algorithms
• Multiple Session Persistence methods
• Configurable health checks
• Application Rules
• SSL Termination with Certificate Management
• Transparent/Full Proxy Mode
• IPv6 Support
Use Cases
• Per Tenant LB
• Dynamic VIP for VDI Management
Connection Servers Load Balancing and External Access
[Figure: DMZ and INTERNAL segments]
DMZ:
• External Load Balancer 10.30.22.30, serving External Users
• UAG1 uag1.domain.com 192.168.2.51
• UAG2 uag2.domain.com 192.168.2.52
INTERNAL:
• Internal Load Balancer 192.168.1.30, serving Internal Users
• Connection Server 1 horizon1.domain.com 192.168.1.31
• Connection Server 2 horizon2.domain.com 192.168.1.32
DNS:
• External DNS: horizon.domain.com → 10.30.22.30
• Internal DNS: horizon.domain.com → 192.168.1.30
When resolving horizon.domain.com:
• External Clients get 10.30.22.30
• All internal components and clients use 192.168.1.30
Partner Integration: AV, Activity Monitoring
Optimized Performance for VDI Environments
[Figure: VDI performance dimensions – Management, Network Usage, Scan Speed, CPU/Memory Usage, IOPS, Storage – across ESXi and SAN]
Optimized Performance for VDI Environments
[Figure: ESXi host with a Scan Cache in front of the SAN]
• Up to 20X Faster* Full Scans
• Up to 5X Faster Real-time Scans
• Up to 2X Faster VDI Login
• Up to 30% More VM density
NSX Service Insertion and Chaining for VDI
• Traffic exits the guest VM and reaches the DFW for processing.
• If the action is set to permit, the DFW forwards the traffic to the filtering module.
• If the filtering module allows the traffic to be redirected, traffic redirection steers it to the partner services VM(s).
• Permitted traffic processed by the partner services VM is sent on to the destination.
[Figure: Guest VM → DFW → Filtering module → Partner services VM (service slots 2 and 4 on the Distributed Switch (vDS)) → External network; Partner console and vCenter manage the service]
Example: NSX Service Composer & Third-Party Service Insertion
Quarantine Vulnerable Systems until Remediated
Security Group = Quarantine
– Members = {Tag = ‘ANTI_VIRUS.VirusFound’}
Security Group = Standard
Policy Definition
• Standard Policy
– Anti-Virus – Scan
• Quarantined Policy
– Firewall – Block all except security tools
– Anti-Virus – Scan and remediate
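An added Python model of this quarantine pattern (not VMware code): the partner AV applies the ANTI_VIRUS.VirusFound security tag, tag-driven dynamic membership moves the VM into the Quarantine group, and the Quarantined Policy's firewall and AV actions apply until the tag is cleared. The Quarantine-over-Standard precedence, the "security-tools" destination label and the fall-through allow are this model's assumptions.

```python
# Model of the Service Composer pattern on the slide: partner AV tags a VM,
# dynamic membership moves it into the Quarantine Security Group, and the
# Quarantined Policy applies until remediation clears the tag. Added example,
# not VMware code; "security-tools" label and group precedence are assumptions.
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

QUARANTINE_TAG = "ANTI_VIRUS.VirusFound"  # tag value named on the slide


@dataclass
class VM:
    name: str
    tags: Set[str] = field(default_factory=set)


def security_groups(vm: VM) -> Set[str]:
    """Dynamic membership: every desktop is Standard; a tagged VM is also Quarantine."""
    groups = {"Standard"}
    if QUARANTINE_TAG in vm.tags:
        groups.add("Quarantine")
    return groups


# Policy per Security Group; firewall rules are ordered and first match wins.
POLICIES: Dict[str, Dict] = {
    "Quarantine": {"firewall": [("allow", "security-tools"), ("deny", "any")],
                   "antivirus": "scan-and-remediate"},
    "Standard": {"firewall": [], "antivirus": "scan"},
}
PRECEDENCE = ("Quarantine", "Standard")  # assumption: first applicable group wins


def effective_policy(vm: VM) -> Tuple[str, Dict]:
    group = next(g for g in PRECEDENCE if g in security_groups(vm))
    return group, POLICIES[group]


def firewall_verdict(vm: VM, destination: str) -> str:
    """With no group-specific rule the flow falls through to the rest of the
    rule table, which this model assumes allows it."""
    for action, match in effective_policy(vm)[1]["firewall"]:
        if match in ("any", destination):
            return action
    return "allow"


def lifecycle(vm: VM, destination: str) -> Tuple[str, str, str]:
    """Verdicts before infection, while tagged, and after remediation."""
    before = firewall_verdict(vm, destination)
    vm.tags.add(QUARANTINE_TAG)      # partner AV applies the security tag
    during = firewall_verdict(vm, destination)
    vm.tags.discard(QUARANTINE_TAG)  # remediation clears it; membership follows
    after = firewall_verdict(vm, destination)
    return before, during, after
```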
Getting Started: First Steps and Resources
Protecting Horizon in Simple Steps
Install
• Deploy NSX Manager Appliance
• Prepare Hosts (Install VIB)
Configure
• Add key VMs to Exclusion List (vCenter VMs)
• Create and Group Services
• Create Security Groups
• Build Distributed Firewall Rules
Test
Achieving Micro-segmentation in Real World
Prepare Security Fabric
• Prepare Hosts for Security
• Optional: Deploy Security Vendor Management Consoles for advanced services
• Optional: Deploy security vendor appliances.
Monitor Flows
• Brownfield: Leverage existing knowledge from Perimeter firewalls
• Use NSX Built-In Application Rule Manager, Flow Monitoring, IPFIX tools
• Use vRealize Network Insight to analyze traffic flows
• Integrate VMware Log Insight to analyze syslogs.
Determine Policy Model
• Identify patterns with flows
• Determine a policy model based on the patterns.
Apply Policy Model
• Determine approach: Firewall Rule Table or Service Composer Policy Model
• Based on the Policy Model – Create grouping models
• Write Security Policy
Resources for Starting with NSX
Learn
• Connect & Engage: communities.vmware.com
• NSX Product Page & Technical Resources: vmware.com/products/nsx
• Network Virtualization Blog: blogs.vmware.com/networkvirtualization
• VMware NSX on YouTube: youtube.com/user/vmwarensx
• Design Guide: VMware NSX for vSphere End-User Computing Design Guide
Experience
• NSX Sessions: Spotlights, breakouts, quick talks & group discussions
• Visit the VMware Booth: Use case demos, chat with NSX experts
• Visit NSX Technical Partner Booths: Integration demos
• Test Drive NSX with free Hands-on Labs: Expert-led or self-paced. labs.hol.vmware.com
Use
• NSX Proactive Support Service: Optimize performance based on data monitoring and analytics to help resolve problems, mitigate risk and improve operational efficiency. vmware.com/consulting
Take
• Training and Certification: Several paths to professional certifications. Learn more at the Education & Certification Lounge. vmware.com/go/nsxtraining