NET2356BU NSX Service Insertion Platform for Advanced or ... · Rod Bachelor, Sr. Product Manager,...

Rod Bachelor, Sr. Product Manager, NSXVinay Reddy, Sr. Product Manager, NSX

NET2356BU

#VMWorld #NET2356BU

NSX Service InsertionPlatform for Advanced Networking and Security Services

VMworld 2017 Content: Not fo

r publication or distri

bution

• This presentation may contain product features that are currently under development.

• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.

• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.

• Technical feasibility and market demand will affect final delivery.

• Pricing and packaging for any new technologies or features discussed or presented have not been determined.

Disclaimer



bution

APP

The goals haven’t changed…

Focus on the app

Security of applications and data

Speed of delivery

Application availability

…but everything else has

Changes in threats landscapeAttack Sophistication | Persistent Threats | Weaponization of Cyberspace

Changes in application architecturesContainerization | Microservices | PaaS

Changes to infrastructureConvergence | Private Cloud | Public Cloud

#NET2356BU CONFIDENTIAL



bution

What’s the big deal in the Datacenter?



bution

What do we need?Requirements for a Secure Software-defined Datacenter

Visibility ExtensibilityControl

Common Policy

Lifecycle Management and Automation



bution

APP APPAPP APPSERVICES

Step 1. Gain visibility

APP APPAPP APP

APP APPAPP APP

OTHERSERVICESSHARED

SERVICES

APP APPAPP APP

APP APPAPP APP OTHER



bution

APP APPAPP APPSERVICES

Step 2. Deploy granular controls

APP APPAPP APP

APP APPAPP APP

OTHERSERVICESSHARED

SERVICES

APP APPAPP APP




bution

Step 3. Insert best-of-breed services

OTHER


AV IPS NGFW

AV IPS NGFW

AV IPS NGFW

SERVICESSERVICESSHARED

SERVICES

AV IPS NGFW



bution

NSX

NSX Security Platform


Common Policy


Datacenter, application and host

Context-driven micro-segmentation

Best-of-breed partner integration



bution

NSX value proposition

Network virtualization is at the core of the software-defined data center approach

Network, storage, compute

Virtualization layerVMworld 2017 Content: Not fo


bution

Network and security services now in the hypervisor

Switching

Routing Firewalling/ACLs

Load balancing

High throughput rates

East-west firewalling

Native platform capability

The next-generation networking model



bution

NSX value proposition

Network, storage, compute

Virtualization layer

“Network platform”

Virtual networks



bution

VMware NSX: Virtualize the Network

Logicalswitching

Logicalrouting

Loadbalancing

Physicalto virtual

Firewallingand security VMworld 2017 Content: N

ot for publicatio

n or distribution

One-Click Deployment via Cloud Management Platform

VMware NSX: Virtualize the Network

Logicalswitching

Logicalrouting

Loadbalancing

Physicalto virtual

Firewallingand security VMworld 2017 Content: N

ot for publicatio

n or distribution

NSX

NSX Security Platform for a Secure SDDC


Common Policy







bution

NSX Extensibility: Guest & Network Introspection

Guest Introspection

Context Sharing &

Common Policy

Third-Party Services

Antivirus DLP Firewall

Vulnerability

Management

Intrusion

Prevention

Identity and

Access Mgmt

…and more in progress

Security Policy

Management

Partner Ecosystem

Network IntrospectionVMworld 2017 Content: Not fo


bution

Service Insertion Process

Pre-Req

vSphere (vCenter, ESXi)

VM Tools

NSX-V

Partner Management Console

Partner Service OVA

vCloud Automation Center

Service Onboarding

Register

Deploy/ Upgrade

Service Consumption

Identify what you want

to protect (tags, groups)

Identify how you want to

protect (services,

policies)

Service Monitoring

Identify, Monitor, and

Troubleshoot Service

Outages

Remediate



bution

Network Introspection: Under the Hood

User space

Kernel

NetXlib

Application

dvfilterklib

VMCI

vsipioctl

VSIP

vsfwdvpxa

hostd

Partner Service Manager REST API vSphere API

VDS

Slot 2 DFW

Slot 4-11 NetX

Service VM

User space

Kernel

ESXivm

nic

vm

nic

AMQP vSphere API



bution

Network Introspection Design Patterns

STOP

STOP

ControlledCommunication

Edge ServicesGateway

Policy

Traffic RedirectionPartner Services

Micro-Segmentation with Network (VLAN) Isolation And Service Insertion

Partner Service Manager



bution

Distributed Logical Router

Network Introspection Design Patterns

STOP

STOP

ControlledCommunication

Policy

Traffic RedirectionPartner Services

Partner Service Manager

Micro-Segmentation with Network Overlay Isolation and Service Insertion



bution

Network Introspection: Use Cases

• Advanced Security for High Risk Applications

• Multi-Tenancy

• DMZ Anywhere

• Remote / Branch Office Perimeter

• Advanced Security (UTM) for VDI



bution

Advanced Security for High Risk Applications

• Advanced security based on

risk/compliance requirements

• Grouping based on network

constructs/vCenter/NSX

objects

• Automated policy application

based for new workloads

• Granular redirection policy

based on multiple parameters

• Redirect “Confidential” and

Web Server traffic

Tier 2:

Internal

Tier 1:

ConfidentialTier 3:

Public

Tier 4:

Non-Prod.

Web Server

App Server

DB Server

SRC DST Servic

e

Action

ANY TIER

1

ANY Redirect

TIER1 ANY ANY Redirect

SRC DST Servic

e

Action

ANY WEB-

Server

ANY Redirect

Web-

Server

ANY ANY Redirect



bution

Multi-Tenant Scenarios

• Per-Tenant ESG, DFW

“Applied to”

• Differentiated Services

per tenant using Service

Profiles

• NSX Services Profiles

map to zones in partner

management console

Tenant 1 Tenant 2

Tenantfirewall

DMZ/Web

App

DB

HR Group

App

DMZ/Web

DB

Finance Group

Services Mgmt

Services/Management

Group

Tenantfirewall

DMZ/Web

App

DB

HR Group

App

DMZ/Web

DB

Finance Group

Services Mgmt

Services/Management

Group

Tenant 2

Service Profile/Zone

Tenant 1


Tenant 1




bution

What’s new in NetX

Kernel SpaceVSIP

Kernel SpaceMemory

Service VM Process Process 1 Process 2 Process 3

Shared

Memory

Filter3,

Filter5..Filter NFilter2,


Filter4..Filter N

Shared

Memory

Shared

Memory

Kernel SpaceVSIP

Kernel SpaceMemory

Service VM Process Thread 1 Thread 2 Thread 3

Shared

Memory

Filter3,



Filter4..Filter N

Shared

Memory

Shared

Memory

Process

• Increase the number of shared memory channels between Service VM and ESX

• Supports Multi-threading on Partner SVM applications

• Support up to 16 channels

• New Multi channel NetX SDK



bution

NSX Guest Introspection strikes balance between Context and Isolation

UbiquityIsolation Context

Ecosystem of

Distributed Services

Core Services Built Into

Hypervisor Kernel

better security

through

insight

fine-grained

containment

Switching Routing Firewalling



bution

Visibility into in-guest events

Users Logging In

Files Accessed

Network Connections

System Events

Applications Running

Canned Reports



bution

Guest VM

VMTools

File Driver

Network Driver

Application

Guest Introspection Architecture

ESX

vSphere Platform

Guest Introspection

ESX Module

Partner Security VM

Partner Security

Application

NSX Manager

Partner

Management

Console

vCenter

NSX Guest Introspection Library

File Introspection

Connection Introspection

System Introspection

VI Admin

Security Admin



bution

Automated ubiquitous deployment & enforcement

1. ESX Host added to cluster

2. Automated: NSX Deploys

Guest Introspection

Framework, Service VMs

(Partner & VMW)

3. VM brought up on host

4. Automated: Appropriate

Security Policies applied

5. VM vMotions to a different

host

6. Automated: Appropriate

Security Policies applied



bution

Guest Introspection in actionAgentless Anti-virus

• New security group used to quarantine VMs that may be infected with malware

• Security group will be populated only if a virus is found in a VM

• Based on security tag which AV partner will apply automatically



bution

Guest Introspection Use Cases

• Agentless VDI desktop protection

– Improves consolidation ratios for desktops on VDI servers

• Agentless Windows Server protection

– Protection follows workloads and O/S definition

• Agentless Linux Server protection

– Meet compliance mandates with anti-malware on all servers (not just Windows)

• Agentless Vulnerability Management

– Vulnerability scanning with no network impact or credentials



bution

What’s new in Guest Introspection?

Microsoft Windows 2016 support

• Extends full Guest Introspection capabilities to latest Windows Server O/S

• Available in NSX v6.3.3+

Linux agentless anti-virus support

• Agentless anti-virus on Red Hat, SUSE and Ubuntu Linux distributions

• Available in NSX v6.3.0+

#NET2356BU CONFIDENTIAL



bution

Feature ComparisonvShield Endpoint vs NSX Guest Introspection

vCNS vShield Endpoint NSX Guest Introspection

Deployment Manual, host based• Manual installation of security

VM’s and endpoint security

components

Automated, cluster based• Automatic installation of partner security VM’s and

endpoint security modules

Policy

Management

Partner console Partner console• Policies created in partner console

Orchestration

and Automation

Limited NSX Service Composer• Policy orchestration using shared security tags

• Multi-service, multi-partner orchestration and automation

Services

supported

File-based agentless anti-virus Partner• Agentless anti-virus, vulnerability management, file

integrity monitoring, host-based IDS/IPS

VMware• Endpoint monitoring, Identity Firewall



bution

Putting it together with Policy

Guest IntrospectionNSX driver pulls and shares file, user identity, process (application), network connections, registry keys etc.

Shared Context

Third-Party Services

Antivirus DLP Firewall

Vulnerability

Management

Intrusion Prevention

Identity and Access

Mgmt

…and more in progress

Security Policy

Management

Service Insertion Architecture

Network IntrospectionFull network traffic visibility @vNIC, vSwitch,

or Edge.



bution

Driving value with our NSX partner ecosystem

Compute

Infrastructure

Network

Infrastructure

Networking &

Security

Services

Orchestration &

Management

PlatformsOperations &

Visibility

vRealize Automation

vCloud Director

vRealize OrchestratorVIO

vSANReady Node



bution

NSX

NSX Security Platform for a Secure SDDC


Common Policy







bution

Learn more about NSX at these sessions

Introduction to NSX

Introduction to VMware NSX

[NET1152BU]

Introduction to VMware NSX for

Automation [NET1305BU]

Introduction to VMware NSX for

Security [SAI1303BU]

Customer Panel on VMware NSX for

Security [SAI1306PUR]

NSX Security - DFW, Service

Composer [MTE4865U]

The NSX Practical Path [NET3282BU]

NSX Partner Services

Automated Security for the Real-time

Enterprise with VMware NSX and Trend

Micro Deep Security [SAI3313BUS]

Check Point vSEC and NSX -

Advanced SDDC Security

[SPL182401U]

Integrating Threat Defense Lifecycle

Security Services with VMware NSX

[NET3389BUS]

How VMware IT Is Securing Apps Using

Micro-Segmentation and Third-Party

Integrations with NSX [SAI2325BU]

NSX, AirWatch and Security Beyond

Data Center [PAR4378BU]

Palo Alto Networks VM-Series on NSX

- Next-Gen Security for your SDDC

[SPL182301U]

NSX Automation

Automate Your Security with NSX

[SAI3019BU]

Automating NSX with vRealize

Automation (vRA) and vRealize

Orchestrator (vRO) [PAR4379BU]

Customer Panel on VMware NSX for

Automation [NET1341PU]



bution

Questions?



bution



bution

NET2356BU NSX Service Insertion Platform for Advanced or ... · Rod Bachelor, Sr. Product Manager,...

Documents

Transcript of NET2356BU NSX Service Insertion Platform for Advanced or ... · Rod Bachelor, Sr. Product Manager,...