#vmworld
How to Design Multi-layered Security with NSX Data Center
John Krueger, VMware, Inc.; Tim Burkard, VMware, Inc.
SAI1133BU
#SAI1133BU
VMworld 2018 Content: Not for publication or distribution
Disclaimer
2©2018 VMware, Inc.
This presentation may contain product features or functionality that are currently under development.
This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
Technical feasibility and market demand will affect final delivery.
Pricing and packaging for any new features/functionality/technology discussed or presented have not been determined.
The Virtual Cloud Network: Connect and Protect your Business
[Diagram: branch offices, telco/NFV sites, and edge/IoT locations connected through the Virtual Cloud Network]
Virtual Cloud Networking: Connect & Protect any workload across any environment
[Diagram: users, private data centers, VMs, containers and microservices, branch offices, public clouds, telco networks, and things, joined by secure connectivity; layered above them are identity, apps and data, policy, scalability, analytics and insights, and availability]
Built-in, Automated, Programmable, Application Centric
Agenda
1. Security features of VMware vCenter
2. Securing the ESXi Host
3. Securing Virtual Machines
4. Security features of VMware NSX Data Center
5. Securing traffic using the Edge Gateway VPN
Security Features of vCenter
Certificate Management Services
Certificate management services provide the services necessary for end-to-end certificate administration in a vSphere infrastructure.
Platform Services Controller components shown on the slide:
• Identity Management: Lookup Service, Single Sign-On (SSO), Identity Management Service, Secure Token Service, VMware Directory
• Certificate Services: VMware Certificate Authority (VMCA), VMware Endpoint Certificate Store (VECS)
vCenter Can Be Joined to an Active Directory Domain
• vCenter Server installs with the default domain vsphere.local; the default administrator account is administrator@vsphere.local
• You can join a Platform Services Controller appliance, or a vCenter Server Appliance with an embedded Platform Services Controller, to an Active Directory domain and attach the users and groups from that Active Directory domain to your vCenter Single Sign-On domain
• You can join a Platform Services Controller or a vCenter Server Appliance with an embedded Platform Services Controller only to an Active Directory domain with a writable domain controller
• Once vCenter has been joined to the Active Directory domain, AD accounts can be used to authenticate to vCenter and to assign rights
Distributed Switch Security Features
• Supports Private VLANs (PVLANs)
• Increased visibility of inter-virtual-machine traffic through NetFlow
• Improved monitoring through port mirroring (dvMirror)
• Support for LLDP (Link Layer Discovery Protocol), a vendor-neutral protocol
• Additional port security is enabled through traffic filtering support
• Multiple TCP/IP stacks for vMotion: gives vMotion traffic a dedicated networking stack and simplifies IP address management with a dedicated default gateway for vMotion traffic
Securing the ESXi Host
Lockdown Mode and the DCUI
In vSphere 6.0, you can select normal lockdown mode or strict lockdown mode:
• Normal lockdown mode: The DCUI service is not stopped
• Strict lockdown mode: The DCUI service is stopped
Accounts on the exception user list and users in the DCUI.Access list can access the DCUI:
• DCUI.Access list: A list of users that can disable lockdown mode
• Exception user list: Users that do not lose their privileges when the host enters lockdown mode
Note that in strict lockdown mode the DCUI is unavailable, so if the host loses its connection to vCenter Server it can be reached only by an exception user over SSH or the ESXi Shell (if those services were left running); otherwise the host must be reinstalled.
DCUI Smart-Card Authentication
vSphere 6.0 Update 2 added authentication support for RSA SecurID and smart cards in the vSphere Web Client, and smart-card authentication for the DCUI.
Users are prompted for the smart-card and PIN combination in addition to the default prompt for a user name and password.
Improved Audit Trail of ESXi Administrative Tasks
In vSphere 5.x, ESXi hosts log actions by named vCenter Server users as vpxuser.
In vSphere 6.0, ESXi hosts log actions by named vCenter Server users under the correct user name, so host logs can be attributed to the individual administrator.
UEFI Secure Boot for ESXi Hosts
Secure Boot is part of the Unified Extensible Firmware Interface (UEFI) firmware standard:
• With Secure Boot enabled, the UEFI firmware validates the digital signature of the ESXi kernel against a digital certificate in the UEFI firmware, ensuring that only a properly signed kernel boots
• The firmware refuses to load any UEFI driver or operating system bootloader that is not cryptographically signed by a key it trusts
With vSphere 6.5, ESXi supports Secure Boot if it is enabled in the hardware.
[Diagram: UEFI Secure Boot-enabled machine; the UEFI firmware holds the UEFI CA digital certificate used to validate the ESXi bootloader, and the bootloader carries the VMware public key used for the rest of the chain]
UEFI Secure Boot Sequence for ESXi Hosts
ESXi 6.5 supports UEFI Secure Boot at each level of the boot stack. The boot sequence proceeds as follows:
1. The UEFI firmware validates the bootloader and the VMkernel.
2. The Secure Boot VIB verifier verifies every VIB package that is installed on the system.
If the security verifications pass during the boot sequence, the entire system is booted up, with the root of trust in certificates that are part of the UEFI firmware.
[Diagram of the chain of trust: UEFI firmware (UEFI CA digital certificate) -> bootloader -> VMkernel (VMware public key) -> Secure Boot VIB verifier (VMware public key) -> ESXi base system, drivers and modules, and management services (hostd, DCUI, and so on)]
Before enabling Secure Boot on an upgraded host, run /usr/lib/vmware/secureboot/bin/secureBoot.py -c from the ESXi Shell: it reports any installed VIB whose signature the verifier would reject, and a host carrying such a VIB will not boot once Secure Boot is turned on.
ESXi Host Firewall
Default host-firewall rulesets (services marked "Default" are part of the default ruleset):
Port | Service | Traffic
68 (Default) | DHCP client | Incoming and outgoing UDP
161 (Default) | SNMP server | Incoming UDP
53 (Default) | DNS client | Incoming and outgoing UDP
80 (Default) | HTTP access; vSphere Fault Tolerance (FT) | Incoming TCP (HTTP); outgoing TCP, UDP (FT)
111 (Default) | RPC service used for the NIS register by vCenter Virtual Appliance | Incoming and outgoing TCP
123 | NTP client | Outgoing UDP
135 (Default) | For the vCenter Virtual Appliance, this port is designated for Active Directory authentication | Incoming and outgoing TCP
427 (Default) | The CIM client uses the Service Location Protocol, version 2 (SLPv2) to find CIM servers | Incoming and outgoing UDP
443 (Default) | HTTPS access: vCenter Server access to ESXi hosts; default SSL web port; vSphere Client access to vCenter Server | Incoming TCP
513 (Default) | vCenter Virtual Appliance used for logging activity | Incoming UDP
902 (Default) | Host access to other hosts for migration and provisioning; authentication traffic for ESXi and remote console traffic (xinetd/vmware-authd) | Incoming and outgoing TCP, outgoing UDP
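The table above lists which rulesets exist, but the exposure of a host depends on two further settings per ruleset: whether it is enabled, and whether its allowed-IP list is still the default "All". The following script is an added example (not VMware code and not from this deck) that parses the two esxcli tables an administrator collects from the ESXi Shell and flags rulesets that are enabled while open to every source address. The two sample outputs are constructed in the layout of `esxcli network firewall ruleset list` and `esxcli network firewall ruleset allowedip list`, not captured from a real host, and the ALLOW_ANY_OK set is a per-environment assumption.

```python
"""Audit of the ESXi host firewall from esxcli output.

Added example, not VMware code. It parses the two tables an administrator
collects from the ESXi Shell and flags rulesets that are enabled while
accepting connections from any source address, which is the state most
rulesets are in until the allowed-IP list is restricted. The sample outputs
below are constructed in the layout of the esxcli tables, not captured from
a real host, and ALLOW_ANY_OK is a per-environment assumption.
"""
import re

# Constructed in the layout of `esxcli network firewall ruleset list`.
RULESET_LIST = """\
Name                   Enabled
---------------------  -------
sshServer                 true
sshClient                false
ntpClient                 true
snmp                      true
dhcp                      true
CIMSLP                    true
"""

# Constructed in the layout of `esxcli network firewall ruleset allowedip list`.
ALLOWED_IP_LIST = """\
Ruleset              Allowed IP Addresses
-------------------  --------------------
sshServer            All
sshClient            All
ntpClient            10.0.0.5
snmp                 10.0.0.20, 10.0.0.21
dhcp                 All
CIMSLP               All
"""

# Rulesets that legitimately must answer any source (assumption: DHCP has no
# fixed server address to pin; review the rest case by case).
ALLOW_ANY_OK = {"dhcp"}


def parse_ruleset_list(text: str) -> dict:
    """Map ruleset name -> enabled flag from `ruleset list` output."""
    enabled = {}
    for line in text.splitlines()[2:]:  # skip the header and the dashed separator
        parts = line.split()
        if len(parts) == 2:
            enabled[parts[0]] = parts[1].lower() == "true"
    return enabled


def parse_allowed_ip_list(text: str) -> dict:
    """Map ruleset name -> list of allowed sources (['All'] when unrestricted)."""
    allowed = {}
    for line in text.splitlines()[2:]:
        m = re.match(r"(\S+)\s+(.+)$", line)
        if m:
            allowed[m.group(1)] = [a.strip() for a in m.group(2).split(",")]
    return allowed


def find_exposed_rulesets(ruleset_text: str, allowed_text: str,
                          allow_any_ok=ALLOW_ANY_OK) -> list:
    """Rulesets that are enabled AND open to all source addresses, sorted by name."""
    enabled = parse_ruleset_list(ruleset_text)
    allowed = parse_allowed_ip_list(allowed_text)
    return sorted(name for name, on in enabled.items()
                  if on and allowed.get(name) == ["All"] and name not in allow_any_ok)


if __name__ == "__main__":
    for name in find_exposed_rulesets(RULESET_LIST, ALLOWED_IP_LIST):
        print(f"{name}: enabled and reachable from any address. Restrict it with:\n"
              f"  esxcli network firewall ruleset allowedip add --ruleset-id={name} --ip-address=<mgmt-cidr>\n"
              f"  esxcli network firewall ruleset set --ruleset-id={name} --allowed-all=false")
```

With the sample data the script reports sshServer and CIMSLP; sshClient is disabled and the NTP and SNMP rulesets are already pinned to specific addresses. Restricting the allowed-IP list of a ruleset to the management subnet is the host-side complement to the vCenter-side lockdown mode covered earlier.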
Securing Virtual Machines
UEFI Secure Boot for Virtual Machines
You can enable Secure Boot in a virtual machine if the following prerequisites are met:
• The virtual machine uses EFI firmware
• The virtual hardware is version 13
• The guest operating system supports UEFI Secure Boot
To properly support UEFI Secure Boot in a virtual machine, see the guest OS vendor documentation for the proper way to configure and use EFI firmware.
About Virtual Machine Encryption
vSphere 6.5 introduces virtual machine encryption, which provides the following functionality:
• Encryption:
  – Protection of virtual machine files, virtual disk files, and core dump files
  – Multilayer key protection: the key server supplies a key encryption key (KEK) that wraps the per-VM data encryption key (DEK); only the wrapped DEK is stored with the VM files
• Orchestration:
  – Simplified deployment using storage policies
  – Agnostic to storage and guest operating system
• Key control:
  – Key management provided by key servers
  – Use of the Key Management Interoperability Protocol (KMIP), an industry standard for the management of security keys
  – Nonpersistence of keys for added security
• Access control:
  – New role for administrators without cryptography permissions
  – Cryptographic tasks authorized only to administrators with appropriate permissions
Advantages of Virtual Machine Encryption
vSphere 6.5 virtual machine encryption has several advantages over similar offerings in the market:
• Does not require in-guest agents
• Uniform methodology across all guest operating systems
• Protects all virtual machine data, including virtual disk and swap files
• Finely detailed key control: virtual machines and disks can use different keys
• Easy orchestration through virtual machine storage policies
Managing Virtual Machine Encryption
By default, the vCenter Server Administrator role has cryptographic privileges.
But not all administrators should be able to control encryption operations and have access to keys.
In vSphere 6.5, vCenter Server has a new role called No Cryptography Administrator, which enables you to control which administrators have encryption privileges.
[Diagram: a third-party KMS supplies keys to vCenter Server, which distributes the virtual machine keys to the ESXi hosts running the encrypted VMs (VM1, VM2)]
The security administrator manages your KMS and keys.
A subset of vSphere administrators should manage encryption within vSphere.
vCenter Server Role: No Cryptography Administrator
The No Cryptography Administrator role has most of the same virtual machine privileges as Administrator, including:
• Power on, power off, shut down
• Boot
• Migrate
This role does not include the following privileges:
• Any of the cryptographic operations, such as encrypting and decrypting
• Console access to encrypted virtual machines
• Download or upload of encrypted virtual machines
About Encrypted vSphere vMotion
Encrypted vSphere vMotion secures the confidentiality, integrity, and authenticity of data that is transferred with vSphere vMotion.
Encrypted vSphere vMotion supports all variants of vSphere vMotion for unencrypted virtual machines, including migration across vCenter Server systems.
[Diagram: vCenter Server generates a one-time-use 256-bit key and a 64-bit nonce, includes them in the migration specification sent to the source and destination hosts, and the migration data then crosses the vSphere vMotion network encrypted]
Security Features of VMware NSX
VMware NSX Portfolio: The Foundation of the Virtual Cloud Network
Networking and security management and automation:
• vRealize Automation: end-to-end workload automation (cloud-based management, workflow automation, blueprints/templates)
• Network Insight: network discovery and insights (insights/discovery, visibility)
Network and security virtualization:
• AppDefense: modern application security
• NSX SD-WAN by VeloCloud: WAN connectivity services
• NSX Hybrid Connect: data center and cloud workload migration
• NSX Data Center: networking and security for data center workloads
• NSX Cloud: networking and security for cloud workloads
Common attributes: security, integration, extensibility, automation, elasticity
VMware NSX Data Center Security Management
Security services are managed more efficiently in a software-defined data center:
• Deploy: Provision and monitor uptime of different services, using one method.
• Apply: Apply and visualize security policies for workloads, in one place.
• Automate: Automate workflows across best-of-breed services, without custom integration.
VMware NSX Network Virtualization Platform
Built-in services: NSX Edge firewall, distributed firewall, server activity monitoring, VPN (IPsec, SSL)
Third-party services: antivirus, DLP, firewall, vulnerability management, intrusion prevention, identity and access management, security policy management
Data Center Network Security
Perimeter-centric network security has proven insufficient. And before network virtualization, microsegmentation was operationally infeasible.
[Diagram, "Before VMware NSX": one Internet-facing data center with few or no lateral controls inside the perimeter (insufficient), and another attempting microsegmentation with physical firewalls (operationally infeasible)]
Using the SDDC Approach for Microsegmentation
The distributed firewall provides micro-segmentation, which addresses many security challenges.
[Diagram: perimeter firewalls at the Internet edge, with security policy pushed from the cloud management platform to every workload]
Efficiency of Distributed Security: Same-Host Example
The distributed firewall performs firewall filtering closest to the virtual machine, at the vNIC, so traffic between two VMs on the same ESXi host is filtered without ever leaving the host.
Efficiency of Distributed Security: Different-Host Example
The distributed firewall provides optimal firewall filtering even when the virtual machines are on different ESXi hosts: the flow is filtered at the vNIC of the sending VM before it crosses the network, rather than being hairpinned through a central firewall.
VMware NSX Firewalls
The NSX Edge services gateway is optimized for north-south traffic filtering. The distributed firewall is optimized for east-west traffic filtering.
[Diagram: a three-tier application (Web, Application, Database) with the Edge firewall at the perimeter and the distributed firewall enforcing between tiers]
NSX Edge Firewall Capabilities
The NSX Edge services gateway virtual machine form factors influence rule-processing capabilities. Idle TCP connections count toward the connection count.
Size | vCPU | RAM | Number of Connections | Number of Rules | Comments
Compact | 1 | 512 MB | 64,000 | 2,000 | Suitable for a basic firewall
Large | 2 | 1 GB | 1,000,000 | 2,000 | Suitable for a medium-level firewall
Quad Large | 4 | 2 GB | 1,000,000 | 2,000 | Suitable for a high-performance firewall
Extra Large | 6 | 8 GB | 1,000,000 | 2,000 | Suitable for a high-performance firewall, plus load balancer
Distributed Firewall
The distributed firewall provides security filtering and service chaining functions on every host prepared for VMware NSX:
• Ensures consistent (ubiquitous) application of policy rules
• Optimizes traffic: no firewall hairpins
• Provides distributed enforcement of policy rules
The throughput scales as hypervisors are added.
The distributed firewall provides centralized configuration using the VMware vSphere® Web Client.
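What "east-west filtering at the vNIC" means for the three-tier Web/Application/Database design on the preceding slides is easiest to see as an ordered rule list evaluated per flow. The script below is an added example, not NSX code and not configuration from this deck: the security group names, subnets, ports and rules are assumptions chosen to illustrate a tier-to-tier policy with a final default deny, evaluated with the first-match semantics a DFW section uses.

```python
"""Distributed-firewall rule evaluation for the three-tier application
(Web, Application, Database) shown in the deck.

Added example, not NSX code: group names, addresses, ports and the rule
table below are assumptions chosen for illustration. The evaluation mimics
the DFW's behaviour of checking an ordered rule list at the VM's vNIC with
first-match semantics and a final default rule.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Security groups already resolved to member subnets. In NSX the membership
# is dynamic (tags, names, OS); hardcoded here so the example runs offline.
GROUPS = {
    "SG-Web": [ip_network("10.10.1.0/24")],
    "SG-App": [ip_network("10.10.2.0/24")],
    "SG-DB":  [ip_network("10.10.3.0/24")],
    "any":    [ip_network("0.0.0.0/0")],
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str               # security group name
    dst: str               # security group name
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "block"


# Ordered like a DFW section: the allows for the application's legitimate
# tier-to-tier flows, then a catch-all block so anything not listed
# (including lateral movement inside a tier) is dropped at the source vNIC.
RULES = [
    Rule("ext-to-web",   "any",    "SG-Web", "tcp", 443,  "allow"),
    Rule("web-to-app",   "SG-Web", "SG-App", "tcp", 8443, "allow"),
    Rule("app-to-db",    "SG-App", "SG-DB",  "tcp", 3306, "allow"),
    Rule("default-deny", "any",    "any",    "any", None, "block"),
]


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dport: int


def in_group(ip: str, group: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in GROUPS[group])


def matches(rule: Rule, flow: Flow) -> bool:
    return (in_group(flow.src_ip, rule.src)
            and in_group(flow.dst_ip, rule.dst)
            and rule.proto in ("any", flow.proto)
            and rule.dport in (None, flow.dport))


def evaluate(flow: Flow, rules=RULES):
    """Return (action, rule_name) for the first rule that matches the flow.

    The DFW is stateful: once a new connection is allowed here, its return
    packets are permitted automatically, which this example does not model.
    """
    for rule in rules:
        if matches(rule, flow):
            return rule.action, rule.name
    raise RuntimeError("rule set has no default rule")  # every DFW section ends with one


if __name__ == "__main__":
    for flow in [
        Flow("203.0.113.9", "10.10.1.10", "tcp", 443),   # client to web
        Flow("10.10.1.10", "10.10.2.10", "tcp", 8443),   # web to app
        Flow("10.10.1.10", "10.10.3.10", "tcp", 3306),   # web straight to DB (lateral)
        Flow("10.10.1.10", "10.10.1.11", "tcp", 22),     # web to web (same tier)
    ]:
        print(flow, "->", evaluate(flow))
```

The two flows that matter for micro-segmentation are the last two: a compromised web server trying to reach the database directly, or its neighbour in the same tier, hits the default deny even though both destinations are on the same subnet or one hop away, which is exactly the lateral traffic a perimeter firewall never sees.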
Intelligent Grouping
Security groups can be defined by customized criteria:
• Operating system
• Machine name
• Application tier
• Services
• Security posture
• Regulatory requirements
Security Groups: Definition
Security Group = (Dynamic Inclusion + Static Inclusions) - Static Exclusion
Static and Dynamic Group Criteria
Options are available when defining group membership:
• Dynamic inclusion criteria: Computer OS Name, Computer Name, VM Name, Security Tag, Entity
• Static inclusion and static exclusion objects: Security Group, Cluster, Logical Switch, Network, vApp, Data Center, IP Sets, Active Directory Group, MAC Sets, Security Tag, vNIC, VM, Resource Pool, Distributed Port Group
Security Policies
A collection of network and security services to be applied to a security group. A security policy can contain the following services:
• Guest introspection services:
  – Antivirus
  – Vulnerability management
  – Data security and data loss prevention solutions
• Network introspection services:
  – Intrusion detection and intrusion prevention systems
• Firewall rules
[Diagram: Security Groups (members: VM, vNIC; context: user identity, security posture) APPLY Security Policies (services: firewall, antivirus; profiles: labels representing specific policies)]
Service Composer Security Policy Rules
• Distributed Firewall Rules: only L3/L4 firewall rules
• Guest Introspection Rules: antimalware and antivirus, vulnerability management, file integrity monitoring
• Network Introspection Rules: IDS/IPS services, firewall services (L7)
Automated Quarantine
Security services can be automatically applied to compromised virtual machines based on assigned tags.
Security Group = Quarantine Zone; Members = {Tag = 'ANTI_VIRUS.VirusFound'}
Security Group = Standard
Policy definitions:
• Standard VM Policy: Antivirus: Scan
• Quarantined VM Policy: Firewall: Block all except security tools; Antivirus: Scan and remediate
When the antivirus service detects malware it applies the ANTI_VIRUS.VirusFound security tag to the VM; dynamic membership then moves the VM into the Quarantine Zone group and the quarantine policy takes effect without an administrator touching the firewall.
[Diagram also shows the cloud management platform that provisions the workloads into these groups]
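The membership formula on the Security Groups slide and the tag-driven quarantine above are two views of the same mechanism, so one worked example covers both. The script below is an added example, not NSX code and not configuration from this deck: it implements (Dynamic Inclusion + Static Inclusions) - Static Exclusion over a constructed VM inventory, then resolves which Service Composer policies apply to a VM before and after the antivirus service tags it. The VM records, group definitions, tags and policy weights are assumptions, and dynamic criteria are combined with AND only (NSX also supports OR and multiple criteria sets, which are not modelled).

```python
"""Security-group membership and tag-driven quarantine, as described on the
Security Groups and Automated Quarantine slides.

Added example, not NSX code: it implements the membership formula
    Security Group = (Dynamic Inclusion + Static Inclusions) - Static Exclusion
over a constructed VM inventory and then resolves which Service Composer
policies apply to a VM. VM records, group names, tags and policy weights
are assumptions for illustration. Dynamic criteria are combined with AND
(NSX also allows OR and multiple criteria sets; that is not modelled).
"""
from dataclasses import dataclass, field


@dataclass
class VM:
    name: str
    os_name: str
    cluster: str
    tags: set = field(default_factory=set)


@dataclass
class SecurityGroup:
    name: str
    dynamic: list = field(default_factory=list)   # (attribute, operator, value) triples
    include: set = field(default_factory=set)     # static inclusion, by VM name
    exclude: set = field(default_factory=set)     # static exclusion, by VM name


def dynamic_match(vm: VM, criterion) -> bool:
    attribute, op, value = criterion
    if attribute == "security_tag":               # tags are a set, not a string
        return (value in vm.tags) == (op == "equals")
    actual = {"os_name": vm.os_name, "vm_name": vm.name, "cluster": vm.cluster}[attribute]
    return {
        "equals": actual == value,
        "contains": value in actual,
        "starts_with": actual.startswith(value),
    }[op]


def members(group: SecurityGroup, inventory) -> set:
    """Evaluate (dynamic + static includes) - static excludes, returning VM names."""
    dynamic = set()
    if group.dynamic:  # a group with no dynamic criteria has no dynamic members
        dynamic = {vm.name for vm in inventory
                   if all(dynamic_match(vm, c) for c in group.dynamic)}
    return (dynamic | group.include) - group.exclude


@dataclass
class Policy:
    name: str
    weight: int        # Service Composer applies higher-weight policies first
    applies_to: str    # security group name
    services: dict


# Constructed inventory and configuration (assumptions for this example).
INVENTORY = [
    VM("web-01", "Windows Server 2016", "prod", {"tier.web"}),
    VM("web-02", "Windows Server 2016", "prod", {"tier.web"}),
    VM("db-01", "Red Hat Enterprise Linux 7", "prod", {"tier.db"}),
    VM("jump-01", "Windows 10", "mgmt"),
]

GROUPS = [
    # Every prod VM except the database server, which gets its own policy elsewhere.
    SecurityGroup("Standard", dynamic=[("cluster", "equals", "prod")], exclude={"db-01"}),
    # Membership is purely tag-driven, so the AV service's tag is what quarantines a VM.
    SecurityGroup("Quarantine Zone",
                  dynamic=[("security_tag", "equals", "ANTI_VIRUS.VirusFound")]),
]

POLICIES = [
    Policy("Standard VM Policy", 1000, "Standard", {"antivirus": "scan"}),
    Policy("Quarantined VM Policy", 5000, "Quarantine Zone",
           {"firewall": "block all except security tools",
            "antivirus": "scan and remediate"}),
]


def effective_policies(vm_name: str, inventory=INVENTORY, groups=GROUPS, policies=POLICIES):
    """Names of the policies applied to a VM, highest weight first."""
    in_groups = {g.name for g in groups if vm_name in members(g, inventory)}
    applied = [p for p in policies if p.applies_to in in_groups]
    return [p.name for p in sorted(applied, key=lambda p: p.weight, reverse=True)]


def tag_vm(vm_name: str, tag: str, inventory=INVENTORY) -> None:
    """What the antivirus service does on detection: apply a security tag to the VM."""
    vm = next(v for v in inventory if v.name == vm_name)
    vm.tags.add(tag)


if __name__ == "__main__":
    print("before:", effective_policies("web-01"))
    tag_vm("web-01", "ANTI_VIRUS.VirusFound")
    print("after: ", effective_policies("web-01"))
```

The quarantine policy carries the higher weight so that its "block all except security tools" firewall rules are evaluated before the standard policy's rules; the VM stays a member of Standard as well, which is why nothing else has to be reconfigured to release it once the tag is removed.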
Securing Traffic Using the Edge Gateway VPN
VMware NSX Data Center VPNs
VMware NSX Data Center supports several types of VPNs:
• Layer 2 VPN: Used to join layer 2 networks between locations
• IPsec VPN: Used for site-to-site connectivity
• SSL VPN-Plus: Enables remote users to connect to a private network behind an NSX Edge gateway
Logical Layer 2 VPN
Features: SSL-based; web-proxy support; L2 bridge to the public cloud
Scale and performance: high performance with AES-NI acceleration; 1.5 Gbps throughput per tenant
Use cases: cloud onboarding; cloud bursting; data center migration
Site-to-Site (IPsec) VPN
Features:
• Interoperable IPsec tested with major vendors
• Encryption: 3DES, AES128, AES256, AES-GCM
• AES-NI hardware offload
• NAT and perimeter firewall traversal
• Certificate authentication and preshared key mode
• IP unicast traffic
• 64 tunnels across a maximum
Scale and performance: high performance with AES-NI acceleration; up to 2 Gb/s throughput per tenant
Use cases: cloud to corporate; cloud on-boarding
3DES is listed for interoperability with legacy peers only: for new tunnels choose AES-GCM (or AES256) and certificate authentication, since 3DES has a 64-bit block and a short effective key, and a preshared key shared by several sites cannot tie a tunnel to one peer identity.
SSL VPN-Plus
Features:
• Clients on all major operating systems: Windows, Mac OS, Linux
• Remote authentication through Active Directory, RSA SecurID, LDAP, RADIUS
• TCP acceleration
• Encryption: 3DES, AES128, AES256
Use cases: remote office or branch office; remote management
NSX Security Hardening Guide
https://www.vmware.com/security/hardening-guides.html
Where to Get Started
Engage and Learn:
• Join the NSX VMUG Community: vmug.com/nsx
• Connect with your Peers: communities.vmware.com
• Embrace the NSX Mindset: nsxmindset.com
• Find NSX Resources: vmware.com/products/nsx
• Read the Network Virtualization Blog: blogs.vmware.com/networkvirtualization
Experience:
• Attend the Networking and Security Sessions: showcases, breakouts, quick talks & group discussions
• Visit the VMware Booth: product overviews, use-case demos
• Visit Technical Partner Booths: integration demos (infrastructure, security, operations, visibility, and more)
• Meet the Experts: join our experts in an intimate roundtable discussion
Try:
• Free Hands-on Labs: test drive NSX with expert-led or self-paced hands-on labs, labs.hol.vmware.com
Take:
• VMware Education, Training and Certification: vmware.com/go/nsxtraining
• Free NSX Training on Coursera: vmware.com/go/coursera
THANK YOU!