NSX 9 Core Use Cases

© 2015 VMware Inc. All rights reserved. NSX Core Cases Secure & Scale Beyond the Network.

Transcript of NSX 9 Core Use Cases

Page 1: NSX 9 Core Use Cases


NSX Core Cases: Secure & Scale Beyond the Network.

Page 2: NSX 9 Core Use Cases

Today’s Network / Security Paradigm.

Why Are We Still at Risk?

Little or no lateral controls inside perimeter

Low priority systems are targeted first.

Attackers can move freely around the data center.


Attackers then gather and exfiltrate data over weeks or even months.

[Diagram labels: Internet, Data Center Perimeter]

Page 3: NSX 9 Core Use Cases

Today’s Network / Security Paradigm.

It’s Not Just Servers, but Users and the Controls.

…and controls make it even harder to manage.

VDI to VDI: Desktop-to-desktop hacking inside the DC

VDI to VM: Desktop-to-server hacking inside the DC

Bringing desktops into the data center opens up new risks for attack.

And a matrix of policies is needed on centralized, choke-point firewalls for the correct security posture.

[Diagram labels: Desktops, Servers; Finance, HR, Engineering]

Page 4: NSX 9 Core Use Cases

Security. Secure holistically from the Datacenter, to the VM, to the Network and beyond.

1. Datacenter Security

[Diagram labels: Data Center Perimeter, Internet, DMZ]

• Micro-segmentation allows each machine to retain its own hypervisor-level firewall.

• Attackers can no longer move freely once access is gained to the datacenter.

• Virtual machines retain their firewall security as they migrate, ensuring portability and security retention.

• The firewall is outside the scope of the VM, ensuring attackers are unable to compromise it from the VM.

Page 5: NSX 9 Core Use Cases

Security. Secure holistically from the Datacenter, to the VM, to the Network and beyond.

2. Virtual Machine Security

• Firewall and filter traffic for VMs based upon logical groupings, or based upon provisioning for VDI

• Threats to the datacenter from user interaction are eliminated through micro-segmentation

• Service-chaining with AV and NGFW partners delivers automated, policy-integrated AV/malware protection, IPS/IDS, etc.

[Diagram labels: VDI; Finance, Marketing, HR, Engineering]

• The attack surface increases when all machines are consolidated into a single infrastructure

• VDI deployments increase complexity for security due to user interaction and internal access of trusted resources.

Page 6: NSX 9 Core Use Cases

Security. Secure holistically from the Datacenter, to the VM, to the Network and beyond.

3. Mobile Device Security

• Mobile devices gain access to infrastructure resources through mobile applications

• Users cannot discern which data they’re interacting with, and datacenter controls cannot programmatically manage control

• Administration can granularly control which data streams are secured

• Control can be applied per device, per user/group or based upon business case or point of access, etc.

• NSX and AirWatch together can address the issue of "overprovisioning," in which users get access to more apps and data than they need to do their jobs

Page 7: NSX 9 Core Use Cases

Scale & Elasticity. Create the ability to scale and shrink as needed, while not compromising security.

4. IT Automation

IT automating IT

• Faster project onboarding

Elastic Services

• Streamline Security Enforcement

• Mergers & Acquisition

Developer cloud

• Leverage vSphere investment

• Faster application development

• Brings power of cloud on-prem

Multi-tenant infrastructure

• Robust security to isolate each tenant organization

• Multi-tenancy for legacy apps

Switching

Routing

Load Balancing

Connectivity to Physical Networks

Firewalling

VPN

Data Security

Activity Monitoring

Page 8: NSX 9 Core Use Cases

Scale & Elasticity. Create the ability to scale and shrink as needed, while not compromising security.

5. Developer Clouds

• NSX can be used in a DevOps model, setting up developer environments through APIs quickly.

• Using libnetwork, containers can leverage strong, granular security in real time.

• libnetwork is a community-supported framework that enables Docker plugin models and has been endorsed by the networking community.

• Containers all share the same kernel. If a contained application is hijacked with a privilege escalation vulnerability, all running containers and the host are compromised.

• Since containers are effectively managed by the kernel, a kernel-level exploit has the opportunity of compromising the applications running inside containers

Page 9: NSX 9 Core Use Cases

Scale & Elasticity. Create the ability to scale and shrink as needed, while not compromising security.

6. Multi-Tenant Infrastructure

• NSX provides isolation between different groups within an organization, or different tenants

• Some companies need isolation but may also want overlapping IP addresses for multitenancy, or for going from development and testing into production, and NSX can provide this

• NSX integrates directly into VMware’s vRealize Automation platform, allowing for self service creation of secure, scalable networks across tenants and platforms

[Diagram labels: Hypervisor, vSwitch (repeated for each host)]

Page 10: NSX 9 Core Use Cases

7. Disaster Recovery

• NSX plays a big role in disaster recovery scenarios, ensuring that networking and security configurations are kept in place when a failure occurs and workloads have to be moved across data centers

• NSX can also ensure that firewalls and networking constructs are protected to provide ease of recovery and solidity of business continuity

Security. Secure holistically from the Datacenter, to the VM, to the Network and beyond.

[Diagram: SRM-based Disaster Recovery. Labels: Data Center 1, Data Center 2; Primary, Secondary; vCenter A / SRM A, vCenter B / SRM B; Universal Logical Switch; Implicit Mapping; Prod_Web_V110, Prod_Web_V120, Prod_Web_V130]

Page 11: NSX 9 Core Use Cases

Scale & Elasticity. Create the ability to scale and shrink as needed, while not compromising security.

8. Hybrid Networking Services

• NSX is a key enabling technology for moving workloads between different clouds

• NSX is also part of VMware's "cross-cloud vMotion" technology, which allows running virtual machines to be moved from a private cloud to a public cloud.

Page 12: NSX 9 Core Use Cases

L2 Extensions

Scale & Elasticity. Create the ability to scale and shrink as needed, while not compromising security.

9. Metro Pooling

• NSX makes it possible for customers to run virtual data centers in which compute, storage and networking are all driven through the hypervisor. Admins can use NSX to create pools of resources, each with their own distinct service level agreements and quality of service rules, which is core to the cloud computing model.

• NSX lets customers run an app in multiple data centers with Layer 2 stretched across them.