Alex Berger, NSX Product Marketing SAI1303BU #VMworld #SAI1303BU Security with NSX. Greater Security in the Digital Business Age VMworld 2017 Content: Not for publication or distribution


Alex Berger, NSX Product Marketing

SAI1303BU

#VMworld #SAI1303BU

Security with NSX. Greater Security in the Digital Business Age


Disclaimer

• This presentation may contain product features that are currently under development.

• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.

• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.

• Technical feasibility and market demand will affect final delivery.

• Pricing and packaging for any new technologies or features discussed or presented have not been determined.


“By 2020, 60% of digital businesses will suffer major service failures due to the inability of IT security teams to manage digital risk.”

Gartner, “Special Report: Cybersecurity at the Speed of Digital Business,” May 2016.

Business demands

Control costs and reduce complexity

Deliver applications faster to improve time to market

Decrease business risk in an environment of advanced persistent threats


From Monolithic Stack to Distributed Apps

[Diagram labels: UI, WEB, APP, DB, STORAGE]

The application is a network


PERIMETER SECURITY

NGFW, IPS, WAF, sFW, ENC


Our approach is not working

Security investments are increasing, yet the cost of breaches is rising faster

[Chart legend: IT Spend, Security Spend, Security Breaches]

• Annual Cost of Security Breaches: $445B (Source: Center for Strategic and Int’l Studies)
• Security as a % of IT Spend: 2012: 11%; 2015: 21% (Source: Forrester)
• Projected Growth Rate in IT Spend from 2014-2019: Zero (Flat) (Source: Gartner)


Network virtualization - a point of alignment

Abstracting networking and security from the underlying infrastructure

[Diagram labels: IoT, Cloud, Data center, Branch office]


NSX value proposition

[Diagram labels: Network, storage, compute; Virtualization layer; Hypervisor; vSwitch]

• Network and security services: Switching, Routing, Firewalling, Load balancing
• In-hypervisor (on-prem)
• as a Service (cloud)
• Hardware/Cloud independent
• “Network platform”
• Virtual networks

Security with NSX

Micro-segmentation, DMZ Anywhere, Secure end user

Our security realities

When threats breach the perimeter, it’s hard to stop lateral spread

[Diagram labels: INTERNET, NETWORK PERIMETER]

• Low priority systems are often targeted first.
• Attackers can move freely around the data center.
• Attackers then gather and exfiltrate the valuable data.

MICRO-SEGMENTATION


What if you could…

Enforce security at the most granular level of the data center?

Every VM can have:

• Individual security policies
• Individual firewalls

[Diagram labels: INTERNET, NETWORK PERIMETER]

MICRO-SEGMENTATION


What if you could…

Maintain that level of consistent security across an entire application

• Modern apps today are distributed in nature
• Security needs to reach beyond an individual VM
• Each VM is typically part of a larger application

[Diagram labels: WEB, DB]

MICRO-SEGMENTATION


Better security, simplified policy

Define a policy using workload characteristics, not IPs and ports

An NSX security policy can be based on things like:

• Operating system

• Machine name

• Services

• Application tier

• Regulatory requirements

• Security posture

MICRO-SEGMENTATION

Creating and managing policies becomes a whole lot easier

[Diagram labels: DATA CENTER PERIMETER, PCI Scope]


Our security realities

Proliferation of devices accessing the data center, yet not all are secured

• Mobile device in the field or at home
• Laptop or desktop at work or home
• VDI at a branch or remote location

MOBILE WORKERS HAVE BROAD ACCESS TO DATA CENTER RESOURCES

[Diagram labels: INTERNET, NETWORK PERIMETER]

SECURE END USER


What if you could…

Extend micro-segmentation out to secure the end user device

• Mobile device in the field or at home
• Laptop or desktop at work or home
• VDI at a branch or remote location

MICRO-SEGMENTATION LIMITS DEVICE ACCESS TO ONLY WHAT IS NEEDED

[Diagram labels: INTERNET, NETWORK PERIMETER]

SECURE END USER


Our security realities

Isolating physical infrastructure for security is effective, but inefficient

• Manual processes
• High CapEx investment
• Inefficient use of pooled resources

[Diagram labels: CORE INFRASTRUCTURE, PHYSICAL DMZ, DATA CENTER]

DMZ ANYWHERE


What if you could…

Pool your physical infrastructure resources…

So that you could provide isolation at the hypervisor layer

Enabling you to create DMZs anywhere, regardless of their location

• Scalable and flexible
• Simplify management
• Increase asset utilization

[Diagram labels: CORE INFRASTRUCTURE, DATA CENTER, DMZ]

DMZ ANYWHERE


Driving value with our NSX partner ecosystem

• Compute Infrastructure
• Network Infrastructure
• Networking & Security Services
• Orchestration & Management Platforms
• Operations & Visibility

[Diagram labels: vRealize Automation, vCloud Director, vRealize Orchestrator, VIO, vSAN Ready Node]


NSX customer momentum is growing exponentially

• Customers: 2,600+ customers across all industries and organizational sizes, representing 100% year-over-year growth (Q2 2016: 1,300+; Q2 2017: 2,600+)
• Deployments: Over two new deployments of NSX per day. Number of deployments increased 3x year-over-year
• Certifications: 8,800+ Certified NSX professionals


Customers are using NSX…

• SERVICE PROVIDER: To stay one step ahead of hackers
• TECHNOLOGY: To keep pace with the explosion of data
• TELECOM: To keep millions of people connected
• FINANCE: To process millions of transactions globally
• HEALTHCARE: To keep hospitals running smoothly
• PUBLIC SECTOR: To protect governments and militaries
• EDUCATION: To deliver apps to thousands of students
• TRAVEL AND TRANSPORT: To keep planes in the air
• RETAIL: To process $ billions of retail transactions


State of Louisiana

Dustin Glover, CISO, State of Louisiana - OTS


Division of Administration

Office of Technology Services

Statewide

Enterprise Architecture

Information Security Overview


Business Goals

• Louisiana Department of Health System Modernization
  • Medicaid Eligibility & Enrollment Systems (Initially)
• Noticeably Improve Public Facing services for Louisiana Citizens
  • Quality & Availability


Technology Goals

• (7) Core Components must be COTS
• ALL Application Service Integration must be achieved through an Enterprise Service Bus (ESB)
• Standardize Server and Database platforms
• Extensive High Availability (HA) (Active\Active) and Recoverability
• Components:
  • Enterprise Service Bus
  • Identity Access Management
  • Master Data Management
  • Data Warehouse
  • Electronic Document Management
  • Consumer Communications
  • Business Rules Engine


InfoSec Goals

• Verifiable Regulatory Compliance

• CMS MARS-E 2.0 & SSA Compliant (Initially)

• Establish and Document Secure Baseline for all elements within the published 3 environments: Production w/ Restricted Data, NonProduction w/ Restricted, and NonProduction w/ NonRestricted

• Create internal Isolation (defense in depth)

• Significantly improve security monitoring


Issues: Performance loss

[Diagram labels: vCenter, VM, VM]

Solution: NSX

[Diagram labels: vCenter, NSX, VM, VM]

• Keep traffic within the “virtual fabric”


NSX Configuration Approach

[Diagram labels: vCenter, NSX; VMs WebServer01, AppServer01 ([TAG]:AppServer01:8443) and DBServer01 ([TAG]:DBServer01:1443); HOST and TAG markers on each VM]

• Every HOST must also have a TAG.
• Access Policy is applied to TAG for HOST.
• TAGs are applied to HOSTs that require access.
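The tag scheme on this slide, together with the earlier point about defining policy from workload characteristics rather than IPs and ports, can be modelled as a default-deny lookup. This is an added Python illustration, not code from the presentation or from VMware, and it does not call NSX: the function names are hypothetical, the reading that each tag names a destination host and port is an assumption, and the WebServer01:443 tag is a constructed placeholder.

```python
from typing import NamedTuple


class Tag(NamedTuple):
    host: str  # destination host the tag is named for
    port: int  # destination port the tag's access policy opens


def parse_tag(text):
    """Parse 'AppServer01:8443' or the slide's '[TAG]:AppServer01:8443'."""
    if text.startswith("[TAG]:"):
        text = text[len("[TAG]:"):]
    host, sep, port = text.rpartition(":")
    if not (sep and host and port.isdigit() and 0 < int(port) < 65536):
        raise ValueError(f"malformed tag: {text!r}")
    return Tag(host, int(port))


def build(defined, applied):
    """Return (set of defined tags, {host: set of tags applied to that host})."""
    return ({parse_tag(t) for t in defined},
            {h: {parse_tag(t) for t in tags} for h, tags in applied.items()})


def is_allowed(policy, src, dst, port):
    """Default deny: src reaches dst:port only if it carries the defined tag for it."""
    defined, applied = policy
    tag = Tag(dst, port)
    return tag in defined and tag in applied.get(src, set())


def audit(policy):
    """List hosts that own no tag and applied tags that were never defined."""
    defined, applied = policy
    owners = {t.host for t in defined}
    findings = [f"{h}: host has no tag" for h in sorted(applied) if h not in owners]
    for host in sorted(applied):
        for tag in sorted(applied[host] - defined):
            findings.append(f"{host}: carries undefined tag {tag.host}:{tag.port}")
    return findings


# Constructed sample mirroring the slide's three VMs. The AppServer01 and
# DBServer01 tags are the ones shown on the slide; WebServer01:443 is assumed.
DEFINED = ["[TAG]:WebServer01:443", "[TAG]:AppServer01:8443", "[TAG]:DBServer01:1443"]
APPLIED = {
    "WebServer01": ["[TAG]:AppServer01:8443"],  # web tier needs the app tier
    "AppServer01": ["[TAG]:DBServer01:1443"],   # app tier needs the database
    "DBServer01": [],                           # database initiates nothing
}
POLICY = build(DEFINED, APPLIED)

if __name__ == "__main__":
    flows = [("WebServer01", "AppServer01", 8443),
             ("AppServer01", "DBServer01", 1443),
             ("WebServer01", "DBServer01", 1443)]  # tier skip: expected deny
    for src, dst, port in flows:
        verdict = "allow" if is_allowed(POLICY, src, dst, port) else "deny"
        print(f"{src} -> {dst}:{port} {verdict}")
    print("audit findings:", audit(POLICY))
```

Because access follows the tag rather than an address, the web tier has no path to the database unless someone applies the DBServer01 tag to it, which is the change to watch for when reviewing tag assignments.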


NSX Configuration


NSX Configuration (cont.)


NSX Benefits

• Significantly Increased Performance
  • Routing and Firewall inside “virtual fabric”
  • Allows for DNS load balancing inside NSX
• Significantly Increased Security Posture
  • True Micro-Segmentation
• Positioned for Migration to VMware Cloud ready IaaS


Team Effort

Big THANK YOU to:


Where to get started

[Column headings: Engage and Learn, Experience, Try, Take]

• Join VMUG for exclusive access to NSX: vmug.com/VMUG-Join/VMUG-Advantage
• Connect with your peers: communities.vmware.com
• Find NSX Resources: vmware.com/products/nsx
• Network Virtualization Blog: blogs.vmware.com/networkvirtualization
• Dozens of Unique NSX Sessions: Spotlights, breakouts, quick talks & group discussions
• Visit the VMware Booth: Product overview, use-case demos
• Visit Technical Partner Booths: Integration demos – Infrastructure, security, operations, visibility, and more
• Meet the Experts: Join our Experts in an intimate roundtable discussion
• Free Hands-on Labs: Test drive NSX yourself with expert-led or self-paced hands-on labs. labs.hol.vmware.com
• Training and Certification: Several paths to professional certifications. Learn more at the Education & Certification Lounge. vmware.com/go/nsxtraining
