Security with NSX. Greater Security in the Digital Business Age
Alex Berger, NSX Product Marketing
SAI1303BU
#VMworld #SAI1303BU
VMworld 2017 Content: Not for publication or distribution
Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
“By 2020, 60% of digital businesses will suffer major service failures due to the inability of IT security teams to manage digital risk.”
Gartner, “Special Report: Cybersecurity at the Speed of Digital Business,” May 2016.
Business demands
• Control costs and reduce complexity
• Deliver applications faster to improve time to market
• Decrease business risk in an environment of advanced persistent threats
From Monolithic Stack to Distributed Apps
[Figure: a monolithic stack (storage, DB, app, UI, web) alongside distributed apps built from many DB, app and storage components]
The application is a network
[Figure: perimeter security; appliances at the perimeter labelled NGFW, IPS, WAF, sFW, ENC]
Our approach is not working
Security investments are increasing, yet the cost of breaches is rising faster
• Annual cost of security breaches: $445B (Source: Center for Strategic and Int’l Studies)
• Security as a % of IT spend: 2012: 11%; 2015: 21% (Source: Forrester)
• Projected growth rate in IT spend from 2014-2019: zero (flat) (Source: Gartner)
[Chart: IT spend, security spend, security breaches]
Network virtualization - a point of alignment
Abstracting networking and security from the underlying infrastructure
[Figure: IoT, cloud, data center, branch office]
NSX value proposition
[Figure: a virtualization layer over network, storage and compute; each hypervisor carries a vSwitch; network and security services (switching, routing, firewalling, load balancing) run in-hypervisor on-prem or as a service in the cloud, hardware/cloud independent; the “network platform” hosts the virtual networks]
Security with NSX
Three use cases: Micro-segmentation, DMZ Anywhere, Secure end user
Our security realities
When threats breach the perimeter, it’s hard to stop lateral spread
• Low priority systems are often targeted first.
• Attackers can move freely around the data center.
• Attackers then gather and exfiltrate the valuable data.
[Figure: Internet, network perimeter, data center workloads]
MICRO-SEGMENTATION
What if you could…
Enforce security at the most granular level of the data center?
Every VM can have:
• Individual security policies
• Individual firewalls
[Figure: Internet, network perimeter, per-VM firewalls inside the data center]
MICRO-SEGMENTATION
What if you could…
Maintain that level of consistent security across an entire application
• Modern apps today are distributed in nature
• Each VM is typically part of a larger application
• Security needs to reach beyond an individual VM
[Figure: web and DB tiers of one application]
MICRO-SEGMENTATION
Better security, simplified policy
Define a policy using workload characteristics, not IPs and ports
An NSX security policy can be based on things like:
• Operating system
• Machine name
• Services
• Application tier
• Regulatory requirements
• Security posture
Creating and managing policies becomes a whole lot easier
[Figure: data center perimeter with workloads grouped into a PCI scope]
MICRO-SEGMENTATION
Our security realities
Proliferation of devices accessing the data center, yet not all are secured
• Mobile device in the field or at home
• Laptop or desktop at work or home
• VDI at a branch or remote location
Mobile workers have broad access to data center resources
[Figure: devices reaching the data center across the Internet and network perimeter]
SECURE END USER
What if you could…
Extend micro-segmentation out to secure the end user device
• Mobile device in the field or at home
• Laptop or desktop at work or home
• VDI at a branch or remote location
Micro-segmentation limits device access to only what is needed
[Figure: devices reaching the data center across the Internet and network perimeter]
SECURE END USER
Our security realities
Isolating physical infrastructure for security is effective, but inefficient
• Manual processes
• High CapEx investment
• Inefficient use of pooled resources
[Figure: a physical DMZ separated from the core infrastructure in the data center]
DMZ ANYWHERE
What if you could…
Pool your physical infrastructure resources… so that you could provide isolation at the hypervisor layer, enabling you to create DMZs anywhere, regardless of their location
• Scalable and flexible
• Simplify management
• Increase asset utilization
[Figure: DMZs placed on pooled core infrastructure across the data center]
DMZ ANYWHERE
Driving value with our NSX partner ecosystem
• Compute Infrastructure
• Network Infrastructure
• Networking & Security Services
• Orchestration & Management Platforms
• Operations & Visibility
[Figure: partner and product logos by category, including vRealize Automation, vCloud Director, vRealize Orchestrator, VIO and vSAN Ready Node]
NSX customer momentum is growing exponentially
• Customers: 2,600+ customers across all industries and organizational sizes — representing 100% year-over-year growth (Q2 2016: 1,300+; Q2 2017: 2,600+)
• Deployments: Over two new deployments of NSX per day. Number of deployments increased 3x year-over-year
• Certifications: 8,800+ Certified NSX professionals
Customers are using NSX…
• SERVICE PROVIDER: To stay one step ahead of hackers
• TECHNOLOGY: To keep pace with the explosion of data
• TELECOM: To keep millions of people connected
• FINANCE: To process millions of transactions globally
• HEALTHCARE: To keep hospitals running smoothly
• PUBLIC SECTOR: To protect governments and militaries
• EDUCATION: To deliver apps to thousands of students
• TRAVEL AND TRANSPORT: To keep planes in the air
• RETAIL: To process $ billions of retail transactions
State of Louisiana
Dustin Glover, CISO, State of Louisiana - OTS
Division of Administration
Office of Technology Services
Statewide
Enterprise Architecture
Information Security Overview
Business Goals
• Louisiana Department of Health System Modernization
  • Medicaid Eligibility & Enrollment Systems (Initially)
• Noticeably Improve Public Facing services for Louisiana Citizens
  • Quality & Availability
Technology Goals
• (7) Core Components must be COTS
• ALL Application Service Integration must be achieved through an Enterprise Service Bus (ESB)
• Standardize Server and Database platforms
• Extensive High Availability (HA) (Active/Active) and Recoverability
• Components:
  • Enterprise Service Bus
  • Identity Access Management
  • Master Data Management
  • Data Warehouse
  • Electronic Document Management
  • Consumer Communications
  • Business Rules Engine
InfoSec Goals
• Verifiable Regulatory Compliance
• CMS MARS-E 2.0 & SSA Compliant (Initially)
• Establish and Document Secure Baseline for all elements within the published 3 environments: Production w/ Restricted Data, NonProduction w/ Restricted, and NonProduction w/ NonRestricted
• Create internal Isolation (defense in depth)
• Significantly improve security monitoring
Issues: Performance loss
[Figure: vCenter managing VMs, before NSX]
Solution: NSX
[Figure: vCenter managing VMs, with NSX]
• Keep traffic within the “virtual fabric”
NSX Configuration Approach
[Figure: vCenter with NSX and three VMs: WebServer01; AppServer01, labelled [TAG]:AppServer01:8443; DBServer01, labelled [TAG]:DBServer01:1443. Legend: HOST TAG]
• Every HOST must also have a TAG.
• Access Policy is applied to TAG for HOST.
• TAGs are applied to HOSTs that require access.
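The tag convention on this slide, and the earlier point that an NSX policy should be built on workload characteristics rather than IPs and ports, can be modelled in a few lines. The script below is an added illustration for this transcript; it is not VMware's code and not the State of Louisiana's configuration. It assumes the reading of the slide where each host's own TAG is "<name>:<service port>", access policy is keyed on that TAG, and the TAG is applied to every VM that needs to reach the host. All VM names, addresses and ports are constructed.

```python
"""Tag-based micro-segmentation model (added example, not NSX code).

Mirrors the slide's approach: every host has a HOST TAG "<name>:<port>",
access policy is defined on that tag, and the tag is applied to the hosts
that require access. Decisions are made on workload identity, so the
policy survives re-addressing and blocks lateral hops by default.
"""
from copy import deepcopy
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class Workload:
    """One VM. Its own HOST TAG is "<name>:<service_port>"; `tags` holds the
    HOST TAGs of the services this VM has been granted access to."""
    name: str
    ip: str
    service_port: int
    tags: set = field(default_factory=set)

    @property
    def host_tag(self) -> str:
        return f"{self.name}:{self.service_port}"


# Constructed inventory modelled on the slide's Web -> App -> DB example.
INVENTORY = {
    "WebServer01": Workload("WebServer01", "10.0.1.10", 443, {"AppServer01:8443"}),
    "AppServer01": Workload("AppServer01", "10.0.2.10", 8443, {"DBServer01:1443"}),
    "DBServer01": Workload("DBServer01", "10.0.3.10", 1443),
}


def validate(inventory) -> list:
    """Every tag granted to a VM must be the HOST TAG of some VM in the
    inventory; returns the dangling tags (empty when the policy is consistent)."""
    known = {wl.host_tag for wl in inventory.values()}
    return sorted(t for wl in inventory.values() for t in wl.tags if t not in known)


def resolve(inventory, ip):
    """Map a packet's IP back to workload identity; None for unknown addresses."""
    for wl in inventory.values():
        if ip_address(wl.ip) == ip_address(ip):
            return wl
    return None


def evaluate(inventory, src_ip, dst_ip, dst_port) -> str:
    """Distributed-firewall style verdict for one flow: ALLOW only when the
    destination's HOST TAG has been applied to the source VM and the port is
    the one the destination serves; everything else is default deny."""
    src, dst = resolve(inventory, src_ip), resolve(inventory, dst_ip)
    if src is None or dst is None:
        return "DENY"
    if dst_port == dst.service_port and dst.host_tag in src.tags:
        return "ALLOW"
    return "DENY"


def grant_access(inventory, name, tag):
    """Apply a HOST TAG to a VM that requires access (returns a modified copy)."""
    updated = deepcopy(inventory)
    updated[name].tags.add(tag)
    return updated


def reassign_ip(inventory, name, new_ip):
    """Re-address one VM (returns a modified copy); no policy change is needed
    because the rules reference tags, not IPs."""
    updated = deepcopy(inventory)
    updated[name].ip = new_ip
    return updated


# Constructed flows: the intended path, a lateral hop, and a non-service port.
FLOWS = [
    ("10.0.1.10", "10.0.2.10", 8443),  # Web -> App on its service port
    ("10.0.2.10", "10.0.3.10", 1443),  # App -> DB on its service port
    ("10.0.1.10", "10.0.3.10", 1443),  # Web -> DB directly (lateral move)
    ("10.0.3.10", "10.0.2.10", 8443),  # DB -> App (no tag granted)
    ("10.0.2.10", "10.0.3.10", 22),    # App -> DB on a port DB does not expose
]


def decisions(inventory, flows):
    return [evaluate(inventory, s, d, p) for s, d, p in flows]


if __name__ == "__main__":
    assert not validate(INVENTORY), validate(INVENTORY)
    for flow, verdict in zip(FLOWS, decisions(INVENTORY, FLOWS)):
        print(f"{flow[0]:>10} -> {flow[1]}:{flow[2]:<5} {verdict}")
    moved = reassign_ip(INVENTORY, "AppServer01", "10.0.2.99")
    print("after re-IP:", evaluate(moved, "10.0.2.99", "10.0.3.10", 1443))
```

The two properties worth checking in such a model are the ones the slides claim for micro-segmentation: the web tier cannot reach the database directly even though both sit inside the perimeter, and moving AppServer01 to a new address changes nothing in the policy because the verdict is computed from the tag on the workload, not from the IP in the packet.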
NSX Configuration
NSX Configuration (cont.)
NSX Benefits
• Significantly Increased Performance
  • Routing and Firewall inside “virtual fabric”
• Allows for DNS load balancing inside NSX
• Significantly Increased Security Posture
  • True Micro-Segmentation
• Positioned for Migration to VMware Cloud ready IaaS
Team Effort
Big THANK YOU to:
Where to get started
Engage · Learn · Experience · Try · Take
• Join VMUG for exclusive access to NSX: vmug.com/VMUG-Join/VMUG-Advantage
• Connect with your peers: communities.vmware.com
• Find NSX Resources: vmware.com/products/nsx
• Network Virtualization Blog: blogs.vmware.com/networkvirtualization
• Dozens of Unique NSX Sessions: Spotlights, breakouts, quick talks & group discussions
• Visit the VMware Booth: Product overview, use-case demos
• Visit Technical Partner Booths: Integration demos – Infrastructure, security, operations, visibility, and more
• Meet the Experts: Join our Experts in an intimate roundtable discussion
• Free Hands-on Labs: Test drive NSX yourself with expert-led or self-paced hands-on labs. labs.hol.vmware.com
• Training and Certification: Several paths to professional certifications. Learn more at the Education & Certification Lounge. vmware.com/go/nsxtraining