SAI1384BU Security Policy Creation or distribution for publication … · 2019-06-27 · Why...

Catherine Fan, Senior Product Line ManagerNicholas Furman, Senior Technical Product Manager

SAI1384BU

#VMworld #SAI1384BU

Security Policy Creation

VMworld 2017 Content: Not fo

r publication or distri

bution

The software-defined data center

Meet the demands of a

dynamic business

environment

Deliver networking

security that is faster than

cybercriminals

Provide flexibility to

app mobility

The Business World Is Ready for a New Model

#SAI1384BU CONFIDENTIAL 2



bution

The Pressure on IT


Provision VM

Provision

Network

Security Services

Configured

Security Mapped

to Network

App

Deployed

Change

Happens

Policies

are Set

New App

Requested



bution

Challenge:Adaptability to Changes in App, Network, User, Threats


IT & Security teams are

unable to keep up with

high rate of change

User BehaviorApp Proliferation / App Technologies

Rate of change leads to significant implications

for maintaining a secure and efficient environment for applications.

Traffic Patterns Smart Attack Vectors / Shadow IT



bution

Security Admins Desire Best-of-breed Security Tools…

…with flexibility of choice and agility to switch

Security Admin

Security

Hardening

Security

Compliance

Address

Vulnerabilities

Respond to

Emerging Threats




bution

Why Security Management is Challenging

Manual workflows due to lack of

interoperability and automation across

“best-of-breed” security products

Limited visibility into a workload’s

security posture and policies

Deployment complexity with multiple

security products




bution

Secure SDDC with VMware NSXSecurity services are managed more efficiently in a software-defined datacenter

Apply and visualize

security policies for

workloads, in one place.

Automate workflows

across best-of-breed

services, without custom

integration.

Provision and monitor

uptime of different services,

using one method.

NSX Network Virtualization Platform

Deploy Apply Automate

Service Insertion Security PoliciesSecurity Groups Security Tags




bution

Customer Scenario: Sensitive Systems with Unsupported OS


Identify

workloads

Create a

new VLAN

Re-IP

machines

FIX things

that won’t

work post

re-IP

Create

security

group

Apply policy

to restrict

access



bution

International Energy Company: Protect against Evolving Threats

• International company in energy sector

– Security expectations are high in consideration to sensitive systems in its datacenters

– Strict regulations related to IT activity and geo-localization

• Key Challenges and Objectives

– Many sensitive systems running non-supported Guest-OS

– Keep the pace with evolving threats

• Protect against lateral movement between applications and VMs with different sensitivity-level without starting-over its infrastructure

– Embracing digital transformation and need to speed up secure-application delivery to the business

9

ENERGYSECTOR

#SAI1384BU CONFIDENTIAL



bution

Customer Approach: (1) Identify and Classify Sensitive Assets

• Traditional network segmentation is not sufficient to classify sensitive apps.

• Assets classification is based on:

– OS-Centric and Application-Centric Security groups

– Using security tags to group VMs involved in same applications

– Using nested-Security Groups to include « OS-Centric SG » into « App-Centric SG »


VMVM

VMVMLinux

OSVMVM

VMVMW2K3

OS

Application1

VMVM

VMVMW2012

OSVMVM

VMVMLinux

OSVMVM

VMVMW2K3

OS

Application 2VMworld 2017 Content: N

ot for publicatio

n or distribution

Customer Approach: (2) Build Security Policy

• Enrolling Apps with their Security context, depending on sensitivity and accessed resources:

– Apps-to-Internet

– Apps-to-Shared services

– Apps-to-Apps

– Intra-Apps

• NSX Service Composer is used to build:

– Multi-levels Security policy to map with applications perimeters (boundaries) depending on their sensitivity

– Precedence (or priority) is used to identify the sensitivity level

– Default « tabular view » FW Section to catch all non-defined applications’ traffic and Denied traffic


Section SC – Level 4 : Private NET access rule

Section SC – Level 5 : SAS/Internet access rules

Section SC – Level 3 : Core DC access rule

Section SC – Level 2 : Shared services apps rules

Section SC – Level 6 : Generic rules

Section SC – Level 1 : Intra-Apps rules

Section – FW : DENY ALL APPS

Section – FW : Catch ALL APPS

DF

W

rule

s

Sections b

uilt

usin

gserv

ice c

om

poser



bution

Application 1 Application 4 Application 5

Application 3 Application 5

Application 3 Application 4

Application 5Application 1

Application 3

The Global Application-centric Security Policy

12

VMVM

VMVMLinux

OSVMVM

VMVMW2K3

OS

Application 1

VMVM

VMVMLinux

OS VMVM

VMVMW2K3

OS VMVM

VMVMW2012

OS

Application 2




bution

Build Security into the Application Lifecycle


With VMware NSX, security is enforced through every step of an application’s lifecycle

Provision app

• Deploy security service

• Create and assign security group

• Create and assign security policy

Monitor app

• Monitor protection status

• Runs periodic security scan

Manage app

• Address known threats & vulnerabilities

• Respond to emergent attacks

• Adjust security policy as app changes over time

Decommission app

• Report compliance and generate audit logs



bution


14


Provision app




Monitor app



Manage app




Decommission app





bution

Register Security Services with VMware NSX


Service Definitions: built-in and 3rd-party services

Firewalling Endpoint Monitoring

Service categories, vendors, versions

are visible in one central view

Security



bution

Deploy Security Services with VMware NSX


Service Insertion Architecture

NSX Manager

1

Third-Party Management Console

2

Logical Firewall Logical Switch

3NSX Built-in Security

Services (Appliance per host)

4NSX Partner Services (Appliance

per host)



bution

Security Policies and Security Groups

17

Distributed Firewall Rules

Guest Introspection Rules

Network Introspection Rules

Security Policy▪ Anti-Malware / Anti-Virus ▪ Vulnerability Management▪ File Integrity Monitoring

▪ L3 / L4 Firewall Rules

▪ IDS / IPS Services▪ Firewall Services (L7)

Security Group

Dynamic Inclusion

Static Inclusion

Static Exclusion

VM-Centric

Infrastructure-Centric

HOW you

want to protect

WHAT you

want to protect




bution

HR

Policy and Services Assigned to Groups

• Define Policy

• Assign Services

• Automate Response

Define Once

Apply Repeatedly

Web

App DBVMworld 2017 Content: Not fo


bution

Example: “Common Services” Security Policy


Ports required by all

• NTP-OUT

• DNS-OUT

• SYSLOG-OUT

• SNMP-IN

• DHCP-OUT?

• WINDOWS UPDATES

• AV-OUT

• ADMIN-PORTS-IN

• LAST RULE

• ANY-ANY DENY

(enable logging)

Source: A.T. Still University, VMworld 2016 (NET10706-GD)



bution

Micro-Segmentation Policy Creation Strategies

• Leveraging Existing Firewall Policy

• Application Discovery

• vRealize Log Insight – Firewall Log

• vRealize Network Insight

• NSX Application Rule Manager & NSX Endpoint Monitoring


Options for Creating a Micro-Segmentation Policy

?VMworld 2017 Content: N

ot for publicatio

n or distribution




bution




Provision app




Monitor app



Manage app




Decommission app




bution

Monitoring and Troubleshooting: Is Security the Culprit?


Shifting from an infrastructure-first to a workload-first procedure

!!!



bution

Monitoring and Troubleshooting: Is Security the Culprit?


Shifting from an infrastructure-first to a workload-first procedure

SECURITY GROUP

!!!



bution

Automated Security Policy Enforcement


With increased visibility



bution

Security-Centric View

26

Policies – collection of service

profiles - assigned to this

container…to define HOW you

want to protect this container

e.g. “PCI Compliance” or

“Quarantine Policy’Nested containers –

other groupings within

the container

e.g. “Quarantine Zone” is

a sub group within “My

Data Center”

VMs (workloads) that belong to this

container.

e.g. “Apache-Web-VM”, “Exchange Server-

VM”

Containers – Grouping of VMs, IPs, and

more…to define WHAT you want to protect.

e.g. “Financial Applications”, “Desktop Users”,

“Quarantine Zone”

Service profiles for *deployed*

services, assigned to these

policies

Services supported today:

• Distributed Virtual Firewall

• Anti-virus

• Vulnerability Management

• Network IPS

• File Integrity Monitoring




bution

Workload-Centric View:Security Groups & Tags Assigned to a VM


Any security issues?Protected in security group?

Virtual Machine



bution

Workload-Centric View:All Security Policies Applied to a VM


28



bution

Monitor Uptime of Different Services


Service Deployments: installation and service status

Installation Status & Service Status

are visible in one central view



bution

Increase Visibility into Service Availability

30

Virtualization Platform

Restart Security Virtual Appliances,

upon detection of service health failure

Error messages provide

insight into why service failed




bution

Increase Visibility into Service Availability

31

Virtualization Platform

Restart Security Virtual Appliances,

upon detection of service health failure

Error messages provide

insight into why service failed




bution




Provision app




Monitor app



Manage app




Decommission app

• Decommission security services




bution

Automate Security Operations

Without VMware NSX

• Manual workflows

• No interoperability between best-of-breed security products

With VMware NSX

• Security is automated

• If one service finds something, then another service can do something about it

33

Create repeatable, automated workflows

across best-of-breed security products with VMware NSX


To respond to rapidly changing security conditions



bution

Advanced Services Insertion


1 2 3

Traditional Data Center NSX Data Center

▪ Flexible service chain that

adapts to changing conditions

– more efficient use of services

▪ Platform for integrating the

leading security products:

better security by sharing tags

NSX enables dynamic actions to respond to

changing security conditions

Static service chain Dynamic service chain



bution

Adaptable and Proactive Security

UNIQUE POLICY

DEFINITIONS

Policy and services

defined with future

changes in mind

Vulnerability scan.

If vulnerability

found, tag workload

with CVE Score.

UNIQUE POLICY

DEFINITIONS

Remediate changes

with preset policy

definitions

If tagged, remediate

with IPS.




bution

Automated Security in a Software-defined Data Center

UNIQUE POLICY

DEFINITIONS

Policy and services

defined with future

changes in mind

Scan to ensure no

private information

is stored. If found,

tag.

UNIQUE POLICY

DEFINITIONS

Remediate changes

with preset policy

definitions

If tagged, move

workload to more

secure PII group.

Finance Group PII Group

SN# 555-55-5555




bution

Automate Security Operations

ACTION (then)ATTRIBUTE (if)

Virus found

IIS.EXE

Vulnerability found (old software version)

“PCI”

Sensitive Data Found

Allow & Encrypt*

Restrict access

while investigating

OR

▪ Automated detection of

security conditions

(virus, vulnerability, etc.)

▪ Security policies define

automated actions

Security operations are automated and adapt to

dynamic conditions

Monitor VMwith IPS

Quarantine VM with Firewall




bution


38


Provision app




Monitor app



Manage app




Decommission app





bution

Eliminate Policy Sprawl through AutomationNo manual cleanup necessary during application decommissioning

SECURITY POLICY

“Standard Web” Firewall – allow

inbound HTTP/S,

allow outbound ANY

IPS – prevent DOS

attacks, enforce

acceptable use

SECURITY GROUP

SECURITY GROUP




bution


40


Provision app




Monitor app



Manage app




Decommission app





bution

SDDC Enables a More Secure Data Center


By automating security policy enforcement with VMware NSX

• Initial provisioning of security services is fast

• Ongoing changes to security policies over time is easy

• Monitoring and auditing security policy is simple




bution

Join VMUG for exclusive access to NSX

vmug.com/VMUG-Join/VMUG-Advantage

Connect with your peers

communities.vmware.com

Find NSX Resources

vmware.com/products/nsx

Network Virtualization Blog

blogs.vmware.com/networkvirtualization

Where to Get Started

Dozens of Unique NSX Sessions

Spotlights, breakouts, quick talks & group discussions

Visit the VMware Booth

Product overview, use-case demos

Visit Technical Partner Booths

Integration demos – Infrastructure, security, operations,

visibility, and more

Meet the Experts

Join our Experts in an intimate roundtable discussion

Free Hands-on Labs

Test drive NSX yourself with expert-led or self-paces

hands-on labs

labs.hol.vmware.com

Training and Certification

Several paths to professional certifications. Learn

more at the Education & Certification Lounge.

vmware.com/go/nsxtraining

Engage and Learn Experience

Try Take




bution

https://www.vmug.com/VMUG-Join/VMUG-Advantage

https://communities.vmware.com/community/vmtn/nsx

http://vmware.com/products/nsx

http://blogs.vmware.com/networkvirtualization

http://labs.hol.vmware.com/

http://www.vmware.com/go/nsxtraining



bution

SAI1384BU Security Policy Creation or distribution for publication … · 2019-06-27 · Why...

Documents

Transcript of SAI1384BU Security Policy Creation or distribution for publication … · 2019-06-27 · Why...