Transcript of SAI1384BU Security Policy Creation (VMworld 2017) · 2019-06-27
Security Policy Creation
Catherine Fan, Senior Product Line Manager
Nicholas Furman, Senior Technical Product Manager
#VMworld #SAI1384BU
VMworld 2017 Content: Not for publication or distribution
The Business World Is Ready for a New Model
The software-defined data center:
• Meet the demands of a dynamic business environment
• Deliver networking security that is faster than cybercriminals
• Provide flexibility to app mobility
#SAI1384BU CONFIDENTIAL 2
The Pressure on IT
(Diagram: the application lifecycle loop) New App Requested → Provision VM → Provision Network → Security Services Configured → Security Mapped to Network → Policies are Set → App Deployed → Change Happens → (back to the start)
Challenge: Adaptability to Changes in App, Network, User, Threats
IT & Security teams are unable to keep up with the high rate of change in user behavior, app proliferation / app technologies, traffic patterns, and smart attack vectors / shadow IT.
This rate of change has significant implications for maintaining a secure and efficient environment for applications.
Security Admins Desire Best-of-breed Security Tools…
…with flexibility of choice and agility to switch. The security admin has to cover: security hardening, security compliance, addressing vulnerabilities, and responding to emerging threats.
Why Security Management is Challenging
• Manual workflows due to lack of interoperability and automation across “best-of-breed” security products
• Limited visibility into a workload’s security posture and policies
• Deployment complexity with multiple security products
Secure SDDC with VMware NSX
Security services are managed more efficiently in a software-defined datacenter:
• Apply and visualize security policies for workloads, in one place.
• Automate workflows across best-of-breed services, without custom integration.
• Provision and monitor uptime of different services, using one method.
NSX Network Virtualization Platform building blocks: Service Insertion (Deploy), Security Policies, Security Groups and Security Tags (Apply), and automation across services (Automate).
Customer Scenario: Sensitive Systems with Unsupported OS
(Diagram of the steps) Identify workloads → Create a new VLAN → Re-IP machines → Fix things that won’t work post re-IP, versus: Create security group → Apply policy to restrict access
International Energy Company: Protect against Evolving Threats (energy sector)
• International company in the energy sector
– Security expectations are high, given the sensitive systems in its datacenters
– Strict regulations related to IT activity and geo-localization
• Key challenges and objectives
– Many sensitive systems running unsupported guest OSes
– Keeping pace with evolving threats
– Protect against lateral movement between applications and VMs with different sensitivity levels, without starting over its infrastructure
– Embracing digital transformation, and needing to speed up secure application delivery to the business
Customer Approach: (1) Identify and Classify Sensitive Assets
• Traditional network segmentation is not sufficient to classify sensitive apps.
• Asset classification is based on:
– OS-centric and application-centric security groups
– Security tags to group the VMs involved in the same application
– Nested security groups, so that an « OS-centric SG » is included in an « App-centric SG »
(Diagram: Application 1 contains a Linux OS group and a W2K3 OS group of VMs; Application 2 contains W2012, Linux and W2K3 OS groups.)
Customer Approach: (2) Build Security Policy
• Enroll apps with their security context, depending on sensitivity and the resources they access:
– Apps-to-Internet
– Apps-to-Shared services
– Apps-to-Apps
– Intra-Apps
• NSX Service Composer is used to build:
– A multi-level security policy mapped to application perimeters (boundaries) according to their sensitivity
– Precedence (priority) is used to identify the sensitivity level
– A default « tabular view » DFW section that catches all traffic of non-defined applications and denies it
DFW rule sections built using Service Composer, ordered by level:
Section SC – Level 1 : Intra-Apps rules
Section SC – Level 2 : Shared services apps rules
Section SC – Level 3 : Core DC access rule
Section SC – Level 4 : Private NET access rule
Section SC – Level 5 : SAS/Internet access rules
Section SC – Level 6 : Generic rules
Default DFW sections below them:
Section – FW : Catch ALL APPS
Section – FW : DENY ALL APPS
The Global Application-centric Security Policy
(Diagram: the per-application groups, Application 1, 3, 4 and 5, are combined into one global application-centric policy; Application 1 and Application 2 each contain their Linux, W2K3 and W2012 OS-centric groups of VMs.)
Build Security into the Application Lifecycle
With VMware NSX, security is enforced through every step of an application’s lifecycle
Provision app
• Deploy security service
• Create and assign security group
• Create and assign security policy
Monitor app
• Monitor protection status
• Run periodic security scans
Manage app
• Address known threats & vulnerabilities
• Respond to emergent attacks
• Adjust security policy as the app changes over time
Decommission app
• Decommission security services
• Report compliance and generate audit logs
Register Security Services with VMware NSX
Service Definitions: built-in and 3rd-party services (firewalling, endpoint, monitoring). Service categories, vendors and versions are visible in one central view.
Deploy Security Services with VMware NSX
Service Insertion Architecture: (1) NSX Manager, (2) third-party management console, (3) NSX built-in security services (appliance per host) alongside the logical firewall and logical switch, (4) NSX partner services (appliance per host).
Security Policies and Security Groups
Security Policy (HOW you want to protect):
▪ Guest Introspection Rules: Anti-Malware / Anti-Virus, Vulnerability Management, File Integrity Monitoring
▪ Distributed Firewall Rules: L3 / L4 Firewall Rules
▪ Network Introspection Rules: IDS / IPS Services, Firewall Services (L7)
Security Group (WHAT you want to protect):
▪ Dynamic Inclusion
▪ Static Inclusion
▪ Static Exclusion
▪ VM-centric or infrastructure-centric membership
Policy and Services Assigned to Groups
• Define Policy
• Assign Services
• Automate Response
Define once, apply repeatedly (diagram: one policy applied to the HR application’s Web, App and DB groups)
Example: “Common Services” Security Policy
Ports required by all workloads:
• NTP-OUT
• DNS-OUT
• SYSLOG-OUT
• SNMP-IN
• DHCP-OUT?
• WINDOWS UPDATES
• AV-OUT
• ADMIN-PORTS-IN
• LAST RULE: ANY-ANY DENY (enable logging)
Source: A.T. Still University, VMworld 2016 (NET10706-GD)
Micro-Segmentation Policy Creation Strategies
Options for creating a micro-segmentation policy:
• Leveraging existing firewall policy
• Application discovery
• vRealize Log Insight – firewall log
• vRealize Network Insight
• NSX Application Rule Manager & NSX Endpoint Monitoring
Monitoring and Troubleshooting: Is Security the Culprit?
Shifting from an infrastructure-first to a workload-first procedure (diagram: the alert is traced from the workload to the security group it belongs to).
Automated Security Policy Enforcement
With increased visibility
Security-Centric View
• Containers – grouping of VMs, IPs, and more… to define WHAT you want to protect. e.g. “Financial Applications”, “Desktop Users”, “Quarantine Zone”
• Nested containers – other groupings within the container. e.g. “Quarantine Zone” is a sub-group within “My Data Center”
• VMs (workloads) that belong to this container. e.g. “Apache-Web-VM”, “Exchange Server-VM”
• Policies – collection of service profiles – assigned to this container… to define HOW you want to protect this container. e.g. “PCI Compliance” or “Quarantine Policy”
• Service profiles for *deployed* services, assigned to these policies
Services supported today:
• Distributed Virtual Firewall
• Anti-virus
• Vulnerability Management
• Network IPS
• File Integrity Monitoring
Workload-Centric View: Security Groups & Tags Assigned to a VM
For a given virtual machine: any security issues? Is it protected in a security group?
Workload-Centric View: All Security Policies Applied to a VM
Monitor Uptime of Different Services
Service Deployments: installation status and service status are visible in one central view.
Increase Visibility into Service Availability
The virtualization platform restarts security virtual appliances upon detection of a service health failure; error messages provide insight into why the service failed.
Automate Security Operations
Create repeatable, automated workflows across best-of-breed security products with VMware NSX, to respond to rapidly changing security conditions.
Without VMware NSX
• Manual workflows
• No interoperability between best-of-breed security products
With VMware NSX
• Security is automated
• If one service finds something, then another service can do something about it
Advanced Services Insertion
NSX enables dynamic actions to respond to changing security conditions.
Traditional Data Center: static service chain (service 1 → 2 → 3 in a fixed order)
NSX Data Center: dynamic service chain
▪ Flexible service chain that adapts to changing conditions – more efficient use of services
▪ Platform for integrating the leading security products: better security by sharing tags
Adaptable and Proactive Security
UNIQUE POLICY DEFINITIONS – policy and services defined with future changes in mind: run a vulnerability scan; if a vulnerability is found, tag the workload with the CVE score.
UNIQUE POLICY DEFINITIONS – remediate changes with preset policy definitions: if tagged, remediate with IPS.
Automated Security in a Software-defined Data Center
UNIQUE POLICY DEFINITIONS – policy and services defined with future changes in mind: scan to ensure no private information is stored; if found, tag.
UNIQUE POLICY DEFINITIONS – remediate changes with preset policy definitions: if tagged, move the workload from the Finance Group to the more secure PII Group (diagram: a workload holding SN# 555-55-5555 is moved).
Automate Security Operations
Security operations are automated and adapt to dynamic conditions:
▪ Automated detection of security conditions (virus, vulnerability, etc.)
▪ Security policies define automated actions
ATTRIBUTE (if):
• Virus found (IIS.EXE)
• Vulnerability found (old software version)
• “PCI” / Sensitive data found
ACTION (then):
• Quarantine VM with firewall
• Monitor VM with IPS
• Restrict access while investigating, OR allow & encrypt*
Eliminate Policy Sprawl through Automation
No manual cleanup necessary during application decommissioning.
SECURITY POLICY “Standard Web”: Firewall – allow inbound HTTP/S, allow outbound ANY; IPS – prevent DoS attacks, enforce acceptable use. The one policy is bound to the application’s security groups.
SDDC Enables a More Secure Data Center
By automating security policy enforcement with VMware NSX:
• Initial provisioning of security services is fast
• Ongoing changes to security policies over time are easy
• Monitoring and auditing security policy is simple
With VMware NSX, security is enforced through every step of an application’s lifecycle.
Where to Get Started
Engage and Learn
• Dozens of Unique NSX Sessions – spotlights, breakouts, quick talks & group discussions
• Visit the VMware Booth – product overview, use-case demos
• Visit Technical Partner Booths – integration demos: infrastructure, security, operations, visibility, and more
• Meet the Experts – join our experts in an intimate roundtable discussion
Experience and Try
• Free Hands-on Labs – test drive NSX yourself with expert-led or self-paced hands-on labs: labs.hol.vmware.com
Take
• Training and Certification – several paths to professional certifications. Learn more at the Education & Certification Lounge: vmware.com/go/nsxtraining
Join VMUG for exclusive access to NSX: vmug.com/VMUG-Join/VMUG-Advantage
Connect with your peers: communities.vmware.com
Find NSX resources: vmware.com/products/nsx
Network Virtualization Blog: blogs.vmware.com/networkvirtualization