VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for Security Services in...
Transcript of VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for Security Services in...
Introducing NSX Service Composer:
The New Consumption Model for Security Services
in the SDDC
Merritte Stidston, McKesson
James Wiese, VMware
SEC5749
#SEC5749
Agenda
Cloud Security: The Challenge
Customer Example: McKesson
Introducing - NSX Service Composer
Product Examples
Problems with Security Products in a Virtual Environment
End Users Blame IT for Being ‘Slow’
• Focus is generally only on storage, network and compute, but security can drag deployments – a mechanism is needed to apply policy at VM provisioning (and make it stick)
Bigger Datacenter Threat: Rapid Deployment From the Inside (Drift)
• Users create servers instantly – a snapshot of a golden image is used to provision many server instances at once, and the new VMs are not connected to the protection service
• Servers have stale configurations and vulnerable software, which introduces threat
Security Product Cannot “See” the VM
• VLANs can also segment the network scanning services away from the VM
• Is the VM on the right network? Is the right version of the agent there? Does the VM agent have access to the security product console? What are the credentials?
Security Products Do Not Interoperate
• No ability to detect an issue and remediate without complicated scripts and process
• Many ways to identify a VM – requires correlation for management (SID, IP, VMID)
Overall Challenge: Security in the SDDC
Cumbersome Provisioning
Complicated deployment and troubleshooting processes make it difficult to maintain service levels for security.
Manual, Cross-Service Workflows
Security and cloud admins volley back and forth to identify, assess, plan for and implement against security risks…a very inefficient process.
Security Policy ≠ Security Operations
Expecting cloud operators to manage security policies is unrealistic and unfair. Security architects define policy. Cloud operators implement policy.
Challenge: Firewall Roulette: Which VM is behind Which Wire?
CISO: “We need to make sure the Firewall is protecting the RED VMs appropriately. Can you confirm this?”
Challenge: Detection Services Not Interoperable & Increase Process
(Workflow diagram, as drawn, between the Web Servers and the Services teams.)
Monitor Events → Identify Threat → Report → File Ticket with NetBIOS ID → Receive Ticket Notification → Correlate to IP (attempt) → Ask for VLAN Tag → Determine VM -> Subnet -> Tag → Realize NAT Issue? → Create Rule → Verify Rule → Close Ticket → Open Ticket to Patch Machine
Challenge: 9-Dashboards of Wonder & Making Security Stick
Agile security is possible in 2012……if you identify workloads and connect the system – by IP, by SID, by subnet, by host, by user, and don’t change anything…
Dashboards shown: Vulnerability System, Antivirus System, Firewall, vCenter, IDS System, DLP System
No knowledge of internal traffic and potential threats
Most breaches are not discovered by the breached party.
Common point of purchase
Current state — head in the sand
"I know I am wearing rose-colored glasses; we just haven't looked into this."
Customer Example: McKesson
Architectural Complexity: Securing Virtualization within the IT Infrastructure
(Architecture diagram; the recoverable labels follow.)
Zones and layers: External Untrusted Layer (ISP 1, ISP 2, Internet, B2B Extranet, McKesson CareBridge, WAN-MPLS, CoLo’s, External Hosting ASP, MPS, Partners/Vendors/Sub-Contractors, McK Remote Offices and McK Remote Sites); Edge Perimeter Zone (Edge Router, multiple firewalls, VPN Remote Access, McKIT Shared DMZ, PCI DMZ); Core Edge Firewall Layer; Network Core Layer (McKIT); Infrastructure Distribution Layer (Internal Router); Internal Trusted Layer with per-zone internal service networks (Management & Admin Network, PCI Internal Service Network, CoLo Internal Service Network, ASP-MSP Internal Service Network, McKIT Shared Service Network).
Hypervisor Layer: ESXi Hosts 1…n on a vNet Fabric (vSwitch1…vSwitchn); VM1…n each carrying an AV agent, endpoint crypto, Auth-LDAP, logs and a backup/management agent; vCenter with vShield App, Edge and Endpoint (vSafe 1.6/API, vShield 1.6/API); HyTrust Gateway in front of vCenter; O/S build, VM build and VM repository.
Management & Security Services (physical): patching, ESXi management, HP CSA, SIEM, EKMDE, directory services, central logging, key management, backup & recovery (B.U.R.N: VTL, de-dup, tape, DASD/SAN/NAS over NFS, iSCSI and SMB), Nessus vulnerability scan, DLP, IDS/IPS, anti-virus, inventory, secure VMs.
What is Secure Lab?
What were some of the business problems that prompted you to pick up the security baton?
• A fundamental belief that security is everyone's responsibility
• Our business units requested it and our customers expect it
• Building infrastructure with a security-first approach was a challenge
What technical challenges made this an urgent need?
• No roadmap to help guide the way
• Multiple tools to integrate
• Need for a common framework with common goals
• Decoupled software & hardware stack (allows for future changes)
McKesson SecureLab: NGDC Architecture
(Architecture diagram; the recoverable labels follow.)
Compute: ESXi hosts with trusted boot on Intel TPM/TXT; vCD multi-tenancy with separate management and application partitions; vCenter; View 5 VDI (hardened); physical desktops & laptops.
Access path: developers, app support and McK Dev vSphere administration reach the environment only through a VDI “bastion host”; all VDI instances are automatically firewalled from one another by vShield App; VDI “group” to App access is allowed by vShield App; vShield Edge provides the network gateway and secure multi-tenancy; vShield Endpoint provides endpoint protection.
Tenant VDCs: McKesson Imaging VDC and Horizon Clinicals VDC, each hosting multi-tier apps (App A, App B, App C, App D with Web, MW and DB tiers).
Identity & access: Microsoft Active Directory (AD domains, one-way trust, groups, roles, assignments) consumed as a corporate service; HyTrust for role-based access control and privileged user monitoring of WDC vInfrastructure admins; separate Sys Admin (Operations) and Sec Admin roles; audit trail.
Security services: Nessus / Tenable Security Center (vulnerability assessment), McAfee ePO (antivirus, end point protection), RSA enVision SIEM, Symantec data-at-rest DLP (data discovery), Code Green data-in-motion DLP (egress monitoring), data-in-use DLP, Vormetric Data Security Manager (encryption policy & key management), secure file transfer; several consumed as a corporate service.
Introducing - NSX Service Composer
NSX Service Composer
Security services can now be consumed more efficiently in the software-defined data center.
Apply. Apply and visualize security policies for workloads, in one place.
Automate. Automate workflows across different services, without custom integration.
Provision. Provision and monitor uptime of different services, using one method.
Concept – Apply Policies to Workloads
Security Groups – WHAT you want to protect: members (VM, vNIC…) and context (user identity, security posture).
Security Policies – HOW you want to protect it: services (firewall, antivirus…) and profiles (labels representing specific policies).
APPLY: Define security policies based on service profiles already defined (or blessed) by the security team. Apply these policies to one or more security groups where your workloads are members.
NSX Service Composer – Canvas View
(Annotated screenshot; the annotations follow.)
Containers – grouping of VMs, IPs, and more…to define WHAT you want to protect. e.g. “Financial Applications”, “Desktop Users”, “Quarantine Zone”
Nested containers – other groupings within the container. e.g. “Quarantine Zone” is a sub group within “My Data Center”
VMs (workloads) that belong to this container. e.g. “Apache-Web-VM”, “Exchange Server-VM”
Policies – collection of service profiles assigned to this container…to define HOW you want to protect this container. e.g. “PCI Compliance” or “Quarantine Policy”
Service profiles for *deployed* services, assigned to these policies.
Services supported today:
• Distributed Virtual Firewall
• Anti-virus
• Vulnerability Management
• Network IPS
• Data Security (DLP scan)
• User Activity Monitoring
• File Integrity Monitoring
Product Examples
Example: Firewall By Policy
Security groups shown (as drawn): Corp; Cust Svc Desktop; Engineering Domain Controllers; Sales Desktop; Sales SAP SalesWeb; Extranet (DMZ); External FTP Servers; Corp External Web; Eng Desktop
Policies shown:
P1 – Corp Policy: Block Telnet, SSH from *
P2 – Department Policy: Block HTTP
P3 – Web App Policy: Allow 8080 from Desktops; Allow 443 from *; Block All Other
P4 – Eng Department Policy: Allow 80 HTTP from Internet
P5 – Desktop Policy: Block * to these from these
P6 – Sales Desktop Policy: Allow * from Sales/SAP
P7 – AD Policy: Allow *, TCP/UDP on port 137,445
Example: Orchestrating Security Between Multiple Services
Security groups (both with VSM F/W services attached, managed by NSX Manager):
SG: Quarantine – Membership: include VMs which have a CVSS score >= 9
SG: Web Servers – Membership: include VMs which have been provisioned as “WebServer”
1. Web Server VM running IIS is deployed, unknowingly carrying a vulnerability
2. Vulnerability scan is initiated on the web server (e.g. Rapid7’s Nexpose product)
3. VM is tagged in NSX Manager with the CVE and CVSS score
4. NSX Manager associates the VM with the Quarantine group (VSM F/W deny)
5. [Externally] Admin applies patches, Nexpose re-scans the VM and clears the tag
6. NSX Manager removes the VM from Quarantine; the VM returns to its normal duties
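The tag-driven quarantine above, and the precedence that lets the Quarantine policy override the Web Servers policy while both apply to the same VM, is easy to read as magic. The following is a small model of the mechanics, added to this transcript and not code from VMware or NSX: security groups with dynamic membership criteria re-evaluated against VM attributes and security tags, security policies ranked by a weight, and a scanner that writes and then clears a tag. The group names, policy weights, placeholder tag name, port numbers and the default-allow fallback are assumptions of the example.

```python
"""Model of Service Composer-style policy application (illustrative, not NSX code).

Security groups define WHAT (a membership criterion over VM attributes and tags);
security policies define HOW (firewall rules plus a precedence weight).  A scanner
tagging a VM moves it into Quarantine, whose higher-weight deny policy wins over the
Web Servers policy; clearing the tag reverses that.  All data here is constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class VM:
    name: str
    role: str                                   # set at provisioning, e.g. "WebServer"
    tags: Dict[str, float] = field(default_factory=dict)   # security tag -> CVSS score


@dataclass
class SecurityGroup:
    name: str
    criterion: Callable[[VM], bool]             # dynamic membership, re-evaluated per lookup

    def members(self, inventory: List[VM]) -> Set[str]:
        return {vm.name for vm in inventory if self.criterion(vm)}


@dataclass
class FirewallRule:
    action: str                                 # "allow" or "deny"
    dst_port: Optional[int] = None              # None matches any port


@dataclass
class SecurityPolicy:
    name: str
    weight: int                                 # higher weight wins when policies overlap
    applied_to: str                             # security group name
    rules: List[FirewallRule]


class Composer:
    """Resolves the effective firewall action for a VM from group membership and policy weight."""

    def __init__(self, groups: List[SecurityGroup], policies: List[SecurityPolicy]):
        self.groups = {g.name: g for g in groups}
        self.policies = sorted(policies, key=lambda p: -p.weight)   # highest precedence first

    def effective_action(self, inventory: List[VM], vm_name: str, dst_port: int) -> Tuple[str, str]:
        for policy in self.policies:
            if vm_name not in self.groups[policy.applied_to].members(inventory):
                continue
            for rule in policy.rules:                                # first match within a policy
                if rule.dst_port in (None, dst_port):
                    return rule.action, policy.name
        return "allow", "default"                                    # assumed default rule of this model


def max_cvss(vm: VM) -> float:
    return max(vm.tags.values(), default=0.0)


GROUPS = [
    SecurityGroup("Quarantine", lambda vm: max_cvss(vm) >= 9.0),         # "CVSS score >= 9"
    SecurityGroup("Web Servers", lambda vm: vm.role == "WebServer"),    # "provisioned as WebServer"
]
POLICIES = [
    SecurityPolicy("Quarantine Policy", 1000, "Quarantine", [FirewallRule("deny")]),
    SecurityPolicy("Web App Policy", 100, "Web Servers",
                   [FirewallRule("allow", 443), FirewallRule("deny")]),
]


def scanner_tag(vm: VM, tag: str, cvss: float) -> None:
    """Stands in for the scanner (e.g. Nexpose) writing a security tag to NSX Manager."""
    vm.tags[tag] = cvss


def scanner_clear(vm: VM, tag: str) -> None:
    """Stands in for the re-scan that clears the tag after patching."""
    vm.tags.pop(tag, None)


def quarantine_lifecycle() -> List[Tuple[str, str, str]]:
    """Replays the scenario; returns (step, action, deciding policy) for HTTPS to the web VM."""
    composer = Composer(GROUPS, POLICIES)
    web = VM("IIS-Web-01", role="WebServer")
    inventory = [web]
    trace = []
    trace.append(("provisioned",) + composer.effective_action(inventory, web.name, 443))
    scanner_tag(web, "CVE-PLACEHOLDER", 9.8)      # placeholder tag name, not a real CVE id
    trace.append(("tagged",) + composer.effective_action(inventory, web.name, 443))
    scanner_clear(web, "CVE-PLACEHOLDER")         # patched and re-scanned clean
    trace.append(("cleared",) + composer.effective_action(inventory, web.name, 443))
    return trace


if __name__ == "__main__":
    for step, action, policy in quarantine_lifecycle():
        print(f"{step:12s} -> {action:5s} (by {policy})")
```

Nobody edits a firewall rule at any point in the lifecycle: the membership criteria are re-evaluated on every lookup, so the tag alone moves the VM in and out of the Quarantine group, and the deny comes from the policy attached to that group. The integer weight plays the role of the security policy's precedence (weight) in Service Composer; the check that matters when you build this for real is that the quarantine policy outranks every policy that could otherwise allow traffic to the same VM.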
Example: Deploying Security Services On Demand
1. ESX host added to cluster
2. Service Composer: deploys security VMs (partner & VMware)
3. VM brought up on host
4. Service Composer: appropriate security services applied
5. VM vMotions to a different host
6. Service Composer: appropriate security services applied
Example: Precedence Enforced for Dev/Test to Production
(Diagram: service policy for an app in each environment, as drawn.)
“Dev” / “Test” / “Stage”: wire, FW
“Production”: wire, LB, FW, IDS, FIM, SVM AV, LOG
NSX Integrated Partners
(Diagram.) NSX Controller & NSX Manager expose the NSX API; partner extensions plug in through it: L2 Gateway, Firewall, ADC/LB, IDS/IPS, AV/FIM and Vulnerability Management as security services, plus Cloud Management Platforms.
VM Based Group Policy For Services
(Diagram; roles shown: App Consumer, Cloud Operations, Infrastructure (NOC).)
NSX Service Composer Benefits
Streamline Service Provisioning – Fewer steps to deploy VMware and partner content. Service outages are easy to identify and troubleshoot.
Automate Workflows Across Services – Workflows between different services are easily automated on this platform.
Apply Policies in the SDDC – Workloads are easily organized (WHAT you want to protect) and services can be easily mapped to resources (HOW you want to protect them), for consumption in the SDDC.
Services pictured: AV, FW, IPS, DLP, Vuln. Mgmt
Related Sessions
SEC-5750: Security Automation Workflows with NSX
SEC-5253: Get on with Business: VMware Reference Architectures Help Streamline Compliance Efforts
HOL: HOL-SDC1303: VMware NSX Network Virtualized Platform
THANK YOU
Background Slides
Concept – Service Profiles
Comprises One or More Services – At least one service is required to define a service profile.
Container Can Have Multiple Service Profiles – Different profiles may need to apply to a single container.
Precedence Must Be Enforced on Service Profiles – Ultimately, these services manifest in real security services, so in the case of overlapping services or conflicts, precedence must be enforced.
Concept – Containers
Contain VMs – Including machines, networks…anything that could comprise an application. But it could also be empty, perhaps waiting for a state change.
Can Contain Other Containers – Nesting is a powerful concept that allows you to group applications and resources more flexibly.
Can Contain Objects Defined by Security Tags – Services have intelligence in the form of visibility and control. They can find an issue with a machine and tag it to identify the issue. The mere act of tagging can add the machine to a container.
VMware SDN & Security: Composite Policy Management
• Minimize Dedicated Hardware
• Optimize Utilization
Security By Virtual Service
• Always Connected Security
• Scale Applications On-demand
• Simplify Operations
VM Protection
• Integrated Management
• 3rd Party Extensible
Attach Services
• Dynamic Provisioning
• Detect & Remediate
Enable Policy-based Automation
VMware Network & Security Virtualization