VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for Security Services in the SDDC

Merritte Stidston, McKesson; James Wiese, VMware. Session SEC5749 (#SEC5749).

Learn more about VMworld and register at http://www.vmworld.com/index.jspa?src=socmed-vmworld-slideshare

Transcript of VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for Security Services in the SDDC

Page 1: VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for Security Services in the SDDC

Introducing NSX Service Composer:

The New Consumption Model for Security Services

in the SDDC

Merritte Stidston, McKesson

James Wiese, VMware

SEC5749

#SEC5749

Page 2

Agenda

Cloud Security: The Challenge

Customer Example: McKesson

Introducing - NSX Service Composer

Product Examples

Page 3

Problems with Security Products in a Virtual Environment

End Users Blame IT for Being "Slow"

• Focus is generally only on storage, network and compute, but security can drag deployments. A mechanism is needed to apply policy at VM provisioning time (make it stick).

Bigger Datacenter Threat: Rapid Deployment From the Inside (Drift)

• Users create servers instantly: a snapshot of a golden image is used to provision many server instances at once, and the new VMs are not connected to the protection service.

• Servers have stale configurations and vulnerable software, which introduces threat.

Security Product Cannot "See" the VM

• VLANs can also segment out the network scanning services.

• Is the VM on the right network? Is the right version of the agent there? Does the VM agent have access to the security product console? What are the credentials?

Security Products Do Not Interoperate

• No ability to detect an issue and remediate without complicated scripts and process.

• Many ways to identify a VM (SID, IP, VMID); correlation is required for management.

Page 4

Overall Challenge: Security in the SDDC

Cumbersome Provisioning

Complicated deployment and troubleshooting processes make it difficult to maintain service levels for security.

Manual, Cross-Service Workflows

Security and cloud admins volley back and forth to identify, assess, plan and implement responses to security risks, a very inefficient process.

Security Policy ≠ Security Operations

Expecting cloud operators to manage security policies is unrealistic and unfair. Security architects define policy. Cloud operators implement policy.

(Illustration: Cloud Operator)

Page 5

Challenge: Firewall Roulette: Which VM is behind Which Wire?

CISO: "We need to make sure the Firewall is protecting the RED VMs appropriately. Can you confirm this?"

Page 6

Challenge: Detection Services Not Interoperable & Increase Process

Diagram (Web Servers, Services): Monitor Events → Identify Threat → Report → File Ticket with NetBIOS ID → Receive Ticket Notification → Correlate to IP (attempt) → Ask for VLAN Tag → Determine VM -> Subnet -> Tag → Realize NAT Issue? → Create Rule → Verify Rule → Close Ticket → Open Ticket to Patch Machine

Page 7

Challenge: 9 Dashboards of Wonder & Making Security Stick

Agile security is possible in 2012… if you identify workloads and connect the system by IP, by SID, by subnet, by host, by user, and don't change anything…

Dashboards shown: Vulnerability System, Antivirus System, Firewall, vCenter, IDS System, DLP System

Page 8

No knowledge of internal traffic and potential threats

Most breaches are not discovered by the breached party.

Common point of purchase

Current state — head in the sand

"I know I am wearing rose-colored glasses; we just haven't looked into this."


Page 10

Agenda

Cloud Security: The Challenge

Customer Example: McKesson

Introducing - NSX Service Composer

Product Examples

Page 11

Architectural Complexity: Securing Virtualization within the IT Infrastructure

Page 12

Architectural Complexity: Securing Virtualization within the IT Infrastructure

Diagram of the McKesson environment; labels as they appear, grouped by layer:

External Untrusted Layer: ISP 1, ISP 2, Edge Router, Internet, WAN-MPLS, B2B Extranet, McKesson CareBridge, CoLo's, External Hosting ASP, MPS, Partners / Vendors / Sub-Contractors, McK Remote Offices, McK Remote Sites, VPN Remote Access

Edge Perimeter Zone and Core Edge Firewall Layer: multiple firewalls (F/W) in front of the McKIT Shared DMZ and the PCI DMZ

Network Core Layer (McKIT) and Internal Router Infrastructure Distribution Layer: Management & Admin Network, PCI Internal Service Network Zone, CoLo Internal Service Network, ASP-MSP Internal Service Network, McKIT Shared Service Network

Internal Trusted Layer / Hypervisor Layer (ESXi, Hosts 1…n): vNet Fabric with vSwitch1, vSwitch2, vSwitch3 … vSwitchn; per-VM components (VM1…n): O/S Build, VM Build, VM Repository, HyTrust Gateway, vCenter, vShield App, vShield Edge, vShield Endpoint, Crypto, AV Agent, Auth-LDAP, Logs, B/U and Mngt. Agents; vSafe 1.6/API, vShield 1.6/API

Management & Security Services (physical): Patch / Secure VMs; Back-up/Restore Solution (B.U.R.N, VTL, De-Dup, Tape, DASD, SAN, NAS via NFS, iSCSI, SMB); ESXi Mngt YF; Patching; HP CSA; SIEM; EKMDE; Directory Services; Central Logging; Key Management; Backup & Recovery; Nessus Vulnerability Scan; DLP; IDS / IPS; Anti-virus; Inventory

Page 13

What is Secure Lab?

What were some of the business problems that prompted you to pick up the security baton?

• A fundamental belief that security is everyone's responsibility

• Our business units requested it and our customers expect it

• Building infrastructure with a security-first approach was a challenge

What technical challenges made this an urgent need?

• No roadmap to help guide the way

• Multiple tools to integrate

• Common framework with common goals

• Decoupled software & hardware stack (allows for future changes)

Page 14

McKesson SecureLab: NGDC Architecture

Diagram labels, grouped by function:

Compute and tenancy: ESXi hosts with Intel TXT; ESXi trusted boot with Intel TPM/TXT; vCenter (vSphere administration); VCD multi-tenancy management and application partition; VDCs for McKesson Imaging (App A: Web, MW, DB; App B: Web, DB, MW, App) and Horizon Clinicals (App C: Web, DB, MW; App D: DB)

Access path: Developers & App Support on physical desktops & laptops; View 5 VDI (hardened); VDI "bastion host" only access; vShield App: all VDI instances automatically firewalled from one another, VDI "group" to App access allowed by vShield App; vShield Edge: network gateway and secure multi-tenancy; vShield Endpoint

Security tooling (consumed as a corporate service): Nessus / Tenable Security Center (vulnerability assessment); McAfee ePO (antivirus, end point protection); RSA enVision SIEM (audit trail); Symantec data-at-rest DLP (data discovery); Code Green data-in-motion DLP (egress monitoring); data-in-use DLP; Vormetric Data Security Manager (encryption policy & key management); Secure File Transfer

Identity & access management: Microsoft Active Directory (AD domains, trusts, groups, roles, assignments; one-way trust between the Dev and McK domains); Sys Admin - Operations, Sec Admin, WDC vInfrastructure Admin; HyTrust (role-based access control, privileged user monitoring)

Page 15

Agenda

Cloud Security: The Challenge

Customer Example: McKesson

Introducing - NSX Service Composer

Product Examples

Page 16

NSX Service Composer

Security services can now be consumed more efficiently in the software-defined data center.

Apply. Apply and visualize security policies for workloads, in one place.

Automate. Automate workflows across different services, without custom integration.

Provision. Provision and monitor uptime of different services, using one method.

Page 17

Concept – Apply Policies to Workloads

Security Groups: WHAT you want to protect. Members (VM, vNIC…) and context (user identity, security posture).

HOW you want to protect it: Services (firewall, antivirus…) and profiles (labels representing specific policies).

APPLY: Define security policies based on service profiles already defined (or blessed) by the security team. Apply these policies to one or more security groups where your workloads are members.

Page 18

NSX Service Composer – Canvas View

Page 19

Introducing – NSX Service Composer

Annotated canvas view:

Containers: grouping of VMs, IPs, and more, to define WHAT you want to protect. e.g. "Financial Applications", "Desktop Users", "Quarantine Zone"

Nested containers: other groupings within the container. e.g. "Quarantine Zone" is a sub group within "My Data Center"

VMs (workloads) that belong to this container. e.g. "Apache-Web-VM", "Exchange Server-VM"

Policies: a collection of service profiles assigned to this container, to define HOW you want to protect this container. e.g. "PCI Compliance" or "Quarantine Policy"

Service profiles for *deployed* services, assigned to these policies.

Services supported today:

• Distributed Virtual Firewall

• Anti-virus

• Vulnerability Management

• Network IPS

• Data Security (DLP scan)

• User Activity Monitoring

• File Integrity Monitoring

Page 20

NSX Service Composer – Canvas View

Nested containers: other groupings within the container. e.g. "Quarantine Zone" is a sub group within "My Data Center"

Members: apps and workloads that belong to this container. e.g. "Apache-Web-VM", "Exchange Server-VM"


Page 22

Agenda

Cloud Security: The Challenge

Customer Example: McKesson

Introducing - NSX Service Composer

Product Examples

Page 23

Example: Firewall By Policy

Groups shown on the canvas: Corp, Cust Svc Desktop, Engineering, Domain Controllers, Sales Desktop, Sales SAP, SalesWeb, Extranet (DMZ), External FTP Servers, Corp External Web, Eng Desktop

Policies:

P1 – Corp Policy: Block Telnet, SSH from *

P2 – Department Policy: Block HTTP

P3 – Web App Policy: Allow 8080 from Desktops; Allow 443 from *; Block All Other

P4 – Eng Department Policy: Allow 80 HTTP from Internet

P5 – Desktop Policy: Block * to these from these

P6 – Sales Desktop Policy: Allow * from Sales/SAP

P7 – AD Policy: Allow *, TCP/UDP on port 137,445

Page 24

Example: Orchestrating Security Between Multiple Services

Two security groups, both managed by NSX Manager, each with a VSM F/W service: SG: Quarantine (membership: include VMs which have a CVSS score >= 9) and SG: Web Servers (membership: include VMs which have been provisioned as "WebServer").

1. Web Server VM running IIS is deployed, unknowingly having a vulnerability

2. Vulnerability scan is initiated on the web server (e.g. Rapid7's Nexpose product)

3. VM is tagged in NSX Manager with the CVE and CVSS score

4. NSX Manager associates the VM with Quarantine (VSM F/W deny)

5. [Externally] Admin applies patches, Nexpose re-scans the VM, clears the tag

6. NSX Manager removes the VM from Quarantine; the VM returns to its normal duties
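The quarantine loop on this slide, modelled as an added example (not VMware code and not the NSX API): the two security groups are membership predicates over VM objects, the scanner writes its findings as security tags, and both group membership and the resulting firewall action are recomputed from the tags rather than hand-edited. The group names, the "CVSS score >= 9" criterion and the "WebServer" provisioning role come from the slide; the VM names, the placeholder CVE id, the scores and the action labels "deny-all" / "allow-web" are constructed here.

```python
"""Tag-driven quarantine, modelled in plain Python (added example, not VMware's code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

CVSS_QUARANTINE_THRESHOLD = 9.0   # slide: "Include VMs which have CVSS score >= 9"


@dataclass
class VM:
    name: str
    provisioned_as: str                                            # role set by the provisioning system
    security_tags: Dict[str, float] = field(default_factory=dict)  # CVE id -> CVSS score

    def max_cvss(self) -> float:
        return max(self.security_tags.values(), default=0.0)


@dataclass
class SecurityGroup:
    name: str
    criterion: Callable[[VM], bool]   # dynamic membership rule; evaluated, never hand-edited
    firewall_action: str              # what the VSM firewall profile does for members (label assumed)

    def members(self, inventory: List[VM]) -> List[str]:
        return sorted(vm.name for vm in inventory if self.criterion(vm))


# Listed in precedence order: Quarantine must win over the normal web-server profile.
QUARANTINE = SecurityGroup("Quarantine",
                           lambda vm: vm.max_cvss() >= CVSS_QUARANTINE_THRESHOLD,
                           "deny-all")
WEB_SERVERS = SecurityGroup("Web Servers",
                            lambda vm: vm.provisioned_as == "WebServer",
                            "allow-web")
GROUPS = [QUARANTINE, WEB_SERVERS]


def scanner_report(vm: VM, findings: Dict[str, float]) -> None:
    """Steps 3 and 5: the scanner writes its findings as security tags on the VM.

    A re-scan replaces the previous tag set, so a CVE that no longer shows up
    after patching is cleared without anyone editing a firewall rule.
    """
    vm.security_tags = dict(findings)


def effective_action(vm: VM, groups: List[SecurityGroup] = GROUPS) -> str:
    """Steps 4 and 6: the firewall action that applies to the VM right now.

    A VM can belong to several groups at once (a quarantined web server is
    still a web server); the first matching group in precedence order decides.
    """
    for group in groups:
        if group.criterion(vm):
            return group.firewall_action
    return "default"


def run_workflow() -> List[Tuple[int, List[str], List[str]]]:
    """Replay the slide's six steps; returns (step, Quarantine members, Web Servers members)."""
    inventory: List[VM] = []
    trace: List[Tuple[int, List[str], List[str]]] = []

    def snapshot(step: int) -> None:
        trace.append((step, QUARANTINE.members(inventory), WEB_SERVERS.members(inventory)))

    web = VM("iis-web-01", provisioned_as="WebServer")   # step 1: deployed, vulnerable, not yet known
    inventory.append(web)
    snapshot(1)                                          # membership follows the provisioning role alone

    # Steps 2-3: the scan finds a critical issue. The CVE id is a placeholder, not a real CVE.
    scanner_report(web, {"CVE-0000-0000": 9.8})
    snapshot(3)                                          # now in both groups...
    assert effective_action(web) == "deny-all"           # ...and step 4 follows from the tag alone

    # Step 5: admin patches, the re-scan is clean, the tag disappears.
    scanner_report(web, {})
    snapshot(6)                                          # step 6: out of Quarantine, still a web server
    assert effective_action(web) == "allow-web"
    return trace


if __name__ == "__main__":
    for step, quarantine, web_servers in run_workflow():
        print(f"step {step}: Quarantine={quarantine} WebServers={web_servers}")
```

The point the trace makes is that nothing on the security side was edited by hand: the scanner changed a tag, and membership in Quarantine (and therefore the deny profile) followed from the group's criterion. A finding below the threshold leaves the VM on its normal "allow-web" profile, which is the check a practitioner would want before trusting an automatic quarantine.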

Page 25

Example: Deploying Security Services On Demand

1. ESX Host added to cluster

2. Service Composer: Deploys Security VMs (Partner & VMW)

3. VM brought up on host

4. Service Composer: Appropriate Security Services applied

5. VM vMotions to different host

6. Service Composer: Appropriate Security Services applied

Page 26

Example: Precedence Enforced for Dev/Test to Production

Service policy for the app, by environment:

"Dev": wire, FW

"Test": wire, FW

"Stage": wire, LB, FW, IDS, FIM, SVM, AV, LOG

"Production": wire, LB, FW, IDS, FIM, SVM, AV, LOG

Page 27

NSX Integrated Partners

NSX Controller & NSX Manager → NSX API → Partner Extensions: L2 Gateway, Firewall, ADC/LB, IDS/IPS, AV/FIM, Vulnerability Management (Security Services), plus Cloud Management Platforms

Page 28

VM Based Group Policy For Services

Diagram roles: App Consumer, Cloud Operations, Infrastructure (NOC)

Page 29

NSX Service Composer Benefits

Streamline Service Provisioning: Fewer steps to deploy VMware and partner content. Service outages are easy to identify and troubleshoot.

Automate Workflows Across Services: Workflows between different services are easily automated on this platform.

Apply Policies in the SDDC: Workloads are easily organized (WHAT you want to protect) and services can be easily mapped to resources (HOW you want to protect them), for consumption in the SDDC.

Services illustrated: AV, FW, IPS, DLP, Vuln. Mgmt

Page 30

Related Sessions

SEC-5750: Security Automation Workflows with NSX

SEC-5253: Get on with Business: VMware Reference Architectures Help Streamline Compliance Efforts

HOL: HOL-SDC1303: VMware NSX Network Virtualized Platform

Page 31

THANK YOU


Page 34

Background Slides

Page 35

Concept – Service Profiles

Comprises One or More Services: At least one service is required to define a service profile.

Container Can Have Multiple Service Profiles: Different profiles may need to apply to a single container. (Diagram: Container 1, Container 2, Container 3)

Precedence Must Be Enforced on Service Profiles: Ultimately, these services manifest in real security services, so in the case of overlapping services or conflicts, precedence must be enforced.
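The "Firewall By Policy" slide (P1 through P7) and this slide's precedence requirement, as one added example in Python (not VMware code): policies are attached to nested containers, every policy of every enclosing container applies to a VM, and the combined rule list is ordered by a per-policy weight before first-match evaluation. Which policy sits on which container, the weights, the VM names and the higher-weight-wins ordering are assumptions made here; two applied policies with the same weight are rejected, because the conflict would otherwise be resolved by accident rather than by the security team.

```python
"""Policy precedence over nested containers (added example, not VMware's code)."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "block"
    ports: Tuple[int, ...]  # empty tuple = any port
    source: str             # "*" = any source, otherwise a named group


@dataclass
class Policy:
    name: str
    weight: int             # precedence: higher weight is evaluated first (assumption of this model)
    rules: List[Rule]


@dataclass
class Container:
    name: str
    policies: List[Policy] = field(default_factory=list)
    members: List[str] = field(default_factory=list)       # VM names placed directly here
    children: List["Container"] = field(default_factory=list)

    def contains(self, vm: str) -> bool:
        """A VM in a nested container is also in every enclosing container."""
        return vm in self.members or any(c.contains(vm) for c in self.children)


def applied_policies(root: Container, vm: str) -> List[Policy]:
    """All policies from every container the VM belongs to, highest weight first.

    Two applied policies with the same weight would leave a conflict
    unresolved, so that case is rejected instead of silently ordered.
    """
    found: List[Policy] = []

    def walk(c: Container) -> None:
        if c.contains(vm):
            found.extend(c.policies)
            for child in c.children:
                walk(child)

    walk(root)
    weights = [p.weight for p in found]
    if len(set(weights)) != len(weights):
        raise ValueError(f"ambiguous precedence for {vm}: duplicate weights {weights}")
    return sorted(found, key=lambda p: p.weight, reverse=True)


def compile_rules(root: Container, vm: str) -> List[Rule]:
    """Flatten the ordered policies into the one rule list the VM's firewall evaluates."""
    return [r for p in applied_policies(root, vm) for r in p.rules]


def decide(rules: List[Rule], port: int, source: str, default: str = "allow") -> str:
    """First matching rule wins, which is exactly why the ordering above matters."""
    for r in rules:
        if (not r.ports or port in r.ports) and r.source in ("*", source):
            return r.action
    return default


def build_corp(eng_weight: int = 200) -> Container:
    """Corp container carrying P1 and P2, with an Engineering container nested inside carrying P4.

    With the default weights P1 (300) > P4 (200) > P2 (100): the Eng department's
    HTTP allow outranks the generic department HTTP block, while the corp-wide
    Telnet/SSH block still outranks everything. The placement and weights are assumed.
    """
    p1 = Policy("P1 Corp Policy", 300, [Rule("block", (23, 22), "*")])         # Block Telnet, SSH from *
    p2 = Policy("P2 Department Policy", 100, [Rule("block", (80,), "*")])      # Block HTTP
    p4 = Policy("P4 Eng Department Policy", eng_weight,
                [Rule("allow", (80,), "Internet")])                            # Allow 80 HTTP from Internet
    engineering = Container("Engineering", [p4], members=["eng-web-01"])
    return Container("Corp", [p1, p2], members=["sales-desktop-01"], children=[engineering])


if __name__ == "__main__":
    rules = compile_rules(build_corp(), "eng-web-01")
    for port, src in ((80, "Internet"), (80, "Desktops"), (22, "Internet")):
        print(f"eng-web-01 port {port} from {src}: {decide(rules, port, src)}")
```

Calling build_corp(eng_weight=50) puts P2 ahead of P4 and flips the HTTP-from-Internet decision for the same VM from allow to block; that is the "overlapping services or conflicts" case on this slide, and the reason precedence has to be an explicit, reviewed property of the policies rather than an artefact of the order in which they were created.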

Page 36

Concept – Containers

Contain VMs: Including machines, networks…anything that could comprise an application. But it could also be empty, perhaps waiting for a state change.

Can Contain Other Containers: Nesting is a powerful concept that allows you to group applications and resources more flexibly.

Can Contain Objects Defined by Security Tags: Services have intelligence in the form of visibility and control. They can find an issue with a machine and tag it to identify the issue. The mere act of tagging can add the machine to a container.

(Diagram: Container 1, Container 2, Container 3)

Page 37

VMware SDN & Security: Composite Policy Management

• Minimize Dedicated Hardware
• Optimize Utilization
Security By Virtual Service

• Always Connected Security
• Scale Applications On-demand
• Simplify Operations
VM Protection

• Integrated Management
• 3rd Party Extensible
Attach Services

• Dynamic Provisioning
• Detect & Remediate
Enable Policy-based Automation

VMware Network & Security Virtualization
