VMworld 2013: NSX PCI Reference Architecture Workshop Session 1 - Segmentation

Posted on 28-Nov-2014


VMworld 2013 Allen Shortnacy, VMware Learn more about VMworld and register at http://www.vmworld.com/index.jspa?src=socmed-vmworld-slideshare

Transcript of VMworld 2013: NSX PCI Reference Architecture Workshop Session 1 - Segmentation

NSX PCI Reference Architecture Workshop Session 1

- Segmentation

Allen Shortnacy, VMware

SEC5775

#SEC5775

© 2013 VMware Inc. All rights reserved

SEC5775 - NSX PCI Reference Architecture Workshop Session 1 - Segmentation

August 2013


Importance of Segmentation


About Segmentation

At a fundamental level the SDDC is about the:

• Pooling of physical compute and storage into groups

• Coupled with networks that allow for access to these resources

• Administrative and kernel networks for ESXi shell access and operations like vMotion

• APIs that allow us to interact with those resources

Auditors rely on ‘scope’ to define those items that should be audited

• In the SDDC it is easy to declare that everything is in ‘scope’ due to shared resources

• We need effective tools to declare ‘scopes’ and their usage as well as their join rules

• For those workloads that serve business function we want coherent policies

Value Propositions of Segmenting with NSX

• Reducing the ‘scope’ of the infrastructure subject to audit will reduce audit costs

• Leverage NSX to establish networks with policies that are transitive across datacenter

• Clearly define and orchestrate VMware and Technology Partners to monitor ‘layers’


Four Steps to Segmenting the SDDC

vSphere and Networking

• Hosts and Storage should also be segmented

• VLANs may still be used but are not relied upon as a control mechanism

• Dedicated cluster for SDDC Management VMs like vCenter, ActiveDirectory

Establish VXLAN for Workloads

• Allows for Layer 2 subnets across compliant hosts/clusters

• Provides routes to traverse from Layer 2 to other VXLAN and Edge Shared Services

Establish Zones for Shared Services, DMZ, etc. with Edge

• Active Directory serving Enterprise users, DNS, Messaging, Email, etc.

• Defining bastion host networks for access to administer these services

Establish Service Composer Firewall Policies

• Firewall and other technologies, declaratively enabled, follow the workload

• Workloads that come out of policy for any reason have access restricted


Step 1: Segment Storage for Consumption

Groups: vSphere Storage Networks; ESXi Hosts/Clusters to LUNs

Usage: vSphere, Porticor; Create Encrypted iSCSI LUNs; Consume via Storage vSwitches

Segmenting Storage with Encryption and dedicated vSwitches eases consumption while maintaining compliance


Porticor Solution

State of the art encryption

• AES 256 / SHA 2 – standards based…

• … yet implemented with best-in-class performance

• Streaming, caching, stateless servers, cloud scale solution

Cloud key management - The “banker”

• Metaphor: a physical safety deposit box is behind strong walls, and… requires two keys to open/lock: one for the customer, the other for the banker

• The secret sauce: “split key” and “homomorphic” technology creates this in a virtual environment


The “Swiss Banker” metaphor

Customer has a key, “Banker” has a key

Master key with Homomorphic key encryption

Key-splitting and Homomorphic Technology together deliver Trust


Demo: Create Encrypted iSCSI LUNs and Map to vSwitch


Step 2: Identify and Label vSphere Components

Groups: ESXi Hosts/Clusters; vSwitch/Port Groups to VLANs

Usage: vSphere, HyTrust; Identify vSphere assets; Label in HyTrust as ‘PCI’; VLANs inherited from Port Groups

Identifying Hosts, Storage and Network Assets for compliance scope is the initial step in Segmentation

© 2013, HyTrust, Inc. www.hytrust.com | 1975 W. El Camino Real, Suite 203, Mountain View, CA 94040 | Phone: 650-681-8100 | email: info@hytrust.com

HyTrust

Multi-Tenancy Wizard

With Great Power Comes Great Responsibility…

Significant Risk of Catastrophic Failure

How HyTrust Protects VMware


Demo: Identify and Tag Core vSphere Asset Groups


PCI DSS 2.0 on VLANs and Segmentation

“Relying on Virtual LAN (VLAN) based segmentation alone is not sufficient. For example, having the CDE on one VLAN and the WLAN on a separate VLAN does not adequately segment the WLAN and take it out of PCI DSS scope. VLANs were designed for managing large LANs efficiently. As such, a hacker can hop across VLANs using several known techniques if adequate access controls between VLANs are not in place.”


NSX Architecture

[Diagram] Management Plane: vCD/vCAC, vCenter Server and NSX Manager (paired 1:1). Control Plane: NSX Edge Distributed Router, Controller. Data Plane (1:Many): NSX Edge Services Router and, on each host, the VXLAN, DR, DFW and Security modules.


Management Plane Components

vCD/vCAC: Self service and on-demand Provisioning of Infrastructure; Abstracted pool of services (Compute/Storage/Network); Catalogue of applications

vCenter Server: Provisioning and Management of Compute/Memory, Storage, Virtual Switch

NSX Manager (paired 1:1 with vCenter Server): Provisioning and Management of Network and Network services; VXLAN Preparation; Logical Network Consumption; Network Services Configuration


Control Plane Components

Components: NSX Edge, Distributed Router, Controller

Functions: Dynamic Routing; VXLAN – VLAN Bridging; Scale Out; VXLAN - no Multicast; ARP suppression; Distributed Routing


Data Plane Components

ESX Host: Kernel Modules (VXLAN, DR, DFW, Security); Message Bus; User World Agent

NSX Edge Services Router: NAT; DHCP; LB; VPN


Communication Between The Three Planes

[Diagram] Management Plane (vCD/vCAC, vCenter Server, NSX Manager), Control Plane (NSX Edge Distributed Router, Controller) and Data Plane (NSX Edge Services Router; per-host VXLAN, DR, DFW, Security). Interfaces shown between the planes: vSphere API, REST API, VIX API and Message Bus.


VXLAN NSX for vSphere

[Diagram] Four vSphere Hosts on a vSphere Distributed Switch, attached to the VXLAN Transport Network and a Controller Cluster. VM1, VM2, VM3 and VM4 share logical segment VXLAN 5001; Unicast Traffic between them is carried between VTEPs: VTEP1 10.20.10.10 and VTEP2 10.20.10.11 on VXLAN Transport Subnet A 10.20.10.0/24, VTEP3 10.20.11.10 and VTEP4 10.20.11.11 on VXLAN Transport Subnet B 10.20.11.0/24.
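The slide shows VM traffic on segment VXLAN 5001 carried between VTEPs in two transport subnets. The following added example (not from the deck or from VMware's code) builds and parses the VXLAN encapsulation for that case; the VTEP addresses and VNI come from the slide, while the Ethernet frame, the VM-to-VTEP placement and the segment table are constructed assumptions.

```python
import struct
import ipaddress
from typing import Dict, Optional, Tuple

VXLAN_UDP_PORT = 4789   # IANA-assigned UDP port for VXLAN (RFC 7348)
VXLAN_FLAG_I = 0x08     # flags byte: the "I" bit marks the VNI field as valid

# VTEP addresses and the VNI below come from the slide; frames are constructed.
VTEPS = {"VTEP1": "10.20.10.10", "VTEP2": "10.20.10.11",
         "VTEP3": "10.20.11.10", "VTEP4": "10.20.11.11"}
VNI_PCI = 5001

def vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags(1) reserved(3) VNI(3) reserved(1)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!II", VXLAN_FLAG_I << 24, vni << 8)

def encapsulate(src_vtep: str, dst_vtep: str, vni: int, inner_frame: bytes) -> bytes:
    """Outer IPv4 src/dst (8 bytes) + UDP dst port (2) + VXLAN header (8) + L2 frame.
    A real packet carries full IP/UDP headers; only the lookup fields are kept here."""
    outer = ipaddress.IPv4Address(src_vtep).packed + ipaddress.IPv4Address(dst_vtep).packed
    return outer + struct.pack("!H", VXLAN_UDP_PORT) + vxlan_header(vni) + inner_frame

def decapsulate(packet: bytes) -> Tuple[str, str, int, bytes]:
    """Return (src_vtep, dst_vtep, vni, inner_frame); reject non-VXLAN or bad headers."""
    if len(packet) < 18:
        raise ValueError("truncated packet")
    src = str(ipaddress.IPv4Address(packet[0:4]))
    dst = str(ipaddress.IPv4Address(packet[4:8]))
    (dport,) = struct.unpack("!H", packet[8:10])
    if dport != VXLAN_UDP_PORT:
        raise ValueError("not a VXLAN packet")
    flags_word, vni_word = struct.unpack("!II", packet[10:18])
    if not (flags_word >> 24) & VXLAN_FLAG_I:
        raise ValueError("VNI-valid flag not set")
    return src, dst, vni_word >> 8, packet[18:]

def deliver(packet: bytes, local_vtep: str, local_segments: Dict[int, str]) -> Optional[bytes]:
    """Model the receiving VTEP: the inner frame is handed only to the logical switch
    whose VNI this host serves; a frame for any other VNI (or another VTEP) is dropped."""
    src, dst, vni, inner = decapsulate(packet)
    if dst != local_vtep or vni not in local_segments:
        return None
    return inner

# VM1 (behind VTEP1, subnet A) sends a unicast frame to VM3 (behind VTEP3, subnet B)
SAMPLE_FRAME = bytes.fromhex("0050560000030050560000010800") + b"constructed payload"
SAMPLE_PACKET = encapsulate(VTEPS["VTEP1"], VTEPS["VTEP3"], VNI_PCI, SAMPLE_FRAME)
```

The VNI is the segmentation boundary: a host that does not serve VNI 5001 never hands the inner frame to a VM, which is what lets the transport subnets stay out of the workload's Layer 2 domain.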


Components Mapped to Physical Infrastructure

[Diagram] Compute Racks (Hypervisor Modules), Infra Racks (Controller, VC, NSX Manager) and Edge Racks (On/off Ramp to WAN / Internet).


Step 3: NSX Distributed Edge VXLAN Networks

Groups: vSwitch/Port Groups to VLANs; NSX Edge VXLANs

Usage: Create vDS for VXLAN in vSphere; NSX Manager prepare hosts, add logical networks and deploy Edges

NSX provides Distributed Logical Routers as well as Distributed Services like Firewall through Edge deployments


Service Placement – Distributed Design

[Diagram] Web Tier, App Tier and DB Tier placed on VXLAN segments over the Network Fabric (L2 / L3), with 802.1Q (.1Q) VLANs toward the WAN / Internet.


Demo: Create Segmented VXLAN Overlay Networks


Hypervisor Kernel Embedded Firewall

Benefits…

• Built into the Hypervisor

• “Line Rate” Performance (15Gbps/Host)

• Better compliance model


Distributed Virtual Firewall

[Diagram] Firewall enforcement at each VM across the hosts.

Benefits…

• No “Choke Point”

• Scale Out

• Enforcement closest to VM


Step 4: Establish NSX App Distributed Firewall Rules

NSX simplifies the steps for creating firewall rules used for segmenting workload tiers and tenants

Groups: vApp Patterns to Firewall Rules; NSX Edge Firewall Security Groups

Usage: vSphere create vDS for VXLAN; NSX Manager prepare hosts, add logical networks and deploy Edges


Demo: Create Firewall Policies For Controlling vApp Network Access


Step 4: Establish NSX App Distributed Firewall Rules

NSX enables migration across segmentation policy controlled hosts while maintaining routing and firewall rule consistency

Groups: vSwitch/Port Groups to VLANs; NSX Edge VXLANs

Usage: vSphere create vDS for VXLAN; NSX Manager prepare hosts, add logical networks and deploy Edges
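Both Step 4 slides make the same point: distributed firewall rules are written against security groups and follow the workload, so tier segmentation survives migration and a workload that falls out of policy has its access restricted. The following added example (not from the deck or from VMware's code) models that evaluation for the Web, App and DB tiers shown earlier; the VM names, hosts, tags, ports and rule set are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set
@dataclass
class VM:
    name: str
    host: str
    tags: Set[str] = field(default_factory=set)
@dataclass
class Rule:
    src_group: str    # security group name, or "any"
    dst_group: str
    dst_port: int
    action: str       # "allow" or "deny"

# Security group membership is derived from VM tags, not from IP, VLAN or host.
GROUP_TAGS: Dict[str, str] = {"SG-Web": "tier=web", "SG-App": "tier=app", "SG-DB": "tier=db"}

RULES: List[Rule] = [
    Rule("any", "SG-Web", 443, "allow"),     # clients reach the Web tier only
    Rule("SG-Web", "SG-App", 8080, "allow"),  # Web tier may call the App tier
    Rule("SG-App", "SG-DB", 3306, "allow"),   # App tier may reach the DB tier
]                                             # anything else: default deny

def groups_of(vm: VM) -> Set[str]:
    return {g for g, tag in GROUP_TAGS.items() if tag in vm.tags}

def evaluate(src: VM, dst: VM, dst_port: int, rules: List[Rule] = RULES) -> str:
    """Decide at the destination VM's vNIC. A VM in no security group is 'out of
    policy' and has its access restricted (deny), whatever the rules would match."""
    dst_groups = groups_of(dst)
    if not dst_groups:
        return "deny"
    src_groups = groups_of(src)
    for r in rules:
        src_ok = r.src_group == "any" or r.src_group in src_groups
        if src_ok and r.dst_group in dst_groups and r.dst_port == dst_port:
            return r.action
    return "deny"

def vmotion(vm: VM, new_host: str) -> VM:
    """Migration changes only the host; tags, and so the policy, travel with the VM."""
    return VM(vm.name, new_host, set(vm.tags))

def three_tier_demo() -> Dict[str, str]:
    web, app, db = VM("web1", "esx-01", {"tier=web"}), VM("app1", "esx-02", {"tier=app"}), VM("db1", "esx-03", {"tier=db"})
    untagged_db = VM("db2", "esx-03", set())          # out of policy: no group membership
    return {"web->app:8080": evaluate(web, app, 8080), "web->db:3306": evaluate(web, db, 3306),
            "app->db:3306": evaluate(app, db, 3306), "moved app->db:3306": evaluate(vmotion(app, "esx-04"), db, 3306),
            "app->untagged db:3306": evaluate(app, untagged_db, 3306)}
```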


Capex Value Expressed in Infrastructure Utilization

[Diagram] Compute Racks (ESXi Clusters with VMs, up to the max supported VMs per vCenter: vCenter 1, vCenter 2), Infrastructure Racks (Storage, vCenter and vCloud Director) and Edge Racks (WAN / Internet).


Summary – Value Achieved via Segmentation

Segmentation techniques provide uniform consumption of SDDC while maintaining controls needed for compliance

Dynamic routing and overlay networks provide isolation needed for SDDC resources to be consumed

Centralized Policy Management eases the administrative burden by providing networking and firewall rules that are always ‘in context’

Reduced Audit Costs by providing controls of core SDDC elements such as storage and compute bound to networks thereby limiting scope

Get hands on experience! Partner Hands On Lab with HyTrust, Catbird and LogRhythm to go with VMware NSX Hands On Labs

Visit the HyTrust booth and Porticor online at http://www.porticor.com/porticor-for-vmware/ for more information


VMworld: Security and Compliance Sessions

NSX

• 5318: NSX Security Solutions In Action (201)

• 5753: Dog Fooding NSX at VMware IT (201)

• 5828: Datacenter Transformation (201)

• 5582: Network Virtualization across Multiple Data Centers (201)

NSX Firewall

• 5893: Economies of the NSX Distributed Firewall (101)

• 5755: NSX Next Generation Firewalls (201)

• 5891: Build a Collapsed DMZ Architecture (301)

• 5894: NSX Distributed Firewall (301)

NSX Service Composer

• 5749: Introducing NSX Service Composer (101)

• 5750: NSX Automating Security Operations Workflows (201)

• 5889: Troubleshooting and Monitoring NSX Service Composer (301)

Compliance

• 5428: Compliance Reference Architecture Framework Overview (101)

• 5624: Accelerate Deployments – Compliance Reference Architecture (Customer Panel) (201)

• 5253: Streamlining Compliance (201)

• 5775: Segmentation (301)

• 5820: Privileged User Control (301)

• 5837: Operational Efficiencies (301)

Other

• 5589: Healthcare Customer Case Study: Maintaining PCI, HIPAA and HITECH Compliance in Virtualized Infrastructure (Catbird – Jefferson radiology)

• 5178: Motivations and Solution Components for enabling Trusted Geolocation in the Cloud - A Panel discussion on NIST Reference Architecture (IR 7904). (Intel and HyTrust)

• 5546: Insider Threat: Best Practices and Risk Mitigation techniques that your VMware based IaaS provider better be doing! (Intel)


Other VMware Activities Related to This Session

HOL:

HOL-SDC-1315: vCloud Suite Use Cases - Control & Compliance

HOL-SDC-1317: vCloud Suite Use Cases - Business Critical Applications

HOL-PRT-1306: Compliance Reference Architecture - Catbird, HyTrust and LogRhythm

Group Discussions:

SEC1002-GD: Compliance Reference Architecture: Integrating Firewall, Antivirus, Logging and IPS in the SDDC with Allen Shortnacy

SEC5428

THANK YOU
