VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational Efficiencies

VMworld 2013, Allen Shortnacy, VMware. Learn more about VMworld and register at http://www.vmworld.com/index.jspa?src=socmed-vmworld-slideshare

Transcript of VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational Efficiencies

Page 1: VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational Efficiencies

NSX PCI Reference Architecture Workshop Session 3 - Operational Efficiencies

Allen Shortnacy, VMware

SEC5837

#SEC5837

Page 2: Operational Efficiencies

Page 3: About Operational Efficiencies

Cloud and SDDC have evolved from IT silos, including security and compliance

• ITSM, ITIL and other mature processes will need to evolve with the SDDC
• The impact of network and storage virtualization silos will require more bi-directional interaction from legacy infrastructure teams

Policies and procedures regarding security and compliance will also change

• Understanding how different solutions interact with the platform and with each other to accommodate compliance becomes a must, not just for design but also for operations
• Due to the nature of the SDDC, workloads under regulatory compliance become untethered from the physical topology, but they require a coherent, near-real-time logging and correlation strategy to understand the inter-layer impact of events

Building and revising SDDC architectures will become SDLC-like

• Opportunities to take out OPEX and operate at greater scale on the VI admin/workload ratio are many, and with demonstrable ROI
• This will require some new skill sets, like DevOps, to automate APIs and generate new task-oriented interfaces

Page 4: Security and Compliance Challenges in the SDDC

Cumbersome Provisioning: complicated deployment and troubleshooting processes make it difficult to maintain service levels for security.

Manual, Cross-Service Workflows: security and cloud admins volley back and forth to identify, assess, plan and implement around security risks, a very inefficient process.

Policy ≠ Operations: security and compliance are roadblocks to cloud, but expecting security architects to manage cloud operations is unrealistic and unfair. Architects design and define policy. Operators implement.

Page 5: Compliance Challenges: Many Systems - Dashboards of Wonder

Vulnerability management system, antivirus system, firewall, vCenter, IDS system, DLP system

Page 6: Four Steps to Gaining Operational Efficiencies in the SDDC

Define and manage partner solutions from NSX Service Composer

• Deploy and monitor partner solutions and their availability
• Define parameters for inter-operating NSX and partner solutions
• Create NSX and partner services policies that can be re-used across trust zones

Leverage integration of NSX and partner solutions for workflows

• Creating common tags across NSX and partner solutions allows for broader administrative activities formerly accomplished through error-prone 'swivel chair' operations

Discover SDDC processes that are manual but repeatable, with little variation

• Leverage REST APIs and development toolkits such as Puppet, Chef or vCenter Orchestrator to automate tasks
• Reduce 'swivel chair' operations across consoles, providing greater scale or complete end-to-end automation with logging for a utility computing approach

Abstract SDDC security and compliance policies into self-service governance

• Declare at deploy time the requirements for an application with regard to regulations

Page 7: Step 1: Managing NSX and Partner Solutions with Service Composer

NSX and NSX partner solutions are integrated for deployment, initialization and definition of common parameters

Function:
• Service Composer enables creation of partner services
• Service Composer templates provide reusable methods for distributed policy management

Usage (NSX Service Composer):
• Define security services
• Define settings for services
• Apply to new trust zones
• Monitor for readiness

Page 8: Challenge – Security Product Provisioning in Cloud Infrastructure

• Remains complex
• Unclear ownership
• Lack of SLAs

Provisioning steps today, split between the VI admin and the security admin (vShield Endpoint example):

1. vSphere and partner console already deployed
2. Install vShield Manager
3. Install vShield Endpoint
4. Register Endpoint with VC
5. Add VC to partner console
6. Install required drivers on hosts
7. Deploy partner SVA
8. Activate partner SVA
9. Activate VMs
10. Start managing security policies

Page 9: Troubleshooting Security Services Requires Considerable Back and Forth Between Virtual Admins and Security Admins

If a service goes down, where do you start with troubleshooting steps? Security solution or virtualization solution?

What if there was a configuration change in the infrastructure that caused an outage? How could this change be determined?

Page 10: NSX Service Composer Provisioning

Clusters: Compute, Management, Gateway

1. Host Prep: install kernel modules (VXLAN, Distributed Router and Distributed FW); simple one-click install per cluster; all modules installed together
2. Logical Network Prep: configure VTEP IP, MTU and teaming per cluster; create transport zones (network scope)
3. Deploy Controller: a simple UI in VSM deploys the Controller OVF and configures it; no other configuration required; a minimum 3-node controller cluster is required for HA
4. Register Services: log in; some services are pre-registered (Data Security, Identity, Trend Micro, Rapid7, McAfee); register the Symantec antivirus solution; register the Symantec IPS solution
5. Deploy Services: some services are pre-deployed (Data Security, Identity); deploy the Symantec antivirus solution; partner management consoles registered
6. Troubleshooting Services: power off or suspend the data security VM; observe the failure message and root cause; initiate 'resolve' (repair); observe progress and final status

Page 11: NSX Service Composer: Security Ready for Consumption

Security Groups: WHAT you want to protect
• Members: VM, vNIC, network (virtual/logical switch, physical), distributed virtual port group, cluster, data center, resource pool, vApp, other container, IP address, MAC
• Context: user identity, sensitive data, security posture

HOW you want to protect it
• Services: firewall, antivirus, intrusion prevention, vulnerability management and more
• Profiles: security policies from VMware and third-party solutions that are defined by the security architect but implemented by the cloud operator

APPLY the profiles to the security groups

Page 12: Step 2: Establish Workflow Integration between NSX and Partner

NSX and partner solutions are integrated by APIs, either by making direct calls to NSX or by setting machine metadata

Diagram: SG: Web Servers (VSM F/W services) and SG: Quarantine (VSM F/W services)

Function:
• Service Composer enables creation of 'Tags' for integrating partner solutions
• NSX and partner solutions leverage one another

Usage (NSX Service Composer):
• Define security groups
• Define tags for dynamic inclusion in NSX security groups
• Define partner solution tags to be set

Page 13: Demo: Orchestrating Security Between Multiple Products

Page 14: Step 3: NSX RESTful Automation

NSX provides REST APIs, which means you can create, delete or manipulate NSX SDDC constructs with HTTP POST and GET

Function:
• Identify repeatable NSX provisioning or config tasks
• Determine target integration types and choose a dev toolkit

Usage (NSX REST APIs):
• Unit test functionality with HTTP tools (curl, Firefox RESTclient)
• Integrate into larger-scope processes with vCenter Orchestrator, etc.
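As an added illustration of Step 3 (not code from the deck or from VMware), a small Python client that makes the kind of REST call the slide describes: HTTP Basic authentication over TLS with an XML body, an injectable transport so the request can be unit-tested offline before it goes into a vCenter Orchestrator workflow, and a hard failure on an error status so a half-provisioned step cannot pass silently. The `/api/4.0/edges` path is assumed from the NSX-v API reference and the XML body is a placeholder; check both against the API guide for the version in use.

```python
"""Added example (not VMware code): a tiny client for the kind of repeatable
NSX provisioning call Step 3 describes, built so it can be unit-tested offline.
The path /api/4.0/edges is assumed from the NSX-v API reference and the XML body
is a placeholder; verify both against the API guide for the version in use."""
import base64
import ssl
import urllib.request
from typing import Callable, Dict, List, Tuple

Transport = Callable[[urllib.request.Request], Tuple[int, bytes]]


def live_transport(req: urllib.request.Request) -> Tuple[int, bytes]:
    """HTTPS transport for real use. Certificate verification stays on: the NSX
    Manager certificate must chain to a CA the automation host trusts."""
    with urllib.request.urlopen(req, context=ssl.create_default_context(), timeout=30) as resp:
        return resp.status, resp.read()


class NsxClient:
    """HTTP Basic auth over TLS with XML bodies, the scheme the NSX API expects."""

    def __init__(self, manager: str, user: str, password: str,
                 transport: Transport = live_transport) -> None:
        self.base = f"https://{manager}"
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}",
                        "Content-Type": "application/xml", "Accept": "application/xml"}
        self.transport = transport

    def build(self, method: str, path: str, body: bytes = b"") -> urllib.request.Request:
        """Assemble the request without sending it, so a test can inspect it."""
        req = urllib.request.Request(self.base + path, data=body or None, method=method)
        for name, value in self.headers.items():
            req.add_header(name, value)
        return req

    def call(self, method: str, path: str, body: bytes = b"") -> Tuple[int, bytes]:
        status, payload = self.transport(self.build(method, path, body))
        if status >= 400:
            # Fail loudly: a workflow step that swallows a 4xx/5xx leaves the
            # environment half-provisioned with nothing in the orchestrator log.
            raise RuntimeError(f"{method} {path} -> HTTP {status}: {payload[:200]!r}")
        return status, payload


class RecordingTransport:
    """Offline stand-in for NSX Manager: records requests, returns a canned reply."""

    def __init__(self, status: int = 201, payload: bytes = b"edge-placeholder") -> None:
        self.seen: List[urllib.request.Request] = []
        self.reply = (status, payload)

    def __call__(self, req: urllib.request.Request) -> Tuple[int, bytes]:
        self.seen.append(req)
        return self.reply


def provision_edge(client: NsxClient, edge_xml: bytes) -> Dict[str, object]:
    """One repeatable Step 3 task: POST the construct and keep the reply for audit."""
    status, payload = client.call("POST", "/api/4.0/edges", edge_xml)
    return {"status": status, "reply": payload.decode()}
```

Swapping `RecordingTransport` for `live_transport` is the only change between the offline unit test and the real call, which is what lets the same function be dropped into an orchestrator step unchanged.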

Page 15: Most Requested Deployment Models for Multi-Tiered Apps

• Multi-tiered app, multiple networks (web, app and database tiers each on their own network)
• Multi-tiered app, single network (web, app and database tiers on one network)

Page 16: Most Requested Network and Security Services

NSX provides built-in, logical networks and services to address the most common (and challenging) requests for cloud service automation: firewall, networks (switches), load balancer, router.

Page 17: Deployment Tools, Process, Best Practices

VMware Cloud Application Deployment Toolkit - Details

Diagram: Packaging Factory, Package Catalog and Deploy Factory, with enterprise ISVs on one side and customers (managed service providers) on the other.

1. Packaging Factory: a "factory" for producing reusable, cloud-ready deployment packages for the most popular business apps
2. Package Catalog: a cloud-based, access-controlled repository to store application packages
3. Deploy Factory: a controller to download packages, provision a secured deployment environment and orchestrate automated deployment of the application

Page 18: Deployment Tools, Process, Best Practices

How Does this Work – Packaging Factory

Components: vFabric Application Director, Chef and VMware Studio, Subversion server, Build Controller. Artifacts: application blueprint, cookbook, node template.

• Packaging factory infrastructure consists of a Subversion server, VMware Studio, vFabric Application Director and Chef
• Application binaries remain unchanged
• Deployment information is captured at various levels of detail in application blueprints, node templates and deployment scripts (cookbooks)

Page 19: Deployment Tools, Process, Best Practices

How Does this Work – Package Catalog

• An application package is uploaded to a cloud-based repository
• The service provider gets access to the repository using an access-controlled portal
• The application package is downloaded into the service provider's cloud

Page 20: Deployment Tools, Process, Best Practices

How Does this Work – Deploy Factory

Components: vFabric Application Director, vCloud Director, VMware Studio and Chef, Deployment Controller. Output: a vApp of VMs on a virtual network.

• Deploy Factory infrastructure consists of vCloud Director, vFabric Application Director, VMware Studio, Chef and the Deployment Controller
• (Optional) Create a private network to place the application into
• vApp(s) are deployed in the target environment
• The application is installed via application blueprints
• Each node is configured using Chef

Page 21: Demo: RESTful Automation of NSX Edge Deployment

Page 22: Step 4: Use NSX Automation in Self-Service Provisioning

NSX metadata exposed in the vCAC self-service catalog allows for declarative binding of network and services policies such as firewall

Diagram: request a 3-tiered app, then request network and services

Function:
• vCloud Automation Center self-service provisioning
• NSX dynamic policy profile inclusion

Usage (vCloud Automation Center):
• New workload request
• Bind to NSX networks and services

Page 23: vCloud Automation Center Policy Management

Diagram (labels only): business groups A, B and C and their users; authentication and role-based authorization yielding authorized users; resource reservations with cost profiles across public, physical and virtual shared infrastructure (Tier 1); service blueprints with cost profiles; lifecycle of requisition, provision, manage, retire.

Page 24: vCloud Automation Center Extensibility Spectrum: Flexibility without Complexity

Page 25: Where We Are Today

(Spectrum shown on this and the following slides: create on-demand, leverage existing infrastructure, requires customization)

Pre-Created, Logical Networks

Apps can be spun up on-demand using logical networks that have already been created. Creating logical networks in advance is still more agile than provisioning physical networks.

Page 26: Where We Are Today

Networks Explicitly Assigned

App blueprints may require networks with NAT, routed, or private connectivity. The admin must directly specify network information.

Diagram: web, app and database tiers on a NAT network (A.B.C.# translated to X.Y.Z.#) or on a routed network (A.B.C.#).

Page 27: Where We Are Today

Pre-created Firewall Rules

Apps can be added to existing security groups.

Page 28: Where We Are Today

Pre-created Load Balancer Pool

Apps can be added to existing load balancer pools (Services Edge load balancer).

Page 29: Discovery of vCNS Resources and Policies

Resources discovered from the VMware vCenter managed endpoint: clone templates, customization specs, hosts/host clusters, CPU, memory, storage, networking.

Policies discovered from vCNS Manager: security groups, VXLANs, load balancers.

Add a vCNS Manager address and credentials to a vSphere (vCenter) endpoint definition.

Page 30: Reserving vCNS Resources for Each Group

• VXLANs appear as network paths in resource reservations
• Security groups and load balancers can be specified as custom properties on the reservation or on the blueprint

VXLANs can be reserved by provisioning group

Page 31: Configuring Service Blueprints to Leverage vCNS

vCAC blueprint custom properties define the load balancer and security groups that will be associated with the machine being provisioned.

Page 32: Future Direction

Cloud Automation + Network Virtualization

Spin up and tear down logical networks and services as needed, to deliver application infrastructure on-demand. (Diagram: web, app and database tiers behind a Services Edge load balancer.)

Page 33: Future Direction

On-Demand Networks

Multi-machine blueprints can create new VMs and place them on networks created on-demand using NSX (or vCloud Networking and Security). These networks can be torn down once app lease times are up. (Diagram: web, app and database tiers connected through a logical router.)

Page 34: Future Direction

Network Profiles

Take the guesswork out of requesting networks (IP addressing, connectivity) by

Profiles: private, NAT, routed

Page 35: Future Direction

On-Demand Load Balancer

Blueprint admins or power users can create new load balancer services using new or existing Edge gateways. (Diagram: web, app and database tiers behind a Services Edge load balancer.)

Page 36: Firewall Rules

Multi-network model: use a security group to isolate the entire app, and the distributed virtual firewall to control traffic between tiers.

Flat network model: use security groups to isolate the entire app and the app tiers, and the distributed virtual firewall to control all traffic.

App firewall rules are consumed by placing workloads in existing security groups. The NSX security administrator should pre-create these groups with the necessary firewall rules.
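To make the tag-driven integration of Step 2 (page 12) and the rule consumption described on this slide concrete, here is an added Python model (not VMware code; every group, tag, tier and rule name is constructed): security groups with dynamic membership by tier and by partner tag, a pre-created distributed firewall rule set for the flat-network model, and a partner antivirus action that sets one tag on a web VM, which moves it into quarantine and flips the allowed web-to-app flow to deny without anyone editing a firewall rule.

```python
"""Added example (not VMware code): tag-driven security group membership and
distributed firewall rule consumption, modelled on the deck's Step 2 and the
Firewall Rules slide. All group, tag, tier and rule names are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

# Tag a partner antivirus solution would set on a VM through the NSX API
# (constructed name, shaped like the 'Tags' the deck describes).
AV_TAG = "ANTI_VIRUS.VirusFound"


@dataclass
class VM:
    name: str
    tier: str                                   # constructed tiers: web, app, db
    tags: Set[str] = field(default_factory=set)


# Security groups with dynamic membership criteria; quarantine wins over tier.
SECURITY_GROUPS: Dict[str, Callable[[VM], bool]] = {
    "SG-Quarantine": lambda vm: AV_TAG in vm.tags,
    "SG-Web": lambda vm: vm.tier == "web" and AV_TAG not in vm.tags,
    "SG-App": lambda vm: vm.tier == "app" and AV_TAG not in vm.tags,
    "SG-DB": lambda vm: vm.tier == "db" and AV_TAG not in vm.tags,
}

# Distributed firewall rules pre-created by the security architect (flat-network
# model: one group per tier). Evaluated top down, first match wins, default deny.
FIREWALL_RULES = [
    ("any", "SG-Quarantine", "any", "deny"),        # nothing reaches quarantine
    ("SG-Quarantine", "any", "any", "deny"),        # nothing leaves quarantine
    ("any", "SG-Web", "tcp/443", "allow"),
    ("SG-Web", "SG-App", "tcp/8080", "allow"),
    ("SG-App", "SG-DB", "tcp/3306", "allow"),
]


def groups_of(vm: VM) -> Set[str]:
    """Dynamic membership: which security groups contain this VM right now."""
    return {sg for sg, crit in SECURITY_GROUPS.items() if crit(vm)}


def decide(src: VM, dst: VM, service: str) -> str:
    """Resolve the firewall action for a flow from the groups of both endpoints."""
    src_g, dst_g = groups_of(src) | {"any"}, groups_of(dst) | {"any"}
    for rule_src, rule_dst, rule_svc, action in FIREWALL_RULES:
        if rule_src in src_g and rule_dst in dst_g and rule_svc in ("any", service):
            return action
    return "deny"


def partner_sets_tag(vm: VM, tag: str, log: List[str]) -> None:
    """The partner console's only action: set a tag. Membership and policy follow
    without a firewall edit; the log line is the correlation record the deck asks for."""
    before = sorted(groups_of(vm))
    vm.tags.add(tag)
    log.append(f"tag={tag} vm={vm.name} groups {before} -> {sorted(groups_of(vm))}")


def demo() -> Dict[str, object]:
    """Web tier talking to app tier before and after the AV solution tags web-01."""
    web, app, log = VM("web-01", "web"), VM("app-01", "app"), []
    result: Dict[str, object] = {"before": decide(web, app, "tcp/8080")}
    partner_sets_tag(web, AV_TAG, log)
    result["after"] = decide(web, app, "tcp/8080")
    result["log"] = log
    return result
```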

Page 37: Summary – Value Achieved via Operational Efficiencies

A single interface to manage deployment and enablement of NSX and partner solutions, taking out many manual steps previously required
• Automates not only previously manual steps but also the error-prone handoff between roles

NSX Service Composer to design and plan for orchestration of events and actions by integrating NSX and partner solutions via 'Tags'
• Rather than pivoting between interfaces to respond to events, NSX Service Composer and partner solutions integrate to leverage one another in a prescribed manner

NSX RESTful APIs enable automation of repeatable tasks, taking out OPEX
• Can be part of a larger orchestration or put into a workflow set of task-oriented screens

vCloud Automation Center provides policy-driven governance and entitlement
• Attach required policies to the vCAC provisioning process by leveraging NSX networks and NSX services, assigning 'Tags' to deployed workloads

That which can be automated can be easily measured!

Page 38: VMworld: Security and Compliance Sessions

NSX
• 5318: NSX Security Solutions In Action (201)
• 5753: Dog Fooding NSX at VMware IT (201)
• 5828: Datacenter Transformation (201)
• 5582: Network Virtualization across Multiple Data Centers (201)

NSX Firewall
• 5893: Economies of the NSX Distributed Firewall (101)
• 5755: NSX Next Generation Firewalls (201)
• 5891: Build a Collapsed DMZ Architecture (301)
• 5894: NSX Distributed Firewall (301)

NSX Service Composer
• 5749: Introducing NSX Service Composer (101)
• 5750: NSX Automating Security Operations Workflows (201)
• 5889: Troubleshooting and Monitoring NSX Service Composer (301)

Compliance
• 5428: Compliance Reference Architecture Framework Overview (101)
• 5624: Accelerate Deployments – Compliance Reference Architecture (Customer Panel) (201)
• 5253: Streamlining Compliance (201)
• 5775: Segmentation (301)
• 5820: Privileged User Control (301)
• 5837: Operational Efficiencies (301)

Other
• 5589: Healthcare Customer Case Study: Maintaining PCI, HIPAA and HITECH Compliance in Virtualized Infrastructure (Catbird – Jefferson Radiology)
• 5178: Motivations and Solution Components for enabling Trusted Geolocation in the Cloud - A Panel discussion on NIST Reference Architecture (IR 7904) (Intel and HyTrust)
• 5546: Insider Threat: Best Practices and Risk Mitigation techniques that your VMware based IaaS provider better be doing! (Intel)

Page 41: THANK YOU
