VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational Efficiencies
Transcript of VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational Efficiencies
NSX PCI Reference Architecture Workshop Session 3
- Operational Efficiencies
Allen Shortnacy, VMware
SEC5837
#SEC5837
Operational Efficiencies
About Operational Efficiencies
Cloud and SDDC have evolved from IT silos, including security and compliance
• ITSM, ITIL and other mature processes will need to evolve with the SDDC
• The impact of network and storage virtualization silos will require more bi-directional interaction from legacy infrastructure teams
Policies and procedures regarding security and compliance will also change
• Understanding how different solutions interact with the platform and with each other to accommodate compliance becomes a must, not just for design but also for operations
• Due to the nature of the SDDC, workloads under regulatory compliance become untethered from the physical topology but require a coherent, near-real-time logging and correlation strategy to understand the inter-layer impact of events
Building and revising SDDC architectures will become SDLC-like
• Opportunities to take out OPEX and operate at a greater VI admin/workload ratio are many, with demonstrable ROI
• Will require some new skill sets, like DevOps, to automate against APIs and generate new task-oriented interfaces
Security and Compliance Challenges in the SDDC
Cumbersome Provisioning
Complicated deployment and troubleshooting processes make it difficult to maintain service levels for security.
Manual, Cross-Service Workflows
Security and cloud admins volley back and forth to identify, assess, plan and implement against security risks: a very inefficient process.
Policy ≠ Operations
Security and compliance are roadblocks to cloud, but expecting security architects to manage cloud operations is unrealistic and unfair. Architects define policy. Operators implement.
Compliance Challenges: Many Systems - Dashboards of Wonder
(Diagram of separate consoles: Vulnerability Mgmt System, Antivirus System, Firewall, vCenter, IDS System, DLP System)
Four Steps to Gaining Operational Efficiencies in the SDDC
Define and manage partner solutions from NSX Service Composer
• Deploy and monitor partner solutions and their availability
• Define parameters for inter-operating NSX and partner solutions
• Create NSX and partner service policies that can be re-used across trust zones
Leverage integration of NSX and partner solutions for workflows
• Creating common tags across NSX and partner solutions allows for broader administrative activities formerly accomplished through error-prone 'swivel chair' operations
Discover SDDC processes that are manual but repeatable, with little variation
• Leverage REST APIs and development toolkits such as Puppet, Chef or vCenter Orchestrator to automate tasks
• Reduce 'swivel chair' operations across consoles, providing greater scale or complete end-to-end automation with logging, for a utility-computing approach
Abstract SDDC security and compliance policies into self-service governance
• Declare at deploy time the requirements for an application with regard to regulations
Step 1: Managing NSX and Partner Solutions w/ Service Composer
NSX and NSX Partner Solutions are integrated for deployment, initialization and definition of common parameters
Function
• Service Composer enables creation of partner services
• Service Composer templates provide reusable methods for distributed policy management
Usage
• NSX Service Composer
• Define security services
• Define settings for services
• Apply to new trust zones
• Monitor for readiness
Challenge – Security Product Provisioning in Cloud Infrastructure (vShield Endpoint example)
Provisioning flow across the VI Admin and Security Admin swim lanes:
• vSphere and partner console already deployed
• Install vShield Manager
• Install vShield Endpoint
• Register Endpoint with VC
• Add VC to partner console
• Install required drivers on hosts
• Deploy partner SVA
• Activate partner SVA
• Activate VMs
• Start managing security policies
The result:
• Remains complex
• Unclear ownership
• Lack of SLAs
Troubleshooting Security Services Requires Considerable Back and Forth Between Virtual Admins and Security Admins
If a service goes down, where do you start with troubleshooting steps? Security solution or virtualization solution?
What if there was a configuration change in the infrastructure that caused an outage? How could this change be determined?
NSX Service Composer Provisioning
(Diagram labels: Compute, Management, Gateway)
1. Host Prep
• Install kernel modules: VXLAN, Distributed Router and Distributed FW
• Simple one-click install per cluster
• All modules installed together
2. Logical Network Prep
• Configure VTEP IP, MTU and teaming per cluster
• Create Transport Zones (network scope)
3. Deploy Controller
• Simple UI in VSM deploys the Controller OVF and configures it
• No other configuration required!
• Minimum 3-node controller cluster required for HA
4. Register Services
• Log in!
• Some services are pre-registered (Data Security, Identity, Trend Micro, Rapid7, McAfee)
• Register Symantec Antivirus solution
• Register Symantec IPS solution
• Partner management consoles registered
5. Deploy Services
• Some services are pre-deployed (Data Security, Identity)
• Deploy Symantec Antivirus solution
6. Troubleshooting Services
• Power off or suspend the Data Security VM
• Observe failure message and root cause
• Initiate 'resolve' (repair)
• Observe progress and final status
NSX Service Composer: Security Ready for Consumption
Security Groups: WHAT you want to protect
• Members: VM, vNIC, network (virtual/logical switch, physical), distributed virtual port group, cluster, data center, resource pool, vApp, other container, IP address, MAC address
• Context: user identity, sensitive data, security posture
HOW you want to protect it
• Services: firewall, antivirus, intrusion prevention, vulnerability management and more
• Profiles: security policies from VMware and third-party solutions that are defined by the security architect but implemented by the cloud operator
APPLY the policies to the security groups
Step 2: Establish Workflow Integration between NSX and Partner
NSX and partner solutions are integrated by APIs, either by making direct calls to NSX or by setting machine metadata (tags)
(Diagram: SG: Web Servers and SG: Quarantine, each with VSM F/W services applied)
Function
• Service Composer enables creation of 'Tags' for integrating partner solutions
• NSX and partner solutions leverage one another
Usage
• NSX Service Composer
• Define security groups
• Define tags for dynamic inclusion in NSX security groups
• Define partner solution tags to be set
Demo: Orchestrating Security Between Multiple Products
Step 3: NSX RESTful Automation
NSX provides REST APIs, which means you can create, read, update or delete NSX SDDC constructs with the standard HTTP methods (GET, POST, PUT, DELETE)
Function
• Identify repeatable NSX provisioning or configuration tasks
• Determine target integration types and choose a dev toolkit
Usage
• NSX REST APIs
• Unit test functionality with HTTP tools (curl, Firefox RESTClient)
• Integrate into larger-scope processes with vCenter Orchestrator, etc.
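The "unit test with HTTP tools, then integrate" approach above, as an added example in Python; this is not code from the session or from VMware. It builds a security-tag request body, resolves a security group name to its objectId from a constructed listing, and emits the curl line for the unit-test step. The NSX Manager API is XML over HTTPS with basic authentication; the hostname, account name, CA path and the three endpoint paths are assumptions from my memory of the NSX for vSphere 6.x API guide and must be checked against the reference for your release.

```python
# Added example, not from the VMworld deck or from VMware.
# Assumptions: hostname, account, CA bundle path and endpoint paths below.
import shlex
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

NSX_MANAGER = "nsxmgr.example.internal"  # assumed hostname
SG_LIST_PATH = "/api/2.0/services/securitygroup/scope/globalroot-0"  # assumed path
TAG_CREATE_PATH = "/api/2.0/services/securitytags/tag"  # assumed path
TAG_ATTACH_PATH = "/api/2.0/services/securitytags/tag/{tag_id}/vm/{vm_moid}"  # assumed path


def security_tag_body(name: str, description: str = "") -> str:
    """Build the <securityTag> request body with an XML builder.

    Using ElementTree rather than string formatting matters once the tag
    name comes from a self-service request: '<', '>' and '&' are escaped,
    so a requester cannot smuggle extra elements into the API call.
    """
    tag = ET.Element("securityTag")
    ET.SubElement(tag, "objectTypeName").text = "SecurityTag"
    type_el = ET.SubElement(tag, "type")
    ET.SubElement(type_el, "typeName").text = "SecurityTag"
    ET.SubElement(tag, "name").text = name
    ET.SubElement(tag, "description").text = description
    return ET.tostring(tag, encoding="unicode")


def find_security_group_id(list_xml: str, name: str) -> Optional[str]:
    """Return the objectId of the security group called `name`, or None.

    Every later call keys on the objectId (securitygroup-NN), so automation
    resolves the human name once and logs both the name and the ID.
    """
    root = ET.fromstring(list_xml)
    for sg in root.iter("securitygroup"):
        if sg.findtext("name") == name:
            return sg.findtext("objectId")
    return None


def attach_tag_request(tag_id: str, vm_moid: str) -> Tuple[str, str]:
    """Method and path that attach an existing tag to a VM (PUT, empty body)."""
    return ("PUT", TAG_ATTACH_PATH.format(tag_id=tag_id, vm_moid=vm_moid))


def curl_command(method: str, path: str, user: str, ca_bundle: str,
                 body: Optional[str] = None) -> str:
    """The curl line for the unit-test step.

    Deliberately uses --cacert instead of -k/--insecure: these calls change
    firewall policy, so the manager's TLS identity must be verified. The
    password is prompted for by curl rather than embedded in the command.
    """
    parts = ["curl", "--cacert", ca_bundle, "-u", user, "-X", method,
             "-H", "Content-Type: application/xml"]
    if body is not None:
        parts += ["-d", body]
    parts.append(f"https://{NSX_MANAGER}{path}")
    return " ".join(shlex.quote(p) for p in parts)


# Constructed sample response shaped like a security-group listing;
# not captured from a real NSX Manager.
SAMPLE_SG_LIST = """<list>
  <securitygroup>
    <objectId>securitygroup-10</objectId>
    <name>Web Servers</name>
    <description>PCI web tier</description>
  </securitygroup>
  <securitygroup>
    <objectId>securitygroup-11</objectId>
    <name>Quarantine</name>
    <description>Isolated by partner AV</description>
  </securitygroup>
</list>
"""

if __name__ == "__main__":
    print(find_security_group_id(SAMPLE_SG_LIST, "Quarantine"))
    print(curl_command("POST", TAG_CREATE_PATH, "nsx-automation",
                       "/etc/ssl/nsxmgr-ca.pem",
                       security_tag_body("PCI.Quarantine", "set by vCO workflow")))
```

Run the emitted curl line against a lab manager under a dedicated automation account that holds only the NSX role the task needs, and keep the manager's audit log alongside the orchestrator's own log so a policy change can be traced back to the request that caused it.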
Most Requested Deployment Models for Multi-Tiered Apps
• Multi-tiered app, multiple networks (diagram: WEB, APP and DATABASE tiers on separate networks)
• Multi-tiered app, single network (diagram: WEB, APP and DATABASE tiers on one network)
Most Requested Network and Security Services
NSX provides built-in, logical networks and services to address the most common (and challenging) requests for cloud service automation.
• Firewall
• Networks (switches)
• Load Balancer
• Router
Deployment Tools, Process, Best Practices
VMware Cloud Application Deployment Toolkit - Details
(Diagram roles: ISVs, Enterprise Customers, Deploy Factory (Managed Service Providers))
1. Packaging Factory: a "factory" for producing reusable, cloud-ready deployment packages for the most popular business apps
2. Package Catalog: a cloud-based, access-controlled repository to store application packages
3. Deploy Factory: a controller to download packages, provision a secured deployment environment and orchestrate automated deployment of the application
Deployment Tools, Process, Best Practices
How Does this Work – Packaging Factory
(Diagram components: vFabric Application Director, Chef & VMware Studio, Subversion Server, Build Controller; artifacts: Application Blueprint, Cookbook, Node Template)
• Packaging factory infrastructure consists of a Subversion server, VMware Studio, vFabric Application Director and Chef
• Application binaries remain unchanged
• Deployment information is captured at various levels of detail in application blueprints, node templates and deployment scripts (cookbooks)
Deployment Tools, Process, Best Practices
How Does this Work – Package Catalog
• An application package is uploaded to a cloud-based repository
• The service provider gets access to the repository using an access-controlled portal
• The application package is downloaded into the service provider's cloud
Deployment Tools, Process, Best Practices
How Does this Work – Deploy Factory
(Diagram components: vFabric Application Director, vCloud Director, VMware Studio & Chef, Deployment Controller; target: a vApp of VMs on a virtual network)
• Deploy Factory infrastructure consists of vCloud Director, vFabric Application Director, VMware Studio, Chef and the Deployment Controller
• (Optional) Create a private network to place the application into
• vApp(s) are deployed in the target environment
• The application is installed via application blueprints
• Each node is configured using Chef
Demo: RESTful Automation of NSX Edge Deployment
Step 4: Use NSX Automation in Self-Service Provisioning
NSX metadata exposed in the vCAC self-service catalog allows for declarative binding of network and services policies such as firewall
(Diagram: request 3-tiered app, then request network and services)
Function
• vCloud Automation Center self-service provisioning
• NSX dynamic policy profile inclusion
Usage
• vCloud Automation Center
• New workload request
• Bind to NSX networks and services
vCloud Automation Center Policy Management
(Diagram: users in business groups A, B and C pass through authentication and role-based authorization to become authorized users; resource reservations with a cost profile map each group onto shared infrastructure (Tier 1, Public, Physical, Virtual); service blueprints carry a cost profile through requisition, provision, manage and retire)
vCloud Automation Center Extensibility Spectrum: Flexibility without Complexity
Where We Are Today
(Legend used on this and the following slides: Create On-Demand | Leverage Existing Infrastructure | Requires customization)
Pre-Created, Logical Networks
Apps can be spun up on-demand using logical networks that have already been created. Creating logical networks in advance is still more agile than provisioning physical networks.
(Diagram: WEB, APP and DATABASE tiers placed on pre-created logical networks)
Where We Are Today
Networks Explicitly Assigned
App blueprints may require networks with NAT, routed, or private connectivity. The admin must directly specify network information.
(Diagram: WEB, APP and DATABASE tiers; a NAT network translating A.B.C.# to X.Y.Z.#; a routed network A.B.C.#)
Where We Are Today
Pre-created Firewall Rules
Apps can be added to existing security groups.
(Diagram: WEB, APP and DATABASE tiers in security groups, for both network models)
Where We Are Today
Pre-created Load Balancer Pool
Apps can be added to existing load balancer pools.
(Diagram: WEB, APP and DATABASE tiers behind a Services Edge (Load Balancer), for both network models)
Discovery of vCNS Resources and Policies
Add a vCNS Manager address and credentials to a vSphere (vCenter) endpoint definition
• Managed endpoint: VMware vCenter
• Resources discovered from vCenter: clone templates, customization specs, hosts/host clusters, CPU, memory, storage, networking
• Resources and policies discovered from vCNS Manager: VXLANs, Security Groups, Load Balancers
Reserving vCNS Resources for Each Group
• VXLANs appear as network paths in resource reservations
• VXLANs can be reserved by Provisioning Group
• Security Groups and Load Balancers can be specified as custom properties on the reservation or on the blueprint
Configuring Service Blueprints to Leverage vCNS
vCAC blueprint custom properties define the Load Balancer and Security Groups that will be associated with the machine being provisioned.
Future Direction
Cloud Automation + Network Virtualization
Spin up and tear down logical networks and services as needed, to deliver application infrastructure on-demand.
(Diagram: WEB, APP and DATABASE tiers behind a Services Edge (Load Balancer), for both network models)
Future Direction
On-Demand Networks
Multi-machine blueprints can create new VMs and place them on networks created on-demand using NSX (or vCloud Networking and Security). These networks can be torn down once app lease times are up.
(Diagram: WEB, APP and DATABASE tiers attached to a Logical Router, for both network models)
Future Direction
Network Profiles
Take the guesswork out of requesting networks (IP addressing, connectivity) by
(Diagram: network profile types PRIVATE, NAT, ROUTED)
Future Direction
On-Demand Load Balancer
Blueprint admins or power users can create new load balancer services using new or existing Edge gateways.
(Diagram: WEB, APP and DATABASE tiers behind a Services Edge (Load Balancer), for both network models)
Firewall Rules
Multi Network Model: use a security group to isolate the entire app, and the distributed virtual firewall to control traffic between tiers.
Flat Network Model: use security groups to isolate the entire app and each app tier, and the distributed virtual firewall to control all traffic.
App firewall rules are consumed by placing workloads in existing security groups. The NSX security administrator should pre-create these groups with the necessary firewall rules.
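The flat network model above, together with the tag-driven quarantine workflow of Step 2, as an added example in Python; this is a model written for this page, not NSX code or anything from the session. Security groups get their members dynamically (by tier, standing in for a logical switch or tag, or by a security tag a partner solution sets), firewall rules are written group-to-group and evaluated top-down with a default block, and the partner "sets machine metadata" simply by adding a tag. The tag string, group names, rule names and ports are assumptions chosen for the illustration.

```python
# Added example, not NSX or VMware code. The tag name below is an
# assumption standing in for whatever a partner AV solution actually sets.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

QUARANTINE_TAG = "ANTI_VIRUS.VirusFound"  # assumed partner-set tag
ANY = "any"


@dataclass
class VM:
    name: str
    tier: str                            # web / app / db / edge
    tags: Set[str] = field(default_factory=set)


@dataclass
class SecurityGroup:
    name: str
    criterion: Callable[[VM], bool]      # dynamic membership, evaluated per flow

    def contains(self, vm: VM) -> bool:
        return self.criterion(vm)


@dataclass
class Rule:
    name: str
    src: str        # security group name or ANY
    dst: str
    service: str    # e.g. "tcp/443" or ANY
    action: str     # "allow" or "block"


class DistributedFirewall:
    """Ordered rule table evaluated against group membership, not IPs."""

    def __init__(self, groups: List[SecurityGroup], rules: List[Rule]):
        self.groups = {g.name: g for g in groups}
        self.rules = rules

    def _matches(self, selector: str, vm: VM) -> bool:
        return selector == ANY or self.groups[selector].contains(vm)

    def evaluate(self, src: VM, dst: VM, service: str) -> Tuple[str, str]:
        """First matching rule wins; no match means the default block."""
        for rule in self.rules:
            if (self._matches(rule.src, src) and self._matches(rule.dst, dst)
                    and rule.service in (ANY, service)):
                return rule.action, rule.name
        return "block", "default"


def build_pci_app_policy() -> DistributedFirewall:
    """Flat-network model: one group per tier plus a tag-driven quarantine group.

    The quarantine rules sit above the tier allows; in Service Composer the
    equivalent is giving the quarantine policy the higher weight so it is
    applied before the application policy.
    """
    groups = [
        SecurityGroup("Quarantine", lambda vm: QUARANTINE_TAG in vm.tags),
        SecurityGroup("Web", lambda vm: vm.tier == "web"),
        SecurityGroup("App", lambda vm: vm.tier == "app"),
        SecurityGroup("DB", lambda vm: vm.tier == "db"),
    ]
    rules = [
        Rule("quarantine-in", ANY, "Quarantine", ANY, "block"),
        Rule("quarantine-out", "Quarantine", ANY, ANY, "block"),
        Rule("inet-to-web", ANY, "Web", "tcp/443", "allow"),
        Rule("web-to-app", "Web", "App", "tcp/8080", "allow"),
        Rule("app-to-db", "App", "DB", "tcp/3306", "allow"),
    ]
    return DistributedFirewall(groups, rules)


def demo() -> Dict[str, Tuple[str, str]]:
    """Evaluate a few flows before and after a partner AV tags the web VM."""
    fw = build_pci_app_policy()
    lb, web1, app1, db1 = VM("lb", "edge"), VM("web1", "web"), VM("app1", "app"), VM("db1", "db")
    results = {
        "lb->web1 https": fw.evaluate(lb, web1, "tcp/443"),
        "web1->app1": fw.evaluate(web1, app1, "tcp/8080"),
        "web1->db1 tier skip": fw.evaluate(web1, db1, "tcp/3306"),
    }
    # The whole partner integration step: set the tag. No rule edits, no
    # console pivot; membership of Quarantine changes and the rules follow.
    web1.tags.add(QUARANTINE_TAG)
    results["lb->web1 after tag"] = fw.evaluate(lb, web1, "tcp/443")
    results["web1->app1 after tag"] = fw.evaluate(web1, app1, "tcp/8080")
    return results


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:24s} {verdict[0]:5s} ({verdict[1]})")
```

Two things the model makes visible that the slide only states: the web tier cannot reach the database directly because no rule exists for that pair, which is the point of writing rules between tier groups rather than one flat allow, and the quarantine verdict depends entirely on rule ordering, so the check to add in a real deployment is that the quarantine policy's weight is higher than every application policy that could otherwise allow the flow.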
Summary – Value Achieved via Operational Efficiencies
Single interface to manage deployment and enablement of NSX and partner solutions, taking out many manual steps previously required
• Automates not only previously manual steps but also the error-prone handoff between roles
NSX Service Composer to design and plan for orchestration of events and actions by integrating NSX and partner solutions via 'Tags'
• Rather than pivoting between interfaces to respond to events, NSX Service Composer and partner solutions integrate to leverage one another in a prescribed manner
NSX RESTful APIs enable automation of repeatable tasks, taking out OPEX
• Can be part of a larger orchestration or put into a workflow set of task-oriented screens
vCloud Automation Center provides policy-driven governance and entitlement
• Attach required policies to the vCAC provisioning process by leveraging NSX networks and NSX services, assigning 'Tags' to deployed workloads
That which can be automated can be easily measured!
VMworld: Security and Compliance Sessions
NSX
• 5318: NSX Security Solutions In Action (201)
• 5753: Dog Fooding NSX at VMware IT (201)
• 5828: Datacenter Transformation (201)
• 5582: Network Virtualization across Multiple Data Centers (201)
NSX Firewall
• 5893: Economies of the NSX Distributed Firewall (101)
• 5755: NSX Next Generation Firewalls (201)
• 5891: Build a Collapsed DMZ Architecture (301)
• 5894: NSX Distributed Firewall (301)
NSX Service Composer
• 5749: Introducing NSX Service Composer (101)
• 5750: NSX Automating Security Operations Workflows (201)
• 5889: Troubleshooting and Monitoring NSX Service Composer (301)
Compliance
• 5428: Compliance Reference Architecture Framework Overview (101)
• 5624: Accelerate Deployments – Compliance Reference Architecture (Customer Panel) (201)
• 5253: Streamlining Compliance (201)
• 5775: Segmentation (301)
• 5820: Privileged User Control (301)
• 5837: Operational Efficiencies (301)
Other
• 5589: Healthcare Customer Case Study: Maintaining PCI, HIPAA and HITECH Compliance in Virtualized Infrastructure (Catbird – Jefferson Radiology)
• 5178: Motivations and Solution Components for enabling Trusted Geolocation in the Cloud - A Panel discussion on NIST Reference Architecture (IR 7904) (Intel and HyTrust)
• 5546: Insider Threat: Best Practices and Risk Mitigation techniques that your VMware based IaaS provider better be doing! (Intel)
For More Information…
VMware Collateral
• VMware Approach to Compliance
• VMware Solution Guide for PCI
• VMware Architecture Design Guide for PCI
• VMware QSA Validated Reference Architecture PCI
Partner Collateral
• VMware Partner Solution Guides for PCI
How to Engage?
• @VMW_Compliance on Twitter
THANK YOU