VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks

VMware NSX with Next-Generation Security by Palo Alto Networks. Bilal Malik, Palo Alto Networks; Adina Simu, VMware. SEC5755 #SEC5755

description

VMworld 2013. Bilal Malik, Palo Alto Networks; Adina Simu, VMware. Learn more about VMworld and register at http://www.vmworld.com/index.jspa?src=socmed-vmworld-slideshare

Transcript of VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks

Page 1: VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks

VMware NSX with Next-Generation Security by Palo Alto Networks

Bilal Malik, Palo Alto Networks

Adina Simu, VMware

SEC5755

#SEC5755

Page 2: VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks

Session Objectives

Discuss security challenges in virtualized environments

Introduce NSX Firewall and Palo Alto Networks Panorama and VM-Series

Review the complete security solution that VMware and Palo Alto Networks have built jointly

Page 3: VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks

Recommended Sessions & Labs

NET5716 – Advanced NSX Architecture

NET5266 – Bringing Network Virtualization to VMware Environments with NSX

NET5270 – Virtualized Network Services Model with NSX

NET5522 – VMware NSX Extensibility: Network and Security Services from 3rd-Party Vendors

Hands-on labs on NSX and NSX Firewall: HOL-SDC-1303

Page 4: VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks

Agenda

Datacenter Transformation

What are the security barriers to transformation?

What is the solution?

How does the solution work?

Q&A

Page 5: VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks

Infrastructure

Server Virtualization Cloud

The software defined data center is agile, flexible, elastic and simple

• Fast workload provisioning – weeks to hours

• Unlimited workload placement & mobility

• IT as a service with performance and scalability

• Simplified data center operations & economics

It's about Speed - Software Defined Data Center Transformation

Page 6: VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks

Page 7: VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks

Typical Data Center Physical Firewall Deployment

Gateway placement designed around expectation of L3 segmentation

VM to VM traffic Hair Pinned to FW

No “VM” awareness

VLAN Complexities

FW as Performance bottleneck

Complex Rule Sets

Traditional physical firewalls limit your data center

Page 8: VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks

Security Policies Cannot Keep Up …

Manual Security Rule changes

No VM Context

Not integrated into automated workflows

Page 9: VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks

Applications Have Evolved …

Page 10: VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks

Threats Come from Surprising Places …

Application Usage and Threat Report – February 2013

“Application Usage and Threat Report” (Palo Alto Networks) February 2013

Aggregates application and threat logs

3,000+ organizations across the globe

95% of all exploit logs came from just 10 applications

9 of 10 are common business apps in data centers

MS-SQL

MS-RPC

SMB

MS SQL Monitor

MS Office Communicator

SIP

Active Directory

RPC

DNS

Page 11: VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks

Page 12: VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks

The Need for a Comprehensive Security Solution

VMware NSX Platform

NSX Distributed Firewall

• VM level zoning without VLAN/VXLAN dependencies

• Line rate access control traffic filtering

• Distributed enforcement at Hypervisor level

Palo Alto Networks Next Generation Security

Next Generation Firewall

• Protection against known and unknown threats

• Visibility and safe application enablement

• User, device, and application aware policies

Sophisticated Security Challenges

• Disappearance of standard application behavior

• Distributed user and device population

• Modern Malware

Page 13: VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks

VMware NSX and Next-Generation Security Integrated Solution

[Diagram labels: Any Application (without modification); Virtual Networks; VMware NSX Network Virtualization Platform; Logical L2; Logical L3; Logical Firewall; Logical Load Balancer; Logical VPN; Any Network Hardware; Any Cloud Management Platform; Any Hypervisor; Palo Alto Networks Next Generation Security; Security Provisioning; Palo Alto Networks VM-Series; Palo Alto Networks PA-5000 Series]

Components:

• VMware NSX (including NSX Manager and NSX API – cloud provisioning, VMware NSX Firewall – Native, kernel-based firewall and traffic steering)

• Palo Alto Networks Panorama – security provisioning

• Palo Alto Networks VM-Series – next-generation security platform

Page 14: VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks

NSX Distributed Firewall

Scale-out architecture

• Embedded in the Hypervisor

Line rate performance

• 10Gbps+ per host

Flexible access control architecture

• NSX Logical Containers

• VM Tags

• User Identity and Active Directory support

No VM can circumvent the firewall

• Rules follow the VMs

Page 15: VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks

VM-Series Firewall

PAN-OS firewall in virtual machine form factor

Separation of management and data plane

Complete Next-Gen firewall features

• App-ID

• User-ID

• Content-ID

• WildFire

Dynamic Address Groups

Centrally managed through Panorama

Page 16: VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks

Page 17: VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks

Example: How to secure an MS SharePoint deployment

[Diagram labels: WEB Tier, Application Tier, Database Tier; IIS Web Front End 1, IIS Web Front End 2, SharePoint 1, MS SQL 1, Domain Controller 1]

Page 18: VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks

Setup

Page 19: VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks

Page 20: VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks

Three steps:

1. Register the Next Generation Palo Alto Networks Firewall with NSX Manager

2. Deploy NSX Firewall and Palo Alto Networks VM-Series appliances

3. Define and consume security policies

Page 21: VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks

Next-Gen Firewall Service Registration

Page 22: VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks

Page 23: VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks

Page 24: VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks

Automated Deployment of all solution components

[Diagram labels: Cloud Admin, Security Admin]

Page 25: VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks

Next-Gen Firewall Service Deployment

Page 26: VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks

Page 27: VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks

Page 28: VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks

Define NSX Logical Containers and attach policy

Simplify application management boundaries

Page 29: VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks

Populate VM context into Next Gen Firewalls

[Diagram labels: NSX Manager; NSX Logical Containers; Virtualization Context; Policy Rules and Configuration]

Page 30: VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks

How to create NSX Logical Containers and traffic steering policy

Page 31: VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks
Page 32: VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks

Next-Gen Firewall Rules and Traffic Inspection

Page 33: VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks
Page 34: VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks

Securing the application scale-out

Page 35: VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks
Page 36: VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks

Complete protection - Protect against malware

[Diagram labels: WEB Tier, Application Tier, Database Tier; IIS Web Front End 1, IIS Web Front End 2, SharePoint 1, MS SQL 1, Domain Controller 1]

Page 37: VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks

Exploit Example

Page 38: VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks
Page 39: VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks

An Integrated Solution for Securing the Software Defined Data Center

VMware NSX and Palo Alto Networks Next-Generation Security benefits:

Accelerate application delivery with transparent security enforcement

Optimize operational efficiency via simplified business policies

Address security and compliance mandates with next-gen protection

Page 40: VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks

Come to the Palo Alto Networks booth

Booth #2305

More DEMOS & Giveaways

Page 41: VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks

THANK YOU

Page 42: VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks
Page 43: VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks
