Rod Bachelor, Sr. Product Manager, NSX
Vinay Reddy, Sr. Product Manager, NSX
NET2356BU
#VMWorld #NET2356BU
NSX Service Insertion
Platform for Advanced Networking and Security Services
VMworld 2017 Content: Not for publication or distribution
Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
The goals haven’t changed…
Focus on the app
Security of applications and data
Speed of delivery
Application availability
…but everything else has
Changes in the threat landscape: Attack Sophistication | Persistent Threats | Weaponization of Cyberspace
Changes in application architectures: Containerization | Microservices | PaaS
Changes to infrastructure: Convergence | Private Cloud | Public Cloud
#NET2356BU CONFIDENTIAL
What’s the big deal in the Datacenter?
What do we need?
Requirements for a Secure Software-defined Datacenter
Visibility | Control | Extensibility
Common Policy
Lifecycle Management and Automation
Step 1. Gain visibility
[Diagram: application groups (APP) alongside shared services and other services]
Step 2. Deploy granular controls
[Diagram: the same application groups, shared services and other services, now separated by granular controls]
Step 3. Insert best-of-breed services
[Diagram: AV, IPS and NGFW services inserted in front of each application group, the shared services and the other services]
NSX Security Platform
Visibility: datacenter, application and host
Control: context-driven micro-segmentation
Extensibility: best-of-breed partner integration
Common Policy
Lifecycle Management and Automation
NSX value proposition
Network virtualization is at the core of the software-defined data center approach
Network, storage, compute
Virtualization layer
The next-generation networking model
Network and security services now in the hypervisor: switching, routing, firewalling/ACLs, load balancing
High throughput rates
East-west firewalling
Native platform capability
NSX value proposition
Network, storage, compute
Virtualization layer
“Network platform”
Virtual networks
VMware NSX: Virtualize the Network
Logical switching
Logical routing
Load balancing
Physical to virtual
Firewalling and security
One-Click Deployment via Cloud Management Platform
NSX Security Platform for a Secure SDDC
Visibility: datacenter, application and host
Control: context-driven micro-segmentation
Extensibility: best-of-breed partner integration
Common Policy
Lifecycle Management and Automation
NSX Extensibility: Guest & Network Introspection
Guest Introspection | Network Introspection
Context Sharing & Common Policy
Security Policy Management
Partner Ecosystem
Third-Party Services: Antivirus, DLP, Firewall, Vulnerability Management, Intrusion Prevention, Identity and Access Mgmt …and more in progress
Service Insertion Process
Pre-Req: vSphere (vCenter, ESXi), VM Tools, NSX-V, Partner Management Console, Partner Service OVA, vCloud Automation Center
Service Onboarding: Register; Deploy/Upgrade
Service Consumption: Identify what you want to protect (tags, groups); Identify how you want to protect it (services, policies)
Service Monitoring: Identify, monitor, and troubleshoot service outages; Remediate
Network Introspection: Under the Hood
[Diagram: Service VM with Application and NetXlib in user space and VMCI in the kernel; ESXi host with vsfwd, vpxa, hostd and vsipioctl in user space and dvfilterklib, VSIP and the VDS (Slot 2 DFW, Slots 4-11 NetX) in the kernel; VM vNICs attached to the VDS; Partner Service Manager connected over REST API, with vSphere API and AMQP on the management path]
Network Introspection Design Patterns
Micro-Segmentation with Network (VLAN) Isolation and Service Insertion
[Diagram: Edge Services Gateway, policy-driven controlled communication between segments (STOP markers), traffic redirection to partner services, Partner Service Manager]
Network Introspection Design Patterns
Micro-Segmentation with Network Overlay Isolation and Service Insertion
[Diagram: Distributed Logical Router, policy-driven controlled communication between segments (STOP markers), traffic redirection to partner services, Partner Service Manager]
Network Introspection: Use Cases
• Advanced Security for High Risk Applications
• Multi-Tenancy
• DMZ Anywhere
• Remote / Branch Office Perimeter
• Advanced Security (UTM) for VDI
Advanced Security for High Risk Applications
• Advanced security based on risk/compliance requirements
• Grouping based on network constructs/vCenter/NSX objects
• Automated policy application for new workloads
• Granular redirection policy based on multiple parameters
• Redirect “Confidential” and Web Server traffic
[Diagram: Tier 1: Confidential, Tier 2: Internal, Tier 3: Public, Tier 4: Non-Prod.; Web Server, App Server, DB Server]
Redirection policy for the Confidential tier:
SRC    | DST   | Service | Action
ANY    | TIER1 | ANY     | Redirect
TIER1  | ANY   | ANY     | Redirect
Redirection policy for web servers:
SRC        | DST        | Service | Action
ANY        | Web-Server | ANY     | Redirect
Web-Server | ANY        | ANY     | Redirect
Multi-Tenant Scenarios
• Per-Tenant ESG, DFW “Applied to”
• Differentiated services per tenant using Service Profiles
• NSX Service Profiles map to zones in the partner management console
[Diagram: Tenant 1 and Tenant 2, each behind its own tenant firewall, each with an HR Group (DMZ/Web, App, DB), a Finance Group (DMZ/Web, App, DB) and a Services/Management Group (Services, Mgmt); each tenant maps to its own Service Profile/Zone]
What’s new in NetX
[Diagram: kernel-space VSIP connected to the Service VM through shared-memory channels. Left: one channel per Service VM process (Process 1, Process 2, Process 3), each process handling a subset of the filters (Filter 1, Filter 4..Filter N; Filter 2, Filter 5..Filter N; Filter 3, Filter 5..Filter N). Right: a single multi-threaded Service VM process (Thread 1, Thread 2, Thread 3), each thread with its own shared-memory channel and filter subset]
• Increase the number of shared memory channels between Service VM and ESX
• Supports multi-threading in partner SVM applications
• Support up to 16 channels
• New multi-channel NetX SDK
NSX Guest Introspection strikes a balance between Context and Isolation
Ubiquity | Isolation | Context
[Diagram: Context, provided by an ecosystem of distributed services, gives better security through insight; Isolation, provided by core services built into the hypervisor kernel (switching, routing, firewalling), gives fine-grained containment]
Visibility into in-guest events
Users Logging In
Files Accessed
Network Connections
System Events
Applications Running
Canned Reports
Guest Introspection Architecture
[Diagram: Guest VM running VMTools with a File Driver, a Network Driver and the Application; ESX / vSphere Platform hosting the Guest Introspection ESX Module, the NSX Guest Introspection Library (File Introspection, Connection Introspection, System Introspection) and the Partner Security VM running the Partner Security Application; management plane of NSX Manager, vCenter and the Partner Management Console; roles: VI Admin and Security Admin]
Automated ubiquitous deployment & enforcement
1. ESX host added to cluster
2. Automated: NSX deploys the Guest Introspection framework and Service VMs (Partner & VMW)
3. VM brought up on host
4. Automated: appropriate security policies applied
5. VM vMotions to a different host
6. Automated: appropriate security policies applied
Guest Introspection in action: Agentless Anti-virus
• New security group used to quarantine VMs that may be infected with malware
• Security group is populated only if a virus is found in a VM
• Based on a security tag that the AV partner applies automatically
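The two policy tables on the high-risk-application slide (redirect anything to or from TIER1 or Web-Server) and the quarantine group above (membership driven by a tag the AV partner sets) rely on the same mechanism: security groups resolve to VMs, and a rule table keyed on SRC/DST/Service/Action is evaluated against those groups. The following is an added illustration written for this page, not VMware or NSX code; the group names, the tag name `example.virusFound`, the VM names and the first-match rule order are all constructed assumptions.

```python
"""Toy model of tag-driven security groups feeding a SRC/DST/Service/Action
rule table. Added example, not NSX code; every name here is constructed."""
from dataclasses import dataclass, field


@dataclass
class VM:
    name: str
    tags: set = field(default_factory=set)  # security tags applied by partners/admins


@dataclass
class SecurityGroup:
    name: str
    members: set = field(default_factory=set)        # static membership by VM name
    tag_criteria: set = field(default_factory=set)   # dynamic: any VM carrying one of these tags

    def contains(self, vm: VM) -> bool:
        return vm.name in self.members or bool(vm.tags & self.tag_criteria)


@dataclass
class Rule:
    src: str      # group name or "ANY"
    dst: str      # group name or "ANY"
    service: str  # "ANY" or a service name such as "HTTP"
    action: str   # "Redirect" (to a partner service), "Block" or "Allow"


class Policy:
    """First matching rule wins; traffic that matches nothing is allowed."""

    def __init__(self, groups, rules):
        self.groups = {g.name: g for g in groups}
        self.rules = rules

    def _matches(self, selector: str, vm: VM) -> bool:
        return selector == "ANY" or self.groups[selector].contains(vm)

    def evaluate(self, src_vm: VM, dst_vm: VM, service: str) -> str:
        for r in self.rules:
            if (self._matches(r.src, src_vm) and self._matches(r.dst, dst_vm)
                    and r.service in ("ANY", service)):
                return r.action
        return "Allow"


def build_policy() -> Policy:
    groups = [
        SecurityGroup("TIER1", members={"db-01"}),           # Confidential tier (constructed)
        SecurityGroup("Web-Server", members={"web-01"}),
        # Quarantine has no static members: a VM joins it only when the AV
        # partner applies the (constructed) tag, exactly as the slide describes.
        SecurityGroup("Quarantine", tag_criteria={"example.virusFound"}),
    ]
    rules = [
        # Quarantine rules are evaluated first so an infected VM is isolated
        # even if it would otherwise be redirected.
        Rule("Quarantine", "ANY", "ANY", "Block"),
        Rule("ANY", "Quarantine", "ANY", "Block"),
        # The two redirection tables from the slide.
        Rule("ANY", "TIER1", "ANY", "Redirect"),
        Rule("TIER1", "ANY", "ANY", "Redirect"),
        Rule("ANY", "Web-Server", "ANY", "Redirect"),
        Rule("Web-Server", "ANY", "ANY", "Redirect"),
    ]
    return Policy(groups, rules)


def demo():
    """Evaluate a few constructed flows before and after a VM is tagged."""
    policy = build_policy()
    web, app, db = VM("web-01"), VM("app-01"), VM("db-01")
    before = {
        "app->db": policy.evaluate(app, db, "SQL"),          # DST in TIER1 -> Redirect
        "web->app": policy.evaluate(web, app, "HTTP"),       # SRC is Web-Server -> Redirect
        "app->app2": policy.evaluate(app, VM("app-02"), "HTTP"),  # no rule -> Allow
    }
    # The AV partner tags the web server; no rule or group edit is needed.
    web.tags.add("example.virusFound")
    after = {"web->app": policy.evaluate(web, app, "HTTP")}  # now in Quarantine -> Block
    return before, after


if __name__ == "__main__":
    print(demo())
```

The point worth noticing is that the rule table never changes: the tag changes group membership, and membership changes which rule fires. Rule order matters in a first-match engine, which is why the quarantine rules sit above the redirect rules.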
Guest Introspection Use Cases
• Agentless VDI desktop protection
– Improves consolidation ratios for desktops on VDI servers
• Agentless Windows Server protection
– Protection follows workloads and O/S definition
• Agentless Linux Server protection
– Meet compliance mandates with anti-malware on all servers (not just Windows)
• Agentless Vulnerability Management
– Vulnerability scanning with no network impact or credentials
What’s new in Guest Introspection?
Microsoft Windows 2016 support
• Extends full Guest Introspection capabilities to latest Windows Server O/S
• Available in NSX v6.3.3+
Linux agentless anti-virus support
• Agentless anti-virus on Red Hat, SUSE and Ubuntu Linux distributions
• Available in NSX v6.3.0+
Feature Comparison: vShield Endpoint vs NSX Guest Introspection
Deployment
  vCNS vShield Endpoint: Manual, host based. Manual installation of security VMs and endpoint security components.
  NSX Guest Introspection: Automated, cluster based. Automatic installation of partner security VMs and endpoint security modules.
Policy Management
  vCNS vShield Endpoint: Partner console.
  NSX Guest Introspection: Partner console. Policies created in partner console.
Orchestration and Automation
  vCNS vShield Endpoint: Limited.
  NSX Guest Introspection: NSX Service Composer. Policy orchestration using shared security tags; multi-service, multi-partner orchestration and automation.
Services supported
  vCNS vShield Endpoint: File-based agentless anti-virus.
  NSX Guest Introspection: Partner: agentless anti-virus, vulnerability management, file integrity monitoring, host-based IDS/IPS. VMware: endpoint monitoring, Identity Firewall.
Putting it together with Policy
Service Insertion Architecture
Guest Introspection: NSX driver pulls and shares file, user identity, process (application), network connections, registry keys, etc.
Network Introspection: Full network traffic visibility at the vNIC, vSwitch, or Edge.
Shared Context
Security Policy Management
Third-Party Services: Antivirus, DLP, Firewall, Vulnerability Management, Intrusion Prevention, Identity and Access Mgmt …and more in progress
Driving value with our NSX partner ecosystem
[Diagram: partner categories of Compute Infrastructure, Network Infrastructure, Networking & Security Services, Orchestration & Management Platforms, and Operations & Visibility; VMware components shown: vRealize Automation, vCloud Director, vRealize Orchestrator, VIO, vSAN Ready Node]
Learn more about NSX at these sessions
Introduction to NSX
• Introduction to VMware NSX [NET1152BU]
• Introduction to VMware NSX for Automation [NET1305BU]
• Introduction to VMware NSX for Security [SAI1303BU]
• Customer Panel on VMware NSX for Security [SAI1306PUR]
• NSX Security - DFW, Service Composer [MTE4865U]
• The NSX Practical Path [NET3282BU]
NSX Partner Services
• Automated Security for the Real-time Enterprise with VMware NSX and Trend Micro Deep Security [SAI3313BUS]
• Check Point vSEC and NSX - Advanced SDDC Security [SPL182401U]
• Integrating Threat Defense Lifecycle Security Services with VMware NSX [NET3389BUS]
• How VMware IT Is Securing Apps Using Micro-Segmentation and Third-Party Integrations with NSX [SAI2325BU]
• NSX, AirWatch and Security Beyond Data Center [PAR4378BU]
• Palo Alto Networks VM-Series on NSX - Next-Gen Security for your SDDC [SPL182301U]
NSX Automation
• Automate Your Security with NSX [SAI3019BU]
• Automating NSX with vRealize Automation (vRA) and vRealize Orchestrator (vRO) [PAR4379BU]
• Customer Panel on VMware NSX for Automation [NET1341PU]
Questions?