Transcription
NSX and vRNI
Partner Enablement Day – Technical Track
Ethan Palmer, VMware Technical Specialist, VCP5-DCV, VCP6-NV
703-230-7542
Ethan.Palmer@Carahsoft.com
© 2014 VMware Inc. All rights reserved. Confidential & Proprietary

Agenda
1. Software-Defined Data Center (SDDC) & Network Virtualization
2. New Security Model – Zero Trust & Micro-Segmentation
3. Micro-segmentation Beyond Application Servers
4. vRealize Network Insight
5. Prospecting Guide

New NSX Offerings: Standard, Advanced & Enterprise

Standard ($1,995/socket): Agility and automation of the network
- Distributed switching and routing
- NSX Edge firewall
- NAT
- SW L2 bridging to physical environment
- Dynamic routing with ECMP (Active-active)
- API-driven automation
- Integration with vRealize and OpenStack (1)

Advanced ($4,495/socket): Standard, plus a fundamentally more secure data center
- Automation of security policies with vRealize
- NSX Edge load balancing
- Distributed firewalling
- Integration with Active Directory
- Server activity monitoring
- Service insertion (3rd party integration)

Enterprise ($6,995/socket): Advanced, plus networking and security across multiple domains
- Cross vCenter NSX
- Multi-Site NSX optimizations
- VPN (IPSEC and SSL)
- Remote Gateway
- Integration with HW VTEPs

(1) L2, L3 & NSX Edge integration only. No consumption of Security Groups.
Detailed feature list available here: http://kb.vmware.com/kb/2144586
VMware NSX – Network Virtualization and Security Platform

The Operational Model of a VM for Networking Services

Traffic Patterns in a Typical Datacenter: North-South and East-West

Provisioning Security Services is Hard
Request: We need to deploy a new web application with two tiers.
Network Admin: How do I implement that topology?
(diagram: Internet, Web and App tiers, provisioning steps numbered 1 to 9)

Why are breaches still happening?
- Unconstrained communication
- Little or no lateral controls inside the perimeter
- Low priority systems are targeted first.
- Attackers can move freely around the data center.
- Attackers then gather and exfiltrate data over weeks or even months.
(diagram: Internet, data center perimeter)
Every modern cyber security breach has something in common: the attacker, once inside, was able to move freely in the victim's network.

Agenda, section 2: New Security Model – Zero Trust & Micro-Segmentation
VMware NSX - Getting from the Titanic to Nuclear Submarine
James Clapper, US Director of National Intelligence, compared today's segmented networks to the Titanic, where bulkheads were supposed to prevent one leak from sinking the ship, but the walls weren't high enough. A single breach shouldn't give attackers access to an entire network infrastructure and a mother lode of proprietary data.
http://tinyurl.com/odaqhkg

VMware NSX - Getting from the Titanic to Nuclear Submarine
(diagram: Titanic versus Submarine)
"So we tell the private sector: Don't let that happen to your data. Make sure a single breach won't sink your entire company, your entire enterprise."

Security is needed everywhere, but we can't have it everywhere
Why can't we have individual firewalls for every VM? With traditional technology, this is operationally infeasible.
- Physical firewalls: expensive and complex
- Virtual firewalls: slow, costly, and complicated
(diagram: Internet, data center perimeter)
Goldilocks Zone
Security Today - Trading Off Context and Isolation
Traditional approach, layer by layer of the Software-Defined Data Center (SDDC) stack:
- Any Application: high context, low isolation
- SDDC Platform / Data Center Virtualization: no ubiquitous enforcement
- Any x86, Any Storage, Any IP network: high isolation, low context

SDDC Virtualization Layer – Delivers Both Context and Isolation
SDDC approach, same stack:
- Any Application
- SDDC Platform / Data Center Virtualization: secure host introspection; high context and high isolation; ubiquitous enforcement
- Any x86, Any Storage, Any IP network

Why SDDC Virtualization Layer is the Security "Goldilocks Zone"
Network & security services are now delivered closer to the source, at the SDDC Platform / Data Center Virtualization layer, between Any Application above and Any x86 / Any Storage / Any IP network below:
- Firewalling/ACLs
- Load Balancing
- L2 Switching
- L3 Routing

VMware NSX - Non-Disruptive Deployment of Distributed Networking Services

VMware NSX - Non-Disruptive Deployment of Distributed Security Services

Agenda, section 3: Micro-segmentation Beyond Application Servers
With VDI your data center has a much larger security surface area
A converged infrastructure means virtual desktops run on the same infrastructure as servers.
(diagram: Internet, data center perimeter, east-west traffic)

A matrix of policies is needed on centralized, choke-point firewalls for the correct security posture
(diagram: Finance, HR and Engineering desktop pools)

VMware NSX Simplifies VDI Networking & Security
- Each VM can now be its own wall
- Policies align with logical groups
- Prevents threats from spreading
- Simplified, programmable, automated application of network/security policy to desktop users/pools
- Service-chaining with AV and NGFW partners to deliver automated, policy integrated AV / malware protection, NGFW, IPS, etc.
(diagram: Finance and HR desktop pools, App and DB tiers, shared services: AD, NTP, DHCP, DNS, CERT)

VMware NSX – Automating Security Operations
Security operations are automated and adapt to dynamic conditions; security policies define automated actions, delivered through service insertion & chaining.

ATTRIBUTE (if)                 ACTION (then)
Virus found                    Quarantine VM with firewall
Vulnerability found            Monitor VM with IPS
Sensitive data found ("PCI")   Allow / restrict, or restrict access while investigating

VMware NSX - Network Virtualization & Security Services
Planes: Data Plane (distributed switching, routing, firewall, etc.), Control Plane, Management Plane; physical workloads and VLANs attach underneath.
Unit-level trust:
- Each VM has its own firewall with flexible granularity: entire data center down to the vNIC level
- Security is shrink-wrapped around each workload
- Faults and threats are contained with micro-granularity
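The three slides above describe one mechanism: groups defined by attributes, rules written against groups, and an attribute change (such as a partner tagging a VM "virus found") moving the VM into a quarantine group whose rules take effect at its vNIC. The model below, added here as an example and not NSX code, works that through with constructed VM names, tiers and the made-up tag "virus.found"; unmatched traffic is denied, as in the zero-trust model the deck argues for.

```python
# Toy model of attribute-driven micro-segmentation. Added example, not NSX code:
# VM names, tiers, the "virus.found" tag and the services are constructed.
# Groups are membership criteria, rules name groups, first match wins, unmatched traffic is denied.
from dataclasses import dataclass, field

@dataclass
class VM:
    name: str
    tier: str
    tags: set = field(default_factory=set)  # dynamic tags, e.g. applied by an AV partner

# Security groups: name -> membership criterion, evaluated against the VM's current state.
GROUPS = {
    "Quarantine": lambda vm: "virus.found" in vm.tags,
    "Web": lambda vm: vm.tier == "web",
    "App": lambda vm: vm.tier == "app",
    "DB": lambda vm: vm.tier == "db",
}

# Ordered rules: (name, source group, destination group, service, action).
# "any" matches every VM or service; the quarantine rules sit first so a tagged
# VM is cut off regardless of the tier rules below them.
RULES = [
    ("quarantine-out", "Quarantine", "any", "any", "deny"),
    ("quarantine-in", "any", "Quarantine", "any", "deny"),
    ("web-to-app", "Web", "App", "tcp/8443", "allow"),
    ("app-to-db", "App", "DB", "tcp/3306", "allow"),
]

def groups_of(vm):
    """Groups whose criteria the VM satisfies right now (dynamic membership)."""
    return {g for g, crit in GROUPS.items() if crit(vm)}

def matches(rule, src, dst, service):
    _, sg, dg, svc, _ = rule
    return ((sg == "any" or sg in groups_of(src))
            and (dg == "any" or dg in groups_of(dst))
            and svc in ("any", service))

def decide(src, dst, service):
    """(rule name, action) for a flow; the implicit last rule is deny (zero trust)."""
    for rule in RULES:
        if matches(rule, src, dst, service):
            return rule[0], rule[4]
    return "default", "deny"

def effective_rules(vm):
    """Rule names enforced at this VM's vNIC: every rule naming one of its groups or 'any'."""
    scope = groups_of(vm) | {"any"}
    return [r[0] for r in RULES if r[1] in scope or r[2] in scope]
```

Adding the tag to a web VM changes `decide()` for its flows from allow to deny without editing any rule, which is the "if attribute, then action" behaviour the slide describes.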
Before and After Network Virtualization Transformation
(chart: % of asset utilization)

How to get started? Where can I start?
- VMware Hands-On Labs
- NSX Install, Configure & Manage
- VMware NSX Design Guides: intra-data center micro-segmentation; networking services abstraction (L2, L3, etc.) and IT automation
- Three levels of certifications: Professional, Implementation Expert, Design Expert

Agenda, section 4: vRealize Network Insight
East-West Traffic Analysis
- East-West traffic flow analysis
- Breakdown of data center traffic by East-West, VM-to-VM, VM-to-Physical, Switched, Routed, etc.
- Get detailed flow stats behind each number

Security Policy Automation – Micro-Segmentation
- Discover vCenter and NSX constructs (folders, clusters, VLANs, security tags)
- Automated security groupings based on vCenter and NSX constructs, workload characteristics, ports, common services
- Recommended security policies / firewall rules (zero-trust model)
- See network traffic per host, per VM
- Export as CSV
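The two slides above describe flow classification (north-south versus east-west, VM-to-VM versus VM-to-physical) and turning observed flows into recommended group-to-group rules with a default deny. The script below, added here as an example and not vRealize Network Insight code, does both over a constructed inventory, a constructed 10.0.0.0/8 data-center range and a handful of constructed flow records.

```python
# Flow analysis and zero-trust rule recommendation as sketched on the slides above.
# Added example, not vRealize Network Insight code: inventory, addresses and
# flow records are constructed for illustration.
from collections import Counter, defaultdict
import ipaddress

INVENTORY = {  # constructed: VM name -> (ip, discovered group/tier)
    "web-01": ("10.0.1.10", "Web"), "web-02": ("10.0.1.11", "Web"),
    "app-01": ("10.0.2.10", "App"), "db-01": ("10.0.3.10", "DB"),
}
IP_TO_VM = {ip: name for name, (ip, _) in INVENTORY.items()}
DC_PREFIX = ipaddress.ip_network("10.0.0.0/8")  # constructed data-center range
in_dc = lambda ip: ipaddress.ip_address(ip) in DC_PREFIX

FLOWS = [  # constructed: (src ip, dst ip, service, bytes)
    ("203.0.113.7", "10.0.1.10", "tcp/443", 120_000),  # Internet -> web
    ("10.0.1.10", "10.0.2.10", "tcp/8443", 80_000),
    ("10.0.1.11", "10.0.2.10", "tcp/8443", 75_000),
    ("10.0.2.10", "10.0.3.10", "tcp/3306", 40_000),
    ("10.0.2.10", "10.0.9.5", "tcp/445", 5_000),  # VM -> physical host, not in inventory
]

def classify(src, dst):
    """North-south if either end is outside the DC; east-west split by VM/physical."""
    if not (in_dc(src) and in_dc(dst)):
        return "north-south"
    if src in IP_TO_VM and dst in IP_TO_VM:
        return "east-west VM-to-VM"
    return "east-west VM-to-physical"

def traffic_breakdown(flows=FLOWS):
    """Bytes per class: the slide's east-west / VM-to-VM / VM-to-physical breakdown."""
    totals = Counter()
    for src, dst, _, nbytes in flows:
        totals[classify(src, dst)] += nbytes
    return dict(totals)

def group_of(ip):
    """Discovered group for a VM address; otherwise Physical (inside DC) or Internet."""
    if ip in IP_TO_VM:
        return INVENTORY[IP_TO_VM[ip]][1]
    return "Physical" if in_dc(ip) else "Internet"

def recommend_rules(flows=FLOWS):
    """Collapse observed flows into group-to-group allow rules, then the default deny."""
    seen = defaultdict(set)
    for src, dst, svc, _ in flows:
        seen[(group_of(src), group_of(dst))].add(svc)
    rules = [(sg, dg, sorted(svcs), "allow") for (sg, dg), svcs in sorted(seen.items())]
    rules.append(("any", "any", ["any"], "deny"))  # zero trust: unobserved traffic is denied
    return rules
```

The recommended allow rules mirror whatever was on the wire during the capture window, so a flow that should not exist (here the App-to-Physical SMB flow) becomes an allow rule too; the flow set needs review before the rules are enforced.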
Security Operations, Audit and Compliance
- Real-time visibility into security group memberships & effective firewall rules for a VM, between VMs, and between a VM and the physical data center
- Time machine: track changes for troubleshooting or audit
- Compliance engine with a simple Google-like search interface to write policies and set alerts
- Instant alerting upon policy violation and non-compliance

Visibility Across Overlay And Underlay
- Connectivity graphs: VM to VM, VM to Physical, VM to Internet
- Hop-by-hop path across overlay (LDRs, Edge Gateways) and underlay (physical VDCs & VRFs); see the V-to-P boundary
- Correlated problems and performance metrics across virtual and physical
- See effective firewall rules and security policies across NSX and PANW in a service-chained environment
(diagram: NSX firewall, PANW virtual firewall, VXLAN overlay, converged infrastructure (e.g. UCS), VLAN, PANW physical firewall, physical network switch and router)

Simple & Contextual Search
(search prompt screenshot: "Hi Peter, what do you need help with today?")
- Single pane of glass between virtual & physical
- Google-like search for ease of use
- Time-aware search (go back in time)
- Fewer clicks to find and identify issues
- Simplified interface, reduced learning curve across admin teams

NSX Infrastructure Monitoring and Best Practices Checks
Configuration, health and consistency validation:
- VTEP-level misconfigurations
- VTEPs – underlay mapping checks
- netcpa health
- Hosts version validation
- LDR and Edge config issues
- Routing misconfigurations/issues between LDR, Edge and physical routers

Agenda
1. Software-Defined Data Center (SDDC) & Network Virtualization
2. New Security Model – Zero Trust & Micro-Segmentation
3. Micro-segmentation Beyond Application Servers
4. vRealize Network Insight
5. Use Cases / Demo
Better Data Center Networking and Security
Transform the economics of network and security operations by bringing the operational model of a virtual machine to data center networking.
- Network: Create, save, delete and restore virtual networks on demand, all without reconfiguring your physical network.
- Agility: Reduce the time to provision multi-tier networking and security services from weeks to seconds, enable faster deployment and greater agility, and provide the flexibility to run on top of any network hardware.
- Security: NSX micro-segmentation brings security inside the data center with automated fine-grain policies tied to the VMs they protect, while securely isolating networks from one another to deliver a better security model.
- NSX, the Network Virtualization Platform: Bring your leading networking and security solutions into the SDDC, take advantage of tight integration with the NSX platform to automatically deploy third-party products as needed, and adapt dynamically to changing data center conditions.
vRealize Network Insight Demo
Thank you!
Ethan Palmer, VMware Technical Specialist, VCP5-DCV, VCP6-NV
703-230-7542
Ethan.Palmer@Carahsoft.com