Andy Kennedy - Scottish VMUG, April 2016
From untrust to zero trust… Securing what comes next for the SDDC
Andy Kennedy (@packetdiscards)
Networking & Security Business Unit, EMEA, +44 7766 [email protected]
Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
© 2016 VMware Inc. All rights reserved.
From Shadow IT to the Next Unit of Compute - The blind spot indicator for cyber security
Cloud Silos: Public, Managed, Private
Application Silos: Traditional Applications, Cloud-Native Applications
Device Proliferation: Applications, Content
One Cloud, Any Application, Any Device
Bridging Two Worlds: Client-Server Era to Mobile Cloud Era
High-Level Architecture
Isolation, Segmentation, Service Insertion, Guest Introspection
Orchestration Configuration Management
DR
Backup & recovery
Log Management
SIEM
Operations Dashboard
Virtual Domain
RBAC / AAA, Policy Management
Policy Enforcement, Monitoring & Analytics
Backup & Disaster Recovery
Physical Domain, Hybrid Cloud Infrastructure
People & Process
Operations
App Team
3rd Platform Enables New Types of Apps in the Mobile-Cloud Era
Diagram: stacks shown are Hardware / OS / Application, x86 / OS / Application and x86 / Linux / Application; platforms labelled 1st Platform (Servers), 2nd Platform (Virtualization), 3rd Platform (Cloud); teams labelled Operations and App Team.
Major NSX use cases
• Intra-Datacenter Micro-Segmentation
• DMZ Anywhere
• Secure User Environments
• Security / IT Automating IT
• Developer Clouds
• Multi-tenant Infrastructure
• Agility / Disaster Recovery
• Metro Pooling
• Hybrid Cloud Networking
• Application Continuity
Microsegmentation
Topology Driven Security
Little or no lateral controls inside the perimeter (diagram: Internet-facing perimeter only)
Topology Driven Security: Operationally Infeasible
Centralized firewalls
• Create firewall rules before provisioning
• Update firewall rules when moving or changing
• Delete firewall rules when the app is decommissioned
• The problem increases with more east-west traffic
The challenge of topology driven security in the SDDC
How an SDDC Approach Makes Micro-segmentation Feasible
Security policy, Perimeter firewalls, Cloud Management Platform
Creating a zero trust model
Isolation; Explicit allow communication; Secure communications; Structured secure communications
Controls shown: NGFW, IPS, WAF
And align your controls to what you are protecting (e.g. Allow HTTPS)
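As an added example (not from the slides or VMware's own code), the following Python models the distributed, default-deny policy the slides contrast with centralized, topology-driven firewalls: rules reference workload groups rather than addresses, so provisioning or moving a workload needs no rule change, and denied east-west flows are surfaced as alerts. Group names, addresses and ports are constructed.

```python
# Constructed example (not NSX code): a topology-independent, default-deny
# segmentation policy. Rules name workload groups, never addresses, so
# provisioning, moving or retiring a workload touches the inventory, not the rules.

# Inventory: address -> security group. Unlisted addresses are "internet".
# All addresses, groups and ports below are constructed sample values.
WORKLOADS = {
    "10.0.1.10": "web",
    "10.0.1.11": "web",
    "10.0.2.20": "database",
    "10.0.3.30": "vault",
}

# Explicit-allow rules: (source group, destination group, TCP port).
# Anything else, web-to-web and web-to-vault included, is denied.
ALLOW = {
    ("internet", "web", 80),
    ("web", "database", 5432),  # constructed database port
}

def group_of(ip):
    """Map an address to its security group; unknown addresses are external."""
    return WORKLOADS.get(ip, "internet")

def evaluate(src, dst, port):
    """Default deny: a flow passes only if an explicit-allow rule matches."""
    return "allow" if (group_of(src), group_of(dst), port) in ALLOW else "deny"

def evaluate_flows(flows):
    """Return per-flow decisions plus alerts for denied east-west flows.

    A denied flow that already originates inside the perimeter is lateral
    movement a perimeter-only firewall never sees, so it is alerted on.
    """
    decisions, alerts = [], []
    for src, dst, port in flows:
        decision = evaluate(src, dst, port)
        decisions.append(decision)
        if decision == "deny" and group_of(src) != "internet":
            alerts.append(f"lateral {group_of(src)}->{group_of(dst)} "
                          f"{src}->{dst}:{port} denied")
    return decisions, alerts

def add_workload(ip, group):
    """Provision (or move) a workload: the inventory changes, ALLOW does not."""
    WORKLOADS[ip] = group
    return len(ALLOW)
```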
Adapting to Change
Application Silos: Traditional Applications, Cloud-Native Applications
Developer / IT
Challenges with Containers: Different Units of Management, Partial Visibility, Limited Security, No Compatibility (Tools)
Containers without compromise
Today: Container Engine on Linux; vSphere Integrated Containers
Security: Today (OS Level Isolation) vs vSphere Integrated Containers (Hardware Level Isolation)
Container Security
Diagram: Vulnerable Application. Labels: Internet, Port 80, four Website containers, Internal network, two Vault containers, Database.
Docker libnetwork – Options
• Bridge: Implements a way to configure new networks as isolated L2 bridges on single Docker hosts. The scope is 'local'.
• Overlay: Implements VXLAN-based overlay networking to create L2 segments to attach containers running on multiple Docker hosts.
• Remote: Implements an API to externalize network functions to 3rd party vendors / solutions.
Diagram labels: Bridge Networking, Multi-Host (Overlay) Driver, Remote (Vendor) Driver
Docker libnetwork – The Container Network Model (CNM)
• Sandbox: A Sandbox contains the configuration of a container's network stack. This includes management of the container's interfaces, routing table and DNS settings. An implementation of a Sandbox could be a Linux Network Namespace, a FreeBSD Jail or another similar concept.
• Endpoint: An Endpoint joins a Sandbox to a Network. An implementation of an Endpoint could be a veth pair, an Open vSwitch internal port or similar.
• Network: A Network is a group of Endpoints that are able to communicate with each other directly. An implementation of a Network could be a VXLAN segment, a Linux bridge, a VLAN, etc.
Source: https://github.com/docker/libnetwork/blob/master/docs/design.md
Diagram labels: External network, G/w, Bridge
Containers – do we still need a Hypervisor?
Privilege escalation can lead to container host compromise
Diagram: Internet, Port 80, four Website containers, Internal network, two Vault containers, Database (Confidential Information).
Containers – do we still need a Hypervisor?
Lack of isolation allows an attacker to move around
Diagram: Internet, Port 80, four Website containers, Internal network, two Vault containers, Database (Confidential Information).
Containers – do we still need a Hypervisor?
NSX provides segmentation, visibility and integration
Diagram: Internet, Port 80, four Website containers, Internal network, Physical Network Infrastructure, two Vault containers, Database, Datacenter, Honey Pot, Vulnerability Scanner. Micro-segmentation Alert: Connection to data center.
vSphere Integrated Containers Latest…
https://github.com/vmware/vic
http://blogs.vmware.com/cloudnative/introducing-vsphere-integrated-containers-open-source-software/
Kubernetes – POC
Diagram labels: Hypervisor (ESXi & KVM), Minion VM, Pod, vif, DFW, DLR, eth0 / eth1 / eth2, Minion Mgmt. IP Stack, mgmt network, Lx bridge. Micro-segmentation Alert: Connection to data center.
Benefits of NSX and containers
Micro-segmentation Alert: Connection to data center
• Micro-segmentation to establish clear boundaries
• Stop compromises at container or application level
• Central visibility into connectivity across the data center
• Per-flow tracking
• Alerts for suspicious behavior
• Virtual taps at a per-container level
• Integration with the rest of your IT infrastructure
• Monitoring, incident response, forensics
• Access to databases, backup, system updates
Cloud Silos: Public, Managed, Private
Public Cloud – The New Silo Infrastructure?
The Challenge: Connectivity Across Multiple Clouds
Data Center (IT Administrator) … Internet … AWS Cloud (Developer)
Ubiquitous Security for Public Cloud Workloads
NSX + Public Cloud + Containers
Locations: Sydney, Hong Kong, Palo Alto, Chicago, Dallas, Virginia, Seattle
500 Web Servers, 7 data centers, 3 continents, 2 public clouds + 1 on premise… in 5 minutes
https://www.youtube.com/watch?v=RBJ-KoAM-OQ
Operational Focus
EMC Smarts for NSX – Virtual + Physical Topology
Diagram labels: Virtual Network, Physical Network, Logical Switch, Logical Router, Leaf01, Spine01, Hypervisor
Hyper-V, On-Premises Data Center, Public Cloud, 3rd Gen Applications, Virtual Desktop, Mobile Devices
Design for the New & Accommodate The Old
Network Virtualization Next Steps with VMware NSX
virtualizeyournetwork.com
The online resource for the people, teams and organizations that are adopting network virtualization
communities.vmware.com
Connect and engage with network virtualization experts and fellow VMware NSX users
vmware.com/go/NVtraining
Build knowledge and expertise for the next step in your career
labs.hol.vmware.com
Test drive the capabilities of VMware NSX
Technology Previews
Containers & Public Cloud Tech Preview: https://youtu.be/RBJ-KoAM-OQ
Kubernetes & NSX Tech Preview: https://youtu.be/bjodui_ZhM8
Distributed Network Encryption Tech Preview