LHC1753BE
#VMworld #LHC1753BE
Case Study: How VMware NSX Is Empowering a Service Provider to Help Customers Achieve and Maintain Industry Compliance
Luke Huckaba, Principal Architect, Rackspace
Anand Iyer, Global Product Marketing, VMware
VMworld 2017 Content: Not for publication or distribution
VMware Cloud Provider Name Change
(logo slide, text not extracted: "Is Now")
#LHC1753BE CONFIDENTIAL
What Can a VMware Cloud Provider Do for You?
✓ 4500+ Cloud Providers globally
✓ Seamless integration with vSphere
✓ Same operational tools on-premises and in the cloud
✓ Value-added services, including management and support
✓ Easy on-ramp to the cloud for existing vSphere workloads
(diagram, BENEFITS / RESULTS: IaaS; Cold and Warm Migration; Seamless Connectivity (L2VPN Client); Value Added Services; Managed Hosting; Disaster Recovery; Desktop as a Service; SDDC + vCloud Director)
Agenda
• About the case study
• VMware NSX Distributed Firewall Overview
• Planning
• Implementation
• QSA Review
• Ongoing Maintenance
About the case study
About the case study
• What it is: Rackspace PCI-DSS certification for management infrastructure
• What it is not: Rackspace customer certification
– Customers attain their own certification
• Problem: Systems in scope for PCI are commingled in the same L2 network as non-PCI systems
– Option 1: Re-IP
– Option 2: Deploy VMware NSX Distributed Firewall for microsegmentation
• VMware’s NSX Distributed Firewall was leveraged to microsegment each environment
VMware NSX Distributed Firewall Overview
VMware NSX Distributed Firewall Overview
• Software VIB that runs on each ESXi host
• Stateful software firewall
• Firewall rules are applied to traffic in between the vNIC and the vSphere Distributed Switch
• Layer 2, 3 & 4 firewall rules, and up to layer 7 with 3rd party vendors/integrations
• Single management plane per vCenter
VMware NSX Distributed Firewall Overview
An NSX for vSphere network is made up of distributed network elements embedded in each hypervisor, enabling each VM to have its own firewall.
▪ Firewalls/policies provisioned simultaneously with VMs
▪ Policies move with their VMs
▪ Retiring a VM deprovisions its firewall – no possibility of stale rules
▪ State persistent across VMware vMotion®
NSX for vSphere firewalling: fully distributed, embedded in every hypervisor in the data center
Planning
Planning
• Documentation is king!
• Follow an “outside-to-in” approach
– Similar to a “top-down” approach
• Audit all traffic flows
– What systems access the VMs from outside of the virtual environment?
– Inter-VM communication across multiple vCenters
– Which VMs inside the virtual environment access systems outside of the environment?
– Inter-VM communication from within the same vCenter
Planning
(diagram: PCI and Non-PCI environments inside a vCenter, with flows labelled Outside to in, Inside to out, and Inter-VM traffic)
Planning
• Use a spreadsheet to group everything
• Four (4) key grouping objects
– IP Sets
• Group of single IPs, Subnets, IP Ranges
– Security Groups
• Group of VMs, IP Sets
– Services
• Protocol & ports
– Service Groups
• Group of services
Planning
(screenshot slides, text not extracted: IP Sets; Security Groups; Services; Service Groups; Security Policies; Applied Security Policies)
Implementation
Implementation
• Follow your documentation
• Create IP sets first
• Create Security Groups
– (diagram: IP Sets 10.1.0.0/24, 10.2.0.0/24, 10.10.7.58, and 10.4.0.0/24 + 10.5.0.0/24 feeding Security Groups and a Dynamic Security Group)
– Dynamic, based on VM Name & Security Tag (screenshot)
– Static, based on IP Set (screenshot)
– Dynamic, based on virtual datacenter, and… dynamically exclude based on objects (screenshot)
Implementation
• Follow your documentation
• Use Service Composer to create Security Policies
– Offering a service or consuming a service?
• Where is the traffic initiated from? (diagram label: vCenter)
– Offering a service (diagram labels: Security Group, Consumers, Service)
– Consuming a service (diagram labels: Security Group, Application Service, Service)
– Apply policies to security groups (diagram: the offering and consuming policies applied to several Security Groups)
– Dynamically builds firewall rules for you (screenshot)
Implementation
• After going over Service Composer, does this make better sense?
QSA Review
QSA Review
• Start with the spreadsheet
– Cover all communications starting with IP Sets, Security Groups, Services, and Service Groups
• Create Auditor-role user in NSX
– Provide overview and walkthrough of Service Composer & Security Policies
• Explain all firewall rules and how they’re generated through Service Composer
Ongoing Maintenance
Ongoing Maintenance
• Proper change control is a PCI requirement
– User A submits change request
– Member of governing group reviews and approves/denies change request
– Member of approved admins carries out change
• Maintain ‘Approved’ spreadsheet
• Ticketing system to track all changes
– Update your spreadsheet!
• Regular audits
– Quarterly, semi-annually
– Validate that what is in NSX matches what is in the ‘Approved’ spreadsheet
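The regular-audit step above, as an added example that is not the presenters' spreadsheet or an NSX export: a Python check that diffs the 'Approved' spreadsheet against the rules currently deployed in the DFW, reporting rules with no approval, approved rules that never got deployed, and (an extra check beyond the slide) rules with an 'any' source or destination. Both CSV layouts are constructed assumptions.

```python
"""Quarterly validation from the Ongoing Maintenance slide: what is in NSX must
match the 'Approved' spreadsheet. Added example; both CSV layouts below are
constructed assumptions, not the presenter's spreadsheet or an NSX export."""
import csv
import io

# Constructed 'Approved' spreadsheet: one row per change-controlled rule.
APPROVED_CSV = """\
change_ticket,source,destination,service,action
CHG-1001,SG-Mgmt,SG-PCI-Web,HTTPS,allow
CHG-1001,SG-PCI-Web,SG-PCI-DB,MySQL,allow
CHG-1002,SG-Mgmt,SG-PCI-DB,SSH,allow
"""

# Constructed export of the rules currently deployed in the DFW.
NSX_EXPORT_CSV = """\
rule_id,source,destination,service,action
1001,SG-Mgmt,SG-PCI-Web,https,allow
1002,SG-PCI-Web,SG-PCI-DB,MySQL,allow
1003,Any,SG-PCI-DB,SSH,allow
"""

KEY = ("source", "destination", "service", "action")


def rule_key(row):
    """Case- and whitespace-insensitive identity of a rule."""
    return tuple(row[k].strip().lower() for k in KEY)


def load_rules(text):
    return {rule_key(r): r for r in csv.DictReader(io.StringIO(text))}


def audit(approved_text, nsx_text):
    """Return rules deployed without approval, approved rules not deployed,
    and deployed rules whose source or destination is 'any'."""
    approved = load_rules(approved_text)
    deployed = load_rules(nsx_text)
    unapproved = [deployed[k] for k in sorted(deployed.keys() - approved.keys())]
    missing = [approved[k] for k in sorted(approved.keys() - deployed.keys())]
    broad = [r for r in deployed.values()
             if "any" in (r["source"].strip().lower(), r["destination"].strip().lower())]
    return {
        "unapproved": unapproved,
        "missing": missing,
        "broad": broad,
        "compliant": not unapproved and not missing,
    }


if __name__ == "__main__":
    result = audit(APPROVED_CSV, NSX_EXPORT_CSV)
    for r in result["unapproved"]:
        print("NOT APPROVED :", r["rule_id"], rule_key(r))
    for r in result["missing"]:
        print("NOT DEPLOYED :", r["change_ticket"], rule_key(r))
    for r in result["broad"]:
        print("ANY SRC/DST  :", r["rule_id"], rule_key(r))
    print("compliant:", result["compliant"])
```

Any finding should map back to a ticket in the change-control flow above; a rule with none is the drift the audit exists to catch.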
Thank You
Luke Huckaba @ThepHuck