Micro segmentation with Next Generation Firewall and Vmware NSX Daniel Bortolazo Thiago Koga

Posted on 20-Jan-2016


Micro segmentation with Next Generation Firewall and Vmware NSX

Daniel Bortolazo

Thiago Koga

What’s changed?

© 2015, Palo Alto Networks. Confidential and Proprietary.

THE EVOLUTION OF THE ATTACKER

• Cybercrime is now a $445 billion industry
• Cyber warfare: 100+ nations

THE EVOLUTION OF THE ATTACK

Diagram: threat types ordered by rising organizational risk:

• Known threats
• Identity compromise
• Zero-day exploits / vulnerabilities
• Evasive command-and-control
• Unknown & polymorphic malware
• Mobility threat


Changing data center characteristics

Shift to dynamic, scalable, self-provisioned compute infrastructure. Eliminate compute silos and restrictions of where a workload can run.

Diagram: today’s data center (dedicated servers + virtualization, VMs on a hypervisor), then the software-defined data center (private cloud; virtualized compute, network & storage), then hybrid (private + public cloud; virtualized compute, network & storage).

Our changing landscape

Diagram: monolithic stack (UI, app, DB, storage), then multi-tiered distributed architecture (web, app, DB and storage per application), then composed services on converged infrastructure (network, compute, storage).


Hyper-connected compute base

Diagram: web, app and DB VMs of many applications sharing the same hypervisors. Resulting problems: lateral movement and comingled policy.

Datacenter applications are heavily targeted

Crunchy perimeter, gooey interior?

Share of exploit logs by application:

• 25% MS-SQL
• 21% MS-RPC
• 15% Web Browsing
• 11% SMB
• 10% MS-SQL Monitor
• 10% MS-Office Communicator
• 4% SIP
• 3% Other
• 2% Active Directory
• 2% RPC
• 1% DNS

10 out of 1,395 applications generated 97% of the exploit logs; 9 of these were datacenter applications.

Source: Palo Alto Networks, Application Usage and Threat Report. Jan. 2013.

Requirements for the future

DETECT AND PREVENT THREATS AT EVERY POINT ACROSS THE ORGANIZATION

• At the internet edge
• Between employees and devices within the LAN
• At the data center edge, and between VMs
• At the mobile device
• Cloud: within private, public and hybrid clouds


APPLIED TO THE CONNECTED INFRASTRUCTURE

Diagram (retail example): external access from online consumers and from partners and suppliers over the Internet, including credit card authorization & transactions; corporate HQ and warehouse (WiFi, WMS) and stores, small to large (store manager station, POS), connected over a private WAN; datacenter(s) hosting Internet and extranet DMZ zones, ERP & corporate functions, inventory management, analytics, eCommerce, customer support & management, inventory/distribution tracking and all other corporate functions.

END-TO-END PROTECTION AND PREVENTION

Firewalls placed at each point of the same diagram:

Internet Gateway:
• Visibility and control of ALL internet traffic
• Control over partners/suppliers access (segmentation)
• Inspection of all traffic for known and unknown threats

Datacenter:
• Perimeter: high performance control and inspection of all traffic
• Segmentation into zones of similar security profile

Virtualized datacenter:
• Regain visibility and control into East-West traffic (VM-to-VM)

And can create a zero trust model

Stages: isolation; explicit allow communications; secure communications; structured secure communications.

Diagram: VM groups separated by NGFW and IPS; web servers, DB and app VMs with IPS and WAF in front of them.

And align your controls to what you are protecting

VM-Series Deployment Options

VMware vSphere Hypervisor (ESXi)
• VM-100, VM-200, VM-300, and VM-1000-HV deployed as Guest VM on VMware ESXi
• Virtual Networking configured to pass traffic through VM-Series – L2, L3, vWire, Tap
• ESXi 4.1 and 5.0 for PAN-OS 5.0 and ESXi 5.5 for PAN-OS 6.0

VMware NSX
• VM-1000-HV for NSX deployed as a service with VMware NSX and Panorama
• Automated deployment, transparent traffic steering, dynamic context-sharing
• Filter traffic prior to network decisions - Ideal for East-West traffic inspection

VMware vSphere and vCloud Air
• VM-100, VM-200, VM-300, and VM-1000-HV deployed as guest VMs on VMware ESXi
• Deployed as part of virtual network configuration for East-West traffic inspection
• Protects hybrid cloud when used in vCloud Air

VMware NSX Software Networking Platform

Provides faithful reproduction of network & security services in software: switching, routing, firewalling, load balancing, VPN, connectivity to physical.

Diagram: the NSX platform (NSX vSwitch, NSX Controller) runs on any network hardware and provides the logical switch, logical router, logical firewall and logical load balancer.

VMware NSX: Virtualize the Network

Diagram: an NSX vSwitch in each hypervisor, delivering logical switching, logical routing, load balancing, physical-to-virtual connectivity, and firewalling & security.

One-Click Deployment via Cloud Management Platform

The Need for a Comprehensive Security Solution

VMware NSX Platform – NSX Distributed Firewall
• VM level zoning without VLAN/VXLAN dependencies
• Line rate access control traffic filtering
• Distributed enforcement at Hypervisor level

Palo Alto Networks Next Generation Security – Next Generation Firewall
• Protection against known and unknown threats
• Visibility and safe application enablement
• User, device, and application aware policies

Sophisticated Security Challenges
• Applications are not linked to port & protocols
• Distributed user and device population
• Modern Malware

Advanced Services Insertion – Example: Palo Alto Networks NGFW

Diagram: the security admin defines the security policy; the NSX Controller applies traffic steering on each physical host (hypervisor vSwitch with its VMs) so that VM traffic passes through the inserted Palo Alto Networks NGFW on its way to the Internet or to other VMs.

Automated Security in a Software-Defined Data Center: Data Center Micro-Segmentation

Diagram (two slides): web (W), app (A) and database (D) VMs, shown first grouped by tier and then intermixed across hosts.

Automated Security in a Software Defined Data Center: Quarantine Vulnerable Systems until Remediated

Service Composer (cloud management, virtual network) policy definition:

• Security Group = Quarantine Zone; Members = {Tag = ‘ANTI_VIRUS.VirusFound’, L2 Isolated Network}
• Security Group = Web Tier

• Standard Desktop VM Policy: Anti-Virus – Scan
• Quarantined VM Policy: Firewall – Block all except security tools; Anti-Virus – Scan and remediate
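The quarantine workflow above, as an added example that is not part of the original deck and not NSX or Service Composer code: a constructed model in which a VM's security-group membership follows its tags, the `ANTI_VIRUS.VirusFound` tag from the slide moves it into the Quarantine Zone, and the distributed firewall then permits only traffic to security tools until the tag is cleared. The `av-server` host name and the `detect`/`clean` events are assumptions.

```python
from dataclasses import dataclass, field

# Constructed model (not NSX code) of the Service Composer flow on the slide:
# a VM's security-group membership follows its tags, each group carries a
# policy, and the DFW enforces the policy of the group the VM is in right now.
QUARANTINE_TAG = "ANTI_VIRUS.VirusFound"   # tag name from the slide
SECURITY_TOOLS = {"av-server"}              # hypothetical remediation host
TIER_GROUPS = {"web": "Web Tier"}           # static tier-to-group mapping


@dataclass
class VM:
    name: str
    tier: str                               # "web" or "desktop"
    tags: set = field(default_factory=set)


def security_group(vm: VM) -> str:
    """Dynamic membership: the quarantine tag overrides the static group."""
    if QUARANTINE_TAG in vm.tags:
        return "Quarantine Zone"
    return TIER_GROUPS.get(vm.tier, "Standard Desktop")


def policy(vm: VM) -> dict:
    """Policy attached to the VM's current security group (from the slide)."""
    if security_group(vm) == "Quarantine Zone":
        return {"firewall": "block all except security tools",
                "antivirus": "scan and remediate"}
    return {"firewall": "group rules", "antivirus": "scan"}


def allowed(src: VM, dst_name: str) -> bool:
    """DFW decision for a flow leaving src under its current policy."""
    if policy(src)["firewall"] == "block all except security tools":
        return dst_name in SECURITY_TOOLS
    return True


def apply_events(vm: VM, events: list) -> list:
    """Replay AV events ('detect'/'clean') and return the group after each."""
    history = []
    for event in events:
        if event == "detect":
            vm.tags.add(QUARANTINE_TAG)      # AV service tags the VM
        elif event == "clean":
            vm.tags.discard(QUARANTINE_TAG)  # AV clears the tag after remediation
        history.append(security_group(vm))
    return history
```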

On Demand Micro-Segmentation

Diagram: web, app and database VMs placed in a PRIVATE segment with no external connectivity.

NSX-PAN Use Case: PCI Zone Segmentation

Diagram: Internet-facing Dev Zone, Prod Zone and PCI Zone, each protected by the NSX DFW and the PAN VM-Series FW managed by Panorama.

PAN provides Intrusion Prevention (IPS), Application & User Based Access Control and Malware Prevention

NSX-PAN Use Case: Secure Web DMZ

Diagram: Internet, WEB DMZ, APP Tier and DB Tier, protected by the NSX DFW and the PAN VM-Series FW managed by Panorama.

• Line rate processing of traffic allowed to enter the DC
• WEB and other protocols deep inspection
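The PCI-zone and Web-DMZ use cases above combine the two controls in sequence. As an added example (not from the deck, and not NSX or PAN-OS code), this constructed model applies the DFW's line-rate zone/port rules first and then steers flows bound for a protected zone through a VM-Series App-ID check, so a permitted port carrying an unexpected application is still dropped. Zone names are from the slides; the rule table, ports and expected applications are assumptions.

```python
from typing import NamedTuple

# Constructed model (not NSX or PAN-OS code) of the two-stage enforcement in
# the PCI-zone and Web-DMZ use cases: the NSX Distributed Firewall applies
# line-rate zone rules in the hypervisor, and flows it permits into a
# protected zone are steered to the PAN VM-Series for App-ID/IPS inspection.
# Zone names come from the slides; rules, ports and sample flows are constructed.


class Flow(NamedTuple):
    src_zone: str
    dst_zone: str
    port: int
    app: str        # application identified by deep inspection, e.g. "mysql"


# DFW zone rules: (src, dst) -> permitted ports; anything unlisted is dropped.
DFW_RULES = {
    ("Internet", "WEB DMZ"): {80, 443},
    ("WEB DMZ", "APP Tier"): {8443},
    ("APP Tier", "DB Tier"): {3306},
    ("Prod Zone", "PCI Zone"): {443},
}
# Destination zones whose permitted flows are steered to the VM-Series.
INSPECTED_ZONES = {"WEB DMZ", "DB Tier", "PCI Zone"}
# Application the VM-Series expects on each port; a mismatch (for example
# a tunnelled protocol riding on 443) is blocked by App-ID.
EXPECTED_APP = {80: "web-browsing", 443: "ssl", 8443: "ssl", 3306: "mysql"}


def dfw_permits(flow: Flow) -> bool:
    """Stage 1: zone/port check done at line rate by the DFW."""
    return flow.port in DFW_RULES.get((flow.src_zone, flow.dst_zone), set())


def vm_series_permits(flow: Flow) -> bool:
    """Stage 2: App-ID check; the identified app must match the port's role."""
    return EXPECTED_APP.get(flow.port) == flow.app


def enforce(flow: Flow) -> str:
    """Return the verdict and which control produced it."""
    if not dfw_permits(flow):
        return "drop:dfw"
    if flow.dst_zone in INSPECTED_ZONES:
        return "allow:vm-series" if vm_series_permits(flow) else "drop:vm-series"
    return "allow:dfw"
```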

NSX-PAN Use Case: VDI Internet Access

Diagram: virtual desktops (VDI) in the SDDC reach the Internet and a back-end application (WEB tier, APP tier, DB tier); WEB browsing protocols inspection.

Next-generation security for Public Cloud scenarios

• VPC gateway: Full next-generation firewall security for VPC traffic. Enable applications, prevent known/unknown threats, user-based access control
• Hybrid cloud (IPSec VPN): Extend physical data center/private cloud to AWS; IPSec VPN + full NGFW feature set
• VPC-to-VPC protection: Gateway + hybrid to control traffic between VPCs; block known and unknown threats from moving laterally
• GlobalProtect remote access VPN: Leverage AWS ubiquitous access and built-in resiliency for remote/mobile users. Extend full next-generation security policies to all users, all locations, all types of devices

Diagram: Dev and Test VPCs each hosting App1 and App2.

Securing the datacenter: physical, cloud, hybrid

• Consistent NGFW security in both virtual and physical form factors
• Zero Trust principles protect applications and data
• Prevent cyber threats – inbound and across VMs
• Dynamic policy updates eliminate app-vs-security lag
• Centralized management and orchestration

Diagram: SDDC/private cloud (with a credit card zone) and public cloud, both on virtualized compute, network and storage.

More Information

• HOL-PRT-1672: http://labs.hol.vmware.com/HOL/catalogs/lab/2061 – Deploying Palo Alto Networks Next-Generation Security Platform with VMware NSX

Better together to increase your security within the Data Center