Martin Kniffin, Product Manager, VMware
Kausum Kumar, Senior Product Manager, NSX, VMware
Terry Chatman, Information Systems Specialist, Vallejo Sanitation
SIE3196BU
#VMworld #SIE3196BU
Limit Your Cyber Attack Footprint with Endpoint Security and Micro-Segmentation from VMware NSX and AirWatch
VMworld 2017 Content: Not for publication or distribution
Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
#SIE3196BU CONFIDENTIAL 2
Agenda
1 VMware for Security
2 Introducing Workspace One & AirWatch
3 Integration of AirWatch and NSX
4 Customer Deployment Story
Why VMware for Security
Strategic IT Priorities
• Modernize Data Center
• Integrate Public Clouds
• Empower Digital Workspace
• Transform Security
Digital Transformation
Business Outcomes
• Business Agility & Innovation
• Exceptional Mobile Experiences
• Protect Brand & Customer Trust
Key Security Objectives to Address
Maintain Security & Compliance
Trust Any User
Secure Any Application
Manage Any Endpoint
Protect Data Center
Detect Cyber Threats
Integrated and Seamless End-to-End Security
VMware Vision to Transform Security
A ubiquitous software layer across application infrastructure and endpoints:
• On-Premise Data Centers
• New app frameworks
• Mobile Devices
• Virtual Desktops (VDI)
• Branch offices
• Public clouds
• vCloud Air Network
…This Means Security Is Everywhere
Ubiquitous software layer providing:
• Visibility
• Policy
• Service Insertion
• Context
Workspace ONE
Workspace ONE app types:
• Internally developed mobile apps
• Native public mobile apps
• SaaS apps
• Internal web apps
• Modern Windows apps
• Legacy Windows apps
• Virtualized management desktops
VMware AirWatch
Any Endpoint, Any Use Case
• Knowledge worker: Corporate | BYO
• Task worker: Line of Business
• No user: Kiosk | IoT
Modern Management Framework
• Out-of-box configuration
• Policies and security settings
• Over-the-air management and updates
• Asset tracking
• Full lifecycle management
AirWatch Application Security
• Application Wrapping: add security and management capability to already-developed applications
• Software Development Kit (SDK): add advanced security and management capabilities during development
• Native O/S MAM via Workspace Services Profile: standard for enterprise apps to interpret configurations and policies
• Stand Alone MAM via App Container
Per-App VPN
• seamless user experience with minimal interaction
• simplified and automatic certificate management via WS1
• per-app versus whole-device model
• licensing included with WS1
• streamlined maintenance
VMware Tunnel – Enhanced Network Security
• App-level, enhanced security
– TLS v1.2
– SSL Pinning
– Compliance Validation
• Multiple factors of authentication: application, user, device
• Certificate Authentication
Any App, Any Device
Diagram: any app on any device reaching Enterprise Systems through VMware Tunnel
Device Restriction > App Restriction > Domain Restriction > Network Restriction
VMware NSX
Personalized DMZ
DMZ-like security tailored for any endpoint & any application
VMware AirWatch and NSX
AirWatch & NSX Integration extends security beyond your mobile device and into the datacenter by integrating identity, application, and enterprise mobility management with micro-segmentation.
NSX Value Proposition
• “Network platform”: virtual networks running on the virtualization layer that abstracts network, storage and compute
• The network virtualization solution for the Software-Defined Data Center
• Network and security services now in the hypervisor
Diagram: application VMs attached to virtual networks on top of the virtualization layer
Micro-Segmentation: A firewall for every workload
Diagram: Web, App and DB tiers of VMs, each workload with its own firewall
Granular Policy Enforcement: enables a zero trust security model with policy enforced at every workload
Introducing the AirWatch & NSX Integration
AirWatch & NSX Integration: Data center security for mobile workflows
Diagram comparing access models:
• Device Level VPN – Full Network Access
• App Level VPN – Select Network Access
• App Level VPN – Full Network Access
Building blocks: EMM Data Center Policies, Intelligent Networking, Micro Segmentation
Who Can Use VMware AirWatch and NSX Integration?
• Workspace™ ONE™ Advanced & Enterprise
• Blue & Yellow
• Advanced & Enterprise
Integrated Solution Components
• VMware AirWatch 8.3+
– AirWatch Tunnel Server
– AirWatch Cloud Connector (For SaaS Customers)
• VMware NSX 6.2.x or 6.3.x
– NSX Manager
– NSX Distributed Firewall
– NSX Edge Services Gateway (Optional)
Note: vSphere hypervisor required for NSX
Device Support
Per-App VPN APIs built into these platforms: iOS 7+, Android 5.0+, Windows 10
Application Support
Public, Internal, Built In, Proprietary
Mobile Apps Accessing the Datacenter
Diagram: Internet | DMZ | Intranet zones separated by a perimeter firewall and an internet firewall; an app-level VPN with full network access enters on port 8443 and reaches the corporate data centre apps (App1, App2 and App3 servers)
How do I create an app-specific “Personal DMZ” in here?
NSX Micro-segmentation
NSX secures East-West communication of the App
Diagram: the same Internet | DMZ topology (perimeter firewall, internet firewall, app-level VPN with full network access on port 8443); inside the data centre the NSX Distributed Firewall places the corporate apps in Security Groups “App1”, “App2” and “App3”
Personal DMZ: Securing access to an application from a mobile device
Diagram (numbered steps 1–6 are not recoverable from the extraction):
• Perimeter firewall and internet firewall in front of the VMware Tunnel Server, which sits in Security Group “Proxy” on the tunnel subnet 10.1.1.0/24
• Data-centre Security Groups “Intranet” and “Sensitive Data”
• Security Group “Chrome-App” with “@airwatch” in its description, backed by IP Set “Chrome-App” {10.1.1.8/30}
• “Chrome” App VPN traffic leaves the tunnel server with Source = 10.1.1.9, which falls inside that IP Set
• NSX Manager holds the Security Policy applied to SG “Chrome-App”; an X marks the path the policy blocks
Personal DMZ: High Availability
Diagram: as the previous slide, with two tunnel servers behind an NSX Edge LB (SSL pass-through, sticky session):
• AirWatch Tunnel Server A and AirWatch Tunnel Server B, x 50,000* each
• Chrome App VPN Source = 10.1.1.9 and Source = 10.1.1.10 (one per tunnel server); both fall inside IP Set “Chrome-App” {10.1.1.8/30} on subnet 10.1.1.0/24, so the same Security Policy on Security Group “Chrome-App” (“@airwatch” in description) applies
• Security Groups “Proxy”, “Intranet” and “Sensitive Data” as before
* 4 CPU Cores, 16GB RAM
Personal DMZ: High Availability and Multiple Apps
Diagram: the HA design extended to a second app:
• AirWatch Tunnel Server A and Server B behind the NSX Edge LB (SSL pass-through, sticky session), x 50,000* each
• “Chrome” App VPN: Source = 10.1.1.9 and 10.1.1.10 (one per tunnel server); Security Group “Chrome-App” (“@airwatch” in description), IP Set “Chrome-App” {10.1.1.8/30}
• “Oracle” App VPN: Source = 10.1.1.13 and 10.1.1.14 (one per tunnel server); Security Group “Oracle-App” (“@airwatch” in description), IP Set “Oracle-App” {10.1.1.12/30}
• Tunnel subnet 10.1.1.0/24; Security Groups “Proxy”, “Intranet” and “Sensitive Data” as before; an X marks traffic from SG “Oracle-App” that the policy blocks
* 4 CPU Cores, 16GB RAM
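The per-app VPN source addresses, IP Sets and Security Groups on the Personal DMZ slides above form a small policy chain, and the following added example (not VMware code and not the NSX API) models it so the design can be checked before it is entered in NSX Manager: tunnel egress IP → IP Set → Security Group → Distributed Firewall rule, with the DFW default deny underneath. The IP Sets and source addresses are the ones on the slides; the rule table, the Oracle port, the server addresses and the group descriptions are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# IP Sets from the slides: each app's tunnel egress addresses inside the
# tunnel subnet 10.1.1.0/24; a /30 covers both HA tunnel servers.
IP_SETS = {
    "Chrome-App": ipaddress.ip_network("10.1.1.8/30"),
    "Oracle-App": ipaddress.ip_network("10.1.1.12/30"),
}

# Security Groups: app groups match an IP Set dynamically and carry "@airwatch"
# in the description (the slides' marker for groups AirWatch syncs). Server
# membership of the data-center groups is constructed for this example.
SECURITY_GROUPS = {
    "Chrome-App": {"ipset": "Chrome-App", "description": "Chrome per-app VPN @airwatch"},
    "Oracle-App": {"ipset": "Oracle-App", "description": "Oracle per-app VPN @airwatch"},
    "Intranet": {"hosts": {"10.2.0.10"}, "description": "intranet web tier"},
    "Sensitive Data": {"hosts": {"10.3.0.20"}, "description": "database tier"},
}

@dataclass(frozen=True)
class Rule:
    source_sg: str
    dest_sg: str
    port: int
    action: str

# Constructed DFW section; anything not matched hits the DFW default deny.
RULES = [
    Rule("Chrome-App", "Intranet", 8443, "allow"),
    Rule("Oracle-App", "Sensitive Data", 1521, "allow"),
]

def synced_groups() -> list:
    """Groups AirWatch would import: those with @airwatch in the description."""
    return sorted(n for n, g in SECURITY_GROUPS.items() if "@airwatch" in g["description"])

def member_of(ip: str, sg: str) -> bool:
    """Dynamic membership: IP Set match for app groups, static hosts otherwise."""
    group = SECURITY_GROUPS[sg]
    if "ipset" in group:
        return ipaddress.ip_address(ip) in IP_SETS[group["ipset"]]
    return ip in group["hosts"]

def evaluate(src_ip: str, dst_ip: str, port: int) -> str:
    """First matching DFW rule wins; with no match the default rule denies."""
    for r in RULES:
        if r.port == port and member_of(src_ip, r.source_sg) and member_of(dst_ip, r.dest_sg):
            return r.action
    return "deny"
```

Because both tunnel servers' egress addresses sit inside the same /30, a failover from Server A to Server B changes nothing in the policy, while any other address on 10.1.1.0/24 (a device-level VPN, for instance) is denied by default.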
NSX and AirWatch Integration
Diagram: Stateful DFW; Distributed Segmentation with Network Overlay Isolation
• NSX Manager with the NSX for AirWatch Admin Console, reached through the VMware Enterprise Systems Connector
• Security Groups SG1, SG2, SG3 and SG4 with controlled communication between them (STOP on the blocked path), governed by policy
• NSX Edge and Distributed Logical Router; Logical Switches over a VLAN-backed DVS and a Transit Network
• NSX Edge (LB, SSL pass-through, sticky session) in front of two VMware Tunnel servers in the Datacenter
NSX Administration
Syncing Security Groups in AirWatch
Mapping Mobile Apps to Security Groups in AirWatch
VMware AirWatch & NSX Policies
Advanced security between an AirWatch-managed device and the NSX micro-segmented cloud data center
Demo Video
Real World Use Cases and Customer Example
Real World Use Cases: End-to-End Security for the Digital Workspace
• Healthcare – Simplify mobile security access and control for clinician mobility (Data Center Security for Mobile Workflows)
• Government – Remove hurdles for supporting access to enterprise mobile apps (Accelerate BYOD Deployments)
• Retail – Treat all mobile users and applications as insecure inside the datacenter (Policy Defined Network Access for Mobile)
• Finance – Limit access to corporate data if user, device, app or network is compromised (Limit EMM Footprint Inside Datacenter)
Vallejo Sanitation Success Story
Terry Chatman, Information Systems, Vallejo Sanitation and Flood Control District
Vallejo’s Solution Components
• VMware NSX 6.2.0
– NSX Manager
– NSX Distributed Firewall
– NSX Edge Services Gateway (Optional)
• VMware Horizon 6.2.1
• VMware 5.5
• VMware AirWatch 8.3+
– AirWatch Tunnel Server
– AirWatch Cloud Connector (For SaaS Customers)
• Palo Alto Networks
– VM-1000-HV 7.19
– Panorama 8.0
– PAN-OS 7.18
– Palo Alto Traps
Who Are We and How Did We Get There?
• Located near San Francisco
• Serve 120,000 residents
• 84 employees at the District
• Manage over 300 devices in core network
• 8 Physical Hosts, 4 with VDI acceleration
• 150 Virtual machines and Templates
• Energy savings around $50k a year after moving to 97% virtualization
• Cut costs without having to buy networking hardware, able to provision in a matter of minutes, not weeks, keep staffing and OT to a minimum level
Out with the Old Way of Thinking…
Diagram: Corporate Network with separate APP DMZ and SQL DMZ zones spread across two ESX hosts
Micro-segmentation
Diagram: the same two ESX hosts after micro-segmentation
Diagram: virtual machines and an active server on a virtual network across four physical hosts with shared storage, fronted by an NSX ESG virtual machine
Diagram: AirWatch Blue, RDSH Pool, VMware NSX, VM-1000-HV, Panorama, AirWatch Tunnel
Pain Points
How did we fit NSX into our existing Brownfield Environment?
• Best practice to obtain a wildcard cert from an outside Certificate Authority; get away from any self-signed certs!
• Use VMware standard ports on vSphere, it will come back and bite you!!
• Obtain the Palo Alto NSX bundle, not separate virtual firewalls
• Migration of previous provider firewall rules into NSX and Palo Alto
• CentOS for AirWatch was a bare-bones install; you will have to install many components for the AirWatch tunnel
• Troubleshoot with NSX in mind, don’t get into the Bang-Head-Here scenario!!
• Evaluate the different levels of packages before you purchase; you may need a feature down the road that your platform does not support!!
What NSX with Palo Alto Networks Integration Allows Us to Do
Diagram: traffic flagged as Phishing Attempt? Spam! Ransomware? Malware?
Learn More & Free Trials
LEARN MORE
• VMware AirWatch: www.airwatch.com/
• VMware NSX: www.vmware.com/products/nsx/
FREE TRIALS
• VMware AirWatch: http://www.airwatch.com/lp/free-trial
• VMware NSX: www.vmware.com/products/nsx/nsx-hol