Software Defined Data Centers: Network Virtualization & Security
Jeremy van Doorn, Director of Systems Engineering EMEA, Network & Security
“My business and its IT organization are being engulfed by a torrent of digital opportunities. We cannot respond in a timely fashion, and this threatens the success of the business and the credibility of the IT organization.”
— Worldwide CIO Survey, Gartner, 2014
The Driving Forces Behind the Liquid World
• To stimulate growth and drive competitive advantage
• Amaze customers and empower employees
• Manage risk and protect brand value
Harnessing Mobile and Cloud Is Challenging
[Figure: cloud and mobile icons over a binary-stream graphic]
• Slow technology adoption rates
Time for a New Model of IT
• High user expectations
• Slow responses
• Privacy issues
• Integration problems
• Service outages
• Shortage of right skills
• Declining budget
• Different applications
• Aging infrastructure
• Security
• Proliferation of devices
• Fragmented data center
• Limited resources
• Cloud silos
VMware: Your Best Partner for Brave New IT
Optimized for rapid development and delivery of all applications, for safe consumption on any device: instant, fluid, secure.
• Software-Defined Agility (Instant): instant provisioning, delivery, and access from data center to device
• Seamless Hybridity (Fluid): unified private and public clouds to dynamically deploy any app or workload
• Intrinsic Security (Secure): enhanced security native to apps, infrastructure, and devices
Conventional Approach to IT
Traditional applications and modern, cloud applications run in separate silos: on-premises, outsourced, and public cloud.

VMware Architecture for IT
• Any Application: traditional applications and modern, cloud applications
• One Cloud: cloud management across the hybrid cloud, spanning private (your data center), public (vCloud Air), and managed (vCloud Air Network) clouds
• Software Defined Data Center: virtualized compute, network, and storage on build-your-own, converged, or hyper-converged infrastructure
• Any Device: business mobility across applications, devices, and content
One Cloud, Any Application
• Any Application, Anywhere: architect, deploy, and run all traditional and modern applications
• Open Management: flexible choice to manage your cloud infrastructure and your applications
• Unified Platform: on- and off-premise cloud with a common Software-Defined Data Center platform, built on VMware’s best-in-class compute, network, and storage virtualization solutions
Hybrid cloud: private (your data center), managed (vCloud Air Network), public (vCloud Air)

The Software-Defined Data Center Approach
Ideal Architecture for the Hybrid Cloud
• All infrastructure services virtualized: compute, networking, storage
• Control of data center automated by software (management, security)
• Unified platform for existing and new apps, delivered to many devices
Hybrid cloud stack: management over virtualized compute, networking, and storage
Two Different Paths Forward: Hardware-Defined or Software-Defined Architecture?
• Hardware-Defined Approach: intelligence lives in proprietary hardware under a thin software layer, with manual operations; IT struggles to keep up.
• Software-Defined Approach: intelligence lives in the software layer on top of existing hardware, with automated operations; IT moves at the speed of the business.
Is SDDC a Proven Architecture?
• Google / Facebook / Amazon data centers: a custom application on a custom platform, with software/hardware abstraction over any x86, any storage, any IP network
• Software Defined Data Center (SDDC): any application on the SDDC platform, with data center virtualization as the software/hardware abstraction over any x86, any storage, any IP network
• Hardware Defined Data Center (HDDC): any application on an HDDC platform built from integrated x86, integrated storage, and a vendor-specific network (vertical integration)
SDDC Architecture is Future Proof
The same SDDC platform (data center virtualization over any x86, any storage, any IP network, running any application) extends from a single data center to inter-data center and hybrid data center deployments.
VMware Cloud Management
The Control Plane for the Software-Defined Data Center and the Hybrid Cloud
• Cloud Operations: intelligent, automated operations with comprehensive visibility from apps to storage (service health, capacity optimization, configuration standards)
• Cloud Automation: automated, self-service delivery of personalized IT services (service catalog, governance, release automation)
• Cloud Business: complete transparency into costs and quality of all IT services (cost transparency, benchmarking, service quality management)
• A cloud management platform purpose-built for heterogeneous datacenters and hybrid cloud
• Extends vCloud Suite to manage OpenStack, AWS, Hyper-V, KVM, and vCloud Air
• Works with modern and traditional application architectures
• Choice of on-prem or SaaS delivery model
OpenStack Runs Best on VMware
VMware Integrated OpenStack: deliver the OpenStack APIs developers want
• Best-of-breed compute, network, storage
• Elegant, rapid, and simplified operations
• Single support contact
• Best of all: free for vSphere Enterprise Plus users
vSphere – The Best Platform for All Applications
Workloads: scale-up apps / business critical apps, containers, Integrated OpenStack, desktop virtualization, scale-out applications
Capabilities
• Scalability enhancements (VMs and Clusters) for all application workloads
• Desktop Virtualization – 2D/3D Graphics, Instant Clone
• OpenStack on vSphere = Success
• Big Data Extensions and Pivotal CF (PaaS) Support
• Linux Container Support
Benefits and Proof Points
• Increased scalability and performance
• SAP Hana – 400% performance gains over RDBMS and 9x gains in planning load times
• Rapid deployment of desktop virtual machines in seconds
• 10x faster than in previous releases
• Productivity and portability for application developers
• Deliver Choice of Architecture
And many more…
• Rapid development, automated deployment and secure consumption of all enterprise apps
• Choice in datacenter automation and management
• Best-in-class VMware technologies across hybrid clouds
Unified Platform | Any Application | Flexible Control
VMware Software-Defined Storage Architecture
VMware vSphere with Storage-Policy Based Management over VMware Virtual SAN™ and Virtual Volumes (VVOL-enabled arrays from storage partners)
Network Virtualization
VMware NSX™: The Network Hypervisor
Virtual networks run over the vSwitch in each hypervisor, with 50+ additional partners.
New Model for Security: Micro Segmentation
Bridging Two Worlds
Network Virtualization is at the core of an SDDC approach
• Traditional approach: network, storage, and compute under a virtualization layer
• Software Defined Data Center approach: network, storage, and compute under a virtualization layer plus a “network hypervisor” that delivers virtual data centers
Non-disrupting deployment
The Power of Distributed Services
Network and security services (switching, routing, firewalling/ACLs, load balancing) are now distributed in the hypervisor:
• High throughput rates
• East-west firewalling
• Native platform capability
• Programmatically provisioned
Network & security services are distributed to the virtual switch; the physical network becomes a high-speed IP backplane.
Native isolation: separate virtual networks can carry overlapping addresses (192.168.2.10 and 192.168.2.11 appear in each).
Support for physical workloads and VLANs
Security in the Software Defined Data Center
More Security Spend ≠ More Secure (source: Copyright 2014 Trend Micro Inc.)
• $71.1 B: worldwide 2014 information security spending
• 46%: increase in 2015 security technology spend
• 1,208: number of new cybersecurity companies (solutions) since 2010
Yet …
• 312: average number of days a zero-day vulnerability goes undetected and/or unpatched
• >$455 B: total cost of cybercrime in 2014
• 43%: of organizations reported datacenter breaches in 2014
Traditional security has little meaning in a borderless Software Defined Data Center
• Insufficient visibility into East-West traffic & inter-VM attacks
• Static policies cannot keep up with dynamic workloads
• Service provisioning is slow, complex & error-prone
• Disparate security solutions and a lack of uniform policies across clouds create an operational nightmare
Traditional approaches to reduce breaches inside the Data Center perimeter
Adding more internal security requires placing more security controls across workloads.
Physical Security Appliances (at the data center perimeter, facing the Internet)
• Optimized for Data Center Perimeter
• Cost prohibitive: thousands needed
• Configuration and security policies restricted by network topology
• Inefficient “choke point”
• Impractical for lateral coverage
Virtual Security Appliances Today
• Lacks selective traffic inspection for smarter security
• Hair-pinning impacts performance
• Limited segmentation capabilities
• Lacks dynamic provisioning, deployment and scale out
Data Center Security Options: Secure Perimeter vs. Zero-Trust Pervasive Security
Problem: Data Center Network Security
Perimeter-centric network security has proven insufficient (little or no lateral controls inside the perimeter), and micro-segmentation is operationally infeasible.
Why traditional approaches are operationally infeasible…
With perimeter firewalls between the Internet and the workloads, every workload change is a firewall change:
• Create firewall rules before provisioning
• Update firewall rules when workloads move or change
• Delete firewall rules when the app is decommissioned
• The problem increases with more East-West traffic
How an SDDC approach makes micro-segmentation feasible
The cloud management platform drives the security policy, while perimeter firewalls remain at the Internet edge.
A “Zero Trust” model becomes operationally feasible: logically align controls to what you are protecting.
• Isolation: no communication path between Application A and Application B
• Explicit allow communication: App Tier to DB Tier only over the permitted service (e.g. TCP/1433)
• Secure communications via service insertion: IPS (intrusion protection), FIM (file integrity), AM (anti-malware), WR (web reputation)
Delivers higher levels of data center security:
1. Isolation and segmentation
2. Unit-level trust / least privilege
3. Ubiquity and centralized control
Micro-segmentation: Intelligent grouping
Groups defined by customized criteria: operating system, machine name, application tier, services, security posture, regulatory requirements
There is a BIG difference…
Physical Firewalls
• Traditional rule management & operations
• Chokepoint enforcement
• Physical firewalls (~100 Gbps)
Virtual Firewalls
• Traditional rule management & operations
• Chokepoint enforcement
• Virtual firewalls (~1 Gbps)
Distributed Firewalling
• Automated policy management & operations
• Distributed enforcement
• vSphere kernel-based performance
• Distributed scale-out capacity (20 Gbps/host)
SDDC Platform – “Zero Trust” is Now Operationally Feasible
Hypervisor-based, in-kernel distributed firewalling
• High throughput rates on a per-hypervisor basis (20 Gbps firewalling throughput per host)
• Every hypervisor adds additional east-west firewalling capacity
• Native feature of the VMware NSX platform
Platform-based automation
• Automated provisioning and workload adds/moves/changes
• Accurate firewall policies follow workloads as they move
• Audit compliance
Data center micro-segmentation becomes operationally feasible
NSX Platform Extensibility… With Advanced Security
• Add leading security solutions to your micro-segmentation deployment for greater security
• Apply the SDDC operational model to 3rd-party security products
• Adapt to changing security conditions in the data center by enabling security solutions to share intelligence
Traditional Data Center: static service chain
In a traditional data center, security services must be configured when the network is architected, meaning the “chain” of services is locked in once deployed. This is an inefficient use of resources and cannot defend against changing threat conditions.
NSX Data Center: dynamic service chain
In an NSX data center, 3rd-party security solutions use NSX security tags to share intelligence, adapting to changing security conditions. NSX automatically applies the correct security function as needed.
Advanced Services Insertion – Example: Palo Alto Networks NGFW
Elements: Internet, security policy, security admin, traffic steering.
Automated Security in a Software Defined Data Center: Quarantine Vulnerable Systems until Remediated
Policy Definition
• Security Group = Standard
  Standard Policy: Anti-Virus – Scan
• Security Group = Quarantine, Members = {Tag = ‘ANTI_VIRUS.VirusFound’}
  Quarantined Policy: Firewall – Block all except security tools; Anti-Virus – Scan and remediate
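The following is an added illustration, not VMware or NSX code: a small Python model of the three mechanisms the deck relies on, namely security groups whose membership is computed from workload attributes (the "intelligent grouping" slide), a distributed firewall rule set that is evaluated identically on every hypervisor so the policy follows a workload when it moves (the "operationally infeasible" versus "operationally feasible" slides), and the tag-driven quarantine policy just described. Only the tag name `ANTI_VIRUS.VirusFound`, the group names Standard and Quarantine, and the App-tier-to-DB-tier service TCP/1433 come from the slides; the workload names, addresses, hosts, the web-to-app port 8443 and the rule priorities are constructed for the example.

```python
from dataclasses import dataclass, field

# Tag name taken from the slides; everything else in this file is constructed.
QUARANTINE_TAG = "ANTI_VIRUS.VirusFound"


@dataclass
class Workload:
    """One VM as the distributed firewall sees it: attributes, not just an IP."""
    name: str
    ip: str
    host: str      # hypervisor the VM currently runs on
    os: str
    tier: str      # application tier label (web / app / db / security)
    tags: set = field(default_factory=set)


# Security groups are membership predicates over workload attributes, so
# membership is recomputed at evaluation time instead of being pinned to
# addresses in a rule table (the slides' "intelligent grouping").
SECURITY_GROUPS = {
    "Quarantine":    lambda w: QUARANTINE_TAG in w.tags,
    "SecurityTools": lambda w: w.tier == "security",
    "WebTier":       lambda w: w.tier == "web",
    "AppTier":       lambda w: w.tier == "app",
    "DBTier":        lambda w: w.tier == "db",
}


def groups_of(w: Workload) -> set:
    return {name for name, member in SECURITY_GROUPS.items() if member(w)}


# (priority, source group, destination group, protocol, port or None, action).
# Lowest priority number wins. The quarantine rules sit above the standard
# policy, so a tagged VM is cut off without anyone editing the standard rules.
RULES = [
    (10,  "SecurityTools", "Quarantine", "tcp", None, "allow"),  # security tools may still reach it
    (20,  "any",           "Quarantine", "any", None, "block"),  # nothing else reaches it
    (30,  "Quarantine",    "any",        "any", None, "block"),  # and it reaches nothing
    (100, "WebTier",       "AppTier",    "tcp", 8443, "allow"),  # constructed web -> app service
    (110, "AppTier",       "DBTier",     "tcp", 1433, "allow"),  # app tier -> DB tier on TCP/1433 (slides)
]
DEFAULT_ACTION = "block"   # zero-trust default: no explicit allow, no path


def _in_group(group: str, w: Workload) -> bool:
    return group == "any" or group in groups_of(w)


def decide(src: Workload, dst: Workload, proto: str, port: int) -> str:
    """Evaluate one flow. Every hypervisor runs this same function on the same
    policy, so the verdict does not depend on which host either VM is on."""
    for _, sgrp, dgrp, rproto, rport, action in sorted(RULES, key=lambda r: r[0]):
        if (_in_group(sgrp, src) and _in_group(dgrp, dst)
                and rproto in ("any", proto) and rport in (None, port)):
            return action
    return DEFAULT_ACTION


def service_chain(w: Workload) -> list:
    """Dynamic service chain: the services applied to a VM follow its group."""
    if "Quarantine" in groups_of(w):
        return ["Firewall: block all except security tools", "Anti-Virus: scan and remediate"]
    return ["Anti-Virus: scan"]


def move_workload(w: Workload, new_host: str, new_ip: str) -> Workload:
    """A move plus re-addressing; note that no firewall rule is touched."""
    w.host, w.ip = new_host, new_ip
    return w


def set_infected(w: Workload, infected: bool) -> set:
    """What an anti-malware partner does through a security tag; returns the new groups."""
    (w.tags.add if infected else w.tags.discard)(QUARANTINE_TAG)
    return groups_of(w)


def build_sample_estate() -> dict:
    """Constructed sample inventory (names, addresses and hosts are made up)."""
    return {
        "web01": Workload("web01", "10.0.1.10", "esx-a", "linux",   "web"),
        "app01": Workload("app01", "10.0.2.10", "esx-a", "windows", "app"),
        "db01":  Workload("db01",  "10.0.3.10", "esx-b", "windows", "db"),
        "av01":  Workload("av01",  "10.0.9.5",  "esx-c", "linux",   "security"),
    }


def demo() -> dict:
    e = build_sample_estate()
    out = {}
    out["app->db tcp/1433"] = decide(e["app01"], e["db01"], "tcp", 1433)             # allow
    out["web->db tcp/1433"] = decide(e["web01"], e["db01"], "tcp", 1433)             # block: no explicit allow
    move_workload(e["app01"], "esx-b", "10.0.2.77")
    out["app->db after move"] = decide(e["app01"], e["db01"], "tcp", 1433)           # still allow, no rule edit
    set_infected(e["app01"], True)
    out["web->app while quarantined"] = decide(e["web01"], e["app01"], "tcp", 8443)  # block
    out["av->app while quarantined"] = decide(e["av01"], e["app01"], "tcp", 443)     # allow
    out["chain while quarantined"] = service_chain(e["app01"])
    set_infected(e["app01"], False)
    out["web->app after remediation"] = decide(e["web01"], e["app01"], "tcp", 8443)  # allow again
    return out


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:30} {verdict}")
```

The point of the `move_workload` step is the one the slides make about operational feasibility: because the rule table references groups rather than addresses, a host move and an address change produce the same verdict with zero rule edits, whereas the perimeter-firewall model needs a create/update/delete on every such change. The quarantine steps show the dynamic service chain: adding or clearing one tag changes both the firewall verdicts and the list of services applied to the VM.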
Benefits of Taking a Software Defined Data Center Approach
Use cases: multi-tenant infrastructure, IT automating IT, developer cloud, DMZ anywhere, micro-segmentation, secure end user, metro pooling, hybrid cloud networking, disaster recovery
Value
• Speed & agility: reduce infrastructure provisioning time from weeks to minutes
• Security: secure infrastructure at 1/3 the cost
• Application continuity: reduce RTO by 80%
NSX customer momentum: service providers, global financials, retail, healthcare, integrators, media & communications, transportation, government, education
Starting Point
For a full listing of other NSX related sessions at VMworld: http://virtualizeyournetwork.com/vmworld2015us/
The things you need to do…
• Technical Discovery / First Step: virtualizeyournetwork.com
• Connect & Engage: communities.vmware.com
• Education & Certification: vmware.com/go/NVtraining
• Test Drive: labs.hol.vmware.com
The things you need to read…
Thank you