
© 2015 VMware Inc. All rights reserved.

VMware NSX Micro-Segmentation Solution Overview & Why you save money


Needs and Trends

A quick look at the requirements and trends in the area of data center security

How Does Data Center Security Work?

Diagram: Internet, perimeter firewall, DMZ with IPS, internal firewall; behind them a converged infrastructure running on data center compute resources and vSphere hypervisors, hosting end user computing/desktops, application infrastructure, Internet-facing servers (Web, e-mail, DNS, etc.; for VDI, the Horizon View Security Server), A/V and other server security, and clients.

Why Do Breaches Still Occur?

Today’s data centers are protected by strong perimeter defense…

But threats and exploits still infect servers. Low-priority systems are often the target.

Threats can lie dormant, waiting for the right moment to strike.

Server-server traffic growth has outpaced client-server traffic. The attack spreads and goes unnoticed.

Possibly after months of reconnaissance, the infiltration relays secret data to the attacker.

Attacks spread inside the data center, where internal controls are often weak. Critical systems are targeted.

Breaches Still Occur Due to Perimeter-Focused Security

Perimeter-centric network security has proven insufficient: little or no lateral controls inside the perimeter.

Status Quo: Do nothing

• Inside of data center left unprotected

• High risk of security breaches

• Reactive clean-up: look at Sony Pictures

• Costly: Target’s recent breach cost an estimated $1B

Other Alternatives Used to Reduce Breaches

A few other options are available today to improve internal data center security. Both have their own challenges and are ultimately not operationally feasible.

Physical Firewalls

Adding more internal security requires placing more firewalls across workloads:

• Cost prohibitive: thousands of firewalls needed (1 per VM)

• Complex configuration: security policies restricted by network topology

• Inefficient “choke point” firewalling

• Impractical to build lateral coverage

Virtual Firewalls

• Similar to physical firewalls, only slower performance

• No micro-segmentation

• Limited central management

• Costly and complicated

Firewall Inefficiencies Today

Inefficient network design: physical firewalls are choke points in the network.

VM-to-VM traffic must “hairpin” out to the physical firewall.

Security policies tied to network topology slow deployment.

Diagram (Traditional Firewall Challenges): for east-west firewalling on the same host and host to host alike, traffic from the vswitch on UCS Blade 1 traverses UCS Fabric A/B and the Nexus 7000 to reach the firewall and back: 6 wire hops in each case.

Typical VDI Environment

Diagram: 1) View Client, 2) View Security Server(s), 3) View Connection Server(s), 4) View Administrator (browser), 5) View Composer, 6) View Virtual Desktop. Remote connections enter through the perimeter firewall from the external network; local connections come from the internal network; an internal firewall fronts the private cloud (vSphere) with vCenter, the View Composer parent image and linked clones, PCoIP direct connect, and MS Active Directory.

Today’s VDI Challenges

A converged infrastructure means virtual desktops run on the same infrastructure as servers.

Bringing desktops into the data center opens up new risks for attack.

And a matrix of policies is needed on centralized, choke-point firewalls for the correct security posture.

VDI to VDI: desktop-to-desktop hacking inside the DC

VDI to VM: desktop-to-server hacking inside the DC

Diagram: Finance, HR and Engineering desktop pools and servers sharing the same infrastructure.

Demands on the Customer

Continual demands on customers to adapt to change and respond to business needs while providing adequate security inside the data center are a significant challenge.

Security Inside the Data Center: improved security inside the data center to limit the spread of threats and respond to changing conditions

Speed and Agility: rapid response to changes in business requirements, application deployments, and threats

Strategic Foundation: flexible network foundation for future growth and adaptation to change


The VMware Solution

NSX Micro-Segmentation is the biggest enterprise software opportunity since compute virtualization

NSX Enables the Next-Gen Networking Model

Diagram: applications run on virtual machines, virtual networks and virtual storage (data center virtualization, location independence); software sits above hardware. Network and security services now in the hypervisor: L2 switching, L3 routing, firewalling/ACLs, load balancing. Automated operational model of the SDDC: pooled compute, network and storage capacity; vendor independent, best price/performance; simplified configuration and management.

NSX Delivers Better Security and Makes Micro-Segmentation Operationally Feasible

Hypervisor-based, in-kernel distributed firewalling

• High throughput rates on a per-hypervisor basis

• Every hypervisor adds additional east-west firewalling capacity

Platform-based automation

• Automated provisioning and workload adds/moves/changes

• Accurate firewall policies follow workloads as they move

How Does NSX Micro-Segmentation Work?

Isolation and segmentation

Unit-level trust / least privilege

Ubiquity and centralized control

1) Today data center security relies on perimeter defense

• Lower cost

• Operationally practical

• But ultimately insufficient

2) Micro-Segmentation enables security that follows the VM

3) Security can be applied per workload, not just inside the perimeter

How Does NSX Micro-Segmentation Work? (Detailed)

Isolation: no communication path between unrelated networks

• No cross-talk between networks

• Overlay technology assures networks are separated by default

Segmentation: controlled communication path within a single network

• Fine-grained enforcement of security

• Security policies based on logical groupings of VMs

Advanced services: addition of 3rd-party security, as needed by policy

• Platform for including leading security solutions

• Dynamic addition of advanced security to adapt to changing security conditions
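The isolation and segmentation mechanisms above, modelled as an added Python example that is not NSX code and uses no NSX API: each VM carries a logical network and group tags, and a distributed firewall decides every VM-to-VM flow from the tags rather than from host or IP, denying across unrelated networks and defaulting to deny. The VM names, tags, hosts, IPs and rules are constructed for the illustration.

```python
# Toy model of isolation, segmentation and tag-based policy (constructed; not NSX code).
from dataclasses import dataclass, replace
from typing import FrozenSet, List

@dataclass(frozen=True)
class VM:
    name: str
    network: str           # logical overlay network
    tags: FrozenSet[str]   # logical grouping, e.g. "tier:web", "dept:finance"
    host: str              # physical placement: policy must not depend on it
    ip: str

@dataclass(frozen=True)
class Rule:
    src_tag: str
    dst_tag: str
    port: int              # destination port
    action: str            # "allow" or "deny"

class DistributedFirewall:
    """Evaluates each VM-to-VM flow at the hypervisor by the VMs' tags, not IPs."""

    def __init__(self, rules: List[Rule], default: str = "deny") -> None:
        self.rules, self.default = rules, default

    def decide(self, src: VM, dst: VM, port: int) -> str:
        if src.network != dst.network:   # isolation: no path between unrelated networks
            return "deny"
        for r in self.rules:             # segmentation: first matching tag rule wins
            if r.src_tag in src.tags and r.dst_tag in dst.tags and r.port == port:
                return r.action
        return self.default              # unit-level trust: nothing allowed implicitly

# Constructed three-tier app on one network/VLAN, plus a finance desktop elsewhere.
WEB = VM("web-01", "app-net", frozenset({"tier:web"}), "esx-a", "10.0.0.11")
APP = VM("app-01", "app-net", frozenset({"tier:app"}), "esx-a", "10.0.0.21")
DB = VM("db-01", "app-net", frozenset({"tier:db"}), "esx-b", "10.0.0.31")
DESKTOP = VM("vdi-07", "vdi-net", frozenset({"dept:finance"}), "esx-c", "10.1.0.7")
DFW = DistributedFirewall([Rule("tier:web", "tier:app", 8080, "allow"),
                           Rule("tier:app", "tier:db", 3306, "allow")])

def decisions() -> dict:
    """Flow decisions for the constructed VMs; the dict keys are labels only."""
    moved = replace(WEB, host="esx-b", ip="10.0.0.99")   # vMotion: new host and IP
    return {
        "web->app:8080": DFW.decide(WEB, APP, 8080),          # allow
        "web->db:3306": DFW.decide(WEB, DB, 3306),            # deny: lateral move on same VLAN
        "moved-web->app:8080": DFW.decide(moved, APP, 8080),  # allow: policy followed the VM
        "desktop->app:8080": DFW.decide(DESKTOP, APP, 8080),  # deny: unrelated network
    }
```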


Business Value

NSX Micro-Segmentation simplifies network security, enables deployment acceleration, and provides agility for changing demands

Primary Pillars of Value

Streamlined operations and automated deployment, which can reduce operational expenses

Better network security built inside the data center, helping to ensure regulatory compliance, protect sensitive information and protect the brand of the company

Complete platform for advanced networking and security, which can help to reduce capital expenditures

NSX is the network virtualization platform for the SDDC, transforming data center networking and making a new level of security possible.

NSX Simplifies Network Security

• Each VM can be its own perimeter

• Policies align with logical groups

• Prevents threats from spreading

Diagram: perimeter firewall and inside firewall in front of App, DMZ, Services (AD, NTP, DHCP, DNS, CERT) and DB groups, plus Finance, Engineering and HR groups.

NSX Increases Firewall Efficiency

Diagram: Before NSX, east-west firewalling on the same host and host to host each cost 6 wire hops (vswitch on UCS Blade 1 or 2, UCS Fabric A/B, Nexus 7000). With NSX, the distributed virtual firewall in the NSX vSwitch enforces on the hypervisor: 0 wire hops on the same host and 2 wire hops host to host.

Fewer hops, more efficient and precise VM networking

NSX Simplifies VDI

Firewall and filter traffic based on logical groupings

Simplified, programmable, automated application of network/security policy to desktop users/pools

Service-chaining with AV and NGFW partners to deliver automated, policy-integrated AV / malware protection, NGFW, IPS, etc.

Diagram: perimeter firewall and inside firewall in front of App, DMZ and DB groups and the Finance, Engineering and HR desktop pools.

NSX Enables Better Data Center Networking and Security

Transform the economics of network and security operations by bringing the operational model of a virtual machine to data center networking.

Network: create, save, delete and restore virtual networks on demand, all without reconfiguring your physical network

Agility: reduce the time to provision multi-tier networking and security services from weeks to seconds, enable faster deployment and greater agility, and provide the flexibility to run on top of any network hardware

Security: NSX micro-segmentation brings security inside the data center with automated fine-grain policies tied to the VMs they protect, while securely isolating networks from one another to deliver a better security model

NSX, the Network Virtualization Platform: bring your leading networking and security solutions into the SDDC, take advantage of tight integration with the NSX platform to automatically deploy third-party products as needed, and adapt dynamically to changing data center conditions

Customer Benefits

• NSX introduces a higher level of security to the data center

• It helps IT organizations streamline their networking and security operations

• It enables businesses to lay the foundation for the software-defined data center

Better Security: unmatched security inside the data center, providing another level of assurance for compliance mandates and protection of sensitive data

Speed and Agility: deploy faster and adapt to changes more easily, reducing the time to respond to changes and reducing the cost associated with operational changes

SDDC Foundation: flexible network foundation for the software-defined data center allowing customers to leverage their existing investments

Target Implementations

Need: Security for VDI deployment
Business Size / Shape: Commercial (General Business); Enterprise (T1), Enterprise Select (T2); Global; 250+ seats and/or 4+ types of users
Situation: Highly-regulated or security-sensitive industries like finance, healthcare, and public sector
VMware Solution: Horizon View and NSX

Need: Security between VMs (simple network)
Business Size / Shape: Commercial (General Business); minimum 50 workloads (VMs) on premise; vSOM ENT+ or vCloud Suite customers
VMware Solution: NSX

Need: Security for multiple zones (e.g., DMZ, internal)
Business Size / Shape: High-end Commercial (General Business); Enterprise (T1), Enterprise Select (T2); Global
Situation: Need to firewall and apply security between Internet-facing servers and internal systems, and/or between internal departments (e.g., IT, HR, finance, engineering, etc.)
VMware Solution: NSX

Need: Security for multi-tier app (e.g., Web, App, DB)
Business Size / Shape: High-end Commercial (General Business); Enterprise (T1), Enterprise Select (T2); Global
Situation: Need to firewall and apply security between different tiers of an application (e.g., web, app, database servers)
VMware Solution: NSX

Customer Personas and Their Concerns

Customers will continue to make predictable security decisions, often due to limited budget, skepticism toward new solutions, or a lack of understanding of how to address today’s security threats. Even the most cautious customer can be a forward thinker. Show them how.

Title: Network Engineer
Decision-Making Biases: likely trained and certified by Cisco; prefers CLI; potentially views non-Cisco/non-CLI technologies as a job threat
Common Objections: “I lose visibility with a network virtualization solution.” “Software-based networking can’t perform as fast as my dedicated hardware.”
Overcoming Objections: NSX consolidates configuration and operational state for all network connections to provide a centralized view of the network; NSX provides true scale-out, adding nearly 20 Gbps with each new host

Title: VP, Director of Networking
Decision-Making Biases: will defer to his/her team; concern about operationalizing a new network/security paradigm
Common Objections: “My team can’t do their job if networking and security are integrated with the hypervisor layer.”
Overcoming Objections: NSX maintains role-based access control to separate the tasks of the compute, networking, and security teams

Title: Security Team (all levels)
Decision-Making Biases: skeptical about the “latest thing” in security
Common Objections: “I can do micro-segmentation today with my existing firewalls.”
Overcoming Objections: micro-segmentation is fine-grained security; NSX prevents lateral movement of threats even between servers on the same VLAN; security policies are decoupled from the network topology, automatically following the VMs they protect


Buying Motion

Then and Now. A close look at the security issues NSX can solve

Setting the Stakes: breaches still occur. It’s time to rethink security in the data center.

A perimeter defense is inadequate to protect against malware designed to permeate even the strongest periphery.

Now with NSX:

• Protect the data center from within

• Micro-granular security model

• Flexible security policies can be applied all the way to a virtual network interface

Low-priority systems inside the data center are easy targets.

Now with NSX:

• Security distributed to every hypervisor

• Firewalling for all systems

Deploying and managing security between servers is inefficient and time consuming.

Now with NSX:

• Automated provisioning of security policies

• Security policies always follow the VM: create, move, delete

Centralized “choke point” firewalls result in large, complex firewall rule tables, and configuration errors are common.

Now with NSX:

• Centralized security policies

• Security policies organized by logical groupings of similar VMs

• Simplified security configuration

Advanced security services are expensive and can slow network performance, forcing IT organizations to ration their use.

Now with NSX:

• NSX adapts to changing security conditions

• Advanced security applied only where needed

• Improved efficiency

• Improved network security performance

Working with Technology Partners

These security partners integrate tightly with NSX security policies. See the Micro-Segmentation Value Play Page on Partner Central for more details and the current list of security technology partners. More are listed on the NSX website.

Check Point

Partner capabilities shown on the slide:

Next-generation firewall with intrusion detection/prevention system; next-gen firewall functionality with multi-layered security and software blades for additional functionality

Agentless anti-malware / intrusion prevention / integrity monitoring / web reputation; automated virtual patching and seamless integration with vCenter Operations Manager


Thank you