TRANSCRIPT
© 2015 VMware Inc. All rights reserved.
VMware NSX Micro-Segmentation: Solution Overview & Why You Save Money
Needs and Trends
A quick look at the requirements and trends in the area of data center security
How Does Data Center Security Work?

[Figure: a perimeter firewall with IPS in front of a DMZ faces the Internet; an internal firewall separates the DMZ from end-user computing/desktops and the application infrastructure. Internet-facing servers (Web, e-mail, DNS, etc.; for VDI, also the Horizon View Security Server) sit in the DMZ. A/V and other server and client security run on converged infrastructure, on data center compute resources and vSphere hypervisors.]
Why Do Breaches Still Occur?

[Figure: data center perimeter, with the attack path described below.]

1. Today’s data centers are protected by strong perimeter defense, but threats and exploits still infect servers. Low-priority systems are often the target.
2. Threats can lie dormant, waiting for the right moment to strike.
3. Server-to-server traffic growth has outpaced client-server traffic, so the attack spreads and goes unnoticed.
4. Attacks spread inside the data center, where internal controls are often weak. Critical systems are targeted.
5. Possibly after months of reconnaissance, the infiltration relays secret data to the attacker.
Breaches Still Occur Due to Perimeter-Focused Security
Perimeter-centric network security has proven insufficient: little or no lateral controls inside the perimeter.

[Figure: data center perimeter facing the Internet, with no controls between workloads inside.]

• Inside of data center left unprotected
• High risk of security breaches
• Reactive clean-up: look at Sony Pictures
• Costly: Target’s recent breach cost an estimated $1 billion
Status quo option: do nothing
Other Alternatives Used to Reduce Breaches
A few other options are available today to improve internal data center security. Both have their own challenges and are ultimately not operationally feasible.

Physical firewalls: adding more internal security requires placing more firewalls across workloads
• Cost prohibitive: thousands of firewalls needed (1 per VM)
• Complex configuration: security policies restricted by network topology
• Inefficient “choke point” firewalling
• Impractical to build lateral coverage

Virtual firewalls
• Similar to physical firewalls, only slower performance
• No micro-segmentation
• Limited central management
• Costly and complicated

[Figure: data center perimeter facing the Internet, with firewalls inserted between workloads.]
Firewall Inefficiencies Today

Traditional firewall challenges:
• Inefficient network design: physical firewalls are choke points in the network
• VM-to-VM traffic must “hairpin” out to the physical firewall
• Security policies tied to network topology: slows deployment

[Figure: east-west firewalling through a physical firewall. Same host: traffic from a VM on UCS Blade 1 leaves the vswitch, crosses UCS Fabric A/B and the Nexus 7000 to the firewall and back, 6 wire hops. Host to host: UCS Blade 1 to UCS Blade 2 over the same path, 6 wire hops.]
Typical VDI Environment

[Figure: View components and traffic flow. 1) View Client (local connection from the internal network, or remote connection from the external network through the perimeter firewall); 2) View Security Server(s); 3) View Connection Server(s); 4) View Administrator (browser); 5) View Composer, with parent image and linked clones; 6) View virtual desktops in the private cloud (vSphere), reached via PCoIP direct connect. Also shown: MS Active Directory, vCenter, and an internal firewall between the external-facing components and the internal network.]
Today’s VDI Challenges

A converged infrastructure means virtual desktops run on the same infrastructure as servers. Bringing desktops into the data center opens up new risks for attack, and a matrix of policies is needed on centralized, choke-point firewalls to reach the correct security posture.

• VDI to VDI: desktop-to-desktop hacking inside the DC
• VDI to VM: desktop-to-server hacking inside the DC

[Figure: Finance, HR and Engineering desktop pools sharing the data center with servers.]
Demands on the Customer

Continual demands on customers to adapt to change and respond to business needs, while providing adequate security inside the data center, are a significant challenge.

• Security inside the data center: improved security inside the data center to limit the spread of threats and respond to changing conditions
• Speed and agility: rapid response to changes in business requirements, application deployments, and threats
• Strategic foundation: flexible network foundation for future growth and adaptation to change
The VMware Solution
NSX Micro-Segmentation is the biggest enterprise software opportunity since compute virtualization

NSX Enables the Next-Gen Networking Model

[Figure: data center virtualization. Applications run on virtual machines, virtual networks and virtual storage, which are location-independent from the hardware. Network and security services (L2 switching, L3 routing, firewalling/ACLs, load balancing) now run in the hypervisor, giving the automated operational model of the SDDC: pooled compute, network and storage capacity; vendor independent, best price/performance; simplified configuration and management.]
NSX Delivers Better Security and Makes Micro-Segmentation Operationally Feasible

Hypervisor-based, in-kernel distributed firewalling
• High throughput rates on a per-hypervisor basis
• Every hypervisor adds additional east-west firewalling capacity

Platform-based automation
• Automated provisioning and workload adds/moves/changes
• Accurate firewall policies follow workloads as they move
How Does NSX Micro-Segmentation Work?

• Isolation and segmentation
• Unit-level trust / least privilege
• Ubiquity and centralized control

1. Today data center security relies on perimeter defense: lower cost and operationally practical, but ultimately insufficient
2. Micro-segmentation enables security that follows the VM
3. Security can be applied per workload, not just inside the perimeter

[Figure: data center perimeter facing the Internet, before and after micro-segmentation.]
How Does NSX Micro-Segmentation Work? (Detailed)

Isolation: no communication path between unrelated networks
• No cross-talk between networks
• Overlay technology assures networks are separated by default

Segmentation: controlled communication path within a single network
• Fine-grained enforcement of security
• Security policies based on logical groupings of VMs

Advanced services: addition of 3rd-party security, as needed by policy
• Platform for including leading security solutions
• Dynamic addition of advanced security to adapt to changing security conditions
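To make the segmentation and advanced-services points concrete, here is an added example (not VMware code and not from this deck) of how a hypervisor-based distributed firewall can evaluate a policy written against logical groups rather than addresses. The security groups, tags, VM names, addresses, rule table and the "redirect:ips" action are all constructed for the illustration; they follow the deck's three-tier (web/app/DB) and desktop-pool groupings but are not NSX's actual object model or API.

```python
"""Added example (not VMware code): a toy model of how a hypervisor-based
distributed firewall evaluates micro-segmentation policy.

Rules are written against logical security groups (membership derived from
VM tags, as NSX security groups can be) rather than against IP addresses or
VLANs, so the verdict for a flow does not change when a VM moves hosts or
changes IP, and two VMs on the same VLAN and host are still filtered.
All VM names, tags, addresses and rules below are constructed for the example.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class VM:
    name: str
    host: str        # hypervisor the vNIC currently lives on
    vlan: int        # L2 segment; irrelevant to the policy by design
    ip: str          # also irrelevant to the policy by design
    tags: frozenset  # the only attribute the policy keys on


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # security-group name, or "any"
    dst: str
    service: str  # e.g. "tcp/443", or "any"
    action: str   # "allow", "deny", or "redirect:<partner service>"


# Security groups: group name -> tag that confers membership (constructed).
# Dynamic membership means a newly deployed VM carrying the tag is covered
# the moment its vNIC comes up; nothing per-VM or per-IP is configured.
GROUPS: Dict[str, str] = {
    "sg-web": "tier:web", "sg-app": "tier:app", "sg-db": "tier:db",
    "sg-infra": "role:infra",                     # AD, NTP, DHCP, DNS
    "sg-vdi-finance": "pool:finance", "sg-vdi-hr": "pool:hr",
}

# Ordered rule table; first match wins, everything else hits the default.
# "redirect:ips" stands in for policy-driven insertion of a partner service.
RULES: List[Rule] = [
    Rule("infra-services",   "any",            "sg-infra", "udp/53",   "allow"),
    Rule("web-to-app-ips",   "sg-web",         "sg-app",   "tcp/8443", "redirect:ips"),
    Rule("app-to-db",        "sg-app",         "sg-db",    "tcp/3306", "allow"),
    Rule("finance-desktops", "sg-vdi-finance", "sg-app",   "tcp/8443", "allow"),
]
DEFAULT_ACTION = "deny"   # default deny: no rule, no path


def in_group(vm: VM, group: str) -> bool:
    return group == "any" or GROUPS[group] in vm.tags


def evaluate(src: VM, dst: VM, service: str,
             rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (matching rule name, action) for a flow src -> dst on service.
    Conceptually this runs at the source vNIC, before the packet hits a wire."""
    for rule in rules:
        if (in_group(src, rule.src) and in_group(dst, rule.dst)
                and rule.service in ("any", service)):
            return rule.name, rule.action
    return "default", DEFAULT_ACTION


def move_vm(vm: VM, host: str, ip: str) -> VM:
    """vMotion plus re-addressing: tags, and therefore policy, stay with the VM."""
    return replace(vm, host=host, ip=ip)


# Constructed inventory. Note fin-desk-01 and hr-desk-01 share host and VLAN.
INVENTORY: Dict[str, VM] = {v.name: v for v in [
    VM("web-01",      "esx-01", 10, "10.0.10.11", frozenset({"tier:web"})),
    VM("app-01",      "esx-02", 20, "10.0.20.11", frozenset({"tier:app"})),
    VM("db-01",       "esx-02", 30, "10.0.30.11", frozenset({"tier:db"})),
    VM("dns-01",      "esx-03", 40, "10.0.40.11", frozenset({"role:infra"})),
    VM("fin-desk-01", "esx-04", 50, "10.0.50.11", frozenset({"pool:finance"})),
    VM("hr-desk-01",  "esx-04", 50, "10.0.50.12", frozenset({"pool:hr"})),
]}


def verdict_table(inv: Dict[str, VM]) -> List[Tuple[str, str, str, str]]:
    """Evaluate representative flows; return (src, dst, service, action) rows."""
    flows = [
        ("web-01", "app-01", "tcp/8443"),           # tiered app path, via IPS
        ("app-01", "db-01", "tcp/3306"),
        ("web-01", "db-01", "tcp/3306"),            # tier skipping: blocked
        ("fin-desk-01", "hr-desk-01", "tcp/445"),   # same VLAN and host: blocked
        ("fin-desk-01", "app-01", "tcp/8443"),
        ("hr-desk-01", "app-01", "tcp/8443"),       # no rule for HR pool: blocked
        ("hr-desk-01", "dns-01", "udp/53"),
    ]
    return [(s, d, svc, evaluate(inv[s], inv[d], svc)[1]) for s, d, svc in flows]


if __name__ == "__main__":
    for row in verdict_table(INVENTORY):
        print("%-12s -> %-12s %-9s %s" % row)
    moved = move_vm(INVENTORY["web-01"], "esx-03", "10.0.99.5")
    print("web-01 after move:", evaluate(moved, INVENTORY["app-01"], "tcp/8443"))
```

Running the block prints one verdict per flow. The two things to check are that web-01 keeps the same verdict after it is moved to another host with a new IP (the rule matched on its tag, not its address), and that the Finance and HR desktops on the same host and VLAN still get a deny: there is no rule between those groups, so the default applies at the vNIC before the packet ever reaches the wire.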
Business Value
NSX Micro-Segmentation simplifies network security, enables deployment acceleration, and provides agility for changing demands

Primary Pillars of Value

• Streamlined operations and automated deployment, which can reduce operational expenses
• Better network security built inside the data center, helping to ensure regulatory compliance, protect sensitive information and protect the brand of the company
• Complete platform for advanced networking and security, which can help to reduce capital expenditures

NSX is the network virtualization platform for the SDDC, transforming data center networking and making a new level of security possible.
NSX Simplifies Network Security

• Each VM can be its own perimeter
• Policies align with logical groups
• Prevents threats from spreading

[Figure: perimeter firewall and inside firewall in front of DMZ, App, Services (AD, NTP, DHCP, DNS, CERT) and DB groups, plus Finance, HR and Engineering groups, each group a separately policed segment.]
NSX Increases Firewall Efficiency

[Figure: before NSX, east-west firewalling on the same host and host to host both hairpin through UCS Fabric A/B and the Nexus 7000 to a physical firewall: 6 wire hops. With NSX, the distributed virtual firewall enforces at the NSX vSwitch: same host (UCS Blade 1) 0 wire hops; host to host (UCS Blade 1 to UCS Blade 2) 2 wire hops.]

Fewer hops, more efficient and precise VM networking
NSX Simplifies VDI

• Firewall and filter traffic based on logical groupings
• Simplified, programmable, automated application of network/security policy to desktop users/pools
• Service-chaining with AV and NGFW partners to deliver automated, policy-integrated AV / malware protection, NGFW, IPS, etc.

[Figure: perimeter firewall and inside firewall in front of DMZ, App and DB tiers and Finance, HR and Engineering desktop pools.]
NSX Enables Better Data Center Networking and Security
Transform the economics of network and security operations by bringing the operational model of a virtual machine to data center networking.

• Network: create, save, delete and restore virtual networks on demand, all without reconfiguring your physical network
• Agility: reduce the time to provision multi-tier networking and security services from weeks to seconds, enable faster deployment and greater agility, and provide the flexibility to run on top of any network hardware
• Security: NSX micro-segmentation brings security inside the data center with automated fine-grain policies tied to the VMs they protect, while securely isolating networks from one another to deliver a better security model
• NSX, the network virtualization platform: bring your leading networking and security solutions into the SDDC, take advantage of tight integration with the NSX platform to automatically deploy third-party products as needed, and adapt dynamically to changing data center conditions
Customer Benefits
• NSX introduces a higher level of security to the data center
• It helps IT organizations streamline their networking and security operations
• It enables businesses to lay the foundation for the software-defined data center

Better security: unmatched security inside the data center, providing another level of assurance for compliance mandates and protection of sensitive data
Speed and agility: deploy faster and adapt to changes more easily, reducing the time to respond to changes and reducing the cost associated with operational changes
SDDC foundation: flexible network foundation for the software-defined data center, allowing customers to leverage their existing investments
Target Implementations

Need: Security for VDI deployment
  Business size / shape: Commercial (General Business); Enterprise (T1), Enterprise Select (T2); Global; 250+ seats and/or 4+ types of users
  Situation: highly-regulated or security-sensitive industries like finance, healthcare, and public sector
  VMware solution: Horizon View + NSX

Need: Security between VMs (simple network)
  Business size / shape: Commercial (General Business); minimum 50 workloads (VMs) on premise; vSOM ENT+ or vCloud Suite customers
  VMware solution: NSX

Need: Security for multiple zones (e.g., DMZ, internal)
  Business size / shape: High-end Commercial (General Business); Enterprise (T1), Enterprise Select (T2); Global
  Situation: need to firewall and apply security between Internet-facing servers and internal systems, and/or between internal departments (e.g., IT, HR, finance, engineering, etc.)
  VMware solution: NSX

Need: Security for multi-tier app (e.g., Web, App, DB)
  Business size / shape: High-end Commercial (General Business); Enterprise (T1), Enterprise Select (T2); Global
  Situation: need to firewall and apply security between different tiers of an application (e.g., web, app, database servers)
  VMware solution: NSX
Customer Personas and Their Concerns
Customers will continue to make predictable security decisions, often due to limited budget, skepticism toward new solutions, or a lack of understanding of how to address today’s security threats. Even the most cautious customer can be a forward thinker. Show them how.

Network Engineer
  Decision-making biases: likely trained and certified by Cisco; prefers CLI; potentially views non-Cisco/non-CLI technologies as a job threat
  Common objections: “I lose visibility with a network virtualization solution.” “Software-based networking can’t perform as fast as my dedicated hardware.”
  Overcoming objections:
  • NSX consolidates configuration and operational state for all network connections to provide a centralized view of the network
  • NSX provides true scale-out, adding nearly 20 Gbps with each new host

VP, Director of Networking
  Decision-making biases: will defer to his/her team; concern about operationalizing a new network/security paradigm
  Common objections: “My team can’t do their job if networking and security are integrated with the hypervisor layer.”
  Overcoming objections:
  • NSX maintains role-based access control to separate the tasks of the compute, networking, and security teams

Security Team (all levels)
  Decision-making biases: skeptical about the “latest thing” in security
  Common objections: “I can do micro-segmentation today with my existing firewalls.”
  Overcoming objections:
  • Micro-segmentation is fine-grained security
  • NSX prevents lateral movement of threats even between servers on the same VLAN
  • Security policies are decoupled from the network topology, automatically following the VMs they protect
Buying Motion
Then and now: a close look at the security issues NSX can solve

Setting the Stakes
Breaches still occur. It’s time to rethink security in the data center.

Then: a perimeter defense is inadequate to protect against malware designed to permeate even the strongest periphery.
Now with NSX:
• Protect the data center from within
• Micro-granular security model
• Flexible security policies can be applied all the way to a virtual network interface

Then: low-priority systems inside the data center are easy targets.
Now with NSX:
• Security distributed to every hypervisor
• Firewalling for all systems

Then: deploying and managing security between servers is inefficient and time consuming.
Now with NSX:
• Automated provisioning of security policies
• Security policies always follow the VM: create, move, delete

Then: centralized “choke point” firewalls result in large, complex firewall rule tables, and configuration errors are common.
Now with NSX:
• Centralized security policies
• Security policies organized by logical groupings of similar VMs
• Simplified security configuration

Then: advanced security services are expensive and can slow network performance, forcing IT organizations to ration their use.
Now with NSX:
• NSX adapts to changing security conditions
• Advanced security applied only where needed
• Improved efficiency
• Improved network security performance
Working with Technology Partners

These security partners integrate tightly with NSX security policies. See the Micro-Segmentation Value Play Page on Partner Central for more details and the current list of security technology partners. More are listed on the NSX Website.

• Check Point: next-generation firewall with intrusion detection/prevention system; next-gen firewall functionality with multi-layered security and software blades for additional functionality
• Agentless anti-malware / intrusion prevention / integrity monitoring / web reputation, with automated virtual patching and seamless integration with vCenter Operations Manager