#PCMVision: VMware NSX - Transforming Security
Download as PPTX, PDF1 like3,244 views
This document provides information about VMware, including: - VMware is headquartered in Palo Alto with over 17,800 employees worldwide and over $25 billion in revenues. - VMware promotes a software-defined data center approach using technologies like NSX for network virtualization, vSphere for compute virtualization, and vSAN for storage virtualization. - NSX allows for micro-segmentation within the data center, enabling granular security policies to be applied at the workload level for improved security compared to traditional perimeter-based approaches. - VMware AppDefense provides visibility and control over the application lifecycle to detect deviations from intended application behavior and automate security responses.
#PCMVision: VMware NSX - Transforming Security
- 1. © 2014 VMware Inc. All rights reserved. Paul Penn - ppenn@vmware.com Sales Director Western US Garrett Kray- krayg@vmware.com Security Specialist Network and Security Business Unit VMware NSX Transforming Security
- 2. VMware – Who we are… Headquartered in Palo Alto • Campus the size of Disneyland Over $25 billion in revenues 17 years old Over 55,000 partners worldwide ~17,800 employees worldwide Fastest Software Company in history to grow to $5 billion in sales (and did it with one product) Corporate Mascot: Turtle
- 3. VMware Software Defined Enterprise 3 Policy-based Management & Automation Cloud Automation Cloud Operations Cloud Business Software-Defined Data Center Private Clouds Public Clouds vCHS Virtualized Infrastructure Abstract & Pool Applications End User Computing Desktop Mobile Virtual Workspace Modern SaaSTraditional Compute Network Security Storage Availability vSphere NSX vSAN SRM vCenter Server vCenter Automation Center (VCAC) vCenter Operations (vCOPS) ITBM Horizon Workspace Horizon View Horizon Mirage
- 4. Agenda 1 SDDC/NSX Overview 2 The Killer Use Case // Micro-segmentation 3 Current Customers and Benchmarks 4 VMware AppDefense 4Confidential
- 5. IT’S TIME FOR A NEW IT APPROACH SLOW TECHNOLOGY ADOPTION RATES HIGH USER EXPECTATIONS SLOW REPONSES PRIVACY ISSUES INTEGRATION PROBLEMS SERVICE OUTAGES SHORTAGE OF RIGHT SKILLS DECLINING BUDGET DIFFERENT APPLICATIONS AGING INFRASTRUCTURE SECURITY PROLIFERATION OF DEVICES FRAGMENTED DATA CENTER LIMITED RESOURCES CLOUD SILOS SECURITY PROLIFERATION OF DEVICES FRAGMENTED DATA CENTER CLOUD SILOS
- 6. We are in the 3rd fundamental structural transition in the history of IT Client Server Cloud/MDM/SDDC We are here Mainframe Mainframe PC Revolution Client/Server Cloud Cloud • Mobile Devices & Clouds (public & private) • Software Defined • Local Applications • Minor role for networking • Desktops & Servers • Campus Networks • Data Centers
- 7. What Is a Software-Defined Data Center (SDDC)? 7 Hardware Software Data center virtualization layer Pooled compute, network, and storage capacity Vendor independent, best price/performance/service Simplified configuration and management Intelligence in software Operational model of VM for data center Automated provisioning and configuration CONFIDENTIAL
- 8. NSX value proposition Network virtualization is at the core of the software- defined data center approach Network, storage, compute Virtualization layer 8CONFIDENTIAL
- 9. Network and security services now in the hypervisor Switching Routing Firewalling/ACLs Load balancing East-west firewalling High throughput rates Hardware independent The Next-generation Networking Model 9CONFIDENTIAL
- 10. NSX value proposition Network, storage, compute Virtualization layer “Network platform” Virtual networks 10CONFIDENTIAL
- 11. 11 SECURITY Architecting security as an inherent part of the data center infrastructure Network Virtualization How is it being used today? AUTOMATION Automating IT processes to deliver IT at the speed of business APPLICATION CONTINUITY Enabling applications and data to reside and be accessible anywhere CONFIDENTIAL
- 12. CONFIDENTIAL 12 Transforming Security with Micro-segmentation
- 13. Increased Security Spending Has Not Decreased Breaches CONFIDENTIAL 13 IT Spend Security Spend Security Breaches Annual Cost of Security Breaches: $445B (Source: Center for Strategic and International Studies) Security as a Percentage of IT Spend: 2012: 11% 2015: 21 % (Source: Forrester) Projected Growth Rate in IT Spend from 2014-2019: Zero (Flat) (Source: Gartner)
- 14. Digital makes reliance on data lucrative for thieves Security investments are increasing, yet the cost of breaches are rising faster 14 Underfunding security isn’t the problem.
- 15. Improved Data Center Network Security Perimeter-centric network security has proven insufficient, and HW micro-segmentation is operationally infeasible Little or no lateral controls inside perimeter Internet Internet Traditional Edge FW NSX dFW
- 16. 16 Web App DB VMVM VMVM VMVM VMVM VMVM VMVM VMVM VMVM VMVM VMVM VMVM VMVM VMVM VMVM VMVM VMVM Security Micro-segmentation | Secure End User | DMZ Anywhere Granular Policy Enforcement Enables zero trust security model with policy enforced at every workload
- 17. CONFIDENTIAL 17 3rd Party Service Insertion with NSX
- 18. Advanced Services Insertion – Example: Palo Alto Networks NGFW Internet Security Policy Security Admin Traffic Steering
- 19. Public Cloud Provider Your Data Center Your IT Governance VMware on AWS powered by NSX
- 20. Coalfire Benchmark Report CONFIDENTIAL 20 • Does VMware NSX functionally satisfy NIST recommendations? • Are the precepts of micro- segmentation, as defined in the complete definition, satisfied conceptually and in testing by NSX? • Can real-world threats be stopped by NSX in E-W and N-S, using industry- standard Penetration Testing tools?
- 21. Expanding Security to Scale with the Business Columbia Sportswear continues to stay ahead of competitors and threats by combining advanced, automated security inside the data center. “There just wasn’t a great way to insert security in order to address east-west traffic between VMs, nor have the security tied to the applications as they moved around dynamically.” John Spiegel Network Manager Columbia Sportswear
- 23. Abstraction layer between infrastructure and apps 23 We call this the “Goldilocks Zone” We can use this zone to transform endpoint detection and response Hypervisor AppDefense NSX Hypervisor AppDefense NSX Hypervisor AppDefense NSX VMware AppDefense
- 24. Hypervisor IT provisions a new app 1 Visibility and context into application lifecycle 24 Automated collection of intended state across app lifecycle IT provisions a change to the app 3 AppDefense notes the change 4 AppDefense collects intended state of the app 2 AppDefense NSX Insert security into DevOps process VMware AppDefense
- 25. Hypervisor Automated detection & response 25 Compare intended state against run-time state to detect deviations Automate response through vSphere and NSX: • Quarantine • Modify security policy • Increase logging AppDefense NSX Attacker compromise s an app 1 AppDefense automatically responds 2 Hypervisor AppDefense NSX Hypervisor AppDefense NSX VMware AppDefense
- 26. Hypervisor AppDefense NSX Isolation from attack surface 26 Isolated environment to monitor and control all endpoints AppDefense itself is protected from attacks Attacker compromise s an app 1 AppDefense is protected from the attack surface 2 Hypervisor AppDefense NSX Hypervisor AppDefense NSX VMware AppDefense
- 27. “Simple works, especially in InfoSec…I can sleep easy at night knowing that when AppDefense detects a problem, it will respond automatically.” Brad Doctor Senior Director, Information Security VMware VMware’s Information Security team uses AppDefense in our SOC to protect the critical security systems that secure our business applications. VMware Information Security – Case Study
- 28. Thank you
Editor's Notes
- #3: Fulfilling our vision to empower people and organizations has made VMware the industry-leading virtualization software company. More than 500,000 customers, from small and midsize companies to large enterprises—including 99 percent of Fortune 500 and 100 percent of Fortune Global 100 companies—use VMware technologies and services. More than 55,000 partners, including technology and consulting partners, top distributors and resellers, and system vendors and integrators, help provide customers with freedom and choice. Through the broadest set of cloud service provider partners—more than 10,000 of them—VMware is making the hybrid cloud a reality. VMware stays close to customers with offices in more than 100 countries. Innovation begins with the more than 13,000 VMware employees.
- #19: Let’s quickly look at how this advanced insertion works, using Palo Alto Networks as an example… Panorama, the Palo Alto Network management console, registers with the NSX Controller. The Controller then distributes the Palo Alto Networks VM Series application to each hypervisor in the SDDC virtualization layer. Then, security policies are created and connected to the NSX firewall policies and VMs are provisioned, If the workloads policy requires the advanced feature set and deep packet inspection offered by the Palo Alto next gen firewall the NSX firewalling steers traffic into the Palo Alto Networks VM. And, if the VMs move, the NSX platform automates moving the security policies with it.
- #21: OBJECTIVES OF THIS COALFIRE NSX MICRO-AUDIT VMware NSX-based micro-segmentation purports to meet all four of these recommendations. Coalfire Systems’ testing of the NSX product during this “micro-audit” intends to examine the form and function of NSX to determine the following: Does VMware NSX functionally satisfy NIST SP 800-125B recommendations VM-FW-R1, VM- FW-R2, VM-FW-R3 and VM-FW-R4? Are the precepts of micro-segmentation, as defined in the complete definition, satisfied conceptually and in testing by NSX? Can real-world threats be stopped by NSX in E-W (peer transits on the L2 network) and N-S (network to network transits via L3), using industry-standard Penetration Testing tools? Based on the determination of these three objectives, Coalfire will also render an opinion on the potential suitability of the VMware NSX product to deliver effective security controls to real-world legacy and emerging virtualized software-defined data centers.
- #29: Q&A