VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for Security Services in the SDDC
2 likes2,883 views
The document introduces NSX Service Composer, a new consumption model designed to enhance security services within the Software-Defined Data Center (SDDC). It addresses key challenges in cloud security, including inefficient manual workflows and lack of interoperability between security products, by enabling effective policy application, automation of workflows, and streamlined provisioning processes. The presentation includes customer examples, specifically McKesson, to illustrate the necessity and effectiveness of implementing these security measures.
![24
Example: Orchestrating Security Between Multiple Services
SG: QuarantineSG: Web Servers
1.Web Server VM running IIS is deployed, unknowingly having a vulnerability
2.Vulnerability Scan is initiated on web server (e.g. Rapid7’s Nexpose product)
3.VM is tagged in NSX Manager with the CVE and CVSS Score
4.NSX Manager associates the VM with the Quarantine (VSM F/W Deny)
5.[Externally] Admin applies patches, Nexpose re-scans VMs, clears tag
6.NSX Manager removes the VM from Quarantine ; VM returns to it’s normal
duties
VSM F/W VSM F/W
Services Services
Membership: Include VMs which have CVSS score >= 9Membership: Include VMs which have been provisioned as “WebServer”
NSX Manager](https://image.slidesharecdn.com/sec5749formattedv2-140613153837-phpapp02/85/VMworld-2013-Introducing-NSX-Service-Composer-The-New-Consumption-Model-for-Security-Services-in-the-SDDC-24-320.jpg)
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for Security Services in the SDDC
- 1. Introducing NSX Service Composer: The New Consumption Model for Security Services in the SDDC Merritte Stidston, McKesson James Wiese, VMware SEC5749 #SEC5749
- 2. 2 Agenda Cloud Security: The Challenge Customer Example: McKesson Introducing - NSX Service Composer Product Examples
- 3. 3 Problems with Security Products in a Virtual Environment End Users Blame IT for being ‘Slow’ • Focus generally is only on Storage, Network, Compute but Security can drag deployments – Need mechanism to apply policy to VM provisioning (make it stick) Bigger Datacenter Threat: Rapid Deployment From the Inside (Drift) • Users Create Servers Instantly – Snapshot of a golden image used to provision many instances of server instantly, New VMs are not connected to protection service • Servers have stale configurations & vulnerable software which introduces threat Security Product Can Not “See” the VM • VLANs can also segment out the network scanning services • Is the VM on the right network? Is the right version of the agent there? Does the VM agent have access to the security product console? What are the credentials? Security Products Do Not Interoperate • No Ability to Detect Issue & Remediate without complicated scripts & process • Many Ways to Identify a VM – Requires correlation for management (SID, IP, VMID)
- 4. 4 Overall Challenge: Security in the SDDC Cumbersome Provisioning Complicated deployment and troubleshooting processes make it difficult to maintain service levels for security. Manual, Cross-Service Workflows Security and cloud admins volley back and forth to identify, assess, plan, implement security risks…a very inefficient process. Security Policy ≠ Security Operations Expecting cloud operators to manage security policies is unrealistic and unfair. Security architects define policy. Cloud operators implement policy. Cloud Operator ✔ ?
- 5. 5 Challenge: Firewall Roulette: Which VM is behind Which Wire? CISO: We need to make sure the Firewall is protecting the RED VMs appropriately. Can you confirm this?
- 6. 6 Challenge: Detection Services Not Interoperable & Increase Process Web Servers Services Monitor Events Identify Threat Report File Ticket With NetBios ID Receive Ticket Notification Correlate to IP (Attempt) Ask for VLAN Tag Determine VM -> Subnet -> Tag Realize NAT Issue? Create Rule Verify RuleClose Ticket Open Ticket To Patch Machine
- 7. 7 7 Challenge: 9-Dashboards of Wonder & Making Security Stick Agile security is possible in 2012… …if you identify workloads and connect the system – by IP, by SID, by subnet, by host, by user, and don’t change anything… Vulnerability System Antivirus System Firewall vCenter IDS System DLP System
- 8. 8 No knowledge of internal traffic and potential threats Most breaches are not discovered by the breached party. Common point of purchase Current state — head in the sand "I know I am wearing rose-colored glasses; we just haven't looked into this."
- 9. 9
- 10. 10 Agenda Cloud Security: The Challenge Customer Example: McKesson Introducing - NSX Service Composer Product Examples
- 11. 11 Architectural Complexity: Securing Virtualization within the IT Infrastructure
- 12. 12 Architectural Complexity: Securing Virtualization within the IT Infrastructure Management & Admin Network Zone PCI Internal Service Networks CoLo Internal Service Network ASP-MSP Internal Service Network McKIT Shared Service Network Network Core Layer McKIT WAN-MPLS B2B Extranet Internet McKesson CareBridge Edge Perimeter Zone Edge Router ISP 1 F/W F/W F/WF/W F/W F/W CoLo’s External HostingASP MPS Partners, Vendors, Sub-Contractors McKIT Shared DMZ PCI DMZ VPN Remote Access Core Edge Firewall Layer O/S Build VM Build VM Repository HyTrust Gateway vCenter vShield App Edge Endpoint Crypto AV Agent Auth-LDAP Logs VM1…n Hypervisor Layer B/U Mngt. Agent Hosts 1…n vNet Fabric vSwitch1 vSwitch2 vSwitch3 vSwitchn Management & Security Services (Physical) Patch Secure VMs B.U.R.N VTLVTL De-Dup Back-up/Restore Solution Tape * DASD * SAN * NAS -NSF -ISCI -SMB vSafe 1.6/API vShield 1.6/API ISP 2 Internal Router Infrastructure Distribution Layer External Untrusted Layer McK Remote Offices McK Remote Sites Internal Trusted Layer ESXi Mngt YF vShield Endpoint Patching HP CSA SEIM EKMDE Directory Services Central Logging Key Management vShield Edge Backup & Recovery Nessus Vulnerability Scan DLPIDS / IPS Anti-virus Inventory
- 13. 13 What is Secure Lab? What were some of the business problems that prompted you to pick up the security baton? • A fundamental belief that security is everyone's responsibility • Our business units requested it and our customers expect it • Build infrastructure with a security 1st approach was a challenge What technical challenges made this an urgent need? • No roadmap to help guide the way • Multiple tools to integrate • Common framework with common goals • Decoupled software & hardware stack (Allows for future changes)
- 14. 14 SecureLab McKesson Imaging VDC Developers & App Support ESXi INTEL TXT INTEL TXT VCD ESXiESXiESXi View 5 VDI (hardened) McKesson SecureLab: NGDC Architecture Physical desktops & laptops VDI “bastion host” only access App A Web MW DB VDI VDI VDI VDI WebDBMW App B vShield App All VDI instances automatically firewalled from one another vShield Edge Network Gateway and Secure Multi-tenancy vShield App VDI “group” to App access allowed by vShield App ESXi Trusted boot with Intel TPM/TXT TPM/TXT Horizon Clinicals VDC App C WebDB MW App D DB
- 15. 15 Agenda Cloud Security: The Challenge Customer Example: McKesson Introducing - NSX Service Composer Product Examples
- 16. 16 NSX Service Composer Security services can now be consumed more efficiently in the software-defined data center. Apply. Apply and visualize security policies for workloads, in one place. Automate. Automate workflows across different services, without custom integration. Provision. Provision and monitor uptime of different services, using one method.
- 17. 17 Concept – Apply Policies to Workloads Security Groups WHAT you want to protect Members (VM, vNIC…) and Context (user identity, security posture) HOW you want to protect it Services (Firewall, antivirus…) and Profiles (labels representing specific policies) APPLY Define security policies based on service profiles already defined (or blessed) by the security team. Apply these policies to one or more security groups where your workloads are members.
- 18. 18 NSX Service Composer – Canvas View
- 19. 19 Introducing – NSX Service Composer Policies – collection of service profiles - assigned to this container…to define HOW you want to protect this container e.g. “PCI Compliance” or “Quarantine Policy’ Nested containers – other groupings within the container e.g. “Quarantine Zone” is a sub group within “My Data Center” VMs (workloads) that belong to this container. e.g. “Apache-Web-VM”, “Exchange Server- VM” Containers – Grouping of VMs, IPs, and more…to define WHAT you want to protect. e.g. “Financial Applications”, “Desktop Users”, “Quarantine Zone” Service profiles for *deployed* services, assigned to these policies Services supported today: • Distributed Virtual Firewall • Anti-virus • Vulnerability Management • Network IPS • Data Security (DLP scan) • User Activity Monitoring • File Integrity Monitoring
- 20. 20 NSX Service Composer – Canvas View Members: Apps and workloads that belong to this container. e.g. “Apache-Web-VM”, “Exchange Server-VM”
- 21. 21
- 22. 22 Agenda Cloud Security: The Challenge Customer Example: McKesson Introducing - NSX Service Composer Product Examples
- 23. Corp Cust Svc Desktop Engineering Domain Controllers Sales Desktop Sales SAPSalesWeb Extranet (DMZ) External FTP Servers Corp External Web Eng Desktop P1 – Corp Policy Block Telnet, SSH from * P2 – Department Policy Block HTTP P3 – Web App Policy Allow 8080 from Desktops Allow 443 from * Block All Other P4 – Eng Department Policy Allow 80 HTTP from Internet P5 – Desktop Policy Block * to these from these P6 – Sales Desktop Policy Allow * from Sales/SAP P7 – AD Policy Allow * , TCP/UDP on port 137,445 Example: Firewall By Policy
- 24. 24 Example: Orchestrating Security Between Multiple Services SG: QuarantineSG: Web Servers 1.Web Server VM running IIS is deployed, unknowingly having a vulnerability 2.Vulnerability Scan is initiated on web server (e.g. Rapid7’s Nexpose product) 3.VM is tagged in NSX Manager with the CVE and CVSS Score 4.NSX Manager associates the VM with the Quarantine (VSM F/W Deny) 5.[Externally] Admin applies patches, Nexpose re-scans VMs, clears tag 6.NSX Manager removes the VM from Quarantine ; VM returns to it’s normal duties VSM F/W VSM F/W Services Services Membership: Include VMs which have CVSS score >= 9Membership: Include VMs which have been provisioned as “WebServer” NSX Manager
- 25. 25 Confidential Example: Deploying Security Services On Demand 1. ESX Host added to cluster 2. Service Composer: Deploys Security VMs (Partner & VMW) 3. VM brought up on host 4. Service Composer: Appropriate Security Services applied 5. VM vMotions to different host 6. Service Composer: Appropriate Security Services applied
- 26. 26 “Dev” “Test” “Stage” wire FW wire FW “Production” wire LB FW IDS FIM SVM AV LOG wire LB FW IDS FIM SVM AV LOG Example: Precedence Enforced for Dev/Test to Production Service Policy for App
- 27. 27 NSX Integrated Partners NSX Controller & NSX Manager NSX API Partner Extensions L2 Gateway FirewallADC/LB IDS/IPS + Cloud Management Platforms AV/FIM Vulnerability Management Security Services
- 28. 28 VM Based Group Policy For Services App Consumer Cloud Operations Infrastructure (NOC)
- 29. 29 NSX Service Composer Benefits Streamline Service Provisioning Fewer steps to deploy VMware and partner content. Service outages are easy to identify and troubleshoot. Automate Workflows Across Services Workflows between different services are easily automated on this platform Apply Policies in the SDDC Workloads are easily organized (WHAT you want to protect) and services can be easily mapped to resources (HOW you want to protect them), for consumption in the SDDC AVFW IPS DLP Vuln. Mgmt AVFWIPS DLPVuln. Mgmt ✔ ✔
- 30. 30 Related Sessions SEC-5750: Security Automation Workflows with NSX SEC-5253: Get on with Business: Vmware Reference Architectures Help Streamline Compliance Efforts HOL: HOL-SDC1303: VMware NSX Network Virtualized Platform
- 31. THANK YOU
- 33. Introducing NSX Service Composer: The New Consumption Model for Security Services in the SDDC Merritte Stidston, McKesson James Wiese, VMware SEC5749 #SEC5749
- 35. 35 Concept – Service Profiles Comprises One or More Services At least one service is required to define a service profile. Container 1 Container 2 Container 3 Container Can Have Multiple Service Profiles Different profiles may need to apply to a single container. Precedence Must Be Enforced on Service Profiles Ultimately, these services manifest in real security services so in the case of overlapping services or conflicts, precedence must be enforced.
- 36. 36 Container 1 Concept – Containers Contain VMs Including machines, networks…anything that could comprise an application But it could also be empty, perhaps waiting for a state change. Can Contain Other Containers Nesting is a powerful concept that allows you to group applications and resources more flexibly. Can Contain Object Defined by Security Tags Services have intelligence in the form of visibility and control. They can find an issue with a machine and tag it to identify the issue. The mere act of tagging can add the machine to a container. Container 2 Container 3
- 37. 37 VMware SDN & Security: Composite Policy Management • Minimize Dedicated Hardware • Optimize Utilization Security By Virtual Service • Always Connected Security • Scale Applications On- demand • Simplify Operations VM Protection • Integrated Management • 3rd Party Extensible Attach Services • Dynamic Provisioning • Detect & Remediate Enable Policy-based Automation VMware Network & Security Virtualization
- 38. 38
- 39. 39
- 40. Introducing NSX Service Composer: The New Consumption Model for Security Services in the SDDC Merritte Stidston, McKesson James Wiese, VMware SEC5749 #SEC5749