ADV1587BE NSX + Horizon: A Security Architecture for Delivering Desktops and Applications with VMware

Graeme Gordon, Howard Bliss · #VMworld #ADV1587BE · VMworld 2017

Document dated 2019-06-27 · Posted 27-May-2020 · 47 pages

TRANSCRIPT

Page 1

Graeme Gordon, Howard Bliss

ADV1587BE

#VMworld #ADV1587BE

NSX + Horizon: A Security Architecture for Delivering Desktops and Applications with VMware

VMworld 2017 Content: Not for publication or distribution

Page 2

Disclaimer

• This presentation may contain product features that are currently under development.

• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.

• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.

• Technical feasibility and market demand will affect final delivery.

• Pricing and packaging for any new technologies or features discussed or presented have not been determined.

#ADV1587BE CONFIDENTIAL 2

Page 3

Agenda

1 Today's Landscape

2 How Horizon Can Help

3 Why NSX?

4 Protecting Infrastructure

5 Identity Based Firewall

6 Getting Started

Page 4

Attacks and attackers have become more sophisticated…

• Organized crime

• Insiders

• Cyber terrorists / hacktivists

• Nation states

ADVANCED PERSISTENT THREATS · WEAPONIZATION OF CYBERSPACE

Page 5

How Can Horizon Help?

Page 6

Secure Desktops, Apps and Data with Horizon 7

• Just-in-Time Desktops

• Network Security

• App Lifecycle Management

• Profile & Smart Policies

• Centrally Delivered & Controlled

• Access & Authentication

Page 7

Data Centralization

• Collapse branch infrastructure

– File servers, email servers, application servers.

• Data sharing

– Reduce data replication.

– Lower the risk of out-of-date data being used in error.

• Data backup (and recovery)

– Simplified by being centralized.

– Enables more advanced DR strategies.

• eDiscovery

– Eases the auditing effort.

• Proactive response to security incidents

– Simplified and consistent patching.

Page 8

Just-in-Time Desktops

With technologies like Instant Clones, User Environment Management and App Volumes, Horizon lets IT streamline desktop and application management and provide employees with truly stateless desktops.

• Drive down storage costs by >30%

• Deliver apps instantly

• Streamline OpEx by >50%

Page 9

OS and Application Patching in the Physical World

• Ensure that all desktops receive the proper patches.

• Assessment

– Which patches are needed on which systems?

– 32-bit vs. 64-bit? Microsoft vs. third party, etc.?

• Scheduling

– When will patches be deployed to each system?

• Deployment

– Ensure that each system receives the proper set of patches and that they are properly executed.

• Reboot

– Many patch deployments require reboots.

• Rescan

– Reassess the machines post-reboot to make sure they were fully patched.

Risk of Configuration Drift

Page 10

OS and Application Patching with Horizon 7

• Patch the Master VM and update the pool.

• All desktops are in a known state.

• Patch level is controlled by the admin.

– Can include the latest anti-malware definitions.

– Can include application updates/patches.

• The pool can be restored to a last known-good state

– as well as remediated in case of malware.

Controlled and Consistent

[Diagram: Datastore 1 – Master VM with snapshots 1 and 2, published as Replica 1 and Replica 2, from which the desktops are cloned]

Page 11

App Volumes: Managed Application Containers

[Diagram: Traditional model – applications, settings and data/files installed into the OS. Just-in-Time app model – OS with the App Volumes Agent; applications delivered as AppStacks, user changes captured in a Writable Volume]

Page 12

Smart Policies

Overview

• Customize desktop features

• Features include:

– Clipboard cut/paste

– Client drive redirection

– USB

– Printing

– Bandwidth profile

• Conditional policies based on:

– User identity

– Location

– Pool name

– etc.

Benefits

• Secures the desktop or application based on the user's identity or location.

• Conditions are re-evaluated during the session.

• Streamlined desktop experience: a single desktop image can be customized based on flexible policies.

Page 13

Unified Access Gateway

• Provides secure remote access for users to reach:

– Various edge services.

– Resources within the corporate network.

• Deployed in the DMZ or in cloud tenants

• Hardened appliance running SLES 12 Linux

– Compliance and certifications (FIPS / CC)

• DMZ authentication

– Smart card support

– Certificate

– SAML pass-through support

– RADIUS / SecurID support

• Supports multiple use cases:

– Horizon

– Reverse proxy (Identity Manager)

– VMware Tunnel (Per-App Tunnel & Proxy services)

– Identity bridging

– Content Gateway (upcoming release)

Page 14

NSX and Horizon

Page 15

Traditional Client Computing

• Traffic is only "North-South"

– Networking is simple and only north-south.

– The threat pattern is north-south.

– Straightforward protection scenario.

– Security via DMZ zones at the edge.

• "Data at Rest" is the primary concern

– Mission-critical data on endpoint local storage.

– Common motivator for desktop virtualization.

• Organizations implement desktop virtualization to:

– Optimize compute and storage resources.

– Secure data at rest (moved to the data center).

– Exert better control over north-south threats.

Page 16

Desktop & Application Virtualization Benefits

Desktop and app virtualization places the OS, applications and data in the data center.

• Avoid loss of data sitting on devices (device loss, theft, damage)

• Avoid unauthorized access to sensitive applications installed on devices

• Reduced branch infrastructure footprint (file/print/email servers etc.)

• Conducive to efficient, centralized backup

• Centralized patching against vulnerabilities

[Diagram: Users reach a Virtual Desktop over the WWW; the desktop sits in the data center next to SAP, Oracle, Exchange, etc., Enterprise Storage and other systems]

Page 17

Current Challenges in the Data Center

Large attack surface within the data center: multiple, discrete "east-west" flows between desktops and infrastructure.

• User behaviors

• Zero-day threats

• Compromised internet websites

• Desktop-to-desktop hacking

• Desktop-to-server hacking

[Diagram: EAST-WEST traffic between Virtual Desktops and the data center (SAP, Oracle, Exchange, etc.; Enterprise Storage; Other); Users and the WWW outside]

Page 18

Securing East-West within VDI Environments

• Hard to implement

• Lots of physical infrastructure required

• Complex to manage

Organizations with a focus on compliance and risk mitigation will implement security zones to protect East-West flows within the data center.

[Diagram: Centralized Virtual Desktops connected to separate zones – Shared svcs, DMZ, DB Zone, Remote workforce Zone, Eng Zone, Dev Zone, Financial Zone, Corp Zone, PCI Zone, Admin Zone]

Page 19

Traditional Networking & Security is complex!

[Diagram: Internet and Internal Networks feeding Centralized Virtual Desktops, each zone behind its own firewalling – Shared svcs, DMZ, DB Zone, Remote workforce Zone, Eng Zone, Dev Zone, Financial Zone, Corp Zone, PCI Zone, Admin Zone]

Page 20

More Efficient Firewalls with NSX

[Diagram: East-West firewalling for VMs on UCS Blade 1 / UCS Blade 2 behind UCS Fabric A and B and a Nexus 7000, before and after NSX]

Before NSX (traffic has to leave the host to be firewalled):

• East-West firewalling, same host: 6 wire hops

• East-West firewalling, host to host: 6 wire hops

With NSX (distributed virtual firewall in the NSX vSwitch):

• East-West firewalling, same host: 0 wire hops

• East-West firewalling, host to host: 2 wire hops

Fewer hops, more efficient and precise VM networking

Page 21

NSX for Horizon VDI Deployment

• Allows for elasticity and agility to spin up/down new pools or expand existing ones

• Desktop-to-Desktop control

• Desktop-to-Enterprise App control

• Security services, e.g. agentless AV, NGFW, IPS

• Load balancing

• Edge firewall

• NAT

• VPN

[Diagram: Micro-segmentation · Edge Services · Network Virtualization – Internal Developer Pool on the Internal Developer Network, External Developer Pool on the External Developer Network, Horizon Infra]

Page 22

Segmentation of a Horizon Environment

• AD-group-based Identity Firewall (IDFW).

• Data Security to identify sensitive data.

• Desktop-to-Desktop control

• Desktop-to-Enterprise App control

• 3rd-party security services, e.g. agentless AV, NGFW, IPS

• External world to Horizon components control

• Access control between the various Horizon components

[Diagram: Protecting Desktop Pools (Internal Developer Pool, External Developer Pool; user/data based access control) · Protecting a 3-tier enterprise app (Web, App, DB) · Protecting Horizon Infrastructure (Connection Servers, Unified Access Gateway, View Composer, vCenter)]

Page 23

Protecting Infrastructure

Page 24

VMware Horizon Architecture Overview

[Diagram; components listed by layer as far as they can be recovered from the slide]

User Workspace:

• Horizon Clients

• Unified Access Gateways

Core Infrastructure:

• Active Directory

• vCenter Server

• vRealize Operations for Horizon

• Database (SQL)

• VMware vSphere + NSX + VSAN

VMware Horizon View:

• Horizon Connection Servers

• View Composer

• Virtual Desktop Pools: Windows 10 Instant Clone, Windows 10 3D Desktop, Linux Clone

• Hosted RDS Desktops & Apps

User Environment:

• Applications (VMware App Volumes)

• Virtualized Apps (ThinApps)

• SaaS, Mobile Apps (VMware Identity Manager)

• IT Settings, User Profile

Page 25

Horizon 7 network ports reference:

https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/techpaper/vmware-horizon-7-end-user-computing-network-ports.pdf

Page 26

Easy Service Definition

Page 27

Micro-Segmentation – Sample Configuration

Infrastructure Rules

Desktop and Application Rules

Page 28

Identity Based Firewall

Policy-driven micro-segmentation of the user

Page 29

VMware NSX - Identity Based Firewall Rules (IDFW)

• The DFW offers Identity Based Firewall (IDFW) functionality:

‒ Specific AD security groups of users can be used to create DFW rules.

– DFW rules are defined based on Active Directory (AD) group membership (e.g. a Doctors or Surgeons group):

‒ Define an NSX Security Group that contains the AD security group and apply it as the source of the DFW policy rule.

• The user may log on from a physical or virtual system joined to the AD domain (the source); the destination system must be a VM, because the DFW enforces the rule at a vNIC and a physical source has none.

Policy Rule:

Source                     Destination              Service   Action
Doctors (security group)   Patient Record Servers   Any       Allow
Any                        Any                      Any       Deny

Page 30

VMware NSX - Identity Based Firewall Rules & EUC

Before NSX

• All desktops on a VLAN can communicate freely.

• Once one desktop is compromised, lateral movement cannot be restricted.

With NSX

• Micro-segmentation can granularly control desktops even on a shared VLAN.

• User/group based access control

• Control VDI-to-apps access using NGFW redirection when needed.

[Diagram: Jennifer (Finance) and Bob (HR) on the same network, with Files, HR, Finance, Email and SharePoint services; identity rules let Jennifer reach the Finance resources and Bob the Human Resources ones]

Page 31

Secure Just in Time Desktops

Role-Based Desktop Creation & Customization

[Diagram: a single pool of stateless desktops becomes a Sales desktop, a Developer desktop or an Admin desktop by combining, per role, Network Policy from NSX, Application Layers from App Volumes and Personalization from UEM]

Page 32

AirWatch Per-App VPN and VMware NSX

[Diagram: Device Level VPN contrasted with App Level VPN; App Level VPN combined with NSX micro-segmentation on the data center side]

Page 33

Load Balancing Infrastructure

Page 34

VMware NSX ESG – Integrated North-South Network Services

[Diagram: ESG virtual appliance in front of the VMs, providing Firewall, Load Balancer, VPN, Routing/NAT, DHCP / DNS relay (DDI), …]

Overview

• Integrated L3 – L7 services

• Virtual appliance model to provide rapid deployment and scale-out

Benefits

• Real-time service instantiation

• Support for dynamic services per tenant/application

• Uses x86 compute capacity

Page 35

VMware NSX ESG - Load Balancer

[Diagram: ESG load balancer in front of Connection Servers CS1, CS2, CS3]

Features

• UDP, TCP, FTP, HTTP, HTTPS with stateful HA

• Multiple Virtual IPs, each with a separate server pool and configuration

• Multiple load balancing algorithms

• Multiple session persistence methods

• Configurable health checks

• Application Rules

• SSL termination with certificate management

• Transparent/Full proxy mode

• IPv6 support

Use Cases

• Per-tenant LB

• Dynamic VIP for VDI management

Page 36

Connection Servers Load Balancing and External Access

[Diagram, reconstructed]

DMZ:

• External Load Balancer – 10.30.22.30

• UAG1 – uag1.domain.com – 192.168.2.51

• UAG2 – uag2.domain.com – 192.168.2.52

INTERNAL:

• Internal Load Balancer – 192.168.1.30

• Connection Server 1 – horizon1.domain.com – 192.168.1.31

• Connection Server 2 – horizon2.domain.com – 192.168.1.32

External DNS: horizon.domain.com → 10.30.22.30

Internal DNS: horizon.domain.com → 192.168.1.30

When resolving horizon.domain.com:

• External clients get 10.30.22.30 (External Users → external load balancer → UAG1/UAG2 → Connection Servers).

• All internal components and clients, the UAGs included, use 192.168.1.30 (Internal Users → internal load balancer → Connection Servers).

Page 37

Partner Integration

AV, Activity Monitoring

Page 38

Optimized Performance for VDI Environments

[Diagram: ESXi host and SAN; comparison axes – Management, Network Usage, Scan Speed, CPU/Memory Usage, IOPS, Storage]

Page 39

Optimized Performance for VDI Environments

[Diagram: ESXi host with SAN and a scan cache]

• Up to 20X faster* full scans

• Up to 5X faster real-time scans

• Up to 2X faster VDI login

• Up to 30% more VM density

Page 40

NSX Service Insertion and Chaining for VDI

• Traffic exits the guest VM and reaches the DFW for processing.

• If the action is set to permit, the DFW forwards the traffic to the filtering module.

• If the filtering module allows the traffic to be redirected,

• traffic redirection steers it to the partner services VM(s).

• Traffic permitted by the partner services VM is sent on to the destination.

[Diagram: Guest VM → DFW (slot 2) → Filtering module (slot 4) → Partner services VM, all on the Distributed Switch (vDS); the partner console and vCenter manage the chain; permitted traffic continues to the external network]

Page 41

Example: NSX Service Composer & Third-Party Service Insertion

Quarantine Vulnerable Systems until Remediated

Security Group = Quarantine
Members = {Tag = 'ANTI_VIRUS.VirusFound'}

Security Group = Standard

Policy Definition

Standard Policy

• Anti-Virus – Scan

Quarantined Policy

• Firewall – Block all except security tools

• Anti-Virus – Scan and remediate

The partner anti-virus service sets the ANTI_VIRUS.VirusFound security tag when it finds malware, so membership of the Quarantine group is dynamic: a desktop moves into the quarantined policy as soon as it is tagged and back to the standard policy once the tag is cleared, with no rule change by the administrator.
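The policy logic of the IDFW slides (page 29, page 30) and of the quarantine example above, carried through as runnable code. This is an added example, not code from the deck, from VMware or from NSX: NSX does not expose its rule table this way, and every security group, AD group, user, tag, VM name and service below is an assumption made for illustration. What it shows is the part that matters when you design the table: membership is resolved at evaluation time (static list, security tag, or AD group learned at the source), rules are matched top-down with first match winning, the quarantine section sits above the business rules, and the table ends in an explicit default deny so desktop-to-desktop traffic has nothing to fall through to.

```python
"""Added example (not from the deck or from VMware): a working model of the
DFW policy logic the IDFW and Service Composer slides describe. Every group,
tag, user and VM name below is constructed for illustration."""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass
class VM:
    name: str
    tags: Set[str] = field(default_factory=set)  # security tags, e.g. set by a partner AV service
    user: Optional[str] = None                    # AD user logged on (what IDFW learns at the source)


# Constructed Active Directory group membership, as IDFW reads it from AD.
AD_GROUPS = {"Doctors": {"alice"}, "Finance": {"jennifer"}, "HR": {"bob"}}

# Security groups with three membership styles: static VM list, dynamic by
# security tag (Service Composer quarantine), and AD security group (IDFW).
SECURITY_GROUPS = {
    "SG-Quarantine":      {"tag": "ANTI_VIRUS.VirusFound"},
    "SG-Security-Tools":  {"static": {"av-manager"}},
    "SG-Patient-Records": {"static": {"ehr-db"}},
    "SG-Finance-Share":   {"static": {"fin-files"}},
    "SG-HR-Share":        {"static": {"hr-files"}},
    "SG-Desktops":        {"static": {"vdi-01", "vdi-02", "vdi-03"}},
    "SG-Doctors":         {"ad_group": "Doctors"},
    "SG-Finance-Users":   {"ad_group": "Finance"},
    "SG-HR-Users":        {"ad_group": "HR"},
}


def is_member(vm: VM, sg: str) -> bool:
    """Resolve security-group membership for one VM at evaluation time."""
    spec = SECURITY_GROUPS[sg]
    if "static" in spec:
        return vm.name in spec["static"]
    if "tag" in spec:
        return spec["tag"] in vm.tags
    return vm.user is not None and vm.user in AD_GROUPS[spec["ad_group"]]


# Rule table in DFW order: top-down, first match wins. The quarantine section
# is placed above the business rules so a tagged VM loses its normal access,
# and the table ends with an explicit default deny.
RULES: Tuple[Tuple[str, str, str, str, str], ...] = (
    # name,                       source SG,          destination SG,       service,   action
    ("quarantine-allow-sectools", "SG-Quarantine",    "SG-Security-Tools",  "any",     "allow"),
    ("quarantine-block",          "SG-Quarantine",    "any",                "any",     "deny"),
    ("doctors-to-records",        "SG-Doctors",       "SG-Patient-Records", "tcp/443", "allow"),
    ("finance-to-share",          "SG-Finance-Users", "SG-Finance-Share",   "tcp/445", "allow"),
    ("hr-to-share",               "SG-HR-Users",      "SG-HR-Share",        "tcp/445", "allow"),
    ("block-desktop-to-desktop",  "SG-Desktops",      "SG-Desktops",        "any",     "deny"),
    ("default-deny",              "any",              "any",                "any",     "deny"),
)


def _matches(vm: VM, sg: str) -> bool:
    return sg == "any" or is_member(vm, sg)


def evaluate(src: VM, dst: VM, service: str) -> Tuple[str, str]:
    """Return (rule name, action) for a flow. The DFW enforces the same table at
    every vNIC, so checking it once here gives the same verdict."""
    for name, s, d, svc, action in RULES:
        if _matches(src, s) and _matches(dst, d) and svc in ("any", service):
            return name, action
    raise AssertionError("unreachable: default-deny matches every flow")


def lateral_movement_blocked(desktops, services=("tcp/445", "tcp/3389", "any")) -> bool:
    """True if no desktop can reach any other desktop on any of the given services."""
    return all(evaluate(a, b, svc)[1] == "deny"
               for a in desktops for b in desktops if a is not b for svc in services)


if __name__ == "__main__":
    jennifer = VM("vdi-01", user="jennifer")
    bob = VM("vdi-02", user="bob")
    alice = VM("vdi-03", user="alice", tags={"ANTI_VIRUS.VirusFound"})  # flagged by the AV service
    fin_files, ehr_db, av = VM("fin-files"), VM("ehr-db"), VM("av-manager")
    for src, dst, svc in [(jennifer, fin_files, "tcp/445"), (bob, fin_files, "tcp/445"),
                          (alice, ehr_db, "tcp/443"), (alice, av, "tcp/443"),
                          (jennifer, bob, "tcp/445")]:
        print(f"{src.name} ({src.user}) -> {dst.name} {svc}: {evaluate(src, dst, svc)}")
    print("desktop-to-desktop blocked:", lateral_movement_blocked([jennifer, bob, alice]))
```

Note how the same user gets different verdicts depending on the VM's tag: alice on a clean vdi-03 is allowed to the patient-record server by the Doctors rule, while alice on a tagged vdi-03 hits the quarantine section first and reaches only the security tools. That ordering is the whole point of putting quarantine above the business rules.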


Page 42

Getting Started

First Steps and Resources

Page 43

Protecting Horizon in Simple Steps

Install

• Deploy the NSX Manager appliance

• Prepare hosts (install the VIBs)

Configure

• Add key VMs to the Exclusion List (vCenter VMs). NSX Manager, the NSX Controllers and Edge appliances are excluded from the DFW automatically; vCenter Server is not, and a default-deny rule that reaches the vCenter vNIC locks you out of vCenter, so add it before tightening the default rule.

• Create and group Services

• Create Security Groups

• Build Distributed Firewall rules

Test

Page 44

Achieving Micro-segmentation in the Real World

Prepare Security Fabric

• Prepare hosts for security

• Optional: deploy security vendor management consoles for advanced services

• Optional: deploy security vendor appliances.

Monitor Flows

• Brownfield: leverage existing knowledge from the perimeter firewalls

• Use the NSX built-in Application Rule Manager, Flow Monitoring and IPFIX tools

• Use vRealize Network Insight to analyze traffic flows

• Integrate VMware Log Insight to analyze syslogs.

Determine Policy Model

• Identify patterns in the flows

• Determine a policy model based on the patterns.

Apply Policy Model

• Determine the approach: Firewall Rule Table or Service Composer policy model

• Based on the policy model, create grouping models

• Write the security policy
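The Monitor Flows → Determine Policy Model → Apply Policy Model steps above, carried out on constructed data as an added example. This is not the deck's or VMware's code and not how Application Rule Manager or vRealize Network Insight is implemented; the addresses, security-group names, flow records and ports are assumptions made for illustration (the authoritative Horizon port list is the network-ports paper linked on page 25). It shows the two decisions that a flow-to-rule tool cannot make for you: flows that should never become an allow rule (desktop-to-desktop, the lateral-movement case from page 30) and flows that cannot yet be expressed as a rule (an endpoint that belongs to no security group, or a service seen too rarely to count as evidence). Everything else is aggregated into one allow rule per source group, destination group and service, and the table closes with a default deny.

```python
"""Added example (not from the deck or from VMware): the Monitor Flows ->
Determine Policy Model -> Apply Policy Model loop on constructed data.
Addresses, group names, ports and flow records are invented for illustration."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed inventory: address -> security group, i.e. what the flow tool
# would learn by mapping IPs to vCenter/NSX objects.
GROUP_OF: Dict[str, str] = {
    "192.168.2.51": "SG-UAG", "192.168.2.52": "SG-UAG",
    "192.168.1.31": "SG-ConnectionServers", "192.168.1.32": "SG-ConnectionServers",
    "10.10.0.11": "SG-Desktops", "10.10.0.12": "SG-Desktops",
    "10.20.0.5": "SG-FileServers",
    "10.20.0.10": "SG-AD",
}

# Constructed IPFIX-style flow records: (src, dst, proto, dst_port, packets).
FLOWS: List[Tuple[str, str, str, int, int]] = [
    ("192.168.2.51", "192.168.1.31", "tcp", 443, 1200),    # UAG -> Connection Server
    ("192.168.2.52", "192.168.1.32", "tcp", 443, 980),
    ("192.168.2.51", "10.10.0.11", "tcp", 22443, 50000),   # UAG -> desktop agent (Blast)
    ("192.168.2.52", "10.10.0.12", "tcp", 22443, 47000),
    ("10.10.0.11", "10.20.0.5", "tcp", 445, 3000),         # desktop -> file share
    ("10.10.0.12", "10.20.0.5", "tcp", 445, 2800),
    ("10.10.0.11", "10.20.0.10", "udp", 53, 400),          # desktop -> AD (DNS, LDAP)
    ("10.10.0.12", "10.20.0.10", "udp", 53, 380),
    ("10.10.0.11", "10.20.0.10", "tcp", 389, 120),
    ("10.10.0.12", "10.20.0.10", "tcp", 389, 110),
    ("10.10.0.11", "10.10.0.12", "tcp", 445, 4),           # desktop -> desktop: never whitelisted
    ("10.10.0.11", "10.20.0.99", "tcp", 1433, 9),          # destination in no security group
    ("10.20.0.5", "10.10.0.11", "tcp", 3389, 2),           # seen once: not enough evidence
]

Rule = Dict[str, object]


def derive_rules(flows, group_of, min_flows: int = 2) -> Tuple[List[Rule], List[Tuple[str, tuple]]]:
    """Aggregate flows into (source group, destination group, service) buckets and
    propose one allow rule per bucket, closing with a default deny. Anything that
    must not become a rule automatically is returned in `review` with a reason."""
    buckets = defaultdict(lambda: {"flows": 0, "packets": 0})
    review: List[Tuple[str, tuple]] = []
    for src, dst, proto, port, packets in flows:
        sg, dg = group_of.get(src), group_of.get(dst)
        if sg is None or dg is None:
            # No group means no rule: classify the endpoint first.
            review.append(("unclassified endpoint", (src, dst, proto, port)))
            continue
        if sg == dg == "SG-Desktops":
            # A desktop talking to a desktop is evidence of a problem, not of a
            # required service; it is what the block rule exists to stop.
            review.append(("desktop-to-desktop", (src, dst, proto, port)))
            continue
        bucket = buckets[(sg, dg, f"{proto}/{port}")]
        bucket["flows"] += 1
        bucket["packets"] += packets

    rules: List[Rule] = []
    for (sg, dg, svc), stats in sorted(buckets.items()):
        if stats["flows"] < min_flows:
            review.append(("low-volume", (sg, dg, svc)))
            continue
        rules.append({"name": f"allow-{sg}-to-{dg}-{svc}", "source": sg, "destination": dg,
                      "service": svc, "action": "allow", "flows": stats["flows"]})
    rules.append({"name": "default-deny", "source": "any", "destination": "any",
                  "service": "any", "action": "deny", "flows": 0})
    return rules, review


def render(rules: List[Rule]) -> str:
    """Plain-text table in the slide's Source / Destination / Service / Action layout."""
    width = max(len(str(r[k])) for r in rules for k in ("source", "destination"))
    lines = [f"{'Source':<{width}}  {'Destination':<{width}}  {'Service':<10} Action"]
    for r in rules:
        lines.append(f"{r['source']:<{width}}  {r['destination']:<{width}}  {r['service']:<10} {r['action']}")
    return "\n".join(lines)


if __name__ == "__main__":
    rules, review = derive_rules(FLOWS, GROUP_OF)
    print(render(rules))
    for reason, detail in review:
        print("REVIEW:", reason, detail)
```

The `min_flows` threshold is deliberately crude; in practice the evidence window has to cover a full business cycle (month-end, patch night, logon storm) before a missing flow can be treated as traffic that should be denied, and the review list is where the human decision is recorded rather than silently turned into a rule.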


Page 45

Resources for Starting with NSX

Learn

• Connect & Engage: communities.vmware.com

• NSX Product Page & Technical Resources: vmware.com/products/nsx

• Network Virtualization Blog: blogs.vmware.com/networkvirtualization

• VMware NSX on YouTube: youtube.com/user/vmwarensx

• Design Guide: VMware NSX for vSphere End-User Computing Design Guide

Experience

• NSX Sessions: spotlights, breakouts, quick talks & group discussions

• Visit the VMware Booth: use case demos, chat with NSX experts

• Visit NSX Technical Partner Booths: integration demos

• Test Drive NSX with free Hands-on Labs: expert-led or self-paced. labs.hol.vmware.com

Use

• NSX Proactive Support Service: optimize performance based on data monitoring and analytics to help resolve problems, mitigate risk and improve operational efficiency. vmware.com/consulting

Take

• Training and Certification: several paths to professional certifications. Learn more at the Education & Certification Lounge. vmware.com/go/nsxtraining
