
Post on 16-Apr-2020


TRANSCRIPT

Page 1: Apply Consistent Security Across Endpoints ... - VMware vForum · ©2019 VMware, Inc. 24 NSX-T Distributed Firewall Enforcement based on 5-tuple, APP-ID, FQDN/URL and User-ID Enforces

©2019 VMware, Inc.

Tock Hiong Ng, Senior Manager, SDDC Systems Engineering, Southeast Asia and Korea, VMware

Confidential │ ©2019 VMware, Inc.

Apply Consistent Security Across Endpoints and Workloads running in VMs, Containers and Bare Metal

Kang Yeong Wong, Enterprise Account Executive, Carbon Black, VMware

Page 2

Disclaimer

This presentation may contain product features or functionality that are currently under development.

This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.

Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.

Technical feasibility and market demand will affect final delivery.

Pricing and packaging for any new features/functionality/technology discussed or presented, have not been determined.

This information is confidential.


The information in this presentation is for informational purposes only and may not be incorporated into any contract. There is no commitment or obligation to deliver any items presented herein.

Page 3

Agenda


VMware Security Strategy

Overview

Next Generation Endpoint Protection

Overview

NSX-T Datacenter Distributed Firewall

Use case, Architecture

Container, Native Public Cloud & Bare-Metal Security

Overview & Architecture

Page 4

Virtual Cloud Networking: Ties it all together.

(Figure: the Virtual Cloud Network (VCN) spanning Public cloud, Users, VMs/Containers/Microservices, VMware partners (VMC), Private Data Centers, Telco Networks, Things, Private Cloud (VCF) and Edge.)

10k customers to date
82% of Fortune 100 enterprises
70% of all Fortune Global 500 telcos
Gartner MQ Leader, WAN Edge Infrastructure

Page 5

The Intrinsic Security Layer

(Figure: Apps, Data and Analytics sit on top of the Intrinsic Security Layer, which spans five control points: Workload, Endpoint, Network, Identity, Cloud.)

Page 6

VMware Carbon Black: Better Together

Page 7

Security Must Be Transformed

From: Bolted-on, Reactive, Siloed
To: Built-in, Proactive, Aligned

Page 8

Living off the Land Attacks

Page 9

Step 1: Unfiltered Data Collection

UNFILTERED DATA

Copy of every unique binary

All network connections

All executions

All file modifications

All cross-process events

All registry modifications

No blind spots

Continuous recording

Proprietary data shaping

Page 10

Step 2: Tagging TTPs

Tactics, Techniques, and Procedures (TTPs): individual patterns of behavior often found with malicious activity.

Illustrative patterns (figure):
1. Merchant ID & reputation
2. Purchase in a strange place
3. Luxury items
4. Small purchase followed by large purchase

Page 11

Step 3: Detection Through Data Science

Probabilistic Modeling + Temporal Analysis

(Figure: event chains tagged with TTPs such as PERSISTENCE, UNKNOWN_APP, HARVEST_PASSWORDS, CODE_INJECTION and READ_USER_DATA; each chain is scored with a confidence of Low, Medium or High.)

Scale: hundreds of TTPs, millions of endpoints, hundreds of billions of events.

Page 12

Next Gen Anti-Virus
Vulnerability Management
Compliance Reporting
Managed Detection
Audit & Remediation
Workload Protection
Device Control
Rogue Device Detection
Endpoint Detection & Response

Page 13

One Data-Driven Platform, Many Solutions

Incident Response & Threat Hunting
App Control & Infrastructure Protection
Next-Gen AV + EDR
Real-time Query & Remediation
Managed Alert Triage
Virtual Datacenter Security
Advanced Threat Hunting & IR

Page 14

VMware + Carbon Black + Ecosystem = Better Together

(Figure: Carbon Black at the centre, integrated with the VMware portfolio and the partner Ecosystem.)
AppDefense / vSphere: Workload Security
Workspace ONE: Endpoint Security
NSX: Network Threat Analytics
Secure State: Cloud Security

AGENTLESS, UNIFIED, EMBEDDED, INTEGRATED

Page 15

VMware Vision: The essential, ubiquitous digital foundation

Any Device
Any Application: Traditional, Cloud Native, SaaS
Any Cloud: Hybrid, Edge, Public, Telco

Page 16

Network Security with NSX

Page 17

The Intrinsic Security Layer


Page 18

Key NSX-T Data Center Use-cases

Security, Cloud Native, Automation, Multi-Cloud Networking

Multi-vCenter; multi-hypervisor (ESX, KVM)
Heterogeneous end-points: Container, VM, Bare-Metal
Multi-Cloud: On-Premise, Hybrid, Public (AWS, Azure, VMC on AWS)

Page 19

NSX Security Capabilities: At a Glance

Native Security Controls: L3/L4 and L7 APP-ID Firewall, Identity FW, URL Filtering
Vendor Service Insertion: Service Chaining
NSX Intelligence: Network & Security Analytics

Page 20

When Threats Breach the Perimeter, It’s Hard to Stop Lateral Spread

Network Perimeter Security Realities:
Low priority systems are often targeted first.
Attackers can move freely around the data center.
Attackers then gather and exfiltrate the valuable data.

(Figure: Internet, Perimeter Firewall, Network Perimeter.)

Page 21

What If You Could… Enforce Security at the Most Granular Level of the Data Center?

Every VM can have:
Individual security policies
Individual firewalls

Policies can be defined based on any context:
VM Attributes
Network Attributes
Application Attributes

(Figure: Internet, Perimeter Firewall, Network Perimeter.)

Page 22

NSX-T Datacenter Distributed Firewall: Grouping/Policy Methodology

Network Based
• Policies are network centric.
• Uses only IP address and MAC address.
• Difficult to operate/scale.
• Normally used for physical firewall policy migrations.
• Data center environments are static.

Infrastructure Based
• Policies are SDDC infrastructure centric.
• Uses logical constructs.
• Requires knowledge of logical & physical boundaries.
• Granularity dictated by topology.
• Data center environments are static.

Application Based
• Policies are application centric.
• Not tied to physical or logical topologies.
• Data center environments are dynamic.
• Tailor-made policies, specific to individual application tiers, functions or roles.

Page 23

Micro-segmentation Simplifies Network Security

Zero Trust/Least Privilege Model
Each VM can now be its own perimeter
Policies align with logical groups
Prevents threats from spreading
Network Topology Agnostic

(Figure: DMZ, App, Services and DB tiers behind a perimeter firewall and an inside firewall; shared services AD, NTP, DHCP, DNS, CERT; Finance, Engineering and HR groups.)

Page 24

NSX-T Distributed Firewall

Enforcement based on 5-tuple, APP-ID, FQDN/URL and User-ID

Enforces FW rules for any workload on any platform regardless of network transport

Static & Dynamic grouping based on Compute object, Tags and User

Micro-Segmentation for Overlay-backed workloads

Micro-Segmentation of VLAN-backed workloads connected via existing routers or CSP

Stateful Distributed L2-L7 Services for all workloads

(Figure: the Distributed Firewall runs in the NSX Virtual Distributed Switch on every ESXi/KVM host and on bare-metal servers.)

Page 25

NSX-T Datacenter Distributed Firewall: DFW Policy Lookup – Flow Table & Rule Table

Rule Table

Rule ID  SRC  DST  Service  Action
1        ANY  WEB  HTTPS    Allow
2        WEB  APP  HTTP     Allow
3        APP  DB   MYSQL    Allow
4        ANY  ANY  ANY      Block

Flow Table

Flow Entry  State  Index
Flow 1      EST    1
Flow 2      EST    2   (added in step 5)

1. WEB VM starts a NEW session with APP VM: “SRC: WEB, DST: APP, PORT: HTTP, TCP-SYN”.
2. The flow hits the DFW, which does a Flow Table lookup first to see whether any state matches an existing flow. Result: Flow 2 state not found.
3. Since the Flow Table missed for Flow 2, the DFW does a Rule Table lookup in top-down order for a 5-tuple match.
4. The packet matches FW rule 2, which is Allow, so the packet is sent out to the destination.
5. In addition, the Flow Table is updated with a new flow state for the permitted flow as “Flow 2”. Subsequent packets in this flow are checked against this entry for a state match.

(Figure: NSX Virtual Distributed Switch with the DFW in the path between the WEB VM and the APP VM.)
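The lookup sequence on this slide, together with the tag-based grouping from the grouping and Distributed Firewall slides, as an added worked example (this is illustrative code written for this page, not NSX or VMware code): a small Python model of a stateful distributed firewall that consults the flow table first, walks the rule table top-down on the 5-tuple on a miss, records state for permitted flows so later packets of the session hit the flow table, and resolves the WEB/APP/DB groups from workload tags at lookup time. The workload names, the tags, and the treatment of a non-SYN TCP packet that has no flow state are assumptions made for the demo.

```python
"""Added example (not NSX or VMware code): a toy stateful distributed firewall
modelling the lookup order on the slide. Flow table first; on a miss, the rule
table top-down on the 5-tuple; permitted flows are recorded so later packets
of the same session match the flow table. Groups are resolved dynamically from
workload tags, so a newly tagged workload picks up policy without a rule edit.
Workload names, tags and the treatment of out-of-state packets are assumptions."""
from dataclasses import dataclass, field

# Constructed inventory: workload name -> set of tags (the "compute object + tag" grouping).
INVENTORY = {
    "web-01": {"tier:web"},
    "app-01": {"tier:app"},
    "db-01": {"tier:db"},
    "jumpbox": {"tier:mgmt"},
}

# Group name -> tag that defines membership. Evaluated at lookup time, not cached.
GROUP_TAGS = {"WEB": "tier:web", "APP": "tier:app", "DB": "tier:db"}

SERVICES = {"HTTPS": ("tcp", 443), "HTTP": ("tcp", 80), "MYSQL": ("tcp", 3306)}

# Rule table from the slide: (rule id, source group, destination group, service, action).
RULES = [
    (1, "ANY", "WEB", "HTTPS", "Allow"),
    (2, "WEB", "APP", "HTTP", "Allow"),
    (3, "APP", "DB", "MYSQL", "Allow"),
    (4, "ANY", "ANY", "ANY", "Block"),
]


@dataclass(frozen=True)
class Flow:
    """5-tuple identifying one session."""
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def in_group(workload: str, group: str) -> bool:
    """Dynamic group membership: ANY matches everything, else check the defining tag."""
    if group == "ANY":
        return True
    return GROUP_TAGS[group] in INVENTORY.get(workload, set())


def service_matches(flow: Flow, service: str) -> bool:
    if service == "ANY":
        return True
    proto, port = SERVICES[service]
    return flow.proto == proto and flow.dport == port


@dataclass
class DFW:
    flow_table: dict = field(default_factory=dict)  # Flow -> connection state

    def process(self, flow: Flow, syn: bool = False) -> tuple:
        """Decide one packet of `flow`; returns (action, what matched)."""
        # Step 2 on the slide: the flow table lookup comes first.
        if flow in self.flow_table:
            return "Allow", "flow-table"
        # Assumption for the demo: a TCP packet with no state that is not a SYN
        # cannot start a session, so a stateful firewall drops it without a rule lookup.
        if flow.proto == "tcp" and not syn:
            return "Block", "no-state"
        # Step 3: flow table miss, so walk the rule table top-down; first match wins.
        for rule_id, src_grp, dst_grp, service, action in RULES:
            if in_group(flow.src, src_grp) and in_group(flow.dst, dst_grp) and service_matches(flow, service):
                if action == "Allow":
                    # Step 5: record state so subsequent packets hit the flow table.
                    self.flow_table[flow] = "EST"
                return action, f"rule-{rule_id}"
        return "Block", "implicit-deny"  # unreachable while rule 4 is present


def add_workload(name: str, tags: set) -> None:
    """Tag a new workload; existing rules cover it on the next lookup, no rule edit needed."""
    INVENTORY[name] = set(tags)


if __name__ == "__main__":
    fw = DFW()
    web_to_app = Flow("web-01", "app-01", "tcp", 51000, 80)
    print(fw.process(web_to_app, syn=True))  # ('Allow', 'rule-2')
    print(fw.process(web_to_app))            # ('Allow', 'flow-table')
    print(fw.process(Flow("web-01", "db-01", "tcp", 51001, 3306), syn=True))  # ('Block', 'rule-4')
```

The point of resolving `GROUP_TAGS` on every lookup rather than caching membership is the "dynamic grouping" property: tagging a new `tier:web` workload makes rule 1 apply to it immediately, without touching the rule table.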

Page 26

NSX-T Datacenter DFW Policy with Layer 7 APP-ID

Overview
Port-independent enforcement on the DFW
Built-in APP-IDs for common infrastructure and enterprise apps
Version sub-attributes for TLS and CIFS
Cipher-suite sub-attribute for TLS
Used in Rules via Context Profiles

Feature (figure)
Without L7: TCP 443
With L7: TCP 443, APP_ID = HTTPS, TLS version 1.2

Layers and example APP-IDs:
L2: Ethernet
L3: IP
L4: TCP/UDP
L5-L7: Web (HTTP, HTTPS, TLS, …); VDI (BLAST, PCoIP, RDP, VMC, …); AAA (AD, LDAP, OCSP, …)
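What "port-independent enforcement" with version and cipher-suite sub-attributes amounts to, as an added example (illustrative code written for this page, not NSX's APP-ID engine or any VMware code): a simplified TLS ClientHello parser that classifies a TCP payload by content rather than by port, extracts the TLS version (including the TLS 1.3 supported_versions extension) and cipher suites, and a rule whose context profile allows the flow only when the version meets a minimum. The `build_client_hello` helper, the cipher-suite subset and the port numbers are constructed for the demo.

```python
"""Added example (not NSX or VMware code): port-independent classification of a
TCP payload as a TLS ClientHello, extraction of the TLS version and cipher-suite
sub-attributes, and a rule whose context profile requires TLS 1.2 or newer.
The parser is a simplified one written for this page and covers only the fields
needed here; NSX's own APP-ID engine is not shown. build_client_hello constructs
sample traffic so the example runs offline."""
import struct

TLS_VERSIONS = {0x0301: "1.0", 0x0302: "1.1", 0x0303: "1.2", 0x0304: "1.3"}
SUPPORTED_VERSIONS_EXT = 43  # extension type that carries the real TLS 1.3 offer

# Small subset of IANA cipher-suite code points, enough for the demo.
CIPHER_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
}


def parse_client_hello(payload: bytes):
    """Return {'app_id','version_code','tls_version','ciphers'} or None if not a ClientHello."""
    try:
        # Record header: type 0x16 (handshake); handshake header: type 0x01 (ClientHello).
        if payload[0] != 0x16 or payload[5] != 0x01:
            return None
        pos = 9                                      # skip record (5) + handshake (4) headers
        version = struct.unpack("!H", payload[pos:pos + 2])[0]
        pos += 2
        pos += 32                                    # client random
        pos += 1 + payload[pos]                      # session id
        cs_len = struct.unpack("!H", payload[pos:pos + 2])[0]
        pos += 2
        ciphers = [struct.unpack("!H", payload[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        pos += 1 + payload[pos]                      # compression methods
        if pos + 2 <= len(payload):                  # extensions are optional
            ext_len = struct.unpack("!H", payload[pos:pos + 2])[0]
            pos += 2
            end = pos + ext_len
            while pos + 4 <= end:
                etype, elen = struct.unpack("!HH", payload[pos:pos + 4])
                pos += 4
                if etype == SUPPORTED_VERSIONS_EXT:
                    # TLS 1.3 keeps 0x0303 in the legacy field; the real offer is in this list.
                    body = payload[pos + 1:pos + elen]
                    offered = [struct.unpack("!H", body[i:i + 2])[0] for i in range(0, len(body), 2)]
                    known = [v for v in offered if v in TLS_VERSIONS]  # drops GREASE values
                    if known:
                        version = max(known)
                pos += elen
    except (IndexError, struct.error):
        return None                                  # truncated or not TLS at all
    return {
        "app_id": "TLS",
        "version_code": version,
        "tls_version": TLS_VERSIONS.get(version, hex(version)),
        "ciphers": [CIPHER_NAMES.get(c, hex(c)) for c in ciphers],
    }


def evaluate(dport: int, payload: bytes, min_version: int = 0x0303) -> tuple:
    """Context-profile rule: Allow only when the payload classifies as TLS >= min_version,
    whatever TCP port it arrives on. Returns (action, reason)."""
    info = parse_client_hello(payload)
    if info is None:
        return "Block", f"no APP-ID match for TLS on port {dport}"
    if info["version_code"] < min_version:
        return "Block", f"TLS {info['tls_version']} below profile minimum {TLS_VERSIONS[min_version]}"
    return "Allow", f"APP_ID={info['app_id']} TLS {info['tls_version']} on port {dport}"


def build_client_hello(client_version: int, ciphers, supported_versions=None) -> bytes:
    """Constructed sample ClientHello (empty session id, null compression only)."""
    body = struct.pack("!H", client_version) + bytes(32) + b"\x00"
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"
    exts = b""
    if supported_versions:
        vers = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext_body = bytes([len(vers)]) + vers
        exts += struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(ext_body)) + ext_body
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    print(evaluate(8443, build_client_hello(0x0303, [0xC02F])))  # Allow: TLS 1.2 on a non-443 port
    print(evaluate(443, build_client_hello(0x0301, [0x002F])))   # Block: TLS 1.0 even on 443
```

Note the two directions of the check: TLS 1.2 on port 8443 is allowed because the decision keys on the classified APP-ID, not the port, while a TLS 1.0 ClientHello on 443 is blocked because the version sub-attribute fails the profile.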

Page 27

NSX-T Datacenter Distributed Firewall for Containers

Every Pod/Container has DFW rules applied on its Interface

Security policy options:

• K8S Network Policy

• K8S Label (system and user defined) which maps to NSX Tag

• Default Policy per cluster

Allows Security policy for

• Container to Container

• Container to/from VM/Physical

Uniform operational model for VMs & containers

Implementation (figure): pods on ESX/KVM hosts attach to the NSX Virtual Distributed Switch with the Distributed Firewall applied on each interface; Pivotal Container Service (PKS) consumes NSX-T through the NCP plugin.

** -> Logical representation of containers on NSX-T to show networking and security policy enforced the same way for both VMs & containers

Page 28

NSX Micro-segmentation for Bare-Metal workload: Architecture

(Figure: bare-metal servers running the NSX Agent and OVS connect to the physical network alongside ESX/KVM hosts running the NSX Virtual Distributed Switch with the Distributed Firewall.)

Stateful Layer 4 Firewall for bare-metal workloads.
Single pane of glass for security policy consumption
Consistent security policy across VMs, Containers, Bare-Metal & Native Cloud Workloads

Page 29

NSX Cloud

Extension of NSX on-prem features for native Public Cloud workloads
• Single pane of glass visibility
• Consistent security policy
• Precise control over cloud networking
• Uniform operations control with existing tools

Consistent Networking & Security for private and native Public Cloud workloads; consume with your existing tools.

(Figure: NSX Data Center and NSX Cloud spanning Private Cloud, AWS, Azure and future public clouds, delivering Visibility, Security and Networking.)

IT defines security policies once: consistent networking, visibility across clouds, consistent security.

Page 30

NSX Native Public Cloud Security: NSX Cloud Architecture – NSX Enforced Mode

(Figure: on-prem ESX/KVM hosts with the NSX Virtual Distributed Switch and Distributed Firewall, PKS with the NCP plugin, and the CSM Manager connected to a cloud VNET/VPC whose instances run NSX Tools with OVS.)

1. Install the on-prem Cloud Service Manager (CSM) and register it with NSX Manager and the cloud provider (Azure/AWS) with the right credentials.
2. Install the NSX Cloud Gateway in the customer's cloud account.
3. Have NSX Tools on the cloud VM instances.
4. Push the micro-segmentation security policy to the NSX Cloud Gateway, which in turn pushes the policy to the NSX-managed instances.

Page 31

NSX Native Public Cloud Security: NSX Cloud Architecture – Native Cloud Enforce Mode

(Figure: the same on-prem components as the NSX Enforced Mode slide, with the CSM Manager connected to a cloud VNET/VPC; the cloud instances carry no NSX Tools.)

1. Install the on-prem Cloud Service Manager (CSM) and register it with NSX Manager and the cloud provider (Azure/AWS) with the right credentials.
2. Install the NSX Cloud Gateway in the customer's cloud account.
4. Push the micro-segmentation security policy to the NSX Cloud Gateway, which in turn pushes the policy to the VPC/VNET.

Native Cloud Enforce Mode:
• NSX manages policy
• Enforcement using AWS/Azure Security Groups
• No NSX Tools inside the cloud instance
• Management at VPC/VNET level

Page 32

East-West Security for All Workloads: NSX Data Center & NSX Cloud

Consistent Security Policy across all workloads: On-prem, Public Cloud and VMware Cloud Destinations (VMC, IBM, OVH, VCPP)

(Figure: VMs, Containers, Bare-metal Servers, VMware Cloud Destinations, Native Public Cloud.)

Page 33

Page 34

Resources: How to get started

LEARN: Design Guides, Demos – VMware.com/go/NSXtechzone
TRY: Take a Hands-on Lab
CONNECT: Join VMUG, VMware Communities (VMTN) – @VMwareNSX #runNSX

Page 35

Thank You!


Page 36