Apply Consistent Security Across Endpoints and Workloads running in VMs, Containers and Bare Metal
VMware vForum: TRANSCRIPT
©2019 VMware, Inc.
Speakers:
Tock Hiong Ng, Senior Manager, SDDC Systems Engineering, Southeast Asia and Korea, VMware
Kang Yeong Wong, Enterprise Account Executive, Carbon Black, VMware
Disclaimer
This presentation may contain product features or functionality that are currently under development.
This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
Technical feasibility and market demand will affect final delivery.
Pricing and packaging for any new features/functionality/technology discussed or presented, have not been determined.
This information is confidential.
The information in this presentation is for informational purposes only and may not be incorporated into any contract. There is no commitment or obligation to deliver any items presented herein.
Agenda
• VMware Security Strategy: Overview
• Next Generation Endpoint Protection: Overview
• NSX-T Datacenter Distributed Firewall: Use case, Architecture
• Container, Native Public Cloud & Bare-Metal Security: Overview & Architecture
Virtual Cloud Networking: Ties it all together
[Slide diagram: Public cloud, Private Cloud (VCF), Private DataCenters, Edge, Telco Networks and VMware partners (VMC), connected by the Virtual Cloud Network (VCN) to Users, Things, and VMs, Containers and Microservices]
• 10k customers to date
• 82% of Fortune 100 enterprises
• 70% of all Fortune Global 500 telcos
• Gartner MQ Leader, WAN Edge Infrastructure
The Intrinsic Security Layer
[Slide diagram: Apps, Data and Analytics sit on the Intrinsic Security Layer, which spans Workload, Endpoint, Network, Identity and Cloud]
VMware Carbon Black: Better Together

Security Must Be Transformed
[Slide: from Bolted-on, Reactive, Siloed to Built-in, Proactive, Aligned]
Living off the Land Attacks
Step 1: Unfiltered Data Collection
UNFILTERED DATA:
• Copy of every unique binary
• All network connections
• All executions
• All file modifications
• All cross-process events
• All registry modifications
No blind spots. Continuous recording. Proprietary data shaping.
Step 2: Tagging TTPs
TACTICS, TECHNIQUES, AND PROCEDURES (TTPs): individual patterns of behavior often found with malicious activity.
[Slide: credit-card fraud analogy, four behaviours tagged on one transaction]
1. Merchant ID & reputation
2. Purchase in a strange place
3. Luxury items
4. Small purchase followed by large purchase
Step 3: Detection Through Data Science
[Slide: process trees tagged with TTPs such as PERSISTENCE, UNKNOWN_APP, HARVEST_PASSWORDS, CODE_INJECTION and READ_USER_DATA; each tree is scored Confidence: Low, Medium or High]
Probabilistic Modeling + Temporal Analysis
TTPs: HUNDREDS; Endpoints: MILLIONS; Events: HUNDREDS OF BILLIONS
One Data-Driven Platform, Many Solutions
[Slide: one platform surrounded by its solutions]
• Next Gen Anti-Virus
• Endpoint Detection & Response
• Vulnerability Management
• Compliance Reporting
• Managed Detection
• Audit & Remediation
• Workload Protection
• Device Control
• Rogue Device Detection
Outcomes: Incident Response & Threat Hunting; App Control & Infrastructure Protection; Next-Gen AV + EDR; Real-time Query & Remediation; Managed Alert Triage; Virtual Datacenter Security; Advanced Threat Hunting & IR
VMware + Carbon Black + Ecosystem = Better Together
• AppDefense + vSphere: Workload Security
• Workspace ONE + Carbon Black: Endpoint Security
• Carbon Black + NSX: Network Threat Analytics
• Secure State + Carbon Black: Cloud Security
AGENTLESS, UNIFIED, EMBEDDED, INTEGRATED with the Ecosystem
VMware Vision: The essential, ubiquitous digital foundation
• Any Device
• Any Application: Traditional, Cloud Native, SaaS
• Any Cloud: Hybrid, Edge, Public, Telco
Network Security with NSX
Key NSX-T Data Center Use-cases
• Security, Cloud Native, Automation, Multi-Cloud Networking
• Multi-vCenter; multi-hypervisor (ESX, KVM)
• Heterogeneous endpoints: Container, VM, Bare-Metal
• Multi-cloud: On-Premises, Hybrid, Public (AWS, Azure, VMC on AWS)
NSX Security Capabilities: At a Glance
• Native Security Controls: L3/L4 and L7 APP-ID Firewall, Identity FW, URL Filtering
• Vendor Service Insertion: Service Chaining
• NSX Intelligence: Network & Security Analytics
When Threats Breach the Perimeter, It’s Hard to Stop Lateral Spread
[Slide diagram: Internet, Perimeter Firewall, Network Perimeter]
Security Realities:
• Low priority systems are often targeted first.
• Attackers can move freely around the data center.
• Attackers then gather and exfiltrate the valuable data.
What If You Could Enforce Security at the Most Granular Level of the Data Center?
[Slide diagram: Internet, Perimeter Firewall, Network Perimeter, with a firewall on every VM]
Every VM can have:
• Individual security policies
• Individual firewalls
Policies can be defined based on any context:
• VM Attributes
• Network Attributes
• Application Attributes
NSX-T Datacenter Distributed Firewall: Grouping/Policy Methodology

Network Based
• Policies are network centric.
• Uses only IP address and MAC address constructs.
• Difficult to operate/scale.
• Normally used for physical firewall policy migrations.
• Data Center environments are static.

Infrastructure Based
• Policies are SDDC infrastructure centric.
• Uses logical constructs.
• Requires knowledge of logical & physical boundaries.
• Granularity dictated by topology.
• Data Center environments are static.

Application Based
• Policies are application centric.
• Not tied to physical or logical topologies.
• Data Center environments are dynamic.
• Tailor-made policies, specific to individual application tiers, functions or roles.
Micro-segmentation Simplifies Network Security
• Zero Trust/Least Privilege Model
• Each VM can now be its own perimeter
• Policies align with logical groups
• Prevents threats from spreading
• Network Topology Agnostic
[Slide diagram: Perimeter firewall and Inside firewall in front of App, DMZ, Services (AD, NTP, DHCP, DNS, CERT) and DB tiers, grouped by Finance, Engineering and HR]
NSX-T Distributed Firewall
• Enforcement based on 5-tuple, APP-ID, FQDN/URL and User-ID
• Enforces FW rules for any workload on any platform regardless of network transport
• Static & Dynamic grouping based on Compute object, Tags and User
• Micro-Segmentation for Overlay-backed workloads
• Micro-Segmentation of VLAN-backed workloads connected via existing routers or CSP
• Stateful Distributed L2-L7 Services for all workloads
[Slide diagram: Distributed Firewall on the NSX Virtual Distributed Switch across ESXi/KVM hosts and Bare metal]
NSX-T Datacenter Distributed Firewall: DFW Policy Lookup – Flow Table & Rule Table

Rule Table
Rule ID   SRC   DST   Service   Action
1         ANY   WEB   HTTPS     Allow
2         WEB   APP   HTTP      Allow
3         APP   DB    MYSQL     Allow
4         ANY   ANY   ANY       Block

Flow Table (after step 5)
Flow Entry   State   Index
Flow 1       EST     1
Flow 2       EST     2

1. WEB VM starts a NEW session with APP VM: “SRC: WEB, DST: APP, PORT: HTTP, TCP SYN”.
2. The flow hits the DFW, which does a Flow Table lookup first to see whether any state matches an existing flow. Result: Flow 2 state not found.
3. Since the Flow Table lookup misses for Flow 2, the DFW does a Rule Table lookup in top-down order for a 5-tuple match.
4. The packet matches FW rule 2, which is Allow, so the packet is sent out to the destination.
5. In addition, the Flow Table is updated with the new flow state for the permitted flow as "Flow 2". Subsequent packets in this flow are checked against this flow entry for a state match.
[Slide diagram: DFW on the NSX Virtual Distributed Switch]
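The lookup sequence above, modelled as an added Python example (not VMware code): the rule table is the slide's, the IP-to-group inventory and service map are constructed sample data standing in for tag-based grouping, and the flow table is consulted before the rule table. Matching return packets of a permitted flow on the reversed 5-tuple is an assumption about stateful behaviour that the slide does not spell out.

```python
# Added example: simplified model of the DFW lookup order (flow table first, then rule table).
# Not VMware code. Inventory, service map and addresses are constructed sample data.
GROUP_OF = {  # constructed inventory: workload IP -> security group (stands in for tag-based grouping)
    "10.0.1.10": "WEB", "10.0.2.10": "APP", "10.0.3.10": "DB", "198.51.100.7": "EXTERNAL",
}
SERVICE_OF = {("TCP", 443): "HTTPS", ("TCP", 80): "HTTP", ("TCP", 3306): "MYSQL"}  # L4 service names

# Rule table from the slide: (rule id, source group, destination group, service, action)
RULES = [
    (1, "ANY", "WEB", "HTTPS", "Allow"),
    (2, "WEB", "APP", "HTTP", "Allow"),
    (3, "APP", "DB", "MYSQL", "Allow"),
    (4, "ANY", "ANY", "ANY", "Block"),
]


def _match(rule_field, value):
    """A rule field matches when it is the ANY wildcard or equals the packet's value."""
    return rule_field == "ANY" or rule_field == value


class DistributedFirewall:
    def __init__(self, rules):
        self.rules = rules
        self.flow_table = {}  # 5-tuple -> {"rule": id, "state": ...}; only permitted flows are recorded

    def process(self, src, dst, proto, sport, dport):
        """Evaluate one packet; returns (lookup path, matched rule id, verdict)."""
        key = (src, dst, proto, sport, dport)
        reverse = (dst, src, proto, dport, sport)
        # Step 1: flow table lookup. Return packets of a permitted flow match the reversed
        # 5-tuple (assumed stateful behaviour; the slide shows only the forward direction).
        for k in (key, reverse):
            entry = self.flow_table.get(k)
            if entry is not None:
                entry["state"] = "EST"  # later packets only need a state match
                return ("flow-table", entry["rule"], "forward")
        # Step 2: flow table miss -> rule table walk, top-down, first match wins.
        src_grp, dst_grp = GROUP_OF.get(src, "UNKNOWN"), GROUP_OF.get(dst, "UNKNOWN")
        service = SERVICE_OF.get((proto, dport), "UNKNOWN")
        for rule_id, r_src, r_dst, r_svc, action in self.rules:
            if _match(r_src, src_grp) and _match(r_dst, dst_grp) and _match(r_svc, service):
                if action == "Allow":
                    # Step 3: record state for the permitted flow so its next packets hit the flow table.
                    self.flow_table[key] = {"rule": rule_id, "state": "NEW"}
                    return ("rule-table", rule_id, "forward")
                return ("rule-table", rule_id, "drop")
        return ("rule-table", None, "drop")  # no rule matched: implicit deny
```

Calling `DistributedFirewall(RULES).process("10.0.1.10", "10.0.2.10", "TCP", 51000, 80)` reproduces the slide's WEB-to-APP SYN: a rule-table hit on rule 2, after which the SYN/ACK in the other direction is answered from the flow table.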
NSX-T Datacenter DFW Policy with Layer 7 APP-ID

Overview
• Port-independent enforcement on the DFW
• Built-in APP-IDs for common infrastructure and enterprise apps
• Version sub-attributes for TLS and CIFS
• Cipher-suite sub-attribute for TLS
• Used in Rules via Context Profiles

Feature
[Slide diagram: Without L7 the DFW sees only "TCP 443"; with L7 it sees "TCP 443, APP_ID = HTTPS, TLS version 1.2"]
Layers: L2 Ethernet; L3 IP; L4 TCP/UDP; L5-L7 application, e.g. Web (HTTP, HTTPS, TLS, …), VDI (BLAST, PCoIP, RDP, VMC, …), AAA (AD, LDAP, OCSP, …)
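Port-independent enforcement, as an added Python example (not VMware code): a rule that carries a context profile is matched on the classified APP-ID and its TLS version sub-attribute instead of on the destination port, so the same traffic gets different verdicts from a port-only rule set and a context-profile rule set. The rule names, the flows and the SSH APP-ID are constructed sample data.

```python
# Added example: how a Layer 7 context profile changes what a DFW rule matches. Not VMware code.
# A context profile lists APP-ID attributes (and sub-attributes such as tls_version) that the
# classified flow must satisfy; a rule without a profile matches on the L4 port alone.

def profile_matches(profile, flow):
    """True when every attribute constraint in the context profile is met by the flow."""
    if profile is None:
        return True  # L4-only rule: no L7 constraint
    return all(flow.get(attr) in allowed for attr, allowed in profile.items())


def evaluate(rules, flow):
    """Walk the rule table top-down; return (rule name, action) of the first match."""
    for rule in rules:
        if rule["dport"] != "ANY" and rule["dport"] != flow["dport"]:
            continue
        if profile_matches(rule.get("context_profile"), flow):
            return rule["name"], rule["action"]
    return "implicit-deny", "Block"


# "Without L7": the rule can only say "TCP 443", whatever is actually carried on that port.
L4_ONLY_RULES = [
    {"name": "allow-tcp-443", "dport": 443, "action": "Allow"},
    {"name": "default", "dport": "ANY", "action": "Block"},
]
# "With L7": the rule names the application and the TLS versions it tolerates, on any port.
L7_RULES = [
    {"name": "allow-modern-tls", "dport": "ANY", "action": "Allow",
     "context_profile": {"app_id": {"HTTPS"}, "tls_version": {"1.2", "1.3"}}},
    {"name": "default", "dport": "ANY", "action": "Block"},
]

# Constructed flows as the DFW sees them after APP-ID classification (the SSH app id is constructed).
TLS12_ON_8443 = {"dport": 8443, "app_id": "HTTPS", "tls_version": "1.2"}
TLS10_ON_443 = {"dport": 443, "app_id": "HTTPS", "tls_version": "1.0"}
SSH_ON_443 = {"dport": 443, "app_id": "SSH"}


def compare(flow):
    """Verdict of the port-only rule set next to the context-profile rule set for one flow."""
    return {"without_l7": evaluate(L4_ONLY_RULES, flow), "with_l7": evaluate(L7_RULES, flow)}
```

`compare(SSH_ON_443)` shows the blind spot the slide's "Without L7" picture implies: the port-only rule allows whatever rides on TCP 443, while the context-profile rule blocks it and instead admits TLS 1.2 on a non-standard port.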
NSX-T Datacenter Distributed Firewall for Containers

Overview
• Every Pod/Container has DFW rules applied on its interface
• Security policy options:
  • K8S Network Policy
  • K8S Label (system and user defined), which maps to an NSX Tag
  • Default Policy per cluster
• Allows security policy for:
  • Container to Container
  • Container to/from VM/Physical
• Uniform operational model for VMs & containers

Implementation
[Slide diagram: Distributed Firewall on the NSX Virtual Distributed Switch across ESX/KVM hosts; Pivotal Container Service (PKS) with the NCP Plugin]
** Logical representation of containers on NSX-T, to show networking and security policy enforced the same way for both VMs & containers
NSX Micro-segmentation for Bare-Metal workload: Architecture
[Slide diagram: Distributed Firewall on the NSX Virtual Distributed Switch across ESX/KVM hosts; Bare-Metal Servers running the NSX Agent and OVS, attached to the Physical Network]
• Stateful Layer 4 Firewall for Bare-metal workloads
• Single pane of glass for security policy consumption
• Consistent security policy across VMs, Containers, Bare-Metal & Native Cloud Workloads
NSX Cloud
Extension of NSX on-prem features for native Public Cloud workloads:
• Single pane of glass visibility
• Consistent security policy
• Precise control over cloud networking
• Uniform operations control with existing tools
Consistent Networking & Security for private and native Public Cloud workloads; consume with your existing tools.
[Slide diagram: NSX Data Center and NSX Cloud spanning Private Cloud, AWS, Azure and future Public Clouds, delivering Visibility, Security and Networking]
IT defines security policies once: Consistent Networking, Visibility across clouds, Consistent Security.
NSX Native Public Cloud Security: NSX Cloud Architecture – NSX Enforced Mode
[Slide diagram: on-prem Distributed Firewall on the NSX Virtual Distributed Switch across ESX/KVM hosts, with Pivotal Container Service (PKS) and the NCP Plugin; CSM Manager; a VNET/VPC whose instances run NSX Tools and OVS]
1. Install the on-prem Cloud Service Manager (CSM) and register it with NSX Manager and with the cloud provider (Azure/AWS) using the right credentials.
2. Install the NSX Cloud Gateway in the customer's cloud account.
3. Have NSX Tools on the cloud VM instances.
4. Push the micro-segmentation security policy to the NSX Cloud Gateway, which in turn pushes the policy to the NSX-managed instances.
NSX Native Public Cloud Security: NSX Cloud Architecture – Native Cloud Enforce Mode
[Slide diagram: on-prem Distributed Firewall on the NSX Virtual Distributed Switch across ESX/KVM hosts, with Pivotal Container Service (PKS) and the NCP Plugin; CSM Manager; a VNET/VPC whose instances run no NSX Tools]
1. Install the on-prem Cloud Service Manager (CSM) and register it with NSX Manager and with the cloud provider (Azure/AWS) using the right credentials.
2. Install the NSX Cloud Gateway in the customer's cloud account.
4. Push the micro-segmentation security policy to the NSX Cloud Gateway, which in turn pushes the policy to the VPC/VNET.
Native Cloud Enforce Mode:
• NSX manages policy
• Enforcement using AWS/Azure Security Groups
• No NSX Tools inside the cloud instance
• Management at VPC/VNET level
East-West Security for All Workloads: NSX Data Center & NSX Cloud
Consistent Security Policy across all workloads: on-prem, Public Cloud and VMware Cloud Destinations (VMC, IBM, OVH, VCPP)
[Slide diagram: VMs, Containers, Bare-metal Servers, VMware Cloud Destinations and Native Public Cloud]
Resources: How to get started
• LEARN: Design Guides, Demos
• TRY: Take a Hands-on Lab
• CONNECT: Join VMUG, VMware Communities (VMTN); @VMwareNSX #runNSX
VMware.com/go/NSXtechzone

Thank You!