© 2014 VMware Inc. All rights reserved.
NSX and vRNI
Ethan Palmer VMware Technical Specialist, VCP5-DCV, [email protected]
Partner Enablement Day – Technical Track
Confidential & Proprietary
Agenda
1 Software-Defined Data Center (SDDC) & Network Virtualization
2 New Security Model – Zero Trust & Micro-Segmentation
3 Micro-segmentation Beyond Application Servers
4 vRealize Network Insight
5 Prospecting Guide
New NSX Offerings: Standard, Advanced & Enterprise
Standard ($1,995/socket): Agility and automation of the network
Advanced ($4,495/socket): Standard, plus a fundamentally more secure data center
Enterprise ($6,995/socket): Advanced, plus networking and security across multiple domains

Feature                                          Standard  Advanced  Enterprise
Distributed switching and routing                   ✓         ✓         ✓
NSX Edge firewall                                   ✓         ✓         ✓
NAT                                                 ✓         ✓         ✓
SW L2 bridging to physical environment              ✓         ✓         ✓
Dynamic routing with ECMP (Active-active)           ✓         ✓         ✓
API-driven automation                               ✓         ✓         ✓
Integration with vRealize and OpenStack             ✓         ✓         ✓
Automation of security policies with vRealize                 ✓         ✓
NSX Edge load balancing                                       ✓         ✓
Distributed firewalling                                       ✓         ✓
Integration with Active Directory                             ✓         ✓
Server activity monitoring                                    ✓         ✓
Service insertion (3rd party integration)                     ✓         ✓
Cross vCenter NSX                                                       ✓
Multi-Site NSX optimizations                                            ✓
VPN (IPSEC and SSL)                                                     ✓
Remote Gateway                                                          ✓
Integration with HW VTEPs                                               ✓ (1)

(1) L2, L3 & NSX Edge Integration Only. No consumption of Security Groups
Detailed Feature List Available here: http://kb.vmware.com/kb/2144586
VMware NSX – Network Virtualization and Security Platform
The Operational Model of a VM for Networking Services
Traffic Patterns in a Typical Datacenter
[Diagram: Internet; North-South and East-West traffic]
Request: We need to deploy a new web application with two tiers.
Network Admin: How do I implement that topology?
[Diagram: Web and App tiers, with numbered provisioning steps]
Provisioning Security Services is Hard
Why are breaches still happening?
Every modern Cyber Security Breach has something in common…
…the attacker, once inside, was able to move freely in the victim's network.
[Diagram: Internet, Data Center Perimeter]
Unconstrained communication: little or no lateral controls inside the perimeter
Low priority systems are targeted first.
Attackers can move freely around the data center.
Attackers then gather and exfiltrate data over weeks or even months.
Agenda
1 Software-Defined Data Center (SDDC) & Network Virtualization
2 New Security Model – Zero Trust & Micro-Segmentation
3 Micro-segmentation Beyond Application Servers
4 vRealize Network Insight
5 Prospecting Guide
VMware NSX - Getting from the Titanic to Nuclear Submarine
http://tinyurl.com/odaqhkg
James Clapper, US Director of National Intelligence, compared today's segmented networks to the Titanic, where bulkheads were supposed to prevent one leak from sinking the ship, but the walls weren’t high enough.
A single breach shouldn’t give attackers access to an entire network infrastructure and a mother lode of proprietary data.
“So we tell the private sector: Don’t let that happen to your data. Make sure a single breach won’t sink your entire company, your entire enterprise.”
[Diagram: Titanic vs. Submarine]
Why can’t we have individual firewalls for every VM?
[Diagram: Internet, Data Center Perimeter]
Physical firewalls: expensive and complex
Virtual firewalls: slow, costly, and complicated
With traditional technology, this is operationally infeasible.
Security is needed everywhere, but we can’t have it everywhere
Goldilocks Zone
Security Today - Trading Off Context and Isolation
[Diagram: SDDC Platform (Data Center Virtualization) between Any Application above and Any x86, Any Storage, Any IP network below]
Traditional Approach: High Isolation / Low Context, or High Context / Low Isolation; No Ubiquitous Enforcement
SDDC Virtualization Layer – Delivers Both Context and Isolation
SDDC Approach: High Context, High Isolation, Ubiquitous Enforcement; Secure Host Introspection
Why SDDC Virtualization Layer is the Security “Goldilocks Zone”
Network & Security Services Now Delivered Closer to the Source: L2 Switching, L3 Routing, Firewalling/ACLs, Load Balancing
VMware NSX - Non-Disruptive Deployment of Distributed Networking Services
VMware NSX - Non-Disruptive Deployment of Distributed Security Services
Agenda
1 Software-Defined Data Center (SDDC) & Network Virtualization
2 New Security Model – Zero Trust & Micro-Segmentation
3 Micro-segmentation Beyond Application Servers
4 vRealize Network Insight
5 Prospecting Guide
A converged infrastructure means virtual desktops run on the same infrastructure as servers
[Diagram: Internet, Data Center Perimeter, East-West traffic]
With VDI your data center has a much larger security surface area
A matrix of policies is needed on centralized, choke-point firewalls for the correct security posture (Finance, HR, Engineering)
VMware NSX Simplifies VDI Networking & Security
[Diagram: Perimeter firewall; DMZ, App, DB, Services (AD, NTP, DHCP, DNS, CERT); Inside firewall; Finance, HR, Engineering]
Each VM can now be its own perimeter
Policies align with logical groups
Prevents threats from spreading
Simplified, programmable, automated application of network/security policy to desktop users/pools
Service-chaining with AV and NGFW partners to deliver automated, policy-integrated AV / malware protection, NGFW, IPS, etc.
VMware NSX – Automating Security Operations
Service Insertion & Chaining
Security policies define automated actions
ATTRIBUTE (if): Virus found; Vulnerability found; “PCI”; Sensitive Data Found
ACTION (then): Allow / Restrict; Restrict access while investigating; OR Monitor VM with IPS; Quarantine VM with Firewall
Security operations are automated and adapt to dynamic conditions
VMware NSX - Network Virtualization & Security Services
Management Plane
Control Plane
Data Plane: Distributed Switching, Routing, Firewall, etc.
Physical workloads and VLANs
Each VM has its own firewall with flexible granularity - entire data center down to the vNIC level
Security is shrink-wrapped around each workload
Faults and threats are contained with micro-granularity
Unit-level trust
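The two preceding slides describe the policy model in the abstract: a firewall at every vNIC, groups defined by workload attributes rather than IP addresses, and an "if attribute, then action" table that reacts when a partner service tags a VM (virus found, vulnerability found, PCI, sensitive data). The following is an added example, not NSX code or the deck's own material, that models those ideas in a few dozen lines of Python. All VM names, tags, group names and rules are constructed for illustration; the point is to show first-match evaluation, default-deny east-west, and a quarantine that takes effect by tagging a workload instead of rewriting rules.

```python
"""Toy model of tag-driven micro-segmentation (added example, not NSX's own
configuration or API). Group membership is computed from VM attributes, so a
dynamic tag such as "virus_found" moves a VM into the quarantine group and the
existing rule table isolates it with no rule changes."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class VM:
    name: str
    tier: str                      # constructed tiers: "web", "app", "db"
    tags: frozenset = frozenset()  # dynamic security tags, e.g. "virus_found"


# A security group is a name plus a membership predicate over VM attributes.
GROUPS = {
    "SG-Quarantine": lambda vm: "virus_found" in vm.tags,
    "SG-Web":        lambda vm: vm.tier == "web",
    "SG-App":        lambda vm: vm.tier == "app",
    "SG-DB":         lambda vm: vm.tier == "db",
    "ANY":           lambda vm: True,
}


def groups_of(vm: VM) -> set:
    """Recompute membership on every lookup so tag changes apply immediately."""
    return {g for g, member in GROUPS.items() if member(vm)}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str             # source security group
    dst: str             # destination security group
    port: Optional[int]  # None matches any port
    action: str          # "allow" or "deny"


# Ordered rule table: first match wins, last rule is the catch-all default deny.
# Quarantine rules sit on top so they override every application allow.
RULES = [
    Rule("quarantine-out", "SG-Quarantine", "ANY", None, "deny"),
    Rule("quarantine-in", "ANY", "SG-Quarantine", None, "deny"),
    Rule("web-to-app", "SG-Web", "SG-App", 8443, "allow"),
    Rule("app-to-db", "SG-App", "SG-DB", 3306, "allow"),
    Rule("default-deny", "ANY", "ANY", None, "deny"),
]


def effective_rules(vm: VM) -> list:
    """The per-vNIC view: only rules whose source or destination includes this VM."""
    mine = groups_of(vm)
    return [r for r in RULES if r.src in mine or r.dst in mine]


def evaluate(src: VM, dst: VM, port: int) -> tuple:
    """Return (action, matching rule name) for one east-west flow."""
    sg, dg = groups_of(src), groups_of(dst)
    for r in RULES:
        if r.src in sg and r.dst in dg and r.port in (None, port):
            return r.action, r.name
    raise AssertionError("rule table must end with a catch-all rule")


def quarantine(vm: VM) -> VM:
    """Simulate a partner AV service attaching the "virus_found" tag."""
    return VM(vm.name, vm.tier, vm.tags | {"virus_found"})


def demo() -> dict:
    """Constructed three-tier app; returns each flow's verdict for inspection."""
    web1, web2 = VM("web1", "web"), VM("web2", "web")
    app1, db1 = VM("app1", "app"), VM("db1", "db")
    results = {
        "web1->app1 8443": evaluate(web1, app1, 8443),   # intended path: allowed
        "web1->web2 445": evaluate(web1, web2, 445),     # peer-to-peer: default deny
        "web1->db1 3306": evaluate(web1, db1, 3306),     # tier skip: default deny
        "app1->db1 3306": evaluate(app1, db1, 3306),     # intended path: allowed
    }
    app1_q = quarantine(app1)                            # dynamic condition changes
    results["quarantined app1->db1 3306"] = evaluate(app1_q, db1, 3306)
    results["web1->quarantined app1 8443"] = evaluate(web1, app1_q, 8443)
    return results


if __name__ == "__main__":
    for flow, (action, rule) in demo().items():
        print(f"{flow:32} {action:5} ({rule})")
```

Running the block shows the same rule table allowing web-to-app and app-to-db on their service ports, denying web-to-web and web-to-db by default, and cutting off app1 in both directions the moment it carries the quarantine tag. `effective_rules` is the equivalent of asking "which rules apply to this VM": for a db VM it yields the two quarantine rules, app-to-db and the default deny, never the web-to-app rule.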
Before and After Network Virtualization
[Chart: % of Asset Utilization over the Transformation]
How to get started?
Intra-data center Micro-Segmentation
Networking Services Abstraction (L2, L3, etc.) and IT Automation
Where can I start?
VMware Hands-On Labs
NSX Install, Configure & Manage
VMware NSX Design Guides
Three levels of certifications: Professional, Implementation Expert, Design Expert
Agenda
1 Software-Defined Data Center (SDDC) & Network Virtualization
2 New Security Model – Zero Trust & Micro-Segmentation
3 Micro-segmentation Beyond Application Servers
4 vRealize Network Insight
5 Prospecting Guide
East-West Traffic Analysis
• East-West Traffic Flow Analysis
• Breakdown of Data Center Traffic by East-West, VM-to-VM, VM-to-Physical, Switched, Routed, etc.
• Get Detailed Flow stats behind each number
Security Policy Automation – Micro-Segmentation
• Discover vCenter and NSX constructs (folders, clusters, VLANs, security tags)
• Automated Security Groupings Based on vCenter and NSX Constructs, Workload Characteristics, Ports, Common Services
• Recommended Security Policies / Firewall Rules (Zero-Trust Model)
• See Network Traffic Per Host, Per VM
• Export as CSV
Security Operations, Audit and Compliance
• Real Time Visibility into Security Group Memberships & Effective Firewall Rules for a VM, between VMs and between VM and Physical
• Datacenter Time Machine - Track Changes for Troubleshooting or Audit
• Compliance Engine with a Simple Google-like Search Interface to Write Policies and Set Alerts
• Instant Alerting Upon Policy Violation and Non Compliance
Visibility Across Overlay And Underlay
NSX Firewall
PANW Virtual FW
PANW Physical
Firewall
Physical Network
Switch, Router
VXLAN
VLAN
Converged
Infrastructure
(Ex: UCS)
Connectivity Graphs
• VM to VM, VM to Physical, VM to Internet
• Hop-by-Hop Path across Overlay (LDRs, Edge Gateways) and Underlay (Physical VDCs & VRFs). See V-To-P Boundary
• Correlated Problems And Performance Metrics Across Virtual and Physical
• See Effective Firewall Rules and Security Policies across NSX and PANW in Service-Chained Environment
Simple & Contextual Search
• Single pane of glass between virtual & physical
• Google-like search for ease of use
• Time aware search (go back in time)
• Fewer clicks to find and identify issues
• Simplified interface, reduce learning curve across admin teams
NSX Infrastructure Monitoring and Best Practices Checks
Configuration, Health and Consistency Validation
• VTEP Level Misconfigurations
• VTEPs – Underlay Mapping Checks
• Netcpa Health
• Hosts Version Validation
• LDR and Edge Config Issues
• Routing Misconfigurations / Issues between LDR, Edge and Physical Routers
Agenda
1 Software-Defined Data Center (SDDC) & Network Virtualization
2 New Security Model – Zero Trust & Micro-Segmentation
3 Micro-segmentation Beyond Application Servers
4 vRealize Network Insight
5 Use Cases / Demo
Better Data Center Networking and Security
Transform the economics of network and security operations by bringing the operational model of a virtual machine to data center networking.
Network: Create, save, delete and restore virtual networks on demand, all without reconfiguring your physical network
Agility: Reduce the time to provision multi-tier networking and security services from weeks to seconds, enable faster deployment and greater agility, and provide the flexibility to run on top of any network hardware
Security: NSX Micro-segmentation brings security inside the data center with automated fine-grain policies tied to the VMs they protect, while securely isolating networks from one another to deliver a better security model
NSX: The Network Virtualization Platform
Bring your leading networking and security solutions into the SDDC, take advantage of tight integration with the NSX platform to automatically deploy third-party products as needed, and adapt dynamically to changing data center conditions
vRealize Network Insight Demo
Thank you!
Ethan Palmer VMware Technical Specialist, VCP5-DCV, [email protected]