
Page 1: NSX and vRNI - Carahsoft… · NSX and vRNI Ethan Palmer VMware Technical Specialist, VCP5-DCV, VCP6-NV 703-230-7542 Ethan.Palmer@Carahsoft.com Partner Enablement Day – Technical Track

© 2014 VMware Inc. All rights reserved.

NSX and vRNI

Ethan Palmer, VMware Technical Specialist, VCP5-DCV, VCP6-NV, 703-230-7542, Ethan.Palmer@Carahsoft.com

Partner Enablement Day – Technical Track

Confidential & Proprietary

Page 2

Agenda

1 Software-Defined Data Center (SDDC) & Network Virtualization

2 New Security Model – Zero Trust & Micro-Segmentation

3 Micro-segmentation Beyond Application Servers

4 vRealize Network Insight

5 Prospecting Guide

Page 3

New NSX Offerings: Standard, Advanced & Enterprise

Edition      Price           Positioning
Standard     $1,995/socket   Agility and automation of the network
Advanced     $4,495/socket   Standard, plus a fundamentally more secure data center
Enterprise   $6,995/socket   Advanced, plus networking and security across multiple domains

Feature                                         Standard   Advanced   Enterprise
Distributed switching and routing               ✓          ✓          ✓
NSX Edge firewall                               ✓          ✓          ✓
NAT                                             ✓          ✓          ✓
SW L2 bridging to physical environment          ✓          ✓          ✓
Dynamic routing with ECMP (Active-active)       ✓          ✓          ✓
API-driven automation                           ✓          ✓          ✓
Integration with vRealize and OpenStack         ✓          ✓          ✓
Automation of security policies with vRealize              ✓          ✓
NSX Edge load balancing                                    ✓          ✓
Distributed firewalling                                    ✓          ✓
Integration with Active Directory                          ✓          ✓
Server activity monitoring                                 ✓          ✓
Service insertion (3rd party integration)                  ✓          ✓
Cross vCenter NSX                                                     ✓
Multi-Site NSX optimizations                                          ✓
VPN (IPSEC and SSL)                                                   ✓
Remote Gateway                                                        ✓
Integration with HW VTEPs                                             ✓

Footnote 1: L2, L3 & NSX Edge Integration Only. No consumption of Security Groups.

Detailed Feature List Available here: http://kb.vmware.com/kb/2144586

Page 4

VMware NSX – Network Virtualization and Security Platform

Page 5

The Operational Model of a VM for Networking Services

(Diagram label: Internet)

Page 6

Traffic Patterns in a Typical Datacenter

(Diagram: North-South and East-West traffic)

Page 7

Provisioning Security Services is Hard

Request: We need to deploy a new web application with two tiers.

Network Admin: How do I implement that topology?

(Diagram: Internet, Web tier and App tier, with the provisioning steps numbered 1 to 9)

Page 8

Why are breaches still happening?

Unconstrained communication: little or no lateral controls inside the perimeter.

Low priority systems are targeted first.

Attackers can move freely around the data center.

Attackers then gather and exfiltrate data over weeks or even months.

(Diagram: Internet, Data Center Perimeter)

Page 9

…the attacker, once inside, was able to move freely in the victim's network.

Every modern Cyber Security Breach has something in common…

Page 10

Agenda

1 Software-Defined Data Center (SDDC) & Network Virtualization

2 New Security Model – Zero Trust & Micro-Segmentation

3 Micro-segmentation Beyond Application Servers

4 vRealize Network Insight

5 Prospecting Guide

Page 11

James Clapper, US Director of National Intelligence, compared today's segmented networks to the Titanic, where bulkheads were supposed to prevent one leak from sinking the ship, but the walls weren't high enough.

A single breach shouldn't give attackers access to an entire network infrastructure and a mother lode of proprietary data.

VMware NSX - Getting from the Titanic to Nuclear Submarine

http://tinyurl.com/odaqhkg

Page 12

“So we tell the private sector: Don’t let that happen to your data. Make sure a single breach won’t sink your entire company, your entire enterprise.”

(Diagram: Titanic vs. Submarine)

VMware NSX - Getting from the Titanic to Nuclear Submarine

Page 13

Why can’t we have individual firewalls for every VM?

Physical firewalls: expensive and complex

Virtual firewalls: slow, costly, and complicated

With traditional technology, this is operationally infeasible.

Security is needed everywhere, but we can’t have it everywhere

(Diagram: Internet, Data Center Perimeter)

Page 14

Goldilocks Zone

Page 15

Security Today - Trading Off Context and Isolation

(Diagram: the Software Defined Data Center (SDDC) stack: Any Application on the SDDC Platform / Data Center Virtualization, running on Any x86, Any Storage, Any IP network)

Traditional Approach: security sits either where there is High Isolation but Low Context, or where there is High Context but Low Isolation; No Ubiquitous Enforcement.

Page 16

SDDC Virtualization Layer – Delivers Both Context and Isolation

(Diagram: the Software Defined Data Center (SDDC) stack: Any Application on the SDDC Platform / Data Center Virtualization, running on Any x86, Any Storage, Any IP network)

SDDC Approach: High Context, High Isolation, Ubiquitous Enforcement, via Secure Host Introspection.

Page 17

Why SDDC Virtualization Layer is the Security “Goldilocks Zone”

(Diagram: the Software Defined Data Center (SDDC) stack: Any Application on the SDDC Platform / Data Center Virtualization, running on Any x86, Any Storage, Any IP network)

Network & Security Services Now Delivered Closer to the Source: L2 Switching, L3 Routing, Firewalling/ACLs, Load Balancing

Page 18

VMware NSX - Non-Disruptive Deployment of Distributed Networking Services

Page 19

VMware NSX - Non-Disruptive Deployment of Distributed Security Services

Page 20

Agenda

1 Software-Defined Data Center (SDDC) & Network Virtualization

2 New Security Model – Zero Trust & Micro-Segmentation

3 Micro-segmentation Beyond Application Servers

4 vRealize Network Insight

5 Prospecting Guide

Page 21

With VDI your data center has a much larger security surface area

A converged infrastructure means virtual desktops run on the same infrastructure as servers

(Diagram: Internet, Data Center Perimeter, East-West traffic)

Page 22

A matrix of policies is needed on centralized, choke-point firewalls for the correct security posture

(Diagram: Finance, HR and Engineering groups)

Page 23

VMware NSX Simplifies VDI Networking & Security

(Diagram: Perimeter firewall and Inside firewall in front of DMZ, App, Services (AD, NTP, DHCP, DNS, CERT) and DB zones; Finance, HR and Engineering desktops)

Each VM can now be its own perimeter

Policies align with logical groups

Prevents threats from spreading

Simplified, programmable, automated application of network/security policy to desktop users/pools

Service-chaining with AV and NGFW partners to deliver automated, policy-integrated AV / malware protection, NGFW, IPS, etc.

Page 24

VMware NSX – Automating Security Operations

Service Insertion & Chaining

Security policies define automated actions

ATTRIBUTE (if):

• Virus found

• Vulnerability found

• “PCI”

• Sensitive Data Found

ACTION (then):

• Allow / Restrict

• Restrict access while investigating OR Monitor VM with IPS

• Quarantine VM with Firewall

Security operations are automated and adapt to dynamic conditions

Page 25

VMware NSX - Network Virtualization & Security Services

(Diagram: Management Plane, Control Plane and Data Plane (Distributed Switching, Routing, Firewall, etc.), alongside physical workloads and VLANs)

Each VM has its own firewall with flexible granularity - entire data center down to the vNIC level

Security is shrink-wrapped around each workload

Faults and threats are contained with micro-granularity

Unit-level trust
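To make the two preceding slides concrete (attribute-driven automated actions, and a per-VM firewall enforcing unit-level trust), here is an added example that is not NSX code and does not use NSX's rule syntax: the tag names, group names, ports and rule table are all constructed. It models security groups defined by tag predicates, an ordered distributed-firewall rule table closed by a zero-trust default deny, and a partner engine tagging a VM so that it drops into a quarantine group with no rule edits at all.

```python
"""Tag-driven micro-segmentation, modelled in plain Python.

Constructed example (not NSX code or its rule syntax): VMs carry security
tags, security groups are defined by tag predicates, and a distributed
firewall evaluates an ordered rule table per flow with a final default deny.
A partner AV engine tagging a VM 'virus.found' (hypothetical tag name) moves
it into a quarantine group, so the quarantine rules apply without editing
any rule.
"""
from dataclasses import dataclass, field


@dataclass
class VM:
    name: str
    tags: set = field(default_factory=set)


# Security groups: name -> membership predicate over a VM's tags (constructed).
GROUPS = {
    "quarantine": lambda vm: "virus.found" in vm.tags,
    "web": lambda vm: "tier.web" in vm.tags,
    "app": lambda vm: "tier.app" in vm.tags,
    "db": lambda vm: "tier.db" in vm.tags,
}


def groups_of(vm):
    """Effective security-group membership, recomputed from tags on demand."""
    return {g for g, pred in GROUPS.items() if pred(vm)}


@dataclass
class Rule:
    name: str
    src: str        # security group name or "any"
    dst: str        # security group name or "any"
    ports: set      # destination TCP ports, or {"any"}
    action: str     # "allow" or "deny"


# Ordered rule table, first match wins. Quarantine rules sit above the
# application rules so a quarantined VM loses all connectivity; the last
# rule is the zero-trust default deny for anything not explicitly allowed.
RULES = [
    Rule("quarantine-in", "any", "quarantine", {"any"}, "deny"),
    Rule("quarantine-out", "quarantine", "any", {"any"}, "deny"),
    Rule("web-to-app", "web", "app", {8443}, "allow"),
    Rule("app-to-db", "app", "db", {3306}, "allow"),
    Rule("default-deny", "any", "any", {"any"}, "deny"),
]


def matches(rule, src_groups, dst_groups, port):
    src_ok = rule.src == "any" or rule.src in src_groups
    dst_ok = rule.dst == "any" or rule.dst in dst_groups
    port_ok = "any" in rule.ports or port in rule.ports
    return src_ok and dst_ok and port_ok


def evaluate(src_vm, dst_vm, port):
    """Per-vNIC decision: returns (action, matching rule name)."""
    src_groups, dst_groups = groups_of(src_vm), groups_of(dst_vm)
    for rule in RULES:
        if matches(rule, src_groups, dst_groups, port):
            return rule.action, rule.name
    return "deny", "implicit"   # unreachable while default-deny is last


def on_tag_event(vm, tag):
    """Service-insertion callback: a partner engine applies a tag and the
    VM's effective groups (and therefore its rules) change immediately."""
    vm.tags.add(tag)
    return groups_of(vm)


def run_demo():
    """Constructed walkthrough: three-tier app, then app-01 gets tagged."""
    web = VM("web-01", {"tier.web"})
    app = VM("app-01", {"tier.app"})
    db = VM("db-01", {"tier.db"})
    before = {
        "web->app:8443": evaluate(web, app, 8443),
        "web->db:3306": evaluate(web, db, 3306),   # no rule: default deny
        "app->db:3306": evaluate(app, db, 3306),
        "app->db:22": evaluate(app, db, 22),       # port not allowed
    }
    on_tag_event(app, "virus.found")               # AV engine flags app-01
    after = {
        "web->app:8443": evaluate(web, app, 8443),
        "app->db:3306": evaluate(app, db, 3306),
    }
    return before, after


if __name__ == "__main__":
    for phase, results in zip(("before", "after"), run_demo()):
        for flow, decision in results.items():
            print(f"{phase:6} {flow:15} -> {decision}")
```

Running the module prints the before and after decisions. The design point is that the quarantine rules sit above the application rules and match on group membership, so a tag applied by the AV engine changes the VM's effective policy without anyone touching the rule table; that is what lets security operations react to dynamic conditions.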

Page 26

Before and After Network Virtualization

(Chart: % of Asset Utilization before and after the transformation)

Page 27

How to get started?

Intra-data center Micro-Segmentation

Networking Services Abstraction (L2, L3, etc.) and IT Automation

Where can I start?

VMware Hands-On Labs

NSX Install, Configure & Manage

VMware NSX Design Guides

Three levels of certifications: Professional, Implementation Expert, Design Expert

Page 28

Agenda

1 Software-Defined Data Center (SDDC) & Network Virtualization

2 New Security Model – Zero Trust & Micro-Segmentation

3 Micro-segmentation Beyond Application Servers

4 vRealize Network Insight

5 Prospecting Guide

Page 29

East-West Traffic Analysis

• East-West Traffic Flow Analysis

• Breakdown of Data Center Traffic by East-West, VM-to-VM, VM-to-Physical, Switched, Routed, etc.

• Get Detailed Flow stats behind each number

Page 30

Security Policy Automation – Micro-Segmentation

• Discover vCenter and NSX constructs (folders, clusters, VLANs, security tags)

• Automated Security Groupings Based on vCenter and NSX Constructs, Workload Characteristics, Ports, Common Services

• Recommended Security Policies / Firewall Rules (Zero-Trust Model)

• See Network Traffic Per Host, Per VM

• Export as CSV
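As an added example of the flow analysis and rule recommendation the two preceding slides describe (this is not vRNI's code; the inventory, the 10.0.0.0/16 data-center prefix and the flow records are constructed, and 203.0.113.0/24 is documentation address space), the script below classifies flows as north-south or east-west, splits east-west into VM-to-VM and VM-to-physical, totals bytes per class, and turns repeated east-west group-to-group flows into an allow list closed by a default deny. Pairs observed only once are set aside for review rather than turned into rules, which is the check a practitioner wants before trusting a generated zero-trust policy.

```python
"""Flow analysis and allow-list recommendation, modelled in plain Python.

Constructed example, not vRNI code: the inventory, data-center prefix and
flow records below are made up. It classifies each flow as north-south or
east-west (VM-to-VM or VM-to-physical), totals bytes per class, and derives
recommended allow rules per (source group, destination group, port, proto)
from repeated east-west flows, closing with a default deny. Pairs seen only
once are set aside for review rather than turned into rules.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed inventory: IP -> (VM name, or None for a physical host; group)
INVENTORY = {
    "10.0.1.10": ("web-01", "web"),
    "10.0.1.11": ("web-02", "web"),
    "10.0.2.10": ("app-01", "app"),
    "10.0.3.10": ("db-01", "db"),
    "10.0.9.5": (None, "physical-backup"),
}
DC_PREFIXES = [ip_network("10.0.0.0/16")]

# Constructed flow records: (src_ip, dst_ip, dst_port, proto, bytes)
FLOWS = [
    ("203.0.113.7", "10.0.1.10", 443, "tcp", 120_000),
    ("203.0.113.8", "10.0.1.11", 443, "tcp", 98_000),
    ("10.0.1.10", "10.0.2.10", 8443, "tcp", 40_000),
    ("10.0.1.11", "10.0.2.10", 8443, "tcp", 35_000),
    ("10.0.2.10", "10.0.3.10", 3306, "tcp", 250_000),
    ("10.0.2.10", "10.0.3.10", 3306, "tcp", 180_000),
    ("10.0.3.10", "10.0.9.5", 873, "tcp", 9_000_000),
    ("10.0.1.10", "10.0.3.10", 3306, "tcp", 1_200),  # web reaching db directly
]


def in_dc(ip):
    addr = ip_address(ip)
    return any(addr in prefix for prefix in DC_PREFIXES)


def classify(flow):
    """north-south if either end is outside the DC, else east-west split by
    whether both ends are VMs in the inventory."""
    src, dst = flow[0], flow[1]
    if not (in_dc(src) and in_dc(dst)):
        return "north-south"
    src_vm = INVENTORY.get(src, (None, None))[0]
    dst_vm = INVENTORY.get(dst, (None, None))[0]
    if src_vm and dst_vm:
        return "east-west/vm-to-vm"
    return "east-west/vm-to-physical"


def traffic_breakdown(flows=FLOWS):
    """Bytes per traffic class: the 'breakdown of data center traffic'."""
    totals = Counter()
    for flow in flows:
        totals[classify(flow)] += flow[4]
    return dict(totals)


def group_of(ip):
    if ip in INVENTORY:
        return INVENTORY[ip][1]
    return "unknown-dc" if in_dc(ip) else "internet"


def recommend_rules(flows=FLOWS, min_flows=2):
    """Allow-list proposal for east-west traffic plus a closing default deny.
    Returns (rules, review): pairs observed fewer than min_flows times go
    to review, since one flow may be an anomaly rather than a dependency."""
    seen = Counter()
    for flow in flows:
        if classify(flow).startswith("east-west"):
            src, dst, port, proto, _ = flow
            seen[(group_of(src), group_of(dst), port, proto)] += 1
    rules, review = [], []
    for (src_g, dst_g, port, proto), count in sorted(seen.items()):
        entry = {"src": src_g, "dst": dst_g, "port": port, "proto": proto,
                 "action": "allow", "flows": count}
        (rules if count >= min_flows else review).append(entry)
    rules.append({"src": "any", "dst": "any", "port": "any", "proto": "any",
                  "action": "deny", "flows": 0})
    return rules, review


if __name__ == "__main__":
    for cls, total in traffic_breakdown().items():
        print(f"{cls:26} {total:>10} bytes")
    proposed, to_review = recommend_rules()
    for r in proposed:
        print("rule  ", r)
    for r in to_review:
        print("review", r)
```

With the constructed records, the single web-to-db flow on 3306 lands in the review list instead of becoming an allow rule; that is the intended behaviour, because a generated allow list should reflect repeated, expected dependencies, and a one-off flow between tiers that should not talk is exactly what a reviewer needs to look at.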

Page 31

Security Operations, Audit and Compliance

• Real Time Visibility into Security Group Memberships & Effective Firewall Rules for a VM, between VMs and between VM and Physical

• Datacenter Time Machine - Track Changes for Troubleshooting or Audit

• Compliance Engine with a Simple Google-like Search Interface to Write Policies and Set Alerts

• Instant Alerting Upon Policy Violation and Non Compliance

Page 32

Visibility Across Overlay And Underlay

(Diagram: NSX Firewall, PANW Virtual FW and PANW Physical Firewall over VXLAN and VLAN, Physical Network (Switch, Router) and Converged Infrastructure (Ex: UCS))

Connectivity Graphs

• VM to VM, VM to Physical, VM to Internet

• Hop-by-Hop Path across Overlay (LDRs, Edge Gateways) and Underlay (Physical VDCs & VRFs). See V-To-P Boundary

• Correlated Problems And Performance Metrics Across Virtual and Physical

• See Effective Firewall Rules and Security Policies across NSX and PANW in Service-Chained Environment

Page 33

Simple & Contextual Search

• Single pane of glass between virtual & physical

• Google-like search for ease of use

• Time aware search (go back in time)

• Fewer clicks to find and identify issues

• Simplified interface, reduce learning curve across admin teams

(Screenshot: search prompt “Hi Peter, what do you need help with today?”)

Page 34

NSX Infrastructure Monitoring and Best Practices Checks

Configuration, Health and Consistency Validation

• VTEP Level Misconfigurations

• VTEPS – Underlay Mapping Checks

• Netcpa Health

• Hosts Version Validation

• LDR and Edge Config Issues

• Routing Misconfigurations / Issues between LDR, Edge and Physical Routers

Page 35

Agenda

1 Software-Defined Data Center (SDDC) & Network Virtualization

2 New Security Model – Zero Trust & Micro-Segmentation

3 Micro-segmentation Beyond Application Servers

4 vRealize Network Insight

5 Use Cases / Demo

Page 36

Better Data Center Networking and Security

Transform the economics of network and security operations by bringing the operational model of a virtual machine to data center networking.

Network: Create, save, delete and restore virtual networks on demand, all without reconfiguring your physical network

Agility: Reduce the time to provision multi-tier networking and security services from weeks to seconds, enable faster deployment and greater agility, and provide the flexibility to run on top of any network hardware

Security: NSX Micro-segmentation brings security inside the data center with automated fine-grain policies tied to the VMs they protect, while securely isolating networks from one another to deliver a better security model

NSX: The Network Virtualization Platform: Bring your leading networking and security solutions into the SDDC, take advantage of tight integration with the NSX platform to automatically deploy third-party products as needed, and adapt dynamically to changing data center conditions

Page 37

vRealize Network Insight Demo

Page 38

Thank you!

Ethan Palmer, VMware Technical Specialist, VCP5-DCV, VCP6-NV, 703-230-7542, Ethan.Palmer@Carahsoft.com