Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Transcription

1 ADV1587BU NSX + Horizon: A Security Architecture for Delivering Desktops and Applications with VMware Wade Holmes Graeme Gordon VMworld 2017 Content: Not for publication #VMworld #ADV1587BU

2 Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitment from VMware to deliver these features in any generally available product. Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind. Technical feasibility and market demand will affect final delivery. Pricing and packaging for any new technologies or features discussed or presented have not been determined. #ADV1587BU CONFIDENTIAL 2

3 Agenda 1 Today s Landscape 2 How Horizon Can Help 3 Why NSX? 4 Protecting Infrastructure 5 Identify Based Firewall 6 Getting Started #ADV1587BU CONFIDENTIAL 3

4 Attacks and Attackers Have Become More Sophisticated Organized crime VMworld 2017 Content: Not for Insiders publication Cyber terrorists/ hacktivists Nation states ADVANCED PERSISTENT THREATS WEAPONIZATION OF CYBERSPACE #ADV1587BU CONFIDENTIAL 4

5 How Can Horizon Help?

6 Secure Desktops, Apps and Data with Horizon 7 Access & Authentication Network Security Centrally Delivered & Controlled VMworld 2017 Just-in-Time Desktops Content: Not for publication App Lifecycle Management Profile & Smart Policies #ADV1587BU CONFIDENTIAL 7

7 Data Centralization Collapse Branch Infrastructure File servers, servers, application servers. Data Sharing Reduce data replication Lower risk of out of date data being used in error. Data Backup (and recovery) Simplified by being centralized Enabled more advanced DR strategies ediscovery Eases auditing effort Proactive Response to Security Incidents Simplified and consistent patching #ADV1587BU CONFIDENTIAL 9

8 Just-in-Time Desktops With innovative technologies like Instant Clones, User Environment Management and App Volumes - Horizon ensures that IT can streamline desktop and application management like never before, providing employees with truly stateless desktops. or Drive Down Storage Costs by >30% Deliver Apps Instantly distribution Streamline OpEX by >50% #ADV1587BU CONFIDENTIAL 11

9 OS and Application Patching in the Physical World Risk of Configuration Drift Ensure that all desktops receive proper patches Assessment Which patches are needed on which systems? 32-bit vs. 64-bit? Microsoft vs. third party, etc.? Scheduling When will patches be deployed to each system? Deployment Ensure that each system receives the proper set of patches and that they are properly executed. Reboot Many patch deployments require reboots. Rescan Reassess the machines post-reboot to make sure they were fully patched. #ADV1587BU CONFIDENTIAL 12

10 OS and Application Patching with Horizon 7 Controlled and Consistent Patch the Master VM and update the pool. All desktops are in known state. Patch level controlled by Admin Can include the latest anti-malware definitions. Can include application updates/ patches Can restore pool to a last good state as well as remediation in case of Malware. Master VM 2 1 Datastore 1 Replica 1 Replica Desktops #ADV1587BU CONFIDENTIAL 13

11 App Volumes Managed Application Containers Data / Files Applications Settings AppStack AppStack Writable Volume App Volumes Agent OS OS Traditional Just-in-Time App Model #ADV1587BU CONFIDENTIAL 14

12 Smart Policies Overview Customize desktop features Features include: Clipboard Cut/Paste Client Drive Redirection USB Printing Bandwidth Profile Conditional policies based on: User Identity Location Pool Name etc. VMworld 2017 Benefits Secures the desktop or application based on the user s identity or location. Re-evaluate conditions during the session. Streamlined desktop experience a single desktop image can be easily customized based on flexible policies. Content: Not for publication #ADV1587BU CONFIDENTIAL 15

13 Unified Access Gateway Provides secure remote access for users to access: Various edge services. Resources within the corporate network. Deployed in DMZ or Cloud tenants Hardened appliance running SLES 12 Linux Compliance and certifications (FIPS/ CC) DMZ Authentication Smart Card Support Certificate SAML Pass-Thru support RADIUS / SecurID Support Supports multiple use cases: Horizon Reverse Proxy (Identity Manager) VMware Tunnel (Per App Tunnel & Proxy services) Identity Bridging Content Gateway (upcoming release) #ADV1587BU CONFIDENTIAL 16

14 NSX and Horizon

15 Traditional Client Computing Traffic is only North-South Networking is simple and only north-south. Threat pattern is north-south. Straightforward protection scenario. Security via DMZ zones at the edge. Data at Rest is the primary concern Mission-critical data on endpoint local storage. Common motivator for desktop virtualization. Organizations implement desktop virtualization to: VMworld 2017 Content: Not for Optimize Compute and Storage resources. Secure data at rest (moved to data center). Exert better control over north-south threats Data Center publication #ADV1587BU CONFIDENTIAL 18

16 Desktop & Application Virtualization Benefits Desktop and App virtualization places O/S, Applications and Data in the data center WWW WWW Other Users Virtual Desktop SAP, Oracle Exchange, etc. Enterprise Storage Avoid loss of data sitting on devices (device loss, theft, damage) Unauthorized access to sensitive applications installed on devices Reduced branch infrastructure footprint (file/print/ servers etc.) Conducive to efficient, centralized backup Centralized patching against vulnerabilities #ADV1587BU CONFIDENTIAL 19

17 Current Challenges in the Data Center Large attack surface within the data center Multiple, discrete east-west flows between desktops and infrastructure Data Center WWW EAST VMworld 2017 Other Users Virtual Desktop WEST SAP, Oracle Exchange, etc. Enterprise Storage User behaviors Zero-day threats Compromised internet websites Content: Not for publication Desktop-to-desktop hacking Desktop-to-server hacking #ADV1587BU CONFIDENTIAL 20

18 Securing East-West within VDI Environments Organizations with focus on compliancy and risk mitigation will implement security zones to protect East-West flows within the data center. Hard to implement Lots of physical infrastructure required Complex to manage VMworld 2017 PCI Zone Remote workforce Zone Shared svcs DB Zone Corp Zone Dev Zone Eng Zone Centralized Virtual Desktops Content: Not for publication DMZ Admin Zone Financial Zone #ADV1587BU CONFIDENTIAL 21

19 Traditional Networking & Security is complex! Internet DMZ Remote workforce Zone Shared svcs DB Zone Centralized Virtual Desktops Corp Zone Dev Zone Eng Zone Internal Networks PCI Zone Admin Zone Financial Zone #ADV1587BU CONFIDENTIAL 22

20 More Efficient Firewalls with NSX East-West Firewalling / Same host East-West Firewalling / Host to host Before NSX With NSX Before NSX Distributed Virtual Firewall Nexus 7000 Nexus 7000 UCS Fabric A UCS Fabric B UCS Blade 1 vswitch UCS Fabric A UCS Blade 1 NSX vswitch UCS Fabric B Nexus 7000 vswitch vswitch With NSX Distributed Virtual Firewall Nexus 7000 UCS Fabric A UCS Fabric B UCS Fabric A UCS Fabric B UCS Blade 1 UCS Blade 2 UCS Blade 1 UCS Blade 2 NSX vswitch 6 wire hops 0 wire hops 6 wire hops Fewer hops, more efficient and precise VM networking 2 wire hops #ADV1587BU CONFIDENTIAL 23

21 NSX for Horizon VDI Deployment Micro-segmentation Edge Services Network Virtualization Internal Developer Pool External Developer Pool Desktop to Desktop control Desktop to Enterprise App control Security Services e.g. Agentless AV, NGFW, IPS Load balancing, Edge firewall NAT VPN Horizon Infra Internal Developer Network External Developer Network Allows for elasticity and agility to spin up/down new pools or expand existing #ADV1587BU CONFIDENTIAL 24

22 Segmentation of a Horizon Environment Protecting Horizon Infrastructure Horizon Components (Connection Servers, Unified Access Gateway, View Composer, vcenter) External world to Horizon components control VMworld 2017 Access control between various Horizon components Protecting Desktop Pools Internal Developer Pool External Developer Pool Desktop to Desktop control Desktop to Enterprise App control 3 rd party Security Services e.g. Agentless AV, NGFW, IPS User based access control. Web Internal Developer Pool Content: Not for publication App 3 Tier Enterprise App Identity Firewall (IDFW) AD Group Based #ADV1587BU CONFIDENTIAL 25 DB

23 Protecting Infrastructure

24 VMware Horizon Architecture Overview SaaS, Mobile Apps VMware Identity Manager User Workspace Virtualized Apps (ThinApps) Unified Access Gateways Windows 10 Instant Clone VMware Horizon View Linux Clone Horizon Connection Servers Virtual Desktop Pools Windows 10 3D Desktop View Composer Hosted RDS Desktops & Apps Horizon Clients Applications (VMware App Volumes) User Environment IT Settings User Profile Core Infrastructure vrealize Operations for Horizon vcenter Server Database (SQL) Active Directory VMware vsphere + NSX + VSAN #ADV1587BU CONFIDENTIAL 27

25 #ADV1587BU CONFIDENTIAL 28

26 Easy Service Definition #ADV1587BU CONFIDENTIAL 29

27 Micro-Segmentation Sample Configuration Infrastructure Rules Desktop and Application Rules #ADV1587BU CONFIDENTIAL 30

28 Identity Based Firewall Policy driven micro-segmentation of the user

29 VMware NSX Identity Based Firewall Rules (IDFW) DFW offers Identity Based Firewall (IDFW) functionalities: Specific AD security groups of users can be used to create DFW rules DFW rules are defined based on Active Directory (AD) membership (e.g. doctors or surgeons group): Define a NSX Security Group that contains an AD security group and apply it as the source of the DFW policy rule Users can use physical or virtual systems that have been joined to the AD Domain as the source Destination system must be a VM. Policy Rule: Source Destination Service Action Doctors (security group) Patient Record Servers Any Allow Any Any Any Deny #ADV1587BU CONFIDENTIAL 32

30 VMware NSX Identity Based Firewall Rules & EUC Before NSX All Desktops on a VLAN can communicate freely. Once one Desktop is compromised, lateral movement cannot be restricted. With NSX Micro-segmentation can granularly control desktops even on shared VLAN. User/Group based Access Control Control VDI to Apps access using NGFW redirection when needed. VMworld 2017 Files HR Finance SharePoint Network Content: Not for publication Bob (HR) Human Resources Jennifer (Finance) Finance #ADV1587BU CONFIDENTIAL 33

31 Secure Just in Time Desktops Sales Admin Developer Stateless desktop Single Pool Role-Based Desktop Creation & Customization Sales Developer Sales Sales Developer Developer Sales Dev. Sales desktop Developer desktop Admin Network Policy from NSX Admin Admin Application Layers from App Volumes Admin Personalization from UEM Admin desktop #ADV1587BU CONFIDENTIAL 34

32 AirWatch Per-App VPN and VMware NSX Device Level VPN App Level VPN App Level VPN Micro Segmentation #ADV1587BU CONFIDENTIAL 35

33 Load Balancing Infrastructure

34 VMware NSX ESG Integrated North South Network Services DDI. Firewall Load Balancer VPN Routing/NAT DHCP/DNS relay VMworld 2017 VM VM VM VM VM Overview Integrated L3 L7 services Virtual appliance model to provide rapid deployment and scale-out Benefits Content: Not for publication Real time service instantiation Support for dynamic services per tenant/application Uses x86 compute capacity #ADV1587BU CONFIDENTIAL 37

35 VMware NSX ESG Load Balancer CS1 CS2 CS3 VMworld 2017 Features UDP, TCP, FTP, HTTP, HTTPS with Stateful HA Multiple Virtual IPs each with separate server pool and configurations Multiple load balancing algorithms Multiple Session Persistence methods Configurable health checks Application Rules SSL Termination with Certificate Management Transparent/Full Proxy Mode IPv6 Support Content: Not for publication Use Cases Per Tenant LB Dynamic VIP for VDI Management #ADV1587BU CONFIDENTIAL 38

36 Connection Servers Load Balancing and External Access External DNS: horizon.domain.com External Users External Load Balancer UAG1 uag1.domain.com UAG2 uag2.domain.com DMZ Internal Users Internal Load Balancer INTERNAL Connection Server 1 horizon1.domain.com Connection Server 2 horizon2.domain.com Internal DNS: horizon.domain.com When resolving horizon.domain.com External Clients get All internal components and clients use #ADV1587BU CONFIDENTIAL 39

37 Partner Integration AV, Endpoint Monitoring

38 Optimized Performance for VDI Environments ESXi SAN Management Network Usage Scan Speed CPU/Memory Usage IOPS Storage #ADV1587BU CONFIDENTIAL 41

39 Optimized Performance for VDI Environments ESXi SAN Scan Cache VMworld 2017 Up to 20X Faster* Full Scans Up to 5X Faster Real-time Scans Content: Not for publication Up to 2X Faster VDI Login Up to 30% More VM density #ADV1587BU CONFIDENTIAL 42

40 NSX Service Insertion and Chaining for VDI Traffic exits guest VM and reaches DFW for processing. If action is set to permit, DFW will forward traffic to filtering module. If the Filtering module allows the traffic to be redirected then, Traffic redirection steers traffic to partner services VM/s Permitted traffic processed by partner services VM is sent to destination. VMworld 2017 Slot 2 Slot 4 vcenter Guest VM DFW Filtering module Partner console Partner services VM Content: Not for publication Distributed Switch (vds) External network #ADV1587BU CONFIDENTIAL 43

41 Example: NSX Service Composer & Third-Party Service Insertion Quarantine Vulnerable Systems until Remediated Policy Definition Standard Policy Anti-Virus Scan Quarantined Policy Firewall Block all except security tools Anti-Virus Scan and remediate Security Group = Standard VMworld 2017 Security Group = Quarantine Members = {Tag = ANTI_VIRUS.VirusFound } Content: Not for publication #ADV1587BU CONFIDENTIAL 44

42 Getting Started First Steps and Resources

43 Horizon + NSX: Benefits Fast and Simple VDI Networking Create, change and manage security policies across all of your virtual desktops with a few easy clicks Automated Policy Provisioning Set policies once, dynamically following users, independent of the network underneath Platform for Advanced Security Comprehensive security from endpoint to desktop, based on user role, protecting O/S, , browser and more NSX for Horizon Delivers Fast, Easy and Extensible Security That Protects Against: User Behaviors Zero-day Threats Compromised Websites Desktop-to-desktop Hacks Desktop-to-server Hacks #ADV1587BU CONFIDENTIAL 46

44 Protecting Horizon with NSX in Simple Steps Install Deploy NSX Manager Appliance Prepare Hosts (Install VIB) Configure Add key VMs to Exclusion List (vcenter VMs) Create and Group Services Create Security Groups Build Distributed Firewall Rules Test #ADV1587BU CONFIDENTIAL 47

45 Achieving Micro-segmentation in Real World Prepare Security Fabric Prepare Hosts for Security Optional: Deploy Security Vendor Management Consoles for advanced services Optional: Deploy security vendor appliances. Monitor Flows Brownfield: Leverage existing knowledge from Perimeter firewalls Use NSX Built-In Application Rule Manager, Flow Monitoring, IPFIX tools Use vrealize Network Insight to analyze traffic flows Integrate VMware Log Insight to analyze syslogs. Determine Policy Model Identify patterns with flows Determine a policy model based on the patterns. Apply Policy Model Determine approach : Firewall Rule Table or Service Composer Policy Model Based on the Policy Model Create grouping models Write Security Policy 48

46 Resources for Starting with NSX Learn Connect & Engage communities.vmware.com NSX Product Page & Technical Resources vmware.com/products/nsx Network Virtualization Blog blogs.vmware.com/networkvirtualization VMware NSX on YouTube youtube.com/user/vmwarensx Design Guide Use VMware NSX for vsphere End-User Computing Design Guide NSX Proactive Support Service Optimize performance based on data monitoring and analytics to help resolve problems, mitigate risk and improve operational efficiency. vmware.com/consulting Experience Take NSX Sessions Spotlights, breakouts, quick talks & group discussions Visit the VMware Booth Use case demos, chat with NSX experts Visit NSX Technical Partner Booths Integration demos Test Drive NSX with free Hands-on Labs Expert-led or Self-paced. labs.hol.vmware.com Training and Certification Several paths to professional certifications. Learn more at the Education & Certification Lounge. vmware.com/go/nsxtraining #ADV1587BU CONFIDENTIAL 50

47

48

49