Network Virtualization Business Case


SESSION ID: GPS2-R01
Network Virtualization Business Case
Arup Deb, Virtual Networking & Security, VMware NSBU, adeb@vmware.com

I. Data center security today
"Don't hate the player, hate the game" - Ice T, Rapper

The pressure on security
(Figure: the application provisioning workflow, with the steps New App Requested, Provision VM, Provision Network, Policies are Set, Security Services Configured, Security Mapped to Network, App Deployed, Change Happens.)

Impressive rates of DC change
(Figure: rate of change in the data center, plotted for 2000, 2002, 2008, 2009, 2010, 2011, 2012 and 2015.)

Everything works well on day one
Day 1: the Finance application requests provisioning of an SQL database server. Database policy assumptions are: no confidential information, no personal privacy information, vanilla DB policies.
Day 2: sensitive data (for example 555-55-5555) is added to the new database VM. Now what?
(Figure: data center behind a perimeter firewall with DMZ/Web, App and DB tiers.)

Current security architecture
Converged infrastructure, running on data center compute resources and vSphere hypervisors.
(Figure: Client, Internet, Perimeter FW, Internal FW, IPS, A/V, end-user computing/desktops, application infrastructure, DMZ with Internet-facing servers: Web, E-mail, DNS, VDI etc., other server security.)

Why do breaches still occur?
Today's data centers are protected by strong perimeter defense. But threats and exploits still infect servers. Low-priority systems are often the target. Threats can lie dormant, waiting for the right moment to strike. Attacks spread inside the data center, where internal controls are often weak. Critical systems are targeted. Server-to-server traffic growth has outpaced client-server traffic. The attack spreads and goes unnoticed. Possibly after months of reconnaissance, the infiltration relays secret data to the attacker.

Breaches still occur because of perimeter-focused security
Perimeter-centric network security has proven insufficient:
- Insufficient: little or no lateral controls inside the perimeter
- Status quo (do nothing): inside of the data center left unprotected, high risk of security breaches
- Reactive clean-up: look at Sony Pictures
- Costly: Target's recent breach cost hundreds of millions of dollars

Ideally, every app would have dedicated resources

Not practical with three-tier consolidated application infrastructure (Web, App, DB tiers)

Manageability necessitates grouping
(Figure: security zones built from VLANs, with example hosts 192.168.10.4, 192.168.10.12, 192.168.20.6 and 192.168.20.11.)

Other alternatives used today to try to reduce breaches...
There are a few other available options today to improve internal data center security. Both have their own challenges and ultimately are not operationally feasible. Adding more internal security requires placing more firewalls across workloads.
Physical firewalls:
- Cost prohibitive: thousands of firewalls needed (1 per VM)
- Complex configuration: security policies restricted by network topology
- Inefficient choke-point firewalling
- Impractical to build lateral coverage
Virtual firewalls:
- Similar to physical firewalls, only slower performance
- No micro-segmentation
- Limited central management
- Costly and complicated

Firewall inefficiencies today
(Figure: east-west firewalling on the same host and host to host, with traffic going out through UCS Fabric A/B to a Nexus 7000 and back to the UCS blade vSwitches: 6 wire hops in both cases.)
Traditional firewall challenges:
- Inefficient network design: physical firewalls are choke points in the network, and VM-to-VM traffic must hairpin out to the physical firewall
- Security policies tied to network topology slow deployment

Architectural considerations
- Switching capacity in the core needs to address host and VM capacity.
- Firewall and load balancer capacity needs to grow to address added VMs and application tiers.
- Networking functions are performed in the core (top-of-rack or core switch).

Virtual networking approach: automated operational model
Network and security services are now in the hypervisor.
(Figure: Applications on top of Virtual Machines, Virtual Networks and Virtual Storage, provided by data center virtualization software (load balancing, L3 routing, L2 switching, firewalling/ACLs) over pooled compute, network and storage capacity on hardware.)
- Pooled compute, network and storage capacity
- Vendor independent, best price/performance
- Simplified configuration and management
- Location independence

Delivering better security and making micro-segmentation operationally feasible
Hypervisor-based, in-kernel distributed firewalling:
- High throughput rates on a per-hypervisor basis
- Every hypervisor adds additional east-west firewalling capacity
Platform-based automation:
- Automated provisioning and workload adds/moves/changes
- Accurate firewall policies follow workloads as they move

A micro-segmentation approach
Today data center security relies on perimeter defense: lower cost and operationally familiar, but ultimately insufficient.
Micro-segmentation enables security that follows the VM. Security can be applied per workload, not just inside the perimeter:
1. Isolation and segmentation
2. Unit-level trust / least privilege
3. Ubiquity and centralized control

Micro-segmentation in detail
Isolation:
- No communication path between unrelated networks
- No cross-talk between networks
- Overlay technology assures networks are separated by default
Segmentation:
- Controlled communication path within a single network
- Fine-grained enforcement of security
- Security policies based on logical groupings of VMs
Advanced services:
- Addition of 3rd-party security, as needed by policy
- Multivendor solutions
- Dynamic addition of security to adapt to changing conditions

Micro-segmentation simplifies network security
(Figure: perimeter firewall, inside firewall, DMZ, Finance/HR/Engineering groups with App and DB tiers, and shared services AD, NTP, DHCP, DNS, CERT.)
- Each VM can now be its own perimeter
- Policies align with logical groups
- Prevents threats from spreading
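The slides above describe policy that aligns with logical groups rather than with IP addresses or VLANs, a default-deny posture between unrelated groups, and each VM acting as its own perimeter. The following is an added example (not code from the presentation or from any VMware product) that models that idea as a small policy evaluator: a constructed inventory maps VMs to groups, rules are written purely in group terms, and a few constructed east-west flow records are audited against them. All names, addresses, ports and rules are made up for the illustration.

```python
"""Group-based east-west policy check (added example, not from the presentation).

Firewall policy is expressed in terms of logical groups, not addresses; any
flow between groups that no rule explicitly allows is denied, so a tier skip
(web straight to db) or cross-application lateral movement (finance db to hr db)
is blocked even though both endpoints sit on the same VLAN.
All VM names, groups, rules and flow records below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed inventory: VM name -> (IP address, logical groups)
INVENTORY: Dict[str, Tuple[str, FrozenSet[str]]] = {
    "web-01":   ("192.168.10.4",  frozenset({"web", "finance-app"})),
    "app-01":   ("192.168.10.12", frozenset({"app", "finance-app"})),
    "db-01":    ("192.168.20.6",  frozenset({"db", "finance-app"})),
    "hr-db-01": ("192.168.20.11", frozenset({"db", "hr-app"})),
    "dns-01":   ("192.168.30.2",  frozenset({"shared-services"})),
}


@dataclass(frozen=True)
class Rule:
    src_group: str
    dst_group: str
    dst_port: Optional[int]   # None matches any port
    action: str               # "allow" or "deny"


# Constructed policy, written only in group terms. Rules are evaluated top to
# bottom, first match wins, and the implicit last rule is deny.
POLICY: List[Rule] = [
    Rule("web", "app", 8080, "allow"),
    Rule("app", "db", 3306, "allow"),
    Rule("web", "shared-services", 53, "allow"),
    Rule("app", "shared-services", 53, "allow"),
    Rule("db", "shared-services", 53, "allow"),
]


def vm_by_ip(ip: str) -> Optional[str]:
    """Resolve an address to the VM it belongs to (None if not in inventory)."""
    for name, (addr, _groups) in INVENTORY.items():
        if ip_address(addr) == ip_address(ip):
            return name
    return None


def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> Tuple[str, str]:
    """Return (action, reason) for one flow, decided by group membership."""
    src = vm_by_ip(src_ip)
    dst = vm_by_ip(dst_ip)
    if src is None or dst is None:
        return ("deny", "unknown endpoint")
    src_groups = INVENTORY[src][1]
    dst_groups = INVENTORY[dst][1]
    for rule in POLICY:
        if (rule.src_group in src_groups and rule.dst_group in dst_groups
                and (rule.dst_port is None or rule.dst_port == dst_port)):
            return (rule.action, f"rule {rule.src_group}->{rule.dst_group}:{rule.dst_port}")
    return ("deny", "default deny (no group rule)")


# Constructed east-west flow records: "src_ip dst_ip dst_port"
FLOW_LOG = """\
192.168.10.4 192.168.10.12 8080
192.168.10.12 192.168.20.6 3306
192.168.10.4 192.168.20.6 3306
192.168.20.6 192.168.20.11 3306
192.168.10.12 192.168.30.2 53
10.0.0.9 192.168.20.6 3306
"""


def audit(flow_log: str) -> List[Tuple[str, str, int, str, str]]:
    """Evaluate every flow record and return (src, dst, port, action, reason)."""
    results = []
    for line in flow_log.splitlines():
        src, dst, port = line.split()
        action, reason = evaluate(src, dst, int(port))
        results.append((src, dst, int(port), action, reason))
    return results


if __name__ == "__main__":
    for src, dst, port, action, reason in audit(FLOW_LOG):
        print(f"{src:>15} -> {dst:<15}:{port:<5} {action:5} ({reason})")
```

Run as a script, the audit allows web-to-app and app-to-db on their service ports plus DNS to shared services, and denies the web-to-db tier skip, the finance-db-to-hr-db lateral flow and the flow from an address that is not in the inventory; the group names make the reason for each decision readable without consulting a VLAN map.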

More efficient firewalls with virtual networking and security
(Figure: east-west firewalling before and with virtual networking. Same host: 6 wire hops through the Nexus 7000 before, 0 wire hops with the distributed virtual firewall. Host to host: 6 wire hops before, 2 wire hops with the distributed virtual firewall.)
Fewer hops, more efficient and precise VM networking.

Architectural benefits
- Savings in core switch port requirements and routing capacity
- Savings in firewall and load balancer capacity, and reduced complexity in managing firewall rules
- Security functions are performed nearest to the virtual machines

Architectural benefits: application continuity and disaster recovery
- Synchronize the state of the security infrastructure in the secondary site
- Fast restart of the virtual network and virtual security elements (Active-Active or Active-Standby)
- Easy testing of virtual network failover

Policy and services assigned to groups
Define once, apply repeatedly: define policy, assign services, automate response.
(Figure: Web, App, DB and HR groups.)

Consistent policy and services
(Figure: HR group.)

Adaptable and proactive security
Policy and services defined with future changes in mind; remediate changes with preset (unique) policy definitions.
Example: vulnerability scan. If a vulnerability is found, tag the workload with the CVE score. If tagged, remediate with IPS.

Automated security
Policy and services defined with future changes in mind; remediate changes with preset (unique) policy definitions.
Example: scan to ensure no private information is stored. If found (for example SN# 555-55-5555), tag the workload. If tagged, move the workload from the Finance group to the more secure PII group.
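The two slides above ("Adaptable and proactive security" and "Automated security") describe the same pattern: policy is defined once against groups, a scanner only tags a workload, and group membership and attached services follow from the tags. The following added example (not the presentation's or any product's code) models that pattern. Group names, tag names, the 7.0 score threshold, service names and the scan findings are all constructed for the illustration.

```python
"""Tag-driven security groups with automated response (added example, not
from the presentation). A vulnerability scan tags a workload with a CVE score
and policy attaches an IPS service; a data scan finds PII, tags the workload,
and policy moves it out of the Finance group into a PII group. Group names,
tag names, the score threshold, service names and findings are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass
class Workload:
    name: str
    static_groups: Set[str]                 # groups assigned at provisioning
    tags: Dict[str, str] = field(default_factory=dict)


@dataclass
class DynamicGroup:
    name: str
    criterion: Callable[[Workload], bool]   # membership computed from tags
    services: List[str]                     # services applied to members
    replaces: Set[str] = field(default_factory=set)  # groups a member leaves


# Constructed policy: defined once, applied to whatever matches later.
GROUPS: List[DynamicGroup] = [
    DynamicGroup(
        name="vulnerable-high",
        criterion=lambda w: float(w.tags.get("cve_score", "0")) >= 7.0,
        services=["ips-inline"],
    ),
    DynamicGroup(
        name="pii",
        criterion=lambda w: w.tags.get("pii") == "found",
        services=["dfw-pii-section", "dlp-inspection"],
        replaces={"finance"},
    ),
]


def effective_groups(w: Workload) -> Set[str]:
    """Static groups plus every dynamic group whose criterion matches,
    minus any group that a matched dynamic group replaces."""
    groups = set(w.static_groups)
    for g in GROUPS:
        if g.criterion(w):
            groups.add(g.name)
            groups -= g.replaces
    return groups


def effective_services(w: Workload) -> List[str]:
    """Services attached to the workload through its dynamic group membership."""
    svcs: List[str] = []
    for g in GROUPS:
        if g.criterion(w):
            for s in g.services:
                if s not in svcs:
                    svcs.append(s)
    return svcs


def apply_scan_result(w: Workload, scanner: str, finding: Dict[str, str]) -> Dict[str, str]:
    """Translate a scanner finding into tags and return the tags that changed.
    The scanner only tags; the groups above decide the response."""
    added: Dict[str, str] = {}
    if scanner == "vuln" and "cve_score" in finding:
        # keep the highest score seen so a later, lower finding does not untag
        current = float(w.tags.get("cve_score", "0"))
        new = float(finding["cve_score"])
        if new > current:
            added["cve_score"] = f"{new:.1f}"
    elif scanner == "data" and finding.get("pii") == "found":
        added["pii"] = "found"
    w.tags.update(added)
    return added


def run_scenario() -> Dict[str, Dict[str, object]]:
    """Constructed day-2 scenario: two workloads provisioned into Finance, then
    two scans report findings. Returns groups and services before and after."""
    fin_db = Workload("fin-db-01", {"finance", "db"})
    web = Workload("web-01", {"finance", "web"})
    report: Dict[str, Dict[str, object]] = {}
    for w in (fin_db, web):
        report[w.name] = {"before": sorted(effective_groups(w)),
                          "services_before": effective_services(w)}
    apply_scan_result(web, "vuln", {"cve_score": "9.8"})
    apply_scan_result(fin_db, "data", {"pii": "found", "sample": "SN# 555-55-5555"})
    for w in (fin_db, web):
        report[w.name]["after"] = sorted(effective_groups(w))
        report[w.name]["services_after"] = effective_services(w)
    return report


if __name__ == "__main__":
    for name, r in run_scenario().items():
        print(name, r)
```

The design point is that nothing in the scanners knows about IPS or the PII group: they emit tags, and the response is whatever the pre-defined groups say about those tags, which is what lets the same policy remediate workloads that did not exist when it was written.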

Today's VDI challenges
- VDI to VDI: desktop-to-desktop hacking inside the DC
- VDI to VM: desktop-to-server hacking inside the DC
(Figure: Finance, HR and Engineering desktop pools.)

Virtual networking simplifies VDI
(Figure: perimeter firewall, inside firewall, DMZ, Finance/HR/Engineering pools, App and DB tiers.)
- Firewall and filter traffic based on logical groupings
- Simplified, programmable, automated application of network/security policy to desktop users/pools
- Service chaining with AV and NGFW partners to deliver automated, policy-integrated AV/malware protection, NGFW, IPS, etc.

A multivendor security approach
Integration platform for dynamic security services.
(Figure: security solutions 1, 2 and 3 as a static service chain in the traditional data center versus a dynamic service chain in the data center with virtual networking.)

Ground-breaking use cases
Security:               Micro-segmentation, DMZ anywhere, Secure end user
IT automation:          IT automating IT, Developer cloud, Multi-tenant infrastructure
Application continuity: Disaster recovery, Metro pooling, Hybrid cloud networking
IT optimization:        Server asset utilization, Hardware lifecycle, Price/performance

Apply What You Have Learned Today
- Review security and protection of your virtual servers and virtual desktops.
- Identify the ratio of VMs that have no firewall protection.
- Consider extending firewall protection to 100% of your VM deployments.
- Employ tools to quickly isolate and remediate a virus- or malware-infected VM.
- Consider the impact to your business if VMs are compromised.
- Discuss the impact of security automation on application provisioning times.
- Consider a single-pane-of-glass approach to managing security and firewalls in a multi-site, multi-DC and hybrid cloud deployment.
- Adopt a virtual network and security platform that supports an advanced security approach from multiple vendors for your virtualized data center.