LHC1753BU Case Study: How VMware NSX Is Empowering a Service Provider to Help Customers Achieve and Maintain Industry Compliance VMworld 2017 Content: Not for publication #VMworld #LHC1753BU
Disclaimer: This presentation may contain product features that are currently under development. This overview of new technology represents no commitment from VMware to deliver these features in any generally available product. Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind. Technical feasibility and market demand will affect final delivery. Pricing and packaging for any new technologies or features discussed or presented have not been determined.
Speakers: Luke Huckaba, Principal Architect, Rackspace; Anand Iyer, Global Product Marketing, VMware
VMware Cloud Provider Name Change
What Can a VMware Cloud Provider Do for You?
Benefits / results: 4500+ Cloud Providers globally; seamless integration with vSphere; the same operational tools on-premises and in the cloud; value-added services, including management and support; an easy on-ramp to the cloud for existing vSphere workloads.
Value-added services: IaaS, cold and warm migration, seamless connectivity (L2VPN client), managed hosting, disaster recovery, Desktop as a Service, SDDC + vCloud Director.
Agenda
1. About the Case Study
2. VMware NSX Distributed Firewall Overview
3. Planning
4. Implementation
5. QSA Review
6. Ongoing Maintenance
About the Case Study
About the Case Study
What it is: Rackspace PCI-DSS certification for its management infrastructure.
What it is not: Rackspace customer certification. Customers attain their own certification.
Problem: systems in scope for PCI are commingled in the same L2 network as non-PCI systems.
Option 1: Re-IP the in-scope systems.
Option 2: Deploy the VMware NSX Distributed Firewall for microsegmentation.
VMware's NSX Distributed Firewall was leveraged to microsegment each environment.
VMware NSX Distributed Firewall Overview
VMware NSX Distributed Firewall Overview
A software VIB that runs on each ESXi host.
A stateful software firewall.
Firewall rules are applied to traffic between the vNIC and the vSphere Distributed Switch.
Layer 2, 3 and 4 firewall rules, and up to layer 7 with 3rd-party vendors and integrations.
A single management plane per vCenter.
An NSX for vSphere network is made up of distributed network elements embedded in each hypervisor. NSX for vSphere firewalling is fully distributed and embedded in every hypervisor in the data center, enabling each VM to have its own firewall:
Firewalls and policies are provisioned simultaneously with VMs.
Policies move with their VMs.
Retiring a VM deprovisions its firewall, so there is no possibility of stale rules.
State is persistent across VMware vMotion.
Planning
Planning
Documentation is king!
Follow an outside-to-in and inside-to-out approach and audit all traffic flows:
Outside to in: which systems access the VMs from outside of the virtual environment?
Inside to out: which VMs inside the virtual environment access systems outside of the environment?
Inter-VM communication across multiple vCenters.
Inter-VM communication within the same vCenter.
(Diagram on slide: outside-to-in and inside-to-out traffic at the vCenter boundary, with inter-VM traffic split between PCI and non-PCI systems.)
Planning
Use a spreadsheet to group everything. There are four (4) key grouping objects:
IP Sets: groups of single IPs, subnets and IP ranges.
Security Groups: groups of VMs and IP Sets.
Services: protocol and ports.
Service Groups: groups of services.
Planning: worked examples of each object type (slide images): IP Sets; Security Groups; Services; Service Groups; Security Policies; Applied Security Policies.
Implementation
Implementation
Follow your documentation.
Create IP Sets first. (Diagram on slide: IP Sets such as 10.1.0.0/24, 10.2.0.0/24 and 10.10.7.58; a Security Group built from the IP Sets 10.4.0.0/24 and 10.5.0.0/24; and a dynamic Security Group.)
Create Security Groups:
Dynamic, based on VM name and Security Tag.
Static, based on IP Set.
Dynamic, based on virtual datacenter, and dynamically exclude based on objects.
Implementation
Follow your documentation.
Use Service Composer to create Security Policies. Ask: is the group offering a service or consuming a service? Where is the traffic initiated from (within the vCenter)?
Offering a service: Consumers reach the Security Group over a Service.
Consuming a service: the Security Group reaches an Application Service over a Service.
Apply policies to Security Groups. (Diagram on slide: Security Groups with Consumers, Services and Application Services, each policy applied to the Security Group that offers or consumes the service.)
Service Composer dynamically builds the firewall rules for you.
After going over Service Composer, does this make better sense?
QSA Review
QSA Review
Start with the spreadsheet and follow a top-down approach.
Cover all communications, starting with IP Sets, Security Groups, Services, and Service Groups.
Provide an overview and walkthrough of Service Composer and the Security Policies.
Explain all firewall rules and how they're generated through Service Composer.
Create an Auditor-role user in NSX if a separate team needs to audit the firewall rules regularly.
Ongoing Maintenance
Ongoing Maintenance
Proper change control is a PCI requirement:
User A submits a change request.
A member of the governing group reviews and approves or denies the change request.
A member of the approved admins carries out the change.
Maintain the approved spreadsheet: use a ticketing system to track all changes, and update your spreadsheet!
Regular audits (quarterly, semi-annually): validate that what's in NSX is what's in the approved spreadsheet.
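To make the planning objects, the offering/consuming policy model from the Service Composer slides and the quarterly audit concrete, here is an added example (not Rackspace's or VMware's code): it models the spreadsheet's IP Sets, Security Groups, Services and Security Policies, derives the rules each policy implies, and diffs them against a rule export. All object names, addresses and the flattened export format are assumptions; the export is constructed sample data, not NSX Manager API output.

```python
# Approved spreadsheet, as constructed sample data (object names are hypothetical).
IP_SETS = {
    "ipset-mgmt-jump": {"10.10.7.58/32"},
    "ipset-corp": {"10.1.0.0/24", "10.2.0.0/24"},
}
SECURITY_GROUPS = {
    "sg-mgmt": IP_SETS["ipset-mgmt-jump"],        # static: built from an IP Set
    "sg-corp": IP_SETS["ipset-corp"],
    "sg-pci-web": {"pci-web-01", "pci-web-02"},   # dynamic: VM name / Security Tag
    "sg-pci-db": {"pci-db-01"},
}
SERVICES = {"HTTPS": ("tcp", 443), "SSH": ("tcp", 22), "MySQL": ("tcp", 3306)}
# Security Policies in Service Composer terms: "offering" = the peer group consumes
# a service this group provides; "consuming" = this group reaches the peer's application.
POLICIES = [
    {"group": "sg-pci-web", "kind": "offering", "peer": "sg-corp", "service": "HTTPS"},
    {"group": "sg-pci-web", "kind": "offering", "peer": "sg-mgmt", "service": "SSH"},
    {"group": "sg-pci-web", "kind": "consuming", "peer": "sg-pci-db", "service": "MySQL"},
    {"group": "sg-pci-db", "kind": "offering", "peer": "sg-mgmt", "service": "SSH"},
]

def expand_rules(policies):
    """Derive the DFW rules Service Composer builds from each policy, as
    (source, destination, service, action) tuples: an offering policy allows
    peer -> group, a consuming policy allows group -> peer."""
    rules = set()
    for p in policies:
        unknown = {p["group"], p["peer"]} - set(SECURITY_GROUPS)
        if unknown or p["service"] not in SERVICES:
            raise ValueError(f"policy references an unknown object: {unknown or p['service']}")
        src, dst = (p["peer"], p["group"]) if p["kind"] == "offering" else (p["group"], p["peer"])
        rules.add((src, dst, p["service"], "allow"))
    return rules

def audit(approved, in_nsx):
    """Quarterly check: what is in NSX must equal the approved spreadsheet.
    Extra rules are unapproved change; absent rules are enforcement gaps."""
    return {"unapproved": sorted(in_nsx - approved), "missing": sorted(approved - in_nsx)}

# Constructed rule export standing in for rules pulled from NSX Manager.
NSX_EXPORT = {
    ("sg-corp", "sg-pci-web", "HTTPS", "allow"),
    ("sg-mgmt", "sg-pci-web", "SSH", "allow"),
    ("sg-pci-web", "sg-pci-db", "MySQL", "allow"),
    ("any", "sg-pci-db", "SSH", "allow"),  # added by hand, never approved
}

if __name__ == "__main__":
    print(audit(expand_rules(POLICIES), NSX_EXPORT))
```

The two findings it reports (a hand-added SSH rule nobody approved, and an approved management SSH rule that is absent) are exactly the items a change-control review would raise against the ticketing record.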
VMware Cloud Provider Sponsors: visit their booths at Solution Exchange!
Recommended Sessions
VMware Cloud Partners: accelerate your digital business transformation with VMware Cloud Provider Partners. Learn more: cloudproviders.vmware.com
SESSION ID | NAME | TIME
LHC3139SU | Spotlight Session: Achieving Success in a Multi-Cloud World | Wednesday, 11:00
LHC1661BU | Getting Started with the VMware Cloud Provider Program (Technical Tips and Tricks) | Tuesday, 11:00
LHC1539BU | Paving the Way to the Hybrid Cloud with VMware Cloud Service Providers and vCloud Availability | Tuesday, 12:30
LHC1716BU | On-Ramp to the Cloud: Migration Tools and Strategies | Tuesday, 14:00
LHC2573BU | Achieving Hybrid Cloud Data Agility Securely with VMware NSX | Tuesday, 17:00
LHC1746BU | Automating Disaster Recovery with vCloud Availability for vCloud Director and vRealize Orchestrator | Wednesday, 8:00
LHC2424BU | 200 to 40,000 VMs in 24 Months: Building Highly Scalable SDDC on Hybrid Cloud: Real-World Example | Wednesday, 8:00
LHC2626BU | Build VMware Powered Hybrid Clouds: See How vCloud Director and NSX Work Together to Build True Hybrid Clouds | Wednesday, 11:00
LHC1753BU | Case Study: How VMware NSX Is Empowering a Service Provider to Help Customers Achieve and Maintain Industry Compliance | Wednesday, 12:30
LHC1809BU | Use NSX to Deploy a Secure Virtual Network Bridging Multiple Locations for a True Hybrid Cloud | Thursday, 13:30
Thank You Luke Huckaba @ThepHuck