Transcription:

SAI2803BU The Road to Micro-Segmentation with VMware NSX #VMworld #SAI2803BU

Disclaimer: This presentation may contain product features that are currently under development. This overview of new technology represents no commitment from VMware to deliver these features in any generally available product. Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind. Technical feasibility and market demand will affect final delivery. Pricing and packaging for any new technologies or features discussed or presented have not been determined.

SAI2803BU The Road to Micro-Segmentation with VMware NSX
Speakers: Stijn Vanveerdeghem; Geoff Wilmington (@vwilmo)
#VMworld #SAI2803BU

Agenda
1. Security in the Datacenter with NSX
2. Deploying NSX Micro-Segmentation
3. Micro-Segmentation Policy Creation
4. Automation

Security in the DC with NSX: Requirements for a Software-Defined Datacenter
- Visibility
- Lifecycle Management and Automation
- Common Policy Control
- Extensibility

Security in the DC with NSX: NSX Security Platform
- Visibility: datacenter, application and host
- Lifecycle Management and Automation: NSX
- Common Policy Control: context-driven micro-segmentation
- Extensibility: best-of-breed partner integration

Security in the DC with NSX: What is Zero Trust?


Deploying NSX Micro-Segmentation: Deployment Options: Distributed Segmentation
- Controlled communication or isolation between workloads on the same or different VLAN
- Distributed Firewall applied to each vNIC
- East-West filtering by the NSX Distributed Firewall
- Existing physical firewall only handles North-South communication
- Traffic discovery to determine required flows/rules
- Advanced partner services can be inserted at each vNIC
(Diagram: stateful DFW policy enforcing controlled communication between workloads; physical router handles North-South.)

Deploying NSX Micro-Segmentation: Deployment Options: Distributed Segmentation and Network Overlays
- Logical Switches based on overlays isolate/segment workloads independent of the underlying physical network
- Distributed Logical Routers optimize East-West routing
- Edge Services Gateway can also be leveraged for N-S routing, N-S firewalling, load balancing, NAT and VPN
- Distributed Firewall provides controlled communication or isolation between workloads on the same or different Logical Switch (overlay)
- Advanced partner services can be inserted at each vNIC
(Diagram: stateful DFW policy enforcing controlled communication; Distributed Logical Router between logical switches.)

Deploying NSX Micro-Segmentation: Deployment Steps: Deploying NSX Manager, VDS and Host Prep
- Pre-existing Management and Compute clusters can be leveraged
- NSX Manager is deployed in the Management cluster and peered with the existing vCenter Server
- VDS is required for all compute clusters
- Host preparation installs the NSX VIB on all hosts in a cluster; non-disruptive operation
- Distributed Firewall is enabled on every VM with a default allow-all policy
(Diagram: Management Cluster and Compute Clusters on a VDS, VLAN 10/20/30, L2/L3 boundary.)

Deploying NSX Micro-Segmentation: Deployment Steps: Determine and Configure Appropriate Policies
- Policy and Grouping Methodology
- Application Discovery
- Policy Model
- Service Composer / Firewall Rule Table

Deploying NSX Micro-Segmentation: Deployment Steps: Reduce the Scope of the Perimeter Firewall (Brownfield)
- Move the default gateway function from the perimeter firewall to the aggregation layer, or deploy NSX Distributed Routing
- Remove E-W rules from the perimeter firewall
- Perimeter firewall now only handles N-S flows
- Can be done gradually
(Diagram: N-S flows through the perimeter firewall; VLAN 10/20/30 behind it.)


Micro-Segmentation Policy Creation: Policy and Grouping Methodology
- Choose the policy and grouping methodology BEFORE beginning the process
- It will provide a clear direction on how to tackle challenges along the way
- Methodologies: Application, Infrastructure, Network

Micro-Segmentation Policy Creation: Whitelisting and Blacklisting

Whitelisting
- Definition: a list of approved items; anything not on this list is disallowed. More secure.
- Advantages: high degree of accuracy; minimizes false positives; easy to customize; can be established easily in different areas of the enterprise
- Disadvantages: more time to manage; requires additional time to install

Blacklisting
- Definition: a list of unapproved items; anything not on this list is allowed.
- Advantages: easy to manage; easy to install; updates quickly
- Disadvantages: exponential growth; high rate of false positives, possibly even blocking necessary access; requires continual updates; hard to transition to whitelisting

Micro-Segmentation Policy Creation: Firewall Rule Table and Service Composer

Firewall Rule Table
- Analogous to a typical firewall rule table
- Provides an overview of all rules in the system: DFW rules and Network Introspection
- Sections enable rule grouping
- UI and API driven

Service Composer
- One or more Security Policies can be applied to Security Groups
- Policies define DFW rules and the service chain
- Abstraction enables efficient service deployment
- Independent policies are combined specific to each workload
- UI and API driven

Micro-Segmentation Policy Creation: Policy and Grouping Methodology
- Security Groups allow abstraction and grouping of workloads from the underlying virtual infrastructure
- End users and cloud admins are able to define application-centric security policies
- Security Policies are applied to one or more Security Groups of which workloads are members
- Security Tags are applied to Virtual Machines and can be used for dynamic Security Group membership
(Diagram: Security Tag (ST) -> Virtual Machine (VM) -> Security Group (SG) -> Security Policy. A Security Group has members (VM, vNIC) and context (user identity, security posture); a Security Policy carries Guest Introspection, Distributed Firewall and Network Introspection policies.)

Micro-Segmentation Policy Creation: Dynamic Policy using Security Tags
Example requirements:
- Apply differentiated policy based on OS and Environment
- Automate policy application for new applications being provisioned
Upon vRA Blueprint deployment:
- All VMs that are part of an application are placed into a new Security Group
- Every VM is tagged with multiple tags identifying Function, Zone, OS, Environment and Tenant
(Diagram: App1 Security Group containing App1-Apache (tags DMZ, PROD, RHEL, Apache), App1-WLS (tags TRUSTED, PROD, RHEL, WLS) and App1-ORADB (tags RESTRICTED, PROD, RHEL, ORADB).)

Micro-Segmentation Policy Creation: Zero Trust Policy Model (whitelisting / zero trust)
Rule sections, evaluated in this order:
- Emergency Rules: used for quarantine and/or allow rules
- Infrastructure Rules: global rules (AD, DNS, NTP, DHCP, backup, management servers)
- Environment Rules: rules between zones (Prod vs Dev, PCI vs non-PCI, inter-BU rules)
- Inter-Application Rules: rules between applications
- Intra-Application Rules: rules between the application tiers or between micro-services
- Default Rule = Deny
(Discovery tools noted for the application-level sections: vRNI / ARM / Endpoint Monitoring.)
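The three preceding slides (Security Groups and Tags, dynamic policy via tags, and the sectioned zero-trust model) describe a data model without showing it evaluated. The following is an added example, not VMware NSX code and not from the presenters: a toy model in which tags on a VM drive dynamic Security Group membership, rules are sorted into the model's section order, and a flow is decided first-match with a default deny at the end. All VM names, tags, group names and ports are constructed for the example; the emergency section's Quarantine group shows why dynamic membership matters, since adding one tag changes the verdict without editing any rule.

```python
"""Security Tags -> dynamic Security Groups -> sectioned zero-trust policy.

Added illustration, not VMware NSX code. Tags on a VM drive dynamic Security
Group membership; rules are evaluated first-match in the model's section order
(emergency, infrastructure, environment, inter-application, intra-application)
and fall through to a default deny. VM names, tags and groups are constructed.
"""
from dataclasses import dataclass
from typing import Optional

SECTION_ORDER = ["emergency", "infrastructure", "environment",
                 "inter-application", "intra-application"]


@dataclass
class VM:
    name: str
    tags: set          # security tags, e.g. {"App1", "Apache", "DMZ", "PROD", "RHEL"}


@dataclass(frozen=True)
class SecurityGroup:
    name: str
    required_tags: frozenset   # dynamic membership: VM must carry all of these

    def contains(self, vm: VM) -> bool:
        return self.required_tags <= vm.tags


@dataclass(frozen=True)
class Rule:
    section: str
    src: str                   # security group name, or "any"
    dst: str
    service: Optional[tuple]   # (proto, port), or None for any service
    action: str                # "allow" or "block"


class Policy:
    def __init__(self, groups, rules):
        self.groups = {g.name: g for g in groups}
        # Stable sort: sections in model order, author order kept inside a section.
        self.rules = sorted(rules, key=lambda r: SECTION_ORDER.index(r.section))

    def _selects(self, selector: str, vm: VM) -> bool:
        return selector == "any" or self.groups[selector].contains(vm)

    def evaluate(self, src: VM, dst: VM, proto: str, port: int):
        """First matching rule wins; no match falls through to the default deny."""
        for rule in self.rules:
            if not (self._selects(rule.src, src) and self._selects(rule.dst, dst)):
                continue
            if rule.service is not None and rule.service != (proto, port):
                continue
            return rule.action, rule
        return "block", None


def build_example():
    """Constructed App1 three-tier application, a DNS server and a dev box."""
    vms = {
        "app1-web": VM("app1-web", {"App1", "Apache", "DMZ", "PROD", "RHEL"}),
        "app1-wls": VM("app1-wls", {"App1", "WLS", "TRUSTED", "PROD", "RHEL"}),
        "app1-db":  VM("app1-db",  {"App1", "ORADB", "RESTRICTED", "PROD", "RHEL"}),
        "dns-01":   VM("dns-01",   {"Infra", "DNS", "PROD"}),
        "dev-box":  VM("dev-box",  {"DEV", "RHEL"}),
    }
    groups = [
        SecurityGroup("Quarantine", frozenset({"QUARANTINE"})),
        SecurityGroup("Infra-DNS", frozenset({"DNS"})),
        SecurityGroup("Prod", frozenset({"PROD"})),
        SecurityGroup("Dev", frozenset({"DEV"})),
        SecurityGroup("App1-Web", frozenset({"App1", "Apache"})),
        SecurityGroup("App1-App", frozenset({"App1", "WLS"})),
        SecurityGroup("App1-DB", frozenset({"App1", "ORADB"})),
    ]
    rules = [  # listed out of order on purpose; Policy sorts them
        Rule("intra-application", "App1-Web", "App1-App", ("tcp", 8443), "allow"),
        Rule("intra-application", "App1-App", "App1-DB", ("tcp", 1521), "allow"),
        Rule("environment", "Dev", "Prod", None, "block"),
        Rule("infrastructure", "any", "Infra-DNS", ("udp", 53), "allow"),
        Rule("emergency", "Quarantine", "any", None, "block"),
        Rule("emergency", "any", "Quarantine", None, "block"),
    ]
    return Policy(groups, rules), vms


def decide(policy, vms, src, dst, proto, port) -> str:
    return policy.evaluate(vms[src], vms[dst], proto, port)[0]


if __name__ == "__main__":
    policy, vms = build_example()
    for flow in [("app1-web", "app1-wls", "tcp", 8443), ("app1-web", "app1-db", "tcp", 1521),
                 ("dev-box", "app1-web", "tcp", 443), ("app1-web", "dns-01", "udp", 53)]:
        action, rule = policy.evaluate(vms[flow[0]], vms[flow[1]], *flow[2:])
        print(flow, "->", action, "via", rule.section if rule else "default deny")
    # One added tag moves the VM into Quarantine; the emergency section now wins.
    vms["app1-web"].tags.add("QUARANTINE")
    print("quarantined:", decide(policy, vms, "app1-web", "app1-wls", "tcp", 8443))
```

Web to DB on 1521 is blocked by the default rule because no intra-application rule covers that pair, which is the whitelisting behaviour the model relies on; the dev box is stopped in the environment section before any application rule is consulted.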

Micro-Segmentation Policy Creation: Application Discovery - Methods and Tools
- Leveraging existing firewall policy
- vRealize Network Insight
- NSX Application Rule Manager and Endpoint Monitoring
- vRealize Log Insight firewall logs

Micro-Segmentation Policy Creation: Leveraging the existing FW policy
- Mostly relevant for Infrastructure and Environment rules
- Analyze existing zones and rules and isolate North-South rules from East-West rules
- Determine flow patterns that are hair-pinned (East-West traffic); this also helps you understand how to replace hair-pinned traffic with logical switches and routing using NSX overlays
- Correlate NSX flow patterns/logs with rules collected from perimeter firewalls
(Diagram: HR apps (HR-Web VLAN 10, HR-App VLAN 11, HR-DB VLAN 12) and Engineering apps (ENG-Web VLAN 20, ENG-App VLAN 21, ENG-DB VLAN 22) hair-pinning through the perimeter firewall; Shared Services.)

Micro-Segmentation Policy Creation: Leveraging the existing FW policy - Rule Migration

Micro-Segmentation Policy Creation: vRealize Log Insight - Distributed Firewall Logs
1. Create Security Groups for your application
2. Create catch-all rules to log traffic
3. Monitor logs to determine required rules
4. Create or update Shared Services rules
5. Create E-W intra-application rules
6. Continue for other applications
(Diagram: per-application policy with Web, App and DB tiers. Logging rules: any/any "Allow and Log" or "Block and Log" per tier. Resulting intra-application rules: Allow Any to Web, Allow Web to App, Allow App to DB, then a default "Block and Log". DFW system default is Allow or Block.)

Micro-Segmentation Policy Creation: NSX Micro-Segmentation Visibility and Planning Tools
- Profile applications both on the wire and on the guest; can be used on a per-application basis
- End-to-end visibility and rule creation/enforcement
- Empowers the app team: visibility and rule creation streamline deployment
- Drives the whitelisting model: default deny, then open up the necessities
- Fast application operationalization

Micro-Segmentation Policy Creation: NSX Micro-Segmentation Visibility and Planning Tools: Application Rule Manager
- Leverages flow monitoring to monitor all flows for selected vNICs
- Flows are de-duplicated, correlated and filtered
- Optimized flow tables are presented to users; IP addresses/ports are replaced with objects
- Users can further optimize the flow table
- Firewall rules are generated and can be published after review
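The Log Insight procedure above (catch-all "allow and log" rule, then read the logs for the rules you actually need) and the Application Rule Manager slide (de-duplicate, correlate, replace IPs with objects, generate rules for review) describe the same discovery loop with different tooling. The following is an added example of that loop in miniature; it is not VMware's code, not Application Rule Manager's algorithm, and its log format is a simplified, constructed stand-in for NSX distributed firewall packet logs rather than the exact product format. Addresses, hosts, rule ids and the IP-to-group inventory are all made up.

```python
"""Flow discovery from "allow and log" catch-all hits, turned into candidate rules.

Added illustration, not VMware code: catch-all PASS hits are parsed, the IN and
OUT records of the same connection are collapsed, repeated connections between
the same tiers are counted once per connection, IPs are replaced by the
security-group object they belong to, and the distinct (src, dst, service)
tuples become candidate whitelist rules for human review. The log line format
is a constructed simplification of NSX dfwpktlogs output, not the real format.
"""
import re
from collections import Counter

FLOW_RE = re.compile(
    r"match (?P<action>PASS|DROP) (?P<rule>\S+) (?P<direction>IN|OUT) "
    r"(?P<proto>TCP|UDP|ICMP) (?P<sip>[\d.]+)/(?P<sport>\d+)->(?P<dip>[\d.]+)/(?P<dport>\d+)"
)

# Constructed sample lines. domain-c7/1001 is the catch-all "allow and log" rule;
# 1002 is an existing infrastructure rule and 1003 a "block and log" rule.
SAMPLE_LOG = """\
2017-08-28T10:01:02Z esx-01 dfwpktlogs: INET match PASS domain-c7/1001 OUT TCP 10.0.1.11/51322->10.0.2.21/8443 S
2017-08-28T10:01:02Z esx-02 dfwpktlogs: INET match PASS domain-c7/1001 IN TCP 10.0.1.11/51322->10.0.2.21/8443 S
2017-08-28T10:01:09Z esx-01 dfwpktlogs: INET match PASS domain-c7/1001 OUT TCP 10.0.1.11/51340->10.0.2.21/8443 S
2017-08-28T10:01:15Z esx-03 dfwpktlogs: INET match PASS domain-c7/1001 OUT TCP 10.0.1.12/40011->10.0.2.21/8443 S
2017-08-28T10:01:20Z esx-02 dfwpktlogs: INET match PASS domain-c7/1001 OUT TCP 10.0.2.21/38822->10.0.3.31/1521 S
2017-08-28T10:01:31Z esx-01 dfwpktlogs: INET match PASS domain-c7/1001 IN TCP 203.0.113.5/55123->10.0.1.11/443 S
2017-08-28T10:01:40Z esx-01 dfwpktlogs: INET match PASS domain-c7/1002 OUT UDP 10.0.1.11/49000->10.0.0.53/53
2017-08-28T10:01:45Z esx-02 dfwpktlogs: INET match DROP domain-c7/1003 IN TCP 10.9.9.9/4444->10.0.2.21/22 S
this line is not a firewall log record at all
"""

# Constructed inventory: the security-group object each known IP belongs to.
INVENTORY = {
    "10.0.1.11": "App1-Web", "10.0.1.12": "App1-Web",
    "10.0.2.21": "App1-App",
    "10.0.3.31": "App1-DB",
    "10.0.0.53": "Infra-DNS",
}


def parse_line(line):
    """Return the flow fields of one log line, or None if it is not a flow record."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def discover_rules(log_text, inventory, catchall_rule):
    """Aggregate catch-all PASS hits into candidate (src object, dst object, service) rules.

    The OUT record on the source host and the IN record on the destination host
    describe one connection, so the connection key ignores direction and host.
    The rule key also drops the ephemeral source port. IPs without an object keep
    the raw address so the reviewer sees that an IP set object is still needed.
    """
    seen_connections = set()
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "PASS" or rec["rule"] != catchall_rule:
            continue  # not traffic the catch-all let through
        conn = (rec["sip"], rec["sport"], rec["dip"], rec["dport"], rec["proto"])
        if conn in seen_connections:
            continue  # IN/OUT pair of the same connection
        seen_connections.add(conn)
        key = (inventory.get(rec["sip"], rec["sip"]),
               inventory.get(rec["dip"], rec["dip"]),
               f'{rec["proto"]}/{rec["dport"]}')
        hits[key] += 1
    return [{"src": s, "dst": d, "service": svc, "hits": n}
            for (s, d, svc), n in sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))]


if __name__ == "__main__":
    for rule in discover_rules(SAMPLE_LOG, INVENTORY, "domain-c7/1001"):
        print(f'allow {rule["src"]} -> {rule["dst"]} {rule["service"]}  ({rule["hits"]} connections)')
```

Traffic already matched by a more specific rule (the DNS hit on rule 1002) and blocked traffic are left out on purpose: only what the catch-all allowed is unexplained by current policy and needs a rule. The external source 203.0.113.5 surfaces as a raw address, which is the reviewer's cue to decide whether an "Any to Web" rule or a narrower IP set is appropriate before publishing.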

Micro-Segmentation Policy Creation: Demo: Application Rule Manager - Micro-segment SAP HANA using Application Rule Manager

Micro-Segmentation Policy Creation: vRealize Network Insight
- Plan micro-segmentation deployment and ensure compliance
- Optimize network performance with 360° visibility and analytics across virtual, physical and cloud
- Ensure best practices, health and availability of the NSX deployment

Micro-Segmentation Policy Creation: vRealize Network Insight - Security Planning
Network Insight can model the appropriate security groups and firewall rules for the entire environment.
- Comprehensive NetFlow (IPFIX) assessment and analysis to model Security Groups and firewall rules
- Recommendations to make micro-segmentation easier to deploy
- Continuously monitor and audit compliance posture over time

Micro-Segmentation Policy Creation: vRealize Network Insight: Application Modeling
- Analyze flows between applications or between tiers of an application
- Quickly add VMs to an application tier using vCenter tags or search wildcards
- Support for modeling application tiers by multiple criteria (IP, tags, IP sets, folders, ...)
- Support for physical IP addresses in micro-segmentation planning and application tiers
- Export of all rules for applications, tiers or security groups with one click

Micro-Segmentation Policy Creation: Demo: vRealize Network Insight
- Micro-segment SAP HANA using vRNI
- vRNI to suggest recommended rules
- vRNI 3.5 new functionality: IPFIX for DFW


Security Automation: The need for Automating Security
- VM sprawl requires more granular security controls
- Manual configuration breaks the cloud model
- Auditing and control are harder in a dynamic environment
- Automating security configuration reduces risk and labor
(Diagram: Internet, security admin, automated policy.)

Security Automation: Automating Security with vRA and NSX
- Provides application context to enable a policy-based approach to security
- Granular security requires a mix of options: existing or on-demand Security Groups; App Isolation to block traffic across deployments
(Diagram: two deployments, each in its own App Isolation Security Group (UUID-01, UUID-02). Deployment 1: Web Tier Security Group (web-sv-001, web-sv-002), external access permits only SSH, HTTP, HTTPS from Any; App Tier Security Group (app-sv-001) permits only Tomcat (TCP 8443) from Web; DB Tier Security Group (db-sv-001) permits only MySQL (TCP 3306) from App. Deployment 2 repeats the pattern with web-sv-003, web-sv-004, app-sv-002 and db-sv-002.)

Security Automation: Automating and Scaling Security with vRA - Example
(Diagram: Clinicians' VDI desktops placed in NSX Security Group "VDI"; Hyperspace Web Servers (HSW) placed in NSX Security Group "HSW".)

Key Takeaways: The Road to Micro-Segmentation with VMware NSX
- NSX Micro-Segmentation enables a Zero-Trust architecture
- Choosing an appropriate policy and grouping methodology is critical
- Application discovery is key to determining the appropriate rules in a Zero-Trust model
- NSX Application Rule Manager and vRealize Network Insight enable a quick road to micro-segmenting your applications
- vRealize Automation delivers NSX micro-segmentation in a fully automated environment