SAI1303BU Security with NSX. Greater Security in the Digital Business Age Alex Berger, NSX Product Marketing #VMworld #SAI1303BU
Disclaimer: This presentation may contain product features that are currently under development. This overview of new technology represents no commitment from VMware to deliver these features in any generally available product. Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind. Technical feasibility and market demand will affect final delivery. Pricing and packaging for any new technologies or features discussed or presented have not been determined.
Business demands: Deliver applications faster to improve time to market. Decrease business risk in an environment of advanced persistent threats. Control costs and reduce complexity. "By 2020, 60% of digital businesses will suffer major service failures due to the inability of IT security teams to manage digital risk." Gartner, Special Report: Cybersecurity at the Speed of Digital Business, May 2016.
From Monolithic Stack to Distributed Apps (diagram: a single UI / APP / DB / STORAGE stack contrasted with many WEB, APP, DB and STORAGE components of a distributed application)
The application is a network. Perimeter security (diagram: WAF, IPS, NGFW, SFW, ENC). VMworld 2017 Content: Not for publication
Our approach is not working: security investments are increasing, yet the cost of breaches is rising faster. Annual cost of security breaches: $445B (Source: Center for Strategic and Int'l Studies). Projected growth rate in IT spend from 2014-2019: zero (flat) (Source: Gartner). Security as a % of IT spend: 2012: 11%; 2015: 21% (Source: Forrester). (Chart: IT spend, security spend, security breaches.)
Network virtualization - a point of alignment: abstracting networking and security from the underlying infrastructure (data center, cloud, branch office, IoT).
NSX value proposition: Virtualization layer (network, storage, compute) on top of the hypervisor and vSwitch.
NSX value proposition: Network and security services (routing, switching, load balancing, firewalling), delivered in-hypervisor (on-prem) or as a service (cloud); hardware/cloud independent.
NSX value proposition: Virtual networks on a network platform, above the virtualization layer (network, storage, compute), with routing, switching, load balancing and firewalling as services.
Security with NSX Micro-segmentation Secure end user DMZ Anywhere
Our security realities: when threats breach the perimeter, it's hard to stop lateral spread. Low-priority systems are often targeted first. Attackers can move freely around the data center. Attackers then gather and exfiltrate the valuable data. (Diagram: Internet, network perimeter, micro-segmentation.)
What if you could enforce security at the most granular level of the data center? With micro-segmentation, every VM can have individual security policies and individual firewalls. (Diagram: Internet, network perimeter, micro-segmentation.)
What if you could maintain that level of consistent security across an entire application? Security needs to reach beyond an individual VM: modern apps today are distributed in nature, and each VM is typically part of a larger application. (Diagram: WEB and DB tiers under micro-segmentation.)
Better security, simplified policy: define a policy using workload characteristics, not IPs and ports. An NSX security policy can be based on things like operating system, machine name, services, application tier, regulatory requirements (e.g. PCI scope), and security posture. Creating and managing policies becomes a whole lot easier. (Diagram: data center perimeter, PCI scope, micro-segmentation.)
Security with NSX Micro-segmentation Secure end user DMZ Anywhere
Our security realities: proliferation of devices accessing the data center, yet not all are secured. Mobile workers have broad access to data center resources: VDI at a branch or remote location, a mobile device in the field or at home, a laptop or desktop at work or home. (Diagram: Internet, network perimeter, secure end user.)
What if you could extend micro-segmentation out to secure the end user device? Micro-segmentation limits device access to only what is needed: VDI at a branch or remote location, a mobile device in the field or at home, a laptop or desktop at work or home. (Diagram: Internet, network perimeter, secure end user.)
Security with NSX Micro-segmentation Secure end user DMZ Anywhere
Our security realities: isolating physical infrastructure for security is effective, but inefficient. A physical DMZ alongside the core infrastructure means manual processes, inefficient use of pooled resources, and high CapEx investment. (Diagram: data center, DMZ anywhere.)
What if you could pool your physical infrastructure resources (data center, DMZ anywhere, core infrastructure)?
What if you could do so while providing isolation at the hypervisor layer (DMZ anywhere, core infrastructure)?
What if you could create DMZs anywhere, regardless of their location? Scalable and flexible; increased asset utilization; simplified management. (Diagram: multiple DMZs over the core infrastructure.)
Driving value with our NSX partner ecosystem: Orchestration & Management (vRealize Automation, VIO, vRealize Orchestrator, vCloud Director); Networking & Security Services; Network Infrastructure; Platforms (vSAN Ready Node); Operations & Visibility; Compute Infrastructure.
NSX customer momentum is growing exponentially. Customers: Q2 2016: 1,300+; Q2 2017: 2,600+. 2,600+ customers across all industries and organizational sizes, representing 100% year-over-year growth. Deployments: over two new deployments of NSX per day; number of deployments increased 3x year-over-year. Certifications: 8,800+ certified NSX professionals.
Customers are using NSX. Service provider: to stay one step ahead of hackers. Telecom: to keep millions of people connected. Healthcare: to keep hospitals running smoothly. Education: to deliver apps to thousands of students. Finance: to process millions of transactions globally. Retail: to process $ billions of retail transactions. Technology: to keep pace with the explosion of data. Public sector: to protect governments and militaries. Travel and transport: to keep planes in the air.
State of Louisiana. Dustin Glover, CISO, State of Louisiana - OTS.
Division of Administration, Office of Technology Services. Statewide Enterprise Architecture: Information Security Overview.
Business Goals: Louisiana Department of Health System Modernization. Medicaid Eligibility & Enrollment Systems (initially). Noticeably improve public-facing services for Louisiana citizens: quality & availability.
Technology Goals: (7) core components must be COTS. ALL application service integration must be achieved through an Enterprise Service Bus (ESB). Standardize server and database platforms. Extensive High Availability (HA) (Active\Active) and recoverability. Components: Enterprise Service Bus; Identity Access Management; Master Data Management; Data Warehouse; Electronic Document Management; Consumer Communications; Business Rules Engine.
InfoSec Goals: Verifiable regulatory compliance: CMS MARS-E 2.0 & SSA compliant (initially). Establish and document a secure baseline for all elements within the 3 published environments: Production w/ Restricted Data, Non-Production w/ Restricted Data, and Non-Production w/ Non-Restricted Data. Create internal isolation (defense in depth). Significantly improve security monitoring.
Issues: performance loss. (Diagram: vCenter, VM, VM.)
Solution: NSX. Keep traffic within the virtual fabric. (Diagram: vCenter, VM, NSX, VM.)
NSX Configuration Approach: Every HOST must also have a TAG. Access policy is applied to the TAG for the HOST. TAGs are applied to HOSTs that require access. (Diagram: WebServer01 VM, AppServer01 VM, DBServer01 VM, vCenter, NSX; tags [TAG]:AppServer01:8443 and [TAG]:DBServer01:1443.)
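The TAG-based approach on this slide, together with the earlier micro-segmentation point that policy should follow workload characteristics rather than IPs and ports, modelled as an added illustration (not VMware's or the State of Louisiana's own configuration or code): a VM may reach a HOST only if it carries that HOST's "<Name>:<port>" TAG, and every other flow is denied. AppServer01:8443 and DBServer01:1443 are the tags shown on the slide; WebServer01's own tag (port 443), the default-deny behaviour, and the sample flows are assumptions.

```python
# Added illustration (not VMware's or the State of Louisiana's code): a
# minimal model of the slide's TAG-based access policy. Each HOST publishes
# one service as "<HostName>:<port>"; a VM may reach that service only if
# its own tag set contains that exact TAG. Everything else is denied.

# Constructed inventory. AppServer01:8443 and DBServer01:1443 are the tags
# shown on the slide; WebServer01's own tag and port 443 are assumptions.
SERVICES = {"WebServer01": 443, "AppServer01": 8443, "DBServer01": 1443}

VM_TAGS = {
    "WebServer01": {"WebServer01:443", "AppServer01:8443"},
    "AppServer01": {"AppServer01:8443", "DBServer01:1443"},
    "DBServer01": {"DBServer01:1443"},
}


def service_tag(host):
    """TAG a client must carry to reach `host` on its published port."""
    return f"{host}:{SERVICES[host]}"


def is_allowed(src, dst, port):
    """Default-deny check: allow only a published port on a known HOST,
    and only when the source VM carries the destination's service TAG."""
    if dst not in SERVICES or SERVICES[dst] != port:
        return False  # unpublished port or unknown HOST
    return service_tag(dst) in VM_TAGS.get(src, set())


def evaluate(flows):
    """Label each (src, dst, port) flow ALLOW or DENY."""
    return [(s, d, p, "ALLOW" if is_allowed(s, d, p) else "DENY")
            for s, d, p in flows]


def policy_violations(flows):
    """Denied flows only: what a firewall log review would surface."""
    return [f for f in evaluate(flows) if f[3] == "DENY"]


if __name__ == "__main__":
    sample = [  # constructed flows, not captured traffic
        ("WebServer01", "AppServer01", 8443),  # intended web -> app hop
        ("AppServer01", "DBServer01", 1443),   # intended app -> db hop
        ("WebServer01", "DBServer01", 1443),   # web tier skipping app tier
        ("DBServer01", "AppServer01", 8443),   # reverse direction, no tag
        ("AppServer01", "DBServer01", 22),     # port DBServer01 never published
        ("Unknown-VM", "DBServer01", 1443),    # VM outside the inventory
    ]
    for row in evaluate(sample):
        print("%-12s -> %-12s :%-5d %s" % row)
```

Only the two tier hops on the slide are allowed; the web tier cannot skip to the database, the reverse direction is blocked, and an unpublished port or an unknown VM is denied without any per-IP rule.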
NSX Configuration (screenshot)
NSX Configuration (cont.) (screenshot)
NSX Benefits: Significantly increased performance: routing and firewall inside the virtual fabric; allows for DNS load balancing inside NSX. Significantly increased security posture: true micro-segmentation. Positioned for migration to VMware Cloud: ready for IaaS.
Team Effort. Big THANK YOU to:
Where to get started. Engage and Learn: Join VMUG for exclusive access to NSX (vmug.com/vmug-join/vmug-advantage). Connect with your peers (communities.vmware.com). Find NSX resources (vmware.com/products/nsx). Network Virtualization Blog (blogs.vmware.com/networkvirtualization). Try VMworld 2017: Experience dozens of unique NSX sessions (spotlights, breakouts, quick talks & group discussions). Visit the VMware booth (product overview, use-case demos). Visit technical partner booths (integration demos: infrastructure, security, operations, visibility, and more). Meet the Experts: join our experts in an intimate roundtable discussion. Take free hands-on labs: test drive NSX yourself with expert-led or self-paced hands-on labs (labs.hol.vmware.com). Training and Certification: several paths to professional certifications; learn more at the Education & Certification Lounge (vmware.com/go/nsxtraining).