NET2896BU: Expanding Protection Across the Software Defined Data Center with Encryption
VMworld 2017
Chris Corde, Senior Director, Security Product Management
Content: Not for publication
#VMworld #NET2896BU
Disclaimer
This presentation may contain product features that are currently under development. This overview of new technology represents no commitment from VMware to deliver these features in any generally available product. Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind. Technical feasibility and market demand will affect final delivery. Pricing and packaging for any new technologies or features discussed or presented have not been determined.
We need to focus on the application
Align controls and policies to the application. Traffic to and from the application is classified as known good, unknown, or known bad; enforce least privilege.
"Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job."
Professor Jerome Saltzer, MIT, Communications of the ACM
Least privilege can be enforced at multiple layers.
1. At the network level
2. At the data plane
Securing Data Across the Software Defined Data Center
Easy to manage security, scalable and efficient, user friendly.
- VM Encryption: bring your own KMS; agentless and guest agnostic; easy to enable and customize
- vSAN Encryption (vSAN storage): bring your own KMS; general purpose hardware; one-click deployment
- Data in Transit (DNE): protects data in flight throughout the datacenter
What Does Least Privilege Protect Against?
Diagram: a three-tier application (WEB, APP, DB). An adversary is listening on the WEB-to-APP link and inserting traffic on the APP-to-DB link.
You Can Solve That with Encryption
Diagram: the same WEB, APP and DB tiers, with the links between them encrypted.
Encryption as a Distributed Service: Introducing DNE
Diagram: the WEB, APP and DB tiers, with encryption delivered as a distributed service on each host rather than in the application.
Embedding Encryption Into the NSX Service Chain
Diagram: an encryption (ENC) filter placed in the NSX service chain of each workload.
Integrating with additional pieces of the service chain
Diagram: WAF, IPS, NGFW and DFW services in the chain, with the ENC filter last so that the other services inspect traffic before it is encrypted.
DNE Value Propositions

No Application Changes
Most customers will use application-level encryption when dealing with sensitive data. This places a burden on developers to have expertise in encryption controls. It also leaves the management of keys and other sensitive material during execution in the hands of the developer. DNE solves these challenges by building encryption directly into the infrastructure, and it requires no application changes.

Leverages Microsegment Definition
DNE leverages the micro-segment context as an abstraction to determine who has access to which pieces of sensitive information. As a result, DNE rule provisioning can be a simple drag-and-drop exercise, with the platform handling the hard work of distributing keys between nodes.

Integrates with Security Infrastructure
Application-level encryption also has a nasty downside: inline monitoring tools that rely on deep packet inspection can no longer function on the encrypted data. With DNE, any security tool inserted via NSX will always have access to the unencrypted packet for inspection before the data protection layer is put in place.
DNE Features/Benefits

Feature: Simple Rule Construction
  Function: Encryption rules are aligned to the existing grouping/inventory/switching embedded into NSX
  Benefit: Customers can align encryption policies to application boundaries extremely simply

Feature: Host-Enabled Encryption
  Function: Encryption filter and keys live in the host
  Benefit: Keys are not exposed to potentially compromised guest machines, and developers are not required to implement encryption logic

Feature: Built-in Key Management
  Function: Foundational key management elements (key rotation, revocation, etc.) provided
  Benefit: Customers do not need to purchase or integrate a 3rd-party KM just to enable the feature

Feature: Integrated with NSX Security Service Chain
  Function: DNE is aware of the security services tied to any traffic flow and will provide unencrypted data to those services
  Benefit: Security middleware that requires packet info (next-gen firewalls, full packet capture analysis, etc.) works seamlessly without requiring a break in the encryption chain

Feature: Multi-HV Support
  Function: Encryption is provided across both ESX and KVM hosts
  Benefit: Broader topology support
DNE Architecture
Components: Admin, NSX Manager, NSX Controller cluster (three controllers), Key Manager (KM), and the hypervisors.
1. Admin defines key policies and rules.
2. Manager pushes rules to controller.
3. Controller pushes rules and authorization ticket to hypervisor.
4. Hypervisor requests root encryption key (R) from KM.
5. Hypervisor uses root key from KM to generate session key pairs and encrypt/decrypt data in transit.
Enabling Encryption in Two Steps
1. Create a Key Policy
   - Encryption algorithm
   - Rotation frequency
2. Define Rule
   - Source/destination logical identifiers
   - Services/ports
   - Key policy
   - Action
Creating the Encrypted Tunnels
Diagram: two hypervisors and the Key Manager.
- KEK fetched from KM
- DEK generated
- IPsec tunnel created between the hypervisors
DNE Performance - One TCP Flow

CPU                    Without DNE                            With DNE
core 1                 NSX packet processing 93%, idle 7%     NSX packet processing 30%, DNE crypto & tunnel 70%
core 2                 idle 99%                               idle 99%
core 3                 idle 99%                               idle 99%
core 4..n              idle 99%                               idle 99%
Aggregate throughput   9 Gbps                                 3 Gbps
DNE Performance - Three TCP Flows

CPU                    Without DNE            With DNE
core 1                 NSX 30%, idle 70%      NSX 30%, DNE crypto & tunnel 70%
core 2                 NSX 30%, idle 70%      NSX 30%, DNE crypto & tunnel 70%
core 3                 NSX 30%, idle 70%      NSX 30%, DNE crypto & tunnel 70%
core 4..n              idle 99%               idle 99%
Aggregate throughput   9 Gbps                 8 Gbps

Multiple flows is the common customer scenario, and as more flows come into a host we will be more bandwidth constrained than CPU constrained.
Simple Rule Construction
- Logical entities (groups, VMs, logical switches, etc.) as source/destination
- Service-specific encryption rules
Built-In Key Management
- Confidentiality and integrity policies
- Flexible automated rotation schedule
- Manual revoke and rotate actions
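The two-step workflow (key policy, then rule), the ticket-authorized fetch of the root key from the Key Manager in the architecture slide, and the KEK-to-DEK step with scheduled rotation from the tunnel and key-management slides, modelled together as an added Python example. This is not VMware's or NSX's code: the class names, the HMAC-based authorization ticket and key derivation, the first-match rule semantics and the "encrypt"/"bypass" action names are assumptions made for illustration, and the policy, rules, host ids and timestamps are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class KeyPolicy:
    """Step 1 on the slides: encryption algorithm plus rotation frequency (field names assumed)."""
    name: str
    algorithm: str = "AES-128"              # the only cipher the deck names
    rotation: timedelta = timedelta(days=1)
    key_bytes: int = 16                     # AES-128 data-encryption key (DEK) size


@dataclass(frozen=True)
class Rule:
    """Step 2: logical source/destination, services/ports, key policy and action."""
    source: str                             # logical identifier: group, VM, logical switch
    destination: str
    ports: FrozenSet[int]                   # empty set = any port
    policy: Optional[KeyPolicy]
    action: str                             # "encrypt" or "bypass" (assumed vocabulary)

    def matches(self, src: str, dst: str, port: int) -> bool:
        return (self.source == src and self.destination == dst
                and (not self.ports or port in self.ports))


def match_rule(rules: List[Rule], src: str, dst: str, port: int) -> Optional[Rule]:
    """First matching rule wins, as in a firewall rule table (assumed semantics)."""
    return next((r for r in rules if r.matches(src, dst, port)), None)


class Controller:
    """Stands in for the NSX Controller: hands each host its rules plus an authorization ticket."""
    def __init__(self) -> None:
        self.secret = os.urandom(32)        # constructed; assumed to be shared with the key manager

    def ticket_for(self, host_id: str) -> bytes:
        return hmac.new(self.secret, host_id.encode(), hashlib.sha256).digest()


class KeyManager:
    """Stands in for the KM: releases the root key (KEK) only against a valid ticket."""
    def __init__(self, controller_secret: bytes) -> None:
        self._controller_secret = controller_secret
        self._kek = os.urandom(32)          # root encryption key; guests never see it

    def fetch_kek(self, host_id: str, ticket: bytes) -> bytes:
        expected = hmac.new(self._controller_secret, host_id.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, ticket):
            raise PermissionError(f"{host_id}: invalid authorization ticket")
        return self._kek


class Hypervisor:
    """Host-side encryption filter: matches flows to rules and derives per-policy, per-epoch DEKs."""
    def __init__(self, host_id: str, rules: List[Rule], kek: bytes) -> None:
        self.host_id, self.rules, self._kek = host_id, rules, kek

    @staticmethod
    def epoch(policy: KeyPolicy, now: datetime) -> int:
        # Rotation frequency: a new key epoch begins every `policy.rotation`.
        return int(now.timestamp() // policy.rotation.total_seconds())

    def dek_for(self, policy: KeyPolicy, now: datetime) -> bytes:
        # HMAC-based derivation: every host holding the same KEK computes the same DEK for the
        # current epoch without sending it over the wire (a simplification of the slides' session keys).
        info = f"{policy.name}|{policy.algorithm}|{self.epoch(policy, now)}".encode()
        return hmac.new(self._kek, info, hashlib.sha256).digest()[: policy.key_bytes]

    def decide(self, src: str, dst: str, port: int, now: datetime) -> dict:
        rule = match_rule(self.rules, src, dst, port)
        if rule is None or rule.action != "encrypt" or rule.policy is None:
            return {"action": "bypass", "dek": None}
        return {"action": "encrypt", "policy": rule.policy.name, "dek": self.dek_for(rule.policy, now)}


def run_demo() -> dict:
    """Constructed scenario: a 'pci-data' policy rotating every 6 hours and two encryption rules."""
    ctrl = Controller()
    km = KeyManager(ctrl.secret)
    pci = KeyPolicy("pci-data", rotation=timedelta(hours=6))
    rules = [Rule("web", "app", frozenset({8080}), pci, "encrypt"),
             Rule("app", "db", frozenset(), pci, "encrypt")]
    hosts = [Hypervisor(h, rules, km.fetch_kek(h, ctrl.ticket_for(h))) for h in ("host-1", "host-2")]
    try:                                    # a host presenting a forged ticket gets no root key
        km.fetch_kek("rogue-host", b"\x00" * 32)
        rejected = False
    except PermissionError:
        rejected = True
    t0 = datetime(2017, 8, 28, 9, 0, tzinfo=timezone.utc)
    web_app = [h.decide("web", "app", 8080, t0) for h in hosts]
    later = hosts[0].decide("web", "app", 8080, t0 + timedelta(hours=7))
    return {
        "web_app_action": web_app[0]["action"],
        "web_db_action": hosts[0].decide("web", "db", 3306, t0)["action"],
        "dek_len": len(web_app[0]["dek"]),
        "hosts_agree": web_app[0]["dek"] == web_app[1]["dek"],
        "rotated": later["dek"] != web_app[0]["dek"],
        "rogue_rejected": rejected,
    }


if __name__ == "__main__":
    print(run_demo())
```

Running the file prints the result dictionary: the web-to-app flow on port 8080 is encrypted, the unruled web-to-db flow is bypassed, both hosts derive the same 16-byte DEK from the shared root key, a flow seven hours later (past the 6-hour rotation boundary) gets a different DEK, and a host without a controller-issued ticket is refused the root key. The keys are held only by the KeyManager and Hypervisor objects, mirroring the Host-Enabled Encryption row of the feature table: nothing in the guest's path ever holds the KEK or DEK.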
Where DNE Goes in the Future

Broader Topology Support
- Integrate with the NSX Edge appliance for native LB/NAT
- Support customers' usage of 3rd-party load balancing and NAT through TLS-based encryption vs. IPsec
- Native public cloud on NSXaaS
- Containers through NSX Dropkick

Additional Encryption Support
- HSM integration for key management hardening
- KMIP interface for 3rd-party key management support
- Additional or pluggable crypto algorithm options (beyond AES 128)

Increased Scalability
- Go beyond 100 hosts within a datacenter
- Increase performance to allow for more widespread usage
Enabling Encryption in the Public Cloud
Diagram: two AWS instances, each running an NSX agent that performs its own key generation, mutually authenticate across an AWS ELB.
Demo Setup
Diagram: three hosts (Host 1, Host 2, Host 3), each running VM0 and VM1 instances; the VMs are placed in Group 1 and Group 2.