nsx overview with use cases 1.0
1. Threat Protection with a Zero Trust Model
Ng Tock Hiong, CISSP
Senior Manager, Systems Engineering
Networking and Security
Southeast Asia and Korea
tng@vmware.com
2. Agenda
1 Securing the New Digital Landscape
2 Current Networking and Security Challenges
3 The Solution – Network and Security Virtualization
4 Security Use Cases
5 Summary
6 Q & A
3. What is a Zero Trust Model
Forrester Research coined the term “Zero Trust” to describe a model that prevents common and advanced persistent threats from traversing laterally inside a network. This can be done through a strict, micro-granular security model that ties security to individual workloads and automatically provisions policies. It’s a network that doesn’t trust any data packets. Everything is untrusted. Hence: Zero Trust.
4. The World We Must Secure
Security: The Last One Invited to the Party
[Figure: devices, infrastructure and apps (traditional apps and cloud-native apps) spread across managed, private and public clouds, all on top of virtualized compute, storage and networking]
Final Step: “We Need to Secure All of This”
5. From Monolithic Stack to Distributed Apps
[Figure: a single WEB / UI / APP / DB / STORAGE stack on the left; on the right the same application decomposed into many separate APP, DB and STORAGE components]
7. The New Security Control Point
[Figure: physical network infrastructure and hypervisor shown as the two possible security control points in the data center]
Modern Apps
- Cloud Native Apps, IaaS, DevOps
- Focus is on agility
Traditional Apps
- Databases, Core Banking Apps, Exchange, Legacy Apps
- Focus is on stability and efficiency.
- Minimal changes
• Implementing security controls in the physical network infrastructure is only relevant to the traditional applications that are directly connected to the network.
• For the modern applications, security controls have to be implemented in the Hypervisor.
9. Problem: Data Center Network Security
Perimeter-centric network security has proven insufficient, and micro-segmentation is operationally infeasible
[Figure: an Internet-facing perimeter with little or no lateral controls inside the perimeter (labelled Insufficient), beside a fully segmented alternative (labelled Operationally Infeasible)]
11. Trading Off Context and Isolation
[Figure: the Software Defined Data Center (SDDC) platform, with data center virtualization sitting between any application and any x86, any storage, any IP network. Traditional approach: either high context with low isolation, or high isolation with low context; no ubiquitous enforcement]
12. Why SDDC Virtualization Layer is the Security “Goldilocks Zone”
[Figure: the same SDDC platform diagram, with L2 switching, L3 routing, firewalling/ACLs and load balancing placed inside the virtualization layer]
Network & Security Services Now in the Hypervisor
13. SDDC Virtualization Layer – Delivers Both Context and Isolation
[Figure: the SDDC platform diagram. SDDC approach: high context, high isolation, ubiquitous enforcement, secure host introspection]
14. SDDC – A Platform for Industry Innovation
[Figure: the SDDC platform diagram (any application, any x86, any storage, any IP network)]
18. The Data Center
NSX Distributed Firewall enables customers to deploy high-performance Firewalls Everywhere – but managed centrally
19. NSX Distributed Firewalling Performance
20Gbps Per Host of Firewall Performance with Negligible CPU Impact
20. NSX Distributed Firewalling Performance
80K CPS with 100+ Rules per Host
A Typical Virtual Appliance does ~6K CPS per VM
A Physical Appliance performs 300K – 400K CPS per appliance
21. What if you could…
Define this level of security repeatedly and predictably
[Figure: Web, App and DB tiers, each carrying its own policy]
• Granular threat containment
• Logical policy grouping
• Simplified security policy
22. NSX Distributed Firewall Characteristics
• Runs in kernel space
• Full vCenter integration (VC containers, vMotion)
• Zero-trust security micro-segmentation
• Line rate
• Distributed
• Enable traffic redirection to third-party services
• Spoofguard
• Identity firewall
• Operations kit
• Fully programmable (REST API)
• Centralized Management
23. Intelligent Grouping
Groups defined by customized criteria:
• Operating system
• Machine name
• Services
• Application tier
• Regulatory requirements
• Security posture
24. NSX Intra Site Feature: Distributed Firewall
[Figure: with a traditional appliance, VM-to-VM traffic hairpins through the vswitch to the appliance and back; with NSX, the distributed virtual firewall sits in the vswitch and gives a direct VM-VM path; third-party services are reached over the shortest network path]
25. Micro-segmentation simplifies and improves network security
[Figure: perimeter firewall in front of DMZ, App and DB tiers; an inside firewall separating Finance, Engineering and HR; shared services (AD, NTP, DHCP, DNS, CERT)]
26. Micro-segmentation simplifies network security
• Each VM can now be its own perimeter
• Policies align with logical groups
• Prevents threats from spreading
[Figure: the same layout as the previous slide (DMZ, App, DB, Shared Services with AD, NTP, DHCP, DNS, CERT; Finance, Engineering, HR), now with a perimeter firewall and an inside router instead of an inside firewall]
28. The Real Problem is Security Strategies Today
Existing data center endpoint security approaches are not effective enough
SIGNATURE-BASED (Anti-Virus, IPS, Vulnerability Management): narrow focus, no zero day threats
BEHAVIORAL (Machine Learning, AI, Security Analytics, SIEM): broad focus, high false positive rate
29. Problem with the current model
Focused on chasing malicious behavior
• Highly complex and noisy
• Limited context – requires a lot of inputs
• Manual effort to confirm valid threat
30. It’s time for a new model
Focus on understanding the application intended state and monitoring for deviations
• Simpler and smaller problem set
• Better signal-to-noise ratio
• Actionable and behavior-based alerts and responses
31. Introducing VMware AppDefense
Protecting applications running on virtualized and cloud environments
[Figure: APPDEFENSE monitors the OS and processes of each VM against a VM MANIFEST (CAPTURE, DETECT, RESPOND) and drives an AUTOMATED AND ORCHESTRATED RESPONSE: Snapshot | Suspend | Block/Alarm | Quarantine | Network Blocking | Service Insertion | … , built on SECURE INFRASTRUCTURE and an INTEGRATED ECOSYSTEM]
32. Key Differentiators
• Automated threat response – “The right response at the right time”
• Authoritative knowledge of application intended state – “Know what’s good, so you can detect what’s bad”
• Isolation from the attack surface – “Protect the protector”
AppDefense embeds threat detection and response into the virtualization layer
33. Using Automation to Enforce Security
Benefits
• Unified Service Design and Delivery
• App-Centric Networking and Security
• Incorporate External Services
• Achieve greater control and visibility
• Reduce wait times for siloed IT services
• Manage Infrastructure as Code
• Lifecycle Manage Everything
• Standardised and repeatable process
[Figure: cloud consumers and the cloud admin working from a unified service catalog built on a converged blueprint that covers applications, extensibility, security and networking (availability, security, connectivity)]
35. Use Case 1 – Network Segmentation
Controlling Traffic Within a Network
[Figure: an NSX for vSphere data center behind a perimeter firewall, with an HR Group, a Finance Group and a Services/Management Group, each containing its own DMZ/Web, App and DB tiers]
• Control traffic between groups within a network
• Secure traffic based on logical grouping – rather than physical topology
• Create network segments flexibly – even between systems on the same VLAN (extremely difficult to do with traditional networking)
Security
36. Use Case 2 – Pass your PCI audit in record time
Address PCI compliance requirements with NSX
Before NSX
1. Providing granular segmentation to address PCI requirements requires re-architecture, re-addressing and significant capital expenditure
2. PCI audit scope is across the entire DC, lengthening the whole audit hell
[Figure: the data center perimeter before and after, with Production, PCI, Non-production and Shared services zones]
With NSX
1. Each zone is now segmented, without the need to re-address or re-architect.
2. Scope of the PCI audit reduced to the PCI zone only, cutting down the audit from weeks to minutes.
Security
37. Use Case 3: Microsegmentation for Securing VDI Infrastructure
Prevent communications between virtual desktops
• Desktop to Desktop control
• Desktop to Enterprise App control
[Figure: Internal Developer Pool and External Developer Pool]
Protecting Desktop Pools
Prevent communications between Virtual Desktops
• Without NSX, communication between virtual desktops is uncontrolled.
• Virtual Desktops do not need to communicate with each other.
• In a recent breach, a hacker was able, once he had compromised a virtual desktop, to move to adjacent VDI desktops and exfiltrate critical medical data.
• NSX and its distributed firewall address this risk.
Security
38. Use Case 4: Consolidate VDI pools for TCO reduction
AD Group Based Identity Firewall (IDFW). User-based access control.
[Figure: users Engineering, External Contractor 1 and External Contractor 2 reaching APP1 (Web 1, App 1) and APP2 (Web 2, App 2)]
Identity firewall rules (source AD group → destination):
• Eng → Eng net
• “External 1*” → Web 1
• “External 2*” → Web 2
Consolidate VDI pools
• Without NSX, customers tend to use one single pool per business unit (HR, Contractors, 3rd Party, Sales, R&D, etc…).
• This traditional architecture is used to provide each pool with its own security access.
• With NSX, and our ability to control traffic based on Active Directory groups, we can instead simplify the architecture and:
  • Consolidate multiple pools into one, reducing TCO
  • Create a granular and dynamic security model based on AD groups
Reduce Expenses
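The identity-firewall idea on this slide, as an added example that is not VMware's code or the NSX implementation: the rule table keys on the Active Directory group of the user logged in to a desktop rather than on the desktop's address, so one consolidated pool can serve Engineering and both contractor populations with different access. The rules mirror the slide (Eng → Eng net, “External 1*” → Web 1, “External 2*” → Web 2); the users, group names, session table and destination networks are constructed for the example, and the logon/logoff functions stand in for the guest logon events the identity firewall would normally consume.

```python
import ipaddress
from fnmatch import fnmatch

# Constructed directory: user -> Active Directory groups the user belongs to.
AD_GROUPS = {
    "alice": {"Eng", "Domain Users"},
    "bob": {"External 1 Contractors", "Domain Users"},
    "carol": {"External 2 Contractors", "Domain Users"},
}

# Constructed session table: which user is logged in to which desktop.
# All desktops sit in one consolidated pool, so a desktop carries no
# rights of its own; rights come from the session user's AD groups.
SESSIONS = {"vdi-01": "alice", "vdi-02": "bob", "vdi-03": "carol"}

# Destination labels from the slide, mapped to constructed networks.
DESTINATIONS = {
    "Eng net": ipaddress.ip_network("10.10.0.0/16"),
    "Web 1": ipaddress.ip_network("10.20.1.0/24"),
    "Web 2": ipaddress.ip_network("10.20.2.0/24"),
}

# Identity rules as on the slide: (AD group pattern, destination label, action).
# A glob such as "External 1*" matches every group whose name starts that way.
RULES = [
    ("Eng", "Eng net", "allow"),
    ("External 1*", "Web 1", "allow"),
    ("External 2*", "Web 2", "allow"),
]


def groups_for_desktop(desktop):
    """AD groups of whoever is logged in; empty when nobody is (no rights)."""
    user = SESSIONS.get(desktop)
    return AD_GROUPS.get(user, set()) if user else set()


def decide(desktop, dst_ip):
    """First-match evaluation; anything unmatched is denied by default."""
    groups = groups_for_desktop(desktop)
    dst = ipaddress.ip_address(dst_ip)
    for group_glob, dst_label, action in RULES:
        if dst in DESTINATIONS[dst_label] and any(fnmatch(g, group_glob) for g in groups):
            return action
    return "deny"


def logon(desktop, user):
    """Guest logon event: the desktop's effective policy changes at once."""
    SESSIONS[desktop] = user


def logoff(desktop):
    """Guest logoff event: the desktop falls back to no access at all."""
    SESSIONS.pop(desktop, None)
```

Because the decision is recomputed from the session table on every lookup, a desktop that a contractor logs off from and an engineer logs on to changes policy without any rule edit, which is the property that lets several pools collapse into one.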
39. Use Case 5: Optimize Performance for VDI environments
Agentless Anti-virus enhances user experience and enables greater consolidation ratio
[Figure: ESXi hosts on a shared SAN]
• Up to 20X Faster Full Scans
• Up to 5X Faster Real-time Scans
• Up to 2X Faster VDI Login
• Up to 30% More VM density
Reduce Expenses
40. Use Case 6: Intelligent Grouping for Unsupported Operating Systems
Situation
• OS no longer supported on several systems
• These systems need policy which restricts access to only email servers
[Figure: Unsupported OS Group]
Security
41. Use Case 7: Automated Security in a Software Defined Data Center
Quarantine Vulnerable Systems until Remediated
Security Group = Quarantine Zone
Members = {Tag = ‘ANTI_VIRUS.VirusFound’, L2 Isolated Network}
Security Group = Web Tier
Policy Definition
Standard Desktop VM Policy
• Anti-Virus – Scan
Quarantined VM Policy
• Firewall – Block all except security tools
• Anti-Virus – Scan and remediate
Security
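The policy model behind Use Case 1 (a three-tier allow list on one subnet), Use Case 6 (a group defined by operating system) and Use Case 7 (a quarantine group whose membership is driven by a tag), as an added example that is not VMware's code and does not use the NSX API: security groups are computed from VM attributes at lookup time, rules reference groups instead of addresses, and the rule table is evaluated first-match at the source VM's virtual interface with a default deny. Only the tag name ANTI_VIRUS.VirusFound comes from the slide; the VM names, addresses, operating systems, group criteria and rules are constructed for the example.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch


@dataclass
class VM:
    """A workload as the hypervisor inventory sees it: attributes plus security tags."""
    name: str
    ip: str
    os: str
    tags: set = field(default_factory=set)


@dataclass
class SecurityGroup:
    """Membership is recomputed from VM attributes at every lookup, so adding
    or removing a tag moves a VM between groups without touching any rule."""
    name: str
    criteria: dict  # {"name": glob} and/or {"os": glob} and/or {"tag": exact tag}

    def contains(self, vm):
        checks = {"name": lambda p: fnmatch(vm.name, p),
                  "os": lambda p: fnmatch(vm.os, p),
                  "tag": lambda p: p in vm.tags}
        return all(checks[k](p) for k, p in self.criteria.items())


@dataclass
class Rule:
    src: str      # security group name, or "any"
    dst: str      # security group name, or "any"
    service: str  # "tcp/8080", "tcp/25", ... or "any"
    action: str   # "allow" or "deny"


class DistributedFirewall:
    """First-match evaluation of the rule table at the source VM's virtual
    interface, with an implicit default deny when nothing matches."""

    def __init__(self, groups, rules):
        self.groups = {g.name: g for g in groups}
        self.rules = list(rules)

    def member(self, vm, group):
        return group == "any" or self.groups[group].contains(vm)

    def decide(self, src, dst, service):
        for r in self.rules:
            if (self.member(src, r.src) and self.member(dst, r.dst)
                    and r.service in ("any", service)):
                return r.action
        return "deny"


QUARANTINE_TAG = "ANTI_VIRUS.VirusFound"  # tag name taken from the slide


def build_firewall():
    """Constructed policy: quarantine rules first, then the unsupported-OS
    restriction, then the three-tier allow list. Rule order is the policy."""
    groups = [
        SecurityGroup("Web", {"name": "web-*"}),
        SecurityGroup("App", {"name": "app-*"}),
        SecurityGroup("DB", {"name": "db-*"}),
        SecurityGroup("Mail", {"name": "mail-*"}),
        SecurityGroup("SecurityTools", {"name": "sec-*"}),
        SecurityGroup("UnsupportedOS", {"os": "Windows Server 2003*"}),
        SecurityGroup("Quarantine", {"tag": QUARANTINE_TAG}),
    ]
    rules = [
        Rule("Quarantine", "SecurityTools", "any", "allow"),  # remediation tools only
        Rule("SecurityTools", "Quarantine", "any", "allow"),
        Rule("Quarantine", "any", "any", "deny"),
        Rule("any", "Quarantine", "any", "deny"),
        Rule("UnsupportedOS", "Mail", "tcp/25", "allow"),     # email servers only
        Rule("UnsupportedOS", "any", "any", "deny"),
        Rule("Web", "App", "tcp/8080", "allow"),              # three-tier allow list
        Rule("App", "DB", "tcp/3306", "allow"),
    ]
    # Every VM sits on the same constructed /24: segmentation here never
    # depends on subnet or VLAN boundaries.
    vms = {
        "web-1": VM("web-1", "10.0.1.10", "Ubuntu 16.04"),
        "app-1": VM("app-1", "10.0.1.20", "Ubuntu 16.04"),
        "db-1": VM("db-1", "10.0.1.30", "Ubuntu 16.04"),
        "mail-1": VM("mail-1", "10.0.1.40", "Windows Server 2016"),
        "legacy-1": VM("legacy-1", "10.0.1.50", "Windows Server 2003 R2"),
        "sec-1": VM("sec-1", "10.0.1.60", "Ubuntu 16.04"),
    }
    return DistributedFirewall(groups, rules), vms


def quarantine(vm):
    """What the anti-virus integration does on a detection: tag the VM."""
    vm.tags.add(QUARANTINE_TAG)


def release(vm):
    """Remediation done: drop the tag and the VM returns to its normal groups."""
    vm.tags.discard(QUARANTINE_TAG)
```

The quarantine rules are placed at the top of the table on purpose: once a VM carries the tag, the allow rules for its tier further down are never reached, and removing the tag restores them without any rule change, which is the automated isolate-and-release cycle the slide describes.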
42. Use Case 8: Micro-segmentation applied to Mobile Devices
NSX & AirWatch integration
Specific mobile applications can access specific data center applications, without opening up access from ALL mobile apps to ALL enterprise apps
AirWatch: Translate {User, Device & App} context to Source IP/Port
NSX: Create NSX Security Group/Service Group; provides micro-segmentation to support access to specific data center applications
[Figure: end user John (Doctor) on an iPhone reaches the data center over the Internet through the AirWatch Tunnel Server; Patient App, Email App and Scheduling App each map to their own group of VMs]
Security
43. Use Case 9: Advanced Security (IDS/IPS) Insertion
Example: Palo Alto Networks NGFW
[Figure: Internet, a security policy defined by the security admin, and traffic steering to the NGFW]
Security
44. Use Case 10 : ‘Collapsed’ DMZ
Current DMZ architectures are:
- Hardware dependent
- Complex and inflexible
- Slow to provision
Use NSX to collapse DMZ back into the DC and benefit from:
• Increased East-West security
• Lower cost (fewer hardware devices)
• Easier automation
Security
45. Use Case 11: Integrate Dev, Test and Prod environment into single infrastructure
[Figure: Isolation – Test 192.168.1.0/24 and Production 192.168.1.0/24 with no communication path between them]
• No communication path between different tenants
• Separate dev, test and production environments over single physical network
• Independent of hardware
• Overlapping IP addressing can be used
Security
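Why two tenants can both use 192.168.1.0/24 on one physical network, as an added example that is not VMware's code or the NSX overlay implementation: each tenant gets its own logical segment, and every forwarding lookup is keyed by (segment, address), never by address alone, so identical addresses in different segments never collide and, with no routing between segments in this model, there is no path from one tenant to the other. The segment identifiers and VM names are constructed; the two overlapping ranges are the ones on the slide.

```python
import ipaddress


class LogicalFabric:
    """Segments are independent address spaces carried over one physical
    network. Every lookup is keyed by (segment, address), never by address."""

    def __init__(self):
        self.segments = {}    # segment id -> {"cidr": network, "hosts": {ip: vm}}
        self.vm_segment = {}  # vm name -> segment id

    def create_segment(self, segment_id, cidr):
        self.segments[segment_id] = {"cidr": ipaddress.ip_network(cidr), "hosts": {}}

    def attach(self, segment_id, vm_name, ip):
        seg = self.segments[segment_id]
        addr = ipaddress.ip_address(ip)
        if addr not in seg["cidr"]:
            raise ValueError(f"{ip} is outside {seg['cidr']} of segment {segment_id}")
        if addr in seg["hosts"]:
            # A duplicate inside one segment is still a conflict; only
            # duplicates across segments are harmless.
            raise ValueError(f"{ip} already used in segment {segment_id}")
        seg["hosts"][addr] = vm_name
        self.vm_segment[vm_name] = segment_id

    def resolve(self, src_vm, dst_ip):
        """The VM that src_vm reaches at dst_ip, or None. The lookup is scoped
        to the source's own segment, which is what makes overlap safe."""
        seg = self.segments[self.vm_segment[src_vm]]
        return seg["hosts"].get(ipaddress.ip_address(dst_ip))

    def path_exists(self, src_vm, dst_vm):
        """No routing between segments in this model: a path exists only
        when both VMs are attached to the same segment."""
        return self.vm_segment[src_vm] == self.vm_segment[dst_vm]


def build_demo():
    """Constructed test and production tenants sharing 192.168.1.0/24."""
    fabric = LogicalFabric()
    fabric.create_segment("test", "192.168.1.0/24")
    fabric.create_segment("prod", "192.168.1.0/24")
    fabric.attach("test", "test-web", "192.168.1.10")
    fabric.attach("test", "test-db", "192.168.1.20")
    fabric.attach("prod", "prod-web", "192.168.1.10")
    fabric.attach("prod", "prod-db", "192.168.1.20")
    return fabric
```

The same 192.168.1.20 resolves to test-db for a test VM and to prod-db for a production VM, and a cross-tenant check returns no path at all, which is the isolation property that makes consolidating the environments onto one physical network acceptable.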
47. Security: a better way
1. A new architectural approach to security is needed
2. Secure what matters: apps, users and data
3. Virtualization of networking, security and compute provides a unique way forward
48. SDDC Platform – Native Security Capabilities
Hypervisor-based, in kernel distributed firewalling
• High throughput rates on a per hypervisor basis
• Every hypervisor adds additional east-west firewalling capacity
• Native feature of the VMware NSX platform
Platform-based automation
• Automated provisioning and workload adds/moves/changes
• Accurate firewall policies follow workloads as they move
Audit Compliance
20 Gbps Firewalling throughput per host
Data center micro-segmentation becomes operationally feasible
It’s important to understand we are not talking about replacing the North-South Firewall; you will likely leverage hardware-based performance and throughput capacity for a very long time at the perimeter of the data center.
However, it is important to understand that there is a BIG difference between physical or virtual firewalls and distributed firewalling. Hardware-based firewalls are designed to deliver high performance, high capacity throughput, typically ranging from 2 to 30 Gbps, with some of the most powerful chassis-based solutions exceeding 100 Gbps. I believe Palo Alto’s most recent PA-7050 series chassis solution delivers in the range of 120 Gbps firewall throughput. Virtual firewalls are effectively the same from an operational standpoint, but often reduce feature sets and deliver far less throughput capacity, in the range of 1 to 3 Gbps.
The BIG difference with a distributed firewall solution is the combination of an automated operational model and scale-out throughput performance. Using an SDDC approach, firewalling policies are provisioned with and enforced at each VM’s virtual interface. The firewalling function is done in the hypervisor kernel and delivers on the order of 30 Gbps per hypervisor. So the more hypervisor hosts you have, the more East-West firewalling capacity you have.
Darker blue shows the performance of forwarding packets without filtering, about 20 gigabits per second.
Lighter blue shows the performance of forwarding packets while filtering, about 19.7 gigabits per second.
Very little impact to the hypervisor’s ability to forward packets, because we are doing the filtering in the kernel.
And we get about 80 thousand connections per second, compared to a typical virtual appliance firewall getting about 6 thousand connections per second.
You might be asking, why hasn’t this been done before?
It’s really hard to understand the intended state of an application. The infosec team is not the team that built the app and tracking down all of the details about which processes should be running and how those processes should be communicating inside the app is tedious and labor intensive.
The biggest differentiator that AppDefense has is its position in the hypervisor. AppDefense leverages its position in vSphere to automatically discover the intended state of an application. This process is aided with integrations into automation and provisioning systems, like VRA, so that as applications are built and provisioned, AppDefense sees their intended state from the get-go. This authoritative understanding of the application’s intended state is critical and AppDefense makes this process relatively simple. In order to detect what’s bad, we need to know what good looks like.
Once we can discern what’s bad, we can automate responses with confidence. AppDefense uses vSphere and if it’s installed, NSX as well, to take action in response to a detected threat. For instance, we can take a snapshot of the compromised VM for forensic analysis later using vSphere, then quarantine the VM using NSX. Or we can suspend the VM or increase logging on the machine – we have a number of options we can take. The key here is that AppDefense allows us to orchestrate all of this ahead of time and automatically trigger the response when it detects a given threat.
The third differentiator is one that we talk about with respect to NSX a lot as well – because AppDefense is embedded in vSphere, it is protected in the event that a VM is compromised. Unlike AV agents that live on each individual data center endpoint, AppDefense cannot be simply turned off if an attacker or a piece of malware gains control of a VM. This layer of isolation is a major benefit to AppDefense’s architecture, and is fairly unique in the industry.
Use Case 1: Pure micro-segmentation
What do we achieve? Control traffic between devices within same subnet or within a network without the need for re-addressing or hardware purchase.
For what purpose? Cyber-security (eliminate the threat of lateral attacker movement within DC) and compliance.
Without NSX? Operational nightmare to maintain a complex solution such as Private VLANs
Use Case 2: Pass your PCI audit in record time
What do we achieve? Segment zones based on business purposes, without the need for re-architecture, re-addressing or expensive capital expenditure.
For what purpose? Achieve compliance (such as PCI) in very little time.
Without NSX? PCI scope encompassing the entire DC, lengthening the whole audit process & a nightmare to pass PCI audit without huge capital and operational investment
Use Case 3: Micro segmentation to secure VDI
What do we achieve? Control traffic between virtual desktops for cybersecurity
For what purpose? Cyber-security as it would prevent adjacent spread due to a VDI breach
Without NSX? Not possible nowadays unless every VDI is protected by a virtual firewall which does not scale.
Use Case 4: Consolidate VDI pools for TCO reduction
What do we achieve? NSX and Identity-Based FW enables us to consolidate multiple VDI pools into one
For what purpose? Greatly reduced TCO
Without NSX? Required multiple VDI pools and high number of firewall rules causing high cost and operational complexity
Use Case 5: Optimize Performance for VDI environments
What do we achieve? Move the AV function from inside each virtual desktop to a dedicated service virtual machine, greatly enhancing performance on each virtual desktop
For what purpose? Greater consolidation ratio, reducing the Total Cost of Ownership
Without NSX? AV agents on each VM add a 25% performance hit, reducing the maximum number of virtual desktops a host can support.
Use Case 6: Dynamic isolation of out-of-support servers like Windows Server 2003
What do we achieve? Isolate Windows Server 2003 systems behind firewalls without the need to re-address them
For what purpose? Reduce security risk associated with out-of-support Windows Server 2003 systems
Without NSX? Isolating servers would require server re-addressing (and associated challenges) and manual firewall rules changes.
Let’s take a quick look at what that intelligent grouping enables:
One of our customers had a significant concern. Microsoft announced it would no longer be supporting Windows XP. Our customer had hundreds of VDI desktops that were actually running XP in different locations spread across the globe. They needed to be able to identify which machines were running the unsupported OS, and define a policy that would restrict access for those systems to internal resources only. The problem in a traditional networking construct, is that this policy would be incredibly complex, taking into account all of the various physical networking constructs needed to implement consistent security. This would have taken weeks to months.
With NSX, we are actually able to identify a group based on OS in minutes. This enables us to move into our policy definitions immediately.
Use Case 7: Dynamic isolation of virtual machines based on their security posture
What does this solution do? Automatically scans VMs and place affected machines in quarantine until they are remediated
For what purpose? Quickly and dynamically isolates security risk.
Without NSX? Requires manual scan, server re-addressing, manual firewall rule change before and after quarantine.
Automated security allows you to quarantine vulnerable systems until the threat can be remediated
CLICK – Create your policy definitions
CLICK – Apply those policies to specific security groups, i.e. web servers, Windows servers, etc.
CLICK – Once a threat is found the system is isolated from the network in its own L2 network with access to remediation services, i.e. patch updates
CLICK – Once the threat has been remediated it’s allowed onto the network
Use Case 8: Micro-Segmentation applied to Mobile Devices
What does this solution do? Restricting mobile applications access to specific enterprise applications
For what purpose? Provides enhanced security for mobile devices enrolled with AirWatch
Without NSX? Mobile Applications would typically be able to access most enterprise applications
Use Case 9: Advanced IDS/IPS security – Palo Alto Firewalls example.
What do we achieve? L4-L7 security services as close as possible to the source of the traffic (the Virtual Machine).
For what purpose? Reduce security risk associated with east-west traffic.
Without NSX? Traffic is hairpinned to an expensive physical firewall.
When you integrate Palo Alto Networks NGFW with NSX you gain the ability to perform advanced application-layer filtering
CLICK – The Palo Alto Networks firewall manager called Panorama will talk to the NSX controller
CLICK – The NSX controller will provision Palo Alto firewalls on all hosts
CLICK – You then create a security policy within Panorama with your firewall rules, IDS and IPS policies
CLICK – This will then get pushed out to your perimeter Palo Alto firewalls as well as the host firewalls
CLICK – Traffic steering is then used to redirect traffic from the distributed firewall to the Palo Alto firewall running on the host
CLICK – Traffic is blocked, allowed or inspected depending on the rule set configured
Use Case 10: Collapsed DMZ
What do we achieve? Deploy new services and applications onto a flat network, removing the need for multiple physical connections to a firewall
For what purpose? Facilitates provisioning of services and reducing time to market.
Without NSX? Current DMZ architectures prevent fast services deployments, have complex firewall rule sets and require costly physical firewalls
Use Case 11: Integrate Dev, Test and Prod environment into single infrastructure
What do we achieve? Consolidate multiple environments on single one while maintaining security isolation
For what purpose? Infrastructure rationalisation
Without NSX? Complex and highly dependent on whether network infrastructure can support features such as VRF
Isolation – No communication path, separate tenants, separate Dev, test and production environments
It’s this combination of hypervisor-based in kernel distributed firewalling and platform-based automation that is making data center micro-segmentation Nirvana a reality for security teams today.