Slide 1: Kausum Kumar, VMware. NSX Security Deep Dive (NET4285)

Slide 2: Student Guide & Internal & Confidential Update Daily
• https://goo.gl/VVmVZ0
• Journey of the Deal: Best Practices from a VMware Cloud Management Partner http://ouo.io/vBVQdO
• The Practical Path to NSX and Network Virtualization http://ouo.io/47hme
• Why an SDDC Approach with NSX is Better for Your Channel Business http://ouo.io/1hY4l
• Justifying Network Virtualization for Your Customers http://ouo.io/OzBquQ
• Reference Design for VMware NSX http://ouo.io/XaCMU
• Logical Routing with VMware NSX http://ouo.io/oKcbu
• Micro-segmentation with NSX and Distributed Firewalling http://ouo.io/BaoP8
• NSX Security Deep Dive http://ouo.io/Qq8qqh
• Operational Best Practices for VMware NSX http://ouo.io/nyVbwd
• Self-service IT with vRealize Automation and NSX http://ouo.io/pHQ5kp
• Intro to NSX http://ouo.io/gzAp1

Slide 3: Disclaimer (CONFIDENTIAL 3)
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.

Slides 4-5: Finding Needles in the Haystack

Slide 6: Agenda
1 Challenges with existing security controls
2 Introducing NSX Security
3 Automating Security
4 Benefits
5 Use Cases
6 Summary & Next Steps
Slide 7: 1. Firewall Challenges in the SDDC
Physical Firewalls
• No Micro-segmentation
• Hardware CAPEX
• Choke point
• Rule sprawl (IP, MAC-based)
• Trombone Traffic
Virtual Firewalls (per-VM appliances in front of Web, App and DB VMs)
• Eliminate hardware
• Choke points w/ low performance (1-3 Gbps)
• Rule sprawl (IP, MAC-based)
Rule sprawl example (one IP/MAC-based rule per source):
Src          Dst
192.168.1.1  192.168.5.2
10.0.0.1     10.0.2.5
10.0.0.2     10.0.2.5
10.0.0.3     10.0.2.5

Slide 8: 2. Force Choosing between Context and Isolation
Layers: Guest VM, Hypervisor, Network.
• Host Based Security Controls (in the guest): High Context, Low Isolation
• Network Based Security Controls (in the network): Low Context, High Isolation
• Security controls prone to attack
• Manual deployment and policy management
• No visibility into application, process, file, user or overall security posture

Slide 9: 3. Require In-guest Agents that Are Resource Intensive
• Third-Party Management Consoles
• Scheduled scans hit the same underlying infrastructure at the same time
• Separate agent required per VM per service
• Adding new services requires manual deployment at each guest
[Figure: Utilization (CPU, Memory, Storage) against Consolidation Ratio, Low to High]

Slide 10: 4. Hard to Automate Workflows across Services
• Manual workflows due to lack of interoperability and automation across "best-of-breed" security products
• Endpoint control events do not trigger network controls

Slide 11: Security Today Isn't Optimized for SDDC, with Negative Impact to Agility, Cost
Software-based (in-guest) solutions:
• Impact performance (CPU, Memory, Storage)
• Lack isolation, attack surface in guest → security risks
Network-based solutions (network scanner):
• Lack app context → rule sprawl, complex troubleshooting
Slide 12: Agenda
1 Challenges with existing security controls
2 Introducing NSX Security
3 Benefits
4 Use Cases
5 Automating Security
6 Summary & Next Steps

Slide 13: NSX Transforms Security for Optimal Context and Isolation While Minimizing Resource Overhead
• Ubiquity
• Isolation: fine-grained containment
• Context: better security through insight
• Ecosystem of Distributed Services
• Core Services Built Into Hypervisor Kernel: Switching, Routing, Firewalling

Slide 14: NSX Provides Built-in Services to Manage the Security Posture of Workloads at Scale
• Guest Introspection: NSX driver pulls and shares file, user identity, process (application), network connections, registry keys etc. → Shared Context
• Network Introspection: Full network traffic visibility @vNIC, vSwitch, or Edge
• Built-In Services (VMware Services): Firewall, Identity Firewall, Server Access Monitoring, VPN (IPSEC, SSL), DLP, L2 and L3 Connectivity

Slide 15: NSX Distributed Firewall (NSX Distributed Firewall is Optimized for SDDC)
• Delivers Micro-Segmentation
• Efficient rule management
• Dynamic Policy (e.g. AV, DLP, Vulnerability Scan)
• No choke points with scale-out performance (20 Gbps)
• Enabled for cloud automation
Rules based on logical containers (Platform for Distributed Services):
Src      Dst
ANY      Shared Service
Desktop  WEB_GROUP
WEB_GROUP "Web Policy": Firewall – allow inbound HTTP/S, allow outbound ANY. Firewall policies are pre-approved and used repeatedly by cloud automation (Web, App, DB VMs).

Slide 16: Leverage Distributed Firewall for Micro-Segmentation
• Hypervisor-based, in-kernel distributed firewalling
• Platform-based automated provisioning and workload adds/moves/changes
[Figure: Internet, Perimeter Firewalls, Cloud Management Platform, Security Policy]

Slide 17: NSX Enables Using Third Party Services to Manage the Security Posture of Workloads at Scale
• Guest Introspection: NSX driver pulls and shares file, user identity, process (application), network connections, registry keys etc. → Shared Context
• Network Introspection: Full network traffic visibility @vNIC, vSwitch, or Edge
• Third-Party Services (via the Service Insertion Architecture and Security Policy Management): DLP, Firewall, Vulnerability Management, Antivirus, Intrusion Prevention, Identity and Access Mgmt, ...and more in progress

Slide 18: Advanced Services Insertion – Example: Palo Alto Networks NGFW
[Figure: Internet, Traffic Steering, Security Policy, Security Admin]
Slide 19: Agenda
1 Challenges with existing security controls
2 Introducing NSX Security
3 Automating Security
4 Benefits
5 Use Cases
6 Summary & Next Steps

Slide 20: Secure SDDC with VMware NSX
Security services are managed more efficiently in a software-defined datacenter.
NSX Network Virtualization Platform
• Built-In Services: Firewall, Data Security (DLP), Server Activity Monitoring, VPN (IPSEC, SSL)
• Third-Party Services: Antivirus, DLP, Firewall, Vulnerability Management, Intrusion Prevention, Identity and Access Mgmt, ...and more in progress
Security Policy Management
• Deploy (Service Insertion): Provision and monitor uptime of different services, using one method
• Apply (Security Groups, Security Policies): Apply and visualize security policies for workloads, in one place
• Automate (Security Tags): Automate workflows across best-of-breed services, without custom integration

Slide 21: Register Security Services with VMware NSX
Service Definitions: built-in and 3rd-party services (Firewalling, VPN, Data Security, Activity Monitoring). Service categories, vendors and versions are visible in one central view.

Slide 22: NSX Security Service Insertion Architecture
1 NSX Manager
2 Third-Party Management Console
3 NSX Built-in Security Services (Distributed): Logical Firewall, Logical Switch
3 NSX Built-in Security Services (Appliance per host)
4 NSX Partner Services (Appliance per host)
5 Guest Introspection
6 Network Introspection
7 Host Modules

Slide 23: Security Groups & Security Policies
• End-Users and Cloud Admins are able to define security policies based on service profiles already defined or approved by the Security Admin.
• Security policies are applied to one or more security groups of which workloads are members.
SECURITY GROUP (WHAT you want to protect): Members (VM, vNIC) and Context (user identity, security posture)
SECURITY POLICY (HOW you want to protect it): Services (firewall, antivirus, IPS etc.) and Profiles (labels representing specific policies)
Example "Standard Web": Firewall – allow inbound HTTP/S, allow outbound ANY; IPS – prevent DOS attacks, enforce acceptable use

Slide 24: Security Policies and Security Groups
NSX simplifies provisioning, audit and troubleshooting of security (SECURITY GROUP = WHAT you want to protect; SECURITY POLICY = HOW you want to protect it).
1 Policy Provisioning: Define once (policy), use many (security groups). Tied to workload, not to infrastructure.
2 Audit: Validate controls in one place – available services, applied policies.
3 Troubleshooting: When an app doesn't work, start by observing the workload and all related security policies, rather than inferring from infrastructure security.

Slide 25: Security Groups Definition
Security Group = (Dynamic Inclusion + Static Inclusions) – Static Exclusion
• VM-Centric criteria (dynamic inclusion): Computer OS name, Computer Name, VM Name, Security Tag, Entity.
• Infrastructure-Centric objects (static inclusion / static exclusion): Security Group, Cluster, Logical Switch, Network, vApp, Datacenter, IP Sets, Active Directory Group, MAC sets, Security Tag, vNIC, VM, Resource Pool, DVS Port Group.

Slide 26: Automate Security Operations to respond to rapidly changing security conditions
Without VMware NSX:
• Manual workflows
• No interoperability between best-of-breed security products
With VMware NSX:
• Security is automated
• If one service finds something, then another service can do something about it
Create repeatable, automated workflows across best-of-breed security products with VMware NSX.

Slide 27: Advanced Services Insertion
Traditional Data Center: static service chain. NSX Data Center: dynamic service chain (services 1, 2, 3 chained on demand).
• Flexible service chain that adapts to changing conditions – more efficient use of services, better security by sharing tags
• Platform for integrating the leading security products: NSX enables dynamic actions to respond to changing security conditions
Slide 28: Agenda
1 Challenges with existing security controls
2 Introducing NSX Guest Introspection
3 Automating Security
4 Benefits
5 Use Cases
6 Summary & Next Steps

Slide 29: 1. Optimized for Performance
1 Reduces attack surface
2 Stronger protection - cannot be turned off by malware
3 Eliminates overhead of agent resources, management
4 Reduces VM footprint, enables higher consolidation
[Figure: Utilization (CPU, Memory, Storage) against Consolidation Ratio, Low to High]

Slide 30: 2. Automated Ubiquitous Deployment & Enforcement
1. ESX Host added to cluster
2. Automated: NSX deploys Guest Introspection Framework, Service VMs (Partner & VMW)
3. VM brought up on host
4. Automated: Appropriate Security Policies applied
5. VM vMotions to a different host
6. Automated: Appropriate Security Policies applied

Slide 31: 3. Visibility into In-guest Events
• Users Logging In
• Files Accessed
• Network Connections
• System Events
• Applications Running
• Canned Reports

Slide 32: Identity Based Access Control
Active Directory user Eric Frost, IP: 192.168.10.75. Log entry:
User       | AD Group    | App Name       | Originating VM Name | Destination VM Name | Source IP     | Destination IP
Eric Frost | Engineering | SPDesigner.exe | Eric-Win7           | Ent-Sharepoint      | 192.168.10.75 | 192.168.10.78

Slides 33-34: Demo: VMware NSX Activity Monitoring

Slide 35: 4. Simplified Policy Management & Automation across Services
Roles on the Virtualization Platform: 1 Security Admin and 2 NSX Admin work in NSX Manager (Security Policy = HOW you want to protect it; Security Group = WHAT you want to protect); 3 Cloud Architect works through the Cloud Management Portal.

Slide 36: 5. Automated Security Policy Enforcement, with increased visibility

Slide 37: Security-Centric View
• Containers – grouping of VMs, IPs, and more... to define WHAT you want to protect, e.g. "Financial Applications", "Desktop Users", "Quarantine Zone"
• Nested containers – other groupings within the container, e.g. "Quarantine Zone" is a sub group within "My Data Center"
• VMs (workloads) that belong to this container, e.g. "Apache-Web-VM", "Exchange Server-VM"
• Policies – collection of service profiles – assigned to this container... to define HOW you want to protect this container, e.g. "PCI Compliance" or "Quarantine Policy"
• Service profiles for *deployed* services, assigned to these policies
Services supported today: Distributed Virtual Firewall, Anti-virus, Vulnerability Management, Network IPS, Data Security (DLP scan), User Activity Monitoring, File Integrity Monitoring

Slide 38: Workload-Centric View: Security Groups & Tags Assigned to a VM (Protected in security group? Any security issues?)

Slide 39: Workload-Centric View: All Security Policies Applied to a VM

Slide 40: Monitor Uptime of Different Services
Service Deployments: installation and service status. Installation Status & Service Status are visible in one central view.

Slide 41: Eliminate Policy Sprawl through Automation
No manual cleanup necessary during application decommissioning.
SECURITY POLICY "Standard Web" (applied to security groups): Firewall – allow inbound HTTP/S, allow outbound ANY; IPS – prevent DOS attacks, enforce acceptable use

Slides 42-43: Increase Visibility into Service Availability
• Restart Security Virtual Appliances upon detection of service health failure
• Error messages provide insight into why the service failed
Slide 44: Agenda
1 Challenges with existing security controls
2 Introducing NSX Guest Introspection
3 Automating Security
4 Benefits
5 Use Cases
6 Summary & Next Steps

Slide 45: Scenario 1: Vulnerability Management Optimized for SDDC
VMware Network and Security Platform
• Built-In Services: Firewall, Data Security (DLP), Server Activity Monitoring, VPN (IPSEC, SSL)
• Third-Party Services: Antivirus, DLP, Firewall, Vulnerability Management, Intrusion Prevention, Identity and Access Mgmt, ...and more in progress
• Security Policy Management

Slide 46: Traditional Challenges in Vulnerability Management (network scanner)
1 Scan IP range for asset inventory (NMAP)
2 Run port scan on live systems – sets off IPS alarms
3 Whitelist scanner IP address on IPS
4 Scans return inaccurate info
5 Must secure system credentials to run accurate scans
6 Scans run over the virtual network, impacting app performance

Slide 47: Vulnerability Management Optimized for SDDC Using NSX
Guest Introspection on the Virtualization Platform: file, user identity, process (application), network connections, registry keys, etc.
• No network scans required
• Get all VM asset inventory from vCenter
• Get all VM context - file, process, registry key - via NSX Guest Introspection
• No credentials required for server scans – the in-guest driver runs a credentialed scan
Simplified Deployment: automated deployment of the 3rd-party appliance to all selected clusters in the data center

Slide 48: Scenario 2: Context Based Isolation in VDI Environment
VMware Network and Security Platform
• Built-In Services: Firewall, Data Security (DLP), Server Activity Monitoring, VPN (IPSEC, SSL)
• Third-Party Services: Antivirus, DLP, Firewall, Vulnerability Management, Intrusion Prevention, Identity and Access Mgmt, ...and more in progress
• Security Policy Management

Slide 49: Virus Detection Triggers Isolation and Remediation
Security groups: Employee Desktops SG, Front Desk SG, IT Admin Desktops SG, Infected System SG. Applications: Records, Scheduling App, IT Services, Shared Resources.
• "All Desktops" → AV – Agentless Scan
• "All Desktops" → AV – Scan and Remediate
• → DFW: Block access to applications

Slide 50: Scenario 3: Minimizing Attack Surface
VMware Network and Security Platform
• Built-In Services: Firewall, Data Security (DLP), Server Activity Monitoring, VPN (IPSEC, SSL)
• Third-Party Services: Antivirus, DLP, Firewall, Vulnerability Management, Intrusion Prevention, Identity and Access Mgmt, ...and more in progress
• Security Policy Management

Slide 51: Vulnerability Scan Triggers Traffic Introspection
Security groups: Employee Desktops SG, Front Desk SG, IT Admin Desktops SG, Shared Apps SG, Vulnerable SG. Applications: Records, Scheduling App, IT Services, Shared Resources.
• "Applications" → Vulnerability Scan
• "Vulnerable" → IPS

Slide 52: Scenario 4: Traffic Redirection to Advanced Services – e.g. PAN
SECURITY GROUP SG-WEB (WHAT you want to protect)
SECURITY POLICY SP-PAN-Redirect "PAN redirect" (HOW you want to protect it): Network Introspection Services (= traffic redirection) – Tomcat traffic from WEB to APP: Redirect to PAN
Topology:
• WEB Tier (DVS P-G or Logical Switch), SG-WEB: VM1 1.1.1.1, VM2 1.1.1.2
• APP Tier (DVS P-G or Logical Switch), SG-APP: VM3 2.2.2.1, VM4 2.2.2.2
Network Introspection Rule:
Source       Dest    Service  Action
Policy's SG  SG-APP  Tomcat   Redirect to PAN
• Any Tomcat traffic from WEB Tier to APP Tier is redirected to the PAN VM-Series FW
• Any other traffic from WEB Tier to APP Tier is not redirected to PAN
• Traffic hits the DFW first and then the traffic redirection rule: Tomcat traffic must be allowed by a DFW rule, otherwise it cannot be redirected to PAN
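The redirection scenario on slide 52, the Security Group formula on slide 25 and the AV-tag quarantine flow on slide 49 can be modelled together. The Python below is an added example, not VMware's or NSX's code: it implements (Dynamic Inclusion + Static Inclusions) – Static Exclusion and the DFW-first, redirect-second ordering over a constructed topology; the tag name AV.Infected, the group SG-Infected and the rule order are assumptions made for the demo.

```python
# Added example (not VMware/NSX code): toy model of Service Composer semantics.
# Topology is constructed from slide 52; "AV.Infected" / "SG-Infected" are assumed names.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class VM:
    name: str
    ip: str
    tags: Set[str] = field(default_factory=set)  # security tags set by services (e.g. AV)


@dataclass
class SecurityGroup:
    """Slide 25: Security Group = (Dynamic Inclusion + Static Inclusions) - Static Exclusion."""
    name: str
    dynamic_tags: Set[str] = field(default_factory=set)    # dynamic inclusion by security tag
    static_include: Set[str] = field(default_factory=set)  # VM names
    static_exclude: Set[str] = field(default_factory=set)  # VM names

    def members(self, vms: Dict[str, VM]) -> Set[str]:
        dynamic = {v.name for v in vms.values() if v.tags & self.dynamic_tags}
        return (dynamic | self.static_include) - self.static_exclude


@dataclass
class Rule:
    src: str      # security group name or "any"
    dst: str
    service: str  # e.g. "Tomcat", or "any"
    action: str   # "ALLOW"/"BLOCK" for DFW rules, redirect target for introspection rules


def _matches(rule: Rule, src_vm: VM, dst_vm: VM, service: str,
             groups: Dict[str, SecurityGroup], vms: Dict[str, VM]) -> bool:
    def in_scope(selector: str, vm: VM) -> bool:
        return selector == "any" or vm.name in groups[selector].members(vms)
    return (in_scope(rule.src, src_vm) and in_scope(rule.dst, dst_vm)
            and rule.service in ("any", service))


def evaluate(src: str, dst: str, service: str, vms: Dict[str, VM],
             groups: Dict[str, SecurityGroup], dfw_rules: List[Rule],
             redirect_rules: List[Rule]) -> Tuple[str, Optional[str]]:
    """Slide 52 ordering: the flow hits the DFW first (first match wins, default BLOCK);
    a network-introspection redirect applies only to traffic the DFW allowed."""
    src_vm, dst_vm = vms[src], vms[dst]
    verdict = "BLOCK"
    for rule in dfw_rules:
        if _matches(rule, src_vm, dst_vm, service, groups, vms):
            verdict = rule.action
            break
    if verdict != "ALLOW":
        return verdict, None
    for rule in redirect_rules:
        if _matches(rule, src_vm, dst_vm, service, groups, vms):
            return verdict, rule.action
    return verdict, None


def build_demo():
    """Constructed topology: WEB/APP tiers from slide 52 plus an AV quarantine group (slide 49)."""
    vms = {n: VM(n, ip) for n, ip in [("VM1", "1.1.1.1"), ("VM2", "1.1.1.2"),
                                       ("VM3", "2.2.2.1"), ("VM4", "2.2.2.2")]}
    groups = {
        "SG-WEB": SecurityGroup("SG-WEB", static_include={"VM1", "VM2"}),
        "SG-APP": SecurityGroup("SG-APP", static_include={"VM3", "VM4"}),
        # dynamic inclusion: a VM the AV service tags becomes a member with no rule change
        "SG-Infected": SecurityGroup("SG-Infected", dynamic_tags={"AV.Infected"}),
    }
    dfw_rules = [
        Rule("SG-Infected", "any", "any", "BLOCK"),  # quarantine ranks above the allow below
        Rule("SG-WEB", "SG-APP", "any", "ALLOW"),
    ]
    redirect_rules = [Rule("SG-WEB", "SG-APP", "Tomcat", "PAN VM-Series FW")]
    return vms, groups, dfw_rules, redirect_rules


def run_scenarios() -> Dict[str, Tuple[str, Optional[str]]]:
    vms, groups, dfw, redir = build_demo()
    out = {}
    out["tomcat"] = evaluate("VM1", "VM3", "Tomcat", vms, groups, dfw, redir)   # allowed, steered to PAN
    out["ssh"] = evaluate("VM1", "VM3", "SSH", vms, groups, dfw, redir)         # allowed, not redirected
    out["reverse"] = evaluate("VM3", "VM1", "Tomcat", vms, groups, dfw, redir)  # no DFW match: default BLOCK
    vms["VM1"].tags.add("AV.Infected")  # slide 49: AV detection tags the VM ...
    out["infected"] = evaluate("VM1", "VM3", "Tomcat", vms, groups, dfw, redir)  # ... DFW now blocks before redirect
    return out


if __name__ == "__main__":
    for name, (verdict, target) in run_scenarios().items():
        print(f"{name:9s} -> verdict={verdict}, redirect={target}")
```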
Slide 53: Security Partner Integrations
Partner Ecosystem: NSX is the platform for integrating advanced security services.
Next-generation IPS
• Granular protection of individual VM workloads with customizable policy definitions
Malware Protection
• Data Center security with agentless anti-malware and guest network threat protection
• Real-time, dynamic threat protection and response for workloads moving between hosts and virtual data centers
• Automation of advanced malware interception
• Unified management for physical and virtual sensors
Vulnerability Management
• Automatic vulnerability risk assessment
• Data Center wide real-time risk visibility
• Auto segmentation of risky assets
• Vulnerability prioritization for effective remediation
Threat & Malware Protection
• Single virtual appliance provides agentless: anti-malware with URL filtering; vulnerability and software scanning; detection of file changes; Intrusion Detection & Prevention
Next-Generation Firewall
• Multiple threat prevention disciplines including firewall, IPS, and antimalware
• Safe application enablement with continuous content inspection for all threats
• Granular user-based controls for apps, content, users

Slide 54: Agenda
1 Challenges with existing security controls
2 Introducing NSX Guest Introspection
3 Benefits
4 Use Cases
5 Automating Security
6 Summary & Next Steps

Slide 55: Achieving Micro-Segmentation in the Real World
Prepare Security Fabric
• Prepare Hosts for Security
• Optional: Deploy Security Vendor Management Consoles for advanced services
• Optional: Deploy security vendor appliances
Monitor Flows
• Brownfield: Leverage existing knowledge from Perimeter firewalls
• Use NSX Built-In Flow Monitoring, IPFIX tools
• Integrate VMware Log Insight to analyze syslogs
Determine Policy Model
• Identify patterns with flows
• Determine a policy model based on the patterns
Apply Policy Model
• Determine approach: Firewall Rule Table or Service Composer Policy Model
• Based on the Policy Model – Create grouping models
• Write Security Policy

Slide 56: Day 2 Operations
• Continue monitoring flow patterns using Log Insight: drifts and shifts in workload flows, shifts in policies
• Keep advanced services updated: keep services like AV, IPS updated with signatures
• Manage FW rules using Tufin, Algosec

Slide 57: NSX Transforms Security by Providing Context & Minimizing Overhead
Layers: Guest VM, Hypervisor, Network.
• Context: Share rich context on applications, users, data, etc.
• Isolation: Minimize attack targets like security controls (e.g. AV) and telemetry (e.g. logs) by leveraging guest and network isolation and micro-segmentation
• Ubiquity: Ensuring visibility and control points are everywhere to help address coverage and scale challenges

Slide 58: What's Next... (Play, Learn, Deploy)
• VMware NSX Hands-on Labs: labs.hol.vmware.com
• VMware Booth #1229: 3 NSX Demo Stations – Explore, Engage, Evolve
• virtualizeyournetwork.com
• Network Virtualization Blog: blogs.vmware.com/networkvirtualization
• NSX Product Page: vmware.com/go/nsx
• NSX Training & Certification: www.vmware.com/go/NVtraining
• NSX Technical Resources / Reference Designs: vmware.com/products/nsx/resources
• VMware NSX YouTube Channel: youtube.com/user/vmwarensx

Slide 59: Please submit your feedback via our mobile app.

Slides 60-61: Thank You