VMware NSX – A Perspective for Service Providers – part 2
Using Software Defined Networking to harden DC security controls
Trevor Gerdes
NSX for SPs Part 2 - Agenda
1 Case Studies
2 Data Centre Security
3 Distributed Firewall – Use Cases
4 Current SDN Technologies
5 NSX Service Composer
6 Building a Zero Trust Model
Case Studies
Australian MSP
• Existing vSphere customer
• Using 3rd party orchestration system (non-VMware)
• Wanted to improve service delivery times
• Looking at hybrid virtual solution using elements from Juniper, Cisco and VMware
Australian MSP
• Implemented NSX into new cloud offering inside 3 months
• Reduced service delivery time from 6 weeks to 3 days
• Brought forward revenue billing by 5 weeks
• Selected NSX over hybrid Cisco, VMware and Juniper solution due to all-in-one package of logical L2 networking, L3 routing and perimeter gateway services including VPN and LB services.
• Integrated NSX via API into 3rd party cloud solution inside 1 week using python scripts.
• Looking for next wave of feature integration and “value add” using NSX distributed FW and security partners.
CONFIDENTIAL 6
[Diagram: First Problem – VM Conversion required: Customer connecting to the Data Centre Cloud Hosting Service]
[Diagram: NSX – Providing Stretch Layer 2 (over Layer 3): NSX between the Customer and the Data Centre Cloud Hosting Service]
SDDC Micro-Segmentation Business Case - Sample
Data Center Environment
  Number of VMs                                          1,000
  Number of VMs per CPU                                  5
  Number of CPUs per Host                                2
  Number of Hosts                                        100
Firewall Throughput Required for Micro-Segmentation
  Average Application Throughput per Host                7 Gbps
  Throughput Required to Support All VMs                 700 Gbps
  Segmentation Ratio (% of VMs requiring FW controls)    40%
  Effective Firewall Throughput Requirement              280 Gbps
  Firewalls Required (20 Gbps each x2 for HA)            28 Firewalls
Firewall Cost
  List Price of 20 Gbps Firewalls                        $150,000
  Total CAPEX for Firewalls                              $4,200,000
  Note: Operationally Infeasible
NSX Cost
  List Cost for NSX Platform                             ~$1,300,000
Large US Financial
• 25,000 VM deployment
• $10m investment in NSX
• $50m savings over 5 years
• NSX improved host utilisation from 9:1 to 14:1
• NSX helped avoid hardware refresh on ESX hosts, Load Balancers, Network hardware
• SDDC helped reduce labour costs by $8m
• 15 month PoC which morphed into full SDDC PoC (vCAC, vCO, vCOps, LogInsight)
Rackspace
“NVP, combined with OpenStack, is a game changer. Together we are bringing enterprise private networking to the cloud.”
LEW MOORMAN, PRESIDENT, RACKSPACE
• Rackspace Cloud Networks
• $15-$20 million a year savings by not overprovisioning servers
• Deliver enterprise-class private networking in a public, multi-tenant cloud.
[Chart: Improved Server Utilization – less overprovisioning of servers; without network virtualization, 60% asset utilization]
Data Centre Security
A Better Way
[Diagram: the traditional perimeter model – “Hard Shell on the Outside, Soft on the Inside”, with physical workloads]
Secure Micro-Segmentation in the Data Center: Uncontrolled
Secure Micro-Segmentation in the Data Center: Operationally Infeasible
Secure Micro-Segmentation with VMware NSX: Controlled Communication, Scale-Out Performance, Automated Operational Model
NSX Distributed Firewall – Overview
Hypervisor Kernel Embedded Firewall:
• Built directly into the Hypervisor
• Near Line-Rate Performance
• Removes dependence on Guest based Firewall
• L2-4 Stateful East/West Firewalling
Distributed to Every VM:
• No “Choke Point”
• Policy independent of VM location
• Enforcement closest to VM
Distributed Firewall – Use Cases
[Diagram: Dev / Test / Production isolation – Web, App and DB tiers in each environment, no communication path between environments, controlled communication path within each]
[Diagram: Advanced Services – controlled communication path]
[Diagram: Internet, Security Policy, Perimeter Firewalls, Cloud Management Platform]
NSX Distributed Firewall for vMotion
• Hypervisor-based, in-kernel distributed firewalling
• Platform-based automated provisioning and workload adds/moves/changes
[Diagram: PCI, Non-PCI and Private zones]
Automated Security in a Software Defined Data Center – Data Center Micro-Segmentation
Network-Segmentation or Micro-Segmentation
[Diagram: Multi-Tier, Multi-subnet – Web, App and Database tiers behind an NSX Load Balancer, joined by an NSX Distributed Router; or Multi-Tier, Single-subnet – Web, App and DB VMs on one subnet behind an NSX Load Balancer]
Current SDN Technologies
Software Defined Networking – Layers
Consumption: how an end user consumes SDN. Build networks and security services via WebUI, REST API (XML, JSON), Python scripts etc., e.g. vRealize Automation, CloudForms, ServiceMesh, CloudFoundry
Management plane: configuration interface, REST XML API or WebUI, e.g. vCenter, NSX Manager, APIC, OpenStack
Control plane: programs the data plane. Provides: API on the north side, OpenFlow or proprietary southbound, e.g. NSX Controller, ACI N9K spine switch, Contrail, OpenDaylight
Data plane: forwards packets. Provides: workload connectivity and services processing, e.g. hypervisors, physical switches and appliances
Hardware-based SDN
The anatomy of the most agile & efficient data centers is SDDC
[Diagram: Google / Facebook / Amazon data centers – Custom Application on a Custom Platform, with software/hardware abstraction over any x86, any storage, any IP network]
Facebook “6-pack”: the first open hardware modular switch. 12 switching elements, 1.28 Tbit/s each
“New IT” will be SDDC
[Diagram: Software Defined Data Center (SDDC) – Any Application on the SDDC Platform over any x86, any storage, any IP network; the same model for Data Center Virtualization, Public Data Center and Hybrid Data Center]
NSX Service Composer
Security services are consumed more efficiently in a software-defined datacenter
VMware Network and Security Platform: Deploy, Apply, Automate, Extensibility
Security Tags, Security Groups, Security Policies, Service Insertion
NSX Service Composer – Security Group
Security Group (SG) – container of VMs by IP, security tag, logical switch etc.
• Defines what you want to protect.
• e.g. “PCI DSS Zone”, “DMZ”, “Quarantine Zone”
Security Policies – collection of Security Policy Objects (SPOs) assigned to this Security Group.
• How you want to protect this container
• Can have multiples with weighting
• e.g. “PCI Compliance Policy”
Included Security Groups – nested containers
• e.g. “Quarantine Zone” is a sub-group within “PCI DSS Zone”
Virtual Machines that belong to this container.
• e.g. “Apache-Web-VM”, “Exchange-Server-VM”
Guest Introspection
• Anti-virus
• Vulnerability Management
• Data Loss Prevention (DLP)
Firewall Rules
• Inbound, Outbound, Intra-Zone
• Allow, Deny, and Log
Network Introspection – 3rd party services integrated via NetX
• Intrusion Prevention (IPS)
• Nextgen F/W
Security Group = Virtual_Desktops
Members = {Connected to VDI-01-Logical-Switch}
Policy = Standard Desktop
Automated Security in a Software Defined Data Center – Quarantine Vulnerable Systems until Remediated
Security Group = Quarantine Zone
Members = {Tag = ‘ANTI_VIRUS.VirusFound’}
Policy = Quarantine Zone
Policy Standard Desktop: Anti-Virus – Scan
Policy Quarantine Zone: Firewall – Permit remediation, deny all; Anti-Virus – Scan and remediate
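The quarantine workflow above rests on three Service Composer mechanics: a security group's membership is evaluated dynamically (by tag, by logical switch, or through a nested group), a policy is bound to a group rather than to a VM, and when several policies cover one VM their weight decides precedence. The following Python model is an added example, not code from the deck or from NSX; it uses the object names shown on the slides (Virtual_Desktops, Quarantine Zone, PCI DSS Zone, the ANTI_VIRUS.VirusFound tag) but the data model, the weights and the rule wording are this example's own assumptions, not NSX's API.

```python
"""Toy model of NSX Service Composer semantics (this example's own code, not
NSX's API): security groups with dynamic membership by security tag, logical
switch or nested group, and security policies bound to groups with a weight
that decides precedence when several policies cover one VM."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class VM:
    name: str
    switch: str                          # logical switch the vNIC is connected to
    tags: Set[str] = field(default_factory=set)


@dataclass
class SecurityGroup:
    name: str
    tag: Optional[str] = None            # member if the VM carries this security tag
    switch: Optional[str] = None         # member if the VM sits on this logical switch
    included: List["SecurityGroup"] = field(default_factory=list)  # nested groups


@dataclass
class SecurityPolicy:
    name: str
    weight: int                          # higher weight takes precedence
    firewall: List[str]                  # ordered firewall rules, human readable
    guest_introspection: List[str]       # e.g. anti-virus actions


def is_member(vm: VM, group: SecurityGroup) -> bool:
    """Dynamic membership: a direct criterion matches, or the VM is in a nested group."""
    if group.tag is not None and group.tag in vm.tags:
        return True
    if group.switch is not None and vm.switch == group.switch:
        return True
    return any(is_member(vm, sub) for sub in group.included)


def groups_for(vm: VM, groups: List[SecurityGroup]) -> List[str]:
    return [g.name for g in groups if is_member(vm, g)]


def effective_policies(vm: VM, groups: List[SecurityGroup],
                       bindings: Dict[str, List[SecurityPolicy]]) -> List[SecurityPolicy]:
    """Policies bound to any group the VM belongs to, highest weight first;
    weight order is what puts the quarantine rules above the standard ones."""
    applied: Dict[str, SecurityPolicy] = {}
    for g in groups:
        if is_member(vm, g):
            for policy in bindings.get(g.name, []):
                applied[policy.name] = policy
    return sorted(applied.values(), key=lambda p: p.weight, reverse=True)


def effective_firewall_rules(vm: VM, groups: List[SecurityGroup],
                             bindings: Dict[str, List[SecurityPolicy]]) -> List[str]:
    """Flattened rule order the DFW would enforce at this VM's vNIC."""
    rules: List[str] = []
    for policy in effective_policies(vm, groups, bindings):
        rules.extend(policy.firewall)
    return rules


# Objects named on the slides; weights and rule wording are assumptions of this example.
STANDARD_DESKTOP = SecurityPolicy("Standard Desktop", weight=1000, firewall=[],
                                  guest_introspection=["Anti-Virus: scan"])
QUARANTINE = SecurityPolicy("Quarantine Zone", weight=5000,
                            firewall=["permit desktop -> remediation server",
                                      "deny any -> any"],
                            guest_introspection=["Anti-Virus: scan and remediate"])

VIRTUAL_DESKTOPS = SecurityGroup("Virtual_Desktops", switch="VDI-01-Logical-Switch")
QUARANTINE_ZONE = SecurityGroup("Quarantine Zone", tag="ANTI_VIRUS.VirusFound")
PCI_DSS_ZONE = SecurityGroup("PCI DSS Zone", included=[QUARANTINE_ZONE])  # nesting as on the slide

GROUPS = [VIRTUAL_DESKTOPS, QUARANTINE_ZONE, PCI_DSS_ZONE]
BINDINGS = {"Virtual_Desktops": [STANDARD_DESKTOP], "Quarantine Zone": [QUARANTINE]}


def quarantine_walkthrough() -> Tuple[List[str], List[str], List[str]]:
    """Policy names a desktop sees before infection, while the AV service has it
    tagged, and after the tag is cleared on remediation. Nobody edits a rule:
    membership and precedence follow the tag."""
    vm = VM("desktop-07", switch="VDI-01-Logical-Switch")   # constructed sample VM
    before = [p.name for p in effective_policies(vm, GROUPS, BINDINGS)]
    vm.tags.add("ANTI_VIRUS.VirusFound")      # set by the guest-introspection AV partner
    during = [p.name for p in effective_policies(vm, GROUPS, BINDINGS)]
    vm.tags.discard("ANTI_VIRUS.VirusFound")  # cleared once the VM is remediated
    after = [p.name for p in effective_policies(vm, GROUPS, BINDINGS)]
    return before, during, after


if __name__ == "__main__":
    print(quarantine_walkthrough())
```

Running the walkthrough shows the desktop covered by "Standard Desktop" only, then by "Quarantine Zone" ahead of "Standard Desktop" while tagged, then back to "Standard Desktop" once the tag is cleared; the nested PCI DSS Zone group picks the VM up through Quarantine Zone without any binding of its own.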
Building a Zero-Trust Model
Forrester Zero Trust Model
http://csrc.nist.gov/cyberframework/rfi_comments/040813_forrester_research.pdf
“In short, Zero Trust flips the mantra "trust but verify" into "verify and never trust."”
Zero-Trust with NSX – Stage 1
Resulting Policy
Layer 4 – 7 Advanced Services Insertion
NSX and Palo Alto Networks VM Series Firewall
[Diagram: NSX Manager, the Distributed Firewall and a Palo Alto Networks VM-Series firewall VM; Internet traffic reaching the Web tier VMs]
Distributed Firewall Optimal Traffic Steering – Web Tier
Rule1: Any to Web – PAN Insertion
Rule2: Web to App – DFW Permit
Rule3: Web to Web – DFW Deny
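The steering rules above, together with the three-tier "controlled communication path" from the Distributed Firewall use cases, can be checked in a small first-match rule evaluator. The Python below is an added example, not code from the deck or from NSX: the Workload and Rule types, the single ordered rule table, the App-to-DB permit and the zero-trust default deny are this example's assumptions. It shows two things a practitioner wants to confirm: that the verdict for a flow does not change when a VM is vMotioned to another host (policy follows the workload), and that with a first-match engine the intra-tier Web-to-Web deny has to sit above the broad Any-to-Web steering rule, otherwise lateral web-to-web traffic is redirected instead of dropped.

```python
"""Toy first-match evaluation of Distributed Firewall rules at the vNIC (this
example's own model, not NSX's API). Rules 1-3 come from the slide; the
App->DB permit and the default deny are assumptions of this example."""
from dataclasses import dataclass
from typing import List, Tuple

PERMIT, DENY, REDIRECT = "DFW Permit", "DFW Deny", "PAN Insertion"


@dataclass
class Workload:
    name: str
    tier: str      # security group membership: web / app / db / external
    host: str      # ESXi host currently running it; never consulted by the policy


@dataclass
class Rule:
    name: str
    src: str       # tier name or "any"
    dst: str
    action: str
    log: bool = False


# Hardened order: the intra-tier deny precedes the broad any->web steering rule.
RULES: List[Rule] = [
    Rule("Rule3 Web->Web", "web", "web", DENY, log=True),   # no lateral movement inside the tier
    Rule("Rule1 Any->Web", "any", "web", REDIRECT),         # steer inbound web traffic to the partner firewall
    Rule("Rule2 Web->App", "web", "app", PERMIT),
    Rule("Rule4 App->DB", "app", "db", PERMIT),             # assumed: the rest of the controlled path
    Rule("Default", "any", "any", DENY, log=True),          # assumed zero-trust default
]

# The slide's literal numbering, Rule1 before Rule3, for comparison.
SLIDE_ORDER: List[Rule] = [RULES[1], RULES[2], RULES[0], RULES[3], RULES[4]]


def _matches(rule: Rule, src: Workload, dst: Workload) -> bool:
    return rule.src in ("any", src.tier) and rule.dst in ("any", dst.tier)


def evaluate(src: Workload, dst: Workload, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """First matching rule wins. The same table is enforced at every vNIC,
    so the verdict does not depend on which hosts the two VMs run on."""
    for rule in rules:
        if _matches(rule, src, dst):
            return rule.action, rule.name
    raise RuntimeError("rule set lacks a catch-all rule")


def vmotion(vm: Workload, new_host: str) -> Workload:
    """Move the VM; its security-group membership (tier) travels with it."""
    return Workload(vm.name, vm.tier, new_host)


# Constructed sample workloads.
INTERNET = Workload("client", "external", "-")
WEB1 = Workload("web-01", "web", "esx-a")
WEB2 = Workload("web-02", "web", "esx-a")
APP1 = Workload("app-01", "app", "esx-b")
DB1 = Workload("db-01", "db", "esx-c")


def verdicts_before_and_after_vmotion() -> Tuple[List[str], List[str]]:
    """Action for each sample flow, then the same flows after web-01 changes host."""
    flows = [(INTERNET, WEB1), (WEB1, WEB2), (WEB1, APP1),
             (APP1, DB1), (WEB1, DB1), (APP1, WEB1)]
    before = [evaluate(s, d)[0] for s, d in flows]
    moved = vmotion(WEB1, "esx-c")
    after = [evaluate(moved if s is WEB1 else s, moved if d is WEB1 else d)[0]
             for s, d in flows]
    return before, after


def rule_order_matters() -> Tuple[str, str]:
    """Web->Web verdict in the hardened order versus the slide's literal order."""
    return evaluate(WEB1, WEB2)[0], evaluate(WEB1, WEB2, SLIDE_ORDER)[0]


if __name__ == "__main__":
    print(verdicts_before_and_after_vmotion())
    print(rule_order_matters())
```

Note the sixth sample flow: App-to-Web also hits the Any-to-Web steering rule, which is the slide's intent (all traffic into the web tier passes the partner firewall) but worth confirming explicitly, since "any" includes internal tiers as well as the Internet.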
Complexity driven by applications / E-W traffic flows
North/South vs East/West
• East-West traffic hairpins across the perimeter Firewall
• Complex static inter-zone routing
• Requires punching holes across security zones
• Internal security zones exposed on perimeter devices
Zero-Trust Model Implementation with NSX
Any devices over any networks
App gateways and perimeter devices
Admin jump points
Common Services: Applications, EDS, AD, DB
[Diagram: Exchange server roles and the ports between them – Edge Transport (routing and AV/AS), Client Access (client connectivity, web services), Hub Transport (routing and policy), Mailbox (storage of mailbox items), Unified Messaging (voice mail and voice access); ports shown: 25, 50636, 135, 389, 3268, 88, 53, 135 to AD, 443, RPC 808, 5060, 5061, 5062, dynamic]
In Summary
A Good Security Approach Requires
• Zero-Trust: Don’t Trust Anyone, Verify Always
• Control at the Perimeter alone is not enough
NSX with Distributed Firewall Provides
• Easy Enforcement of East/West Policy
• Security Policy that Follows the Workload
• Enforcement at the Smallest Unit of Trust
• Easy Hardening of Data Centre Core through Micro-segmentation
• Integration with Best-of-Breed Security Vendors