Software Defined Data Centers
Network Virtualization & Security
Jeremy van Doorn
Director of Systems Engineering
EMEA, Network & Security
“My business and its IT organization are being engulfed by a torrent of digital opportunities. We cannot respond in a timely fashion, and this threatens the success of the business and the credibility of the IT organization.”
To stimulate growth and drive competitive advantage
Amaze customers and empower employees
Manage risk and protect brand value
The Driving Forces Behind the Liquid World
CLOUD
MOBILE
Harnessing Mobile and Cloud Is Challenging
SLOW TECHNOLOGY ADOPTION RATES
HIGH USER EXPECTATIONS
SLOW RESPONSES
PRIVACY ISSUES
INTEGRATION PROBLEMS
SERVICE OUTAGES
SHORTAGE OF RIGHT SKILLS
DECLINING BUDGET
DIFFERENT APPLICATIONS
AGING INFRASTRUCTURE
SECURITY
PROLIFERATION OF DEVICES
FRAGMENTED DATA CENTER
LIMITED RESOURCES
CLOUD SILOS
Time for a New Model of IT
Optimized for rapid development and delivery of all applications, for safe consumption on any device
FLUID
Software-Defined Agility: instant provisioning, delivery, and access from data center to device
Seamless Hybridity: unified private and public clouds to dynamically deploy any app or workload
Intrinsic Security: enhanced security native to apps, infrastructure, and devices
VMware: Your Best Partner for Brave New IT
Conventional Approach to IT
Traditional Applications | Modern, Cloud Applications
VMware Architecture for IT
Any Application: Traditional Applications | Modern, Cloud Applications
One Cloud: Cloud Management; Hybrid Cloud (Private: Your Data Center | Managed: vCloud Air Network | Public: vCloud Air); Virtualized Compute, Network, Storage
Any Device: Business Mobility (Applications | Devices | Content)
One Cloud, Any Application
Any Application, Anywhere: architect, deploy, and run all traditional and modern applications
Open Management: flexible choice to manage your cloud infrastructure and your applications
Unified Platform: on- and off-premise cloud with a common Software-Defined Data Center platform, built on VMware’s best-in-class compute, network, and storage virtualization solutions
Hybrid Cloud: Private (Your Data Center) | Managed (vCloud Air Network) | Public (vCloud Air)
The Software-Defined Data Center Approach
Ideal Architecture for the Hybrid Cloud
• All infrastructure services virtualized: compute, networking, storage
• Control of data center automated by software (management, security)
• Unified platform for existing and new apps, delivered to many devices
Hybrid Cloud: Compute | Networking | Storage
Two Different Paths Forward: Hardware-Defined or Software-Defined Architecture?
Hardware-Defined Approach: intelligence in proprietary hardware, software layer on top, manual operations; IT struggles to keep up
Software-Defined Approach: intelligence in the software layer, running on existing hardware, automated operations; IT moves at the speed of the business
Is SDDC a Proven Architecture?
Google / Facebook / Amazon Data Centers: Custom Application | Custom Platform | Any x86 | Any Storage | Any IP network (Software / Hardware Abstraction)
Software Defined Data Center (SDDC): Any Application | SDDC Platform | Any x86 | Any Storage | Any IP network (Data Center Virtualization)
Hardware Defined Data Center (HDDC): Any Application | HDDC Platform | Integrated x86 | Integrated Storage | Vendor Specific Network (Vertical Integration)
SDDC Architecture is Future Proof
Data Center Virtualization: Any Application | Any x86 | Any Storage | Any IP network
Inter-Data Center: Any Application | Any x86 | Any Storage | Any IP network
Hybrid Data Center: Any Application | Any x86 | Any Storage | Any IP network
Software Defined Data Center (SDDC): Any Application | SDDC Platform | Any x86 | Any Storage | Any IP network
VMware Cloud Management: The Control Plane for the Software-Defined Data Center and the Hybrid Cloud
Cloud Operations: intelligent, automated operations with comprehensive visibility from apps to storage (Service Health | Capacity Optimization | Configuration Standards)
Cloud Automation: automated, self-service delivery of personalized IT services (Service Catalog | Governance | Release Automation)
Cloud Business: complete transparency into costs and quality of all IT services (Cost Transparency | Benchmarking | Service Quality Mgmt)
• A cloud management platform purpose-built for heterogeneous datacenters and hybrid cloud
• Extends vCloud Suite to manage OpenStack, AWS, Hyper-V, KVM, and vCloud Air
• Works with modern and traditional application architectures
OpenStack Runs Best on VMware
Deliver the OpenStack APIs Developers Want
• Best-of-breed compute, network, storage
• Elegant, rapid, and simplified operations
• Single support contact
Best of All: Free for vSphere Enterprise Plus Users
VMware Integrated OpenStack
vSphere – The Best Platform for All Applications
Scale-Up Apps / Business Critical Apps | Containers | Integrated OpenStack | Desktop Virtualization | Scale-Out Applications
Capabilities
• Scalability enhancements (VMs and Clusters) for all application workloads
• Desktop Virtualization – 2D/3D Graphics, Instant Clone
• OpenStack on vSphere = Success
• Big Data Extensions and Pivotal CF (PaaS) Support
• Linux Container Support
Benefits and Proof Points
• Increased scalability and performance
• SAP Hana – 400% performance gains over RDBMS and 9x gains in planning load times
• Rapid deployment of desktop virtual machines in seconds
• 10x faster than in previous releases
• Productivity and portability for application developers
And Many More…
• Rapid development, automated deployment and secure consumption of all enterprise apps
• Choice in datacenter automation and management
• Best-in-class VMware technologies across hybrid clouds
VMware Software-Defined Storage Architecture
VMware Virtual SAN™
VMware vSphere
Storage-Policy Based Management
Virtual Volumes
VVOL-enabled arrays
Storage Partners
Network Virtualization
Hypervisor vSwitch | Hypervisor vSwitch | Hypervisor vSwitch | Hypervisor vSwitch
New Model for Security: Micro-Segmentation
Virtual Network | Virtual Network | Virtual Network
VMware NSX™: The Network Hypervisor
50+ additional
Bridging Two Worlds
Software Defined Data Center Approach
Network Virtualization is at the core of an SDDC approach
Network, storage, compute virtualization layer (“Network hypervisor”)
Virtual Data Centers
The Power of Distributed Services
Network and security services now distributed in the hypervisor: Switching | Routing | Firewalling/ACLs | Load Balancing
High throughput rates
East-west firewalling
Native platform capability
Network & Security Services Distributed to the Virtual Switch
Native Isolation: 192.168.2.10 | 192.168.2.10 | 192.168.2.11
Security in the
$71.1 B: WW 2014 Information Security spending
46%: increase in 2015 security technology spend
1,208: # of new cybersecurity companies (solutions) since 2010
43%
More Security Spend ≠ More Secure
Yet …
312: average # of days a zero-day vulnerability goes un-
$455 B: total cost of cybercrime in
Traditional security has little meaning in a borderless Software Defined Data Center
• Insufficient visibility into East-West traffic & inter-VM attacks
• Static policies cannot keep up with dynamic workloads
Traditional approaches to reduce breaches inside the Data Center perimeter... Adding more internal security requires placing more security controls across workloads
Physical Security Appliances (Data Center Perimeter | Internet)
• Optimized for Data Center Perimeter
• Cost prohibitive: thousands needed
• Configuration and security policies restricted by network topology
• Inefficient “choke point”
• Impractical for lateral coverage
• Lacks selective traffic inspection for smarter security
• Hair-pinning impacts performance
• Limited segmentation capabilities
• Lacks dynamic provisioning, deployment and scale out
Data Center Security Options: Secure Perimeter vs. Zero-Trust Pervasive Security
Problem: Data Center Network Security
Perimeter-centric network security has proven insufficient, and micro-segmentation is operationally infeasible
Little or no lateral controls inside perimeter (Internet | Perimeter Firewalls)
Why traditional approaches are operationally infeasible…
• Create firewall rules before provisioning
• Update firewall rules when move or change
• Delete firewall rules when app decommissioned
• Problem increases with more East-West traffic
How an SDDC approach makes micro-segmentation feasible
Internet | Security Policy | Perimeter Firewalls | Cloud Management Platform
A “Zero Trust” model becomes operationally feasible
Logically align controls to what you are protecting
Isolation | Explicit Allow Comm. | Secure Communications
Service Insertion: IPS (Intrusion Protection) | FIM (File Integrity) | AM (Anti-Malware) | WR (Web Reputation)
Application A | Application B
App Tier → DB Tier (e.g. TCP 1433); No Communication Path
1. Isolation and segmentation
2. Unit-level trust / least privilege
3. Ubiquity and centralized control
Delivers higher levels of data center security
Intelligent grouping: groups defined by customized criteria (Operating System | Machine Name | Application Tier | Services | Security Posture | Regulatory)
There is a BIG difference…
Physical Firewalls: Traditional Rule Mgt & Operations | Chokepoint Enforcement | Physical Firewalls (~100 Gbps)
Virtual Firewalls: Traditional Rule Mgt & Operations | Chokepoint Enforcement | Virtual Firewalls
Distributed Firewalling: Automated Policy Mgt & Operations | Distributed Enforcement | vSphere Kernel-based Performance | Distributed Scale-out Capacity (20
SDDC Platform – “Zero Trust” is Now Operationally Feasible
Hypervisor-based, in-kernel distributed firewalling
• High throughput rates on a per hypervisor basis
• Every hypervisor adds additional east-west firewalling capacity
• Native feature of the VMware NSX platform
Platform-based automation
• Automated provisioning and workload adds/moves/changes
• Accurate firewall policies follow workloads as they move
Audit Compliance
20 Gbps firewalling throughput per host
Data center micro-segmentation becomes operationally feasible
NSX Platform Extensibility…With Advanced Security
• Add leading security solutions to your micro-segmentation deployment for greater security
• Apply the SDDC operational model to 3rd-party security products
• Adapt to changing security conditions in the data center by enabling security solutions to share intelligence
Traditional Data Center: static service chain
In a traditional data center, security services must be configured when the network is architected, meaning the “chain” of services is locked in once deployed. This is an inefficient use of resources and cannot defend against
NSX Data Center: dynamic service chain
In an NSX data center, 3rd-party security solutions use NSX security tags to share intelligence, adapting to changing security conditions. NSX automatically applies the correct security function as needed.
Advanced Services Insertion – Example: Palo Alto Networks NGFW
Internet | Security Policy | Security Admin | Traffic Steering
Automated Security in a Software Defined Data Center
Quarantine Vulnerable Systems until Remediated
Security Group = Quarantine; Members = {Tag = ‘ANTI_VIRUS.VirusFound’}
Security Group = Standard
Policy Definition
Standard Policy: Anti-Virus – Scan
Quarantined Policy: Firewall – Block all except security tools; Anti-Virus – Scan and remediate
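As an added illustration (not code from the deck, from VMware or from the NSX API), the following Python model shows the two mechanisms the preceding slides describe working together: an "explicit allow" rule between the App and DB tiers (TCP 1433) on top of a default-deny, and a Quarantine security group whose membership is computed from the ANTI_VIRUS.VirusFound tag, so that a workload's policy changes the moment the tag is applied and reverts when it is cleared. The class names, the `tier` attribute, the rule ordering, and the workload names and addresses are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass
class Workload:
    """A VM as the policy engine sees it: identity, tier and tags, not only an IP."""
    name: str
    ip: str
    tier: str                                   # assumed grouping attribute
    tags: Set[str] = field(default_factory=set)


@dataclass
class SecurityGroup:
    """Membership is evaluated from criteria, so it follows the workload."""
    name: str
    matcher: Callable[[Workload], bool]

    def contains(self, w: Workload) -> bool:
        return self.matcher(w)


@dataclass
class Rule:
    name: str
    src: Optional[str]       # security group name; None = any source
    dst: Optional[str]       # security group name; None = any destination
    proto: Optional[str]     # "tcp" / "udp"; None = any
    port: Optional[int]      # None = any
    action: str              # "allow" or "block"


class DistributedFirewall:
    """First matching rule wins; no match falls through to the zero-trust default."""

    def __init__(self, groups: List[SecurityGroup], rules: List[Rule], default: str = "block"):
        self.groups = {g.name: g for g in groups}
        self.rules = rules
        self.default = default

    def _in(self, group: Optional[str], w: Workload) -> bool:
        return group is None or self.groups[group].contains(w)

    def evaluate(self, src: Workload, dst: Workload, proto: str, port: int) -> str:
        for r in self.rules:
            if (self._in(r.src, src) and self._in(r.dst, dst)
                    and r.proto in (None, proto) and r.port in (None, port)):
                return r.action
        return self.default

    def groups_of(self, w: Workload) -> Set[str]:
        return {n for n, g in self.groups.items() if g.contains(w)}


VIRUS_TAG = "ANTI_VIRUS.VirusFound"          # tag name as shown on the slide

GROUPS = [
    SecurityGroup("Quarantine", lambda w: VIRUS_TAG in w.tags),
    SecurityGroup("AppTier", lambda w: w.tier == "app"),
    SecurityGroup("DBTier", lambda w: w.tier == "db"),
    SecurityGroup("SecurityTools", lambda w: w.tier == "sectools"),
]

# Quarantine rules come first so they override the standard policy:
# "block all except security tools", in both directions, then the explicit allow.
RULES = [
    Rule("quarantine-to-sectools", "Quarantine", "SecurityTools", None, None, "allow"),
    Rule("sectools-to-quarantine", "SecurityTools", "Quarantine", None, None, "allow"),
    Rule("quarantine-block-out", "Quarantine", None, None, None, "block"),
    Rule("quarantine-block-in", None, "Quarantine", None, None, "block"),
    Rule("app-to-db-sql", "AppTier", "DBTier", "tcp", 1433, "allow"),
]


def scenario() -> Dict[str, str]:
    """Walk one workload through infection, quarantine and remediation (constructed data)."""
    app1 = Workload("app-01", "10.0.1.10", "app")
    web1 = Workload("web-01", "10.0.0.10", "web")
    db1 = Workload("db-01", "10.0.2.10", "db")
    av = Workload("av-server", "10.0.9.10", "sectools")
    fw = DistributedFirewall(GROUPS, RULES)

    out: Dict[str, str] = {}
    out["app->db:1433"] = fw.evaluate(app1, db1, "tcp", 1433)      # explicit allow
    out["app->db:22"] = fw.evaluate(app1, db1, "tcp", 22)          # default deny
    out["web->db:1433"] = fw.evaluate(web1, db1, "tcp", 1433)      # no path for web tier

    app1.tags.add(VIRUS_TAG)   # AV reports an infection: group membership flips at once
    out["quarantined app->db:1433"] = fw.evaluate(app1, db1, "tcp", 1433)
    out["quarantined app->av:443"] = fw.evaluate(app1, av, "tcp", 443)
    out["av->quarantined app:445"] = fw.evaluate(av, app1, "tcp", 445)
    out["groups while quarantined"] = ",".join(sorted(fw.groups_of(app1)))

    app1.tags.discard(VIRUS_TAG)   # remediated: clearing the tag restores standard policy
    out["remediated app->db:1433"] = fw.evaluate(app1, db1, "tcp", 1433)
    return out


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k:28s} {v}")
```

The point the model makes is that no rule ever names an IP address: rules bind to groups, groups bind to criteria, and the only runtime event needed to quarantine a host is a tag change from the anti-virus service. Rule order matters, which is why the quarantine rules sit ahead of the tier allow rule and the block rules sit after the two security-tools exceptions.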
Benefits of Taking a Software Defined Data Center Approach
Multi-tenant Infrastructure | IT Automating IT | Developer Cloud | DMZ Anywhere | Micro-segmentation | Secure End User | Metro Pooling | Hybrid Cloud Networking | Disaster Recovery
Reduce infrastructure provisioning time from weeks to minutes
Secure infrastructure at 1/3 the cost
Reduce RTO by 80%