VMware NSX A Perspective for Service Providers part 2

Transcription

1 VMware NSX A Perspective for Service Providers part 2 Using Software Defined Networking to harden DC security controls Trevor Gerdes Strategic Architect Security and Networks

2 NSX for SPs Part 2 - Agenda 1 Case Studies 2 Data Centre Security 3 Distributed Firewall Use Cases 4 Current SDN Technologies 5 NSX Service Composer 6 Building a Zero Trust Model 2

3 Case Studies CONFIDENTIAL 3

4 Australian MSP Existing vsphere customer Using 3 rd party orchestration system (non-vmware) Wanted to improve service delivery times Looking at hybrid virtual solution using elements from Juniper, Cisco and VMware

5 Australian MSP Implemented NSX into new cloud offering inside 3 months Reduced service delivery time from 6 weeks to 3 days Brought forward revenue billing by 5 weeks Selected NSX over hybrid Cisco, VMware and Juniper solution due to all in one package of logical L2 networking, L3 routing and perimeter gateway services including VPN and LB services. Integrated NSX via API into 3 rd party cloud solution inside 1 week using python scripts. Looking for next wave of feature integration and value add using NSX distributed FW and security partners.

6 First Problem VM Conversion required X Customer Data Centre Cloud Hosting Service CONFIDENTIAL 6

7 P Customer Data Centre Cloud Hosting Service CONFIDENTIAL 7

8 What about a partial move? Customer Data Centre Cloud Hosting Service CONFIDENTIAL 8

9 NSX Providing Stretch Layer 2 (over Layer 3) NSX Customer Data Centre Cloud Hosting Service Currently in use by a large Sydney-based Hosting Provider CONFIDENTIAL 9

10 SDDC Micro-Segmentation Business Case - Sample Data Center Environment Firewall Throughput Required for Micro-Segmentation Number of VMs 1,000 Average Application Throughput per Host 7 Gbps Number of VMs per CPU 5 Throughput Required to Support All VMs 700 Gbps Number of CPUs per Host 2 Segmentation Ratio (% of VMs requiring FW controls) 40% Number of Hosts 100 Effective Firewall Throughput Requirement 280 Gbps Firewalls Required (20Gbps each x2 for HA) 28 Firewalls Firewall Cost List Price of 20Gbps Firewalls $150,000 Total CAPEX for Firewalls $4,200,000 Note: Operationally Infeasible NSX Cost List Cost for NSX Platform ~$1,300,000 Note: Operationally Easy to Deploy 3x Difference in CAPEX Cost 10 Confidential

11 Large US Financial 25,000 VM deployment $10m investment in NSX $50m savings over 5 years NSX improved host utilisation from 9:1 to 14:1 NSX helped avoid hardware refresh on ESX hosts, Load Balancers, Network hardware SDDC helped reduce labour costs by $8m 15 month PoC which morphed into full SDDC PoC (vcac, vco, vcops, LogInsight) 11 Confidential

12 Rackspace Deliver enterprise-class private networking in a public, multi-tenant cloud. NVP, combined with OpenStack is a game changer. Together we are bringing enterprise private networking to the cloud. LEW MOORMAN PRESIDENT, RACKSPACE Rackspace Cloud Networks $15-$20 million a year savings by not overprovisioning servers

13 Improved Server Utilization less overprovisioning of servers Without Network Virtualization 60% Asset Utilization With Network Virtualization 90% Asset Utilization

14 Data Centre Security A Better Way CONFIDENTIAL 14

15 Yesterday s Model for DC Security Hard Shell on the Outside Physical Workloads Soft on the Inside

16 Secure Micro-Segmentation in the Data Center Uncontrolled Communication

17 Secure Micro-Segmentation in the Data Center Operationally Infeasible

18 Secure Micro-Segmentation with VMware NSX Controlled Communication Scale-Out Performance Automated Operational Model

19 NSX Distributed Firewall Overview Hypervisor Kernel Embedded Firewall: Built directly in to the Hypervisor Near Line-Rate Performance Removes dependence on Guest based Firewall L2-4 Stateful East/West Firewalling Distributed to Every VM: No Choke Point Policy independent of VM location Enforcement closest to VM Removes Tromboning

20 Distributed Firewall - Use Cases

21 Isolation Segmentation Service Insertion Dev Web Web Test App App Production DB DB No Communication Path Controlled Communication Path Advanced Services Controlled Communication Path 21

22 NSX Distributed Firewall for vmotion Hypervisor-based, in kernel distributed firewalling Platform-based automated provisioning and workload adds/moves/changes Security Policy Cloud Management Platform Internet Perimeter Firewalls 22

23 NSX Distributed Firewall: Better Load Distribution PCI Non-PCI Private CONFIDENTIAL 23

24 Automated Security in a Software Defined Data Center Data Center Micro-Segmentation CONFIDENTIAL 24

25 Network-Segmentation or Micro-Segmentation Web VM VM VM NSX Load Balancer Multi-Tier, Multi-subnet App Database VM VM VM NSX Distributed Router Or Multi-Tier, Single-subnet Web App DB VM VM VM VM VM VM NSX Load Balancer CONFIDENTIAL 25

26 Current SDN Technologies CONFIDENTIAL 26

27 Data Plane Control Plane Management Consumption Software Defined Networking - Layers How an end user consumes SDN Build Networks and security services via WebUI, REST API (XML, JSON), Python Scripts etc e.g. vrealize Automation, CloudForms, ServiceMesh, CloudFoundry Configuration interface REST XML API or WebUI e.g. vcenter, NSX manager, APIC, Openstack Programs Data Plane Provides: API North side, Openflow or Proprietary Southbound e.g. NSX Controller, ACI N9K Spine sw., Contrail, OpenDaylight Forwards Packets Provides: workload connectivity & services processing e.g. hypervisors, physical switches and appliances 27

28 Hardware-based SDN H DN? CONFIDENTIAL 28

29 VMware NSX CONFIDENTIAL 29

30 The anatomy of the most agile & efficient data centers is SDDC Google / Facebook / Amazon Data Centers Custom Application Software / Hardware Abstraction Custom Platform Software / Hardware Abstraction Facebook 6-pack : the first open hardware modular switch. 12 switching elements, 1.28Tbits/s each Any x86 Any Storage Any IP network

31 New IT will be SDDC Software Defined Data Center (SDDC) Any Application SDDC Platform Data Center Virtualization Public Data Center Any Application Hybrid- Data Center Any Application Any x86 Any x86 Any x86 Any Storage Any Storage Any Storage Any IP network Any IP network Any IP network

32 NSX Service Composer CONFIDENTIAL 32

33 NSX Service Composer Security services are consumed more efficiently in a software-defined datacenter Apply Deploy Automate Security Groups Security Policies Service Insertion Security Tags VMware Network and Security Platform Extensibility CONFIDENTIAL 33

34 NSX Service Composer Canvas View

35 NSX Service Composer Security Group Security Group (SG) - Container of VMs by IP, Security tag, switch etc Defines what you want to protect. e.g. PCI DSS Zone, DMZ, Quarantine Zone Included Security Groups - Nested containers e.g. Quarantine Zone is a sub group within PCI DSS Zone Security Policies collection of Security Policy Objects (SPOs) assigned to this Security Group. How you want to protect this container Can have multiples with weighting e.g. PCI Compliance Policy Guest Introspection Anti-virus Vulnerability Management Data Loss Prevention (DLP) Firewall Rules Inbound, Outbound, Intra-Zone Allow, Deny, and Log Virtual Machines that belong to this container. e.g. Apache-Web-VM, Exchange Server-vM Network Introspection 3 rd party services integrated via NetX Intrusion Prevention (IPS), Nextgen F/W WAN optimization, load balancing services.

36 Automated Security in a Software Defined Data Center Quarantine Vulnerable Systems until Remediated Security Group = Virtual_Desktops Members = {Connected to VDI-01-Logical- Switch} Policy = Standard Desktop Security Group = Quarantine Zone Members = {Tag = ANTI_VIRUS.VirusFound } Policy = Quarantine Zone Policy Standard Desktop Anti-Virus Scan Policy Quarantine Zone Firewall Permit remediation, deny all Anti-Virus Scan and remediate 36

37 Building a Zero-Trust Model CONFIDENTIAL 37

38 Forrester Zero Trust Model In short, Zero Trust flips the mantra "trust but verify" into "verify and never trust."

39 Zero-Trust with NSX Stage 1 CONFIDENTIAL 39

40 Zero-Trust with NSX Stage 2 CONFIDENTIAL 40

41 Zero-Trust with NSX Stage 3 CONFIDENTIAL 41

42 Zero-Trust with NSX Stage 4 CONFIDENTIAL 42

43 Resulting Policy CONFIDENTIAL 43

44 Layer 4 7 Advanced Services Insertion NSX and Palo Alto Networks VM Series Firewall NSX Mgr Internet Optimal Traffic Steering Web Tier Rule1: Any to Web PAN Insertion Rule2: Web to App DFW Permit App Distributed Firewall DB Rule3: Web to Web DFW Deny VM VM Web 44 VM VM

45 Real-world Example of Firewall Sprawl 22 Firewalls!

46 North/South Complexity driven by applications / E-W traffic flows East-West traffic hairpins across the perimeter Firewall Complex static inter zone routing Requires punching holes across security zones Internal security zones exposed on perimeter devices East/West

47 Zero-Trust Model Implementation with NSX Any devices over any networks App gateways and perimeter devices Admin jump points Edge Transport Routing and AV/AS 443 Client Access Client connectivity Web services 389, 3268, 88, 53, 135 To AD RPC Hub Transport Routing and policy 135 Mailbox Storage of mailbox items 5060, , dynamic Unified Messaging Voice mail and voice access 808 Exchange Applications Common Services EDS AD DB

48 In Summary A Good Security Approach Requires Zero-Trust: Don t Trust Anyone, Verify Always Control at the Perimeter alone is not enough NSX with Distributed Firewall Provides Easy Enforcement of East/West Policy Security Policy that Follows the Workload Enforcement at the Smallest Unit of Trust Easy Hardening of Data Centre Core through Micro-segmentation Integration with Best-of-Breed Security Vendors CONFIDENTIAL 48

49 Thankyou!