Intro to NSX Network Virtualization 2014 VMware Inc. All rights reserved.
Agenda
Introduction: SDDC/Network Virtualization; Security and Micro-segmentation
NSX Overview: NSX and the Goldilocks Zone; Distributed Switching, Routing, Firewall; Micro-segmentation on NSX
Details: Micro-segmentation: SDDC and Micro-segmentation; Isolation; Segmentation; Advanced Services; Use Case 1: Segmentation; Use Case 2: Multi-tenancy; Use Case 3: VDI Security
NSX Operations: Operations and Logging; Audit and Compliance; Distributed Firewall Performance; Partner Integrations
More Information: More information and next steps
CONFIDENTIAL 2
Business leaders want their IT to be like Amazon
Taking what we have learned. New IT is either Internal/Hybrid, as a Software Defined Data Center (SDDC) or a Hardware Defined Data Center (HDDC), or No IT, with everything outsourced.
Server Virtualization
Software (applications, virtual machines): automated operational model. Programmatically create, snapshot, store, move, restore, delete. Intelligence in the virtualization layer; vendor-independent x86 capacity; automated configuration and management. A transformative operational model.
Hardware (compute capacity, network, storage): manual operational model. Intelligence in hardware; dedicated, vendor-specific infrastructure; manual configuration and management.
To deliver a Software Defined Data Center approach: automation and orchestration through RESTful APIs.
Software (applications; virtual machines, virtual networks, virtual storage): automated operational model. Programmatically create, snapshot, store, move, restore, delete.
Hardware (data center virtualization: compute capacity, network capacity, storage capacity): location independence; pooled compute, network and storage capacity; vendor independent, best price/performance; simplified configuration and management.
Network virtualization overview
The Problem: Data Center Network Security. Perimeter-centric network security has proven insufficient.
Breaches still occur in data centers with a secure perimeter:
1. Today's data centers are protected by strong perimeter defense.
2. But threats and exploits still infect servers. Low-priority systems are often the target, and SSL is no guarantee of protection.
3. Threats can lie dormant, waiting for the right moment to strike.
4. Attacks spread inside the data center, where internal controls are often weak. Critical systems are targeted.
5. Server-to-server traffic growth has outpaced client-server traffic. The attack spreads and goes unnoticed.
6. Possibly after months of reconnaissance, the infiltration relays secret data to the attacker.
(Chart: IT spend, security spend and security breaches, all rising.) Today's security model focuses on perimeter defense, but continued security breaches show this model is not enough.
The Solution: Micro-segmentation
But micro-segmentation has been operationally infeasible: directing all traffic (virtual and physical) through chokepoint firewalls is inefficient, and a physical firewall per workload is cost prohibitive.
Until now: micro-segmentation with NSX (vCenter; physical workloads and VLANs).
SDDC is the foundation for Micro-segmentation
NSX: at the Goldilocks Zone of security
(The SDDC stack again: software, with applications and virtual machines, virtual networks and virtual storage under an automated operational model that can programmatically create, snapshot, store, move, restore and delete; hardware, with data center virtualization pooling compute, network and storage capacity.) Location independence; pooled compute, network and storage capacity; vendor independent, best price/performance; simplified configuration and management.
NSX: at the Goldilocks Zone of security
Core services built into the hypervisor kernel: switching, routing, firewalling.
Isolation: fine-grained containment. Ubiquity. Context: better security through insight. An ecosystem of distributed services.
A complete virtual network in software: Logical switching
Logical switching is achieved through overlays. The encapsulated frame is laid out as: Outer MAC header | Outer IP header | UDP header | Overlay header | original L2 frame.
1. The VM sends a standard L2 frame.
2. The source hypervisor adds the overlay/encapsulation headers.
3. The physical network forwards the frame as a standard IP packet.
4. The destination hypervisor de-encapsulates it.
5. The original L2 frame is delivered to the destination VM.
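Steps 2 and 4 above as a worked example in Python. This is added here and is not code from the slides or from VMware; it assumes the VXLAN encapsulation of RFC 7348, which is the overlay NSX for vSphere uses. The VTEP addresses, MACs, VNIs and payloads are constructed sample values, and the UDP destination port 4789 is the IANA assignment rather than a statement about any particular NSX version's default. The Vtep class shows the isolation point: a frame whose VNI has no logical switch on the receiving host is dropped, so two tenants crossing the same physical path never see each other's frames.

```python
import socket
import struct

VXLAN_UDP_PORT = 4789          # IANA-assigned VXLAN port; an assumption about the deployment's setting
VXLAN_FLAG_VNI_VALID = 0x08    # the "I" flag: the VNI field is valid


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 791 ones-complement checksum; returns 0 when run over a header that already carries one."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(inner_frame: bytes, vni: int, src_mac: bytes, dst_mac: bytes,
                src_ip: str, dst_ip: str, src_port: int = 49152) -> bytes:
    """Step 2 of the slide: wrap a VM's L2 frame in outer MAC | IP | UDP | VXLAN headers."""
    if not 0 <= vni < 2 ** 24:
        raise ValueError("VNI must fit in 24 bits")
    vxlan_hdr = struct.pack("!B3sI", VXLAN_FLAG_VNI_VALID, b"\x00" * 3, vni << 8)
    udp_len = 8 + len(vxlan_hdr) + len(inner_frame)
    udp_hdr = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_len, 0)  # zero UDP checksum (IPv4 allows it)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64, 17, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    return dst_mac + src_mac + b"\x08\x00" + ip_hdr + udp_hdr + vxlan_hdr + inner_frame


def decapsulate(frame: bytes):
    """Step 4 of the slide: validate the outer headers and return (src_ip, dst_ip, vni, inner_frame)."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("outer frame is not IPv4")
    ihl = (frame[14] & 0x0F) * 4
    ip_hdr = frame[14:14 + ihl]
    if ipv4_checksum(ip_hdr) != 0:
        raise ValueError("bad outer IP checksum")
    if ip_hdr[9] != 17:
        raise ValueError("outer packet is not UDP")
    _, dport, ulen, _ = struct.unpack("!HHHH", frame[14 + ihl:14 + ihl + 8])
    if dport != VXLAN_UDP_PORT:
        raise ValueError("UDP port is not VXLAN")
    payload = frame[14 + ihl + 8:14 + ihl + ulen]
    flags, _, vni_raw = struct.unpack("!B3sI", payload[:8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag not set")
    src_ip = socket.inet_ntoa(ip_hdr[12:16])
    dst_ip = socket.inet_ntoa(ip_hdr[16:20])
    return src_ip, dst_ip, vni_raw >> 8, payload[8:]


class Vtep:
    """A hypervisor tunnel endpoint: accepts frames only for VNIs that have a logical switch attached."""

    def __init__(self, ip: str, mac: bytes):
        self.ip, self.mac = ip, mac
        self.segments = {}   # vni -> inner frames delivered to VMs on that logical switch
        self.dropped = []

    def attach(self, vni: int):
        self.segments.setdefault(vni, [])

    def receive(self, frame: bytes):
        try:
            _, dst_ip, vni, inner = decapsulate(frame)
        except ValueError as err:
            self.dropped.append(str(err))
            return None
        if dst_ip != self.ip:
            self.dropped.append("not addressed to this VTEP")
            return None
        if vni not in self.segments:
            self.dropped.append("no logical switch for VNI %d" % vni)
            return None
        self.segments[vni].append(inner)
        return inner


def demo():
    """Constructed scenario: two tenants' VNIs cross the same physical path; only the attached VNI is delivered."""
    src = Vtep("10.0.1.10", bytes.fromhex("0050569a0001"))
    dst = Vtep("10.0.1.11", bytes.fromhex("0050569a0002"))
    dst.attach(5001)   # tenant A's logical switch exists on the destination host; tenant B's (5002) does not
    inner = bytes.fromhex("005056aa0002005056aa0001") + b"\x08\x00" + b"tenant-A-payload"
    delivered = dst.receive(encapsulate(inner, 5001, src.mac, dst.mac, src.ip, dst.ip))
    leaked = dst.receive(encapsulate(inner, 5002, src.mac, dst.mac, src.ip, dst.ip))
    return delivered == inner, leaked is None, list(dst.dropped)
```

The checks in decapsulate are the ones a VTEP must make before trusting the VNI: outer IP checksum, UDP port, and the I flag. In a real deployment the VNI is only as trustworthy as the physical transport network, which is why the VTEP transport VLAN is kept separate from anything a tenant can reach.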
A complete virtual network in software: overlay technologies encapsulate L2 packets to isolate traffic flows. Use network isolation for: multi-tenancy; separating highly secure application infrastructures; fault containment.
Distributed routing
A complete virtual network in software: Distributed routing
1. The NSX admin creates a new logical router.
2. A Logical Router Control VM is deployed and exchanges routing updates (OSPF, BGP, IS-IS) with its peers.
3. The logical router control VM sends route updates to the NSX controller, which distributes the routes to the data plane in each hypervisor.
NSX routing: highly available routing with a fully distributed data plane. Forwarding is distributed in each hypervisor, so the control VM is in the path of routing-protocol updates only, not of the traffic itself. Controllers are clustered and can scale out as needed; configuration is central.
A complete virtual network in software: Distributed firewalling
Distributed firewalling is made up of distributed network elements embedded in each hypervisor, so every VM has its own firewall.
NSX firewalling: fully distributed, embedded in every hypervisor in the data center. Firewalls and policies are provisioned simultaneously with their VMs; retiring a VM deprovisions its firewall, so there is no possibility of stale rules. Policies move with their VMs.
Achieving Isolation with NSX
Achieving segmentation with NSX
Configure policy with Security Groups
1. Select elements to uniquely identify application workloads. Element types: static (data center, virtual net, virtual machine, vNIC) and dynamic (VM name, OS type, user ID, security tag).
2. Use attributes to create Security Groups. Example: Group XYZ matches App 1, OS: Windows 8, TAG: Production (groups ABC and DEF are built the same way).
3. Apply policies to security groups. Policy 1: IPS for Desktops, FW for Desktops. Policy 2: AV for Production, FW for Production.
Use security groups to abstract policy from application workloads: enforce policy based on logical constructs; reduce configuration errors; policy follows the VM, not the IP; reduce rule sprawl and complexity.
Automate security operations: ATTRIBUTE (if) then ACTION (then)
Virus found: quarantine the VM with the firewall.
Vulnerability found (old software version, e.g. IIS.EXE): monitor the VM with IPS.
PCI sensitive data found: allow and encrypt*, or restrict access while investigating.
Security operations are automated and adapt to dynamic conditions: automated detection of security conditions (virus, vulnerability, etc.), with security policies defining the automated actions.
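The security-group slide (steps 1 to 3 above) and the if-attribute-then-action slide describe one mechanism: rules reference groups, group membership is computed from VM attributes and tags, and a partner product changing a tag changes the verdict with no rule edit. The following Python model of that evaluation is an added example, not NSX code and not the product's API. The group names, the rule table and the tag string "AV.VirusFound" are hypothetical, as are the VMs and addresses; first-match ordering with a default deny is an assumption about how the policy is laid out.

```python
from dataclasses import dataclass, field


@dataclass
class VM:
    name: str
    os: str
    ip: str
    tags: set = field(default_factory=set)


@dataclass
class SecurityGroup:
    """Static members are listed by VM name; dynamic criteria are (attribute, operator, value) and any match suffices."""
    name: str
    static_members: set = field(default_factory=set)
    criteria: list = field(default_factory=list)

    def contains(self, vm: VM) -> bool:
        if vm.name in self.static_members:
            return True
        for attr, op, value in self.criteria:
            if attr == "tag" and op == "contains" and value in vm.tags:
                return True
            if attr in ("os", "name"):
                actual = getattr(vm, attr)
                if (op == "equals" and actual == value) or (op == "starts_with" and actual.startswith(value)):
                    return True
        return False


@dataclass
class Rule:
    name: str
    src: str        # security group name, or "any"
    dst: str        # security group name, or "any"
    service: object  # (proto, port) tuple, or "any"
    action: str     # "allow" or "deny"


class DistributedFirewall:
    """First-match rule table evaluated per flow; the default action applies when nothing matches."""

    def __init__(self, groups, rules, default="deny"):
        self.groups, self.rules, self.default = groups, rules, default

    def groups_of(self, vm: VM) -> set:
        return {g.name for g in self.groups if g.contains(vm)}

    def evaluate(self, src: VM, dst: VM, proto: str, port: int):
        sg, dg = self.groups_of(src), self.groups_of(dst)
        for r in self.rules:
            if r.src != "any" and r.src not in sg:
                continue
            if r.dst != "any" and r.dst not in dg:
                continue
            if r.service != "any" and r.service != (proto, port):
                continue
            return r.action, r.name
        return self.default, "default"


# Hypothetical groups and rules. Quarantine rules sit first so they win over every application rule.
GROUPS = [
    SecurityGroup("Quarantine", criteria=[("tag", "contains", "AV.VirusFound")]),  # hypothetical tag name
    SecurityGroup("Desktops", criteria=[("os", "starts_with", "Windows")]),
    SecurityGroup("Production", criteria=[("tag", "contains", "Production")]),
    SecurityGroup("SecOps", static_members={"sec-scanner"}),
]
RULES = [
    Rule("secops-to-quarantine", "SecOps", "Quarantine", "any", "allow"),   # investigators keep access
    Rule("quarantine-out", "Quarantine", "any", "any", "deny"),
    Rule("quarantine-in", "any", "Quarantine", "any", "deny"),
    Rule("desktop-https-to-prod", "Desktops", "Production", ("tcp", 443), "allow"),
    Rule("desktop-to-prod-other", "Desktops", "Production", "any", "deny"),
    Rule("prod-east-west", "Production", "Production", "any", "allow"),
]


def scenario():
    """Constructed walk-through: policy follows the VM across an IP change and reacts to a tag change."""
    dfw = DistributedFirewall(GROUPS, RULES)
    win01 = VM("win-01", "Windows 8", "10.1.1.10")
    app01 = VM("app-01", "Linux", "10.2.2.10", {"Production"})
    scanner = VM("sec-scanner", "Linux", "10.9.9.9")
    out = {}
    out["https"] = dfw.evaluate(win01, app01, "tcp", 443)
    out["rdp"] = dfw.evaluate(win01, app01, "tcp", 3389)
    app01.ip = "10.3.3.10"                 # VM moved to another subnet: no rule ever referenced the IP
    out["https_after_move"] = dfw.evaluate(win01, app01, "tcp", 443)
    win01.tags.add("AV.VirusFound")        # AV partner tags the VM: it joins Quarantine with no rule edit
    out["https_quarantined"] = dfw.evaluate(win01, app01, "tcp", 443)
    out["scanner_to_quarantined"] = dfw.evaluate(scanner, win01, "tcp", 22)
    win01.tags.discard("AV.VirusFound")    # tag cleared after remediation: access is restored
    out["https_restored"] = dfw.evaluate(win01, app01, "tcp", 443)
    return out
```

Two things the model makes visible that the slides only assert: the quarantine rules must be ordered above the application rules or the desktop-to-production allow would still match a tagged VM, and whoever can write the tag (here the AV product) effectively writes the policy, so the integration's credentials deserve the same care as the firewall administrator's.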
Advanced services insertion
Traditional data center: a static service chain. NSX data center: a dynamic service chain (services 1, 2, 3 inserted as conditions require).
NSX enables dynamic actions to respond to changing security conditions: a flexible service chain that adapts to changing conditions, for more efficient use of services, and a platform for integrating the leading security products, for better security by sharing tags.
Use case 1: Network segmentation. Controlling traffic within a network: control traffic between groups within a network; secure traffic based on logical grouping rather than physical topology; create network segments flexibly, even between systems on the same VLAN.
Use case 2: Multi-tenancy with segmentation and advanced services. (Diagram of tenant segments, including one labelled External Contractor 2.)
Security Operations: centralized operations and workflow plug into existing infrastructure.
vCenter and NSX Manager: centralized configuration and policy.
Distributed services send system events, audit logging and firewall messages to syslog and NetFlow collectors and to audit/compliance tooling, for centralized monitoring and reporting.
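What a collector can do with those firewall messages, as an added example that is not part of the deck: parse distributed-firewall packet-log lines, count drops per rule, and flag internal sources whose dropped flows touch many ports or many hosts, which is the east-west spread the breach slides describe going unnoticed. The log lines are constructed. Their layout is modelled on the dfwpktlogs output of NSX for vSphere (timestamp, "INET match", action, rule id, direction, length, protocol, src/port->dst/port); treat the exact field order as an assumption and adjust the regex to what your version emits.

```python
import re
from collections import Counter, defaultdict

# Matches the packet-log layout assumed above; lines that do not match (e.g. session terminations) are skipped.
LOG_RE = re.compile(
    r"INET match (?P<action>PASS|DROP) (?P<rule>\S+) (?P<dir>IN|OUT) (?P<len>\d+) "
    r"(?P<proto>[A-Z]+) (?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

# Constructed sample: one desktop probing six ports on one server, one behaving normally,
# one sweeping SMB across five servers, plus one line the regex intentionally does not match.
SAMPLE_LOG = """\
2014-10-08T18:36:00.004Z esx-01 dfwpktlogs: INET match DROP domain-c7/1012 IN 60 TCP 10.1.1.10/51002->10.2.2.10/22 S
2014-10-08T18:36:00.210Z esx-01 dfwpktlogs: INET match DROP domain-c7/1012 IN 60 TCP 10.1.1.10/51003->10.2.2.10/23 S
2014-10-08T18:36:00.415Z esx-01 dfwpktlogs: INET match DROP domain-c7/1012 IN 60 TCP 10.1.1.10/51004->10.2.2.10/135 S
2014-10-08T18:36:00.620Z esx-01 dfwpktlogs: INET match DROP domain-c7/1012 IN 60 TCP 10.1.1.10/51005->10.2.2.10/139 S
2014-10-08T18:36:00.830Z esx-01 dfwpktlogs: INET match DROP domain-c7/1012 IN 60 TCP 10.1.1.10/51006->10.2.2.10/445 S
2014-10-08T18:36:01.040Z esx-01 dfwpktlogs: INET match DROP domain-c7/1012 IN 60 TCP 10.1.1.10/51007->10.2.2.10/3389 S
2014-10-08T18:36:02.000Z esx-01 dfwpktlogs: INET match PASS domain-c7/1005 IN 60 TCP 10.1.1.11/50001->10.2.2.10/443 S
2014-10-08T18:36:02.500Z esx-01 dfwpktlogs: INET match PASS domain-c7/1005 IN 60 TCP 10.1.1.11/50002->10.2.2.11/443 S
2014-10-08T18:36:03.000Z esx-01 dfwpktlogs: INET match DROP domain-c7/1012 IN 60 TCP 10.1.1.11/50003->10.2.2.10/3389 S
2014-10-08T18:36:04.000Z esx-02 dfwpktlogs: INET match DROP domain-c7/1013 IN 60 TCP 10.1.1.12/52001->10.2.2.10/445 S
2014-10-08T18:36:04.100Z esx-02 dfwpktlogs: INET match DROP domain-c7/1013 IN 60 TCP 10.1.1.12/52002->10.2.2.11/445 S
2014-10-08T18:36:04.200Z esx-02 dfwpktlogs: INET match DROP domain-c7/1013 IN 60 TCP 10.1.1.12/52003->10.2.2.12/445 S
2014-10-08T18:36:04.300Z esx-02 dfwpktlogs: INET match DROP domain-c7/1013 IN 60 TCP 10.1.1.12/52004->10.2.2.13/445 S
2014-10-08T18:36:04.400Z esx-02 dfwpktlogs: INET match DROP domain-c7/1013 IN 60 TCP 10.1.1.12/52005->10.2.2.14/445 S
2014-10-08T18:36:09.000Z esx-01 dfwpktlogs: INET TERM domain-c7/1005 OUT TCP RST 10.1.1.11/50001->10.2.2.10/443
"""


def parse_log(text: str) -> list:
    """Return one dict per matching line; non-matching lines are dropped rather than guessed at."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            records.append(rec)
    return records


def analyze(text: str, min_ports: int = 5, min_hosts: int = 3) -> dict:
    """Drops per rule, plus sources whose DROPs span many ports (vertical scan) or hosts (horizontal sweep)."""
    records = parse_log(text)
    drops_by_rule = Counter(r["rule"] for r in records if r["action"] == "DROP")
    ports, hosts = defaultdict(set), defaultdict(set)
    for r in records:
        if r["action"] == "DROP":
            ports[r["src"]].add((r["proto"], r["dport"]))
            hosts[r["src"]].add(r["dst"])
    probing = {
        src: {"ports": len(ports[src]), "hosts": len(hosts[src])}
        for src in ports
        if len(ports[src]) >= min_ports or len(hosts[src]) >= min_hosts
    }
    return {"parsed": len(records), "drops_by_rule": dict(drops_by_rule), "probing_sources": probing}
```

The rule id in each line is what ties a drop back to the policy that caused it, so per-rule counts also double as a check that the quarantine and segmentation rules are actually being hit. Thresholds like five ports or three hosts are starting points; tune them against a baseline of your own east-west traffic before alerting on them.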
Distributed firewall performance (chart: y-axis 0 to 140, unit not given on the slide, against 1 to 4 VMs per host, for rule sets of 100, 250 and 500 rules).
Partner integrations: NSX is the platform for integrating advanced security services from the partner ecosystem.
Next-generation IPS: granular protection of individual VM workloads with customizable policy definitions; automation of advanced malware interception; unified management for physical and virtual sensors.
Vulnerability management: automatic vulnerability risk assessment; data-center-wide real-time risk visibility; auto-segmentation of risky assets; vulnerability prioritization for effective remediation.
Next-generation firewall: multiple threat prevention disciplines including firewall, IPS and anti-malware; safe application enablement with continuous content inspection for all threats; granular user-based controls for apps, content and users.
Malware protection: data center security with agentless anti-malware and guest network threat protection; real-time, dynamic threat protection and response for workloads moving between hosts and virtual data centers.
Malware protection, single virtual appliance providing agentless: anti-malware with URL filtering; vulnerability and software scanning; detection of file changes; intrusion detection and prevention.
VMware NSX Ecosystem Technology Partners
VMware Named a Visionary in Gartner's Magic Quadrant for Data Center Networking, positioned the furthest for completeness of vision. Gartner Magic Quadrant for Data Center Networking by Mark Fabbi, Tim Zimmerman and Andrew Lerner, April 24, 2014. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from VMware, Inc.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
More information: www.vmware.com/products/nsx/ and #virtualizeyournetwork. Learn how WestJet secured their network with NSX. Certification and Training: www.vmware.com/go/nvtraining
(Closing cartoon caption) "It's our Cisco upgrade plan." "Or, we could virtualize it."