Network Virtualization? But Securely! (Netzwerkvirtualisierung? Aber mit Sicherheit!)
Speakers: Markus Schönberger, Advisory Technology Consultant, Trend Micro; Stephan Bohnengel, Sr. Network Virtualization SE, VMware
Agenda
- Background and basic introduction to network virtualization: why network virtualization?
- Insight on micro-segmentation: why micro-segmentation?
- NSX security tags: dynamic security group inclusion and why it matters
- Deep Security 9.5 and NSX: keep responsibilities where they belong
The Software-Defined Data Center Approach: the ideal architecture for the hybrid cloud (private cloud, hybrid cloud, public cloud)
- All infrastructure services virtualized: compute, networking, storage
- Platform management and automation: control of the data center is automated by software (management, security)
- A unified platform for existing and new apps, delivered to many devices
NSX: The Strategic Platform for the Next Generation Data Center
- Automation: provision or repurpose generic physical capacity on demand; reduce infrastructure provisioning time from weeks to minutes
- Micro-segmentation / security: NSX makes network security inside the data center perimeter operationally feasible
- Self-service cloud (vRealize Automation or OpenStack); reduce RTO by 80%
- Beyond the data center: live-migrate workloads to a new data center without changing IP addresses
NSX provides a faithful reproduction of network and security services in software: switching, routing, load balancing, connectivity to physical networks, management (APIs, UI, policies, groups, tags), firewalling, VPN, data security, activity monitoring
VMware NSX: Virtualize the Network
- Logical switching
- Logical routing
- Load balancing
- Physical to virtual
- Firewalling and security
- One-click deployment via a cloud management platform
Problem: Data Center Network Security
Perimeter-centric network security has proven insufficient, and micro-segmentation has been operationally infeasible: between the Internet-facing perimeter and the workloads there are little or no lateral controls.
Solution: Advanced Security Services Insertion through Micro-Segmentation
Deep Security services inserted via traffic steering: anti-malware, vulnerability and software scanning, file integrity monitoring, intrusion prevention/detection. The security admin defines the security policy; NSX steers the traffic.
Automated Security in a Software-Defined Data Center
- Security Group = Quarantine Zone; Members = {Tag = ANTI_VIRUS.VirusFound, L2 Isolated Network}
- Security Group = Web Tier
- Policy definition:
  - Standard Desktop VM Policy: anti-virus scan
  - Quarantined VM Policy: firewall blocks all traffic except security tools; anti-virus scan and remediate
Quarantine vulnerable systems until remediated by combining NSX tagging with Deep Security advanced detection capabilities.
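The quarantine workflow on this slide, modelled as an added Python example (not VMware's or Trend Micro's code): a Deep Security anti-malware event sets or clears the NSX tag, dynamic group membership is re-evaluated from the tag, and the effective firewall decision changes without an admin editing any group. Only the tag name ANTI_VIRUS.VirusFound and the group names come from the slide; the VM/policy data model, the destination names and the precedence rule (Quarantine Zone wins over tier groups) are assumptions of this example.

```python
from dataclasses import dataclass, field

# Constructed model of tag-driven dynamic security-group inclusion.
# Tag and group names follow the slide; everything else is an assumption.
QUARANTINE_TAG = "ANTI_VIRUS.VirusFound"
SECURITY_TOOLS = {"deep-security-appliance"}   # assumed name of the security tool endpoint

@dataclass
class VM:
    name: str
    tier: str                              # static membership criterion, e.g. "web"
    tags: set = field(default_factory=set)  # NSX security tags applied to this VM

# Policy per security group: explicit allow-list, everything else blocked.
POLICIES = {
    "Quarantine Zone": {"allow": SECURITY_TOOLS},               # block all except security tools
    "Web Tier":        {"allow": {"app-tier", "internet"}},     # assumed web-tier allow-list
}

def security_groups(vm):
    """Dynamic inclusion: membership is derived from tags and tier on every
    call, so adding or removing the tag moves the VM between groups."""
    groups = []
    if QUARANTINE_TAG in vm.tags:
        groups.append("Quarantine Zone")   # assumed to take precedence over tier groups
    if vm.tier == "web":
        groups.append("Web Tier")
    return groups

def is_allowed(vm, destination):
    """Effective firewall decision: the first matching group decides,
    and a group allows only what is on its allow-list (default deny)."""
    for group in security_groups(vm):
        return destination in POLICIES[group]["allow"]
    return False   # VM in no group: default deny

def on_antimalware_event(vm, virus_found):
    """Deep Security detection sets the NSX tag; remediation clears it.
    Returns the VM's resulting group membership."""
    if virus_found:
        vm.tags.add(QUARANTINE_TAG)
    else:
        vm.tags.discard(QUARANTINE_TAG)
    return security_groups(vm)

if __name__ == "__main__":
    web = VM("web-01", "web")
    on_antimalware_event(web, True)
    print(security_groups(web), is_allowed(web, "internet"), is_allowed(web, "deep-security-appliance"))
```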
How Deep Security works
- A virtual appliance is deployed and gains visibility into the VMware environment using APIs
- Policies, rules, events and tasks are managed via a single console
- Updates across all capabilities are provided to the virtual appliance
- Scans are performed by the virtual appliance
- All events can be shared with a SIEM
- Integrates with VMware via vSphere, vCenter and vCloud Director; integrates with LDAP and SIEM; uses an Oracle or SQL database
Deep Security 9.5 for VMware NSX
NSX services: logical switching, logical routing, logical load balancer, logical VPN, logical firewall
Deep Security 9.5 services: anti-malware with web reputation, firewall, intrusion prevention, integrity monitoring, vulnerability and app inventory scan
Benefits: auto deployment, no hypervisor install, no reboot, fine-grained control, automation through tagging
Optimize data center environment resources: how do you address the bottlenecks created by traditional security capabilities?
Use agentless security to reduce system load: the affected metrics are ESXi network usage, scan speed and SAN IOPS against the shared disk storage.
Trend Micro provides capabilities to address threats, meet compliance, and support security best practices
- Anti-malware with web reputation: timely protection against new malware being created and used to attack systems and steal data
- Intrusion prevention: shield vulnerabilities from attack with auto-updating security policies to ensure the right protection is applied to the right servers
- Host-based firewall: create a firewall perimeter around each server to block attacks and limit communication to only the ports and protocols necessary
- Integrity monitoring: meet your compliance monitoring requirements and ensure unauthorized system changes are detected and reported
- Log inspection: isolate security-relevant events in system logs to quickly identify suspicious behavior as well as meet compliance requirements
Deep Security Intrusion Prevention: protect against vulnerabilities
- Detection and prevention of protocol violations and attacks
- Automated recommendation and deployment of rules, based on your specific environment
- Large set of pre-configured rules, with automatic categorization and ranking for easy implementation
- Virtual patching to protect before you patch
- Smart filtering using behavioral, statistical, heuristic and protocol enforcement to stop attacks and reduce false positives
- Logging for audit and compliance, with forwarding to a SIEM
Protect against vulnerabilities before you patch
- Reduce the risk of exposure to vulnerability exploits, especially as you scale
- Save money by avoiding costly emergency patching
- Patch at your convenience
Timeline figure: Vulnerability Disclosed or Exploit Available -> Patch Available -> Test -> Begin Deployment -> Complete Deployment -> Soak -> Patched; the exposure window until the patch is in place is covered by virtually patching with Trend Micro Intrusion Prevention.
All controls from a single management platform
- Monitor all controls with a comprehensive dashboard and built-in alerting
- Provide continuous protection for each VM, no matter what state or location it is in
- No need for security admins to have deep virtualization knowledge
Cloud and Data Center Security, across physical, virtual, private cloud and public cloud: anti-malware, intrusion prevention, web reputation, integrity monitoring, log inspection, firewall. Shared between security and data center operations.
#1 in corporate server security market share (31%). Source: IDC, Worldwide Endpoint Security 2013-2017 Forecast and 2012 Vendor Shares, Figure 2, doc #242618, August 2013
Thank You