Advancing Security with Software Defined Datacenter Karen Law Senior Systems Consultant VMware Hong Kong Ltd
AGENDA
1. Why Micro-segmentation?
2. Understanding SDDC Network Virtualization
3. Why Network Hypervisor?
4. Use Cases
BREACHES OCCUR IN DATA CENTERS
Today's data centers are protected by strong perimeter defense, but threats and exploits still infect servers:
1. Targeted system: low-priority systems are often the initial target, and SSL is no guarantee of protection.
2. Threats can lie dormant, waiting for the right moment to strike.
3. Attacks spread inside the data center, where internal controls are often weak.
4. Critical system: critical systems are targeted. Server-to-server (east-west) traffic growth has outpaced client-server traffic.
5. The attack spreads and goes unnoticed.
6. Possibly after months of reconnaissance, the infiltration relays secret data to the attacker.
THE PROBLEM: NETWORK SECURITY
Perimeter-centric network security has proven insufficient. Today's security model focuses on perimeter defense, but continued security breaches show this model is not enough.
[Chart: IT spend vs. security spend vs. security breaches]
THE SOLUTION: MICRO-SEGMENTATION
A new model for data center security.
Starting assumption: assume everything is a threat and act accordingly.
Design principles:
1. Isolation and segmentation
2. Unit-level trust / least privilege
3. Ubiquity and centralized control
HOWEVER, micro-segmentation has not been operationally feasible. A typical data center has 2 firewalls vs. 1000 workloads. Directing all traffic (virtual + physical) through chokepoint firewalls is inefficient, and a physical firewall per workload is cost prohibitive.
SDDC APPROACH FOR MICRO-SEGMENTATION
Data plane: distributed switching, routing and firewalling in the hypervisor.
Control plane and management plane: NSX Manager, vCenter.
Physical workloads and VLANs.
AGENDA (section 2): Understanding SDDC Network Virtualization
[Figure slides, titles only:]
NETWORK CAPACITY
COMPUTE CAPACITY
DATA CENTER VIRTUALIZATION LAYER
A NETWORK HYPERVISOR
OPERATION MODEL OF A VM
NON-DISRUPTIVE DEPLOYMENT
PROGRAMMATICALLY PROVISION
SERVICE DISTRIBUTION TO VIRTUAL SWITCH
BETTER SECURITY: NATIVE ISOLATION
[Figure: two isolated logical networks, each containing hosts 192.168.2.10 and 192.168.2.11; the overlapping addresses do not conflict because the logical networks are isolated from each other.]
SECURITY SERVICE DISTRIBUTION
AGENDA (section 3): Why Network Hypervisor?
THE GOLDILOCKS ZONE
[Figure: "Too Hot" at one extreme, "Too Cold" at the other]
HYPERVISOR IS THE SECURITY GOLDILOCKS ZONE
Software Defined Data Center (SDDC): network and security services are now in the hypervisor.
SDDC platform: any application on top; a data center virtualization layer providing L2 switching, L3 routing, firewalling/ACLs and load balancing; any x86 compute, any storage and any IP network underneath.
SDDC approach: high context, high isolation, ubiquitous enforcement.
MISSION IMPOSSIBLE TO POSSIBLE
Micro-segmentation is possible with a network hypervisor.
[Figure: a perimeter-only data center with little or no lateral controls inside the perimeter, versus the same data center with micro-segmentation]
BENEFITS BY NETWORK HYPERVISOR
Isolation: Dev, Test and Production environments with no communication path between them.
Segmentation: Web, App and DB tiers with a controlled communication path between them.
Segmentation with advanced services: Web, App and DB tiers with a controlled communication path that passes through advanced services.
AGENDA (section 4): Use Cases
SIMPLIFY DATA CENTER NETWORK
[Figure: Production, Development, Finance and HR groups, each with Web, App and DB tiers]
Security policies are no longer tied to network topology. Logical groups can be defined. This prevents threats from spreading.
ADVANCED DATA CENTER PROTECTION
Security Group = Web Tier. Policy definition:
Standard desktop VM policy: anti-virus scan.
Quarantined VM policy: firewall blocks all except security tools; anti-virus scan and remediate.
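The micro-segmentation model of the earlier slides (isolation between environments, controlled paths between Web, App and DB tiers, logical groups that are not tied to topology, and a quarantine policy that blocks all but the security tools) can be written down as a small policy engine. The following is an added example, not VMware or NSX code and not its API: it models a distributed firewall that evaluates every new connection at the source VM against an ordered rule table, where security groups are predicates over tags rather than address ranges. All group names, tag strings, VM names and addresses are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class VM:
    name: str
    ip: str                 # kept only for display; policy never keys on it
    tags: FrozenSet[str]


@dataclass(frozen=True)
class Rule:
    src_group: str          # security group name, or "any"
    dst_group: str
    port: Optional[int]     # None = any destination port
    action: str             # "allow" or "deny"


# Security groups are predicates over tags, not address ranges, so a
# workload keeps its policy when it is moved or re-addressed.
# Group names and tag strings are assumptions made for this example.
GROUPS: Dict[str, Callable[[VM], bool]] = {
    "any":            lambda vm: True,
    "web":            lambda vm: "tier:web" in vm.tags and "env:prod" in vm.tags,
    "app":            lambda vm: "tier:app" in vm.tags and "env:prod" in vm.tags,
    "db":             lambda vm: "tier:db" in vm.tags and "env:prod" in vm.tags,
    "dev":            lambda vm: "env:dev" in vm.tags,
    "security_tools": lambda vm: "role:secops" in vm.tags,
    "quarantine":     lambda vm: "quarantine" in vm.tags,
}

# Ordered rule table, first match wins, enforced at every VM's vNIC.
# Anything not listed falls through to the implicit deny at the end of
# evaluate(): "assume everything is a threat and act accordingly".
POLICY: List[Rule] = [
    # Quarantined VM policy: block everything except the security tools.
    Rule("security_tools", "quarantine", None, "allow"),
    Rule("quarantine", "security_tools", None, "allow"),
    Rule("quarantine", "any", None, "deny"),
    Rule("any", "quarantine", None, "deny"),
    # Production three-tier segmentation: adjacent tiers only, one port each.
    Rule("web", "app", 8080, "allow"),
    Rule("app", "db", 5432, "allow"),
    # Dev talks to dev only; with no dev->prod rule, prod is unreachable from dev.
    Rule("dev", "dev", None, "allow"),
]


def groups_of(vm: VM) -> FrozenSet[str]:
    return frozenset(name for name, member in GROUPS.items() if member(vm))


def evaluate(src: VM, dst: VM, port: int) -> str:
    """Decide a new connection from src to dst:port. Return traffic of an
    allowed connection is assumed to be handled statefully and is not modelled."""
    src_groups, dst_groups = groups_of(src), groups_of(dst)
    for rule in POLICY:
        if (rule.src_group in src_groups and rule.dst_group in dst_groups
                and (rule.port is None or rule.port == port)):
            return rule.action
    return "deny"           # implicit default deny


def quarantine(vm: VM) -> VM:
    """What an AV/IPS integration does on a detection: it only adds a tag;
    the quarantine rules apply as soon as the tag is present."""
    return VM(vm.name, vm.ip, vm.tags | {"quarantine"})


def move(vm: VM, new_ip: str) -> VM:
    """VM moved to another host or subnet: the address changes, the tags do not."""
    return VM(vm.name, new_ip, vm.tags)


# Constructed sample inventory (not real addresses or hostnames).
WEB1 = VM("prod-web-1", "10.1.1.10", frozenset({"tier:web", "env:prod"}))
WEB2 = VM("prod-web-2", "10.1.1.11", frozenset({"tier:web", "env:prod"}))
APP1 = VM("prod-app-1", "10.1.2.10", frozenset({"tier:app", "env:prod"}))
DB1 = VM("prod-db-1", "10.1.3.10", frozenset({"tier:db", "env:prod"}))
DEV1 = VM("dev-web-1", "10.9.1.10", frozenset({"tier:web", "env:dev"}))
SCANNER = VM("secops-scanner", "10.0.0.5", frozenset({"role:secops"}))


def lateral_movement_report() -> Dict[str, str]:
    """Flows an attacker on a compromised web VM would try, with the verdicts."""
    return {
        "web->app:8080 (intended path)":   evaluate(WEB1, APP1, 8080),
        "web->db:5432 (skip a tier)":      evaluate(WEB1, DB1, 5432),
        "web->web:22 (peer in same tier)": evaluate(WEB1, WEB2, 22),
        "dev->prod-db:5432":               evaluate(DEV1, DB1, 5432),
        "moved web->app:8080":             evaluate(move(WEB1, "10.7.7.7"), APP1, 8080),
        "quarantined web->app:8080":       evaluate(quarantine(WEB1), APP1, 8080),
        "scanner->quarantined web:22":     evaluate(SCANNER, quarantine(WEB1), 22),
        "app->quarantined web:8080":       evaluate(APP1, quarantine(WEB1), 8080),
    }


if __name__ == "__main__":
    for flow, verdict in lateral_movement_report().items():
        print(f"{verdict:5s}  {flow}")
```

The report shows the properties the slides claim: a compromised web server reaches only the App tier on its one allowed port, never the DB tier or its own peers; a dev workload has no path into production; re-addressing a VM changes nothing because membership is by tag; and tagging a VM as quarantined cuts it off from everything but the scanner in a single step, with no rule edits. Real distributed firewalls also track connection state and apply the same rules on the destination vNIC, which this toy omits.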
VM MOBILITY IN A SECURE WAY
REMOVE SECURITY HOLE
KEY TAKEAWAYS
Challenge: securing east-west traffic.
Answer: micro-segmentation.
Value: simplified management of security policies; an elastic security solution; enables sophisticated security measures.