VMware Software Defined Network Dejan Grubić VMware Systems Engineer for Adriatic
The Transformation of Infrastructure Infrastructure Servers Clouds Be more responsive to business, change economics of IT Fast Workload Provisioning weeks to minutes Unlimited Workload Placement & Mobility Any Hardware or Topology
Network virtualization overview Application Application Application Workload Workload Workload x86 Environment Software L2, L3, L4-7 Network Services Virtual Machine Virtual Machine Virtual Machine Virtual Network Virtual Network Virtual Network Server Hypervisor Requirement: x86 Decoupled Network Hypervisor Requirement: IP Transport Hardware General Purpose Server Hardware General Purpose Networking Hardware
NSX Components Cloud Consumption Self Service Portal vcloud Automation Center, OpenStack, Custom CMS Logical Network Management Plane Control Plane NSX Manager NSX Controller Single configuration portal REST API entry-point Manages Logical networks Control-Plane Protocol Separation of Control and Data Plane Data Plane Distributed Services Logical Switch Distributed Logical Router Firewall NSX Edge High Performance Data Plane Scale-out Distributed Forwarding Model ESXi Hypervisor Kernel Modules Physical Network
Provides A Faithful Reproduction of Network & Security Services in Software Switching Routing Firewalling Load Balancing VPN Connectivity to Physical
A complete virtual network in software: Logical switching
Logical switching achieved through overlays L2 Frame Outer MAC HDR Outer IP HDR UDP HDR Overlay HDR L2 Frame L2 Frame 1 2 Overlay Encapsulated Frame 3 4 5 VM Sends a standard L2 Frame Source Hypervisor adds overlay/encapsulation Physical Network forwards frame as standard IP frame Destination Hypervisor de-encapsulates headers Original L2 Frame delivered to VM Overlay technologies encapsulate L2 packets to isolate traffic flows. Use network isolation for: Multi-tenancy Fault containment CONFIDENTIAL Separating highly secure application infrastructures
Distributed routing A Logical Router Control VM is deployed and exchanges routing updates with peers. OSPF BGP ISIS The NSX admin creates a new logical router. The logical router VM sends route updates to the NSX controller which distributes the routes to each hypervisor data plane. NSX routing: Highly available routing with fully distributed data plane Distributed in each hypervisor Central configuration Controllers are clustered can scale-out based as needed CONFIDENTIAL
Distributed firewalling An NSX network is made up of distributed network elements embedded in each hypervisor, enabling each VM to have its own firewall. NSX firewalling: fully distributed, embedded in every hypervisor in the data center Firewalls/policies provisioned simultaneously with VMs Policies move with their VMs CONFIDENTIAL Retiring a VM deprovisions its firewall no possibility of stale rules
The Problem: Data Center Network Security Perimeter-centric network security has proven insufficient Internet IT Spend Security Spend Security Breaches Today s security model focuses on perimeter defense But continued security breaches show this model is not enough
The Solution: Micro-segmentation A new model for data center security STARTING ASSUMPTIONS 1 DESIGN PRINCIPLES Isolation and segmentation Assume everything is a threat and act accordingly. 2 3 Unit-level trust / least privilege Ubiquity and centralized control
But micro-segmentation has not been operationally infeasible A typical data center has: Internet vs 2 firewalls 1000 workloads Directing all traffic (virtual + physical) through chokepoint firewalls is inefficient And a physical firewall per workload is cost prohibitive
Until now: Micro-segmentation with NSX Data Plane Distributed switching, routing, firewall Control Plane NSX Manager Management Plane vcenter Physical workloads and VLANS
Until now: Micro-segmentation with NSX Central Management / Data Plane Distributed Control Distributed switching, routing, firewall Security policies are coordinated and centralized Control Plane NSX Manager Security actions are orchestrated centrally Firewall policies are provisioned, moved, and retired with their associated workloads Management Plane vcenter Physical workloads and VLANS CONFIDENTIAL
Until now: Micro-segmentation with NSX Data Plane Distributed switching, routing, firewall Isolation and Segmentation Control Plane NSX Manager Isolation of network traffic: no communication between unrelated traffic streams Segmentation of network traffic: communication within a network is controlled by policy Management Plane vcenter Physical workloads and VLANS CONFIDENTIAL 1
Until now: Micro-segmentation with NSX Data Plane Distributed switching, routing, firewall Unit-level trust Control Plane Each hypervisor NSX Manager has its own firewalling with flexible granularity: entire data center down to the vnic Security is shrink-wrapped around each workload Faults and threats are contained with micro-granularity Management Plane vcenter Physical workloads and VLANS CONFIDENTIAL
Achieving Isolation with NSX 192.168.2.11 192.168.1.11 192.168.2.10 192.168.1.10 NSX virtual networks: Decoupled from physical networks Networks completely isolated CONFIDENTIAL No communication between unrelated networks
SDDC is the foundation for Micro-segmentation Isolation Segmentation Advanced Services No Communication Path Controlled Communication Path Advanced Services Communication Path
Configure policy with Security Groups 1 2 3 Select elements to uniquely identify application workloads Use attributes to create Security Groups Apply policies to security groups ABC DEF Policy 1 IPS for Desktops FW for Desktops Element type Static Data center Virtual net Virtual machine vnic Dynamic VM name OS type User ID Security tag Group XYZ App 1 OS: Windows 8 TAG: Production Group XYZ Policy 2 AV for Production FW for Production Use security groups to abstract policy from application workloads. Enforce policy based on logical constructs Reduce configuration errors Policy follows VM, not IP CONFIDENTIAL Reduce rule sprawl and complexity
Automate security operations ATTRIBUTE (if) ACTION (then) Quarantine VM with Firewall Virus found IIS.EXE Vulnerability found (old software version) Monitor VM with IPS Sensitive Data Found PCI OR Allow & Encrypt* Restrict access while investigating Security operations are automated and adapt to dynamic conditions Automated detection of security conditions (virus, vulnerability, etc.) Security policies define automated actions
Security Operations Centralized operations and workflow plugs into existing infrastructure vcenter NSX Manager Distributed Services Syslog NetFlow collectors Audit/compliance Centralized configuration and policy System events, audit logging, firewall messages Centralized monitoring and reporting
Distributed firewall performance Connections / sec in 1000s 140 120 100 80 60 40 20 0 1 2 3 4 VMs (per host) 100 Rules 250 Rules 500 Rules
Partner integrations Partner Ecosystem NSX is the platform for integrating advanced security services. Next-generation IPS Granular protection of individual VM workloads with customizable policy definitions Automation of advanced malware interception Unified management for physical and virtual sensors Malware Protection Data Center security with agentless anti-malware and guest network threat protection Real-time, dynamic threat protection and response for workloads moving between hosts and virtual data centers Vulnerability Management Automatic vulnerability risk assessment Data Center wide real- time risk visibility Auto segmentation of risky assets Vulnerability prioritization for effective remediation Next-Generation Firewall Multiple threat prevention disciplines including firewall, IPS, and antimalware Safe application enablement with continuous content inspection for all threats Granular user-based controls for apps, content, users, File and Network Security Single virtual appliance provides agentless: Anti-malware with URL filtering Vulnerability and software scanning Detection of file changes Intrusion Detection & Prevention
More information www.vmware.com/products/nsx/ VMware NSX Hands-on Labs labs.hol.vmware.com Network Virtualization Blog blogs.vmware.com/networkvirtualization
Nagradna igra Ispunjavanjem e-upitnika sudjelujete u nagradnoj igri! Izvlačenje dobitnika nagrada na zatvaranju konferencije. 1. nagrada Lenovo Vibe X2, zlatni 2. nagrada Lenovo Vibe X2, bijeli 3. nagrada Lenovo Vibe X2, crni *Organizatori i sponzori Combis konferencije nemaju pravo sudjelovanja.
Hvala na pažnji! Thank you for your attention!