VMware Software Defined Network. Dejan Grubić, VMware Systems Engineer for Adriatic




The Transformation of Infrastructure. Infrastructure has moved from servers to clouds in order to be more responsive to the business and to change the economics of IT: fast workload provisioning (weeks to minutes), unlimited workload placement and mobility, on any hardware or topology.

Network virtualization overview. Server virtualization decoupled applications from hardware: applications run as workloads inside virtual machines on a server hypervisor, whose only requirement is general-purpose x86 server hardware. Network virtualization does the same for the network: software L2, L3 and L4-7 network services run inside virtual networks on a network hypervisor, whose only requirement is IP transport over general-purpose networking hardware.

NSX Components.
Cloud consumption: a self-service portal such as vCloud Automation Center, OpenStack or a custom CMS.
Management plane: NSX Manager, the single configuration portal and REST API entry point; it manages the logical networks.
Control plane: the NSX Controller cluster, which runs the control-plane protocol and separates the control plane from the data plane.
Data plane: distributed services (logical switch, distributed logical router, distributed firewall) and NSX Edge, implemented as ESXi hypervisor kernel modules in a high-performance, scale-out distributed forwarding model on top of the physical network.

NSX provides a faithful reproduction of network and security services in software: switching, routing, firewalling, load balancing, VPN, and connectivity to physical networks.

A complete virtual network in software: Logical switching

Logical switching achieved through overlays. An overlay-encapsulated frame consists of an outer MAC header, an outer IP header, a UDP header, the overlay header, and the original L2 frame. The path of a frame: 1. The VM sends a standard L2 frame. 2. The source hypervisor adds the overlay encapsulation. 3. The physical network forwards the frame as a standard IP packet. 4. The destination hypervisor strips the encapsulation headers. 5. The original L2 frame is delivered to the destination VM. Overlay technologies encapsulate L2 frames to isolate traffic flows. Use network isolation for multi-tenancy, for fault containment, and for separating highly secure application infrastructures.
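As an added example (not code from the original slides or from NSX), the five steps above carried out in Python. A VM's Ethernet frame is wrapped in outer MAC, IPv4, UDP and VXLAN headers using the RFC 7348 layout (VXLAN is the overlay NSX for vSphere uses; the slide only says "overlay"), forwarded as a plain IP packet, validated and unwrapped by the receiving hypervisor, and delivered only to a VM attached to the same VNI. The VTEP addresses, MACs, VNIs and VM names are constructed sample values; the hash-based UDP source port and the checksum verification are design choices of this example, not NSX internals.

```python
# Added example: VXLAN-style overlay encapsulation (RFC 7348 header layout),
# not code from the original slides or from NSX. All addresses are constructed.
import struct
import zlib
from typing import Dict, Optional, Tuple

VXLAN_UDP_PORT = 4789   # IANA-assigned VXLAN port (RFC 7348)
ETH_P_IP = 0x0800       # EtherType: IPv4


def mac(text: str) -> bytes:
    """'00:50:56:aa:00:01' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def ip4(text: str) -> bytes:
    """'10.10.1.11' -> 4 raw bytes."""
    return bytes(int(o) for o in text.split("."))

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 ones-complement checksum; returns 0 when run over a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_l2_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    """Step 1: the VM emits a plain Ethernet II frame and knows nothing about the overlay."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload

def encapsulate(inner: bytes, vni: int, src_vtep_ip: str, dst_vtep_ip: str,
                src_vtep_mac: bytes, dst_vtep_mac: bytes) -> bytes:
    """Step 2: the source hypervisor (VTEP) wraps the frame as
    outer MAC | outer IPv4 | UDP | VXLAN header | original L2 frame."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI is a 24-bit field")
    # VXLAN header: flags byte with the I bit set, 3 reserved bytes, 24-bit VNI, 1 reserved byte
    vxlan = struct.pack("!B3x", 0x08) + struct.pack("!I", vni << 8)
    # UDP source port derived from the inner frame so underlay ECMP spreads flows
    sport = 49152 + (zlib.crc32(inner) & 0x3FFF)
    udp_len = 8 + len(vxlan) + len(inner)
    udp = struct.pack("!HHHH", sport, VXLAN_UDP_PORT, udp_len, 0)   # checksum 0 = omitted (IPv4)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64, 17, 0,
                         ip4(src_vtep_ip), ip4(dst_vtep_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    outer_eth = dst_vtep_mac + src_vtep_mac + struct.pack("!H", ETH_P_IP)
    # Step 3: the physical network only ever sees a UDP/IP packet between two VTEPs
    return outer_eth + ip_hdr + udp + vxlan + inner

def decapsulate(packet: bytes) -> Tuple[int, bytes]:
    """Step 4: the destination VTEP validates every outer layer before trusting the VNI."""
    if struct.unpack("!H", packet[12:14])[0] != ETH_P_IP:
        raise ValueError("outer frame is not IPv4")
    ihl = (packet[14] & 0x0F) * 4
    ip_hdr = packet[14:14 + ihl]
    if ipv4_checksum(ip_hdr) != 0:
        raise ValueError("outer IPv4 checksum mismatch")
    if ip_hdr[9] != 17:
        raise ValueError("outer transport is not UDP")
    udp_off = 14 + ihl
    _sport, dport, udp_len, _csum = struct.unpack("!HHHH", packet[udp_off:udp_off + 8])
    if dport != VXLAN_UDP_PORT:
        raise ValueError("not a VXLAN datagram")
    vxlan = packet[udp_off + 8:udp_off + 16]
    if not vxlan[0] & 0x08:
        raise ValueError("VXLAN I flag clear: VNI not valid")
    vni = struct.unpack("!I", vxlan[4:8])[0] >> 8
    inner = packet[udp_off + 16:udp_off + udp_len]
    return vni, inner

class Hypervisor:
    """Per-host delivery table: a VM is reachable only on the VNI its vNIC is attached to."""

    def __init__(self) -> None:
        self.ports: Dict[Tuple[int, bytes], str] = {}   # (vni, vm_mac) -> VM name

    def attach(self, vm_name: str, vni: int, vm_mac: bytes) -> None:
        self.ports[(vni, vm_mac)] = vm_name

    def receive(self, packet: bytes) -> Optional[str]:
        """Step 5: hand the original frame to the VM, or drop it if nothing sits on (VNI, MAC)."""
        vni, inner = decapsulate(packet)
        return self.ports.get((vni, inner[0:6]))

# Constructed topology: two tenants on host B deliberately reuse the same VM MAC.
VTEP_A_IP, VTEP_B_IP = "10.10.1.11", "10.10.1.12"
VTEP_A_MAC, VTEP_B_MAC = mac("00:50:56:aa:00:01"), mac("00:50:56:aa:00:02")
VM_MAC = mac("00:50:56:01:02:03")
HOST_B = Hypervisor()
HOST_B.attach("web-tenant-a", 5001, VM_MAC)
HOST_B.attach("web-tenant-b", 5002, VM_MAC)

def send(vni: int, payload: bytes = b"GET / HTTP/1.0\r\n\r\n") -> Optional[str]:
    """A VM on host A sends to VM_MAC on the given VNI; returns which VM on host B got it."""
    frame = build_l2_frame(VM_MAC, mac("00:50:56:01:02:04"), ETH_P_IP, payload)
    packet = encapsulate(frame, vni, VTEP_A_IP, VTEP_B_IP, VTEP_A_MAC, VTEP_B_MAC)
    return HOST_B.receive(packet)
```

Because delivery is keyed on (VNI, MAC), both tenants can reuse the same MAC and address space without ever seeing each other's frames, which is the multi-tenancy and isolation property the slide claims for overlays. The checks in decapsulate are the security-relevant part: a VTEP that accepted any UDP datagram on port 4789 as tenant traffic would let any host that can reach the VTEP's transport address inject frames into any VNI, so in practice the VTEP transport network is kept on its own VLAN or subnet that guest VMs and untrusted hosts cannot reach.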

Distributed routing. The NSX admin creates a new logical router. A Logical Router Control VM is deployed and exchanges routing updates with its peers over OSPF, BGP or IS-IS. The control VM sends route updates to the NSX Controller, which distributes the routes to the data plane in each hypervisor. NSX routing: highly available routing with a fully distributed data plane, distributed in each hypervisor, with central configuration; the controllers are clustered and can be scaled out as needed.

Distributed firewalling. An NSX network is made up of distributed network elements embedded in each hypervisor, enabling each VM to have its own firewall. NSX firewalling is fully distributed and embedded in every hypervisor in the data center; firewalls and policies are provisioned simultaneously with VMs; policies move with their VMs; retiring a VM deprovisions its firewall, so no stale rules are left behind. This lifecycle tie holds for rules written against VM objects and security groups; rules written against raw IP addresses or IP sets are not bound to any VM and still need to be reviewed by hand.

The Problem: data center network security. Perimeter-centric network security has proven insufficient. (Chart: IT spend and security spend have kept growing, and so has the number of security breaches.) Today's security model focuses on defending the perimeter against the Internet, but continued security breaches show that this model is not enough.

The Solution: micro-segmentation, a new model for data center security. Starting assumption: assume everything is a threat and act accordingly. Design principles: 1. Isolation and segmentation. 2. Unit-level trust / least privilege. 3. Ubiquity and centralized control.

But micro-segmentation has been operationally infeasible. A typical data center has 2 firewalls facing the Internet versus 1000 workloads. Directing all traffic (virtual and physical) through chokepoint firewalls is inefficient, and a physical firewall per workload is cost-prohibitive.

Until now: micro-segmentation with NSX. Management plane: vCenter. Control plane: NSX Manager. Data plane: distributed switching, routing and firewall, alongside physical workloads and VLANs.

Central management, distributed control: security policies are coordinated and centralized; security actions are orchestrated centrally; firewall policies are provisioned, moved and retired together with their associated workloads.

Isolation and segmentation: isolation of network traffic means no communication between unrelated traffic streams; segmentation of network traffic means that communication within a network is controlled by policy.

Unit-level trust: each hypervisor has its own firewalling with flexible granularity, from the entire data center down to the vNIC; security is shrink-wrapped around each workload; faults and threats are contained with micro-granularity.

Achieving isolation with NSX. (Diagram: VMs 192.168.1.10, 192.168.1.11, 192.168.2.10 and 192.168.2.11 on separate NSX virtual networks.) NSX virtual networks are decoupled from the physical network and completely isolated from one another: there is no communication between unrelated networks.

The SDDC is the foundation for micro-segmentation. Isolation: no communication path. Segmentation: a controlled communication path. Advanced services: a communication path that passes through advanced services.

Configure policy with Security Groups. 1. Select elements that uniquely identify the application workloads. 2. Use those attributes to create Security Groups. 3. Apply policies to the security groups. Element types are static (data center, virtual network, virtual machine, vNIC) or dynamic (VM name, OS type, user ID, security tag). In the slide's example, Group XYZ is built from three attributes (application App 1, OS type Windows 8, security tag Production); Policy 1 (IPS for desktops, firewall for desktops) is applied to groups ABC and DEF, and Policy 2 (anti-virus for production, firewall for production) is applied to Group XYZ. Use security groups to abstract policy from the application workloads: enforce policy based on logical constructs, reduce configuration errors, let policy follow the VM rather than the IP, and reduce rule sprawl and complexity.

Automate security operations. Policies are written as attribute (if) and action (then) pairs: if a virus is found, quarantine the VM with the firewall; if a vulnerability is found (e.g. an outdated IIS.EXE), monitor the VM with IPS; if sensitive data (PCI) is found, allow and encrypt*, or restrict access while investigating. Security operations are automated and adapt to dynamic conditions: detection of security conditions (virus, vulnerability, etc.) is automated, and the security policies define the automated actions.
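An added example, not code from the original slides or from NSX, modelling the behaviour the last three slides describe: a per-VM firewall whose rules refer to security groups, groups with static and dynamic (name, OS, tag) membership, policy that follows the VM rather than its IP, retirement that removes the VM from every group, and an automated quarantine triggered by a tag. The VM names, tag names, group names, rule names and the "virus_found" event are constructed; the real NSX objects, API calls and partner-applied tag names differ.

```python
# Added example: security-group membership and distributed-firewall rule evaluation,
# not code from the original slides or from NSX. Names, tags and events are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class VM:
    name: str
    os: str
    ip: str                          # never consulted by policy: rules bind to the object
    tags: Set[str] = field(default_factory=set)

# A membership criterion inspects VM attributes, which is what lets policy follow the VM.
Criterion = Callable[[VM], bool]

def name_starts_with(prefix: str) -> Criterion:
    return lambda vm: vm.name.startswith(prefix)

def os_is(os_name: str) -> Criterion:
    return lambda vm: vm.os == os_name

def has_tag(tag: str) -> Criterion:
    return lambda vm: tag in vm.tags

@dataclass
class SecurityGroup:
    name: str
    criteria: List[Criterion] = field(default_factory=list)   # dynamic: all must match
    static_members: Set[str] = field(default_factory=set)     # explicit VM names

    def members(self, inventory: Dict[str, VM]) -> Set[str]:
        """Recomputed from live inventory on every call, so retired VMs vanish."""
        return {vm.name for vm in inventory.values()
                if vm.name in self.static_members
                or (self.criteria and all(c(vm) for c in self.criteria))}

@dataclass
class Rule:
    name: str
    src: Optional[str]                    # security group name, None = any
    dst: Optional[str]
    service: Optional[Tuple[str, int]]    # (protocol, port), None = any
    action: str                           # "allow" or "deny"

class DistributedFirewall:
    """Ordered rule table evaluated per flow; first match wins, default is deny."""

    def __init__(self, groups: List[SecurityGroup], rules: List[Rule]) -> None:
        self.groups = {g.name: g for g in groups}
        self.rules = rules
        self.inventory: Dict[str, VM] = {}

    def provision(self, vm: VM) -> None:      # the firewall appears together with the VM
        self.inventory[vm.name] = vm

    def retire(self, name: str) -> None:      # and disappears with it: nothing stale remains
        self.inventory.pop(name, None)

    def _member(self, group: Optional[str], vm: VM) -> bool:
        return group is None or vm.name in self.groups[group].members(self.inventory)

    def decide(self, src: str, dst: str, proto: str, port: int) -> str:
        s, d = self.inventory[src], self.inventory[dst]
        for r in self.rules:
            if self._member(r.src, s) and self._member(r.dst, d) \
                    and r.service in (None, (proto, port)):
                return r.action
        return "deny"

    def on_security_event(self, event: str, vm_name: str) -> None:
        """Automated action: a detection result becomes a tag, and the tag moves the VM
        into a group whose rules take effect on the very next lookup."""
        tag_for_event = {"virus_found": "quarantine"}      # constructed mapping
        self.inventory[vm_name].tags.add(tag_for_event[event])

GROUPS = [
    SecurityGroup("Quarantine", [has_tag("quarantine")]),
    SecurityGroup("Web", [name_starts_with("web-"), has_tag("Production")]),
    SecurityGroup("App", [name_starts_with("app-"), has_tag("Production")]),
    SecurityGroup("DB", [name_starts_with("db-"), has_tag("Production")]),
]
RULES = [   # quarantine rules sit on top on purpose: first match wins
    Rule("quarantine-out", "Quarantine", None, None, "deny"),
    Rule("quarantine-in", None, "Quarantine", None, "deny"),
    Rule("web-to-app", "Web", "App", ("tcp", 8080), "allow"),
    Rule("app-to-db", "App", "DB", ("tcp", 3306), "allow"),
]

def build_demo() -> DistributedFirewall:
    """Three-tier application, constructed inventory."""
    dfw = DistributedFirewall(GROUPS, RULES)
    for vm in (VM("web-01", "Linux", "192.168.1.10", {"Production"}),
               VM("app-01", "Linux", "192.168.1.11", {"Production"}),
               VM("db-01", "Linux", "192.168.2.10", {"Production"})):
        dfw.provision(vm)
    return dfw

if __name__ == "__main__":
    dfw = build_demo()
    print(dfw.decide("web-01", "app-01", "tcp", 8080))   # allow
    print(dfw.decide("web-01", "db-01", "tcp", 3306))    # deny: web may not reach the database tier
    dfw.inventory["web-01"].ip = "172.16.0.10"            # re-addressed or moved: same decision
    print(dfw.decide("web-01", "app-01", "tcp", 8080))   # allow
    dfw.on_security_event("virus_found", "web-01")
    print(dfw.decide("web-01", "app-01", "tcp", 8080))   # deny: quarantined
```

Three things in the model carry the slide's claims. Membership is recomputed from VM attributes at lookup time, so changing a VM's address or moving it between hosts cannot change the decision, and retiring it removes it from every group at once. Rule order matters because first match wins, which is why the quarantine rules are placed above the application rules. And none of this applies to rules written against IP addresses or IP sets, which is the one kind of rule a VM's lifecycle cannot clean up.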

Security operations. Centralized operations and workflow plug into the existing infrastructure. vCenter and NSX Manager provide centralized configuration and policy; the distributed services emit system events, audit logging and firewall messages to syslog and NetFlow collectors; audit and compliance tooling consumes these for centralized monitoring and reporting.
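An added example, not from the slides, of what a collector can do with the firewall messages the slide says NSX forwards to syslog. The log lines are constructed; their field layout is modelled on the NSX-v dfwpktlogs shape ("INET match PASS|DROP <ruleset>/<rule> <IN|OUT> <len> <proto> src/sport->dst/dport"), which varies between versions, so the regex is illustrative and should be adjusted to the format your hosts actually emit. It counts hits per rule (rules with no hits over a long window are candidates for the stale-rule review mentioned on the distributed-firewall slide) and flags sources whose denied flows touched several distinct destination/port pairs, the trace a blocked east-west scan leaves once every VM has its own firewall.

```python
# Added example: triage of distributed-firewall syslog records. Not code from the
# original slides or from NSX; the log lines and rule IDs below are constructed.
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, Iterator, Optional, Set, Tuple

# Field layout modelled on the NSX-v dfwpktlogs line shape; treat as illustrative.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) dfwpktlogs: \d+ INET match "
    r"(?P<action>PASS|DROP) (?P<rule>\S+) (?P<dir>IN|OUT) (?P<length>\d+) "
    r"(?P<proto>[A-Z]+) (?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

# Constructed sample: web-01 (192.168.1.10) is allowed to app-01 on 8080, then probes
# the database segment on several ports and is dropped by the default rule 1001.
SAMPLE_LOG = """\
2015-09-22T10:15:01.101Z esx-01a dfwpktlogs: 11466 INET match PASS domain-c7/1003 OUT 60 TCP 192.168.1.10/49152->192.168.1.11/8080 S
2015-09-22T10:15:02.204Z esx-01a dfwpktlogs: 11466 INET match DROP domain-c7/1001 OUT 60 TCP 192.168.1.10/49153->192.168.2.10/3306 S
2015-09-22T10:15:02.301Z esx-01a dfwpktlogs: 11466 INET match DROP domain-c7/1001 OUT 60 TCP 192.168.1.10/49154->192.168.2.10/22 S
2015-09-22T10:15:02.402Z esx-01a dfwpktlogs: 11466 INET match DROP domain-c7/1001 OUT 60 TCP 192.168.1.10/49155->192.168.2.11/445 S
2015-09-22T10:15:03.005Z esx-02a dfwpktlogs: 22981 INET match PASS domain-c7/1004 IN 60 TCP 192.168.1.11/50001->192.168.2.10/3306 S
2015-09-22T10:15:04.117Z esx-02a dfwpktlogs: 22981 INET match DROP domain-c7/1001 IN 60 TCP 10.0.0.5/40000->192.168.2.10/3389 S
this line is not a firewall record and must be skipped
"""

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """One record as a dict of named fields, or None for lines that are not packet logs."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def parse_lines(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    for line in lines:
        rec = parse_line(line)
        if rec:
            yield rec

def rule_hit_counts(lines: Iterable[str]) -> Counter:
    """(rule id, action) -> number of logged packets; feeds the unused-rule review."""
    return Counter((rec["rule"], rec["action"]) for rec in parse_lines(lines))

def unused_rules(lines: Iterable[str], known_rules: Set[str]) -> Set[str]:
    """Rules configured in the policy that never matched in this window."""
    seen = {rule for rule, _action in rule_hit_counts(lines)}
    return known_rules - seen

def lateral_scan_candidates(lines: Iterable[str], min_targets: int = 3) -> Dict[str, Set[Tuple[str, int]]]:
    """Sources whose DROPped flows touched at least min_targets distinct (dst, port) pairs.
    With a firewall on every vNIC, a workload probing its neighbours shows up here."""
    targets: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    for rec in parse_lines(lines):
        if rec["action"] == "DROP":
            targets[rec["src"]].add((rec["dst"], int(rec["dport"])))
    return {src: t for src, t in targets.items() if len(t) >= min_targets}

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(rule_hit_counts(lines))
    print(unused_rules(lines, {"domain-c7/1001", "domain-c7/1003", "domain-c7/1004", "domain-c7/1005"}))
    print(lateral_scan_candidates(lines))
```

The threshold of three distinct targets is a starting point for a constructed sample, not a tuned value; in production the count should be taken per source over a sliding window and compared against what the source's security group is supposed to reach, so that a legitimate monitoring host is not flagged while a compromised web server probing the database segment is.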

Distributed firewall performance. (Chart: connections per second, in thousands, from 0 to 140, plotted against the number of VMs per host, 1 to 4, for rule sets of 100, 250 and 500 rules.)

Partner integrations. NSX is the platform for integrating advanced security services from the partner ecosystem.
Next-generation IPS: granular protection of individual VM workloads with customizable policy definitions; automated interception of advanced malware; unified management for physical and virtual sensors.
Malware protection: data center security with agentless anti-malware and guest network threat protection; real-time, dynamic threat protection and response for workloads moving between hosts and virtual data centers.
Vulnerability management: automatic vulnerability risk assessment; data center-wide real-time risk visibility; automatic segmentation of risky assets; vulnerability prioritization for effective remediation.
Next-generation firewall: multiple threat prevention disciplines including firewall, IPS and anti-malware; safe application enablement with continuous content inspection for all threats; granular user-based controls for applications, content and users.
File and network security: a single virtual appliance provides agentless anti-malware with URL filtering, vulnerability and software scanning, detection of file changes, and intrusion detection and prevention.

More information: www.vmware.com/products/nsx/ ; VMware NSX Hands-on Labs: labs.hol.vmware.com ; Network Virtualization Blog: blogs.vmware.com/networkvirtualization

Prize draw. By completing the e-questionnaire you take part in the prize draw! The winners will be drawn at the closing of the conference. 1st prize: Lenovo Vibe X2, gold. 2nd prize: Lenovo Vibe X2, white. 3rd prize: Lenovo Vibe X2, black. *Organizers and sponsors of the Combis conference are not eligible to participate.

Thank you for your attention!