Software Defined Data Centers: Network Virtualization & Security
Jeremy van Doorn, Director of Systems Engineering EMEA, Network & Security
"My business and its IT organization are being engulfed by a torrent of digital opportunities. We cannot respond in a timely fashion, and this threatens the success of the business and the credibility of the IT organization." (Worldwide CIO Survey, Gartner, 2014)
To stimulate growth and drive competitive advantage:
- Amaze customers and empower employees
- Manage risk and protect brand value
The Driving Forces Behind the Liquid World: Mobile and Cloud
Harnessing Mobile and Cloud Is Challenging
Service outages, slow responses, security, declining budget, proliferation of devices, slow technology adoption rates, cloud silos, high user expectations, integration problems, privacy issues, fragmented data center, shortage of the right skills, different applications, aging infrastructure, limited resources
Time for a New Model of IT
Optimized for rapid development and delivery of all applications, for safe consumption on any device: instant, fluid, secure
VMware: Your Best Partner for Brave New IT
- Software-Defined Agility (instant): instant provisioning, delivery, and access from data center to device
- Seamless Hybridity (fluid): unified private and public clouds to dynamically deploy any app or workload
- Intrinsic Security (secure): enhanced security native to apps, infrastructure, and devices
Conventional Approach to IT
Traditional applications and modern, cloud applications, each hosted on-premises, in the public cloud, or outsourced
VMware Architecture for IT
- Any device, any application: business mobility (applications, devices, content) for both traditional and modern, cloud applications
- Cloud management across one hybrid cloud: private (your data center), managed (vCloud Air Network), public (vCloud Air)
- Software Defined Data Center: virtualized compute, network, and storage on build-your-own, converged, or hyper-converged infrastructure
One Cloud, Any Application: Any Application, Anywhere
- Hybrid cloud: private (your data center), managed (vCloud Air Network), public (vCloud Air)
- Open management: architect, deploy, and run all traditional and modern applications, with flexible choice in how to manage your cloud infrastructure and your applications
- Unified platform: on- and off-premises cloud on a common Software-Defined Data Center platform, built on VMware's compute, network, and storage virtualization solutions
The Software-Defined Data Center Approach: Ideal Architecture for the Hybrid Cloud
- All infrastructure services virtualized: compute, networking, storage
- Control of the data center automated by software (management, security)
- Unified platform for existing and new apps, delivered to many devices
- Hybrid cloud management on top of virtualized compute, networking, and storage
Two Different Paths Forward: Hardware-Defined or Software-Defined Architecture?
- Hardware-Defined Approach: a thin software layer, manual operations, intelligence in proprietary hardware; IT struggles to keep up
- Software-Defined Approach: intelligence in the software layer, automated operations, existing hardware; IT moves at the speed of the business
Is SDDC a Proven Architecture? (Vertical integration)
- Software Defined Data Center (SDDC): any application on the SDDC platform (data center virtualization) over any x86, any storage, any IP network
- Google / Facebook / Amazon data centers: custom applications on a custom platform (software / hardware abstraction) over any x86, any storage, any IP network
- Hardware Defined Data Center (HDDC): any application on an HDDC platform tied to integrated x86, integrated storage, and a vendor-specific network
SDDC Architecture Is Future-Proof
The same SDDC platform (data center virtualization) runs any application over any x86, any storage, and any IP network, whether within one data center, inter-data center, or in a hybrid data center.
VMware Cloud Management: The Control Plane for the Software-Defined Data Center and the Hybrid Cloud
- Cloud Automation: automated, self-service delivery of personalized IT services (service catalog, governance, release automation)
- Cloud Operations: intelligent, automated operations with comprehensive visibility from apps to storage (service health, capacity optimization, configuration standards)
- Cloud Business: complete transparency into costs and quality of all IT services (cost transparency, benchmarking, service quality management)
A cloud management platform purpose-built for heterogeneous data centers and hybrid cloud: extends vCloud Suite to manage OpenStack, AWS, Hyper-V, KVM, and vCloud Air; works with modern and traditional application architectures; choice of on-premises or SaaS delivery model
OpenStack Runs Best on VMware: VMware Integrated OpenStack
- Deliver the OpenStack APIs developers want
- Best-of-breed compute, network, storage
- Elegant, rapid, and simplified operations
- Single support contact
- Best of all: free for vSphere Enterprise Plus users
vSphere: The Best Platform for All Applications
- Unified platform: VMware technologies across hybrid clouds
- Any application: rapid development, automated deployment, and secure consumption of all enterprise apps
- Flexible control: choice in data center automation and management
Workloads and capabilities:
- Scale-up / business-critical apps: scalability enhancements (VMs and clusters) for all application workloads
- Desktop virtualization: 2D/3D graphics, Instant Clone
- Scale-out applications: Big Data Extensions and Pivotal CF (PaaS) support
- Integrated OpenStack: OpenStack on vSphere
- Containers: Linux container support
Benefits and proof points (vendor figures as presented): increased scalability and performance (SAP HANA: 400% performance gains over RDBMS and 9x gains in planning load times); rapid deployment of desktop virtual machines in seconds (10x faster than in previous releases); productivity and portability for application developers; choice of architecture
VMware Software-Defined Storage Architecture
VMware vSphere Storage-Policy Based Management over VMware Virtual SAN, Virtual Volumes (VVOL-enabled arrays), and storage partners
Network Virtualization: VMware NSX, the Network Hypervisor
Virtual networks are realized by the vSwitch in every hypervisor; this enables a new model for security, micro-segmentation, and an ecosystem of 50+ additional partners
Bridging Two Worlds: the Software Defined Data Center approach alongside the traditional approach
Network virtualization is at the core of an SDDC approach: a virtualization layer (network, storage, compute) with a network hypervisor presents virtual data centers on top of the existing infrastructure, so deployment is non-disruptive.
The Power of Distributed Services
Network and security services are now distributed in the hypervisor as a native platform capability: switching, routing, firewalling/ACLs (east-west firewalling at high throughput rates), and load balancing.
Programmatically provisioned: network and security services are distributed to the virtual switch, and the physical network becomes a high-speed IP backplane.
Native Isolation: separate virtual networks can use overlapping address space (the figure shows 192.168.2.10 and 192.168.2.11 in use in each of two virtual networks) without conflict.
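How the network hypervisor keeps two virtual networks with identical addressing apart, as an added example that is not code from the slide deck or from VMware. NSX for vSphere carries each logical switch as a VXLAN segment (RFC 7348), which the slide does not name: the 24-bit VNI in the tunnel header, not the inner IP address, identifies the virtual network, so the physical network only has to route between the hypervisors' tunnel endpoints. The tenant names, VNIs, host names and addresses are constructed sample data, and the inner "frame" is a stand-in for the tenant's Ethernet/IP frame.

```python
"""Added example: VXLAN-style isolation of overlapping tenant address space.
Header layout follows RFC 7348; everything else is constructed sample data."""
import ipaddress
import struct

VXLAN_FLAG_VNI_VALID = 0x08  # RFC 7348 "I" flag: the VNI field is valid


def encap(vni, inner_frame):
    """Prepend the 8-byte VXLAN header: flags(1) reserved(3) VNI(3) reserved(1)."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    header = struct.pack("!B3sI", VXLAN_FLAG_VNI_VALID, b"\x00\x00\x00", vni << 8)
    return header + inner_frame


def decap(packet):
    """Return (vni, inner_frame); reject a header whose I flag is clear."""
    flags, _reserved, vni_field = struct.unpack("!B3sI", packet[:8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN header without a valid VNI")
    return vni_field >> 8, packet[8:]


def build_inner(src_ip, dst_ip, payload):
    """Stand-in for the tenant frame: src IPv4, dst IPv4, payload."""
    return (ipaddress.IPv4Address(src_ip).packed
            + ipaddress.IPv4Address(dst_ip).packed + payload)


def parse_inner(frame):
    src = str(ipaddress.IPv4Address(frame[:4]))
    dst = str(ipaddress.IPv4Address(frame[4:8]))
    return src, dst, frame[8:]


class Hypervisor:
    """A host running the network hypervisor: its tunnel endpoint decapsulates,
    and its virtual switch forwards on (VNI, inner destination), never on IP alone."""

    def __init__(self, name, vtep_ip):
        self.name = name
        self.vtep_ip = vtep_ip      # the only address the physical fabric sees
        self.ports = {}             # (vni, inner ip) -> vm name

    def attach(self, vm, vni, ip):
        self.ports[(vni, ip)] = vm

    def receive(self, packet):
        vni, inner = decap(packet)
        _src, dst, _payload = parse_inner(inner)
        return self.ports.get((vni, dst))   # None: no VM here in that segment


def send(fabric, vni, inner):
    """The physical IP backplane carries the encapsulated frame between VTEPs;
    here it is flooded to every host and we report who accepted it."""
    packet = encap(vni, inner)
    delivered = []
    for hv in fabric:
        vm = hv.receive(packet)
        if vm is not None:
            delivered.append((hv.name, vm))
    return delivered


def demo():
    """Two tenants both use 192.168.2.10 and .11; only the VNI tells them apart."""
    hv1, hv2 = Hypervisor("esx-01", "10.1.0.1"), Hypervisor("esx-02", "10.1.0.2")
    fabric = [hv1, hv2]
    tenant_a, tenant_b = 5001, 5002                     # constructed VNIs
    hv1.attach("tenantA-web", tenant_a, "192.168.2.10")
    hv2.attach("tenantA-app", tenant_a, "192.168.2.11")
    hv1.attach("tenantB-web", tenant_b, "192.168.2.10")
    hv2.attach("tenantB-app", tenant_b, "192.168.2.11")

    # The very same inner bytes are sent in both segments.
    frame = build_inner("192.168.2.11", "192.168.2.10", b"GET / HTTP/1.0")
    return {
        "A_app_to_A_web": send(fabric, tenant_a, frame),
        "B_app_to_B_web": send(fabric, tenant_b, frame),
        "unknown_segment": send(fabric, 5003, frame),
    }


if __name__ == "__main__":
    for label, hops in demo().items():
        print(label, "->", hops)
```

The point to take from running it: the inner frame is byte-for-byte identical in both tenants, and the fabric carries it between the same two VTEP addresses; the forwarding decision at the receiving vSwitch is keyed on the VNI, which is why overlapping address plans cause no conflict and why the physical network can be a plain IP backplane with no per-tenant configuration.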
Support for Physical Workloads and VLANs
Security in the Software Defined Data Center
More Security Spend Does Not Mean More Secure
- $71.1B worldwide information security spending in 2014
- 46% increase in 2015 security technology spend
- 1,208 new cybersecurity companies (solutions) since 2010
Yet:
- 43% of organizations reported data center breaches in 2014
- 312 days: average time a zero-day vulnerability goes undetected and/or unpatched
- >$455B total cost of cybercrime in 2014
Copyright 2014 Trend Micro Inc.
Traditional security has little meaning in a borderless Software Defined Data Center
- Insufficient visibility into east-west traffic and inter-VM attacks
- Static policies cannot keep up with dynamic workloads
- Service provisioning is slow, complex, and error-prone
- Disparate security solutions and a lack of uniform policies across clouds create an operational nightmare
Traditional approaches to reducing breaches inside the data center perimeter: adding more internal security requires placing more security controls across workloads.
- Physical security appliances, optimized for the data center perimeter: cost prohibitive (thousands needed); configuration and security policies restricted by network topology; inefficient choke point; impractical for lateral coverage
- Virtual security appliances today: lack selective traffic inspection for smarter security; hair-pinning impacts performance; limited segmentation capabilities; lack dynamic provisioning, deployment, and scale-out
Data Center Security Options: secure perimeter vs. zero-trust pervasive security
Problem: Data Center Network Security
Perimeter-centric network security has proven insufficient (little or no lateral controls inside the perimeter), and micro-segmentation with traditional tools is operationally infeasible.
Why traditional approaches are operationally infeasible (perimeter firewalls between the Internet and the workloads):
- Create firewall rules before provisioning
- Update firewall rules on every move or change
- Delete firewall rules when the app is decommissioned
The problem grows with the amount of east-west traffic.
How an SDDC approach makes micro-segmentation feasible: the security policy is defined in the cloud management platform and distributed to the workloads behind the perimeter firewalls.
Service Insertion: a zero-trust model becomes operationally feasible; logically align controls to what you are protecting
- Isolation: no communication path between Application A and Application B
- Explicit allow: only the permitted communication between tiers, e.g. App tier to DB tier on TCP 1433
- Secure communications: insert services such as IPS (intrusion protection), FIM (file integrity), AM (anti-malware), and WR (web reputation) in front of the workloads they protect
Micro-segmentation delivers higher levels of data center security:
1. Isolation and segmentation
2. Unit-level trust / least privilege
3. Ubiquity and centralized control
Intelligent grouping: groups are defined by customized criteria such as operating system, machine name, services, application tier, regulatory requirements, and security posture.
There is a BIG difference
- Physical firewalls: traditional rule management and operations; chokepoint enforcement; ~100 Gbps per appliance
- Virtual firewalls: traditional rule management and operations; chokepoint enforcement; ~1 Gbps per appliance
- Distributed firewalling: automated policy management and operations; distributed enforcement; vSphere kernel-based performance; distributed scale-out capacity (20 Gbps per host)
SDDC Platform: Zero Trust Is Now Operationally Feasible
- Hypervisor-based, in-kernel distributed firewalling: high throughput on a per-hypervisor basis (20 Gbps firewalling throughput per host); every hypervisor adds additional east-west firewalling capacity; a native feature of the VMware NSX platform
- Platform-based automation: automated provisioning and workload adds/moves/changes; accurate firewall policies follow workloads as they move; audit and compliance
Data center micro-segmentation becomes operationally feasible.
NSX Platform Extensibility With Advanced Security
1. Add leading security solutions to your micro-segmentation deployment for greater security
2. Apply the SDDC operational model to 3rd-party security products
3. Adapt to changing security conditions in the data center by enabling security solutions to share intelligence
Static service chain (traditional data center): security services must be configured when the network is architected, so the chain of services is locked in once deployed. This is an inefficient use of resources and cannot defend against changing threat conditions.
Dynamic service chain (NSX data center): 3rd-party security solutions use NSX security tags to share intelligence, adapting to changing security conditions. NSX automatically applies the correct security function as needed.
Advanced Services Insertion Example: Palo Alto Networks NGFW
The security admin defines the security policy; NSX steers the selected traffic (including flows to and from the Internet) through the NGFW.
Automated Security in a Software Defined Data Center: quarantine vulnerable systems until remediated
Security Group = Quarantine; Members = {Tag = ANTI_VIRUS.VirusFound}
Policy definition:
- Security Group = Standard: Standard Policy (anti-virus scan)
- Security Group = Quarantine: Quarantined Policy (firewall: block all except security tools; anti-virus scan and remediate)
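The quarantine policy above, together with the explicit-allow rule between tiers (App tier to DB tier on TCP 1433), the intelligent grouping criteria, and the claim that policy follows a workload when it moves, modelled in a small offline policy engine. This is an added example, not NSX code and not from the deck: security groups have dynamic membership criteria (application, tier, security tag), rules are written between groups rather than addresses, and membership is evaluated per flow, so attaching the tag ANTI_VIRUS.VirusFound moves a VM into Quarantine without anyone editing a rule, and the decision is identical on whichever host the VM runs. Group names, tiers, hosts, addresses, and the "SecurityTools" group for the anti-virus manager are assumptions.

```python
"""Added example: tag-driven micro-segmentation with dynamic security groups.
Not NSX's implementation; names and sample workloads are constructed."""
from dataclasses import dataclass, field

VIRUS_TAG = "ANTI_VIRUS.VirusFound"   # tag name as shown on the slide
ANY = ("any", 0)                      # wildcard service


@dataclass
class Workload:
    name: str
    os: str
    app: str
    tier: str
    ip: str
    host: str = "esx-01"
    tags: set = field(default_factory=set)


@dataclass
class SecurityGroup:
    """Dynamic membership: every criterion must hold (attribute equals value,
    or for 'tag' the tag must be present on the workload)."""
    name: str
    criteria: dict

    def contains(self, w):
        for attr, want in self.criteria.items():
            if attr == "tag":
                if want not in w.tags:
                    return False
            elif getattr(w, attr) != want:
                return False
        return True


@dataclass
class Rule:
    name: str
    src: str          # group name or "any"
    dst: str          # group name or "any"
    service: tuple    # ("tcp", 1433) or ANY
    action: str       # "allow" or "deny"


class DistributedFirewall:
    """First matching rule wins; no match means deny (zero trust default)."""

    def __init__(self, groups, rules):
        self.groups, self.rules = groups, rules

    def groups_of(self, w):
        return {g.name for g in self.groups if g.contains(w)}

    def evaluate(self, src, dst, proto, port):
        sg, dg = self.groups_of(src), self.groups_of(dst)
        for r in self.rules:
            if r.src != "any" and r.src not in sg:
                continue
            if r.dst != "any" and r.dst not in dg:
                continue
            if r.service != ANY and r.service != (proto, port):
                continue
            return r.action, r.name
        return "deny", "default-deny"


def build_policy():
    groups = [
        SecurityGroup("Quarantine", {"tag": VIRUS_TAG}),
        SecurityGroup("SecurityTools", {"tier": "security"}),
        SecurityGroup("AppA-App", {"app": "A", "tier": "app"}),
        SecurityGroup("AppA-DB", {"app": "A", "tier": "db"}),
        SecurityGroup("AppB-App", {"app": "B", "tier": "app"}),
    ]
    rules = [
        # Quarantined policy: block everything except the security tools.
        Rule("q-to-tools", "Quarantine", "SecurityTools", ANY, "allow"),
        Rule("tools-to-q", "SecurityTools", "Quarantine", ANY, "allow"),
        Rule("q-block-out", "Quarantine", "any", ANY, "deny"),
        Rule("q-block-in", "any", "Quarantine", ANY, "deny"),
        # Standard policy: explicit allow between tiers of the same application.
        Rule("a-app-to-db", "AppA-App", "AppA-DB", ("tcp", 1433), "allow"),
        Rule("av-scan", "SecurityTools", "any", ("tcp", 443), "allow"),
    ]
    return DistributedFirewall(groups, rules)


def demo():
    """Returns (label, (action, matched rule)) for each step of the scenario."""
    fw = build_policy()
    app_a = Workload("a-app-01", "Windows 2012", "A", "app", "10.10.1.20")
    db_a = Workload("a-db-01", "Windows 2012", "A", "db", "10.10.2.20")
    app_b = Workload("b-app-01", "RHEL 7", "B", "app", "10.20.1.20")
    av = Workload("av-manager", "RHEL 7", "Sec", "security", "10.0.0.50")
    steps = [("A app -> A db tcp/1433", fw.evaluate(app_a, db_a, "tcp", 1433)),
             ("B app -> A db tcp/1433 (isolation)", fw.evaluate(app_b, db_a, "tcp", 1433))]
    app_a.tags.add(VIRUS_TAG)                      # anti-virus reports an infection
    steps.append(("infected A app -> A db", fw.evaluate(app_a, db_a, "tcp", 1433)))
    steps.append(("infected A app -> AV manager", fw.evaluate(app_a, av, "tcp", 443)))
    app_a.host = "esx-07"                           # vMotion: policy follows the VM
    steps.append(("after move -> A db", fw.evaluate(app_a, db_a, "tcp", 1433)))
    app_a.tags.discard(VIRUS_TAG)                   # remediated, tag cleared
    steps.append(("remediated A app -> A db", fw.evaluate(app_a, db_a, "tcp", 1433)))
    return steps


if __name__ == "__main__":
    for label, (action, rule) in demo():
        print(f"{label:40s} {action:5s} ({rule})")
```

Two design points worth noting. Rule order matters: the quarantine rules sit above the application rules so that an infected VM loses its normal allows immediately, which is the "block all except security tools" semantics of the slide. And the rule table never changes across the six steps; the only state that moves is the tag on the workload and the host it runs on, which is the operational difference from the per-IP rule churn described for perimeter firewalls.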
Benefits of Taking a Software Defined Data Center Approach
- Security: micro-segmentation; secure infrastructure at 1/3 the cost; DMZ anywhere, secure end user, multi-tenant infrastructure
- Speed and agility: IT automating IT; reduce infrastructure provisioning time from weeks to minutes; developer cloud
- Application continuity: disaster recovery; reduce RTO by 80%; metro pooling, hybrid cloud networking
NSX customer momentum: service providers, global financials, retail, healthcare, integrators, media and communications, transportation, government, education
Starting Point
- First step (the things you need to read): virtualizeyournetwork.com
- Technical discovery (the things you need to do): test drive at labs.hol.vmware.com
- Connect and engage: communities.vmware.com
- Education and certification: vmware.com/go/nvtraining
For a full listing of other NSX-related sessions at VMworld: http://virtualizeyournetwork.com/vmworld2015us/
Thank you