Post on 28-Nov-2014
NSX PCI Reference Architecture Workshop Session 1
- Segmentation
Allen Shortnacy, VMware
SEC5775
#SEC5775
© 2013 VMware Inc. All rights reserved
SEC5775 - NSX PCI Reference Architecture Workshop Session 1 - Segmentation
August 2013
Importance of Segmentation
About Segmentation
At a fundamental level the software-defined datacenter (SDDC) is about:
• Pooling of physical compute and storage into groups
• Coupled with networks that allow for access to these resources
• Administrative and kernel networks for ESXi shell access and operations like vMotion
• APIs that allow us to interact with those resources
Auditors rely on ‘scope’ to define those items that should be audited
• In the SDDC it is easy to declare that everything is in ‘scope’ due to shared resources
• We need effective tools to declare ‘scopes’ and their usage as well as their join rules
• For those workloads that serve a business function we want coherent policies
Value Propositions of Segmenting with NSX
• Reducing the ‘scope’ of the infrastructure subject to audit will reduce audit costs
• Leverage NSX to establish networks with policies that are transitive across the datacenter
• Clearly define and orchestrate VMware and Technology Partners to monitor ‘layers’
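The scope argument above (shared resources pull everything into scope unless join rules exist between segments) can be made concrete with a small scope-propagation model. This is an added example, not code from the session or from VMware; the asset names and links are constructed sample data. It follows the usual PCI DSS reading of scope: assets with no control between them and the CDE share its segment, assets with a permitted but filtered connection are "connected-to" and in scope (scope does not propagate further from them), and a control that blocks all traffic takes the peer out of scope.

```python
from collections import deque

# Constructed sample inventory (illustrative names, not from the deck).
ASSETS = ["web-01", "app-01", "db-01", "crm-01", "mail-01", "ad-01",
          "vcenter", "esxi-pci", "esxi-shared", "lun-pci", "lun-shared"]

# Assets declared to store, process or transmit cardholder data (the CDE).
CDE = {"web-01", "app-01", "db-01"}

# A link is (a, b, policy), where policy is one of:
#   "open"        no control on the path (same VLAN/vSwitch, VM on host, shared LUN)
#   "restricted"  traffic permitted by an explicit allow rule ("connected-to")
#   "isolated"    a segmentation control blocks all traffic on the path

# Scenario A (constructed): one shared cluster, VLANs only, no distributed firewall.
FLAT_LINKS = [
    ("web-01", "app-01", "open"), ("app-01", "db-01", "open"),
    ("web-01", "crm-01", "open"), ("crm-01", "mail-01", "open"),
    ("app-01", "ad-01", "open"),
    ("web-01", "esxi-shared", "open"), ("db-01", "esxi-pci", "open"),
    ("crm-01", "esxi-shared", "open"),
    ("esxi-shared", "lun-shared", "open"), ("esxi-pci", "lun-shared", "open"),
    ("esxi-pci", "lun-pci", "open"),
    ("vcenter", "esxi-shared", "open"), ("vcenter", "esxi-pci", "open"),
]

# Scenario B (constructed): the four steps applied. Dedicated PCI cluster and
# encrypted LUN, per-tier overlay networks, firewall rules between tiers,
# non-CDE workloads isolated, management access filtered.
SEGMENTED_LINKS = [
    ("web-01", "app-01", "restricted"), ("app-01", "db-01", "restricted"),
    ("web-01", "crm-01", "isolated"), ("crm-01", "mail-01", "open"),
    ("app-01", "ad-01", "restricted"),
    ("web-01", "esxi-pci", "open"), ("app-01", "esxi-pci", "open"),
    ("db-01", "esxi-pci", "open"), ("esxi-pci", "lun-pci", "restricted"),
    ("crm-01", "esxi-shared", "open"), ("esxi-shared", "lun-shared", "open"),
    ("vcenter", "esxi-pci", "restricted"), ("vcenter", "esxi-shared", "restricted"),
]


def _neighbours(links, policy):
    """Undirected adjacency restricted to links carrying the given policy."""
    adj = {}
    for a, b, p in links:
        if p == policy:
            adj.setdefault(a, set()).add(b)
            adj.setdefault(b, set()).add(a)
    return adj


def pci_scope(cde, links):
    """Return (cde_segment, connected_to).

    cde_segment: the CDE plus everything reachable over 'open' links; with no
    control in between, those assets effectively share the CDE's segment.
    connected_to: assets with a 'restricted' link to the segment; in scope,
    but the audit boundary stops there. 'isolated' links never propagate."""
    open_adj = _neighbours(links, "open")
    segment = set(cde)
    queue = deque(cde)
    while queue:
        cur = queue.popleft()
        for nxt in open_adj.get(cur, ()):
            if nxt not in segment:
                segment.add(nxt)
                queue.append(nxt)
    restricted_adj = _neighbours(links, "restricted")
    connected = set()
    for member in segment:
        connected |= restricted_adj.get(member, set())
    return segment, connected - segment


def scope_report(assets, cde, links):
    """Summarise what an auditor would have to look at for this topology."""
    segment, connected = pci_scope(cde, links)
    in_scope = segment | connected
    return {
        "cde_segment": sorted(segment),
        "connected_to": sorted(connected),
        "out_of_scope": sorted(set(assets) - in_scope),
        "in_scope_count": len(in_scope),
    }


if __name__ == "__main__":
    for label, links in (("flat", FLAT_LINKS), ("segmented", SEGMENTED_LINKS)):
        r = scope_report(ASSETS, CDE, links)
        print(f"{label}: {r['in_scope_count']}/{len(ASSETS)} assets in scope")
        print("  CDE segment :", ", ".join(r["cde_segment"]))
        print("  connected-to:", ", ".join(r["connected_to"]) or "-")
        print("  out of scope:", ", ".join(r["out_of_scope"]) or "-")
```

In the flat scenario every asset lands in scope, which is the "everything is in scope due to shared resources" outcome the slide warns about; in the segmented scenario only the PCI tiers, their host, the encrypted LUN, vCenter and Active Directory remain, and the CRM and mail workloads and the shared cluster drop out, which is the audit-cost reduction the value proposition refers to.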
Four Steps to Segmenting the SDDC
vSphere and Networking
• Hosts and Storage should also be segmented
• VLANs may still be used but are not relied upon as a control mechanism
• Dedicated cluster for SDDC Management VMs like vCenter, Active Directory
Establish VXLAN for Workloads
• Allows for Layer 2 subnets across compliant hosts/clusters
• Provides routes to traverse from Layer 2 to other VXLAN and Edge Shared Services
Establish Zones for Shared Services, DMZ, etc. with Edge
• Active Directory serving Enterprise users, DNS, Messaging, Email, etc.
• Defining bastion host networks for access to administer these services
Establish Service Composer Firewall Policies
• Firewall and other technologies, declaratively enabled, follow the workload
• Workloads that come out of policy for any reason have access restricted
Step 1: Segment Storage for Consumption
Groups
• vSphere Storage Networks
• ESXi Hosts/Clusters to LUNs
Usage
• vSphere, Porticor
• Create Encrypted iSCSI LUNs
• Consume via Storage vSwitches
Segmenting Storage with Encryption and dedicated vSwitches eases consumption while maintaining compliance
Porticor Solution
State of the art encryption
• AES 256 / SHA 2 – standards based…
• … yet implemented with best-in-class performance
• Streaming, caching, stateless servers, cloud scale solution
Cloud key management - The “banker”
• Metaphor: a physical safety deposit box is behind strong walls, and… requires two keys to open/lock: one for the customer, the other for the banker
• The secret sauce: “split key” and “homomorphic” technology creates this in a virtual environment
The “Swiss Banker” metaphor
Customer has a key, “Banker” has a key
Master key with Homomorphic key encryption
Key-splitting and Homomorphic Technology together deliver Trust
Demo: Create Encrypted iSCSI LUNs and Map to vSwitch
Step 2: Identify and Label vSphere Components
Groups
• ESXi Hosts/Clusters
• vSwitch/Port Groups to VLANs
Usage
• vSphere, HyTrust
• Identify vSphere assets
• Label in HyTrust as ‘PCI’
• VLANs inherited from Port Groups
Identifying Hosts, Storage and Network Assets for compliance scope is the initial step in Segmentation
© 2013, HyTrust, Inc. www.hytrust.com | 1975 W. El Camino Real, Suite 203, Mountain View, CA 94040 | Phone: 650-681-8100 | email: info@hytrust.com
HyTrust
Multi-Tenancy Wizard
With Great Power Comes Great Responsibility…
Significant Risk of Catastrophic Failure
How HyTrust Protects VMware
Demo: Identify and Tag Core vSphere Asset Groups
PCI DSS 2.0 on VLANs and Segmentation
“Relying on Virtual LAN (VLAN) based segmentation alone is not sufficient. For example, having the CDE on one VLAN and the WLAN on a separate VLAN does not adequately segment the WLAN and take it out of PCI DSS scope. VLANs were designed for managing large LANs efficiently. As such, a hacker can hop across VLANs using several known techniques if adequate access controls between VLANs are not in place.”
NSX Architecture
Diagram: Management Plane (vCD/vCAC, vCenter Server and NSX Manager, paired 1:1), Control Plane (NSX Edge Distributed Router, Controller) and Data Plane (NSX Edge Services Router plus VXLAN, DR, DFW and Security modules on each host, 1:many).
Management Plane Components
vCD/vCAC
• Self service and on-demand provisioning of infrastructure
• Abstracted pool of services (Compute/Storage/Network)
• Catalogue of applications
vCenter Server
• Provisioning and management of Compute/Memory, Storage and Virtual Switch
NSX Manager (1:1 with vCenter Server)
• Provisioning and management of network and network services
• VXLAN preparation
• Logical network consumption
• Network services configuration
Control Plane Components
NSX Edge Distributed Router
• Dynamic Routing
• VXLAN – VLAN Bridging
Controller
• Scale Out
• VXLAN - no Multicast
• ARP suppression
• Distributed Routing
Data Plane Components
ESX Host
• Kernel Modules (VXLAN, DR, DFW, Security)
• Message Bus
• User World Agent
NSX Edge Services Router
• NAT
• DHCP
• LB
• VPN
Communication Between The Three Planes
Diagram: interfaces between the planes. vSphere API between vCD/vCAC, NSX Manager and vCenter Server; REST API into NSX Manager and from NSX Manager to the NSX Edge Distributed Router and Controller; VIX API from NSX Manager to the NSX Edge Services Router; Message Bus from NSX Manager to the host data plane modules (VXLAN, DR, DFW, Security).
VXLAN NSX for vSphere
Diagram: four vSphere hosts on a vSphere Distributed Switch share VXLAN 5001 across the VXLAN Transport Network. VTEP1 10.20.10.10 and VTEP2 10.20.10.11 are in VXLAN Transport Subnet A (10.20.10.0/24); VTEP3 10.20.11.10 and VTEP4 10.20.11.11 are in VXLAN Transport Subnet B (10.20.11.0/24). VM1–VM4 exchange unicast traffic, with a Controller Cluster providing the control plane.
Components Mapped to Physical Infrastructure
Diagram: Compute Racks run the hypervisor modules; Infra Racks host the Controller, vCenter and NSX Manager; Edge Racks provide the on/off ramp to the WAN and Internet.
Step 3: NSX Distributed Edge VXLAN Networks
Groups
• vSwitch/Port Groups to VLANs
• NSX Edge VXLANs
Usage
• Create vDS for VXLAN in vSphere
• NSX Manager prepare hosts, add logical networks and deploy Edges
NSX provides Distributed Logical Routers as well as Distributed Services like Firewall through Edge deployments
Service Placement – Distributed Design
Diagram: Web, App and DB tiers each on their own VXLAN segment; the L2 VXLAN overlays ride an 802.1Q network fabric, with L3 routing out to the WAN and Internet.
Demo: Create Segmented VXLAN Overlay Networks
Hypervisor Kernel Embedded Firewall
Benefits…
• Built into the Hypervisor
• “Line Rate” Performance (15Gbps/Host)
• Better compliance model
Distributed Virtual Firewall
Diagram: many VMs, each with its own firewall enforcement point rather than a shared one
Benefits…
• No “Choke Point”
• Scale Out
• Enforcement closest to VM
Step 4: Establish NSX App Distributed Firewall Rules
Groups
• vApp Patterns to Firewall Rules
• NSX Edge Firewall Security Groups
Usage
• vSphere create vDS for VXLAN
• NSX Manager prepare hosts, add logical networks and deploy Edges
NSX simplifies the steps for creating firewall rules used for segmenting workload tiers and tenants
Demo: Create Firewall Policies For Controlling vApp Network Access
Step 4: Establish NSX App Distributed Firewall Rules
Groups
• vSwitch/Port Groups to VLANs
• NSX Edge VXLANs
Usage
• vSphere create vDS for VXLAN
• NSX Manager prepare hosts, add logical networks and deploy Edges
NSX enables migration across segmentation policy controlled hosts while maintaining routing and firewall rule consistency
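The two Step 4 slides and the fourth step of "Four Steps to Segmenting the SDDC" make three claims: rules follow the workload, they survive migration between hosts, and a workload that comes out of policy gets its access restricted. The model below is an added example, not NSX code or code from the session; it assumes a simplified Service Composer style in which security group membership is computed from security tags and the distributed firewall is a first-match rule table with a default block. Tag names, group names, hosts and ports are constructed.

```python
from dataclasses import dataclass

ANY = "any"  # wildcard selector for source, destination or service


@dataclass
class Workload:
    name: str
    host: str   # ESXi host currently running the VM (changes on vMotion)
    tags: set   # security tags, e.g. {"PCI", "web"}


@dataclass(frozen=True)
class SecurityGroup:
    name: str
    required_tags: frozenset  # dynamic membership: all listed tags must be present

    def contains(self, wl):
        return self.required_tags <= wl.tags


@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # security group name or ANY
    dst: str
    service: tuple  # (proto, port) or ANY
    action: str     # "allow" or "block"


class DistributedFirewall:
    """First-match rule table evaluated per flow at the VM. Membership is
    recomputed on every lookup, so tag changes take effect immediately, and
    a flow that matches no rule falls to the default block."""

    def __init__(self, groups, rules, default="block"):
        self.groups = {g.name: g for g in groups}
        self.rules = list(rules)
        self.default = default

    def groups_of(self, wl):
        return [name for name, g in self.groups.items() if g.contains(wl)]

    def _match(self, selector, wl):
        return selector == ANY or self.groups[selector].contains(wl)

    def evaluate(self, src, dst, service):
        for rule in self.rules:
            if (self._match(rule.src, src) and self._match(rule.dst, dst)
                    and rule.service in (ANY, service)):
                return rule.action, rule.name
        return self.default, "default"


def build_dfw():
    # Constructed three-tier PCI policy plus a quarantine group that wins first.
    groups = [
        SecurityGroup("PCI-Web", frozenset({"PCI", "web"})),
        SecurityGroup("PCI-App", frozenset({"PCI", "app"})),
        SecurityGroup("PCI-DB", frozenset({"PCI", "db"})),
        SecurityGroup("Quarantine", frozenset({"quarantine"})),
    ]
    rules = [
        Rule("quarantine-in", ANY, "Quarantine", ANY, "block"),
        Rule("quarantine-out", "Quarantine", ANY, ANY, "block"),
        Rule("web-to-app", "PCI-Web", "PCI-App", ("tcp", 8443), "allow"),
        Rule("app-to-db", "PCI-App", "PCI-DB", ("tcp", 1433), "allow"),
    ]
    return DistributedFirewall(groups, rules)


def run_scenario():
    """Walk one workload through the lifecycle the slides describe."""
    dfw = build_dfw()
    web = Workload("web-01", "esxi-pci-1", {"PCI", "web"})
    app = Workload("app-01", "esxi-pci-2", {"PCI", "app"})
    db = Workload("db-01", "esxi-pci-2", {"PCI", "db"})
    results = {}
    results["web->app tcp/8443"] = dfw.evaluate(web, app, ("tcp", 8443))
    results["web->db tcp/1433"] = dfw.evaluate(web, db, ("tcp", 1433))
    # vMotion: the rule is bound to group membership, not host or IP, so it holds.
    app.host = "esxi-pci-3"
    results["web->app after vMotion"] = dfw.evaluate(web, app, ("tcp", 8443))
    # Workload comes out of policy (for example flagged by a scan): quarantine tag.
    app.tags.add("quarantine")
    results["web->app while app quarantined"] = dfw.evaluate(web, app, ("tcp", 8443))
    # Label withdrawn: app leaves PCI-App and every flow falls to the default block.
    app.tags -= {"quarantine", "PCI"}
    results["web->app after PCI label removed"] = dfw.evaluate(web, app, ("tcp", 8443))
    return results


if __name__ == "__main__":
    for flow, (action, rule) in run_scenario().items():
        print(f"{flow:40s} {action:5s} ({rule})")
```

The point to take from the run is that nothing in the rule table names a host or an address: moving the VM changes nothing, while changing its tags changes everything, which is what makes a "come out of policy" workload lose access without anyone editing a rule.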
Capex Value Expressed in Infrastructure Utilization
Diagram: Compute Racks (ESXi clusters under vCenter 1 and vCenter 2, each up to the maximum VMs supported by a vCenter), Infrastructure Racks (Storage, vCenter and vCloud Director) and Edge Racks connecting to the WAN and Internet.
Summary – Value Achieved via Segmentation
Segmentation techniques provide uniform consumption of SDDC while
maintaining controls needed for compliance
Dynamic routing and overlay networks provide isolation needed for SDDC
resources to be consumed
Centralized Policy Management eases the administrative burden by providing
networking and firewall rules that are always ‘in context’
Reduced Audit Costs by providing controls of core SDDC elements such as
storage and compute bound to networks thereby limiting scope
Get hands on experience! Partner Hands On Lab with HyTrust, Catbird and
LogRhythm to go with VMware NSX Hands On Labs
Visit the HyTrust booth and Porticor online at http://www.porticor.com/porticor-for-vmware/ for more information
VMworld: Security and Compliance Sessions
NSX
• 5318: NSX Security Solutions In Action (201)
• 5753: Dog Fooding NSX at VMware IT (201)
• 5828: Datacenter Transformation (201)
• 5582: Network Virtualization across Multiple Data Centers (201)
NSX Firewall
• 5893: Economies of the NSX Distributed Firewall (101)
• 5755: NSX Next Generation Firewalls (201)
• 5891: Build a Collapsed DMZ Architecture (301)
• 5894: NSX Distributed Firewall (301)
NSX Service Composer
• 5749: Introducing NSX Service Composer (101)
• 5750: NSX Automating Security Operations Workflows (201)
• 5889: Troubleshooting and Monitoring NSX Service Composer (301)
Compliance
• 5428: Compliance Reference Architecture Framework Overview (101)
• 5624: Accelerate Deployments – Compliance Reference Architecture (Customer Panel) (201)
• 5253: Streamlining Compliance (201)
• 5775: Segmentation (301)
• 5820: Privileged User Control (301)
• 5837: Operational Efficiencies (301)
Other
• 5589: Healthcare Customer Case Study: Maintaining PCI, HIPAA and HITECH Compliance in Virtualized Infrastructure (Catbird – Jefferson radiology)
• 5178: Motivations and Solution Components for enabling Trusted Geolocation in the Cloud - A Panel discussion on NIST Reference Architecture (IR 7904). (Intel and HyTrust)
• 5546: Insider Threat: Best Practices and Risk Mitigation techniques that your VMware based IaaS provider better be doing! (Intel)
For More Information…
VMware Collateral
• VMware Approach to Compliance
• VMware Solution Guide for PCI
• VMware Architecture Design Guide for PCI
• VMware QSA Validated Reference Architecture PCI
Partner Collateral
• VMware Partner Solution Guides for PCI
How to Engage?
• compliance-solutions@vmware.com
• @VMW_Compliance on Twitter
Other VMware Activities Related to This Session
HOL:
HOL-SDC-1315
vCloud Suite Use Cases - Control & Compliance
HOL-SDC-1317
vCloud Suite Use Cases - Business Critical Applications
HOL-PRT-1306
Compliance Reference Architecture- Catbird, HyTrust and LogRhythm
Group Discussions:
SEC1002-GD
Compliance Reference Architecture: Integrating Firewall, Antivirus, Logging and IPS in the SDDC with Allen Shortnacy
SEC5428
THANK YOU