Transcript of: Advanced Security & Micro Segmentation for your Network Platform

Page 1
Advanced Security & Micro Segmentation for your Network Platform
Paanob Mahanarongchai Account System Engineer VMWARE THAILAND
Page 2
Impressive rates of change
Timeline chart with the years 2000, 2002, 2008, 2009, 2010, 2011, 2012 and 2015, plotting rate of change against security inclusion; one year is marked as the first year this event was named “RSA Conference”.
Page 3
Problem: Data Center Network Security
Perimeter-centric network security has proven insufficient, and micro-segmentation is operationally infeasible.
Diagram: a perimeter firewall at the Internet edge with little or no lateral controls inside the perimeter (labelled “Insufficient”), beside a micro-segmented design (labelled “Operationally Infeasible”).
Page 4
Security is needed everywhere, but we can’t have it everywhere
Why can’t we have individual firewalls for every VM?
Physical firewalls: expensive and complex
Virtual firewalls: slow, costly, and complicated
With traditional technology, this is operationally infeasible.
Diagram: data center perimeter facing the Internet.
Page 5
NSX value proposition
Network Virtualization is at the core of an SDDC approach
Diagram: a virtualization layer spanning network, storage and compute.
Page 6
The next-generation networking model
Network and security services now in the hypervisor: switching, routing, firewalling/ACLs, load balancing
Page 7
The next-generation networking model
Switching, routing, firewalling/ACLs, load balancing
High throughput
East-west firewalling
Native platform capability
Page 8
NSX value proposition
Network Virtualization is at the core of an SDDC approach
Diagram: a virtualization layer spanning network, storage and compute, with the NSX “network hypervisor” providing virtual networks on top.
Page 9
NSX Security: delivering inherently secure infrastructure
Business value: more secure and 1/3 the cost of less secure infrastructure
Diagram: data center perimeter facing the Internet, with a DMZ and secure user environments inside it.
Security policies simplified
Logical groups enabled
Threats contained
Page 10
Automated Security in a Software Defined Data Center: Quarantine Vulnerable Systems until Remediated
Security Group = Quarantine Zone
Members = {Tag = ‘ANTI_VIRUS.VirusFound’, L2 Isolated Network}
Security Group = Web Tier
Policy Definition
Standard Desktop VM Policy: Anti-Virus – Scan
Quarantined VM Policy: Firewall – Block all except security tools; Anti-Virus – Scan and remediate
Page 11
Automate security operations
Without VMware NSX
• Manual workflows
• No interoperability between best-of-breed security products
With VMware NSX
• Security is automated
• If one service finds something, then another service can do something about it
Create repeatable, automated workflows across best-of-breed security products with VMware NSX
Page 12
Intelligent grouping
Groups defined by customized criteria: operating system, machine name, application tier, services, security posture, regulatory requirements
Page 13
Use case: Advanced intelligent grouping for unsupported operating systems
Situation: the OS is no longer supported on several systems. These systems need a policy which restricts access to only email servers.
Unsupported OS Group
Page 14
Use Case: Advanced Security in DR
Diagram: primary site (10.0.10/24, VM at 10.0.10.21) and recovery site (10.0.20/24, VM at 10.0.20.21), each with its own physical network infrastructure and SAN.
1. Snapshot VM
2. Replicate VM & storage (steps 1 & 2 e.g. VMware SRM)
3. Recover the VM
4. Change IP address and reconfigure security: major RTO impact
Page 15
DR with NSX Network Virtualization
Diagram: primary site and recovery site, each with physical network infrastructure (10.0.10/24 and 10.0.20/24), SAN and an NSX Controller; a virtual network 10.0.30/24 spans both sites, so the VM keeps 10.0.30.21 at either site.
1. Snapshot VM
2a. Replicate VM & storage (steps 1 & 2 e.g. VMware SRM)
2b. Snapshot network & security
3. Recover the VM: network & security already exists
Label on the diagram: 80% RTO
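The three use cases above (the tag-driven quarantine zone on page 10, the unsupported-OS group on page 13 and the DR re-addressing problem on pages 14 and 15) all rest on one idea: group membership and policy are keyed on workload attributes, not on IP addresses. The following is an added example written for this transcript; it is not VMware's code, not the presenter's, and does not call any NSX API. It models security groups as predicates over VM attributes, resolves flows against a group-based policy, and contrasts that with an address-keyed ACL when a VM is recovered at another site. The group names, tiers, services, OS names and hosts are constructed for the illustration; only the tag value 'ANTI_VIRUS.VirusFound' and the 10.0.x.0/24 subnets come from the slides.

```python
# Added example, not VMware's or the presenter's code: a small model of the
# attribute-driven security groups, group-based policy and DR re-addressing
# described in the deck. Names, tiers, services, OS names and addresses are
# constructed for the illustration; only the tag 'ANTI_VIRUS.VirusFound' and
# the 10.0.x.0/24 subnets come from the slides.
from dataclasses import dataclass, field

UNSUPPORTED_OS = {"Windows Server 2003", "Windows XP"}  # constructed list


@dataclass
class VM:
    name: str
    ip: str
    os: str
    tier: str
    tags: set = field(default_factory=set)


# Membership is decided by VM attributes (tag, OS, tier), never by address.
GROUP_CRITERIA = {
    "Quarantine":    lambda vm: "ANTI_VIRUS.VirusFound" in vm.tags,
    "UnsupportedOS": lambda vm: vm.os in UNSUPPORTED_OS,
    "Web":           lambda vm: vm.tier == "web",
    "Mail":          lambda vm: vm.tier == "mail",
    "SecurityTools": lambda vm: vm.tier == "sectools",
}


def groups_of(vm):
    """Re-evaluate every group's criteria against the VM's current attributes."""
    return {name for name, matches in GROUP_CRITERIA.items() if matches(vm)}


# Group-based policy: (source group, destination group, service, action),
# evaluated top to bottom, first match wins, default block. "any" is a wildcard.
# Quarantine rules sit first so they override a VM's normal tier rules.
POLICY = [
    ("Quarantine",    "SecurityTools", "any",  "allow"),  # scan and remediate
    ("SecurityTools", "Quarantine",    "any",  "allow"),
    ("Quarantine",    "any",           "any",  "block"),  # block all else
    ("any",           "Quarantine",    "any",  "block"),
    ("UnsupportedOS", "Mail",          "smtp", "allow"),  # email servers only
    ("UnsupportedOS", "any",           "any",  "block"),
    ("any",           "Web",           "http", "allow"),
    ("Web",           "Mail",          "smtp", "allow"),
]


def decide(src, dst, service):
    """Resolve a flow against the group-based policy."""
    src_groups, dst_groups = groups_of(src), groups_of(dst)
    for rule_src, rule_dst, rule_svc, action in POLICY:
        if ((rule_src == "any" or rule_src in src_groups)
                and (rule_dst == "any" or rule_dst in dst_groups)
                and rule_svc in ("any", service)):
            return action
    return "block"


# Legacy address-keyed ACL used for the DR comparison (constructed entry).
LEGACY_ACL = [("10.0.10.21", "10.0.10.22", "http", "allow")]


def decide_legacy(src_ip, dst_ip, service):
    """Resolve a flow against an ACL that only understands IP addresses."""
    for rule_src, rule_dst, rule_svc, action in LEGACY_ACL:
        if (rule_src, rule_dst, rule_svc) == (src_ip, dst_ip, service):
            return action
    return "block"


def on_virus_found(vm):
    """The anti-virus service tags the VM; group membership and policy follow."""
    vm.tags.add("ANTI_VIRUS.VirusFound")


def on_remediated(vm):
    """Remediation clears the tag and the VM drops out of the quarantine zone."""
    vm.tags.discard("ANTI_VIRUS.VirusFound")


def recover_vm(vm, network_virtualized):
    """Recover the VM at the other site. On a virtual network it keeps its
    address; on a physical network it is re-addressed into the recovery
    site's subnet (10.0.10/24 -> 10.0.20/24 in the deck)."""
    if not network_virtualized:
        vm.ip = vm.ip.replace("10.0.10.", "10.0.20.", 1)
    return vm


if __name__ == "__main__":
    web = VM("web01", "10.0.10.21", "Windows Server 2016", "web")
    mail = VM("mail01", "10.0.10.22", "Linux", "mail")
    print(decide(web, mail, "smtp"))   # allow
    on_virus_found(web)
    print(decide(web, mail, "smtp"))   # block: web01 is now in Quarantine
```

Two design points are worth noting. The quarantine rules are placed ahead of the tier rules so that a web server that picks up the virus tag is cut off from everything except the security tools, exactly as the quarantined VM policy on page 10 states, and it returns to normal the moment the tag is cleared. In the DR comparison, `decide` gives the same answer before and after `recover_vm` because it never looks at `vm.ip`, whereas `decide_legacy` silently starts blocking the flow once the VM has been re-addressed, which is the "reconfigure security" step the deck flags as the RTO cost.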
Page 16
Summary
SDDC with NSX is fundamentally a more effective security solution
Removing grouping decisions from the network topology enables intelligent security decisions
NSX equips security teams with the ability to automate and adapt to changes
Page 17
Paanob Mahanarongchai, System Engineer, VMWARE THAILAND