VMware NSX – A Perspective for Service Providers – part 2
Using Software Defined Networking to harden DC security controls
Trevor Gerdes, Strategic Architect – Security and Networks

Transcript of VMware NSX A Perspective for Service Providers part 2

Page 1:

VMware NSX – A Perspective for Service Providers – part 2
Using Software Defined Networking to harden DC security controls

Trevor Gerdes
Strategic Architect – Security and Networks

Page 2:

NSX for SPs Part 2 - Agenda

1 Case Studies

2 Data Centre Security

3 Distributed Firewall – Use Cases

4 Current SDN Technologies

5 NSX Service Composer

6 Building a Zero Trust Model

Page 3:

Case Studies

Page 4:

Australian MSP

• Existing vSphere customer

• Using 3rd party orchestration system (non-VMware)

• Wanted to improve service delivery times

• Looking at hybrid virtual solution using elements from Juniper, Cisco and VMware

Page 5:

Australian MSP

• Implemented NSX into new cloud offering inside 3 months

• Reduced service delivery time from 6 weeks to 3 days

• Brought forward revenue billing by 5 weeks

• Selected NSX over hybrid Cisco, VMware and Juniper solution due to all in one package of logical L2 networking, L3 routing and perimeter gateway services including VPN and LB services.

• Integrated NSX via API into 3rd party cloud solution inside 1 week using Python scripts.

• Looking for next wave of feature integration and “value add” using NSX distributed FW and security partners.

Page 6:

First Problem – VM Conversion required

Diagram: Customer Data Centre and Cloud Hosting Service

Page 7:

Diagram: Customer Data Centre and Cloud Hosting Service

Page 8:

Diagram: Customer Data Centre and Cloud Hosting Service

What about a partial move?

Page 9:

NSX – Providing Stretch Layer 2 (over Layer 3)

Diagram: NSX stretching Layer 2 between the Customer Data Centre and the Cloud Hosting Service

Currently in use by a large Sydney-based Hosting Provider

Page 10:

SDDC Micro-Segmentation Business Case - Sample

Data Center Environment
  Number of VMs: 1,000
  Number of VMs per CPU: 5
  Number of CPUs per Host: 2
  Number of Hosts: 100

Firewall Throughput Required for Micro-Segmentation
  Average Application Throughput per Host: 7 Gbps
  Throughput Required to Support All VMs: 700 Gbps
  Segmentation Ratio (% of VMs requiring FW controls): 40%
  Effective Firewall Throughput Requirement: 280 Gbps
  Firewalls Required (20 Gbps each, x2 for HA): 28 Firewalls

Firewall Cost
  List Price of 20 Gbps Firewalls: $150,000
  Total CAPEX for Firewalls: $4,200,000
  Note: Operationally Infeasible

NSX Cost
  List Cost for NSX Platform: ~$1,300,000
  Note: Operationally Easy to Deploy; 3x Difference in CAPEX Cost
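The figures on this slide follow from a handful of multiplications that the slide itself does not show. The Python model below is an added example, not part of the original deck; it recomputes each line from the slide's inputs so the derivation is explicit, and it can be re-run with another environment's numbers. The Environment and FirewallOption names are this example's own.

```python
"""Worked version of the micro-segmentation business case (added example)."""
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class Environment:
    vms: int                            # VMs in the data centre
    vms_per_cpu: int                    # consolidation ratio
    cpus_per_host: int
    app_throughput_per_host_gbps: float # average application throughput per host
    segmentation_pct: int               # share of VMs that need firewall controls, in percent


@dataclass(frozen=True)
class FirewallOption:
    throughput_gbps: float              # per physical appliance
    list_price_usd: float
    ha_factor: int = 2                  # "x2 for HA" on the slide


def hosts_required(env: Environment) -> int:
    """Hosts = VMs / (VMs per CPU x CPUs per host)."""
    return math.ceil(env.vms / (env.vms_per_cpu * env.cpus_per_host))


def total_throughput_gbps(env: Environment) -> float:
    """Aggregate application throughput across every host."""
    return hosts_required(env) * env.app_throughput_per_host_gbps


def effective_fw_throughput_gbps(env: Environment) -> float:
    """Only the segmented share of that traffic must traverse a firewall.
    Percent arithmetic keeps the result exact (700 * 40 / 100 == 280.0)."""
    return total_throughput_gbps(env) * env.segmentation_pct / 100


def firewalls_required(env: Environment, fw: FirewallOption) -> int:
    """Appliances needed to carry the segmented traffic, then doubled for HA."""
    return math.ceil(effective_fw_throughput_gbps(env) / fw.throughput_gbps) * fw.ha_factor


def firewall_capex_usd(env: Environment, fw: FirewallOption) -> float:
    return firewalls_required(env, fw) * fw.list_price_usd


def capex_ratio(env: Environment, fw: FirewallOption, nsx_list_cost_usd: float) -> float:
    """How many times the appliance CAPEX exceeds the NSX list cost."""
    return firewall_capex_usd(env, fw) / nsx_list_cost_usd


# Inputs exactly as given on the slide
SLIDE_ENV = Environment(vms=1000, vms_per_cpu=5, cpus_per_host=2,
                        app_throughput_per_host_gbps=7, segmentation_pct=40)
SLIDE_FW = FirewallOption(throughput_gbps=20, list_price_usd=150_000)
SLIDE_NSX_COST = 1_300_000   # "~$1,300,000" on the slide

if __name__ == "__main__":
    print("hosts:", hosts_required(SLIDE_ENV))
    print("total Gbps:", total_throughput_gbps(SLIDE_ENV))
    print("segmented Gbps:", effective_fw_throughput_gbps(SLIDE_ENV))
    print("firewalls:", firewalls_required(SLIDE_ENV, SLIDE_FW))
    print("firewall CAPEX:", firewall_capex_usd(SLIDE_ENV, SLIDE_FW))
    print("CAPEX ratio vs NSX:", round(capex_ratio(SLIDE_ENV, SLIDE_FW, SLIDE_NSX_COST), 2))
```

The one step worth noticing is the last one: 280 Gbps at 20 Gbps per appliance is 14 appliances, and the HA factor is what turns that into 28 and the $4.2M figure. Changing the segmentation percentage is the quickest way to see how sensitive the appliance count is to how much east-west traffic actually needs a control point.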

Page 11:

Large US Financial

25,000 VM deployment

$10m investment in NSX

$50m savings over 5 years

NSX improved host utilisation from 9:1 to 14:1

• NSX helped avoid hardware refresh on ESX hosts, Load Balancers, Network hardware

• SDDC helped reduce labour costs by $8m

15 month PoC which morphed into full SDDC

PoC (vCAC, vCO, vCOps, LogInsight)

Page 12:

Rackspace

“NVP, combined with OpenStack is a game changer. Together we are bringing enterprise private networking to the cloud.”

LEW MOORMAN, PRESIDENT, RACKSPACE

• Rackspace Cloud Networks

• $15-$20 million a year savings by not overprovisioning servers

Deliver enterprise-class private networking in a public, multi-tenant cloud.

Page 13:

Improved Server Utilization – less overprovisioning of servers

Without Network Virtualization 60% Asset Utilization

With Network Virtualization 90% Asset Utilization

Page 14:

Data Centre Security – A Better Way

Page 15:

Yesterday’s Model for DC Security

“Hard Shell on the Outside”

“Soft on the Inside” – Physical Workloads

Page 16:

Secure Micro-Segmentation in the Data Center

Uncontrolled Communication

Page 17:

Secure Micro-Segmentation in the Data Center

Operationally Infeasible

Page 18:

Secure Micro-Segmentation with VMware NSX

Controlled Communication

Scale-Out Performance

Automated Operational Model

Page 19:

NSX Distributed Firewall – Overview

Hypervisor Kernel Embedded Firewall:

• Built directly into the Hypervisor

• Near Line-Rate Performance

• Removes dependence on Guest based Firewall

• L2-4 Stateful East/West Firewalling

Distributed to Every VM:

• No “Choke Point”

• Policy independent of VM location

• Enforcement closest to VM

• Removes Tromboning

Page 20:

Distributed Firewall - Use Cases

Page 21:

Diagram: three Distributed Firewall use cases

Isolation – Dev, Test, Production: No Communication Path

Segmentation – Web, App, DB: Controlled Communication Path

Service Insertion – Web, App, DB: Advanced Services, Controlled Communication Path

Page 22:

NSX Distributed Firewall for vMotion

Diagram: Internet, Perimeter Firewalls, Security Policy, Cloud Management Platform

• Hypervisor-based, in-kernel distributed firewalling

• Platform-based automated provisioning and workload adds/moves/changes

Page 23:

NSX Distributed Firewall: Better Load Distribution

Diagram: PCI, Non-PCI and Private zones

Page 24:

Automated Security in a Software Defined Data Center – Data Center Micro-Segmentation

Page 25:

Network-Segmentation or Micro-Segmentation

Diagram: two layouts of a Web / App / Database application

Multi-Tier, Multi-subnet: NSX Load Balancer in front, NSX Distributed Router between the Web, App and Database tiers, each tier on its own subnet

Or

Multi-Tier, Single-subnet: NSX Load Balancer in front, Web, App and DB VMs all on one subnet

Page 26:

Current SDN Technologies

Page 27:

Software Defined Networking - Layers

Consumption
  How an end user consumes SDN
  Build Networks and security services via WebUI, REST API (XML, JSON), Python Scripts etc
  e.g. vRealize Automation, CloudForms, ServiceMesh, CloudFoundry

Management
  Configuration interface
  REST XML API or WebUI
  e.g. vCenter, NSX manager, APIC, Openstack

Control Plane
  Programs Data Plane
  Provides: API North side, Openflow or Proprietary Southbound
  e.g. NSX Controller, ACI N9K Spine sw., Contrail, OpenDaylight

Data Plane
  Forwards Packets
  Provides: workload connectivity & services processing
  e.g. hypervisors, physical switches and appliances

Page 28:

Hardware-based SDN – “H”DN?

Page 29:

VMware NSX

Page 30:

The anatomy of the most agile & efficient data centers is SDDC

Google / Facebook / Amazon Data Centers

Custom Application

Custom Platform

Software / Hardware Abstraction

Any x86

Any Storage

Any IP network

Facebook “6-pack”: the first open hardware modular switch. 12 switching elements, 1.28 Tbits/s each

Page 31:

“New IT” will be SDDC

Software Defined Data Center (SDDC): Any Application / SDDC Platform / Any x86 / Any Storage / Any IP network

Data Center Virtualization

Public Data Center: Any Application / Any x86 / Any Storage / Any IP network

Hybrid Data Center: Any Application / Any x86 / Any Storage / Any IP network / SDDC Platform

Page 32:

NSX Service Composer

Page 33:

NSX Service Composer

Security services are consumed more efficiently in a software-defined datacenter

VMware Network and Security Platform

Deploy, Apply, Automate

Extensibility

Security Tags, Security Groups, Security Policies, Service Insertion

Page 34:

NSX Service Composer – Canvas View

Page 35:

NSX Service Composer – Security Group

Security Group (SG) - Container of VMs by IP, Security tag, switch etc

• Defines what you want to protect.

• e.g. “PCI DSS Zone”, “DMZ”, “Quarantine Zone”

Security Policies – collection of Security Policy Objects (SPOs) assigned to this Security Group.

• How you want to protect this container

• Can have multiples with weighting

e.g. “PCI Compliance Policy”

Included Security Groups - Nested containers

e.g. “Quarantine Zone” is a sub group within “PCI DSS Zone”

Virtual Machines that belong to this container.

e.g. “Apache-Web-VM”, “Exchange Server-VM”

Guest Introspection

• Anti-virus

• Vulnerability Management

• Data Loss Prevention (DLP)

Firewall Rules

• Inbound, Outbound, Intra-Zone

• Allow, Deny, and Log

Network Introspection – 3rd party services integrated via NetX

• Intrusion Prevention (IPS)

• Nextgen F/W

• WAN optimization, load balancing services.

Page 36:

Automated Security in a Software Defined Data Center – Quarantine Vulnerable Systems until Remediated

Security Group = Virtual_Desktops
Members = {Connected to VDI-01-Logical-Switch}
Policy = Standard Desktop

Security Group = Quarantine Zone
Members = {Tag = ‘ANTI_VIRUS.VirusFound’}
Policy = Quarantine Zone

Policy Standard Desktop
  Anti-Virus – Scan

Policy Quarantine Zone
  Firewall – Permit remediation, deny all
  Anti-Virus – Scan and remediate
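The point of this slide is that nobody edits a firewall rule when a desktop is infected: the AV partner sets a security tag, the tag changes which Security Group the VM belongs to, and the group's policy follows. The Python model below is an added example, not NSX code and not from the deck; it evaluates the two membership criteria on the slide at lookup time and traces the quarantine lifecycle. The policy weights, the VM name and the criterion helpers are this example's own assumptions; the firewall rule and guest introspection entries are the ones listed on the slide.

```python
"""Service Composer membership model: tag-driven quarantine (added example)."""
from dataclasses import dataclass, field
from typing import Callable, List, Set, Tuple


@dataclass
class VM:
    name: str
    logical_switch: str
    tags: Set[str] = field(default_factory=set)   # security tags, set by partner services


@dataclass(frozen=True)
class SecurityPolicy:
    name: str
    weight: int                          # higher weight takes precedence (assumed values below)
    firewall_rules: Tuple[str, ...]
    guest_introspection: Tuple[str, ...]


@dataclass(frozen=True)
class SecurityGroup:
    name: str
    criterion: Callable[[VM], bool]      # evaluated on each lookup, so membership tracks VM state
    policy: SecurityPolicy


def connected_to(switch: str) -> Callable[[VM], bool]:
    return lambda vm: vm.logical_switch == switch


def has_tag(tag: str) -> Callable[[VM], bool]:
    return lambda vm: tag in vm.tags


# Policies as described on the slide; weights are an assumption of this example
STANDARD_DESKTOP = SecurityPolicy("Standard Desktop", weight=1000,
                                  firewall_rules=(),               # slide lists no firewall rules here
                                  guest_introspection=("Anti-Virus – Scan",))
QUARANTINE = SecurityPolicy("Quarantine Zone", weight=5000,
                            firewall_rules=("Permit remediation", "Deny all"),
                            guest_introspection=("Anti-Virus – Scan and remediate",))

GROUPS: List[SecurityGroup] = [
    SecurityGroup("Virtual_Desktops", connected_to("VDI-01-Logical-Switch"), STANDARD_DESKTOP),
    SecurityGroup("Quarantine Zone", has_tag("ANTI_VIRUS.VirusFound"), QUARANTINE),
]


def groups_for(vm: VM, groups: List[SecurityGroup] = GROUPS) -> List[str]:
    return [g.name for g in groups if g.criterion(vm)]


def policies_for(vm: VM, groups: List[SecurityGroup] = GROUPS) -> List[SecurityPolicy]:
    """Every applicable policy, highest weight first."""
    return sorted((g.policy for g in groups if g.criterion(vm)),
                  key=lambda p: p.weight, reverse=True)


def effective_firewall_rules(vm: VM, groups: List[SecurityGroup] = GROUPS) -> List[str]:
    """Rules concatenated in precedence order, so the quarantine deny-all sits
    ahead of anything a lower-weight policy would permit."""
    return [rule for p in policies_for(vm, groups) for rule in p.firewall_rules]


def quarantine_lifecycle(vm: VM, groups: List[SecurityGroup] = GROUPS) -> List[List[str]]:
    """Membership before detection, after the AV partner tags the VM, and after
    remediation clears the tag. No rule is edited at any step."""
    steps = [groups_for(vm, groups)]
    vm.tags.add("ANTI_VIRUS.VirusFound")       # set by the AV service on detection
    steps.append(groups_for(vm, groups))
    vm.tags.discard("ANTI_VIRUS.VirusFound")   # cleared once remediation succeeds
    steps.append(groups_for(vm, groups))
    return steps


if __name__ == "__main__":
    desktop = VM("vdi-desktop-07", "VDI-01-Logical-Switch")   # constructed VM
    for step in quarantine_lifecycle(desktop):
        print(step)
```

Two details carry over to a real deployment: the quarantine policy must outweigh the baseline policy, or its deny-all lands after the baseline's permits; and the quarantined VM stays in Virtual_Desktops the whole time, which is what lets the remediation permit and the desktop's normal AV scan coexist.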

Page 37:

Building a Zero-Trust Model

Page 38:

Forrester Zero Trust Model

http://csrc.nist.gov/cyberframework/rfi_comments/040813_forrester_research.pdf

“In short, Zero Trust flips the mantra "trust but verify" into "verify and never trust."”

Page 39:

Zero-Trust with NSX – Stage 1

Page 40:

Zero-Trust with NSX – Stage 2

Page 41:

Zero-Trust with NSX – Stage 3

Page 42:

Zero-Trust with NSX – Stage 4

Page 43:

Resulting Policy

Page 44:

Layer 4 – 7 Advanced Services Insertion

NSX and Palo Alto Networks VM Series Firewall

Distributed Firewall – Optimal Traffic Steering – Web Tier

Rule1: Any to Web – PAN Insertion
Rule2: Web to App – DFW Permit
Rule3: Web to Web – DFW Deny

Diagram: NSX Mgr, Internet, Web, App and DB VMs
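What makes this steering "optimal" is rule order: only traffic entering the web tier is handed to the partner firewall for L7 inspection, while Web-to-App and Web-to-Web are decided in the kernel without the partner ever seeing them. The Python model below is an added example, not code from the deck, NSX or Palo Alto Networks. It treats the three rules as a generic first-match table (not NSX's own processing, where partner redirection rules sit in their own table) and adds an audit that finds rules an earlier rule makes unreachable. Group membership, the external address and the final default deny are assumptions of this example; the slide shows no default rule.

```python
"""First-match evaluation of the slide's DFW rules, plus a shadowing audit (added example)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Set


class Action(Enum):
    REDIRECT = "permit and steer to partner"   # L7 inspection by the inserted service
    PERMIT = "permit in kernel"
    DENY = "deny in kernel"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                        # security group name, or "any"
    dst: str
    action: Action
    service: Optional[str] = None   # partner service for REDIRECT


@dataclass(frozen=True)
class Verdict:
    rule: str
    action: Action
    service: Optional[str] = None


# Constructed membership: three tiers from the diagram plus an external client
# (203.0.113.10 is a documentation address, used here as a stand-in)
GROUPS: Dict[str, Set[str]] = {
    "External": {"203.0.113.10"},
    "Web": {"web-01", "web-02"},
    "App": {"app-01"},
    "DB": {"db-01"},
}

# Rules exactly as written on the slide, in slide order
SLIDE_RULES: List[Rule] = [
    Rule("Rule1", "any", "Web", Action.REDIRECT, service="PAN VM-Series"),
    Rule("Rule2", "Web", "App", Action.PERMIT),
    Rule("Rule3", "Web", "Web", Action.DENY),
]
DEFAULT = Rule("default", "any", "any", Action.DENY)   # assumed; not shown on the slide

# Same rules with Rule1 scoped to external sources instead of "any"
SCOPED_RULES: List[Rule] = [
    Rule("Rule1", "External", "Web", Action.REDIRECT, service="PAN VM-Series"),
] + SLIDE_RULES[1:]


def member(vm: str, group: str, groups: Dict[str, Set[str]] = GROUPS) -> bool:
    return group == "any" or vm in groups.get(group, set())


def evaluate(src_vm: str, dst_vm: str, rules: List[Rule] = SLIDE_RULES) -> Verdict:
    """First matching rule decides; anything unmatched hits the assumed default deny."""
    for r in list(rules) + [DEFAULT]:
        if member(src_vm, r.src) and member(dst_vm, r.dst):
            return Verdict(r.name, r.action, r.service)
    raise AssertionError("unreachable: DEFAULT matches every flow")


def covers(outer: Rule, inner: Rule, groups: Dict[str, Set[str]] = GROUPS) -> bool:
    """True if every (src, dst) pair inner could match is already caught by outer."""
    def members(g: str) -> Set[str]:
        return {"*"} if g == "any" else groups.get(g, set())
    src_ok = outer.src == "any" or members(inner.src) <= members(outer.src)
    dst_ok = outer.dst == "any" or members(inner.dst) <= members(outer.dst)
    return src_ok and dst_ok


def shadowed(rules: List[Rule] = SLIDE_RULES) -> Dict[str, str]:
    """Map each rule that can never match to the earlier rule hiding it."""
    hidden: Dict[str, str] = {}
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                hidden[later.name] = earlier.name
                break
    return hidden


if __name__ == "__main__":
    for src, dst in [("203.0.113.10", "web-01"), ("web-01", "app-01"),
                     ("web-01", "web-02"), ("app-01", "db-01")]:
        print(src, "->", dst, evaluate(src, dst))
    print("shadowed (slide order, literal any):", shadowed(SLIDE_RULES))
    print("shadowed (Rule1 scoped to External):", shadowed(SCOPED_RULES))
```

Run as-is, the audit reports that in a single first-match table a literal any-source Rule1 would catch Web-to-Web traffic before Rule3 sees it, which is why the scoped variant is included: once Rule1 matches only external sources, Rule3 becomes reachable and the audit comes back empty. The same audit is worth running over any rule set where an insertion rule is placed ahead of in-kernel permits and denies.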

Page 45:

Real-world Example of Firewall Sprawl – 22 Firewalls!

Page 46:

Complexity driven by applications / E-W traffic flows

North/South

East/West

• East-West traffic hairpins across the perimeter Firewall

• Complex static inter zone routing

• Requires punching holes across security zones

• Internal security zones exposed on perimeter devices

Page 47:

Zero-Trust Model Implementation with NSX

Diagram: an Exchange deployment segmented by role

Any devices over any networks

App gateways and perimeter devices

Admin jump points

Common Services: EDS, AD, DB

Applications: Exchange

Exchange roles shown:
  Edge Transport – Routing and AV/AS
  Client Access – Client connectivity, Web services
  Hub Transport – Routing and policy
  Mailbox – Storage of mailbox items
  Unified Messaging – Voice mail and voice access

Ports shown on the diagram: 25; 50636; 135; 389, 3268, 88, 53, 135 (to AD); 443; RPC 808; 5060, 5061, 5062, dynamic

Page 48:

In Summary

A Good Security Approach Requires

• Zero-Trust: Don’t Trust Anyone, Verify Always

• Control at the Perimeter alone is not enough

NSX with Distributed Firewall Provides

• Easy Enforcement of East/West Policy

• Security Policy that Follows the Workload

• Enforcement at the Smallest Unit of Trust

• Easy Hardening of Data Centre Core through Micro-segmentation

• Integration with Best-of-Breed Security Vendors


Page 49:

Thankyou!