Data Center Security with Micro-segmentation - isaca

NSX: Data Center Security with Micro-segmentation

Esteban Prieto Senior Systems Engineer © 2015 VMware Inc. All rights reserved.

How do you: move as fast as the business needs, while serving a changing and growing environment, without having to start from scratch?

You need a new approach to networking and security that gives you: the agility and speed you need to support your business, while providing a more secure infrastructure.

The Software Defined Data Center

Software Defined Data Center (SDDC): Any Application → SDDC Platform → Data Center Virtualization
Google / Facebook / Amazon Data Centers: Custom Application → Custom Platform → Software / Hardware Abstraction

Both run on: Any x86, Any Storage, Any IP network

Traditional network provisioning

interface e2/5
  ip address 192.168.1.2/24
  vrf membership vpc-keepalive
vpc domain 1
  peer-keepalive destination 192.168.1.1 source 192.168.1.2 vrf vpc-keepalive
interface port-channel 1000
  switchport mode trunk
  vpc peer-link
interface e2/1-2
  switchport mode trunk
  channel-group 1000 mode active
interface e2/3
  switchport mode trunk
  channel-group 1 mode active
interface port-channel1
  vpc 1

interface e1/5
  ip address 192.168.1.1/24
  vrf membership vpc-keepalive
vpc domain 1
  peer-keepalive destination 192.168.1.2 source 192.168.1.1 vrf vpc-keepalive
interface port-channel 1000
  switchport mode trunk
  vpc peer-link
interface e1/1-2
  switchport mode trunk
  channel-group 1000 mode active
interface e1/3
  switchport mode trunk
  channel-group 1 mode active
interface port-channel1
  vpc 1

... (repeated per device)

Slow • Non-centralized configuration • Human error

Network and Security Virtualization

(Diagram: Orchestrator and Services Portal → NSX Manager → vSphere, vSphere, vSphere)

Hardware independent. Non-disruptive on productive network and security equipment.

Why are breaches still happening?

• Unconstrained communication
• Little or no lateral controls inside perimeter
• Low priority systems are targeted first.

Attackers can move freely around the data center. Attackers then gather and exfiltrate data over weeks or even months.

(Diagram: Internet → Data Center Perimeter)

Security is needed everywhere, but we can't have it everywhere. Why can't we have individual firewalls for every VM?

With traditional technology, this is operationally infeasible.

• Physical firewalls: expensive and complex
• Virtual firewalls: slow, costly, and complicated

(Diagram: Internet → Data Center Perimeter)

Problem: Data Center Network Security

Perimeter-centric network security has proven insufficient, and micro-segmentation is operationally infeasible.

(Diagram, left: Internet → perimeter; little or no lateral controls inside perimeter: Insufficient. Diagram, right: Internet → per-workload firewalls: Operationally Infeasible.)

Data Center Security: Micro-Segmentation?

(Diagram: Internet → FW / IPS-IDS → INSIDE, split into DMZ VLAN and INSIDE VLAN. The IDS-IPS raises an Alert/Action only at the perimeter.)

NO LATERAL CONTROLS: perimeter controls are insufficient.

Data Center Security: Micro-Segmentation with NSX

(Diagram: Internet → FW / IPS-IDS → DMZ VLAN and INSIDE VLAN, with ZERO TRUST.)

Solution: Leverage SDDC Approach for Micro-Segmentation

• Hypervisor-based, in-kernel distributed firewalling
• Platform-based automated provisioning and workload adds/moves/changes

(Diagram: Cloud Management Platform → Security Policy; Internet → Perimeter Firewalls)

Advanced Services Insertion

(Diagram: Management Plane; Security Admin → Security Policy; Internet → Traffic Steering → Network Introspection)

Security Automation

Security Group = Quarantine Zone; Members = {Tag = 'ANTI_VIRUS.VirusFound', L2 Isolated Network}
Security Group = Web Tier

Policy Definition
• Standard Server VM Policy: Anti-Virus – Scan
• Quarantined VM Policy: Firewall – Block all except security tools; Anti-Virus – Scan and remediate

Guest Introspection

Intelligent Policy Creation

Groups defined by workload characteristics, not IP, port and protocol:
• Operating System
• Application Tier
• Machine Name
• Services
• Regulatory Requirements
• Security Posture

Security Automation • Guest Introspection
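The two slides above (Security Automation and Intelligent Policy Creation) describe the mechanism without showing it: group membership is a predicate over workload attributes, so tagging a VM 'ANTI_VIRUS.VirusFound' moves it into the Quarantine Zone and the quarantine rules apply at once, with no rule edit and no dependence on the VM's IP. The following toy policy engine is an added example written for this page; it is not NSX code or the NSX API. The tier names, workload names, IPs, ports and the "Security Tools" group are constructed for the illustration; only the 'ANTI_VIRUS.VirusFound' tag and the "Quarantine Zone" / "Web Tier" group names come from the slide.

```python
"""Tag-driven micro-segmentation policy, as a toy model (added example, not NSX code).

Security groups are predicates over workload characteristics (tag, tier, OS),
not IP addresses; a per-workload firewall walks an ordered rule list and denies
anything unmatched (zero trust default).  Names, IPs and ports are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass
class Workload:
    name: str
    ip: str
    os: str
    tier: str                        # constructed tiers: "web", "app", "db", "secops"
    tags: Set[str] = field(default_factory=set)


@dataclass
class SecurityGroup:
    # Membership is evaluated at lookup time, so a new tag moves a VM between
    # groups without anyone editing a rule.
    name: str
    match: Callable[[Workload], bool]


@dataclass
class Rule:
    name: str
    src: str                         # security group name, or "any"
    dst: str
    ports: Optional[Set[int]]        # None means any port
    action: str                      # "allow" or "deny"


GROUPS: Dict[str, SecurityGroup] = {g.name: g for g in [
    SecurityGroup("Quarantine Zone", lambda w: "ANTI_VIRUS.VirusFound" in w.tags),
    SecurityGroup("Security Tools", lambda w: w.tier == "secops"),   # constructed group
    SecurityGroup("Web Tier", lambda w: w.tier == "web"),
    SecurityGroup("App Tier", lambda w: w.tier == "app"),
    SecurityGroup("DB Tier", lambda w: w.tier == "db"),
]}

# Ordered rules.  The quarantine rules sit on top so they win no matter which
# tier the infected workload normally belongs to ("block all except security tools").
RULES: List[Rule] = [
    Rule("quarantine-to-tools", "Quarantine Zone", "Security Tools", None, "allow"),
    Rule("tools-to-quarantine", "Security Tools", "Quarantine Zone", None, "allow"),
    Rule("quarantine-egress",   "Quarantine Zone", "any", None, "deny"),
    Rule("quarantine-ingress",  "any", "Quarantine Zone", None, "deny"),
    Rule("inet-to-web",         "any", "Web Tier", {443}, "allow"),
    Rule("web-to-app",          "Web Tier", "App Tier", {8443}, "allow"),
    Rule("app-to-db",           "App Tier", "DB Tier", {5432}, "allow"),
]


def in_group(group_name: str, w: Workload) -> bool:
    return group_name == "any" or GROUPS[group_name].match(w)


def members(group_name: str, inventory: List[Workload]) -> Set[str]:
    """Resolve a group to its current members (what a distributed firewall pushes to hosts)."""
    return {w.name for w in inventory if in_group(group_name, w)}


def evaluate(src: Workload, dst: Workload, port: int) -> str:
    """First matching rule wins; no match means deny."""
    for r in RULES:
        if in_group(r.src, src) and in_group(r.dst, dst) and (r.ports is None or port in r.ports):
            return r.action
    return "deny"


def quarantine_demo() -> Dict[str, str]:
    """The slide's scenario: verdicts for a clean app VM, then the same VM once
    the anti-virus integration tags it.  Returned as a dict so it can be checked."""
    web = Workload("web01", "10.0.1.10", "Linux", "web")     # constructed inventory
    app = Workload("app01", "10.0.2.10", "Linux", "app")
    db = Workload("db01", "10.0.3.10", "Linux", "db")
    av = Workload("av01", "10.0.9.10", "Linux", "secops")
    inventory = [web, app, db, av]

    before = {
        "before_web->app:8443": evaluate(web, app, 8443),
        "before_app->db:5432": evaluate(app, db, 5432),
        "before_web->db:5432": evaluate(web, db, 5432),    # no rule: default deny
        "before_quarantine": ",".join(sorted(members("Quarantine Zone", inventory))),
    }
    app.tags.add("ANTI_VIRUS.VirusFound")   # AV agent raises the tag from the slide
    app.ip = "10.0.2.99"                     # re-IP the VM: policy does not care
    after = {
        "after_web->app:8443": evaluate(web, app, 8443),
        "after_app->db:5432": evaluate(app, db, 5432),
        "after_app->av:443": evaluate(app, av, 443),
        "after_quarantine": ",".join(sorted(members("Quarantine Zone", inventory))),
    }
    return {**before, **after}


if __name__ == "__main__":
    for key, verdict in quarantine_demo().items():
        print(f"{key:24} {verdict}")
```

Running it shows the app tier's normal flows allowed, then the same flows denied and only the path to the security tools open once the tag is present; the membership list changes while the rule list does not, which is the operational point the slides make about grouping by characteristics rather than by address.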

Security EcoSystem

• Anti-virus
• Data Loss Prevention
• Vulnerability Scan
• Security tags

• NGFW
• IPS
• Malware
• Anti-Bot

NSX Value Proposition

Network virtualization is at the core of the software-defined data center approach.

Virtualization layer: network, storage, compute

The Next-Generation Networking Model

• Switching
• Routing
• Load balancing
• Firewalling/ACLs

East-west firewalling • High throughput rates • Hardware independent

Network and security services now in the hypervisor.

NSX Value Proposition

Virtual networks on a "network platform"; virtualization layer: network, storage, compute

Security: Micro-segmentation | Secure End User | DMZ Anywhere

Granular Policy Enforcement: enables a zero trust security model with policy enforced at every workload.

(Diagram: Web, App and DB tiers, each made up of many VMs)

Getting Started and Operations

vRealize Network Insight: Transformative Operations for NSX-based Software-Defined Data Center

• Plan micro-segmentation deployment and audit security compliance
• Optimize network performance with 360° visibility & analytics
• Offers best practices, health and availability of NSX deployment
• Across virtual, physical and cloud

NSX & vRealize Network Insight Journey: Evaluating (Assess) → Day 1 (Deploy) → Day 2 (Manage)

• East–West Data Center Traffic Profiling
• Map Application Connectivity
• Overlay-Underlay, V-to-P Visibility
• Micro-Segmentation Recommendations
• Security Groups and DFW Rule Recommendations
• Google-like Search for Rapid Trouble-Shooting
• NSX ROI Modeling
• Best Practices
• Audit & Compliance

Get Started Today with a Free VMware Network Assessment

Understand how you can immediately benefit from micro-segmentation: Visibility → Recommendation → Value

NSX-T 2.1


Thank you