Advanced Security & Micro Segmentation for your Network Platform
Paanob Mahanarongchai Account System Engineer VMWARE THAILAND
Impressive rates of change
[Timeline chart: milestones at 2000, 2002, 2008, 2009, 2010, 2011, 2012 and 2015, one of them marking the first year this event was named "RSA Conference"; series: Rate of Change, Security Inclusion]
Problem: Data Center Network Security
Perimeter-centric network security has proven insufficient, and micro-segmentation is operationally infeasible.
[Diagram: two data centers, each behind an Internet-facing perimeter; "Insufficient": little or no lateral controls inside the perimeter; "Operationally Infeasible": micro-segmentation]
Security is needed everywhere, but we can't have it everywhere.
Why can't we have individual firewalls for every VM?
[Diagram: data center perimeter facing the Internet, with a firewall in front of every VM]
Physical firewalls: expensive and complex.
Virtual firewalls: slow, costly, and complicated.
With traditional technology, this is operationally infeasible.
NSX value proposition
Network Virtualization is at the core of an SDDC approach
[Diagram: a virtualization layer spanning network, storage and compute]
The next-generation networking model: network and security services now in the hypervisor
• Switching
• Routing
• Firewalling/ACLs
• Load Balancing
Result: high throughput, east-west firewalling as a native platform capability
The NSX "network hypervisor" delivers virtual networks on top of the virtualization layer.
Business value: more secure and 1/3 the cost of less secure infrastructure.
NSX Security: delivering inherently secure infrastructure
[Diagram: data center perimeter facing the Internet, with a DMZ and secure user environments inside]
• Security policies simplified
• Logical groups enabled
• Threats contained
Automated Security in a Software Defined Data Center: quarantine vulnerable systems until remediated
[Diagram: security groups, their membership criteria, and the policy applied to each]
Security Group = Quarantine Zone
Members = {Tag = 'ANTI_VIRUS.VirusFound', L2 Isolated Network}
Security Group = Web Tier
Policy Definition
Standard Desktop VM Policy
• Anti-Virus – Scan
Quarantined VM Policy
• Firewall – Block all except security tools
• Anti-Virus – Scan and remediate
Automate security operations
Without VMware NSX
• Manual workflows
• No interoperability between best-of-breed security products
With VMware NSX
• Security is automated
• If one service finds something, then another service can do something about it
Create repeatable, automated workflows across best-of-breed security products with VMware NSX
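The following Python toy model is an added illustration of the quarantine slide and the automation slide above; it is not VMware code and not the NSX API. It shows the two ideas the slides rely on: security group membership computed from VM attributes (tags, OS) rather than from addresses or topology, and a distributed-firewall rule table that is re-evaluated the moment an anti-virus service tags a VM, so one service's finding changes another service's behaviour with no manual workflow. The group names, the unsupported-OS list and the tag values other than ANTI_VIRUS.VirusFound are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class VM:
    name: str
    os: str
    tags: set = field(default_factory=set)

# Dynamic security groups: each is a predicate over VM attributes, so a VM
# changes group when its tag or OS changes, never because its IP changed.
# Group names and the unsupported-OS list are assumptions for this example;
# ANTI_VIRUS.VirusFound is the tag value from the slide.
GROUPS = {
    "QuarantineZone": lambda vm: "ANTI_VIRUS.VirusFound" in vm.tags,
    "UnsupportedOS": lambda vm: vm.os in {"Windows Server 2003", "Windows XP"},
    "SecurityTools": lambda vm: "security-tool" in vm.tags,
    "EmailServers": lambda vm: "tier:email" in vm.tags,
}

def groups_of(vm):
    return {name for name, match in GROUPS.items() if match(vm)}

# Distributed firewall rules (source group, destination group, action). First
# match wins; quarantine rules sit on top so a quarantined VM only reaches tools.
RULES = [
    ("QuarantineZone", "SecurityTools", "allow"),
    ("SecurityTools", "QuarantineZone", "allow"),
    ("QuarantineZone", "any", "block"),
    ("any", "QuarantineZone", "block"),
    ("UnsupportedOS", "EmailServers", "allow"),
    ("UnsupportedOS", "any", "block"),
]

def decide(src, dst, default="allow"):
    """Action for src -> dst traffic, evaluated against current membership."""
    src_groups, dst_groups = groups_of(src), groups_of(dst)
    for s, d, action in RULES:
        if (s == "any" or s in src_groups) and (d == "any" or d in dst_groups):
            return action
    return default

def on_virus_found(vm):
    """The anti-virus service tags the VM; the firewall's next decision changes."""
    vm.tags.add("ANTI_VIRUS.VirusFound")
    return groups_of(vm)

def on_remediated(vm):
    """Remediation clears the tag and the VM leaves the quarantine zone."""
    vm.tags.discard("ANTI_VIRUS.VirusFound")
    return groups_of(vm)
```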
Use case: advanced intelligent grouping for unsupported operating systems
Intelligent grouping: groups defined by customized criteria
• Operating System
• Machine Name
• Application Tier
• Services
• Security Posture
• Regulatory Requirements
Situation: the OS is no longer supported on several systems. These systems need a policy which restricts access to only email servers.
[Diagram: the affected systems form an "Unsupported OS Group"; its policy permits traffic only to the email servers]
Use Case: Advanced Security in DR
[Diagram: traditional DR. Primary site network 10.0.10/24 with the VM at 10.0.10.21; recovery site network 10.0.20/24, where the recovered VM becomes 10.0.20.21; separate physical network infrastructure and SAN at each site]
1. Snapshot VM
2. Replicate VM & Storage (steps 1 & 2 e.g. VMware SRM)
3. Recover the VM
4. Change IP address and reconfigure security: major RTO impact
DR with NSX Network Virtualization
[Diagram: a virtual network 10.0.30/24 spanning the primary and recovery sites, each with its own NSX Controller, SAN and physical network infrastructure (10.0.10/24 and 10.0.20/24); the VM keeps address 10.0.30.21 at both sites]
1. Snapshot VM
2a. Replicate VM & Storage (steps 1 & 2 e.g. VMware SRM)
2b. Snapshot Network & Security
3. Recover the VM: network & security already exist at the recovery site
80% RTO
Summary
SDDC with NSX is fundamentally a more effective security solution.
• Removing grouping decisions from the network topology enables intelligent security decisions.
• NSX equips security teams with the ability to automate and adapt to changes.
Paanob Mahanarongchai System Engineer VMWARE THAILAND