www.cloudsec.com | #CLOUDSEC
Virtualization as the Organizing Framework for Security Innovations
Brett Drayton, Senior Systems Engineer, Network and Security Business Unit, VMware
Provisioning
Troubleshooting
Security
The app has evolved into a network.
Infrastructure has evolved into a software platform.
Virtualization: taking what we have learned...
Server Virtualization
Stack: Applications / Virtual Machines / Software (virtualization layer) / Hardware (compute capacity, network, storage)
Before (manual operational model):
• Intelligence in hardware
• Dedicated, vendor-specific infrastructure
• Manual configuration & management
After (automated operational model):
• Intelligence in the virtualization layer
• Vendor-independent x86 capacity
• Transformative operational model
• Automated configuration & management
• Programmatically create, snapshot, store, move, delete, restore
Data Center Virtualization
Stack: Applications / Virtual Machines, Virtual Networks, Virtual Storage / Software / Hardware (compute capacity, network capacity, storage capacity)
• Pooled compute, network and storage capacity
• Vendor independent, best price/performance
• Simplified configuration & management
• Location independence
• Automated operational model: programmatically create, snapshot, store, move, delete, restore
To deliver a Software Defined Data Center approach
VMware NSX: Virtualize the Network
• Logical Switching
• Logical Routing
• Load Balancing
• Physical to Virtual
• Firewalling & Security
• One-Click Deployment via Cloud Management Platform
NSX Customer and Business Momentum (stats as of end of Q4 2015)
• NSX customers: 1700+
• Production deployments: 250+ (adding 25-50 per quarter)
• Organizations that have spent over US$1M on NSX: 100+
Why Network Virtualization? Security, Automation, Application Continuity
Security
Why are breaches still happening?
Unconstrained communication: little or no lateral controls inside the data center perimeter.
• Low-priority systems are targeted first.
• Attackers can then move freely around the data center.
• Attackers gather and exfiltrate data over weeks or even months.
Why can't we have individual firewalls for every VM?
• Physical firewalls: expensive and complex.
• Virtual firewalls: slow, costly, and complicated.
With traditional technology, this is operationally infeasible. Security is needed everywhere, but we can't have it everywhere.
Protecting Datacenter Traffic
• North-South traffic (to and from the Internet): 30%
• East-West traffic (inside the data center): 70%
Traditional approach doesn't address security needs
Diagram labels: Internet, Perimeter Firewall, Security Block, DC Firewall, DC Core Switch (Layer 2), Existing Systems, Campus Users, Mobile Users, Remote Users.
Micro-Segmentation in Detail
• Segmentation: controlled communication path within a single network
• Isolation: no communication path between unrelated networks
• Advanced services: the addition of third-party security, as needed by policy
Intelligent grouping: groups defined by customized criteria, such as operating system, machine name, application tier, services, security posture, and regulatory requirements.
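As an added illustration (not from the presentation and not NSX code), a small Python model of the grouping and segmentation ideas above: group membership is derived from workload attributes, and only explicitly listed tier-to-tier flows within one application are allowed, so every other east-west flow is dropped. The tier names, ports, and the use of an `app` attribute as the network boundary are assumptions.

```python
# Added example, not from the presentation: a toy micro-segmentation policy
# engine. Security groups are attribute criteria (intelligent grouping) and
# any flow not explicitly allowed is denied, so east-west lateral movement
# between workloads is blocked by default rather than by exception.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Workload:
    name: str
    os: str
    tier: str                 # application tier, e.g. "web", "app", "db"
    app: str                  # the application (network) it belongs to
    tags: frozenset = field(default_factory=frozenset)  # e.g. {"pci"}

# Membership is computed from attributes, not from a static IP list, so a
# freshly provisioned VM inherits the right policy as soon as it is tagged.
GROUPS = {
    "web-tier": lambda w: w.tier == "web",
    "app-tier": lambda w: w.tier == "app",
    "db-tier": lambda w: w.tier == "db",
    "pci": lambda w: "pci" in w.tags,
    "windows": lambda w: w.os == "windows",
}

# Segmentation rules: (source group, destination group, destination port).
# Hypothetical three-tier policy: web may reach app, app may reach db.
ALLOW = [
    ("web-tier", "app-tier", 8443),
    ("app-tier", "db-tier", 5432),
]

def groups_of(w):
    """Return the set of security groups whose criteria the workload matches."""
    return {g for g, match in GROUPS.items() if match(w)}

def is_allowed(src, dst, port):
    """Default deny. Isolation: workloads of unrelated applications never
    talk. Segmentation: within one application only the listed tier-to-tier
    flows on the listed port pass; the reverse direction and other ports
    are dropped at the VM boundary."""
    if src.app != dst.app:
        return False
    sg, dg = groups_of(src), groups_of(dst)
    return any(s in sg and d in dg and p == port for s, d, p in ALLOW)

def reachable_from(src, workloads, port):
    """Names of workloads a compromised 'src' could still reach on 'port'."""
    return sorted(w.name for w in workloads
                  if w is not src and is_allowed(src, w, port))
```

Running `reachable_from` for a low-priority web VM shows the blast radius the policy leaves it: only the app tier on its service port, never the database directly.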
Why Network Virtualization? Automation
Self Service IT: Driving IT Agility
Diagram labels: Physical Network Infrastructure, Virtual Infrastructure, Application Workloads, Internet.
• Provider: automation by IT for IT
• Cloud consumer: automation by IT for end users (developer cloud)
• Automation by IT for external use (community cloud, services cloud, IaaS)
Benefits: faster project onboarding, elastic services, streamlined security enforcement, mergers & acquisitions.
Why Network Virtualization? Application Continuity
Disaster Recovery
Original site and backup site each have physical network infrastructure, virtual infrastructure and application workloads, reachable from the Internet. Network configuration becomes easily replicable once it is software defined.
NSX Everywhere: Managing Security and Connectivity for many Heterogeneous End Points
End points: on-prem data center (today), containers (2016), public clouds (2016), virtual desktop (VDI), mobile devices (AirWatch), Internet of Things (roadmap), branch offices (partner).
Networking is Evolving
• H/W networks no longer under IT control (e.g. mobile, IoT, public clouds)
• Challenge is security, compliance and QoS
NSX Everywhere
• An overlay to manage network policy
• Spans many types of underlying networks
• Transparent app-level security across clouds
Brett Drayton
VMware ANZ
@BrettDray01
@nsxfundamentalsonline