Post on 04-May-2018
VMware NSX – A Perspective for Service Providers – Part 2
Using Software Defined Networking to harden DC security controls
Trevor Gerdes, Strategic Architect – Security and Networks
NSX for SPs Part 2 - Agenda
1 Case Studies
2 Data Centre Security
3 Distributed Firewall – Use Cases
4 Current SDN Technologies
5 NSX Service Composer
6 Building a Zero Trust Model
Case Studies
Australian MSP
• Existing vSphere customer
• Using 3rd party orchestration system (non-VMware)
• Wanted to improve service delivery times
• Looking at hybrid virtual solution using elements from Juniper, Cisco and VMware
Australian MSP
• Implemented NSX into new cloud offering inside 3 months
• Reduced service delivery time from 6 weeks to 3 days
• Brought forward revenue billing by 5 weeks
• Selected NSX over hybrid Cisco, VMware and Juniper solution due to all in one package of logical L2 networking, L3 routing and perimeter gateway services including VPN and LB services.
• Integrated NSX via API into 3rd party cloud solution inside 1 week using Python scripts.
• Looking for next wave of feature integration and “value add” using NSX distributed FW and security partners.
First Problem – VM Conversion required
Diagram: Customer Data Centre → Cloud Hosting Service (VMs converted as they are moved)
What about a partial move?
NSX – Providing Stretch Layer 2 (over Layer 3)
Diagram: Customer Data Centre ↔ Cloud Hosting Service, Layer 2 stretched over NSX
Currently in use by a large Sydney-based Hosting Provider
SDDC Micro-Segmentation Business Case - Sample
Data Center Environment:
  Number of VMs: 1,000
  Number of VMs per CPU: 5
  Number of CPUs per Host: 2
  Number of Hosts: 100
Firewall Throughput Required for Micro-Segmentation:
  Average Application Throughput per Host: 7 Gbps
  Throughput Required to Support All VMs: 700 Gbps
  Segmentation Ratio (% of VMs requiring FW controls): 40%
  Effective Firewall Throughput Requirement: 280 Gbps
  Firewalls Required (20 Gbps each, x2 for HA): 28 Firewalls
Firewall Cost:
  List Price of 20 Gbps Firewalls: $150,000
  Total CAPEX for Firewalls: $4,200,000
  Note: Operationally Infeasible
NSX Cost:
  List Cost for NSX Platform: ~$1,300,000
  Note: Operationally Easy to Deploy; 3x Difference in CAPEX Cost
Large US Financial
• 25,000 VM deployment
• $10m investment in NSX
• $50m savings over 5 years
• NSX improved host utilisation from 9:1 to 14:1
• NSX helped avoid hardware refresh on ESX hosts, Load Balancers, Network hardware
• SDDC helped reduce labour costs by $8m
• 15-month PoC (vCAC, vCO, vCOps, LogInsight) which morphed into full SDDC
Rackspace
“NVP, combined with OpenStack, is a game changer. Together we are bringing enterprise private networking to the cloud.”
Lew Moorman, President, Rackspace
• Rackspace Cloud Networks
• $15-$20 million a year savings by not overprovisioning servers
• Deliver enterprise-class private networking in a public, multi-tenant cloud.
• Improved Server Utilization – less overprovisioning of servers
  Without Network Virtualization: 60% Asset Utilization
  With Network Virtualization: 90% Asset Utilization
Data Centre Security – A Better Way
Yesterday’s Model for DC Security: “Hard Shell on the Outside”, “Soft on the Inside” (Physical Workloads)
Secure Micro-Segmentation in the Data Center: Uncontrolled Communication
Secure Micro-Segmentation in the Data Center: Operationally Infeasible
Secure Micro-Segmentation with VMware NSX:
• Controlled Communication
• Scale-Out Performance
• Automated Operational Model
NSX Distributed Firewall – Overview
Hypervisor Kernel Embedded Firewall:
• Built directly into the Hypervisor
• Near Line-Rate Performance
• Removes dependence on Guest based Firewall
• L2-4 Stateful East/West Firewalling
Distributed to Every VM:
• No “Choke Point”
• Policy independent of VM location
• Enforcement closest to VM
• Removes Tromboning
Distributed Firewall – Use Cases
• Isolation: Dev, Test and Production environments with no communication path between them
• Segmentation: Web, App and DB tiers with a controlled communication path
• Service Insertion: Web, App and DB tiers with advanced services inserted into the controlled communication path
Automated Security in a Software Defined Data Center – Data Center Micro-Segmentation
Diagram: Internet → Perimeter Firewalls → Cloud Management Platform (Security Policy) → NSX Distributed Firewall; zones PCI, Non-PCI, Private
NSX Distributed Firewall for vMotion
• Hypervisor-based, in-kernel distributed firewalling
• Platform-based automated provisioning and workload adds/moves/changes
NSX Distributed Firewall: Better Load Distribution
Network-Segmentation or Micro-Segmentation
Diagram: Multi-Tier, Multi-subnet (Web, App and Database VMs on separate subnets behind an NSX Load Balancer, connected by an NSX Distributed Router) or Multi-Tier, Single-subnet (Web, App and DB VMs on one subnet behind an NSX Load Balancer)
Current SDN Technologies
Software Defined Networking - Layers
Consumption – How an end user consumes SDN. Build networks and security services via WebUI, REST API (XML, JSON), Python scripts etc. e.g. vRealize Automation, CloudForms, ServiceMesh, CloudFoundry
Management – Configuration interface: REST XML API or WebUI. e.g. vCenter, NSX Manager, APIC, OpenStack
Control Plane – Programs the data plane. Provides: API on the north side, OpenFlow or proprietary southbound. e.g. NSX Controller, ACI N9K spine switch, Contrail, OpenDaylight
Data Plane – Forwards packets. Provides: workload connectivity & services processing. e.g. hypervisors, physical switches and appliances
Hardware-based SDN – “H”DN?
VMware NSX
The anatomy of the most agile & efficient data centers is SDDC
Diagram: Google / Facebook / Amazon data centers run a custom application on a custom platform, with software / hardware abstraction over any x86, any storage and any IP network
Facebook “6-pack”: the first open hardware modular switch. 12 switching elements, 1.28 Tbit/s each
“New IT” will be SDDC
Diagram: Software Defined Data Center (SDDC), Public Data Center and Hybrid Data Center each run any application on the SDDC platform (data center virtualization) over any x86, any storage and any IP network
NSX Service Composer
Security services are consumed more efficiently in a software-defined datacenter
Diagram: VMware Network and Security Platform – Deploy, Apply, Automate; extensibility through Security Tags, Security Groups, Security Policies and Service Insertion
NSX Service Composer – Canvas View
NSX Service Composer – Security Group
Security Group (SG) – Container of VMs by IP, security tag, switch etc.
• Defines what you want to protect.
• e.g. “PCI DSS Zone”, “DMZ”, “Quarantine Zone”
Security Policies – collection of Security Policy Objects (SPOs) assigned to this Security Group.
• How you want to protect this container
• Can have multiples with weighting
• e.g. “PCI Compliance Policy”
Included Security Groups – nested containers, e.g. “Quarantine Zone” is a sub group within “PCI DSS Zone”
Virtual Machines that belong to this container, e.g. “Apache-Web-VM”, “Exchange Server-VM”
Guest Introspection
• Anti-virus
• Vulnerability Management
• Data Loss Prevention (DLP)
Firewall Rules
• Inbound, Outbound, Intra-Zone
• Allow, Deny, and Log
Network Introspection – 3rd party services integrated via NetX
• Intrusion Prevention (IPS)
• Nextgen F/W
• WAN optimization, load balancing services
Security Group = Virtual_Desktops
Members = {Connected to VDI-01-Logical-Switch}
Policy = Standard Desktop
Automated Security in a Software Defined Data Center – Quarantine Vulnerable Systems until Remediated
Security Group = Quarantine Zone
Members = {Tag = ‘ANTI_VIRUS.VirusFound’}
Policy = Quarantine Zone
Policy Standard Desktop: Anti-Virus – Scan
Policy Quarantine Zone: Firewall – Permit remediation, deny all; Anti-Virus – Scan and remediate
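To trace the quarantine workflow of the two slides above in code, here is an added example (a toy model, not VMware's Service Composer or the NSX API): security groups with dynamic membership, weighted security policies and first-match firewall rules. The Remediation group and its REMEDIATION_SERVER tag, the policy weights and the Standard Desktop allow rule are assumptions not on the slides.

```python
# Added example, not VMware code: toy model of NSX Service Composer objects
# (dynamic security groups, weighted policies, first-match firewall rules).
from dataclasses import dataclass, field

@dataclass
class VM:
    switch: str                             # logical switch of the vNIC
    tags: set = field(default_factory=set)  # security tags (AV sets VirusFound)
# Security Groups: criteria re-evaluated on every lookup, so tagging a VM moves
# it between groups with no rule edits. "Remediation" and its tag are assumed.
GROUPS = {
    "Virtual_Desktops": lambda vm: vm.switch == "VDI-01-Logical-Switch",
    "Quarantine Zone": lambda vm: "ANTI_VIRUS.VirusFound" in vm.tags,
    "Remediation": lambda vm: "REMEDIATION_SERVER" in vm.tags,
}
# Security Policies: applied-to group, weight (higher wins when a VM is in
# several groups), inbound rules (source group, action) evaluated first match.
# Weights and the Standard Desktop allow rule are assumed values.
POLICIES = {
    "Standard Desktop": {"group": "Virtual_Desktops", "weight": 1000,
                         "rules": [("any", "allow")]},
    "Quarantine Zone": {"group": "Quarantine Zone", "weight": 5000,
                        "rules": [("Remediation", "allow"), ("any", "deny")]},
}

def groups_of(vm):  # every group whose criterion the VM currently matches
    return {name for name, match in GROUPS.items() if match(vm)}

def effective_policy(vm):  # highest-weight policy applied to the VM's groups
    applicable = [n for n, p in POLICIES.items() if p["group"] in groups_of(vm)]
    return max(applicable, key=lambda n: POLICIES[n]["weight"], default=None)

def inbound_allowed(src, dst):  # dst's rules vs src's groups; assumed default allow
    policy = effective_policy(dst)
    for src_group, action in POLICIES[policy]["rules"] if policy else []:
        if src_group == "any" or src_group in groups_of(src):
            return action == "allow"
    return True

def quarantine_demo():  # desktop infected, quarantined automatically, released
    desk1 = VM("VDI-01-Logical-Switch")
    desk2 = VM("VDI-01-Logical-Switch")
    fixer = VM("Mgmt-Switch", {"REMEDIATION_SERVER"})
    before = (effective_policy(desk1), inbound_allowed(desk2, desk1))
    desk1.tags.add("ANTI_VIRUS.VirusFound")      # AV service tags the VM
    during = (effective_policy(desk1), inbound_allowed(desk2, desk1),
              inbound_allowed(fixer, desk1))
    desk1.tags.discard("ANTI_VIRUS.VirusFound")  # remediation clears the tag
    after = (effective_policy(desk1), inbound_allowed(desk2, desk1))
    return before, during, after
```

While the tag is present the heavier Quarantine Zone policy overrides Standard Desktop, so peer desktops are denied and only the remediation server gets in; clearing the tag restores the original policy without any rule change.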
Building a Zero-Trust Model
Forrester Zero Trust Model
http://csrc.nist.gov/cyberframework/rfi_comments/040813_forrester_research.pdf
“In short, Zero Trust flips the mantra "trust but verify" into "verify and never trust."”
Zero-Trust with NSX – Stage 1
Zero-Trust with NSX – Stage 2
Zero-Trust with NSX – Stage 3
Zero-Trust with NSX – Stage 4
Resulting Policy
Layer 4 – 7 Advanced Services Insertion
NSX and Palo Alto Networks VM Series Firewall
Diagram: NSX Manager, Distributed Firewall and Palo Alto Networks VM-Series firewall; Internet → Web tier VMs → App and DB tiers
Distributed Firewall – Optimal Traffic Steering – Web Tier
Rule1: Any to Web – PAN Insertion
Rule2: Web to App – DFW Permit
Rule3: Web to Web – DFW Deny
Real-world Example of Firewall Sprawl – 22 Firewalls!
Complexity driven by applications / E-W traffic flows (North/South and East/West)
• East-West traffic hairpins across the perimeter Firewall
• Complex static inter-zone routing
• Requires punching holes across security zones
• Internal security zones exposed on perimeter devices
Zero-Trust Model Implementation with NSX
Diagram (Exchange): any devices over any networks → app gateways and perimeter devices → admin jump points → applications and common services (EDS, AD, DB)
Exchange roles shown: Edge Transport (routing and AV/AS), Client Access (client connectivity, web services), Hub Transport (routing and policy), Mailbox (storage of mailbox items), Unified Messaging (voice mail and voice access)
Ports labelled on the diagram: 25; 50636, 135; 389, 3268, 88, 53, 135 to AD; 443; RPC 808; 5060, 5061, 5062, dynamic
In Summary
A Good Security Approach Requires
• Zero-Trust: Don’t Trust Anyone, Verify Always
• Control at the Perimeter alone is not enough
NSX with Distributed Firewall Provides
• Easy Enforcement of East/West Policy
• Security Policy that Follows the Workload
• Enforcement at the Smallest Unit of Trust
• Easy Hardening of Data Centre Core through Micro-segmentation
• Integration with Best-of-Breed Security Vendors
Thank you!