Confidential ©2020 VMware, Inc.
Welcome to VMware TechTuesday Webinar
The Secure Virtual Cloud Network – The Goldilocks Zone of Data Center Security
Speakers:
- Tock Hiong Ng, Senior Manager, Specialist Solutions Engineering, Networking, Security & Automation, Southeast Asia & Korea, VMware
- Chian Chong Wong, Specialist Solutions Engineer, Networking & Security, Southeast Asia & Korea, VMware
- Tyler Chen, Senior Solutions Engineer, Networking & Security, Asia Pacific & Japan, VMware
Presenter: Tock Hiong Ng, Senior Manager, Specialist Solutions Engineering, Networking, Security & Automation, Southeast Asia & Korea, VMware
The Secure Virtual Cloud Network – The Goldilocks Zone of Data Center Security
- Tock Hiong Ng, Senior Manager, SEAK Networking, Security and Automation, Solution Engineering
- Wong Chian Chong, Senior Solution Engineer
- Tyler Chen, Senior Solution Engineer
Agenda
- What is the Goldilocks Zone in Security
- 3 Steps to Advanced East-West Protection
- Intrinsic Security Demo
- In Summary
What is the Goldilocks zone?
What is the Goldilocks zone in Security?
Figure: two axes, context (low to high) and isolation (low to high).
- Endpoint Security: high context, low isolation
- External Firewall: high isolation, low context
- Neither gives ubiquitous enforcement
What does the Goldilocks zone mean in Security?
Figure: the same context/isolation axes, now with the intermediate layers filled in.
- Endpoint Security: high context, low isolation
- External Firewall: high isolation, low context
- In between: switching, routing, service mesh; internal firewall / IPS; ADC/ALB/WAF
- The Goldilocks Zone in Security: NSX Data Center and Cloud Platform, running on the physical infrastructure, combining high context with high isolation for zero trust enforcement
Service-defined security functions in the platform:
- Load Balancer / WAF
- Firewall
- IDS/IPS
- Analytics
Security at Scale
- 20 Tbps firewall
- Traditional firewalls cost at least … more than the NSX Service-defined Firewall (chart: Traditional Firewall vs NSX SDFW)
- Note: Internal calculation based on 4 Gbps traffic/server, including CapEx and 3 years of support
- Note: With 40 Gbps links at capacity, traditional firewalls will be 10x more expensive
The Power of Intrinsic: EDR + NDR = XDR
- Security Data Federation: contextual workload data + contextual network data
- Machine Learning
- Human Expertise
An approach that leverages infrastructure across any app, any cloud, and any device to protect your apps and data everywhere.
The Power of Intrinsic: EDR + NDR = XDR (worked through)
Figure: machine learning and human expertise applied to the federated security data. Example flow shown on the slide: 258K queries → Process [ abc123xyz.exe ] is anomalous → BLOCK.
Presenter: Chian Chong Wong, Specialist Solutions Engineer, Networking & Security, Southeast Asia & Korea, VMware
3 Steps to Advanced East-West Protection
3 Steps to Advanced East-West Protection
1. Segmentation
2. Distributed IDS/IPS
3. NTA/NDR
Step 1: Segmentation and Port Blocking
Figure: Web, App and File Server workloads in a DEVELOPMENT and a PRODUCTION environment; traffic crossing between the environments is marked "X DENIED!".
STEP 1: Tag workloads as "production" or "development"
STEP 1: Create security groups (membership defined by the tags)
STEP 2: Create an "Environment Isolation" policy between the groups
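The tag → group → policy sequence above, modelled as an added example (not NSX code or the presenters' material): workloads carry an `env` tag, groups are defined by tag criteria rather than IP lists, and a first-match "Environment Isolation" policy drops any development/production crossing. VM names, addresses and tags are constructed sample data.

```python
"""Tag-based security groups and an environment-isolation policy (illustrative model)."""
from dataclasses import dataclass


@dataclass
class VM:
    name: str
    ip: str
    tags: dict  # constructed, e.g. {"env": "production", "tier": "web"}


@dataclass
class Group:
    name: str
    criteria: dict  # every key/value pair must match the VM's tags

    def members(self, vms):
        return {v.name for v in vms
                if all(v.tags.get(k) == val for k, val in self.criteria.items())}


@dataclass
class Rule:
    name: str
    src: str     # group name or "any"
    dst: str     # group name or "any"
    action: str  # "ALLOW" or "DROP"


def evaluate(flow_src, flow_dst, vms, groups, rules, default="ALLOW"):
    """First matching rule wins, as in a distributed firewall section; the default
    stands in for the policy's final (default) rule."""
    membership = {g.name: g.members(vms) for g in groups}

    def in_group(vm_name, gname):
        return gname == "any" or vm_name in membership[gname]

    for r in rules:
        if in_group(flow_src, r.src) and in_group(flow_dst, r.dst):
            return r.name, r.action
    return "default", default


def retag(vms, name, **tags):
    """Changing a tag re-evaluates group membership; no rule or IP list is edited."""
    for v in vms:
        if v.name == name:
            v.tags.update(tags)
    return vms


# Constructed inventory and policy.
VMS = [VM("web-prod", "10.1.0.11", {"env": "production", "tier": "web"}),
       VM("file-prod", "10.1.0.30", {"env": "production", "tier": "file"}),
       VM("web-dev", "10.2.0.11", {"env": "development", "tier": "web"})]
GROUPS = [Group("Production", {"env": "production"}),
          Group("Development", {"env": "development"})]
# "Environment Isolation": neither environment may talk to the other.
ISOLATION = [Rule("dev-to-prod", "Development", "Production", "DROP"),
             Rule("prod-to-dev", "Production", "Development", "DROP")]
```

Moving a VM between environments is a tag change; the policy itself is never touched.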
NSX Intelligence
NSX Intelligence: Create new recommendation
1. Select the duration of analysis (up to 1 month) and whether to create object-based or IP-based firewall objects.
2. Select the VMs to be included in the analysis.
3. Screenshot-only slide (no text).
4. Screenshot-only slide (no text).
5. Screenshot-only slide (no text).
6. Add, delete, copy or clone rules before publishing.
7. Position the order of the policy, then click Publish to complete.
NSX Intelligence – monitoring of recommendations
- Create a baseline recommendation, then let NSX Intelligence learn the desired DFW policy
- Enables discovery of groups based on VM membership changes
- NSX Intelligence generates new recommendations upon detecting changes to policy
- Can be enabled on recommendations with a status of: Ready to Publish; No Recommendations Available; Failed
Screenshot labels: "Monitoring enabled", "Changes detected".
Steps and Process Comparison

| Workflow | Steps |
|---|---|
| Traditional Segmentation Workflow | 108+ STEPS |
| NSX Segmentation Workflow | 7 STEPS |
| Ordering Westworld Season 1, Episode 2 on HBO | 7 STEPS |

Internal VMware Analysis, Aug 2020
Step 2: Port Blocking to In-band Inspection
Figure: Web, App, App and File Server workloads with per-hop traffic analysis at each one; the traffic to the File Server is flagged "SMB Port! (WannaCry Signature)".
![Page 32: Confidential ©2020 VMware, Inc.](https://reader033.fdocuments.net/reader033/viewer/2022051804/6281ee4a5f0b203df153cf93/html5/thumbnails/32.jpg)
Confidential │ ©2021 VMware, Inc. 32
Virtual Patching with NSX Distributed IDS/IPS
Figure: www → ADC/LB/WAF [Avi] → Web → App → File Server, with an NSX Firewall in front of each workload.
IDS/IPS signatures: from ~13k signatures… to per-workload profiles
Figure: the full signature set on the left; on the right, Finance_App, Finance_Web, Finance_Db and two File Servers, each with its own small profile (Finance_app IDPS, Apache IDS/IPS, MySQL IDS/IPS).
- >80%* reduction in signatures evaluated at each IDPS engine
- Example per-application signature counts: Exchange 35, Apache 132, SQL Server 56, Tomcat 42
NOTE: Figures are approximate, for illustrative purposes only.
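How the per-workload profiles above come about, as an added example (not NSX code or the presenters' material): each signature is tagged with the products it applies to, and a workload's profile keeps only the signatures for the applications it actually runs plus the product-agnostic ones, so each engine evaluates a fraction of the catalog. The catalog and inventory are constructed sample data.

```python
"""Context-scoped IDS/IPS signature selection (illustrative model)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    sid: int
    name: str
    products: frozenset  # empty = product-agnostic, applies to every workload


# Constructed catalog; real feeds carry thousands of entries.
CATALOG = [
    Signature(1001, "apache mod_cgi request abuse", frozenset({"apache"})),
    Signature(1002, "apache path traversal attempt", frozenset({"apache"})),
    Signature(2001, "mysql auth bypass attempt", frozenset({"mysql"})),
    Signature(3001, "tomcat manager brute force", frozenset({"tomcat"})),
    Signature(3002, "tomcat deserialization gadget", frozenset({"tomcat"})),
    Signature(4001, "exchange owa probe", frozenset({"exchange"})),
    Signature(5001, "mssql xp_cmdshell usage", frozenset({"sqlserver"})),
    Signature(9001, "smb wannacry-style transaction", frozenset()),  # generic
    Signature(9002, "shellcode-like byte pattern", frozenset()),     # generic
]


def profile_for(workload_apps, catalog=CATALOG):
    """Signatures relevant to one workload: product-specific entries for the
    applications it runs, plus the product-agnostic entries."""
    apps = {a.lower() for a in workload_apps}
    return [s for s in catalog if not s.products or s.products & apps]


def reduction(workload_apps, catalog=CATALOG):
    """Fraction of the catalog this workload's engine does NOT evaluate."""
    kept = len(profile_for(workload_apps, catalog))
    return round(1 - kept / len(catalog), 2)


def build_profiles(inventory, catalog=CATALOG):
    """inventory: {vm_name: [apps]} -> {vm_name: [sid, ...]} (one profile per VM)."""
    return {vm: [s.sid for s in profile_for(apps, catalog)]
            for vm, apps in inventory.items()}


# Constructed inventory, mirroring the slide's Finance workloads.
INVENTORY = {"Finance_Web": ["Apache"], "Finance_Db": ["MySQL"], "File_Server": []}
```

A workload with no recognised application still keeps the generic signatures, so nothing is silently uninspected.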
Enabling Distributed IDS/IPS
Screenshot: per-cluster ENABLE / DISABLE toggles (columns: Cluster Name, Status, vCenter). The Compute and Management clusters on vCenter vcsa-r go from Disabled to Enabled.
Steps and Process Comparison

| Workflow | Steps |
|---|---|
| Traditional IDS/IPS Deployment | ~71 STEPS |
| NSX IDS/IPS Deployment | 1 STEP |
| Turning on the Television | 1 STEP |

Internal VMware Analysis, Aug 2020
Presenter: Tyler Chen, Senior Solutions Engineer, Networking & Security, Asia Pacific & Japan, VMware
Network Traffic Analysis across hops
Figure: NSX observes each hop between Service A, App and the File Server and reports suspicious movement, suspicious content, a suspicious process and a suspicious user; NSX Intelligence correlates these signals.
Steps and Process Comparison

| Workflow | Steps |
|---|---|
| Traditional NTA Probe Deployment | 50+ STEPS |
| NSX NTA Probe Deployment | 0 STEPS |
| Ghosting Someone | 0 STEPS |

Internal VMware Analysis, Aug 2020
EDR + NDR = XDR
Figure: Web, App, App, App and File Server workloads; NSX Intelligence and VMware TAU (Threat Analysis Unit) combine machine learning with human expertise. Example flow: 258 queries → Process [ abc123xyz.exe ] is anomalous → blocked (X).
Strong East-West Protection
- Segmentation: per-application micro-segmentation
- Per-hop Distributed IDS/IPS
- Multi-hop Network Traffic Analysis (NTA)
- Endpoint Context + Network Context = XDR
Business impact*
- Up to … reduction with Firewall + IDS/IPS (CapEx reduction)
- Up to … reduction with Firewall + IDS/IPS (OpEx improvement)
- Among the 5 large firewall vendors**

*Internal VMware Customer Study: DICE ROI and Value Modeling
**VMware is 1 of 5 enterprise firewall vendors (with greater than $500m in annual revenue) in the Forrester Now Tech: Enterprise Firewalls, Q1 2020
In Summary
Protection through intrinsic security throughout the full stack
Secure Workloads Running Within Secure Infrastructure
Every VM can have:
- Real-time workload audit/remediation
- Next-Gen Antivirus
- Workload EDR
- Individual firewalls
- Individual security policies
- WAF and Load Balancing
Policies can be defined based on any context:
- VM attributes
- User attributes
- Network attributes
- Application attributes
Purpose-built for Cloud Foundation to deliver a unique and comprehensive data center security solution.
Integrated with infrastructure:
- Multi-layer security
- Protection for infrastructure and workloads
Intrinsic Security: VMware’s Differentiated Approach
- Built-in: security built into the distributed infrastructure from endpoint to cloud
- Unified: unified across disparate security tools and teams working together
- Context-centric: understanding the applications and data you are trying to secure
Advanced Security Services to Protect Applications
Security Beyond the Infrastructure
- Storage: data at rest encryption; cluster-level key management; hardware agnostic; erasure coding
- Compute: VM-level encryption; Encrypted vMotion; multi-factor authentication; TPM / vTPM 2.0 + VBS
- Management: governance; compliance; container registry services; vSphere Trust Authority
- Network: micro-segmentation; VPN; secure end user; multi-cloud security
Products shown: VMware Cloud Foundation, NSX Advanced Load Balancer, Carbon Black Cloud, NSX Distributed IDS/IPS
Complete Survey Form
We value your feedback. Please scan the QR code or enter the URL below to complete the survey form.
https://bit.ly/3qk4QZv