Privileged Access Management for the Software-Defined Network

Click here to load reader

  • date post

  • Category


  • view

  • download


Embed Size (px)

Transcript of Privileged Access Management for the Software-Defined Network

  1. 1. Privileged Access Management for the Software-Defined Network Shawn Hank Security CA Technologies Director, Presales SCT32T @shawnhank #CAWorld
  2. 2. 2 2015 CA. ALL RIGHTS [email protected] #CAWORLD 2015 CA. All rights reserved. All trademarks referenced herein belong to their respective companies. The content provided in this CA World 2015 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA. For Informational Purposes Only Terms of this Presentation
  3. 3. 3 2015 CA. ALL RIGHTS [email protected] #CAWORLD Abstract New extensions to CA Privileged Access Manager significantly expand the ability of the product to protect and defend resources in VMware NSX virtualized network environments. In this session, well examine and demonstrate those capabilities, which take advantage of new technologies and methods made available by the NSX infrastructure, in more detail. Shawn Hank CA Technologies Director, Presales
  4. 4. 4 2015 CA. ALL RIGHTS [email protected] #CAWORLD Network virtualization overview Decoupled Hardware Software General Purpose Networking Hardware Network Hypervisor Requirement: IP Transport Virtual Network Virtual Network Virtual Network Workload Workload Workload L2, L3, L4-7 Network Services General Purpose Server Hardware Server Hypervisor Requirement: x86 Virtual Machine Virtual Machine Virtual Machine Application Application Application x86 Environment
  5. 5. 5 2015 CA. ALL RIGHTS [email protected] #CAWORLD NSX Delivers the Operational Model of a VM for the Network Abstracts, pools, automates networking for the SDDC Reproduces L2/3 networking, L4-7 services Runs on any existing networking hardware Provides scale out/distributed switching, routing, firewalling
  6. 6. 6 2015 CA. ALL RIGHTS [email protected] #CAWORLD Distributed firewalling An NSX network is made up of distributed network elements embedded in each hypervisor, enabling each VM to have its own firewall. Firewalls/policies provisioned simultaneously with VMs Policies move with their VMs Retiring a VM deprovisions its firewall no possibility of stale rules NSX firewalling: fully distributed, embedded in every hypervisor in the data center
  7. 7. 7 2015 CA. ALL RIGHTS [email protected] #CAWORLD Configure policy with Security Groups Select elements to uniquely identify application workloads Use attributes to create Security Groups Apply policies to security groups 1 2 3 ABC DEF Group XYZ App 1 OS: Windows 8 TAG: Production Enforce policy based on logical constructs Reduce configuration errors Policy follows VM, not IP Reduce rule sprawl and complexity Group XYZ Policy 1 IPS for Desktops FW for Desktops Policy 2 AV for Production FW for Production Element type Static Dynamic Data center Virtual net Virtual machine vNIC VM name OS type User ID Security tag Use security groups to abstract policy from application workloads.
  8. 8. 8 2015 CA. ALL RIGHTS [email protected] #CAWORLD Automate security operations ACTION (then)ATTRIBUTE (if) Virus found IIS.EXE Vulnerability found (old software version) PCI Sensitive Data Found Allow & Encrypt* Restrict access while investigating OR Automated detection of security conditions (virus, vulnerability, etc.) Security policies define automated actions Security operations are automated and adapt to dynamic conditions Monitor VM with IPS Quarantine VM with Firewall
  9. 9. 9 2015 CA. ALL RIGHTS [email protected] #CAWORLD Achieving segmentation with NSX Each VM can now be its own perimeter Policies align with logical groups Control communication within a single VLAN Prevents threats from spreading NSX segmentation simplifies network security App DMZ Services DB Perimeter firewall Finance HR IT AD NTP DHCP DNS CERT Inside firewall
  10. 10. 10 2015 CA. ALL RIGHTS [email protected] #CAWORLD CA Privileged Access Manager for VMware NSX-V Integration Overview VMware vCenter HTTPS (443/tcp) CA Privileged Access Manager VM Network Windows Targets: RDP (3389/tcp) HTTP (80/tcp) & HTTPS (443/tcp) and more! Linux Targets: SSH (22/tcp) Telnet (23/tcp) HTTP (80/tcp) & HTTPS (443/tcp) and more! VMware UIs: vCloud Automation Center vCloud Director vShield Manager vSphere Web Client and more! Operational Dependencies: AD/LDAP/etc services RADIUS/TACACS+ servers NTP/DNS/Basic IP services SYSLOG services SAN/NAS/share (recordings) NSX Manager SSH (22/tcp) HTTPS (443/tcp) NSX Controllers SSH (22/tcp) Supported Authentication Types: Local, AD/LDAP, TACACS+, RADIUS, RSA, SMS/Mobile Token, SAML, and/or PIV/CAC/Smartcard
  11. 11. 11 2015 CA. ALL RIGHTS [email protected] #CAWORLD CA PAM for VMware NSX NSX Manager REST API Proxy The last mile for full NSX Manager administration visibility Users and scripts talk to the Proxy, not to NSX Manager, with different credentials, which may rotate on a policy or schedule CA PAM vaults and rotates the NSX Manager credentials Integrates with Application to Application (A2A) Closing the API Loop to the NSX management plane Consumer NSX Manager NAP NSX Manager API Proxy Logs A2A Requests Change Password Z-side Request/ResponseA-side Request/Response CA Privileged Access Manager
  12. 12. 12 2015 CA. ALL RIGHTS [email protected] #CAWORLD CA PAM for VMware NSX Dynamic Tagging and Grouping CA PAM Policy in lockstep with NSX Security Tags and Groups NSX Security Tags and Groups synced with CA PAM and tied to Policies As VMs enter/leave NSX Security Groups, CA PAM Access is provisioned/removed Synchronize CA PAM policies with changes in the NSX security posture VMware vCenter VM Network NSX Manager Sync CA Privileged Access Manager
  13. 13. 13 2015 CA. ALL RIGHTS [email protected] #CAWORLD CA PAM for VMware NSX Access Restrictor DFW Rules added and removed on-demand Rules added when connections are opened and removed when closed Removes the human element and potential for error Enables a highly-secure deny all environment where exceptions are forced through CA PAM and only CA PAM may access protected resources Automatic, runtime, ephemeral Distributed Firewall Rules maintained by CA PAM Client User Target VM NSX Manager DFWCA Privileged Access Manager
  14. 14. 14 2015 CA. ALL RIGHTS [email protected] #CAWORLD CA PAM for VMware NSX Service Composer Integration Deep integration with Service Composer As VMs enter or leave NSX Security Groups, CA PAM will: - Enable or disable session recording - Terminate sessions - Force CA PAM session re-authentication Trigger events in CA PAM via NSX Service Composer workflows User Session NSX Partner Ecosystem Product NSX Manager Vmware vCenter Admin Apply Tag Apply Tag Enable/Disable Session Recording Terminate Sessions Xsuite Re-Authentication CA Privileged Access Manager
  15. 15. 15 2015 CA. ALL RIGHTS [email protected] #CAWORLD Recommended Sessions SESSION # TITLE DATE/TIME SCT19T Defend Against Data Breaches With CA Privileged Access Management 11/18/2015 at 3:00 pm SCT07S Roadmap: Privileged Identity Management 11/19/15 at 4:30 pm SCT33S Protecting the Software-Defined Data Center from Data Breach 11/18/2015 at 2:00 pm
  16. 16. 16 2015 CA. ALL RIGHTS [email protected] #CAWORLD Must See Demos Positive Privileged User Authentication CA Privileged Access Manager Security Theater Fine-Grained Access Control for Servers CA Privileged Access Manager Server Control Security Theater Privileged Access Control CA Privileged Access Manager Security Theater Record and Analyze User Sessions CA Privileged Access Manager Security Theater
  17. 17. 17 2015 CA. ALL RIGHTS [email protected] #CAWORLD Follow On Conversations At Smart Bar CA Privileged Access Manager Security Theater Tech Talks Defend Against Data Breaches With CA Privileged Access Management SCT19T
  18. 18. 18 2015 CA. ALL RIGHTS [email protected] #CAWORLD Q & A
  19. 19. 19 2015 CA. ALL RIGHTS [email protected] #CAWORLD For More Information To learn more, please visit: CA World 15