VMware NSX – A Perspective for Service Providers – part 2 (transcript)

Page 1
VMware NSX – A Perspective for Service Providers – part 2
Using Software Defined Networking to harden DC security controls
Trevor Gerdes, Strategic Architect – Security and Networks
Page 2
NSX for SPs Part 2 - Agenda
1 Case Studies
2 Data Centre Security
3 Distributed Firewall – Use Cases
4 Current SDN Technologies
5 NSX Service Composer
6 Building a Zero Trust Model
Page 3
Case Studies
CONFIDENTIAL 3
Page 4
Australian MSP
• Existing vSphere customer
• Using a 3rd-party orchestration system (non-VMware)
• Wanted to improve service delivery times
• Looking at a hybrid virtual solution using elements from Juniper, Cisco and VMware
Page 5
Australian MSP
• Implemented NSX into new cloud offering inside 3 months
• Reduced service delivery time from 6 weeks to 3 days
• Brought forward revenue billing by 5 weeks
• Selected NSX over the hybrid Cisco, VMware and Juniper solution due to its all-in-one package of logical L2 networking, L3 routing and perimeter gateway services, including VPN and LB services.
• Integrated NSX via API into the 3rd-party cloud solution inside 1 week using Python scripts.
• Looking for the next wave of feature integration and “value add” using the NSX distributed FW and security partners.
Page 6
First Problem – VM Conversion required
[Diagram: Customer Data Centre → Cloud Hosting Service]
Page 7
[Diagram: Customer Data Centre → Cloud Hosting Service]
Page 8
[Diagram: Customer Data Centre → Cloud Hosting Service]
What about a partial move?
Page 9
NSX – Providing Stretch Layer 2 (over Layer 3)
[Diagram: NSX stretching Layer 2 between the Customer Data Centre and the Cloud Hosting Service]
Currently in use by a large Sydney-based Hosting Provider
Page 10
SDDC Micro-Segmentation Business Case - Sample
Data Center Environment:
  Number of VMs: 1,000
  Number of VMs per CPU: 5
  Number of CPUs per Host: 2
  Number of Hosts: 100
Firewall Throughput Required for Micro-Segmentation:
  Average Application Throughput per Host: 7 Gbps
  Throughput Required to Support All VMs: 700 Gbps
  Segmentation Ratio (% of VMs requiring FW controls): 40%
  Effective Firewall Throughput Requirement: 280 Gbps
  Firewalls Required (20 Gbps each, x2 for HA): 28 Firewalls
Firewall Cost:
  List Price of 20 Gbps Firewalls: $150,000
  Total CAPEX for Firewalls: $4,200,000
  Note: Operationally Infeasible
NSX Cost:
  List Cost for NSX Platform: ~$1,300,000
  Note: Operationally Easy to Deploy; 3x Difference in CAPEX Cost
Page 11
Large US Financial
• 25,000 VM deployment
• $10m investment in NSX
• $50m savings over 5 years
• NSX improved host utilisation from 9:1 to 14:1
• NSX helped avoid hardware refresh on ESX hosts, Load Balancers, Network hardware
• SDDC helped reduce labour costs by $8m
• 15 month PoC which morphed into full SDDC PoC (vCAC, vCO, vCOps, LogInsight)
Page 12
Rackspace
“NVP, combined with OpenStack is a game changer. Together we are bringing enterprise private networking to the cloud.”
Lew Moorman, President, Rackspace
• Rackspace Cloud Networks
• $15-$20 million a year savings by not overprovisioning servers
• Deliver enterprise-class private networking in a public, multi-tenant cloud.
Page 13
Improved Server Utilization – less overprovisioning of servers
Without Network Virtualization 60% Asset Utilization
With Network Virtualization 90% Asset Utilization
Page 14
Data Centre Security – A Better Way
Page 15
Yesterday’s Model for DC Security
“Hard Shell on the Outside”
“Soft on the Inside” – Physical Workloads
Page 16
Secure Micro-Segmentation in the Data Center
Uncontrolled Communication
Page 17
Secure Micro-Segmentation in the Data Center
Operationally Infeasible
Page 18
Secure Micro-Segmentation with VMware NSX
Controlled Communication
Scale-Out Performance
Automated Operational Model
Page 19
NSX Distributed Firewall – Overview
Hypervisor Kernel Embedded Firewall:
• Built directly into the Hypervisor
• Near Line-Rate Performance
• Removes dependence on Guest based Firewall
• L2-4 Stateful East/West Firewalling
Distributed to Every VM:
• No “Choke Point”
• Policy independent of VM location
• Enforcement closest to VM
• Removes Tromboning
Page 20
Distributed Firewall – Use Cases
Page 21
[Diagram: three Distributed Firewall use cases]
Isolation – Dev, Test and Production: No Communication Path
Segmentation – Web, App and DB tiers: Controlled Communication Path
Service Insertion – Web, App and DB tiers with Advanced Services: Controlled Communication Path
Page 22
NSX Distributed Firewall for vMotion
[Diagram: Internet – Perimeter Firewalls – Security Policy – Cloud Management Platform]
• Hypervisor-based, in-kernel distributed firewalling
• Platform-based automated provisioning and workload adds/moves/changes
Page 23
NSX Distributed Firewall: Better Load Distribution
[Diagram: PCI, Non-PCI and Private zones]
Page 24
Automated Security in a Software Defined Data Center – Data Center Micro-Segmentation
Page 25
Network-Segmentation or Micro-Segmentation
[Diagram: Multi-Tier, Multi-subnet – Web, App and Database tier VMs on separate subnets, with an NSX Load Balancer and an NSX Distributed Router]
Or
[Diagram: Multi-Tier, Single-subnet – Web, App and DB VMs on one subnet, with an NSX Load Balancer]
Page 26
Current SDN Technologies
Page 27
Software Defined Networking - Layers
Consumption – How an end user consumes SDN
  Build networks and security services via WebUI, REST API (XML, JSON), Python scripts etc
  e.g. vRealize Automation, CloudForms, ServiceMesh, CloudFoundry
Management – Configuration interface
  REST XML API or WebUI
  e.g. vCenter, NSX Manager, APIC, OpenStack
Control Plane – Programs the Data Plane
  Provides: API north side, OpenFlow or proprietary southbound
  e.g. NSX Controller, ACI N9K spine sw., Contrail, OpenDaylight
Data Plane – Forwards packets
  Provides: workload connectivity & services processing
  e.g. hypervisors, physical switches and appliances
Page 28
Hardware-based SDN – “H”DN?
Page 29
VMware NSX
Page 30
The anatomy of the most agile & efficient data centers is SDDC
[Diagram: Google / Facebook / Amazon Data Centers – Custom Application on a Custom Platform, with Software / Hardware Abstraction over Any x86, Any Storage, Any IP network]
Facebook “6-pack”: the first open hardware modular switch. 12 switching elements, 1.28 Tbit/s each
Page 31
“New IT” will be SDDC
[Diagram: three stacks with the same layers – Any Application / SDDC Platform / Any x86, Any Storage, Any IP network – for the Software Defined Data Center (SDDC, via Data Center Virtualization), the Public Data Center and the Hybrid Data Center]
Page 32
NSX Service Composer
Page 33
NSX Service Composer
Security services are consumed more efficiently in a software-defined datacenter
[Diagram: VMware Network and Security Platform – Deploy, Apply, Automate; Extensibility: Security Tags, Security Groups, Security Policies, Service Insertion]
Page 34
NSX Service Composer – Canvas View
Page 35
NSX Service Composer – Security Group
Security Group (SG) - Container of VMs by IP, Security tag, switch etc
• Defines what you want to protect.
• e.g. “PCI DSS Zone”, “DMZ”, “Quarantine Zone”
Security Policies – collection of Security Policy Objects (SPOs) assigned to this Security Group.
• How you want to protect this container
• Can have multiples with weighting
• e.g. “PCI Compliance Policy”
Included Security Groups - Nested containers
• e.g. “Quarantine Zone” is a sub-group within “PCI DSS Zone”
Virtual Machines that belong to this container.
• e.g. “Apache-Web-VM”, “Exchange Server-VM”
Security Policy contents:
Guest Introspection
• Anti-virus
• Vulnerability Management
• Data Loss Prevention (DLP)
Firewall Rules
• Inbound, Outbound, Intra-Zone
• Allow, Deny, and Log
Network Introspection – 3rd party services integrated via NetX
• Intrusion Prevention (IPS)
• Next-gen F/W
• WAN optimization, load balancing services
Page 36
Automated Security in a Software Defined Data Center – Quarantine Vulnerable Systems until Remediated
Security Group = Virtual_Desktops
  Members = {Connected to VDI-01-Logical-Switch}
  Policy = Standard Desktop
Security Group = Quarantine Zone
  Members = {Tag = ‘ANTI_VIRUS.VirusFound’}
  Policy = Quarantine Zone
Policy Standard Desktop:
  Anti-Virus – Scan
Policy Quarantine Zone:
  Firewall – Permit remediation, deny all
  Anti-Virus – Scan and remediate
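As an added illustration (not code from the deck or from VMware), the Python model below plays through the quarantine workflow on this slide: a desktop is a member of Virtual_Desktops by logical switch, the anti-virus service adds the ANTI_VIRUS.VirusFound tag, the VM thereby joins Quarantine Zone, and the higher-weight Quarantine Zone policy confines it to the remediation server until the tag is cleared. The Remediation group and server, the policy weights, the Standard Desktop permit rule and the default-deny for unmatched flows are assumptions; group, tag and policy names are taken from the slide.

```python
"""Toy model of the Service Composer workflow on the slide: security groups with
dynamic membership, weighted policies and first-match firewall rules. Added
illustration only; it does not call the NSX API."""
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class VM:
    name: str
    switch: str                                 # logical switch of the vNIC
    tags: set = field(default_factory=set)      # security tags set by services

@dataclass
class SecurityGroup:
    name: str
    switch: Optional[str] = None                # dynamic: connected to this switch
    tag: Optional[str] = None                   # dynamic: carries this security tag
    members: set = field(default_factory=set)   # static VM members

    def contains(self, vm: VM) -> bool:
        return (vm.switch == self.switch or self.tag in vm.tags
                or vm.name in self.members)

@dataclass
class Policy:
    name: str
    weight: int                                 # higher weight is enforced first
    applied_to: str                             # security group it is bound to
    rules: list                                 # (src group or "Any", dst, action)

class Composer:
    def __init__(self, groups, policies):
        self.groups = {g.name: g for g in groups}
        self.policies = sorted(policies, key=lambda p: -p.weight)

    def member(self, vm: VM, group: str) -> bool:
        return group == "Any" or self.groups[group].contains(vm)

    def evaluate(self, src: VM, dst: VM) -> str:
        """Action for a src->dst flow: rules of every policy bound to a group that
        holds either endpoint, highest weight first, first match wins."""
        for pol in self.policies:
            if self.member(src, pol.applied_to) or self.member(dst, pol.applied_to):
                for s, d, action in pol.rules:
                    if self.member(src, s) and self.member(dst, d):
                        return action
        return "Deny"                           # zero-trust default (assumption)

def build_composer() -> Composer:
    """Group, tag and policy names as on the slide; the Remediation group, the
    weights and the Standard Desktop firewall rule are assumptions."""
    groups = [SecurityGroup("Virtual_Desktops", switch="VDI-01-Logical-Switch"),
              SecurityGroup("Quarantine Zone", tag="ANTI_VIRUS.VirusFound"),
              SecurityGroup("Remediation", members={"remediation-srv"})]
    policies = [
        Policy("Standard Desktop", 1000, "Virtual_Desktops",
               [("Virtual_Desktops", "Any", "Permit")]),
        Policy("Quarantine Zone", 5000, "Quarantine Zone",
               [("Quarantine Zone", "Remediation", "Permit"),  # remediation only
                ("Quarantine Zone", "Any", "Deny"),
                ("Any", "Quarantine Zone", "Deny")])]
    return Composer(groups, policies)

def demo() -> tuple:
    """Constructed scenario: AV tags a desktop; quarantine applies until cleared."""
    c = build_composer()
    desk = VM("desktop-01", "VDI-01-Logical-Switch")
    share = VM("fileserver", "Server-LS")
    remed = VM("remediation-srv", "Server-LS")
    before = c.evaluate(desk, share)            # Standard Desktop: Permit
    desk.tags.add("ANTI_VIRUS.VirusFound")      # scan result tags the VM
    quarantined = (c.evaluate(desk, share), c.evaluate(desk, remed))
    desk.tags.discard("ANTI_VIRUS.VirusFound")  # remediated: tag removed
    return before, quarantined, c.evaluate(desk, share)
```

Because membership is evaluated from the tag on every flow, no rule or group has to be edited when the VM is quarantined or released; the same holds after a vMotion, since the policy is bound to the group rather than to a host or subnet.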
Page 37
Building a Zero-Trust Model
Page 38
Forrester Zero Trust Model
http://csrc.nist.gov/cyberframework/rfi_comments/040813_forrester_research.pdf
“In short, Zero Trust flips the mantra "trust but verify" into "verify and never trust."”
Page 39
Zero-Trust with NSX – Stage 1
Page 40
Zero-Trust with NSX – Stage 2
Page 41
Zero-Trust with NSX – Stage 3
Page 42
Zero-Trust with NSX – Stage 4
Page 43
Resulting Policy
Page 44
Layer 4 – 7 Advanced Services Insertion
NSX and Palo Alto Networks VM Series Firewall
[Diagram: NSX Manager, Distributed Firewall, and Internet → Web → App → DB VMs]
Optimal Traffic Steering – Web Tier
Rule 1: Any to Web – PAN Insertion
Rule 2: Web to App – DFW Permit
Rule 3: Web to Web – DFW Deny
Page 45
Real-world Example of Firewall Sprawl – 22 Firewalls!
Page 46
Complexity driven by applications / E-W traffic flows
[Diagram: North/South versus East/West traffic]
• East-West traffic hairpins across the perimeter Firewall
• Complex static inter-zone routing
• Requires punching holes across security zones
• Internal security zones exposed on perimeter devices
Page 47
Zero-Trust Model Implementation with NSX
[Diagram: Any devices over any networks → App gateways and perimeter devices → Admin jump points; Common Services: EDS, AD, DB; Applications: Exchange]
Exchange roles shown: Edge Transport (routing and AV/AS), Client Access (client connectivity, web services), Hub Transport (routing and policy), Mailbox (storage of mailbox items), Unified Messaging (voice mail and voice access)
Ports shown between the roles and services: 25; 50636; 135; 389, 3268, 88, 53, 135 (to AD); 443; RPC 808; 5060, 5061, 5062, dynamic
Page 48
In Summary
A Good Security Approach Requires
• Zero-Trust: Don’t Trust Anyone, Verify Always
• Control at the Perimeter alone is not enough
NSX with Distributed Firewall Provides
• Easy Enforcement of East/West Policy
• Security Policy that Follows the Workload
• Enforcement at the Smallest Unit of Trust
• Easy Hardening of Data Centre Core through Micro-segmentation
• Integration with Best-of-Breed Security Vendors
Page 49
Thank you!