VMware vShield Presentation Pp en Dec10

Transcript of VMware vShield Presentation Pp en Dec10

  • 8/3/2019 VMware vShield Presentation Pp en Dec10

    1/34

    Confidential

    © 2009 VMware Inc. All rights reserved

    VMware vShield - Foundation for the Most Secure Cloud Deployments

  • 2/34

    Agenda

      • Cloud Computing & Security
      • Security State of the Market
      • Virtualization - Key Security Enabler
      • vShield Products
      • Use Cases
      • Summary

  • 3/34

    Security Market Overview

    $27B Worldwide in 2009

    [Chart. Legend: Market Size ($M) in 2009; Market Growth Rate; Market Size in 2012; Segments We Address. Labels: Endpoint Security, Antivirus, Network Security, Identity Management, Others]

      • Anti-Virus: $4,096 (7%)
      • Application Security: $2,987 (15%)
      • Security Operations
      • Identity Mgmt: $3,565 (20%)
      • Network Security: $9,136 (8%)
      • Data Security: $3,258 (19%)
      • Endpoint Security: $3,001 (2%)
      • $713 (8%)

    Source: FORRESTER, 2009

  • 4/34

    Security and Compliance are the Primary Concerns with Cloud

    [Diagram labels: Internal IT; Public Cloud; Rate Card; Hands-off; Self-service; ? Control; ? Security; ? Compliance]

    Virtualization forms the foundation for building private clouds. Security must change to support both.

    Gartner, 2010

  • 5/34

    Agenda

      • Cloud Computing & Security
      • Security State of the Market
      • Virtualization - Key Security Enabler
      • vShield Products
      • Use Cases

  • 6/34

    Security Challenges

    Traditional Security

      Expensive
        • Specialized hardware appliances
        • Multiple point solutions

      Rigid
        • Policy directly tied to implementation
        • Not virtualization and change-aware

      Complex
        • Spaghetti of different rules and policies

    Effect

        • VLAN sprawl
        • Gap between policy and enforcement
        • Manual re-implementation of security policies
        • Heightened risk exposures

        • Limited control and visibility
        • Organizational confusion (VI, security, network)
        • Hindered IT compliance
        • Slow provisioning
        • Heightened risk exposures

        • Security rationing
        • Heightened risk exposures

  • 7/34

    The vShield Advantage: Increased Security

    Traditional Security

      Expensive
        • Specialized hardware appliances
        • Multiple point solutions

      Rigid
        • Policy directly tied to implementation
        • Not virtualization and change-aware

      Complex
        • Spaghetti of different rules and policies

    vShield

      Cost Effective
        • Single virtual appliance with breadth of functionality
        • Single framework for comprehensive protection

      Simple
        • No sprawl in rules, VLANs, agents
        • Relevant visibility for VI Admins, network and security teams
        • Simplified compliance

      Adaptive
        • Virtualization and change aware
        • Program once, execute everywhere
        • Rapid remediation

    Deployments on VMware are more secure than physical

  • 8/34

    VMware Transforms Security from Expensive to Cost Effective

    [Diagram labels: Load balancer, Firewall, VPN, Etc; VMware vSphere; vShield Virtual Appliance]

    vShield eliminates the need for multiple special purpose hardware appliances - 3-5x Savings Capex, Opex

  • 9/34

    VMware Transforms Security from Complex

    Complex
      • Policies, rules implementation - no clear separation of duties; organizational confusion
      • Many steps - configure network, firewall and vSphere
      • Spaghetti of VLANs, Sprawl - Firewall rules, agents

    [Diagram labels: VMware vSphere; VLANs; agent (repeated); Policies, Rules; Network admin, Security admin, VI admin; Overlapping Roles / Responsibilities; Many steps. Configure Network, Firewall, vSphere; Define, Implement, Monitor, Refine]

  • 10/34

    To Disruptively Simple

    Simple
      • Clear separation of duties
      • Few steps - configure vShield
      • Eliminate VLAN sprawl - vNIC firewalls
      • Eliminate firewall rules, agents sprawl

    [Diagram labels: VMware vSphere; vShield Manager + vCenter; Few steps: Configure vShield; Network admin, Security admin, VI admin; Clear separation of Roles / Responsibilities; Define, Monitor, Refine, Implement]

  • 11/34

    VMware Turns Security from Rigid

    BEFORE vShield
      • Security groups tied to physical servers
      • Air gaps, i.e. physical isolation, between security groups
      • VMs in a security group cannot be vMotioned to other hosts

    [Diagram labels: DMZ; PCI compliant; VMware vSphere + vCenter; Air gap; VMware vSphere + vCenter]

  • 12/34

    ...to Adaptive

    AFTER vShield
      • Security groups become a VM construct rather than a physical server construct
      • Security groups enforced with VM movement
      • Mix VMs from different groups on the same host

    [Diagram labels: PCI Compliant; DMZ; VMware vSphere + vCenter]

  • 13/34

    Agenda

      • Cloud Computing & Security
      • Security State of the Market
      • Virtualization - Key Security Enabler
      • vShield Products
      • Use cases
      • Summary

  • 14/34

    Why VMware vShield is a Security Enabler?

      1. Unique introspection
      2. Policy abstraction

    Cost Effective
      • Single virtual appliance with breadth of functionality
      • Single framework for comprehensive protection

    Simple
      • No sprawl in rules, VLANs, agents
      • Relevant visibility for VI Admins, network and security teams
      • Simplified compliance

    Adaptive
      • Virtualization and change aware
      • Program once, execute everywhere
      • Rapid remediation

  • 15/34

    Security Enabler: Unique Introspection

    Introspect detailed VM state and VM-to-VM communications

    [Diagram labels: vSphere + vShield; Processor; Memory; Network]

    Benefits
      • Comprehensive host and VM protection
      • Reduced configuration errors
      • Quick problem identification
      • Reduced complexity - no security agents per VM required

  • 16/34

    Security Enabler: Policy Abstraction

    Separate the policy definition from the policy implementation

    Before vShield
      • Policy tied to the physical host; lost during vMotion

    After vShield
      • Policy tied to logical attributes; follow virtual machine

    [Diagram labels: VMware vSphere + vShield; Policy tied to logical attributes]

    Benefits
      • Create and enforce security policies with live migration, automated VM load balancing and automated VM restart
      • Rapid provisioning of security policies
      • Easier compliance with continuous monitoring and comprehensive logging

  • 17/34

    Agenda

      • Cloud Computing & Security
      • Security State of the Market
      • Virtualization - Key Security Enabler
      • vShield Products
      • Use cases
      • Summary

  • 18/34

    2010 - Introducing vShield Products

    Securing the Private Cloud End to End: from the Edge to the Endpoint

    Edge
      • vShield Edge 1.0
      • Secure the edge of the virtual datacenter

    Security Zone
      • vShield App 1.0 and Zones
      • Application protection from network based threats

    Endpoint = VM
      • vShield Endpoint 1.0
      • Enables offloaded anti-virus

    [Diagram labels: VMware vSphere + vCenter; Virtual Datacenter 1; Virtual Datacenter 2; DMZ; PCI compliant; HIPAA compliant; Web; View; VMware vShield; VMware vShield Manager]

  • 19/34

    vShield Edge - Secure the Edge of the Virtual Data Center

    Features
      • Multiple edge security services in one appliance
      • Stateful inspection firewall
      • Network Address Translation (NAT)
      • Dynamic Host Configuration Protocol (DHCP)
      • Site to site VPN (IPsec)
      • Web Load Balancer
      • Network isolation (edge port group isolation)
      • Detailed network flow statistics for chargebacks, etc
      • Policy management through UI or REST APIs
      • Logging and auditing based on industry standard syslog format

    Benefits
      • Lower cost and complexity by eliminating multiple special purpose appliances
      • Ensure policy enforcement with network isolation
      • Simplify management with vCenter integration and programmable interfaces
      • Easier scalability with one edge per org/tenant
      • Rapid provisioning of edge security services
      • Simplify IT compliance with detailed logging

    [Diagram labels: VMware vSphere; Tenant A, Tenant C, Tenant X; VMware vShield Edge (one per tenant); VPN, Load balancer, Firewall; Secure Virtual Appliance]

  • 20/34

    vShield Lowers Cost of Security Significantly

    [Chart: Cost per Mbps ($0 to $50) against Throughput (.5 Gbps, 1 Gbps, 10 Gbps, 100 Gbps) for a network edge security solution (Firewall + VPN + Load balancer); series: vShield Edge, Security appliances; annotation: >5x]

    Assumptions
      • 100 VM per edge
      • vSphere & server costs
      • High availability
      • Mbps = Megabits/sec
      • Gbps = Gigabits/sec

  • 21/34

    vShield App - Application Protection for Network Based Threats

    Features
      • Hypervisor-level firewall
      • Inbound, outbound connection control applied at vNIC level
      • Elastic security groups - stretch as virtual machines migrate to new hosts
      • Robust flow monitoring
      • Policy Management
      • Simple and business-relevant policies
      • Managed through UI or REST APIs
      • Logging and auditing based on industry standard syslog format

  • 22/34

    vShield App Provides Adaptive Security with Policy Abstraction

      • Security groups enforced with VM movement
      • Policies based on logical attributes

    [Diagram labels: PCI Compliant; DMZ; VMware vSphere + vCenter; vShield App]

  • 23/34

    vShield App - Application Protection for Network Based Threats

    Features
      • Hypervisor-level firewall
      • Inbound, outbound connection control applied at vNIC level
      • Elastic security groups - stretch as virtual machines migrate to new hosts
      • Robust flow monitoring
      • Policy Management
      • Simple and business-relevant policies
      • Managed through UI or REST APIs
      • Logging and auditing based on industry standard syslog format

    Benefits
      • Increase visibility for inter-VM communications
      • Eliminate dedicated hardware and VLANs for different security groups
      • Optimize resource utilization while maintaining strict security
      • Simplified compliance with comprehensive logging of inter VM activity

  • 24/34

    vShield Endpoint - Offload Anti-virus Processing for Endpoints

    Benefits
      • Improve performance by offloading anti-virus functions in tandem with AV partners
      • Improve VM performance by eliminating anti-virus storms
      • Reduce risk by eliminating agents susceptible to attacks and enforced remediation
      • Satisfy audit requirements with detailed logging of AV tasks

    Features
      • Eliminate anti-virus agents in each VM; anti-virus offloaded to a security VM delivered by AV partners
      • Enforce remediation using driver in VM
      • Policy and configuration Management: through UI or REST APIs
      • Logging and auditing

  • 25/34

    Agenda

      • Cloud Computing & Security
      • Security State of the Market
      • Virtualization - Key Security Enabler
      • vShield Products
      • Use cases
      • Summary

  • 26/34

    Service Provider - Offering Multi-Tenant Hosting Service

    Requirements

    Host potentially hundreds or thousands of tenants in shared infrastructure with:
      • Traffic Isolation between the tenants
      • Complete protection and confidentiality of tenant apps and data
      • Integration with enterprise directory services (e.g. Active Directory)
      • Complying with various audit requirements

    Solution - vShield Edge, VMware Cloud Director
      • Guarantee full confidentiality and protection of tenant apps and data with built-in firewall and VPN
      • Use enterprise directory services for security policies
      • Accelerate compliance by logging all traffic information on per-tenant basis
      • Lower cost of security by 100+% by eliminating purpose built appliances and by increasing utilization and VM density

    [Diagram labels: Company A, Company B, Company C; VMware vSphere + vCenter + vShield; Cisco VPN, Juniper VPN, Checkpoint VPN; VMware vCloud Director; vShield Edge]

  • 27/34

    Enterprise - Securing Business Critical Applications

    Requirements

    Deploy production and development applications in a shared infrastructure with:
      • Traffic segmentation between applications
      • Authorized access to applications
      • Strict monitoring and enforcement of rules on inter-VM communications
      • Ability to maintain security policies with VM movement
      • Compliance to various audit requirements

    Solution - vShield App + Edge
      • Protect data and applications with hypervisor level firewall
      • Create and enforce security policies with virtual machine migration
      • Facilitate compliance by monitoring all application traffic
      • Improve performance and scalability with load balancer and software based solution

    [Diagram labels: VMware vSphere + vShield; DMZ; Finance; Development; VMware vShield App]

  • 28/34

    Enterprise - Secure View Deployments

    Requirements

    Support thousands of internal and external View users with:
      • Comprehensive security for View servers
      • Anti virus agents to protect client data and applications
      • Optimal performance and scalability

    Solution - vShield Endpoint + App + Edge
      • Improve performance by offloading AV processing
      • Reduce costs by freeing up virtual machine resources and eliminating agents
      • Improve security by streamlining AV functions to a hardened security virtual machine (SVM)
      • Protect View application servers from threats
      • Demonstrate compliance and satisfy audit requirements with detailed logging of offloaded AV tasks

    [Diagram labels: VMware vSphere + vShield; DMZ; View Desktops; Remote User; Local User; Public Network; Private Network; VMware vShield App]

  • 29/34

    Agenda

      • Cloud Computing & Security
      • Security State of the Market
      • Virtualization - Key Security Enabler
      • vShield Products
      • Use cases
      • Summary

  • 30/34

    vShield Edge 1.0 vs. vShield Zones 4.1 vs. vShield App 1.0

  • 31/34

    vShield Products

    | Product SKUs | List/VM | SnS |
    |---|---|---|
    | vShield Edge 1.0 | $150 | Standard Basic, Production |
    | vShield Endpoint 1.0 | $50 | Standard Basic, Production |
    | vShield Zones for vSphere 4.1 (Included in vSphere Advanced and above) | NA | vSphere SnS applies |
    | vShield App 1.0 (includes Endpoint and Zones) | $150 | Standard Basic, Production |
    | Upgrade to full vShield Edge 1.0 from VMware Cloud Director | $110 | Standard Basic, Production |
    | Upgrade to vShield App 1.0 from vShield Endpoint 1.0 | $110 | Standard Basic, Production |

    Notes
      • VMware Cloud Director: Includes vShield Edge subset (Firewall, DHCP, NAT)
      • vShield App: Includes vShield Endpoint
      • VMware View 4.5 Premier SKUs: Include vShield Endpoint 1.0
      • All SKUs: Min 25-VM purchase

  • 32/34

    vShield Wins Best of VMworld 2010

    VMware vShield marks a major improvement in security. It includes many essential features for virtualization security, and the ability to isolate traffic for different port groups is a highlight

  • 33/34

    Quotes

    "Definitely, the integration of vShield, offering application, network and end point security for the cloud, is a big step.." - CloudAve, Krishnan Subramanian

    "The vision of moving legacy and new applications between public and private clouds necessitates a virtual security approach that surpasses static edge filtering commonly found in AV, IPS and firewalls." - ComputerWorld, Eric Ogren

    "You've got to hand it to VMware ..this week's VMworld, the company announced the VMware vShield family of security products." - Enterprise Strategy Group, Jon Oltsik

    "vShield should help IT managers ensure that VMs can be protected and isolated in the virtual network with technology that is baked into the virtualization infrastructure." - eWEEK, Cameron Sturdevant

    "VMware has finally taken virtual machine security and added it through the entire virtualization stack.. The dark horse feature of this product? Load balancing. I tried it in the lab - it takes 30 seconds to set up load balancing. No more need for expensive F5s - this could be a real game changer." - Brandon Hahn

  • 34/34

    Thank You