Download - Privileged Access Management for the Software-Defined Network

Transcript
Page 1: Privileged Access Management for the Software-Defined Network

Privileged Access Management for the Software-Defined Network

Shawn Hank

Security

CA Technologies

Director, Presales

SCT32T

@shawnhank

#CAWorld

Page 2: Privileged Access Management for the Software-Defined Network

2 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD

© 2015 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.

The content provided in this CA World 2015 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.

For Informational Purposes Only

Terms of this Presentation

Page 3: Privileged Access Management for the Software-Defined Network


Abstract

New extensions to CA Privileged Access Manager significantly expand the ability of the product to protect and defend resources in VMware NSX virtualized network environments. In this session, we’ll examine and demonstrate those capabilities, which take advantage of new technologies and methods made available by the NSX infrastructure, in more detail.

Shawn Hank

CA Technologies

Director, Presales

Page 4: Privileged Access Management for the Software-Defined Network


Network virtualization overview

Network virtualization decouples software from hardware in the same way server virtualization already does:

Server virtualization (x86 environment):
General Purpose Server Hardware -> Server Hypervisor (requirement: x86) -> Virtual Machines -> Applications

Network virtualization:
General Purpose Networking Hardware -> Network Hypervisor (requirement: IP transport) -> Virtual Networks -> Workloads, with L2, L3 and L4-7 network services delivered in software

Page 5: Privileged Access Management for the Software-Defined Network


NSX Delivers the Operational Model of a VM for the Network

Abstracts, pools, automates networking for the SDDC

Reproduces L2/3 networking, L4-7 services

Runs on any existing networking hardware

Provides scale out/distributed switching, routing, firewalling

Page 6: Privileged Access Management for the Software-Defined Network


Distributed firewalling

An NSX network is made up of distributed network elements embedded in each hypervisor, enabling each VM to have its own firewall.

- Firewalls/policies provisioned simultaneously with VMs
- Policies move with their VMs
- Retiring a VM deprovisions its firewall – no possibility of stale rules

NSX firewalling: fully distributed, embedded in every hypervisor in the data center

Page 7: Privileged Access Management for the Software-Defined Network


Configure policy with Security Groups

1. Select elements to uniquely identify application workloads
2. Use attributes to create Security Groups
3. Apply policies to security groups

Example: App 1 (OS: Windows 8, TAG: "Production") is placed in GroupXYZ; GroupXYZ receives Policy 1 ("IPS for Desktops", "FW for Desktops") and Policy 2 ("AV for Production", "FW for Production").

Element types usable as group criteria:
Static: Data center, Virtual net, Virtual machine, vNIC
Dynamic: VM name, OS type, User ID, Security tag

- Enforce policy based on logical constructs
- Reduce configuration errors
- Policy follows VM, not IP
- Reduce rule sprawl and complexity

Use security groups to abstract policy from application workloads.

Page 8: Privileged Access Management for the Software-Defined Network


Automate security operations

ATTRIBUTE (if) -> ACTION (then)
Virus found -> Quarantine VM with Firewall
Vulnerability found (old software version), e.g. IIS.EXE -> Monitor VM with IPS
Sensitive Data Found ("PCI") -> Allow & Encrypt* OR Restrict access while investigating

- Automated detection of security conditions (virus, vulnerability, etc.)
- Security policies define automated actions
- Security operations are automated and adapt to dynamic conditions

Page 9: Privileged Access Management for the Software-Defined Network


Achieving segmentation with NSX

- Each VM can now be its own perimeter
- Policies align with logical groups
- Control communication within a single VLAN
- Prevents threats from spreading

NSX segmentation simplifies network security

Diagram: a perimeter firewall in front of DMZ, App, Services (AD, NTP, DHCP, DNS, CERT) and DB tiers, an inside firewall, and Finance, HR and IT workloads segmented from each other.

Page 10: Privileged Access Management for the Software-Defined Network


CA Privileged Access Manager for VMware NSX-V™ Integration Overview

CA Privileged Access Manager brokers access to:
- VMware vCenter: HTTPS (443/tcp)
- NSX Manager: SSH (22/tcp), HTTPS (443/tcp)
- NSX Controllers: SSH (22/tcp)
- VM Network, Windows Targets: RDP (3389/tcp), HTTP (80/tcp) & HTTPS (443/tcp) … and more!
- VM Network, Linux Targets: SSH (22/tcp), Telnet (23/tcp), HTTP (80/tcp) & HTTPS (443/tcp) … and more!
- VMware UIs: vCloud Automation Center, vCloud Director, vShield Manager, vSphere Web Client … and more!

Operational Dependencies: AD/LDAP/etc. services; RADIUS/TACACS+ servers; NTP/DNS/basic IP services; SYSLOG services; SAN/NAS/share (recordings)

Supported Authentication Types: Local, AD/LDAP, TACACS+, RADIUS, RSA, SMS/Mobile Token, SAML, and/or PIV/CAC/Smartcard

Page 11: Privileged Access Management for the Software-Defined Network


CA PAM for VMware NSX – NSX Manager REST API Proxy

The last mile for full NSX Manager administration visibility

- Users and scripts talk to the Proxy, not to NSX Manager, with different credentials, which may rotate on a policy or schedule
- CA PAM vaults – and rotates – the NSX Manager credentials
- Integrates with Application to Application (A2A)

Closing the "API Loop" to the NSX management plane

Diagram: Consumer -> (A-side request/response) -> NSX Manager API Proxy (NAP) -> (Z-side request/response) -> NSX Manager. CA Privileged Access Manager logs the A2A requests and changes the NSX Manager password.

Page 12: Privileged Access Management for the Software-Defined Network


CA PAM for VMware NSX – Dynamic Tagging and Grouping

CA PAM Policy in lockstep with NSX Security Tags and Groups

- NSX Security Tags and Groups synced with CA PAM and tied to Policies
- As VMs enter/leave NSX Security Groups, CA PAM Access is provisioned/removed

Synchronize CA PAM policies with changes in the NSX security posture

Diagram: CA Privileged Access Manager syncs with NSX Manager, which manages the VM Network under VMware vCenter.
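The two mechanisms on slides 7 and 12 can be modelled together: dynamic group membership is evaluated from VM attributes, and the difference between two membership snapshots becomes the PAM access grants to provision or remove. This is an added example, not CA's or VMware's code; the group criteria, VM attributes and PAM policy names are assumed for illustration.

```python
# Added example (not CA's or VMware's code): evaluate dynamic security-group
# membership from VM attributes (OS type, security tag, VM name, or static
# membership), then reconcile two membership snapshots into the PAM access
# grants to provision or remove. Group and policy names are constructed.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple


@dataclass(frozen=True)
class VM:
    name: str
    os_type: str
    tags: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class SecurityGroup:
    name: str
    os_type: Optional[str] = None          # dynamic criterion: OS type
    required_tag: Optional[str] = None     # dynamic criterion: security tag
    name_prefix: Optional[str] = None      # dynamic criterion: VM name
    static_members: FrozenSet[str] = frozenset()  # static criterion: VM objects

    def matches(self, vm: VM) -> bool:
        """Member if a static member, or if every defined dynamic criterion
        holds (criteria are ANDed); a group with no criteria matches nothing."""
        if vm.name in self.static_members:
            return True
        criteria = [
            (self.os_type, vm.os_type == self.os_type),
            (self.required_tag, self.required_tag in vm.tags),
            (self.name_prefix, vm.name.startswith(self.name_prefix or "")),
        ]
        defined = [ok for value, ok in criteria if value is not None]
        return bool(defined) and all(defined)


def membership(groups, vms) -> Dict[str, Set[str]]:
    """Snapshot of group -> member VM names, like an NSX group sync."""
    return {g.name: {vm.name for vm in vms if g.matches(vm)} for g in groups}


def reconcile(previous, current, group_policy) -> Tuple[Set, Set]:
    """Diff two snapshots. group_policy maps a group to the PAM policy tied
    to it. Returns (grants to provision, grants to remove) as (vm, policy)."""
    provision, remove = set(), set()
    for group, policy in group_policy.items():
        before, after = previous.get(group, set()), current.get(group, set())
        provision |= {(vm, policy) for vm in after - before}
        remove |= {(vm, policy) for vm in before - after}
    return provision, remove
```

Running the reconciliation on every sync keeps PAM access tied to group membership, so a retired or re-tagged VM loses its grants instead of leaving them behind.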

Page 13: Privileged Access Management for the Software-Defined Network


CA PAM for VMware NSX – Access Restrictor

DFW Rules added and removed on-demand

- Rules added when connections are opened and removed when closed
- Removes the human element and potential for error
- Enables a highly-secure "deny all" environment where exceptions are forced through CA PAM and only CA PAM may access protected resources

Automatic, runtime, ephemeral Distributed Firewall Rules maintained by CA PAM

Diagram: Client/User connects through CA Privileged Access Manager to the Target VM; CA PAM instructs NSX Manager to add and remove the corresponding DFW rules.
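A model of the Access Restrictor pattern described on this slide, added here as an example and not CA's or VMware's code: the rule table defaults to deny, a narrow allow rule whose source is always the PAM appliance is created when a brokered session opens and deleted when it closes, and a stale-rule check flags rules whose session is no longer live. The PAM address, target addresses and session ids are assumed for illustration.

```python
# Added example (not CA's or VMware's code): ephemeral per-session DFW rules
# with an implicit final deny. Only the PAM appliance is ever the source of an
# allow rule, so a client connecting directly to a target is still denied.
# Addresses and session ids are constructed for illustration.
from dataclasses import dataclass
import itertools
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    rule_id: int
    src: str
    dst: str
    dport: int
    action: str  # "allow" or "deny"


class DistributedFirewall:
    """Rule table for protected targets; no match falls through to deny."""

    def __init__(self, pam_ip: str):
        self.pam_ip = pam_ip
        self._ids = itertools.count(1)
        self.rules: List[Rule] = []
        self.sessions: Dict[str, Rule] = {}        # session id -> its rule
        self.audit: List[Tuple[str, str, int]] = []  # (event, session, rule id)

    def decide(self, src: str, dst: str, dport: int) -> str:
        """First matching rule wins; the default is deny."""
        for r in self.rules:
            if (r.src, r.dst, r.dport) == (src, dst, dport):
                return r.action
        return "deny"

    def open_session(self, session_id: str, target: str, dport: int) -> int:
        """PAM opened a brokered connection: add an allow rule for exactly
        this target and port, sourced from the PAM appliance only."""
        rule = Rule(next(self._ids), self.pam_ip, target, dport, "allow")
        self.rules.append(rule)
        self.sessions[session_id] = rule
        self.audit.append(("add", session_id, rule.rule_id))
        return rule.rule_id

    def close_session(self, session_id: str) -> None:
        """Session ended: remove its rule so nothing lingers in the DFW."""
        rule = self.sessions.pop(session_id)
        self.rules.remove(rule)
        self.audit.append(("remove", session_id, rule.rule_id))

    def stale_rules(self, live_sessions) -> List[Rule]:
        """Detection check: rules whose session PAM no longer lists as live
        (for example after a PAM restart) should be reaped, not left open."""
        live = set(live_sessions)
        return [r for sid, r in self.sessions.items() if sid not in live]
```

Reconciling the DFW against PAM's live session list on a schedule closes the gap where a crash between open and close would otherwise leave an allow rule in place.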

Page 14: Privileged Access Management for the Software-Defined Network


CA PAM for VMware NSX – Service Composer Integration

Deep integration with Service Composer

As VMs enter or leave NSX Security Groups, CA PAM will:
- Enable or disable session recording
- Terminate sessions
- Force CA PAM session re-authentication

Trigger events in CA PAM via NSX Service Composer workflows

Diagram: an Admin or an NSX Partner Ecosystem Product applies a tag in NSX Manager (through VMware vCenter); CA Privileged Access Manager reacts to the tag on the user session by enabling/disabling session recording, terminating sessions, or forcing Xsuite re-authentication.

Page 15: Privileged Access Management for the Software-Defined Network


Recommended Sessions

SESSION #  TITLE  DATE/TIME
SCT19T  Defend Against Data Breaches With CA Privileged Access Management  11/18/2015 at 3:00 pm
SCT07S  Roadmap: Privileged Identity Management  11/19/15 at 4:30 pm
SCT33S  Protecting the Software-Defined Data Center from Data Breach  11/18/2015 at 2:00 pm

Page 16: Privileged Access Management for the Software-Defined Network


Must See Demos

DEMO  PRODUCT  LOCATION
Positive Privileged User Authentication  CA Privileged Access Manager  Security Theater
Fine-Grained Access Control for Servers  CA Privileged Access Manager Server Control  Security Theater
Privileged Access Control  CA Privileged Access Manager  Security Theater
Record and Analyze User Sessions  CA Privileged Access Manager  Security Theater

Page 17: Privileged Access Management for the Software-Defined Network


Follow On Conversations At…

Smart Bar: CA Privileged Access Manager, Security Theater
Tech Talks: Defend Against Data Breaches With CA Privileged Access Management (SCT19T)

Page 18: Privileged Access Management for the Software-Defined Network


Q & A

Page 19: Privileged Access Management for the Software-Defined Network


For More Information

To learn more, please visit:

http://cainc.to/Nv2VOe

CA World ’15