Privileged Access Management for the Software-Defined Network
Shawn Hank
Security
CA Technologies
Director, Presales
SCT32T
@shawnhank
#CAWorld
2 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Terms of this Presentation
For Informational Purposes Only
© 2015 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.
The content provided in this CA World 2015 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.
Abstract
New extensions to CA Privileged Access Manager significantly expand the ability of the product to protect and defend resources in VMware NSX virtualized network environments. In this session, we’ll examine and demonstrate those capabilities, which take advantage of new technologies and methods made available by the NSX infrastructure, in more detail.
Network virtualization overview
Hardware and software are decoupled in both models:
Server virtualization: general purpose server hardware; server hypervisor (requirement: x86); virtual machines, each running an application in an x86 environment.
Network virtualization: general purpose networking hardware; network hypervisor (requirement: IP transport); virtual networks, each carrying a workload, with L2, L3 and L4-7 network services.
NSX Delivers the Operational Model of a VM for the Network
Abstracts, pools, automates networking for the SDDC
Reproduces L2/3 networking, L4-7 services
Runs on any existing networking hardware
Provides scale out/distributed switching, routing, firewalling
Distributed firewalling
An NSX network is made up of distributed network elements embedded in each hypervisor, enabling each VM to have its own firewall.
Firewalls/policies provisioned simultaneously with VMs
Policies move with their VMs
Retiring a VM deprovisions its firewall – no possibility of stale rules
NSX firewalling: fully distributed, embedded in every hypervisor in the data center
Configure policy with Security Groups
1. Select elements to uniquely identify application workloads
2. Use attributes to create Security Groups
3. Apply policies to security groups
Example from the slide: App 1 (OS: Windows 8, TAG: “Production”) becomes a member of GroupXYZ; GroupXYZ is assigned Policy 1 (“IPS for Desktops”, “FW for Desktops”) and Policy 2 (“AV for Production”, “FW for Production”).
Element types (static and dynamic): Data center, Virtual net, Virtual machine, vNIC, VM name, OS type, User ID, Security tag
Enforce policy based on logical constructs
Reduce configuration errors
Policy follows VM, not IP
Reduce rule sprawl and complexity
Use security groups to abstract policy from application workloads.
Automate security operations
Automated detection of security conditions (virus, vulnerability, etc.)
Security policies define automated actions
Security operations are automated and adapt to dynamic conditions
ATTRIBUTE (if): Virus found; Vulnerability found (old software version); Sensitive Data Found; “PCI”; IIS.EXE
ACTION (then): Quarantine VM with Firewall OR Monitor VM with IPS; Restrict access while investigating; Allow & Encrypt*
Achieving segmentation with NSX
Each VM can now be its own perimeter
Policies align with logical groups
Control communication within a single VLAN
Prevents threats from spreading
NSX segmentation simplifies network security
(Diagram: perimeter firewall and inside firewall in front of App, DMZ, Services and DB tiers; Finance, HR and IT groups; AD, NTP, DHCP, DNS and CERT services.)
CA Privileged Access Manager for VMware NSX-V™ Integration Overview
Connections shown from CA Privileged Access Manager:
VMware vCenter: HTTPS (443/tcp)
NSX Manager: SSH (22/tcp), HTTPS (443/tcp)
NSX Controllers: SSH (22/tcp)
VM Network, Windows Targets: RDP (3389/tcp), HTTP (80/tcp) & HTTPS (443/tcp)… and more!
VM Network, Linux Targets: SSH (22/tcp), Telnet (23/tcp), HTTP (80/tcp) & HTTPS (443/tcp)… and more!
VMware UIs: vCloud Automation Center, vCloud Director, vShield Manager, vSphere Web Client… and more!
Operational Dependencies: AD/LDAP/etc services; RADIUS/TACACS+ servers; NTP/DNS/Basic IP services; SYSLOG services; SAN/NAS/share (recordings)
Supported Authentication Types: Local, AD/LDAP, TACACS+, RADIUS, RSA, SMS/Mobile Token, SAML, and/or PIV/CAC/Smartcard
CA PAM for VMware NSX – NSX Manager REST API Proxy
The last mile for full NSX Manager administration visibility
Users and scripts talk to the Proxy, not to NSX Manager, with different credentials, which may rotate on a policy or schedule
CA PAM vaults – and rotates – the NSX Manager credentials
Integrates with Application to Application (A2A)
Closing the “API Loop” to the NSX management plane
(Diagram: Consumer ↔ NSX Manager API Proxy (NAP) inside CA Privileged Access Manager ↔ NSX Manager, with A-side and Z-side request/response legs; CA PAM logs A2A requests and changes the NSX Manager password.)
CA PAM for VMware NSX – Dynamic Tagging and Grouping
CA PAM Policy in lockstep with NSX Security Tags and Groups
NSX Security Tags and Groups synced with CA PAM and tied to Policies
As VMs enter/leave NSX Security Groups, CA PAM Access is provisioned/removed
Synchronize CA PAM policies with changes in the NSX security posture
(Diagram: CA Privileged Access Manager ↔ NSX Manager sync; VMware vCenter; VM Network.)
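The Security Group mechanism (attribute-based membership with policies attached to groups) and the "access follows group membership" sync described above, as one added example. This is illustrative code written for this page, not CA PAM's or NSX's own API; the group names, the policy names and the VM inventory are constructed, and the Quarantine group reuses the deck's “Virus found” attribute as a tag.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple

@dataclass(frozen=True)
class VM:
    name: str
    os_type: str
    tags: FrozenSet[str]

@dataclass(frozen=True)
class SecurityGroup:
    """Dynamic membership: a VM belongs when every criterion that is set matches."""
    name: str
    os_type: Optional[str] = None
    tag: Optional[str] = None

    def matches(self, vm: VM) -> bool:
        return ((self.os_type is None or vm.os_type == self.os_type)
                and (self.tag is None or self.tag in vm.tags))

# Constructed groups and the PAM policy tied to each (hypothetical names).
GROUPS = [
    SecurityGroup("GroupXYZ", os_type="Windows 8", tag="Production"),
    SecurityGroup("LinuxProd", os_type="Linux", tag="Production"),
    SecurityGroup("Quarantine", tag="Virus found"),
]
GROUP_POLICY = {"GroupXYZ": "rdp-production", "LinuxProd": "ssh-production",
                "Quarantine": "deny-all"}

def membership(vms) -> Dict[str, Set[str]]:
    # Evaluate every group's criteria against the current inventory.
    return {g.name: {vm.name for vm in vms if g.matches(vm)} for g in GROUPS}

def sync_pam_access(before, after) -> Tuple[Set[Tuple[str, str]], Set[Tuple[str, str]]]:
    """Diff two membership snapshots into (grants, revokes) of (vm, policy) pairs."""
    grants, revokes = set(), set()
    for group, policy in GROUP_POLICY.items():
        old, new = before.get(group, set()), after.get(group, set())
        grants |= {(vm, policy) for vm in new - old}
        revokes |= {(vm, policy) for vm in old - new}
    return grants, revokes

def demo():
    """Constructed scenario: tags change in NSX and PAM access follows the groups."""
    before = membership([VM("app1", "Windows 8", frozenset({"Production"})),
                         VM("db1", "Linux", frozenset({"Production"})),
                         VM("desk7", "Windows 8", frozenset())])
    after = membership([VM("app1", "Windows 8", frozenset({"Production", "Virus found"})),
                        VM("db1", "Linux", frozenset()),          # Production tag removed
                        VM("desk7", "Windows 8", frozenset({"Production"}))])
    return sync_pam_access(before, after)
```

Because the diff is computed from group membership rather than from IP addresses, a VM that is re-tagged or retired loses its PAM access in the same sync pass that removes it from the group.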
CA PAM for VMware NSX – Access Restrictor
DFW Rules added and removed on-demand
Rules added when connections are opened and removed when closed
Removes the human element and potential for error
Enables a highly-secure “deny all” environment where exceptions are forced through CA PAM and only CA PAM may access protected resources
Automatic, runtime, ephemeral Distributed Firewall Rules maintained by CA PAM
(Diagram: Client / User → CA Privileged Access Manager → Target VM; CA PAM drives the DFW through NSX Manager.)
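The ephemeral-rule pattern from this slide, as an added example that is not the product's code: an in-memory stand-in for the distributed firewall with a default-deny posture, and a session wrapper that inserts the PAM-to-target allow rule when a connection opens and is guaranteed to remove it when the connection closes, including when the session dies with an exception. The FakeDfw class and all addresses are constructed for the example.

```python
from contextlib import contextmanager
from dataclasses import dataclass
from typing import Dict, Tuple

@dataclass(frozen=True)
class DfwRule:
    source: str
    dest: str
    port: int

class FakeDfw:
    """In-memory stand-in for the NSX DFW (hypothetical). Default action is deny:
    a flow is permitted only while an explicit rule for it exists."""
    def __init__(self) -> None:
        self.rules: Dict[int, DfwRule] = {}
        self._next_id = 1000

    def add_rule(self, source: str, dest: str, port: int) -> int:
        rid, self._next_id = self._next_id, self._next_id + 1
        self.rules[rid] = DfwRule(source, dest, port)
        return rid

    def delete_rule(self, rid: int) -> None:
        del self.rules[rid]

    def permits(self, source: str, dest: str, port: int) -> bool:
        return DfwRule(source, dest, port) in self.rules.values()

@contextmanager
def brokered_session(dfw: FakeDfw, pam_addr: str, target: str, port: int):
    """Hold a PAM->target allow rule for exactly one session. The finally block
    removes it even on an abnormal exit, so no rule outlives its connection."""
    rid = dfw.add_rule(pam_addr, target, port)
    try:
        yield rid
    finally:
        dfw.delete_rule(rid)

PAM, CLIENT, TARGET = "10.0.0.5", "192.168.1.20", "10.1.2.3"  # constructed addresses

def demo(dfw: FakeDfw) -> Tuple[bool, bool, int]:
    """Returns (PAM allowed mid-session, direct client allowed mid-session, rules left over)."""
    with brokered_session(dfw, PAM, TARGET, 22):
        pam_ok = dfw.permits(PAM, TARGET, 22)
        direct_ok = dfw.permits(CLIENT, TARGET, 22)  # client must go via PAM
    try:
        with brokered_session(dfw, PAM, TARGET, 3389):
            raise ConnectionError("client dropped mid-session")
    except ConnectionError:
        pass
    return pam_ok, direct_ok, len(dfw.rules)
```

The leftover count after the failed session is the check a practitioner would monitor in a real deployment: any rule still present once no brokered session is open is a stale exception to the deny-all baseline.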
CA PAM for VMware NSX – Service Composer Integration
Deep integration with Service Composer
As VMs enter or leave NSX Security Groups, CA PAM will:
- Enable or disable session recording
- Terminate sessions
- Force CA PAM session re-authentication
Trigger events in CA PAM via NSX Service Composer workflows
(Diagram: an Admin or an NSX Partner Ecosystem Product applies a tag through NSX Manager / VMware vCenter; CA Privileged Access Manager acts on the User Session: Enable/Disable Session Recording, Terminate Sessions, Xsuite Re-Authentication.)
Recommended Sessions
SESSION # | TITLE | DATE/TIME
SCT19T | Defend Against Data Breaches With CA Privileged Access Management | 11/18/2015 at 3:00 pm
SCT07S | Roadmap: Privileged Identity Management | 11/19/15 at 4:30 pm
SCT33S | Protecting the Software-Defined Data Center from Data Breach | 11/18/2015 at 2:00 pm
Must See Demos
Positive Privileged User Authentication (CA Privileged Access Manager, Security Theater)
Fine-Grained Access Control for Servers (CA Privileged Access Manager Server Control, Security Theater)
Privileged Access Control (CA Privileged Access Manager, Security Theater)
Record and Analyze User Sessions (CA Privileged Access Manager, Security Theater)
Follow On Conversations At…
Smart Bar: CA Privileged Access Manager, Security Theater
Tech Talks: Defend Against Data Breaches With CA Privileged Access Management (SCT19T)
Q & A
For More Information
To learn more, please visit:
http://cainc.to/Nv2VOe
CA World ’15