Virtualization Forum 2015, Praha, 7.10.2015
VMware hall
4. With the concept of the software-defined data center
[Slide diagram: the software layer (virtual servers, virtual networks, virtual storage) carries the applications; it maps onto commodity hardware capacity for compute, interconnect and data. The data center virtualization layer is driven by stateful, programmable control APIs, e.g. vRealize Suite or OpenStack.]
9. We keep encountering thefts of data or card numbers
[Slide diagram: Internet, data center perimeter. Uncontrolled communication; little or no lateral control inside the perimeter. Low-priority applications are the first target of the attack. The attacker can move freely within the zone. The attacker infiltrates over a period of weeks or months.]
10. Security is needed everywhere, but today that is not possible
Why is an individual firewall for every VM not possible?
[Slide diagram: Internet, data center perimeter. Physical firewall: expensive and complex; traditional technologies do not allow it. Virtual firewall: slow, expensive and complex. Firewall on the VM's OS: insecure, complex.]
11. Current security-zone model versus NSX transparent zero-trust security
Zero-trust security in detail
[Slide diagram, left: Port Group "Web", VLAN 91, with a firewall outside the port group; firewall rule for Web-to-Web traffic: impossible. Right: Port Group "Web", VLAN 91, Security Group: Web, with the firewall at each VM; firewall rule: Web to Web: DROP: LOG. Third-party services plug into the same firewall.]
WHY ARE BREACHES STILL HAPPENING?
What we at VMware have seen, and what a lot of our customers have shared with us, is that the networking industry (across all segments) has been approaching security with an outdated foundational model. The legacy approach assumes that as long as you thoroughly secure the perimeter through firewalls at the network edge, intrusion prevention, etc., you can keep threats on the outside, while the inside of the data center remains "trusted".
What we have continued to see through high-profile breaches such as those at Sony, Target, Home Depot, OPM, etc., is that threats are still able to make it into the data center, whether through the data center perimeter firewall via low-priority systems or by other means. Once those threats are inside the data center, they are able to move relatively easily to higher-priority systems.
PROBLEM: SECURITY HAS BEEN DISPROPORTIONATELY APPLIED TO THE PERIMETER
Because the focus has so disproportionately been placed on securing the data center perimeter, the inside of the data center has been left relatively unguarded. This means that once a breach has occurred the threat is able to spread relatively easily inside the perimeter from one server to another laterally, affecting high priority systems.
What becomes obvious when we take a step back, is that we need a lot more security inside the data center.
NSX introduces the ability to transform data center networking uniformly, managed as a unit together with the virtual machine and the application.
NSX is VMware's solution for extending the benefits of software-defined technology to data center architecture and operations. The software-defined data center realized in NSX provides all of the expected features of data center networks, with the improved characteristics already enjoyed by server compute virtualization, including reduced complexity under better control at scale.
Network services are provided by the same hypervisor management of shared infrastructure for compute and storage. This frees the network technology and associated traffic policy from the constraints imposed by physical placement. It is also the ideal opportunity to build security into the network platform – rather than added on to it.
The result is the SDDC enabling platform, enabled through familiar management tools, flexible and aligned to policy and business cases.
So, it’s now possible to meet the goal of delivering a data center for each application, on demand at reduced complexity.
By embedding these functions into the hypervisor, we are able to take advantage of some significant benefits that allow you to rethink the data center infrastructure itself. With this approach, we are able to realize very high throughput rates and secure east-west traffic between every single virtual machine. This is done natively to the platform by embedding these functions in every hypervisor in the data center.
HOW DO WE ADD ADDITIONAL CONTROLS INSIDE THE DATA CENTER?
Ideally, we would like to provide security between every VM inside the data center, so that security is applied everywhere. This has proven very difficult to accomplish on a foundation that is itself the problem.
Physical Firewalls
The first approach is to apply physical firewalls inside the data center, much like what is done at the perimeter. The challenge of implementing this approach is that the cost of purchasing so many physical firewalls would be astronomical, with many data centers now responsible for hundreds, thousands, or even tens of thousands of virtual machines. Next, and perhaps more difficult to address, is that managing this multitude of firewall rules is nearly impossible with any disruption or change affecting an impossible web of policies.
Virtual Firewalls
Virtual firewalls take the functionality of a physical firewall and virtualize it by placing the firewalling on a virtual machine. While virtual firewalls marginally reduce cost, data centers are left with the same impossible web of policies to manage. On top of an unmanageable framework, virtual firewalls also have dramatically reduced performance, with a tiny fraction of the firewalling throughput of a physical firewall.
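The contrast between the two models on slide 11 (a per-VLAN firewall that never sees traffic between two VMs in the same port group, versus a security-group rule such as "Web to Web: DROP: LOG" enforced at every VM) can be made concrete with a small policy model. This is an added illustration, not code from the presentation or from NSX; the VM names, VLAN numbers other than 91, security groups and rules are constructed.

```python
# Constructed inventory (assumed names): VMs with their VLAN and security-group
# membership. Groups, not VLANs, drive the policy below.
VMS = {
    "web-01": {"vlan": 91, "groups": {"Web"}},
    "web-02": {"vlan": 91, "groups": {"Web"}},
    "app-01": {"vlan": 92, "groups": {"App"}},
    "db-01":  {"vlan": 93, "groups": {"DB"}},
}

# Ordered rules, first match wins: (src_group, dst_group, dst_port|None, action, log)
RULES = [
    ("Web", "Web", None, "DROP", True),   # the slide's "Web to Web: DROP: LOG"
    ("Web", "App", 8080, "ALLOW", False),
    ("App", "DB", 3306, "ALLOW", False),
    ("any", "any", None, "DROP", True),   # default deny, logged
]

def _matches(rule, src, dst, port):
    sg, dg, rport, _, _ = rule
    return ((sg == "any" or sg in VMS[src]["groups"])
            and (dg == "any" or dg in VMS[dst]["groups"])
            and (rport is None or rport == port))

def evaluate_rules(src, dst, port):
    """Return (action, log_line); log_line is None when the matching rule is silent."""
    for rule in RULES:
        if _matches(rule, src, dst, port):
            action, log = rule[3], rule[4]
            return action, (f"{src}->{dst}:{port} {action}" if log else None)
    return "DROP", f"{src}->{dst}:{port} DROP"  # unreachable with the catch-all rule

def distributed_firewall(src, dst, port):
    """Zero-trust model: every VM's vNIC is an enforcement point, so the rule set applies even to two VMs that share a VLAN."""
    return evaluate_rules(src, dst, port)

def perimeter_firewall(src, dst, port):
    """Legacy model: only traffic crossing a VLAN boundary reaches the firewall; intra-VLAN traffic is implicitly trusted and never logged."""
    if VMS[src]["vlan"] == VMS[dst]["vlan"]:
        return "ALLOW", None
    return evaluate_rules(src, dst, port)

def lateral_movement_check(src, dst, port):
    """Compare both models for one flow, e.g. a compromised low-priority VM probing a peer."""
    return {"perimeter": perimeter_firewall(src, dst, port),
            "distributed": distributed_firewall(src, dst, port)}
```

Running lateral_movement_check("web-01", "web-02", 22) shows the gap the slides describe: the perimeter model allows the intra-VLAN flow with no log entry, while the distributed model drops and logs it.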
Kent add F5 logo between NSX and vCAC in diagram and add a value statement from capabilities on slide 26
If you cannot configure all your network services dynamically in the context of deploying an application, then you will need to add manual steps to your partially automated application deployment. vCloud Automation Center can dynamically provision NSX logical services customized to the specific needs of each application. The combined capabilities of these products empower IT to fully automate the delivery of secure, scalable and high-performing multi-tier applications.
vCAC creates NSX networks that are consumed by BigIP
vCAC applies NSX Security groups during deployment
vCAC deploys BigIP VE for SDAS support
vCAC deploys multi-tier service and VMs then adds them to networks, security groups and BigIP load balancer