Improving Cyber Security with VMware NSX
Cyber security breaches across government and the military are increasing. Through 2014 there has
been a 25% increase in the number of breaches over the same period last year across the public and
private sectors. Recent breaches include the US Postal Service (11/10/14), 800,000 records exposed;
the Departments of Public Health & Human Services in TX (8/27/14) and MT (6/3/14), 2,000,000 and
1,062,509 records exposed respectively; the IRS (7/7/14), 1,400,000 records exposed; as well as NOAA
(10/20/14) and the Department of State (DOS, 11/16/14) (ITRC, 2014).
Security breaches are expensive, and more so when sensitive data is exposed. The average per capita
cost of a data breach is $201 per record, with a total organizational cost per breach of $5.85 million
(Ponemon Institute, 2014). One reason breaches keep increasing is that attackers have learned to defeat
the current operational model of physical network security, with its emphasis on perimeter-centric
controls. This defense is analogous to the walls and moats still visible around old towns and cities:
they were built at a time when they served a purpose, but that time passed with the invention of
large-caliber guns and the growth of the cities themselves.
Similarly, the network perimeter strategy worked well when only a few PCs and a mainframe were
attached to the network. This is no longer the case: the world is becoming more interconnected, and
the opportunities for breaches grow with it. Attackers typically get inside the network by compromising
an authorized user's account or machine and, once inside, move laterally from workload to workload;
this is exactly what happened in the NOAA breach. "The attack in September hit a Web server that
connects to many NOAA computers...The server had security protections, but the person compared the
security to leaving a house protected by 'just a screen door'" (Flaherty, 2014).
Until now it has been too costly, in both resources and money, for most organizations to protect the
workloads inside the network perimeter, because wrapping security controls around each workload
required manual intervention. VMware's network virtualization platform, NSX, bridges this gap by
automating the creation and management of firewalls and distributed control policies for workloads and
applications across all virtual interfaces. This makes micro-segmentation, wrapping security controls
around small clusters of virtualized resources inside the network perimeter, cost-effective and
operationally feasible: internal applications and virtual networks are isolated from each other and from
the underlying physical infrastructure. IT can now automate and operationalize firewalls that span the
entire infrastructure, manage them centrally, and have their policies move with the workloads. NSX
automated provisioning creates firewall policies as workloads are programmatically created, and the
policies follow the workload as it moves within or between datacenters (VMware, 2014).
VMware | Carahsoft Use Case
Breaches and estimated total cost by year

Year   Number of breaches   Total cost*
2011   48                   $280,800,000
2012   53                   $310,050,000
2013   56                   $327,600,000
2014   90                   $526,500,000

*Costs are computed at $5.85 million per breach (Ponemon Institute, 2014; ITRC, 2015).
NSX delivers three levels of security: isolation, segmentation, and segmentation with advanced services.

Isolation: Virtual networks are isolated from each other and from the underlying physical network
infrastructure. No physical subnets or firewall rules are needed to provide the isolation. Traffic between
hypervisors is encapsulated, so workloads attached to virtual networks can use address spaces that are
separate from those of the physical network devices.

Segmentation: Virtual networks support multi-tier networks, meaning multiple L2 segments with L3
segmentation, or micro-segmentation (with third-party introspection) where policy is enforced at each
segment. The virtual network services tied to a workload are programmatically created and distributed
to the hypervisor vSwitch; because enforcement sits in the hypervisor rather than in the guest, a
compromised VM cannot switch it off the way it could a host-based firewall.

Segmentation with advanced services: By leveraging the SDDC platform and the networking services in
the vSwitch, advanced and third-party networking services can be applied within and across virtual
networks (VMware, 2014).
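To make the micro-segmentation idea concrete (rules keyed to workload attributes rather than addresses, enforced at each workload's own interface, default deny inside the perimeter, and policy that follows a VM when it moves), here is an added Python model written for this page. It is illustrative code, not NSX code and not the NSX API; the workload names, tags, IP addresses and the three-tier rule set are constructed sample data, and the `migrate` function is a stand-in for vMotion. It contrasts the perimeter-only model the text argues against with the segmented one, for a compromised web server trying to reach the database tier.

```python
"""Toy model of a workload-centric (distributed) firewall.

Added illustration for this page; it is not NSX code or the NSX API. It
models the idea the section describes: rules are written against
workload attributes (security-group tags, not IP addresses), evaluated at
each workload's own virtual interface, with a default-deny ("zero trust")
posture inside the perimeter. All workload names, tags, IPs and rules
below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    tags: frozenset  # security groups this VM belongs to, e.g. {"web"}


@dataclass(frozen=True)
class Rule:
    src_tag: Optional[str]   # None matches any source workload
    dst_tag: Optional[str]   # None matches any destination workload
    dport: Optional[int]     # None matches any destination port
    action: str              # "allow" or "deny"


class DistributedFirewall:
    """First matching rule wins; anything unmatched hits the default action."""

    def __init__(self, rules: List[Rule], default: str = "deny") -> None:
        self.rules = rules
        self.default = default

    @staticmethod
    def _matches(rule: Rule, src: Workload, dst: Workload, dport: int) -> bool:
        # Matching never looks at src.ip or dst.ip: identity comes from tags.
        return (
            (rule.src_tag is None or rule.src_tag in src.tags)
            and (rule.dst_tag is None or rule.dst_tag in dst.tags)
            and (rule.dport is None or rule.dport == dport)
        )

    def decide(self, src: Workload, dst: Workload, dport: int) -> str:
        """Decision enforced at dst's vNIC for a flow src -> dst:dport."""
        for rule in self.rules:
            if self._matches(rule, src, dst, dport):
                return rule.action
        return self.default


def perimeter_only_decide(src: Workload, dst: Workload, dport: int) -> str:
    """The model the text argues against: once inside, everything is allowed."""
    return "allow"


# Constructed three-tier app: web may talk to app on 8080, app may talk to
# db on 3306. Nothing else inside the perimeter is permitted (default deny).
POLICY = DistributedFirewall([
    Rule("web", "app", 8080, "allow"),
    Rule("app", "db", 3306, "allow"),
])

INVENTORY: Dict[str, Workload] = {
    "web-01": Workload("web-01", "10.0.1.10", frozenset({"web"})),
    "app-01": Workload("app-01", "10.0.2.10", frozenset({"app"})),
    "db-01": Workload("db-01", "10.0.3.10", frozenset({"db"})),
}


def reachable_from(fw: DistributedFirewall, src_name: str, dport: int,
                   inventory: Dict[str, Workload]) -> List[str]:
    """Which peers a (possibly compromised) workload can reach on dport."""
    src = inventory[src_name]
    return sorted(
        name for name, dst in inventory.items()
        if name != src_name and fw.decide(src, dst, dport) == "allow"
    )


def migrate(inventory: Dict[str, Workload], name: str,
            new_ip: str) -> Dict[str, Workload]:
    """Stand-in for vMotion: the VM keeps its identity and tags, changes address."""
    moved = inventory[name]
    updated = dict(inventory)
    updated[name] = Workload(moved.name, new_ip, moved.tags)
    return updated


def lateral_movement_demo() -> Tuple[List[str], List[str], str, str]:
    """Compare perimeter-only and micro-segmented outcomes for a compromised web VM."""
    web = INVENTORY["web-01"]
    perimeter_view = sorted(
        n for n in INVENTORY
        if n != "web-01" and perimeter_only_decide(web, INVENTORY[n], 3306) == "allow"
    )
    segmented_view = reachable_from(POLICY, "web-01", 3306, INVENTORY)
    # Policy is keyed on tags, so moving db-01 to another subnet changes nothing.
    after_move = migrate(INVENTORY, "db-01", "10.0.9.10")
    app_to_db = POLICY.decide(after_move["app-01"], after_move["db-01"], 3306)
    web_to_db = POLICY.decide(after_move["web-01"], after_move["db-01"], 3306)
    return perimeter_view, segmented_view, app_to_db, web_to_db


if __name__ == "__main__":
    print(lateral_movement_demo())
```

Run it and the perimeter-only view lists both peers as reachable on 3306, the segmented view lists none, and after the database VM is moved to a new subnet the app-to-db decision is still "allow" and web-to-db is still "deny", because the rules were never written in terms of addresses.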
REFERENCES

Flaherty, M., Samenow, J., & Rein, L. (2014, November 16). Chinese hack U.S. weather systems, satellite network. The Washington Post. Retrieved from: http://www.washingtonpost.com/local/chinese-hack-us-weather-systems-satellite-network/2014/11/12/bef1206a-68e9-11e4-b053-65cea7903f2e_story.html
Barrett, D., Stevens, L., & Yadron, D. (2014). U.S. Postal Service Says It Was Victim of Data Breach. The Wall Street Journal. Retrieved from: http://online.wsj.com/articles/u-s-postal-service-says-it-was-victim-of-data-breach-1415632126
Perlroth, N. (2014, November 16). State Department Targeted by Hackers in 4th Agency Computer Breach. The New York Times. Retrieved from: http://www.nytimes.com/2014/11/17/us/politics/state-department-targeted-by-hackers-in-4th-agency-computer-breach.html?_r=1
Ponemon Institute. (2014). 2014 Cost of Data Breach Study: Global Analysis. Retrieved from: http://securityintelligence.com/media/2014-cost-of-data-breach-study-ponemon/#.VIGzqjHF_OG
VMware. (2014). Data Center Micro-Segmentation: A Software Defined Data Center Approach for a "Zero Trust" Security Strategy. Retrieved from: http://blogs.vmware.com/networkvirtualization/files/2014/06/VMware-SDDC-Micro-Segmentation-White-Paper.pdf
Identity Theft Resource Center. (2014). Retrieved from: http://www.idtheftcenter.org/id-theft/data-breaches.html; http://www.idtheftcenter.org/ITRC-Surveys-Studies/2014databreaches.html; http://www.idtheftcenter.org/images/breach/ITRC_Breach_Report_2014.pdf; http://www.idtheftcenter.org/images/breach/ITRC_Breach_Stats_Report_2014.pdf; http://www.idtheftcenter.org/images/breach/ITRCBreachStatsReportSummary2014.pdf
RESOURCES
Carahsoft:
David Hopland
NSX Specialist at Carahsoft
Tel: 703-230-7426
Email: david.hopland@carahsoft.com
The recent cyber security breaches at USPS, DOS, NOAA and the IRS could have been mitigated with NSX.
NSX makes both perimeter and workload security economically and operationally feasible. Rather than
manually configuring firewalls on the thousands of workloads entering and leaving the data center, NSX
automates this dynamically and scales out as workloads are added; when the work is done, the firewalls
are automatically removed along with the VM they are attached to. By bringing a firewall to each and
every workload and machine, virtual and physical, NSX creates a 'zero trust' policy inside the network.
Now, when your wall is breached, you have controls to find and stop the breach at a reasonable cost.