
New Threats, New Approaches in Modern Data Centers


New Threats, New Approaches in Modern Data Centers - A Presentation by NPS at CENIC conference 11:00 am - 12:00 pm, Wednesday, March 22, 2017 – in San Diego, California

The standard approach to securing data centers has historically emphasized strong perimeter protection to keep threats on the outside of the network. However, this model is ineffective for handling new types of threats—including advanced persistent threats, insider threats, and coordinated attacks. A better model for data center security is needed: one that assumes threats can be anywhere and probably are everywhere and then, through automation, acts accordingly. Using micro-segmentation, fine-grained network controls enable unit-level trust, and flexible security policies can be applied all the way down to a network interface. In this joint presentation between customer, partner, and VMware, the fundamental tenets of micro-segmentation will be discussed. Presenters will describe how the Naval Postgraduate School has incorporated these principles into the architecture and design of a multi-tenant Cybersecurity Lab environment to deliver security training to national and international government personnel.

Edgar Mendoza, IT Specialist, Information Technology and Communications Services (ITACS) Naval Postgraduate School
Eldor Magat, Computer Specialist, ITACS, Naval Postgraduate School
Mike Monahan, Network Engineer, ITACS, Naval Postgraduate School
Iben Rodriguez, Brocade Resident SDN Delivery Consultant, ITACS, Naval Postgraduate School
Brian Recore, NSX Systems Engineer, VMware, Inc.

Copied from the program with corrections -


New Threats, New Approaches in Modern Data Centers

  2. New Threats, New Approaches in Modern Data Centers
  3. Why did we re-architect our Data Center
     • Understand the architecture and design requirements of a multi-tenancy environment
     • Isolate threats through micro-segmentation and granular network controls
     • Apply flexible security policies at the VM level
  4. Center for Cyberwarfare – CCW
     The lab is used to conduct research and education to provide the modern warfighter with tactical and operational responses to cyber threats.
  5. Legacy lab implementation
     • Built by CCW with pizza box servers using various ad hoc storage systems.
     • ITACS took over responsibilities of maintaining the cyberlab project in late 2014.
     • Inadequate resources – not scalable.
     • Many single points of failure.
     • Missing adequate licensing for some services.
     • Not in a data center environment.
  6. Why have lab isolation?
     • Advanced Persistent Threats
     • Human error – Insider Threat
     • Protection against coordinated attacks
     • Provide researchers with a sandbox for malware inspection
     • Offer a clean slate for each classroom from quarter to quarter
  7. Challenges overcome
     • Cyberlab 2.0 addresses the following issues:
       – Single points of failure removed
       – Replaced AD Controller and Load Balancer physical devices with virtual ones to decrease total cost of ownership
       – 2 racks of equipment consolidated to 2U HCI
       – Reduced time required to provision labs for classes each quarter
       – Ability to customize networks for class differences such as firewall rules, student permissions, and threat types
  8. HOW WE DID IT
  9. Adding VDI increased the security surface area
     • The converged infrastructure means virtual desktops run on the same infrastructure as servers.
     [Diagram: Internet – Data Center Perimeter – East-West traffic inside the data center]
  10. Haven’t We Learned Anything from a Perimeter-Centric Focus?
     A Long Time Ago… In a Galaxy Far Far Away...
     “The Empire doesn't consider a small one-man fighter to be any threat, or they'd have a tighter defense. An analysis of the plans provided by Princess Leia has demonstrated a weakness in the battle station. …The shaft leads directly to the reactor system. A precise hit will start a chain reaction which should destroy the station.” -- General Dodonna
  11. The M&M Approach to Security
     “In today’s new threat landscape, this M&M and ‘trust but verify’ is no longer an effective way of enforcing security.”
     – Forrester Research, in response to NIST RF 130208119-3119-01I, “Developing a Framework to Improve Critical Infrastructure Cyber-Security”
  12. Trading Off Context and Isolation
     [Diagram, Traditional Approach: a Software Defined Data Center (SDDC) platform running any application on any x86, any storage and any IP network, with a Data Center Virtualization layer. Existing controls sit at one of two ends: High Context / Low Isolation or High Isolation / Low Context; no ubiquitous enforcement.]
  13. The Compromise Between Desired End State & Operational Feasibility
     A typical data center has: “X” firewalls vs “X” + 1000 workloads (diagram: WAN, firewalls, workloads …)
     • Directing all traffic (virtual + physical) through chokepoint firewalls is inefficient
     • And a physical firewall per workload is cost prohibitive
  14. SDDC Virtualization Layer – Delivers Both Context and Isolation
     [Diagram, SDDC Approach: the same SDDC platform (any application, any x86, any storage, any IP network), with enforcement placed in the Data Center Virtualization layer: High Context and High Isolation, Ubiquitous Enforcement, Secure Host Introspection.]
  15. Micro-segmentation with NSX
     • Isolation: no communication path between unrelated networks
     • Segmentation: controlled communication path within a single network
     • Advanced services: addition of 3rd-party security, as needed by policy
  16. Move from “Network Centric” to “Class Centric” Deployments
     [Diagram, Traditional Data Center: a perimeter firewall and an inside firewall in front of DMZ/Web, App, DB and Services/Management VLANs; Class-A and Class-B workloads share each VLAN.]
     [Diagram, NSX Data Center: a perimeter firewall, then a Class-A group (DMZ/Web, App, DB), a Class-B group (DMZ/Web, App, DB) and a Services/Management group.]
  17. The Beginning of Policy Shifts… again
     FY16 House NDAA Report – Cyber Defense Network Segmentation
     The committee is aware that the Department of Defense is looking at modifying the way it builds, maintains, and upgrades data center, including increased use of commercial cloud capabilities and public-private partnerships. The committee is aware that as the Department increasingly looks at software-defined networking, it could potentially reduce the mobility of cyber threats across data center and other networks by increasing the compartmentalization and segmentation between systems, and providing a mix of security techniques to enable access to those compartments. Such actions have the potential to lessen the chance of a widespread or catastrophic breach, including breaches caused by insider threats. The committee encourages the Department to explore ways to use compartmentalization or segmentation as part of a software-defined networking approach in order to increase the security of its networks.
  18. Combining Organic Capabilities with Best of Breed across the Larger Ecosystem
     • Apply and visualize security policies for workloads, in one place.
     • Automate workflows across best-of-breed services, without custom integration.
     • Provision and monitor uptime of different services, using one method.
     • NSX Network Virtualization Platform (Deploy, Apply, Automate) – Built-In Services: Firewall, Data Security (DLP), Server Activity Monitoring, VPN (IPSEC, SSL)
     • Third-Party Services: Antivirus, DLP, Firewall, Vulnerability Management, Intrusion Prevention, Identity and Access Mgmt …and more in progress
     [Diagram: Security Policy Management over the NSX platform; a Guest VM on a VDS whose traffic is steered by the Traffic Redirection Module through Partner Service 1 VM (slot 2), slot 4 and Partner Service 2 VM (slot 5) towards the External Network]
  19. High Scale NSX Topology
     • High scale multi-tenancy is enabled with multiple tiers of Edge interconnected via VXLAN transit uplink
     • Two-tier Edges allow better scaling with administrative control based on traffic generated.
     • NSX Edge can scale up to 8 ECMP Edges for scalable routing
     • Support for overlapping IP addresses between Tenants connected to different first-tier NSX Edges
     [Diagram: per tenant (Tenant 1 …), a Desktop Pool Logical Switch, App LS and DB LS sit behind an Edge with HA (NAT/LB features); each tenant Edge has a single adjacency over VXLAN uplinks to the ECMP-based NSX Edge X-Large route aggregation layer (E1…E8) on the VXLAN 5100 transit, which connects to the External Network]
  20. Plans for 2017 and beyond
     • Automation, Automation, Automation
     • Brocade Workflow Composer
     • Cloud Management Platform – OpenStack on VMware (VIO)
     • Plan to integrate physical devices (IoT, Robotics, Weather Sensors, etc.) into the virtual cyberlab
     • Dynamic routing
     • Hardware VTEP to bridge VLAN to VXLAN
     • Integration with NSX and Palo Alto Networks Virtual FW
     • Leverage Public Cloud – Amazon AWS
  21. Stackstorm
  22. VMware Integrated OpenStack
     • VIO is an “Integrated Product” Approach to OpenStack
     • Standard DefCore Compliant OpenStack Distribution (delivered as OVA)
     • Deploys & Manages Proven Production Architecture on VMware SDDC
     • Fully Supported by VMware
     [Diagram: VMware Integrated OpenStack (VIO) – standard OpenStack services (Nova, Neutron, Cinder, Keystone, Heat, Horizon, Ceilometer, Glance) running on the VMware SDDC (vSphere, NSX, vSphere Datastores: 3rd-party / Virtual SAN), with the VIO Management Server used to deploy, configure, patch and upgrade OpenStack]
  23. The Need for a Comprehensive Security Solution
     • VMware NSX Platform – NSX Distributed Firewall: VM-level zoning without VLAN/VXLAN dependencies; line-rate access control traffic filtering; distributed enforcement at the hypervisor level
     • Palo Alto Networks Next Generation Security – Next Generation Firewall: protection against known and unknown threats; visibility and safe application enablement; user, device, and application aware policies
     • Sophisticated Security Challenges: applications are not linked to ports & protocols; distributed user and device population; modern malware
  24. VMware Cloud™ on AWS – Powered by VMware Cloud Foundation (Technical Preview; availability expected in the mid-2017 timeframe)
     VMware vSphere-based service, running on the AWS Cloud
     • ESXi on Dedicated Hardware
     • Support for VMs and Containers
     • vSAN on Flash and EBS Storage
     • Replication and DR Orchestration
     • NSX Spanning on-premises and cloud
     • Advanced Networking & Security Services
     [Diagram: Customer Datacenter (vSphere, vSAN, NSX, vCenter) alongside VMware Cloud on AWS (vSphere, vSAN, NSX, vCenter) in the AWS Global Infrastructure, with Operational Management (vRealize Suite, vSphere Integrated Containers, ISV ecosystem) and Native AWS Services (Amazon EC2, Amazon S3, Amazon RDS, AWS Direct Connect, AWS IAM, AWS IoT …)]
  25. Questions