The document discusses how NSX security services can automate security operations and policies across virtualized environments through features like distributed firewalling, guest introspection, security groups, and integration with third-party security services. It provides an overview of how NSX improves visibility, context, performance, and automation compared to traditional network and host-based security controls. Use cases demonstrated include optimized vulnerability management and context-based isolation in VDI environments.
For the past 5 years, Canonical has engaged with dozens of communications service providers to design, build and operate virtualization infrastructure for network functions -- for the acronym lovers, delivering NFVI for VNFs. This presentation goes over the approach, challenges and learnings from multiple NFVI projects supporting multiple telco use cases.
KubeVirt (Kubernetes and Cloud Native Toronto), by Stephen Gordon
In this session Stephen will present the use cases for and current state of the KubeVirt project (http://www.kubevirt.io/), which aims to build a virtualization API for Kubernetes in order to manage virtual machines which themselves run in Kubernetes pods.
You will also hear how this project differs from, and is complementary to, the recently announced Katacontainers (https://katacontainers.io/) project.
Turning Virtual Machines Cloud-Native using KubeVirt, by Suman Chakraborty
The talk was presented at the OSCONF 2020 Hyderabad virtual event, where I discussed the CNCF sandbox project KubeVirt and its adoption into the Cloud-Native ecosystem.
Virtualization with KVM (Kernel-based Virtual Machine), by Novell
As a technical preview, SUSE Linux Enterprise Server 11 contains KVM, which is the next-generation virtualization software delivered with the Linux kernel. In this technical session we will demonstrate how to set up SUSE Linux Enterprise Server 11 for KVM, install some virtual machines and deal with different storage and networking setups.
To demonstrate live migration we will also show a distributed replicated block device (DRBD) setup and a setup based on iSCSI and OCFS2, which are included in SUSE Linux Enterprise Server 11 and SUSE Linux Enterprise 11 High Availability Extension.
VMworld 2013: Security Automation Workflows with NSX, by VMworld
VMworld 2013
Gargi Keeling, VMware
Don Wood, McKesson
Troy Casey, McKesson
Learn more about VMworld and register at http://www.vmworld.com/index.jspa?src=socmed-vmworld-slideshare
VMworld 2013
Jerry Breaud, VMware
Allen Shortnacy, VMware
Learn more about VMworld and register at http://www.vmworld.com/index.jspa?src=socmed-vmworld-slideshare
Get a technical understanding of the components of NSX, including how switching, routing, firewalling, load-balancing and other services work within NSX.
VMworld 2013
Azeem Feroz, VMware
Sachin Vaidya, VMware
Learn more about VMworld and register at http://www.vmworld.com/index.jspa?src=socmed-vmworld-slideshare
Product presentation material for EMC/VCE VxRack and VBlock, presented at Hyper-Converged Infrastructure Community Meetup #3 held on June 25, 2016.
This is EMC/VCE VxRack and VBlock product presentation for HCI Community meetup #3. This presentation is written in Japanese.
A business driven approach to security policy management a technical perspec..., by AlgoSec
In this era of digital transformation, globalization, and relentless cyber-attacks, security can no longer remain a technology issue that simply focuses on defending networks and data. It must become a strategic, business driver that transforms the next generation datacenter to both protect and power the agile enterprise. Security teams are therefore now looking to implement intelligent automation that injects business context into their security management.
Join Joe DiPietro, SE Director at AlgoSec, for a technical webinar where he will discuss a business-driven approach to security policy management, from automatically discovering application connectivity requirements, through ongoing change management and proactive risk analysis, to secure decommissioning, that will help make your organization more agile, more secure and more compliant.
During the webinar, Joe will explain how to:
• Get holistic visibility of security risk and compliance across the enterprise network
• Reduce risk and avoid application outages
• Tie cyber threats to business processes
• Enhance and automate business processes with business context, including impact analysis and risk approval
• Accelerate and ensure secure business transformation to the cloud
VMworld 2013: Operational Best Practices for NSX in VMware Environments, by VMworld
VMworld 2013
Ben Basler, VMware
Roberto Mari, VMware
Learn more about VMworld and register at http://www.vmworld.com/index.jspa?src=socmed-vmworld-slideshare
As more enterprises and small and medium (SMB) businesses move critical data and applications over to virtualized, multi-tenant systems in public and private clouds, cyber-criminals will aggressively attack potential security vulnerabilities. Security strategies and best practices must evolve to mitigate rapidly emerging, increasingly dangerous threats. The Cisco VMDC Cloud Security 1.0 solution protects against such threats, and provides a reference design for effectively and economically securing cloud-based physical and virtualized cloud data center deployments.
This design guide describes how to build security into cloud data center deployments. The VMDC Cloud Security 1.0 solution integrates additional security capabilities into data center design with minimal deployment risks, addresses governance and regulatory requirements, and provides improved technical controls to reduce security threats.
Providing end-to-end security for multi-tenant cloud data centers is a critical task that challenges service providers (SPs) and enterprises. However, deploying successful cloud data centers depends upon end-to-end security in both the data center infrastructure and the virtualized environments that host application and service loads for cloud consumers.
New Threats, New Approaches in Modern Data Centers, by Iben Rodriguez
New Threats, New Approaches in Modern Data Centers - A Presentation by NPS at the CENIC conference, 11:00 am - 12:00 pm, Wednesday, March 22, 2017, in San Diego, California
The standard approach to securing data centers has historically emphasized strong perimeter protection to keep threats on the outside of the network. However, this model is ineffective for handling new types of threats, including advanced persistent threats, insider threats, and coordinated attacks. A better model for data center security is needed: one that assumes threats can be anywhere and probably are everywhere and then, through automation, acts accordingly. Using micro-segmentation, fine-grained network controls enable unit-level trust, and flexible security policies can be applied all the way down to a network interface. In this joint presentation between customer, partner, and VMware, the fundamental tenets of micro-segmentation will be discussed. Presenters will describe how the Naval Postgraduate School has incorporated these principles into the architecture and design of a multi-tenant Cybersecurity Lab environment to deliver security training to national and international government personnel.
Edgar Mendoza, IT Specialist, Information Technology and Communications Services (ITACS) Naval Postgraduate School
Eldor Magat, Computer Specialist, ITACS, Naval Postgraduate School
Mike Monahan, Network Engineer, ITACS, Naval Postgraduate School
Iben Rodriguez, Brocade Resident SDN Delivery Consultant, ITACS, Naval Postgraduate School
Brian Recore, NSX Systems Engineer, VMware, Inc.
https://youtu.be/mYBbIbfKkGU?t=1h7m16s
Copied from the program with corrections - https://adobeindd.com/view/publications/b9fbbdf0-60f1-41dc-8654-3d2141b0bf54/nh4h/publication-web-resources/pdf/Conference_Agenda_2017_v1.pdf
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for..., by VMworld
VMworld 2013
Merritte Stidston, McKesson
James Wiese, VMware
Learn more about VMworld and register at http://www.vmworld.com/index.jspa?src=socmed-vmworld-slideshare
My view on VMware approach to Hybrid- and Software-Defined Infrastructure: NSX, Hybrid Cloud and OpenStack. Get the agility of a startup with the guarantees of Enterprise-class IT. Session delivered at asLAN Congress 2015 in Madrid on April 15th.
VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks, by VMworld
VMworld 2013
Bilal Malik, Palo Alto Networks
Adina Simu, VMware
Learn more about VMworld and register at http://www.vmworld.com/index.jspa?src=socmed-vmworld-slideshare
VMware vRealize Network Insight delivers intelligent operations for software-defined networking and security across virtual, physical and multiple-clouds with micro-segmentation planning, 360 visibility and NSX operations.
Check Point Software Technologies: Secure Your AWS Workloads, by Amazon Web Services
Hosting workloads on AWS provides organizations with agility, speed, efficiency, and reduced costs. Check Point vSEC further enhances this experience by delivering advanced, multi-layered threat prevention security for your AWS workloads, protecting assets and enabling secure connectivity from enterprise networks to your AWS resources. Register for our upcoming webinar to learn how Check Point vSEC on AWS provided customers with an advanced threat prevention solution to enable secure application delivery. Learn how to migrate your applications and workloads to AWS with vSEC's comprehensive security solution tailored to help protect your cloud environment.
Join us to learn:
• How Check Point vSEC enabled customers to confidently migrate from an on-premises infrastructure to AWS
• How to prevent network attacks and data breaches when hosting workloads in a cloud-based environment
• How Courtagen Life Sciences secured their cloud environment to maintain compliance, reduce IT expenses and leverage the full capabilities of the AWS Cloud
Who should attend:
IT Admins, Security Admins, Cloud Admins, Business Decision Makers, Compliance & governance officers, Line of Business leaders, DevOps engineers & architects
The session will focus on how a cloud-native security platform can continuously discover workloads, identify risk, and enforce security policies in any multi-cloud environment. It will also cover how automated policy generation through agent-less security controls makes protecting data and applications the easiest thing to do in the cloud.
The Speaker of the session will be Dr. Ratinder Paul Singh Ahuja, Founder and Chief Research and Development Officer, Shield X, USA
Dr. Ratinder leads ShieldX and its mission as its central pivot point. Drawing from a career as a successful serial entrepreneur and corporate leader, he brings his unique blend of business acumen, industry network and deep technical knowledge.
At his previous start-ups, Internet Junction, Webstacks and Reconnex he served as Chief Technology Officer and Vice President of the Mobile and Network Security Business Units. His knowledge of innovation and emerging trends in networking, network security, and data-loss prevention are derived from years of industry experience. Dr. Ahuja holds a BS in Electronics & Electrical Engineering from Thapar University, in India, and a Masters and Ph.D. in Computer Engineering from Iowa State University. Dr. Ahuja has been granted 61 patents for security-based technologies, and has presented in many public forums, including the Content Protection Summit, IC3, IEEE Computer Society, McAfee FOCUS, and the Cloud Expo.
As service providers increasingly provide cloud-based services to enterprises and small businesses in virtual and multi-tenant environments, their security strategies must continually evolve to detect and mitigate emerging threats. In the VMDC reference architecture, physical and virtual infrastructure components such as networks (routers and switches), network-based services (firewalls and load balancers) - and computing and storage resources are shared among multiple tenants, creating shared multi-tenant environments.
Security is especially important in these environments because sharing physical and virtual resources increases the risk of tenants negatively impacting other tenants. Cloud deployment models must include critical regulatory compliance such as Federal Information Security Management Act (FISMA), Health Insurance Portability and Accountability Act (HIPAA), and Payment Card Industry Data Security Standard (PCI DSS).
The VMDC Cloud Security 1.0 solution enables customers to:
• Detect, analyze, and stop advanced malware and advanced persistent threats across the attack continuum.
• Consistently enforce policies across networks and accelerate threat detection and response.
• Access global intelligence using the right context to make informed decisions and take fast, appropriate action.
• Comply with security requirements for regulatory requisites such as FISMA, HIPAA, and PCI.
• Support secure access controls to prevent business losses.
• Secure data center services using application and content security.
Dev Dives: Train smarter, not harder: active learning and UiPath LLMs for do..., by UiPathCommunity
Speed, accuracy, and scaling: discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing, with little to no training required
Get an exclusive demo of the new family of UiPath LLMs: GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
Andras Palfi, Senior Product Manager, UiPath
Lenka Dulovicova, Product Program Manager, UiPath
The Art of the Pitch: WordPress Relationships and Sales, by Laura Byrne
Clients don't know what they don't know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clientsâ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf, by 91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Transcript: Selling digital books in 2024: Insights from industry leaders - T..., by BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What's changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -..., by DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
JMeter webinar - integration with InfluxDB and Grafana, by RTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Elevating Tactical DDD Patterns Through Object Calisthenics, by Dorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more "mechanical" approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova..., by Ramesh Iyer
In today's fast-changing business world, companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
UiPath Test Automation using UiPath Test Suite series, part 3, by DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
- UI automation introduction
- UI automation sample
- Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
GraphRAG is All You need? LLM & Knowledge Graph, by Guy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Accelerate your Kubernetes clusters with Varnish Caching, by Thijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Generating a custom Ruby SDK for your web service or Rails API using Smithy, by g2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo..., by James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Securing your Kubernetes cluster: a step-by-step guide to success!, by KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
2. Student Guide & Internal & Confidential Update Daily
https://goo.gl/VVmVZ0
Journey of the Deal: Best Practices from a VMware Cloud Management Partner http://ouo.io/vBVQdO
The Practical Path to NSX and Network Virtualization http://ouo.io/47hme
Why an SSDC Approach with NSX is Better for Your Channel Business http://ouo.io/1hY4l
Justifying Network Virtualization for Your Customers http://ouo.io/OzBquQ
Reference Design for VMware NSX http://ouo.io/XaCMU
Logical Routing with VMware NSX http://ouo.io/oKcbu
Micro-segmentation with NSX and Distributed Firewalling http://ouo.io/BaoP8
NSX Security Deep Dive http://ouo.io/Qq8qqh
Operational Best Practices for VMware NSX http://ouo.io/nyVbwd
Self-service IT with vRealize Automation and NSX http://ouo.io/pHQ5kp
Intro to NSX http://ouo.io/gzAp1
3. Disclaimer
CONFIDENTIAL 3
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
6. Agenda
1. Challenges with existing security controls
2. Introducing NSX Security
3. Automating Security
4. Benefits
5. Use Cases
6. Summary & Next Steps
7. 1. Firewall Challenges in the SDDC
Physical Firewalls
• No micro-segmentation
• Hardware CAPEX
• Choke point
• Rule sprawl (IP, MAC-based)
• Trombone traffic
Virtual Firewalls (one per VM)
• Eliminate hardware
• Choke points with low performance (1-3 Gbps)
• Rule sprawl (IP, MAC-based)
Rule sprawl illustrated: one IP-based rule per source/destination pair across the Web, App and DB VM tiers
Src          Dst
192.168.1.1  192.168.5.2
10.0.0.1     10.0.2.5
10.0.0.2     10.0.2.5
10.0.0.3     10.0.2.5
8. 2. Force Choosing between Context and Isolation
Layers: Guest VM, Hypervisor, Network
Host-based security controls (in the guest VM): high context, low isolation
Network-based security controls (in the network): low context, high isolation
• Security controls prone to attack
• Manual deployment and policy management
• No visibility into application, process, file, user or overall security posture
9. 3. Require In-guest Agents that Are Resource Intensive
• Third-party management consoles
• Scheduled scans hit the same underlying infrastructure at the same time
[Chart: utilization (CPU, memory, storage) versus consolidation ratio, low to high]
• Separate agent required per VM per service
• Adding new services requires manual deployment at each guest
10. 4. Hard to Automate Workflows across Services
• Manual workflows due to lack of interoperability and automation across "best-of-breed" security products
• Endpoint control events do not trigger network controls
12. Agenda
1. Challenges with existing security controls
2. Introducing NSX Security
3. Benefits
4. Use Cases
5. Automating Security
6. Summary & Next Steps
13. NSX Transforms Security for Optimal Context and Isolation While Minimizing Resource Overhead
• Isolation: fine-grained containment
• Context: better security through insight
• Ubiquity: ecosystem of distributed services; core services (switching, routing, firewalling) built into the hypervisor kernel
14. NSX Provides Built-in Services to Manage the Security Posture of Workloads at Scale
Shared Context
• Guest Introspection: the NSX driver pulls and shares file, user identity, process (application), network connections, registry keys etc.
• Network Introspection: full network traffic visibility at the vNIC, vSwitch, or Edge
Built-In Services (VMware Services)
• Firewall
• Identity Firewall
• Server Access Monitoring
• VPN (IPSEC, SSL)
• DLP
• L2 and L3 Connectivity
15. NSX Distributed Firewall
• Delivers micro-segmentation
• Efficient rule management
• Dynamic policy (e.g. AV, DLP, vulnerability scan)
• No choke points, with scale-out performance (20 Gbps)
• Enabled for cloud automation
Rules based on logical containers:
Src      Dst
ANY      Shared Service
Desktop  WEB_GROUP
Platform for distributed services: WEB_GROUP carries the "Web Policy" (Firewall: allow inbound HTTP/S, allow outbound ANY). Firewall policies are pre-approved and used repeatedly by cloud automation across the Web, App and DB VM tiers.
NSX Distributed Firewall is optimized for the SDDC
17. NSX Enables Using Third Party Services to Manage the Security Posture of Workloads at Scale
Shared Context
• Guest Introspection: the NSX driver pulls and shares file, user identity, process (application), network connections, registry keys etc.
• Network Introspection: full network traffic visibility at the vNIC, vSwitch, or Edge
Third-Party Services (Service Insertion Architecture)
• DLP
• Firewall
• Vulnerability Management
• Antivirus
• Intrusion Prevention
• Identity and Access Mgmt
• Security Policy Management
• ...and more in progress
19. Agenda
1. Challenges with existing security controls
2. Introducing NSX Security
3. Automating Security
4. Benefits
5. Use Cases
6. Summary & Next Steps
20. Secure SDDC with VMware NSX
Security services are managed more efficiently in a software-defined datacenter
NSX Network Virtualization Platform
Built-In Services: Firewall, Data Security (DLP), Server Activity Monitoring, VPN (IPSEC, SSL)
Third-Party Services: DLP, Firewall, Intrusion Prevention, Antivirus, Vulnerability Management, Identity and Access Mgmt, Security Policy Management, ...and more in progress
• Deploy: provision and monitor uptime of different services, using one method (Service Insertion)
• Apply: apply and visualize security policies for workloads, in one place (Security Groups, Security Policies)
• Automate: automate workflows across best-of-breed services, without custom integration (Security Tags)
21. Register Security Services with VMware NSX
Service Definitions: built-in and 3rd-party services
Firewalling VPN Data Security Activity Monitoring
Service categories, vendors, versions
are visible in one central view
Security
23. Security Groups & Security Policies
• End-Users and Cloud Admins are able to define security policies based on service profiles already defined or approved by the Security Admin.
• Security policies are applied to one or more security groups where workloads are members.
SECURITY GROUP – WHAT you want to protect: Members (VM, vNIC) and Context (user identity, security posture)
SECURITY POLICY – HOW you want to protect it: Services (firewall, antivirus, IPS etc.) and Profiles (labels representing specific policies)
Example policy "Standard Web":
✓ Firewall – allow inbound HTTP/S, allow outbound ANY
✓ IPS – prevent DOS attacks, enforce acceptable use
24. Security Policies and Security Groups
NSX simplifies provisioning, audit, troubleshooting of security
SECURITY GROUP – WHAT you want to protect
SECURITY POLICY – HOW you want to protect it
1 Policy Provisioning: Define once (policy), use many (security groups). Tied to workload, not to infrastructure.
2 Audit: Validate controls in one place – available services, applied policies.
3 Troubleshooting: When an app doesn't work, can start by observing the workload and all related security policies – rather than infer from infrastructure security.
25. Security Groups
Definition:
Security Group = (Dynamic Inclusion + Static Inclusions) – Static Exclusion
Dynamic Inclusion (VM-centric criteria): Computer OS name, Computer Name, VM Name, Security Tag, Entity.
Static Inclusion / Static Exclusion (infrastructure-centric objects): Security Group, Cluster, Logical Switch, Network, vAPP, Datacenter, IP Sets, Active Directory Group, MAC sets, Security Tag, vNIC, VM, Resource Pool, DVS Port Group.
26. Automate Security Operations to respond to rapidly changing security conditions
Without VMware NSX:
• Manual workflows
• No interoperability between best-of-breed security products
With VMware NSX:
• Security is automated
• If one service finds something, then another service can do something about it
Create repeatable, automated workflows across best-of-breed security products with VMware NSX
27. Advanced Services Insertion
NSX enables dynamic actions to respond to changing security conditions
Traditional Data Center (services 1, 2, 3): static service chain
NSX Data Center: dynamic service chain
• Flexible service chain that adapts to changing conditions – more efficient use of services, better security by sharing tags
• Platform for integrating the leading security products
28. Agenda
1 Challenges with existing security controls
2 Introducing NSX Guest Introspection
3 Automating Security
4 Benefits
5 Use Cases
6 Summary & Next Steps
29. 1. Optimized for Performance
(Chart: Utilization of CPU, Memory and Storage against Consolidation Ratio, Low to High)
1 Reduces attack surface
2 Stronger protection – cannot be turned off by malware
3 Eliminates overhead of agent resources, management
4 Reduces VM footprint, enables higher consolidation
30. 2. Automated Ubiquitous Deployment & Enforcement
1. ESX Host added to cluster
2. Automated: NSX deploys Guest Introspection Framework, Service VMs (Partner & VMW)
3. VM brought up on host
4. Automated: appropriate Security Policies applied
5. VM vMotions to a different host
6. Automated: appropriate Security Policies applied
31. 3. Visibility into In-guest Events
Users Logging In
Files Accessed
Network Connections
System Events
Applications Running
Canned Reports
32. Identity Based Access Control
Active Directory user Eric Frost, IP: 192.168.10.75
Logs:
User Name   AD Group     App Name        Originating VM Name   Destination VM Name   Source IP       Destination IP
Eric Frost  Engineering  SPDesigner.exe  Eric-Win7             Ent-Sharepoint        192.168.10.75   192.168.10.78
35. 4. Simplified Policy Management & Automation across Services
Virtualization Platform / NSX Manager
Security Policy – HOW you want to protect it
Security Group – WHAT you want to protect
Roles: 1 Security Admin, 2 NSX Admin, 3 Cloud Architect (Cloud Management Portal)
37. Security-Centric View
Containers – grouping of VMs, IPs, and more…to define WHAT you want to protect, e.g. "Financial Applications", "Desktop Users", "Quarantine Zone"
Nested containers – other groupings within the container, e.g. "Quarantine Zone" is a sub group within "My Data Center"
VMs (workloads) that belong to this container, e.g. "Apache-Web-VM", "Exchange Server-VM"
Policies – collection of service profiles, assigned to this container…to define HOW you want to protect this container, e.g. "PCI Compliance" or "Quarantine Policy"
Service profiles for *deployed* services, assigned to these policies
Services supported today:
• Distributed Virtual Firewall
• Anti-virus
• Vulnerability Management
• Network IPS
• Data Security (DLP scan)
• User Activity Monitoring
• File Integrity Monitoring
40. Monitor Uptime of Different Services
Service Deployments: installation and service status
Installation Status & Service Status
are visible in one central view
41. Eliminate Policy Sprawl through Automation
No manual cleanup necessary during application decommissioning
SECURITY POLICY "Standard Web":
✓ Firewall – allow inbound HTTP/S, allow outbound ANY
✓ IPS – prevent DOS attacks, enforce acceptable use
Applied to: SECURITY GROUP, SECURITY GROUP (one policy, several groups)
42. Increase Visibility into Service Availability
Virtualization Platform
Restart Security Virtual Appliances upon detection of service health failure
Error messages provide insight into why service failed
44. Agenda
1 Challenges with existing security controls
2 Introducing NSX Guest Introspection
3 Automating Security
4 Benefits
5 Use Cases
6 Summary & Next Steps
45. Scenario 1: Vulnerability Management Optimized for SDDC
VMware Network and Security Platform
Built-In Services: Firewall, Data Security (DLP), Server Activity Monitoring, VPN (IPSEC, SSL)
Third-Party Services: Antivirus, DLP, Firewall, Vulnerability Management, Intrusion Prevention, Identity and Access Mgmt, Security Policy Management, …and more in progress
46. Traditional Challenges in Vulnerability Management
Network scanner:
1 Scan IP range for asset inventory (NMAP)
2 Run port scan on live systems – sets off IPS alarms
3 Whitelist scanner IP address on IPS
4 Scans return inaccurate info
5 Must secure system credentials to run accurate scans
6 Scans run over virtual network, impacting app performance
47. Vulnerability Management Optimized for SDDC Using NSX
Guest Introspection: file, user identity, process (application), network connections, registry keys, etc.
Virtualization Platform
• No network scans required
• Get all VM asset inventory from vCenter
• Get all VM context – file, process, registry key – via NSX Guest Introspection
• No credentials required for server scans – in-guest driver runs credentialed scan
Simplified Deployment: automated deployment of 3rd party appliance to all selected clusters in data center
48. Scenario 2: Context Based Isolation in VDI Environment
VMware Network and Security Platform
Built-In Services: Firewall, Data Security (DLP), Server Activity Monitoring, VPN (IPSEC, SSL)
Third-Party Services: Antivirus, DLP, Firewall, Vulnerability Management, Intrusion Prevention, Identity and Access Mgmt, Security Policy Management, …and more in progress
49. Virus Detection Triggers Isolation and Remediation
Security groups: Employee Desktops SG, Front Desk SG, IT Admin Desktops SG, Infected System SG
Shared Resources (via NSX): Records, Scheduling App, IT Services
Policy "All Desktops":
✓ AV – Agentless Scan
Policy "All Desktops" (on detection):
✓ AV – Scan And Remediate
✓ DFW: Block access to applications
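The membership arithmetic from the Security Groups definition slide and the tag-driven isolation on this slide, as an added example (not code from the deck or from NSX): group membership is (dynamic inclusion + static inclusions) minus static exclusion, and an AV finding is modelled as a security tag that moves the VM into an "Infected System" group. VM names, the tag name and the two policies are constructed assumptions.

```python
# Added example, not from the deck: security group membership computed as
# (dynamic inclusion + static inclusions) - static exclusion, then an AV service
# writing a security tag pulls a desktop into an "Infected System" group whose
# policy blocks application access. VM names, tag and policies are constructed.
from dataclasses import dataclass, field

@dataclass
class VM:
    name: str
    tags: set = field(default_factory=set)

@dataclass
class SecurityGroup:
    dynamic: list = field(default_factory=list)   # (attribute, value) criteria
    static_include: set = field(default_factory=set)
    static_exclude: set = field(default_factory=set)

def matches(vm, attribute, value):
    """One dynamic-inclusion criterion on a VM-centric attribute."""
    if attribute == "Security Tag":
        return value in vm.tags
    return vm.name.startswith(value)              # "VM Name" starts-with match

def members(group, inventory):
    """Security Group = (Dynamic Inclusion + Static Inclusions) - Static Exclusion."""
    dynamic = {vm.name for vm in inventory
               if any(matches(vm, a, v) for a, v in group.dynamic)}
    return (dynamic | group.static_include) - group.static_exclude

GROUPS = {
    "Employee Desktops": SecurityGroup([("VM Name", "desk-")], {"wks-007"}, {"desk-kiosk"}),
    "Infected System": SecurityGroup([("Security Tag", "AV.VirusFound")]),
}
# Constructed policies: name -> (security group it is applied to, rules)
POLICIES = {
    "All Desktops": ("Employee Desktops", ["AV: agentless scan"]),
    "Quarantine": ("Infected System", ["AV: scan and remediate",
                                       "DFW: block access to applications"]),
}

def effective_rules(vm_name, inventory):
    """Rules in force for one VM: the policies of every group it belongs to."""
    return [rule for group, rules in POLICIES.values()
            if vm_name in members(GROUPS[group], inventory) for rule in rules]

def av_detects_virus(vm):
    """An AV service reports a finding by writing a tag; membership follows."""
    vm.tags.add("AV.VirusFound")

INVENTORY = [VM("desk-001"), VM("desk-kiosk"), VM("wks-007"), VM("admin-01")]
```

No rule is edited when the virus is found: the tag changes membership, and the quarantine policy already attached to the group takes effect.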
50. Scenario 3: Minimizing Attack Surface
VMware Network and Security Platform
Built-In Services: Firewall, Data Security (DLP), Server Activity Monitoring, VPN (IPSEC, SSL)
Third-Party Services: Antivirus, DLP, Firewall, Vulnerability Management, Intrusion Prevention, Identity and Access Mgmt, Security Policy Management, …and more in progress
52. Scenario 4: Traffic Redirection to Advanced Services – e.g. PAN
SECURITY GROUP (WHAT you want to protect): SG-WEB
SECURITY POLICY (HOW you want to protect it): SP-PAN-Redirect – "PAN redirect"
Services – Tomcat; traffic from WEB to APP: redirect to PAN
Services: Network Introspection Services (= traffic redirection)
Topology:
WEB Tier (DVS P-G or Logical Switch), SG-WEB: VM1 1.1.1.1, VM2 1.1.1.2
APP Tier (DVS P-G or Logical Switch), SG-APP: VM3 2.2.2.1, VM4 2.2.2.2 (Tomcat)
Network Introspection Rule:
Any Tomcat traffic from WEB Tier to APP Tier is redirected to PAN VM-Series FW
Any other traffic from WEB Tier to APP Tier is not redirected to PAN
Traffic hits the DFW first and then the traffic redirection rule: Tomcat traffic must be allowed by a DFW rule, otherwise it cannot be redirected to PAN
Source        Dest     Service   Action
Policy's SG   SG-APP   Tomcat    Redirect to PAN
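The ordering caveat on this slide (DFW first, redirection second) as an added example that is not part of the deck and not NSX's own evaluation code: a flow is matched against a constructed DFW rule table and only an allowed flow is checked against the Network Introspection rule. Group membership, service ports and both rule tables are assumptions; "PAN" is only the name of the redirect target.

```python
# Added example, not from the deck: models the two-stage path on this slide, where
# a flow first hits the Distributed Firewall (DFW) rule table and only an allowed
# flow reaches the Network Introspection (traffic redirection) rule. Group
# membership, services and both rule tables are constructed for illustration.
GROUPS = {"SG-WEB": {"1.1.1.1", "1.1.1.2"}, "SG-APP": {"2.2.2.1", "2.2.2.2"}}
SERVICES = {"Tomcat": ("tcp", 8080), "HTTPS": ("tcp", 443), "SSH": ("tcp", 22)}

# DFW rule table: first match wins, implicit default block at the end.
DFW_RULES = [
    {"src": "SG-WEB", "dst": "SG-APP", "service": "Tomcat", "action": "allow"},
    {"src": "any",    "dst": "SG-APP", "service": "SSH",    "action": "block"},
]
# Network Introspection rule from the slide: Policy's SG -> SG-APP, Tomcat -> PAN.
REDIRECT_RULES = [
    {"src": "SG-WEB", "dst": "SG-APP", "service": "Tomcat", "redirect_to": "PAN"},
]

def in_group(ip, group):
    return group == "any" or ip in GROUPS.get(group, set())

def service_matches(proto, port, service):
    return service == "any" or SERVICES.get(service) == (proto, port)

def first_match(rules, src_ip, dst_ip, proto, port):
    for rule in rules:
        if (in_group(src_ip, rule["src"]) and in_group(dst_ip, rule["dst"])
                and service_matches(proto, port, rule["service"])):
            return rule
    return None

def evaluate(src_ip, dst_ip, proto, port):
    """Returns (DFW verdict, redirect target): redirection is only consulted
    for traffic the DFW has already allowed, as the slide's note requires."""
    dfw = first_match(DFW_RULES, src_ip, dst_ip, proto, port)
    if dfw is None or dfw["action"] != "allow":
        return ("block", None)                 # dropped before redirection
    redirect = first_match(REDIRECT_RULES, src_ip, dst_ip, proto, port)
    return ("allow", redirect["redirect_to"] if redirect else None)

def unreachable_redirects():
    """Lint: redirect rules whose traffic no DFW rule would allow (assumes the
    rule's src/dst are group names, not "any"). Such a rule silently does nothing."""
    bad = []
    for r in REDIRECT_RULES:
        proto, port = SERVICES[r["service"]]
        sample = (next(iter(GROUPS[r["src"]])), next(iter(GROUPS[r["dst"]])))
        if evaluate(*sample, proto, port)[0] != "allow":
            bad.append(r)
    return bad
```

Removing the DFW allow rule for Tomcat makes `unreachable_redirects()` report the PAN rule, which is the misconfiguration the slide warns about.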
53. Security Partner Integrations
Partner Ecosystem: NSX is the platform for integrating advanced security services
Next-generation IPS: granular protection of individual VM workloads with customizable policy definitions
Malware Protection: Data Center security with agentless anti-malware and guest network threat protection
• Real-time, dynamic threat protection and response for workloads moving between hosts and virtual data centers
• Automation of advanced malware interception
• Unified management for physical and virtual sensors
Vulnerability Management: automatic vulnerability risk assessment; Data Center wide real-time risk visibility; auto segmentation of risky assets; vulnerability prioritization for effective remediation
Threat & Malware Protection: single virtual appliance provides agentless anti-malware with URL filtering, vulnerability and software scanning, detection of file changes, intrusion detection & prevention
Next-Generation Firewall: multiple threat prevention disciplines including firewall, IPS, and antimalware; safe application enablement with continuous content inspection for all threats; granular user-based controls for apps, content, users
54. Agenda
1 Challenges with existing security controls
2 Introducing NSX Guest Introspection
3 Benefits
4 Use Cases
5 Automating Security
6 Summary & Next Steps
55. Achieving Micro-Segmentation in Real World
Prepare Security Fabric
• Prepare Hosts for Security
• Optional: Deploy Security Vendor Management Consoles for advanced services
• Optional: Deploy security vendor appliances
Monitor Flows
• Brownfield: Leverage existing knowledge from Perimeter firewalls
• Use NSX Built-In Flow Monitoring, IPFIX tools
• Integrate VMware Log Insight to analyze syslogs
Determine Policy Model
• Identify patterns with flows
• Determine a policy model based on the patterns
Apply Policy Model
• Determine approach: Firewall Rule Table or Service Composer Policy Model
• Based on the Policy Model – Create grouping models
• Write Security Policy
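The "Monitor Flows" to "Determine Policy Model" steps above, as an added example (not from the deck, not NSX Flow Monitoring code): monitored flow records are rolled up into group-to-group service patterns, and the patterns become a default-deny candidate rule table. The flow records, the IP-to-group mapping, the service names and the review threshold are constructed assumptions.

```python
# Added example, not from the deck: turns monitored flow records (as NSX Flow
# Monitoring or IPFIX would export them) into a candidate policy model for the
# "Determine Policy Model" step: flows roll up by (source group, destination
# group, service), frequent patterns become proposed allow rules and rare ones
# are queued for review. Flow records, the IP-to-group map and service names
# are constructed sample data.
from collections import Counter

# Constructed IP -> security group mapping (what vCenter inventory would give).
IP_TO_GROUP = {"10.0.1.10": "SG-WEB", "10.0.1.11": "SG-WEB",
               "10.0.2.10": "SG-APP", "10.0.3.10": "SG-DB"}
SERVICES = {("tcp", 443): "HTTPS", ("tcp", 8080): "Tomcat", ("tcp", 3306): "MySQL"}

# Constructed flow records: (src_ip, dst_ip, proto, dst_port)
FLOWS = [
    ("10.0.1.10", "10.0.2.10", "tcp", 8080), ("10.0.1.11", "10.0.2.10", "tcp", 8080),
    ("10.0.2.10", "10.0.3.10", "tcp", 3306), ("10.0.2.10", "10.0.3.10", "tcp", 3306),
    ("10.0.1.10", "10.0.3.10", "tcp", 3306),   # web -> db directly, seen once
    ("192.0.2.7", "10.0.1.10", "tcp", 443), ("192.0.2.8", "10.0.1.11", "tcp", 443),
]

def classify(ip):
    return IP_TO_GROUP.get(ip, "UNKNOWN")

def flow_patterns(flows):
    """'Identify patterns with flows': count each (src group, dst group, service)."""
    patterns = Counter()
    for src, dst, proto, port in flows:
        service = SERVICES.get((proto, port), f"{proto}/{port}")
        patterns[(classify(src), classify(dst), service)] += 1
    return patterns

def policy_model(patterns, min_count=2):
    """'Determine a policy model based on the patterns': patterns seen at least
    min_count times become proposed allow rules, rarer ones go to a review list,
    and a final block rule keeps the model default-deny. Endpoints outside the
    inventory are written as 'any' so the rule stays honest about its scope."""
    rules, review = [], []
    for (src, dst, service), count in sorted(patterns.items()):
        rule = {"src": "any" if src == "UNKNOWN" else src,
                "dst": "any" if dst == "UNKNOWN" else dst,
                "service": service, "action": "allow"}
        (rules if count >= min_count else review).append(rule)
    rules.append({"src": "any", "dst": "any", "service": "any", "action": "block"})
    return rules, review
```

The single web-to-database flow lands in the review list rather than in the rule table; deciding whether it is legitimate is exactly the judgement the "Determine Policy Model" step asks of the security admin.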
56. Day 2 Operations
Continue monitoring flow patterns using Log Insight – drifts and shifts in workload flows.
Manage FW rules using Tufin, Algosec – shifts in policies.
Keep advanced services updated – keep services like AV, IPS updated with signatures.
57. NSX Transforms Security by Providing Context & Minimizing Overhead
(Diagram: Guest VM, Network, Hypervisor)
Context: share rich context on applications, users, data, etc.
Isolation: minimize attack targets like security controls (e.g. AV) and telemetry (e.g. logs) by leveraging guest and network isolation and micro-segmentation
Ubiquity: ensuring visibility and control points are everywhere to help address coverage and scale challenges