![VMware Security Briefing ,[object Object],[object Object],[object Object],[object Object]](https://image.slidesharecdn.com/vmwaresecuritypresentation72109-12489648365834-phpapp03/85/Why-Security-Teams-should-care-about-VMware-1-320.jpg)
![Agenda ,[object Object],[object Object],[object Object],[object Object]](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Why Security Teams should care about VMware
Similar to Why Security Teams should care about VMware (20)
Why Security Teams should care about VMware
- 5. Extended Computing Stack and Guest Isolation Hypervisor Standard x86 VMware ESX
- 6. Isolation by design Security Design of the VMware Infrastructure Architecture http://www.vmware.com/resources/techresources/727
- 7. How Virtualization Affects Datacenter Security
- 9. vSphere - Virtual Datacenter OS from VMware Off-premise Cloud vCenter On-premise Infrastructure Make applications more scalable, secure and resilient in a virtual environment than physical. SaaS Linux Grid Windows J2EE .Net VMware Infrastructure -> virtual datacenter OS Application vServices Scalability Infrastructure vServices Security Availability vNetwork vStorage vCompute Cloud vServices …… . Web 2.0
- 20. Server-based Desktop Virtualization Profile Moving the desktop to a virtualized image in the data center allows the complex components to be protected and managed. File Server User Data Profile File Server App App App
- 21. Universal Operating System “Gold” Image Profile A single encapsulated hardware build for all users allows for better tuning and hardening of the underlying operating system. File Server User Data Profile File Server App App App
- 22. Patch Management in the Data Center Profile Patches can be delivered at data center network speeds, or virtual machines can be periodically destroyed and rebuilt cleanly. File Server User Data Profile File Server App App Patch Server App
- 23. Access Control Profile Controlling access to the virtualized desktops provides further protection to applications and user data. File Server User Data Profile File Server App App X App
- 24. Elimination of Complex Devices at the Edge Profile Users can be issued tamper-proof thin clients with no moving parts to complete the solution. File Server User Data Profile File Server App App App
- 25. Data Security - Backing Up With a fully virtualized desktop, backups are not only simplified, they’re actually possible. ? Profile File Server User Data Profiles File Server App App VM Template App
- 27. Portable Client-Side Virtualization The client device and it’s unsecured OS become irrelevant – the VM is the true working environment.
- 30. Integrated Virtualization Solution Profile Users can be issued tamper-proof ACE Instances with virtualized apps and network access only through VIEW instances to complete the solution. File Server User Data Profile File Server App App App
- 36. View is much simpler to set up and support
- 37. Competitive Pricing/Packaging Comparison * Experimental support only XenDesktop VMware View Advanced Enterprise Platinum Enterprise Premier Virtualization Platform Connection broker Secure remote access Storage Optimization Multi-backend support Application Virtualization Offline Desktop* High Availability Dynamic Provisioning Desktop Monitoring Partner Partner Pricing $195 $295 $395 $150 $250 x x x x x x x x x x x x x x x
- 38. Cost Comparison Vmware cost per user Premier Bundle $ 250.00 List price per user Premier Bundle Support and Maintenance $ 62.00 ESX Server HW $ 156.25 ESX server $10,000 64 users on 8 core system Provisioning Server HW Cost $ - Virtual Machine on ESX Connection Broker HW Cost $ - Virtual Machine on ESX Storage Costs $ 30.00 Space for Linked clone $ 498.25 Total per user cost Citrix cost per user Xen Desktop Advanced $ 295.00 List price per user XenDesktop Platinum Support and Maintenance $ 48.75 Xen Desktop Server Hw $ 312.50 XEN server $10,000 32 users on 8 core system Provisioning Server HW Cost $ 16.67 Physical server per documentation 300 users for $5,000 Connection Broker HW Cost $ 4.17 Physical server per documentation 1200 users for $5,000 Storage Costs $ 30.00 In theory, some costs but will be minimal $ 707.09 Total per user cost (+ additional server for XenApp, + TSCAL, +,+)
Editor's Notes
- 4 areas – continue to enhance core platform Pulling out console OS and vulinerable pience 32M code to eliminate attaches or code Integrate in extrenal technologies – use what they have Protection at the host level instead of the Host and policy driven security – clouds and SLAs and managing at an environment individual Platform security is a core area of focus on making sure the platform is hardened against attack. VMware takes the primary responsibility for this activity. The second is to ensure that existing security processes within the enterprise are enabled to make sure that VI can be operated in a secure fashion in the enterprise Virtual appliances help customers deploy more security than possible in physical datacenters, increasing the overall “density” of security in a virtualized datacenter Lastly, we believe that virtual can be more secure than physical systems. This is all built on the foundation of VMsafe-enabled products, but in addition, changes to the way customers can deploy and operate their systems in a virtual environment will make things more secure.
- Application vServices – to recap, are services provided by our platform to applications – uniformly, enabled by simple point and click in most cases. Let’s review the current application vServices provided by VMware and new vServices in 2009
- Partner solutions that utilize VMsafe have the following advantages over existing security mechanisms: They can protect VMs without needing to install agents inside each VM They can perform a multitude of tasks that protect a VM holistically ( monitor VM components on the host, nw traffic through the distributed switch) AV, Firewall, IPS can all be in one appliance. They can do all these tasks efficiently in a dynamic environment where the virtual machine moves from host to host. For e.g. if a VM is being monitored on a particular host, it carries its security state with it to the next host where another appliance starts monitoring it.
- vShield Zones is a new Application vService providing fundamental and critical network security for the VDC-OS Expanding virtualization deployments in the datacenter are encompassing multiple areas of trust such as DMZ (demilitarized zone) buffers to the Internet and senstive data such as credit card information subject to Payment Card Industry (PCI) compliance or corporate financial data covered by Sarbanes-Oxley. These varying trust zones must be segmented with firewalls and other network security. Existing physical appliances require diverting traffic to external chokepoints, splintering ESX resource pools into small fragments and disrupting the seamless vision of an internal computing cloud. vShield Zones is a vritual appliance that allows you to monitor and restrict inter-VM traffic within and between ESX hosts to provide security and compliance within shared resource pools. vCenter integration lets you create network zones based on familiar VI containers such as hosts, clusters, vswitches and VLAN’s vShield Zones scans VM’s for known applications to present network flows and security policies by application protocol rather than as raw network flows. Virtualization awareness and application awareness increases accuracy and reduces risk of misconfiguration and noncompliance. Consistent security policies can be assured throughout a VM lifecycle, from initial provisioning to VMotion across various hardware to final decommissioning. Comiplete view of virtual machines, networks and security policies allows you to audit security posture fully within the virtual environment to meet defined security SLA’s, irrespective of changes to your external physical network and perimeter.
- Here is a screenshot of what you see with the VM Flow monitoring capability The UI allows you to drill down and see what’s happening in more and more detail. Allowed vs. disallowed traffic; Protocol (UDP, TCP, etc); Incoming vs. outgoing Categorized (i.e. traffic which can be attributed to a particular application) vs. uncategorized (other) Application (i.e. which protocol is responsible); Source and destination
- The firewall feature in vShield Zones is called VM Wall. This configuration screen reveals one of the most important aspect of the product: the fact that you can create rules based not simply upon individual IP addresses, but upon logical zones. The zones in this case are the ones mentioned earlier: datacenter, cluster, VLAN Because you can create rules based upon zones instead of individual IP addresses, the total number of rules is far fewer than if you simply ported a physical firewall to a virtual appliance. For example, for a typical three-tier app with 4 hosts and 8 VMs per tier, you’d need more than 700 rules if you were using individual IP addresses! By contrast, using logical zones, the number of rules collapses down to a mere 12. A second important point is the fact that these rules need not simply be based on port number, but can be based on application. Due to the built-in application awareness, you can block traffic even for applications that use a range of ports or ephemeral ports. vShield Zones knows when an application is trying to communicate, and block all traffic for that application regardless of which port it tries to use
- ! Compliance and governance managers. This group is interested in the fact that a license has been deployed that requires authorization to use, and an audit trail exists that documents use procedures are established and followed. In this case, there need not be a difference between the virtualized and native applications, as either configuration will allow tracking and management of the license through the same tools used today. ThinApp virtualized applications register with WMI (similar to natively installed applications) and can be tracked by the same mechanisms used to inventory and track natively installed applications. Because the virtual package is an .MSI or .EXE, it can also be registered with the Definitive Software Library and tracked through normal change and configuration management and asset management systems used today by natively installed applications.
- Pricing considerations are of paramount interest for some customers, but make sure that they also see the value for what they are buying. VMware View is packaged starting at Citrix’s mid tier package offerings, but also compare what is purchased for each option. VMware View Premier offers capabilities not available in Citrix’s top offering, and is priced 36% less.