VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for Security Services in the SDDC

Introducing NSX Service Composer:
The New Consumption Model for Security Services
in the SDDC
Merritte Stidston, McKesson
James Wiese, VMware
SEC5749
#SEC5749

2
Agenda
 Cloud Security: The Challenge
 Customer Example: McKesson
 Introducing - NSX Service Composer
 Product Examples

3
Problems with Security Products in a Virtual Environment
 End Users Blame IT for being ‘Slow’
• Focus generally is only on Storage, Network, Compute but Security can drag
deployments – Need mechanism to apply policy to VM provisioning (make it stick)
 Bigger Datacenter Threat: Rapid Deployment From the Inside (Drift)
• Users Create Servers Instantly – Snapshot of a golden image used to provision many
instances of server instantly, New VMs are not connected to protection service
• Servers have stale configurations & vulnerable software which introduces threat
 Security Product Can Not “See” the VM
• VLANs can also segment out the network scanning services
• Is the VM on the right network? Is the right version of the agent there? Does the VM
agent have access to the security product console? What are the credentials?
 Security Products Do Not Interoperate
• No Ability to Detect Issue & Remediate without complicated scripts & process
• Many Ways to Identify a VM – Requires correlation for management (SID, IP, VMID)

4
Overall Challenge: Security in the SDDC
Cumbersome Provisioning
Complicated deployment and troubleshooting
processes make it difficult to maintain service
levels for security.
Manual, Cross-Service Workflows
Security and cloud admins volley back and
forth to identify, assess, plan, implement
security risks…a very inefficient process.
Security Policy ≠ Security Operations
Expecting cloud operators to manage security
policies is unrealistic and unfair. Security
architects define policy. Cloud operators
implement policy.
Cloud
Operator
✔ ?

5
Challenge: Firewall Roulette: Which VM is behind Which Wire?
CISO: We need to
make sure the
Firewall is protecting
the RED VMs
appropriately. Can
you confirm this?

6
Challenge: Detection Services Not Interoperable & Increase Process
Web Servers
Services
Monitor
Events
Identify Threat
Report
File Ticket
With NetBios ID
Receive Ticket
Notification
Correlate to IP
(Attempt)
Ask for
VLAN Tag
Determine
VM -> Subnet -> Tag
Realize NAT Issue?
Create
Rule
Verify RuleClose Ticket
Open Ticket
To Patch Machine

7
7
Challenge: 9-Dashboards of Wonder & Making Security Stick
Agile security is possible in
2012…
…if you identify workloads and
connect the system – by IP, by
SID, by subnet, by host, by user,
and don’t change anything…
Vulnerability
System
Antivirus
System
Firewall
vCenter
IDS System
DLP System

8
 No knowledge of internal traffic and potential threats
 Most breaches are not discovered by the breached party.
 Common point of purchase
Current state — head in the sand
"I know I am wearing rose-colored glasses; we
just haven't looked into this."

10
Agenda

11
Architectural Complexity: Securing Virtualization within the IT Infrastructure

12
Architectural Complexity: Securing Virtualization within the IT Infrastructure
Management & Admin Network
Zone
PCI Internal Service
Networks CoLo Internal Service
Network
ASP-MSP Internal
Service Network
McKIT Shared Service
Network
Network Core Layer McKIT
WAN-MPLS
B2B
Extranet
Internet McKesson CareBridge
Edge Perimeter Zone
Edge
Router
ISP 1
F/W
F/W
F/WF/W
F/W
F/W
CoLo’s
External HostingASP
MPS
Partners, Vendors,
Sub-Contractors
McKIT
Shared DMZ
PCI
DMZ
VPN
Remote Access
Core Edge Firewall Layer
O/S
Build
VM
Build
VM
Repository
HyTrust
Gateway
vCenter
vShield
App
Edge
Endpoint
Crypto
AV Agent
Auth-LDAP
Logs
VM1…n
Hypervisor Layer
B/U
Mngt. Agent
Hosts 1…n
vNet Fabric
vSwitch1 vSwitch2 vSwitch3 vSwitchn
Management &
Security
Services
(Physical)
Patch
Secure
VMs
B.U.R.N
VTLVTL
De-Dup
Back-up/Restore
Solution
Tape
* DASD
* SAN
* NAS
-NSF
-ISCI
-SMB
vSafe 1.6/API
vShield 1.6/API
ISP 2
Internal
Router
Infrastructure Distribution Layer
External Untrusted Layer
McK
Remote Offices
McK Remote Sites
Internal Trusted
Layer
ESXi
Mngt YF
vShield Endpoint
Patching
HP CSA SEIM
EKMDE
Directory Services
Central Logging
Key Management
vShield Edge
Backup & Recovery
Nessus
Vulnerability Scan
DLPIDS / IPS
Anti-virus
Inventory

13
What is Secure Lab?
 What were some of the business problems that prompted you to
pick up the security baton?
• A fundamental belief that security is everyone's responsibility
• Our business units requested it and our customers expect it
• Build infrastructure with a security 1st approach was a challenge
 What technical challenges made this an urgent need?
• No roadmap to help guide the way
• Multiple tools to integrate
• Common framework with common goals
• Decoupled software & hardware stack (Allows for future changes)

14
SecureLab
McKesson
Imaging
VDC
Developers &
App Support
ESXi
INTEL TXT INTEL TXT
VCD
ESXiESXiESXi
View 5 VDI
(hardened)
McKesson SecureLab: NGDC Architecture
Physical
desktops
& laptops
VDI “bastion host”
only access
App A
Web MW DB
VDI
VDI
VDI
VDI WebDBMW
App B
vShield App
All VDI instances
automatically
firewalled from
one another
vShield Edge
Network Gateway and
Secure Multi-tenancy
vShield App
VDI “group” to App access
allowed by vShield App
ESXi Trusted boot
with Intel TPM/TXT
TPM/TXT
Horizon
Clinicals
VDC
App C
WebDB MW
App D
DB

15
Agenda

16
NSX Service Composer
Security services can now be consumed more efficiently in the
software-defined data center.
Apply.
Apply and visualize
security policies for
workloads, in one
place.
Automate.
Automate
workflows across
different services,
without custom
integration.
Provision.
Provision and
monitor uptime of
different services,
using one method.

17
Concept – Apply Policies to Workloads
Security Groups
WHAT you want to
protect
Members (VM, vNIC…) and
Context (user identity, security
posture)
HOW you want to
protect it
Services (Firewall, antivirus…)
and Profiles (labels representing
specific policies)
APPLY
Define security policies based on service profiles already defined (or
blessed) by the security team. Apply these policies to one or more
security groups where your workloads are members.

18
NSX Service Composer – Canvas View

19
Introducing – NSX Service Composer
Policies – collection of service
profiles - assigned to this
container…to define HOW you
want to protect this container
e.g. “PCI Compliance” or
“Quarantine Policy’
Nested containers –
other groupings within
the container
e.g. “Quarantine Zone” is
a sub group within “My
Data Center”
VMs (workloads) that belong to this
container.
e.g. “Apache-Web-VM”, “Exchange Server-
VM”
Containers – Grouping of VMs, IPs, and
more…to define WHAT you want to protect.
e.g. “Financial Applications”, “Desktop Users”,
“Quarantine Zone”
Service profiles for *deployed*
services, assigned to these
policies
Services supported today:
• Distributed Virtual Firewall
• Anti-virus
• Vulnerability Management
• Network IPS
• Data Security (DLP scan)
• User Activity Monitoring
• File Integrity Monitoring

20
NSX Service Composer – Canvas View
Members: Apps and workloads that belong to this container.
e.g. “Apache-Web-VM”, “Exchange Server-VM”

22
Agenda

Corp
Cust Svc
Desktop
Engineering
Domain Controllers
Sales
Desktop
Sales
SAPSalesWeb
Extranet (DMZ)
External FTP
Servers
Corp External
Web
Eng Desktop
P1 – Corp Policy
Block Telnet, SSH from *
P2 – Department Policy
Block HTTP
P3 – Web App Policy
Allow 8080 from Desktops
Allow 443 from *
Block All Other
P4 – Eng Department Policy
Allow 80 HTTP from Internet
P5 – Desktop Policy
Block * to these from these
P6 – Sales Desktop Policy
Allow * from Sales/SAP
P7 – AD Policy
Allow * , TCP/UDP on port 137,445
Example: Firewall By Policy

24
Example: Orchestrating Security Between Multiple Services
SG: QuarantineSG: Web Servers
1.Web Server VM running IIS is deployed, unknowingly having a vulnerability
2.Vulnerability Scan is initiated on web server (e.g. Rapid7’s Nexpose product)
3.VM is tagged in NSX Manager with the CVE and CVSS Score
4.NSX Manager associates the VM with the Quarantine (VSM F/W Deny)
5.[Externally] Admin applies patches, Nexpose re-scans VMs, clears tag
6.NSX Manager removes the VM from Quarantine ; VM returns to it’s normal
duties
VSM F/W VSM F/W
Services Services
Membership: Include VMs which have CVSS score >= 9Membership: Include VMs which have been provisioned as “WebServer”
NSX Manager

25 Confidential
Example: Deploying Security Services On Demand
1. ESX Host added to cluster
2. Service Composer: Deploys Security VMs (Partner & VMW)
3. VM brought up on host
4. Service Composer: Appropriate Security Services applied
5. VM vMotions to different host
6. Service Composer: Appropriate Security Services applied

26
“Dev” “Test” “Stage”
wire FW wire FW
“Production”
wire LB FW IDS
FIM SVM AV LOG
wire LB FW IDS
FIM SVM AV LOG
Example: Precedence Enforced for Dev/Test to Production
Service Policy for
App

27
NSX Integrated Partners
NSX Controller & NSX Manager
NSX API
Partner Extensions
L2 Gateway FirewallADC/LB IDS/IPS
+
Cloud Management
Platforms
AV/FIM Vulnerability
Management
Security Services

28
VM Based Group Policy For Services
App
Consumer
Cloud
Operations
Infrastructure
(NOC)

29
NSX Service Composer Benefits
Streamline Service Provisioning
Fewer steps to deploy VMware and partner
content. Service outages are easy to
identify and troubleshoot.
Automate Workflows Across Services
Workflows between different services are
easily automated on this platform
Apply Policies in the SDDC
Workloads are easily organized (WHAT you
want to protect) and services can be easily
mapped to resources (HOW you want to
protect them), for consumption in the SDDC
AVFW
IPS DLP
Vuln. Mgmt
AVFWIPS DLPVuln. Mgmt
✔ ✔

30
Related Sessions
 SEC-5750: Security Automation Workflows with NSX
 SEC-5253: Get on with Business: Vmware Reference Architectures
Help Streamline Compliance Efforts
 HOL: HOL-SDC1303: VMware NSX Network Virtualized Platform

35
Concept – Service Profiles
Comprises One or More Services
At least one service is required to define a
service profile.
Container 1
Container 2
Container 3
Container Can Have Multiple
Service Profiles
Different profiles may need to apply to a single
container.
Precedence Must Be Enforced on
Service Profiles
Ultimately, these services manifest in real
security services so in the case of overlapping
services or conflicts, precedence must be
enforced.

36
Container 1
Concept – Containers
Contain VMs
Including machines, networks…anything that
could comprise an application But it could also
be empty, perhaps waiting for a state change.
Can Contain Other Containers
Nesting is a powerful concept that allows you
to group applications and resources more
flexibly.
Can Contain Object Defined by
Security Tags
Services have intelligence in the form of
visibility and control. They can find an issue
with a machine and tag it to identify the issue.
The mere act of tagging can add the machine
to a container.
Container 2 Container 3

37
VMware SDN & Security: Composite Policy Management
• Minimize Dedicated
Hardware
• Optimize Utilization
Security By Virtual Service
• Always Connected Security
• Scale Applications On-
demand
• Simplify Operations
VM Protection
• Integrated Management
• 3rd Party Extensible
Attach Services
• Dynamic Provisioning
• Detect & Remediate
Enable Policy-based
Automation
VMware Network & Security Virtualization

VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for Security Services in the SDDC

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (15)

Similar to VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for Security Services in the SDDC

Similar to VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for Security Services in the SDDC (20)

More from VMworld

More from VMworld (20)

Recently uploaded

Recently uploaded (20)

VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for Security Services in the SDDC