NSX PCI Reference Architecture Workshop Session 2
- Privileged User Control
Allen Shortnacy, VMware
SEC5820
#SEC5820
Privileged User Risk
What Analysts Are Saying
“A compromise of the virtualization platform is a worst-case security scenario that places all the VMs hosted on the virtualization platform at risk.”
“Hypervisor security protection should be treated as a defense-in-depth problem, using multiple strategies to ensure the overall integrity of this critical layer.”
- Gartner*
* Gartner, Inc. “Hype Cycle for Virtualization, 2012”, Phil Dawson, Nathan Hill, July 24, 2012
Events Demonstrate the Risk
Jason Cornish, former Shionogi Pharma IT Staffer
Pled guilty to Feb ‘11 computer intrusion
– Wiped out 88 virtual servers on 15 VMware hosts: email, order tracking, financial, & other services
– Shionogi’s operations frozen for days
 unable to ship product
 unable to issue checks
 unable to send email
About Privileged Users
 Cloud and SDDC have expanded the universe of threats from privileged users
• Administrators have accumulated more effective rights due to shared resources
• Oftentimes with poor accountability for actions, whether malicious or just dumb
 Advanced persistent threats are real
• If they are in your environment, these privileged user accounts are likely targets for compromise
• If you are using shared accounts, tracking activities to a specific user is very difficult
 Few organizations rely on multi-factor authentication across all user communities
• Solutions and techniques are readily available to ensure the identity of who is on your systems
• Rarely tied to a comprehensive authorization policy for privileged user activities
• Necessitates an approach to effectively monitor all activities tied to strongly identified privileged user sessions
Four Steps to Controlling Privileged Users in the SDDC
 Create Controlled Access Points to the SDDC Edge
• NSX Edge VPN Services or Partner such as Xceedium
• Establish LDAP Role Based Access Controls to govern session criteria
• Provide ‘jump box’ configured with desired client applications/browser
 Establish NSX Identity Aware Firewall Policies
• Propagate identity context of remote session to NSX Edge firewall
• Ensures LDAP Group membership to access target application
 Provide Prescribed Session for Conducting Administrative Activities
• Time bound sessions, privileged user password vaulting, multi-factor authentication, etc.
• Integration with other services to dynamically define session criteria
 Leverage User Activity Monitoring for Audit
• Expands typical source/destination log information to application context
• Integrating syslog data with event correlation engine provides other integration possibilities
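The session criteria the four steps describe (LDAP role-based access to a target, multi-factor authentication before any privileged session, a time-bound session, and an audit record of every decision) can be modelled as a small policy check. The following is an added Python example and not NSX Edge or Xceedium code; the policy table, the target and group names, and the function names are constructed for illustration:

```python
"""Model of a 'prescribed session' broker for SDDC administration.

Added example with constructed data; not an NSX Edge or Xceedium API.
A session is granted only when the target has a policy, the requester has
completed multi-factor authentication, and one of the requester's LDAP groups
is the group the policy names.  Granted sessions are time-bound, and every
decision (allow or deny) produces an audit record.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed policy table: target -> (LDAP group allowed to administer it,
# maximum session length).  Names are hypothetical.
SESSION_POLICY = {
    "vPostgres-GL": ("DBA", timedelta(hours=2)),
    "nsx-manager": ("SDDC-Admins", timedelta(minutes=30)),
}


@dataclass
class SessionRequest:
    user: str
    ldap_groups: frozenset   # groups resolved from the directory, not self-asserted
    target: str
    mfa_verified: bool       # result of the second factor, checked before RBAC


@dataclass
class Session:
    user: str
    target: str
    starts: datetime
    expires: datetime


@dataclass
class Decision:
    allowed: bool
    reason: str
    session: Optional[Session] = None


# In a deployment these records would be shipped to syslog / a correlation engine.
AUDIT_LOG = []


def utc(iso):
    """Parse 'YYYY-MM-DDTHH:MM' into an aware UTC datetime (helper for callers)."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def request_session(req, now):
    """Evaluate a session request in order: policy exists, MFA done, group matches."""
    policy = SESSION_POLICY.get(req.target)
    if policy is None:
        decision = Decision(False, "no policy for target")
    elif not req.mfa_verified:
        decision = Decision(False, "multi-factor authentication required")
    elif policy[0] not in req.ldap_groups:
        decision = Decision(False, f"group {policy[0]} required for {req.target}")
    else:
        granted = Session(req.user, req.target, now, now + policy[1])
        decision = Decision(True, "granted", granted)
    # Deny decisions are recorded too: failed attempts are part of the evidence chain.
    AUDIT_LOG.append({
        "time": now.isoformat(),
        "user": req.user,
        "target": req.target,
        "allowed": decision.allowed,
        "reason": decision.reason,
    })
    return decision


def session_active(session, now):
    """A session is usable only inside its granted window; expiry is exclusive."""
    return session.starts <= now < session.expires


if __name__ == "__main__":
    start = utc("2013-08-26T09:00")
    dba = SessionRequest("efrost", frozenset({"DBA"}), "vPostgres-GL", True)
    for req in (dba,
                SessionRequest("efrost", frozenset({"DBA"}), "vPostgres-GL", False),
                SessionRequest("efrost", frozenset({"DBA"}), "nsx-manager", True)):
        d = request_session(req, start)
        print(f"{req.user} -> {req.target}: {'ALLOW' if d.allowed else 'DENY'} ({d.reason})")
    for entry in AUDIT_LOG:
        print(entry)
```

The checks are ordered so that a request never reaches the role comparison without a verified second factor, and the expiry is exclusive so a session cannot be used at the instant it lapses.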
NSX Edge SSL VPN Services
[Diagram: a Remote User on the Internet connects through the NSX Edge SSL VPN (virtual IP 192.168.27.2; external interface 10.112.243.45; internal interface 192.168.1.1; VSM 10.112.243.44) to the Corporate LAN 192.168.1.0/24. Role shown: All SDDC and Application Admin.]
STEP-1: Enable SSL Service
STEP-2: Configure Private Network
STEP-3: Dynamic IP Pool (Remote User will get IP in this range)
STEP-4: Client Install Package
STEP-5: Configure User Authentication Methods
• Local Database
• AD
• LDAP
• Radius
• RSA
Configuration is now complete. User is ready to Connect.
NSX Edge SSL-VPN provides controlled access to Jump Box with Administrative tools located in controlled location
NSX Edge VPN with AES-NI
 Up to 40% performance increase by supporting the Intel® AES-NI (AES New Encryption Instruction Set).
 The Edge offloads the AES encryption of data to the hardware on supported Intel Xeon and 2nd generation Intel Core processors.
 No user configuration needed to enable – AES-NI support in hardware is auto-detected.
 Supports both pre-shared key (PSK) and certificate authentication mode
 Encryption algorithms – 3DES, AES (128 and 256 bits)
 Performance - 1 Gbps throughput
Step 1: Establish Secure Bastion Host DMZ with NSX Edge
Providing access to tools used for administrative tasks must be controlled with role based access to an approved session
Role
 SDDC Administrator
 Application or Database Administrator
Action
NSX Edge Manager
 Configure SSL-VPN/AD Integration
 Configure ‘Jump Box’
Xceedium
 Establish Policies for Admin actions on protected assets
[Diagram: network fabric with VXLAN and 802.1Q segments, WAN/Internet]
VMworld 2013, June 2013
The Problems We Solve
– Protect Enterprises from Privileged User Risks
– Manage Privileged Access Across Traditional, Virtualized, Cloud, and Hybrid Enterprises
– Enforce Audit and Compliance Controls
– PCI DSS, HIPAA/HITECH, NERC CIP, FISMA, SOX
– Enable Secure Migration of Enterprise Applications to the Cloud
– Federate Privileged Identity Across Hybrid Cloud Architectures
© 2013 Xceedium, Inc.
Control and Audit All Privileged Access
(Identity Integration, Enterprise-Class Core, Unified Policy Management)
• Vault Credentials
• Centralized Authentication
• Federate Identity
• Privileged Single Sign-on
• Role-Based Access Control
• Monitor & Record Activity
• Full Attribution
• Protect End Systems, Consoles, APIs
Introducing Privileged Identity Management for the New Enterprise
Traditional Data Center: Mainframe, Windows, Linux, Unix, Networking
New Enterprise:
• Virtualized Data Center – VMware Console / APIs
• SaaS Applications – SaaS App Console
• Public Cloud - IaaS – Cloud Console / APIs
Form factors: Hardware Appliance, Cloud Appliance, OVF Virtual Appliance
Xsuite for VMware
PIM for VMware vSphere and vCloud
Auto-Discovery and provisioning of all VMware Infrastructure Virtual Machines via VMware’s API.
• Dynamic Discovery and provisioning for Access of Virtual Machines
Roles Based Privileged Access Control & Single Sign-On Across:
• Enterprise systems, vCenter, vShield, vCloud Director, and the New NSX Consoles, as well as Physical and Virtual Machines
Separation of Duties for vCenter, vShield, vCloud Director, and NSX Console
Full Audit Trail and Session Recording Across:
• Enterprise systems, vCenter, vShield, vCloud Director, NSX Console, all Virtual Machines Privileged user Sessions
• API Access to VMware vShield, & vCloud
Password and Access Key Management:
• Vaulting and lifecycle management of all privileged user credentials for: enterprise systems, vCenter, vShield, vCloud Director, and NSX Console, AD based Console users and Virtual Machines.
Strong Authorization and Attributed Use:
• Support for multi-factor authentication
• Detailed record of who is using each account, even for shared accounts (vCenter, vShield, vCloud Director, and the New NSX Console, Unix root accounts, Windows admin accounts)
VMware Reference Architecture
[Diagram: Privileged Users, via the Xceedium Client, authenticate to the Xsuite OVF based Virtual Appliance; Xsuite validates the user/group against AD/LDAP, a Radius Server, a PIV/CAC Revocation Server and an ADFS Server, then brokers the connection into the Enterprise Network: VMware vSphere Console, VMware vCloud Director, VMware vShield Console, VMware NSX Console and the VM Target Devices behind each of them. Session recordings and audit data are sent to Syslog, Splunk and VMware Log Insight.]
Callouts:
– VMware VM Target Server: connection is Controlled, Audited, and Recorded
– Virtual Machines are discovered by the VIISDK API and provisioned via vCenter Tagging.
– Post API/Sessions: User is logged in as provisioned user to provisioned org with access, recording and audit.
– User Authenticates to Xsuite with Credentials, PIV, CAC, or Smartcard
– Xsuite Authenticates User/Group with AD/LDAP & Radius
– Client Receives Transparent Access to Target Server
– Syslog, Splunk, VMware Log Insight, Session Recordings: Full Audit of all VMware Console & Virtual Machine Privileged User activity
Demo: Establish NSX Edge SSL-VPN and Partner Solutions
Step 2: Protect Your Secure Zones with NSX Identity Firewall
It is critical to provide purpose driven firewall rules that restrict access to controlled VMs to only those nodes which require access
Role
 SDDC Administrator
 Application or Database Administrator
Action
In Service Composer / Firewall
 Edit source / destination
 Edit identity based security groups
[Diagram: network fabric with VXLAN and 802.1Q segments, WAN/Internet]
Identity Based Access Control
Active Directory user: Eric Frost (IP: 192.168.10.75)
Logs
User        AD Group  App Name     Originating VM Name  Destination VM Name  Source IP      Destination IP
Eric Frost  DBA       PGAdmin.exe  Eric-Win7            vPostgres-GL         192.168.10.75  192.168.10.78
Rule Table
AD Source  Destination   Source IP      Destination IP
DBA        vPostgres-GL  192.168.10.75  192.168.10.78
Demo: Create NSX Firewall Rules for Controlling Access
Step 3: Access Prescribed Session for Governed Activities
Providing a role based access controlled, multi-factor authenticated session creates a trusted, least privilege connection to the target
Role
 Application or Database Administrator
Action
SSL-VPN or Xceedium Client
 Authenticate to the Jump Box with Role Based Control
 Leverage appropriate administrative tool(s) with identity firewall controlled access
[Diagram: network fabric with VXLAN and 802.1Q segments, WAN/Internet]
Demo: Establish Secure Desktop Networking for Role Based Sessions
Step 4: Privileged User Activity Monitoring
NSX provides logging of privileged user activity expanded to incorporate identity firewall rules as well as the application used for access
Role
 SDDC Administrator
 Information Risk Personnel
Action
In NSX Manager
 Review session logs for approved activity
In Xceedium
 Record session for review
[Diagram: network fabric with VXLAN and 802.1Q segments, WAN/Internet]
What is VMware Activity Monitoring?
Visibility into group, application and destination activity in the virtual environment which generates an activity log of:
 Applications running on virtual machines
 Server access by Desktop Pool, Security group or AD Group
 Interactions between groups (SG, AD, DP)
[Diagram: Developer AD Group and Dev Security Group; legend: Desktop Pool, Security Group, AD Group]
With / Without NSX: Visibility Comparison
Active Directory user: Eric Frost
Today
Source        Destination
172.16.254.1  172.16.112.2
With Activity Monitoring (VM Tools)
User  AD Group  App Name     Originating VM Name  Destination VM Name   Source IP      Destination IP
Eric  DBA       Pgadmin.exe  Windows 7            PostgreSQL DB Server  192.168.10.75  192.168.10.78
[Diagram: VSM, SVM, Compute, Management, Gateway]
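The rule table and log table on the Identity Based Access Control slide, the activity-monitoring slide and the visibility comparison above share one point: the rule is keyed on the AD group, the application and the destination VM rather than on a source IP, so an IP-only flow record (the "Today" row) can be neither attributed nor evaluated against such a rule. The following added Python example (not NSX code; the key=value log format, the rule table, the user names and the IP addresses are constructed for illustration) parses identity-enriched records, evaluates them against a group/application/destination rule table, and reports IP-only records as unattributed:

```python
"""Evaluate identity-enriched flow records against identity-based rules.

Added example with constructed data modelled on the slide's log and rule
tables (user, AD group, application, VM names, IPs).  Not NSX code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IdentityRule:
    """Who (AD group) may reach which VM, and with which applications."""
    ad_group: str
    dst_vm: str
    apps: frozenset   # lower-cased executable names; empty set means any app


# Constructed rule table modelled on the slide's single DBA -> vPostgres-GL row.
RULES = [
    IdentityRule("DBA", "vPostgres-GL", frozenset({"pgadmin.exe"})),
]

# Constructed sample log lines (key=value tokens, no spaces inside values).
# The last line is an IP-only record of the "Today" kind: no identity context.
SAMPLE_LINES = [
    "ts=2013-08-26T09:12:03Z user=efrost group=DBA app=PGAdmin.exe "
    "src_vm=Eric-Win7 dst_vm=vPostgres-GL src=192.168.10.75 dst=192.168.10.78",
    "ts=2013-08-26T09:15:41Z user=jdoe group=Developers app=psql.exe "
    "src_vm=JDoe-Win7 dst_vm=vPostgres-GL src=192.168.10.91 dst=192.168.10.78",
    "ts=2013-08-26T09:20:07Z user=efrost group=DBA app=cmd.exe "
    "src_vm=Eric-Win7 dst_vm=vPostgres-GL src=192.168.10.75 dst=192.168.10.78",
    "ts=2013-08-26T09:22:55Z src=172.16.254.1 dst=172.16.112.2",
]

# Fields a record must carry before an identity rule can be applied to it.
IDENTITY_FIELDS = ("user", "group", "app", "src_vm", "dst_vm")


def parse_record(line):
    """Split a key=value log line into a dict; tokens without '=' are skipped."""
    record = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            record[key] = value
    return record


def match_rule(record, rules):
    """Return the first rule covering the record, keyed on group, not source IP."""
    app = record.get("app", "").lower()
    for rule in rules:
        if rule.ad_group != record.get("group") or rule.dst_vm != record.get("dst_vm"):
            continue
        if rule.apps and app not in rule.apps:
            continue   # right group and target, but not the prescribed tool
        return rule
    return None


def verdict(record, rules):
    """'unattributed' when identity context is missing, else allow/deny by rule."""
    if any(field not in record for field in IDENTITY_FIELDS):
        return "unattributed"
    return "allow" if match_rule(record, rules) else "deny"


def evaluate(lines, rules=RULES):
    """Parse each line and pair it with its verdict."""
    results = []
    for line in lines:
        record = parse_record(line)
        results.append((record, verdict(record, rules)))
    return results


def verdicts(lines, rules=RULES):
    """Verdicts only, in input order."""
    return [v for _, v in evaluate(lines, rules)]


if __name__ == "__main__":
    for record, v in evaluate(SAMPLE_LINES):
        who = record.get("user", "<no identity>")
        target = record.get("dst_vm", record.get("dst"))
        print(f"{v:13} {who:14} {record.get('app', '-'):12} -> {target}")
```

The second sample line shows a different AD group reaching the same destination IP and being denied, and the third shows the right group using a tool the rule does not prescribe; a rule written on the 5-tuple alone could distinguish neither case.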
Demo: Privileged User Activity Monitoring
Summary – Value Achieved via Privileged User Control
 Leveraging NSX Edge and Partner technologies facilitates strong authentication and role based authorization to bastion host as a single point of entry
 Establishing NSX Distributed Firewall Identity Based Rules extends the paradigm to support access of the target only via prescribed means
 Supports enhanced integration with other processes like service desk requests or other deep packet monitoring tools to validate activities
 Information Risk professionals and Auditors have access to information from Activity Based Monitoring and partner technologies like Xceedium to create irrefutable chains of evidence that only approved activities were conducted
VMworld: Security and Compliance Sessions
NSX
• 5318: NSX Security Solutions In Action (201)
• 5753: Dog Fooding NSX at VMware IT (201)
• 5828: Datacenter Transformation (201)
• 5582: Network Virtualization across Multiple Data Centers (201)
NSX Firewall
• 5893: Economies of the NSX Distributed Firewall (101)
• 5755: NSX Next Generation Firewalls (201)
• 5891: Build a Collapsed DMZ Architecture (301)
• 5894: NSX Distributed Firewall (301)
NSX Service Composer
• 5749: Introducing NSX Service Composer (101)
• 5750: NSX Automating Security Operations Workflows (201)
• 5889: Troubleshooting and Monitoring NSX Service Composer (301)
Compliance
• 5428: Compliance Reference Architecture Framework Overview (101)
• 5624: Accelerate Deployments – Compliance Reference Architecture (Customer Panel) (201)
• 5253: Streamlining Compliance (201)
• 5775: Segmentation (301)
• 5820: Privileged User Control (301)
• 5837: Operational Efficiencies (301)
Other
• 5589: Healthcare Customer Case Study: Maintaining PCI, HIPAA and HITECH Compliance in Virtualized Infrastructure (Catbird – Jefferson radiology)
• 5178: Motivations and Solution Components for enabling Trusted Geolocation in the Cloud - A Panel discussion on NIST Reference Architecture (IR 7904). (Intel and HyTrust)
• 5546: Insider Threat: Best Practices and Risk Mitigation techniques that your VMware based IaaS provider better be doing! (Intel)
For More Information…
 VMware Collateral
 VMware Approach to Compliance
 VMware Solution Guide for PCI
 VMware Architecture Design Guide for PCI
 VMware QSA Validated Reference Architecture PCI
 Partner Collateral
 VMware Partner Solution Guides for PCI
 How to Engage?
 compliance-solutions@vmware.com
 @VMW_Compliance on Twitter
THANK YOU
Гибридное облако - эффективность в квадрате
 
Private cloud with vmware
Private cloud with vmwarePrivate cloud with vmware
Private cloud with vmware
 
VMware vRealize Network Insight 3.4 whats new
VMware vRealize Network Insight 3.4 whats newVMware vRealize Network Insight 3.4 whats new
VMware vRealize Network Insight 3.4 whats new
 
Reston Virtualization Group 9-18-2014
Reston Virtualization Group 9-18-2014 Reston Virtualization Group 9-18-2014
Reston Virtualization Group 9-18-2014
 
Simplifying User Access with NetScaler SDX and CA Single Sign-on
 Simplifying User Access with NetScaler SDX and CA Single Sign-on Simplifying User Access with NetScaler SDX and CA Single Sign-on
Simplifying User Access with NetScaler SDX and CA Single Sign-on
 
VMware overview presentation by alamgir hossain
VMware overview presentation by alamgir hossainVMware overview presentation by alamgir hossain
VMware overview presentation by alamgir hossain
 
BIG IRON, BIG RISK? SECURING THE MAINFRAME - #MFSummit2017
BIG IRON, BIG RISK? SECURING THE MAINFRAME - #MFSummit2017BIG IRON, BIG RISK? SECURING THE MAINFRAME - #MFSummit2017
BIG IRON, BIG RISK? SECURING THE MAINFRAME - #MFSummit2017
 
vRA + NSX Technical Deep-Dive
vRA + NSX Technical Deep-DivevRA + NSX Technical Deep-Dive
vRA + NSX Technical Deep-Dive
 
Virtual private network
Virtual private networkVirtual private network
Virtual private network
 
040711 webcast securing vmachine
040711 webcast securing vmachine 040711 webcast securing vmachine
040711 webcast securing vmachine
 
AWS re:Invent 2016: Managing and Supporting the Windows Platform on AWS (GPSS...
AWS re:Invent 2016: Managing and Supporting the Windows Platform on AWS (GPSS...AWS re:Invent 2016: Managing and Supporting the Windows Platform on AWS (GPSS...
AWS re:Invent 2016: Managing and Supporting the Windows Platform on AWS (GPSS...
 
Praktiline pilvekonverents - IT haldust hõlbustavad uuendused
Praktiline pilvekonverents - IT haldust hõlbustavad uuendusedPraktiline pilvekonverents - IT haldust hõlbustavad uuendused
Praktiline pilvekonverents - IT haldust hõlbustavad uuendused
 
azure-security-overview-slideshare-180419183626.pdf
azure-security-overview-slideshare-180419183626.pdfazure-security-overview-slideshare-180419183626.pdf
azure-security-overview-slideshare-180419183626.pdf
 
CloudStack Networking at CloudOpen Japan
CloudStack Networking at CloudOpen JapanCloudStack Networking at CloudOpen Japan
CloudStack Networking at CloudOpen Japan
 
VMworld 2013: NSX Security Solutions In Action - Deploying, Troubleshooting, ...
VMworld 2013: NSX Security Solutions In Action - Deploying, Troubleshooting, ...VMworld 2013: NSX Security Solutions In Action - Deploying, Troubleshooting, ...
VMworld 2013: NSX Security Solutions In Action - Deploying, Troubleshooting, ...
 
Azure Security Overview
Azure Security OverviewAzure Security Overview
Azure Security Overview
 

More from VMworld

VMworld 2016: vSphere 6.x Host Resource Deep Dive
VMworld 2016: vSphere 6.x Host Resource Deep DiveVMworld 2016: vSphere 6.x Host Resource Deep Dive
VMworld 2016: vSphere 6.x Host Resource Deep DiveVMworld
 
VMworld 2016: Troubleshooting 101 for Horizon
VMworld 2016: Troubleshooting 101 for HorizonVMworld 2016: Troubleshooting 101 for Horizon
VMworld 2016: Troubleshooting 101 for HorizonVMworld
 
VMworld 2016: What's New with Horizon 7
VMworld 2016: What's New with Horizon 7VMworld 2016: What's New with Horizon 7
VMworld 2016: What's New with Horizon 7VMworld
 
VMworld 2016: Virtual Volumes Technical Deep Dive
VMworld 2016: Virtual Volumes Technical Deep DiveVMworld 2016: Virtual Volumes Technical Deep Dive
VMworld 2016: Virtual Volumes Technical Deep DiveVMworld
 
VMworld 2016: Advances in Remote Display Protocol Technology with VMware Blas...
VMworld 2016: Advances in Remote Display Protocol Technology with VMware Blas...VMworld 2016: Advances in Remote Display Protocol Technology with VMware Blas...
VMworld 2016: Advances in Remote Display Protocol Technology with VMware Blas...VMworld
 
VMworld 2016: The KISS of vRealize Operations!
VMworld 2016: The KISS of vRealize Operations! VMworld 2016: The KISS of vRealize Operations!
VMworld 2016: The KISS of vRealize Operations! VMworld
 
VMworld 2016: Getting Started with PowerShell and PowerCLI for Your VMware En...
VMworld 2016: Getting Started with PowerShell and PowerCLI for Your VMware En...VMworld 2016: Getting Started with PowerShell and PowerCLI for Your VMware En...
VMworld 2016: Getting Started with PowerShell and PowerCLI for Your VMware En...VMworld
 
VMworld 2016: Ask the vCenter Server Exerts Panel
VMworld 2016: Ask the vCenter Server Exerts PanelVMworld 2016: Ask the vCenter Server Exerts Panel
VMworld 2016: Ask the vCenter Server Exerts PanelVMworld
 
VMworld 2016: Virtualize Active Directory, the Right Way!
VMworld 2016: Virtualize Active Directory, the Right Way! VMworld 2016: Virtualize Active Directory, the Right Way!
VMworld 2016: Virtualize Active Directory, the Right Way! VMworld
 
VMworld 2015: Troubleshooting for vSphere 6
VMworld 2015: Troubleshooting for vSphere 6VMworld 2015: Troubleshooting for vSphere 6
VMworld 2015: Troubleshooting for vSphere 6VMworld
 
VMworld 2015: Monitoring and Managing Applications with vRealize Operations 6...
VMworld 2015: Monitoring and Managing Applications with vRealize Operations 6...VMworld 2015: Monitoring and Managing Applications with vRealize Operations 6...
VMworld 2015: Monitoring and Managing Applications with vRealize Operations 6...VMworld
 
VMworld 2015: Advanced SQL Server on vSphere
VMworld 2015: Advanced SQL Server on vSphereVMworld 2015: Advanced SQL Server on vSphere
VMworld 2015: Advanced SQL Server on vSphereVMworld
 
VMworld 2015: Virtualize Active Directory, the Right Way!
VMworld 2015: Virtualize Active Directory, the Right Way!VMworld 2015: Virtualize Active Directory, the Right Way!
VMworld 2015: Virtualize Active Directory, the Right Way!VMworld
 
VMworld 2015: Building a Business Case for Virtual SAN
VMworld 2015: Building a Business Case for Virtual SANVMworld 2015: Building a Business Case for Virtual SAN
VMworld 2015: Building a Business Case for Virtual SANVMworld
 
VMworld 2015: Explaining Advanced Virtual Volumes Configurations
VMworld 2015: Explaining Advanced Virtual Volumes ConfigurationsVMworld 2015: Explaining Advanced Virtual Volumes Configurations
VMworld 2015: Explaining Advanced Virtual Volumes ConfigurationsVMworld
 
VMworld 2015: Virtual Volumes Technical Deep Dive
VMworld 2015: Virtual Volumes Technical Deep DiveVMworld 2015: Virtual Volumes Technical Deep Dive
VMworld 2015: Virtual Volumes Technical Deep DiveVMworld
 
VMworld 2015: Networking Virtual SAN's Backbone
VMworld 2015: Networking Virtual SAN's BackboneVMworld 2015: Networking Virtual SAN's Backbone
VMworld 2015: Networking Virtual SAN's BackboneVMworld
 
VMworld 2015: The Best SDDC!
VMworld 2015: The Best SDDC!VMworld 2015: The Best SDDC!
VMworld 2015: The Best SDDC!VMworld
 
VMworld 2015: Conversation with the VMware CIO Suggestions on being an IT Leader
VMworld 2015: Conversation with the VMware CIO Suggestions on being an IT LeaderVMworld 2015: Conversation with the VMware CIO Suggestions on being an IT Leader
VMworld 2015: Conversation with the VMware CIO Suggestions on being an IT LeaderVMworld
 
VMware 2015: Next Horizon for Cloud Networking and Security
VMware 2015: Next Horizon for Cloud Networking and SecurityVMware 2015: Next Horizon for Cloud Networking and Security
VMware 2015: Next Horizon for Cloud Networking and SecurityVMworld
 

More from VMworld (20)

VMworld 2016: vSphere 6.x Host Resource Deep Dive
VMworld 2016: vSphere 6.x Host Resource Deep DiveVMworld 2016: vSphere 6.x Host Resource Deep Dive
VMworld 2016: vSphere 6.x Host Resource Deep Dive
 
VMworld 2016: Troubleshooting 101 for Horizon
VMworld 2016: Troubleshooting 101 for HorizonVMworld 2016: Troubleshooting 101 for Horizon
VMworld 2016: Troubleshooting 101 for Horizon
 
VMworld 2016: What's New with Horizon 7
VMworld 2016: What's New with Horizon 7VMworld 2016: What's New with Horizon 7
VMworld 2016: What's New with Horizon 7
 
VMworld 2016: Virtual Volumes Technical Deep Dive
VMworld 2016: Virtual Volumes Technical Deep DiveVMworld 2016: Virtual Volumes Technical Deep Dive
VMworld 2016: Virtual Volumes Technical Deep Dive
 
VMworld 2016: Advances in Remote Display Protocol Technology with VMware Blas...
VMworld 2016: Advances in Remote Display Protocol Technology with VMware Blas...VMworld 2016: Advances in Remote Display Protocol Technology with VMware Blas...
VMworld 2016: Advances in Remote Display Protocol Technology with VMware Blas...
 
VMworld 2016: The KISS of vRealize Operations!
VMworld 2016: The KISS of vRealize Operations! VMworld 2016: The KISS of vRealize Operations!
VMworld 2016: The KISS of vRealize Operations!
 
VMworld 2016: Getting Started with PowerShell and PowerCLI for Your VMware En...
VMworld 2016: Getting Started with PowerShell and PowerCLI for Your VMware En...VMworld 2016: Getting Started with PowerShell and PowerCLI for Your VMware En...
VMworld 2016: Getting Started with PowerShell and PowerCLI for Your VMware En...
 
VMworld 2016: Ask the vCenter Server Exerts Panel
VMworld 2016: Ask the vCenter Server Exerts PanelVMworld 2016: Ask the vCenter Server Exerts Panel
VMworld 2016: Ask the vCenter Server Exerts Panel
 
VMworld 2016: Virtualize Active Directory, the Right Way!
VMworld 2016: Virtualize Active Directory, the Right Way! VMworld 2016: Virtualize Active Directory, the Right Way!
VMworld 2016: Virtualize Active Directory, the Right Way!
 
VMworld 2015: Troubleshooting for vSphere 6
VMworld 2015: Troubleshooting for vSphere 6VMworld 2015: Troubleshooting for vSphere 6
VMworld 2015: Troubleshooting for vSphere 6
 
VMworld 2015: Monitoring and Managing Applications with vRealize Operations 6...
VMworld 2015: Monitoring and Managing Applications with vRealize Operations 6...VMworld 2015: Monitoring and Managing Applications with vRealize Operations 6...
VMworld 2015: Monitoring and Managing Applications with vRealize Operations 6...
 
VMworld 2015: Advanced SQL Server on vSphere
VMworld 2015: Advanced SQL Server on vSphereVMworld 2015: Advanced SQL Server on vSphere
VMworld 2015: Advanced SQL Server on vSphere
 
VMworld 2015: Virtualize Active Directory, the Right Way!
VMworld 2015: Virtualize Active Directory, the Right Way!VMworld 2015: Virtualize Active Directory, the Right Way!
VMworld 2015: Virtualize Active Directory, the Right Way!
 
VMworld 2015: Building a Business Case for Virtual SAN
VMworld 2015: Building a Business Case for Virtual SANVMworld 2015: Building a Business Case for Virtual SAN
VMworld 2015: Building a Business Case for Virtual SAN
 
VMworld 2015: Explaining Advanced Virtual Volumes Configurations
VMworld 2015: Explaining Advanced Virtual Volumes ConfigurationsVMworld 2015: Explaining Advanced Virtual Volumes Configurations
VMworld 2015: Explaining Advanced Virtual Volumes Configurations
 
VMworld 2015: Virtual Volumes Technical Deep Dive
VMworld 2015: Virtual Volumes Technical Deep DiveVMworld 2015: Virtual Volumes Technical Deep Dive
VMworld 2015: Virtual Volumes Technical Deep Dive
 
VMworld 2015: Networking Virtual SAN's Backbone
VMworld 2015: Networking Virtual SAN's BackboneVMworld 2015: Networking Virtual SAN's Backbone
VMworld 2015: Networking Virtual SAN's Backbone
 
VMworld 2015: The Best SDDC!
VMworld 2015: The Best SDDC!VMworld 2015: The Best SDDC!
VMworld 2015: The Best SDDC!
 
VMworld 2015: Conversation with the VMware CIO Suggestions on being an IT Leader
VMworld 2015: Conversation with the VMware CIO Suggestions on being an IT LeaderVMworld 2015: Conversation with the VMware CIO Suggestions on being an IT Leader
VMworld 2015: Conversation with the VMware CIO Suggestions on being an IT Leader
 
VMware 2015: Next Horizon for Cloud Networking and Security
VMware 2015: Next Horizon for Cloud Networking and SecurityVMware 2015: Next Horizon for Cloud Networking and Security
VMware 2015: Next Horizon for Cloud Networking and Security
 

Recently uploaded

"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 

Recently uploaded (20)

"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 

VMworld 2013: NSX PCI Reference Architecture Workshop Session 2 - Privileged User Control

6. Four Steps to Controlling Privileged Users in the SDDC
 Create Controlled Access Points to the SDDC Edge
• NSX Edge VPN Services or Partner such as Xceedium
• Establish LDAP Role Based Access Controls to govern session criteria
• Provide ‘jump box’ configured with desired client applications/browser
 Establish NSX Identity Aware Firewall Policies
• Propagate identity context of remote session to NSX Edge firewall
• Ensures LDAP Group membership to access target application
 Provide Prescribed Session for Conducting Administrative Activities
• Time bound sessions, privileged user password vaulting, multi-factor authentication, etc.
• Integration with other services to dynamically define session criteria
 Leverage User Activity Monitoring for Audit
• Expands typical source/destination log information to application context
• Integrating syslog data with event correlation engine provides other integration possibilities

7. NSX Edge SSL VPN Services
Diagram labels: All SDDC and Application Admin Role; Admin; VSM 10.112.243.44; VPN External Interface 10.112.243.45; Internal Interface 192.168.1.1; Internet; Virtual IP 192.168.27.2; Corporate LAN 192.168.1.0/24; Remote User
Step 1: Enable SSL Service
Step 2: Configure Private Network
Step 3: Dynamic IP Pool (the remote user will get an IP in this range)
Step 4: Client Install Package
Step 5: Configure User Authentication Methods
• Local Database
• AD
• LDAP
• Radius
• RSA
Configuration is now complete; the user is ready to connect.
NSX Edge SSL-VPN provides controlled access to a Jump Box with administrative tools located in a controlled location.

8. NSX Edge VPN with AES-NI
 Up to 40% performance increase by supporting the Intel® AES-NI (AES New Encryption Instruction Set).
 The Edge offloads the AES encryption of data to the hardware on supported Intel Xeon and 2nd generation Intel Core processors.
 No user configuration needed to enable: AES-NI support in hardware is auto-detected.
 Supports both pre-shared key (PSK) and certificate authentication modes
 Encryption algorithms: 3DES, AES (128 and 256 bits)
 Performance: 1 Gbps throughput

9. Step 1: Establish Secure Bastion Host DMZ with NSX Edge
Providing access to tools used for administrative tasks must be controlled with role based access to an approved session.
Role:  SDDC Administrator;  Application or Database Administrator
Action (NSX Edge Manager):  Configure SSL-VPN/AD Integration;  Configure ‘Jump Box’
Action (Xceedium):  Establish Policies for Admin actions on protected assets
Diagram labels: VXLAN; .1Q; Network Fabric; WAN; Internet
11. The Problems We Solve
– Protect Enterprises from Privileged User Risks
– Manage Privileged Access Across Traditional, Virtualized, Cloud, and Hybrid Enterprises
– Enforce Audit and Compliance Controls: PCI DSS, HIPAA/HITECH, NERC CIP, FISMA, SOX
– Enable Secure Migration of Enterprise Applications to the Cloud
– Federate Privileged Identity Across Hybrid Cloud Architectures
© 2013 Xceedium, Inc.

12. Introducing Privileged Identity Management for the New Enterprise
Enterprise-Class Core: Identity Integration; Unified Policy Management; Control and Audit All Privileged Access
• Vault Credentials
• Centralized Authentication
• Federate Identity
• Privileged Single Sign-on
• Role-Based Access Control
• Monitor & Record Activity
• Full Attribution
• Protect End Systems, Consoles, APIs
Traditional Data Center: Mainframe, Windows, Linux, Unix, Networking
New Enterprise: Virtualized Data Center (VMware Console / APIs); SaaS Applications (SaaS App Console); Public Cloud - IaaS (Cloud Console / APIs)
Hardware Appliance; Cloud Appliance; OVF Virtual Appliance

13. Xsuite for VMware: PIM for VMware vSphere and vCloud
Auto-discovery and provisioning of all VMware infrastructure virtual machines via VMware’s API
• Dynamic discovery and provisioning for access of virtual machines
Role based privileged access control & single sign-on across:
• Enterprise systems, vCenter, vShield, vCloud Director, and the new NSX consoles, as well as physical and virtual machines
Separation of duties for vCenter, vShield, vCloud Director, and NSX Console
Full audit trail and session recording across:
• Enterprise systems, vCenter, vShield, vCloud Director, NSX Console, and all virtual machine privileged user sessions
• API access to VMware vShield & vCloud
Password and access key management:
• Vaulting and lifecycle management of all privileged user credentials for: enterprise systems, vCenter, vShield, vCloud Director, NSX Console, AD based console users and virtual machines
Strong authorization and attributed use:
• Support for multi-factor authentication
• Detailed record of who is using each account, even for shared accounts (vCenter, vShield, vCloud Director, and the new NSX Console, Unix root accounts, Windows admin accounts)

14. VMware Reference Architecture
Target server connection in a controlled, audited, and recorded enterprise network
• Privileged users authenticate to Xsuite (OVF based virtual appliance) through the Xceedium client with credentials, PIV, CAC, or smartcard
• Xsuite authenticates the user/group with AD/LDAP and Radius (PIV/CAC revocation server and ADFS server shown alongside)
• Client receives transparent access to the target server
• Virtual machines are discovered by the VI SDK API and provisioned via vCenter tagging
• Post API/sessions: the user is logged in as the provisioned user to the provisioned org, with access, recording and audit
Targets: VMware vSphere Console; VMware vCloud Director; VMware vShield Console; VMware NSX Console; VM target devices
Logging: Syslog; Splunk; VMware Log Insight; session recordings. Full audit of all VMware console & virtual machine privileged user activity
  • 15. 15 Demo: Establish NSX Edge SSL-VPN and Partner Solutions
  • 16. 16 Role  SDDC Administrator  Application or Database Administrator Action In Service composer / Firewall  Edit source / destination  Edit identity based security groups Step 2: Protect Your Secure Zones with NSX Identity Firewall It is critical to provide purpose driven firewall rules that restrict access to controlled VMs to only those nodes which require access VXLAN VXLAN Network Fabric WAN Internet .1Q .1Q VXLAN .1Q
  • 17. 17 Identity Based Access Control Active Directory Eric Frost User AD Group App Name Originating VM Name Destination VM Name Source IP Destination IP Eric Frost DBA PGAdmin.exe Eric-Win7 vPostgres-GL 192.168.10.75 192.168.10.78 IP: 192.168.10.75 AD Source Destination Source IP Destination IP DBA vPostgres-GL 192.168.10.75 192.168.10.78 Rule Table Logs
  • 18. Demo: Create NSX Firewall Rules for Controlling Access
  • 19. Step 3: Access Prescribed Session for Governed Activities
    Providing a role based, access controlled, multi-factor authenticated session creates a trusted, least privilege connection to the target.
    Role
      • Application or Database Administrator
    Action: SSL-VPN or Xceedium Client
      • Authenticate to the jump box with role based control
      • Leverage appropriate administrative tool(s) with identity firewall controlled access
    (diagram: VXLAN network fabric with 802.1Q uplinks, WAN, and Internet)
  • 20. Demo: Establish Secure Desktop Networking for Role Based Sessions
  • 21. Step 4: Privileged User Activity Monitoring
    NSX provides logging of privileged user activity, expanded to incorporate identity firewall rules as well as the application used for access.
    Role
      • SDDC Administrator
      • Information Risk Personnel
    Action
      • In NSX Manager: review session logs for approved activity
      • In Xceedium: record session for review
    (diagram: VXLAN network fabric with 802.1Q uplinks, WAN, and Internet)
  • 22. What is VMware Activity Monitoring?
    Visibility into group, application and destination activity in the virtual environment, which generates an activity log of:
      • Applications running on virtual machines
      • Server access by Desktop Pool, Security Group or AD Group
      • Interactions between groups (SG, AD, DP)
    (diagram: Dev Security Group, Developer AD Group, Desktop Pool, Security Group, AD Group)
  • 23. With / Without NSX: Visibility Comparison
    Today (IP-only flow record):
      Source       | Destination
      172.16.254.1 | 172.16.112.2
    With Activity Monitoring (identity supplied by VM Tools; Active Directory user Eric Frost):
      User | AD Group | App Name    | Originating VM Name | Destination VM Name  | Source IP     | Destination IP
      Eric | DBA      | Pgadmin.exe | Windows 7           | PostgreSQL DB Server | 192.168.10.75 | 192.168.10.78
    (diagram components: Active Directory, VSM, SVM, Compute, Management, Gateway)
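Added example, not code from the deck or from VMware: a small Python model of the two views on slides 17 and 23. An IP-only flow (the "today" record) is enriched with the user, AD group, application and VM names that guest introspection would supply, then matched against a rule table keyed by AD group and destination VM with default deny. The endpoint context table, the rule table, and all names and IPs are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed endpoint context: what VM Tools / Activity Monitoring would report
# for each guest (logged-in user, AD groups, VM name). Not real NSX data.
ENDPOINT_CONTEXT = {
    "192.168.10.75": {"vm": "Eric-Win7", "user": "Eric Frost", "groups": {"DBA"}},
    "192.168.10.78": {"vm": "vPostgres-GL", "user": None, "groups": set()},
    "192.168.10.90": {"vm": "Bob-Win7", "user": "Bob Lee", "groups": {"Developer"}},
}

@dataclass(frozen=True)
class Rule:
    """One identity firewall rule: AD group -> destination VM, optional app."""
    source_group: str
    destination_vm: str
    app: Optional[str] = None   # process name on the originating guest, if constrained
    action: str = "allow"

# Constructed rule table in the shape of slide 17; anything unmatched is denied.
RULES = [Rule("DBA", "vPostgres-GL", app="PGAdmin.exe")]

def enrich(flow):
    """Build the identity log row (user, AD groups, app, VM names, IPs) for a flow.
    Unknown IPs leave the identity fields empty: that is the 'today' view."""
    src = ENDPOINT_CONTEXT.get(flow["src_ip"], {})
    dst = ENDPOINT_CONTEXT.get(flow["dst_ip"], {})
    return {
        "user": src.get("user"),
        "groups": src.get("groups", set()),
        "app": flow.get("app"),
        "src_vm": src.get("vm"),
        "dst_vm": dst.get("vm"),
        "src_ip": flow["src_ip"],
        "dst_ip": flow["dst_ip"],
    }

def evaluate(flow):
    """Return (decision, matched_rule, log_row); default deny when no rule matches."""
    log = enrich(flow)
    app = (log["app"] or "").lower()
    for rule in RULES:
        if (rule.source_group in log["groups"]
                and rule.destination_vm == log["dst_vm"]
                and (rule.app is None or rule.app.lower() == app)):
            return rule.action, rule, log
    return "deny", None, log
```

Calling evaluate() on the 192.168.10.75 -> 192.168.10.78 PGAdmin.exe flow returns "allow" with the DBA rule, while the same flow from an endpoint with no DBA membership, or with a different application, falls through to the default deny.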
  • 24. Demo: Privileged User Activity Monitoring
  • 25. Summary – Value Achieved via Privileged User Control
    • Leveraging NSX Edge and partner technologies facilitates strong authentication and role based authorization to a bastion host as a single point of entry
    • Establishing NSX Distributed Firewall identity based rules extends the paradigm to support access to the target only via prescribed means
    • Supports enhanced integration with other processes like service desk requests or other deep packet monitoring tools to validate activities
    • Information Risk professionals and auditors have access to information from Activity Based Monitoring and partner technologies like Xceedium to create irrefutable chains of evidence that only approved activities were conducted
  • 26. VMworld: Security and Compliance Sessions
    NSX
      • 5318: NSX Security Solutions In Action (201)
      • 5753: Dog Fooding NSX at VMware IT (201)
      • 5828: Datacenter Transformation (201)
      • 5582: Network Virtualization across Multiple Data Centers (201)
    NSX Firewall
      • 5893: Economies of the NSX Distributed Firewall (101)
      • 5755: NSX Next Generation Firewalls (201)
      • 5891: Build a Collapsed DMZ Architecture (301)
      • 5894: NSX Distributed Firewall (301)
    NSX Service Composer
      • 5749: Introducing NSX Service Composer (101)
      • 5750: NSX Automating Security Operations Workflows (201)
      • 5889: Troubleshooting and Monitoring NSX Service Composer (301)
    Compliance
      • 5428: Compliance Reference Architecture Framework Overview (101)
      • 5624: Accelerate Deployments – Compliance Reference Architecture (Customer Panel) (201)
      • 5253: Streamlining Compliance (201)
      • 5775: Segmentation (301)
      • 5820: Privileged User Control (301)
      • 5837: Operational Efficiencies (301)
    Other
      • 5589: Healthcare Customer Case Study: Maintaining PCI, HIPAA and HITECH Compliance in Virtualized Infrastructure (Catbird – Jefferson Radiology)
      • 5178: Motivations and Solution Components for Enabling Trusted Geolocation in the Cloud - A Panel Discussion on NIST Reference Architecture (IR 7904) (Intel and HyTrust)
      • 5546: Insider Threat: Best Practices and Risk Mitigation Techniques that Your VMware Based IaaS Provider Better Be Doing! (Intel)
  • 27. For More Information…
    • VMware Collateral
      • VMware Approach to Compliance
      • VMware Solution Guide for PCI
      • VMware Architecture Design Guide for PCI
      • VMware QSA Validated Reference Architecture PCI
    • Partner Collateral
      • VMware Partner Solution Guides for PCI
    • How to Engage?
      • compliance-solutions@vmware.com
      • @VMW_Compliance on Twitter