Kausum Kumar
VMware
NSX Security Deep Dive
NET4285
Disclaimer
CONFIDENTIAL 3
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
Finding Needles in the Haystack
Agenda
1. Challenges with existing security controls
2. Introducing NSX Security
3. Automating Security
4. Benefits
5. Use Cases
6. Summary & Next Steps
1. Firewall Challenges in the SDDC

Physical Firewalls
• No Micro-segmentation
• Hardware CAPEX
• Choke point
• Rule sprawl (IP, MAC-based)
• Trombone Traffic

Virtual Firewalls (VMs)
• Eliminate hardware
• Choke points w/ low performance (1-3 Gbps)
• Rule sprawl (IP, MAC-based)

Rule sprawl, one IP pair per rule:
Src          Dst
192.168.1.1  192.168.5.2
10.0.0.1     10.0.2.5
10.0.0.2     10.0.2.5
10.0.0.3     10.0.2.5

[Diagram: Web, App and DB VMs]
2. Force Choosing between Context and Isolation

[Diagram: Guest VM / Hypervisor / Network layers]
Host Based Security Controls: High Context, Low Isolation
Network Based Security Controls: Low Context, High Isolation
3. Require In-guest Agents that Are Resource Intensive

• Security controls prone to attack
• Manual deployment and policy management
• No visibility into application, process, file, user or overall security posture

[Diagram: Third-Party Management Consoles; Utilization (CPU, Memory, Storage) against Consolidation Ratio (Low to High)]
• Separate agent required per VM per service
• Adding new services requires manual deployment at each guest
• Scheduled scans hit the same underlying infrastructure at the same time
4. Hard to Automate Workflows across Services

• Manual workflows due to lack of interoperability and automation across “best-of-breed” security products
• Endpoint control events do not trigger network controls

Security Today Isn’t Optimized for SDDC, with Negative Impact to Agility, Cost

• Software-based solutions: impact performance (CPU, Memory, Storage); lack isolation, attack surface in guest → security risks
• Network-based solutions: lack app context → rule sprawl, complex troubleshooting
• Network scanner
NSX Transforms Security for Optimal Context and Isolation While Minimizing Resource Overhead

Isolation – fine-grained containment
Context – better security through insight
Ubiquity
Ecosystem of Distributed Services
Core Services Built Into Hypervisor Kernel: Switching, Routing, Firewalling
NSX Provides Built-in Services to Manage the Security Posture of Workloads at Scale

Shared Context
• Guest Introspection: NSX driver pulls and shares file, user identity, process (application), network connections, registry keys etc.
• Network Introspection: full network traffic visibility @vNIC, vSwitch, or Edge

Built-In Services (VMware Services): Firewall, Identity Firewall, Server Access Monitoring, VPN (IPSEC, SSL), DLP, L2 and L3 Connectivity
NSX Distributed Firewall
• Delivers Micro-Segmentation
• Efficient rule management
• Dynamic Policy (e.g. AV, DLP, Vulnerability Scan)
• No choke points with scale out performance (20 Gbps)
• Enabled for cloud automation

Rules based on logical containers:
Src      Dst
ANY      Shared Service
Desktop  WEB_GROUP

Platform for Distributed Services: WEB_GROUP carries the “Web Policy” (Firewall – allow inbound HTTP/S, allow outbound ANY). Firewall policies are pre-approved, used repeatedly by cloud automation.
[Diagram: Web, App and DB VMs]

NSX Distributed Firewall is Optimized for SDDC
[Diagram: Internet, Perimeter Firewalls, Cloud Management Platform, Security Policy]
Leverage Distributed Firewall for Micro-Segmentation
• Hypervisor-based, in kernel distributed firewalling
• Platform-based automated provisioning and workload adds/moves/changes
NSX Enables Using Third Party Services to Manage the Security Posture of Workloads at Scale

Shared Context
• Guest Introspection: NSX driver pulls and shares file, user identity, process (application), network connections, registry keys etc.
• Network Introspection: full network traffic visibility @vNIC, vSwitch, or Edge

Service Insertion Architecture
Third-Party Services: DLP, Firewall, Vulnerability Management, Antivirus, Intrusion Prevention, Identity and Access Mgmt, Security Policy Management, …and more in progress
Advanced Services Insertion – Example: Palo Alto Networks NGFW
[Diagram: Internet; traffic steering; Security Policy defined by the Security Admin]
Secure SDDC with VMware NSX
Security services are managed more efficiently in a software-defined datacenter

NSX Network Virtualization Platform
Built-In Services: Firewall, Data Security (DLP), Server Activity Monitoring, VPN (IPSEC, SSL)
Third-Party Services: Antivirus, Vulnerability Management, Identity and Access Mgmt, DLP, Firewall, Intrusion Prevention, Security Policy Management, …and more in progress

Deploy: Provision and monitor uptime of different services, using one method (Service Insertion)
Apply: Apply and visualize security policies for workloads, in one place (Security Groups, Security Policies)
Automate: Automate workflows across best-of-breed services, without custom integration (Security Tags)
Register Security Services with VMware NSX
Service Definitions: built-in and 3rd-party services (Firewalling, VPN, Data Security, Activity Monitoring)
Service categories, vendors, versions are visible in one central view
NSX Security Service Insertion Architecture
[Diagram, components as numbered on the slide:]
• NSX Manager
• Third-Party Management Console
• NSX Built-in Security Services (Distributed): Logical Firewall, Logical Switch
• NSX Built-in Security Services (Appliance per host)
• NSX Partner Services (Appliance per host)
• Guest Introspection
• Network Introspection
• Host Modules
Security Groups & Security Policies
• End-Users and Cloud Admins are able to define security policies based on service profiles already defined or approved by the Security Admin.
• Security policies are applied to one or more security groups where workloads are members.

SECURITY GROUP – WHAT you want to protect: Members (VM, vNIC) and Context (user identity, security posture)
SECURITY POLICY – HOW you want to protect it: Services (firewall, antivirus, IPS etc.) and Profiles (labels representing specific policies)
Example policy “Standard Web”: Firewall – allow inbound HTTP/S, allow outbound ANY; IPS – prevent DOS attacks, enforce acceptable use
Security Policies and Security Groups
NSX simplifies provisioning, audit, troubleshooting of security

SECURITY GROUP – WHAT you want to protect; SECURITY POLICY – HOW you want to protect it
1 Policy Provisioning: Define once (policy), use many (security groups). Tied to workload, not to infrastructure.
2 Audit: Validate controls in one place – available services, applied policies.
3 Troubleshooting: When an app doesn’t work, can start by observing the workload and all related security policies – rather than infer from infrastructure security.
Security Groups
Definition: Security Group = (Dynamic Inclusion + Static Inclusions) – Static Exclusion
• Dynamic Inclusion (VM-centric): Computer OS Name, Computer Name, VM Name, Security Tag, Entity
• Static Inclusion and Static Exclusion (infrastructure-centric): Security Group, Cluster, Logical Switch, Network, vApp, Datacenter, IP Sets, Active Directory Group, MAC Sets, Security Tag, vNIC, VM, Resource Pool, DVS Port Group
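The membership formula above, worked through in code. This is an added example and not NSX code: the VM records, the tag names (such as "av:virus-found") and the two group definitions are constructed for the illustration, and the dynamic criteria are reduced to predicates over a few VM attributes. It also shows the workload-centric view (which groups a given VM ends up in) and what happens when a service tags a VM after the fact.

```python
"""Evaluating security group membership the way the slide defines it:
Security Group = (Dynamic Inclusion + Static Inclusions) - Static Exclusion.
Added illustration, not NSX code; VM records, tag names and group
definitions below are constructed for the example."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VM:
    """Minimal stand-in for a vCenter VM object (constructed attributes)."""
    name: str
    os_name: str
    cluster: str
    tags: frozenset = frozenset()


@dataclass
class SecurityGroup:
    """dynamic: predicates over VM attributes (OS name, VM name, tag, ...).
    static_include / static_exclude: explicitly listed VM names."""
    name: str
    dynamic: list = field(default_factory=list)
    static_include: set = field(default_factory=set)
    static_exclude: set = field(default_factory=set)

    def members(self, inventory):
        """Set of VM names that are members right now."""
        dynamic = {vm.name for vm in inventory if any(p(vm) for p in self.dynamic)}
        # The slide's formula: union the dynamic and static inclusions,
        # then remove the static exclusions, which always win.
        return (dynamic | self.static_include) - self.static_exclude


# Dynamic-inclusion criteria of the kinds listed on the slide.
def tag_is(tag):
    return lambda vm: tag in vm.tags


def os_name_contains(text):
    return lambda vm: text.lower() in vm.os_name.lower()


def vm_name_starts_with(prefix):
    return lambda vm: vm.name.startswith(prefix)


def memberships(inventory, groups):
    """Workload-centric view: for each VM, the security groups it belongs to."""
    view = {vm.name: set() for vm in inventory}
    for group in groups:
        for name in group.members(inventory):
            view[name].add(group.name)
    return view


def quarantine(vm, tag="av:virus-found"):
    """Simulate a service tagging a VM; VM is frozen, so return a new record."""
    return VM(vm.name, vm.os_name, vm.cluster, vm.tags | {tag})


# Constructed inventory and group definitions.
INVENTORY = [
    VM("web-01", "Ubuntu Linux (64-bit)", "prod", frozenset({"tier:web"})),
    VM("web-02", "Ubuntu Linux (64-bit)", "prod", frozenset({"tier:web", "av:virus-found"})),
    VM("app-01", "Microsoft Windows Server 2012", "prod"),
    VM("legacy-web", "Microsoft Windows Server 2003", "legacy", frozenset({"tier:web"})),
]

SG_WEB = SecurityGroup(
    "SG-WEB",
    dynamic=[vm_name_starts_with("web-"), tag_is("tier:web")],
    static_exclude={"legacy-web"},       # matches the tag but is deliberately kept out
)
SG_QUARANTINE = SecurityGroup(
    "SG-QUARANTINE",
    dynamic=[tag_is("av:virus-found")],  # set by the AV service, picked up automatically
    static_include={"app-01"},           # an analyst quarantined this one by hand
)
GROUPS = [SG_WEB, SG_QUARANTINE]


if __name__ == "__main__":
    for name, groups in sorted(memberships(INVENTORY, GROUPS).items()):
        print(f"{name:12s} {sorted(groups)}")
```

Because membership is recomputed from current attributes, a VM that receives the quarantine tag joins SG-QUARANTINE with no rule edit; a static exclusion is the only thing that overrides a matching dynamic criterion.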
Automate Security Operations to respond to rapidly changing security conditions

Without VMware NSX
• Manual workflows
• No interoperability between best-of-breed security products

With VMware NSX
• Security is automated
• If one service finds something, then another service can do something about it

Create repeatable, automated workflows across best-of-breed security products with VMware NSX
Advanced Services Insertion
Traditional Data Center: static service chain. NSX Data Center: dynamic service chain.
• Flexible service chain that adapts to changing conditions – more efficient use of services, better security by sharing tags
• Platform for integrating the leading security products
NSX enables dynamic actions to respond to changing security conditions
1. Optimized for Performance
[Diagram: Utilization (CPU, Memory, Storage) against Consolidation Ratio (Low to High)]
1 Reduces attack surface
2 Stronger protection – cannot be turned off by malware
3 Eliminates overhead of agent resources, management
4 Reduces VM footprint, enables higher consolidation
2. Automated Ubiquitous Deployment & Enforcement
1. ESX Host added to cluster
2. Automated: NSX deploys Guest Introspection Framework, Service VMs (Partner & VMW)
3. VM brought up on host
4. Automated: Appropriate Security Policies applied
5. VM vMotions to a different host
6. Automated: Appropriate Security Policies applied
3. Visibility into In-guest Events
• Users Logging In
• Files Accessed
• Network Connections
• System Events
• Applications Running
• Canned Reports
Identity Based Access Control
[Diagram: Active Directory; user Eric Frost logging in from IP 192.168.10.75; logs]
User        AD Group     App Name        Originating VM Name  Destination VM Name  Source IP      Destination IP
Eric Frost  Engineering  SPDesigner.exe  Eric-Win7            Ent-Sharepoint       192.168.10.75  192.168.10.78

Demo: VMware NSX Activity Monitoring
4. Simplified Policy Management & Automation across Services
[Diagram: Virtualization Platform, NSX Manager, Cloud Management Portal]
Roles: 1 Security Admin, 2 NSX Admin, 3 Cloud Architect (via the Cloud Management Portal)
Objects in NSX Manager: Security Policy (HOW you want to protect it), Security Group (WHAT you want to protect)
5. Automated Security Policy Enforcement with increased visibility

Security-Centric View
• Containers – grouping of VMs, IPs, and more…to define WHAT you want to protect, e.g. “Financial Applications”, “Desktop Users”, “Quarantine Zone”
• Nested containers – other groupings within the container, e.g. “Quarantine Zone” is a sub group within “My Data Center”
• VMs (workloads) that belong to this container, e.g. “Apache-Web-VM”, “Exchange Server-VM”
• Policies – collection of service profiles – assigned to this container…to define HOW you want to protect this container, e.g. “PCI Compliance” or “Quarantine Policy”
• Service profiles for *deployed* services, assigned to these policies
Services supported today:
• Distributed Virtual Firewall
• Anti-virus
• Vulnerability Management
• Network IPS
• Data Security (DLP scan)
• User Activity Monitoring
• File Integrity Monitoring
Workload-Centric View: Security Groups & Tags Assigned to a VM
[Diagram: Virtual Machine – Protected in security group? Any security issues?]

Workload-Centric View: All Security Policies Applied to a VM

Monitor Uptime of Different Services
Service Deployments: installation and service status
Installation Status & Service Status are visible in one central view
Eliminate Policy Sprawl through Automation
No manual cleanup necessary during application decommissioning
[Diagram: SECURITY POLICY “Standard Web” (Firewall – allow inbound HTTP/S, allow outbound ANY; IPS – prevent DOS attacks, enforce acceptable use) applied to two SECURITY GROUPs]
Increase Visibility into Service Availability
[Diagram: Virtualization Platform]
• Restart Security Virtual Appliances upon detection of service health failure
• Error messages provide insight into why service failed
Scenario 1: Vulnerability Management Optimized for SDDC
[Diagram: VMware Network and Security Platform – Built-In Services (Firewall, Data Security (DLP), Server Activity Monitoring, VPN (IPSEC, SSL)) and Third-Party Services (Antivirus, DLP, Firewall, Vulnerability Management, Intrusion Prevention, Identity and Access Mgmt, Security Policy Management, …and more in progress)]
Traditional Challenges in Vulnerability Management
[Diagram: network scanner]
1 Scan IP range for asset inventory (NMAP)
2 Run port scan on live systems – set of IPS alarms
3 Whitelist scanner IP address on IPS
4 Scans return inaccurate info
5 Must secure system credentials to run accurate scans
6 Scans run over virtual network, impacting app performance
Vulnerability Management Optimized for SDDC Using NSX
[Diagram: Virtualization Platform; Guest Introspection shares file, user identity, process (application), network connections, registry keys, etc.]
• No network scans required
• Get all VM asset inventory from vCenter
• Get all VM context – file, process, registry key – via NSX Guest Introspection
• No credentials required for server scans – in-guest driver runs credentialed scan
Simplified Deployment: automated deployment of 3rd party appliance to all selected clusters in data center
Scenario 2: Context Based Isolation in VDI Environment
[Diagram: VMware Network and Security Platform with built-in and third-party services]
Virus Detection Triggers Isolation and Remediation
[Diagram: security groups Employee Desktops SG, Front Desk SG, IT Admin Desktops SG, Infected System SG; Shared Resources: Records, Scheduling App, IT Services; NSX]
“All Desktops”: AV – Agentless Scan
Infected System SG: AV – Scan and Remediate; DFW: Block access to applications
Scenario 3: Minimizing Attack Surface
[Diagram: VMware Network and Security Platform with built-in and third-party services]
Vulnerability Scan Triggers Traffic Introspection
[Diagram: Employee Desktops SG, Front Desk SG, IT Admin Desktops SG, Vulnerable SG, Shared Apps SG; Shared Resources: Records, Scheduling App, IT Services; NSX]
“Applications”: Vulnerability Scan
“Vulnerable”: IPS
Scenario 4: Traffic Redirection to Advanced Services – e.g. PAN

SECURITY GROUP (WHAT you want to protect): SG-WEB
SECURITY POLICY (HOW you want to protect it): SP-PAN-Redirect, “PAN redirect”
Network Introspection Services (= traffic redirection): traffic from WEB to APP, service Tomcat – redirect to PAN

[Diagram: WEB Tier (DVS Port Group or Logical Switch) with VM1 1.1.1.1 and VM2 1.1.1.2 in SG-WEB; APP Tier (DVS Port Group or Logical Switch) with VM3 2.2.2.1 and VM4 2.2.2.2 in SG-APP; Tomcat traffic between the tiers]

Network Introspection Rule:
Source       Dest    Service  Action
Policy’s SG  SG-APP  Tomcat   Redirect to PAN

• Any Tomcat traffic from WEB Tier to APP Tier is redirected to PAN VM-Series FW
• Any other traffic from WEB Tier to APP Tier is not redirected to PAN
• Traffic hits the DFW first and then the traffic redirection rule: Tomcat traffic must be allowed by a DFW rule, otherwise it cannot be redirected to PAN
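The enforcement order on this slide (DFW first, redirection second) is easy to get wrong when troubleshooting, so here it is as an added example. This is not NSX code: the VM-to-group mapping follows the slide's diagram, but the Tomcat port (8080/tcp), the extra SSH rule and the shape of the rule tables are assumptions made for the illustration. The last case in the test shows the caveat from the slide: with no DFW allow rule for Tomcat, the flow is dropped and the redirection rule is never reached.

```python
"""Enforcement order described on the slide: a flow is matched against the
Distributed Firewall (DFW) first, and only traffic the DFW allows reaches the
Network Introspection (traffic redirection) rule. Added example, not NSX code;
group mapping, addresses, the Tomcat port and the rule tables are constructed."""
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


# From the slide's diagram: WEB tier VMs are in SG-WEB, APP tier VMs in SG-APP.
VM_GROUPS = {
    "1.1.1.1": {"SG-WEB"}, "1.1.1.2": {"SG-WEB"},
    "2.2.2.1": {"SG-APP"}, "2.2.2.2": {"SG-APP"},
}
# Service objects; Tomcat on 8080/tcp is an assumption for this example.
SERVICES = {"Tomcat": ("tcp", 8080), "SSH": ("tcp", 22)}

# Rule tuples: (source group, destination group, service, action),
# evaluated top-down, first match wins.
DFW_RULES = [
    ("SG-WEB", "SG-APP", "Tomcat", "allow"),
    ("SG-WEB", "SG-APP", "SSH", "allow"),
    (ANY, ANY, ANY, "block"),                        # default deny
]
# The slide's rule: Policy's SG (SG-WEB) -> SG-APP, Tomcat -> Redirect to PAN.
REDIRECT_RULES = [
    ("SG-WEB", "SG-APP", "Tomcat", "redirect:PAN"),
]


def _matches(rule, flow):
    src_sg, dst_sg, service, _ = rule
    if src_sg != ANY and src_sg not in VM_GROUPS.get(flow.src_ip, set()):
        return False
    if dst_sg != ANY and dst_sg not in VM_GROUPS.get(flow.dst_ip, set()):
        return False
    if service != ANY and SERVICES[service] != (flow.proto, flow.dst_port):
        return False
    return True


def first_match(rules, flow):
    """Action of the first rule that matches the flow, or None."""
    for rule in rules:
        if _matches(rule, flow):
            return rule[3]
    return None


def enforce(flow, dfw_rules=DFW_RULES, redirect_rules=REDIRECT_RULES):
    """Disposition of a flow: 'blocked', 'allowed', or 'allowed+redirect:PAN'."""
    if first_match(dfw_rules, flow) != "allow":
        return "blocked"      # dropped by the DFW; redirection is never consulted
    action = first_match(redirect_rules, flow)
    return "allowed" if action is None else f"allowed+{action}"


if __name__ == "__main__":
    for f in (Flow("1.1.1.1", "2.2.2.1", 8080), Flow("1.1.1.1", "2.2.2.1", 22),
              Flow("2.2.2.1", "1.1.1.1", 8080)):
        print(f, "->", enforce(f))
```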
Security Partner Integrations
Partner Ecosystem: NSX is the platform for integrating advanced security services

Next-generation IPS
• Granular protection of individual VM workloads with customizable policy definitions
Malware Protection
• Data Center security with agentless anti-malware and guest network threat protection
• Real-time, dynamic threat protection and response for workloads moving between hosts and virtual data centers
• Automation of advanced malware interception
• Unified management for physical and virtual sensors
Vulnerability Management
• Automatic vulnerability risk assessment
• Data Center wide real-time risk visibility
• Auto segmentation of risky assets
• Vulnerability prioritization for effective remediation
Threat & Malware Protection
• Single virtual appliance provides agentless: anti-malware with URL filtering, vulnerability and software scanning, detection of file changes, intrusion detection & prevention
Next-Generation Firewall
• Multiple threat prevention disciplines including firewall, IPS, and antimalware
• Safe application enablement with continuous content inspection for all threats
• Granular user-based controls for apps, content, users
Achieving Micro-Segmentation in Real World

Prepare Security Fabric
• Prepare Hosts for Security
• Optional: Deploy Security Vendor Management Consoles for advanced services
• Optional: Deploy security vendor appliances

Monitor Flows
• Brownfield: Leverage existing knowledge from Perimeter firewalls
• Use NSX Built-In Flow Monitoring, IPFIX tools
• Integrate VMware Log Insight to analyze syslogs

Determine Policy Model
• Identify patterns with flows
• Determine a policy model based on the patterns

Apply Policy Model
• Determine approach: Firewall Rule Table or Service Composer Policy Model
• Based on the Policy Model – Create grouping models
• Write Security Policy
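The "Monitor Flows" and "Determine Policy Model" steps are where most of the work happens, so this added example shows the core of it: collapsing per-address flow records into tier-to-tier patterns and turning those into candidate rules for a Service Composer-style policy. It is not NSX, IPFIX-collector or Log Insight code; the flow records are constructed in an IPFIX-like shape, the address-to-tier mapping is an assumption, and the packet threshold is a knob the analyst would tune. Thin patterns (here, a web server talking straight to the database) are set aside for review rather than allowed automatically.

```python
"""From observed flows to a policy model, as the slide's Monitor Flows and
Determine Policy Model steps describe. Added example, not NSX, IPFIX-collector
or Log Insight code; flow records and the tier mapping are constructed."""
from collections import Counter

# Constructed inventory: which application tier each address belongs to.
TIER_OF = {
    "10.1.0.10": "web", "10.1.0.11": "web",
    "10.2.0.10": "app", "10.2.0.11": "app",
    "10.3.0.10": "db",
    "10.9.0.5": "jump",
}

# Constructed flow records: (src_ip, dst_ip, proto, dst_port, packets).
FLOWS = [
    ("10.1.0.10", "10.2.0.10", "tcp", 8443, 1200),
    ("10.1.0.11", "10.2.0.11", "tcp", 8443, 980),
    ("10.2.0.10", "10.3.0.10", "tcp", 3306, 4100),
    ("10.2.0.11", "10.3.0.10", "tcp", 3306, 3900),
    ("10.9.0.5", "10.1.0.10", "tcp", 22, 15),
    ("10.1.0.10", "10.3.0.10", "tcp", 3306, 3),   # web straight to db: worth questioning
]


def summarize(flows, tier_of=TIER_OF):
    """Collapse per-address flows into (src_tier, dst_tier, proto, port) patterns
    with summed packet counts; unknown addresses stay visible as 'unknown'."""
    patterns = Counter()
    for src, dst, proto, port, packets in flows:
        key = (tier_of.get(src, "unknown"), tier_of.get(dst, "unknown"), proto, port)
        patterns[key] += packets
    return patterns


def propose_rules(patterns, min_packets=10):
    """Patterns at or above the threshold become candidate allow rules between
    tier security groups; thin patterns go to a review list instead of being
    allowed automatically. A default block closes the table."""
    allow, review = [], []
    for (src, dst, proto, port), packets in sorted(patterns.items(), key=lambda kv: -kv[1]):
        rule = {"src": f"SG-{src.upper()}", "dst": f"SG-{dst.upper()}",
                "service": f"{proto}/{port}", "action": "allow", "packets": packets}
        (allow if packets >= min_packets else review).append(rule)
    allow.append({"src": "any", "dst": "any", "service": "any", "action": "block", "packets": 0})
    return allow, review


if __name__ == "__main__":
    allowed, to_review = propose_rules(summarize(FLOWS))
    for rule in allowed:
        print("candidate:", rule)
    for rule in to_review:
        print("review:   ", rule)
```

Grouping by tier rather than by address is what keeps the resulting rule table from turning into the IP-based sprawl shown at the start of the deck; the tier names map directly onto the security groups the rules will reference.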
Day 2 Operations
• Drifts and shifts in workload flows: continue monitoring flow patterns using Log Insight.
• Shifts in policies: manage FW rules using Tufin, Algosec.
• Keep advanced services updated: keep services like AV, IPS updated with signatures.
NSX Transforms Security by Providing Context & Minimizing Overhead
[Diagram: Guest VM / Hypervisor / Network]
• Context: Share rich context on applications, users, data, etc.
• Isolation: Minimize attack targets like security controls (e.g. AV) and telemetry (e.g. logs) by leveraging guest and network isolation and micro-segmentation
• Ubiquity: Ensuring visibility and control points are everywhere to help address coverage and scale challenges
What’s Next… Play, Learn, Deploy
• VMware NSX Hands-on Labs: labs.hol.vmware.com
• VMware Booth #1229: 3 NSX Demo Stations; Explore, Engage, Evolve
• virtualizeyournetwork.com
• Network Virtualization Blog: blogs.vmware.com/networkvirtualization
• NSX Product Page: vmware.com/go/nsx
• NSX Training & Certification: www.vmware.com/go/NVtraining
• NSX Technical Resources / Reference Designs: vmware.com/products/nsx/resources
• VMware NSX YouTube Channel: youtube.com/user/vmwarensx
Thank You
VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational...VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational...
VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational...VMworld
 
Effectively and Securely Using the Cloud Computing Paradigm
Effectively and Securely Using the Cloud Computing ParadigmEffectively and Securely Using the Cloud Computing Paradigm
Effectively and Securely Using the Cloud Computing Paradigmfanc1985
 
VMware NSX for vSphere - Intro and use cases
VMware NSX for vSphere - Intro and use casesVMware NSX for vSphere - Intro and use cases
VMware NSX for vSphere - Intro and use casesAngel Villar Garea
 
VMware vRealize Network Insight 3.5 - Whats New
VMware vRealize Network Insight 3.5 - Whats NewVMware vRealize Network Insight 3.5 - Whats New
VMware vRealize Network Insight 3.5 - Whats NewVMware
 
Check Point Software Technologies: Secure Your AWS Workloads
 Check Point Software Technologies: Secure Your AWS Workloads Check Point Software Technologies: Secure Your AWS Workloads
Check Point Software Technologies: Secure Your AWS WorkloadsAmazon Web Services
 
Secure Desktop Computing In the Cloud
Secure Desktop Computing In the CloudSecure Desktop Computing In the Cloud
Secure Desktop Computing In the CloudIRJET Journal
 
Comment sécuriser les centres de données virtuels ou infonuagiques avec NSX
Comment sécuriser les centres de données virtuels ou infonuagiques avec NSXComment sécuriser les centres de données virtuels ou infonuagiques avec NSX
Comment sécuriser les centres de données virtuels ou infonuagiques avec NSXColloqueRISQ
 
Crush Cloud Complexity, Simplify Security - Shield X
Crush Cloud Complexity, Simplify Security - Shield XCrush Cloud Complexity, Simplify Security - Shield X
Crush Cloud Complexity, Simplify Security - Shield XPrime Infoserv
 
#PCMVision: VMware NSX - Transforming Security
#PCMVision: VMware NSX - Transforming Security#PCMVision: VMware NSX - Transforming Security
#PCMVision: VMware NSX - Transforming SecurityPCM
 
Cisco VMDC Cloud Security 1.0 Design Guide
Cisco VMDC Cloud Security 1.0 Design GuideCisco VMDC Cloud Security 1.0 Design Guide
Cisco VMDC Cloud Security 1.0 Design GuideCisco Service Provider
 

Similar to Nsx security deep dive (20)

VMworld 2014: Introduction to NSX
VMworld 2014: Introduction to NSXVMworld 2014: Introduction to NSX
VMworld 2014: Introduction to NSX
 
Cloud Security Solution Overview
Cloud Security Solution OverviewCloud Security Solution Overview
Cloud Security Solution Overview
 
Self service it with v realizeautomation and nsx
Self service it with v realizeautomation and nsxSelf service it with v realizeautomation and nsx
Self service it with v realizeautomation and nsx
 
New Threats, New Approaches in Modern Data Centers
New Threats, New Approaches in Modern Data CentersNew Threats, New Approaches in Modern Data Centers
New Threats, New Approaches in Modern Data Centers
 
Cloud Security_ Unit 4
Cloud Security_ Unit 4Cloud Security_ Unit 4
Cloud Security_ Unit 4
 
nsx overview with use cases 1.0
nsx overview with use cases 1.0nsx overview with use cases 1.0
nsx overview with use cases 1.0
 
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
 
Business Agility and Security with VMware
Business Agility and Security with VMwareBusiness Agility and Security with VMware
Business Agility and Security with VMware
 
VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks
VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks
VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks
 
VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational...
VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational...VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational...
VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational...
 
Rik Ferguson
Rik FergusonRik Ferguson
Rik Ferguson
 
Effectively and Securely Using the Cloud Computing Paradigm
Effectively and Securely Using the Cloud Computing ParadigmEffectively and Securely Using the Cloud Computing Paradigm
Effectively and Securely Using the Cloud Computing Paradigm
 
VMware NSX for vSphere - Intro and use cases
VMware NSX for vSphere - Intro and use casesVMware NSX for vSphere - Intro and use cases
VMware NSX for vSphere - Intro and use cases
 
VMware vRealize Network Insight 3.5 - Whats New
VMware vRealize Network Insight 3.5 - Whats NewVMware vRealize Network Insight 3.5 - Whats New
VMware vRealize Network Insight 3.5 - Whats New
 
Check Point Software Technologies: Secure Your AWS Workloads
 Check Point Software Technologies: Secure Your AWS Workloads Check Point Software Technologies: Secure Your AWS Workloads
Check Point Software Technologies: Secure Your AWS Workloads
 
Secure Desktop Computing In the Cloud
Secure Desktop Computing In the CloudSecure Desktop Computing In the Cloud
Secure Desktop Computing In the Cloud
 
Comment sécuriser les centres de données virtuels ou infonuagiques avec NSX
Comment sécuriser les centres de données virtuels ou infonuagiques avec NSXComment sécuriser les centres de données virtuels ou infonuagiques avec NSX
Comment sécuriser les centres de données virtuels ou infonuagiques avec NSX
 
Crush Cloud Complexity, Simplify Security - Shield X
Crush Cloud Complexity, Simplify Security - Shield XCrush Cloud Complexity, Simplify Security - Shield X
Crush Cloud Complexity, Simplify Security - Shield X
 
#PCMVision: VMware NSX - Transforming Security
#PCMVision: VMware NSX - Transforming Security#PCMVision: VMware NSX - Transforming Security
#PCMVision: VMware NSX - Transforming Security
 
Cisco VMDC Cloud Security 1.0 Design Guide
Cisco VMDC Cloud Security 1.0 Design GuideCisco VMDC Cloud Security 1.0 Design Guide
Cisco VMDC Cloud Security 1.0 Design Guide
 

More from solarisyougood

Emc recoverpoint technical
Emc recoverpoint technicalEmc recoverpoint technical
Emc recoverpoint technicalsolarisyougood
 
Emc vmax3 technical deep workshop
Emc vmax3 technical deep workshopEmc vmax3 technical deep workshop
Emc vmax3 technical deep workshopsolarisyougood
 
EMC Atmos for service providers
EMC Atmos for service providersEMC Atmos for service providers
EMC Atmos for service providerssolarisyougood
 
Cisco prime network 4.1 technical overview
Cisco prime network 4.1 technical overviewCisco prime network 4.1 technical overview
Cisco prime network 4.1 technical overviewsolarisyougood
 
Designing your xen desktop 7.5 environment with training guide
Designing your xen desktop 7.5 environment with training guideDesigning your xen desktop 7.5 environment with training guide
Designing your xen desktop 7.5 environment with training guidesolarisyougood
 
Ibm aix technical deep dive workshop advanced administration and problem dete...
Ibm aix technical deep dive workshop advanced administration and problem dete...Ibm aix technical deep dive workshop advanced administration and problem dete...
Ibm aix technical deep dive workshop advanced administration and problem dete...solarisyougood
 
Ibm power ha v7 technical deep dive workshop
Ibm power ha v7 technical deep dive workshopIbm power ha v7 technical deep dive workshop
Ibm power ha v7 technical deep dive workshopsolarisyougood
 
Power8 hardware technical deep dive workshop
Power8 hardware technical deep dive workshopPower8 hardware technical deep dive workshop
Power8 hardware technical deep dive workshopsolarisyougood
 
Power systems virtualization with power kvm
Power systems virtualization with power kvmPower systems virtualization with power kvm
Power systems virtualization with power kvmsolarisyougood
 
Power vc for powervm deep dive tips & tricks
Power vc for powervm deep dive tips & tricksPower vc for powervm deep dive tips & tricks
Power vc for powervm deep dive tips & trickssolarisyougood
 
Emc data domain technical deep dive workshop
Emc data domain  technical deep dive workshopEmc data domain  technical deep dive workshop
Emc data domain technical deep dive workshopsolarisyougood
 
Ibm flash system v9000 technical deep dive workshop
Ibm flash system v9000 technical deep dive workshopIbm flash system v9000 technical deep dive workshop
Ibm flash system v9000 technical deep dive workshopsolarisyougood
 
Emc vnx2 technical deep dive workshop
Emc vnx2 technical deep dive workshopEmc vnx2 technical deep dive workshop
Emc vnx2 technical deep dive workshopsolarisyougood
 
Emc isilon technical deep dive workshop
Emc isilon technical deep dive workshopEmc isilon technical deep dive workshop
Emc isilon technical deep dive workshopsolarisyougood
 
Emc ecs 2 technical deep dive workshop
Emc ecs 2 technical deep dive workshopEmc ecs 2 technical deep dive workshop
Emc ecs 2 technical deep dive workshopsolarisyougood
 
Cisco mds 9148 s training workshop
Cisco mds 9148 s training workshopCisco mds 9148 s training workshop
Cisco mds 9148 s training workshopsolarisyougood
 
Cisco cloud computing deploying openstack
Cisco cloud computing deploying openstackCisco cloud computing deploying openstack
Cisco cloud computing deploying openstacksolarisyougood
 
Se training storage grid webscale technical overview
Se training   storage grid webscale technical overviewSe training   storage grid webscale technical overview
Se training storage grid webscale technical overviewsolarisyougood
 

More from solarisyougood (20)

Emc vipr srm workshop
Emc vipr srm workshopEmc vipr srm workshop
Emc vipr srm workshop
 
Emc recoverpoint technical
Emc recoverpoint technicalEmc recoverpoint technical
Emc recoverpoint technical
 
Emc vmax3 technical deep workshop
Emc vmax3 technical deep workshopEmc vmax3 technical deep workshop
Emc vmax3 technical deep workshop
 
EMC Atmos for service providers
EMC Atmos for service providersEMC Atmos for service providers
EMC Atmos for service providers
 
Cisco prime network 4.1 technical overview
Cisco prime network 4.1 technical overviewCisco prime network 4.1 technical overview
Cisco prime network 4.1 technical overview
 
Designing your xen desktop 7.5 environment with training guide
Designing your xen desktop 7.5 environment with training guideDesigning your xen desktop 7.5 environment with training guide
Designing your xen desktop 7.5 environment with training guide
 
Ibm aix technical deep dive workshop advanced administration and problem dete...
Ibm aix technical deep dive workshop advanced administration and problem dete...Ibm aix technical deep dive workshop advanced administration and problem dete...
Ibm aix technical deep dive workshop advanced administration and problem dete...
 
Ibm power ha v7 technical deep dive workshop
Ibm power ha v7 technical deep dive workshopIbm power ha v7 technical deep dive workshop
Ibm power ha v7 technical deep dive workshop
 
Power8 hardware technical deep dive workshop
Power8 hardware technical deep dive workshopPower8 hardware technical deep dive workshop
Power8 hardware technical deep dive workshop
 
Power systems virtualization with power kvm
Power systems virtualization with power kvmPower systems virtualization with power kvm
Power systems virtualization with power kvm
 
Power vc for powervm deep dive tips & tricks
Power vc for powervm deep dive tips & tricksPower vc for powervm deep dive tips & tricks
Power vc for powervm deep dive tips & tricks
 
Emc data domain technical deep dive workshop
Emc data domain  technical deep dive workshopEmc data domain  technical deep dive workshop
Emc data domain technical deep dive workshop
 
Ibm flash system v9000 technical deep dive workshop
Ibm flash system v9000 technical deep dive workshopIbm flash system v9000 technical deep dive workshop
Ibm flash system v9000 technical deep dive workshop
 
Emc vnx2 technical deep dive workshop
Emc vnx2 technical deep dive workshopEmc vnx2 technical deep dive workshop
Emc vnx2 technical deep dive workshop
 
Emc isilon technical deep dive workshop
Emc isilon technical deep dive workshopEmc isilon technical deep dive workshop
Emc isilon technical deep dive workshop
 
Emc ecs 2 technical deep dive workshop
Emc ecs 2 technical deep dive workshopEmc ecs 2 technical deep dive workshop
Emc ecs 2 technical deep dive workshop
 
Emc vplex deep dive
Emc vplex deep diveEmc vplex deep dive
Emc vplex deep dive
 
Cisco mds 9148 s training workshop
Cisco mds 9148 s training workshopCisco mds 9148 s training workshop
Cisco mds 9148 s training workshop
 
Cisco cloud computing deploying openstack
Cisco cloud computing deploying openstackCisco cloud computing deploying openstack
Cisco cloud computing deploying openstack
 
Se training storage grid webscale technical overview
Se training   storage grid webscale technical overviewSe training   storage grid webscale technical overview
Se training storage grid webscale technical overview
 

Recently uploaded

Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-pyJamie (Taka) Wang
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsSafe Software
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxUdaiappa Ramachandran
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 

Recently uploaded (20)

Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 

NSX Security Deep Dive (slide transcript)

• 7. 1. Firewall Challenges in the SDDC
Physical firewalls:
  • No micro-segmentation
  • Hardware CAPEX
  • Choke point
  • Rule sprawl (IP- and MAC-based)
  • Trombone traffic
Example of IP-based rule sprawl, one row per source/destination pair:
  Src          Dst
  192.168.1.1  192.168.5.2
  10.0.0.1     10.0.2.5
  10.0.0.2     10.0.2.5
  10.0.0.3     10.0.2.5
Virtual firewalls (VM-based appliances in front of the Web, App and DB tiers):
  • Eliminate hardware
  • Still a choke point, with low performance (1-3 Gbps)
  • Still rule sprawl (IP- and MAC-based)

• 8. 2. Force Choosing between Context and Isolation
Today's controls sit at one of two points between the guest VM and the network:
  • Host-based security controls (agents in the guest VM): high context, low isolation. The controls themselves are prone to attack, because they run inside the workload they protect.
  • Network-based security controls (in the network): high isolation, low context. No visibility into application, process, file, user or overall security posture.
  • Either way: manual deployment and policy management.

• 9. 3. Require In-guest Agents that Are Resource Intensive
  • A separate agent is required per VM per service, each reporting to its own third-party management console.
  • Adding a new service requires manual deployment in each guest.
  • Scheduled scans hit the same underlying infrastructure (CPU, memory, storage) at the same time, which drives utilization up and the consolidation ratio down.

• 10. 4. Hard to Automate Workflows across Services
  • Manual workflows, due to the lack of interoperability and automation across "best-of-breed" security products.
  • Endpoint control events do not trigger network controls.

• 11. Security Today Isn't Optimized for SDDC, with Negative Impact to Agility and Cost
  1. Software-based (in-guest) solutions impact performance: CPU, memory, storage.
  2. Software-based solutions lack isolation; the attack surface is inside the guest, which is a security risk.
  3. Network-based solutions (e.g. a network scanner) lack application context, which leads to rule sprawl and complex troubleshooting.
• 12. Agenda
  1. Challenges with existing security controls
  2. Introducing NSX Security
  3. Benefits
  4. Use Cases
  5. Automating Security
  6. Summary & Next Steps

• 13. NSX Transforms Security for Optimal Context and Isolation While Minimizing Resource Overhead
  • Isolation: fine-grained containment
  • Context: better security through insight
  • Ubiquity: core services (switching, routing, firewalling) are built into the hypervisor kernel, with an ecosystem of distributed services on top

• 14. NSX Provides Built-in Services to Manage the Security Posture of Workloads at Scale
  • Guest Introspection: the NSX driver pulls and shares file, user identity, process (application), network connection, registry key and similar context from the guest.
  • Network Introspection: full network traffic visibility at the vNIC, vSwitch or Edge.
  • This shared context feeds the built-in VMware services: Firewall, Identity Firewall, Server Activity Monitoring, VPN (IPsec, SSL), DLP, and L2 and L3 connectivity.

• 15. NSX Distributed Firewall is Optimized for SDDC
  • Delivers micro-segmentation
  • Efficient rule management: rules are written against logical containers, e.g. Src ANY → Dst Shared Service, Src Desktop → Dst WEB_GROUP
  • Dynamic policy (e.g. driven by AV, DLP or vulnerability scan results)
  • No choke points; scale-out performance (20 Gbps)
  • Enabled for cloud automation: firewall policies are pre-approved and reused by cloud automation, e.g. "Web Policy" for WEB_GROUP: allow inbound HTTP/S, allow outbound ANY
  • A platform for distributed services across the Web, App and DB tiers

• 16. Leverage Distributed Firewall for Micro-Segmentation
  • Hypervisor-based, in-kernel distributed firewalling between workloads; perimeter firewalls remain at the Internet edge, and security policy is driven from the cloud management platform.
  • Platform-based automated provisioning and workload adds, moves and changes.
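What "rules based on logical containers" buys you, as an added example in Python; this is not code from the deck or from VMware (the real distributed firewall is enforced at each vNIC in the ESXi kernel). The VM inventory, IP addresses, group names and the three-rule table are constructed for the illustration; the table mirrors the slide's "Web Policy" and the shared-service rule:

```python
"""First-match firewall evaluation where src/dst are security groups, not IPs.
Added example; inventory, groups, IPs and rules are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    groups: frozenset  # logical containers (security groups) the vNIC belongs to


@dataclass(frozen=True)
class Rule:
    name: str
    src: str             # security group name, or "ANY"
    dst: str
    services: frozenset  # e.g. {"tcp/80", "tcp/443"}, or {"ANY"}
    action: str          # "allow" or "block"


def _in_container(container, vm):
    return container == "ANY" or container in vm.groups


def evaluate(rules, src, dst, service):
    """Top-down, first matching rule wins; the implicit default rule is block."""
    for r in rules:
        if (_in_container(r.src, src) and _in_container(r.dst, dst)
                and ("ANY" in r.services or service in r.services)):
            return r.action
    return "block"


# Constructed sample inventory (names, IPs and membership are assumptions).
DESKTOPS = [VM(f"desk-{i}", f"10.0.0.{i}", frozenset({"Desktop"})) for i in (1, 2, 3)]
WEB = [VM("web-01", "10.0.2.5", frozenset({"WEB_GROUP"})),
       VM("web-02", "10.0.2.6", frozenset({"WEB_GROUP"}))]
DB = VM("db-01", "10.0.3.5", frozenset({"DB_GROUP"}))
DNS = VM("dns-01", "192.168.5.2", frozenset({"Shared Service"}))

# Three container-based rules express the intent that the IP-based table on
# slide 7 needed one row per source/destination pair for.
RULES = [
    Rule("shared-services", "ANY", "Shared Service", frozenset({"udp/53"}), "allow"),
    Rule("web-policy-inbound", "Desktop", "WEB_GROUP", frozenset({"tcp/80", "tcp/443"}), "allow"),
    Rule("web-policy-outbound", "WEB_GROUP", "ANY", frozenset({"ANY"}), "allow"),
]


def ip_based_rule_count(sources, destinations):
    """Rows an IP/MAC-based firewall needs for the same intent: one per pair."""
    return len(sources) * len(destinations)


def decisions(rules):
    """A small decision matrix, the kind of thing an audit wants to see."""
    return {
        "desktop->web https": evaluate(rules, DESKTOPS[0], WEB[0], "tcp/443"),
        "desktop->db mysql": evaluate(rules, DESKTOPS[0], DB, "tcp/3306"),
        "web->db mysql": evaluate(rules, WEB[0], DB, "tcp/3306"),
        "desktop->dns": evaluate(rules, DESKTOPS[2], DNS, "udp/53"),
        "web->desktop ssh": evaluate(rules, WEB[0], DESKTOPS[0], "tcp/22"),
    }


def new_web_vm_is_covered(rules):
    """A VM added to WEB_GROUP (on any IP) inherits the policy with no rule
    change, because no rule mentions an address."""
    web_03 = VM("web-03", "10.0.9.77", frozenset({"WEB_GROUP"}))
    return evaluate(rules, DESKTOPS[1], web_03, "tcp/80")


if __name__ == "__main__":
    for flow, verdict in decisions(RULES).items():
        print(f"{flow:22s} {verdict}")
    print("container rules:", len(RULES),
          "vs IP-pair rules for desktops->web:", ip_based_rule_count(DESKTOPS, WEB))
```

The decision matrix also surfaces a caveat the slide's own example carries: "allow outbound ANY" from WEB_GROUP means a compromised web server can reach the desktops and the DB tier on any port (the web->desktop ssh row comes back allow). Before a policy like that is pre-approved for cloud automation, narrow the outbound rule to the services the application actually needs.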
• 17. NSX Enables Using Third-Party Services to Manage the Security Posture of Workloads at Scale
  • Guest Introspection (file, user identity, process, network connections, registry keys) and Network Introspection (traffic visibility at the vNIC, vSwitch or Edge) provide the shared context.
  • The service insertion architecture and security policy management plug in third-party services: DLP, firewall, vulnerability management, antivirus, intrusion prevention, identity and access management, and more in progress.

• 18. Advanced Services Insertion – Example: Palo Alto Networks NGFW
  Figure: Internet traffic is steered to the Palo Alto Networks NGFW according to a security policy defined by the security admin.
  • 19. Agenda CONFIDENTIAL 19 1 Challenges with existing security controls 2 Introducing NSX Security 3 Automating Security 4 Benefits 5 Use Cases 6 Summary & Next Steps
  • 20. Secure SDDC with VMware NSX Security services are managed more efficiently in a software-defined datacenter NSX Network Virtualization Platform Firewall Data Security (DLP) Server Activity Monitoring VPN (IPSEC, SSL) Antivirus Vulnerability Management Identity and Access Mgmt …and more in progress Security Policy Management Deploy Provision and monitor uptime of different services, using oSenrviece mInseerttiohnod CONFIDENTIAL 20 Apply Apply and visualize security policies for workloads, in Security Goronupes plSaeccuerity Policies Automate Automate workflows across best-of-breed services, without custom integrationSecurity Tags Built-In Services Third-Party Services DLP Firewall Intrusion Prevention
  • 21. Register Security Services with VMware NSX Service Definitions: built-in and 3rd-party services Firewalling VPN Data Security Activity Monitoring Service categories, vendors, versions are visible in one central view Security CONFIDENTIAL 21
  • 22. NSX Security Service Insertion Architecture Network 6 Introspection 5 Guest Introspection 7 Host Modules NSX Manager 1 Third-Party Management Console 2 3 NSX Built-in Security Services (Distributed) Logical Firewall Logical Switch 3 NSX Built-in Security Services (Appliance per host) 4 NSX Partner Services (Appliance per host) CONFIDENTIAL 22
  • 23. Security Groups & Security Policies • End-Users and CloudAdmins are able to define security policies based on service profiles already defined or approved by the Security Admin. • Security policies are applied to one or more security groups where workloads are members WHAT you want to protect HOinbWoundyHoTuTPw/S,ant toIPpS r–optreevcentt DitOS attacks, enforce acceptable use SECURITY GROUP SECURITY POLICY Members (VM, vNIC) and Context (user identity, security posture) “Standard Web”  Firewall – allow allow outbound ANY Services (firewall, antivirus, IPS etc.) and Profiles (labels representing specific policies) CONFIDENTIAL 23
  • 24. Security Policies and Security Groups. NSX simplifies provisioning, audit, and troubleshooting of security. SECURITY GROUP: WHAT you want to protect. SECURITY POLICY: HOW you want to protect it. 1 Policy Provisioning: define once (policy), use many (security groups); tied to the workload, not to the infrastructure. 2 Audit: validate controls in one place – available services, applied policies. 3 Troubleshooting: when an app doesn’t work, start by observing the workload and all related security policies, rather than inferring from infrastructure security.
  • 25. Security Groups Definition. Security Group = (Dynamic Inclusion + Static Inclusions) – Static Exclusion. Dynamic Inclusion criteria: Computer OS name, Computer Name, VM Name, Security Tag, Entity. Static Inclusion and Static Exclusion objects: Security Group, Cluster, Logical Switch, Network, vApp, Datacenter, IP Sets, Active Directory Group, MAC sets, Security Tag, vNIC, VM, Resource Pool, DVS Port Group. Security groups can be VM-centric or infrastructure-centric.
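The membership formula on slide 25 is easy to get wrong in the details (static exclusion must win over both kinds of inclusion, and a tag-based dynamic criterion re-evaluates as soon as a service tags a VM). The following is an added example, not VMware's code or the NSX API: it models the formula as set algebra over a constructed inventory, with three of the slide's dynamic criteria (Computer OS name, VM Name, Security Tag). The VM names, OS strings and the tag `AV.VirusFound` are constructed for the example.

```python
"""Security group membership = (dynamic + static inclusion) - static exclusion.

Added example (not VMware/NSX code). All VM data and tag names are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class VM:
    name: str
    os_name: str
    tags: set = field(default_factory=set)


# Dynamic-inclusion attributes modelled here (a subset of the slide's list).
ATTRS = {
    "os_name": lambda vm: vm.os_name,
    "vm_name": lambda vm: vm.name,
}


def _match(vm, attr, op, value):
    """Evaluate one dynamic criterion (attribute, operator, value) against a VM."""
    if attr == "security_tag":
        # A tag criterion matches when the VM currently carries that exact tag.
        return value in vm.tags
    actual = ATTRS[attr](vm)
    if op == "equals":
        return actual == value
    if op == "contains":
        return value in actual
    if op == "starts_with":
        return actual.startswith(value)
    raise ValueError(f"unknown operator {op}")


@dataclass
class SecurityGroup:
    name: str
    dynamic: list = field(default_factory=list)       # [(attr, op, value), ...]
    match_all: bool = False                           # False: any criterion; True: all
    static_include: set = field(default_factory=set)  # VM names added by hand
    static_exclude: set = field(default_factory=set)  # VM names that must never be members

    def matches_dynamic(self, vm):
        if not self.dynamic:
            return False
        results = [_match(vm, *crit) for crit in self.dynamic]
        return all(results) if self.match_all else any(results)

    def members(self, inventory):
        dynamic = {vm.name for vm in inventory if self.matches_dynamic(vm)}
        # The slide's formula: exclusion is applied last, so it beats inclusion.
        return (dynamic | self.static_include) - self.static_exclude


# Constructed inventory.
INVENTORY = [
    VM("Win7-Desk-01", "Microsoft Windows 7"),
    VM("Win7-Desk-02", "Microsoft Windows 7"),
    VM("Ent-Sharepoint", "Microsoft Windows Server 2012"),
    VM("Apache-Web-VM", "Ubuntu Linux"),
]

ALL_DESKTOPS = SecurityGroup(
    "All Desktops",
    dynamic=[("os_name", "contains", "Windows 7")],
    static_include={"Apache-Web-VM"},   # a non-Windows desktop added statically
    static_exclude={"Win7-Desk-01"},    # matches the OS criterion but is excluded
)

# Tag-driven group: membership changes the moment a service tags a VM.
INFECTED = SecurityGroup("Infected System",
                         dynamic=[("security_tag", "equals", "AV.VirusFound")])


def find_vm(name):
    return next(vm for vm in INVENTORY if vm.name == name)


def tag_vm(name, tag):
    """Simulates a security service applying a tag; groups recompute on next query."""
    find_vm(name).tags.add(tag)


if __name__ == "__main__":
    print("All Desktops:", sorted(ALL_DESKTOPS.members(INVENTORY)))
    tag_vm("Win7-Desk-02", "AV.VirusFound")
    print("Infected System:", sorted(INFECTED.members(INVENTORY)))
```

`members()` is recomputed on every call, which is the property the later scenarios rely on: a VM joins or leaves a tag-based group without anyone editing the group.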
  • 26. Automate Security Operations to respond to rapidly changing security conditions. Without VMware NSX: • Manual workflows • No interoperability between best-of-breed security products. With VMware NSX: • Security is automated • If one service finds something, then another service can do something about it. Create repeatable, automated workflows across best-of-breed security products with VMware NSX.
  • 27. Advanced Services Insertion. Traditional Data Center: static service chain. NSX Data Center: dynamic service chain (1, 2, 3). • Flexible service chain that adapts to changing conditions – more efficient use of services, better security by sharing tags. • Platform for integrating the leading security products: NSX enables dynamic actions to respond to changing security conditions.
  • 28. Agenda: 1 Challenges with existing security controls; 2 Introducing NSX Guest Introspection; 3 Automating Security; 4 Benefits; 5 Use Cases; 6 Summary & Next Steps
  • 29. 1. Optimized for Performance. Utilization (CPU, Memory, Storage): low; Consolidation Ratio: high. 1 Reduces attack surface. 2 Stronger protection: cannot be turned off by malware. 3 Eliminates overhead of agent resources and management. 4 Reduces VM footprint, enables higher consolidation.
  • 30. 2. Automated Ubiquitous Deployment & Enforcement. 1. ESX host added to cluster. 2. Automated: NSX deploys Guest Introspection framework and service VMs (partner & VMware). 3. VM brought up on host. 4. Automated: appropriate security policies applied. 5. VM vMotions to a different host. 6. Automated: appropriate security policies applied.
  • 31. 3. Visibility into In-guest Events: Users Logging In, Files Accessed, Network Connections, System Events, Applications Running, Canned Reports.
  • 32. Identity Based Access Control. Active Directory: Eric Frost, IP: 192.168.10.75. Logs: User | AD Group | App Name | Originating VM Name | Destination VM Name | Source IP | Destination IP. Eric Frost | Engineering | SPDesigner.exe | Eric-Win7 | Ent-Sharepoint | 192.168.10.75 | 192.168.10.78
  • 33. Demo: VMware NSX Activity Monitoring
  • 35. 4. Simplified Policy Management & Automation across Services. Roles: 1 Security Admin; 2 NSX Admin; 3 Cloud Architect (Cloud Management Portal). Objects on the NSX Manager / Virtualization Platform: Security Policy (HOW you want to protect it); Security Group (WHAT you want to protect).
  • 36. 5. Automated Security Policy Enforcement, with increased visibility.
  • 37. Security-Centric View. Containers – grouping of VMs, IPs, and more, to define WHAT you want to protect, e.g. “Financial Applications”, “Desktop Users”, “Quarantine Zone”. Nested containers – other groupings within the container, e.g. “Quarantine Zone” is a sub group within “My Data Center”. VMs (workloads) that belong to this container, e.g. “Apache-Web-VM”, “Exchange Server-VM”. Policies – collection of service profiles assigned to this container, to define HOW you want to protect it, e.g. “PCI Compliance” or “Quarantine Policy”. Service profiles for *deployed* services, assigned to these policies. Services supported today: • Distributed Virtual Firewall • Anti-virus • Vulnerability Management • Network IPS • Data Security (DLP scan) • User Activity Monitoring • File Integrity Monitoring
  • 38. Workload-Centric View: Security Groups & Tags Assigned to a VM. For a Virtual Machine: Any security issues? Protected in a security group?
  • 39. Workload-Centric View: All Security Policies Applied to a VM
  • 40. Monitor Uptime of Different Services. Service Deployments: installation and service status. Installation Status & Service Status are visible in one central view.
  • 41. Eliminate Policy Sprawl through Automation. No manual cleanup necessary during application decommissioning. SECURITY POLICY “Standard Web”: Firewall – allow inbound HTTP/S, allow outbound ANY; IPS – prevent DOS attacks, enforce acceptable use. Applied to SECURITY GROUP, SECURITY GROUP.
  • 42. Increase Visibility into Service Availability. Virtualization Platform: restart Security Virtual Appliances upon detection of service health failure. Error messages provide insight into why a service failed.
  • 44. Agenda: 1 Challenges with existing security controls; 2 Introducing NSX Guest Introspection; 3 Automating Security; 4 Benefits; 5 Use Cases; 6 Summary & Next Steps
  • 45. Scenario 1: Vulnerability Management Optimized for SDDC. VMware Network and Security Platform, Built-In Services and Third-Party Services: Firewall, Data Security (DLP), Server Activity Monitoring, VPN (IPSEC, SSL), Antivirus, DLP, Firewall, Vulnerability Management, Intrusion Prevention, Identity and Access Mgmt, Security Policy Management, …and more in progress.
  • 46. Traditional Challenges in Vulnerability Management. Network scanner: 1 Scan IP range for asset inventory (NMAP). 2 Run port scan on live systems – sets off IPS alarms. 3 Whitelist scanner IP address on IPS. 4 Scans return inaccurate info. 5 Must secure system credentials to run accurate scans. 6 Scans run over the virtual network, impacting app performance.
  • 47. Vulnerability Management Optimized for SDDC, using NSX Guest Introspection (file, user identity, process (application), network connections, registry keys, etc.) on the Virtualization Platform. • No network scans required • Get all VM asset inventory from vCenter • Get all VM context – file, process, registry key – via NSX Guest Introspection • No credentials required for server scans – the in-guest driver runs a credentialed scan. Simplified Deployment: automated deployment of the 3rd-party appliance to all selected clusters in the data center.
  • 48. Scenario 2: Context Based Isolation in VDI Environment. VMware Network and Security Platform, Built-In Services and Third-Party Services: Firewall, Data Security (DLP), Server Activity Monitoring, VPN (IPSEC, SSL), Antivirus, DLP, Firewall, Vulnerability Management, Intrusion Prevention, Identity and Access Mgmt, Security Policy Management, …and more in progress.
  • 49. Virus Detection Triggers Isolation and Remediation. Security groups: Employee Desktops SG, Front Desk SG, IT Admin Desktops SG, Infected System SG. Applications: Records, Scheduling App, IT Services, Shared Resources (NSX). “All Desktops” → AV – Agentless Scan. “All Desktops” → AV – Scan and Remediate → DFW: block access to applications.
  • 50. Scenario 3: Minimizing Attack Surface. VMware Network and Security Platform, Built-In Services and Third-Party Services: Firewall, Data Security (DLP), Server Activity Monitoring, VPN (IPSEC, SSL), Antivirus, DLP, Firewall, Vulnerability Management, Intrusion Prevention, Identity and Access Mgmt, Security Policy Management, …and more in progress.
  • 51. Vulnerability Scan Triggers Traffic Introspection. Security groups: Employee Desktops SG, Front Desk SG, IT Admin Desktops SG, Shared Apps SG, Vulnerable SG. Applications: Records, Scheduling App, IT Services, Shared Resources (NSX). “Applications” → Vulnerability Scan. “Vulnerable” → IPS.
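Slides 26, 49 and 51 describe the same chain: one service's verdict becomes a security tag, the tag moves the VM into a dynamic group, and the policies attached to that group tell the next service (AV remediation, DFW, IPS) what to do. The code below is an added example of that workflow and is not VMware's code; the tag names (`AV.VirusFound`, `Scan.Vulnerable`), the `role` attribute that places a VM in “All Desktops” or “Applications”, and the policy weights used for precedence are all assumptions made for the example. It covers both the infection scenario and the vulnerability scenario, and also the reverse path (AV reports the VM clean, the tag is removed, and the DFW block goes away on its own).

```python
"""Tag-driven security workflow (added example, not VMware/NSX code).

A service result -> security tag -> dynamic group -> policies of that group.
Tag names, group names, weights and the VM 'role' attribute are constructed.
"""
from dataclasses import dataclass, field

# Which tag places a VM into which dynamic group.
TAG_GROUPS = {
    "AV.VirusFound": "Infected System",
    "Scan.Vulnerable": "Vulnerable",
}

# Policies attached to groups, from the slide labels. The weight is an assumed
# precedence: a quarantine-style policy must be evaluated before the baseline.
POLICIES = {
    "All Desktops":    (10,  ["AV: agentless scan"]),
    "Applications":    (10,  ["Vulnerability scan"]),
    "Infected System": (100, ["AV: scan and remediate",
                              "DFW: block access to applications"]),
    "Vulnerable":      (50,  ["IPS: inspect traffic"]),
}

BLOCK_APPS = "DFW: block access to applications"


@dataclass
class VM:
    name: str
    role: str                       # "desktop" or "application" (constructed)
    tags: set = field(default_factory=set)


def groups_of(vm):
    """Baseline group from the VM's role, plus any tag-driven groups."""
    base = {"All Desktops"} if vm.role == "desktop" else {"Applications"}
    return base | {TAG_GROUPS[t] for t in vm.tags if t in TAG_GROUPS}


def effective_services(vm):
    """Services applied to the VM, highest-precedence policy first."""
    ordered = sorted(groups_of(vm), key=lambda g: -POLICIES[g][0])
    return [svc for g in ordered for svc in POLICIES[g][1]]


def can_reach_applications(vm):
    """What the DFW would enforce for this VM right now."""
    return BLOCK_APPS not in effective_services(vm)


def on_service_result(vm, service, verdict):
    """A service reports on a VM; the verdict adds or removes its tag.

    Returns the services now in effect, i.e. what the other services do next.
    """
    if service == "av":
        tag, positive = "AV.VirusFound", verdict == "virus_found"
    elif service == "vuln_scan":
        tag, positive = "Scan.Vulnerable", verdict == "vulnerable"
    else:
        raise ValueError(f"unknown service {service}")
    (vm.tags.add if positive else vm.tags.discard)(tag)
    return effective_services(vm)


if __name__ == "__main__":
    desk = VM("Win7-Desk-02", "desktop")
    print(on_service_result(desk, "av", "virus_found"), can_reach_applications(desk))
    print(on_service_result(desk, "av", "clean"), can_reach_applications(desk))
```

The point to notice is that nobody edits a firewall rule in either direction: the DFW rule is attached to the “Infected System” group once, and the VM's tag decides whether the rule applies to it.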
  • 52. Scenario 4: Traffic Redirection to Advanced Services – e.g. PAN. SECURITY GROUP SG-WEB (WHAT you want to protect). SECURITY POLICY SP-PAN-Redirect “PAN redirect” (HOW you want to protect it): Services – Network Introspection: Tomcat traffic from WEB to APP: redirect to PAN. Services: Network Introspection Services (= traffic redirection). WEB Tier (DVS P-G or Logical Switch): VM1 1.1.1.1, VM2 1.1.1.2, members of SG-WEB. APP Tier (DVS P-G or Logical Switch): VM3 2.2.2.1, VM4 2.2.2.2, members of SG-APP. Network Introspection Rule: Source = Policy’s SG, Dest = SG-APP, Service = Tomcat, Action = Redirect to PAN. Any Tomcat traffic from WEB Tier to APP Tier is redirected to the PAN VM-Series FW; any other traffic from WEB Tier to APP Tier is not redirected to PAN. Traffic hits the DFW first and then the traffic redirection rule: Tomcat traffic must be allowed by a DFW rule, otherwise it cannot be redirected to PAN.
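The last sentence of slide 52 is the one that bites in practice: redirection is evaluated only on traffic the distributed firewall has already allowed, so a DFW block on Tomcat silently makes the redirect rule dead. The following is an added example, not VMware's code or the NSX rule engine: it models the two ordered tables and the flow disposition for the slide's groups and addresses. The Tomcat port number (8080), the second service (tcp/22) and the explicit default rules at the end of each DFW table are assumptions for the example.

```python
"""DFW table first, then the network-introspection (redirect) table.

Added example (not VMware/NSX code). Group membership and IPs follow the
slide; the Tomcat port, the tcp/22 rule and the default rules are assumed.
"""
from dataclasses import dataclass

ANY = None
TOMCAT = ("tcp", 8080)   # assumed service definition for "Tomcat"

# Security group membership by IP, from the slide's diagram.
GROUPS = {
    "SG-WEB": {"1.1.1.1", "1.1.1.2"},
    "SG-APP": {"2.2.2.1", "2.2.2.2"},
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src_group: object   # group name or ANY
    dst_group: object   # group name or ANY
    service: object     # (proto, port) or ANY
    action: str         # "allow" | "block" | "redirect"
    target: str = ""    # redirect destination, for "redirect" rules only


def _in_group(ip, group):
    return group is ANY or ip in GROUPS[group]


def _matches(rule, flow):
    return (_in_group(flow.src, rule.src_group)
            and _in_group(flow.dst, rule.dst_group)
            and (rule.service is ANY or rule.service == (flow.proto, flow.dport)))


def first_match(rules, flow):
    """Both tables are ordered; the first matching rule decides."""
    return next((r for r in rules if _matches(r, flow)), None)


def dispose(flow, dfw_rules, redirect_rules):
    """Returns 'blocked', 'redirected:<target>' or 'forwarded'."""
    verdict = first_match(dfw_rules, flow)
    if verdict is None or verdict.action == "block":
        return "blocked"          # never reaches the redirection table
    redirect = first_match(redirect_rules, flow)
    if redirect is not None:
        return f"redirected:{redirect.target}"
    return "forwarded"


# The slide's redirection rule: Source = policy's SG (SG-WEB), Dest = SG-APP.
REDIRECT_RULES = [Rule("SG-WEB", "SG-APP", TOMCAT, "redirect", "PAN VM-Series FW")]

# Working configuration: Tomcat is allowed, so the redirect can take effect.
DFW_ALLOWS_TOMCAT = [
    Rule("SG-WEB", "SG-APP", TOMCAT, "allow"),
    Rule("SG-WEB", "SG-APP", ("tcp", 22), "allow"),
    Rule(ANY, ANY, ANY, "block"),        # assumed default-deny at the end
]

# Broken configuration: the DFW drops Tomcat, so the redirect rule is dead.
DFW_BLOCKS_TOMCAT = [
    Rule("SG-WEB", "SG-APP", TOMCAT, "block"),
    Rule(ANY, ANY, ANY, "allow"),
]

if __name__ == "__main__":
    tomcat = Flow("1.1.1.1", "2.2.2.1", "tcp", 8080)
    print(dispose(tomcat, DFW_ALLOWS_TOMCAT, REDIRECT_RULES))   # redirected
    print(dispose(tomcat, DFW_BLOCKS_TOMCAT, REDIRECT_RULES))   # blocked
```

When a partner appliance sees no traffic after a redirect policy is applied, check the DFW table for the same source, destination and service before suspecting the appliance.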
  • 53. Security Partner Integrations. Partner Ecosystem: NSX is the platform for integrating advanced security services. Next-generation IPS: granular protection of individual VM workloads with customizable policy definitions. Malware Protection: data center security with agentless anti-malware and guest network threat protection; real-time, dynamic threat protection and response for workloads moving between hosts and virtual data centers; automation of advanced malware interception; unified management for physical and virtual sensors. Vulnerability Management: automatic vulnerability risk assessment; data center-wide real-time risk visibility; auto segmentation of risky assets; vulnerability prioritization for effective remediation. Threat & Malware Protection: a single virtual appliance provides agentless anti-malware with URL filtering, vulnerability and software scanning, detection of file changes, intrusion detection & prevention. Next-Generation Firewall: multiple threat prevention disciplines including firewall, IPS, and anti-malware; safe application enablement with continuous content inspection for all threats; granular user-based controls for apps, content, users.
  • 54. Agenda: 1 Challenges with existing security controls; 2 Introducing NSX Guest Introspection; 3 Benefits; 4 Use Cases; 5 Automating Security; 6 Summary & Next Steps
  • 55. Achieving Micro-Segmentation in the Real World. Prepare Security Fabric: • Prepare hosts for security • Optional: deploy security vendor management consoles for advanced services • Optional: deploy security vendor appliances. Monitor Flows: • Brownfield: leverage existing knowledge from perimeter firewalls • Use NSX built-in Flow Monitoring and IPFIX tools • Integrate VMware Log Insight to analyze syslogs. Determine Policy Model: • Identify patterns in the flows • Determine a policy model based on the patterns. Apply Policy Model: • Determine the approach: Firewall Rule Table or Service Composer Policy Model • Based on the policy model, create grouping models • Write the security policy.
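The "Monitor Flows, Determine Policy Model, Apply Policy Model" steps on slide 55 are a data-processing pipeline, so here is one as an added example (not VMware's tooling, and not the format NSX Flow Monitoring or IPFIX actually emits): constructed flow records in the shape of a flow export (source, destination, protocol, destination port, bytes) are mapped onto an assumed grouping model of three subnets, aggregated into a group-to-group service matrix, and turned into a whitelist rule table with a default block. The subnets, ports, group names and the `min_flows` threshold are all assumptions for the example.

```python
"""Observed flows -> group-to-group matrix -> whitelist rule table.

Added example (not VMware/NSX tooling). Subnets, ports and flow records are
constructed; a real run would consume a Flow Monitoring / IPFIX / Log Insight export.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Grouping model decided in the "Determine Policy Model" step (constructed).
GROUPS = {
    "SG-WEB": ip_network("10.0.1.0/24"),
    "SG-APP": ip_network("10.0.2.0/24"),
    "SG-DB":  ip_network("10.0.3.0/24"),
}

# Constructed flow records: (src, dst, proto, dport, bytes).
FLOWS = [
    ("10.0.1.10", "10.0.2.20", "tcp", 8080, 5120),
    ("10.0.1.11", "10.0.2.21", "tcp", 8080, 4096),
    ("10.0.2.20", "10.0.3.30", "tcp", 3306, 2048),
    ("10.0.2.21", "10.0.3.30", "tcp", 3306, 900),
    ("10.0.1.10", "10.0.3.30", "tcp", 3306, 64),       # web straight to DB: seen once
    ("203.0.113.5", "10.0.1.10", "tcp", 443, 10240),   # external client to web
]


def group_of(ip):
    """Map an endpoint to its security group; anything unmapped is External."""
    addr = ip_address(ip)
    for name, net in GROUPS.items():
        if addr in net:
            return name
    return "External"


def flow_matrix(flows):
    """Aggregate flows into (src_group, dst_group, proto, dport) -> [count, bytes]."""
    matrix = defaultdict(lambda: [0, 0])
    for src, dst, proto, dport, nbytes in flows:
        key = (group_of(src), group_of(dst), proto, dport)
        matrix[key][0] += 1
        matrix[key][1] += nbytes
    return dict(matrix)


def policy_rules(matrix, min_flows=2):
    """Whitelist rules for patterns seen at least min_flows times, then default block.

    Patterns below the threshold go to a review list rather than being allowed
    automatically: one stray flow should not become a permanent rule.
    """
    rules, review = [], []
    for (sg, dg, proto, dport), (count, _) in sorted(matrix.items()):
        rule = {"src": sg, "dst": dg, "service": f"{proto}/{dport}", "action": "allow"}
        (rules if count >= min_flows else review).append(rule)
    rules.append({"src": "any", "dst": "any", "service": "any", "action": "block"})
    return rules, review


if __name__ == "__main__":
    matrix = flow_matrix(FLOWS)
    for key, (count, nbytes) in sorted(matrix.items()):
        print(key, count, nbytes)
    rules, review = policy_rules(matrix)
    print("rules:", rules)
    print("review:", review)
```

On the constructed data the two-flow patterns (web to app on tcp/8080, app to DB on tcp/3306) become allow rules, while the single web-to-DB flow and the single external HTTPS flow land in the review list: the first is probably a pattern to break, the second one to allow deliberately. The threshold exists to force that decision rather than to make it.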
  • 56. Day 2 Operations. Drifts and shifts in workload flows: continue monitoring flow patterns using Log Insight. Shifts in policies: manage FW rules using Tufin, Algosec. Keep advanced services updated: keep services like AV and IPS updated with signatures.
  • 57. NSX Transforms Security by Providing Context & Minimizing Overhead (Guest VM, Network, Hypervisor). Context: share rich context on applications, users, data, etc. Isolation: minimize attack targets like security controls (e.g. AV) and telemetry (e.g. logs) by leveraging guest and network isolation and micro-segmentation. Ubiquity: ensure visibility and control points are everywhere, to help address coverage and scale challenges.
  • 58. What’s Next… (Play, Learn, Deploy) • VMware NSX Hands-on Labs: labs.hol.vmware.com • VMware Booth #1229: 3 NSX Demo Stations • Explore, Engage, Evolve: virtualizeyournetwork.com • Network Virtualization Blog: blogs.vmware.com/networkvirtualization • NSX Product Page: vmware.com/go/nsx • NSX Training & Certification: www.vmware.com/go/NVtraining • NSX Technical Resources and Reference Designs: vmware.com/products/nsx/resources • VMware NSX YouTube Channel: youtube.com/user/vmwarensx
  • 59. Please submit your feedback via our mobile app.