
Andy Kennedy - Scottish VMUG April 2016


NSX Keynote session from the Scottish VMUG event in Glasgow on the 22nd April, 2016.

The key theme is how security "blind spots" arise when new compute models are adopted, which underlines the industry's need for a platform that delivers micro-segmentation and a zero trust model irrespective of the technology used to host modern applications.

Published in: Technology


  1. ScottishVMUG, April 2016. From untrust to zero trust… Securing what comes next for the SDDC. Andy Kennedy (@packetdiscards), Networking & Security Business Unit, EMEA, +44 7766 250030, akennedy@vmware.com
  2. Disclaimer • This presentation may contain product features that are currently under development. • This overview of new technology represents no commitment from VMware to deliver these features in any generally available product. • Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind. • Technical feasibility and market demand will affect final delivery. • Pricing and packaging for any new technologies or features discussed or presented have not been determined.
  3. From untrust to zero trust… Securing what comes next for the SDDC. © 2016 VMware Inc. All rights reserved. Andy Kennedy (@packetdiscards), Networking & Security Business Unit, EMEA, +44 7766 250030, akennedy@vmware.com
  4. From Shadow IT to the Next Unit of Compute – The blind spot indicator for cyber security
  5. Cloud Silos (diagram labels: Public, Managed, Private)
  6. Application Silos (diagram labels: Traditional Applications, Cloud-Native Applications)
  7. Device Proliferation (diagram labels: Applications, Content)
  8. One Cloud, Any Application, Any Device
  9. Bridging Two Worlds (diagram labels: Mobile Cloud Era, Client-Server Era)
  10. High-Level Architecture (diagram labels: Isolation, Segmentation, Service Insertion, Guest Introspection, Orchestration, Configuration Management, DR, Backup & recovery, Log Management, SIEM, Operations Dashboard, Virtual Domain, RBAC / AAA, Policy Management, Policy Enforcement, Monitoring & Analytics, Backup & Disaster Recovery, Physical Domain, Hybrid Cloud Infrastructure, People & Process)
  11. 3rd Platform Enables New Types of Apps in the Mobile-Cloud Era (diagram labels: 1st Platform (Servers), 2nd Platform (Virtualization), 3rd Platform (Cloud), Hardware, x86, OS, Linux, Application, Operations, App Team)
  12. Major NSX use cases – Security: Intra-Datacenter Micro-Segmentation, DMZ Anywhere, Secure User Environments; Agility: IT Automating IT, Developer Clouds, Multi-tenant Infrastructure; Application Continuity: Disaster Recovery, Metro Pooling, Hybrid Cloud Networking
  13. Microsegmentation
  14.
  15.
  16.
  17.
  18. Topology Driven Security – Little or no lateral controls inside perimeter (diagram label: Internet)
  19. Topology Driven Security – Operationally Infeasible (diagram label: Internet)
  20. The challenge of topology driven security in the SDDC – Centralized firewalls: • Create firewall rules before provisioning • Update firewall rules when moving or changing • Delete firewall rules when app decommissioned • Problem increases with more east-west traffic (diagram label: Internet)
  21. How an SDDC Approach Makes Micro-segmentation Feasible (diagram labels: Internet, Security policy, Perimeter firewalls, Cloud Management Platform)
  22. Creating a zero trust model – Isolation; Explicit allow comm.; Secure communications; Structured secure comms. (NGFW, IPS, WAF); and align your controls to what you are protecting (diagram label: Allow HTTPS)
  23. Adapting to Change
  24. Application Silos (diagram labels: Traditional Applications, Cloud-Native Applications)
  25. Developer / IT Challenges with Containers – Different Units of Management, Partial Visibility, Limited Security, No Compatibility Tools
  26. Containers without compromise – Today: Container Engine, Linux; vSphere Integrated Containers
  27. Security – Today: OS Level Isolation; vSphere Integrated Containers: Hardware Level Isolation
  28. Container Security (diagram labels: Vulnerable Application, Vault, Website, Internet, Database, Port 80, Internal network)
  29. Docker libnetwork – Options: – Bridge: implements a way to configure new networks as isolated L2 bridges on single Docker hosts; the scope is 'local'. – Overlay: implements VXLAN-based overlay networking to create L2 segments that attach containers running on multiple Docker hosts. – Remote: implements an API to externalize network functions to 3rd party vendors / solutions. (diagram labels: Bridge Networking, Multi-Host (Overlay) Driver, Remote (Vendor) Driver)
  30. Docker libnetwork – The Container Network Model (CNM): • Sandbox – A Sandbox contains the configuration of a container's network stack. This includes management of the container's interfaces, routing table and DNS settings. An implementation of a Sandbox could be a Linux Network Namespace, a FreeBSD Jail or other similar concept. • Endpoint – An Endpoint joins a Sandbox to a Network. An implementation of an Endpoint could be a veth pair, an Open vSwitch internal port or similar. • Network – A Network is a group of Endpoints that are able to communicate with each other directly. An implementation of a Network could be a VXLAN segment, a Linux bridge, a VLAN, etc. Source: https://github.com/docker/libnetwork/blob/master/docs/design.md (diagram labels: External network, G/w, Bridge)
  31. Containers – do we still need a Hypervisor? Privilege escalation can lead to container host compromise (diagram labels: Vault, Website, Internet, Database, Port 80, Internal network, Confidential Information)
  32. Containers – do we still need a Hypervisor? Lack of isolation allows an attacker to move around (diagram labels: Vault, Website, Internet, Database, Port 80, Internal network, Confidential Information)
  33. Containers – do we still need a Hypervisor? NSX provides segmentation, visibility and integration (diagram labels: Website, Internet, Port 80, Internal network, Physical Network Infrastructure, Vault, Database, Datacenter, Honey pot, Vulnerability scanner, Micro-segmentation, Alert, Connection to data center)
  34. vSphere Integrated Containers – Latest… https://github.com/vmware/vic http://blogs.vmware.com/cloudnative/introducing-vsphere-integrated-containers-open-source-software/
  35. Kubernetes – POC (diagram labels: Hypervisor (ESXi & KVM), Minion VM, Pod, vif, DFW, DLR, eth0, eth1, eth2, Minion Mgmt. IP Stack, mgmt network, Lx bridge)
  36. Kubernetes – POC
  37. Kubernetes – POC
  38. Benefits of NSX and containers (column headings: Micro-segmentation; Alert; Connection to data center) • Micro-segmentation to establish clear boundaries • Stop compromises at container or application level • Central visibility into connectivity across the data center • Per-flow tracking • Alerts for suspicious behavior • Virtual taps at a per-container level • Integration with the rest of your IT infrastructure • Monitoring, incident response, forensics • Access to databases, backup, system updates
  39. Cloud Silos (diagram labels: Public, Managed, Private)
  40. Public Cloud – The New Silo Infrastructure?
  41. The Challenge: Connectivity Across Multiple Clouds
  42. Ubiquitous Security for Public Cloud Workloads (diagram labels: Data Center, IT Administrator, Internet, …, AWS Cloud, Developer)
  43. NSX + Public Cloud + Containers – 500 Web Servers, 7 data centers, 3 continents, 2 public clouds + 1 on premise …in 5 minutes (locations: Sydney, Hong Kong, Palo Alto, Chicago, Dallas, Virginia, Seattle) https://www.youtube.com/watch?v=RBJ-KoAM-OQ
  44. Operational Focus
  45.
  46. EMC Smarts for NSX – Virtual + Physical Topology (diagram labels: Virtual Network, Physical Network, Logical Switch, Logical Router, Leaf01, Spine01, Hypervisor)
  47. Design for the New & Accommodate The Old (diagram labels: Hyper-V, On-Premises Data Center, Public Cloud, 3rd Gen Applications, Virtual Desktop, Mobile Devices)
  48. Network Virtualization – Next Steps with VMware NSX: virtualizeyournetwork.com – the online resource for the people, teams and organizations that are adopting network virtualization; communities.vmware.com – connect and engage with network virtualization experts and fellow VMware NSX users; vmware.com/go/NVtraining – build knowledge and expertise for the next step in your career; labs.hol.vmware.com – test drive the capabilities of VMware NSX
  49. Technology Previews – Containers & Public Cloud Tech Preview, Distributed Network Encryption Tech Preview, Kubernetes & NSX Tech Preview: https://youtu.be/RBJ-KoAM-OQ https://youtu.be/bjodui_ZhM8
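The deck contrasts topology-driven security (slide 18: little or no lateral control inside a segment, so a compromised website container can reach the database and the vault on the same internal network, slides 31 and 32) with a zero trust model built on isolation and explicit allow rules (slide 22). The following added example, which is not code from the slides, from VMware or from Docker libnetwork, models the CNM objects from slide 30 (Endpoints attached to a Network) and evaluates flows under both postures, so the difference in blast radius can be measured rather than asserted. Endpoint names, security-group labels and the database port 5432 are constructed for the illustration.

```python
"""Added example: CNM-style endpoints on one bridge network, evaluated under
topology-driven security versus an explicit-allow (zero trust) policy.
All workloads, groups and ports are constructed; this is not NSX or libnetwork code."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class Endpoint:
    """CNM Endpoint: joins one container's Sandbox to one Network.
    'group' is the security label the policy keys on (constructed for this example)."""
    name: str
    network: str
    group: str


@dataclass(frozen=True)
class Rule:
    """One explicit-allow rule: src_group may open dst port on dst_group."""
    src_group: str
    dst_group: str
    port: int


@dataclass
class Fabric:
    """Endpoints plus a default-deny rule list (no rules means nothing is allowed)."""
    endpoints: Dict[str, Endpoint] = field(default_factory=dict)
    rules: List[Rule] = field(default_factory=list)

    def attach(self, ep: Endpoint) -> None:
        self.endpoints[ep.name] = ep

    def allow(self, src_group: str, dst_group: str, port: int) -> None:
        self.rules.append(Rule(src_group, dst_group, port))

    def same_segment(self, src: str, dst: str) -> bool:
        """Topology-driven security: sharing an L2 segment (bridge / VXLAN) is the
        only control, so any two endpoints on the same Network can talk."""
        return src != dst and self.endpoints[src].network == self.endpoints[dst].network

    def policy_permits(self, src: str, dst: str, port: int) -> bool:
        """Zero trust: the flow must be reachable AND match an explicit allow rule.
        Isolation between peers of one tier follows from there being no rule for it."""
        if not self.same_segment(src, dst):
            return False
        s, d = self.endpoints[src], self.endpoints[dst]
        return any(r.src_group == s.group and r.dst_group == d.group and r.port == port
                   for r in self.rules)

    def blast_radius(self, src: str, zero_trust: bool) -> Set[str]:
        """Endpoints that a compromised 'src' could open a connection to on any port."""
        reach: Set[str] = set()
        for name in self.endpoints:
            if zero_trust:
                if any(self.policy_permits(src, name, r.port) for r in self.rules):
                    reach.add(name)
            elif self.same_segment(src, name):
                reach.add(name)
        return reach


def build_demo_fabric() -> Fabric:
    """Constructed scenario mirroring slides 28 and 31: four web containers, a
    database and a vault on a single internal bridge network. Only the web tier
    is granted the database port; nothing is allowed to reach the vault."""
    f = Fabric()
    for i in range(1, 5):
        f.attach(Endpoint(f"web-{i}", "internal", "web"))
    f.attach(Endpoint("db-1", "internal", "db"))
    f.attach(Endpoint("vault-1", "internal", "vault"))
    f.allow("web", "db", 5432)  # constructed port for the database service
    return f


if __name__ == "__main__":
    fabric = build_demo_fabric()
    for zt in (False, True):
        mode = "zero trust      " if zt else "topology-driven "
        print(mode, "web-1 can reach:", sorted(fabric.blast_radius("web-1", zt)))
```

Under the topology-driven posture the web container reaches every other endpoint on the bridge; under the explicit-allow policy it reaches only the database on the one permitted port, and a compromised database reaches nothing, which is the "stop compromises at container or application level" outcome listed on slide 38.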
