NSX: Data Center Security with Micro-segmentation
Esteban Prieto, Senior Systems Engineer. © 2015 VMware Inc. All rights reserved.
How do you move as fast as the business needs, while serving an environment that is changing and growing, without having to start over?
You need a new approach to networking and security, one that gives you the agility and speed you need to support your business while providing a more secure infrastructure.
The Software-Defined Data Center (SDDC). Diagram: any application runs on the SDDC platform (data center virtualization) over any x86 server, any storage and any IP network; compared with the Google / Facebook / Amazon data centers, which use custom application and platform software with their own software/hardware abstraction.
Traditional network provisioning. Example vPC pair configuration, entered by hand on each switch:

Switch A:
interface e2/5
  ip address 192.168.1.2/24
  vrf membership vpc-keepalive
vpc domain 1
  peer-keepalive destination 192.168.1.1 source 192.168.1.2 vrf vpc-keepalive
interface port-channel 1000
  switchport mode trunk
  vpc peer-link
interface e2/1-2
  switchport mode trunk
  channel-group 1000 mode active
interface e2/3
  switchport mode trunk
  channel-group 1 mode active
interface port-channel1
  vpc 1
...

Switch B:
interface e1/5
  ip address 192.168.1.1/24
  vrf membership vpc-keepalive
vpc domain 1
  peer-keepalive destination 192.168.1.2 source 192.168.1.1 vrf vpc-keepalive
interface port-channel 1000
  switchport mode trunk
  vpc peer-link
interface e1/1-2
  switchport mode trunk
  channel-group 1000 mode active
interface e1/3
  switchport mode trunk
  channel-group 1 mode active
interface port-channel1
  vpc 1
...

Result: slow, non-centralized configuration, prone to human error.
Network and Security Virtualization. Diagram: an orchestrator and a services portal drive NSX Manager, which programs the vSphere hosts. Hardware independent; non-disruptive to the production network and security equipment.
Why are breaches still happening? Unconstrained communication: little or no lateral controls inside the perimeter, so low-priority systems are targeted first. Attackers can move freely around the data center. Attackers then gather and exfiltrate data over weeks or even months. (Diagram: Internet, data center perimeter.)
Security is needed everywhere, but we can't have it everywhere. Why can't we have individual firewalls for every VM? With traditional technology, this is operationally infeasible: physical firewalls are expensive and complex; virtual firewalls are slow, costly, and complicated. (Diagram: Internet, data center perimeter.)
Problem: Data Center Network Security. Perimeter-centric network security has proven insufficient (little or no lateral controls inside the perimeter), and micro-segmentation with traditional tools is operationally infeasible.
Data center security: micro-segmentation? Diagram (built up over several slides): Internet, then a perimeter FW / IPS-IDS, then a DMZ VLAN and an INSIDE VLAN hosting the workloads.
Build 1: the perimeter firewall separates the DMZ and INSIDE VLANs from the Internet.
Build 2: inside each VLAN there are no lateral controls between workloads.
Build 3: the IDS-IPS can only alert or act on traffic that crosses the perimeter.
Build 4: conclusion, perimeter controls are insufficient because there are no lateral controls.
Data center security: micro-segmentation with NSX. Diagram: the same Internet, FW / IPS-IDS, DMZ VLAN and INSIDE VLAN, but with zero-trust enforcement between every pair of workloads inside the VLANs.
Solution: Leverage the SDDC Approach for Micro-Segmentation
• Hypervisor-based, in-kernel distributed firewalling
• Platform-based automated provisioning and workload adds/moves/changes
(Diagram: a cloud management platform pushes security policy; perimeter firewalls remain at the Internet edge.)
Advanced Services Insertion. Diagram: in the management plane, the security admin defines the security policy; traffic from the Internet is steered through third-party services (traffic steering) and inspected by network introspection.
Security Automation
Security Group = Quarantine Zone; Members = {Tag = 'ANTI_VIRUS.VirusFound', L2 Isolated Network}
Security Group = Web Tier
Policy definition:
• Standard Server VM Policy: Anti-Virus – Scan
• Quarantined VM Policy: Firewall – Block all except security tools; Anti-Virus – Scan and remediate
(Guest Introspection supplies the tag when the anti-virus engine finds a threat.)
Intelligent Policy Creation. Groups are defined by workload characteristics, not by IP, port and protocol:
• Operating System
• Application Tier
• Machine Name
• Services
• Regulatory Requirements
• Security Posture
(Diagram: security automation driven by Guest Introspection.)
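The two slides above (Security Automation, and groups defined by workload characteristics) describe one mechanism: security group membership is computed from tags and attributes, and an ordered distributed firewall rule set references groups rather than addresses. The following is an added illustration written for this page, not NSX code or its API: a small policy model in which a VM tagged 'ANTI_VIRUS.VirusFound' falls into a Quarantine Zone whose only permitted peers are the security tools, and in which re-addressing a VM changes nothing. Group names, rule names, VM names and IP addresses are all constructed for the example.

```python
"""Tag- and attribute-driven security groups with an ordered distributed
firewall (DFW) rule set.  Constructed illustration of the idea on the slides,
not NSX's data model or API."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple
import re


@dataclass
class VM:
    name: str
    ip: str
    os: str
    tier: str                                    # web / app / db / security
    tags: Set[str] = field(default_factory=set)  # e.g. set by an AV partner


@dataclass
class SecurityGroup:
    name: str
    member: Callable[[VM], bool]   # membership computed from workload attributes


@dataclass
class Rule:
    name: str
    src: str                       # security group name, or "any"
    dst: str
    service: str                   # "proto/port" or "any"
    action: str                    # "allow" or "block"


# Groups keyed on tags, tier and machine name; no IP address appears anywhere.
GROUPS: List[SecurityGroup] = [
    SecurityGroup("Quarantine Zone", lambda vm: "ANTI_VIRUS.VirusFound" in vm.tags),
    SecurityGroup("Security Tools", lambda vm: vm.tier == "security"),
    SecurityGroup("Web Tier", lambda vm: vm.tier == "web"
                  and re.fullmatch(r"web-\d+", vm.name) is not None),
    SecurityGroup("App Tier", lambda vm: vm.tier == "app"),
    SecurityGroup("DB Tier", lambda vm: vm.tier == "db"),
]

# Ordered rule set, first match wins.  The quarantine rules sit above the
# application rules, so a tagged VM loses its normal allows immediately.
RULES: List[Rule] = [
    Rule("quarantine-allow-tools-out", "Quarantine Zone", "Security Tools", "any", "allow"),
    Rule("quarantine-allow-tools-in", "Security Tools", "Quarantine Zone", "any", "allow"),
    Rule("quarantine-block-out", "Quarantine Zone", "any", "any", "block"),
    Rule("quarantine-block-in", "any", "Quarantine Zone", "any", "block"),
    Rule("web-to-app", "Web Tier", "App Tier", "tcp/8443", "allow"),
    Rule("app-to-db", "App Tier", "DB Tier", "tcp/5432", "allow"),
    Rule("default-deny", "any", "any", "any", "block"),   # no lateral path by default
]


def groups_of(vm: VM) -> Set[str]:
    """Dynamic membership: recomputed on every lookup, so a tag change or a
    move/re-IP takes effect without editing a single rule."""
    return {g.name for g in GROUPS if g.member(vm)}


def evaluate(src: VM, dst: VM, service: str) -> Tuple[str, str]:
    """Return (action, rule name) for a flow, as a per-vNIC distributed firewall
    would decide it.  The final catch-all guarantees a match."""
    src_groups, dst_groups = groups_of(src), groups_of(dst)
    for r in RULES:
        if ((r.src == "any" or r.src in src_groups)
                and (r.dst == "any" or r.dst in dst_groups)
                and (r.service == "any" or r.service == service)):
            return r.action, r.name
    raise AssertionError("rule set must end with a catch-all rule")


def make_inventory() -> Dict[str, VM]:
    """Constructed sample workloads; names and addresses are made up."""
    vms = [
        VM("web-01", "10.0.1.11", "linux", "web"),
        VM("app-01", "10.0.2.11", "linux", "app"),
        VM("db-01", "10.0.3.11", "linux", "db"),
        VM("av-scanner", "10.0.9.5", "linux", "security"),
    ]
    return {vm.name: vm for vm in vms}


def quarantine(vm: VM) -> None:
    """What the anti-virus partner does on detection: attach a tag, nothing more."""
    vm.tags.add("ANTI_VIRUS.VirusFound")


if __name__ == "__main__":
    inv = make_inventory()
    web, app, db, av = inv["web-01"], inv["app-01"], inv["db-01"], inv["av-scanner"]
    print("web->app tcp/8443:", evaluate(web, app, "tcp/8443"))  # ('allow', 'web-to-app')
    print("web->db  tcp/5432:", evaluate(web, db, "tcp/5432"))   # ('block', 'default-deny')
    quarantine(web)
    print("tagged, web->app :", evaluate(web, app, "tcp/8443"))  # ('block', 'quarantine-block-out')
    print("tagged, av->web  :", evaluate(av, web, "tcp/443"))    # ('allow', 'quarantine-allow-tools-in')
    web.ip = "10.0.1.99"                                          # re-addressing changes nothing
    print("re-IP,  av->web  :", evaluate(av, web, "tcp/443"))    # ('allow', 'quarantine-allow-tools-in')
```

The point to notice is that the quarantined VM is still a member of Web Tier; it is the rule order, with the quarantine block above the application allows, that collapses its reachability to the security tools. Any real deployment should keep that precedence explicit and audited, since a quarantine rule placed below the application rules would silently do nothing.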
Security Ecosystem (partner integrations)
• Anti-virus
• Data Loss Prevention
• Vulnerability Scan
• Security tags
• NGFW
• IPS
• Malware
• Anti-Bot
NSX Value Proposition. Network virtualization is at the core of the software-defined data center approach. (Diagram: a virtualization layer over network, storage and compute.)
The Next-Generation Networking Model. Switching, routing, load balancing and firewalling/ACLs: east-west firewalling at high throughput rates, hardware independent. Network and security services now live in the hypervisor.
NSX Value Proposition. (Diagram: virtual networks on top of the "network platform", the virtualization layer spanning network, storage and compute.)
Security: Micro-segmentation | Secure End User | DMZ Anywhere. Granular policy enforcement enables a zero-trust security model with policy enforced at every workload. (Diagram: Web, App and DB tiers, each made up of many VMs, with an enforcement point at every VM.)
Getting Started and Operations
vRealize Network Insight: transformative operations for the NSX-based software-defined data center.
• Plan micro-segmentation deployment and audit security compliance
• Optimize network performance with 360° visibility and analytics
• Offers best practices, health and availability of the NSX deployment
• Across virtual, physical and cloud
NSX and vRealize Network Insight Journey. Three phases: Evaluating (Assess), Day 1 (Deploy), Day 2 (Manage). Capabilities along the journey:
• East-west data center traffic profiling
• Map application connectivity
• Overlay-underlay, virtual-to-physical visibility
• Micro-segmentation recommendations
• Security groups and DFW rule recommendations
• Google-like search for rapid troubleshooting
• NSX ROI modeling
• Best practices
• Audit and compliance
Get Started Today with a Free VMware Network Assessment. Understand how you can immediately benefit from micro-segmentation: visibility, recommendation, value.
NSX-T 2.1
Thank you