SAI2803BU
#VMworld #SAI2803BU
The Road to Micro-Segmentation with VMware NSX
VMworld 2017 Content: Not for publication or distribution
Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
Stijn Vanveerdeghem, Geoff Wilmington (@vWilmo)
SAI2803BU
#VMworld #SAI2803BU
The Road to Micro-segmentation with VMware NSX
Agenda
1 Security in the Datacenter with NSX
2 Deploying NSX Micro-Segmentation
3 Micro-Segmentation Policy Creation
4 Automation
Security in the DC with NSX: Requirements for a Software-Defined Datacenter
[Figure: three pillars, Visibility, Control and Extensibility, resting on Common Policy and on Lifecycle Management and Automation]
Security in the DC with NSX: NSX Security Platform
[Figure: the NSX security platform mapped onto the same pillars: Visibility (datacenter, application and host), Control (context-driven micro-segmentation), Extensibility (best-of-breed partner integration), resting on Common Policy and on Lifecycle Management and Automation]
Security in the DC with NSX: What is Zero Trust?
Deploying NSX Micro-Segmentation: Deployment Options: Distributed Segmentation
• Controlled Communication or Isolation between workloads on the same or different VLAN
• Distributed Firewall applied to each vNIC
• East-West Filtering by NSX Distributed Firewall
• Existing physical firewall only handles North-South communication
• Traffic discovery to determine required flows/rules.
• Advanced Partner Services can be inserted at each vNIC
[Figure: a Stateful DFW at each vNIC enforcing the Policy; Controlled Communication between workloads, with disallowed flows marked STOP; a Physical Router carries North-South traffic]
Deploying NSX Micro-Segmentation: Deployment Options: Distributed Segmentation and Network Overlays
• Logical Switches based on overlays to isolate/segment independent of the underlying physical network
• Distributed Logical Routers to optimize East-West Routing
• Edge Services Gateway can also be leveraged for N-S routing, N-S firewalling, load balancing, NAT, VPN
• Distributed Firewall providing Controlled Communication or Isolation between workloads on the same or different Logical Switch (overlay)
• Advanced Partner Services can be inserted at each vNIC
[Figure: a Stateful DFW at each vNIC enforcing the Policy; Controlled Communication between workloads, with disallowed flows marked STOP; a Distributed Logical Router routes East-West traffic between Logical Switches]
Deploying NSX Micro-Segmentation: Deployment Steps: Deploying NSX Manager, VDS and Host Prep
• Pre-existing Management and Compute clusters can be leveraged
• NSX Manager deployed in the Mgmt cluster and peered with the existing vCenter server
• VDS is required for all compute clusters
• Host preparation installs NSX VIB to all hosts in a cluster
• Non-disruptive operation
• Distributed Firewall is enabled on every VM with a default allow-all policy
[Figure: Management Cluster and Compute Clusters attached to a VDS; VLAN 10, VLAN 20 and VLAN 30 at L2 with L3 above]
Deploying NSX Micro-Segmentation: Deployment Steps: Determine and Configure Appropriate Policies
• Policy and Grouping Methodology
• Application Discovery
• Policy Model
• Service Composer/Firewall Rule Table
Deploying NSX Micro-Segmentation: Deployment Steps: Reduce the Scope of the Perimeter Firewall (Brownfield)
▪ Move the default GW function from the perimeter firewall to the aggregation layer or deploy NSX Distributed Routing
▪ Remove E-W Rules from the perimeter firewall
▪ Perimeter Firewall now only handles N-S flows
▪ Can be done gradually
[Figure: VLAN 10, VLAN 20 and VLAN 30 behind the perimeter firewall, which now sees only N-S flows]
Micro-Segmentation Policy Creation: Policy and Grouping Methodology
• Choose the policy and grouping methodology BEFORE beginning the process.
• Will provide a clear direction on how to tackle challenges along the way.
[Figure: the three grouping methodologies: Network, Infrastructure, Application]
Micro-Segmentation Policy Creation: Whitelisting and Blacklisting
Whitelisting
Definition – A list of approved items. Anything not on this list is disallowed.
Advantages
• More secure
• High degree of accuracy
• Minimizes false positives
• Easy to customize
• Can be established easily in different areas of the enterprise
Disadvantages
• More time to manage
• Requires additional time to install
Blacklisting
Definition – A list of unapproved items. Anything not on this list is allowed.
Advantages
• Easy to manage
• Easy to install
• Updates quickly
Disadvantages
• Exponential growth
• High rate of false positives, even possibly blocking necessary access
• Requires continual updates
• Hard to transition to whitelisting
Micro-Segmentation Policy Creation: Firewall Rule Table and Service Composer
Firewall Rule Table
• Analogous to typical Firewall rule table
• Provides overview of all rules in the system
• DFW Rules and Network Introspection
• Sections enable rule grouping
• UI and API Driven
Service Composer
• One or more Security policies can be applied to Security Groups
• Policies define DFW rules and Service Chain.
• Abstraction enables efficient service deployment
• Independent policies are combined specific to each workload
• UI and API Driven
Micro-Segmentation Policy Creation: Policy and Grouping Methodology
• Security Groups allow abstraction and grouping of workloads from the underlying virtual infrastructure
• End-Users and Cloud Admins are able to define application-centric security policies
• Security policies are applied to one or more security groups where workloads are members
• Security Tags are applied to Virtual Machines and can be used for dynamic Security Group membership
[Figure: policy model: a Security Group (SG) has Members (VM, vNIC) and Context (user identity, security posture); a Security Policy (Guest Introspection, Distributed Firewall and Network Introspection policies) is applied to the Security Group; a Security Tag (ST) is applied to the Virtual Machine]
Micro-Segmentation Policy Creation: Dynamic Policy using Security Tags – Example
Requirements
• Apply differentiated policy based on OS, Environment, …
• Automate policy application for new applications being provisioned
Upon vRA Blueprint deployment
• All VMs part of an application are placed into a new Security Group
• Every VM is tagged with multiple tags identifying: Function, Zone, OS, Environment and Tenant
[Figure: App1 – Security Group containing App1-Apache (tags: Apache, DMZ_PROD_RHEL), App1-WLS (tags: WLS, TRUSTED_PROD_RHEL) and App1-ORADB (tags: ORADB, RESTRICTED_PROD_RHEL)]
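The tag-driven grouping described above, worked through as an added example (not code from the deck or from VMware; the VM names, tag names and match criteria are constructed). Every VM carries one tag per dimension, and each group's membership is recomputed from its tag criteria, so a tag change (for instance tagging a host for quarantine) moves the VM between groups without any rule being edited:

```python
# Added example, not code from the VMworld deck or from VMware: a toy model of
# security tags and dynamic security-group membership. VM names, tag names and
# the match criteria below are constructed for illustration.
import copy
from dataclasses import dataclass, field


@dataclass
class VM:
    name: str
    tags: set = field(default_factory=set)


@dataclass
class SecurityGroup:
    """Dynamic membership: a VM qualifies when it carries every tag in all_of
    and at least one tag from each alternative set in any_of."""
    name: str
    all_of: frozenset = frozenset()
    any_of: tuple = ()  # tuple of frozensets

    def matches(self, vm: VM) -> bool:
        if not self.all_of <= vm.tags:
            return False
        return all(vm.tags & alternatives for alternatives in self.any_of)


def members(group: SecurityGroup, inventory) -> set:
    """Re-evaluate membership against the current inventory; nothing is stored."""
    return {vm.name for vm in inventory if group.matches(vm)}


# Constructed inventory mirroring the App1 slide: one tag per dimension
# (Function, Zone, OS, Environment, Tenant) on every VM.
INVENTORY = [
    VM("App1-Apache", {"FUNC_APACHE", "ZONE_DMZ", "OS_RHEL", "ENV_PROD", "TENANT_APP1"}),
    VM("App1-WLS", {"FUNC_WLS", "ZONE_TRUSTED", "OS_RHEL", "ENV_PROD", "TENANT_APP1"}),
    VM("App1-ORADB", {"FUNC_ORADB", "ZONE_RESTRICTED", "OS_RHEL", "ENV_PROD", "TENANT_APP1"}),
    VM("App2-Nginx", {"FUNC_NGINX", "ZONE_DMZ", "OS_UBUNTU", "ENV_DEV", "TENANT_APP2"}),
]

# Constructed groups: one per application, plus cross-cutting groups keyed on
# environment/OS, zone and function, so one VM can belong to several groups.
GROUPS = {
    "SG-App1": SecurityGroup("SG-App1", all_of=frozenset({"TENANT_APP1"})),
    "SG-Prod-RHEL": SecurityGroup("SG-Prod-RHEL", all_of=frozenset({"ENV_PROD", "OS_RHEL"})),
    "SG-DMZ": SecurityGroup("SG-DMZ", all_of=frozenset({"ZONE_DMZ"})),
    "SG-WebServers": SecurityGroup(
        "SG-WebServers", any_of=(frozenset({"FUNC_APACHE", "FUNC_NGINX"}),)),
    "SG-Quarantine": SecurityGroup("SG-Quarantine", all_of=frozenset({"QUARANTINE"})),
}


def snapshot(inventory=INVENTORY, groups=GROUPS) -> dict:
    """Group name -> set of member VM names for the whole inventory."""
    return {name: members(group, inventory) for name, group in groups.items()}


def snapshot_after_retag(vm_name, add=(), remove=(), inventory=INVENTORY, groups=GROUPS):
    """Membership after a tag change on one VM, computed on a copy so the
    original inventory stays untouched (e.g. tagging a host QUARANTINE)."""
    inv = copy.deepcopy(inventory)
    vm = next(v for v in inv if v.name == vm_name)
    vm.tags.update(add)
    vm.tags.difference_update(remove)
    return {name: members(group, inv) for name, group in groups.items()}


if __name__ == "__main__":
    for group, vms in snapshot().items():
        print(f"{group}: {sorted(vms)}")
    print("after quarantine:",
          snapshot_after_retag("App1-Apache", add=("QUARANTINE",))["SG-Quarantine"])
```

The point of the model is that the policy references groups, never individual VMs: a newly provisioned VM that arrives with the right tags is covered by the existing policy the moment it is tagged, and removing the QUARANTINE tag returns the host to its normal groups with no rule change.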
Micro-Segmentation Policy Creation: Zero Trust Policy Model
Whitelisting / Zero Trust: rule sections from top to bottom, with Default Rule = Deny
• Emergency Rules – used for Quarantine and/or Allow Rules
• Infrastructure Rules – Global Rules: AD, DNS, NTP, DHCP, Backup, Mgmt Servers
• Environment Rules – rules between Zones: Prod vs Dev, PCI vs Non-PCI, inter-BU rules
• Inter-Application Rules – rules between Applications
• Intra-Application Rules – rules between the app tiers or between micro-services
• Default Rule = Deny
Tools: vRNI / ARM / EM
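The section ordering above, as an added example (not code from the deck or from VMware): an ordered rule table evaluated first-match, with constructed group names, address ranges, services and rule names. It shows why the order matters: DNS to the infrastructure group is allowed for a dev host before the environment section blocks dev-to-prod, a quarantine entry in the emergency section overrides an intra-application allow, and without the explicit default-deny rule the flow falls through to the DFW system default.

```python
# Added example, not code from the VMworld deck or from VMware: first-match
# evaluation of an ordered rule table laid out in the zero-trust sections from
# the slide. Group names, address ranges, services and rule names are constructed.
import ipaddress
from dataclasses import dataclass

ANY = "any"
SECTION_ORDER = ["emergency", "infrastructure", "environment",
                 "inter-application", "intra-application", "default"]


@dataclass(frozen=True)
class Rule:
    section: str
    name: str
    src: str       # security group name or "any"
    dst: str
    service: str   # "proto/port" or "any"
    action: str    # "allow" or "block"
    log: bool = False


# Constructed security-group membership expressed as address ranges; in NSX
# these would be Security Groups fed by tags, as on the previous slides.
GROUPS = {
    "SG-Quarantine": set(),
    "SG-DNS": {"10.0.0.53/32"},
    "SG-Prod": {"10.1.0.0/16"},
    "SG-Dev": {"10.9.0.0/16"},
    "SG-App1-Web": {"10.1.1.0/24"},
    "SG-App1-App": {"10.1.2.0/24"},
    "SG-App1-DB": {"10.1.3.0/24"},
    "SG-App2": {"10.1.20.0/24"},
}

RULES = [
    Rule("emergency", "quarantine", "SG-Quarantine", ANY, ANY, "block", log=True),
    Rule("infrastructure", "dns", ANY, "SG-DNS", "udp/53", "allow"),
    Rule("environment", "dev-to-prod", "SG-Dev", "SG-Prod", ANY, "block", log=True),
    Rule("inter-application", "app2-to-app1-web", "SG-App2", "SG-App1-Web", "tcp/443", "allow"),
    Rule("intra-application", "any-to-web", ANY, "SG-App1-Web", "tcp/443", "allow"),
    Rule("intra-application", "web-to-app", "SG-App1-Web", "SG-App1-App", "tcp/8443", "allow"),
    Rule("intra-application", "app-to-db", "SG-App1-App", "SG-App1-DB", "tcp/3306", "allow"),
    Rule("default", "default-deny", ANY, ANY, ANY, "block", log=True),
]


def in_group(ip, group, groups):
    """True when ip falls in any range of the named group ("any" matches everything)."""
    if group == ANY:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in groups.get(group, ()))


def evaluate(src, dst, service, rules=RULES, groups=GROUPS):
    """Return (action, rule name) of the first rule matching the flow, top to bottom."""
    for rule in rules:
        if (in_group(src, rule.src, groups) and in_group(dst, rule.dst, groups)
                and rule.service in (ANY, service)):
            return rule.action, rule.name
    # Only reached when no default rule is present: the DFW system default applies.
    return "allow", "dfw-system-default"


def check_section_order(rules=RULES):
    """True when every rule sits in the same section as, or a later one than, the rule above it."""
    rank = {section: i for i, section in enumerate(SECTION_ORDER)}
    return all(rank[a.section] <= rank[b.section] for a, b in zip(rules, rules[1:]))


if __name__ == "__main__":
    for flow in [("10.1.1.10", "10.1.2.10", "tcp/8443"), ("10.1.1.10", "10.1.3.10", "tcp/3306"),
                 ("10.9.0.5", "10.1.1.10", "tcp/443"), ("10.9.0.5", "10.0.0.53", "udp/53")]:
        print(flow, "->", evaluate(*flow))
```

check_section_order is the review an engineer does on the Firewall Rule Table before publishing: a rule filed under a later section than the one above it would be reachable before the broader emergency or environment rules it should sit beneath.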
Micro-Segmentation Policy Creation: Application Discovery - Methods and Tools
• Leveraging Existing Firewall Policy
• vRealize Network Insight
• NSX Application Rule Manager and Endpoint Monitoring
• vRealize Log Insight – Firewall Log
Micro-Segmentation Policy Creation: Leveraging the existing FW policy
• Mostly relevant for Infrastructure and Environment Rules
• Analyze existing zones and rules and isolate North-South rules from East-West rules.
– Determine flow patterns that are hair-pinned (East-West traffic).
– Also helps you understand how to replace hair-pinned traffic with logical switches and routing using overlays via NSX.
• Correlate NSX flow patterns/logs with rules collected from perimeter firewalls.
[Figure: perimeter firewall in front of HR Apps (HR-Web VLAN 10, HR-App VLAN 11, HR-DB VLAN 12), Engineering Apps (ENG-Web VLAN 20, ENG-App VLAN 21, ENG-DB VLAN 22) and Shared Services]
Micro-Segmentation Policy Creation: Leveraging the existing FW policy – Rule Migration
Micro-Segmentation Policy Creation: vRealize Log Insight - Distributed Firewall Logs (Per Application)
1. Create Security Groups for your application
2. Create catch-all rules to log traffic
3. Monitor Logs to determine required rules
4. Create or update Shared Services rules
5. Create E-W Intra-Application Rules
6. Continue for other applications
[Figure: an Application with Web Tier, App Tier and DB Tier, shown under two successive rule sets]
Logging Rules:
• Any/Any Rule: Allow and Log
• Any/Any Rule: Block and Log
• DFW System Default: Allow or Block
Application Policy (Intra-Application Rules):
• Allow Any to Web
• Allow Web to App
• Allow App to DB
• Block and Log Rule (Default Block and Log)
• DFW System Default: Allow or Block
Micro-Segmentation Policy Creation: NSX Micro-Segmentation Visibility and Planning Tools
• Profile applications both on the wire and on the guest. Can be used on a per application basis.
• End-to-end visibility and rule creation/enforcement
• Empowers app team = visibility and rule creation – streamlines deployment
• Drives “whitelisting” model – default deny and open up the necessities
• Fast app operationalization
Micro-Segmentation Policy Creation: NSX Micro-Segmentation Visibility and Planning Tools: Application Rule Manager
• Leverages flow monitoring to monitor all flows for selected vNICs
• Flows are de-duplicated, correlated and filtered
• Optimized flow tables are presented to users
• IP addresses/ports are replaced with objects
• Users can further optimize the flow table
• Firewall rules are generated and can be published after review
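The log-driven procedure (catch-all log rules, monitor, derive intra-application rules, finish with block-and-log) and the Application Rule Manager pipeline (de-duplicate flows, replace IPs with objects, generate rules for review) are both illustrated by this added example; it is not code from the deck, from VMware or from either tool. The log lines are a constructed approximation of the NSX-v dfwpktlogs syslog format, and the IP-to-object map stands in for Security Group membership; both are assumptions of the example.

```python
# Added example, not code from the VMworld deck or from VMware: turns catch-all
# "allow and log" DFW hits into a de-duplicated, object-based whitelist that ends
# in a block-and-log rule. The log lines are a constructed approximation of the
# NSX-v dfwpktlogs syslog format; the IP-to-object map stands in for Security
# Group membership and is likewise constructed.
import re
from collections import OrderedDict

# Constructed log sample: rule 1001 is the catch-all "allow and log" rule; the
# last line hit a pre-existing rule (1005) and so needs no new whitelist entry.
LOG_LINES = """\
2017-08-28T10:00:01Z esx-01 dfwpktlogs: 1234 INET match PASS domain-c7/1001 IN 60 TCP 192.0.2.50/51234->10.1.1.10/443 S
2017-08-28T10:00:01Z esx-01 dfwpktlogs: 1234 INET match PASS domain-c7/1001 IN 60 TCP 10.1.1.10/40001->10.1.2.10/8443 S
2017-08-28T10:00:02Z esx-02 dfwpktlogs: 1234 INET match PASS domain-c7/1001 IN 60 TCP 10.1.1.11/40002->10.1.2.10/8443 S
2017-08-28T10:00:02Z esx-02 dfwpktlogs: 1234 INET match PASS domain-c7/1001 IN 60 TCP 10.1.2.10/40003->10.1.3.10/3306 S
2017-08-28T10:00:03Z esx-02 dfwpktlogs: 1234 INET match PASS domain-c7/1001 OUT 60 UDP 10.1.2.10/40004->10.0.0.53/53
2017-08-28T10:00:03Z esx-03 dfwpktlogs: 1234 INET match PASS domain-c7/1005 IN 60 TCP 10.9.0.5/40005->10.1.3.10/22 S
"""

LOG_RE = re.compile(
    r"dfwpktlogs: \d+ INET match (?P<action>PASS|DROP) (?P<ruleset>[\w-]+)/(?P<rule>\d+) "
    r"(?P<dir>IN|OUT) \d+ (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

# Constructed IP -> object map (the application's tiers and a shared service).
OBJECTS = {
    "10.1.1.10": "App1-Web", "10.1.1.11": "App1-Web",
    "10.1.2.10": "App1-App",
    "10.1.3.10": "App1-DB",
    "10.0.0.53": "SG-DNS",
}


def object_for(ip):
    """Replace an address with its object; unknown addresses become an IPSet to review."""
    return OBJECTS.get(ip, f"IPSet-{ip}")


def parse_flows(text, catch_all_rule):
    """Yield (src_obj, dst_obj, proto, dport) for every hit on the catch-all rule.
    Source ports are ephemeral and dropped, which is what de-duplicates the flows."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["rule"] != catch_all_rule:
            continue
        yield object_for(m["src"]), object_for(m["dst"]), m["proto"], int(m["dport"])


def generate_rules(text, catch_all_rule="1001"):
    """Count distinct flows in first-seen order and emit an ordered whitelist that
    ends in block-and-log; rules touching an IPSet are flagged for human review."""
    hits = OrderedDict()
    for key in parse_flows(text, catch_all_rule):
        hits[key] = hits.get(key, 0) + 1
    rules = []
    for (src, dst, proto, port), count in hits.items():
        rules.append({
            "name": f"allow-{src}-to-{dst}-{proto.lower()}-{port}",
            "src": src, "dst": dst, "service": f"{proto}/{port}",
            "action": "allow", "hits": count,
            "review": src.startswith("IPSet-") or dst.startswith("IPSet-"),
        })
    rules.append({"name": "default-block-and-log", "src": "any", "dst": "any",
                  "service": "any", "action": "block", "log": True})
    return rules


if __name__ == "__main__":
    for rule in generate_rules(LOG_LINES):
        print(rule)
```

The review flag is the step the slide calls "published after review": the external client that reached the web tier shows up as an IPSet, and it is a person, not the generator, who decides whether that becomes "Allow Any to Web" or stays a narrow set.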
Micro-Segmentation Policy Creation: Demo: Application Rule Manager
• Micro-Segment SAP HANA using Application Rule Manager
Micro-Segmentation Policy Creation: vRealize Network Insight
• Optimize Network Performance with 360° Visibility & Analytics
• Ensure Best Practices, Health and Availability of NSX Deployment
• Plan Micro-segmentation Deployment and Ensure Compliance
Across Virtual, Physical and Cloud
Micro-Segmentation Policy Creation: vRealize Network Insight - Security Planning
Network Insight can model the appropriate security groups and firewall rules for the entire environment.
• Comprehensive net flow (IPFIX) assessment and analysis to model Security Groups and Firewall Rules
• Recommendations to make micro-segmentation easier to deploy
• Continuously monitor and audit compliance posture over time
Micro-Segmentation Policy Creation: vRealize Network Insight: Application Modeling
• Analyze flows between applications or between tiers of an application
• Quickly add VMs to an application tier using vCenter Tags or search wildcards
• Support for modeling application tiers by multiple criteria (IP, tags, IPsets, folders, …)
• Support for physical IP addresses in micro-segmentation planning and application tiers
• Export of all rules for applications, tiers, or security groups with one click
Micro-Segmentation Policy Creation: Demo: vRealize Network Insight
• Micro-Segment SAP HANA using vRNI
• vRNI to Suggest Recommended Rules
• vRNI 3.5 New functionality
– IPFIX for DFW
Security Automation: The need for Automating Security
• VM sprawl requires more granular security controls
• Manual configuration breaks the cloud model
• Auditing and control are harder in a dynamic environment
[Figure: a Security Admin defines an Automated Policy that sits between the Internet and the workloads; automating security configuration reduces risk and labor]
Security Automation: Automating Security with vRA and NSX
• Provides application context to enable a policy based approach to security
• Granular security requires a mix of options:
– Existing or On-Demand Security Groups
– App Isolation to block traffic across deployments
[Figure: two vRA deployments, each with its own on-demand security groups]
Deployment 1 (App Isolation Security Group UUID-01):
• Web Tier Security Group: web-sv-001, web-sv-002
• App Tier Security Group: app-sv-001 – Permit only Tomcat (TCP 8443) from Web
• DB Tier Security Group: db-sv-001 – Permit only MySQL (TCP 3306) from App
Deployment 2 (App Isolation Security Group UUID-02):
• Web Tier Security Group: web-sv-003, web-sv-004
• App Tier Security Group: app-sv-002 – Permit only Tomcat (TCP 8443) from Web
• DB Tier Security Group: db-sv-002 – Permit only MySQL (TCP 3306) from App
External Access: Permit only SSH, HTTP, HTTPS from Any
Security Automation: Automating and Scaling Security with vRA - Example
[Figure: Clinicians on VDI Desktops (NSX Security Group - VDI) reach Hyperspace Web Servers (HSW, NSX Security Group - HSW); as additional HSW servers are provisioned they are placed in the same HSW security group]
Key Takeaways: The Road to Micro-segmentation with VMware NSX
• NSX Micro-Segmentation enables a Zero-Trust architecture
• Choosing an appropriate policy and grouping methodology is critical
• Application discovery is key to determining the appropriate rules in a Zero-Trust model
• NSX Application Rule Manager and vRealize Network Insight enable a quick road to Micro-Segmenting your applications
• vRealize Automation delivers NSX micro-segmentation in a fully automated environment.