Page 1: Limit Your Cyber Attack Footprint with Endpoint Security and Micro-Segmentation from VMware NSX and AirWatch

Martin Kniffin, Product Manager, VMware
Kausum Kumar, Senior Product Manager, NSX, VMware
Terry Chatman, Information Systems Specialist, Vallejo Sanitation

SIE3196BU

#VMworld #SIE3196BU

VMworld 2017 Content: Not for publication or distribution

Page 2: Disclaimer

• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.

#SIE3196BU CONFIDENTIAL 2

Page 3: Agenda

1 VMware for Security
2 Introducing Workspace One & AirWatch
3 Integration of AirWatch and NSX
4 Customer Deployment Story

Page 4: Why VMware for Security

Page 5: Strategic IT Priorities

Modernize Data Center
Integrate Public Clouds
Empower Digital Workspace
Transform Security

Business Outcomes: Digital Transformation; Business Agility & Innovation; Exceptional Mobile Experiences; Protect Brand & Customer Trust

Page 6: Key Security Objectives to Address

Maintain Security & Compliance
Trust Any User
Secure Any Application
Manage Any Endpoint
Protect Data Center
Detect Cyber Threats

Integrated and Seamless End-to-End Security

Page 7: VMware Vision to Transform Security

A ubiquitous software layer across application infrastructure and endpoints: On-Premise Data Centers, New app frameworks, Mobile Devices, Virtual Desktops (VDI), Branch offices, Public clouds, vCloud Air Network

Page 8: …This Means Security Is Everywhere

Ubiquitous software layer: Visibility, Policy, Service Insertion, Context

Page 9: Workspace ONE

Page 10: Workspace ONE

Internally developed mobile apps
Native public mobile apps
SaaS apps
Internal web apps
Modern Windows apps
Legacy Windows apps
Virtualized management desktops

Page 11: VMware AirWatch

Any Endpoint, Any Use Case
Knowledge worker: Corporate | BYO
Task worker: Line of Business
No user: Kiosk | IOT

Modern Management Framework
Out of box configuration
Policies and security settings
Over-the-air management and updates
Asset tracking
Full lifecycle management

Page 12: AirWatch Application Security

Application Wrapping: add security and management capability to already-developed applications
Software Development Kit (SDK): add advanced security and management capabilities during development
Standard for enterprise apps to interpret configurations and policies
Native O/S MAM via Workspace Services Profile
Stand Alone MAM via App Container

Page 13: Per-App VPN

• seamless user experience with minimal interaction
• simplified and automatic certificate management via WS1
• per-app versus whole-device model
• licensing included with WS1
• streamlined maintenance

Page 14: VMware Tunnel – Enhanced Network Security

• App-level, enhanced security: TLS v1.2, SSL Pinning, Compliance Validation
• Multiple factors of authentication: Application, User, Device
• Certificate Authentication

Page 15: Any App, Any Device

Diagram labels: Enterprise Systems, VMware Tunnel

Page 16: Device Restriction > App Restriction > Domain Restriction > Network Restriction

Page 17: VMware NSX

Page 18: Personalized DMZ

DMZ-like security tailored for any endpoint & any application

Page 19: AirWatch & NSX Integration

VMware AirWatch and NSX integration extends security beyond your mobile device and into the datacenter by integrating identity, application, and enterprise mobility management with micro-segmentation.

Page 20: NSX Value Proposition

The network virtualization solution for the Software-Defined Data Center: network and security services now in the hypervisor.

Diagram labels: “Network platform”; Virtual networks; Network, storage, compute; Virtualization layer; VM and APP boxes

Page 21: Micro-Segmentation

A firewall for every workload.
Granular Policy Enforcement: enables a zero trust security model with policy enforced at every workload.

Diagram labels: Web, App and DB tiers, each made up of VMs

Page 22: Introducing the AirWatch & NSX Integration

Page 23: AirWatch & NSX Integration

Data center security for mobile workflows

Access models shown: Device Level VPN (Full Network Access); App Level VPN (Select Network Access); App Level VPN (Full Network Access)
Building blocks: EMM Data Center Policies; Intelligent Networking; Micro Segmentation

Page 24: Who Can Use VMware AirWatch and NSX Integration?

Workspace ONE: Advanced & Enterprise
AirWatch: Blue & Yellow
NSX: Advanced & Enterprise

Page 25: Integrated Solution Components

• VMware AirWatch 8.3+
– AirWatch Tunnel Server
– AirWatch Cloud Connector (For SaaS Customers)
• VMware NSX 6.2.x or 6.3.x
– NSX Manager
– NSX Distributed Firewall
– NSX Edge Services Gateway (Optional)

Note: vSphere hypervisor required for NSX

Page 26: Device Support

Per-App VPN APIs built into these platforms: iOS 7+, Android 5.0+, Windows 10

Page 27: Application Support

Public, Internal, Built In, Proprietary

Page 28: Mobile Apps Accessing the Datacenter

Diagram: zones Internet | DMZ | Intranet, separated by a Perimeter Firewall and an Internet Firewall; an App-Level VPN with Full Network Access reaches the Corporate Data Centre Apps (App1 Servers, App2 Servers, App3 Servers) on Port: 8443.

How do I create an App specific “Personal DMZ” in here?

Page 29: NSX Micro-segmentation

NSX secures East-West communication of the App.

Diagram: the same Internet | DMZ zones, Perimeter Firewall, Internet Firewall and App-Level VPN with Full Network Access on Port: 8443, with the Corporate Data Centre Apps placed in Security Groups “App1”, “App2” and “App3” behind the NSX Distributed Firewall.

Page 30: Personal DMZ: Securing access to an application from a mobile device

Diagram (steps 1 to 6): Perimeter Firewall, Internet Firewall, VMware Tunnel Server on 10.1.1.0/24; Security Groups “Proxy”, “Intranet”, “Sensitive Data” and “Chrome-App”; Security Group “Chrome-App” is defined by “@airwatch” in description and IP Set “Chrome-App” {10.1.1.8/30}; the “Chrome” App VPN leaves the tunnel with Source = 10.1.1.9; NSX Manager; Security Policy applied to SG “Chrome-App”; an X marks a blocked path.

Page 31: Personal DMZ: High Availability

Diagram: as on page 30, with two tunnel servers (Airwatch Tunnel Server A and Server B, each x 50,000*; * 4 CPU Cores, 16GB RAM) behind an NSX Edge LB (SSL Pass-through, Sticky Session); Chrome App VPN Source = 10.1.1.9 and Source = 10.1.1.10 on 10.1.1.0/24; Security Groups “Proxy”, “Intranet”, “Sensitive Data” and “Chrome-App” (“@airwatch” in description, IP Set “Chrome-App” {10.1.1.8/30}); Security Policy; Perimeter Firewall, Internet Firewall.

Page 32: Personal DMZ: High Availability and Multiple Apps

Diagram: as on page 31, adding a second application. “Chrome” App VPN Source = 10.1.1.9 and 10.1.1.10, Security Group “Chrome-App” (“@airwatch” in description, IP Set “Chrome-App” {10.1.1.8/30}); “Oracle” App VPN Source = 10.1.1.13 and 10.1.1.14, Security Group “Oracle-App” (“@airwatch” in description, IP Set “Oracle-App” {10.1.1.12/30}); Security Groups “Proxy”, “Intranet”, “Sensitive Data”; Airwatch Tunnel Server A and Server B (each x 50,000*; * 4 CPU Cores, 16GB RAM) on 10.1.1.0/24 behind an NSX Edge LB (SSL Pass-through, Sticky Session); Perimeter Firewall, Internet Firewall; an X marks a blocked path for SG “Oracle-App”.
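The policy on pages 29 to 32 is only sketched in the diagrams, so the following Python (an added example, not VMware code or an NSX API) models how the per-app VPN source address, the IP Set, the Security Group membership criteria and first-match Distributed Firewall rules combine so that the Chrome app reaches only its tier. The 10.1.1.x addresses, the /30 IP Sets, port 8443 and the “@airwatch” description criterion come from the slides; the VM inventory, the destination subnets, the “Oracle-Servers” group and port 1521 are constructed assumptions.

```python
"""Toy model of the 'Personal DMZ' on pages 30-32: per-app VPN traffic leaves the VMware
Tunnel from a fixed source IP, an NSX IP Set maps that IP into a Security Group, and
DFW rules scope the group to one application tier. Added example, not VMware code."""
import ipaddress
from dataclasses import dataclass, field

# Constructed VM inventory: ip -> (name, description). The tunnel servers carry
# "@airwatch" in their description, the dynamic-membership criterion on the slides.
INVENTORY = {
    "10.1.1.2": ("tunnel-a", "VMware Tunnel A @airwatch"),
    "10.1.1.3": ("tunnel-b", "VMware Tunnel B @airwatch"),
    "10.2.0.10": ("intranet-web", "intranet portal"),
    "10.3.0.10": ("oracle-db", "oracle listener"),
    "10.4.0.10": ("hr-files", "sensitive data share"),
}

@dataclass
class SecurityGroup:
    name: str
    ip_sets: list = field(default_factory=list)  # static members: CIDR strings
    description_tag: str = ""  # dynamic members: VMs whose description contains the tag

    def contains(self, ip):
        addr = ipaddress.ip_address(ip)
        if any(addr in ipaddress.ip_network(cidr) for cidr in self.ip_sets):
            return True
        desc = INVENTORY.get(ip, ("", ""))[1]
        return bool(self.description_tag) and self.description_tag in desc

@dataclass
class Rule:
    src: str     # Security Group name, or "any"
    dst: str
    port: int    # 0 = any port
    action: str  # "allow" or "block"

class DistributedFirewall:
    """First-match evaluation of DFW rules with an implicit default block."""
    def __init__(self, groups, rules):
        self.groups = {g.name: g for g in groups}
        self.rules = rules

    def _member(self, group, ip):
        return group == "any" or self.groups[group].contains(ip)

    def decide(self, src_ip, dst_ip, port):
        for r in self.rules:
            if self._member(r.src, src_ip) and self._member(r.dst, dst_ip) and r.port in (0, port):
                return r.action
        return "block"

GROUPS = [
    SecurityGroup("Proxy", description_tag="@airwatch"),
    SecurityGroup("Chrome-App", ip_sets=["10.1.1.8/30"]),   # Chrome App VPN egress .9 / .10
    SecurityGroup("Oracle-App", ip_sets=["10.1.1.12/30"]),  # Oracle App VPN egress .13 / .14
    SecurityGroup("Intranet", ip_sets=["10.2.0.0/24"]),
    SecurityGroup("Oracle-Servers", ip_sets=["10.3.0.0/24"]),
    SecurityGroup("Sensitive Data", ip_sets=["10.4.0.0/24"]),
]
RULES = [
    Rule("Chrome-App", "Intranet", 8443, "allow"),        # port 8443 as on the slides
    Rule("Oracle-App", "Oracle-Servers", 1521, "allow"),  # constructed Oracle tier
    Rule("any", "Sensitive Data", 0, "block"),            # no tunnel path to sensitive data
]
DFW = DistributedFirewall(GROUPS, RULES)

def check_flow(src_ip, dst_ip, port):
    """Verdict for one flow from a tunnel egress address into the data centre."""
    return DFW.decide(src_ip, dst_ip, port)

def members(group_name):
    """Inventory VMs that currently fall into a Security Group."""
    group = DFW.groups[group_name]
    return sorted(name for ip, (name, _) in INVENTORY.items() if group.contains(ip))

if __name__ == "__main__":
    for flow in [("10.1.1.9", "10.2.0.10", 8443), ("10.1.1.9", "10.4.0.10", 8443),
                 ("10.1.1.13", "10.3.0.10", 1521), ("10.1.1.20", "10.2.0.10", 8443)]:
        print(flow, "->", check_flow(*flow))
    print("Proxy members:", members("Proxy"))
```

An address on the tunnel subnet that falls in no app IP Set (10.1.1.20 above) matches no rule and is blocked by default, which is what turns a full-network-access VPN into a per-app DMZ.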

Page 33: NSX and AirWatch Integration

Stateful DFW: Distributed Segmentation with Network Overlay Isolation

Diagram labels: NSX Manager; NSX for AirWatch Admin Console; VMware Enterprise Systems Connector; Security Groups SG1, SG2, SG3 and SG4 (STOP: Controlled Communication); NSX Edge; Distributed Logical Router; Policy; Logical Switch, Logical Switch; VLAN-backed DVS; Transit Network; NSX Edge (LB, SSL Pass-through, sticky session); VMware Tunnel, VMware Tunnel; Datacenter

Page 34: NSX Administration

Page 35: Syncing Security Groups in AirWatch

Page 36: Mapping Mobile Apps to Security Groups in AirWatch

Page 37: VMware AirWatch & NSX Policies

Advanced security between an AirWatch-managed device and the NSX micro-segmented cloud data center

Page 38: Demo Video


Page 40: Real World Use Cases and Customer Example

Page 41: Real World Use Cases: End-to-End Security for the Digital Workspace

Healthcare: Simplify mobile security access and control for clinician mobility (Data Center Security for Mobile Workflows)
Government: Remove hurdles for supporting access to enterprise mobile apps (Accelerate BYOD Deployments)
Retail: Treat all mobile users and applications as insecure inside the datacenter (Policy Defined Network Access for Mobile)
Finance: Limit access to corporate data if user, device, app or network is compromised (Limit EMM Footprint Inside Datacenter)

Page 42: Vallejo Sanitation Success Story

Terry Chatman, Information Systems, Vallejo Sanitation and Flood Control District

Page 43: Vallejo’s Solution Components

• VMware NSX 6.2.0
– NSX Manager
– NSX Distributed Firewall
– NSX Edge Services Gateway (Optional)
• VMware Horizon 6.2.1
• VMware 5.5
• VMware AirWatch 8.3+
– AirWatch Tunnel Server
– AirWatch Cloud Connector (For SaaS Customers)
• Palo Alto Networks
– HV-1000-VM 7.19
– Panorama 8.0
– PAN-OS 7.18
– Palo Alto Traps

Page 44: Who Are We and How Did We Get There?

• Located near San Francisco
• Serve 120,000 residents
• 84 employees at the District
• Manage over 300 devices in the core network
• 8 physical hosts, 4 with VDI acceleration
• 150 virtual machines and templates
• Energy savings around $50k a year after moving to 97% virtualization
• Cut costs without having to buy networking hardware; able to provision in a matter of minutes, not weeks; keep staffing and OT to a minimum level

Page 45: Out with the Old Way of Thinking…

Diagram labels: Corporate Network; APP DMZ; SQL DMZ; ESX HOST, ESX HOST

Page 46: Micro-segmentation

Diagram labels: ESX HOST, ESX HOST

Page 47: (diagram)

Diagram labels: Virtual Machine; Active Server; Virtual Network; Physical Host (x4); Shared Storage; Virtual Machine NSX ESG

Page 48: (diagram)

Diagram labels: AirWatch Blue; RDSH Pool; VMware NSX; VM-1000-HV; Panorama; AirWatch Tunnel

Page 49: Pain Points

• How did we fit NSX into our existing brownfield environment?
• Best practice to obtain a wildcard cert from an outside Certificate Authority; get away from any self-signed certs!
• Use VMware standard ports on vSphere, it will come back and bite you!!
• Obtain the Palo Alto NSX bundle, not separate virtual firewalls
• Migration of previous provider firewall rules into NSX and Palo Alto
• CentOS for AirWatch was a barebones install; you will have to install many components for the AirWatch Tunnel
• Troubleshoot with NSX in mind, don’t get into the Bang-Head-Here scenario!!
• Evaluate the different levels of packages before you purchase; you may need a feature down the road that your platform does not support!!

Page 50: What NSX with Palo Alto Networks Integration Allows Us to Do

Phishing Attempt? Spam! Ransomware? Malware?

Page 51: Learn More & Free Trials

LEARN MORE
VMware AirWatch: www.airwatch.com/
VMware NSX: www.vmware.com/products/nsx/

FREE TRIALS
VMware AirWatch: http://www.airwatch.com/lp/free-trial
VMware NSX: www.vmware.com/products/nsx/nsx-hol
