kevin-groat
“NSX will transform what’s possible for our IT team in terms of network and security operations.”
NSX is the future
This is YOUR opportunity to be the thought leader for your customers.
NSX is the network virtualization platform for the SDDC, transforming data center networking and making a new level of security possible.
OSI Layers & Platforms (vCNS and NSX)
1 Physical
2 Datalink
3 Network
4 Transport
5 Session
6 Presentation
7 Application
NSX is the Future
Legacy Computing Model
Zoning (dpar / lpar)
Sun Solaris
Sun Sparc
Vendor-specific HW (Sun e10K)
Any Applications
Legacy Networking Model
Proprietary Features
Platform-dependent NOS
Custom ASIC
Vendor-specific HW
Any Applications
NSX is the Future
Diagram: vSwitch, OS, Hypervisor
Network & Security Services Now in the Hypervisor
L2 Switching
L3 Routing
Firewalling/ACLs
Load Balancing
Next Gen Networking Model
Virtual Machines
Virtual Networks
Virtual Storage
Data Center Virtualization
Location Independence
Software / Hardware
Pooled compute, network and storage capacity; Vendor independent, best price/perf; Simplified config and mgt.
Compute Capacity, Network Capacity, Storage Capacity
Software
Any Applications
Data center micro-segmentation becomes operationally feasible
East / West is now reality.
This is the future of data center networking and security
Micro-Segmentation
Self-Service IT
NSX Across Data Centers
Automated Policy Mgt & Operations, Distributed Enforcement; Kernel-based Performance, Distributed Scale-out Capacity (20 Gbps/host)
Distributed Firewalling
Diagram: five hosts, each with a firewall in its own hypervisor serving that host's VMs
Traditional Firewall Rule Mgt & Operations: Physical Firewalls (2 – 100 Gbps)
Traditional Firewall Rule Mgt & Operations: Virtual Firewalls (1 – 3 Gbps)
There is a BIG difference…
Why NSX for MicroSegmentation?
Hypervisor-based, in kernel distributed firewalling
• High throughput rates on a per hypervisor basis
• Every hypervisor adds additional east-west firewalling capacity
• Native feature of the VMware NSX platform
Platform-based automation
• Automated provisioning and workload adds/moves/changes
• Accurate firewall policies follow workloads as they move
• Centralized management of single logical, distributed firewall
Diagram: NSX vSwitch in the hypervisor with its VMs
So how do we fix this problem?
#1. Assume everything is a threat: “Zero Trust Security”
#2. Security Design Principle: Micro-segmentation
1 Isolation and segmentation: Ensure all resources are accessed securely regardless of location.
2 Unit-level trust / least privilege: Adopt a least privilege strategy and strictly enforce access control.
3 Ubiquity and centralized control: Inspect and log all traffic.
So how do we fix this problem?
• Each VM can now be its own perimeter
• Policies align with logical groups
• Prevents threats from spreading
Segmentation simplifies network security
Diagram: a perimeter firewall in front of the DMZ, App, Services (AD, NTP, DHCP, DNS, CERT) and DB zones; an inside firewall separates the Finance, Engineering and HR VM groups and the VDI desktops
Secure Micro-Segmentation with NSX
Logical Switching
Web Tier
App Tier
DB Tier
Distributed Firewalling
Micro-Segmentation Deployment Examples
Diagram (NSX Data Center behind a perimeter firewall): HR Group with DMZ/Web, App and DB VMs; Finance Group with DMZ/Web, App and DB VMs; Services/Management Group with Services and Mgmt VMs
Network Segmentation
DMZ
Multi-Tenancy with Adv. Service Isolation (Tenant 1, Tenant 2)
Scale
100,000 Virtual Machines
30,000 Virtual Networks
vSphere 5.5 vCenter limits: 1,000 hosts, 15,000 VMs (registered), 10,000 VMs (concurrent), 10,000 networks
Diagram: three NSX Controllers
Today’s VDI Security Challenges
A converged infrastructure means virtual desktops run on the same infrastructure as servers…
Bringing desktops into the data center opens up new risks for attack.
And a matrix of policies is needed on centralized, choke-point firewalls for the correct security posture.
VDI to VDI: Desktop-to-desktop hacking inside the DC
VDI to VM: Desktop-to-server hacking inside the DC
Diagram: VDI desktops alongside Finance, HR and Engineering servers
Solving VDI Security with NSX Micro-Segmentation
Diagram: Virtual Desktops, Enterprise Applications and Shared Infrastructure VMs on the same hosts
Firewall based on Logical Grouping
BENEFITS
Distributed Firewall provides Isolation & Segmentation
3rd Party Integration for AV, IPS/IDS, NGFW, etc.
Programmable & Automated Application of Networking & Security
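The two slides above (each VM its own perimeter with policies aligned to logical groups, and the VDI case where desktop-to-desktop and desktop-to-server flows must be blocked) describe a rule model rather than show one. The following Python is an added example, not code from this deck or from VMware: workloads carry logical-group tags (tenant and tier) instead of being identified by IP or VLAN, an ordered rule set with a final default deny is evaluated for every flow, every decision is logged, and a breadth-first walk over the allowed flows computes how far a compromised workload could spread, both on a flat network and under the segmented policy. All workload names, groups and ports are constructed for the example.

```python
"""Added example: a group-based micro-segmentation policy model (constructed data)."""
from collections import deque
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Workload:
    name: str
    tenant: str  # logical group: "Finance", "HR" or "Shared"
    tier: str    # logical group: "Web", "App", "DB", "VDI" or "Services"


@dataclass(frozen=True)
class Rule:
    name: str
    src_tier: str         # tier tag or "any"
    dst_tier: str         # tier tag or "any"
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"

    def matches(self, src: Workload, dst: Workload, dport: int) -> bool:
        return (self.src_tier in ("any", src.tier)
                and self.dst_tier in ("any", dst.tier)
                and self.dport in (None, dport))


# Constructed inventory (hypothetical workload names).
INVENTORY = {w.name: w for w in [
    Workload("fin-web-01", "Finance", "Web"),
    Workload("fin-app-01", "Finance", "App"),
    Workload("fin-db-01", "Finance", "DB"),
    Workload("hr-web-01", "HR", "Web"),
    Workload("hr-db-01", "HR", "DB"),
    Workload("vdi-alice", "Shared", "VDI"),
    Workload("vdi-bob", "Shared", "VDI"),
    Workload("dns-01", "Shared", "Services"),
]}

# Ordered rule set: first match wins, and the last rule is the default deny.
# There is deliberately no VDI-to-VDI and no Web-to-DB rule, so those flows
# fall through to the deny.
POLICY = [
    Rule("infra-dns", "any", "Services", 53, "allow"),
    Rule("web-to-app", "Web", "App", 8443, "allow"),
    Rule("app-to-db", "App", "DB", 5432, "allow"),
    Rule("desktop-to-web", "VDI", "Web", 443, "allow"),
    Rule("default-deny", "any", "any", None, "deny"),
]

# The "before" picture: a flat internal network with only a perimeter firewall.
FLAT_POLICY = [Rule("flat-allow-any", "any", "any", None, "allow")]


def evaluate(src_name: str, dst_name: str, dport: int,
             policy: List[Rule] = POLICY, isolate_tenants: bool = True,
             log: Optional[List[str]] = None) -> Tuple[str, str]:
    """Return (action, rule_name) for one flow and append a log line if asked."""
    src, dst = INVENTORY[src_name], INVENTORY[dst_name]
    # Group isolation: tenants never talk to each other directly; only the
    # Shared group (desktops, infrastructure services) crosses tenant lines.
    if (isolate_tenants and src.tenant != dst.tenant
            and "Shared" not in (src.tenant, dst.tenant)):
        decision = ("deny", "tenant-isolation")
    else:
        decision = next((r.action, r.name) for r in policy if r.matches(src, dst, dport))
    if log is not None:
        log.append(f"{src_name} -> {dst_name}:{dport} {decision[0]} ({decision[1]})")
    return decision


def reachable(start: str, ports=(53, 443, 5432, 8443),
              policy: List[Rule] = POLICY, isolate_tenants: bool = True) -> List[str]:
    """Blast radius: workloads a compromised `start` could reach over allowed flows."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for name in INVENTORY:
            if name not in seen and any(
                    evaluate(cur, name, p, policy, isolate_tenants)[0] == "allow"
                    for p in ports):
                seen.add(name)
                queue.append(name)
    seen.discard(start)
    return sorted(seen)


if __name__ == "__main__":
    log: List[str] = []
    for flow in [("fin-web-01", "fin-app-01", 8443), ("fin-web-01", "fin-db-01", 5432),
                 ("vdi-alice", "vdi-bob", 22), ("hr-web-01", "fin-app-01", 8443)]:
        evaluate(*flow, log=log)
    print("\n".join(log))
    print("flat network, compromised desktop reaches:",
          reachable("vdi-alice", policy=FLAT_POLICY, isolate_tenants=False))
    print("micro-segmented, compromised desktop reaches:", reachable("vdi-alice"))
```

The `reachable` walk is the check a practitioner wants before and after a policy change: on the flat policy a single compromised desktop reaches every other workload, while under the segmented policy it reaches only the Web tiers, the DNS service and, through the Web tier, the Finance App and DB tiers; the other desktop and the HR database are unreachable because no rule allows those flows. Rules match on group tags, so a VM that moves hosts or changes IP keeps the same policy.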
Self-Service IT with VMware NSX
Diagram: NSX vSwitch in each hypervisor (four hosts shown), managed from a Cloud Management Platform
Logical Switching
Logical Routing
Load Balancing
Physical to Virtual
Firewalling & Security
More to vCloud Air
The updated iteration of vCloud Air will now include NSX capabilities!
NSX for Data Center Multi-Site Extensions
L2 Extensions
Diagram: NSX in Data Center 1 and Data Center 2, Logical Switch Extension over L2 VPN, extending to vCloud Air
Software-based solution with support for Logical Switching, Distributed Routing, Distributed Firewall
NSX for Data Center Multi-Site Extensions
Diagram: NSX in Data Center 1 and Data Center 2
SRM-based Disaster Recovery
No Re-IPing, Instantaneous Availability of Apps upon Disaster; Failover of Logical Switching, Routing & Firewall Rules
Visibility with vRealize Operations Manager
Thank you
@kgroat