
NET3305-S
Virtualize your Network with VMware NSX
Martin Casado, VMware, Inc

Disclaimer

This presentation may contain product features that are currently under development. This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.

Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.

Technical feasibility and market demand will affect final delivery. Pricing and packaging for any new technologies or features discussed or presented have not been determined.

CONFIDENTIAL

Guidance from Giants

Traditional Data Center
  Application: Any Application
  Network: L2/L3 or Proprietary Network
  Functions: Security, Fault Isolation, Service Chaining, Discovery, Load balancing
  Opex/Capex = $$$$
  Innovation = HW design cycle

Modern SaaS Data Center
  Application: Custom Application
  Network: IP Network
  Functions: Security, Fault Isolation, Service Chaining, Discovery, Load balancing
  Opex/Capex = $
  Innovation = SW design cycle

What is VMware NSX?

[diagram, built up over several slides; only the label "Internet" survives extraction]

VMware NSX Momentum: Customers

4 of 5 top investment banks
Leading global enterprises & service providers

Three Reasons Companies Virtualize Their Network

Speed: On Demand Apps and Services
Economics: Opex Efficiency & Capex Cost Savings
Security: Re-Architect Datacenter

Security

Security Use Case: A Picture of Diminishing Returns

The only thing outpacing security spend is security losses

[chart, 2010 to 2013: IT Spend, Security Spend, Security Breaches]

A Modern Attack / A Modern Kill Chain

The modern kill chain is highly targeted, interactive, and stealthy.

1 PREP: Malware/attack vectors tested against known signatures & are often VM-aware
  Human Recon
  Attack Vector R&D
  Primary Attack

2 INTRUSION: Leverage endpoints that circumvent perimeter controls
  Compromise Primary Entry Point (Phishing, Waterholes, etc.)
  Install Command & Control (C2) I/F
  (Strain A: Active; Strain B: Dormant)

3 RECON: Leverage hyper-connected computing base, accessible topology info & shared components
  Escalate Privileges on Primary Entry Point
  Lateral Movement
  Install C2 I/F, Wipe Tracks, Escalate Privileges
  (Strain A: Active; Strain B: Dormant; Strain C: Dormant)

4 RECOVERY: Sensor, alerts and logs easily accessible
  Attack Identified -> Response
  Wake Up & Modify Next Dormant Strain
  (Strain B: Active; Strain C: Dormant)

5 ACT ON INTENT: Exploit weak visibility and limited internal control points
  Break into Data Stores
  Parcel & Obfuscate

6 EXFILTRATION
  Exfiltrate
  Cleanup

Why it works:
  Perimeter-Centric: 80% of resources focused on preventing intrusion
  Limited visibility and control inside the datacenter to detect and respond to attacks

Micro-Segmentation with NSX


Problem: Data Center Network Security

Perimeter-centric network security has proven insufficient, and micro-segmentation is operationally infeasible.

Insufficient: little or no lateral controls inside the perimeter
Operationally Infeasible: [diagram]

Using Network Virtualization For Micro-Segmentation

[diagram, built up over several slides: Cloud Management Platform, Security Policy, Internet, Perimeter Firewalls]

Looking Into the Future

The Goldilocks Zone
[diagram: Too Hot / Too Cold]

Trading Off Context and Isolation

Traditional Approach versus Software Defined Data Center (SDDC)

High Context, Low Isolation
versus
High Isolation, Low Context

No Ubiquitous Enforcement

[diagram, SDDC platform stack: Any Application / SDDC Platform / Data Center Virtualization / Any x86, Any Storage, Any IP network]

Delivering Both Context and Isolation

Software Defined Data Center (SDDC) with Secure Host Introspection

High Context
High Isolation
Ubiquitous Enforcement

[diagram, SDDC platform stack: Any Application / SDDC Platform / Data Center Virtualization / Any x86, Any Storage, Any IP network]

Broad Impact Across Many Security Verticals

Vulnerability Management
  Gain previously impossible vulnerability intelligence based on application purpose, data class and user roles to drive rich, policy-driven response, including in-place quarantine.

Malware Protection
  Real-time, dynamic threat response that follows applications as they migrate between hosts, data centers and cloud environments.

Network Protection
  Leverages the platform to move IPS features from a dedicated edge function to distributed enforcement with rich, policy-driven response, including in-place quarantine.

Thank You
