The Industry is in a Mega Transition
[Figure: the 3rd Platform (cloud, mobile, social, and data analytics), 2015 to 2020; labels: IoT, cloud spending, > $1.7T, > $500B]
• Examples:
[Figure: Traditional Enterprise design: Primary Data Center and Secondary Data Center joined by DCI, each with Fabric, Visibility and Analytics; Network Advisor, Internet, Border, Branch Office, NFV, Campus Switches, WiFi, Automation & Orchestration]
[Figure: data center fabric: Internet, DC Interconnect, Core, WAN Edge, Agg, Super Spine, Spine, Leaf 10G]
Source: https://code.facebook.com/posts/360346274145943/introducing-data-center-fabric-the-next-generation-facebook-data-center-network/
[Figure: Spine, Leaf and Border Leaf with LAG links over Compute and Infrastructure/Management Racks and Edge Racks, 10G]
Same Software
• Topology Agnostic • Layer 2 Fabric TRILL Transport • Embedded Automation • Scale to 48 Switches
• Clos Topology • Layer 3 Fabric IP Transport • Open Automation • Scale to 100’s of Switches
© 2016 BROCADE COMMUNICATIONS SYSTEMS, INC 9
Brocade Data Center Design Stack
Virtualization
• Controller based: VMware NSX, VXLAN
• Controller-less: BGP-EVPN, VXLAN
Automation
• Python, Ansible, Puppet, YANG model, REST, Netconf, OpenStack, VMware vRealize plugins, OpenFlow
Controller-less Overlay
Standards based BGP/EVPN control plane, VXLAN data plane
• RT/RD Import Export Policies supported
• Scale 2000 Tenants/TOR
[Figure: BGP-EVPN Mac/IP exchange between VRFs across the CORE; VCS IP fabrics with Logical Chassis, VTEP Gateway and LAG links; NSX with OVSdb, vCenter and vRealize; Brocade Workflow Composer and Automation & Integration Framework (A&I); labels Today and Future]
Automation & Integration
Value of Integration
[Figure: Network Taps / Span Ports feeding Stream 1 to Stream n into SIEM, SDN Forensics, SDN, IDS / IPS, NPM, APM and IT Management]
[Figure: DC Interconnect between two sites, each with Existing Routers, VDX 6740 VTEP Gateways, EVI and NSX; Multi-hop eBGP Underlay, Private ASN 64201, Mac/IP]
• Controller-less native Ethernet Fabric multi-tenancy solution based on TRILL Fine Grained Labeling
• Controller-based solution from VMware that integrates with Brocade VCS to seamlessly extend VXLAN networks between virtual and non-virtualized assets.
• Controller-less overlay tunnel solution using BGP/EVPN supporting multi-tenancy and VLAN extension
…And With More Experience Than Anyone Else
Think Big, Start Now.
We are so Confident in Our Solution You Can Remove Us Anytime You Want
Huntsville Technology Day
May 10, 2016
Rick Simmons
Director, Federal Software Sales
[Timeline figure, Nov 2012 to Nov 2015: BRCD acquires Vyatta; Platinum Membership; BRCD sets vRouter speed record; BRCD virtualizes ADC services; BRCD wins 2014 NFV Innovator of the Year; BRCD opens Europe Software R&D Technology Offices; BRCD acquisitions: VistaPointe (Analytics), Riverbed SteelApp, Connectem (vEPC); Technology Marketing Corporation]
Why Brocade?
• #2 Datacenter Network Vendor Worldwide
• Software Networking Leadership
• Enterprise, Cloud & NFV
• Open Innovation Architecture
• Large Partners
• Solutions
© 2015 BROCADE COMMUNICATIONS SYSTEMS, INC. INTERNAL USE ONLY
The Brocade vADC Family
A Comprehensive Approach To Application Delivery
• Services Director
• Powerful Programmability
• Hyper-Scale and Performance on Demand
• Legacy Hardware ADC
Apply customized rules to inspect and block attacks against your network
Fed Civilian
[Figure: Customer / User with PIVi Card sends User Requests to a Web Application; Resident Authority (RA)]
Information taken from “Micro-Segmentation: A Better Way to Defend the Data Center”; eWeek, Chris Preimesberger; posted July 28, 2015
Application Micro-Segmentation
Micro-Segmentation using vTM & Web App Firewall – Role Based Access
[Figure: User Requests (typical) from users Darren, Larry and Carol pass through the Web App Firewall and Brocade vADC; Certificate Status Check against the PKI Validation Authority; Identity/Attribute Check against the Identity/Attribute Management Server]
Application Micro-Segmentation
Micro-Segmentation using vTM & Web App Firewall – Group 1 Servers
[Figure: User Requests (typical) pass through the Web App Firewall and Brocade vADC; Certificate Status Check against the PKI Validation Authority; Identity/Attribute Check against the Identity/Attribute Management Server; users are steered to Group 1, Group 2 or Group 3 Servers. Legend: Red User, Green User, Purple User]
Application Micro-Segmentation
• Public Key Infrastructure
• Brocade Virtual Traffic Manager
• Brocade Web App Firewall
Scottie Ray
@H20nly
sray@vmware.com
Staff Systems Engineer
VMware Network & Security Team
Public Sector
© 2014 VMware Inc. All rights reserved.
The Paradigm in the Domain of CYBER
“In physical space, the reconnaissance is almost always easier than the operation…in the CYBER domain, the reconnaissance is usually a more difficult task than the follow on operation…it is tougher to penetrate a network and live on it undetected while extracting large volumes of data from it than it is to ‘digitally speaking’ kick in the front door and fry a circuit or two. ….An attack on a network to degrade it or destroy information on it is generally a lesser included case of the technology and operational art needed to spy on that same network.”
CONFIDENTIAL 2
Trading Off Context and Isolation
[Figure: Traditional Approach versus Software Defined Data Center (SDDC): High Context, Low Isolation, No Ubiquitous Enforcement; SDDC Platform with Data Center Virtualization over Any Application, Any x86, Any Storage]
The M&M Approach to Security
But Micro-Segmentation has NOT been Operationally Feasible
[Figure: WAN with “X” firewalls vs “X” + “1000” workloads]
Directing all traffic (virtual + physical) through chokepoint firewalls is inefficient. And a physical firewall per workload is cost prohibitive.
SDDC Virtualization Layer – Delivers Both Context and Isolation
[Figure: SDDC virtualization layer over Any x86, Any Storage, Any IP network]
Taking a Step Towards “Zero-Trust”
[Figure: Traditional Data Center: a perimeter firewall in front of DB, Services and Mgmt sharing one DB VLAN; NSX Data Center: perimeter firewall plus a group per mission (Mission-A, Mission-B), each with its own DB and Services/Management]
The Beginning of Policy Shifts….again
The committee is aware that the Department of Defense is looking at modifying the way it builds, maintains, and upgrades data center, including increased use of commercial cloud capabilities and public-private partnerships. The committee is aware that as the Department increasingly looks at software-defined networking, it could potentially reduce the mobility of cyber threats across data center and other networks by increasing the compartmentalization and segmentation between systems, and providing a mix of security techniques to enable access to those compartments. Such actions have the potential to lessen the chance of a widespread or catastrophic breach, including breaches caused by insider threats. The committee encourages the Department to explore ways to use compartmentalization or segmentation as part of a software-defined networking approach in order to increase the security of its networks.
Security Groups & Security Policies
Designated Consumers & Cloud Admins are able to select pre-defined security policies already approved by the Security Admin in NSX.
Security policies are applied to one or more security groups where workloads are members.
These security groups are created on-demand by vRA at deployment time.
SECURITY POLICY (HOW you want to protect it): Services (Firewall, antivirus, IPS etc.) and Profiles (labels representing specific acceptable use policies)
SECURITY GROUP (WHAT you want to protect): Members (VM, vNIC) and Context (user identity, security posture)
Example “Standard Web” policy: Firewall – allow inbound HTTP/S, allow outbound ANY; IPS – prevent DOS attacks, enforce acceptable use policies
Programmatic Approach to Security: An Example
NSX Security Tags can be used to define IF/THEN workflows for security services, e.g. IF user selects a “Mission A” application, THEN place the VM in the “Mission A” security group.
[Figure: Service Catalog (APPS) over INFRASTRUCTURE]
Step 4: VM is automatically deployed with its Security Tag SG=Mission A (WHAT you want to protect)
Step 5: VM is dynamically assigned to the relevant pre-defined Security Group
Security Groups & Tags assigned to a VM - Workload-Centric View
[Figure: Virtual Machine with its assigned Security Groups and Tags]
Combining Organic Capabilities with Best of Breed
[Figure: External Network]
Workload-Centric View: All Security Policies Applied to a VM
Automated Security in a Software Defined Data Center
Quarantine Vulnerable Systems until Remediated
Security Group = Quarantine Zone
Members = {Tag = ‘ANTI_VIRUS.VirusFound’, L2 Isolated Network}
Security Group = Web Tier
Policy Definition
Quarantined VM Policy
• Firewall – Block all except security tools
• Anti-Virus – Scan and remediate
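As an added illustration (not VMware's or NSX's own code) of the tag-driven workflow on the two slides above: the catalog choice becomes a security tag, group membership is evaluated from the tags, and the ‘ANTI_VIRUS.VirusFound’ tag puts the quarantine policy ahead of the tier policy until remediation clears it. Group names, tags and rule texts are taken from the slides; the precedence logic and the helper names are assumptions of this example.

```python
# Added example, not VMware's code: tag-driven security group membership and
# the effective policy of one VM. Group names, tags and rule texts are from the
# slides; the evaluation and precedence logic is an assumption of this example.

QUARANTINE_TAG = "ANTI_VIRUS.VirusFound"

# Security groups (WHAT to protect): membership is a predicate over the VM's tags
GROUPS = {
    "Quarantine Zone": lambda tags: QUARANTINE_TAG in tags,
    "Web Tier": lambda tags: "SG=Web" in tags,
    "Mission A": lambda tags: "SG=Mission A" in tags,
}

# Security policies (HOW to protect it): (weight, rules) per group; the lowest
# weight is applied first, so quarantine shadows the tier policy while tagged
POLICIES = {
    "Quarantine Zone": (0, [("Firewall", "allow", "security tools only"),
                            ("Firewall", "block", "any"),
                            ("Anti-Virus", "scan", "remediate")]),
    "Web Tier": (10, [("Firewall", "allow", "inbound HTTP/S"),
                      ("Firewall", "allow", "outbound ANY"),
                      ("IPS", "prevent", "DoS attacks")]),
}

def deploy_tags(catalog_choice):
    """Step 4: the catalog choice becomes the VM's security tag (IF/THEN)."""
    return {"SG=" + catalog_choice}

def groups_for(tags):
    """Step 5: groups are evaluated dynamically from the current tags."""
    return [g for g, member in GROUPS.items() if member(tags)]

def effective_policy(tags):
    """Firewall rules in precedence order (a 'block any' ends the list, later
    firewall rules are unreachable) plus every other service that applies."""
    firewall, services, blocked = [], [], False
    applicable = [g for g in groups_for(tags) if g in POLICIES]
    for group in sorted(applicable, key=lambda g: POLICIES[g][0]):
        for service, action, target in POLICIES[group][1]:
            if service != "Firewall":
                services.append((service, action, target))
            elif not blocked:
                firewall.append((action, target))
                blocked = (action, target) == ("block", "any")
    return {"firewall": firewall, "services": services}

def remediate(tags):
    """Anti-virus clears the finding: the VM leaves quarantine automatically."""
    return tags - {QUARANTINE_TAG}
```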
Understanding SDDC Network Virtualization
The Operational Model of a VM for the Networking
[Figure: Native Isolation: two logical networks reusing the same addresses 192.168.2.10 and 192.168.2.11 behind the Internet]
Support for Physical Workloads and VLANs
NSX with a Cloud Management Platform
Dynamic Configuration and Deployment of Logical Network & Security Services
[Figure: Cloud Management Platform with a Multi-Machine Blueprint, Network Profiles and Resource Reservation deploying Web, App and Database VMs onto a Logical Switch, Logical Router and Logical Firewall]
Thank you