06 - CIGRAS 2018 - Esteban Prieto - Seguridad de DC Con Microsegmentacion NSX
Esteban Prieto
Senior Systems Engineer
© 2015 VMware Inc. All rights reserved.
How do you:
Move as fast as the business needs, while serving a changing and growing environment, without having to start over?
You need a new approach to networking and security that gives you:
The agility and speed you need to support your business, while providing a more secure infrastructure.
The Software Defined Data Center
Traditional network provisioning
The same vPC pair is configured by hand, one device at a time (NX-OS-style CLI as shown on the slide; `...` marks lines elided on the slide):

Switch A
interface e2/5
  ip address 192.168.1.2/24
  vrf member vpc-keepalive
vpc domain 1
  peer-keepalive destination 192.168.1.1 source 192.168.1.2 vrf vpc-keepalive
interface port-channel 1000
  switchport mode trunk
  vpc peer-link
interface e2/1-2
  switchport mode trunk
  channel-group 1000 mode active
interface e2/3
  switchport mode trunk
  channel-group 1 mode active
interface port-channel1
  vpc 1

Switch B
interface e1/5
  ip address 192.168.1.1/24
  vrf member vpc-keepalive
vpc domain 1
  peer-keepalive destination 192.168.1.2 source 192.168.1.1 vrf vpc-keepalive
interface port-channel 1000
  switchport mode trunk
  ...
  vpc peer-link
interface e1/1-2
  switchport mode trunk
  channel-group 1000 mode active
interface e1/3
  switchport mode trunk
  channel-group 1 mode active
interface port-channel1
  vpc 1
...

Slide callouts: non-centralized configuration; human error.
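As an added example (not VMware's or Cisco's code), the following Python script checks for the kind of inconsistency the slide's callouts warn about: it parses two hand-entered vPC peer configurations, modelled on the snippet above, and reports the parameters that must agree between the peers. The two configurations are constructed here, and the keepalive source address on switch B is deliberately mistyped so the check has something to catch.

```python
"""Consistency check for a hand-configured vPC pair (illustrative; added example,
not vendor code).  The failure mode: each peer is configured separately, so a
one-character typo on one box silently breaks the pair."""
import re

# Constructed from the slide's snippet; switch A is correct.
SWITCH_A = """\
interface e2/5
  ip address 192.168.1.2/24
  vrf member vpc-keepalive
vpc domain 1
  peer-keepalive destination 192.168.1.1 source 192.168.1.2 vrf vpc-keepalive
interface port-channel1000
  switchport mode trunk
  vpc peer-link
interface e2/1-2
  switchport mode trunk
  channel-group 1000 mode active
interface e2/3
  switchport mode trunk
  channel-group 1 mode active
interface port-channel1
  vpc 1
"""

# Constructed: the keepalive source on switch B is mistyped (192.168.1.11).
SWITCH_B = """\
interface e1/5
  ip address 192.168.1.1/24
  vrf member vpc-keepalive
vpc domain 1
  peer-keepalive destination 192.168.1.2 source 192.168.1.11 vrf vpc-keepalive
interface port-channel1000
  switchport mode trunk
  vpc peer-link
interface e1/1-2
  switchport mode trunk
  channel-group 1000 mode active
interface e1/3
  switchport mode trunk
  channel-group 1 mode active
interface port-channel1
  vpc 1
"""


def parse(cfg):
    """Extract the few vPC parameters that must agree between the two peers."""
    p = {"vpc_ids": set(), "peer_link": None, "ips": set()}
    section = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):          # top-level command opens a section
            section = line
            m = re.match(r"vpc domain (\d+)", line)
            if m:
                p["domain"] = int(m.group(1))
            continue
        m = re.match(r"peer-keepalive destination (\S+) source (\S+) vrf (\S+)", line)
        if m:
            p["ka_dst"], p["ka_src"], p["ka_vrf"] = m.groups()
        m = re.match(r"ip address (\S+)/\d+", line)
        if m:
            p["ips"].add(m.group(1))
        if line == "vpc peer-link":
            p["peer_link"] = section            # which port-channel is the peer-link
        m = re.match(r"vpc (\d+)$", line)
        if m:
            p["vpc_ids"].add(int(m.group(1)))
    return p


def check_peers(cfg_a, cfg_b):
    """Return a list of human-readable inconsistencies; an empty list means consistent."""
    a, b = parse(cfg_a), parse(cfg_b)
    issues = []
    if a.get("domain") != b.get("domain"):
        issues.append(f"vpc domain mismatch: {a.get('domain')} vs {b.get('domain')}")
    if a.get("ka_vrf") != b.get("ka_vrf"):
        issues.append("peer-keepalive vrf mismatch")
    # Keepalive addresses must be reciprocal: my source is mine, my destination is the peer's.
    for name, me, peer in (("A", a, b), ("B", b, a)):
        if me.get("ka_src") not in me["ips"]:
            issues.append(f"switch {name}: keepalive source {me.get('ka_src')} is not a local address")
        if me.get("ka_dst") not in peer["ips"]:
            issues.append(f"switch {name}: keepalive destination {me.get('ka_dst')} is not an address of the peer")
    if a["peer_link"] != b["peer_link"]:
        issues.append(f"peer-link port-channel mismatch: {a['peer_link']} vs {b['peer_link']}")
    if a["vpc_ids"] != b["vpc_ids"]:
        issues.append(f"vpc ids differ: {sorted(a['vpc_ids'])} vs {sorted(b['vpc_ids'])}")
    return issues


if __name__ == "__main__":
    for issue in check_peers(SWITCH_A, SWITCH_B) or ["peers consistent"]:
        print(issue)
```

The check is deliberately narrow: it only compares the handful of values that a vPC pair cannot disagree on, which is exactly the class of parameter that a centralized controller sets once instead of an operator typing it twice.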
Network and Security Virtualization
Figure: an Orchestrator and a Services Portal drive NSX Manager, which programs the vSphere hosts (three shown).
Hardware independent
Non-disruptive to the production network and security equipment
Why are breaches still happening?
Unconstrained communication
Little or no lateral controls inside the perimeter
Low-priority systems are targeted first.
Security is needed everywhere, but we can't have it everywhere
Why can't we have individual firewalls for every VM? With traditional technology, this is operationally infeasible.
Physical firewalls: expensive and complex
Virtual firewalls: slow, costly, and complicated
Figure: the Internet, the data center perimeter, and the workloads behind it.
Problem: Data Center Network Security
Perimeter-centric network security has proven insufficient, and micro-segmentation is operationally infeasible
Figure: two data centers behind the Internet; the first labelled "Insufficient" (little or no lateral controls inside the perimeter), the second "Operationally infeasible".
Datacenter security: micro-segmentation?
Figure sequence (Internet → FW / IPS-IDS → DMZ VLAN and INSIDE VLAN):
1. A perimeter firewall with IPS/IDS sits between the Internet and the DMZ and INSIDE zones.
2. Inside each VLAN there are no lateral controls between workloads.
3. The perimeter IDS/IPS only alerts or acts on traffic that crosses it.
4. Perimeter controls are insufficient: workloads within the DMZ VLAN and within the INSIDE VLAN can reach each other with no lateral controls.
Datacenter security: micro-segmentation with NSX
5. Same topology, with Zero Trust enforced between the workloads inside the DMZ VLAN and the INSIDE VLAN.
Solution: Leverage SDDC Approach for Micro-Segmentation
• Hypervisor-based, in-kernel distributed firewalling
• Platform-based automated provisioning and workload adds/moves/changes
Figure: a Cloud Management Platform pushes the Security Policy to the hypervisors; perimeter firewalls remain at the Internet edge.
Advanced Services Insertion
Figure: the Security Admin defines a Security Policy in the Management Plane; Traffic Steering redirects selected flows to Network Introspection services.
Security Automation
Security Group = Quarantine Zone
Members = {Tag = ‘ANTI_VIRUS.VirusFound’, L2 Isolated Network}
Policy Definition
Quarantined VM Policy
Firewall – Block all except security tools
Anti-Virus – Scan and remediate
Guest Introspection
Intelligent Policy Creation
Groups defined by workload characteristics, not IP, port and protocol
Guest Introspection
Security EcoSystem
• Anti-virus
• Data Loss Prevention
• Vulnerability Scan
• Security tags
• NGFW
• IPS
• Malware
• Anti-Bot
NSX Value Proposition
Network virtualization is at the core of the software-defined data center approach
Figure: the virtualization layer
The Next-Generation Networking Model
Network and security services now in the hypervisor:
• Switching
• Routing
• Load balancing
• Firewalling/ACLs
• East-west firewalling
• High throughput rates
• Hardware independent
NSX Value Proposition
Figure: virtual networks on top of a "network platform" in the virtualization layer
Security
Micro-segmentation | Secure End User | DMZ Anywhere
Figure: a grid of VMs segmented into Web, App and DB tiers.
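As an added example serving both the Security Automation slide above and the Web/App/DB segmentation shown here (illustrative Python, not NSX code or its API), the following models security groups as predicates over workload tags rather than IP addresses, and evaluates a first-match distributed firewall policy with a default deny. The quarantine rules are placed above the tier rules, so a VM that receives the ANTI_VIRUS.VirusFound tag loses its Web-to-App permission without anyone editing an address-based rule, keeps reachability to the security tools, and regains its normal permissions once remediation clears the tag. The VM names, IPs, the tier and security-tool tag names, and the ports are constructed assumptions.

```python
"""Tag-driven security groups and a first-match policy (illustrative model; added
example, not NSX code).  Only the tag ANTI_VIRUS.VirusFound comes from the slide;
every other name, address and port below is a constructed assumption."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class VM:
    name: str
    ip: str
    tags: set = field(default_factory=set)


@dataclass
class Rule:
    name: str
    src: str            # security group name, or "any"
    dst: str
    dport: Optional[int]  # None = any port
    action: str         # "allow" or "block"


# Dynamic membership: a group is a predicate over workload characteristics,
# so membership changes the moment a tag is added or removed.
GROUPS = {
    "Quarantine":    lambda vm: "ANTI_VIRUS.VirusFound" in vm.tags,
    "SecurityTools": lambda vm: "role.security-tool" in vm.tags,   # assumed tag
    "Web":           lambda vm: "tier.web" in vm.tags,             # assumed tag
    "App":           lambda vm: "tier.app" in vm.tags,             # assumed tag
    "DB":            lambda vm: "tier.db" in vm.tags,              # assumed tag
}


def members(group, inventory):
    """Names of the VMs currently matching the group's predicate."""
    return {vm.name for vm in inventory if GROUPS[group](vm)}


# Ordered like a distributed firewall section: first match wins, last rule is default deny.
# Quarantine rules come first so they override the tier rules for a tagged VM.
POLICY = [
    Rule("quarantine-allow-tools",    "Quarantine",    "SecurityTools", None, "allow"),
    Rule("quarantine-allow-tools-in", "SecurityTools", "Quarantine",    None, "allow"),
    Rule("quarantine-block-all-out",  "Quarantine",    "any",           None, "block"),
    Rule("quarantine-block-all-in",   "any",           "Quarantine",    None, "block"),
    Rule("web-to-app",                "Web",           "App",           8443, "allow"),
    Rule("app-to-db",                 "App",           "DB",            3306, "allow"),
    Rule("default-deny",              "any",           "any",           None, "block"),
]


def _in(group, vm, inventory):
    return group == "any" or vm.name in members(group, inventory)


def evaluate(src_vm, dst_vm, dport, inventory):
    """Return (action, rule_name) for the flow src_vm -> dst_vm:dport."""
    for r in POLICY:
        if (_in(r.src, src_vm, inventory) and _in(r.dst, dst_vm, inventory)
                and (r.dport is None or r.dport == dport)):
            return r.action, r.name
    return "block", "implicit-deny"


def demo():
    """Walk through the quarantine lifecycle on a three-tier app; returns the verdicts."""
    web1 = VM("web1", "10.0.1.10", {"tier.web"})
    app1 = VM("app1", "10.0.2.10", {"tier.app"})
    db1 = VM("db1", "10.0.3.10", {"tier.db"})
    scanner = VM("av-scanner", "10.0.9.10", {"role.security-tool"})
    inv = [web1, app1, db1, scanner]
    results = {}
    results["web_app_8443"] = evaluate(web1, app1, 8443, inv)
    results["web_db_3306"] = evaluate(web1, db1, 3306, inv)      # no tier rule: default deny
    web1.tags.add("ANTI_VIRUS.VirusFound")                      # anti-virus tags the VM
    results["quarantined_web_app"] = evaluate(web1, app1, 8443, inv)
    results["quarantined_web_scanner"] = evaluate(web1, scanner, 443, inv)
    web1.tags.discard("ANTI_VIRUS.VirusFound")                  # remediation clears the tag
    results["remediated_web_app"] = evaluate(web1, app1, 8443, inv)
    return results


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow}: {verdict[0]} ({verdict[1]})")
```

The point to take from the ordering: if the tier rules were listed above the quarantine rules, a tagged web VM would still match "web-to-app" first and the quarantine would be ineffective, so rule position is part of the policy, not a cosmetic detail.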
Getting Started and Operations
vRealize Network Insight
Transformative Operations for NSX-based Software-Defined Data Center
NSX & vRealize Network Insight Journey
Figure: Evaluating → Day 1 → Day 2
Get Started Today with a Free VMware Network Assessment
Understand how you can immediately benefit from micro-segmentation
NSX-T 2.1
Thank you