
NSX

DC Security with Micro-segmentation

Esteban Prieto
Senior Systems Engineer
© 2015 VMware Inc. All rights reserved.
How do you:
Move as fast as the business needs while serving a changing and growing environment, without having to start over?

You need a new approach to networking and security that gives you:
The agility and speed you need to support your business, while providing a more secure infrastructure.
The Software Defined Data Center

Software Defined Data Center (SDDC):
• Any Application (software / hardware abstraction)
• SDDC Platform
• Data Center Virtualization (software / hardware abstraction)
• Any x86, Any Storage, Any IP network

Google / Facebook / Amazon Data Centers:
• Custom Application
• Custom Platform
• Any x86, Any Storage, Any IP network
Traditional network provisioning

Switch with 192.168.1.2 (vPC peer A):
interface e2/5
  ip address 192.168.1.2/24
  vrf membership vpc-keepalive
vpc domain 1
  peer-keepalive destination 192.168.1.1 source 192.168.1.2 vrf vpc-keepalive
interface port-channel 1000
  switchport mode trunk
  vpc peer-link
interface e2/1-2
  switchport mode trunk
  channel-group 1000 mode active
interface e2/3
  switchport mode trunk
  channel-group 1 mode active
interface port-channel1
  vpc 1

Switch with 192.168.1.1 (vPC peer B):
interface e1/5
  ip address 192.168.1.1/24
  vrf membership vpc-keepalive
vpc domain 1
  peer-keepalive destination 192.168.1.2 source 192.168.1.1 vrf vpc-keepalive
interface port-channel 1000
  switchport mode trunk
  vpc peer-link
interface e1/1-2
  switchport mode trunk
  channel-group 1000 mode active
interface e1/3
  switchport mode trunk
  channel-group 1 mode active
interface port-channel1
  vpc 1

... (the same box-by-box configuration is repeated on every further switch)

• Slow
• Non-centralized configuration
• Human Error
Network and Security Virtualization

Orchestrator, Services Portal, NSX Manager, vSphere hosts

• Hardware independent
• Non-disruptive to the production network and security equipment
Why are breaches still happening?

Unconstrained communication: little or no lateral controls inside the perimeter.
• Low priority systems are targeted first.
• Attackers can move freely around the data center.
• Attackers then gather and exfiltrate data over weeks or even months.

(Diagram: Internet, Data Center Perimeter)
Security is needed everywhere, but we can’t have it everywhere

Why can’t we have individual firewalls for every VM? With traditional technology, this is operationally infeasible.
• Physical firewalls: expensive and complex
• Virtual firewalls: slow, costly, and complicated

(Diagram: Internet, Data Center Perimeter)
Problem: Data Center Network Security
Perimeter-centric network security has proven insufficient, and micro-segmentation is operationally infeasible.
• Insufficient: little or no lateral controls inside the perimeter
• Operationally infeasible
Data Center Security: Micro-segmentation?

Topology: Internet, then FW / IPS-IDS, then the DMZ VLAN and the INSIDE VLAN.
• NO LATERAL CONTROLS: workloads inside the DMZ VLAN, and workloads inside the INSIDE VLAN, can reach each other freely.
• IDS-IPS alert/action happens only at the perimeter FW / IPS-IDS.
• Perimeter controls are insufficient: once inside a VLAN there are no lateral controls.

Data Center Security: Micro-segmentation with NSX

Topology: Internet, then FW / IPS-IDS, then the DMZ VLAN and the INSIDE VLAN, with ZERO TRUST enforced between the workloads inside each VLAN.
Solution: Leverage SDDC Approach for Micro-Segmentation
• Hypervisor-based, in-kernel distributed firewalling
• Platform-based automated provisioning and workload adds/moves/changes

(Diagram: Security Policy, Cloud Management Platform, Internet, Perimeter Firewalls)
Advanced Services Insertion

• Management Plane
• Security Admin
• Security Policy
• Traffic Steering
• Network Introspection

(Diagram: Internet)
Security Automation

Security Group = Quarantine Zone
Members = {Tag = ‘ANTI_VIRUS.VirusFound’, L2 Isolated Network}

Security Group = Web Tier

Policy Definition

Standard Server VM Policy
• Anti-Virus – Scan

Quarantined VM Policy
• Firewall – Block all except security tools
• Anti-Virus – Scan and remediate

Guest Introspection
Intelligent Policy Creation
Groups defined by workload characteristics, not IP, port and protocol:
• Operating System
• Machine Name
• Services
• Application Tier
• Regulatory Requirements
• Security Posture
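The quarantine and tier policies above, modelled in Python as an added example (not NSX code or the presenter's material): group membership is computed from tags and application tier rather than IP, and a first-match rule set with a zero-trust default decides each flow. The group names, rule set and sample VMs are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed model of tag-driven security groups (hypothetical names, not NSX's API).
QUARANTINE_TAG = "ANTI_VIRUS.VirusFound"

@dataclass
class VM:
    name: str
    ip: str          # carried only to show it plays no part in the policy
    tier: str        # workload characteristic: web, app, db, security-tools
    tags: set = field(default_factory=set)

def groups_of(vm):
    """Security groups are computed from workload characteristics, not IPs."""
    groups = {vm.tier}
    if QUARANTINE_TAG in vm.tags:
        groups.add("quarantine")   # membership flips the moment AV sets the tag
    return groups

# Distributed-firewall rule set, first match wins: (src group, dst group, port, action).
# Quarantine rules sit first so they override the standard tier policy.
RULES = [
    ("quarantine", "security-tools", "*", "allow"),  # block all except security tools
    ("security-tools", "quarantine", "*", "allow"),
    ("quarantine", "*", "*", "deny"),
    ("*", "quarantine", "*", "deny"),
    ("web", "app", 8080, "allow"),                   # standard three-tier policy
    ("app", "db", 3306, "allow"),
]
DEFAULT_ACTION = "deny"   # zero trust: anything not explicitly allowed is dropped

def evaluate(src, dst, port):
    """Return the firewall verdict for a flow src -> dst on the given port."""
    src_groups, dst_groups = groups_of(src), groups_of(dst)
    for s, d, p, action in RULES:
        if ((s == "*" or s in src_groups) and (d == "*" or d in dst_groups)
                and (p == "*" or p == port)):
            return action
    return DEFAULT_ACTION

if __name__ == "__main__":
    web, app = VM("web-01", "10.0.1.10", "web"), VM("app-01", "10.0.2.10", "app")
    db, av = VM("db-01", "10.0.3.10", "db"), VM("av-01", "10.0.9.5", "security-tools")
    print(evaluate(web, app, 8080), evaluate(web, db, 3306))   # allow deny
    app.tags.add(QUARANTINE_TAG)            # AV finds malware on app-01
    print(evaluate(web, app, 8080), evaluate(av, app, 22))      # deny allow
```

Note that no IP address or rule was edited to isolate app-01: the tag alone moved it into the quarantine group, which is the automation the slides describe.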
Security EcoSystem

• Anti-virus
• Data Loss Prevention
• Vulnerability Scan
• Security tags
• NGFW
• IPS
• Malware
• Anti-Bot
NSX Value Proposition
Network virtualization is at the core of the software-defined data center approach.

(Diagram: Virtualization layer over network, storage, compute)
The Next-Generation Networking Model
Network and security services now in the hypervisor:
• Switching
• Routing
• Load balancing
• Firewalling/ACLs
• East-west firewalling
• High throughput rates
• Hardware independent
NSX Value Proposition

(Diagram: Virtual networks on a “Network platform”, a virtualization layer over network, storage, compute)
Security
Micro-segmentation | Secure End User | DMZ Anywhere

Granular Policy Enforcement
Enables zero trust security model with policy enforced at every workload.

(Diagram: rows of VMs grouped into Web, App and DB tiers)
Getting Started and Operations
vRealize Network Insight
Transformative Operations for NSX based Software-Defined Data Center

• Plan Micro-segmentation Deployment and Audit Security Compliance
• Optimize Network Performance with 360° Visibility & Analytics
• Offers Best Practices, Health and Availability of NSX Deployment

Across Virtual, Physical and Cloud
NSX & vRealize Network Insight Journey

Evaluating – Assess:
• East–West Traffic Profiling
• Micro-Segmentation Recommendations
• NSX ROI Modeling

Day 1 – Deploy:
• Data Center Map Application Connectivity
• Security Groups and DFW Rule Recommendations
• Best Practices

Day 2 – Manage:
• Overlay-Underlay, V-to-P Visibility
• Google-like Search for Rapid Trouble-Shooting
• Audit & Compliance
Get Started Today with a Free VMware Network Assessment
Understand how you can immediately benefit from micro-segmentation.

Visibility, Recommendation, Value
NSX-T 2.1

Thank you
