Automating Advanced Security Services in SDDC Environments with Flair
Advanced Security for the SDDC with VMware NSX
The Data Center is Transforming
Today’s businesses have to deliver more—and deliver it faster than ever before.

• 80% of servers will be virtualized by 2016 (1)
• 40% of data will be stored or processed by the cloud by 2020 (3)
• $5.4B: size of the software-defined data center market by 2018 (2)
• 61% of businesses used a hybrid cloud environment by the end of 2014 (4)

Sources:
1. Gartner, “Virtualization Key Initiative Overview,” July 22, 2011
2. IDC, The Digital Universe in 2020: Big Data, Bigger Digital Shadows, and Biggest Growth in Far East. Dec. 2012
3. Cisco Global Cloud Index: Forecast and Methodology, 2013-2018.
4. RightScale 2014 State of the Cloud Survey


Data Center Security is also transforming
Increased attack surface

• Only 50% of data that needs protection is protected (1)
• 40% of attacks target servers (3)
• 80%+ of businesses use cloud apps without knowledge or support of corporate IT (2)
• 345 new threats arise every minute (almost 6 per second) (4)
• Mean cost of data breaches per minute: $7900—up 41% since 2010 (5)

Sources:
1. IDC, The Digital Universe in 2020: Big Data, Bigger Digital Shadows, and Biggest Growth in Far East. Dec. 2012
2. Stratecast, The Hidden Truth Behind Shadow IT. November 2013. http://www.mcafee.com/us/resources/reports/rp-six-trends-security.pdf
3. Verizon 2013 State of the Enterprise Cloud Report
4. McAfee Labs August 2015 Threats Report
5. Ponemon Institute, 2013 Cost of Data Center Outages


Cornerstone for a “New Style of IT”
Exploiting the Full Potential of Converged Infrastructure

Software-Defined Data Center
All infrastructure is virtualized and delivered as a service, and the control of this data center is entirely automated by software.

• Fully virtualized infrastructure
• Flexible mix of private and hybrid clouds
• Vendor independent
• Simplified configuration and management
• Good price/performance
• Fundamentally more secure than traditional data centers

Diagram: Abstract. Pool. Automate. Secure.
SDI – The Application Defines the System
The evolution to software-defined infrastructure

Diagram: three stages of the evolution.
• Traditional hardware: one application per system.
• Abstracting the hardware: one application per virtual system, with a VM Manager over a compute resource pool.
• Abstracting the data center: applications DEFINE the system; compute, network, and storage applications draw on a shared resource pool of storage, network, and compute.
SDDC: Automating Server Security

SDDC: Familiar Territory for IT – Server Virtualization
Advantages of Server Virtualization

Diagram: applications run on virtual machines; server virtualization software abstracts the hardware layer of compute, network, and storage capacity.

Automated Operational Model
Programmatically:
• Create
• Snapshot
• Store
• Move
• Delete
• Restore

• Intelligence in the virtualization layer
• Vendor independent x86 capacity
• Transformative operational model
• Automated configuration and management

Manual Model
• Intelligence in hardware
• Dedicated, vendor-specific infrastructure
• Manual configuration and management
Automating Advanced Security for SDDC
Optimized Antivirus

Diagram: McAfee ePO at the center of three benefits.
• Ease of Management
• Resource Optimization
• Enhanced Performance
Traditional AV vs. Optimized AV for Virtualization

Traditional AV for virtualized environments    Optimized AV for virtualized environments
Resource bottlenecks                           Resource availability
Painful management experience                  Easy management experience
Peak overloading on the hypervisor             Optimized resources on every hypervisor
Wasted resources
McAfee MOVE AV – Optimized for Virtualized Servers
Agentless deployment for VMware environments

Diagram: McAfee ePO and GTI File Reputation feed a MOVE Security Virtual Appliance (VSE, MOVE) on the virtual infrastructure; guest VMs (OS, VMtools, MOVE AV) are served through VMware NSX or vShield Endpoint in the data center.

Features
• Optimized Antivirus by offloading file scanning
• Three deployment modes:
  • Agentless through vCNS (vSphere only)
  • Agentless through NSX (vSphere only)
  • Multi-platform for ALL hypervisors (unique in the industry)
• Simple ePO-based deployment
New: McAfee MOVE AV Integration with NSX
Automating Advanced Security

Diagram: McAfee ePO manages a MOVE Security Virtual Appliance that scans the VMs on an NSX-managed host.

• Intelligent Optimized Antivirus
• Automatic SVA deployment
• AV scans
• Automatic detection of NSX
• New ePO policies are seen instantly on the NSX console, and vice versa
• ePO page shows vCNS or NSX info
• Automatic (rule-based) movement of certain VMs in NSX from one security group to another

The security you need; the flexibility you deserve.


VMware NSX Network Virtualization

Taking What We Have Learned…
Advantages of Server Virtualization

Diagram: the same server-virtualization stack shown on the earlier “Advantages of Server Virtualization” slide (applications on virtual machines over pooled compute, network, and storage capacity).

Automated Operational Model
Programmatically: Create, Snapshot, Store, Move, Delete, Restore
• Intelligence in the virtualization layer
• Vendor independent x86 capacity
• Transformative operational model
• Automated configuration and management

Manual Model
• Intelligence in hardware
• Dedicated, vendor-specific infrastructure
• Manual configuration and management
To Deliver the Software-Defined Data Center Approach
Speed – Efficiency – Lower Cost

Diagram: applications run on virtual machines, virtual networks, and virtual storage; data center virtualization software abstracts pooled compute, network, and storage capacity.

Automated Operational Model
Programmatically: Create, Snapshot, Store, Move, Delete, Restore
• Automation and orchestration with RESTful APIs
• Pooled compute, network, and storage
• Vendor independent, best price/performance
• Simplified configuration and management
• Location independence / infrastructure convergence
Perimeter Security Alone Does Not Prevent Breaches
Internal controls are often weak

• Strong perimeter defense is typical
• Sophisticated threats reach low-priority servers
• Threats spread from server to server

Diagram: an attack path from low-priority servers to high-priority servers behind the perimeter.
Perimeter Security Alone Does Not Prevent Breaches
Internal controls are often weak

Diagram: behind the perimeter firewall and DMZ, an inside firewall fronts the APP, DB, and Services tiers, in which high-, medium-, and low-security servers sit side by side.
East-West Traffic in the Private Cloud
Perimeter defense remains effective while decreased in relevance

• Workloads migrate
• New workloads spin up and down
• 76% of traffic in the cloud/data center remains within it*

Diagram: in an SDI private cloud, a perimeter firewall sits at the network edge, while APP and DB workloads communicate across vSwitches on several hypervisors.

*Source: Cisco, http://www.zdnet.com/article/cisco-projects-data-center-cloud-traffic-to-triple-by-2017/
East-West Traffic in the Private Cloud
Cases for Security Control Alignment

• East-West traffic: security inspection within the perimeter
• Workload migration: widely distributed inspection capability
• New workload protection: inspect new workload traffic immediately
• Varied security requirements: multiple security functions supported
Software-Defined Data Center Approach
• Network Virtualization
• Micro-Segmentation
• Advanced Security Services Insertion
NSX Native Security Capabilities

• High throughput rates on a per-hypervisor basis with in-kernel DFW
• Every hypervisor adds additional east-west firewalling capacity
• Enforcement at virtual interface
• Policies follow workloads
• Standard NSX tagging for context sharing across security controls
NSX Automates Security Operations

Platform-based automation
• Automated provisioning and workload adds/moves/changes
• Centralized management of single, logical, distributed firewall
NSX Platform Extensibility… with Advanced Security

1. Add leading security solutions, like McAfee Network Security Platform, to your micro-segmentation deployment for greater security
2. Apply the SDDC operational model to third-party security products
3. Adapt to changing security conditions in the data center by enabling security solutions to share intelligence

Traditional Data Center: Static Service Chain
In a traditional data center, security services must be configured when the network is architected, meaning the “chain” of services is locked in once deployed. This is an inefficient use of resources and cannot defend against changing threat conditions or protect dynamic workloads.

NSX Data Center: Dynamic Service Chain
In an NSX data center, McAfee Network Security Platform uses NSX security tags to share intelligence, adapting to changing security conditions. NSX automatically applies the correct security function, as needed.
SDDC/NSX: The Foundation for Practical Micro-Segmentation

• Isolation: Dev, Test, and Production have no communication path between them
• Segmentation: the Web, App, and DB tiers have a controlled communication path
• Service Insertion: the Web, App, and DB tiers have an advanced-service-controlled communication path

Intel Security’s vNSP provides isolation, segmentation, and advanced services
Intel Security Controller

The Intel Security Controller
NSX enables dynamic insertion of advanced security

Diagram: the Intel® Security Controller provides orchestration and APIs between a Security Functions Catalog and distributed virtual appliances, with VMware vCenter and VMware NSX underneath.
• Support for SDN controllers and virtualization environments
• Exposure of IA power and functions (Intel DPDK, HyperScan, AES-NI etc.)
Intel Security Controller in VMware environments

Diagram: the stack, from top to bottom.
• Application: VNF 1 (McAfee vNSP), VNF 2 (McAfee vNSP); VIM: vSphere/vCenter
• SFV Orchestration: Intel Security Controller
• Network Virtualization: VMware NSX Controller
• Hypervisor: VMware ESX
• Silicon: IA-based bare metal

ISC integrates with VMware NSX and vSphere to orchestrate advanced security
ISC Security Implementation with VMware NSX

• Connect ISC to managers and VMware NSX
• Create distributed security appliances
• Install security services on desired clusters
• Create security groups
• Create security policy
• Apply policy to security groups
• Push updated signature files to DA instances

Diagram: ISC and Security Management sit above NSX; on each host an NSX Agent and a VSF attached to the vSwitch inspect the VMs. Example policy shown: inspect all traffic to/from the blue group with the DB security policy.
VMware NSX Micro-Segmentation with McAfee NSP
Advanced threat protection for east-west traffic flows

Diagram: Finance, HR, and Production Security Groups each span the APP, DB, and Services tiers behind the perimeter firewall, DMZ, and inside firewall; a vNSP instance protects each group in each tier. Security Management consists of McAfee Network Security Manager, the Security Functions Catalog, and the Intel® Security Controller.
Separation of Duties

Security Administrator
• Manages security policies
• Manages security groups
• Manages security appliances
• Security Manager: alerts & analysis

Automated Functionality
• Intel® Security Controller with Security Functions Catalog: deploys and deletes services; injects security services based on policy in workflow
• SDN Controller: orchestrates services

Infrastructure Administrator
• Software-Defined Data Center: virtualization management
Use Case: VMware NSX East-West Traffic Protection
Intel Security Controller

Diagram: vNSP instances on each host detect and block attacks and raise alerts to McAfee Network Security Manager (security management). The Security Administrator issues a Quarantine VM action through the Security Response API to the Intel® Security Controller (security orchestration: bulk, dynamic provisioning, and policy updates), which sends the quarantine action to VMware NSX Manager and VMware vCenter; the NSX Agent on each host enforces it. The Infrastructure Administrator side of the diagram holds vCenter, NSX Manager, and the NSX Agents.
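The quarantine flow on this slide (vNSP alert, Quarantine VM through the Security Response API, ISC pushing the action to NSX) and the rule-based movement of VMs between security groups on the MOVE AV integration slide both rest on the one NSX mechanism the deck names: security-group membership derived from security tags, with distributed-firewall rules written against groups rather than addresses. The following added example, which is not code from Intel Security, McAfee or VMware, models that mechanism offline in Python so the effect of a quarantine can be traced rule by rule. The VM names, tags (tier:web, QUARANTINE and so on), group names, rules and the alert id are all constructed for the example and are not real NSX or ISC identifiers; the Fabric class and its methods are likewise hypothetical and stand in for no product API.

```python
"""Constructed model of tag-driven security groups and quarantine (example only;
not Intel Security, McAfee or VMware code). A VM's security-group membership is
derived from its security tags, distributed-firewall rules are written against
groups, and an IPS alert quarantines a VM simply by adding a tag."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class VM:
    name: str
    tags: set = field(default_factory=set)


@dataclass
class SecurityGroup:
    name: str
    required_tags: frozenset  # dynamic membership: the VM must carry all of these


@dataclass
class Rule:
    src: Optional[str]  # source security group; None matches any VM
    dst: Optional[str]  # destination security group; None matches any VM
    service: str        # "any" or "proto/port", e.g. "tcp/3306"
    action: str         # "allow" or "block"


QUARANTINE_TAG = "QUARANTINE"  # constructed tag name, not a real NSX tag


class Fabric:
    """Ordered rule set evaluated at each VM's virtual interface: first match
    wins, and anything unmatched is blocked (default deny inside the perimeter)."""

    def __init__(self, vms, groups, rules):
        self.vms = {v.name: v for v in vms}
        self.groups = {g.name: g for g in groups}
        self.rules = list(rules)

    def groups_of(self, vm_name):
        tags = self.vms[vm_name].tags
        return {g.name for g in self.groups.values() if g.required_tags <= tags}

    def members(self, group_name):
        return {name for name in self.vms if group_name in self.groups_of(name)}

    def evaluate(self, src_vm, dst_vm, service):
        src_groups, dst_groups = self.groups_of(src_vm), self.groups_of(dst_vm)
        for rule in self.rules:
            if rule.src is not None and rule.src not in src_groups:
                continue
            if rule.dst is not None and rule.dst not in dst_groups:
                continue
            if rule.service not in ("any", service):
                continue
            return rule.action
        return "block"

    def quarantine(self, vm_name, alert_id):
        """The 'Quarantine VM' response: tag the VM; group membership and the
        rules that reference the Quarantine group follow automatically."""
        self.vms[vm_name].tags.add(QUARANTINE_TAG)
        print(f"{alert_id}: {vm_name} quarantined, now in {sorted(self.groups_of(vm_name))}")
        return self.groups_of(vm_name)

    def release(self, vm_name):
        """Reverse the quarantine after analysis; membership reverts the same way."""
        self.vms[vm_name].tags.discard(QUARANTINE_TAG)
        return self.groups_of(vm_name)


def build_demo():
    """Constructed three-tier inventory plus a security-management VM."""
    vms = [VM("web-01", {"tier:web"}), VM("app-01", {"tier:app"}),
           VM("db-01", {"tier:db"}), VM("secmgmt-01", {"role:secmgmt"})]
    groups = [SecurityGroup("Web", frozenset({"tier:web"})),
              SecurityGroup("App", frozenset({"tier:app"})),
              SecurityGroup("DB", frozenset({"tier:db"})),
              SecurityGroup("SecMgmt", frozenset({"role:secmgmt"})),
              SecurityGroup("Quarantine", frozenset({QUARANTINE_TAG}))]
    rules = [
        # Quarantine rules come first so they override the tier rules below.
        Rule("SecMgmt", "Quarantine", "any", "allow"),   # analysts keep access
        Rule("Quarantine", None, "any", "block"),        # isolate outbound
        Rule(None, "Quarantine", "any", "block"),        # isolate inbound
        Rule("Web", "App", "tcp/8080", "allow"),
        Rule("App", "DB", "tcp/3306", "allow"),
    ]
    return Fabric(vms, groups, rules)


if __name__ == "__main__":
    fabric = build_demo()
    print("web->app before:", fabric.evaluate("web-01", "app-01", "tcp/8080"))
    fabric.quarantine("web-01", "ALERT-0001")  # constructed alert id
    print("web->app after: ", fabric.evaluate("web-01", "app-01", "tcp/8080"))
    print("secmgmt->web:   ", fabric.evaluate("secmgmt-01", "web-01", "tcp/22"))
```

Running the block prints the web-to-app verdict before and after the quarantine. The design point worth noticing is the rule order: the Quarantine rules sit above the tier rules, so a quarantined VM is cut off from its neighbours the moment the tag lands while the security-management group keeps access for analysis, and releasing the VM is a tag removal rather than a rule change. That is the property the deck is selling when it says policies follow workloads.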
Multi-Tenancy (e.g. MSP)

• Tenant perspective: must be fully isolated. Tenant DARK’s Cloud and Tenant LIGHT’s Cloud are air-gapped, each with its own VSF.
• Logical perspective: require IPS inspection at the edge of all network traffic. Tenant DARK’s Security Group and Tenant LIGHT’s Security Group are inspected separately.
• Practical perspective: must share resources. One Intel® Security Controller, virtualization management, SDN, Security Manager, Security Administrator, and Infrastructure Administrator serve both tenants’ VSFs.
Summary
Benefits of the Joint Intel Security & VMware NSX
McAfee vNSP, Intel® Security Controller, McAfee MOVE AV, VMware NSX

• Data center protection that scales and provides internal protection
• Just-in-time provisioning of security services
• Automated security policy deployment reduces complexity in large-scale operations
Where to start projects?
A tangible place to get the most bang per buck
• Intra-data center micro-segmentation
• IT automating IT

Where to get started
The things you need to do…
• Visit the Resource Centers
• Test out NSX in the free hands-on Lab
• Chat with NSX experts

Thank you