Transforming Security with NSX Micro-Segmentation

Transcription

Transforming Security with NSX Micro-Segmentation
InfoSec 2015
Peter Bury, VMware SDDC Security and Compliance
@Peter_Bury
© 2015 VMware Inc. All rights reserved.
Why do breaches still occur?
Today’s data centers are protected by strong perimeter defense…
But threats and exploits still infect servers. Low-priority systems are often the target.
Threats can lie dormant, waiting for the right moment to strike.
Attacks spread inside the data center, where internal controls are often weak. Critical systems are targeted.
Server-server traffic growth has outpaced client-server traffic. The attack spreads and goes unnoticed.
Possibly after months of reconnaissance, the infiltration relays secret data to the attacker.
The legacy security model emphasized perimeter security
Perimeter-centric network security has proven insufficient, and is incompatible with a world where security is needed everywhere.
(Diagram: Internet, data center perimeter)
Adding more internal security requires placing more firewalls across workloads:
• Physical firewalls: cost prohibitive, with complex configurations
• Virtual firewalls: slower performance, costly and complicated
Making it possible: network intelligence in software
Software Defined Data Center (SDDC): network and security services now in the hypervisor, for any application
• Firewalling/ACLs
• Load balancing
• L2 switching
• L3 routing
SDDC platform: data center virtualization on any x86, any storage, any IP network
CONFIDENTIAL
NSX Distributed Firewalling
Hypervisor kernel embedded firewall:
• Is built directly into the hypervisor
• “Line rate” performance
• No VM can circumvent the firewall (egress and ingress packets are always processed by the firewall)
– In case of extreme load (CPU saturated or memory completely full) the Distributed Firewall fails closed: no packet will pass the firewall.
Distributed virtual firewall:
• No “choke point”
• Scale out
• Enforcement closest to the VM, at the vNIC level
Higher levels of data center security: micro-segmentation
1. Isolation and segmentation
2. Unit-level trust / least privilege
3. Ubiquity and centralized control
Micro-segmentation:
Isolation: no communication path between unrelated networks
Segmentation: controlled communication path within a single network
Advanced services: addition of 3rd-party security, as needed by policy
Micro-segmentation and Security Groups
(Diagram: perimeter firewall, DMZ, inside firewall; Finance, HR and Engineering segments, each with App and DB tiers; shared Services group: AD, NTP, DHCP, DNS, CERT)
• Each VM can now be its own perimeter
• Policies align with logical groups
• Prevents threats from spreading
Visibility & Adaptable Security – User Identity
Differentiate control based on what is running inside the workload (data, app) and who is accessing it (Finance, HR, Engineering).
Threat reduction: limit access to micro-segments based on user identity; restrict access using Identity Firewall
Threat response: dynamic policies to enable adaptive security for ever-changing environments
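The two preceding slides (security groups that align policy with logical groups, and identity-aware rules) describe a policy model rather than show one. The following is an added example, not code from the deck or from VMware: a small constructed model in which workloads carry group tags, an ordered rule table is evaluated per flow, rules may additionally require the source user to belong to a directory group, and anything no rule allows is denied. The inventory, tag names, rule names and ports are constructed to mirror the Finance/HR/Services diagram; none of it is NSX's API or data model.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple

# Constructed model of micro-segmentation policy evaluation (added example,
# not NSX's own API). Workloads are classified by tags, one ordered rule table
# is evaluated for every flow, and a flow no rule allows is dropped: each VM
# effectively gets its own perimeter instead of relying on a zone boundary.


@dataclass(frozen=True)
class Workload:
    name: str
    tags: FrozenSet[str]  # logical group membership, e.g. {"Finance", "App"}


@dataclass(frozen=True)
class User:
    name: str
    groups: FrozenSet[str]  # directory groups the logged-in user belongs to


@dataclass(frozen=True)
class Rule:
    name: str
    src: FrozenSet[str]    # tags the source must ALL carry; empty = any source
    dst: FrozenSet[str]    # tags the destination must ALL carry; empty = any
    ports: FrozenSet[int]  # empty = any port
    action: str            # "allow" or "deny"
    user_group: Optional[str] = None  # identity condition, if the rule has one


def matches(rule: Rule, src: Workload, dst: Workload, port: int,
            user: Optional[User]) -> bool:
    """True when the flow satisfies every condition of the rule."""
    if not rule.src <= src.tags or not rule.dst <= dst.tags:
        return False
    if rule.ports and port not in rule.ports:
        return False
    if rule.user_group is not None:
        # Identity condition: only a flow with a known user in that group matches.
        return user is not None and rule.user_group in user.groups
    return True


def evaluate(policy: List[Rule], src: Workload, dst: Workload, port: int,
             user: Optional[User] = None) -> Tuple[str, str]:
    """First matching rule wins; with no match the flow is denied (default deny)."""
    for rule in policy:
        if matches(rule, src, dst, port, user):
            return rule.action, rule.name
    return "deny", "default-deny"


def allowed_flows(policy: List[Rule], inventory: List[Workload],
                  ports: List[int]) -> Set[Tuple[str, str, int]]:
    """Enumerate every permitted workload pair and port with no user logged in:
    the east-west exposure map a reviewer would want to inspect."""
    out = set()
    for s in inventory:
        for d in inventory:
            if s is d:
                continue
            for p in ports:
                if evaluate(policy, s, d, p)[0] == "allow":
                    out.add((s.name, d.name, p))
    return out


# Constructed inventory and policy modelled on the deck's diagram.
INVENTORY = [
    Workload("fin-app-01", frozenset({"Finance", "App"})),
    Workload("fin-db-01", frozenset({"Finance", "DB"})),
    Workload("hr-app-01", frozenset({"HR", "App"})),
    Workload("hr-db-01", frozenset({"HR", "DB"})),
    Workload("dns-01", frozenset({"Services", "DNS"})),
    Workload("vdi-desktop-07", frozenset({"Desktop"})),
]
POLICY = [
    # Shared service reachable from every segment, but only on its service port.
    Rule("shared-dns", frozenset(), frozenset({"DNS"}), frozenset({53}), "allow"),
    # Segmentation inside one group: only the app tier may reach its own DB tier.
    Rule("fin-app-to-db", frozenset({"Finance", "App"}), frozenset({"Finance", "DB"}),
         frozenset({5432}), "allow"),
    Rule("hr-app-to-db", frozenset({"HR", "App"}), frozenset({"HR", "DB"}),
         frozenset({5432}), "allow"),
    # Identity-based access: desktops reach the Finance app only for Finance users.
    Rule("finance-users-to-app", frozenset({"Desktop"}), frozenset({"Finance", "App"}),
         frozenset({443}), "allow", user_group="Finance"),
]
BY_NAME = {w.name: w for w in INVENTORY}


def check(src: str, dst: str, port: int, user: Optional[User] = None) -> Tuple[str, str]:
    """Evaluate one flow between named workloads against the constructed policy."""
    return evaluate(POLICY, BY_NAME[src], BY_NAME[dst], port, user)


if __name__ == "__main__":
    for s, d, p in [("fin-app-01", "fin-db-01", 5432), ("fin-app-01", "hr-db-01", 5432),
                    ("fin-db-01", "fin-app-01", 443), ("hr-app-01", "dns-01", 53)]:
        print(s, "->", d, p, check(s, d, p))
    print(check("vdi-desktop-07", "fin-app-01", 443, User("alice", frozenset({"Finance"}))))
    for flow in sorted(allowed_flows(POLICY, INVENTORY, [53, 443, 5432])):
        print("exposed:", flow)
```

Isolation shows up as Finance-to-HR traffic hitting the default deny with no rule needed, segmentation as the DB tier being unable to open connections back to the app tier, and the identity condition as the same desktop flow being allowed or denied depending on who is logged in. The `allowed_flows` enumeration is the kind of check worth running whenever a tag or rule changes, since it lists exactly which east-west paths the policy leaves open.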
Extensibility to Partner Ecosystem
In Summary … NSX Enhanced Security
• Micro-segmentation places simpler security controls at the application
• Micro-segmentation focuses simpler security policies on users and applications
• Micro-segmentation creates pervasive east/west (E/W) visibility
• Micro-segmentation simplifies all security technologies
Thank You