TRANSCRIPT
Confidential │ ©2020 VMware, Inc.
Welcome to VMware TechTuesday Webinar
The Secure Virtual Cloud Network – The Goldilocks Zone of Data Center Security
Tock Hiong Ng, Senior Manager, Specialist Solutions Engineering, Networking, Security & Automation, Southeast Asia & Korea, VMware
Chian Chong Wong, Specialist Solutions Engineer, Networking & Security, Southeast Asia & Korea, VMware
Tyler Chen, Senior Solutions Engineer, Networking & Security, Asia Pacific & Japan, VMware
Tock Hiong Ng, Senior Manager, Specialist Solutions Engineering, Networking, Security & Automation, Southeast Asia & Korea, VMware
The Secure Virtual Cloud Network - The Goldilocks Zone of Data Center Security
Tock Hiong Ng, Senior Manager, SEAK Networking, Security and Automation, Solution Engineering
Wong Chian Chong, Senior Solution Engineer
Tyler Chen, Senior Solution Engineer
Agenda
What is the Goldilocks Zone in Security
3 Steps to Advanced East West Protection
Intrinsic Security Demo
In Summary
What is the Goldilocks zone?
What is the Goldilocks zone in Security?
[Figure: security controls plotted on two axes, Context and Isolation]
Endpoint Security: High Context, Low Isolation
External Firewall: High Isolation, Low Context
No Ubiquitous Enforcement
What does the Goldilocks zone mean in Security?
[Figure: the same Context/Isolation axes, now with the full range of controls]
Endpoint Security: High Context, Low Isolation
External Firewall: High Isolation, Low Context
In between: Switching / Routing / Service Mesh, Internal Firewall / IPS, ADC/ALB/WAF
The Goldilocks Zone in Security: NSX Data Center and Cloud Platform on Physical Infrastructure, High Context, High Isolation, Zero Trust Enforcement
[Figure: NSX security services] LOAD BALANCER/WAF, FIREWALL, IDS/IPS, ANALYTICS
Security at Scale
20 Tbps firewall
Traditional firewalls cost at least [multiple shown in chart] more than NSX Service-defined Firewall
[Chart: Traditional Firewall vs NSX SDFW]
Note: Internal calculation based on 4Gbps traffic/server, including CapEx and 3 years of support
Note: With 40Gbps links at capacity, traditional firewalls will be 10x more expensive
The Power of Intrinsic: EDR + NDR = XDR
Security Data Federation: Contextual workload data + Contextual network data
Machine Learning + Human Expertise
An approach that leverages infrastructure across any app, any cloud, and any device to protect your apps and data everywhere.
[Figure build: 258K queries; Process [ abc123xyz.exe ] is anomalous; BLOCK]
Chian Chong Wong, Specialist Solutions Engineer, Networking & Security, Southeast Asia & Korea, VMware
3 Steps to Advanced East-West Protection
Segmentation, Distributed IDS/IPS, NTA/NDR
Step 1: Segmentation and Port Blocking
[Figure: Web, App and File Server workloads in DEVELOPMENT and PRODUCTION; traffic between the two environments is DENIED]
STEP 1: Tag workload as "production" or "development"
STEP 1: Create security groups
STEP 2: Create "Environment Isolation" policy
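As an added example (not code from the slides or from VMware), the following Python models the two steps above: workloads carry tags, security groups derive their membership from those tags, and an ordered "Environment Isolation" policy is evaluated first-match against a flow. It assumes first-match, top-down rule evaluation with a default-allow fall-through, and every workload name, tag, group and rule is constructed for illustration. It also goes one step further than the slides by auditing every cross-environment flow against the policy, so a broad allow rule placed above the isolation rules is caught before publishing.

```python
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Optional, Tuple


@dataclass
class Workload:
    name: str
    tags: Dict[str, str]          # e.g. {"env": "production", "tier": "web"}


@dataclass
class Group:
    name: str
    criteria: Dict[str, str]      # every listed tag must match for membership

    def contains(self, wl: Workload) -> bool:
        return all(wl.tags.get(k) == v for k, v in self.criteria.items())


@dataclass
class Rule:
    name: str
    src: Optional[str]            # group name, None = any source
    dst: Optional[str]            # group name, None = any destination
    ports: Optional[frozenset]    # TCP ports, None = any service
    action: str                   # "ALLOW" or "DROP"


# STEP 1: tag the workloads (constructed inventory, not from any real environment)
WORKLOADS: List[Workload] = [
    Workload("web-01", {"env": "production", "tier": "web"}),
    Workload("app-01", {"env": "production", "tier": "app"}),
    Workload("file-01", {"env": "production", "tier": "file"}),
    Workload("web-dev-01", {"env": "development", "tier": "web"}),
    Workload("app-dev-01", {"env": "development", "tier": "app"}),
]

# STEP 1 (continued): security groups whose membership follows from the tags
GROUPS: Dict[str, Group] = {
    g.name: g for g in [
        Group("Production", {"env": "production"}),
        Group("Development", {"env": "development"}),
        Group("Prod-Web", {"env": "production", "tier": "web"}),
        Group("Prod-App", {"env": "production", "tier": "app"}),
        Group("Prod-File", {"env": "production", "tier": "file"}),
    ]
}

# STEP 2: ordered policy. The "Environment Isolation" rules sit above the
# per-application allow rules so they are matched first (first match wins).
POLICY: List[Rule] = [
    Rule("Dev to Prod", "Development", "Production", None, "DROP"),
    Rule("Prod to Dev", "Production", "Development", None, "DROP"),
    Rule("Web to App", "Prod-Web", "Prod-App", frozenset({8443}), "ALLOW"),
    Rule("App to File", "Prod-App", "Prod-File", frozenset({445}), "ALLOW"),
    Rule("Prod default", None, "Production", None, "DROP"),   # port blocking
]
DEFAULT_ACTION = "ALLOW"   # assumed fall-through when no rule matches


def group_members(group_name: str) -> List[str]:
    return [wl.name for wl in WORKLOADS if GROUPS[group_name].contains(wl)]


def _in_group(group_name: Optional[str], wl: Workload) -> bool:
    return group_name is None or GROUPS[group_name].contains(wl)


def evaluate(policy: List[Rule], src: Workload, dst: Workload, port: int) -> Tuple[str, str]:
    """First-match evaluation: returns (action, name of the deciding rule)."""
    for rule in policy:
        if (_in_group(rule.src, src) and _in_group(rule.dst, dst)
                and (rule.ports is None or port in rule.ports)):
            return rule.action, rule.name
    return DEFAULT_ACTION, "default"


def _by_name(name: str) -> Workload:
    return next(wl for wl in WORKLOADS if wl.name == name)


def check(src_name: str, dst_name: str, port: int, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    return evaluate(policy, _by_name(src_name), _by_name(dst_name), port)


def audit_environment_isolation(policy: List[Rule] = POLICY,
                                ports=(22, 443, 445, 8443)) -> List[Tuple[str, str, int, str]]:
    """Every cross-environment flow the ordered policy would still let through."""
    leaks = []
    for src, dst, port in product(WORKLOADS, WORKLOADS, ports):
        if src.tags["env"] != dst.tags["env"]:
            action, rule = evaluate(policy, src, dst, port)
            if action != "DROP":
                leaks.append((src.name, dst.name, port, rule))
    return leaks


# A broad allow rule published above the isolation rules: the ordering mistake
# that positioning the policy correctly is meant to prevent.
MISORDERED: List[Rule] = [Rule("Any to Web", None, "Prod-Web", frozenset({443}), "ALLOW")] + POLICY

if __name__ == "__main__":
    print("Production members:", group_members("Production"))
    print("dev app -> prod file :445 ", check("app-dev-01", "file-01", 445))
    print("prod web -> prod app :8443", check("web-01", "app-01", 8443))
    print("prod web -> prod file:445 ", check("web-01", "file-01", 445))
    print("isolation leaks (correct order):", audit_environment_isolation())
    print("isolation leaks (misordered):   ", audit_environment_isolation(MISORDERED))
```

The audit is the part worth keeping: run it against a candidate rule set before publishing, and any non-empty result is a cross-environment path that the isolation policy does not actually close.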
NSX Intelligence
NSX Intelligence: Create new recommendation
1. You can select the duration of analysis, up to 1 month. You can select to create object/IP-based firewall objects.
2. Select VMs to be included for analysis.
3., 4., 5. (screenshots of the recommendation wizard)
6. You can add/delete/copy/clone rules before publishing.
7. Position the order of the policy. Click publish to complete.
NSX Intelligence – monitoring of recommendations
[Screenshot: Monitoring enabled; Changes detected]
Features / Benefit
• Create a baseline recommendation, then let NSX Intelligence learn desired DFW policy
• Enables discovery of groups based on VM membership changes
• NSX Intelligence will generate new recommendations upon detecting changes to policy
• Can be enabled on recommendations with a status of:
– Ready to Publish
– No Recommendations Available
– Failed
Steps and Process Comparison
Traditional Segmentation Workflow: 108+ STEPS
NSX Segmentation Workflow: 7 STEPS
Ordering Westworld Season 1, Episode 2 on HBO: 7 STEPS
Source: Internal VMware Analysis, Aug 2020
3 Steps to Advanced East-West Protection: Segmentation, Distributed IDS/IPS, NTA/NDR
Step 2: Port Blocking to In-band Inspection
[Figure: Web, App, App and File Server workloads; per-hop traffic analysis; SMB port! (WannaCry signature)]
Virtual Patching with NSX Distributed IDS/IPS
[Figure: www → ADC/LB/WAF [Avi] → Web, App and File Server, each behind its own NSX Firewall]
[Figure: IDS/IPS signature scoping per workload; Finance_App, Finance_Web, Finance_Db and File Server workloads]
NOTE: Figures are approximate, for illustrative purposes only.
From ~13k signatures… to per-workload profiles (Finance_app IDPS, Apache IDS/IPS, MySQL IDS/IPS)
>80%* reduction in signatures evaluated at each IDPS engine
Per-application signature counts: Exchange 35, Apache 132, SQL Server 56, Tomcat 42
[Screenshot: enabling NSX Distributed IDS/IPS per cluster]
Cluster Name / Status / vCenter
Compute: Disabled → Enabled (vcsa-r)
Management: Disabled → Enabled (vcsa-r)
ENABLE / DISABLE
Steps and Process Comparison
Traditional IDS/IPS Deployment: ~71 STEPS
NSX IDS/IPS Deployment: 1 STEP
Turning on the Television: 1 STEP
Source: Internal VMware Analysis, Aug 2020
Tyler Chen, Senior Solutions Engineer, Networking & Security, Asia Pacific & Japan, VMware
3 Steps to Advanced East-West Protection: Segmentation, Distributed IDS/IPS, NTA/NDR
[Figure: NSX Intelligence network traffic analysis across SERVICE A, App and File Server workloads; NSX flags Suspicious Movement, Suspicious content, Suspicious process and Suspicious user]
Steps and Process Comparison
Traditional NTA Probe Deployment: 50+ STEPS
NSX NTA Probe Deployment: 0 STEPS
Ghosting Someone: 0 STEPS
Source: Internal VMware Analysis, Aug 2020
EDR + NDR = XDR
[Figure: Web, App, App, App and File Server workloads; NSX Intelligence and VMware TAU; Machine Learning + Human Expertise; 258 queries; Process [ abc123xyz.exe ] is anomalous]
Strong East-West Protection
Segmentation
Per Application Micro-segmentation
Per Hop Distributed IDS/IPS
Multi-hop Network Traffic Analysis (NTA)
Endpoint Context + Network Context = XDR
[Figure: ROI figures from an internal VMware customer study*; the percentages are not recoverable from the slide text]
Up to [figure not in slide text] OpEx Improvement – Reduction with Firewall + IDS/IPS
Up to [figure not in slide text] Reduction in CapEx – Reduction with Firewall + IDS/IPS
Among the 5 Large Firewall Vendors**
*Internal VMware Customer Study: DICE ROI and Value Modeling
**VMware is 1 of 5 enterprise firewall vendors (with greater than $500m in annual revenue) in the Forrester Now Tech: Enterprise Firewalls, Q1 2020
In Summary
Protection through intrinsic security throughout the full stack
Secure Workloads Running Within Secure Infrastructure
Every VM can have:
• Real-time workload Audit/Remediation
• Next-Gen Antivirus
• Workload EDR
• Individual firewalls
• Individual security policies
• WAF and Load Balancing
Policies can be defined based on any context:
• VM attributes
• User attributes
• Network attributes
• Application attributes
Purpose-built for Cloud Foundation to deliver a unique and comprehensive data center security solution.
Integrated with infrastructure:
• Multi-layer security
• Protection for infrastructure and workloads
Intrinsic Security: VMware's Differentiated Approach
Built-in: Security built-in to the distributed infrastructure from endpoint to cloud
Unified: Unified across disparate security tools and teams working together
Context-centric: Understanding the applications and data you are trying to secure
Advanced Security Services to Protect Applications
Security Beyond the Infrastructure
Storage: Data at rest encryption, Cluster-level key management, Hardware agnostic, Erasure Coding
Compute: VM-level encryption, Encrypted vMotion, Multi-factor authentication, TPM / vTPM 2.0 + VBS
Management: Governance, Compliance, Container registry services, vSphere Trust Authority
Network: Micro-segmentation, VPN, Secure end user, Multi-Cloud Security
Products shown: VMware Cloud Foundation, NSX Advanced Load Balancer, Carbon Black Cloud, NSX Distributed IDS/IPS
Complete Survey Form
We value your feedback. Please scan the QR code or enter the URL below to complete the survey form.
https://bit.ly/3qk4QZv