NET3389BUS: Integrating Threat Defense Lifecycle Security Services with VMware NSX

Amit Chakrabarty Jeremiah Cornelius NET3389BUS #VMworld #NET3389BUS Integrating Threat Defense Lifecycle Security Services with VMware NSX VMworld 2017 Content: Not for publication or distribution


Post on 17-Jun-2018


TRANSCRIPT

Page 1: NET3389BUS Integrating Threat Defense Lifecycle or ... · Integrating Threat Defense Lifecycle Security Services with ... •This overview of new technology represents no commitment

Amit Chakrabarty Jeremiah Cornelius

NET3389BUS

#VMworld #NET3389BUS

Integrating Threat Defense Lifecycle Security Services with VMware NSX


Page 2:

Disclaimer

• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.

#NET3389BUS CONFIDENTIAL

Page 3:

Agenda

1. NSX at the heart of VMware cloud vision
2. Threat Defense Terrain
3. McAfee Cloud Security

Page 4:

Intel Confidential / McAfee Confidential

Disclaimer

The information contained in this document is for informational purposes only and should not be deemed an offer by Intel Security or create an obligation on McAfee. McAfee reserves the right to discontinue products at any time, add or subtract features or functionality, or modify its products, at its sole discretion, without notice and without incurring further obligations.

Page 5:

Forecast ahead: Growing clouds on the horizon

Analysts predict increasing cloud adoption

• $236B: Public cloud market by 2020, up from $146B in 2017 – Forrester *1
• 37%: Projected growth for IaaS market in 2017, the highest for cloud services – Gartner *2
• 80% of organizations committed to hybrid architectures by 2018 – IDC *3

Speed is the new currency

This can feel like an incredible opportunity. To get there, partner technologies need to be ready.

1. “The Public Cloud Services Market Will Grow Rapidly To $236 Billion in 2020”. Forrester. September 1, 2016.
2. http://www.gartner.com/newsroom/id/3616417
3. “Enterprise Adoption Driving Strong Growth of Public Cloud Infrastructure as a Service, According to IDC.” Press release. IDC. July 14, 2016.

Page 6:

PRIVATE CLOUD WORLD BENEFITS

• Your teams, tools & skills investments
• Fine-tuned to run your applications
• Governed by you

PUBLIC CLOUD WORLD BENEFITS

• Consumption economics
• Unique services
• Scale and reach

CAN REQUIREMENTS BE MET ACROSS BOTH WORLDS?

• Operational Consistency
• Existing Skillsets & Tools
• Control, Manage, Secure
• Enterprise-class App SLA
• Compatibility with Apps

NOT ALWAYS, AND NOT EASILY.

Page 7:

Providing Operational Consistency, while Leveraging Existing Skill-Sets and Tools Across Their IT Environment

• Operational Consistency
• Existing Skillsets & Tools
• Control, Manage, Secure
• Enterprise-class App SLA
• Compatibility with Apps

Page 8:

We are Bringing our Leading Capabilities Together to Deliver a Truly Compelling and Differentiated Solution

• Leading compute, storage and network virtualization capabilities
• Support for broad range of workloads
• De-facto standard for the enterprise DC

+

• Flexible consumption economics
• Broadest set of cloud services
• Global scale and reach

Chasm

Jointly engineered solution delivers the best of VMware and AWS for customers

Page 9:

Making the Hybrid Cloud Real

Extend Cloud Foundation into the public cloud and consume as a service

VMware Cloud Foundation: vSphere, NSX, vSAN

Delivered as a service

YOUR INFRASTRUCTURE: Owned
OTHERS’ INFRASTRUCTURE: Operated

Private cloud | Public cloud

Page 10:

…Enabling Powerful Hybrid Use-Cases

Scenario 1: Maintain and Expand
• Regional Capacity
• Disaster Recovery

Scenario 2: Consolidate and Migrate
• Data Center Consolidation
• Application Migration

Scenario 3: Workload Flexibility (Flex as needed)
• Dev/Test
• Burst Capacity

Customer Can Decide Strategically across On-Prem DC and Cloud

Page 11:

Unmatched Flexibility & Choice for “Business First”

Location: VMware Data Centers | AWS Global Regions | IBM Data Centers | vCAN Partner Data Centers

Sales and Operations: VMware Operated | VMware Operated | IBM Operated | vCAN Partner Operated

Cloud infrastructure: VMware Cloud Foundation | VMware SDDC

vCloud Air | Cloud on AWS

Introducing

• Access to hybrid IT services like Hybrid Cloud Manager, Advanced Networking and DR Services
• Access to AWS Services like S3, Redshift, CloudFront
• Access to IBM Managed Services, 30 data center locations
• Access to over 4,000 service provider partners in 100+ countries to meet data sovereignty needs

Cloud Management: vRealize Suite

Page 12:

The goals haven’t changed…

Focus on the app (APP)

• Security of applications and data
• Speed of delivery
• Application availability

…but everything else has

• Changes in threat landscape: Attack Sophistication | Persistent Threats | Weaponization of Cyberspace
• Changes in application architectures: Containerization | Microservices | PaaS
• Changes to infrastructure: Convergence | Private Cloud | Public Cloud

Page 13:

What’s the Big Deal in the Datacenter?

Page 14:

What’s the Big Deal in the Datacenter?

Page 15:

What Do We Need?

Visibility | Control | Extensibility

Common Policy

Lifecycle Management and Automation

Page 16:

Step 1. Gain Visibility

[Diagram labels: APP, SERVICES, SHARED SERVICES, OTHER]

Page 17:

Step 2. Deploy Granular Controls

[Diagram labels: APP, SERVICES, SHARED SERVICES, OTHER]

Page 18:

Step 3. Insert Best-of-breed Services

[Diagram labels: APP, SERVICES, SHARED SERVICES, OTHER; AV, IPS, NGFW]

Page 19:

What Is a Software-Defined Data Center (SDDC)?

Software (data center virtualization layer)
• Intelligence in software
• Operational model of VM for data center
• Automated provisioning and configuration

Hardware
• Pooled compute, network, and storage capacity
• Vendor independent, best price/performance/service
• Simplified configuration and management

Page 20:

Provides

A faithful reproduction of network and security services in software

• Management APIs, UI
• Switching
• Routing
• Firewalling
• Load balancing
• VPN
• Connectivity to physical networks
• Policies, groups, tags
• Data security
• Activity monitoring

Page 21:

NSX Security Platform

• Visibility: Datacenter, application and host
• Control: Context-driven policy definition and enforcement
• Extensibility: Enhanced capabilities through integration with best-of-breed partners

Common Policy

Lifecycle Management and Automation

Page 22:

NSX Value Proposition

Network virtualization is at the core of the software-defined data center approach

[Diagram labels: Virtualization layer; Network, storage, compute]

Page 23:

The Next-generation Networking Model

Network and security services now in the hypervisor

• Switching
• Routing
• Firewalling/ACLs
• Load balancing

High throughput rates

East-west firewalling

Native platform capability

Page 24:

NSX Value Proposition

[Diagram labels: Virtual networks; “Network platform”; Virtualization layer; Network, storage, compute]

Page 25:

NSX Security Platform

• Visibility: Datacenter, application and host
• Control: Context-driven policy definition and enforcement
• Extensibility: Enhanced capabilities through integration with best-of-breed partners

Common Policy

Lifecycle Management and Automation

Back to extensibility and service insertion

Page 26:

Network Introspection: Packet Flow

• NSX Firewall installs a dvFilter on Guest VM vNIC
• Packet emerging from Guest VM is redirected to Service VM
• Service VM inspects packet and applies Security Policy
• Packet is forwarded to the virtual switch
• Rules to re-direct traffic to the Service VM are configured in NSX
• Partner Service VM is deployed and connected to NSX Firewall

[Diagram labels: Hypervisor; Virtual Switch; NSX Distributed Firewall; Filter; Re-direct]

Page 27:

Advanced Security for High Risk Applications

• Advanced security based on risk/compliance requirements
• Grouping based on network constructs/vCenter/NSX objects
• Automated policy application for new workloads
• Granular redirection policy based on multiple parameters
• Redirect “Confidential” and Web Server traffic

Tiers: Tier 1: Confidential | Tier 2: Internal | Tier 3: Public | Tier 4: Non-Prod.

Workloads: Web Server | App Server | DB Server

SRC | DST | Service | Action
ANY | TIER1 | ANY | Redirect
TIER1 | ANY | ANY | Redirect

SRC | DST | Service | Action
ANY | WEB-Server | ANY | Redirect
Web-Server | ANY | ANY | Redirect
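The redirection tables and packet flow from the two slides above, modelled as an added Python example (not code from the presentation or from NSX). Group names come from the slide; the inventory, the first-match evaluation order and every function name are assumptions. The last function lists flows that touch a protected group yet would bypass the service VM, which shows why each table carries one row per direction.

```python
from dataclasses import dataclass
from itertools import permutations

ANY = "ANY"


@dataclass(frozen=True)
class Workload:
    name: str
    groups: frozenset  # group membership, resolved when the flow is evaluated


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    service: str
    action: str


# The four rows of the slide's two tables (group names upper-cased).
SLIDE_RULES = [
    Rule(ANY, "TIER1", ANY, "Redirect"),
    Rule("TIER1", ANY, ANY, "Redirect"),
    Rule(ANY, "WEB-SERVER", ANY, "Redirect"),
    Rule("WEB-SERVER", ANY, ANY, "Redirect"),
]

# Constructed inventory: names and tier assignments are illustrative only.
INVENTORY = [
    Workload("web-01", frozenset({"TIER3", "WEB-SERVER"})),
    Workload("app-01", frozenset({"TIER2"})),
    Workload("db-01", frozenset({"TIER1"})),
    Workload("test-01", frozenset({"TIER4"})),
]


def in_group(workload, group):
    return group == ANY or group in workload.groups


def first_match(rules, src, dst, service):
    """First rule matching the flow, or None (first-match order is an assumption)."""
    for rule in rules:
        if (in_group(src, rule.src) and in_group(dst, rule.dst)
                and rule.service in (ANY, service)):
            return rule
    return None


def packet_path(rules, src, dst, service):
    """Hops for a packet leaving src, following the packet-flow slide."""
    hops = [f"filter on {src.name} vNIC"]
    rule = first_match(rules, src, dst, service)
    if rule is not None and rule.action == "Redirect":
        hops.append("service VM: inspect and apply security policy")
    hops.append("virtual switch")
    return hops


def uninspected_flows(rules, inventory, group, service="tcp/443"):
    """Flows touching `group` that no rule redirects: gaps for a reviewer."""
    gaps = []
    for src, dst in permutations(inventory, 2):
        touches = group in src.groups or group in dst.groups
        if touches and first_match(rules, src, dst, service) is None:
            gaps.append((src.name, dst.name))
    return gaps


if __name__ == "__main__":
    web, app, db, test = INVENTORY
    print(packet_path(SLIDE_RULES, app, db, "tcp/3306"))   # redirected
    print(packet_path(SLIDE_RULES, app, test, "tcp/22"))   # not redirected
    # A workload added later is covered by group membership alone.
    db2 = Workload("db-02", frozenset({"TIER1"}))
    print(packet_path(SLIDE_RULES, db2, app, "tcp/443"))
    # Dropping the TIER1-as-source row leaves outbound Tier 1 traffic unseen.
    inbound_only = [SLIDE_RULES[0]]
    print(uninspected_flows(inbound_only, INVENTORY, "TIER1"))
```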

Page 28:

NSX Guest Introspection Strikes Balance between Context and Isolation

Ubiquity | Isolation | Context

• Ecosystem of Distributed Services
• Core Services Built Into Hypervisor Kernel: Switching, Routing, Firewalling
• better security through insight
• fine-grained containment

Page 29:

Legacy Data Center to Virtual + Cloud

Connected World

Page 30:

Threat Landscape – Crime & War

• FBI reports that “hackers linked to Anonymous accessed and stole sensitive US government information”
• Anthem Health hacked for ~80 million names, birthdays, social security numbers, street addresses, …
• Hacking and Influence in the U.S. Election

Page 31:

MCAFEE CONFIDENTIAL

Data Center and Cloud Defense

Page 32:

Current Threat Landscape Realities

• Time to Compromise: Minutes
• Time to Discover: Years - Months
• Time to Recover: Months - Weeks
• Minimal Adversarial Effort
• Overwhelmed Security Teams
• $$$ Catastrophic Impact $$$

Page 33:

Business and Security Outcomes

• Time to Compromise: Months
• Time to Discover: Hours
• Time to Recover: Minutes
• Significant Adversarial Effort
• Optimized Security Teams
• $ Minimized Impact $

Page 34:

Top 3 Concerns for Securing Hybrid Infrastructures

• How do I detect breaches including advanced targeted attacks?
• How do I gain visibility into all workloads including off-premises?
• How can I solve the overall complexity and efficiency issue?

Security is now a boardroom discussion

CIOs and CISOs are getting more scrutiny from the C-suite

Page 35:

Visibility

Page 36:

Challenge

Visibility into all workloads, on-premises & off-premises

Desired Outcome

Security visibility across physical & virtual infrastructure, on-premises & off-premises

Page 37:

Comprehensive Visibility

McAfee provides VISIBILITY of security posture for hybrid cloud infrastructures

• Across private and public clouds
• Across local and global threat intelligence

Source: Verizon 2015 Data Breach Investigations Report

Page 38:

Reality of Shadow IT

>82% of companies don’t know scope of shadow IT at their organization

Source: Cloud Adoption Practices & Priorities Survey, January 2015

Page 39:

Instant Discovery and Control

Automatically discover your virtual & physical machines

Show location of virtual machines
▪ Cloud Workload Discovery for Amazon Web Services (AWS), Microsoft Azure, VMware vSphere, and OpenStack

Simplify management with scan reports

Find unprotected endpoints

Determine security compliance

View OS memory protection

Page 40:

Innovations in server security

McAfee Server Security Suite Advanced

Cloud Workload Discovery
▪ Discovery for networks and storage – not only virtual machines
▪ Workload discovery across multi-cloud environments, with central management console

Page 41:

Visibility

How do I get visibility on workloads running across multi-cloud environment?


Page 43:

Cloud Workload Discovery for Hybrid Clouds

Deep visibility, detailed security posture assessment, and fast remediation

• Discover cloud infrastructure: Compute | Storage | Network
• Monitor and assess for risk and threats

Benefits
▪ Assess end-to-end security posture (workloads and platforms)
▪ Protect workloads across all private and public clouds
▪ Maintain regulatory compliance

McAfee ePolicy Orchestrator or DevOps Tools

Page 44:

McAfee Database Security

Feature | Benefit

Discover
▪ Discover database instance workloads across the environment
▪ Discover sensitive and classified data
▪ Discover high-privileged accounts

Assess
▪ Assess databases security posture with over 5,000 database-specific checks
▪ Evaluate risk across all known threat vectors

Page 45:

McAfee vNSP + NSX Integration

Page 46:

April 2017, NSBU | McAfee Restricted

Workflow of Software Defined Security

Native Integration with VMware NSX 6.3/vSphere 6.5

[Diagram labels: Security administrator; Infrastructure administrator; Security management; McAfee Network Security Manager; Security orchestration; Intel® Security Controller; Virtualization Management; SDN Controller; VMM and VSF (three hosts); Bulk, dynamic provisioning and policy updates; Attacks detected & blocked; Alerts; Quarantine VM (Security Response API); Quarantine action; Quarantine]

Page 47:

Deployment Architecture: Protecting workloads on VMware NSX

[Diagram labels: Management Infrastructure; Virtual Workloads; ESX, ESX1, ESX2, ESX3; ISC, NSM, vIPS; Tools; VMware NSX]

Page 48:

Available on VMware Solution Exchange

NSX – 6.3x

Page 49:

McAfee MOVE AntiVirus for Private Clouds: Windows and Linux virtual machines

Deployment options: Agentless (VMware) | Multiplatform (any hypervisor)

[Diagram labels: McAfee ePO (Unified Policy Management); MOVE SVM Manager; NSX/vCNS Manager; VMware vSphere; VMware NSX or vCNS Endpoint; MOVE SVM; VM, VMtools; VM, MOVE; Virtual Infrastructure]

Page 50:

Use Case North/South

[Diagram labels: Availability Zone #1 and Availability Zone #2, each with a security group and a McAfee Virtual Network Sensor; Cloud Workload Security; Controller; Network Security Platform; Network Security Manager; Admin; VPC peering; Internet gateway; Internet; Elastic Load Balancing; VPC Flow-logs; Cloudtrail; AWS Inspector; On-Premises; NS Series Sensors; McAfee Virtual Network Sensor; customer gateway; VPN]
