nsx 9 core use cases
TRANSCRIPT
© 2015 VMware Inc. All rights reserved.
NSX Core Use Cases: Secure & Scale Beyond the Network.
Today’s Network / Security Paradigm.
Why Are We Still at Risk?
• Little or no lateral controls inside the perimeter.
• Low priority systems are targeted first.
• Attackers can move freely around the data center.
• Attackers then gather and exfiltrate data over weeks or even months.
(Diagram: Internet and Data Center Perimeter.)
Today’s Network / Security Paradigm.
It’s Not Just Servers, but Users and the Controls. …and controls make it even harder to manage.
• VDI to VDI: desktop-to-desktop hacking inside the DC
• VDI to VM: desktop-to-server hacking inside the DC
Bringing desktops into the data center opens up new risks for attack.
And a matrix of policies is needed on centralized, choke-point firewalls for the correct security posture.
(Diagram: Desktops and Servers grouped into Finance, HR and Engineering.)
Security. Secure holistically from the Datacenter, to the VM, to the Network and beyond.
1. Datacenter Security
(Diagram: Internet, DMZ and Data Center Perimeter.)
• Micro-segmentation allows each machine to retain its own hypervisor-level firewall.
• Attackers can no longer move freely once access to the datacenter is gained.
• Virtual machines retain their firewall security as they migrate, ensuring portability and security retention.
• The firewall is outside the scope of the VM, ensuring attackers are unable to compromise it from within the VM.
2. Virtual Machine Security
• Firewall and filter traffic for VMs based upon logical groupings, or based upon provisioning for VDI
• Threats to the datacenter from user interaction are eliminated through micro-segmentation
• Service-chaining with AV and NGFW partners delivers automated, policy-integrated AV/malware protection, IPS/IDS, etc.
(Diagram: VDI desktops and Finance, Marketing, HR and Engineering groups.)
• The attack surface increases when all machines are consolidated into a single infrastructure
• VDI deployments increase complexity for security due to user interaction and internal access of trusted resources.
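To make the micro-segmentation model of the last two slides concrete, here is a small Python model, added to this transcript and not VMware code, of a per-VM firewall whose rules match on logical security groups rather than on IP addresses, choke-point position or the host a VM runs on. Group names, hosts, ports and rules are constructed examples.

```python
from dataclasses import dataclass, field


@dataclass
class VM:
    name: str
    host: str                      # hypervisor the VM currently runs on
    groups: set = field(default_factory=set)  # logical security groups (tags)


@dataclass
class Rule:
    src: str     # source security group
    dst: str     # destination security group
    port: int    # 0 means any port
    action: str  # "allow" or "drop"


# Constructed sample policy. Rules reference logical groups only, so the
# same policy applies whether the two VMs sit on one host or on different ones.
POLICY = [
    Rule("VDI-Finance", "Finance-Web", 443, "allow"),   # finance desktops may use the finance web tier
    Rule("Finance-Web", "Finance-DB", 3306, "allow"),   # web tier may reach its database
    Rule("VDI", "VDI", 0, "drop"),                      # no desktop-to-desktop traffic
    Rule("VDI", "Servers", 0, "drop"),                  # no other desktop-to-server traffic
]
DEFAULT_ACTION = "drop"   # anything not explicitly allowed is dropped


def evaluate(src: VM, dst: VM, port: int) -> str:
    """First matching rule wins. The check is done at the source VM's vNIC in the
    hypervisor, so it does not depend on where the packet would be routed."""
    for r in POLICY:
        if r.src in src.groups and r.dst in dst.groups and r.port in (0, port):
            return r.action
    return DEFAULT_ACTION


def migrate(vm: VM, new_host: str) -> VM:
    """vMotion-style move: only the host changes, the VM's groups (and so its
    effective firewall policy) travel with it."""
    vm.host = new_host
    return vm


def allowed_pairs(vms: list, port: int) -> set:
    """Every (source, destination) name pair that the policy permits on `port`.
    Useful as a quick audit of the lateral paths a policy still leaves open."""
    return {(a.name, b.name) for a in vms for b in vms
            if a is not b and evaluate(a, b, port) == "allow"}
```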
3. Mobile Device Security
• Mobile devices gain access to infrastructure resources through mobile applications
• Users cannot discern which data they’re interacting with, and datacenter controls cannot programmatically enforce control over it
• Administration can granularly control which data streams are secured
• Control can be applied per device, per user/group or based upon business case or point of access, etc.
• NSX and AirWatch together can address the issue of "overprovisioning," in which users get access to more apps and data than they need to do their jobs
Scale & Elasticity. Create the ability to scale and shrink as needed, while not compromising security.
4. IT Automation
IT automating IT
• Faster project onboarding
Elastic Services
• Streamline security enforcement
• Mergers & acquisitions
Developer cloud
• Leverage vSphere investment
• Faster application development
• Brings power of cloud on-prem
Multi-tenant infrastructure
• Robust security to isolate each tenant organization
• Multi-tenancy for legacy apps
Switching
Routing
Load Balancing
Connectivity to Physical Networks
Firewalling
VPN
Data Security
Activity Monitoring
5. Developer Clouds
• NSX can be used in a DevOps model, setting up developer environments through APIs quickly.
• Using libnetwork, containers can leverage strong, granular security in real time.
• libnetwork is a community supported framework that enables Docker plugin models and has been endorsed by the networking community
• Containers all share the same kernel. If a contained application is hijacked with a privilege escalation vulnerability, all running containers and the host are compromised.
• Since containers are effectively managed by the kernel, a kernel-level exploit can compromise the applications running inside containers
6. Multi-Tenant Infrastructure
• NSX provides isolation between different groups within an organization, or different tenants
• Some companies need isolation but may also want overlapping IP addresses for multitenancy, or for going from development and testing into production, and NSX can provide this
• NSX integrates directly into VMware’s vRealize Automation platform, allowing for self service creation of secure, scalable networks across tenants and platforms
(Diagram: a row of hypervisors, each with its own vSwitch.)
7. Disaster Recovery
• NSX plays a big role in disaster recovery scenarios, ensuring that networking and security configurations are kept in place when a failure occurs and workloads have to be moved across data centers
• NSX can also ensure that firewalls and networking constructs are protected to provide ease of recovery and solidity of business continuity
(Diagram: SRM-based Disaster Recovery. Data Center 1 (Primary, vCenter A / SRM A) and Data Center 2 (Secondary, vCenter B / SRM B) are joined by a Universal Logical Switch; the Prod_Web_V110, Prod_Web_V120 and Prod_Web_V130 networks have implicit mappings between the two sites.)
8. Hybrid Networking Services
• NSX is a key enabling technology for moving workloads between different clouds
• NSX is also part of VMware's "cross-cloud vMotion" technology, which allows running virtual machines to be moved from a private cloud to a public cloud.
(Diagram: VMs connected across clouds via L2 Extensions.)
9. Metro Pooling
• NSX makes it possible for customers to run virtual data centers in which compute, storage and networking are all driven through the hypervisor. Admins can use NSX to create pools of resources, each with their own distinct service level agreements and quality of service rules, which is core to the cloud computing model.
• NSX lets customers run an app in multiple data centers with Layer 2 stretched across them