security with vmware nsx data center
TRANSCRIPT
Confidential │ ©2019 VMware, Inc.
Security with VMware NSX Data Center
Brian Wilson
SLED SEM SDDC East
25 February 2020
“In short, software is eating the world.”
Marc Andreessen
General Partner, Andreessen Horowitz and Netscape co-founder
ESX
NSX Evolution
BRANCH
DC
EDGE/IOT
PUBLIC CLOUD
PRIVATE CLOUD
vSphere
NSX Evolution
Virtual Cloud Network
Tied Together. Everywhere.
[Diagram labels: vSphere, BRANCH, DC, EDGE/IOT, TELCO/NFV]
vRNI
CLEAR VISIBILITY
Virtual Machines | Containers | Bare Metal
VCN
VMware NSX Portfolio
The Foundation of the Virtual Cloud Network
NETWORK AND SECURITY VIRTUALIZATION
Security Integration Extensibility Automation Elasticity
NETWORKING AND SECURITY MANAGEMENT AND AUTOMATION
vRealize Automation: End-to-end workload automation
Network Insight: Network discovery and insights
Cloud-Based Management Workflow Automation Blueprints / Templates Insights / Discovery Visibility
AppDefense: Modern application security
NSX SD-WAN by VeloCloud: WAN connectivity services
NSX Data Center: Networking and security for data center workloads
NSX Cloud: Networking and security for Public Cloud workloads
NSX Hybrid Connect: Data center and cloud workload migration
NSX Intelligence: Security Analytics
How does VMware NSX Data Center deliver on the promise of network virtualization?
The Data Center Networking Challenge
There Has Been a Lot of Innovation and Virtualization in the Data Center
Except for one area…
Compute Storage Networking
The Data Center Networking Challenge
The Lack of Networking Virtualization is Holding Back Your Ability to…
Keep up with the pace of business
Secure your data centers
Control cost
Compute Storage Networking
From Data Centers to Centers of Data
IOT / BRANCH
CLOUD
SaaS
PaaS IaaS DATA CENTER
SECURITY AND CONTROL
NSX Data Center
DATA CENTER
Virtualization Layer
NSX Platform
Physical Infrastructure
Hypervisor
NSX Data Center
DATA CENTER
Virtualization Layer
NSX Platform
Workloads
vSwitch
NSX Data Center & NSX Cloud
DATA CENTER CLOUD
vSwitch
Native Clouds
VMware Clouds
Networking in the Multi-Cloud Era
First & only network & security platform across all apps, sites, and clouds. VM, Container, Physical, Private, Public
Network Infrastructure as Code
Ops. Simple. Consistent.
Cloud Scale Platform
Intrinsic Security
Bare-metal | VMs | VMware Cloud | Public Cloud | Physical Switching | Outposts | Containers
Ops. Simple. Consistent.
The simplest way to run your network
Bare-metal | VMs | VMware Cloud | Public Cloud | Physical Switching | Outposts | Containers
Day 0: Install in one click
Day 1: Guided configuration with end-to-end network visibility
Day 2: UI built for anyone to run the network
In one place, wherever your app runs
Intrinsic Security | Network Infrastructure as Code | Ops. Simple. Consistent. | Cloud Scale Platform
Cloud-Scale Platform, for Anyone
From Four Hosts
• Install in one click
• Guided configuration with end-to-end network visibility
• UI built for anyone to run the network
To A Thousand Hosts
• Hardware Accelerated Performance (DPDK) on distributed, centralized, and bare-metal network services
• Carrier-Grade Networking at Scale: thousands of hosts, multi-tenant, IPv6
• Resilient: new clustered distributed platform, iBGP, Inter-SR, Multipath AS, BFD convergence
Intrinsic Security
Baremetal | VMs | VMC on AWS | Public Clouds, AWS, Azure | Containers
Micro-segmentation
Zone Firewalling
Realtime visibility
Net-Sec Analytics
Data Center Branch VMC Cloud
Unified Management Plane
Layer 4-7
Edge appliance
URL Classification
Layer 4-7
Identity Firewalling
URL Whitelisting
Endpoint Protection
What’s New in NSX-T 2.5
Advanced Analytics & Visibility, Multi-Cloud & Security
Analytics & Visibility
Flow-based analytics and visibility for VMs and containers
Multi-Cloud Security
Flexible bimodal cloud policy enforcement
Extended Security
Extended L7, service insertion, and VPN capabilities
Operational Simplicity
Simplified Firewall Operations and Capacity monitoring
Enhanced Compliance
FIPS 140-2 Compliance and Reporting
NSX Data Center Use Cases
Security Multi-Cloud Networking
Automation Cloud-Native Apps
Our Security Realities
When Threats Breach the Perimeter, It’s Hard to Stop Lateral Spread
Low priority systems are often targeted first
Attackers can move freely around the data center
Attackers then gather and exfiltrate the valuable data
Network Perimeter
Internet
What If You Could…
Build in Zero Trust at the Most Granular Level of the Data Center?
Every Workload can have:
Individual firewalls
Individual security policies
Policies can be defined based on any context
VM attributes
Network attributes
Application attributes
PCI Scope
Network Perimeter
Challenges with Traditional Network Operations Tools
Traditional network management tools are inadequate for modern virtual networks and multi-cloud environments
Siloed, Complex Tools
New, Dynamic Environment
Operational visibility, control, and compliance are challenging
NetFlow Analyzers
Packet-Capture Solutions
Network Management Tools
Lack end-to-end troubleshooting
Not scalable, lack security perspective
Lack visibility into virtual network and security infra
Limited Visibility
VMware Network Insight
Accelerate application security and networking across private, public, and hybrid clouds
Use Cases
Plan Application Security and Migration
• Accelerate micro-segmentation deployment
• Troubleshoot security for SDDC, native AWS, and hybrid applications
• Minimize business risk during application migration
Optimize and Troubleshoot Virtual and Physical Networks
• Reduce mean time to resolution for application-connectivity issues
• Optimize application performance by eliminating network bottlenecks
• Audit network and security changes over time
Manage and Scale NSX
• Scale across multiple NSX managers
• Boost uptime by proactively detecting misconfiguration errors
• Ensure compliance for NSX
Visualization
Interfaces
NSX Intelligence
A powerful Network and Security Analytics platform
Intelligent Policy Formulation
Security Analytics
Network Analytics
( … )
NSX Intelligence Platform
Distributed Analytics Single Pass Inline Processing Layer 2 to Layer 7
(…)
vRealize Network Insight
3rd party Threat Intelligence
“I can’t overstate how much easier it is with NSX-T to ensure that all the environments with cardholder data are segmented into their own little section of the network.”
Nesta Campbell
Senior Systems Administrator
The SDDC Is Not Fully Automated
Networking & Security are often manual, causing bottlenecks
Networking and security are manual, slow, error-prone
Deploying and moving apps has significant time and resource costs
Decommissioning apps is highly labor intensive
Minutes
Multiple days
Minutes
Any updates restart the process again
Networking | Package Deployment | Compute | Monitoring | Security | Storage
Automated Networking & Security
Completes the Vision of the SDDC
Networking and security handled in software
App services can be blueprinted and consumed in self-service portals
Blueprinted policies follow apps throughout lifecycle
Minutes
Networking | Package Deployment | Compute | Monitoring | Security | Storage
NSX Data Center
vRealize Automation
Blueprints
NSX for Cloud-Native Apps
Cloud-Native Network Services Platform for Cloud-Native Apps
Enterprise-grade networking & security for containers
Automated with platform integration, architected in as part of developer workflow
Consistent policy across traditional & cloud-native apps
Microservices visibility, connectivity, security & load balancing
On-Premises – vSphere, Bare-metal and KVM
Business App 2 / LOB 2
CF K8s
Business App 1 / LOB 1
CF K8s
NSX Platform
Multi-Cloud Challenges
The result of organizational silos
Manual Process
Private Cloud Public Cloud Public Cloud Public Cloud
Security Policies
Security Policies
Security Policies
Security Policies
Ready for the future
Reinvent Wide Area Networking (WAN)
Reinvent security
Expand the network
Value from the network
Rethink networking
Software-Defined Data Center
Nicira
Insights
Automation
Multi-Cloud and Multi-Hypervisor
App Security
Connectivity and Hybridity
Network Virtualization
NSX
Network Insight (Arkin)
vRealize Automation
NSX-T
AppDefense
Micro-Segmentation
vSphere Distributed Switch
NSX SD-WAN by VeloCloud
NSX Hybrid Connect
Container Frameworks Pivotal Container Service (PKS)
Public Cloud AWS, IBM and Azure
Virtual Cloud Network
VMware Advancing Business Transformation with Networking and Security in Software
Driving value with our NSX partner ecosystem
Cloud Network Infrastructure
Networking & Security Services
Orchestration & Management
HCI Platforms
vSAN Ready Node
BARE METAL
vRealize Automation
vCloud Director
vRealize Orchestrator VIO
Network Insight
Log Insight
VMware Networking Customer and Partner Momentum
Approaching 10,000 NSX customers
Broad Adoption: Small-to-large enterprises across all verticals
82% of the Fortune 100 run NSX
70% Fortune Global 500 Telcos
You don’t need to go it alone. VMware is here to help you every step of the way.
We’ve helped thousands of organizations succeed with NSX through
Professional Services
Training
VMUG community
Where to Get Started
Join the NSX VMUG Community: vmug.com/nsx
Connect with your Peers: communities.vmware.com
Embrace the NSX Mindset: nsxmindset.com
Find NSX Resources: vmware.com/go/networking
Read the Network Virtualization Blog: blogs.vmware.com/networkvirtualization
Free Hands-on Labs
Test drive NSX with expert-led or self-paced hands-on labs: labs.hol.vmware.com
VMware Education - Training and Certification: vmware.com/go/nsxtraining
Free NSX Training on Coursera: vmware.com/go/coursera
Engage and Learn
Try
Take
Thank You