NSX Keynote session from the Scottish VMUG event in Glasgow on the 22nd April, 2016.
Key theme is a discussion on how security "blind spots" can occur through the adoption of new compute models, further highlighting the necessity for the industry to have a platform which provides the virtues of micro-segmentation and a zero trust model, irrespective of the technology being used to host modern applications.
Andy Kennedy - Scottish VMUG April 2016
1. From untrust to zero trust… Securing what comes next for the SDDC
Scottish VMUG, April 2016
Andy Kennedy (@packetdiscards)
Networking & Security Business Unit, EMEA
+44 7766 250030
akennedy@vmware.com
2. Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
11. 3rd Platform Enables New Types of Apps in the Mobile-Cloud Era
[Diagram: three application stacks side by side, each labelled with an Operations team and an App Team]
• 1st Platform (Servers): Hardware / OS / Application
• 2nd Platform (Virtualization): x86 / OS / Application
• 3rd Platform (Cloud): x86 / Linux / Application
12. Major NSX use cases
• Security: Intra-Datacenter Micro-Segmentation; DMZ Anywhere; Secure User Environments
• Agility: IT Automating IT; Developer Clouds; Multi-tenant Infrastructure
• Application Continuity: Disaster Recovery; Metro Pooling; Hybrid Cloud Networking
20. The challenge of topology driven security in the SDDC
[Diagram: centralized firewalls sitting between the Internet and the workloads]
• Create firewall rules before provisioning
• Update firewall rules when moving or changing
• Delete firewall rules when app decommissioned
• Problem increases with more east-west traffic
21. How an SDDC Approach Makes Micro-segmentation Feasible
[Diagram: security policy driven from the Cloud Management Platform, with perimeter firewalls at the Internet edge]
22. Creating a zero trust model
Stages: Isolation; Explicit allow comm.; Secure communications; Structured secure comms.
And align your controls to what you are protecting
[Diagram labels: NGFW, IPS, WAF, "Allow HTTPS"]
29. Docker libnetwork – Options
– Bridge: Implements a way to configure new networks as isolated L2 bridges on single Docker hosts. The scope is ‘local’.
– Overlay: Implements VXLAN based overlay networking to create L2 segments to attach containers running on multiple Docker Hosts.
– Remote: Implements an API to externalize network functions to 3rd party vendor / solutions.
[Diagram: Bridge Networking; Multi-Host (Overlay) Driver; Remote (Vendor) Driver]
30. Docker libnetwork – The Container Network Model (CNM)
• Sandbox
– A Sandbox contains the configuration of a container's network stack. This includes management of the container's interfaces, routing table and DNS settings. An implementation of a Sandbox could be a Linux Network Namespace, a FreeBSD Jail or other similar concept.
• Endpoint
– An Endpoint joins a Sandbox to a Network. An implementation of an Endpoint could be a veth pair, an Open vSwitch internal port or similar.
• Network
– A Network is a group of Endpoints that are able to communicate with each other directly. An implementation of a Network could be a VXLAN Segment, a Linux bridge, a VLAN, etc.
Source: https://github.com/docker/libnetwork/blob/master/docs/design.md
[Diagram: containers attached to a Bridge, with a G/w to the External network]
31. Containers – do we still need a Hypervisor?
Privilege escalation can lead to container host compromise
[Diagram: Internet-facing Website containers (Port 80) alongside Vault and Database containers on the Internal network, marked Confidential Information]
32. Containers – do we still need a Hypervisor?
Lack of isolation allows an attacker to move around
[Diagram: the same Website, Vault and Database containers, with the Internal network and Confidential Information now reachable from the Internet-facing Website containers]
33. Containers – do we still need a Hypervisor?
NSX provides segmentation, visibility and integration
[Diagram: Website, Vault and Database containers on the Physical Network Infrastructure in the Datacenter, with Micro-segmentation between them, a Honey Pot and Vulnerability Scanner, and an Alert on any Connection to the data center]
38. Benefits of NSX and containers
Micro-segmentation
• Micro-segmentation to establish clear boundaries
• Stop compromises at container or application level
• Central visibility into connectivity across the data center
Alert
• Per-flow tracking
• Alerts for suspicious behavior
• Virtual taps at a per-container level
Connection to data center
• Integration with the rest of your IT infrastructure
• Monitoring, incident response, forensics
• Access to databases, backup, system updates
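The zero trust model of slide 22 and the container benefits of slide 38 rest on one mechanism: rules bound to workload tags instead of topology, default deny, and per-flow tracking. The Python below is an added example written for this page, not NSX code or anything from the talk; the Fabric and Workload classes, the IPs, tags and port are invented to show why moving or retiring a workload needs no rule edits and how denied flows become the alert feed.

```python
# Constructed model of tag-based (policy-driven) micro-segmentation.
# Added example, not NSX code: workload names, IPs and tags are made up.
from dataclasses import dataclass, field


@dataclass
class Workload:
    name: str
    tags: frozenset  # security-group tags such as {"web"}; rules bind to these, not to IPs


@dataclass
class Fabric:
    workloads: dict = field(default_factory=dict)  # ip -> Workload
    rules: list = field(default_factory=list)      # (src_tag, dst_tag, port): explicit allows
    flow_log: list = field(default_factory=list)   # per-flow tracking for alerting

    def add(self, name, ip, *tags):
        self.workloads[ip] = Workload(name, frozenset(tags))
    def move(self, name, new_ip):
        # vMotion or container reschedule: the address changes, the policy does not
        old_ip = next(ip for ip, w in self.workloads.items() if w.name == name)
        self.workloads[new_ip] = self.workloads.pop(old_ip)
    def decommission(self, name):
        # Retiring the workload retires its tags; no stale firewall rule is left behind
        self.workloads = {ip: w for ip, w in self.workloads.items() if w.name != name}
    def permit(self, src_ip, dst_ip, port):
        # Zero-trust default: deny unless an explicit tag-based allow matches this flow
        src, dst = self.workloads.get(src_ip), self.workloads.get(dst_ip)
        allowed = bool(src and dst and any(
            s in src.tags and d in dst.tags and p == port for s, d, p in self.rules))
        self.flow_log.append((src_ip, dst_ip, port, allowed))  # every flow is tracked
        return allowed


def demo():
    f = Fabric()
    f.add("web1", "10.0.1.10", "web")
    f.add("db1", "10.0.2.10", "db")
    f.add("vault1", "10.0.3.10", "vault")
    f.rules.append(("web", "db", 3306))            # the only explicit allow
    r = {"web_to_db": f.permit("10.0.1.10", "10.0.2.10", 3306),
         "web_to_vault": f.permit("10.0.1.10", "10.0.3.10", 443)}  # lateral move blocked
    f.move("web1", "10.0.9.5")                     # web tier moves; no rule edit needed
    r["moved_web_to_db"] = f.permit("10.0.9.5", "10.0.2.10", 3306)
    f.decommission("db1")                          # app retired; the rule simply stops matching
    r["web_to_retired_db"] = f.permit("10.0.9.5", "10.0.2.10", 3306)
    r["denied_flows"] = sum(1 for fl in f.flow_log if not fl[3])  # what to alert on
    return r
```

Contrast this with the topology-driven list on slide 20: every move or decommission there is a rule edit on a centralized firewall, while here the IP change and the retirement leave the rule set untouched.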
43. NSX + Public Cloud + Containers
[Map: Sydney, Hong Kong, Palo Alto, Chicago, Dallas, Virginia, Seattle]
500 Web Servers, 7 data centers, 3 continents, 2 public clouds + 1 on premise …in 5 minutes
https://www.youtube.com/watch?v=RBJ-KoAM-OQ
47. Design for the New & Accommodate The Old
[Diagram: Hyper-V On-Premises Data Center, Public Cloud, 3rd Gen Applications, Virtual Desktop, Mobile Devices]
48. Network Virtualization Next Steps with VMware NSX
• virtualizeyournetwork.com – The online resource for the people, teams and organizations that are adopting network virtualization
• communities.vmware.com – Connect and engage with network virtualization experts and fellow VMware NSX users
• vmware.com/go/NVtraining – Build knowledge and expertise for the next step in your career
• labs.hol.vmware.com – Test drive the capabilities of VMware NSX