© 2014 VMware Inc. All rights reserved.
Business Values of Network and Security Virtualization: VMware NSX in the context of the Software Defined Data Center
Klaus Jansen, Virtual Networks Sales Specialist, VMware NSBU
Agenda
(1) Context: Software Defined Data Center and Virtual Networks
(2) Cost and Security: Increased security through fine grained segmentation
(3) Security: Total privacy for multiple tenants on a shared infrastructure
(4) Security: Compliance in Architecture, Operations and Auditing
(5) Cost and Security with Choice: Integration of 3rd party security solutions
(6) Cost and Agility: Automation for Private Cloud and Self Service IT
(1) Context: Software Defined Data Center and Virtual Networks
The Software Defined Data Center (SDDC) is an approach to virtualize all aspects
of data center infrastructure independent of underlying compute, storage or
networking hardware.
VMware NSX represents a faithful reproduction of physical networks and security
in software at full scale. It is an overlay network running on top of current data
center networks. It's a key element in the SDDC architecture.
(1) SDDC Within, Between and Across Data Centers
[Slide diagram: the SDDC Platform runs Any Application on Any x86, Any Storage and Any IP network; the same stack is shown three times for Data Center Virtualization, Inter-Data Center and Hybrid Data Center]
State of the Art: Gartner Data Center Networking Magic Quadrant
“The NSX solution should be considered by existing VMware customers as a way of providing network agility and reducing network operational challenges within the data center.”
Gartner Data Center Networking Magic Quadrant, April 24, 2014
Most of the leading vendors of physical data center networking share our vision and provide technology for seamless integration of bare metal servers, perimeter security and other non-virtualized workloads.
SDDC – A Platform for Industry Innovation
(2) Data Center Security? Micro-segmentation is the answer
Security in the data center that so far was technically, financially and organisationally unfeasible!
Granular, Distributed Controls
Reduce attack surface
Visibility of all traffic
Block lateral movement
Zero Trust Model
(2) NSX Distributed Firewall with Micro Segmentation saves cost
Perimeter firewall: fewer devices, smaller devices, less complex device configurations, more choice of vendors
Rule sets: better visibility, no unnecessary rules kept forever, less operational cost, easier to deploy and maintain
Data Center Network: less complex configurations, better utilization, saves costly links due to reductions of East-West traffic between physical hosts, frees network capacity, likely no need to invest in a new network now
(2) Micro Segmentation – Use Cases
Self-Service IT
Use Cases:
• DevOps Cloud (separate Dev and Test environments per project, e.g. Dev A / Test A, Dev X / Test X)
Key Requirements:
• End-to-end Programmatic Provisioning (Network, Security etc)
• "Guard-Rails" for Private Cloud
Enterprise Apps/Zones
Use Cases:
• Virtual DMZ Deployments
• Virtual Desktop (VDI)
• Enterprise Zone Segmentation
Key Requirements:
• Flexible Micro-Segmentation
• Additional Layer of Security
• Visibility and Operations
• Audit and Compliance
Multi-Tenant
Use Cases:
• SP: Multi-tenant Cloud
• Enterprise: On-boarding M&A
Key Capabilities:
• Multi-tenant Deployment
• Programmatic L2, L3, Security
• Overlapping IP Addressing
• Open for 3rd party cloud management
(3) Total privacy for multiple tenants on a shared infrastructure
When Enterprise IT acts like a Service Provider
[Slide diagram: Tenant 1 and Tenant 2 on the same infrastructure, each behind its own tenant firewall and each containing an HR Group, a Finance Group and a Services/Management Group, every group with its own DMZ/Web, App and DB tier]
• Completely separate unrelated networks
• Add advanced services based on virtual network, network segment, or security group
• Differentiated network services for different tenants
• Total Isolation
(4) Compliance in Architecture, Operations and Auditing
[Slide diagram: an App VLAN, DMZ VLAN, Services VLAN and DB VLAN sit behind a perimeter firewall and an inside firewall; Finance, HR and IT workloads share each VLAN; the Services VLAN carries the shared AD, NTP, DHCP, DNS and CERT services]
Before
• All Apps on a VLAN can communicate freely
• Once one App is compromised, lateral movement cannot be restricted
• No visibility of App to App traffic
Now with NSX
• Full visibility of App to App traffic
• Micro-segmentation can granularly control apps even on shared VLAN
• Ability to monitor, report and audit, e.g. with "vRealize Log Insight"
PCI relevant customer data now isolated
(5) Multi-Layer Security with 3rd party Integration
[Slide diagram: Tags on a VM place it into NSX Security Groups; the groups are the integration point with 3rd party security solutions in three ways]
• Consume (1): use NSX security groups in 3rd party policy rules
• Enforce (2): enforce policy rules through 3rd party physical & virtual gateways
• Contribute (3): remediate infected VMs, triggered by the 3rd party security solution
Partners: Check Point, Palo Alto, Trend Micro, McAfee, ....
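As an added illustration of the mechanism behind sections (2), (4) and (5): the following is constructed example code, not material from the deck and not NSX's own API. It models workloads that share one VLAN being placed into security groups by tag, a distributed firewall that evaluates group-based rules at the source VM with a default deny (so App-to-App traffic on the shared VLAN is controlled and every decision carries the matched rule for audit), and a 3rd party security solution that quarantines a VM simply by tagging it. The group names, tags, ports and the VM inventory are all assumptions.

```python
# Added illustration of tag-driven micro-segmentation; constructed example, not NSX code.
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class VM:
    name: str
    vlan: str                 # the (shared) VLAN the VM sits on
    tags: FrozenSet[str]      # e.g. "tier:web", or a tag set by a 3rd party AV


@dataclass(frozen=True)
class Rule:
    src_group: str            # security group name or "any"
    dst_group: str
    port: Optional[int]       # None = any port
    action: str               # "allow" or "deny"


# Security groups are defined by the tags a VM must carry (hypothetical names).
SECURITY_GROUPS = {
    "web": frozenset({"tier:web"}),
    "app": frozenset({"tier:app"}),
    "db": frozenset({"tier:db"}),
    "quarantine": frozenset({"av:infected"}),
}

# Distributed firewall rule set: first match wins, default deny.
RULES = [
    Rule("quarantine", "any", None, "deny"),   # infected VMs may not talk out
    Rule("any", "quarantine", None, "deny"),   # ... and may not be reached
    Rule("web", "app", 8080, "allow"),         # only the tiers that need each other
    Rule("app", "db", 3306, "allow"),
]


def groups_of(vm: VM) -> FrozenSet[str]:
    """Dynamic membership: a VM is in every group whose required tags it carries."""
    return frozenset(g for g, required in SECURITY_GROUPS.items() if required <= vm.tags)


def _matches(rule: Rule, src_groups, dst_groups, port: int) -> bool:
    return ((rule.src_group == "any" or rule.src_group in src_groups)
            and (rule.dst_group == "any" or rule.dst_group in dst_groups)
            and (rule.port is None or rule.port == port))


def vlan_allows(src: VM, dst: VM, port: int) -> bool:
    """'Before': a shared VLAN has no intra-VLAN control, so any VM on the
    VLAN can reach any other VM on it, on any port."""
    return src.vlan == dst.vlan


def dfw_evaluate(src: VM, dst: VM, port: int, rules=RULES) -> Tuple[bool, Optional[Rule]]:
    """'Now': evaluate at the source VM's vNIC against group-based rules.
    Returns (allowed, matched_rule); the matched rule is the audit trail."""
    sg, dg = groups_of(src), groups_of(dst)
    for rule in rules:
        if _matches(rule, sg, dg, port):
            return rule.action == "allow", rule
    return False, None   # no rule matched: default deny (zero trust)


def dfw_allows(src: VM, dst: VM, port: int) -> bool:
    return dfw_evaluate(src, dst, port)[0]


def quarantine(vm: VM, tag: str = "av:infected") -> VM:
    """Remediation hook: the 3rd party solution tags the VM; no rule edit is
    needed, the 'quarantine' group picks the VM up on the next evaluation."""
    return VM(vm.name, vm.vlan, vm.tags | {tag})


if __name__ == "__main__":
    # Constructed sample inventory: three tiers plus a second web VM, one shared VLAN.
    web1 = VM("web1", "app-vlan", frozenset({"tier:web"}))
    web2 = VM("web2", "app-vlan", frozenset({"tier:web"}))
    app1 = VM("app1", "app-vlan", frozenset({"tier:app"}))
    db1 = VM("db1", "app-vlan", frozenset({"tier:db"}))
    for s, d, p in [(web1, app1, 8080), (web1, db1, 3306), (web1, web2, 22)]:
        print(s.name, "->", d.name, p, "VLAN only:", vlan_allows(s, d, p),
              "DFW:", dfw_allows(s, d, p))
    app_inf = quarantine(app1)
    print("after quarantine:", dfw_evaluate(web1, app_inf, 8080),
          dfw_evaluate(app_inf, db1, 3306))
```

The point of the model is the contrast between `vlan_allows`, which says yes to every pair on the shared VLAN (the "Before" column), and `dfw_evaluate`, which only permits the two tier-to-tier flows the rules name and returns the rule that made the decision, which is what a report or audit needs.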
(6) Cost and Agility: Automation for Private Cloud / Self-Service IT
[Slide diagram: an On Demand Application (Web, App and Database VMs) is provisioned including NSX Network & Security and 3rd party vendors, in one of three network topologies]
• ROUTED: Web, App and Database VMs behind an NSX Logical Router connected to any upstream router
• PRIVATE: Web, App and Database VMs with no external connectivity
• NAT: Web, App and Database VMs behind an NSX Logical Router with a NAT Gateway to any upstream router
NSX components consumed by Cloud Management: Logical Switch, Logical Router, Logical Firewall, Logical Load Balancer
Thank you