#vmworld

How to Design Multi-layered Security with NSX Data Center

John Krueger, VMware, Inc.
Tim Burkard, VMware, Inc.

SAI1133BU

#SAI1133BU
VMworld 2018 Content: Not for publication or distribution


Page 2: Disclaimer

©2018 VMware, Inc.

This presentation may contain product features or functionality that are currently under development.

This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.

Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.

Technical feasibility and market demand will affect final delivery.

Pricing and packaging for any new features, functionality, or technology discussed or presented have not been determined.

Page 3: The Virtual Cloud Network: Connect and Protect your Business

[Figure: sites labelled BRANCH, TELCO/NFV, and EDGE/IOT connected through the Virtual Cloud Network]

Page 4: Virtual Cloud Networking: Connect & Protect any workload across any environment

[Figure: capabilities and environments arranged around the Virtual Cloud Network]
Capabilities: Identity; Apps and Data; Policy; Scalability; Analytics and Insights; Secure Connectivity; Availability
Environments: Users; Private Data Centers; VMs, Containers, Microservices; Branch Offices; Public Clouds; Telco Networks; Things
Attributes: Built-in; Automated; Programmable; Application Centric

Page 5: Agenda

1. Security features of VMware vCenter
2. Securing the ESXi Host
3. Securing Virtual Machines
4. Security features of VMware NSX Data Center
5. Securing traffic using the Edge Gateway VPN

Page 6: Security Features of vCenter

Page 7: Certificate Management Services

Certificate management services provide the services necessary for end-to-end certificate administration in a vSphere infrastructure.

[Figure: Platform Services Controller components]
Identity Management: Lookup Service, SSO, Identity Management Service, Secure Token Service, VMware Directory
Certificate Services: VMware Certificate Authority, VMware Endpoint Certificate Store (VECS)

Page 8: vCenter Can Be Joined to an Active Directory Domain

• The vCenter Server installs with the default domain of vsphere.local; the default administrator account is administrator@vsphere.local

• You can join a Platform Services Controller appliance, or a vCenter Server Appliance with an embedded Platform Services Controller, to an Active Directory domain and attach the users and groups from this Active Directory domain to your vCenter Single Sign-On domain

• You can join a Platform Services Controller or a vCenter Server Appliance with an embedded Platform Services Controller only to an Active Directory domain with a writable domain controller

• Once vCenter has been added to the Active Directory domain, AD accounts can be used to assign rights and authenticate to vCenter

Page 9: Distributed Switch Security Features

• Supports Private VLANs (PVLANs)

• Increased visibility of inter-virtual machine traffic through NetFlow

• Improved monitoring through port mirroring (dvMirror)

• Support for LLDP (Link Layer Discovery Protocol), a vendor-neutral protocol

• Additional port security is enabled through traffic filtering support

• Multiple TCP/IP stacks for vMotion: gives vMotion traffic a dedicated networking stack and simplifies IP address management with a dedicated default gateway for vMotion traffic

Page 10: Securing the ESXi Host

Page 11: Lockdown Mode and the DCUI

In vSphere 6.0, you can select normal lockdown mode or strict lockdown mode:

• Normal lockdown mode: The DCUI service is not stopped

• Strict lockdown mode: The DCUI service is stopped

Accounts on the exception user list and users in the DCUI.Access list can access the DCUI:

• DCUI.Access list: A list of users that can disable lockdown mode

• Exception user list: Users who do not lose their privileges when the host enters lockdown mode

Page 12: DCUI Smart-Card Authentication

vSphere 6.0 Update 2 added authentication supporting RSA SecurID and smart-card support for the vSphere Web Client and the DCUI.

Users are prompted for the smart-card and PIN combination in addition to the default prompt for a user name and password.

Page 13: Improved Audit Trail of ESXi Administrative Tasks

In vSphere 5.x, ESXi hosts log actions by named vCenter Server users as vpxuser.

In vSphere 6.0, ESXi hosts log actions by named vCenter Server users as the correct user name.

Page 14: UEFI Secure Boot for ESXi Hosts

Secure Boot is part of the Unified Extensible Firmware Interface (UEFI) firmware standard:

• With Secure Boot enabled, the UEFI firmware validates the digital signature of the ESXi kernel against a digital certificate in the UEFI firmware, ensuring that only a properly signed kernel boots

• A machine refuses to load any UEFI driver unless the operating system bootloader is cryptographically signed

With vSphere 6.5, ESXi supports Secure Boot if it is enabled in the hardware.

[Figure: UEFI Secure Boot-Enabled Machine: UEFI Firmware holding the UEFI CA Digital Certificate; ESXi Software with the VMware Public Key]

Page 15: UEFI Secure Boot Sequence for ESXi Hosts

ESXi 6.5 supports UEFI Secure Boot at each level of the boot stack.

The boot sequence proceeds as follows:

1. The UEFI firmware validates the bootloader and the VMkernel.
2. The Secure Boot VIB verifier verifies every VIB package that is installed on the system.

If the security verifications pass during the boot sequence, the entire system is booted up, with the root of trust in certificates that are part of the UEFI firmware.

[Figure: boot stack: UEFI Firmware (UEFI CA Digital Certificate) -> Bootloader -> VMkernel -> Secure Boot VIB Verifier (VMware Public Key) -> ESXi Base System, Drivers and Modules, Management (hostd, DCUI, and so on)]

Page 16: ESXi Host Firewall

Port | Service | Direction
68 (Default) | DHCP Client | Incoming and outgoing UDP
161 (Default) | SNMP Server | Incoming UDP
53 (Default) | DNS Client | Incoming and outgoing UDP
80 (Default) | vSphere Fault Tolerance (FT) (outgoing TCP, UDP); HTTP access | Incoming TCP; outgoing TCP, UDP
111 (Default) | RPC service used for the NIS register by vCenter Virtual Appliance | Incoming and outgoing TCP
123 | NTP Client | Outgoing UDP
135 (Default) | For the vCenter Virtual Appliance, this port is designated for Active Directory authentication | Incoming and outgoing TCP
427 (Default) | The CIM client uses the Service Location Protocol, version 2 (SLPv2) to find CIM servers | Incoming and outgoing UDP
443 (Default) | HTTPS access; vCenter Server access to ESXi hosts; default SSL Web port; vSphere Client access to vCenter Server | Incoming TCP
513 (Default) | vCenter Virtual Appliance used for logging activity | Incoming UDP
902 (Default) | Host access to other hosts for migration and provisioning; authentication traffic for ESXi and remote console traffic (xinetd/vmware-authd) | Incoming and outgoing TCP, outgoing UDP

Page 17: Securing Virtual Machines

Page 18: UEFI Secure Boot for Virtual Machines

You can enable Secure Boot in a virtual machine if the following prerequisites are met:

• The virtual machine uses EFI firmware
• The virtual hardware is version 13
• The guest operating system supports UEFI Secure Boot

To properly support UEFI Secure Boot in a virtual machine, see the guest OS vendor documentation for the proper way to configure and use EFI firmware.

Page 19: About Virtual Machine Encryption

vSphere 6.5 introduces virtual machine encryption, which provides the following functionality:

• Encryption:
  – Protection of virtual machine files, virtual disk files, and core dump files
  – Multilayer key protection

• Orchestration:
  – Simplified deployment using storage policies
  – Agnostic to storage and guest operating system

• Key control:
  – Key management provided by key servers
  – Use of the Key Management Interoperability Protocol (KMIP), an industry standard for the management of security keys
  – Nonpersistence of keys for added security

• Access control:
  – New role for administrators without cryptography permissions
  – Cryptographic tasks authorized only to administrators with appropriate permissions

Page 20: Advantages of Virtual Machine Encryption

vSphere 6.5 virtual machine encryption has several advantages over similar offerings in the market:

• Does not require in-guest agents
• Uniform methodology across all guest operating systems
• Protects all virtual machine data, including virtual disk and swap files
• Finely detailed key control: virtual machines and disks can use different keys
• Easy orchestration through virtual machine storage policies

Page 21: Managing Virtual Machine Encryption

By default, the vCenter Server Administrator role has cryptographic privileges.

But not all administrators should be able to control encryption operations and have access to keys.

In vSphere 6.5, vCenter Server has a new role called No Cryptography Administrator, which enables you to control which administrators have encryption privileges.

[Figure: a Third-Party KMS supplies the Virtual Machine Key to vCenter Server; ESXi applies vSphere VM Encryption to VM1 and VM2]
The security administrator manages your KMS and keys.
A subset of vSphere administrators should manage encryption within vSphere.

Page 22: vCenter Server Role: No Cryptographic Administrator

The No Cryptographic Administrator role has most of the same virtual machine privileges as Administrator, including:

• Power on, power off, shut down
• Boot
• Migrate

This role does not include the following privileges:

• None of the cryptographic operations, such as encrypting and decrypting
• No console access to encrypted virtual machines
• No download or upload of encrypted virtual machines

Page 23: About Encrypted vSphere vMotion

Encrypted vSphere vMotion secures confidentiality, integrity, and authenticity of data that is transferred with vSphere vMotion.

Encrypted vSphere vMotion supports all variants of vSphere vMotion for unencrypted virtual machines, including migration across vCenter Server systems.

[Figure: vCenter Server generates a migrate spec, including the encryption key and nonce, for the encrypted vSphere vMotion network]

Page 24: Security Features of VMware NSX

Page 25: VMware NSX Portfolio: The Foundation of the Virtual Cloud Network

Networking and security management and automation:
• vRealize Automation: End-to-end workload automation
• Network Insight: Network discovery and insights
(Cloud-Based Management; Workflow Automation; Blueprints / Templates; Insights / Discovery; Visibility)

Network and security virtualization:
• AppDefense: Modern application security
• NSX SD-WAN by VeloCloud: WAN connectivity services
• NSX Hybrid Connect: Data center and cloud workload migration
• NSX Data Center: Networking and security for data center workloads
• NSX Cloud: Networking and security for Cloud workloads
(Security; Integration; Extensibility; Automation; Elasticity)

Page 26: VMware NSX Data Center Security Management

Security services are managed more efficiently in a software-defined data center.

• Apply and visualize security policies for workloads, in one place.
• Automate workflows across best-of-breed services, without custom integration.
• Provision and monitor uptime of different services, using one method.

[Figure: VMware NSX Network Virtualization Platform: Deploy, Apply, Automate]
Built-In Services: NSX Edge Firewall, Distributed Firewall, Server Activity Monitoring, VPN (IPsec, SSL)
Third-Party Services: Antivirus, DLP, Firewall, Vulnerability Management, Intrusion Prevention, Identity and Access Management, Security Policy Management

Page 27: Data Center Network Security: Before VMware NSX

Perimeter-centric network security has proven insufficient. And before network virtualization, microsegmentation was operationally infeasible.

[Figure: Internet-facing perimeter with few or no lateral controls inside the perimeter (Insufficient); microsegmentation before NSX (Operationally Infeasible)]

Page 28: Using the SDDC Approach for Microsegmentation

The distributed firewall provides micro-segmentation, which addresses many security challenges.

[Figure: Internet, perimeter firewalls, security policy, and a cloud management platform around the SDDC]

Page 29: Efficiency of Distributed Security: Same-Host Example

The distributed firewall performs firewall filtering closest to the virtual machine.

Page 30: Efficiency of Distributed Security: Different-Host Example

The distributed firewall provides optimal firewall filtering even when the virtual machines are on different ESXi hosts.

Page 31: VMware NSX Firewalls

The NSX Edge services gateway is optimized for north-south traffic filtering. The distributed firewall is optimized for east-west traffic filtering.

[Figure: Web, Application, and Database tiers; the Edge services gateway filters north-south traffic at the perimeter, the distributed firewall filters east-west traffic between tiers]

Page 32: NSX Edge Firewall Capabilities

The NSX Edge services gateway virtual machine form factors influence rule-processing capabilities. Idle TCP connections count toward the connection count.

Size | vCPU | RAM | Number of Connections | Number of Rules | Comments
Compact | 1 | 512 MB | 64,000 | 2,000 | Suitable for a basic firewall
Large | 2 | 1 GB | 1,000,000 | 2,000 | Suitable for a medium-level firewall
Quad Large | 4 | 2 GB | 1,000,000 | 2,000 | Suitable for a high-performance firewall
Extra Large | 6 | 8 GB | 1,000,000 | 2,000 | Suitable for a high-performance firewall, plus load balancer

Page 33: Distributed Firewall

The distributed firewall provides security filtering and service chaining functions on every host prepared for VMware NSX:

• Ensures consistent (ubiquitous) application of policy rules
• Optimizes traffic: no firewall hairpins
• Provides distributed enforcement of policy rules

The throughput scales as hypervisors are added.

The distributed firewall provides centralized configuration using the VMware vSphere® Web Client.

Page 34: Intelligent Grouping

Security groups can be defined by customized criteria:

• Operating System
• Machine Name
• Application Tier
• Services
• Security Posture
• Regulatory Requirements

Page 35: Static and Dynamic Group Criteria

Options are available when defining group membership.

Security Group definition:
Security Group = (Dynamic Inclusion + Static Inclusions) – Static Exclusion

• Dynamic Inclusion criteria: Computer OS Name, Computer Name, VM Name, Security Tag, Entity
• Static Inclusion and Static Exclusion objects: Security Group, Cluster, Logical Switch, Network, vApp, Data Center, IP Sets, Active Directory Group, MAC Sets, Security Tag, vNIC, VM, Resource Pool, Distributed Port Group

Page 36: Security Policies

A collection of network and security services to be applied to a security group.

A security policy can contain the following services:

• Guest introspection services:
  – Antivirus
  – Vulnerability management
  – Data security and data loss prevention solutions

• Network introspection services:
  – Intrusion detection and intrusion prevention systems

• Firewall rules

[Figure: Security Groups (Members: VM, vNIC; Context: User identity, security posture) APPLY Security Policies (Services: Firewall, antivirus; Profiles: Labels representing specific policies)]

Page 37: Service Composer Security Policy Rules

Guest Introspection Rules:
• Antimalware and Antivirus
• Vulnerability Management
• File Integrity Monitoring

Distributed Firewall Rules:
• Only L3/L4 FW Rules

Network Introspection Rules:
• IDS/IPS Services
• Firewall Services (L7)

Page 38: Automated Quarantine

Security services can be automatically applied to compromised virtual machines based on assigned tags.

Security Group = Quarantine Zone
Members = {Tag = ‘ANTI_VIRUS.VirusFound’}

Security Group = Standard

Policy Definitions:
• Standard VM Policy: Antivirus: Scan
• Quarantined VM Policy: Firewall: Block all except security tools; Antivirus: Scan and remediate

[Figure: a cloud management platform applies the policies to the security groups]
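The group definition from the static and dynamic criteria slide and the tag-driven quarantine above, worked through as an added example (this is not VMware's code or the NSX API). The VMs, tags, policy weights and the Standard policy's firewall setting are constructed for the example; a higher policy weight is assumed to take precedence when a VM sits in more than one group.

```python
"""Security-group membership and tag-driven quarantine modelled in Python.
Security Group = (Dynamic Inclusion + Static Inclusions) - Static Exclusion.
A policy is applied to a group, so a VM that receives the 'ANTI_VIRUS.VirusFound'
tag drops into the quarantine group and picks up the restrictive policy with no
rule edits. VMs, tags and policy weights below are constructed for the example.
"""
from dataclasses import dataclass, field, replace
from typing import Callable, Dict, FrozenSet, Iterable, List, Set

Criterion = Callable[["VM"], bool]


@dataclass(frozen=True)
class VM:
    name: str
    os_name: str
    tags: FrozenSet[str] = frozenset()   # NSX security tags on the VM


@dataclass
class SecurityGroup:
    name: str
    dynamic: List[Criterion] = field(default_factory=list)
    static_include: Set[str] = field(default_factory=set)   # VM names
    static_exclude: Set[str] = field(default_factory=set)   # VM names

    def members(self, inventory: Iterable[VM]) -> Set[str]:
        """(Dynamic Inclusion + Static Inclusions) - Static Exclusion."""
        dynamic = {vm.name for vm in inventory if any(c(vm) for c in self.dynamic)}
        return (dynamic | self.static_include) - self.static_exclude


# Dynamic-inclusion criteria of the kinds listed on the group-criteria slide.
def tag_equals(tag: str) -> Criterion:
    return lambda vm: tag in vm.tags


def os_name_contains(text: str) -> Criterion:
    return lambda vm: text.lower() in vm.os_name.lower()


@dataclass(frozen=True)
class SecurityPolicy:
    name: str
    firewall: str
    antivirus: str
    weight: int   # assumption: the higher-weight policy wins where groups overlap


QUARANTINE_TAG = "ANTI_VIRUS.VirusFound"

GROUPS = {
    "Quarantine Zone": SecurityGroup("Quarantine Zone", dynamic=[tag_equals(QUARANTINE_TAG)]),
    "Standard": SecurityGroup("Standard", dynamic=[os_name_contains("Windows")],
                              static_include={"web-01", "db-01"}, static_exclude={"jump-01"}),
}

POLICIES = {   # group name -> policy applied to that group (firewall text for Standard is constructed)
    "Standard": SecurityPolicy("Standard VM Policy", "Allow per application rules", "Scan", 1000),
    "Quarantine Zone": SecurityPolicy("Quarantined VM Policy", "Block all except security tools",
                                      "Scan and remediate", 5000),
}

INVENTORY = [   # constructed inventory
    VM("web-01", "Ubuntu Linux (64-bit)"),
    VM("app-01", "Microsoft Windows Server 2016 (64-bit)"),
    VM("db-01", "Ubuntu Linux (64-bit)"),
    VM("jump-01", "Microsoft Windows 10 (64-bit)"),
]


def memberships(inventory: Iterable[VM]) -> Dict[str, Set[str]]:
    """Group name -> member VM names, evaluated against the current inventory."""
    inventory = list(inventory)
    return {name: group.members(inventory) for name, group in GROUPS.items()}


def effective_policy(vm_name: str, inventory: Iterable[VM]) -> SecurityPolicy:
    """Highest-weight policy among the groups the VM currently belongs to."""
    applicable = [POLICIES[g] for g, members in memberships(inventory).items()
                  if vm_name in members]
    if not applicable:
        raise LookupError(f"{vm_name} is in no security group")
    return max(applicable, key=lambda p: p.weight)


def apply_tag(inventory: Iterable[VM], vm_name: str, tag: str) -> List[VM]:
    """Inventory as it looks after the antivirus service tags one VM."""
    return [replace(vm, tags=vm.tags | {tag}) if vm.name == vm_name else vm
            for vm in inventory]


def quarantine_scenario():
    """Policy applied to web-01 before and after it is tagged by antivirus."""
    before = effective_policy("web-01", INVENTORY).name
    tagged = apply_tag(INVENTORY, "web-01", QUARANTINE_TAG)
    after = effective_policy("web-01", tagged).name
    return before, after, memberships(tagged)


if __name__ == "__main__":
    before, after, groups = quarantine_scenario()
    print(f"web-01 policy before tag: {before}")
    print(f"web-01 policy after tag:  {after}")
    for name, members in groups.items():
        print(f"{name}: {sorted(members)}")
```

Note that web-01 stays a member of Standard after tagging; the quarantine policy wins only because of its weight, which is why a real deployment should give the quarantine policy the higher weight.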

Page 39: Securing Traffic Using the Edge Gateway VPN

Page 40: VMware NSX Data Center VPNs

VMware NSX Data Center supports several types of VPNs:

• Layer 2 VPN: Used to join layer 2 networks between locations
• IPsec VPN: Used for site-to-site connectivity
• SSL VPN-Plus: Enables remote users to connect to a private network behind an NSX Edge gateway

Page 41: Logical Layer 2 VPN

Features:
• SSL-based
• Web-proxy support
• L2 bridge to cloud (Public Cloud)

Scale and Performance:
• High performance: AES-NI acceleration
• 1.5 Gbps throughput per tenant

Use Cases:
• Cloud onboarding
• Cloud bursting
• Data center migration

Page 42: Site-to-Site (IPsec) VPN

Features:
• Interoperable IPsec tested with major vendors
• Encryption: 3DES, AES128, AES256, AES-GCM
• AES-NI H/W offload
• NAT and perimeter firewall traversal
• Certificate authentication and preshared key mode
• IP unicast traffic
• 64 tunnels across a maximum

Scale and Performance:
• High performance: AES-NI acceleration
• Up to 2 Gb/s throughput per tenant

Use Cases:
• Cloud to corporate
• Cloud on-boarding

Page 43: SSL VPN-Plus

Features:
• Clients on all major operating systems: Windows, Mac OS, Linux
• Remote authentication through Active Directory, RSA SecurID, LDAP, RADIUS
• TCP acceleration
• Encryption: 3DES, AES128, AES256

Use Cases:
• Remote office or branch office
• Remote management

Page 44: NSX Security Hardening Guide

https://www.vmware.com/security/hardening-guides.html

Page 45: Where to Get Started

Engage and Learn:
• Join the NSX VMUG Community: vmug.com/nsx
• Connect with your Peers: communities.vmware.com
• Embrace the NSX Mindset: nsxmindset.com
• Find NSX Resources: vmware.com/products/nsx
• Read the Network Virtualization Blog: blogs.vmware.com/networkvirtualization

Experience:
• Attend the Networking and Security Sessions: Showcases, breakouts, quick talks & group discussions
• Visit the VMware Booth: Product overviews, use-case demos
• Visit Technical Partner Booths: Integration demos (infrastructure, security, operations, visibility, and more)
• Meet the Experts: Join our experts in an intimate roundtable discussion

Try:
• Free Hands-on Labs: Test drive NSX with expert-led or self-paced hands-on labs: labs.hol.vmware.com

Take:
• VMware Education - Training and Certification: vmware.com/go/nsxtraining
• Free NSX Training on Coursera: vmware.com/go/coursera

Page 46: PLEASE FILL OUT YOUR SURVEY.

Take a survey and enter a drawing for a VMware company store gift card.

#vmworld #SAI1133BU

Page 47: THANK YOU!

#vmworld #SAI1133BU