
Presenting the VMware NSX ECO System
May 2015
Geert Bussé| Westcon Group
Solutions Sales Specialist, Northern Europe
Agenda
10:15 - 11:00 VMware NSX, the Network Virtualization Platform
11:15 - 12:00 Palo Alto - Finally, Data Center Security without Compromise
12:00 - 12:45 Juniper - QFX & MetaFabric - the Integration of VMware NSX
12:45 - 13:30 Lunch
13:30 - 14:15 Trend Micro - Optimised Security for the Modern Data Centre
14:15 - 15:00 F5 - Discover how F5 and VMware deliver a software-defined data center by providing simplified end-to-end networking through an application-centric approach
15:00 - 15:15 Break
15:15 - 16:00 Check Point - Automating Multi-tiered Security in the NSX Eco system
16:00 - 16:15 Q&A
16:15 - 18:00 Network Drink with Wine Tasting
Securing the Software Defined Data Center
• Typical Security Challenges in (Traditional) Data Centers
• SDDC: Definition and Components
• From Traditional to Software Defined Data Center
• Security Solutions
• Layered Architecture
• Key Takeaways
Typical Security Challenges in (Traditional) Data Centers
• Different layers and trust levels: Web - App - DB
• Process intensive to apply security between VMs (hundreds to thousands of VMs)
• Lateral movement once a workload is compromised
• Speed of server provisioning: avoid 'instant on' security gaps (a VM that is reachable before its policy is in place)
• Security impact on availability and performance
• Handling encrypted traffic (SSL)
• Measuring and monitoring compliance
• Application traffic vs. file system traffic
• Cloud readiness
The Software Defined Data Center: Definition
Definition: a data center in which all infrastructure is virtualized and delivered as a service.
The core architectural components:
• Compute virtualization
• Software-defined networking (SDN)
• Software-defined storage (SDS)
• Management and automation software
From Traditional to Software Defined Data Centers: Security with NSX
• Perimeter security is still required
• Micro-segmentation becomes feasible
• Firewall policies are provisioned automatically when a workload is programmatically created
• Distributed enforcement at every virtual interface, in-kernel, distributed to every hypervisor and baked into the platform
• Native isolation: no physical subnets, VLANs or ACLs are required
• Segmentation is enforced at the virtual interface, and advanced security services can be added on top
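The policy model behind these bullets, as an added example that is not VMware NSX code and does not use its API: rules are keyed on workload tags (tier, application) rather than on subnets, VLANs or ACLs, the default is deny, and the decision is made per virtual interface. A VM created later with the right tags is covered the moment it exists, with no rule edit, and a VM tagged as quarantined talks to nothing. The Workload, Rule and Policy classes, the tier:/app:/state: tag names and the ports are this example's own assumptions.

```python
"""Tag-based micro-segmentation model (added example, not NSX code)."""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Workload:
    name: str
    tags: frozenset          # e.g. frozenset({"tier:web", "app:finance"})


@dataclass(frozen=True)
class Rule:
    src_tag: str             # tag the source must carry
    dst_tag: str             # tag the destination must carry
    proto: str
    port: int
    scope: Optional[str] = None   # if set, BOTH ends must also carry this tag


QUARANTINE = "state:quarantine"   # hypothetical tag name for this example


class Policy:
    """Evaluates a flow at the destination's (or source's) virtual interface.

    Matching is on tag membership only: no IP, subnet or VLAN appears in a
    rule, so the policy is decoupled from the logical network topology.
    """

    def __init__(self, rules: Iterable[Rule]):
        self.rules = list(rules)

    def decide(self, src: Workload, dst: Workload, proto: str, port: int) -> str:
        # Quarantine wins over every allow rule: a compromised VM can
        # neither send nor receive, even to peers its tier normally talks to.
        if QUARANTINE in src.tags or QUARANTINE in dst.tags:
            return "deny"
        for r in self.rules:
            if r.scope and not (r.scope in src.tags and r.scope in dst.tags):
                continue                      # e.g. finance web -> hr app
            if (r.src_tag in src.tags and r.dst_tag in dst.tags
                    and r.proto == proto and r.port == port):
                return "allow"
        return "deny"                         # default deny, no intra-tier trust


def allowed_flows(policy: Policy, workloads, proto: str, port: int) -> set:
    """All (src, dst) pairs the policy permits on proto/port: the lateral
    movement surface an attacker inside one VM would have."""
    return {(s.name, d.name) for s in workloads for d in workloads
            if s is not d and policy.decide(s, d, proto, port) == "allow"}


def quarantine(w: Workload) -> Workload:
    """Isolate a VM by tagging it; no rule is touched."""
    return Workload(w.name, w.tags | {QUARANTINE})


def demo_policy() -> Policy:
    # Three-tier policy for the finance application, scoped so that the
    # same tiers of other applications (HR, Engineering) are not reachable.
    return Policy([
        Rule("tier:web", "tier:app", "tcp", 8443, scope="app:finance"),
        Rule("tier:app", "tier:db", "tcp", 3306, scope="app:finance"),
    ])


def demo_workloads():
    # Constructed inventory; names and tags are this example's own.
    return [
        Workload("fin-web1", frozenset({"tier:web", "app:finance"})),
        Workload("fin-web2", frozenset({"tier:web", "app:finance"})),
        Workload("fin-app1", frozenset({"tier:app", "app:finance"})),
        Workload("fin-db1", frozenset({"tier:db", "app:finance"})),
        Workload("hr-app1", frozenset({"tier:app", "app:hr"})),
    ]


if __name__ == "__main__":
    p, ws = demo_policy(), demo_workloads()
    print("8443:", sorted(allowed_flows(p, ws, "tcp", 8443)))
    print("22:  ", sorted(allowed_flows(p, ws, "tcp", 22)))   # empty: no web->web SSH
```

Note that `allowed_flows` on a management port such as 22 comes back empty, which is the property the slides are after: web servers in the same tier cannot reach each other, so a compromised web VM has no lateral path. Provisioning a second app server is just adding a Workload with the finance app tags; it is reachable from the web tier on 8443 and nothing else immediately.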
Software Defined Data Center: Security Solutions
• Data center firewall to secure data center access
• Network segmentation firewall to secure inter-VM traffic
• DDoS protection: cloud and on-premise
• Web application firewall
• Web access management
• IPS for virtual patching
• Data leakage prevention
• Anti-malware detection and cleaning
• Compliance monitoring
Layered Architecture (overview diagram)
• Cloud Scrubbing Center: volumetric DDoS attacks, known signature attacks
• Data Center Firewall: IPS, sandboxing, DLP
• Application Delivery Controller: web application firewall, anti-DDoS
• Network Segmentation Firewall: IPS, anti-malware, compliance
• Behind these layers: the Web, App and DB tiers of the Finance, HR and Engineering VMs
Layered Architecture
Cloud Scrubbing Center: volumetric DDoS attacks, known signature attacks
• Multiple Tbps of attack mitigation bandwidth
• Multiple scrubbing data centers
• Fast mitigation
• Limited false positives
• Mitigation up to L7
• Customer portal with centralized attack and threat monitoring reports
Layered Architecture
Data Center Firewall: IPS, sandboxing, DLP
• High rate of new connections per second (application traffic)
• High number of concurrent connections
• Scalable architecture: processing power and connectivity
• User identity and application awareness
• Platform for additional security modules
• Policy integration with the Network Segmentation Firewall
Layered Architecture
Application Delivery Controller / Web Application Firewall
Web Application Firewall:
• OWASP Top 10 threats
• Cover zero-day attacks by a positive security model (only requests matching the declared profile are allowed, so no attack signature is needed)
• HTTP anti-DDoS
• Integration with a vulnerability management solution
• Detection and prevention of web scraping
• PCI compliance
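What a positive security model does, as an added example that is not code from any vendor on the agenda: each endpoint has a declared profile of methods and parameters (name, pattern, required), and anything outside it is refused, whether or not a signature exists for it. The endpoint paths, parameter names, patterns and the MAX_PARAMS limit are this example's own assumptions, and the requests fed to it are constructed.

```python
"""Positive-security-model request validator (added example)."""
import re
from urllib.parse import urlsplit, parse_qsl

# Hypothetical profile for two endpoints of a demo web app. In a real WAF
# this is learned from traffic or declared by the application owner.
SCHEMA = {
    ("GET", "/account"): {
        "id":   {"pattern": r"[0-9]{1,10}", "required": True},
        "view": {"pattern": r"summary|detail", "required": False},
    },
    ("POST", "/login"): {
        "user": {"pattern": r"[a-z0-9._-]{1,64}", "required": True},
        "pass": {"pattern": r".{8,128}", "required": True},
    },
}
MAX_PARAMS = 20   # assumption: cap on parameters per request


def validate(method: str, target: str, body: str = "") -> list:
    """Return the list of profile violations; an empty list means allow.

    Nothing here knows what SQL injection or XSS looks like: a payload is
    rejected simply because it is not a 1-10 digit account id.
    """
    parts = urlsplit(target)
    profile = SCHEMA.get((method.upper(), parts.path))
    if profile is None:
        return [f"unknown endpoint {method.upper()} {parts.path}"]

    params = parse_qsl(parts.query, keep_blank_values=True)
    if method.upper() == "POST":
        params += parse_qsl(body, keep_blank_values=True)

    violations = []
    if len(params) > MAX_PARAMS:
        violations.append("too many parameters")

    seen = set()
    for name, value in params:
        spec = profile.get(name)
        if spec is None:
            violations.append(f"unexpected parameter {name!r}")
            continue
        if name in seen:                       # HTTP parameter pollution
            violations.append(f"duplicate parameter {name!r}")
        seen.add(name)
        if not re.fullmatch(spec["pattern"], value, re.DOTALL):
            violations.append(f"parameter {name!r} does not match profile")

    for name, spec in profile.items():
        if spec["required"] and name not in seen:
            violations.append(f"missing required parameter {name!r}")
    return violations


if __name__ == "__main__":
    # Constructed requests: one legitimate, one injection attempt, one probe.
    for req in [("GET", "/account?id=42"),
                ("GET", "/account?id=42' OR 1=1--"),
                ("GET", "/admin")]:
        print(req, "->", validate(*req) or "allow")
```

The trade-off the slide does not spell out: a positive model blocks the unknown, but it also blocks legitimate requests the profile forgot, so the profile must be kept in step with application releases (this is where the integration with vulnerability management and with the deployment pipeline matters).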
Software Defined Data Center: Web Application Firewall
Layered Architecture
Anti-DDoS: on-premise DDoS protection
• Application visibility
• Threat intelligence
• Built-in SSL decryption (needed to see attacks carried inside encrypted traffic)
• Real-time reporting and forensics
Layered Architecture
Network Segmentation Firewall
• Integration via API with the virtualized network and compute
• Security is completely decoupled from the logical network topology.
• The firewall function is brought directly to the VM: any traffic sent or received by this VM is processed by the Network Segmentation Firewall (NSF).
• Application visibility
(Diagram: the Web, App and DB tiers of the Finance, HR and Engineering VMs, each VM with its own NSF enforcement point)
Layered Architecture
IPS, Anti-Malware and Compliance
• Virtual patching via IPS
• Agentless anti-malware
• Hypervisor integrity monitoring
• Data encryption
• DLP
• Server compliance monitoring
• System log inspection
• Automatic quarantining of compromised VMs
(Diagram: the Web, App and DB tiers of the Finance, HR and Engineering VMs)
Key Takeaways
• Perimeter security alone is not sufficient in today's world of advanced threats
• NSX significantly simplifies inter-VM security and makes it feasible, but you still need additional security solutions from leading security vendors to increase security effectiveness.
• Don't forget anti-DDoS, WAF and anti-malware
• Talk to our vendors today about your requirements and needs
Enjoy the rest of the day!