Satish Yadavalli, General Manager & Global Practice Head, Wipro Limited
Bhanu Reddy, Practice Manager, Wipro Limited
Thomas Vigneron, SDDC Specialist – NSX, VMware Networking and Security – VCDX #220
SIE2034BE
#VMworld #SIE2034BE
Securing your VMware Horizon Virtualized Apps and Desktop Investments with NSX
VMworld 2017 Content: Not for publication or distribution
Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
#SIE2034BE CONFIDENTIAL
“We believe that data is the phenomenon of our time. It is the world’s new natural resource. It is the new basis of competitive advantage, and it is transforming every profession and industry.
If all of this is true – even inevitable – then
cyber crime, by definition, is the greatest threat to every profession, every industry, every company in the world.”
- Ginni Rometty, IBM Chairman, CEO and President
What’s Keeping Your CISO Up at Night?
Enterprise IT Security in the Headlines
1,935 confirmed data breaches in 2016 [1]
$3.62M average cost per security breach [2]
1. Source: Verizon 2017 Data Breach Investigations Report
2. Ponemon Institute: Cost of Data Breach Study 2017
Attacks and attackers have become more sophisticated…
Threat actors: organized crime, insiders, cyber terrorists / hacktivists, nation states
Advanced persistent threats; weaponization of cyberspace
Bridging End User Computing Silos
Application silos to bridge: Web, Windows client-server, Mobile
Windows apps represent 50-70% of the apps in the enterprise today, and they are difficult and costly to secure and support.
Transforming Security with Desktop Virtualization
1. Centralized Data and Delivery
2. Trusted Images – OS and App
3. Policy Based Access
4. Secure Endpoints
5. Network Security
Centralized Data and Delivery
✔ No endpoint data loss (device loss, theft, damage)
✔ Enterprise-class data center safeguards
✔ Reduced branch infrastructure footprint (file/print/email servers, etc.)
✔ Efficient recovery
[Figure: users connecting to virtual desktops hosted in the data center]
Pristine, Trusted Images for Every Desktop
One image:
• Simplified, consistent management
• No patch maintenance window
• Provisioning on demand
• Space efficient
Smart Policies
• True SSO experience
• Policy-managed client features
• Access Point authentication
• Common Criteria / FIPS 140-2
• Contextual access based on device or location
Securing the Endpoints
Extensive selection of secure, easy-to-manage clients to suit your budget, application, and performance needs, in desktop, all-in-one and mobile form factors.
• ThinOS: inherently virus resistant and extremely secure
• ThinLinux: hardened and optimized OS with the latest Linux libraries
• Embedded Windows: an additional security layer can be added with defense software
What about security for the VDI network?
• Endpoints: hardened endpoints, access policies
• Data center: centralized data, pristine images
• Network: the layer between them that the preceding controls do not cover
Current Challenges in the Data Center
Large attack surface within the data center: multiple, discrete “east-west” flows between desktops and infrastructure.
Threats: user behaviors, zero-day threats, compromised internet websites, desktop-to-desktop hacking, desktop-to-server hacking.
[Figure: virtual desktops in the data center with east-west flows to SAP, Oracle, Exchange, etc., enterprise storage, other users and the WWW]
Anatomy of an Attack: Recent VDI Data Breach
Regional pediatric hospital group with extensive VDI use: persistent virtual desktops follow providers from room to room, giving instant access to critical medical information.
Friday, 8pm: compromised VDI desktop. Unrestricted lateral movement: the attacker was able to move freely between desktops and servers in the data center, gaining access to sensitive patient data and critical systems.
Friday, 11pm: security response begins.
Saturday, 9am: sensitive patient data exfiltrated.
Despite having been reported to IT when it occurred, the response to the attack was not quick enough to prevent a significant loss.
Security is needed for every desktop VM… so can’t we have it everywhere?
Why can’t we have individual firewalls for every desktop VM? With traditional technology, this is operationally infeasible:
• Physical firewalls at the data center perimeter: cost prohibitive, with complex configurations
• Virtual firewall appliances: slower performance, costly and complicated
Securing East-West within VDI Environments
Organizations with a focus on compliance and risk mitigation will implement security zones to protect east-west flows within the data center, e.g. shared services, DMZ, DB zone, remote workforce zone, Eng zone, Dev zone, Financial zone, Corp zone, PCI zone, Admin zone and the centralized virtual desktops.
With traditional technology this is:
• Hard to implement
• Lots of physical infrastructure required
• Complex to manage
Traditional Networking & Security is complex!
[Figure: the Internet and internal networks connected through the same zones (shared services, DMZ, DB zone, remote workforce zone, Eng zone, Dev zone, Financial zone, Corp zone, PCI zone, Admin zone, centralized virtual desktops) with the physical firewalling between them]
NSX and Horizon
NSX Value Proposition
The NSX network virtualization and security platform makes micro-segmentation a reality.
[Figure: virtual networks delivered by a “network hypervisor” (the virtualization layer) over the physical network, storage and compute]
Micro-segmentation
Delivering higher levels of data center security:
1. Isolation and segmentation
2. Unit-level trust / least privilege
3. Ubiquity and centralized control
More Efficient Firewalls with NSX
Before NSX (firewalling at the Nexus 7000 above the UCS fabrics A and B, with a plain vSwitch on each UCS blade):
• East-west firewalling, same host: 6 wire hops
• East-west firewalling, host to host: 6 wire hops
With NSX (distributed virtual firewall in the NSX vSwitch on each blade):
• East-west firewalling, same host: 0 wire hops
• East-west firewalling, host to host: 2 wire hops
Fewer hops, more efficient and precise VM networking.
NSX for Horizon VDI Deployment
Three pillars: micro-segmentation, edge services, network virtualization.
• Allows for elasticity and agility to spin up/down new pools or expand existing ones
• Desktop-to-desktop control
• Desktop-to-enterprise-app control
• Security services, e.g. agentless AV, NGFW, IPS
• Load balancing
• Edge firewall
• NAT
• VPN
[Figure: Horizon infrastructure with an internal developer pool and an external developer pool on separate internal and external developer networks]
Horizon with NSX: Simplifying Networking and Making It Secure
Example order of adoption:
1. Firewalling & security
2. Load balancing
3. Logical switching
4. Logical routing
5. Physical to virtual
Segmentation of a Horizon Environment
Protecting desktop pools (internal developer pool, external developer pool):
• Desktop-to-desktop control
• Desktop-to-enterprise-app control (e.g. a 3-tier enterprise app: web, app, DB)
• 3rd-party security services, e.g. agentless AV, NGFW, IPS
User / data based access control:
• AD group based Identity Firewall (IDFW)
• Data Security to identify sensitive data
Protecting Horizon infrastructure (Connection Servers, Unified Access Gateway, View Composer, vCenter):
• Control of access from the external world to Horizon components
• Access control between the various Horizon components
Protecting Infrastructure
VMware Horizon Architecture Overview
[Figure: User workspace (Horizon Clients, Unified Access Gateways) → Horizon Connection Servers and View Composer → virtual desktop pools (Windows 10 instant clones, Windows 10 3D desktops, Linux clones, hosted RDS desktops & apps), applications delivered by VMware App Volumes, virtualized apps (ThinApp), SaaS and mobile apps through VMware Identity Manager, and the user environment (IT settings, user profile). Core infrastructure: Active Directory, vCenter Server, vRealize Operations for Horizon, Database (SQL), all on VMware vSphere + NSX + vSAN]
Horizon network ports reference: https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/techpaper/vmware-horizon-7-end-user-computing-network-ports.pdf
Easy Service Definition
Micro-Segmentation – Sample Configuration
Two DFW rule sections: infrastructure rules, and desktop and application rules.
Identity Based Firewall: policy-driven micro-segmentation of the user
VMware NSX - Identity Based Firewall Rules (IDFW)
• The DFW offers Identity Based Firewall (IDFW) functionality:
  – Specific AD security groups of users can be used to create DFW rules
  – DFW rules are defined based on Active Directory (AD) membership (e.g. a Doctors or Surgeons group): define an NSX Security Group that contains the AD security group and apply it as the source of the DFW policy rule
• The source can be a physical or virtual system that has been joined to the AD domain; the destination system must be a VM.
Policy rule:
Source                      Destination             Service   Action
Doctors (security group)    Patient Record Servers  Any       Allow
Any                         Any                     Any       Deny
VMware NSX - Identity Based Firewall Rules & EUC
Before NSX
• All desktops on a VLAN can communicate freely.
• Once one desktop is compromised, lateral movement cannot be restricted.
With NSX
• Micro-segmentation can granularly control desktops even on a shared VLAN.
• User/group based access control
• Control VDI-to-app access using NGFW redirection when needed.
[Figure: Jennifer (Finance) and Bob (HR) on the same network, with Files, HR, Finance, Email and SharePoint servers; Jennifer reaches only Finance and Bob only Human Resources]
Secure Just in Time Desktops
Role-based desktop creation & customization from a single pool of stateless desktops: for each role (Sales, Developer, Admin) the desktop receives its network policy from NSX, its application layers from App Volumes and its personalization from UEM, producing a Sales desktop, a Developer desktop or an Admin desktop.
Extensibility: Partner Dynamic Service-Chaining
• NSX ecosystem partner AV scans the desktop (e.g. Trend Micro Deep Security, McAfee MOVE)
• Partner AV scan detects a virus/malware and tags the desktop VM for NSX
• NSX Manager / control plane places the desktop VM under network lock-down: no traffic in or out
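The IDFW rule table on the earlier slide (Doctors security group → Patient Record Servers, then deny any) and the partner service-chaining flow above (AV tags an infected desktop, NSX locks it down) come down to the same mechanism: first-match evaluation of a rule table whose source and destination are dynamic groups, resolved from AD membership or from security tags. The following Python model is an added example and not VMware code or the NSX API; the users, groups, hosts and tag name are constructed for illustration. It encodes two caveats a practitioner should keep in mind: an identity rule only matches a source on which a user is actually logged on, and the DFW enforces on the destination VM’s vNIC, so a physical destination (the hypothetical legacy-lab-server here) is outside its reach and still needs a perimeter or edge control.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed AD membership (illustrative names, not real directory data).
# NSX resolves an AD security group to its members and learns which user is
# logged on to a domain-joined machine from AD logon events.
AD_GROUPS: Dict[str, Set[str]] = {
    "drjones": {"Doctors"},
    "bob": {"HR"},
}

# Security tag a partner AV product applies to a VM it finds infected.
# The name is illustrative of the tag-based workflow, not a vendor value.
QUARANTINE_TAG = "ANTI_VIRUS.VirusFound"


@dataclass
class Endpoint:
    name: str
    is_vm: bool                                   # DFW enforcement point is the VM vNIC
    logged_in_user: Optional[str] = None          # identity known to IDFW, if any
    tags: Set[str] = field(default_factory=set)   # NSX security tags on the VM


@dataclass
class Rule:
    name: str
    src: Tuple[str, ...]   # ("any",) | ("group", ad_group) | ("tag", tag) | ("host", name)
    dst: Tuple[str, ...]
    service: str           # "any" or e.g. "tcp/443"
    action: str            # "allow" | "deny"


def selector_matches(sel: Tuple[str, ...], ep: Endpoint) -> bool:
    """Does an endpoint fall into the security group a rule selector describes?"""
    kind = sel[0]
    if kind == "any":
        return True
    if kind == "host":
        return ep.name == sel[1]
    if kind == "tag":
        return sel[1] in ep.tags
    if kind == "group":
        # Identity selector: only a logged-on user who is in the AD group matches.
        user = ep.logged_in_user
        return user is not None and sel[1] in AD_GROUPS.get(user, set())
    raise ValueError(f"unknown selector {sel!r}")


def evaluate(rules: List[Rule], src: Endpoint, dst: Endpoint, service: str) -> str:
    """First-match evaluation, top to bottom, with an implicit deny at the end.

    Returns "allow", "deny", or "unenforced" when the destination is not a VM:
    the DFW applies these rules on the destination VM's vNIC, so a physical
    destination is outside its reach and needs a perimeter or edge control.
    """
    if not dst.is_vm:
        return "unenforced"
    for rule in rules:
        if (selector_matches(rule.src, src)
                and selector_matches(rule.dst, dst)
                and rule.service in ("any", service)):
            return rule.action
    return "deny"


# Rule table in section order: quarantine section first, then identity rules,
# then the default deny that closes the table.
RULES: List[Rule] = [
    Rule("quarantine-in", ("any",), ("tag", QUARANTINE_TAG), "any", "deny"),
    Rule("quarantine-out", ("tag", QUARANTINE_TAG), ("any",), "any", "deny"),
    Rule("doctors-to-records", ("group", "Doctors"), ("host", "patient-records"), "any", "allow"),
    Rule("default-deny", ("any",), ("any",), "any", "deny"),
]


def scenario() -> Dict[str, str]:
    """Walk through the page's scenarios on constructed endpoints; return the decisions."""
    desk_jones = Endpoint("vdi-0017", is_vm=True, logged_in_user="drjones")
    desk_bob = Endpoint("vdi-0042", is_vm=True, logged_in_user="bob")
    desk_idle = Endpoint("vdi-0099", is_vm=True)            # nobody logged on
    records = Endpoint("patient-records", is_vm=True)
    legacy = Endpoint("legacy-lab-server", is_vm=False)      # physical host (hypothetical)

    out = {
        "doctor_to_records": evaluate(RULES, desk_jones, records, "tcp/443"),
        "hr_to_records": evaluate(RULES, desk_bob, records, "tcp/443"),
        "idle_desktop_to_records": evaluate(RULES, desk_idle, records, "tcp/443"),
        "desktop_to_desktop": evaluate(RULES, desk_bob, desk_jones, "tcp/445"),
        "doctor_to_physical": evaluate(RULES, desk_jones, legacy, "tcp/443"),
    }
    # Partner AV flags the doctor's desktop and tags it; the same user is now locked down.
    desk_jones.tags.add(QUARANTINE_TAG)
    out["doctor_after_tag"] = evaluate(RULES, desk_jones, records, "tcp/443")
    out["hr_to_tagged_desktop"] = evaluate(RULES, desk_bob, desk_jones, "tcp/445")
    return out


if __name__ == "__main__":
    for flow, decision in scenario().items():
        print(f"{flow:26s} {decision}")
```

Running it prints the decision per flow. The quarantine section sits above the identity rules, so a tagged desktop is locked down even for a user whose group would otherwise be allowed; a desktop with no logged-on user matches no identity rule and falls to the default deny; and the flow to the physical host shows where the DFW stops enforcing.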
AirWatch Per-App VPN and VMware NSX
[Figure: device-level VPN compared with app-level VPN; app-level VPN combined with NSX micro-segmentation]
Wipro-VMware 360º Partnership Overview
Accelerate clients’ IT transformation to the next generation data center.
Wipro
• 30+ years in-depth experience in infrastructure services
• Cloud advisory, cloud migration, DevOps, and cloud security
VMware
• Leading cloud infrastructure and business mobility provider
Wipro and VMware Alliance
• Strategic partnership
• Wipro’s transformation services plus VMware’s disruptive technologies
• VMware Premier Partner
Wipro as a VMware Customer
• VMware AirWatch deployment of 150,000+ employees
• 4,000 VDI instances
• VMware virtualization
Boundary-less ODCs for Wipro
Environment: ~4,000 users spread across 6 regional centers in India; 100% VDI with Windows & Linux persistent desktops; end points 100% thin clients.
Solution: full VMware stack, with NSX for micro-segmentation, Horizon for VDI, App Volumes for real-time app delivery, and software defined storage.
Benefits: boundary-less ODCs (a physical desk/port is not tagged to any project/ODC); 30% reduction in overall costs.
Wipro Environment
• 4,000 virtual desktops, leveraging clones and App Volumes
• 50 ESXi vSphere 6.0 servers
• 2 vCenters
• NSX Distributed Firewall
Security Benefits
• Secure access to desktops from anywhere, at any time
• Rapid, centralized updates and patching: OS updates through clones, application updates through AppStacks
• Instant recovery in the event of crashes or malware proliferation
• Micro-segmentation for each development center
Case Study: Largest Women-only University
Client profile: the client is the world’s largest women-only university, with capacity to enroll over 40,000 students and 10,000+ faculty; the campus has a 700-bed hospital equipped with state-of-the-art facilities.
Project scope:
• Manage the VDI infrastructure used by students and faculty
• Enable seamless access to university applications and internet browsing
• Roll out additional thin clients year-on-year
Infrastructure:
• Technology implemented: VMware Horizon View 6.0
• Number of virtual desktops / users: 8,000+
• VDI concurrent licenses: 5,000
• Hardware: 152 x UCS B250 M2 and 16 x UCS B200 M2
• Hypervisor: ESXi 5.5; server OS: Windows Server 2012 R2; desktop OS: Windows 7
• Support model: onsite support
Business benefits:
• Single point of ownership
• Service and technology transformation: streamlined operations
• Standardization of services and policy-based service management: repeatability and scalability
• Central governance towards compliance and policies
Learn More
Hands on Labs: http://labs.hol.vmware.com
Web: https://www.vmware.com/products/horizon/horizon-nsx.html