Karen Law Senior Systems Consultant VMware Hong Kong Ltd

Advancing Security with Software Defined Datacenter

• Why Micro-segmentation? • Understanding SDDC Network Virtualization • Why Network Hypervisor? • Use Cases

2

AGENDA

• Why Micro-segmentation? • Understanding SDDC Network Virtualization • Why Network Hypervisor? • Use Cases

3

AGENDA

4

BREACHES OCCUR IN DATA CENTERS

1 2 3

4 5 6

Today’s data centers are protected by strong perimeter defense…

But threats and exploits still infect servers. Low-priority systems are often the target, and SSL is no guarantee of protection.

Threats can lie dormant, waiting for the right moment to strike.

Attacks spread inside the data center, where internal controls are often weak. Critical systems are targeted.

Server-server traffic growth has outpaced client-server traffic. The attack spreads and goes unnoticed.

Possibly after months of reconnaissance, the infiltration relays secret data to the attacker.

Targeted system

Critical system

5

THE PROBLEM: NETWORK SECURITY

Perimeter-centric network security has proven insufficient

Internet

IT Spend Security Spend Security Breaches

Today’s security model focuses on perimeter defense

But continued security breaches show this model is not enough

6

THE SOLUTION: MICRO-SEGMENTATION

A new model for data center security

STARTING ASSUMPTIONS DESIGN PRINCIPLES

Assume everything is a threat and act

accordingly.

1

2

3

Isolation and segmentation

Unit-level trust / least privilege

Ubiquity and centralized control

7

HOWEVER… …

micro-segmentation has not been operationally infeasible

Internet

…

2 firewalls

1000 workloads

vs

A typical data center has:

Directing all traffic (virtual + physical) through chokepoint firewalls is inefficient

And a physical firewall per workload is cost prohibitive

8

SDDC APPROACH FOR MICRO-SEGMENTATION

Control Plane NSX Manager

Physical workloads and VLANS

Data Plane Distributed switching, routing, firewall

Management Plane vCenter

• Why Micro-segmentation? • Understanding SDDC Network Virtualization • Why Network Hypervisor? • Use Cases

9

AGENDA

10

NETWORK CAPACITY

Internet

11

COMPUTE CAPACITY

Internet

12

DATA CENTER VIRTUALIZATION LAYER

Internet

13

A “NETWORK HYPERVISOR”

Internet

14

OPERATION MODEL OF A VM

Internet

15

NON-DISRUPTIVE DEPLOYMENT

16

PROGRAMMATICALLY PROVISION

17

SERVICE DISTRIBUTION TO VIRTUAL SWITCH

18

BETTER SECURITY: NATIVE ISOLATION

192.168.2.10

192.168.2.10

192.168.2.11

192.168.2.11

19

SECURITY SERVICE DISTRIBUTION

• Why Micro-segmentation? • Understanding SDDC Network Virtualization • Why Network Hypervisor? • Use Cases

20

AGENDA

21

THE “GOLDILOCK” ZONE

Too Hot Too Cold

22

HYPERVISOR IS SECURITY “GOLDILOCKS ZONE”

Software Defined Data Center (SDDC)

Any Application

SDDC Platform

Any x86

Any Storage

Any IP network

Data Center Virtualization

SDDC Platform

L2 Switching L3 Routing

Firewalling/ACLs Load Balancing

Network & Security Services Now in the Hypervisor

High Context High Isolation Ubiquitous Enforcement

SDDC Approach

23

MISSION IMPOSSIBLE TO POSSIBLE

Little or no lateral controls

inside perimeter

Internet Internet

Micro-Segmentation is Possible By Network Hypervisor

24

BENEFITS BY NETWORK HYPERVISOR

Dev

Test

Production

Web

App

DB

No Communication Path

Controlled Communication Path

Web

App

DB

Advanced Services Controlled Communication Path

Isolation Segmentation Segmentation With Advanced Services

• Why Micro-segmentation? • Understanding SDDC Network Virtualization • Why Network Hypervisor? • Use Cases

25

AGENDA

26

SIMPLIFY DATA CENTER NETWORK

Security policies no longer tied to network topology

Logical groups can be defined

Prevents threats from spreading

App

Web

DB

Finance Development HR Production

ADVANCED DATA CENTER PROTECTION

27

Security Group = Web Tier

Policy Definition Standard Desktop VM Policy Anti-Virus – Scan Quarantined VM Policy Firewall – Block all except security tools Anti-Virus – Scan and remediate

28

VM MOBILITY IN A SECURE WAY

29

REMOVE SECURITY HOLE

30

KEY TAKEAWAYS

Challenge

Internet

Securing east-west traffic

Answer

Micro-segmentation

Value

Simplified management of security policies

Elastic security solution

Allow complicated security measurement

Karen Law Senior Systems Consultant VMware Hong Kong Ltd