Karen Law Senior Systems Consultant VMware Hong Kong Ltd
Advancing Security with Software Defined Datacenter
AGENDA
• Why Micro-segmentation?
• Understanding SDDC Network Virtualization
• Why Network Hypervisor?
• Use Cases
BREACHES OCCUR IN DATA CENTERS
1. Today’s data centers are protected by strong perimeter defense…
2. But threats and exploits still infect servers. Low-priority systems are often the target, and SSL is no guarantee of protection.
3. Threats can lie dormant, waiting for the right moment to strike.
4. Attacks spread inside the data center, where internal controls are often weak. Critical systems are targeted.
5. Server-server traffic growth has outpaced client-server traffic. The attack spreads and goes unnoticed.
6. Possibly after months of reconnaissance, the infiltration relays secret data to the attacker.
(Diagram labels: Targeted system, Critical system)
THE PROBLEM: NETWORK SECURITY
Perimeter-centric network security has proven insufficient.
• Today’s security model focuses on perimeter defense
• But continued security breaches show this model is not enough
(Chart: IT spend vs. security spend vs. security breaches)
THE SOLUTION: MICRO-SEGMENTATION
A new model for data center security
Starting assumption: assume everything is a threat and act accordingly.
Design principles:
1. Isolation and segmentation
2. Unit-level trust / least privilege
3. Ubiquity and centralized control
HOWEVER…
…micro-segmentation has been operationally infeasible.
A typical data center has: 2 firewalls vs 1000 workloads
• Directing all traffic (virtual + physical) through chokepoint firewalls is inefficient
• And a physical firewall per workload is cost prohibitive
SDDC APPROACH FOR MICRO-SEGMENTATION
• Management plane: vCenter
• Control plane: NSX Manager
• Data plane: distributed switching, routing, firewall
• Physical workloads and VLANs
AGENDA: Understanding SDDC Network Virtualization
NETWORK CAPACITY
COMPUTE CAPACITY
DATA CENTER VIRTUALIZATION LAYER
A “NETWORK HYPERVISOR”
OPERATION MODEL OF A VM
(Each of these slides is a diagram of the data center behind its Internet edge; no further text.)
NON-DISRUPTIVE DEPLOYMENT
PROGRAMMATICALLY PROVISION
SERVICE DISTRIBUTION TO VIRTUAL SWITCH
BETTER SECURITY: NATIVE ISOLATION
(Diagram: two isolated logical networks, each reusing the addresses 192.168.2.10 and 192.168.2.11)
SECURITY SERVICE DISTRIBUTION
AGENDA: Why Network Hypervisor?
THE “GOLDILOCKS” ZONE
(Chart: Too Hot / Too Cold)
HYPERVISOR IS SECURITY “GOLDILOCKS ZONE”
• Software Defined Data Center (SDDC): any application on the SDDC platform, over any x86, any storage, any IP network
• Data center virtualization: network & security services now in the hypervisor: L2 switching, L3 routing, firewalling/ACLs, load balancing
• SDDC approach: high context, high isolation, ubiquitous enforcement
MISSION IMPOSSIBLE TO POSSIBLE
• Little or no lateral controls inside perimeter
• Micro-segmentation is possible by network hypervisor
BENEFITS BY NETWORK HYPERVISOR
• Isolation: Dev, Test, Production: no communication path
• Segmentation: Web, App, DB: controlled communication path
• Segmentation with advanced services: Web, App, DB: controlled communication path with advanced services
AGENDA: Use Cases
SIMPLIFY DATA CENTER NETWORK
• Security policies no longer tied to network topology
• Logical groups can be defined
• Prevents threats from spreading
(Diagram: App, Web and DB tiers across Finance, Development, HR and Production groups)
ADVANCED DATA CENTER PROTECTION
Security Group = Web Tier
Policy definition:
• Standard Desktop VM Policy: Anti-Virus – Scan
• Quarantined VM Policy: Firewall – Block all except security tools; Anti-Virus – Scan and remediate
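The policy model on the last few slides (logical groups instead of topology, Web/App/DB with a controlled path and Dev/Prod with none, duplicate addresses in isolated logical networks, and a quarantine policy that blocks everything except security tools) written out as a small runnable model. This is an added example, not NSX's API or VMware's code; the VM names, addresses, tags, rule names and ports are constructed, and it assumes each environment is its own logical segment with no route between them and that a per-vNIC firewall evaluates rules first-match with a default block.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class VM:
    name: str
    segment: str             # logical network the vNIC attaches to (constructed: "dev", "prod")
    ip: str
    tags: frozenset          # security-group membership, e.g. {"tier:web"}


@dataclass(frozen=True)
class Rule:
    name: str
    src_tag: Optional[str]   # tag required on the source VM; None = any source
    dst_tag: Optional[str]   # tag required on the destination VM; None = any destination
    port: Optional[int]      # destination port; None = any port
    action: str              # "allow" or "block"


DEFAULT_ACTION = "block"     # starting assumption: everything is a threat


# Constructed inventory. The same IPs are reused in "dev" and "prod": the
# segments are isolated, so an endpoint is (segment, ip), not ip alone.
INVENTORY = (
    VM("web-prod", "prod", "192.168.2.10", frozenset({"tier:web"})),
    VM("app-prod", "prod", "192.168.2.11", frozenset({"tier:app"})),
    VM("db-prod", "prod", "192.168.2.12", frozenset({"tier:db"})),
    VM("web-dev", "dev", "192.168.2.10", frozenset({"tier:web"})),
    VM("db-dev", "dev", "192.168.2.12", frozenset({"tier:db"})),
    VM("av-scanner", "prod", "192.168.9.5", frozenset({"security-tools"})),
)

# Constructed rule set for the Web -> App -> DB pattern. Rules name groups,
# not subnets, so a VM can move or be re-addressed without a rule change.
RULES = (
    Rule("web-to-app", "tier:web", "tier:app", 8443, "allow"),
    Rule("app-to-db", "tier:app", "tier:db", 5432, "allow"),
    Rule("tools-to-any", "security-tools", None, None, "allow"),
)


def lookup(segment: str, ip: str) -> VM:
    """Resolve an endpoint; the segment disambiguates duplicate addresses."""
    for vm in INVENTORY:
        if vm.segment == segment and vm.ip == ip:
            return vm
    raise KeyError(f"no VM at {ip} in segment {segment}")


def quarantine(vm: VM) -> VM:
    """Move a VM into the quarantine group by tagging it; nothing is re-addressed or re-cabled."""
    return VM(vm.name, vm.segment, vm.ip, vm.tags | {"quarantined"})


def matches(rule: Rule, src: VM, dst: VM, port: int) -> bool:
    return ((rule.src_tag is None or rule.src_tag in src.tags)
            and (rule.dst_tag is None or rule.dst_tag in dst.tags)
            and (rule.port is None or rule.port == port))


def evaluate(rules: Iterable[Rule], src: VM, dst: VM, port: int) -> Tuple[str, str]:
    """Decide one flow the way a per-vNIC distributed firewall would.

    Returns (action, reason). Order of checks:
    1. quarantine: a quarantined VM talks only to security tools, in either direction;
    2. isolation: no communication path between different logical segments;
    3. first matching rule wins;
    4. default block.
    """
    for vm, peer in ((src, dst), (dst, src)):
        if "quarantined" in vm.tags and "security-tools" not in peer.tags:
            return "block", f"quarantine policy on {vm.name}"
    if src.segment != dst.segment:
        return "block", "no path between segments"
    for rule in rules:
        if matches(rule, src, dst, port):
            return rule.action, rule.name
    return DEFAULT_ACTION, "default"


def demo() -> dict:
    """Run a handful of representative flows and return their decisions."""
    web = lookup("prod", "192.168.2.10")
    app = lookup("prod", "192.168.2.11")
    db = lookup("prod", "192.168.2.12")
    web_dev = lookup("dev", "192.168.2.10")   # same IP as web-prod, different segment
    scanner = lookup("prod", "192.168.9.5")
    web_q = quarantine(web)
    return {
        "web->app:8443": evaluate(RULES, web, app, 8443),
        "web->db:5432": evaluate(RULES, web, db, 5432),            # tier skip: default block
        "web-dev->db-prod:5432": evaluate(RULES, web_dev, db, 5432),
        "quarantined web->app:8443": evaluate(RULES, web_q, app, 8443),
        "scanner->quarantined web:22": evaluate(RULES, scanner, web_q, 22),
    }


if __name__ == "__main__":
    for flow, (action, reason) in demo().items():
        print(f"{flow:30} {action:5} ({reason})")
```

The quarantine step runs before any group rule so that tagging a compromised VM is enough to cut it off from the rest of its tier while the scanner can still reach it; the web-to-db flow shows that a tier which is not named in a rule gets no path even though it sits on the same segment.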
VM MOBILITY IN A SECURE WAY
REMOVE SECURITY HOLE
KEY TAKEAWAYS
Challenge: securing east-west traffic
Answer: micro-segmentation
Value:
• Simplified management of security policies
• Elastic security solution
• Enables sophisticated security measures
Karen Law Senior Systems Consultant VMware Hong Kong Ltd