Thomas Kretzschmar, PDS NSX, ALPS
Network virtualization: what for? Examples from practice
© 2017 VMware Inc. All rights reserved.
Ever wondered why we are not building traditional fortresses anymore?
We built them with a problem in mind and it is very difficult to adapt them to a different situation, new arms or tactics…
VMware NSX – Networking Virtualization & Security Platform
In 2017 Networking & Security Services provisioning is still hard
Past: 8~10 weeks. Present: 1 or more weeks!
Creating the VM is fast but we still have to wait for other services: VLAN networks, firewall, IDS, security, monitoring, VPN, load balancer.
Culture Clash
Network Culture
Likes
• consistent design
• stability & redundancy
• scale without design change
Dislikes
• frequent “hey joe” changes
• “unorthodox” design variations
• “special” solutions
Application Culture
Likes
• flexibility
• mobility
• selective scalability
Dislikes
• “we can’t do this”
• “it will take a week”
• “we don’t know whether it works”
Network Heaven
• simple homogenous design
• built in one go
• built to last forever
Application Heaven
• exceptions are the rule
• never finished
• ad-hoc extensions
Different culture, different results
What is Software-Defined Data Center (SDDC)?
[Figure: a data center virtualization layer (software) on top of hardware, spanning compute, storage and network]
• Pooled compute, network, and storage capacity
• Vendor independent, best price/performance/service
• Simplified configuration and management
• Intelligence in software
• Operational model of VM for data center
• Automated provisioning and configuration
Hardware Constraints
The network, still defined by hardware, limits a virtualized environment.
[Figure: virtualization platform progress towards the SDDC; compute and storage are virtualized while the network is still bound to hardware]
“Network platform”: virtual networks on a virtualization layer over network, storage and compute.
Network virtualization is at the core of the Software-Defined Data Center approach. Network and security services are now in the hypervisor.
Network Virtualization & Security Platform – Top 5 Benefits
NSX value proposition:
1. Deliver Networking & Security Services in Software Independent of the Underlying Hardware
2. Zero Trust - Micro-Segmentation - Service Insertion - Service Chaining
3. Efficiency - Changing the Operational Model
4. Agility - Speed & Automation - Reducing Networking & Security Services Provisioning Times
5. Cost Reduction
Organization structures
Current reality: IT organizations working with siloes, i.e. siloed compute, storage, networking, and security teams.
How to evolve for NSX:
• Create cross-functional teams
• Don’t have dedicated resources
• Align performance incentives with cross-functional team work
Gartner's 2016 Magic Quadrant for Data Center Networking
Visionary: Positioned the furthest for completeness of vision
Gartner “Magic Quadrant for Data Center Networking” by Mark Fabbi, Andrew Lerner, Danilo Ciscato, May 16, 2016
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
VMware NSX Network Virtualization Platform
“If your organization is interested in improving the agility, security, and economic efficiency of your networks, ESG Lab recommends taking a close look at VMware NSX”
ESG Lab Review, 02. Feb. 2017
VMware Blog: https://blogs.vmware.com/networkvirtualization/2017/03/esg-lab-review-vmware-nsx.html
ESG Lab Review: http://research.esg-global.com/reportaction/VMwareNSXNetworkVirtualizationPlatform/Toc
Networking Virtualization Vision
Managing Security and Connectivity for many Heterogeneous End Points
• Automation: IT at the Speed of Business
• Security: Inherently Secure Infrastructure
• Application Continuity: Data Center Anywhere
End points: on-premise data center, new app frameworks, mobile devices (AirWatch), virtual desktop (VDI), branch offices (partner), Internet of Things, public clouds
VMware NSX-v Functionality
A faithful reproduction of network and security services in software
• Management APIs, UI
• Switching, Routing
• Firewalling
• Load balancing
• VPN
• Connectivity to physical networks
• Policies, Groups, Tags
• Data security, Activity monitoring
The structure of VMware NSX
Software Defined Data Center (SDDC): any application runs on the SDDC platform (data center virtualization) on top of any x86, any storage and any IP network.
Network & Security: now in the Hypervisor, i.e. switching, routing, firewalling and load balancing.
Physical view: VMs in a single logical switch
NSX Logical Switch (VXLAN-backed) on top of the vSphere Distributed Switch and the physical network
VM1 VM2 VM3
Logical switch addresses: 172.16.10.11, 172.16.10.12, 172.16.10.13
Physical (transport) addresses: 192.168.150.51, 192.168.150.52, 192.168.250.51
Traffic Flow
VXLAN-backed VDS: the VXLAN overlay runs on the vSphere distributed switch (VDS) across the IP fabric between Host A and Host B.
In this setup, VM1 and VM2 are on different hosts but belong to the same logical switch. When these VMs communicate, a VXLAN overlay is established between the two hosts.
VTEP = VXLAN Tunnel End Point
Traffic Flow
Assume VM1 (Host A) sends some traffic to VM2 (Host B) over the VXLAN-backed VDS:
1. VM1 sends L2 frame to local VTEP
2. VTEP adds VXLAN, UDP and IP headers
3. Physical transport network forwards as a regular IP packet (IP/UDP/VXLAN across the IP fabric)
4. Destination hypervisor VTEP de-encapsulates frame
5. L2 frame delivered to VM2
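The five steps above, as an added example written for this page (it is not NSX code): a VTEP-style encapsulation that wraps VM1's L2 frame in VXLAN, UDP and IPv4 headers, and the matching decapsulation on the destination host, which validates the outer headers and refuses to deliver a frame that belongs to a different VNI. The VTEP addresses 192.168.150.51/52 come from the slides; the MACs, VNI 5001, the payload, the UDP source-port derivation and the omission of the outer Ethernet header are assumptions of this example.

```python
"""VXLAN encapsulation / decapsulation as performed by a VTEP (constructed
example, not NSX code). Transport addresses reuse the slides; MACs, VNI and
payload are constructed sample values."""
import struct
import zlib
from ipaddress import IPv4Address

VXLAN_UDP_PORT = 4789        # IANA-assigned destination port for VXLAN
VXLAN_FLAG_I = 0x08          # "I" bit: the VNI field is valid (RFC 7348)
IPPROTO_UDP = 17
ETHERTYPE_IPV4 = 0x0800

# Constructed topology: VM1 on Host A, VM2 on Host B, one logical switch.
VTEP_A, VTEP_B = "192.168.150.51", "192.168.150.52"           # transport addresses
VM1_MAC, VM2_MAC = "02:00:00:00:00:01", "02:00:00:00:00:02"   # constructed
VNI = 5001                                                     # constructed segment id


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ethernet_frame(dst_mac: str, src_mac: str, ethertype: int, payload: bytes) -> bytes:
    """Inner L2 frame as VM1 hands it to its local VTEP (step 1)."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 for a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def vxlan_header(vni: int) -> bytes:
    """8 bytes: flags(1) reserved(3) VNI(3) reserved(1)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3sI", VXLAN_FLAG_I, b"\x00\x00\x00", vni << 8)


def encapsulate(inner: bytes, vni: int, src_vtep: str, dst_vtep: str) -> bytes:
    """Step 2: the VTEP prepends VXLAN, UDP and IPv4 headers (outer Ethernet omitted)."""
    vxlan = vxlan_header(vni) + inner
    # Source port derived from the inner headers so the IP fabric can ECMP-hash flows.
    src_port = 49152 + (zlib.crc32(inner[:14]) % 16384)
    udp = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, 8 + len(vxlan), 0) + vxlan
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                     IPv4Address(src_vtep).packed, IPv4Address(dst_vtep).packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + udp


def decapsulate(packet: bytes, expected_vni: int):
    """Step 4: the destination VTEP validates the outer headers, checks that the
    frame belongs to the expected segment and returns (vni, inner_frame)."""
    if len(packet) < 20 + 8 + 8:
        raise ValueError("packet too short for IP/UDP/VXLAN")
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20:
        raise ValueError("not IPv4")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if packet[9] != IPPROTO_UDP:
        raise ValueError("not UDP")
    total_len = struct.unpack("!H", packet[2:4])[0]
    udp = packet[ihl:total_len]
    _, dst_port, udp_len, _ = struct.unpack("!HHHH", udp[:8])
    if dst_port != VXLAN_UDP_PORT or udp_len != len(udp):
        raise ValueError("not a well-formed VXLAN datagram")
    flags, _, vni_field = struct.unpack("!B3sI", udp[8:16])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VNI flag not set")
    vni = vni_field >> 8
    # Segment isolation: a frame from another VNI is never delivered to this switch's VMs.
    if vni != expected_vni:
        raise ValueError(f"frame for VNI {vni} received on segment {expected_vni}")
    return vni, udp[16:]


def vm1_to_vm2(payload: bytes) -> bytes:
    """Steps 1 to 5 for one frame; returns the L2 frame VM2 receives."""
    inner = ethernet_frame(VM2_MAC, VM1_MAC, ETHERTYPE_IPV4, payload)   # 1
    packet = encapsulate(inner, VNI, VTEP_A, VTEP_B)                     # 2, 3
    _, delivered = decapsulate(packet, VNI)                               # 4
    return delivered                                                      # 5


if __name__ == "__main__":
    frame = vm1_to_vm2(b"constructed payload")
    print(len(frame), "byte L2 frame delivered to VM2:", frame.hex())
```

The inner frame travels unchanged inside the outer IP packet, which is why the physical fabric only needs IP reachability between the VTEPs; the VNI check in `decapsulate` is the property that keeps logical switches apart on a shared transport.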
Disaster recovery today (simple view)
Primary site (10.0.10/24) and recovery site (10.0.20/24), each with its own physical network infrastructure and SAN:
1. Snapshot VM
2. Replicate VM and storage (steps 1 & 2 e.g. VMware SRM)
3. Recover the VM
4. Change IP address (10.0.10.21 becomes 10.0.20.21), reconfigure security: major RTO impact
Disaster recovery with NSX network virtualization (simple view)
Primary site and recovery site each have their own physical network infrastructure (10.0.10/24 and 10.0.20/24), SAN and NSX Controller; the virtual network 10.0.30/24 exists at both sites:
1. Snapshot VM
2a. Replicate VM and storage (steps 1 & 2 e.g. VMware SRM)
2b. Snapshot network security
3. Recover the VM: network and security already exist, the VM keeps its address 10.0.30.21
80% RTO
Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/ (09.03.17)
European General Data Protection Regulation
GDPR (EU Regulation 2016/679)
Source: http://ec.europa.eu/justice/data-protection/
Mapping GDPR to NSX Capabilities
Co-branded whitepaper “Product Applicability Guide for the European GDPR”, authored by the 3rd-party assessor Coalfire Systems Inc., concludes:
– VMware NSX can be used to dynamically control where workloads can send and receive data and support a micro-segmentation architecture.
– Used ISO framework to validate VMware NSX products mapping to GDPR requirements
[Figure: mapping NSX to ISO 27001 to GDPR]
European General Data Protection Regulation
VMware GDPR White Paper
Source: http://campaign.vmware.com/imgs/emea/campaign/36825/VMware_EGDPR_WP.PDF
Preliminary draft for the revision of the Swiss Data Protection Act (DSG)
Source: https://blog.kpmg.ch/die-juengsten-entwicklungen-im-schweizer-datenschutzgesetz/
A network with a firewall: no obstacle
https://www.melani.admin.ch/dam/melani/de/dokumente/2016/technical%20report%20ruag.pdf.download.pdf/Report_Ruag-Espionage-Case.pdf
At RUAG, the perimeter firewall could not help
The attackers were able to advance unhindered through the internal network
Anatomy of an Attack
RECENT VDI DATA BREACH
Regional Pediatric Hospital Group: extensive VDI use. Persistent virtual desktops follow providers from room to room, giving instant access to critical medical information.
Friday, 8pm: compromised VDI desktop. UNRESTRICTED LATERAL MOVEMENT: malware was able to move freely between desktops, gaining access to sensitive patient data and critical systems.
Friday, 11pm: sensitive patient data exfiltrated.
Saturday, 9am: security response begins.
Despite having been reported to IT when it occurred, a response to the attack was not quick enough to prevent a significant loss.
Physical view: VMs in a single logical switch & Firewall, Micro-Segmentation
NSX Logical Switch (VXLAN-backed) on top of the vSphere Distributed Switch and the physical network
VM1 VM2 VM3
Logical switch addresses: 172.16.10.11, 172.16.10.12, 172.16.10.13
Physical (transport) addresses: 192.168.150.51, 192.168.150.52, 192.168.250.51
• Each VM can now be its own perimeter
• Policies align with logical groups
• Prevents threats from spreading
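The three bullets above, as an added example written for this page (a constructed model, not NSX code): a distributed firewall that evaluates policy per VM against security groups rather than IP addresses, with a default deny, so desktop-to-desktop traffic of the kind that enabled the lateral movement in the hospital case falls through to deny, and a migrated VM keeps exactly the same policy. The VM IPs reuse the slides; the VM names, groups, hosts, rules and services are assumptions of this example.

```python
"""Group-based distributed firewall policy, evaluated at the VM's own perimeter
(constructed model of the micro-segmentation idea, not NSX code).
VM names, groups, hosts, services and rules are constructed sample data."""
from dataclasses import dataclass
from itertools import permutations
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src_group: str   # security group name, or "any"
    dst_group: str
    service: str     # "proto/port", or "any"
    action: str      # "allow" or "deny"


@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    host: str
    groups: frozenset


class DistributedFirewall:
    """Policy is attached to groups, not to IPs or hosts, so the same decision is
    reached on whichever hypervisor the VM currently runs."""

    def __init__(self, rules: Iterable[Rule]):
        self.rules = list(rules)

    @staticmethod
    def _match(selector: str, vm: VM) -> bool:
        return selector == "any" or selector in vm.groups

    def evaluate(self, src: VM, dst: VM, service: str) -> Tuple[str, str]:
        """First matching rule wins; no match means default deny."""
        for r in self.rules:
            if (self._match(r.src_group, src) and self._match(r.dst_group, dst)
                    and r.service in ("any", service)):
                return r.action, r.name
        return "deny", "default-deny"

    def log_line(self, src: VM, dst: VM, service: str) -> str:
        """Flow log line a SOC would collect; blocked flows show up at the source VM."""
        action, rule = self.evaluate(src, dst, service)
        return (f"{action.upper()} rule={rule} {src.name}({src.ip})@{src.host} "
                f"-> {dst.name}({dst.ip})@{dst.host} {service}")


def lateral_paths(fw: DistributedFirewall, vms: Iterable[VM], group: str,
                  service: str) -> List[Tuple[str, str]]:
    """Segmentation check: VM pairs inside one group that may still reach each other."""
    members = [vm for vm in vms if group in vm.groups]
    return [(a.name, b.name) for a, b in permutations(members, 2)
            if fw.evaluate(a, b, service)[0] == "allow"]


def migrate(vm: VM, host: str, ip: Optional[str] = None) -> VM:
    """vMotion or DR recovery: a new host (and optionally a new IP) leaves policy untouched."""
    return VM(vm.name, ip or vm.ip, host, vm.groups)


# Constructed inventory using the addresses from the slides.
VDI1 = VM("vdi-01", "172.16.10.11", "host-a", frozenset({"vdi"}))
VDI2 = VM("vdi-02", "172.16.10.12", "host-b", frozenset({"vdi"}))
APP1 = VM("app-01", "172.16.10.13", "host-b", frozenset({"app"}))
DB1 = VM("db-01", "10.0.30.21", "host-a", frozenset({"db"}))
VMS = [VDI1, VDI2, APP1, DB1]

POLICY = DistributedFirewall([
    Rule("vdi-to-app", "vdi", "app", "tcp/443", "allow"),
    Rule("app-to-db", "app", "db", "tcp/3306", "allow"),
    Rule("infra-dns", "any", "infra", "udp/53", "allow"),
    # everything else, including desktop-to-desktop traffic, falls through to default deny
])

if __name__ == "__main__":
    for s, d, svc in [(VDI1, VDI2, "tcp/445"), (VDI1, APP1, "tcp/443"),
                      (VDI1, DB1, "tcp/3306"), (APP1, DB1, "tcp/3306")]:
        print(POLICY.log_line(s, d, svc))
    print("VDI pairs that can still reach each other over tcp/445:",
          lateral_paths(POLICY, VMS, "vdi", "tcp/445"))
```

`lateral_paths` is the check worth running after every policy change: for a group such as the VDI desktops it should return an empty list, which is the property the hospital environment above lacked.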
NSX Distributed Firewalling: Micro-segmentation
[Figure: perimeter firewall in front of the DMZ and an inside firewall; application tiers App, Services and DB; shared infrastructure services AD, NTP, DHCP, DNS, CERT; user groups Finance, HR and Engineering, each separated by the distributed firewall]
VMworld: SEC8348 – Deploying Security in a Brownfield Environment
VMware NSX Micro-segmentation
Source: http://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/products/nsx/vmware-nsx-microsegmentation.pdf
Granular Service Insertion
• Service Insertion can be dynamically created, configured, inserted, and deleted between any two endpoints in the infrastructure
• Allows automated and orchestrated service deployment and configuration
• Referred to as a service chain or service graph
Granular Service Insertion: Network and Guest Introspection
Two families of infrastructure services available
• Network Introspection Services
– Data in Motion
– Inspect and act on information stream
– Typical examples include Firewall, IDS/IPS, and load balancing services
• Guest Introspection Services
– Data at Rest
– Acts on endpoints, or compute constructs
– Pertains to compute and storage attributes
– Typical examples include Agentless Anti-Malware, event logging, data security, and file integrity monitoring
NSX Partner Ecosystem
Source: http://www.vmware.com/products/nsx/technology-partners.html
Customer Requirement: Secure Inter-VM Traffic in Virtual Environments
Overcome visibility and enforcement challenges with inter-VM traffic and logical networks
Requirements:
• Inter-VM traffic visibility
• Keep state during live migration events (i.e. vMotion)
• Orchestrated security across clusters (policies follow the VM independent of host location)
• Distributed firewall rules across distributed virtual switch
• Enable security control on VXLAN segments
• Centralized management across physical and virtual firewalls
[Figure: a FortiGate-VMX Security Node on each vSphere host provides the Virtual Machine Firewall (East <-> West); FortiGate at the Data Center Edge provides the Data Center Firewall (North <-> South); NSX Manager integrates with the FortiGate Service Manager; FortiManager and FortiAnalyzer provide centralized policy and logging/reporting]
Ground-breaking use cases
Enterprises can often justify the cost of NSX through a single use case
Compute asset consolidation
Access available compute capacity anywhere in the data center: from less than 40% asset utilization to up to 85% asset utilization.
Transformation: military of a European state, server consolidation
- Before: 320 hosts, thousands of VMs, 9 security zones
- After: 16 hosts, even more VMs, 9 security zones
Public transport operator of a large European city
- Starting point: 8 data centers in the city; too much effort to operate them
- Goal: consolidate to 2; budget: 4 million
- After the project: thanks to NSX, the project was completed with 0.8 million and in half the time
Amadeus Takes Off With OpenStack And Clouds
Travel technology solutions provider goes software-defined for more reliability
About: Leading provider of advanced technology solutions for the global travel industry
Challenge: Wanted to find a way to bring improved, innovative services to market in a quicker timeframe
Solution: Deployed a software-defined data center to build Amadeus Cloud Services, a container-based platform connecting the operations of all its customers
“VMware is a key partner for Amadeus and we are collaborating very closely to build our next generation of platforms, whether that’s containers, VMs, bare metal or OpenStack. Automation with NSX gives us the flexibility to deploy on the public or private cloud.”
Wolfgang Krips, EVP Global Operations & General Manager, Amadeus IT Group
IT Outcomes and Business Value:
• Can bring more innovative services to market ahead of competitors
• Customers can rely on the infrastructure to support their operations
• IT can react quicker to customer demands
• Can maintain an average availability of 99.99%
• Streamlined operations and driving cost-efficiencies through automation
Modernize Data Centers, Transform Security
Keeping Charitable Donations Safe
Large private charity donor maintains security with VMware NSX
About: Large private charity donor raising money through five European charity lotteries. Processes 8.5 million lottery tickets each month, equivalent to 1.4 billion Euros
Challenge: Scalable IT platform to keep pace with growth; provide a highly secure environment; lower IT costs in order to donate more money to charity
Solution: Private cloud features VMware vCloud Suite and VMware NSX
“Things can happen in seconds or minutes rather than hours or days. That’s a big advantage for such a dynamic environment. I’m confident that NSX is going to be an industry standard.”
Dharminder Debisarun, Head of IT, Novamedia
IT Outcomes and Business Value:
• Robust security protects the billions of Euros it handles
• Highly automated system increased efficiency, reducing IT spend by 10%, allowing more money to be donated to charity
• Segmented VMs all individually firewalled so any attack is isolated and blocked at source
• Lowered IT costs increases money donated to charity
Modernize Data Centers, Transform Security
Free University of Bolzano
A network enhanced. Through software.
About: The Free University of Bolzano was founded in 1997 at the behest of the Autonomous Province of Bolzano. The University has five faculties with a total of 3500 students.
Challenge: The IT team at the Free University of Bolzano was at a crossroads: a network that needed to handle increasing amounts of traffic, a series of hardware devices that could no longer meet operational needs and others nearing the end of their useful life, and network management that had grown ever more complex.
Solution: The University decided to abandon a traditional network model in favour of a Software-Defined Network using VMware NSX.
"We decided to abandon a traditional network model in favour of a Software-Defined Network, by implementing a VMware NSX solution on 16 nodes of our ESX cluster.”
Cristiano Cumer, Systems Engineer, Free University of Bolzano
IT Outcomes and Business Value:
• Simplification and increased efficiency in network management tasks, while achieving higher levels of security than in the past
• Lower new hardware acquisition costs
• Greater scalability in the provision of increasing amounts of computing resources on the network
• Drastic reduction in preparation times for new virtual machines
• Efficient processing load distribution on all hosts
Transform Security
Banca Popolare di Sondrio Innovates Securely
Leading Italian Bank provides seamless, secure customer experiences with NSX
About: Founded in 1871, an Italian bank with over 350 branches. The bank has over 2,600 employees and offers banking, financial and insurance services to a range of customers
Challenge: The bank needs to keep innovating in order to provide a seamless, innovative user experience for its customers. But this needs to be underpinned with a fully-secure and compliant environment
Solution: Created a SDDC environment based on vSphere and vCenter, before adding NSX for a fully-secure virtual network
“VMware is helping our data center and cloud strategies in many ways: we use vSphere as a backbone for the virtualization infrastructure, we use vRealize Automation for all the automation tasks and private clouds provisioning and so on, we use NSX for network virtualization, we use vSAN for software defined storage.”
Piergiorgio Spagnolatti, Head of Infrastructure
IT Outcomes and Business Value:
• New applications can be developed for customers to use
• Customers get the latest, most intuitive services
• IT can react quicker to business demands
• Micro-segmentation ensures the Bank is industry compliant
• All development is carried out in a completely secure environment
Modernize Data Centers, Transform Security
German manufacturer of screws and passive components
- Starting point: IT could not meet the departments’ requirements in time (provisioning virtual machines); virus outbreak at the beginning of 2016 with rapid spread
- Solution: departments order VMs via a self-service portal (vRealize Automation); agentless AV + NSX protect automatically
Digital transformation of Helvetia Insurance: IT infrastructure ready for the future
About: The Swiss insurance company Helvetia is one of the most renowned insurance companies in Switzerland and has its group headquarters in St. Gallen
Challenge:
- Additional improvement of existing IT security
- Reducing administrative tasks while maintaining productivity
- Reducing costs
Solution: By implementing VMware NSX in combination with vSEC from Check Point, Helvetia’s automation of IT in general, as well as of IT security processes in the network in particular, was improved and business continuity was promoted using simplified management processes
“Thanks to VMware NSX we no longer need to manually change server IP addresses. Firewall regulations can be managed centrally using a tool and security zones are transferred automatically during server deployment.”
Michael Welte, Head of Service and Cloud Management at Helvetia
IT Outcomes and Business Value:
• Increased efficiency and business continuity
• European subsidiaries that are supported with IT services are much more satisfied
• Quick response to the rising demands on infrastructure
• Secure provision of standardized systems
Transform Security
Provider in Switzerland
- Automated infrastructure for several customers
- Customers can move VMs from their own data center during live operation
Health insurer in Switzerland
- Audit: database with customer information not protected by a firewall against insider attacks
- After the project: the distributed firewall protects the database. No change to the network was necessary.
Small palace park in a German-speaking capital
- Agentless AV + NSX protect automatically
- The environment comprises only 4 CPUs
Swiss retailer of fittings
- NSX prevents communication between VDIs
- The environment comprises only 8 CPUs
Small university in the German-speaking region
- Starting point: seminars and exams were moved to a VDI environment; grade averages improved
- Reason: students were able to send messages to each other
- After the project: since the introduction of NSX, grade averages have “normalised” again
VMware NSX – Links
• VMware NSX product page: http://www.vmware.com/products/nsx.html
• NSX Documentation Center: https://www.vmware.com/support/pubs/nsx_pubs.html
• NSX Design Guide: https://communities.vmware.com/docs/DOC-27683
• NSX Data Sheet: http://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/products/nsx/vmware-nsx-datasheet.pdf
• NSX @YouTube: https://www.youtube.com/user/vmwarensx, https://www.youtube.com/watch?v=PciyGPCykLI
• VMware Validated Designs: https://www.vmware.com/support/pubs/vmware-validated-design-pubs.html