SIE2034BE Securing your VMware Horizon Virtualized Apps or ...€¦ · •Desktop to Desktop control •Desktop to Enterprise App control •Security Services e.g. Agentless AV, NGFW,

Satish Yadavalli, General Manager & Global Practice HeadWipro Limited

Bhanu Reddy, Practice ManagerWipro Limited

Thomas Vigneron, SDDC Specialist – NSXVmware Networking and Security – VCDX #220

SIE2034BE

#VMworld #SIE2034BE

Securing your VMware Horizon Virtualized Apps and Desktop Investments with NSX

VMworld 2017 Content: Not fo

r publication or distri

bution

• This presentation may contain product features that are currently under development.

• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.

• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.

• Technical feasibility and market demand will affect final delivery.

• Pricing and packaging for any new technologies or features discussed or presented have not been determined.

Disclaimer

2#SIE2034BE CONFIDENTIAL



bution

“We believe that data is the phenomenon of our time. It is the world’s new natural resource. It is the new basis of competitive advantage, and it is transforming every profession and industry.

If all of this is true – even inevitable – then

cyber crime, by definition, is the greatest threat to every profession, every industry, every company in the world.”

- Ginni Rometty, IBM Chairman, CEO and President

3#SIE2034BE CONFIDENTIAL 3



bution

1,935

What’s Keeping Your CISO Up at Night?

4

Enterprise IT Security in the Headlines

1. Source: Verizon 2017 Data Breach Investigation Report

2. Ponemon Institute: Cost of Data Breach Study 2017

confirmed data

breaches in 20161

$3.62Maverage cost per

security breach2

#SIE2034BE CONFIDENTIAL



bution

Attacks and attackers have become more sophisticated…

5

Organized

crimeInsiders Cyber terrorists/

hacktivistsNation

states

ADVANCED PERSISTENT THREATS WEAPONIZATION OF CYBERSPACE




bution

6

Bridging End User Computing Silos

6

Web

WindowsClient-Server

Mobile




bution

#SIE2034BE CONFIDENTIAL 7

Windows apps represent

50-70% of the apps

today in the enterprise

and are difficult and

costly to secure

and support. 50-70%



bution

8

Transforming Security with Desktop Virtualization

1 Centralized Data and Delivery

2 Trusted Images – OS and App

3 Policy Based Access

4 Secure Endpoints

5 Network Security




bution

Centralized Data and Delivery

9

No endpoint data loss

(device loss, theft,

damage)

Enterprise class

datacenter safeguards

Reduced branch

infrastructure footprint

(file/print/email

servers etc.)

Efficient recovery

✔

✔

✔

✔Virtual Desktops

Data Center

Users




bution

Pristine, Trusted Images for Every Desktop

10

ONE IMAGESimplified, consistent management

No patch maintenance window

Provisioning on-demand

Space efficient




bution

Smart Polices

11

True SSO

Experience

Policy-Managed

Client Features

Access Point

Authentication

Common Criteria /

FIPS 140-2

Contextual access based on device or location




bution

Securing the Endpoints

Extensive selection of secure, easy-to-manage clients to suit your budget, application, and

performance needs.

Desktop All-in-one Mobile

ThinOSInherently virus resistant and

extremely secure

ThinLinuxHardened and optimized OS with

latest Linux libraries

Embedded WindowsAdditional security layer can be added

with defense software




bution

What about security for the VDI network?

14

DATACENTER

NETWORK

ENDPOINTS

Hardened endpoints, access policies

Centralized data, pristine images




bution

Current Challenges in the Data Center

15

Large attack surface within the data center

Multiple, discrete “east-west” flows between desktops and infrastructureUser behaviors

Zero-day threats

Compromised

internet websites

Desktop-to-desktop

hacking

Desktop-to-server

hacking

EAST WEST

Virtual DesktopData

Center

SAP, Oracle Exchange, etc.

Enterprise StorageOther

Users

WWW




bution

Regional Pediatric

Hospital Group

Extensive VDI use Persistent virtual

desktops follow

providers from room to

room, giving instant

access to critical

medical information

Friday, 8pm

Compromised VDI

DesktopUNRESTRICTED LATERAL MOVEMENT

Attacker was able to move freely between desktops and

servers in the data center, gaining access to sensitive patient

data and critical systems.

Anatomy of an Attack

16

RECENT VDI DATA BREACH




bution

Friday, 11pm Saturday, 9am

Security Response

Begins.

Sensitive Patient Data

Exfiltrated

Despite having been reported to IT when it occurred,

a response to the attack was not quick enough to prevent a

significant loss




bution

Security is needed for every desktop VM… so can’t we have it everywhere??

18

Why can’t we have individual firewalls for every desktop VM?

Data Center Perimeter

With traditional technology,this is operationally infeasible.

Cost prohibitive with complex configurations

Physical Firewalls

Slower performance, costly and complicated

Virtual Firewalls




bution

Securing East-West within VDI Environments

• Hard to implement

• Lots of physical infrastructure required

• Complex to manage

19

Organizations with focus on compliancy and risk mitigation will implementsecurity zones to protect East-West flows within the data center.

Centralized Virtual

Desktops

Sharedsvcs

DMZ

DBZone

Remote workforce

Zone

EngZone

DevZone

FinancialZone

CorpZone

PCIZone

AdminZone




bution

Traditional Networking & Security is complex!

20

SharedsvcsDMZ

DBZone

Remote workforce

Zone

EngZone

DevZone

FinancialZone

CorpZone

Internet Internal Networks

PCIZone

AdminZone

Centralized Virtual

Desktops




bution

NSX and Horizon




bution

Network, Storage,

Compute

Virtualization Layer

“Network Hypervisor”

Virtual networks

NSX Value PropositionNSX Network Virtualization and Security platform makes micro-segmentation a reality

22



bution

23

Isolation and segmentation

Unit-level trust / least privilege

Ubiquity and centralized control

321

Delivering higher levels of data center security

Micro-segmentation




bution

NSX vSwitch

With NSX

Distributed Virtual Firewall

Before NSX

More Efficient Firewalls with NSX

24

Nexus 7000

UCS Fabric A UCS Fabric B

UCS Blade 1

vswitch

6 wire hops

Nexus 7000

6 wire hops


UCS Blade 1 UCS Blade 2

vswitch vswitch

Nexus 7000


0 wire hops

Nexus 7000


UCS Blade 1 UCS Blade 2

With NSX

Distributed Virtual Firewall

Before NSX

East-West Firewalling / Same host East-West Firewalling / Host to host

2 wire hops

NSX vSwitch

UCS Blade 1

Fewer hops, more efficient and precise VM networking



bution

NSX for Horizon VDI Deployment

25

• Allows for elasticity and agility to spin up/down new pools or expand existing

• Desktop to Desktop control

• Desktop to Enterprise App control

• Security Services e.g. Agentless AV, NGFW, IPS

• Load balancing,

• Edge firewall

• NAT

• VPN

Internal Developer Pool

External Developer Pool

Internal Developer Network

External Developer Network

Horizon I

nfr

a

Micro-segmentation Edge Services Network Virtualization




bution

Horizon with NSX: Simplify Networking & Making it Secure!

26

Example Order of Adoption

Firewalling& Security

LoadBalancing

LogicalSwitching

LogicalRouting

Physicalto Virtual




bution

Segmentation of a Horizon Environment

27

• AD Group Based Identity Firewall (IDFW).

• Data Security to identifysensitive data.

• Desktop to Desktop control

• Desktop to Enterprise App control

• 3rd party Security Services e.g.

Agentless AV, NGFW, IPS

• External world to Horizon components control

• Access control between various Horizon components


External Developer Pool

Protecting Horizon Infrastructure

Protecting Desktop Pools

User / Data based access control.


3 Tier Enterprise App

Web App DB

Horizon Components (Connection Servers, Unified Access Gateway, View Composer, vCenter)




bution

Protecting Infrastructure




bution

Virtualized Apps

(ThinApps)

VMware Identity

ManagerVMware Horizon View

User Environment

Core

Infrastructure

Active

Directory

vCenter

Server

vRealize

Operations for

Horizon

Database

(SQL)

VMware vSphere + NSX + VSAN

Virtual Desktop Pools

Windows 10

Instant Clone

Windows 10

3D Desktop

Applications

(VMware App Volumes)

Linux

Clone

SaaS, Mobile

Apps

Horizon

Connection

Servers

View

Composer

Hosted RDS

Desktops & Apps

IT Settings

User Profile

Horizon Clients

VMware Horizon Architecture Overview

29

User Workspace

Unified

Access

Gateways




bution

https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/techpaper/

vmware-horizon-7-end-user-computing-network-ports.pdf30



bution

https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/techpaper/vmware-horizon-7-end-user-computing-network-ports.pdf

Easy Service Definition




bution

Micro-Segmentation – Sample Configuration

32

Infrastructure Rules

Desktop and Application

Rules



bution

Identity Based FirewallPolicy driven micro-segmentation of the user



bution

VMware NSX - Identity Based Firewall Rules (IDFW)

• DFW offers Identity Based Firewall (IDFW) functionalities:

‒ Specific AD security groups of users can be used to create DFW rules

– DFW rules are defined based on Active Directory (AD) membership (e.g. doctors or surgeons group):

‒ Define a NSX Security Group that contains an AD security group and apply it as the source of the DFW policy rule

• Users can use physical or virtual systems that have been joined to the AD Domain as the source - Destination system must be a VM.

34

Source Destination Service Action

Doctors (security

group)

Patient Record

Servers

Any Allow

Any Any Any Deny

Policy Rule:




bution

VMware NSX - Identity Based Firewall Rules & EUC

35

Before NSX

• All Desktops on a VLAN can communicate freely.

• Once one Desktop is compromised, lateral movement cannot be restricted.

With NSX

• Micro-segmentation can granularly control desktops even on shared VLAN.

• User/Group based Access Control

• Control VDI to Apps access using NGFW redirection when needed.

Jennifer(Finance)

Files HR Finance Email SharePoint

Network

Bob(HR)

Human Resources Finance




bution

Admin

Sales

Developer

Secure Just in Time Desktops

36

Network Policyfrom NSX

Sales

Developer

Admin

Sales

Developer

Admin

Application Layersfrom App Volumes

Sales

Dev.

Admin

Personalizationfrom UEM

Role-Based Desktop Creation & Customization

Salesdesktop

Admindesktop

Developerdesktop

Single Pool

StatelessdesktopSales

Developer

Admin




bution

Extensibility: Partner Dynamic Service-Chaining

37

Partner AV scan detects virus/malware

Tags Desktop VM for NSX

NSX Manager /Control Plane

NSX places Desktop VM under network lock-down

No traffic in or out

NSX Ecosystem Partner AV scan on desktop

Ex: Trend Deep Security

McAfee MOVE




bution

Device Level VPN

App Level VPN

Micro Segmentation

App Level VPN

AirWatch Per-App VPN and VMware NSX




bution

Wipro as a VMware Customer

• VMware AirWatch deployment of 150,000+

employees

• 4,000 VDI instances

• VMware virtualization

Wipro

• 30+ years in-depth experience

in infrastructure services

• Cloud advisory, Cloud

Migration, DevOps, and Cloud

Security

Wipro-VMware 360º Partnership Overview

39

Accelerate Clients’ IT Transformation to the Next Generation Data Center

VMware

• Leading cloud infrastructure and business

mobility provider

Wipro and VMware Alliance

• Strategic partnership

• Wipro’s transformation services

plus VMware’s disruptive

technologies

• VMware Premier Partner

Wipro as

a VMware

Customer

VMware

Wipro and

VMware

Alliance

Wipro




bution

Boundary-less ODCs for Wipro

40

~4,000 Users

Full VMware stackNSX for micro

segmentation, Horizon for

VDI, AppVolumes for real

time app delivery

6 RegionsUsers spread across

6 regional centers

in India

100% VDI Windows & Linux

Persistent Desktops

End points100% Thin Clients

Environment Scope Solution Benefits

Boundary-less

ODCsPhysical desk/port is not

tagged to any project/ODC

30% reductionIn overall costs

Software

Defined Storage




bution

Wipro Environment

41

4000 Virtual DesktopsLeveraging clones, AppVolumes

50 ESXi Vsphere

6.0 servers

2 vCentersNSX Distributed firewall




bution

Security

Benefits

42

Secure access to desktops from anywhere, at any time

Rapid, centralized updates and patching– OS updates through clones

– Application updates through AppStacks

Instant recovery in the event of crashes, malware proliferation

Micro-segmentation for each development center




bution

Case Study: Largest Women only University

43

Technology Implemented VMware Horizon View 6.0

Number of Virtual

desktops / Users8000 +

VDI concurrent license 5000

Hardware152 X UCS B250 M2 and

16 x UCS B200 M2

Operating System

Hypervisor : ESXi 5.5

Server OS : Windows 2012 R2

Desktop OS : Windows 7

Support Model Onsite Support

Client is the World’s largest women only university with a

capacity to enroll over 40000+ students, 10000+ faculties

Campus has a 700-bed hospital equipped with

state-of-the-art facilities

Infrastructure Manage VDI Infrastructure used by Students and Faculty

Enable seamless access to University applications and internet

browsing.

Roll out additional thin clients Year-on-Year

Business Benefits

Single point of ownership

Service and Technology transformation – Streamlined operations

Standardization of Services and policy based service management –

Repeatability and scalability

Central governance towards compliance and policies

Project Scope

Client Profile




bution

Learn More

Hands on Labs:http://labs.hol.vmware.com

Web:https://www.vmware.com/products/horizon/horizon-nsx.html



bution

http://labs.hol.vmware.com/

https://www.vmware.com/products/horizon/horizon-nsx.html



bution



bution

Documents

SIE2034BE Securing your VMware Horizon Virtualized Apps or ...€¦ · •Desktop to Desktop control •Desktop to Enterprise App control •Security Services e.g. Agentless AV, NGFW,