Software Defined Data CentersNetwork Virtualization & Security

Jeremy van DoornDirector of Systems EngineeringEMEA, Network & Security

1

2

“My business and its IT organization are being engulfed by a torrent of digital opportunities. We cannot respond in a timely fashion, and this threatens the success of the business and the credibility of the IT organization.”

— Worldwide CIO Survey Gartner, 2014

3

4

To stimulate growth and drive competitive advantage

Amaze customers and empower employees

Manage risk and protect brand value

The Driving Forces Behind the Liquid World

CONFIDENTIAL7

CLOUDMOBILE011010100100101

011010100100101

011010100100101

011010100100101

011010100100101

011010100100101

011010100100101

SLOW TECHNOLOGYADOPTION RATES

Harnessing Mobile and Cloud Is Challenging

CONFIDENTIAL8

HIGH USER EXPECTATIONS

SLOW REPONSES

PRIVACYISSUES

INTEGRATION PROBLEMS

SERVICE OUTAGES

SHORTAGE OF RIGHT SKILLS

DECLINING BUDGET

DIFFERENT APPLICATIONS AGING INFRASTRUCTURE

SECURITY

PROLIFERATIONOF DEVICES

FRAGMENTEDDATA CENTER

LIMITED RESOURCES

CLOUD SILOSSECURITY

PROLIFERATIONOF DEVICES

FRAGMENTEDDATA CENTER

CLOUD SILOS

Time for a New Model of IT

9

Optimized for rapid

development and delivery

of all applications, for safe

consumption on any deviceFLUIDINSTANT SECURE

Software-Defined Agility

Instant provisioning,delivery, and access from

data center to device

SeamlessHybridity

Unified private and publicclouds to dynamically

deploy any app or workload

IntrinsicSecurity

Enhanced security nativeto apps, infrastructure,

and devices

VMware: Your Best Partner for Brave New IT

INSTANT FLUIDSECURE

10

Conventional Approach to IT

11

Traditional Applications

Modern, Cloud Applications

On-Premises Public CloudOutsourced

AnyApplication

Traditional Applications

Modern, Cloud Applications

VMware Architecture for IT

Traditional Applications

Modern, Cloud Applications

OneCloud

Build-Your-OwnConverged

InfrastructureHyper-Converged

Infrastructure

Cloud Management

HYBRID CLOUD

PRIVATE

YourData Center

PUBLIC

vCloud Air

MANAGED

vCloud AirNetwork

Virtualized Compute, Network, Storage

AnyDevice

Business Mobility: Applications | Devices | Content

Software Defined Data Center

12

One Cloud, Any Application

13

Any Application,

Anywhere

Architect, deploy, and

run all traditional and

modern applications

Open

Management

Flexible choice to manage

your cloud infrastructure

and your applications

Unified Platform

On- and off-premise cloud with a common

Software-Defined Data Center platform, built on

VMware’s best-in-class compute, network, and

storage virtualization solutions

HYBRID CLOUD

PRIVATE MANAGED

Your Data Center

vCloud AirNetwork

PUBLIC

vCloudAir

The Software-Defined Data Center Approach

Ideal Architecture for the Hybrid Cloud

• All infrastructure services virtualized: compute, networking, storage

• Control of data center automated by software (management, security)

• Unified platform for existing and new apps, delivered to many devices

14

Hybrid Cloud

Compute Networking Storage

Management

Two Different Paths Forward:Hardware-Defined or Software-Defined Architecture?

1515

Software-Defined ApproachHardware-Defined Approach

Proprietary

HardwareIntelligence

Software Layer

Manual Operations

IT Struggles to Keep UpIT Moves at the Speed

of the Business

Existing

Hardware

Software

Layer

Intelligence

Automated Operations

Is SDDC a Proven Architecture?

16

Custom Application

Google / Facebook /

Amazon Data Centers

Custom Platform

Any x86

Any Storage

Any IP network

Software / Hardware Abstraction

Software / Hardware Abstraction

Software Defined

Data Center (SDDC)

Any Application

SDDC Platform

Any x86

Any Storage

Any IP network

Data Center Virtualization

Hardware Defined

Data Center (HDDC)

Any Application

HDDC Platform

Integrated x86

Integrated Storage

Vendor Specific

Network

Ve

rtic

al In

teg

ratio

n

SDDC Architecture is Future proof

17

Data Center Virtualization

Inter- Data Center

Any Application

Any x86

Any Storage

Any IP network

Hybrid- Data Center

Any Application

Any x86

Any Storage

Any IP network

Software Defined

Data Center (SDDC)

Any Application

SDDC Platform

Any x86

Any Storage

Any IP network

Data Center VirtualizationSDDC Platform

Cloud OperationsIntelligent, automated

operations with

comprehensive visibility

from apps to storage

Service Health

Capacity Optimization

Configuration Standards

VMware Cloud Management

18

The Control Plane for the Software-Defined Data Center and the Hybrid Cloud

Cloud AutomationAutomated, self-service

delivery of personalized

IT services

Service Catalog

Governance

Release Automation

Cloud BusinessComplete transparency

into costs and quality of

all IT services

Cost Transparency

Benchmarking

Service Quality Mgmt

• A cloud management platform purpose-built for heterogeneous datacenters and hybrid cloud

• Extends vCloud Suite to manage OpenStack, AWS, Hyper-V, KVM, and vCloud Air

• Works with modern and traditional application architectures

• Choice of on-prem or SaaS delivery model

OpenStack Runs Best on VMware

Deliver the OpenStack APIs Developers Want

Best-of-breed compute,

network, storage

Elegant, rapid, and

simplified operations

Single support

contact

Best of All: Free for vSphere Enterprise Plus Users

VMware Integrated OpenStack

+ VMware

19

vSphere – The Best Platform for All Applications

20

Scale-Up Apps /

Business Critical

AppsContainers

Integrated

OpenStackDesktop

Virtualization

Scale-Out

Applications

Capabilities

• Scalability enhancements (VMs and Clusters) for all application

workloads

• Desktop Virtualization – 2D/3D Graphics, Instant Clone

• OpenStack on vSphere = Success

• Big Data Extensions and Pivotal CF (PaaS) Support

• Linux Container Support

Benefits and Proof Points

• Increased scalability and performance

• SAP Hana – 400% performance gains over RDBMS

and 9x gains in planning load times

• Rapid deployment of desktop virtual machines in seconds

• 10x faster than in previous releases

• Productivity and portability for application developers

• Deliver Choice of Architecture

And Many More…

Rapid development, automated

deployment and secure consumption of all

enterprise apps

Choice in datacenter automation

and management

Best-in-class VMware technologies

across hybrid clouds

Unified Platform Any Application Flexible Control

VMware Software-Defined Storage Architecture

VMware Virtual SAN™

VMware vSphere

Storage-Policy Based Management

Virtual VolumesVVOL-enabled arrays

Storage

Partners

21

Network Virtualization

Hypervisor

vSwitch

Hypervisor

vSwitch

Hypervisor

vSwitch

Hypervisor

vSwitch

New Model for Security: Micro Segmentation

Virtual Network Virtual NetworkVirtual Network

VMware NSX™: The Network Hypervisor

50+ additional

partners

22

BridgingTwo Worlds

Software DefinedData Center Approach

Traditional Approach

Network Virtualization is at the core of an SDDC approach

Network, storage, compute

Virtualization layer

Non-Disrupting Deployment

Network, storage, compute

Virtualization layer

“Network hypervisor”

Virtual Data Centers

Network Virtualization is at the core of an SDDC approach

Non-Disrupting Deployment

The Power of Distributed Services

Switching

Routing

Firewalling/ACLs

Load Balancing

Network and security services now distributed in the hypervisor

Switching

Routing

Firewalling/ACLs

Load Balancing

High throughput rates

East-west firewalling

Native platform capability

The Power of Distributed Services

Programmatically Provisioned

Network & Security Services Distributed to the Virtual SwitchPhysical Network becomes high-speed IP backplane

Native Isolation

192.168.2.10

192.168.2.10

192.168.2.11

192.168.2.11

Support for Physical Workloads and VLANs

Security in the Software Defined Data Center

33

Copyright 2014 Trend Micro Inc. 34

$71.1 BWW 2014 Information

Security spending

46%Increase in 2015 security

technology spend

1,208# of new cybersecurity companies (solutions)

since 2010

43%

More Security Spend ≠ More Secure

Yet …

312Average # of Days a zero-day vulnerability goes un-

detected and/or un-patched

>$455 BTotal cost of cybercrime in

2014% of orgs. reported

datacenter breaches in 2014

Traditional security has little meaning in a borderless

Software Defined Data Center

Insufficient visibility into East-West traffic & inter-VM attacks Static policies cannot keep up with dynamic workloads

Service Provisioning is Slow, Complex & Error-prone

Disparate security solutions and lack of uniform policies

across clouds creates an operational nightmare

Traditional approaches to reduce breaches inside Data Center perimeter...

Adding more internal security…

Requires placing more security controls across

workloads

• Optimized for Data Center Perimeter

• Cost prohibitive: thousands needed

• Configuration and security policies restricted by network

topology

• Inefficient “choke point”

• Impractical for lateral coverage

Physical Security Appliances

Data Center Perimeter

Internet

• Lacks selective traffic inspection for smarter security

• Hair-pinning impacts performance

• Limited segmentation capabilities

• Lacks dynamic provisioning, deployment and scale out

Virtual Security Appliances Today

Data Center Security Options

37

Secure Perimeter

vs.

Zero-Trust Pervasive Security

Problem: Data Center Network SecurityPerimeter-centric network security has proven insufficient, and micro-segmentation is operationally infeasible

Little or no

lateral controls

inside perimeter

Internet Internet

Insufficient OperationallyInfeasible

Why traditional approaches are operationally infeasible…

39

Internet

Perimeter Firewalls

• Create firewall rules before provisioning

• Update Firewall rules when move or change

• Delete firewall rules when app decommissioned

• Problem increases with more East-West traffic

How an SDDC approach makes micro-segmentation feasible

40

Internet

Security Policy

Perimeter Firewalls

CloudManagement

Platform

A “Zero Trust” model becomes operationally feasibleLogically align controls to what you are protecting

Isolation Explicit Allow Comm. Secure Communications

IPS

FIM

AM

WR

Se

rvic

e I

nse

rtio

n

Application A

Application B

App Tier

DB Tier

(e.g

TC

P,1

433)

No Communication Path

Intrusion Protection

File Integrity

Anti-Malware

Web Reputation

Isolation and segmentation

Unit-level trust / least privilege

Ubiquity and centralized control

321

Delivers higher levels of data center security

Micro-segmentation

Intelligent groupingGroups defined by customized criteria

Operating System Machine Name

Application Tier

Services

Security PostureRegulatory

Requirements

There is a BIG difference…

• Traditional Rule Mgt &

Operations

• Chokepoint Enforcement

• Virtual Firewalls

(~1Gbps)

Virtual Firewalls

Physical Firewalls

• Traditional Rule Mgt &

Operations

• Chokepoint Enforcement

• Physical Firewalls (~100

Gbps)

Distributed Firewalling

• Automated Policy Mgt & Operations

• Distributed Enforcement

• vSphere Kernel-based Performance

• Distributed Scale-out Capacity (20

Gbps/host)

SDDC Platform – “Zero Trust” is Now Operationally Feasible

45

Hypervisor-based, in kernel distributed firewalling

• High throughput rates on a per hypervisor basis

• Every hypervisor adds additional east-west firewalling capacity

• Native feature of the VMware NSX platform

Platform-based automation

• Automated provisioning and workload adds/moves/changes

• Accurate firewall policies follow workloads as they move

Audit Compliance

20 Gbps Firewallingthroughput per host

Data center micro-segmentationbecomes operationally feasible

NSX Platform Extensibility…With Advanced Security

• Add leading security solutions to your micro-segmentation deployment for greater security

• Apply the SDDC operational model to 3rd-party security products

• Adapt to changing security conditions in the data center by enabling security solutions to share intelligence

Traditional Data Center

Static service chain

In a traditional data center, security services must be configured when the

network is architected, meaning the “chain” of services is locked in once

deployed. This is an inefficient use of resources and cannot defend against

changing threat conditions.

NSX Data Center

Dynamic service chain

In an NSX data center, 3rd-party security solutions use NSX security tags

to share intelligence, adapting to changing security conditions. NSX

automatically applies the correct security function as needed.

1 32

Advanced Services Insertion – Example: Palo Alto Networks NGFW

Internet

Security Policy

Security Admin

TrafficSteering

Automated Security in a Software Defined Data CenterQuarantine Vulnerable Systems until Remediated

48

Security Group = Quarantine

Members = {Tag = ‘ANTI_VIRUS.VirusFound’}

Security Group = StandardPolicy Definition

Standard Policy

Anti-Virus – Scan

Quarantined Policy

Firewall – Block all except security tools

Anti-Virus – Scan and remediate

Benefits of Taking a Software Defined Data Center Approach

49

Multi-tenant Infrastructure

IT Automating IT

Developer CloudDMZ Anywhere

Micro-segmentation

Secure End User

Metro Pooling

Hybrid Cloud Networking

Reduce infrastructure

provisioning time from

weeks to minutes

Secure infrastructure

at 1/3 the cost

Reduce RTO by 80%

Disaster Recovery

Security Speed & Agility Application Continuity

Value

NSX customer momentum

Service Providers

Global Financials

Retail

Healthcare

Integrators

Media & Communications

Transportation

Government

Education

Starting Point

For a full listing of other NSX related sessions at VMworld: http://virtualizeyournetwork.com/vmworld2015us/

Technical DiscoveryThe things you need to do…

First Step virutalizeyournetwork.com

Connect & Engage

communities.vmware.com

Education & Certification

vmware.com/go/NVtraining

Test Drive

labs.hol.vmware.com

The things you need to read…

Thank you