VMworld 2013 – Bilal Malik, Palo Alto Networks; Adina Simu, VMware. Learn more about VMworld and register at http://www.vmworld.com/index.jspa?src=socmed-vmworld-slideshare
VMware NSX with Next-Generation Security by Palo Alto Networks
Bilal Malik, Palo Alto Networks
Adina Simu, VMware
SEC5755
#SEC5755
2
Session Objectives
Discuss security challenges in virtualized environments
Introduce NSX Firewall and Palo Alto Networks Panorama and VM-Series
Review the complete security solution that VMware and Palo Alto Networks have built jointly
3
Recommended Sessions & Labs
NET5716 – Advanced NSX Architecture
NET5266 – Bringing Network Virtualization to VMware Environments with NSX
NET5270 – Virtualized Network Services Model with NSX
NET5522 – VMware NSX Extensibility: Network and Security Services from 3rd-Party Vendors
Hands-on labs on NSX and NSX Firewall: HOL-SDC-1303
4
Agenda
Datacenter Transformation
What are the security barriers to transformation?
What is the solution?
How does the solution work?
Q&A
5
Diagram: Infrastructure → Server Virtualization → Cloud
The software-defined data center is agile, flexible, elastic and simple
• Fast workload provisioning – weeks to hours
• Unlimited workload placement & mobility
• IT as a service with performance and scalability
• Simplified data center operations & economics
It's about speed - Software Defined Data Center Transformation
6
Agenda
Datacenter Transformation
What are the security barriers to transformation?
What is the solution?
How does the solution work?
Q&A
7
Typical Data Center Physical Firewall Deployment
Gateway placement designed around the expectation of L3 segmentation
VM-to-VM traffic hairpinned to the FW
No "VM" awareness
VLAN complexities
FW as a performance bottleneck
Complex rule sets
Traditional physical firewalls limit your data center
8
Security Policies Cannot Keep Up …
Manual Security Rule changes
No VM Context
Not integrated into automated workflows
9
Applications Have Evolved …
10
Threats Come from Surprising Places …
Source: "Application Usage and Threat Report" (Palo Alto Networks), February 2013
Aggregates application and threat logs from 3,000+ organizations across the globe
95% of all exploit logs came from just 10 applications
9 of the 10 are common business apps in data centers:
• MS-SQL
• MS-RPC
• SMB
• MS SQL Monitor
• MS Office Communicator
• SIP
• Active Directory
• RPC
• DNS
11
Agenda
Datacenter Transformation
What are the security barriers to transformation?
What is the solution?
How does the solution work?
Q&A
12
The Need for a Comprehensive Security Solution
VMware NSX Platform – NSX Distributed Firewall:
• VM-level zoning without VLAN/VXLAN dependencies
• Line-rate access control traffic filtering
• Distributed enforcement at the hypervisor level
Palo Alto Networks Next-Generation Security – Next-Generation Firewall:
• Protection against known and unknown threats
• Visibility and safe application enablement
• User-, device-, and application-aware policies
Sophisticated Security Challenges:
• Disappearance of standard application behavior
• Distributed user and device population
• Modern malware
13
VMware NSX and Next-Generation Security Integrated Solution
Diagram labels: Any Application (without modification); Virtual Networks – Logical L2, Logical L3, Logical Firewall, Logical Load Balancer, Logical VPN; VMware NSX Network Virtualization Platform; Any Network Hardware; Any Hypervisor; Any Cloud Management Platform; Palo Alto Networks Next-Generation Security – Security Provisioning, Palo Alto Networks VM-Series, Palo Alto Networks PA-5000 Series
Components:
• VMware NSX (including NSX Manager and NSX API – cloud provisioning; VMware NSX Firewall – native, kernel-based firewall and traffic steering)
• Palo Alto Networks Panorama – security provisioning
• Palo Alto Networks VM-Series – next-generation security platform
14
NSX Distributed Firewall
Scale-out architecture
• Embedded in the hypervisor
Line-rate performance
• 10Gbps+ per host
Flexible access control architecture
• NSX Logical Containers
• VM Tags
• User Identity and Active Directory support
No VM can circumvent the firewall
• Rules follow the VMs
15
VM-Series Firewall
PAN-OS firewall in virtual machine form factor
Separation of management and data plane
Complete Next-Gen firewall features
• App-ID
• User-ID
• Content-ID
• WildFire
Dynamic Address Groups
Centrally managed through Panorama
16
Agenda
Datacenter Transformation
What are the security barriers to transformation?
What is the solution?
How does the solution work?
Q&A
17
Example: How to secure an MS SharePoint deployment
Diagram – WEB Tier: IIS Web Front End 1, IIS Web Front End 2; Application Tier: SharePoint 1; Database Tier: MS SQL 1; plus Domain Controller 1
18
Setup
19
20
Three steps:
1
Register the Next Generation Palo Alto Networks Firewall with NSX Manager
2
Deploy NSX Firewall and Palo Alto Networks VM-Series appliances
3
Define and consume security policies
21
Next-Gen Firewall Service Registration
22
23
Three steps:
1
Register the Next Generation Palo Alto Networks Firewall with NSX Manager
2
Deploy NSX Firewall and Palo Alto Networks VM-Series appliances
3
Define and consume security policies
24
Automated Deployment of all solution components
Diagram: VMs across the hosts, with the Cloud Admin and Security Admin roles
25
Next-Gen Firewall Service Deployment
26
27
Three steps:
1
Register the Next Generation Palo Alto Networks Firewall with NSX Manager
2
Deploy NSX Firewall and Palo Alto Networks VM-Series appliances
3
Define and consume security policies
28
Define NSX Logical Containers and attach policy
Simplify application management boundaries
29
Populate VM context into Next Gen Firewalls
Diagram: NSX Manager; NSX Logical Containers (virtualization context); policy rules and configuration; VMs across the hosts
30
How to create NSX Logical Containers and traffic steering policy
32
Next-Gen Firewall Rules and Traffic Inspection
34
Securing the application scale-out
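The three steps above end with rules that reference NSX Logical Containers rather than addresses, which is what lets the web tier scale out without a rule change. The following added example is not NSX or Panorama code; it is a small model of that behaviour for the SharePoint tiers, and the container names, tags, IPs and ports are constructed assumptions.

```python
# Constructed illustration (not NSX or Panorama code) of tag-based segmentation for the
# three-tier SharePoint example: containers are tag matches, rules never name an IP.
from dataclasses import dataclass

@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    tags: frozenset

# Logical container -> tag that grants membership (assumed tagging scheme).
CONTAINERS = {"Web": "tier=web", "App": "tier=app", "DB": "tier=db", "Infra": "tier=infra"}

# Allow rules as (source container, destination container, destination port).
# Unmatched flows are denied; ports are assumed for illustration (1433 = MS-SQL).
RULES = [
    ("Web", "App", 80),     # IIS front ends -> SharePoint
    ("App", "DB", 1433),    # SharePoint -> MS SQL
    ("Web", "Infra", 389),  # LDAP to the domain controller
    ("App", "Infra", 389),
]

def resolve(vms):
    """Dynamic address groups: container name -> set of current member IPs."""
    return {c: {vm.ip for vm in vms if tag in vm.tags} for c, tag in CONTAINERS.items()}

def is_allowed(src_ip, dst_ip, dst_port, vms):
    """Evaluate one flow against the container rules using current membership."""
    groups = resolve(vms)
    return any(src_ip in groups[s] and dst_ip in groups[d] and dst_port == p
               for s, d, p in RULES)

def baseline_inventory():
    """The five VMs from the slide diagram, with constructed IPs and tags."""
    return [
        VM("IIS Web Front End 1", "10.0.1.11", frozenset({"tier=web"})),
        VM("IIS Web Front End 2", "10.0.1.12", frozenset({"tier=web"})),
        VM("SharePoint 1", "10.0.2.21", frozenset({"tier=app"})),
        VM("MS SQL 1", "10.0.3.31", frozenset({"tier=db"})),
        VM("Domain Controller 1", "10.0.4.41", frozenset({"tier=infra"})),
    ]

def scale_out(vms, name, ip, tag):
    """Provision one more VM; policy follows it via its tag while RULES is untouched."""
    return vms + [VM(name, ip, frozenset({tag}))]

if __name__ == "__main__":
    vms = scale_out(baseline_inventory(), "IIS Web Front End 3", "10.0.1.13", "tier=web")
    print(is_allowed("10.0.1.13", "10.0.2.21", 80, vms))    # True: inherits Web -> App rule
    print(is_allowed("10.0.1.13", "10.0.3.31", 1433, vms))  # False: no Web -> DB rule
```

An untagged or unknown VM falls into no container and is therefore denied by default, which is the behaviour to verify when a workload is provisioned without its tag.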
36
Complete protection - Protect against malware
Diagram – WEB Tier: IIS Web Front End 1, IIS Web Front End 2; Application Tier: SharePoint 1; Database Tier: MS SQL 1; plus Domain Controller 1
37
Exploit Example
39
An Integrated Solution for Securing the Software Defined Data Center
VMware NSX and Palo Alto Networks Next-Generation Security benefits:
Accelerate application delivery with transparent security enforcement
Optimize operational efficiency via simplified business policies
Address security and compliance mandates with next-gen protection
40
Come to the Palo Alto Networks booth
Booth #2305
More DEMOS & Giveaways
THANK YOU