Virtualize your Network with VMware NSX NET3305-S Martin Casado, VMware, Inc

VMworld 2014: Virtualize your Network with VMware NSX


CONFIDENTIAL 2

Disclaimer

• This presentation may contain product features that are currently under development.

• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.

• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.

• Technical feasibility and market demand will affect final delivery.

• Pricing and packaging for any new technologies or features discussed or presented have not been determined.


Guidance from Giants

Traditional Data Center
  Any Application
  L2/L3 or Proprietary Network
  Security, Fault Isolation, Service Chaining, Discovery, Load balancing
  Opex/Capex = $$$$; Innovation = HW design cycle

Modern SaaS Data Center
  Custom Application
  IP Network
  Security, Fault Isolation, Service Chaining, Discovery, Load balancing
  Opex/Capex = $; Innovation = SW design cycle

What is VMware NSX?

Internet (diagram label)

VMware NSX Momentum: Customers

• 4 of 5 top investment banks

• Leading global enterprises & service providers

Three Reasons Companies Virtualize Their Network…

1. Speed – On Demand Apps and Services

2. Economics – Opex Efficiency & Capex Cost Savings

3. Security – Re-Architect Datacenter Security

Security Use Case

A Picture of Diminishing Returns: The only thing outpacing security spend is security losses

(Chart, 2010-2013: IT Spend, Security Spend, Security Breaches)

A Modern Attack: Malware/attack vectors tested against known signatures & are often VM-aware

A Modern Kill Chain… is highly targeted, interactive and stealthy

1 PREP
  1 Human Recon
  2 Attack Vector R&D
  3 Primary Attack

2 INTRUSION: Leverage endpoints that circumvent perimeter controls
  4 Compromise Primary Entry Point (Phishing, Waterholes, etc.)
  5 Install Command & Control (C2) I/F
  (Strain A: Active; Strain B: Dormant)

3 RECON: Leverage hyper-connected computing base, accessible topology info & shared components
  6 Escalate Privileges on Primary Entry Point
  7 Lateral Movement
  8 Install C2 I/F, Wipe Tracks, Escalate Priv.

4 RECOVERY: Sensor, alerts and logs easily accessible
  9 Wake Up & Modify Next Dormant Strain
  (Attack Identified, Response; Strain B: Active; Strain C: Dormant)

5 ACT ON INTENT
  10 Break into Data Stores
  11 Parcel & Obfuscate

6 EXFILTRATION: Exploit weak visibility and limited internal control points
  12 Exfiltrate
  13 Cleanup

Perimeter-Centric: 80% of resources focused on preventing intrusion

Limited visibility and control inside the datacenter to detect and respond to attacks

Micro-Segmentation with NSX


Problem: Data Center Network Security

Perimeter-centric network security has proven insufficient, and micro-segmentation is operationally infeasible

• Insufficient: little or no lateral controls inside the perimeter

• Operationally infeasible

(Diagram labels: Internet; Internet)

Using Network Virtualization For Micro-Segmentation

(Diagram labels: Internet; Perimeter Firewalls; Security Policy; Cloud Management Platform)
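The contrast the slides draw, a single perimeter choke point versus a security policy enforced at every workload, as an added example that is not part of the deck and is not NSX code or its API: a toy Python model in which a constructed rule set is written in terms of workload context (the tier a VM belongs to) and is evaluated for every flow, so the lateral moves from the kill chain earlier in the deck are denied where a perimeter-only model passes them unexamined. All workload names, addresses, tiers, rules and flows are constructed, and the functions `perimeter_allows`, `segmented_allows`, `evaluate` and `lateral_flows_blocked_only_by_segmentation` are hypothetical.

```python
"""
Added example (not from the VMworld deck): a toy model contrasting
perimeter-only enforcement with per-workload (micro-segmented) enforcement.
Every name, address, tier, rule and flow below is constructed for
illustration; nothing here is the NSX API.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str   # source VM name (constructed inventory key)
    dst: str   # destination VM name
    port: int  # destination TCP port


# Constructed inventory: each workload carries context (tier, data class),
# not just an address. Policy is written against that context.
WORKLOADS = {
    "web-1": {"ip": "10.0.1.10", "tier": "web", "data": "public"},
    "web-2": {"ip": "10.0.1.11", "tier": "web", "data": "public"},
    "app-1": {"ip": "10.0.2.10", "tier": "app", "data": "internal"},
    "db-1":  {"ip": "10.0.3.10", "tier": "db",  "data": "confidential"},
}

# Constructed address range that the perimeter treats as "inside".
INTERNAL = ip_network("10.0.0.0/16")


def perimeter_allows(flow: Flow) -> bool:
    """Perimeter-centric model: the edge is the only control point.
    Traffic whose source is already inside the perimeter is never
    inspected, so every east-west flow is implicitly allowed."""
    src_ip = ip_address(WORKLOADS[flow.src]["ip"])
    return src_ip in INTERNAL


# Constructed micro-segmentation policy: explicit allow rules between
# tiers, default deny for everything else (including same-tier traffic).
ALLOW_RULES = [
    # (source tier, destination tier, destination port)
    ("web", "app", 8080),
    ("app", "db", 5432),
]


def segmented_allows(flow: Flow) -> bool:
    """Distributed enforcement model: the same rule set is evaluated at
    every workload's virtual NIC, so lateral traffic inside the perimeter
    is subject to policy rather than trusted by position."""
    if flow.src == flow.dst:
        return True
    src_tier = WORKLOADS[flow.src]["tier"]
    dst_tier = WORKLOADS[flow.dst]["tier"]
    return any(src_tier == s and dst_tier == d and flow.port == p
               for s, d, p in ALLOW_RULES)


def evaluate(flow: Flow) -> dict:
    """Verdict of both models for one flow."""
    return {"perimeter": perimeter_allows(flow),
            "segmented": segmented_allows(flow)}


# Constructed flows: the first two are legitimate tier-to-tier traffic;
# the last two model the lateral-movement stage of the kill chain
# (a compromised web server reaching the database and a peer web server).
SAMPLE_FLOWS = [
    Flow("web-1", "app-1", 8080),
    Flow("app-1", "db-1", 5432),
    Flow("web-1", "db-1", 5432),
    Flow("web-1", "web-2", 22),
]


def lateral_flows_blocked_only_by_segmentation() -> list:
    """Flows the perimeter would pass but per-workload policy denies:
    exactly the gap the slides describe as 'little or no lateral controls'."""
    return [f for f in SAMPLE_FLOWS
            if perimeter_allows(f) and not segmented_allows(f)]


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f, evaluate(f))
    print("blocked only by segmentation:",
          lateral_flows_blocked_only_by_segmentation())
```

The design point is in where the rule set is evaluated, not in the rules themselves: `perimeter_allows` has no opinion about east-west traffic because the edge never sees it, while `segmented_allows` applies the same short policy to every flow regardless of where the source sits. Writing the rules against tiers rather than addresses is what lets the policy follow a workload when it moves.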

Looking Into the Future

The “Goldilocks Zone”

(Diagram labels: Too Hot; Too Cold)

Trading Off Context and Isolation

Software Defined Data Center (SDDC): Any Application on the SDDC Platform, over Any x86, Any Storage, Any IP network (Data Center Virtualization)

Traditional Approach: High Context / Low Isolation, or High Isolation / Low Context; No Ubiquitous Enforcement

Delivering Both Context and Isolation

Secure Host Introspection: High Context, High Isolation, Ubiquitous Enforcement

Broad Impact Across Many Security Verticals

Vulnerability Management: Gain previously impossible vulnerability intelligence based on application purpose, data class and user roles to drive rich, policy-driven response, including in-place quarantine.

Malware Protection: Real-time, dynamic threat response that follows applications as they migrate between hosts, data centers and cloud environments.

Network Protection: Leverages the platform to move IPS features from a dedicated edge function to distributed enforcement with rich, policy-driven response, including in-place quarantine.

Thank You

Fill out a survey: Every completed survey is entered into a drawing for a $25 VMware company store gift certificate
