
ROD STUHLMULLER

Sr. Director of Product Marketing


Networking & Security Business Unit, VMware

IT'S TIME FOR NEW IT


SLOW TECHNOLOGY ADOPTION RATES
SLOW RESPONSES
SERVICE OUTAGES
PROLIFERATION OF DEVICES
SECURITY
HIGH USER EXPECTATIONS
CLOUD SILOS
DECLINING BUDGET
INTEGRATION PROBLEMS
PRIVACY ISSUES
DIFFERENT APPLICATIONS
FRAGMENTED DATA CENTER
AGING INFRASTRUCTURE
LIMITED RESOURCES
SHORTAGE OF RIGHT SKILLS

IT'S TIME TO VIRTUALIZE THE DATA CENTER

The Software Defined Data Center

Optimized for rapid development and delivery of all applications, for safe consumption on any device.

INSTANT
FLUID
SECURE

Sounds good, BUT

How do we move as fast as the business needs us to move, while maintaining our current environment and without having to start over?

You need a new approach to networking and security that gives you the agility and speed you need to support the existing business, while providing an inherently more agile and secure path forward.

Google, Facebook, Amazon: Custom Distributed Application Design (Security, Application Load Balancing, Routing, HA, etc.)

Enterprise IT: Enterprise Applications (Network & Security delivered by infrastructure)

Data Center Virtualization Layer

Compute / Storage / Network


The operational model of a VM for the entire data center

Programmatically: Create, Snapshot, Save, Move, Delete, Restore

Bridging Two Worlds: Traditional Approach / Software Defined Data Center Approach

Network Virtualization is at the core of an SDDC approach

Virtual Data Centers
Network hypervisor
Virtualization layer (network, storage, compute)

The next-generation networking model

Network and security services now distributed in the hypervisor:
Routing
Switching
Load Balancing
Firewalling/ACLs (east-west firewalling)

High throughput rates
Native platform capability

The next-generation networking model: All Software Construct

Web Tier (L3 Subnet), App Tier (L3 Subnet), DB Tier (L3 Subnet); NAT; Internet; Physical Network

Programmatically Provisioned
Network & Security Services Distributed to the Virtual Switch
Physical Network becomes high-speed IP backplane
Native Isolation (the diagram shows 192.168.2.10 and 192.168.2.11 each used twice, in separate virtual networks)

DR Today (simple view)

Primary Site (10.0.10/24) and Recovery Site (10.0.20/24), each on its own Physical Network Infrastructure, each with a SAN

Step 1 & 2: Snapshot VM, Replicate VM & Storage (e.g. VMware SRM)
Step 3: Recover the VM
Step 4: Change IP Address (10.0.10.21 becomes 10.0.20.21) and Reconfigure Security: Major RTO Impact

DR with NSX Network Virtualization (simple view)

Primary Site (10.0.10/24) and Recovery Site (10.0.20/24), each on its own Physical Network Infrastructure, each with a SAN and an NSX Controller; the same Virtual Network 10.0.30/24 exists at both sites

Step 1: Snapshot VM (10.0.30.21)
Step 2a: Replicate VM & Storage (e.g. VMware SRM)
Step 2b: Snapshot Network & Security
Step 3: Recover the VM; Network & Security already exists, and the VM keeps 10.0.30.21

80% RTO reduction

Support for Physical Workloads and VLANs


Non-Disruptive Deployment

The Power of Distributed Network & Security Services & Policies

Problem: Data Center Network Security

Perimeter-centric network security has proven insufficient, and micro-segmentation is operationally infeasible.

Insufficient: little or no lateral controls inside the perimeter
Operationally Infeasible

Why traditional approaches are operationally infeasible

Create firewall rules before provisioning
Update firewall rules when an app moves or changes
Delete firewall rules when an app is decommissioned
The problem increases with more East-West traffic

(Diagram: Internet, Perimeter Firewalls)

How an SDDC approach makes micro-segmentation feasible

(Diagram: Cloud Management Platform, Security Policy, Internet, Perimeter Firewalls)

Defining Security Policy for Automation & Audit Compliance

Workloads: 10.0.2.34, 10.0.4.72

Policy:
production: src, dest, port, protocol
database tier: allow<=application tier>
customer Data: allow<appid=3456>
pci data: allow<appid=6789>
quarantine: cvss=2

Security Policy attributes:
Development Workload / Test Workload / Production Workload
Web Tier / App Tier / Database Tier
Application Type: Customer Data
Application Type: PCI Data
Quarantine: If CVSS>5
Audit

There is a BIG difference

Physical Firewalls: Traditional Rule Mgt & Operations; Chokepoint Enforcement (~100 Gbps)
Virtual Firewalls: Traditional Rule Mgt & Operations; Chokepoint Enforcement (~1 Gbps)
Distributed Firewalling: Automated Policy Mgt & Operations; Distributed Enforcement; vSphere Kernel-based Performance; Distributed Scale-out Capacity (20 Gbps/host)

NSX Distributed Firewalling Performance

20 Gbps per host of firewall performance with negligible CPU impact

80K CPS with 100+ rules per host
A typical virtual appliance does ~6K CPS per VM
A physical appliance performs 300K-400K CPS per appliance

CONFIDENTIAL

33

SDDC Platform Native Security Capabilities

Hypervisor-based, in-kernel distributed firewalling
  High throughput rates on a per-hypervisor basis (20 Gbps firewalling throughput per host)
  Every hypervisor adds additional east-west firewalling capacity
  Native feature of the VMware NSX platform

Platform-based automation
  Automated provisioning and workload adds/moves/changes
  Accurate firewall policies follow workloads as they move
  Audit Compliance

Data center micro-segmentation becomes operationally feasible

A Zero Trust model becomes operationally feasible

Logically align controls to what you are protecting

Isolation: No Communication Path between Application A and Application B
Secure Communications: Explicit Allow Comm. between App Tier and DB Tier (e.g. TCP 1433)
Service Insertion: NGFW, IPS

Advanced Services Insertion Example: Palo Alto Networks NGFW

(Diagram: Security Admin, Security Policy, Internet, Traffic Steering)

Intelligent grouping: Groups defined by customized criteria
Operating System
Application Tier
Machine Name
Services
Regulatory Requirements
Security Posture
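As an added illustration (not VMware or NSX code, and not from this deck), the following Python models the idea running through the security policy slide, the Zero Trust slide and the intelligent grouping slide: rules select endpoints by workload attributes (environment, tier, application type, and a CVSS score for quarantine) instead of by address, so the verdict for a flow is unchanged when a workload is recovered at a new IP as in the DR slides, while the equivalent IP-based rule table has to be regenerated on every move. The attribute names, rule format, ports, addresses and inventory are all constructed for the example.

```python
"""Attribute-based micro-segmentation policy (added illustration, not NSX code).

Rules select endpoints by workload attributes instead of IP addresses, so the
policy does not change when a workload is provisioned, moved or recovered at a
new address. All names, attributes and addresses below are constructed.
"""
from dataclasses import dataclass, replace

QUARANTINE_CVSS = 5.0  # deck: "Quarantine: If CVSS>5"


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    env: str    # "development", "test" or "production"
    tier: str   # "web", "app" or "db"
    app: str    # application type, e.g. "customer-data" or "pci-data"
    cvss: float = 0.0  # highest open vulnerability score (hypothetical scanner feed)


@dataclass(frozen=True)
class Rule:
    """Allow a flow when source and destination match their attribute selectors."""
    name: str
    src: dict
    dst: dict
    port: int
    proto: str = "tcp"
    same_app: bool = True  # both ends must belong to the same application


# Hypothetical policy: production web -> app, production app -> db; everything
# else is denied (Zero Trust default).
POLICY = [
    Rule("web-to-app", {"env": "production", "tier": "web"},
         {"env": "production", "tier": "app"}, port=8443),
    Rule("app-to-db", {"env": "production", "tier": "app"},
         {"env": "production", "tier": "db"}, port=1433),
]


def matches(w: Workload, selector: dict) -> bool:
    """True when every selected attribute of the workload has the required value."""
    return all(getattr(w, key) == value for key, value in selector.items())


def quarantined(w: Workload) -> bool:
    return w.cvss > QUARANTINE_CVSS


def rule_applies(rule: Rule, src: Workload, dst: Workload) -> bool:
    return (matches(src, rule.src) and matches(dst, rule.dst)
            and (not rule.same_app or src.app == dst.app))


def evaluate(src: Workload, dst: Workload, port: int, proto: str = "tcp"):
    """Return (allowed, reason) for a flow; quarantine wins, then explicit allows."""
    if quarantined(src) or quarantined(dst):
        return False, "quarantine"
    for rule in POLICY:
        if rule_applies(rule, src, dst) and (rule.port, rule.proto) == (port, proto):
            return True, rule.name
    return False, "default-deny"


def compile_to_5tuples(policy, inventory):
    """The (src_ip, dst_ip, port, proto) table an IP-based firewall would need
    for the same policy; it must be regenerated whenever an address changes."""
    table = set()
    for rule in policy:
        for s in inventory:
            for d in inventory:
                if s is not d and rule_applies(rule, s, d) \
                        and not (quarantined(s) or quarantined(d)):
                    table.add((s.ip, d.ip, rule.port, rule.proto))
    return table


# Constructed inventory (addresses chosen to echo the deck's 10.0.30.21 example).
INVENTORY = [
    Workload("web-a", "10.0.30.10", "production", "web", "customer-data"),
    Workload("app-a", "10.0.30.21", "production", "app", "customer-data"),
    Workload("db-a", "10.0.30.30", "production", "db", "customer-data"),
    Workload("app-b", "10.0.30.41", "production", "app", "pci-data"),
    Workload("db-b", "10.0.30.50", "production", "db", "pci-data", cvss=7.5),
    Workload("app-dev", "10.0.60.21", "development", "app", "customer-data"),
]


def by_name(name: str) -> Workload:
    return next(w for w in INVENTORY if w.name == name)


def demo():
    """Evaluate representative flows, then recover app-a at a new address."""
    app_a, db_a, app_b, db_b, app_dev = (
        by_name(n) for n in ("app-a", "db-a", "app-b", "db-b", "app-dev"))
    verdicts = {
        "app-a -> db-a tcp/1433": evaluate(app_a, db_a, 1433),      # allowed by app-to-db
        "app-a -> db-a tcp/22": evaluate(app_a, db_a, 22),          # port not allowed
        "app-b -> db-a tcp/1433": evaluate(app_b, db_a, 1433),      # different application
        "app-b -> db-b tcp/1433": evaluate(app_b, db_b, 1433),      # db-b quarantined (CVSS 7.5)
        "app-dev -> db-a tcp/1433": evaluate(app_dev, db_a, 1433),  # dev must not reach prod
    }
    # DR-style recovery: same workload, new IP. The attribute policy is untouched
    # and the verdict is unchanged, but the compiled IP table is different.
    moved = replace(app_a, ip="10.0.20.21")
    verdicts["moved app-a -> db-a tcp/1433"] = evaluate(moved, db_a, 1433)
    before = compile_to_5tuples(POLICY, INVENTORY)
    after = compile_to_5tuples(POLICY, [moved if w is app_a else w for w in INVENTORY])
    return verdicts, before, after


if __name__ == "__main__":
    verdicts, before, after = demo()
    for flow, (allowed, why) in verdicts.items():
        print(f"{flow:32} {'ALLOW' if allowed else 'DENY ':5} ({why})")
    print("IP table changed after move:", before != after)
```

The quarantine check runs before any allow rule so that a workload whose CVSS score crosses the threshold loses all connectivity without anyone editing the policy; `compile_to_5tuples` is only there to make the contrast visible: the two-rule attribute policy stays the same across the move, while the address table an IP-based firewall would carry comes out different.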

Automated Security in a Software-Defined Data Center


Data Center Micro-Segmentation


Benefits of Taking a Software Defined Data Center Approach

Security: Micro-segmentation. Value: secure infrastructure at 1/3 the cost. Use cases: DMZ Anywhere, Secure End User

Speed & Agility: IT Automating IT. Value: reduce infrastructure provisioning time from weeks to minutes. Use cases: Developer Cloud, Multi-tenant Infrastructure

Application Continuity: Disaster Recovery. Value: reduce RTO by 80%. Use cases: Metro Pooling, Hybrid Cloud Networking

NSX customer momentum


Service Providers
Global Financials
Retail
Healthcare
Integrators
Media & Communications
Transportation
Government
Education

NSX partner ecosystem


Physical Infrastructure
Security
Operations
Application Delivery

SUPPORT FOR EVERY STEP OF YOUR IT JOURNEY

Strategy and planning expertise
Advanced technology capabilities
Industry and domain expertise
Compatibility and integration
Industry specific solutions
Global and local presence

1,000+ VMware Service Professionals
100+ Consulting Partners
75,000 Solution Partners
1,100 Technology Partners
4,000 vCloud Air Network Partners

Jump in

Thank you!