VMWorld 2014 - Virtualize Your Network With VMware NSX

NET3305-S
Virtualize your Network with

VMware NSX
Martin Casado, VMware, Inc
Disclaimer
This presentation may contain product features that are currently under development.
This overview of new technology represents no commitment from VMware to deliver these
features in any generally available product.

Features are subject to change, and must not be included in contracts, purchase orders, or
sales agreements of any kind.

Technical feasibility and market demand will affect final delivery.
Pricing and packaging for any new technologies or features discussed or presented have not
been determined.
CONFIDENTIAL
Guidance from Giants

Traditional Data Center
Modern SaaS
Data Center
Any Application
Custom Application
L2/L3 or
Proprietary Network
Opex/Capex = $$$$
Innovation = HW design cycle
Security
Fault Isolation
Service Chaining
Discovery
Load balancing
Security
Fault Isolation
Service Chaining
Discovery
Load balancing
IP Network
Opex/Capex = $
Innovation = SW design cycle
CONFIDENTIAL
What is VMware NSX?
Internet
CONFIDENTIAL
What is VMware NSX?
CONFIDENTIAL
What is VMware NSX?
Internet
CONFIDENTIAL
What is VMware NSX?
Internet
CONFIDENTIAL
What is VMware NSX?
Internet
CONFIDENTIAL
VMware NSX Momentum: Customers
4 of 5
Leading global
top investment banks
enterprises & service providers
CONFIDENTIAL
Three Reasons Companies Virtualize Their Network
Speed On Demand Apps and Services
Economics Opex Efficiency & Capex Cost Savings
Security Re-Architect Datacenter

Security
CONFIDENTIAL
10
Security Use Case
A Picture of Diminishing Returns

The only thing outpacing security spend is security losses
2010
2011
IT Spend
Security Spend
2012
2013
Security Breaches
CONFIDENTIAL
12
A Modern Attack
Malware/attack vectors tested against known signatures & are often VM-aware
1 PREP
1
Human Recon
2
Attack Vector R&D
3
Primary Attack
CONFIDENTIAL
13
Leverage endpoints that circumvent perimeter controls
2 INTRUSION
Strain B
Dormant
4
Compromise
Primary Entry Point
(Phishing, Waterholes, etc.)
Strain A
Active
Install Command
& Control I/F
CONFIDENTIAL
14
Leverage hyper-connected computing base, accessible topology info & shared components
3 RECON
8
Install C2 I/F
Wipe Tracks
Escalate Priv
Strain A
Active
6
Escalate Privileges on
Primary Entry Point
Lateral
Movement
8
CONFIDENTIAL
15
Sensor, alerts and logs easily accessible
4 RECOVERY
Strain C
Dormant
Strain B
Active
Wake Up & Modify

Next Dormant Strain
Strain A
Active
Attack
Identified
Response
CONFIDENTIAL
16
Exploit weak visibility and limited internal control points
5 ACT ON INTENT
10
Break into
Data Stores
11
Parcel &
Obfuscate
6 EXFILTRATION
12
13
Exfiltrate
Cleanup
CONFIDENTIAL
17
The modern kill chain is highly targeted, interactive, and stealthy
13
Cleanup
CONFIDENTIAL
18
A Modern Kill Chain

is highly targeted, interactive and stealthy
Perimeter-Centric
80% of resources focused
on preventing intrusion
1IPREP
Limited visibility and control

inside the datacenter
to detect and respond to attacks
2 INTRUSION
3RECON
4 RECOVERY
5 ACT ON INTENT
6EXFILTRATION
1
Recon
2
Attack Vector R&D
3
Primary Attack
4
Compromise
Primary Entry
Point
Strain A
Active
Install Command &

Control (C2) I/F
Strain C
Dormant
Install C2 I/F
Wipe Tracks
Escalate Priv.
Strain B
Dormant
6
Escalate Privileges on
Primary Entry Point
Lateral Movement
Strain B
Active
10
Wake Up & Modify Next

Dormant Strain
11
Break into Data Parcel &

Stores
Obfuscate
12
Exfiltrate
13
Cleanup
Attack
Response
Identified
CONFIDENTIAL
19
Micro-Segmentation with NSX
CONFIDENTIAL
21
Problem: Data Center Network Security

Perimeter-centric network security has proven insufficient, and micro-segmentation is operationally infeasible
Internet
Internet
Little or no
lateral controls
inside perimeter
Insufficient
Operationally
Infeasible CONFIDENTIAL
22
Using Network Virtualization For Micro-Segmentation
Cloud
Management
Platform
Internet
Perimeter
Firewalls
CONFIDENTIAL
23
Cloud
Management
Platform
Internet
Perimeter
Firewalls
CONFIDENTIAL
24
Cloud
Management
Platform
Internet
Perimeter
Firewalls
CONFIDENTIAL
25

Security Policy
Cloud
Management
Platform
Internet
Perimeter
Firewalls
CONFIDENTIAL
26
Cloud
Management
Platform
Internet
Perimeter
Firewalls
CONFIDENTIAL
27
Cloud
Management
Platform
Internet
Perimeter
Firewalls
CONFIDENTIAL
28
Cloud
Management
Platform
Internet
Perimeter
Firewalls
CONFIDENTIAL
29
Cloud
Management
Platform
Internet
Perimeter
Firewalls
CONFIDENTIAL
30
Looking Into the Future
The Goldilocks Zone
Too Hot
Too Cold
CONFIDENTIAL
32
Trading Off Context and Isolation

Traditional Approach
Software Defined
Data Center (SDDC)
High Context
Low Isolation
Any Application
SDDC Platform
Data Center Virtualization
Any x86
No Ubiquitous Enforcement
Any Storage
Any IP network
High Isolation
Low Context
CONFIDENTIAL
33
Delivering Both Context and Isolation

Software Defined
Data Center (SDDC)
Secure Host Introspection
Any Application
SDDC Platform
Data Center Virtualization
High Context
High Isolation
Ubiquitous Enforcement
Any x86
Any Storage
Any IP network
CONFIDENTIAL
34
Broad Impact Across Many Security Verticles
Vulnerability Management
Malware Protection
Network Protection
Gain previously impossible vulnerability

intelligence based on application
purpose, data class and user roles to
drive rich, policy driven response,
including in-place quarantine.
Real-time, dynamic threat response

that follows applications as they migrate
between hosts, data centers and cloud
environments.
Leverages platform to move IPS

features from dedicated edge function
to distributed enforcement with rich,
policy-driven response, including
in-place quarantine.
CONFIDENTIAL
35
Thank You
Fill out a survey

Every completed survey is entered
into a drawing for a $25 VMware
company store gift certificate
NET3305-S
Virtualize your Network with

VMware NSX
Martin Casado, VMware, Inc

VMWorld 2014 - Virtualize Your Network With VMware NSX

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

VMWorld 2014 - Virtualize Your Network With VMware NSX

Hochgeladen von

Copyright:

Verfügbare Formate

NET3305-S

Virtualize your Network with

features in any generally available product.

sales agreements of any kind.

Guidance from Giants

What is VMware NSX?

What is VMware NSX?

What is VMware NSX?

What is VMware NSX?

What is VMware NSX?

VMware NSX Momentum: Customers

top investment banks

enterprises & service providers

Three Reasons Companies Virtualize Their Network

Speed On Demand Apps and Services

Economics Opex Efficiency & Capex Cost Savings

Security Re-Architect Datacenter

Security Use Case

A Picture of Diminishing Returns

Leverage endpoints that circumvent perimeter controls

Sensor, alerts and logs easily accessible

Wake Up & Modify

Exploit weak visibility and limited internal control points

The modern kill chain is highly targeted, interactive, and stealthy

A Modern Kill Chain

Limited visibility and control

Install Command &

Wake Up & Modify Next

Break into Data Parcel &

Micro-Segmentation with NSX

Problem: Data Center Network Security

Using Network Virtualization For Micro-Segmentation

Using Network Virtualization For Micro-Segmentation

Using Network Virtualization For Micro-Segmentation

Using Network Virtualization For Micro-Segmentation

Using Network Virtualization For Micro-Segmentation

Using Network Virtualization For Micro-Segmentation

Using Network Virtualization For Micro-Segmentation

Using Network Virtualization For Micro-Segmentation

Looking Into the Future

The Goldilocks Zone

Trading Off Context and Isolation

Delivering Both Context and Isolation

Secure Host Introspection

Broad Impact Across Many Security Verticles

Gain previously impossible vulnerability

Real-time, dynamic threat response

Leverages platform to move IPS

Fill out a survey

Virtualize your Network with

Das könnte Ihnen auch gefallen