
NSX and Microsegmentation

The next big opportunity.

Oliver Zängerle
Senior Systems Engineer
Agenda

1. Network Virtualization

2. Security

3. Automation

CONFIDENTIAL 2
What is a Software Defined Data Center (SDDC)?

[Diagram: Network, Compute and Storage Capacity (hardware) beneath a Data Center Virtualization Layer (software); the operational model becomes "VM for Data Center Infrastructure"]

Hardware: intelligence in hardware; dedicated, vendor-specific infrastructure; manual configuration & management
Software: intelligence in the virtualization layer; pooled, vendor-independent, best price/performance infrastructure; automated, simplified configuration & management
Taking what we have learned…

Software (Server Virtualization): automated operational model
Programmatically create, snapshot, store, move, delete and restore applications and virtual machines
• Intelligence in the virtualization layer
• Vendor independent x86 capacity
• Transformative operational model
• Automated configuration & management

Hardware (Compute Capacity, Network, Storage): manual operational model
• Intelligence in hardware
• Dedicated, vendor specific infrastructure
• Manual configuration & management
To deliver a Software Defined Data Center approach

Software (Data Center Virtualization): automated operational model
Programmatically create, snapshot, store, move, delete and restore applications, virtual machines, virtual networks and virtual storage

Hardware (Compute Capacity, Network Capacity, Storage Capacity)
• Pooled compute, network and storage capacity
• Vendor independent, best price/performance
• Simplified configuration & management

Location Independence

Provides a faithful reproduction of network & security services in software:
• Switching, Routing, Load Balancing, Connectivity to Physical Networks
• Firewalling, VPN, Data Security, Activity Monitoring
• Management: APIs, UI; Policies, Groups, Tags
VMware NSX: Virtualize the Network

• Logical Switching
• Logical Routing
• Load Balancing
• Physical to Virtual
• Firewalling & Security

One-Click Deployment via Cloud Management Platform
Proven approach, now being consumed by enterprise

Custom Application Software

Software Defined Data Center, including routing, load balancing, security, location independence, hardware independence.

Simple “Lego Block” Style Modular Capacity
Agenda

1. Network Virtualization

2. Security

3. Automation

Perimeter-Focused Security

Unconstrained communication: little or no lateral controls inside the perimeter.

[Diagram: Internet, data center perimeter, attacker traffic moving between systems inside the perimeter]

Sophisticated attackers bypass perimeter defenses. The system that is initially compromised is often one of low value.

Because of a lack of internal controls, attackers can move freely around the data center and over time infect systems with sensitive data.

Attackers then gather and exfiltrate data over weeks or even months.
Micro-Segmentation

Why can’t we have individual firewalls for every VM? With traditional technology, this is operationally infeasible.

[Diagram: Internet, data center perimeter, a firewall in front of every VM]

Physical firewalls: cost prohibitive with complex configurations
Virtual firewalls: slower performance, costly, and complicated
Secure Micro-Segmentation in the Data Center

[Diagram: security policy distributed from the Cloud Management Platform to every workload, behind the perimeter firewalls that face the Internet]
There is a BIG difference…

Micro-segmentation in Detail

Isolation: no communication path between unrelated networks
• No cross-talk between networks
• Overlay technology assures networks are separated by default

Segmentation: controlled communication path within a single network
• Fine-grained enforcement of security
• Security policies based on logical groupings of VMs

Advanced services: addition of 3rd party security, as needed by policy
• Platform for including leading security solutions
• Dynamic addition of advanced security to adapt to changing security conditions
NSX for Horizon

[Diagram: Horizon infrastructure; Internal Developer Pool on an Internal Developer Network, External Developer Pool on an External Developer Network]

• Micro-segmentation for
  – Desktop to Desktop control
  – Desktop to Enterprise App control
  – Quarantine infected (AV) desktops
• Allows for elasticity and agility to spin up/down new pools or expand existing ones using logical switching, routing and firewalling
• NSX services for Horizon infrastructure
SDDC Platform – Native Security Capabilities

Hypervisor-based, in-kernel distributed firewalling
• High throughput rates on a per hypervisor basis
• Every hypervisor adds additional east-west firewalling capacity
• Native feature of the VMware NSX platform

Platform-based automation
• Automated provisioning and workload adds/moves/changes
• Accurate firewall policies follow workloads as they move

Data center micro-segmentation
• Firewalling becomes operationally feasible
• 20 Gbps throughput per host
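The policy model that the micro-segmentation slides describe (rules written against logical groupings of VMs rather than addresses, policies that follow a workload when it moves, and quarantine of an infected desktop by tag) can be illustrated with a small Python model of a tag-based distributed firewall. This is an added example and not code from the deck, from VMware or from the NSX API; the class names (VM, SecurityGroup, Rule, DistributedFirewall), the three-tier tags and the sample VMs and rules are all constructed for the illustration.

```python
"""Toy model of micro-segmentation with a tag-based distributed firewall.

Added illustration only: not NSX code and not the NSX API. All names, tags,
addresses and rules below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class VM:
    name: str
    ip: str
    host: str                         # hypervisor the VM currently runs on
    tags: set = field(default_factory=set)


@dataclass(frozen=True)
class SecurityGroup:
    """Logical grouping of VMs: membership is decided by a tag, not an IP."""
    name: str
    tag: str

    def contains(self, vm: VM) -> bool:
        return self.tag in vm.tags


@dataclass(frozen=True)
class Rule:
    """One distributed-firewall rule. None in src/dst/proto/port means 'any'."""
    name: str
    src: Optional[SecurityGroup]
    dst: Optional[SecurityGroup]
    proto: Optional[str]
    port: Optional[int]
    action: str                       # "allow" or "block"

    def matches(self, src_vm: VM, dst_vm: VM, proto: str, port: int) -> bool:
        return ((self.src is None or self.src.contains(src_vm))
                and (self.dst is None or self.dst.contains(dst_vm))
                and (self.proto is None or self.proto == proto)
                and (self.port is None or self.port == port))


class DistributedFirewall:
    """The same rule table is enforced at every vNIC on every hypervisor.
    First matching rule wins; a flow that matches no rule is blocked, so
    unrelated workloads are isolated by default."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)

    def decide(self, src_vm: VM, dst_vm: VM, proto: str, port: int) -> str:
        for rule in self.rules:
            if rule.matches(src_vm, dst_vm, proto, port):
                return rule.action
        return "block"


# Constructed sample policy for a three-tier application (not from the deck).
WEB = SecurityGroup("web-tier", "tier:web")
APP = SecurityGroup("app-tier", "tier:app")
DB = SecurityGroup("db-tier", "tier:db")
QUARANTINE = SecurityGroup("quarantine", "security:quarantine")

POLICY = [
    # Highest priority: a workload tagged by the AV integration loses all connectivity.
    Rule("quarantine-out", QUARANTINE, None, None, None, "block"),
    Rule("quarantine-in", None, QUARANTINE, None, None, "block"),
    # Only the east-west flows the application actually needs.
    Rule("web-to-app", WEB, APP, "tcp", 8080, "allow"),
    Rule("app-to-db", APP, DB, "tcp", 3306, "allow"),
]


def sample_vms() -> Dict[str, VM]:
    """Constructed inventory: one VM per tier, each on its own host."""
    return {
        "web1": VM("web1", "10.0.1.10", "esx-01", {"tier:web"}),
        "app1": VM("app1", "10.0.2.10", "esx-02", {"tier:app"}),
        "db1": VM("db1", "10.0.3.10", "esx-03", {"tier:db"}),
    }


def vmotion(vm: VM, new_host: str, new_ip: str) -> None:
    """Move a workload; nothing in the policy has to be edited afterwards."""
    vm.host, vm.ip = new_host, new_ip


def demo() -> Dict[str, str]:
    dfw = DistributedFirewall(POLICY)
    vms = sample_vms()
    web1, app1, db1 = vms["web1"], vms["app1"], vms["db1"]
    out = {}
    out["web->app tcp/8080"] = dfw.decide(web1, app1, "tcp", 8080)  # allow
    out["web->db tcp/3306"] = dfw.decide(web1, db1, "tcp", 3306)    # block: no lateral path
    out["app->db tcp/3306"] = dfw.decide(app1, db1, "tcp", 3306)    # allow
    out["db->app tcp/8080"] = dfw.decide(db1, app1, "tcp", 8080)    # block: wrong direction

    # Move web1 to another host and subnet: the tag travels with the VM, so the
    # group-based rule still applies without any policy change.
    vmotion(web1, "esx-04", "10.0.7.10")
    out["after move web->app tcp/8080"] = dfw.decide(web1, app1, "tcp", 8080)  # allow

    # The AV integration flags web1: one tag change quarantines it everywhere.
    web1.tags.add("security:quarantine")
    out["quarantined web->app tcp/8080"] = dfw.decide(web1, app1, "tcp", 8080)  # block
    out["quarantined app->db tcp/3306"] = dfw.decide(app1, db1, "tcp", 3306)    # allow
    return out


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:34} {verdict}")
```

Two design points carry the weight here: the default verdict of the firewall is "block", so a flow nobody wrote a rule for is isolated rather than permitted, and no rule mentions an IP address, which is why the move of web1 to a new host and subnet changes nothing and why a single tag is enough to quarantine a workload on every hypervisor at once. Rule order matters: the quarantine rules sit first so they override the application's allow rules.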
Agenda

1. Network Virtualization

2. Security

3. Automation

Use Cases

• Security
• Automation
• Application Continuity
Automation

[Diagram: application workloads on virtual infrastructure, on physical network infrastructure connected to the Internet]
Platform Services Enable Robust Ecosystem

We expect the vast majority of this functionality to come from partners.

[Diagram: applications and end hosts on virtual infrastructure, on physical network infrastructure connected to the Internet]
Self Service IT: Driving IT Agility

[Diagram: cloud consumer and cloud provider roles]

Automation by IT for IT
- Faster project on-boarding
- Elastic Services
- Streamline Security Enforcement
- Mergers & Acquisition

Automation by IT for End user
- Developer Cloud
- Services Cloud
- IAAS

Automation by IT for External Use
- Community Cloud
Software Defined Data Center Deployed

[Diagram: all-software construct of a Web Tier, App Tier and DB Tier, each on its own L3 subnet, with NAT to the Internet, running over the physical network]
Use Cases

• Security
• Automation
• Application Continuity
Hardware Refresh

Virtual infrastructure decouples applications from hardware.

[Diagram: virtual machines on virtual infrastructure, isolated from the physical network infrastructure and the Internet]
Disaster Recovery

Network configuration becomes easily replicable once it is software defined.

[Diagram: Original Site and Backup Site, each with application workloads, virtual infrastructure and physical network infrastructure connected to the Internet]
NSX Packaging Summary

Enterprise
• vSphere edition, perpetual license, route to market direct + channel, metric per CPU, stand-alone package: MSRP $5,995
• vSphere edition, perpetual license, route to market direct + channel, metric per CPU, suite add-on package: MSRP $3,495
• vSphere edition, term license, route to market direct + channel, metric per VM, stand-alone package: MSRP $408 / year
• Multi-Hypervisor edition, perpetual license, route to market direct + channel, metric per CPU, stand-alone package: MSRP $6,995
• Multi-Hypervisor edition, term license, route to market direct + channel, metric per VM, stand-alone package: MSRP $480 / year

Service Provider
• vSphere edition, usage license, route to market VSPP, metric per VM, stand-alone package: 20 Points / VM / Mo
• Multi-Hypervisor edition, usage license, route to market VSPP, metric per VM, stand-alone package: 25 Points / VM / Mo

License MSRP is commercial pricing.
• SnS is required and in addition to the license price
• Basic SnS: 21% of License
• Production SnS: 25% of License
• VSPP Point pricing includes SnS
• Public and Academic pricing available
Thank you

More information:
http://www.vmware.com/products/nsx/resources.html