VMworld 2013 Allen Shortnacy, VMware Learn more about VMworld and register at http://www.vmworld.com/index.jspa?src=socmed-vmworld-slideshare

1. NSX PCI Reference Architecture Workshop Session 1
- Segmentation
Allen Shortnacy, VMware
SEC5775
#SEC5775

2. © 2013 VMware Inc. All rights reserved© 2013 VMware Inc. All rights reserved
SEC5775 - NSX PCI Reference Architecture
Workshop Session 1 - Segmentation
August 2013

3. 33
Importance of Segmentation

4. 44
About Segmentation
 At a fundamental level the SDDC is about the:
• Pooling of physical compute and storage into groups
• Coupled with networks that allow for access to these resources
• Administrative and kernel networks for ESXi shell access and operations like vMotion
• APIs that allow us to interact with those resources
 Auditors rely on ‘scope’ to define those items that should be audited
• In the SDDC it is easy to declare that everything is in ‘scope’ due to shared resources
• We need effective tools to declare ‘scopes’ and their usage as well as their join rules
• For those workloads that serve business function we want coherent policies
 Value Propositions of Segmenting with NSX
• Reducing the ‘scope’ of the infrastructure subject to audit will reduce audit costs
• Leverage NSX to establish networks with policies that are transitive across datacenter
• Clearly define and orchestrate VMware and Technology Partners to monitor ‘layers’

5. 55
Four Steps to Segmenting the SDDC
 vSphere and Networking
• Hosts and Storage should also be segmented
• VLANs may still be used but are not relied upon as a control mechanism
• Dedicated cluster for SDDC Management VMs like vCenter, ActiveDirectory
 Establish VXLAN for Workloads
• Allows for Layer 2 subnets across compliant hosts/clusters
• Provides routes to traverse from Layer 2 to other VXLAN and Edge Shared Services
 Establish Zones for Shared Services, DMZ, etc. with Edge
• Active Directory serving Enterprise users, DNS, Messaging, Email, etc.
• Defining bastion host networks for access to administer these services
 Establish Service Composer Firewall Policies
• Firewall and other technologies, declaratively enabled, follow the workload
• Workloads that come out of policy for any reason have access restricted

6. 66
Groups
 vSphere Storage Networks
 ESXi Hosts/Clusters to LUNs
Usage
vSphere, Porticor
 Create Encrypted iSCSI LUNs
 Consume via Storage vSwitches
Step 1: Segment Storage for Consumption
Segmenting Storage with Encryption and dedicated vSwitches eases
consumption while maintaining compliance

7. 77
Porticor Solution
State of the art encryption
• AES 256 / SHA 2 – standards based…
• … yet implemented with best-in-class
performance
• Streaming, caching, stateless servers, cloud
scale solution
Cloud key management - The
“banker”
• Metaphor: a physical safety deposit box is
behind strong walls, and… requires two keys
to open/lock: one for the customer, the other
for the banker
• The secret sauce: “split key” and
“homomorphic” technology creates this in a
virtual environment

8. 88
The “Swiss Banker” metaphor
Customer has a key, “Banker” has a key
Master key with Homomorphic key encryption
Key-splitting and Homomorphic Technology together deliver Trust

9. 99
Demo: Create Encrypted iSCSI LUNs and Map to vSwitch

10. 1010
Groups
 ESXi Hosts/Clusters
 vSwitch/Port Groups to VLANs
Usage
vSphere, HyTrust
 Identify vSphere assets
 Label in HyTrust as ‘PCI’
 VLANs inherited from Port
Groups
Step 2: Identify and Label vSphere Components
Identifying Hosts, Storage and Network Assets for compliance scope
is the initial step in Segmentation

11. © 2013, HyTrust, Inc. www.hytrust.com | 1975 W. El Camino Real, Suite 203, Mountain View, CA 94040 | Phone: 650-681-8100 | email: info@hytrust.com
HyTrust
Multi-Tenancy Wizard

12. © 2013, HyTrust, Inc. www.hytrust.com | 1975 W. El Camino Real, Suite 203, Mountain View, CA 94040 | Phone: 650-681-8100 | email: info@hytrust.com
With Great Power Comes Great Responsibility….
Significant Risk of
Catastrophic Failure
12

13. © 2013, HyTrust, Inc. www.hytrust.com | 1975 W. El Camino Real, Suite 203, Mountain View, CA 94040 | Phone: 650-681-8100 | email: info@hytrust.com
How HyTrust Protects VMware

14. 1414
Demo: Identify and Tag Core vSphere Asset Groups

15. 1515
PCI DSS 2.0 on VLANs and Segmentation
“Relying on Virtual LAN (VLAN) based
segmentation alone is not sufficient. For
example, having the CDE on one VLAN and the
WLAN on a separate VLAN does not adequately
segment the WLAN and take it out of PCI DSS
scope. VLANs were designed for managing
large LANs efficiently. As such, a hacker can
hop across VLANs using several known
techniques if adequate access controls between
VLANs are not in place.”

16. 1616
NSX Architecture
vCD/vCAC
vCenter Server NSX Manager
1:1
Management Plane
Control Plane
NSX Edge
Distributed
Router
Controller
Data Plane
NSX Edge
Services Router
VXLAN DR DFWSecurity VXLAN DR DFWSecurity
1:Many
VXLAN DR DFWSecurity

17. 1717
Management Plane Components
 Self service and on-
demand Provisioning of
Infrastructure
 Abstracted pool of services
(Compute/Storage/Network
)
 Catalogue of applications
vCD/vCAC
vCenter Server NSX Manager
1:1
Management Plane
 Provisioning and
Management of
 Compute/Memory
 Storage
 Virtual Switch
 Provisioning and
Management of Network and
Network services
 VXLAN Preparation
 Logical Network Consumption
 Network Services
Configuration
vCD/vCAC vCenter Server NSX Manager

18. 1818
Control Plane Components
 Dynamic Routing
 VXLAN – VLAN Bridging
 Scale Out
 VXLAN - no Multicast
 ARP suppression
 Distributed Routing
Control Plane
NSX Edge
Distributed
Router
Controller
NSX Edge Distributed Router Controller

19. 1919
Data Plane Components
 Kernel Modules
 Message Bus
 User World Agent
 NAT
 DHCP
 LB
 VPN
Data Plane
NSX Edge
Services Router
ESX Host NSX Edge Services Router
VXLAN DR DFWSecurity VXLAN DR DFWSecurityVXLAN DR DFWSecurity

20. 2020
Communication Between The Three Planes
vCD/vCAC
vCenter Server NSX Manager
Management Plane
Control Plane
NSX Edge
Distributed
Router
Controller
Data Plane
NSX Edge
Services Router
VXLAN DR DFWSecurity VXLAN DR DFWSecurityVXLAN DR DFWSecurity
vSphere API
REST APIvSphere API
REST API
VIXAPI
vSphereAPI REST API
REST API
MessageBus

21. 2121
VXLAN NSX for vSphere
vSphere Host
VM1
vSphere Distributed Switch
VXLAN Transport Network
vSphere Host
VM2
vSphere Host
VXLAN 5001
VTEP1 10.20.10.10 VTEP2 10.20.10.11 VTEP3 10.20.11.10
vSphere Host
VTEP4 10.20.11.11
VM3 VM4
Unicast Traffic
Controller
Cluster
VXLAN Transport Subnet A 10.20.10.0/24 VXLAN Transport Subnet B 10.20.11.0/24

22. 2222
Components Mapped to Physical Infrastructure
WAN
Internet
Compute Racks Infra Racks Edge Racks
Hypervisor
Modules
Controller, VC,
NSX Manager
On/off Ramp

23. 2323
Step 3 : NSX Distributed Edge VXLAN Networks
 vSwitch/Port Groups to VLANs
 NSX Edge VXLANs
Groups
 Create vDS for VXLAN in vSphere
 NSX Manager prepare hosts, add
logical networks and deploy Edges
Usage
NSX provides Distributed Logical Routers as well as Distributed
Services like Firewall through Edge deployments

24. 2424
DB Tier
Web Tier
App Tier
WAN
Internet
L2
L3
VXLAN
802.1Q
VXLAN
VXLAN
VXLAN
VXLAN
VXLAN
VXLAN
VXLAN
Network
Fabric
Service Placement – Distributed Design
VXLAN
.1Q
.1Q

25. 2525
Demo: Create Segmented VXLAN Overlay Networks

26. 2626
Hypervisor Kernel Embedded Firewall
Benefits…
• Built into the Hypervisor
• “Line Rate” Performance (15Gbps/Host)
• Better compliance model

27. 2727
Distributed Virtual Firewall
VM
VM
VM VM
VM
VM
VM
VM
VM
VM
VM
VM
VM
VM
VM
Benefits…
• No “Choke Point”
• Scale Out
• Enforcement closest to VM

28. 2828
Step 4: Establish NSX App Distributed Firewall Rules
NSX simplifies the steps for creating firewall rules used for
segmenting workload tiers and tenants
 vApp Patterns to Firewall Rules
 NSX Edge Firewall Security Groups
Groups
 vSphere create vDS for VXLAN
 NSX Manager prepare hosts, add
logical networks and deploy Edges
Usage

29. 2929
Demo: Create Firewall Policies For Controlling vApp Network Access

30. 3030
Step 4: Establish NSX App Distributed Firewall Rules
NSX enables migration across segmentation policy controlled hosts
while maintaining routing and firewall rule consistency
 vSwitch/Port Groups to VLANs
 NSX Edge VXLANs
Groups
 vSphere create vDS for VXLAN
 NSX Manager prepare hosts, add
logical networks and deploy Edges
Usage

31. 3131
Compute Racks Infrastructure Racks (Storage,
vCenter and vCloud Director)
Edge Racks
vCenter 1
vCenter 2
(Up-to Max supported
VMs by vCenter)
(Up-to Max supported
VMs by vCenter) VM
VM
ESXi Clusters
WAN
Internet
Capex Value Expressed in Infrastructure Utilization

32. 3232
Summary – Value Achieved via Segmentation
 Segmentation techniques provide uniform consumption of SDDC while
maintaining controls needed for compliance
 Dynamic routing and overlay networks provide isolation needed for SDDC
resources to be consumed
 Centralized Policy Management eases the administrative burden by providing
networking and firewall rules that are always ‘in context’
 Reduced Audit Costs by providing controls of core SDDC elements such as
storage and compute bound to networks thereby limiting scope
 Get hands on experience! Partner Hands On Lab with HyTrust, Catbird and
LogRhythm to go with VMware NSX Hands On Labs
 Visit the HyTrust booth and Porticor online at http://www.porticor.com/porticor-for-
vmware/ for more information

33. 3333
VMworld: Security and Compliance Sessions
Category Topic
NSX
• 5318: NSX Security Solutions In Action (201)
• 5753: Dog Fooding NSX at VMware IT (201)
• 5828: Datacenter Transformation (201)
• 5582: Network Virtualization across Multiple Data Centers (201)
NSX Firewall
• 5893: Economies of the NSX Distributed Firewall (101)
• 5755: NSX Next Generation Firewalls (201)
• 5891: Build a Collapsed DMZ Architecture (301)
• 5894: NSX Distributed Firewall (301)
NSX Service
Composer
• 5749: Introducing NSX Service Composer (101)
• 5750: NSX Automating Security Operations Workflows (201)
• 5889: Troubleshooting and Monitoring NSX Service Composer (301)
Compliance
• 5428: Compliance Reference Architecture Framework Overview (101)
• 5624: Accelerate Deployments – Compliance Reference Architecture (Customer Panel) (201)
• 5253: Streamlining Compliance (201)
• 5775: Segmentation (301)
• 5820: Privileged User Control (301)
• 5837: Operational Efficiencies (301)
Other
• 5589: Healthcare Customer Case Study: Maintaining PCI, HIPAA and HITECH Compliance in
Virtualized Infrastructure (Catbird – Jefferson radiology)
• 5178: Motivations and Solution Components for enabling Trusted Geolocation in the Cloud - A
Panel discussion on NIST Reference Architecture (IR 7904). (Intel and HyTrust)
• 5546: Insider Threat: Best Practices and Risk Mitigation techniques that your VMware based
IaaS provider better be doing! (Intel)

34. 3434
For More Information…
 VMware Collateral
 VMware Approach to Compliance
 VMware Solution Guide for PCI
 VMware Architecture Design Guide for PCI
 VMware QSA Validated Reference Architecture PCI
 Partner Collateral
 VMware Partner Solution Guides for PCI
How to Engage?
 compliance-solutions@vmware.com
 @VMW_Compliance on Twitter

35. 3535
Other VMware Activities Related to This Session
 HOL:
HOL-SDC-1315
vCloud Suite Use Cases - Control & Compliance
HOL-SDC-1317
vCloud Suite Use Cases - Business Critical Applications
HOL-PRT-1306
Compliance Reference Architecture- Catbird, HyTrust and LogRhythm
 Group Discussions:
SEC1002-GD
Compliance Reference Architecture: Integrating Firewall, Antivirus,
Logging and IPS in the SDDC with Allen Shortnacy

36. THANK YOU

38. NSX PCI Reference Architecture Workshop Session 1
- Segmentation
Allen Shortnacy, VMware
SEC5775
#SEC5775