VMworld 2013
Bilal Malik, Palo Alto Networks
Adina Simu, VMware
Learn more about VMworld and register at http://www.vmworld.com/index.jspa?src=socmed-vmworld-slideshare
VMworld 2013: VMware NSX with Next-Generation Security by Palo Alto Networks
1. VMware NSX with Next-Generation Security by Palo Alto Networks
Bilal Malik, Palo Alto Networks
Adina Simu, VMware
SEC5755
2. Session Objectives
Discuss security challenges in virtualized environments
Introduce NSX Firewall and Palo Alto Networks Panorama and VM-Series
Review the complete security solution that VMware and Palo Alto Networks have built jointly
3. Recommended Sessions & Labs
NET5716 – Advanced NSX Architecture
NET5266 – Bringing Network Virtualization to VMware Environments with NSX
NET5270 – Virtualized Network Services Model with NSX
NET5522 – VMware NSX Extensibility: Network and Security Services from 3rd-Party Vendors
Hands on labs on NSX and NSX Firewall: HOL-SDC-1303
5.
Infrastructure
Server Virtualization Cloud
The software defined data center is agile, flexible, elastic and simple
• Fast workload provisioning – weeks to hours
• Unlimited workload placement & mobility
• IT as a service with performance and scalability
• Simplified data center operations & economics
It's about Speed - Software Defined Data Center Transformation
7. Typical Data Center Physical Firewall Deployment
Gateway placement designed around expectation of L3 segmentation
VM to VM traffic Hair Pinned to FW
No “VM” awareness
VLAN Complexities
FW as Performance bottleneck
Complex Rule Sets
Traditional physical firewalls limit your data center
8. Security Policies Cannot Keep Up …
Manual Security Rule changes
No VM Context
Not integrated into automated workflows
10. Threats Come from Surprising Places …
“Application Usage and Threat Report” (Palo Alto Networks) February 2013
Aggregates application and threat logs
3,000+ organizations across the globe
95% of all exploit logs came from just 10 applications
9 of 10 are common business apps in data centers
MS-SQL
MS-RPC
SMB
MS SQL Monitor
MS Office Communicator
SIP
Active Directory
RPC
DNS
12. The Need for a Comprehensive Security Solution
VMware NSX Platform
NSX Distributed Firewall
• VM level zoning without VLAN/VXLAN dependencies
• Line rate access control traffic filtering
• Distributed enforcement at Hypervisor level
Palo Alto Networks Next Generation Security
Next Generation Firewall
• Protection against known and unknown threats
• Visibility and safe application enablement
• User, device, and application aware policies
Sophisticated Security Challenges
• Disappearance of standard application behavior
• Distributed user and device population
• Modern Malware
13. VMware NSX and Next-Generation Security Integrated Solution
Any Application (without modification)
Virtual Networks
VMware NSX Network Virtualization Platform
Logical L2
Any Network Hardware
Any Cloud Management Platform
Logical Firewall
Logical Load Balancer
Logical L3
Logical VPN
Any Hypervisor
Palo Alto Networks Next Generation Security
Security Provisioning
Palo Alto Networks VM-Series
Palo Alto Networks PA-5000 Series
Components:
• VMware NSX (including NSX Manager and NSX API – cloud provisioning, VMware NSX Firewall – Native, kernel-based firewall and traffic steering)
• Palo Alto Networks Panorama – security provisioning
• Palo Alto Networks VM-Series – next-generation security platform
14. NSX Distributed Firewall
Scale-out architecture
• Embedded in the Hypervisor
Line rate performance
• 10Gbps+ per host
Flexible access control architecture
• NSX Logical Containers
• VM Tags
• User Identity and Active Directory support
No VM can circumvent the firewall
• Rules follow the VMs
15. VM-Series Firewall
PAN-OS firewall in virtual machine form factor
Separation of management and data plane
Complete Next-Gen firewall features
• App-ID
• User-ID
• Content-ID
• WildFire
Dynamic Address Groups
Centrally managed through Panorama
17. Example: How to secure a MS SharePoint deployment
MSSQL1
SharePoint1
IISWebFrontEnd2
Domain Controller1
IISWebFrontEnd1
WEB Tier | Application Tier | Database Tier
27. Three steps:
1. Register the Next Generation Palo Alto Networks Firewall with NSX Manager
2. Deploy NSX Firewall and Palo Alto Networks VM-Series appliances
3. Define and consume security policies
28. Define NSX Logical Containers and attach policy
Simplify application management boundaries
29. Populate VM context into Next Gen Firewalls
NSX Manager
NSX Logical Containers
Virtualization Context
Policy Rules and Configuration
30. How to create NSX Logical Containers and traffic steering policy
39. An Integrated Solution for Securing the Software Defined Data Center
VMware NSX and Palo Alto Networks Next-Generation Security benefits:
Accelerate application delivery with transparent security enforcement
Optimize operational efficiency via simplified business policies
Address security and compliance mandates with next-gen protection
40. Come to the Palo Alto Networks booth
Booth #2305
More DEMOS & Giveaways