Group Discussion: Migrating from a Hardware Based Firewall to NSX to
Improve Performance and Compliance, with Iain Leiter
Iain Leiter, ATSU
NET10706-GD
#NET10706
Introduction
Who are you and what is A.T. Still University?
Iain Leiter
Network Engineer
10+ years of IT networking experience – Certified VMware VCIX6-NV
Responsibilities include LAN, WAN, Wireless, Network Security, plus
lots more in a technologically diverse medical university environment
www.linkedin.com/in/iainleiter
Agenda
• Technical and business challenges
• Technology evaluation process
• The advantages of NSX as a firewall solution
• Our microsegmentation design
• Our deployment process
• Discoveries we’ve made along the way
Technical and Business Challenges
• Need to separate sensitive clinical, academic, and business systems
• Firewall sizing risks - possible future scalability issues
• Performance Requirements
• High Resolution Histology Imaging application
• Academic classroom video capture and VOD
• Ongoing firewall bandwidth constraints
• Reduce costs
Firewall Segmentation Goals
Firewall Technologies Considered or Evaluated
• More physical firewalls
• OS-based software firewalls
• Windows Firewall
• Linux Firewalls
• AV Firewalls
• Virtualized firewalls from other vendors
• Cisco ASAv
• Cisco ASA1000V
• Cisco VSG
• SDN/SDDC solutions
• ACI + hardware
• NSX
The advantages of NSX (DFW) as a firewall solution
• Distributed firewalling provides high performance and scalability
• Security Policies applied to the VM’s vNIC
• Firewall bandwidth capacity grows as server hardware is added
The advantages of NSX (DFW) as a firewall solution
• Pay as you grow flexibility
• Buy what you need
• No firewall sizing risk
The advantages of NSX (DFW) as a firewall solution
• Firewall capacity mobility – move firewall capacity between sites (licenses)
The advantages of NSX (DFW) as a firewall solution
• Additional visibility for improved compliance
• Monitor firewalling between VMs on the same segment
The advantages of NSX (DFW) as a firewall solution
• Advanced Security Features – Microsegmentation & Automation!
• Security Benefit - Firewall policy is enforced at the VM’s vNIC
• Independent of the guest OS or underlying network hardware
• BONUS – Additional NSX Features (*VXLAN, Routing, Load-Balancing)
• SIDENOTE: *NSX Distributed Firewall is not dependent on VXLAN
• Simplified incremental migration
• Enable Security Policy one application or VM at a time
Our microsegmentation design
• Use Service Composer
• Application X and Y are isolated from each other even though they are on the same subnet.
• The Security Policies of the tiers of each application only permit the necessary ports required for inter-tier communication
Our deployment process (“brown field”)
• Install the NSX Manager virtual appliance (OVA) & register it with vCenter
• Deploy the firewall VIB bundles to hosts
• Change the Security Policy “Default Applied To” value to: Security Groups
• Use centralized logging (Log Insight or Splunk)
• Create “COMMON-SERVICES” Security Policy
• With last rule of DENY ANY-ANY
• Define Security Groups and their members
• Build Security Policy for each Security Group (based on Syslog)
• Final Step – Apply “COMMON-SERVICES” Security Policy to the SG
Set Security Policy to apply to Security Groups
Use centralized logging (Log Insight or Splunk)
CRITICAL STEP!
• Visibility
• Troubleshooting
Create “COMMON-SERVICES” Security Policy
With last rule of DENY ANY-ANY
Ports required by all:
• NTP-OUT
• DNS-OUT
• SYSLOG-OUT
• SNMP-IN
• DHCP-OUT?
• WINDOWS UPDATES
• AV-OUT
• ADMIN-PORTS-IN
• LAST RULE: ANY-ANY DENY (enable logging)
Brown Field Firewall Policy Assumptions
• Default allow all traffic any-any out of the box (don’t kill the environment!)
• Incremental migration to zero-trust (whitelist) for all applications
• Use “recon rules” with Splunk to build policy for brown field systems
(this process could also be used to troubleshoot green field deployment)
Rule creation process using “Recon Rules” & Splunk
• Create a new Security Group & Security Policy for the Application
• Assign SP to the SG and create two firewall “recon” rules
• ANY-OUT (allow and LOG)
• ANY-IN (allow and LOG)
• Monitor Splunk and use the log data to build new rules for valid traffic
• Each new permit rule should be created ABOVE the recon rules (no logging)
• Once all valid traffic is defined, remove the recon rules and assign the “COMMON-SERVICES” Security Policy (any traffic not matching a rule will ultimately be dropped by implicit deny).
Security Groups and Security Policies
1. Define Security Groups for each Application and Application Tier (add VMs or create a Dynamic Membership rule)
2. Build Security Policy & apply to Security Group (create rules for traffic based on Syslog data)
3. Final Step – Apply “COMMON-SERVICES” Security Policy to the SG (FIREWALL IS NOW ACTIVE – drops will be logged)
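The recon-rule workflow above and the COMMON-SERVICES port list, as an added example that is not code from the deck or from ATSU: a Python script that parses NSX-v style dfwpktlogs syslog lines, counts only the flows that hit the two logging recon rules, sets aside flows already covered by a COMMON-SERVICES rule, and prints the candidate permit rules to place above the recon rules. The log line layout, the recon rule IDs 1100/1101, the port-to-rule mapping, the RFC 1918 "internal" check and all sample log lines are assumptions constructed for this example.

```python
"""Turn DFW recon-rule log hits into candidate permit rules (constructed example)."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed rule IDs of the two logging recon rules (ANY-IN / ANY-OUT).
RECON_RULES = {"1100": "ANY-IN", "1101": "ANY-OUT"}

# Ports the deck places in COMMON-SERVICES, keyed by (direction, proto, dst port);
# a flow hitting one of these needs no application-specific rule.
COMMON_SERVICES = {
    ("OUT", "UDP", 123): "NTP-OUT",
    ("OUT", "UDP", 53): "DNS-OUT",
    ("OUT", "TCP", 53): "DNS-OUT",
    ("OUT", "UDP", 514): "SYSLOG-OUT",
    ("IN", "UDP", 161): "SNMP-IN",
    ("IN", "TCP", 22): "ADMIN-PORTS-IN",
    ("IN", "TCP", 3389): "ADMIN-PORTS-IN",
}

# Internal address space for the review check (assumed to be RFC 1918 here).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed dfwpktlogs layout:
#   dfwpktlogs: <pid> INET <match|term> <PASS|DROP> <ruleset>/<rule_id> <IN|OUT>
#   <len> <PROTO> <src>/<sport>-><dst>/<dport> [flags]
LOG_RE = re.compile(
    r"dfwpktlogs: \d+ INET (?P<event>match|term) (?P<action>PASS|DROP) "
    r"(?P<ruleset>\S+)/(?P<rule>\d+) (?P<dir>IN|OUT) \d+ (?P<proto>TCP|UDP|ICMP) "
    r"(?P<src>[\d.]+)(?:/(?P<sport>\d+))?->(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?"
)

# Constructed sample: app server 10.20.1.10 under recon rules 1100 (IN) / 1101 (OUT).
SAMPLE_LOG = """\
2016-08-29T14:02:11Z esx-01 dfwpktlogs: 21480 INET match PASS domain-c7/1101 OUT 60 TCP 10.20.1.10/50212->10.20.2.20/1433 S
2016-08-29T14:02:12Z esx-01 dfwpktlogs: 21480 INET match PASS domain-c7/1101 OUT 60 TCP 10.20.1.10/50213->10.20.2.20/1433 S
2016-08-29T14:02:15Z esx-01 dfwpktlogs: 21480 INET match PASS domain-c7/1101 OUT 76 UDP 10.20.1.10/48123->10.0.0.5/123
2016-08-29T14:02:16Z esx-01 dfwpktlogs: 21480 INET match PASS domain-c7/1101 OUT 64 UDP 10.20.1.10/51001->10.0.0.6/53
2016-08-29T14:02:20Z esx-01 dfwpktlogs: 21480 INET match PASS domain-c7/1100 IN 60 TCP 10.50.3.7/43111->10.20.1.10/443 S
2016-08-29T14:02:20Z esx-01 dfwpktlogs: 21480 INET term PASS domain-c7/1100 IN 60 TCP 10.50.3.7/43111->10.20.1.10/443 FIN
2016-08-29T14:02:31Z esx-01 dfwpktlogs: 21480 INET match PASS domain-c7/1101 OUT 60 TCP 10.20.1.10/50290->203.0.113.44/443 S
2016-08-29T14:02:40Z esx-01 dfwpktlogs: 21480 INET match PASS domain-c7/1050 OUT 60 TCP 10.20.1.10/50300->10.20.2.20/1433 S
2016-08-29T14:02:41Z esx-01 vmkernel: unrelated host message
"""


def parse_line(line):
    """Parsed fields of a dfwpktlogs line, or None for any other line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"]) if rec["dport"] else 0  # 0: no port (ICMP)
    return rec


def propose_rules(lines):
    """Aggregate recon hits into (proposed, covered) Counters.

    proposed: flows per (direction, proto, peer, dst port) still needing a rule.
    covered:  flows already handled by a COMMON-SERVICES rule.
    Only 'match' events count (a flow's 'term' event would double-count it) and
    hits on any non-recon rule, e.g. a permit placed above the recon rules, are skipped.
    """
    proposed, covered = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["event"] != "match" or rec["rule"] not in RECON_RULES:
            continue
        direction, proto, port = rec["dir"], rec["proto"], rec["dport"]
        peer = rec["dst"] if direction == "OUT" else rec["src"]
        service = COMMON_SERVICES.get((direction, proto, port))
        if service:
            covered[service] += 1
        else:
            proposed[(direction, proto, peer, port)] += 1
    return proposed, covered


def review_flags(proposed):
    """Outbound candidates whose peer is outside internal space: review before
    permitting (the deck found vendor remote-support paths this way)."""
    return sorted(k for k in proposed if k[0] == "OUT"
                  and not any(ip_address(k[2]) in net for net in INTERNAL_NETS))


def render_rules(sg_name, proposed):
    """Candidate rule lines to add ABOVE the recon rules (no logging on them)."""
    out = []
    for (direction, proto, peer, port), n in sorted(proposed.items()):
        src, dst = (sg_name, peer) if direction == "OUT" else (peer, sg_name)
        out.append(f"permit {proto} {src} -> {dst} port {port}  # {n} flow(s)")
    return out


if __name__ == "__main__":
    proposed, covered = propose_rules(SAMPLE_LOG.splitlines())
    print("\n".join(render_rules("SG-APP-X", proposed)))
    print("covered by COMMON-SERVICES:", dict(covered))
    print("review before permitting:", review_flags(proposed))
```

Run it against an export of the recon-rule hits from Splunk or Log Insight instead of SAMPLE_LOG; the same counting logic can be expressed as a Splunk search grouped on direction, protocol, peer and destination port.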
Discoveries we’ve made along the way
• Prevalence of vendor installed remote support backdoors
• Identification and mitigation of internal application architecture security issues
• The profound security implications of a microsegmented design
• (VM) Monitor > Service Composer > Firewall Rules (See ALL rules assigned to the VM!)
• Centralized Syslog provides great visibility for troubleshooting and auditing
• Self-cleaning Firewall Policies – Less stale ACLs to pick through!
• Basic firewall policy automation – Not difficult
Firewall Policy Automation .. Dynamic SG Membership
Firewall Policy Automation .. for mere mortals
Key Feature: View all rules applied to a VM
Recommended Resources
NSX Hands on Labs (HOL)
http://labs.hol.vmware.com/
• HOL-SDC-1603 VMware NSX Introduction
• HOL-SDC-1625 VMware NSX Advanced
VMworld Sessions
• SEC8348 Deploying Security in a Brownfield Environment
• NET7944 NSX Brownfield Deployment Best Practice
LucidChart.com – 100% Web-based diagramming tool with live collaboration
Splunk or LogInsight
Questions?
Iain Leiter
Network Engineer
VMworld 2016: Migrating from a hardware based firewall to NSX to improve performance and compliance, with Iain Leiter

  • 1. Group Discussion: Migrating from a Hardware Based Firewall to NSX to Improve Performance and Compliance, with Iain Leiter Iain Leiter, ATSU NET10706-GD #NET10706
  • 2. Introduction Who are you and what is A.T. Still University? iain leiter Network Engineer 10+ years of IT networking experience – Certified VMware VCIX6-NV Responsibilities include LAN, WAN, Wireless, Network Security, plus lots more in a technologically diverse medical university environment www.linkedin.com/in/iainleiter
  • 3. Agenda • Technical and business challenges • Technology evaluation process • The advantages of NSX as a firewall solution • Our microsegmentation design • Our deployment process • Discoveries we’ve made along the way
  • 4. Technical and Business Challenges • Need to separate sensitive clinical, academic, and business systems • Firewall sizing risks - possible future scalability issues • Performance Requirements • High Resolution Histology Imaging application • Academic classroom video capture and VOD • Ongoing firewall bandwidth constraints • Reduce costs
  • 6. Firewall Technologies Considered or Evaluated • More physical firewalls • OS-based software firewalls • Windows Firewall • Linux Firewalls • AV Firewalls • Virtualized firewalls from other vendors • Cisco ASAv • Cisco ASA1000V • Cisco VSG • SDN/SDDC solutions • ACI + hardware • NSX
  • 7. The advantages of NSX (DFW) as a firewall solution • Distributed firewalling provides high performance and scalability • Security Policies applied to the VM’s vNIC • Firewall bandwidth capacity grows as server hardware is added
  • 8. The advantages of NSX (DFW) as a firewall solution • Pay as you grow flexibility • Buy what you need • No firewall sizing risk
  • 9. The advantages of NSX (DFW) as a firewall solution • Firewall capacity mobility – move firewall capacity between sites (licenses)
  • 10. The advantages of NSX (DFW) as a firewall solution • Additional visibility for improved compliance Monitor firewalling between VMs on the same segment
The advantages of NSX (DFW) as a firewall solution
• Advanced Security Features – Microsegmentation & Automation!
• Security Benefit - Firewall policy is enforced at the VM’s vNIC
• Independent of the guest OS or underlying network hardware
• BONUS – Additional NSX Features (*VXLAN, Routing, Load-Balancing)
• SIDENOTE: *NSX Distributed Firewall is not dependent on VXLAN
• Simplified incremental migration
• Enable Security Policy one application or VM at a time
Our microsegmentation design
• Use Service Composer
• Application X and Y are isolated from each other even though they are on the same subnet.
• The Security Policies of the tiers of each application only permit the necessary ports required for inter-tier communication
Our deployment process (“brown field”)
• Install NSX Manager Virtual Appliance OVA & register with vCenter
• Deploy the firewall VIB bundles to hosts
• Change Security Policy “Default Applied To” value: Security Groups
• Use centralized logging (Log Insight or Splunk)
• Create “COMMON-SERVICES” Security Policy
• With last rule of DENY ANY-ANY
• Define Security Groups and their members
• Build Security Policy for each Security Group (based on Syslog)
• Final Step – Apply “COMMON-SERVICES” Security Policy to the SG
Set Security Policy to apply to Security Groups
Use centralized logging (Log Insight or Splunk)
CRITICAL STEP!
• Visibility
• Troubleshooting
Create “COMMON-SERVICES” Security Policy
With last rule of DENY ANY-ANY
Ports required by all
• NTP-OUT
• DNS-OUT
• SYSLOG-OUT
• SNMP-IN
• DHCP-OUT?
• WINDOWS UPDATES
• AV-OUT
• ADMIN-PORTS-IN
• LAST RULE
• ANY-ANY DENY (enable logging)
Brown Field Firewall Policy Assumptions
• Default allow all traffic any-any out of the box (don’t kill the environment!)
• Incremental migration to zero-trust (whitelist) for all applications
• Use “recon rules” with Splunk to build policy for brown field systems (this process could also be used to troubleshoot green field deployment)
Rule creation process using “Recon Rules” & Splunk
• Create a new Security Group & Security Policy for the Application
• Assign SP to the SG and create two firewall “recon” rules
• ANY-OUT (allow and LOG)
• ANY-IN (allow and LOG)
• Monitor Splunk and use the log data to build new rules for valid traffic
• Each new permit rule should be created ABOVE the recon rules (no logging)
• Once all valid traffic is defined, remove the recon rules and assign the “COMMON-SERVICES” Security Policy (any traffic not matching a rule will ultimately be dropped by implicit deny).
Security Groups and Security Policies
1. Define Security Groups for each Application and Application Tier (Add VMs or Create Dynamic Membership Rule)
2. Build Security Policy & apply to Security Group (Create rules for traffic based on Syslog data)
3. Final Step – Apply “COMMON-SERVICES” Security Policy to the SG (FIREWALL IS NOW ACTIVE – Drops will be logged)
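The microsegmentation design (two applications on one subnet, isolated by tier) and the recon-rule procedure above, worked through as an added example. This is not code from the presentation or from NSX: it is a small Python model of first-match rule evaluation at the vNIC, the allow-and-LOG recon rules, turning the logged flows into candidate permit rules per Security Group pair, and the cutover to COMMON-SERVICES with its final DENY ANY-ANY. The group names, VM names, observed traffic and log line format are all constructed; Service Composer policy weights, rule direction and Applied To scoping are collapsed into one ordered list.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    src: str = "any"             # Security Group name, or "any"
    dst: str = "any"
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None matches any destination port
    log: bool = False

@dataclass(frozen=True)
class Flow:
    src_vm: str
    dst_vm: str
    proto: str
    dport: int

# Constructed Security Group membership. Applications X and Y can share a
# subnet: DFW rules key on group membership at the vNIC, not on the network.
GROUPS = {
    "APPX-WEB": {"appx-web01"}, "APPX-DB": {"appx-db01"},
    "APPY-WEB": {"appy-web01"}, "APPY-DB": {"appy-db01"},
    "INFRA-DNS": {"dns01"},
}

def group_of(vm: str) -> str:
    """Resolve a VM to its Security Group (first match in the constructed data)."""
    return next((g for g, members in GROUPS.items() if vm in members), "UNGROUPED")

def matches(rule: Rule, flow: Flow) -> bool:
    def in_group(vm: str, group: str) -> bool:
        return group == "any" or vm in GROUPS.get(group, set())
    return (in_group(flow.src_vm, rule.src) and in_group(flow.dst_vm, rule.dst)
            and rule.proto in ("any", flow.proto)
            and rule.dport in (None, flow.dport))

# "COMMON-SERVICES" as the slides describe it: ports every VM needs, closed by
# a logged DENY ANY-ANY. Only DNS is modelled here.
COMMON_SERVICES = [
    Rule("DNS-OUT", "allow", dst="INFRA-DNS", proto="udp", dport=53),
    Rule("DENY-ANY-ANY", "deny", log=True),
]
# Temporary "recon rules": allow and LOG everything in both directions.
RECON_RULES = [Rule("RECON-ANY-OUT", "allow", log=True),
               Rule("RECON-ANY-IN", "allow", log=True)]

def build_policy(app_rules: List[Rule], recon_phase: bool) -> List[Rule]:
    """Application permits sit ABOVE the recon rules (so they are not logged);
    at cutover the recon rules give way to COMMON-SERVICES and its final deny."""
    return app_rules + (RECON_RULES if recon_phase else COMMON_SERVICES)

def evaluate(policy: List[Rule], flow: Flow) -> Tuple[str, str, Optional[str]]:
    """First match wins: returns (action, rule name, log line or None).
    The log line format is constructed for this example, not NSX's."""
    for rule in policy:
        if matches(rule, flow):
            line = (f"{rule.name} {rule.action.upper()} {flow.proto} "
                    f"{flow.src_vm}->{flow.dst_vm}:{flow.dport}") if rule.log else None
            return rule.action, rule.name, line
    return "deny", "IMPLICIT-DENY", None  # nothing matched at all

def propose_rules(log_lines: List[str]) -> List[Rule]:
    """Aggregate recon hits into one candidate permit per (src group, dst group,
    proto, port), skipping flows COMMON-SERVICES already allows. Candidates still
    need review against what the application should need, not just what it did."""
    seen: Counter = Counter()
    for line in log_lines:
        rule_name, _action, proto, endpoints = line.split(" ", 3)
        src_vm, rest = endpoints.split("->")
        dst_vm, dport = rest.rsplit(":", 1)
        flow = Flow(src_vm, dst_vm, proto, int(dport))
        if not rule_name.startswith("RECON-"):
            continue
        if any(r.action == "allow" and matches(r, flow) for r in COMMON_SERVICES):
            continue
        seen[(group_of(src_vm), group_of(dst_vm), proto, flow.dport)] += 1
    return [Rule(f"{s}-to-{d}-{p}-{port}", "allow", src=s, dst=d, proto=p, dport=port)
            for (s, d, p, port) in sorted(seen)]

# Constructed traffic seen while the recon rules were in place.
OBSERVED = [Flow("appx-web01", "appx-db01", "tcp", 3306),
            Flow("appx-web01", "appx-db01", "tcp", 3306),
            Flow("appy-web01", "appy-db01", "tcp", 5432),
            Flow("appx-web01", "dns01", "udp", 53)]

def recon_logs() -> List[str]:
    policy = build_policy([], recon_phase=True)
    return [line for f in OBSERVED for line in [evaluate(policy, f)[2]] if line]

def cutover_policy() -> List[Rule]:
    """Recon rules removed; learned permits sit above COMMON-SERVICES."""
    return build_policy(propose_rules(recon_logs()), recon_phase=False)
```

After cutover, `evaluate(cutover_policy(), Flow("appx-web01", "appy-db01", "tcp", 3306))` lands on DENY-ANY-ANY and produces a log line, even though both VMs sit on the same subnet, while the X web tier to X database flow that was learned during recon is permitted silently. The DNS flow never becomes an application rule because COMMON-SERVICES already covers it, which is why the slides apply that policy last and keep the application policies free of shared ports.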
Discoveries we’ve made along the way
• Prevalence of vendor installed remote support backdoors
• Identification and mitigation of internal application architecture security issues
• The profound security implications of a microsegmented design
• (VM) Monitor > Service Composer > Firewall Rules (See ALL rules assigned to the VM!)
• Centralized Syslog provides great visibility for troubleshooting and auditing
• Self-cleaning Firewall Policies – Less stale ACLs to pick through!
• Basic firewall policy automation – Not difficult
Firewall Policy Automation .. Dynamic SG Membership
Firewall Policy Automation .. for mere mortals
Key Feature: View all rules applied to a VM
Recommended Resources
NSX Hands on Labs (HOL) http://labs.hol.vmware.com/
• HOL-SDC-1603 VMware NSX Introduction
• HOL-SDC-1625 VMware NSX Advanced
VMworld Sessions
• SEC8348 Deploying Security in a Brownfield Environment
• NET7944 NSX Brownfield Deployment Best Practice
LucidChart.com – 100% Web-based diagramming tool with live collaboration
Splunk or LogInsight
Questions?
iain leiter
Network Engineer
10+ years of IT networking experience – Certified VMware VCIX6-NV
Responsibilities include LAN, WAN, Wireless, Network Security, plus
lots more in a diverse medical university environment
www.linkedin.com/in/iainleiter