New Threats, New Approaches in Modern Data Centers - A Presentation by NPS at CENIC conference 11:00 am - 12:00 pm, Wednesday, March 22, 2017 – in San Diego, California The standard approach to securing data centers has historically emphasized strong perimeter protection to keep threats on the outside of the network. However, this model is ineffective for handling new types of threats—including advanced persistent threats, insider threats, and coordinated attacks. A better model for data center security is needed: one that assumes threats can be anywhere and probably are everywhere and then, through automation, acts accordingly. Using micro-segmentation, fine-grained network controls enable unit-level trust, and flexible security policies can be applied all the way down to a network interface. In this joint presentation between customer, partner, and VMware, the fundamental tenants of micro-segmentation will be discussed. Presenters will describe how the Naval Postgraduate School has incorporated these principles into the architecture and design of a multi-tenant Cybersecurity Lab environment to deliver security training to national and international government personnel. Edgar Mendoza, IT Specialist, Information Technology and Communications Services (ITACS) Naval Postgraduate School Eldor Magat, Computer Specialist, ITACS, Naval Postgraduate School Mike Monahan, Network Engineer, ITACS, Naval Postgraduate School Iben Rodriguez, Brocade Resident SDN Delivery Consultant, ITACS, Naval Postgraduate School Brian Recore, NSX Systems Engineer, VMware, Inc. https://youtu.be/mYBbIbfKkGU?t=1h7m16s Copied from the program with corrections - https://adobeindd.com/view/publications/b9fbbdf0-60f1-41dc-8654-3d2141b0bf54/nh4h/publication-web-resources/pdf/Conference_Agenda_2017_v1.pdf

1. NAVAL POSTGRADUATE SCHOOL

2. New Threats, New Approaches
in Modern Data Centers

3. Why did we re-architect our Data
Center
• Understand the architecture and design
requirements of multi-tenancy environment
• Isolate threats through micro-segmentation
and granular network controls
• Apply flexible security policies at the VM
level

4. Center for Cyberwarfare - CCW
The lab is used to conduct research
and education to provide the modern
warfighter with tactical and
operational responses to cyber threats.

6. • Built by CCW with pizza box servers using
various adhoc storage systems.
• ITACS took over responsibilities of maintaining
the cyberlab project in late 2014.
• Inadequate resources – not scalable.
• Many single points of failure.
• Missing adequate licensing for some services.
• Not in a data center environment.
Legacy lab implementation

7. Why have lab isolation?
• Advanced Persistent Threats
• Human error – Insider Threat
• Protection against coordinated attacks
• Provide researchers with sandbox for malware
inspection
• Offer a clean slate for each class room from quarter
to quarter

8. Challenges overcome
• Cyberlab 2.0 addresses the following issues:
– Single points of failure removed
– Replaced AD Controller and Load Balancer physical
devices with virtual to decrease total cost of
ownership
– 2 racks of equipment consolidated to 2u HCI
– Reduced time required to provision labs for classes
each quarter
– Ability to customize networks for class differences
such as: firewall rules, student permissions, threat
types

9. HOW WE DID IT

10. Adding VDI increased the security surface area
• The converged infrastructure means virtual desktops run on the
same infrastructure as servers.
Data Center
Perimeter
Internet
EastWest

11. Haven’t We Learned Anything from a
Perimeter-Centric Focus?
“The Empire doesn't consider a small
one-man fighter to be any threat, or
they'd have a tighter defense. An analysis
of the plans provided by Princess Leia has
demonstrated a weakness in the battle
station. …The shaft leads directly to the
reactor system. A precise hit will start a
chain reaction which should destroy the
station.”
--General Dodanna
A Long Time Ago…In a Galaxy Far Far Away...
14

12. The M&M Approach to Security
15
“In today’s new threat
landscape, this M&M and
‘trust but verify’ is no longer
an effective way of enforcing
security.”
Forrester Research
In Response to NIST RF 130208119-3119-01I
“Developing a Framework to Improve Critical Infrastructure
Cyber-Security”

13. Trading Off Context and Isolation
16
Software Defined
Data Center (SDDC)
Any Application
SDDC Platform
Any x86
Any Storage
Any IP network
Data Center Virtualization
SDDC Platform
High Context
Low Isolation
High Isolation
Low Context
No Ubiquitous Enforcement
Traditional Approach

14. The Compromise Between Desired End
State & Operational Feasibility
17
WAN
…
“X” firewalls
“X” + “1000
workloads
vs
A typical data center has:
Directing all traffic (virtual + physical) through chokepoint
firewalls is inefficient
And a physical firewall per workload is cost
prohibitive

15. SDDC Virtualization Layer – Delivers Both
Context and Isolation
18
Software Defined
Data Center (SDDC)
Any Application
SDDC Platform
Any x86
Any Storage
Any IP network
Data Center Virtualization
High Context
High Isolation
Ubiquitous Enforcement
SDDC Approach
Secure Host Introspection

16. Micro-segmentation with NSX
SegmentationIsolation Advanced services
Controlled communication path within a
single network
Advanced services: addition of 3rd
party security, as needed by policy
No communication path between unrelated
networks
19

17. Move from “Network Centric” to “Class
Centric” Deployments
20
DMZ/Web VLAN
App VLAN
Class-A
Class-B
Services/Management VLAN
DB VLAN
Class-AClass-B
Services Mgmt
Class-A Class-B
Perimeter
firewall
Inside firewall
Perimeter
firewall
DMZ/Web
App
DB
Class-A
App
DMZ/Web
DB
Class-B
Services Mgmt
Services/Management
Group
Traditional Data Center NSX Data Center
CONFIDENTIAL

18. FY16 House NDAA Report
Cyber Defense Network Segmentation
The committee is aware that the Department of Defense is looking at modifying the way it builds,
maintains, and upgrades data center, including increased use of commercial cloud capabilities and public-
private partnerships. The committee is aware that as the Department increasingly looks at software-
defined networking, it could potentially reduce the mobility of cyber threats across data center and other
networks by increasing the compartmentalization and segmentation between systems, and providing a
mix of security techniques to enable access to those compartments. Such actions have the potential to
lessen the chance of a widespread or catastrophic breach, including breaches caused by insider threats.
The committee encourages the Department to explore ways to use compartmentalization or segmentation
as part of a software-defined networking approach in order to increase the security of its networks.
The Beginning of Policy Shifts….again

19. Combining Organic Capabilities with Best
of Breed across the Larger Ecosystem
Apply and visualize security
policies for workloads, in
one place.
Automate workflows across
best-of-breed services,
without custom integration.
Provision and monitor uptime
of different services, using one
method.
NSX Network Virtualization Platform
Deploy Apply Automate
Built-In Services
Firewall Data Security (DLP)
Server Activity Monitoring VPN (IPSEC, SSL)
Third-Party Services
Antivirus DLP Firewall
Vulnerability
Management
Intrusion
Prevention
Identity and
Access Mgmt
…and more in progress
Security Policy
Management
External Network
VDS
Guest VM
Partner
Service 1 VM
Slot
2
Slot
4
Traffic
Redirection
Module
Slot
5
Partner
Service 2 VM

20. High Scale NSX Topology
• High scale multi-tenancy is enabled with
multiple tiers of Edge interconnected via
VxLAN transit uplink
• Two tier Edges allow better scaling with
administrative control based on traffic
generated.
• NSX Edge can scale up to 8 ECMP Edges for
scalable routing
• Support for overlapping IP addresses
between Tenants connected to different
first tier NSX Edges
23
External Network
Tenant 1
Desktop Pool Logical
Switch
App LS DB LS
…
Desktop Pool Logical
Switch
Edge with HA
NAT/LB features
Single Adjacency
to ECMP Edge
ECMP Based
NSX Edge X-Large
(Route Aggregation Layer)
ECMP NSX Edge
VXLAN Uplinks VXLAN Uplinks
VXLAN 5100
Transit
App LS DB LS
… E8E1

21. • Automation, Automation, Automation
• Brocade Workflow Composer
• Cloud Management Platform - OpenStack on VMware (VIO)
• Plan to integrate physical devices (IoT, Robotics,
Weather Sensors, etc) into virtual cyberlab
• Dynamic routing
• Hardware VTEP to bridge VLAN to VXLAN
• Integration with NSX and Palo Alto Networks Virtual FW
• Leverage Public Cloud - Amazon AWS
Plans for 2017 and beyond

22. Stackstorm

23. VMware Integrated OpenStack
VMware Integrated OpenStack (VIO)
VMware SDDC
Standard OpenStack
Nova Neutron Cinder
Keystone HeatHorizon Ceilometer
Glance
• VIO is an “Integrated Product” Approach to OpenStack
• Standard DefCore Compliant OpenStack Distribution (delivered as OVA)
• Deploys & Manages Proven Production Architecture on VMware SDDC
• Fully Supported by VMware
VIO Management Server
(Deploy, configure, patch,
upgrade …OpenStack)
vSphere NSX
vSphere Datastores:
3rd-party / Virtual SAN

24. The Need for a Comprehensive Security Solution
VMware NSX Platform
NSX Distributed Firewall
VM level zoning without
VLAN/VXLAN
dependencies
Line rate access control
traffic filtering
Distributed enforcement at
Hypervisor level
Palo Alto Networks Next
Generation Security
Next Generation Firewall
Protection against known
and unknown threats
Visibility and safe
application enablement
User, device, and
application aware policies
Sophisticated Security
Challenges
Applications are not linked to
port & protocols
Distributed user and device
population
Modern Malware

25. AWS Global Infrastructure
VMware Cloud™ on AWS
Powered by VMware Cloud Foundation
28
AWS Global InfrastructureCustomer Datacenter
vSphere vSAN NSX
TECHNICAL PREVIEW
Operational Management Native AWS Services
Amazon
EC2
Amazon
S3
Amazon
RDS
AWS Direct
Connect
AWS IAMAWS IoT
…
…
…
…
vRealize Suite, vSphere Integrated Containers, ISV ecosystem
Availability expected in mid-2017 timeframe
Technical
Preview
vCentervCenter
VMware CloudTM on AWS
VMware vSphere-based service, running on the AWS Cloud
• ESXi on Dedicated
Hardware
• Support for VMs and
Containers
• vSAN on Flash and EBS
Storage
• Replication and DR
Orchestration
• NSX Spanning on-
premises and cloud
• Advanced Networking
& Security Services

27. Questions

28. NAVAL POSTGRADUATE SCHOOL