The document discusses how NSX security services can automate security operations and policies across virtualized environments through features like distributed firewalling, guest introspection, security groups, and integration with third-party security services. It provides an overview of how NSX improves visibility, context, performance, and automation compared to traditional network and host-based security controls. Use cases demonstrated include optimized vulnerability management and context-based isolation in VDI environments.
3. Disclaimer
CONFIDENTIAL 3
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
6. Agenda
1 Challenges with existing security controls
2 Introducing NSX Security
3 Automating Security
4 Benefits
5 Use Cases
6 Summary & Next Steps
7. 1. Firewall Challenges in the SDDC
Physical Firewalls
• No micro-segmentation
• Hardware CAPEX
• Choke point
• Rule sprawl (IP, MAC-based)
• Trombone traffic
Virtual Firewalls (VMs)
• Eliminate hardware
• Choke points with low performance (1-3 Gbps)
• Rule sprawl (IP, MAC-based)
Example of an address-based rule table that grows with every Web, App and DB VM (rule sprawl):
Src          Dst
192.168.1.1  192.168.5.2
10.0.0.1     10.0.2.5
10.0.0.2     10.0.2.5
10.0.0.3     10.0.2.5
8. 2. Force Choosing between Context and Isolation
Host-based security controls (in the guest VM): high context, low isolation.
Network-based security controls (in the network): low context, high isolation.
The hypervisor sits between the guest VM and the network.
• Security controls prone to attack
• Manual deployment and policy management
• No visibility into application, process, file, user or overall security posture
9. 3. Require In-guest Agents that Are Resource Intensive
[Chart: utilization (CPU, memory, storage) versus consolidation ratio, low to high]
1 Third-party management consoles: scheduled scans hit the same underlying infrastructure at the same time
2 Separate agent required per VM per service
3 Adding new services requires manual deployment at each guest
10. 4. Hard to Automate Workflows across Services
• Manual workflows due to lack of interoperability and automation across “best-of-breed” security products
• Endpoint control events do not trigger network controls
13. NSX Transforms Security for Optimal Context and Isolation While Minimizing Resource Overhead
• Isolation: fine-grained containment
• Context: better security through insight
• Ubiquity: ecosystem of distributed services
Core services built into the hypervisor kernel: switching, routing, firewalling.
14. NSX Provides Built-in Services to Manage the Security Posture of Workloads at Scale
Guest Introspection (shared context): the NSX driver pulls and shares file, user identity, process (application), network connections, registry keys etc.
Network Introspection: full network traffic visibility at the vNIC, vSwitch, or Edge.
Built-in VMware services: Firewall, Identity Firewall, Server Access Monitoring, VPN (IPSEC, SSL), DLP, L2 and L3 connectivity.
15. NSX Distributed Firewall
NSX Distributed Firewall is optimized for the SDDC:
• Delivers micro-segmentation
• Efficient rule management
• Dynamic policy (e.g. AV, DLP, vulnerability scan)
• No choke points, with scale-out performance (20 Gbps)
• Enabled for cloud automation
• Platform for distributed services
Rules are based on logical containers rather than on the addresses of individual Web, App and DB VMs:
Src      Dst
ANY      Shared Service
Desktop  WEB_GROUP
Example: WEB_GROUP carries the “Web Policy” (Firewall – allow inbound HTTP/S, allow outbound ANY). Firewall policies are pre-approved and used repeatedly by cloud automation.
17. NSX Enables Using Third Party Services to Manage the Security Posture of Workloads at Scale
Guest Introspection (shared context): the NSX driver pulls and shares file, user identity, process (application), network connections, registry keys etc.
Network Introspection: full network traffic visibility at the vNIC, vSwitch, or Edge.
Service Insertion Architecture for third-party services: DLP, Firewall, Vulnerability Management, Antivirus, Intrusion Prevention, Identity and Access Mgmt, Security Policy Management, and more in progress.
20. Secure SDDC with VMware NSX
Security services are managed more efficiently in a software-defined datacenter.
NSX Network Virtualization Platform
Built-in services: Firewall, Data Security (DLP), Server Activity Monitoring, VPN (IPSEC, SSL).
Third-party services: Antivirus, Vulnerability Management, Identity and Access Mgmt, Security Policy Management, DLP, Firewall, Intrusion Prevention, and more in progress.
• Deploy: provision and monitor uptime of different services, using one method (Service Insertion).
• Apply: apply and visualize security policies for workloads, in one place (Security Groups, Security Policies).
• Automate: automate workflows across best-of-breed services, without custom integration (Security Tags).
21. Register Security Services with VMware NSX
Service definitions cover built-in and 3rd-party services: Firewalling, VPN, Data Security, Activity Monitoring. Service categories, vendors and versions are visible in one central view.
23. Security Groups & Security Policies
• End users and cloud admins are able to define security policies based on service profiles already defined or approved by the security admin.
• Security policies are applied to one or more security groups where workloads are members.
SECURITY GROUP – WHAT you want to protect: members (VM, vNIC) and context (user identity, security posture).
SECURITY POLICY – HOW you want to protect it: services (firewall, antivirus, IPS etc.) and profiles (labels representing specific policies). Example “Standard Web”: Firewall – allow inbound HTTP/S, allow outbound ANY; IPS – prevent DOS attacks, enforce acceptable use.
24. Security Policies and Security Groups
NSX simplifies provisioning, audit and troubleshooting of security.
SECURITY GROUP: WHAT you want to protect. SECURITY POLICY: HOW you want to protect it.
1 Policy provisioning: define once (policy), use many (security groups). Tied to the workload, not to the infrastructure.
2 Audit: validate controls in one place – available services, applied policies.
3 Troubleshooting: when an app doesn’t work, you can start by observing the workload and all related security policies – rather than inferring from infrastructure security.
25. Security Groups
Definition: Security Group = (Dynamic Inclusion + Static Inclusions) – Static Exclusion
• Dynamic inclusion (VM-centric): Computer OS name, Computer Name, VM Name, Security Tag, Entity.
• Static inclusion and static exclusion (infrastructure-centric): Security Group, Cluster, Logical Switch, Network, vApp, Datacenter, IP Sets, Active Directory Group, MAC Sets, Security Tag, vNIC, VM, Resource Pool, DVS Port Group.
26. Automate Security Operations to respond to rapidly changing security conditions
Without VMware NSX
• Manual workflows
• No interoperability between best-of-breed security products
With VMware NSX
• Security is automated
• If one service finds something, then another service can do something about it
Create repeatable, automated workflows across best-of-breed security products with VMware NSX.
27. Advanced Services Insertion
Traditional data center: static service chain. NSX data center: dynamic service chain – a flexible service chain that adapts to changing conditions, giving more efficient use of services and better security by sharing tags.
NSX is a platform for integrating the leading security products and enables dynamic actions to respond to changing security conditions.
29. 1. Optimized for Performance
[Chart: utilization (CPU, memory, storage) versus consolidation ratio, low to high]
1 Reduces attack surface
2 Stronger protection – cannot be turned off by malware
3 Eliminates overhead of agent resources and management
4 Reduces VM footprint, enables higher consolidation
30. 2. Automated Ubiquitous Deployment & Enforcement
1. ESX host added to cluster
2. Automated: NSX deploys Guest Introspection framework and service VMs (partner & VMware)
3. VM brought up on host
4. Automated: appropriate security policies applied
5. VM vMotions to a different host
6. Automated: appropriate security policies applied
31. 3. Visibility into In-guest Events
• Users logging in
• Files accessed
• Network connections
• System events
• Applications running
• Canned reports
32. Identity Based Access Control
Active Directory user Eric Frost logs in from IP 192.168.10.75; the logs record the user, AD group, application and both endpoints of the connection:
User       | AD Group    | App Name       | Originating VM Name | Destination VM Name | Source IP     | Destination IP
Eric Frost | Engineering | SPDesigner.exe | Eric-Win7           | Ent-Sharepoint      | 192.168.10.75 | 192.168.10.78
35. 4. Simplified Policy Management & Automation across Services
Roles on the virtualization platform: 1 Security Admin and 2 NSX Admin work in NSX Manager on the Security Policy (HOW you want to protect it) and the Security Group (WHAT you want to protect); 3 Cloud Architect consumes them through the Cloud Management Portal.
37. Security-Centric View
• Containers – grouping of VMs, IPs, and more, to define WHAT you want to protect, e.g. “Financial Applications”, “Desktop Users”, “Quarantine Zone”.
• Nested containers – other groupings within the container, e.g. “Quarantine Zone” is a sub group within “My Data Center”.
• VMs (workloads) that belong to this container, e.g. “Apache-Web-VM”, “Exchange Server-VM”.
• Policies – collection of service profiles assigned to this container, to define HOW you want to protect this container, e.g. “PCI Compliance” or “Quarantine Policy”.
• Service profiles for *deployed* services, assigned to these policies.
Services supported today:
• Distributed Virtual Firewall
• Anti-virus
• Vulnerability Management
• Network IPS
• Data Security (DLP scan)
• User Activity Monitoring
• File Integrity Monitoring
40. Monitor Uptime of Different Services
Service deployments: installation status and service status are visible in one central view.
41. Eliminate Policy Sprawl through Automation
No manual cleanup is necessary during application decommissioning: a single SECURITY POLICY (“Standard Web”: Firewall – allow inbound HTTP/S, allow outbound ANY; IPS – prevent DOS attacks, enforce acceptable use) is applied to multiple SECURITY GROUPs.
42. Increase Visibility into Service Availability
On the virtualization platform, security virtual appliances are restarted upon detection of a service health failure; error messages provide insight into why the service failed.
45. Scenario 1: Vulnerability Management Optimized for SDDC
VMware Network and Security Platform
Built-in services: Firewall, Data Security (DLP), Server Activity Monitoring, VPN (IPSEC, SSL).
Third-party services: Antivirus, DLP, Firewall, Vulnerability Management, Intrusion Prevention, Identity and Access Mgmt, Security Policy Management, and more in progress.
46. Traditional Challenges in Vulnerability Management
1 Network scanner: scan IP range for asset inventory (NMAP)
2 Run port scan on live systems – sets off IPS alarms
3 Whitelist scanner IP address on IPS
4 Scans return inaccurate info
5 Must secure system credentials to run accurate scans
6 Scans run over the virtual network, impacting app performance
47. Vulnerability Management Optimized for SDDC Using NSX
Guest Introspection on the virtualization platform provides file, user identity, process (application), network connections, registry keys, etc.
• No network scans required
• Get all VM asset inventory from vCenter
• Get all VM context – file, process, registry key – via NSX Guest Introspection
• No credentials required for server scans – the in-guest driver runs the credentialed scan
Simplified deployment: automated deployment of the 3rd-party appliance to all selected clusters in the data center.
48. Scenario 2: Context Based Isolation in VDI Environment
49. Virus Detection Triggers Isolation and Remediation
Security groups: Employee Desktops SG, Front Desk SG, IT Admin Desktops SG, Infected System SG. Shared resources reached through NSX: Records, Scheduling App, IT Services.
• “All Desktops” policy: AV – agentless scan.
• When the scan detects a virus, the VM lands in the Infected System SG, whose policy is AV – scan and remediate, and DFW: block access to applications.
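The security-group definition above, SG = (Dynamic Inclusion + Static Inclusions) – Static Exclusion, and the tag-driven quarantine in this scenario, as an added example that is not VMware's code: an AV finding sets a security tag, the tag flips the VM's dynamic membership, and the DFW verdict follows. All VM names, the OS criterion and the tag value are constructed.

```python
"""Added example (not VMware's code): Service Composer-style group membership
and a tag-driven quarantine. Names, tags and criteria are constructed."""
from dataclasses import dataclass, field


@dataclass
class VM:
    name: str
    os_name: str
    tags: set = field(default_factory=set)


@dataclass
class SecurityGroup:
    name: str
    dynamic: list = field(default_factory=list)       # callables VM -> bool
    static_include: set = field(default_factory=set)  # VM names added by hand
    static_exclude: set = field(default_factory=set)  # VM names always excluded

    def members(self, vms):
        # (dynamic inclusion + static inclusion) - static exclusion
        dyn = {v.name for v in vms if any(c(v) for c in self.dynamic)}
        return (dyn | self.static_include) - self.static_exclude


# Policies applied per security group: ordered (service, action) pairs (constructed)
POLICIES = {
    "All Desktops": [("AV", "agentless scan")],
    "Infected System SG": [("AV", "scan and remediate"),
                           ("DFW", "block access to applications")],
}
QUARANTINE_TAG = "AV.VirusFound"   # constructed tag name applied by the AV service


def build_groups():
    desktops = SecurityGroup("All Desktops",
                             dynamic=[lambda v: v.os_name.startswith("Windows")],
                             static_exclude={"ITADMIN-JUMP"})
    infected = SecurityGroup("Infected System SG",
                             dynamic=[lambda v: QUARANTINE_TAG in v.tags])
    return [desktops, infected]


def effective_actions(vm, vms):
    """Union of policy actions from every group the VM currently belongs to."""
    acts = []
    for sg in build_groups():
        if vm.name in sg.members(vms):
            acts.extend(POLICIES[sg.name])
    return acts


def app_access_allowed(vm, vms):
    """DFW verdict for the VM: blocked as soon as a quarantine policy applies."""
    return not any(svc == "DFW" and act.startswith("block")
                   for svc, act in effective_actions(vm, vms))


def demo():
    """Constructed fleet: the AV service tags FRONTDESK-01, access flips to blocked."""
    vms = [VM("FRONTDESK-01", "Windows 7"), VM("ITADMIN-JUMP", "Windows 7"),
           VM("RECORDS-DB", "Linux")]
    before = app_access_allowed(vms[0], vms)
    vms[0].tags.add(QUARANTINE_TAG)        # virus found -> tag applied, no rule edit
    return before, app_access_allowed(vms[0], vms)
```

No firewall rule is touched during the quarantine: only the tag changes, and membership plus the pre-approved policy do the rest.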
50. Scenario 3: Minimizing Attack Surface
52. Scenario 4: Traffic Redirection to Advanced Services – e.g. PAN
SECURITY GROUP SG-WEB: WEB Tier (DVS port group or logical switch) with VM1 1.1.1.1 and VM2 1.1.1.2. SECURITY GROUP SG-APP: APP Tier (DVS port group or logical switch) with VM3 2.2.2.1 and VM4 2.2.2.2.
SECURITY POLICY SP-PAN-Redirect (“PAN redirect”, HOW you want to protect it): Network Introspection Services (= traffic redirection). Services – Tomcat. Traffic from WEB to APP: redirect to PAN.
Network Introspection Rule:
Source               Dest    Service  Action
Policy’s SG (SG-WEB) SG-APP  Tomcat   Redirect to PAN
• Any Tomcat traffic from WEB Tier to APP Tier is redirected to the PAN VM-Series FW.
• Any other traffic from WEB Tier to APP Tier is not redirected to PAN.
• Traffic hits the DFW first and then the traffic redirection rule: Tomcat traffic must be allowed by a DFW rule, otherwise it cannot be redirected to PAN.
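The evaluation order in this scenario (DFW first, then the network introspection rule), as an added example that is not VMware's code. Group membership is modelled by address ranges derived from the slide's VMs, and the Tomcat service definition (tcp/8080) and rule tables are constructed.

```python
"""Added example (not VMware's code): a flow is matched against the DFW first and
only an allowed flow reaches the redirect rule. Addresses, the Tomcat service
definition and the rule tables are constructed to mirror the slide."""
from ipaddress import ip_address, ip_network

# Security groups by address (constructed: SG-WEB holds 1.1.1.x, SG-APP holds 2.2.2.x)
GROUPS = {"SG-WEB": ip_network("1.1.1.0/24"), "SG-APP": ip_network("2.2.2.0/24")}
TOMCAT = ("tcp", 8080)   # assumed service definition for "Tomcat"
SSH = ("tcp", 22)        # a non-Tomcat service used to show the "not redirected" path


def in_group(ip, group):
    return ip_address(ip) in GROUPS[group]


# DFW rule table: (src_group, dst_group, service, action); first match wins
DFW_TOMCAT_ONLY = [
    ("SG-WEB", "SG-APP", TOMCAT, "allow"),
    ("any", "any", "any", "block"),           # default deny
]
DFW_ALLOW_WEB_TO_APP = [
    ("SG-WEB", "SG-APP", "any", "allow"),
    ("any", "any", "any", "block"),
]
DFW_DEFAULT_DENY_ONLY = [("any", "any", "any", "block")]

# Network introspection rule from policy SP-PAN-Redirect
REDIRECT_RULES = [("SG-WEB", "SG-APP", TOMCAT, "redirect to PAN")]


def matches(rule, src, dst, service):
    sg, dg, svc, _ = rule
    return ((sg == "any" or in_group(src, sg))
            and (dg == "any" or in_group(dst, dg))
            and (svc == "any" or svc == service))


def evaluate(src, dst, service, dfw_rules=DFW_TOMCAT_ONLY):
    """Return (DFW verdict, redirect action or None) for one flow."""
    verdict = next(r[3] for r in dfw_rules if matches(r, src, dst, service))
    if verdict != "allow":
        return verdict, None           # blocked flows never reach the redirect rule
    redirect = next((r[3] for r in REDIRECT_RULES if matches(r, src, dst, service)), None)
    return verdict, redirect
```

The third rule table reproduces the caveat on the slide: with no DFW allow for Tomcat, the redirect rule is never consulted.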
53. Security Partner Integrations
NSX is the platform for integrating advanced security services from the partner ecosystem:
• Next-generation IPS: granular protection of individual VM workloads with customizable policy definitions.
• Malware protection: data center security with agentless anti-malware and guest network threat protection; real-time, dynamic threat protection and response for workloads moving between hosts and virtual data centers; automation of advanced malware interception; unified management for physical and virtual sensors.
• Vulnerability management: automatic vulnerability risk assessment; data center wide real-time risk visibility; auto segmentation of risky assets; vulnerability prioritization for effective remediation.
• Threat & malware protection: a single virtual appliance provides agentless anti-malware with URL filtering, vulnerability and software scanning, detection of file changes, and intrusion detection & prevention.
• Next-generation firewall: multiple threat prevention disciplines including firewall, IPS, and antimalware; safe application enablement with continuous content inspection for all threats; granular user-based controls for apps, content, users.
55. Achieving Micro-Segmentation in the Real World
1 Prepare security fabric
• Prepare hosts for security
• Optional: deploy security vendor management consoles for advanced services
• Optional: deploy security vendor appliances
2 Monitor flows
• Brownfield: leverage existing knowledge from perimeter firewalls
• Use NSX built-in flow monitoring, IPFIX tools
• Integrate VMware Log Insight to analyze syslogs
3 Determine policy model
• Identify patterns with flows
• Determine a policy model based on the patterns
4 Apply policy model
• Determine approach: Firewall Rule Table or Service Composer policy model
• Based on the policy model, create grouping models
• Write security policy
56. Day 2 Operations
• Drifts and shifts in workload flows: continue monitoring flow patterns using Log Insight.
• Shifts in policies: manage FW rules using Tufin, Algosec.
• Keep advanced services updated: keep services like AV, IPS updated with signatures.
57. NSX Transforms Security by Providing Context & Minimizing Overhead
• Context: share rich context on applications, users, data, etc.
• Isolation: minimize attack targets like security controls (e.g. AV) and telemetry (e.g. logs) by leveraging guest and network isolation and micro-segmentation.
• Ubiquity: ensure visibility and control points are everywhere to help address coverage and scale challenges.