2. VMware – Who we are…
• Headquartered in Palo Alto
• Campus the size of Disneyland
• Over $25 billion in revenues
• 17 years old
• Over 55,000 partners worldwide
• ~17,800 employees worldwide
• Fastest software company in history to grow to $5 billion in sales (and did it with one product)
• Corporate mascot: Turtle
3. VMware Software Defined Enterprise
• Policy-based Management & Automation: Cloud Automation (vCenter Automation Center, VCAC), Cloud Operations (vCenter Operations, vCOPS), Cloud Business (ITBM)
• Software-Defined Data Center: Virtualized Infrastructure (Abstract & Pool) across Compute, Network, Security, Storage and Availability (vSphere, NSX, vSAN, SRM, vCenter Server), spanning Private Clouds, Public Clouds and vCHS
• Applications: Modern, SaaS, Traditional
• End User Computing: Desktop, Mobile, Virtual Workspace (Horizon Workspace, Horizon View, Horizon Mirage)
4. Agenda
1 SDDC/NSX Overview
2 The Killer Use Case // Micro-segmentation
3 Current Customers and Benchmarks
4 VMware AppDefense
Confidential
5. IT’S TIME FOR A NEW IT APPROACH
• Slow technology adoption rates
• High user expectations
• Slow responses
• Privacy issues
• Integration problems
• Service outages
• Shortage of right skills
• Declining budget
• Different applications
• Aging infrastructure
• Security
• Proliferation of devices
• Fragmented data center
• Limited resources
• Cloud silos
6. We are in the 3rd fundamental structural transition in the history of IT
Mainframe → PC Revolution / Client/Server → Cloud/MDM/SDDC (we are here)
• Mainframe: local applications; minor role for networking
• Client/Server: desktops & servers; campus networks; data centers
• Cloud: mobile devices & clouds (public & private); software defined
7. What Is a Software-Defined Data Center (SDDC)?
A data center virtualization layer sitting between hardware and software:
• Pooled compute, network, and storage capacity
• Vendor independent, best price/performance/service
• Simplified configuration and management
• Intelligence in software
• Operational model of VM for data center
• Automated provisioning and configuration
8. NSX value proposition
Network virtualization is at the core of the software-defined data center approach: a virtualization layer across network, storage and compute.
9. The Next-generation Networking Model
Network and security services now run in the hypervisor: switching, routing, firewalling/ACLs, load balancing and east-west firewalling, with high throughput rates and hardware independence.
11. Network Virtualization – How is it being used today?
• SECURITY: architecting security as an inherent part of the data center infrastructure
• AUTOMATION: automating IT processes to deliver IT at the speed of business
• APPLICATION CONTINUITY: enabling applications and data to reside and be accessible anywhere
13. Increased Security Spending Has Not Decreased Breaches
(Chart: IT Spend vs. Security Spend vs. Security Breaches)
• Annual cost of security breaches: $445B (Source: Center for Strategic and International Studies)
• Security as a percentage of IT spend: 2012: 11%; 2015: 21% (Source: Forrester)
• Projected growth rate in IT spend from 2014-2019: zero (flat) (Source: Gartner)
14. Digital makes reliance on data lucrative for thieves
Security investments are increasing, yet the cost of breaches is rising faster. Underfunding security isn’t the problem.
15. Improved Data Center Network Security
Perimeter-centric network security has proven insufficient, and HW micro-segmentation is operationally infeasible.
Figure: Internet facing a traditional edge firewall, with little or no lateral controls inside the perimeter, versus Internet facing the NSX distributed firewall (dFW).
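The following is an added illustration, not code from the deck or from VMware: a small model of why an edge firewall leaves the lateral gap the slide describes, with a perimeter address range, security groups, tier rules and sample flows that are all constructed for the example.

```python
"""Constructed comparison: perimeter (edge) firewall vs. NSX-style distributed firewall."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

PERIMETER = ip_network("10.0.0.0/16")      # constructed: the "inside" of the data center
# Constructed security groups; dFW rules are written against groups, not addresses.
GROUPS = {"web": {"10.0.1.10", "10.0.1.11"}, "app": {"10.0.2.10"}, "db": {"10.0.3.10"}}
Rule = Tuple[str, str, int]                # (source group or "any", destination group, port)
EDGE_RULES: List[Rule] = [("any", "web", 443)]   # the edge only ever sees north-south
DFW_RULES: List[Rule] = [("any", "web", 443), ("web", "app", 8080), ("app", "db", 5432)]

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

def group_of(ip: str) -> str:
    return next((g for g, members in GROUPS.items() if ip in members), "external")

def matches(rules: List[Rule], flow: Flow) -> bool:
    src_g, dst_g = group_of(flow.src), group_of(flow.dst)
    return any(rs in ("any", src_g) and rd == dst_g and port == flow.dport
               for rs, rd, port in rules)

def edge_verdict(flow: Flow) -> str:
    """A perimeter firewall is only on the path of flows that cross the perimeter."""
    if (ip_address(flow.src) in PERIMETER) == (ip_address(flow.dst) in PERIMETER):
        return "not inspected"             # east-west traffic never reaches the edge
    return "allow" if matches(EDGE_RULES, flow) else "deny"

def dfw_verdict(flow: Flow) -> str:
    """The dFW is enforced at every vNIC, so lateral flows are evaluated too; default deny."""
    return "allow" if matches(DFW_RULES, flow) else "deny"

def lateral_gaps(flows: List[Flow]) -> List[Flow]:
    """Flows the edge never inspects that the tier policy would deny: the lateral-movement gap."""
    return [f for f in flows if edge_verdict(f) == "not inspected" and dfw_verdict(f) == "deny"]

SAMPLE_FLOWS = [                          # constructed traffic
    Flow("203.0.113.5", "10.0.1.10", 443),    # Internet -> web tier: north-south
    Flow("10.0.1.10", "10.0.2.10", 8080),     # web -> app: intended east-west
    Flow("10.0.1.10", "10.0.3.10", 5432),     # web -> db directly: not in the tier policy
    Flow("10.0.1.10", "10.0.1.11", 22),       # web -> peer web: not in the tier policy
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src} -> {f.dst}:{f.dport}  edge={edge_verdict(f):14} dfw={dfw_verdict(f)}")
```

The two flows reported by lateral_gaps are exactly the east-west traffic a perimeter-only design never sees.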
20. Coalfire Benchmark Report
• Does VMware NSX functionally satisfy NIST recommendations?
• Are the precepts of micro-segmentation, as defined in the complete definition, satisfied conceptually and in testing by NSX?
• Can real-world threats be stopped by NSX in E-W and N-S, using industry-standard Penetration Testing tools?
21. Expanding Security to Scale with the Business
Columbia Sportswear continues to stay ahead of competitors and threats by combining advanced, automated security inside the data center.
“There just wasn’t a great way to insert security in order to address east-west traffic between VMs, nor have the security tied to the applications as they moved around dynamically.”
John Spiegel, Network Manager, Columbia Sportswear
23. Abstraction layer between infrastructure and apps
We call this the “Goldilocks Zone”. We can use this zone to transform endpoint detection and response.
Figure: AppDefense and NSX sit in the hypervisor on each host (VMware AppDefense).
24. Visibility and context into application lifecycle
Automated collection of intended state across the app lifecycle, inserting security into the DevOps process:
1. IT provisions a new app
2. AppDefense collects the intended state of the app
3. IT provisions a change to the app
4. AppDefense notes the change
Figure: AppDefense and NSX in the hypervisor on each host (VMware AppDefense).
25. Automated detection & response
Compare intended state against run-time state to detect deviations, then automate the response through vSphere and NSX:
• Quarantine
• Modify security policy
• Increase logging
1. Attacker compromises an app
2. AppDefense automatically responds
Figure: AppDefense and NSX in the hypervisor on each host (VMware AppDefense).
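An added example of the intended-state comparison the slide describes; it is not AppDefense code and does not use the AppDefense API. The manifest format, the process paths, the security-group names and the mapping of deviation kinds to the three response actions are all assumptions constructed for the illustration.

```python
"""Constructed model of AppDefense-style detection: intended state vs. run-time state."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Connection = Tuple[str, int]     # (destination security group, destination port)

# Constructed intended state, as if collected when IT provisioned the app: for each VM,
# every process the app legitimately runs and the connections that process may open.
INTENDED: Dict[str, Dict[str, Set[Connection]]] = {
    "web-01": {
        "/usr/sbin/nginx": {("app", 8080)},
        "/usr/bin/python3": {("app", 8080), ("logging", 514)},
    },
}

@dataclass(frozen=True)
class Observed:                  # one run-time observation reported from the hypervisor side
    vm: str
    process: str
    dst_group: str
    dport: int

@dataclass(frozen=True)
class Deviation:
    vm: str
    process: str
    kind: str                    # "unknown_process" or "unexpected_connection"
    actions: Tuple[str, ...]     # responses to automate through vSphere and NSX

def classify(obs: Observed) -> Optional[Deviation]:
    manifest = INTENDED.get(obs.vm, {})
    if obs.process not in manifest:
        # A binary the app never ran during its lifecycle: isolate the VM and keep evidence.
        return Deviation(obs.vm, obs.process, "unknown_process",
                         ("quarantine", "increase_logging"))
    if (obs.dst_group, obs.dport) not in manifest[obs.process]:
        # Known binary, new behaviour: tighten the VM's dFW policy and watch it closely.
        return Deviation(obs.vm, obs.process, "unexpected_connection",
                         ("modify_security_policy", "increase_logging"))
    return None                  # matches intended state

def detect(runtime: List[Observed]) -> List[Deviation]:
    return [d for d in map(classify, runtime) if d is not None]

RUNTIME = [                      # constructed run-time snapshot
    Observed("web-01", "/usr/sbin/nginx", "app", 8080),       # as provisioned
    Observed("web-01", "/usr/bin/python3", "db", 5432),       # known process, new destination
    Observed("web-01", "/tmp/unknown-bin", "external", 443),  # process absent from intended state
]

if __name__ == "__main__":
    for d in detect(RUNTIME):
        print(f"{d.vm}: {d.kind} by {d.process} -> {', '.join(d.actions)}")
```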
26. Isolation from attack surface
An isolated environment to monitor and control all endpoints; AppDefense itself is protected from attacks.
1. Attacker compromises an app
2. AppDefense is protected from the attack surface
Figure: AppDefense and NSX in the hypervisor on each host (VMware AppDefense).
27. “Simple works, especially in InfoSec…I can sleep easy at night knowing that when AppDefense detects a problem, it will respond automatically.”
Brad Doctor, Senior Director, Information Security, VMware
VMware’s Information Security team uses AppDefense in our SOC to protect the critical security systems that secure our business applications.
VMware Information Security – Case Study
Fulfilling our vision to empower people and organizations has made VMware the industry-leading virtualization software company.
More than 500,000 customers, from small and midsize companies to large enterprises—including 99 percent of Fortune 500 and 100 percent of Fortune Global 100 companies—use VMware technologies and services.
More than 55,000 partners, including technology and consulting partners, top distributors and resellers, and system vendors and integrators, help provide customers with freedom and choice.
Through the broadest set of cloud service provider partners—more than 10,000 of them—VMware is making the hybrid cloud a reality.
VMware stays close to customers with offices in more than 100 countries.
Innovation begins with the more than 13,000 VMware employees.
Let’s quickly look at how this advanced insertion works, using Palo Alto Networks as an example…
Panorama, the Palo Alto Networks management console, registers with the NSX Controller.
The Controller then distributes the Palo Alto Networks VM-Series application to each hypervisor in the SDDC virtualization layer.
Then, security policies are created and connected to the NSX firewall policies, and VMs are provisioned.
If the workload's policy requires the advanced feature set and deep packet inspection offered by the Palo Alto next-gen firewall, the NSX firewalling steers traffic into the Palo Alto Networks VM.
And, if the VMs move, the NSX platform automates moving the security policies with them.
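An added sketch of the insertion flow above, written for this page rather than taken from VMware or Palo Alto Networks: one partner service VM per hypervisor, a steering decision driven by the VM's own policy, and a move that carries the policy along. The tag names, host names and the rule that DPI is required are assumptions; real NSX keys redirection on security groups and service profiles rather than on a flat tag set.

```python
"""Constructed model of NSX partner service insertion: policy follows the VM, not the host."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed: security tags whose policy requires the partner next-gen firewall's DPI.
DPI_TAGS = {"internet-facing", "pci"}

@dataclass
class VM:
    name: str
    host: str
    tags: Set[str] = field(default_factory=set)

class ServiceInsertion:
    def __init__(self, hosts: List[str]) -> None:
        # Step 2 of the flow: the Controller distributes one partner service VM per hypervisor.
        self.partner_svm: Dict[str, str] = {h: f"vmseries-on-{h}" for h in hosts}
        self.vms: Dict[str, VM] = {}

    def provision(self, vm: VM) -> str:
        """Step 3: the VM is provisioned and picks up its steering decision from its tags."""
        if vm.host not in self.partner_svm:
            raise ValueError(f"no partner service VM deployed on {vm.host}")
        self.vms[vm.name] = vm
        return self.steer(vm.name)

    def steer(self, vm_name: str) -> str:
        """Step 4: the dFW steers traffic to the local partner VM only if policy asks for DPI."""
        vm = self.vms[vm_name]
        if vm.tags & DPI_TAGS:
            return self.partner_svm[vm.host]   # always the service VM on the VM's current host
        return "dfw-only"

    def vmotion(self, vm_name: str, new_host: str) -> str:
        """Step 5: the VM moves; its tags, and so its policy, travel with it."""
        if new_host not in self.partner_svm:
            raise ValueError(f"no partner service VM deployed on {new_host}")
        self.vms[vm_name].host = new_host
        return self.steer(vm_name)

if __name__ == "__main__":
    si = ServiceInsertion(["esx-01", "esx-02"])
    print(si.provision(VM("web-01", "esx-01", {"internet-facing"})))
    print(si.vmotion("web-01", "esx-02"))
```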
OBJECTIVES OF THIS COALFIRE NSX MICRO-AUDIT
VMware NSX-based micro-segmentation purports to meet all four of these recommendations. Coalfire Systems’ testing of the NSX product during this “micro-audit” intends to examine the form and function of NSX to determine the following:
Does VMware NSX functionally satisfy NIST SP 800-125B recommendations VM-FW-R1, VM-FW-R2, VM-FW-R3 and VM-FW-R4?
Are the precepts of micro-segmentation, as defined in the complete definition, satisfied conceptually and in testing by NSX?
Can real-world threats be stopped by NSX in E-W (peer transits on the L2 network) and N-S (network to network transits via L3), using industry-standard Penetration Testing tools?
Based on the determination of these three objectives, Coalfire will also render an opinion on the potential suitability of the VMware NSX product to deliver effective security controls to real-world legacy and emerging virtualized software-defined data centers.