VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational Efficiencies

1. NSX PCI Reference Architecture Workshop Session 3 - Operational Efficiencies Allen Shortnacy, VMware SEC5837 #SEC5837

2. 2 Operational Efficiencies

3. 3 About Operational Efficiencies  Cloud and SDDC have evolved from IT silos including security and compliance • ITSM, ITIL and other mature processes will need to evolve with the SDDC • Impact of network and storage virtualization siloes will require more bi-directional interaction from legacy infrastructure teams  Policies and Procedures regarding security and compliance will also change • Understanding how different solutions interact with the platform and each other to accommodate compliance becomes a must not just for design but also operations • Due to the nature of the SDDC, workloads under regulatory compliance become untethered from the physical topology but require coherent, near real time logging and correlation strategy to understand inter-layer impact of events  Building and revising SDDC architectures will become SDLC like • Opportunities to take out OPEX and operate at greater scale on the VI Admin/workload ratio are many and with demonstrable ROI • Will require some new skill sets like DevOps to automate APIs and generate new task oriented interfaces

4. 4 Security and Compliance Challenges in the SDDC Cumbersome Provisioning Complicated deployment and troubleshooting processes make it difficult to maintain service levels for security. Manual, Cross-Service Workflows Security and cloud admins volley back and forth to identify, assess, plan, implement security risks…a very inefficient process. Policy ≠ Operations Security and Compliance are roadblocks to cloud but expecting security architects to manage cloud operations is unrealistic and unfair. Architects design define policy. Operators implement. Security Architect ✔ ?

5. 5 5 Compliance Challenges: Many Systems - Dashboards of Wonder Vulnerability Mgmt System Antivirus System Firewall vCenter IDS System DLP System

6. 6 Four Steps to Gaining Operational Efficiencies in the SDDC  Define and Manage Partner Solutions from NSX Service Composer • Deploy and monitor partner solutions and their availability • Define parameters for inter-operating NSX and Partner Solutions • Create NSX and Partner Services Policies that can be re-used across trust zones  Leverage integration of NSX and Partner Solutions for Workflows • Creating common tags across NSX and Partner solutions allows for broader administrative activities formerly accomplished through error prone ‘swivel chair’  Discover SDDC processes that are manual but repeatable, with little variation • Leverage REST APIs and development toolkit such as Puppet, Chef or vCenter Orchestrator to automate tasks • Reduce ‘swivel chair’ operations across consoles providing greater scale or complete end to end automation with logging for utility computing approach  Abstract SDDC Security and Compliance Policies into self-service governance • Declare at deploy time the requirements for an application with regards to regulations

7. 7 Function  Service Composer enables creation of partner services  Service Composer templates provide reusable methods for distributed policy management Usage NSX Service Composer  Define Security Services  Define settings for services  Apply to new trust zones  Monitor for readiness Step 1: Managing NSX and Partner Solutions w/ Service Composer NSX and NSX Partner Solutions are integrated for deployment, initialization and definition of common parameters

8. vSphere and Partner console already deployed Install vShield Manager Install vShield Endpoint Register Endpoint with VC Add VC to Partner Console Install required drivers on hosts Deploy Partner SVA Activate Partner SVA Activate VMs Start managing security policies Challenge – Security Product Provisioning in Cloud Infrastructure • Remains Complex • Unclear Ownership • Lack of SLAs VI Admin Security Admin *vShield Endpoint example

9. 9 Troubleshooting Security Services Requires Considerable Back and Forth Between Virtual Admins and Security Admins  If a service goes down, where do you start with troubleshooting steps? Security solution or Virtualization solution?  What if there was a configuration change in the infrastructure that caused an outage? How could this change be determined?

10. 10 NSX Service Composer Provisioning Compute Management Gateway Host Prep  Install Kernel Modules - VXLAN, Distributed Router and Distributed FW  Simple One Click install per Cluster  All modules installed together 1 Logical Network Prep  Configure VTEP IP, MTU, Teaming per cluster  Create Transport Zones (Network Scope) 2 Deploy Controller  Simple UI in VSM deploys Controller OVF and configures it  No other configuration required!  Min 3-Node controller required for HA 3 Register Services  Log in!  Some services are pre- registered (Data Security, Identity, Trend Micro, Rapid 7, McAfee )  Register Symantec Antivirus Solution  Register Symantec IPS Solution 4 Deploy Services  Some services are pre- deployed (Data Security, Identity)  Deploy Symantec Antivirus solution 5 Partner Mgmt. Consoles Registered Troubleshooting Services  Power off or suspend data security VM  Observe failure message and root cause  Initiate ‘resolve’ (repair)  Observe progress and final status 6

11. 11 NSX Service Composer: Security Ready for Consumption Security Groups WHAT you want to protect Members: VM, vNIC, network (virtual/Logical Switch, physical), Distributed Virtual PG, cluster, data center, Resource Pool, vApp, other container, IP address, MAC Context: User identity, sensitive data, security posture HOW you want to protect it Services: Firewall, antivirus, intrusion prevention, vulnerability management and more. Profiles: Security policies from VMware and third-party solutions that are defined by the security architect but implemented by the cloud operator. APPLY

12. 12 Step 2 : Establish Workflow Integration between NSX and Partner NSX and Partner Solutions are integrate by APIs either by making direct calls to NSX or by setting machine metadata SG: Web Servers VSM F/W Services SG: Quarantine VSM F/W Services Function  Service Composer enables creation of ‘Tags’ for integrating Partner Solutions  NSX and Partner Solutions leverage one another Usage NSX Service Composer  Define Security Groups  Define Tags for dynamic inclusion in NSX Security Groups  Define Partner Solution Tags to be set

13. 13 Demo: Orchestrating Security Between Multiple Products

14. 14 Step 3: NSX RESTful Automation NSX provides REST APIs which means you can create, delete or manipulate NSX SDDC constructs with HTTP POST and GET Function  Identify repeatable NSX Provisioning or Config tasks  Determine target integration types and choose dev toolkit Usage NSX REST APIs  Unit test functionality with HTTP tools (curl, Firefox RESTclient)  Integrate into larger scope processes with vCenter Orchestrator, etc.

15. 15 Most Requested Deployment Models for Multi-Tiered Apps Multi-tiered app, Multiple networks Multi-tiered app, single network APP DATABASE WEB WEB APP DATABASE

16. 16 Most Requested Network and Security Services NSX provides built-in, logical networks and services to address the most common (and challenging) requests for cloud service automation. Firewall Networks (switches) Load Balancer Router

17. 17 Deployment Tools, Process, Best Practices Package Catalog Packaging Factory VMware Cloud Application Deployment Toolkit - Details Enterprise ISVs CustomersDeploy Factory (Managed Service Providers) 1. Packaging Factory A “factory” for producing reusable, Cloud-ready deployment packages for the most popular business apps 3. Deploy Factory A controller to download packages, provision secured deployment environment and orchestrate automated deployment of the application 2. Package Catalog Cloud based, access controlled repository to store application packages

18. 18 Deployment Tools, Process, Best Practices Package Catalog Packaging Factory How Does this Work – Packaging Factory Enterprise ISVs CustomersDeploy Factory (Managed Service Providers) vFabric Application Director Chef & VMware Studio Subversion Server Build Controller Application Blueprint Cookbook Node Template • Packaging factory infrastructure consists of subversion server, VMware Studio, vFabric Application Director and Chef Application• Application binaries remain unchanged • Deployment information is captured in various levels of details in application blue prints, node templates and deployment scripts (cook books)

19. 19 Deployment Tools, Process, Best Practices Package Catalog Packaging Factory How Does this Work – Package Catalog Enterprise ISVs CustomersDeploy Factory (Managed Service Providers) • An application package is uploaded to a cloud based repository • Service provider gets access to the repository using an access-controlled portal • Application package is downloaded into service provider’s cloud

20. 20 Deployment Tools, Process, Best Practices Package Catalog Packaging Factory How Does this Work – Deploy Factory Enterprise ISVs CustomersDeploy Factory (Managed Service Providers) vFabric Application Director vCloud Director VMware Studio & Chef Deployment Controller vApp • Deploy Factory infrastructure consists of vCloud Director, vFabric Application Director, VMware Studio, Chef and Deployment Controller Virtual Network • (Optional) Create private network to place application into • vApp(s) are deployed in the target environment • Application is installed via Application Blueprints • Each node is configured using Chef VM VM VM

21. 21 Demo: RESTful Automation of NSX Edge Deployment

22. 22 Step 4: Use NSX Automation in Self-Service Provisioning NSX metadata exposed in vCAC Self-Service Catalog allows for declarative binding of network and services policies such as Firewall Request 3-tiered app Request network and services Function  vCloud Automation Center self- service provisioning  NSX dynamic policy profile inclusion Usage vCloud Automation Center  New workload request  Bind to NSX Networks and Services

23. 23 vCloud Automation Center Policy Management Business Groups B A C USERS A C B A Authentication & Role-Based Authorization Authorized Users Resource Reservations Cost Profile A Tier 1 Public Physical Virtual Shared Infrastructure Service Blueprints A Requisition Cost Profile Provision Manage Retire Public Physical Virtual C B B A B A C BA

24. 24 vCloud Automation Center Extensibility Spectrum Flexibility without Complexity

25. 25 Where We Are Today Create On- Demand Leverage Existing Infrastructure APP DATABASE WEB Requires customization Pre-Created, Logical Networks Apps can be spun up on-demand using logical networks that have already been created. Creating logical networks in advance is still more agile than provisioning physical networks. APP DATABASEWEB

26. 26 Where We Are Today Create On- Demand Leverage Existing Infrastructure APP DATABASE WEB Requires customization Networks Explicitly Assigned App blueprints may require networks with NAT, routed, or private connectivity. Admin must directly specify network information. APP DATABASEWEB NAT Network A.B.C.#X.Y.Z.# Routed Network A.B.C.# A.B.C.#

27. 27 Where We Are Today Create On- Demand Leverage Existing Infrastructure Requires customization Pre-created, Firewall Rules Apps can be added to existing security groups. APP DATABASE WEB WEB APP DATABASE

28. 28 Where We Are Today Create On- Demand Leverage Existing Infrastructure Requires customization Pre-created, Load Balancer Pool Apps can be added to existing load balancer pools. APP DATABASE WEB WEB APP DATABASEServices Edge (Load Balancer) Services Edge (Load Balancer)

29. 29 Discovery of vCNS Resources and Policies VM VM VM VM VM VM VM VM VM Resources Policies ► Clone Templates ► Customization Spec. ► Host/Host Clusters ► CPU, Memory, Storage, ► Networking vCNS Manager VXLANs ► Security Groups► VXLANs ► Load Balancers PoliciesResources Managed Endpoint VMware vCenter Add a vCNS Manager address and credentials to a vSphere (vCenter) Endpoint definition

30. 30 Reserving vCNS Resources for Each Group • VXLANs appear as network paths in resource reservations • Security Groups, Load Balancers − Can be specified as custom properties on the reservation or on the blueprint VXLANs can be reserved by Provisioning Group

31. 31 Configuring Service Blueprints to Leverage vCNS VCAC Blueprint Custom Properties define the Load Balancer and Security Groups, that will be associated with the Machine being provisioned.

32. 32 Future Direction Create On- Demand Leverage Existing Infrastructure APP DATABASE WEB WEB APP DATABASE Services Edge (Load Balancer) Requires customization Services Edge (Load Balancer) Cloud Automation + Network Virtualization Spin up and tear down logical networks and services as needed, to deliver application infrastructure on-demand.

33. 33 Future Direction Create On- Demand Leverage Existing Infrastructure Requires customization On-Demand Networks Multi-machine blueprints can create new VMs and place them on networks created on-demand using NSX (or vCloud Networking and Security). These networks can be torn down once app lease times are up. APP DATABASE WEB WEB APP DATABASE Logical Router Logical Router

34. 34 Future Direction Create On- Demand Leverage Existing Infrastructure Requires customization Network Profiles Take the guesswork out of requesting networks (IP addressing, connectivity) by PRIVATE NAT ROUTED

35. 35 Future Direction Create On- Demand Leverage Existing Infrastructure Requires customization On-Demand Load Balancer Blueprint admins or power users can create new load balancer services using new or existing Edge gateways. APP DATABASE WEB WEB APP DATABASEServices Edge (Load Balancer) Services Edge (Load Balancer)

36. 36 Firewall Rules Multi Network Model Use security group to isolate entire app, virtual firewall to control traffic between tiers. Flat Network Model Use security groups to isolate entire app and app tiers, virtual firewall to control all traffic. Distributed Virtual Firewall Distributed Virtual Firewall App firewall rules are consumed by placing workloads in existing security groups. NSX security administrator should pre-create these groups with necessary firewall rules.

37. 37 Summary – Value Achieved via Operational Efficiencies  Single interface to manage deployment and enablement of NSX and Partner Solutions taking out many manual steps previously required • Automates not only previously manual steps but also error prone handoff between roles  NSX Service Composer to design and plan for orchestration of events and actions by integrating NSX and Partner Solutions via ‘Tags’ • Rather than pivot between interfaces to respond to events NSX Service Composer and Partner Solutions integrate to leverage one another in a prescribed manner  NSX RESTful APIs enable automation of repeatable tasks taking out OPEX • Can be part of a larger orchestration or put into a workflow set of task oriented screens  vCloud Automation Center provides policy driven governance and entitlement • Attach required policies to vCAC provisioning process by leveraging NSX Networks and NSX Services by assigning ‘Tags’ to deployed workloads That which can be Automated can be Easily Measured!

38. 38 VMworld: Security and Compliance Sessions Category Topic NSX • 5318: NSX Security Solutions In Action (201) • 5753: Dog Fooding NSX at VMware IT (201) • 5828: Datacenter Transformation (201) • 5582: Network Virtualization across Multiple Data Centers (201) NSX Firewall • 5893: Economies of the NSX Distributed Firewall (101) • 5755: NSX Next Generation Firewalls (201) • 5891: Build a Collapsed DMZ Architecture (301) • 5894: NSX Distributed Firewall (301) NSX Service Composer • 5749: Introducing NSX Service Composer (101) • 5750: NSX Automating Security Operations Workflows (201) • 5889: Troubleshooting and Monitoring NSX Service Composer (301) Compliance • 5428: Compliance Reference Architecture Framework Overview (101) • 5624: Accelerate Deployments – Compliance Reference Architecture (Customer Panel) (201) • 5253: Streamlining Compliance (201) • 5775: Segmentation (301) • 5820: Privileged User Control (301) • 5837: Operational Efficiencies (301) Other • 5589: Healthcare Customer Case Study: Maintaining PCI, HIPAA and HITECH Compliance in Virtualized Infrastructure (Catbird – Jefferson radiology) • 5178: Motivations and Solution Components for enabling Trusted Geolocation in the Cloud - A Panel discussion on NIST Reference Architecture (IR 7904). (Intel and HyTrust) • 5546: Insider Threat: Best Practices and Risk Mitigation techniques that your VMware based IaaS provider better be doing! (Intel)

39. 39 For More Information…  VMware Collateral  VMware Approach to Compliance  VMware Solution Guide for PCI  VMware Architecture Design Guide for PCI  VMware QSA Validated Reference Architecture PCI  Partner Collateral  VMware Partner Solution Guides for PCI How to Engage?  compliance-solutions@vmware.com  @VMW_Compliance on Twitter

41. THANK YOU

42. NSX PCI Reference Architecture Workshop Session 3 - Operational Efficiencies Allen Shortnacy, VMware SEC5837 #SEC5837

VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational Efficiencies

VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational Efficiencies

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente(20)

Destacado

Destacado(20)

Similar a VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational Efficiencies

Similar a VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational Efficiencies(20)

Más de VMworld

Más de VMworld(20)

Último

Último(20)

VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational Efficiencies