VMworld 2013 Allen Shortnacy, VMware Learn more about VMworld and register at http://www.vmworld.com/index.jspa?src=socmed-vmworld-slideshare

1. NSX PCI Reference Architecture Workshop Session 3
- Operational Efficiencies
Allen Shortnacy, VMware
SEC5837
#SEC5837

2. 2
Operational Efficiencies

3. 3
About Operational Efficiencies
 Cloud and SDDC have evolved from IT silos including security and compliance
• ITSM, ITIL and other mature processes will need to evolve with the SDDC
• Impact of network and storage virtualization siloes will require more bi-directional
interaction from legacy infrastructure teams
 Policies and Procedures regarding security and compliance will also change
• Understanding how different solutions interact with the platform and each other to
accommodate compliance becomes a must not just for design but also operations
• Due to the nature of the SDDC, workloads under regulatory compliance become
untethered from the physical topology but require coherent, near real time logging and
correlation strategy to understand inter-layer impact of events
 Building and revising SDDC architectures will become SDLC like
• Opportunities to take out OPEX and operate at greater scale on the VI Admin/workload
ratio are many and with demonstrable ROI
• Will require some new skill sets like DevOps to automate APIs and generate new task
oriented interfaces

4. 4
Security and Compliance Challenges in the SDDC
Cumbersome Provisioning
Complicated deployment and
troubleshooting processes make it difficult
to maintain service levels for security.
Manual, Cross-Service Workflows
Security and cloud admins volley back and
forth to identify, assess, plan, implement
security risks…a very inefficient process.
Policy ≠ Operations
Security and Compliance are roadblocks to
cloud but expecting security architects to
manage cloud operations is unrealistic and
unfair. Architects design define policy.
Operators implement.
Security
Architect
✔ ?

5. 5
5
Compliance Challenges: Many Systems - Dashboards of Wonder
Vulnerability
Mgmt System
Antivirus
System
Firewall
vCenter
IDS System
DLP System

6. 6
Four Steps to Gaining Operational Efficiencies in the SDDC
 Define and Manage Partner Solutions from NSX Service Composer
• Deploy and monitor partner solutions and their availability
• Define parameters for inter-operating NSX and Partner Solutions
• Create NSX and Partner Services Policies that can be re-used across trust zones
 Leverage integration of NSX and Partner Solutions for Workflows
• Creating common tags across NSX and Partner solutions allows for broader
administrative activities formerly accomplished through error prone ‘swivel chair’
 Discover SDDC processes that are manual but repeatable, with little variation
• Leverage REST APIs and development toolkit such as Puppet, Chef or vCenter
Orchestrator to automate tasks
• Reduce ‘swivel chair’ operations across consoles providing greater scale or complete
end to end automation with logging for utility computing approach
 Abstract SDDC Security and Compliance Policies into self-service governance
• Declare at deploy time the requirements for an application with regards to regulations

7. 7
Function
 Service Composer enables
creation of partner services
 Service Composer templates
provide reusable methods for
distributed policy management
Usage
NSX Service Composer
 Define Security Services
 Define settings for services
 Apply to new trust zones
 Monitor for readiness
Step 1: Managing NSX and Partner Solutions w/ Service Composer
NSX and NSX Partner Solutions are integrated for deployment,
initialization and definition of common parameters

8. vSphere and
Partner console
already
deployed
Install
vShield
Manager
Install
vShield
Endpoint
Register
Endpoint
with VC
Add VC
to Partner
Console
Install
required
drivers on
hosts
Deploy
Partner
SVA
Activate
Partner
SVA
Activate
VMs
Start
managing
security
policies
Challenge – Security Product Provisioning in Cloud Infrastructure
• Remains Complex
• Unclear Ownership
• Lack of SLAs
VI Admin Security
Admin
*vShield Endpoint example

9. 9
Troubleshooting Security Services Requires Considerable Back
and Forth Between Virtual Admins and Security Admins
 If a service goes down, where do
you start with troubleshooting
steps? Security solution or
Virtualization solution?
 What if there was a configuration
change in the infrastructure that
caused an outage? How could this
change be determined?

10. 10
NSX Service Composer Provisioning
Compute Management Gateway
Host Prep
 Install Kernel Modules -
VXLAN, Distributed
Router and Distributed
FW
 Simple One Click install
per Cluster
 All modules installed
together
1
Logical Network Prep
 Configure VTEP IP, MTU,
Teaming per cluster
 Create Transport Zones
(Network Scope)
2
Deploy Controller
 Simple UI in VSM deploys
Controller OVF and
configures it
 No other configuration
required!
 Min 3-Node controller
required for HA
3
Register Services
 Log in!
 Some services are pre-
registered (Data Security,
Identity, Trend Micro,
Rapid 7, McAfee )
 Register Symantec
Antivirus Solution
 Register Symantec IPS
Solution
4
Deploy Services
 Some services are pre-
deployed (Data Security,
Identity)
 Deploy Symantec
Antivirus solution
5
Partner Mgmt.
Consoles
Registered
Troubleshooting Services
 Power off or suspend data
security VM
 Observe failure message
and root cause
 Initiate ‘resolve’ (repair)
 Observe progress and
final status
6

11. 11
NSX Service Composer: Security Ready for Consumption
Security Groups
WHAT you want to
protect
Members: VM, vNIC, network
(virtual/Logical Switch, physical),
Distributed Virtual PG, cluster, data
center, Resource Pool, vApp, other
container, IP address, MAC
Context: User identity, sensitive
data, security posture
HOW you want to
protect it
Services: Firewall, antivirus,
intrusion prevention, vulnerability
management and more.
Profiles: Security policies from
VMware and third-party solutions
that are defined by the security
architect but implemented by the
cloud operator.
APPLY

12. 12
Step 2 : Establish Workflow Integration between NSX and Partner
NSX and Partner Solutions are integrate by APIs either by making
direct calls to NSX or by setting machine metadata
SG: Web Servers
VSM F/W
Services
SG: Quarantine
VSM F/W
Services
Function
 Service Composer enables
creation of ‘Tags’ for integrating
Partner Solutions
 NSX and Partner Solutions
leverage one another
Usage
NSX Service Composer
 Define Security Groups
 Define Tags for dynamic
inclusion in NSX Security
Groups
 Define Partner Solution Tags to
be set

13. 13
Demo: Orchestrating Security Between Multiple Products

14. 14
Step 3: NSX RESTful Automation
NSX provides REST APIs which means you can create, delete or
manipulate NSX SDDC constructs with HTTP POST and GET
Function
 Identify repeatable NSX
Provisioning or Config tasks
 Determine target integration
types and choose dev toolkit
Usage
NSX REST APIs
 Unit test functionality with HTTP
tools (curl, Firefox RESTclient)
 Integrate into larger scope
processes with vCenter
Orchestrator, etc.

15. 15
Most Requested Deployment Models for Multi-Tiered Apps
Multi-tiered app,
Multiple networks
Multi-tiered app,
single network
APP
DATABASE
WEB
WEB APP DATABASE

16. 16
Most Requested Network and Security Services
NSX provides built-in, logical networks and services to
address the most common (and challenging) requests for
cloud service automation.
Firewall
Networks
(switches)
Load Balancer Router

17. 17
Deployment Tools, Process, Best Practices
Package
Catalog
Packaging
Factory
VMware Cloud Application Deployment Toolkit - Details
Enterprise
ISVs
CustomersDeploy Factory
(Managed
Service Providers)
1. Packaging Factory
A “factory” for producing
reusable, Cloud-ready
deployment packages for the
most popular business apps
3. Deploy Factory
A controller to download
packages, provision secured
deployment environment and
orchestrate automated
deployment of the application
2. Package Catalog
Cloud based, access
controlled repository to store
application packages

18. 18
Deployment Tools, Process, Best Practices
Package
Catalog
Packaging
Factory
How Does this Work – Packaging Factory
Enterprise
ISVs
CustomersDeploy Factory
(Managed
Service Providers)
vFabric Application Director
Chef & VMware Studio
Subversion Server
Build Controller
Application Blueprint
Cookbook
Node Template
• Packaging factory infrastructure
consists of subversion server,
VMware Studio, vFabric
Application Director and Chef
Application• Application binaries remain
unchanged
• Deployment information is
captured in various levels of
details in application blue prints,
node templates and deployment
scripts (cook books)

19. 19
Deployment Tools, Process, Best Practices
Package
Catalog
Packaging
Factory
How Does this Work – Package Catalog
Enterprise
ISVs
CustomersDeploy Factory
(Managed
Service Providers)
• An application package is
uploaded to a cloud based
repository
• Service provider gets access
to the repository using an
access-controlled portal
• Application package is
downloaded into service
provider’s cloud

20. 20
Deployment Tools, Process, Best Practices
Package
Catalog
Packaging
Factory
How Does this Work – Deploy Factory
Enterprise
ISVs
CustomersDeploy Factory
(Managed
Service Providers)
vFabric Application Director
vCloud Director
VMware Studio & Chef
Deployment Controller
vApp
• Deploy Factory infrastructure
consists of vCloud Director, vFabric
Application Director, VMware Studio,
Chef and Deployment Controller
Virtual Network
• (Optional) Create private network
to place application into
• vApp(s) are deployed in the target
environment
• Application is installed via
Application Blueprints
• Each node is configured using Chef
VM VM VM

21. 21
Demo: RESTful Automation of NSX Edge Deployment

22. 22
Step 4: Use NSX Automation in Self-Service Provisioning
NSX metadata exposed in vCAC Self-Service Catalog allows for
declarative binding of network and services policies such as Firewall
Request 3-tiered app
Request network and services
Function
 vCloud Automation Center self-
service provisioning
 NSX dynamic policy profile
inclusion
Usage
vCloud Automation Center
 New workload request
 Bind to NSX Networks and
Services

23. 23
vCloud Automation Center Policy Management
Business
Groups
B
A
C
USERS
A
C
B
A
Authentication &
Role-Based
Authorization
Authorized
Users
Resource
Reservations
Cost Profile
A
Tier 1
Public
Physical
Virtual
Shared Infrastructure
Service
Blueprints
A
Requisition
Cost Profile
Provision
Manage
Retire
Public
Physical
Virtual
C
B
B
A
B
A
C
BA

24. 24
vCloud Automation Center Extensibility Spectrum
Flexibility without Complexity

25. 25
Where We Are Today
Create On-
Demand
Leverage Existing
Infrastructure
APP
DATABASE
WEB
Requires
customization
Pre-Created, Logical Networks
Apps can be spun up on-demand using logical networks that have already been
created. Creating logical networks in advance is still more agile than
provisioning physical networks.
APP DATABASEWEB

26. 26
Where We Are Today
Create On-
Demand
Leverage Existing
Infrastructure
APP
DATABASE
WEB
Requires
customization
Networks Explicitly Assigned
App blueprints may require networks with NAT, routed, or private connectivity.
Admin must directly specify network information.
APP DATABASEWEB
NAT
Network
A.B.C.#X.Y.Z.#
Routed
Network A.B.C.#
A.B.C.#

27. 27
Where We Are Today
Create On-
Demand
Leverage Existing
Infrastructure
Requires
customization
Pre-created, Firewall Rules
Apps can be added to existing security groups.
APP
DATABASE
WEB
WEB
APP DATABASE

28. 28
Where We Are Today
Create On-
Demand
Leverage Existing
Infrastructure
Requires
customization
Pre-created, Load Balancer Pool
Apps can be added to existing load balancer pools.
APP
DATABASE
WEB WEB
APP DATABASEServices
Edge
(Load Balancer)
Services
Edge
(Load Balancer)

29. 29
Discovery of vCNS Resources and Policies
VM VM VM
VM VM VM
VM
VM VM
Resources Policies
► Clone Templates
► Customization Spec.
► Host/Host Clusters
► CPU, Memory, Storage,
► Networking
vCNS
Manager VXLANs
► Security Groups► VXLANs
► Load Balancers
PoliciesResources
Managed
Endpoint
VMware
vCenter
Add a vCNS Manager address and
credentials to a vSphere (vCenter)
Endpoint definition

30. 30
Reserving vCNS Resources for Each Group
• VXLANs appear as
network paths
in resource reservations
• Security Groups, Load
Balancers
− Can be specified as custom
properties on the reservation
or on the blueprint
VXLANs can be reserved by
Provisioning Group

31. 31
Configuring Service Blueprints to Leverage vCNS
VCAC Blueprint Custom Properties define the
Load Balancer and Security Groups, that will be associated
with the Machine being provisioned.

32. 32
Future Direction
Create On-
Demand
Leverage Existing
Infrastructure
APP
DATABASE
WEB
WEB
APP DATABASE
Services
Edge
(Load Balancer)
Requires
customization
Services
Edge
(Load Balancer)
Cloud Automation + Network Virtualization
Spin up and tear down logical networks and services as needed, to deliver
application infrastructure on-demand.

33. 33
Future Direction
Create On-
Demand
Leverage Existing
Infrastructure
Requires
customization
On-Demand Networks
Multi-machine blueprints can create new VMs and place them on networks
created on-demand using NSX (or vCloud Networking and Security). These
networks can be torn down once app lease times are up.
APP
DATABASE
WEB
WEB APP DATABASE
Logical
Router
Logical
Router

34. 34
Future Direction
Create On-
Demand
Leverage Existing
Infrastructure
Requires
customization
Network Profiles
Take the guesswork out of requesting networks (IP addressing, connectivity) by
PRIVATE
NAT
ROUTED

35. 35
Future Direction
Create On-
Demand
Leverage Existing
Infrastructure
Requires
customization
On-Demand Load Balancer
Blueprint admins or power users can create new load balancer services using
new or existing Edge gateways.
APP
DATABASE
WEB WEB
APP DATABASEServices
Edge
(Load Balancer)
Services
Edge
(Load Balancer)

36. 36
Firewall Rules
Multi Network Model
Use security group to isolate entire app,
virtual firewall to control traffic between tiers.
Flat Network Model
Use security groups to isolate entire app and
app tiers, virtual firewall to control all traffic.
Distributed
Virtual
Firewall
Distributed
Virtual
Firewall
App firewall rules are consumed by placing workloads in existing security
groups. NSX security administrator should pre-create these groups with
necessary firewall rules.

37. 37
Summary – Value Achieved via Operational Efficiencies
 Single interface to manage deployment and enablement of NSX and Partner
Solutions taking out many manual steps previously required
• Automates not only previously manual steps but also error prone handoff between roles
 NSX Service Composer to design and plan for orchestration of events and
actions by integrating NSX and Partner Solutions via ‘Tags’
• Rather than pivot between interfaces to respond to events NSX Service Composer and
Partner Solutions integrate to leverage one another in a prescribed manner
 NSX RESTful APIs enable automation of repeatable tasks taking out OPEX
• Can be part of a larger orchestration or put into a workflow set of task oriented screens
 vCloud Automation Center provides policy driven governance and entitlement
• Attach required policies to vCAC provisioning process by leveraging NSX Networks and
NSX Services by assigning ‘Tags’ to deployed workloads
That which can be Automated can be Easily Measured!

38. 38
VMworld: Security and Compliance Sessions
Category Topic
NSX
• 5318: NSX Security Solutions In Action (201)
• 5753: Dog Fooding NSX at VMware IT (201)
• 5828: Datacenter Transformation (201)
• 5582: Network Virtualization across Multiple Data Centers (201)
NSX Firewall
• 5893: Economies of the NSX Distributed Firewall (101)
• 5755: NSX Next Generation Firewalls (201)
• 5891: Build a Collapsed DMZ Architecture (301)
• 5894: NSX Distributed Firewall (301)
NSX Service
Composer
• 5749: Introducing NSX Service Composer (101)
• 5750: NSX Automating Security Operations Workflows (201)
• 5889: Troubleshooting and Monitoring NSX Service Composer (301)
Compliance
• 5428: Compliance Reference Architecture Framework Overview (101)
• 5624: Accelerate Deployments – Compliance Reference Architecture (Customer Panel) (201)
• 5253: Streamlining Compliance (201)
• 5775: Segmentation (301)
• 5820: Privileged User Control (301)
• 5837: Operational Efficiencies (301)
Other
• 5589: Healthcare Customer Case Study: Maintaining PCI, HIPAA and HITECH Compliance in
Virtualized Infrastructure (Catbird – Jefferson radiology)
• 5178: Motivations and Solution Components for enabling Trusted Geolocation in the Cloud - A
Panel discussion on NIST Reference Architecture (IR 7904). (Intel and HyTrust)
• 5546: Insider Threat: Best Practices and Risk Mitigation techniques that your VMware based
IaaS provider better be doing! (Intel)

39. 39
For More Information…
 VMware Collateral
 VMware Approach to Compliance
 VMware Solution Guide for PCI
 VMware Architecture Design Guide for PCI
 VMware QSA Validated Reference Architecture PCI
 Partner Collateral
 VMware Partner Solution Guides for PCI
How to Engage?
 compliance-solutions@vmware.com
 @VMW_Compliance on Twitter

41. THANK YOU

42. NSX PCI Reference Architecture Workshop Session 3
- Operational Efficiencies
Allen Shortnacy, VMware
SEC5837
#SEC5837