• Advanced grouping capabilities in vShield App allow even more sophisticated policies to be managed with ease
• Layer 2 protection coupled with APIs enables automatic quarantining of compromised VMs
• vShield Data Security provides knowledge of protected data across cloud environments and lowers the cost of compliance by helping define scope
• Enterprise roles in vShield Manager provide the separation of duties required by security and compliance standards
2. Enterprise Security today – not virtualized, not cloud ready
[Diagram: Enterprise VDC with Users, Sites, DMZ, Web Servers and Apps / DB Tier]
Perimeter/DMZ
• Firewall, VPN
• Load balancers
• Challenges: Sprawl: hardware, FW rules, VLANs; Blind spots: inter-VM traffic
Interior security
• VLAN or subnet based policies
• Challenges: Sprawl: VLANs, hardware, FW rules
Endpoint security
• AV, DLP agent based security
• Challenges: Sprawl: agents in all VMs – drain resources; Risk: agents in guest VMs – not hardened
3. vShield 5.0
Securing the Private Cloud End to End: from the Edge to the Endpoint
vShield Edge
• Secure the edge of the virtual datacenter
vShield App with Data Security
• Create segmentation between silos of workloads
• Sensitive Data Discovery
vShield Endpoint
• Offload anti-virus processing (Endpoint = VM)
vShield Manager
• Centralized Management
[Diagram: Edge, Security Zone, DMZ, Application 1, Application 2]
4. vShield Edge 5.0
Overview
• Provides common edge security services around a virtual datacenter. Example uses:
  • Extranets
  • Multi-tenant cloud environments
[Diagram: Tenant A, Tenant C and Tenant X, each behind a vShield Edge Secure Virtual Appliance providing Firewall, Load balancer and VPN]
5. vShield Edge 5.0
Primary functionality
• Stateful inspection firewall
• Dynamic Host Configuration Protocol (DHCP)
• Site to site VPN
• (NEW) Static Routing
Management features
• REST APIs for scripting
• Logging of activity
[Diagram: Tenant A, Tenant C and Tenant X, each behind a vShield Edge Secure Virtual Appliance providing Firewall, Load balancer and VPN]
6. vShield Edge 5.0
Benefits
• Reduce cost and complexity
  • Centralized management for all protected environments
  • Eliminates need for multiple special-purpose appliances
• Increased agility for cloud environments
  • Enables rapid provisioning of edge services
  • Ability to automate and integrate into overall provisioning and management workflow
[Diagram: Tenant A, Tenant C and Tenant X, each behind a vShield Edge Secure Virtual Appliance providing Firewall, Load balancer and VPN]
7. vShield App 5.0
Overview
• vShield App: virtualization-built firewall featuring
  • VM-level enforcement
  • Intuitive business language policy
  • Robust flow monitoring
  • Logging and auditing
  • REST API
8. vShield App Design
Hypervisor-Level App Firewall
• Inbound/outbound connection control enforced at the virtual NIC level
• Dynamic protection as virtual machines migrate
• Protects at Layer 3 and Layer 2
[Diagram: vShield App on each ESXi host under vSphere, managed by vShield Manager through vSphere Client and vCenter Server]
9. vShield App Group-based Policies
[Diagram: Security Groups (Web Group, DB Group) spanning the Finance, HR and Marketing web and database VMs; policy objects also include Internet, MAC Set, IP Set and Resource Pools]
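The group-based policy model on this slide and the Layer 2 quarantine mentioned in the opening summary, as an added Python example (not vShield code; the rule format, selector names and sample VMs are constructed assumptions). It shows why three rules can cover every web/db pair in every department, and why quarantining by MAC overrides group membership:

```python
from dataclasses import dataclass
from typing import Dict, List, Set

@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    mac: str
    groups: frozenset  # security-group membership, e.g. {"web", "finance"}

@dataclass(frozen=True)
class Rule:
    src: str     # "any", a group name, "ipset:<name>" or "macset:<name>"
    dst: str
    port: int    # 0 = any port
    action: str  # "allow" or "deny"

class GroupFirewall:
    """First-match evaluation over group / IP set / MAC set selectors; default deny."""
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.ip_sets: Dict[str, Set[str]] = {}
        self.mac_sets: Dict[str, Set[str]] = {"quarantine": set()}

    def _matches(self, sel: str, vm: VM) -> bool:
        if sel == "any":
            return True
        if sel.startswith("ipset:"):
            return vm.ip in self.ip_sets.get(sel[len("ipset:"):], set())
        if sel.startswith("macset:"):
            return vm.mac in self.mac_sets.get(sel[len("macset:"):], set())
        return sel in vm.groups  # plain selector = security group name

    def decide(self, src: VM, dst: VM, port: int) -> str:
        for r in self.rules:
            if r.port in (0, port) and self._matches(r.src, src) and self._matches(r.dst, dst):
                return r.action
        return "deny"  # nothing matched: implicit deny at the vNIC

    def quarantine(self, vm: VM) -> None:
        """Layer 2 quarantine: the vNIC MAC joins a set matched by the top deny rules."""
        self.mac_sets["quarantine"].add(vm.mac)

# Constructed sample policy: quarantine first, then one web->db rule for all departments.
POLICY = GroupFirewall([
    Rule("macset:quarantine", "any", 0, "deny"),
    Rule("any", "macset:quarantine", 0, "deny"),
    Rule("web", "db", 3306, "allow"),
])
WEB_FIN = VM("web-fin-01", "10.1.1.10", "00:50:56:00:00:01", frozenset({"web", "finance"}))
DB_FIN = VM("db-fin-01", "10.1.1.20", "00:50:56:00:00:02", frozenset({"db", "finance"}))
WEB_MKT = VM("web-mkt-07", "10.3.1.10", "00:50:56:00:00:07", frozenset({"web", "marketing"}))
```

Adding a new web VM only means putting it in the web group; the rule table is untouched, which is the "fewer misconfiguration mistakes" point made later in the deck.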
10. vShield App 5.0
Benefits
• Complete visibility and control of inter-VM traffic
• Enables multiple trust zones on the same ESX cluster
• Ability to audit traffic for compliance and security
• Fewer misconfiguration mistakes, lower operating overhead by eliminating
  • VLAN trunking
  • Complex rules management
• Ability to automate and integrate into overall provisioning and management workflow
11. vShield Data Security (vSDS)
Overview
• Discover and report sensitive data across virtual machines
• Scans occur continuously, transparent to the virtual machine
[Diagram: Cloud Infrastructure (vSphere, vCenter, vShield, vCloud Director)]
12. vShield Data Security (vSDS)
Select from many industry, local, and international policies
14. vShield Data Security (vSDS)
Benefits
• Reduces risk of non-compliance with automated scans, rapid assessment and reporting
• Improve performance by offloading data discovery functions to a virtual appliance
[Diagram: Cloud Infrastructure (vSphere, vCenter, vShield, vCloud Director)]
16. vShield Endpoint
Overview
• Offload file activity to Security VM
• Enforce remediation using driver in VM
• Security VM provided by best-of-breed AV partners: Trend Micro, others
Benefits
• Improve VM performance by eliminating anti-virus storms
• Reduce risk by eliminating agents susceptible to attacks