Implementing Agentless AV and IPS/IDS Security Solutions with NSX
Hammad Alam, VMware
Shahzad Ali, VMware
SEC8022 #SEC8022
Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
Agenda
1 Securing the SDDC
2 Guest Introspection for Agentless AV
3 Network Introspection for IPS/IDS
4 Demo
5 Key Takeaways / Q&A
SDDC_Security_Shahzad_Hammad
Secure SDDC Blueprint
Building blocks, as stacked on the slide:
• Operationalization
• Automation
• Policy - the common language across the three enforcement technologies below
• Network Introspection (NI)
• Distributed Firewall (DFW)
• Guest Introspection (GI)
• Application (the workload being protected)
Tying the Technologies Together
Figure (reconstructed from the slide): on each ESXi hypervisor a guest VM (OS, APP, vNIC, VMware Tools) attaches to the VDS. Numbered components:
1. NSX Manager, which distributes policy to the hosts
2. Guest Introspection (GI), delivered by a GI service VM (SVM) on the host
3. Distributed Firewall (DFW), enforced at the vNIC in the hypervisor kernel
4. Network Introspection (NI), delivered by an NI service VM (SVM) on the host
GI, NI and DFW are the three enforcement points; policy ties them together.
Policy - The Common Language
Guest Introspection
Protecting the data and integrity of the VM
NSX-GI Components
• The GI service continuously inspects OS and application data in the guest.
• GI offloads file-scanning tasks from the guest VM to a GI service VM (SVM) running on the same ESXi host, so the guest carries no full AV engine.
• Path from guest to SVM (from the slide): thin agent in VMware Tools → VMCI → MUX on the ESXi host → IP → GI service VM. "Agentless" therefore means no third-party AV agent in the guest; the thin driver that ships with VMware Tools must still be installed and running, which is the first thing to check when a VM is not being scanned.
• GI native capabilities:
  • Activity Monitoring (application-level monitoring)
  • Identity Firewall (IDFW): security group membership derived from AD groups, e.g. a VDI security group
• Why move AV out of the guest: OS and applications are prone to malware, and in-guest AV agents are themselves hackable and resource intensive.
Implementation: NSX GI (recorded demo)
Implementation: Partner Integration (demo)
Automated Security in a Software Defined Data Center
Quarantine vulnerable systems until remediated

Security Group = Quarantine
  Members = {Tag = 'ANTI_VIRUS.VirusFound'}  (dynamic membership: the partner AV service applies the security tag, NSX moves the VM into the group)
  Policy = {L2 isolated network, scan + remediate}

Policy Definition
Security Group = VDI-VMs
  VDI Security Policy
  • Anti-Virus – Scan
Security Group = Quarantine
  Quarantined Security Policy
  • Firewall – Block all except security tools
  • Anti-Virus – Scan and remediate

A tagged VDI desktop is a member of both groups at once, so the Quarantined policy must rank above the VDI policy for its block rule to take effect; clearing the tag after remediation drops the VM out of Quarantine and back under the VDI policy alone.
Implementation: Security Groups and Security Policy (VOD)
Distributed Firewall
Line-rate, stateful L2-L4 firewall

Distributed Firewall (DFW)
• Line rate (20+ Gbps)
• Stateful
• Enforcement at both ingress and egress of the vNIC
• L2-L4
• Packet capturing
• Monitoring
• Traffic between a VM and the vSwitch always transits the firewall kernel module, including traffic between two VMs on the same host that never reaches a physical switch

Figure (reconstructed from the slide): NSX Manager pushes firewall rules over the message bus on the management network to each ESXi host; the rules arrive in user space and are programmed into the rule table of the firewall kernel module, which sits between every vNIC and the vSwitch (and from there the physical switch).
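The quarantine policy from the Automated Security slide and the DFW enforcement it relies on, as an added example. This is not code from the deck or from NSX; it is a local Python model of the Service Composer semantics the slides use (dynamic group membership on the ANTI_VIRUS.VirusFound security tag, one security policy per group, the higher-weight policy evaluated first, and a block-all-except-security-tools firewall rule). The group name SecurityTools, the VM and service names and the default-allow fallback are assumptions:

```python
"""Tag-driven quarantine, modelled locally.

Constructed example (not VMware/NSX code): it mirrors the Service Composer
semantics the slides rely on -- security groups with dynamic membership on a
security tag, security policies applied to groups, higher-weight policy
evaluated first -- so the effective firewall decision for a VM can be reasoned
about before the policy is pushed to NSX Manager.  Names other than the tag
are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

QUARANTINE_TAG = "ANTI_VIRUS.VirusFound"   # tag the partner AV SVM sets on an infected VM
SECURITY_TOOLS = "SecurityTools"           # assumed static group: AV manager / remediation servers


@dataclass
class VM:
    name: str
    static_groups: set = field(default_factory=set)   # e.g. {"VDI-VMs"}
    tags: set = field(default_factory=set)


@dataclass
class SecurityGroup:
    name: str
    tag: Optional[str] = None   # dynamic criterion "VM.SECURITY_TAG contains <tag>"; None = static

    def contains(self, vm: VM) -> bool:
        return self.tag in vm.tags if self.tag else self.name in vm.static_groups


@dataclass
class Rule:
    action: str                        # "allow" or "block"
    peer_group: Optional[str] = None   # None matches any peer
    service: Optional[str] = None      # None matches any service

    def matches(self, peer_groups: set, service: str) -> bool:
        return ((self.peer_group is None or self.peer_group in peer_groups)
                and (self.service is None or self.service == service))


@dataclass
class Policy:
    name: str
    applied_to: str   # security group the policy is applied to
    weight: int       # Service Composer precedence: higher weight first
    firewall: list    # ordered Rule list
    anti_virus: str   # "scan" or "scan+remediate"


def groups_of(vm: VM, groups: list) -> set:
    """Dynamic membership: a VM joins Quarantine the moment it carries the tag."""
    return {g.name for g in groups if g.contains(vm)}


def policies_for(vm: VM, groups: list, policies: list) -> list:
    mine = groups_of(vm, groups)
    return sorted((p for p in policies if p.applied_to in mine), key=lambda p: -p.weight)


def decide(vm: VM, peer: VM, service: str, groups: list, policies: list) -> tuple:
    """First matching rule across the VM's policies, in weight order, wins.
    No match falls through to the DFW default rule, assumed here to be allow."""
    peer_groups = groups_of(peer, groups)
    for policy in policies_for(vm, groups, policies):
        for rule in policy.firewall:
            if rule.matches(peer_groups, service):
                return rule.action, policy.name
    return "allow", "default"


def quarantine_scenario() -> dict:
    """Walk one VDI desktop through infection and remediation."""
    groups = [SecurityGroup("VDI-VMs"), SecurityGroup(SECURITY_TOOLS),
              SecurityGroup("Quarantine", tag=QUARANTINE_TAG)]
    policies = [
        Policy("VDI Security Policy", "VDI-VMs", weight=1000, firewall=[], anti_virus="scan"),
        Policy("Quarantined Security Policy", "Quarantine", weight=5000,
               firewall=[Rule("allow", peer_group=SECURITY_TOOLS),   # remediation traffic only
                         Rule("block")],                              # everything else
               anti_virus="scan+remediate"),
    ]
    desktop = VM("vdi-desktop-07", static_groups={"VDI-VMs"})
    share = VM("file-server-01", static_groups={"Servers"})
    av_mgr = VM("av-manager-01", static_groups={SECURITY_TOOLS})

    result = {"clean": decide(desktop, share, "SMB", groups, policies)}
    desktop.tags.add(QUARANTINE_TAG)            # partner AV found malware and tagged the VM
    result["infected_groups"] = groups_of(desktop, groups)
    result["infected_to_share"] = decide(desktop, share, "SMB", groups, policies)
    result["infected_to_av"] = decide(desktop, av_mgr, "HTTPS", groups, policies)
    result["av_actions"] = [p.anti_virus for p in policies_for(desktop, groups, policies)]
    desktop.tags.discard(QUARANTINE_TAG)        # remediation finished, tag cleared
    result["remediated"] = decide(desktop, share, "SMB", groups, policies)
    return result


if __name__ == "__main__":
    for key, value in quarantine_scenario().items():
        print(f"{key}: {value}")
```

Running it walks the desktop through the three states: clean, its only policy is the VDI scan policy and SMB to the file server falls through to default allow; tagged, it sits in VDI-VMs and Quarantine at once, SMB is blocked and only HTTPS to the AV manager passes while both AV actions apply; with the tag cleared it is back under the VDI policy alone. In this model swapping the two weights changes nothing because the VDI policy has no firewall rules, but give the VDI policy an allow-all rule and the swapped weights silently defeat the quarantine: that ordering is the thing to verify in Service Composer before trusting the demo.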
Adding DFW to Security Policy (demo)
Implementation: Quarantine Group and Policy (demo)
Network Introspection
Host-based deep packet inspection

NSX-NI Components
Figure (reconstructed from the slide): NSX Manager talks to vCenter and to the partner management console over TCP/443, and reaches the ESXi hosts over the TCP/5671 message bus. On each ESXi host the guest VM (OS, APP, vNIC) attaches to the VDS, and the partner service VM (SVM) that performs the inspection runs on the same host, so inspected traffic never has to leave the hypervisor to reach the IPS/IDS engine.
Packet Flow with DFW and NetX
Figure (reconstructed from the slide): a packet leaving the VM's vNIC enters the ESXi kernel, where the DFW applies its rules and a separate redirect rule table decides whether the packet is punted out of the kernel to the partner service VM (SVM) running in the ESXi user world; after the partner's verdict the packet continues to the VDS. Every punt is a kernel-to-user-world hop, so redirect rules should be scoped to the flows the partner service actually needs to see rather than to all traffic.
Policy: Bringing the Technologies Together
Policy is the common language across NI, DFW and GI, applied to the application.

End-to-End Demo in Action
Automation & Operations

Security Integrated and Automated Application Deployment
• Accelerate workload deployment
• Avoid risk from human errors
• Compliance and auditability

Figure (reconstructed from the slide): an application request in the CMP (vRealize Automation with vRealize Orchestrator) drives both networking and security provisioning through the NSX API; the workload is placed into security groups, and the security policies applied to those groups give automated security enforcement.
Operations, Monitoring and Troubleshooting
NSX Native: Traceflow, Central CLI, IPFIX, Activity Monitoring, Flow Monitoring, NetFlow, Syslog, Port Mirroring
VMware Products: vSphere native tools, vRealize Log Insight, vRealize Network Insight, Infrastructure Navigator
Partner Products: partner-native tools, Gigamon, Tufin, AlgoSec, Splunk
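Detection over the DFW packet logs that the Syslog path feeds into vRealize Log Insight or Splunk, as an added example that is not part of the deck and not VMware code. The sample lines are constructed in the documented layout of NSX for vSphere dfwpktlogs records, reproduced from memory (timestamp, host, dfwpktlogs:, instance, INET match, action, rule id, direction, length, protocol, src/port->dst/port, TCP flags); verify the field order against your own hosts' logs before relying on the regex. The quarantined address 10.10.20.15 and the security-tools address 10.10.99.10 are assumptions:

```python
"""Detection over DFW packet logs.

Constructed example, not VMware code.  SAMPLE_LOG is made up, in the layout of
NSX for vSphere dfwpktlogs syslog records as reproduced from memory; check the
field order against real logs from your version.  The quarantined VM address
and the security-tools address are assumptions.
"""
import re
from collections import Counter, defaultdict

DFW_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) dfwpktlogs: (?P<inst>\d+) INET match "
    r"(?P<action>PASS|DROP|REJECT) (?P<rule>\S+) (?P<dir>IN|OUT) (?P<len>\d+) "
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+)"
    r"(?: (?P<flags>\S+))?$"
)

# Constructed sample: a quarantined desktop (10.10.20.15) keeps probing a file
# server and DNS while only its traffic to the AV manager (10.10.99.10) passes.
SAMPLE_LOG = """\
2016-08-30T10:15:02.101Z esx-01 dfwpktlogs: 1022 INET match PASS domain-c7/1014 OUT 60 TCP 10.10.20.15/49812->10.10.99.10/443 S
2016-08-30T10:15:02.340Z esx-01 dfwpktlogs: 1022 INET match DROP domain-c7/1015 OUT 60 TCP 10.10.20.15/49813->10.10.30.5/445 S
2016-08-30T10:15:03.002Z esx-01 dfwpktlogs: 1022 INET match DROP domain-c7/1015 OUT 60 TCP 10.10.20.15/49814->10.10.30.5/445 S
2016-08-30T10:15:03.115Z esx-01 dfwpktlogs: 1022 INET match DROP domain-c7/1015 OUT 48 UDP 10.10.20.15/53012->10.10.30.6/53
2016-08-30T10:15:04.777Z esx-02 dfwpktlogs: 2048 INET match PASS domain-c7/1001 IN 60 TCP 10.10.20.22/51000->10.10.30.5/445 S
2016-08-30T10:15:05.000Z esx-02 vmkernel: unrelated line that must be ignored
"""


def parse_line(line: str):
    """Return the record fields as a dict, or None for lines that are not match records."""
    m = DFW_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("inst", "len", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def parse_log(text: str) -> list:
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def drops_by_source(records: list) -> Counter:
    """Drop count per source address: a quarantined VM that keeps trying to talk
    shows up here first, which is the pivot to search on in Log Insight or Splunk."""
    return Counter(r["src"] for r in records if r["action"] == "DROP")


def quarantine_escape_attempts(records: list, quarantined: set, allowed_dst: set) -> dict:
    """Outbound flows from quarantined VMs to anything other than the security tools.
    DROPs here are the expected noise of an infected host; a PASS means the
    quarantine policy is weaker than intended and needs fixing."""
    findings = defaultdict(list)
    for r in records:
        if r["src"] in quarantined and r["dir"] == "OUT" and r["dst"] not in allowed_dst:
            findings[r["src"]].append((r["action"], r["dst"], r["dport"], r["rule"]))
    return dict(findings)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(drops_by_source(recs))
    print(quarantine_escape_attempts(recs, {"10.10.20.15"}, {"10.10.99.10"}))
```

On the sample the quarantined desktop accounts for all three drops, all of them against rule domain-c7/1015, and no PASS to a non-tools destination appears, which is what a correctly ranked quarantine policy looks like in the logs; the unrelated vmkernel line and the clean desktop's inbound PASS are ignored or left alone.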
Key Takeaways
The secure SDDC blueprint: the application protected by Guest Introspection (GI), Distributed Firewall (DFW) and Network Introspection (NI), tied together by policy as the common language, then automated and operationalized.

Q&A
NSX partner ecosystem
Dynamic insertion of partner services across four areas: Physical Infrastructure, Security, Application Delivery, Operations and Visibility.
Where to get started

Learn: Connect & Engage
• communities.vmware.com
• NSX Product Page & Technical Resources: vmware.com/products/nsx
• Network Virtualization Blog: blogs.vmware.com/networkvirtualization
• VMware NSX on YouTube: youtube.com/user/vmwarensx

Experience
• 70+ unique NSX sessions: spotlights, breakouts, quick talks & group discussions
• Visit the VMware booth: use-case demos, chat with NSX experts
• Visit NSX technical partner booths: integration demos (EPSec & NetX, hardware VTEP, ops & visibility)
• Test-drive NSX with free Hands-on Labs, expert-led or self-paced: labs.hol.vmware.com

Use: NSX Proactive Support Service
Optimize performance based on data monitoring and analytics to help resolve problems, mitigate risk and improve operational efficiency. vmware.com/consulting

Take: Training and Certification
Several paths to professional certifications. Learn more at the Education & Certification Lounge. vmware.com/go/nsxtraining
SEC8022_Securing_SDDC_NSX_Hammad_Shahzad

More Related Content

What's hot

NSX for vSphere Logical Routing Deep Dive
NSX for vSphere Logical Routing Deep DiveNSX for vSphere Logical Routing Deep Dive
NSX for vSphere Logical Routing Deep DivePooja Patel
 
NSX Reference Design version 3.0
NSX Reference Design version 3.0NSX Reference Design version 3.0
NSX Reference Design version 3.0Doddi Priyambodo
 
VMworld Europe 2014: Advanced Network Services with NSX
VMworld Europe 2014: Advanced Network Services with NSXVMworld Europe 2014: Advanced Network Services with NSX
VMworld Europe 2014: Advanced Network Services with NSXVMworld
 
VMworld 2015: VMware NSX Deep Dive
VMworld 2015: VMware NSX Deep DiveVMworld 2015: VMware NSX Deep Dive
VMworld 2015: VMware NSX Deep DiveVMworld
 
VMworld 2013: Technical Deep Dive: Build a Collapsed DMZ Architecture for Opt...
VMworld 2013: Technical Deep Dive: Build a Collapsed DMZ Architecture for Opt...VMworld 2013: Technical Deep Dive: Build a Collapsed DMZ Architecture for Opt...
VMworld 2013: Technical Deep Dive: Build a Collapsed DMZ Architecture for Opt...VMworld
 
VMworld 2013: Virtualized Network Services Model with VMware NSX
VMworld 2013: Virtualized Network Services Model with VMware NSX VMworld 2013: Virtualized Network Services Model with VMware NSX
VMworld 2013: Virtualized Network Services Model with VMware NSX VMworld
 
The Vision for the Future of Network Virtualization with VMware NSX
The Vision for the Future of Network Virtualization with VMware  NSXThe Vision for the Future of Network Virtualization with VMware  NSX
The Vision for the Future of Network Virtualization with VMware NSXScott Lowe
 
VMware NSX primer 2014
VMware NSX primer 2014VMware NSX primer 2014
VMware NSX primer 2014Sanjay Basu
 
vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distribu...
vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distribu...vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distribu...
vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distribu...VMworld
 
VMworld 2013: vSphere Distributed Switch – Design and Best Practices
VMworld 2013: vSphere Distributed Switch – Design and Best Practices VMworld 2013: vSphere Distributed Switch – Design and Best Practices
VMworld 2013: vSphere Distributed Switch – Design and Best Practices VMworld
 
VMworld 2014: Virtualize your Network with VMware NSX
VMworld 2014: Virtualize your Network with VMware NSXVMworld 2014: Virtualize your Network with VMware NSX
VMworld 2014: Virtualize your Network with VMware NSXVMworld
 
VMworld 2013: Bringing Network Virtualization to VMware Environments with NSX
VMworld 2013: Bringing Network Virtualization to VMware Environments with NSX VMworld 2013: Bringing Network Virtualization to VMware Environments with NSX
VMworld 2013: Bringing Network Virtualization to VMware Environments with NSX VMworld
 
VMworld 2013: NSX PCI Reference Architecture Workshop Session 2 - Privileged ...
VMworld 2013: NSX PCI Reference Architecture Workshop Session 2 - Privileged ...VMworld 2013: NSX PCI Reference Architecture Workshop Session 2 - Privileged ...
VMworld 2013: NSX PCI Reference Architecture Workshop Session 2 - Privileged ...VMworld
 
VMworld 2014: Introduction to NSX
VMworld 2014: Introduction to NSXVMworld 2014: Introduction to NSX
VMworld 2014: Introduction to NSXVMworld
 
VMworld 2013: Advanced VMware NSX Architecture
VMworld 2013: Advanced VMware NSX Architecture VMworld 2013: Advanced VMware NSX Architecture
VMworld 2013: Advanced VMware NSX Architecture VMworld
 
VMUGbe 21 Filip Verloy
VMUGbe 21 Filip VerloyVMUGbe 21 Filip Verloy
VMUGbe 21 Filip VerloyFilip Verloy
 
VMworld 2013: Operational Best Practices for NSX in VMware Environments
VMworld 2013: Operational Best Practices for NSX in VMware Environments VMworld 2013: Operational Best Practices for NSX in VMware Environments
VMworld 2013: Operational Best Practices for NSX in VMware Environments VMworld
 
VMworld 2016: Migrating from a hardware based firewall to NSX to improve perf...
VMworld 2016: Migrating from a hardware based firewall to NSX to improve perf...VMworld 2016: Migrating from a hardware based firewall to NSX to improve perf...
VMworld 2016: Migrating from a hardware based firewall to NSX to improve perf...VMworld
 

What's hot (20)

NSX for vSphere Logical Routing Deep Dive
NSX for vSphere Logical Routing Deep DiveNSX for vSphere Logical Routing Deep Dive
NSX for vSphere Logical Routing Deep Dive
 
NSX Reference Design version 3.0
NSX Reference Design version 3.0NSX Reference Design version 3.0
NSX Reference Design version 3.0
 
VMworld Europe 2014: Advanced Network Services with NSX
VMworld Europe 2014: Advanced Network Services with NSXVMworld Europe 2014: Advanced Network Services with NSX
VMworld Europe 2014: Advanced Network Services with NSX
 
VMworld 2015: VMware NSX Deep Dive
VMworld 2015: VMware NSX Deep DiveVMworld 2015: VMware NSX Deep Dive
VMworld 2015: VMware NSX Deep Dive
 
VMworld 2013: Technical Deep Dive: Build a Collapsed DMZ Architecture for Opt...
VMworld 2013: Technical Deep Dive: Build a Collapsed DMZ Architecture for Opt...VMworld 2013: Technical Deep Dive: Build a Collapsed DMZ Architecture for Opt...
VMworld 2013: Technical Deep Dive: Build a Collapsed DMZ Architecture for Opt...
 
VMworld 2013: Virtualized Network Services Model with VMware NSX
VMworld 2013: Virtualized Network Services Model with VMware NSX VMworld 2013: Virtualized Network Services Model with VMware NSX
VMworld 2013: Virtualized Network Services Model with VMware NSX
 
The Vision for the Future of Network Virtualization with VMware NSX
The Vision for the Future of Network Virtualization with VMware  NSXThe Vision for the Future of Network Virtualization with VMware  NSX
The Vision for the Future of Network Virtualization with VMware NSX
 
VMware NSX primer 2014
VMware NSX primer 2014VMware NSX primer 2014
VMware NSX primer 2014
 
vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distribu...
vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distribu...vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distribu...
vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distribu...
 
VMworld 2013: vSphere Distributed Switch – Design and Best Practices
VMworld 2013: vSphere Distributed Switch – Design and Best Practices VMworld 2013: vSphere Distributed Switch – Design and Best Practices
VMworld 2013: vSphere Distributed Switch – Design and Best Practices
 
VMworld 2014: Virtualize your Network with VMware NSX
VMworld 2014: Virtualize your Network with VMware NSXVMworld 2014: Virtualize your Network with VMware NSX
VMworld 2014: Virtualize your Network with VMware NSX
 
VMworld 2013: Bringing Network Virtualization to VMware Environments with NSX
VMworld 2013: Bringing Network Virtualization to VMware Environments with NSX VMworld 2013: Bringing Network Virtualization to VMware Environments with NSX
VMworld 2013: Bringing Network Virtualization to VMware Environments with NSX
 
VMworld 2013: NSX PCI Reference Architecture Workshop Session 2 - Privileged ...
VMworld 2013: NSX PCI Reference Architecture Workshop Session 2 - Privileged ...VMworld 2013: NSX PCI Reference Architecture Workshop Session 2 - Privileged ...
VMworld 2013: NSX PCI Reference Architecture Workshop Session 2 - Privileged ...
 
nsx overview with use cases 1.0
nsx overview with use cases 1.0nsx overview with use cases 1.0
nsx overview with use cases 1.0
 
VMworld 2014: Introduction to NSX
VMworld 2014: Introduction to NSXVMworld 2014: Introduction to NSX
VMworld 2014: Introduction to NSX
 
VMworld 2013: Advanced VMware NSX Architecture
VMworld 2013: Advanced VMware NSX Architecture VMworld 2013: Advanced VMware NSX Architecture
VMworld 2013: Advanced VMware NSX Architecture
 
VMUGbe 21 Filip Verloy
VMUGbe 21 Filip VerloyVMUGbe 21 Filip Verloy
VMUGbe 21 Filip Verloy
 
NSX-MH
NSX-MHNSX-MH
NSX-MH
 
VMworld 2013: Operational Best Practices for NSX in VMware Environments
VMworld 2013: Operational Best Practices for NSX in VMware Environments VMworld 2013: Operational Best Practices for NSX in VMware Environments
VMworld 2013: Operational Best Practices for NSX in VMware Environments
 
VMworld 2016: Migrating from a hardware based firewall to NSX to improve perf...
VMworld 2016: Migrating from a hardware based firewall to NSX to improve perf...VMworld 2016: Migrating from a hardware based firewall to NSX to improve perf...
VMworld 2016: Migrating from a hardware based firewall to NSX to improve perf...
 

Viewers also liked

Nsx security deep dive
Nsx security deep diveNsx security deep dive
Nsx security deep divesolarisyougood
 
VMworld 2016: Advanced Network Services with NSX
VMworld 2016: Advanced Network Services with NSXVMworld 2016: Advanced Network Services with NSX
VMworld 2016: Advanced Network Services with NSXVMworld
 
Lynne McCarthy Arbor Networks TMS cert
Lynne McCarthy Arbor Networks TMS certLynne McCarthy Arbor Networks TMS cert
Lynne McCarthy Arbor Networks TMS certLynne McCarthy
 
2.13.14 v mware software defined data center (sddc) in 2014 slide deck
2.13.14 v mware software defined data center (sddc) in 2014 slide deck2.13.14 v mware software defined data center (sddc) in 2014 slide deck
2.13.14 v mware software defined data center (sddc) in 2014 slide deckMcOWLMarketing
 
VMworld 2013: SDDC is Here and Now: A Success Story
VMworld 2013: SDDC is Here and Now: A Success Story VMworld 2013: SDDC is Here and Now: A Success Story
VMworld 2013: SDDC is Here and Now: A Success Story VMworld
 
VMworld 2013: NSX Security Solutions In Action - Deploying, Troubleshooting, ...
VMworld 2013: NSX Security Solutions In Action - Deploying, Troubleshooting, ...VMworld 2013: NSX Security Solutions In Action - Deploying, Troubleshooting, ...
VMworld 2013: NSX Security Solutions In Action - Deploying, Troubleshooting, ...VMworld
 
AFDC_Cyber2016_SponsorInfo
AFDC_Cyber2016_SponsorInfoAFDC_Cyber2016_SponsorInfo
AFDC_Cyber2016_SponsorInfoDavid Simpson
 
Setting the Foundation for Data Center Virtualization
Setting the Foundation for Data Center Virtualization Setting the Foundation for Data Center Virtualization
Setting the Foundation for Data Center Virtualization Cisco Canada
 
The Foundation of the Software Defined Data Center
The Foundation of the Software Defined Data CenterThe Foundation of the Software Defined Data Center
The Foundation of the Software Defined Data CenterArraya Solutions
 
Benefits and Winners - HyTrust 2016 Cloud and SDDC Study
Benefits and Winners - HyTrust 2016 Cloud and SDDC StudyBenefits and Winners - HyTrust 2016 Cloud and SDDC Study
Benefits and Winners - HyTrust 2016 Cloud and SDDC StudyJason Lackey
 
VMworld 2015: Container Orchestration with the SDDC
VMworld 2015: Container Orchestration with the SDDCVMworld 2015: Container Orchestration with the SDDC
VMworld 2015: Container Orchestration with the SDDCVMworld
 
Development on Cloud,PaaS and SDDC
Development on Cloud,PaaS and SDDCDevelopment on Cloud,PaaS and SDDC
Development on Cloud,PaaS and SDDCseungdon Choi
 
Whitepaper: Software Defined Data Center – An Implementation view - Happiest ...
Whitepaper: Software Defined Data Center – An Implementation view - Happiest ...Whitepaper: Software Defined Data Center – An Implementation view - Happiest ...
Whitepaper: Software Defined Data Center – An Implementation view - Happiest ...Happiest Minds Technologies
 
SDDC Study: SDDC Goes Mainstream
SDDC Study: SDDC Goes MainstreamSDDC Study: SDDC Goes Mainstream
SDDC Study: SDDC Goes MainstreamJason Lackey
 
VMworld 2013: VMware Compliance Reference Architecture Framework Overview
VMworld 2013: VMware Compliance Reference Architecture Framework Overview VMworld 2013: VMware Compliance Reference Architecture Framework Overview
VMworld 2013: VMware Compliance Reference Architecture Framework Overview VMworld
 
もう一つのHCI VxRackとVBlock
もう一つのHCI VxRackとVBlockもう一つのHCI VxRackとVBlock
もう一つのHCI VxRackとVBlockGaku Takahashi
 
VMworld 2016 Recap
VMworld 2016 RecapVMworld 2016 Recap
VMworld 2016 RecapKevin Groat
 
Self service it with v realizeautomation and nsx
Self service it with v realizeautomation and nsxSelf service it with v realizeautomation and nsx
Self service it with v realizeautomation and nsxsolarisyougood
 

Viewers also liked (20)

Nsx security deep dive
Nsx security deep diveNsx security deep dive
Nsx security deep dive
 
VMworld 2016: Advanced Network Services with NSX
VMworld 2016: Advanced Network Services with NSXVMworld 2016: Advanced Network Services with NSX
VMworld 2016: Advanced Network Services with NSX
 
Lynne McCarthy Arbor Networks TMS cert
Lynne McCarthy Arbor Networks TMS certLynne McCarthy Arbor Networks TMS cert
Lynne McCarthy Arbor Networks TMS cert
 
2.13.14 v mware software defined data center (sddc) in 2014 slide deck
2.13.14 v mware software defined data center (sddc) in 2014 slide deck2.13.14 v mware software defined data center (sddc) in 2014 slide deck
2.13.14 v mware software defined data center (sddc) in 2014 slide deck
 
VMworld 2013: SDDC is Here and Now: A Success Story
VMworld 2013: SDDC is Here and Now: A Success Story VMworld 2013: SDDC is Here and Now: A Success Story
VMworld 2013: SDDC is Here and Now: A Success Story
 
Nov. 19th meeting ppt.
Nov. 19th meeting ppt.Nov. 19th meeting ppt.
Nov. 19th meeting ppt.
 
VMworld 2013: NSX Security Solutions In Action - Deploying, Troubleshooting, ...
VMworld 2013: NSX Security Solutions In Action - Deploying, Troubleshooting, ...VMworld 2013: NSX Security Solutions In Action - Deploying, Troubleshooting, ...
VMworld 2013: NSX Security Solutions In Action - Deploying, Troubleshooting, ...
 
AFDC_Cyber2016_SponsorInfo
AFDC_Cyber2016_SponsorInfoAFDC_Cyber2016_SponsorInfo
AFDC_Cyber2016_SponsorInfo
 
Setting the Foundation for Data Center Virtualization
Setting the Foundation for Data Center Virtualization Setting the Foundation for Data Center Virtualization
Setting the Foundation for Data Center Virtualization
 
The Foundation of the Software Defined Data Center
The Foundation of the Software Defined Data CenterThe Foundation of the Software Defined Data Center
The Foundation of the Software Defined Data Center
 
Benefits and Winners - HyTrust 2016 Cloud and SDDC Study
Benefits and Winners - HyTrust 2016 Cloud and SDDC StudyBenefits and Winners - HyTrust 2016 Cloud and SDDC Study
Benefits and Winners - HyTrust 2016 Cloud and SDDC Study
 
VMworld 2015: Container Orchestration with the SDDC
VMworld 2015: Container Orchestration with the SDDCVMworld 2015: Container Orchestration with the SDDC
VMworld 2015: Container Orchestration with the SDDC
 
SDDC
SDDCSDDC
SDDC
 
Development on Cloud,PaaS and SDDC
Development on Cloud,PaaS and SDDCDevelopment on Cloud,PaaS and SDDC
Development on Cloud,PaaS and SDDC
 
Whitepaper: Software Defined Data Center – An Implementation view - Happiest ...
Whitepaper: Software Defined Data Center – An Implementation view - Happiest ...Whitepaper: Software Defined Data Center – An Implementation view - Happiest ...
Whitepaper: Software Defined Data Center – An Implementation view - Happiest ...
 
SDDC Study: SDDC Goes Mainstream
SDDC Study: SDDC Goes MainstreamSDDC Study: SDDC Goes Mainstream
SDDC Study: SDDC Goes Mainstream
 
VMworld 2013: VMware Compliance Reference Architecture Framework Overview
VMworld 2013: VMware Compliance Reference Architecture Framework Overview VMworld 2013: VMware Compliance Reference Architecture Framework Overview
VMworld 2013: VMware Compliance Reference Architecture Framework Overview
 
もう一つのHCI VxRackとVBlock
もう一つのHCI VxRackとVBlockもう一つのHCI VxRackとVBlock
もう一つのHCI VxRackとVBlock
 
VMworld 2016 Recap
VMworld 2016 RecapVMworld 2016 Recap
VMworld 2016 Recap
 
Self service it with v realizeautomation and nsx
Self service it with v realizeautomation and nsxSelf service it with v realizeautomation and nsx
Self service it with v realizeautomation and nsx
 

Similar to SEC8022_Securing_SDDC_NSX_Hammad_Shahzad

Reston Virtualization Group 9-18-2014
Reston Virtualization Group 9-18-2014 Reston Virtualization Group 9-18-2014
Reston Virtualization Group 9-18-2014 VMwareJenn
 
VMworld 2014: vCloud Hybrid Service Networking Technical Deep Dive
VMworld 2014: vCloud Hybrid Service Networking Technical Deep DiveVMworld 2014: vCloud Hybrid Service Networking Technical Deep Dive
VMworld 2014: vCloud Hybrid Service Networking Technical Deep DiveVMworld
 
GAMO VMware vCloud Air
GAMO VMware vCloud AirGAMO VMware vCloud Air
GAMO VMware vCloud AirGAMO a.s.
 
Simplifying the secure data center
Simplifying the secure data centerSimplifying the secure data center
Simplifying the secure data centerCisco Canada
 
VMware NSX for vSphere - Intro and use cases
VMware NSX for vSphere - Intro and use casesVMware NSX for vSphere - Intro and use cases
VMware NSX for vSphere - Intro and use casesAngel Villar Garea
 
VMware vShield - Overview
VMware vShield - OverviewVMware vShield - Overview
VMware vShield - OverviewIrsandi Hasan
 
Andy Kennedy - Scottish VMUG April 2016
Andy Kennedy - Scottish VMUG April 2016Andy Kennedy - Scottish VMUG April 2016
Andy Kennedy - Scottish VMUG April 2016Andy Kennedy
 
VMworld 2015: VMware NSX Deep Dive
VMworld 2015: VMware NSX Deep DiveVMworld 2015: VMware NSX Deep Dive
VMworld 2015: VMware NSX Deep DiveVMworld
 
VMware-vShield-Presentation-pp-en-Dec10.pptx
VMware-vShield-Presentation-pp-en-Dec10.pptxVMware-vShield-Presentation-pp-en-Dec10.pptx
VMware-vShield-Presentation-pp-en-Dec10.pptxAbasse KPEGOUNI
 
VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational...
VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational...VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational...
VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational...VMworld
 
VMworld 2013: NSX PCI Reference Architecture Workshop Session 1 - Segmentation
VMworld 2013: NSX PCI Reference Architecture Workshop Session 1 - SegmentationVMworld 2013: NSX PCI Reference Architecture Workshop Session 1 - Segmentation
VMworld 2013: NSX PCI Reference Architecture Workshop Session 1 - SegmentationVMworld
 
VMware overview presentation by alamgir hossain
VMware overview presentation by alamgir hossainVMware overview presentation by alamgir hossain
VMware overview presentation by alamgir hossainALAMGIR HOSSAIN
 
Thinking about SDN and whether it is the right approach for your organization?
Thinking about SDN and whether it is the right approach for your organization?Thinking about SDN and whether it is the right approach for your organization?
Thinking about SDN and whether it is the right approach for your organization?Cisco Canada
 
IaaS with Software Defined Networking
IaaS with Software Defined NetworkingIaaS with Software Defined Networking
IaaS with Software Defined NetworkingPrasenjit Sarkar
 
Vmug 2017 Guido Frabotti
Vmug 2017 Guido FrabottiVmug 2017 Guido Frabotti
Vmug 2017 Guido FrabottiVMUG IT
 
Cisco Evolving virtual switching to applications & cloud
Cisco Evolving virtual switching to applications & cloudCisco Evolving virtual switching to applications & cloud
Cisco Evolving virtual switching to applications & cloudsolarisyougood
 
OVHcloud Hosted Private Cloud Platform Network use cases with VMware NSX
OVHcloud Hosted Private Cloud Platform Network use cases with VMware NSXOVHcloud Hosted Private Cloud Platform Network use cases with VMware NSX
OVHcloud Hosted Private Cloud Platform Network use cases with VMware NSXOVHcloud
 
f5_synthesis_cisco_connect.pdf
f5_synthesis_cisco_connect.pdff5_synthesis_cisco_connect.pdf
f5_synthesis_cisco_connect.pdfGrigoryShkolnik1
 
VMworld 2013: Case Study: VMware vCloud Ecosystem Framework for Network and S...
VMworld 2013: Case Study: VMware vCloud Ecosystem Framework for Network and S...VMworld 2013: Case Study: VMware vCloud Ecosystem Framework for Network and S...
VMworld 2013: Case Study: VMware vCloud Ecosystem Framework for Network and S...VMworld
 
Fortinet & VMware integration
Fortinet & VMware integrationFortinet & VMware integration
Fortinet & VMware integrationVMUG IT
 

Similar to SEC8022_Securing_SDDC_NSX_Hammad_Shahzad (20)

Reston Virtualization Group 9-18-2014
Reston Virtualization Group 9-18-2014 Reston Virtualization Group 9-18-2014
Reston Virtualization Group 9-18-2014
 
VMworld 2014: vCloud Hybrid Service Networking Technical Deep Dive
VMworld 2014: vCloud Hybrid Service Networking Technical Deep DiveVMworld 2014: vCloud Hybrid Service Networking Technical Deep Dive
VMworld 2014: vCloud Hybrid Service Networking Technical Deep Dive
 
GAMO VMware vCloud Air
GAMO VMware vCloud AirGAMO VMware vCloud Air
GAMO VMware vCloud Air
 
Simplifying the secure data center
Simplifying the secure data centerSimplifying the secure data center
Simplifying the secure data center
 
VMware NSX for vSphere - Intro and use cases
VMware NSX for vSphere - Intro and use casesVMware NSX for vSphere - Intro and use cases
VMware NSX for vSphere - Intro and use cases
 
VMware vShield - Overview
VMware vShield - OverviewVMware vShield - Overview
VMware vShield - Overview
 
Andy Kennedy - Scottish VMUG April 2016
Andy Kennedy - Scottish VMUG April 2016Andy Kennedy - Scottish VMUG April 2016
Andy Kennedy - Scottish VMUG April 2016
 
VMworld 2015: VMware NSX Deep Dive
VMworld 2015: VMware NSX Deep DiveVMworld 2015: VMware NSX Deep Dive
VMworld 2015: VMware NSX Deep Dive
 
VMware-vShield-Presentation-pp-en-Dec10.pptx
VMware-vShield-Presentation-pp-en-Dec10.pptxVMware-vShield-Presentation-pp-en-Dec10.pptx
VMware-vShield-Presentation-pp-en-Dec10.pptx
 
VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational...
VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational...VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational...
VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational...
 
VMworld 2013: NSX PCI Reference Architecture Workshop Session 1 - Segmentation
VMworld 2013: NSX PCI Reference Architecture Workshop Session 1 - SegmentationVMworld 2013: NSX PCI Reference Architecture Workshop Session 1 - Segmentation
VMworld 2013: NSX PCI Reference Architecture Workshop Session 1 - Segmentation
 
VMware overview presentation by alamgir hossain
VMware overview presentation by alamgir hossainVMware overview presentation by alamgir hossain
VMware overview presentation by alamgir hossain
 
Thinking about SDN and whether it is the right approach for your organization?
Thinking about SDN and whether it is the right approach for your organization?Thinking about SDN and whether it is the right approach for your organization?
Thinking about SDN and whether it is the right approach for your organization?
 
IaaS with Software Defined Networking
IaaS with Software Defined NetworkingIaaS with Software Defined Networking
IaaS with Software Defined Networking
 
Vmug 2017 Guido Frabotti
Vmug 2017 Guido FrabottiVmug 2017 Guido Frabotti
Vmug 2017 Guido Frabotti
 
Cisco Evolving virtual switching to applications & cloud
Cisco Evolving virtual switching to applications & cloudCisco Evolving virtual switching to applications & cloud
Cisco Evolving virtual switching to applications & cloud
 
OVHcloud Hosted Private Cloud Platform Network use cases with VMware NSX
OVHcloud Hosted Private Cloud Platform Network use cases with VMware NSXOVHcloud Hosted Private Cloud Platform Network use cases with VMware NSX
OVHcloud Hosted Private Cloud Platform Network use cases with VMware NSX
 
f5_synthesis_cisco_connect.pdf
f5_synthesis_cisco_connect.pdff5_synthesis_cisco_connect.pdf
f5_synthesis_cisco_connect.pdf
 
VMworld 2013: Case Study: VMware vCloud Ecosystem Framework for Network and S...
VMworld 2013: Case Study: VMware vCloud Ecosystem Framework for Network and S...VMworld 2013: Case Study: VMware vCloud Ecosystem Framework for Network and S...
VMworld 2013: Case Study: VMware vCloud Ecosystem Framework for Network and S...
 
Fortinet & VMware integration
Fortinet & VMware integrationFortinet & VMware integration
Fortinet & VMware integration
 

SEC8022_Securing_SDDC_NSX_Hammad_Shahzad

  • 11. Automated Security in a Software Defined Data Center – Quarantine Vulnerable Systems until Remediated.
        Security Group = Quarantine; Members = {Tag = ‘ANTI_VIRUS.VirusFound’}; Policy = {L2 Isolated Network, Scan + Remediate}.
        Security Group = VDI-VMs.
        Policy Definition: VDI Security Policy – Anti-Virus: Scan. Quarantined Security Policy – Firewall: Block all except security tools; Anti-Virus: Scan and remediate.
  • 12. Implementation: Security Groups and Security Policy – VOD
  • 13. Distributed Firewall – Line Rate, Stateful L2-L4 firewall (layer diagram: App, GI, DFW)
  • 14. Distributed Firewall (DFW): Line Rate (20+ Gbps); Stateful; Enforcement at both ingress and egress; L2-L4; Packet Capturing; Monitoring; Traffic between VM and vSwitch always transits through the Firewall Kernel Module.
        Diagram labels: NSX Manager, Message Bus, MGMT Network, Firewall Rules, ESXi Host, User Space, Kernel Space, vNIC, vSwitch, Firewall Kernel Module, Rule Table, Physical switch.
  • 15. Adding DFW to Security Policy – DEMO
  • 16. Implementation: Quarantine Group and Policy – DEMO
  • 17. Network Introspection – Host Based Deep Packet Inspection (layer diagram: App, GI, DFW, NI)
  • 18. NSX-NI Components. Diagram labels: NSX Manager, vCenter, Partner Management Console, ESXi Host, Partner SERVICE VM (SVM), VM (OS, APP, vNIC), VDS; connections labelled TCP/443 (three links) and TCP/5671.
  • 19. Packet Flow with DFW and NetX. Diagram labels: ESXi, User World, Kernel, DFW, VM (OS, APP, vNIC), Partner SERVICE VM (SVM), Redirect Rule Table, Packet Punting, VDS.
  • 20. Policy – Bringing the Technologies Together (layer diagram: App, GI, DFW, NI, Policy)
  • 21. Policy: The Common Language
  • 22. End-to-End Demo in Action
  • 23. Automation and Operations (layer diagram: App, GI, DFW, NI, Policy)
  • 24. Security Integrated and Automated Application Deployment: Accelerate workload deployment; Avoid risk from human errors; Compliance and auditability.
        Diagram labels: Application Deployment, App request, CMP (vRealize Automation, vRealize Orchestrator), API, NETWORKING, SECURITY, Security Policies, Security Groups, Automated Security Enforcement.
  • 25. Operations, Monitoring and Troubleshooting:
        NSX Native: Traceflow, Central CLI, IPFIX, Activity Monitoring, Flow Monitoring, NetFlow, Syslog, Port Mirroring.
        VMware Products: vSphere Native, vRealize Log Insight, vRealize Network Insight, Infrastructure Navigator.
        Partner Products: Partner Native Tools, Gigamon, Tufin, AlgoSec, Splunk.
  • 26. Key Take Away: Application; Guest Introspection (GI); Distributed Firewall (DFW); Network Introspection (NI); Policy – The Common Language; Automation; Operationalization.
  • 28. NSX partner ecosystem – Dynamic Insertion of Partner Services. Categories: Physical Infrastructure, Security, Application Delivery, Operations and Visibility.
  • 29. Where to get started.
        Learn: NSX Product Page & Technical Resources – vmware.com/products/nsx; Network Virtualization Blog – blogs.vmware.com/networkvirtualization; VMware NSX on YouTube – youtube.com/user/vmwarensx.
        Connect & Engage: communities.vmware.com.
        Experience 70+ Unique NSX Sessions: spotlights, breakouts, quick talks & group discussions.
        Visit the VMware Booth: use case demos, chat with NSX experts.
        Visit NSX Technical Partner Booths: integration demos – EPSec & NetX, Hardware VTEP, Ops & Visibility.
        Test Drive NSX with free Hands-on Labs: expert-led or self-paced – labs.hol.vmware.com.
        Use NSX Proactive Support Service: optimize performance based on data monitoring and analytics to help resolve problems, mitigate risk and improve operational efficiency – vmware.com/consulting.
        Take Training and Certification: several paths to professional certifications; learn more at the Education & Certification Lounge – vmware.com/go/nsxtraining.
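The tag-driven quarantine workflow from slide 11, modelled in Python as an added example (not VMware's code and not the NSX API): dynamic Security Group membership is re-evaluated from the VM's security tags, and the higher-weight Quarantined policy takes precedence only while the ‘ANTI_VIRUS.VirusFound’ tag is present. The VM names, the policy weights and the VDI-VMs membership rule (name prefix "vdi-") are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Set

VIRUS_TAG = "ANTI_VIRUS.VirusFound"  # tag named on slide 11; set by the partner AV through GI

@dataclass
class VM:
    name: str
    tags: Set[str] = field(default_factory=set)

@dataclass
class SecurityGroup:
    name: str
    criterion: Callable[[VM], bool]  # dynamic membership rule, re-evaluated on every tag change

    def members(self, vms: List[VM]) -> List[str]:
        return [vm.name for vm in vms if self.criterion(vm)]

@dataclass
class SecurityPolicy:
    name: str
    weight: int            # higher weight takes precedence when a VM is in several groups
    applied_to: List[str]  # security group names the policy is applied to
    firewall: List[str]
    anti_virus: List[str]

# Groups and policies as on slide 11; the VDI-VMs rule and the weights are constructed assumptions.
QUARANTINE = SecurityGroup("Quarantine", lambda vm: VIRUS_TAG in vm.tags)
VDI_VMS = SecurityGroup("VDI-VMs", lambda vm: vm.name.startswith("vdi-"))
POLICIES = [
    SecurityPolicy("VDI Security Policy", 1000, ["VDI-VMs"], [], ["Scan"]),
    SecurityPolicy("Quarantined Security Policy", 5000, ["Quarantine"],
                   ["Block all except security tools"], ["Scan and remediate"]),
]

def effective_policies(vm: VM) -> List[SecurityPolicy]:
    """Policies that apply to the VM through its group membership, highest weight first."""
    member_of = {g.name for g in (QUARANTINE, VDI_VMS) if g.criterion(vm)}
    applied = [p for p in POLICIES if member_of & set(p.applied_to)]
    return sorted(applied, key=lambda p: -p.weight)

def av_scan_result(vm: VM, virus_found: bool) -> List[str]:
    """The AV verdict sets or clears the tag; membership and policy follow without manual steps."""
    if virus_found:
        vm.tags.add(VIRUS_TAG)
    else:
        vm.tags.discard(VIRUS_TAG)  # remediated: the VM drops out of Quarantine automatically
    return [p.name for p in effective_policies(vm)]
```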

Editor's Notes

  1. Shahzad Ali: Final ready to be uploaded to public: Sep. 19 . 2016
  2. Shahzad.Aug.11.2016.Done
  3. Shahzad.Aug.11.2016.Done
  4. Shahzad.Aug.11.2016.Done
  5. HOL-SDC-1741 – Trend Micro and NSX Integration (Agentless-AV)
  6. Implementation: NSX GI
  7. Implementation: Partner Integration – Recorded DEMO
  8. Implementation: Security Groups and Security Policy – Recorded DEMO
  9. Overall goal: the VM is secured; the next step is the line rate firewall --- stateful, kernel level, 20 Gbps. We have many sessions on this already – keep it high level.
  10. Adding DFW to Security Policy
  11. Implementation: Quarantine Group and Policy - VOD
  12. SPO-9976 – Palo Alto Networks and NSX Integration Deep Dive HOL-1723 – Hands On Lab
  13. NetX enables partners to integrate their solution with NSX. It is a host-based service insertion mechanism that utilizes the DFW framework and is implemented at the vNIC level: it creates a tap-point (filter) on the vNIC. The partner deploys a virtual appliance (Partner-SVM) on each host. Based on the rule, traffic is redirected to the Partner-SVM for processing, and the Partner-SVM does deep packet inspection (L7). Depending on the decided action, the packet is dropped or punted back into the hypervisor kernel.
  14. vSIP is a kernel module that has the ability to deal with multiple tap points and running VMs. vSIP has taps onto the packet flow that is going in and out of the VM; there are 2 tap points shown here for vSIP in the packet flow: DFW, and for the SVM. ====== Formerly vShield App. Stateful firewall at the vNIC layer with ALG (reverse proxy) capabilities. TRUTH – ALG means that for 5 predefined services that commonly use dynamic ports set up during initial communication, the vSIP module becomes a reverse proxy that monitors the first session setup and looks into the packet payload of the first few packets to determine which communication ports need to be opened. We then open those ports and stop looking into the packet payload. The services are FTP, Oracle, DCRPC, SUNRPC, MSRPC. Firewall rules and SGs are stored in the Postgres database on NSX Manager. ======
  15. SPO-9976 – Palo Alto Networks and NSX Integration Deep Dive HOL-1723 – Hands On Lab
  16. NSX Security Policy – Recorded Demo
  17. Combined Demo
  18. SPO-9976 – Palo Alto Networks and NSX Integration Deep Dive HOL-1723 – Hands On Lab
  19. Talking points: Give the audience the analogy of a secure bank. Physical security: camera, heat sensors, motion sensor, light sensors, locks, door, vault. Layered security model: outside the bank, bank perimeter, inside the bank, vault (the most secure security layer). ------------------------------------------------------------------------------ Security is needed from all aspects. Layered security model – analogy: banks. The SDDC needs to: secure inside the VM (the actual data, files and OS) – Guest Introspection (Agentless-AV); secure IP data leaving the VM – Firewall (Distributed); secure IP data entering into the VM – Firewall (Distributed); provide deep IP packet inspection (@L7) – Network Introspection (IDS/IPS). With all the above we need automation, speed and high performance.
  20. Think about NSX as a platform, it is not a point product. A true platform requires successful participation of a third-party ecosystem. NSX has developed a RICH ecosystem of partners that span across physical to virtual, operations and visibility, app delivery services, and security services categories. This extensible, distributed service platform supports the novel concept of dynamic service chain that provides multiple platform integration points and automates the deployment, orchestration, and scale-out of partner services.