Andy Kennedy - Scottish VMUG April 2016
TRANSCRIPT
![Page 1: Andy Kennedy - Scottish VMUG April 2016](https://reader031.vdocument.in/reader031/viewer/2022030311/58ef96371a28abe3288b45bd/html5/thumbnails/1.jpg)
Scottish VMUG, April 2016
From untrust to zero trust… Securing what comes next for the SDDC
Andy Kennedy (@packetdiscards)
Networking & Security Business Unit, EMEA, +44 7766 [email protected]
![Page 2: Andy Kennedy - Scottish VMUG April 2016](https://reader031.vdocument.in/reader031/viewer/2022030311/58ef96371a28abe3288b45bd/html5/thumbnails/2.jpg)
Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
![Page 3: Andy Kennedy - Scottish VMUG April 2016](https://reader031.vdocument.in/reader031/viewer/2022030311/58ef96371a28abe3288b45bd/html5/thumbnails/3.jpg)
From untrust to zero trust… Securing what comes next for the SDDC
© 2016 VMware Inc. All rights reserved.
Andy Kennedy (@packetdiscards)
Networking & Security Business Unit, EMEA, +44 7766 [email protected]
![Page 4: Andy Kennedy - Scottish VMUG April 2016](https://reader031.vdocument.in/reader031/viewer/2022030311/58ef96371a28abe3288b45bd/html5/thumbnails/4.jpg)
From Shadow IT to the Next Unit of Compute - The blind spot indicator for cyber security
![Page 5: Andy Kennedy - Scottish VMUG April 2016](https://reader031.vdocument.in/reader031/viewer/2022030311/58ef96371a28abe3288b45bd/html5/thumbnails/5.jpg)
Cloud Silos
Public, Managed, Private
![Page 6: Andy Kennedy - Scottish VMUG April 2016](https://reader031.vdocument.in/reader031/viewer/2022030311/58ef96371a28abe3288b45bd/html5/thumbnails/6.jpg)
Application Silos
Traditional Applications | Cloud-Native Applications
![Page 7: Andy Kennedy - Scottish VMUG April 2016](https://reader031.vdocument.in/reader031/viewer/2022030311/58ef96371a28abe3288b45bd/html5/thumbnails/7.jpg)
Device Proliferation
Applications, Content
![Page 8: Andy Kennedy - Scottish VMUG April 2016](https://reader031.vdocument.in/reader031/viewer/2022030311/58ef96371a28abe3288b45bd/html5/thumbnails/8.jpg)
One Cloud Any Application Any Device
![Page 9: Andy Kennedy - Scottish VMUG April 2016](https://reader031.vdocument.in/reader031/viewer/2022030311/58ef96371a28abe3288b45bd/html5/thumbnails/9.jpg)
Bridging Two Worlds
Mobile Cloud Era
Client-Server Era
![Page 10: Andy Kennedy - Scottish VMUG April 2016](https://reader031.vdocument.in/reader031/viewer/2022030311/58ef96371a28abe3288b45bd/html5/thumbnails/10.jpg)
High-Level Architecture (diagram)
Security functions: Isolation, Segmentation, Service Insertion, Guest Introspection
Operations: Orchestration, Configuration Management, DR, Backup & recovery, Log Management, SIEM, Operations Dashboard
Virtual Domain: RBAC / AAA, Policy Management, Policy Enforcement, Monitoring & Analytics, Backup & Disaster Recovery
Physical Domain: Hybrid Cloud Infrastructure
People & Process
![Page 11: Andy Kennedy - Scottish VMUG April 2016](https://reader031.vdocument.in/reader031/viewer/2022030311/58ef96371a28abe3288b45bd/html5/thumbnails/11.jpg)
3rd Platform Enables New Types of Apps in the Mobile-Cloud Era (diagram of three stacks, each split between an App Team and Operations)
– 1st Platform (Servers): Hardware / OS / Application
– 2nd Platform (Virtualization): x86 / OS / Application
– 3rd Platform (Cloud): x86 / Linux / Application
![Page 12: Andy Kennedy - Scottish VMUG April 2016](https://reader031.vdocument.in/reader031/viewer/2022030311/58ef96371a28abe3288b45bd/html5/thumbnails/12.jpg)
Major NSX use cases
– Security: Intra-Datacenter Micro-Segmentation, DMZ Anywhere, Secure User Environments
– Agility: IT Automating IT, Developer Clouds, Multi-tenant Infrastructure
– Application Continuity: Disaster Recovery, Metro Pooling, Hybrid Cloud Networking
![Page 13: Andy Kennedy - Scottish VMUG April 2016](https://reader031.vdocument.in/reader031/viewer/2022030311/58ef96371a28abe3288b45bd/html5/thumbnails/13.jpg)
Microsegmentation
![Page 14: Andy Kennedy - Scottish VMUG April 2016](https://reader031.vdocument.in/reader031/viewer/2022030311/58ef96371a28abe3288b45bd/html5/thumbnails/14.jpg)
![Page 15: Andy Kennedy - Scottish VMUG April 2016](https://reader031.vdocument.in/reader031/viewer/2022030311/58ef96371a28abe3288b45bd/html5/thumbnails/15.jpg)
![Page 16: Andy Kennedy - Scottish VMUG April 2016](https://reader031.vdocument.in/reader031/viewer/2022030311/58ef96371a28abe3288b45bd/html5/thumbnails/16.jpg)
![Page 17: Andy Kennedy - Scottish VMUG April 2016](https://reader031.vdocument.in/reader031/viewer/2022030311/58ef96371a28abe3288b45bd/html5/thumbnails/17.jpg)
![Page 18: Andy Kennedy - Scottish VMUG April 2016](https://reader031.vdocument.in/reader031/viewer/2022030311/58ef96371a28abe3288b45bd/html5/thumbnails/18.jpg)
Topology Driven Security
Little or no lateral controls inside the perimeter (diagram: Internet-facing perimeter)
![Page 19: Andy Kennedy - Scottish VMUG April 2016](https://reader031.vdocument.in/reader031/viewer/2022030311/58ef96371a28abe3288b45bd/html5/thumbnails/19.jpg)
Topology Driven Security
Operationally Infeasible (diagram: Internet-facing perimeter with a firewall per segment)
![Page 20: Andy Kennedy - Scottish VMUG April 2016](https://reader031.vdocument.in/reader031/viewer/2022030311/58ef96371a28abe3288b45bd/html5/thumbnails/20.jpg)
The challenge of topology driven security in the SDDC
Centralized firewalls:
• Create firewall rules before provisioning
• Update firewall rules when moving or changing
• Delete firewall rules when app decommissioned
• Problem increases with more east-west traffic
![Page 21: Andy Kennedy - Scottish VMUG April 2016](https://reader031.vdocument.in/reader031/viewer/2022030311/58ef96371a28abe3288b45bd/html5/thumbnails/21.jpg)
How an SDDC Approach Makes Micro-segmentation Feasible (diagram)
Security policy, Perimeter firewalls, Cloud Management Platform, Internet
![Page 22: Andy Kennedy - Scottish VMUG April 2016](https://reader031.vdocument.in/reader031/viewer/2022030311/58ef96371a28abe3288b45bd/html5/thumbnails/22.jpg)
Creating a zero trust model
Isolation → Explicit allow communication → Secure communications → Structured secure communications
And align your controls to what you are protecting: NGFW, IPS, WAF (e.g. Allow HTTPS)
![Page 23: Andy Kennedy - Scottish VMUG April 2016](https://reader031.vdocument.in/reader031/viewer/2022030311/58ef96371a28abe3288b45bd/html5/thumbnails/23.jpg)
Adapting to Change
![Page 24: Andy Kennedy - Scottish VMUG April 2016](https://reader031.vdocument.in/reader031/viewer/2022030311/58ef96371a28abe3288b45bd/html5/thumbnails/24.jpg)
Application Silos
Traditional Applications | Cloud-Native Applications
![Page 25: Andy Kennedy - Scottish VMUG April 2016](https://reader031.vdocument.in/reader031/viewer/2022030311/58ef96371a28abe3288b45bd/html5/thumbnails/25.jpg)
Challenges with Containers: Different Units of Management
Developer | IT
Partial Visibility, Limited Security, No Compatibility (Tools)
![Page 26: Andy Kennedy - Scottish VMUG April 2016](https://reader031.vdocument.in/reader031/viewer/2022030311/58ef96371a28abe3288b45bd/html5/thumbnails/26.jpg)
Containers without compromise
Today: Container Engine on Linux | vSphere Integrated Containers
![Page 27: Andy Kennedy - Scottish VMUG April 2016](https://reader031.vdocument.in/reader031/viewer/2022030311/58ef96371a28abe3288b45bd/html5/thumbnails/27.jpg)
Security
Today | vSphere Integrated Containers
Hardware Level Isolation | OS Level Isolation
![Page 28: Andy Kennedy - Scottish VMUG April 2016](https://reader031.vdocument.in/reader031/viewer/2022030311/58ef96371a28abe3288b45bd/html5/thumbnails/28.jpg)
Container Security (diagram)
Vulnerable Application: containers labelled Vault (×2), Website (×4), Database; reachable from the Internet on Port 80; internal network
![Page 29: Andy Kennedy - Scottish VMUG April 2016](https://reader031.vdocument.in/reader031/viewer/2022030311/58ef96371a28abe3288b45bd/html5/thumbnails/29.jpg)
Docker libnetwork – Options
– Bridge: Implements a way to configure new networks as isolated L2 bridges on single Docker hosts. The scope is ‘local’.
– Overlay: Implements VXLAN based overlay networking to create L2 segments to attach containers running on multiple Docker Hosts.
– Remote: Implements an API to externalize network functions to 3rd party vendors / solutions.
(Diagram: Bridge Networking | Multi-Host (Overlay) Driver | Remote (Vendor) Driver)
![Page 30: Andy Kennedy - Scottish VMUG April 2016](https://reader031.vdocument.in/reader031/viewer/2022030311/58ef96371a28abe3288b45bd/html5/thumbnails/30.jpg)
Docker libnetwork – The Container Network Model (CNM)
• Sandbox – A Sandbox contains the configuration of a container's network stack. This includes management of the container's interfaces, routing table and DNS settings. An implementation of a Sandbox could be a Linux Network Namespace, a FreeBSD Jail or other similar concept.
• Endpoint – An Endpoint joins a Sandbox to a Network. An implementation of an Endpoint could be a veth pair, an Open vSwitch internal port or similar.
• Network – A Network is a group of Endpoints that are able to communicate with each other directly. An implementation of a Network could be a VXLAN Segment, a Linux bridge, a VLAN, etc.
Source: https://github.com/docker/libnetwork/blob/master/docs/design.md
(Diagram: External network, Gateway, Bridge)
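To make the two libnetwork slides above concrete, the following is an added example (not from the deck and not libnetwork's own code): a small model of the CNM's three objects, with a driver attribute for the bridge/overlay distinction, a direct-reachability check (two containers can talk when their Sandboxes share a Network) and an audit that lists containers whose Sandbox spans more than one Network. The topology and container names are constructed.

```python
"""
Added example (not from the slide deck or from libnetwork): a model of the
Container Network Model's Sandbox, Endpoint and Network objects with a
reachability check and a multi-homing audit. Topology is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Network:
    """A Network groups Endpoints that can talk to each other directly
    (a Linux bridge, VXLAN segment or VLAN in a real driver)."""
    name: str
    driver: str = "bridge"          # "bridge" is host-local, "overlay" spans hosts
    endpoints: Set[str] = field(default_factory=set)   # endpoint ids


@dataclass
class Endpoint:
    """An Endpoint joins one Sandbox to one Network (e.g. a veth pair)."""
    id: str
    sandbox: str
    network: str


@dataclass
class Sandbox:
    """A Sandbox is a container's network stack (a Linux network namespace);
    it may hold several Endpoints."""
    container: str
    endpoints: List[str] = field(default_factory=list)


class Cnm:
    def __init__(self) -> None:
        self.networks: Dict[str, Network] = {}
        self.sandboxes: Dict[str, Sandbox] = {}
        self.endpoints: Dict[str, Endpoint] = {}

    def create_network(self, name: str, driver: str = "bridge") -> Network:
        net = Network(name, driver)
        self.networks[name] = net
        return net

    def create_sandbox(self, container: str) -> Sandbox:
        sb = Sandbox(container)
        self.sandboxes[container] = sb
        return sb

    def connect(self, container: str, network: str) -> Endpoint:
        """Like `docker network connect`: a new Endpoint joins the container's
        Sandbox to the Network."""
        ep_id = f"{container}@{network}"
        ep = Endpoint(ep_id, container, network)
        self.endpoints[ep_id] = ep
        self.sandboxes[container].endpoints.append(ep_id)
        self.networks[network].endpoints.add(ep_id)
        return ep

    def networks_of(self, container: str) -> Set[str]:
        return {self.endpoints[e].network for e in self.sandboxes[container].endpoints}

    def can_reach(self, a: str, b: str) -> bool:
        """Direct reachability: the two Sandboxes share at least one Network."""
        return bool(self.networks_of(a) & self.networks_of(b))

    def multi_homed(self) -> List[str]:
        """Audit: containers whose Sandbox spans more than one Network. Such a
        container joins two segments and needs a deliberate policy decision."""
        return sorted(c for c in self.sandboxes if len(self.networks_of(c)) > 1)


def build_demo() -> Cnm:
    """Constructed topology: per-app front and back networks, the shared default
    bridge, and a 'website' container connected to both app networks."""
    cnm = Cnm()
    cnm.create_network("bridge")                    # Docker's default local bridge
    cnm.create_network("app_front")
    cnm.create_network("app_back", driver="overlay")
    for c in ("website", "database", "vault", "batch"):
        cnm.create_sandbox(c)
    cnm.connect("website", "app_front")
    cnm.connect("website", "app_back")
    cnm.connect("database", "app_back")
    cnm.connect("vault", "bridge")                  # left on the default bridge ...
    cnm.connect("batch", "bridge")                  # ... alongside an unrelated job
    return cnm


if __name__ == "__main__":
    cnm = build_demo()
    print("website -> database:", cnm.can_reach("website", "database"))
    print("website -> vault:", cnm.can_reach("website", "vault"))
    print("vault -> batch (shared default bridge):", cnm.can_reach("vault", "batch"))
    print("multi-homed containers:", cnm.multi_homed())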
![Page 31: Andy Kennedy - Scottish VMUG April 2016](https://reader031.vdocument.in/reader031/viewer/2022030311/58ef96371a28abe3288b45bd/html5/thumbnails/31.jpg)
Containers – do we still need a Hypervisor?
Privilege escalation can lead to container host compromise (diagram: Vault ×2, Website ×4, Database containers; Internet on Port 80; internal network; Confidential Information)
![Page 32: Andy Kennedy - Scottish VMUG April 2016](https://reader031.vdocument.in/reader031/viewer/2022030311/58ef96371a28abe3288b45bd/html5/thumbnails/32.jpg)
Containers – do we still need a Hypervisor?
Lack of isolation allows an attacker to move around (diagram: Vault ×2, Website ×4, Database containers; Internet on Port 80; internal network; Confidential Information)
![Page 33: Andy Kennedy - Scottish VMUG April 2016](https://reader031.vdocument.in/reader031/viewer/2022030311/58ef96371a28abe3288b45bd/html5/thumbnails/33.jpg)
Containers – do we still need a Hypervisor?
NSX provides segmentation, visibility and integration (diagram: Website ×4 reachable from the Internet on Port 80; Vault ×2 and Database on the internal network; Physical Network Infrastructure; Datacenter; Honey Pot; Vulnerability Scanner; Micro-segmentation; Alert; Connection to data center)
![Page 34: Andy Kennedy - Scottish VMUG April 2016](https://reader031.vdocument.in/reader031/viewer/2022030311/58ef96371a28abe3288b45bd/html5/thumbnails/34.jpg)
vSphere Integrated Containers Latest…
https://github.com/vmware/vic
http://blogs.vmware.com/cloudnative/introducing-vsphere-integrated-containers-open-source-software/
![Page 35: Andy Kennedy - Scottish VMUG April 2016](https://reader031.vdocument.in/reader031/viewer/2022030311/58ef96371a28abe3288b45bd/html5/thumbnails/35.jpg)
Kubernetes - POC (diagram)
Hypervisor (ESXi & KVM) hosting Minion VMs; each Pod attaches through a vif to the DFW; Minion VMs connect via eth1/eth2 to the DLR and via eth0 (Minion Mgmt. IP Stack) to the mgmt network; Linux bridges inside the Minion VMs
![Page 36: Andy Kennedy - Scottish VMUG April 2016](https://reader031.vdocument.in/reader031/viewer/2022030311/58ef96371a28abe3288b45bd/html5/thumbnails/36.jpg)
Kubernetes – POC
Kubernetes – POC
![Page 38: Andy Kennedy - Scottish VMUG April 2016](https://reader031.vdocument.in/reader031/viewer/2022030311/58ef96371a28abe3288b45bd/html5/thumbnails/38.jpg)
Benefits of NSX and containers (diagram: Micro-segmentation, Alert, Connection to data center)
• Micro-segmentation to establish clear boundaries
– Stop compromises at container or application level
• Central visibility into connectivity across the data center
– Per-flow tracking
– Alerts for suspicious behavior
– Virtual taps at a per-container level
• Integration with the rest of your IT infrastructure
– Monitoring, incident response, forensics
– Access to databases, backup, system updates
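The slides on centralized firewalls versus the SDDC approach, on "explicit allow" in the zero trust model, and on per-flow tracking and alerting above all describe the same mechanism. The following added example (not from the deck and not NSX code) models it: a default-deny policy expressed in terms of workload tags rather than IP addresses, evaluated over per-flow records, with an alert raised for denied east-west flows between known workloads. A `move_workload` helper shows that re-addressing a workload needs no rule change, which is the operational point the centralized-firewall slide makes. Tags, addresses and flow records are constructed.

```python
"""
Added example (not from the slide deck, not NSX code): a minimal
distributed-firewall-style evaluator. Policy is bound to workload tags,
default deny, evaluated per flow; denied east-west flows raise an alert.
All inventory, addresses and flows below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Workload inventory: tag -> workload names. Rules refer to tags, so moving or
# re-addressing a workload does not require editing the rule set.
INVENTORY: Dict[str, Set[str]] = {
    "web":   {"web-1", "web-2"},
    "db":    {"db-1"},
    "vault": {"vault-1"},
}

# Current placement: workload -> IP. This is what changes when a VM or
# container moves; the policy above does not.
PLACEMENT: Dict[str, str] = {
    "web-1": "10.0.1.11", "web-2": "10.0.1.12",
    "db-1": "10.0.2.21", "vault-1": "10.0.3.31",
}


@dataclass(frozen=True)
class Rule:
    src_tag: str          # "any" matches every source, external ones included
    dst_tag: str
    dport: int
    proto: str = "tcp"


# Explicit allow: anything not listed is dropped.
POLICY: List[Rule] = [
    Rule("any", "web", 443),   # Internet -> web tier over HTTPS only
    Rule("web", "db", 5432),   # web tier -> database
]


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dport: int
    proto: str = "tcp"


def workload_for(ip: str) -> Optional[str]:
    for name, addr in PLACEMENT.items():
        if addr == ip:
            return name
    return None  # external or unknown source/destination


def tags_for(workload: Optional[str]) -> Set[str]:
    if workload is None:
        return set()
    return {tag for tag, members in INVENTORY.items() if workload in members}


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return (verdict, reason) for one flow record."""
    src, dst = workload_for(flow.src_ip), workload_for(flow.dst_ip)
    src_tags, dst_tags = tags_for(src), tags_for(dst)
    for rule in POLICY:
        src_ok = rule.src_tag == "any" or rule.src_tag in src_tags
        dst_ok = rule.dst_tag in dst_tags
        if src_ok and dst_ok and rule.dport == flow.dport and rule.proto == flow.proto:
            return "allow", f"rule {rule.src_tag}->{rule.dst_tag}:{rule.dport}"
    # Default deny. A denied flow between two known workloads is the
    # east-west signal worth alerting on.
    if src is not None and dst is not None:
        return "deny", f"ALERT lateral attempt {src}->{dst}:{flow.dport}"
    return "deny", "no matching rule"


def evaluate_all(flows: List[Flow]) -> List[Tuple[Flow, str, str]]:
    return [(f, *evaluate(f)) for f in flows]


def move_workload(name: str, new_ip: str) -> None:
    """Simulate a VM/container move: only placement changes, never the policy."""
    PLACEMENT[name] = new_ip


# Constructed sample flows, as a per-flow tracking feed would report them.
SAMPLE_FLOWS = [
    Flow("203.0.113.5", "10.0.1.11", 443),   # Internet -> web-1 HTTPS: allowed
    Flow("203.0.113.5", "10.0.1.11", 22),    # Internet -> web-1 SSH: denied
    Flow("10.0.1.11", "10.0.2.21", 5432),    # web-1 -> db-1: allowed
    Flow("10.0.1.11", "10.0.3.31", 8200),    # web-1 -> vault-1: denied, alert
]

if __name__ == "__main__":
    for flow, verdict, reason in evaluate_all(SAMPLE_FLOWS):
        print(f"{flow.src_ip:>14} -> {flow.dst_ip}:{flow.dport:<5} {verdict:5} {reason}")
```

In a real deployment the tag membership would come from the platform's inventory (security groups, labels) and the flow records from the distributed firewall's flow log; the evaluator logic stays the same, which is why the rule count does not grow with every move, change or decommission.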
![Page 39: Andy Kennedy - Scottish VMUG April 2016](https://reader031.vdocument.in/reader031/viewer/2022030311/58ef96371a28abe3288b45bd/html5/thumbnails/39.jpg)
Cloud Silos
Public, Managed, Private
![Page 40: Andy Kennedy - Scottish VMUG April 2016](https://reader031.vdocument.in/reader031/viewer/2022030311/58ef96371a28abe3288b45bd/html5/thumbnails/40.jpg)
Public Cloud – The New Silo Infrastructure?
![Page 41: Andy Kennedy - Scottish VMUG April 2016](https://reader031.vdocument.in/reader031/viewer/2022030311/58ef96371a28abe3288b45bd/html5/thumbnails/41.jpg)
The Challenge: Connectivity Across Multiple Clouds
![Page 42: Andy Kennedy - Scottish VMUG April 2016](https://reader031.vdocument.in/reader031/viewer/2022030311/58ef96371a28abe3288b45bd/html5/thumbnails/42.jpg)
Ubiquitous Security for Public Cloud Workloads (diagram: Data Center / IT Administrator … Internet … AWS Cloud / Developer)
![Page 43: Andy Kennedy - Scottish VMUG April 2016](https://reader031.vdocument.in/reader031/viewer/2022030311/58ef96371a28abe3288b45bd/html5/thumbnails/43.jpg)
NSX + Public Cloud + Containers
Sites: Sydney, Hong Kong, Palo Alto, Chicago, Dallas, Virginia, Seattle
500 Web Servers, 7 data centers, 3 continents, 2 public clouds + 1 on premise… in 5 minutes
https://www.youtube.com/watch?v=RBJ-KoAM-OQ
![Page 44: Andy Kennedy - Scottish VMUG April 2016](https://reader031.vdocument.in/reader031/viewer/2022030311/58ef96371a28abe3288b45bd/html5/thumbnails/44.jpg)
Operational Focus
![Page 45: Andy Kennedy - Scottish VMUG April 2016](https://reader031.vdocument.in/reader031/viewer/2022030311/58ef96371a28abe3288b45bd/html5/thumbnails/45.jpg)
![Page 46: Andy Kennedy - Scottish VMUG April 2016](https://reader031.vdocument.in/reader031/viewer/2022030311/58ef96371a28abe3288b45bd/html5/thumbnails/46.jpg)
EMC Smarts for NSX – Virtual + Physical Topology (diagram)
Virtual Network: Logical Switch, Logical Router, Hypervisor
Physical Network: Leaf01, Spine01
![Page 47: Andy Kennedy - Scottish VMUG April 2016](https://reader031.vdocument.in/reader031/viewer/2022030311/58ef96371a28abe3288b45bd/html5/thumbnails/47.jpg)
Design for the New & Accommodate The Old
Hyper-V, On-Premises Data Center, Public Cloud, 3rd Gen Applications, Virtual Desktop, Mobile Devices
![Page 48: Andy Kennedy - Scottish VMUG April 2016](https://reader031.vdocument.in/reader031/viewer/2022030311/58ef96371a28abe3288b45bd/html5/thumbnails/48.jpg)
Network Virtualization Next Steps with VMware NSX
virtualizeyournetwork.com
The online resource for the people, teams and organizations that are adopting network virtualization
communities.vmware.com
Connect and engage with network virtualization experts and fellow VMware NSX users
vmware.com/go/NVtraining
Build knowledge and expertise for the next step in your career
labs.hol.vmware.com
Test drive the capabilities of VMware NSX
![Page 49: Andy Kennedy - Scottish VMUG April 2016](https://reader031.vdocument.in/reader031/viewer/2022030311/58ef96371a28abe3288b45bd/html5/thumbnails/49.jpg)
Technology Previews
https://youtu.be/RBJ-KoAM-OQ https://youtu.be/bjodui_ZhM8
Containers & Public Cloud Tech Preview
Distributed Network Encryption Tech Preview
Kubernetes & NSX Tech Preview