Business Values of Network and Security Virtualization

VMware NSX in the context of the Software Defined Data Center

Klaus Jansen, Virtual Networks Sales Specialist, VMware NSBU

© 2014 VMware Inc. All rights reserved.


Post on 25-May-2020



Agenda

(1) Context: Software Defined Data Center and Virtual Networks

(2) Cost and Security: Increased security through fine grained segmentation

(3) Security: Total privacy for multiple tenants on a shared infrastructure

(4) Security: Compliance in Architecture, Operations and Auditing

(5) Cost and Security with Choice: Integration of 3rd party security solutions

(6) Cost and Agility: Automation for Private Cloud and Self Service IT


(1) Context: Software Defined Data Center and Virtual Networks

The Software Defined Data Center (SDDC) is an approach to virtualize all aspects of data center infrastructure independent of underlying compute, storage or networking hardware.

VMware NSX represents a faithful reproduction of physical networks and security in software at full scale. It is an overlay network running on top of current data center networks. It's a key element in the SDDC architecture.


(1) SDDC Within, Between and Across Data Centers

[Diagram: Software Defined Data Center (SDDC). Panels: Data Center Virtualization, Inter-Data Center, Hybrid Data Center. Layers in each panel: Any Application, SDDC Platform, Any x86, Any Storage, Any IP network.]


State of the Art: Gartner Data Center Networking Magic Quadrant


“The NSX solution should be considered by existing VMware customers as a way of providing network agility and reducing network operational challenges within the data center.”

Gartner Data Center Networking Magic Quadrant, April 24, 2014

Most of the leading vendors of physical data center networking share our vision and provide technology for seamless integration of bare metal servers, perimeter security and other non-virtualized workloads.


SDDC – A Platform for Industry Innovation


(2) Data Center Security? Micro-segmentation is the answer


Security in the data center that so far was technically, financially and organisationally unfeasible!

Granular, Distributed Controls

Reduce attack surface

Visibility of all traffic

Block lateral movement

Zero Trust Model


(2) NSX Distributed Firewall with Micro Segmentation saves cost


Perimeter firewall: fewer devices, smaller devices, less complex device configurations, more choice of vendors

Rule sets: better visibility, no unnecessary rules kept forever, less operational cost, easier to deploy and maintain

Data Center Network: less complex configurations, better utilization, saves costly links due to reductions of East-West traffic between physical hosts, frees network capacity, likely no need to invest in a new network now


(2) Micro Segmentation – Use Cases

Self-Service IT

Use Cases:

• DevOps Cloud (diagram labels: Dev X, Dev A, Test X, Test A)

Key Requirements:

• End-to-end Programmatic Provisioning (Network, Security etc)

• "Guard-Rails" for Private Cloud

Enterprise Apps/Zones

Use Cases:

• Virtual DMZ Deployments

• Virtual Desktop (VDI)

• Enterprise Zone Segmentation

Key Requirements:

• Flexible Micro-Segmentation

• Additional Layer of Security

• Visibility and Operations

• Audit and Compliance

Multi-Tenant

Use Cases:

• SP: Multi-tenant Cloud

• Enterprise: On-boarding M&A

Key Capabilities:

• Multi-tenant Deployment

• Programmatic L2, L3, Security

• Overlapping IP Addressing

• Open for 3rd party cloud management


(3) Total privacy for multiple tenants on a shared infrastructure


When Enterprise IT acts like a Service Provider

[Diagram: Tenant 1 and Tenant 2, each with its own Tenant firewall, an HR Group (DMZ/Web, App, DB), a Finance Group (DMZ/Web, App, DB) and a Services/Management Group (Services, Mgmt).]

Completely separate unrelated networks

Add advanced services based on virtual network, network segment, or security group

Differentiated network services for different tenants

Total Isolation


(4) Compliance in Architecture, Operations and Auditing

[Diagram labels: Perimeter firewall, Inside firewall; DMZ VLAN, App VLAN, DB VLAN, Services VLAN; Finance, HR, IT; AD, NTP, DHCP, DNS, CERT.]

Before

• All Apps on a VLAN can communicate freely

• Once one App is compromised, lateral movement cannot be restricted

• No visibility of App to App traffic

Now with NSX

• Full visibility of App to App traffic

• Micro-segmentation can granularly control apps even on shared VLAN

• Ability to monitor, report and audit, e.g. with "vRealize Log Insight"

PCI relevant customer data now isolated


(5) Multi-Layer Security with 3rd party Integration


[Diagram labels: NSX, Security Groups, Tags, VM]

1. Consume: Use NSX security groups in 3rd party policy rules

2. Enforce: Enforce policy rules through 3rd party physical & virtual GWs

3. Contribute: Remediate infected VMs, triggered by the 3rd party security solution

Checkpoint, Palo Alto, Trend Micro, McAfee, ...


(6) Cost and Agility: Automation

Private Cloud / Self-Service IT

On Demand Application, including NSX Network & Security and 3rd party vendors

[Diagram: a three-tier application (Web, App, Database VMs) shown in three connectivity models: ROUTED (Logical Router, Any upstream Router), PRIVATE (No external connectivity) and NAT (NAT Gateway, Logical Router, Any upstream Router). NSX components: Logical Switch, Logical Router, Logical Firewall, Logical Load Balancer. Side label: Cloud Management.]


Thank you
