Confidential ©2020 VMware, Inc.

Posted on 16-May-2022
Page 2: Welcome to VMware TechTuesday Webinar

The Secure Virtual Cloud Network – The Goldilocks Zone of Data Center Security

Tock Hiong Ng, Senior Manager, Specialist Solutions Engineering, Networking, Security & Automation, Southeast Asia & Korea, VMware

Chian Chong Wong, Specialist Solutions Engineer, Networking & Security, Southeast Asia & Korea, VMware

Tyler Chen, Senior Solutions Engineer, Networking & Security, Asia Pacific & Japan, VMware

Page 3: Tock Hiong Ng, Senior Manager, Specialist Solutions Engineering, Networking, Security & Automation, Southeast Asia & Korea, VMware

Page 4: The Secure Virtual Cloud Network - The Goldilocks Zone of Data Center Security

Tock Hiong Ng, Senior Manager, SEAK Networking, Security and Automation, Solution Engineering

Wong Chian Chong, Senior Solution Engineer

Tyler Chen, Senior Solution Engineer

Page 5: Agenda

• What is the Goldilocks Zone in Security

• 3 Steps to Advanced East-West Protection

• Intrinsic Security Demo

• In Summary

Page 6: What is the Goldilocks zone?

Page 7: What is the Goldilocks zone in Security?

Diagram: a context-versus-isolation chart. Endpoint Security sits at high context / low isolation; the External Firewall sits at high isolation / low context. Label across the chart: No Ubiquitous Enforcement.

Page 8: What does the Goldilocks zone mean in Security?

Diagram, same axes as the previous slide: Endpoint Security (high context / low isolation) and External Firewall (high isolation / low context) at the two extremes, with Switching / Routing / Service Mesh, Internal Firewall / IPS and ADC/ALB/WAF in between.

The Goldilocks Zone in Security: NSX Data Center and Cloud Platform, running on the Physical Infrastructure, combining High Context, High Isolation and Zero Trust Enforcement.

Page 9: Service labels on the slide: Load Balancer/WAF, Firewall, IDS/IPS, Analytics

Page 10: Security at Scale

20 Tbps firewall

Bar chart (Traditional Firewall vs. NSX SDFW): traditional firewalls cost at least … more than the NSX Service-defined Firewall (the multiplier was shown graphically and is not in the transcript).

Note: Internal calculation based on 4 Gbps traffic/server, including CapEx and 3 years of support

Note: With 40 Gbps links at capacity, traditional firewalls will be 10x more expensive

Page 11: The Power of Intrinsic: EDR + NDR = XDR

Security Data Federation: contextual workload data + contextual network data, combined with Machine Learning and Human Expertise.

An approach that leverages infrastructure across any app, any cloud, and any device to protect your apps and data everywhere.

Page 12: The Power of Intrinsic: EDR + NDR = XDR

Illustration: Machine Learning and Human Expertise over 258K queries; Process [ abc123xyz.exe ] is anomalous; verdict BLOCK (X).

Security Data Federation: an approach that leverages infrastructure across any app, any cloud, and any device to protect your apps and data everywhere.

Page 13: Chian Chong Wong, Specialist Solutions Engineer, Networking & Security, Southeast Asia & Korea, VMware

Page 14: 3 Steps to Advanced East-West Protection

Page 15: 3 Steps to Advanced East-West Protection: Segmentation, Distributed IDS/IPS, NTA/NDR

Page 16: Step 1: Segmentation and Port Blocking

Diagram: Web, App and File Server workloads split into DEVELOPMENT and PRODUCTION; traffic crossing between the two environments is marked "X DENIED!".

Page 17: STEP 1: Tag workloads as "production" or "development"

Page 18: STEP 1: Create security groups

Page 19: STEP 2: Create the "Environment Isolation" policy
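The Step 1/Step 2 workflow above (tag workloads, derive security groups from the tags, then apply an "Environment Isolation" policy between the groups) can be modelled and checked offline before anything is published. The following Python is an added example written for this page, not VMware code and not an NSX API client. The Group and SecurityPolicy payload shapes follow the NSX Policy API as the editor understands it and are illustrative only; the group ids, VM names and tags are constructed; and the distributed firewall's default rule is assumed to be allow (the NSX factory default), which is what makes the untagged-workload check at the end matter.

```python
# Added example (editor's code, not VMware's): tag-driven groups plus an
# "Environment Isolation" policy, evaluated locally. Payload shapes follow
# the NSX Policy API as the editor understands it and are illustrative only.
from dataclasses import dataclass
from itertools import permutations

GROUP_PATH = "/infra/domains/default/groups/"   # assumed NSX policy path

@dataclass(frozen=True)
class VM:
    name: str
    tags: tuple  # (scope, tag) pairs, e.g. (("env", "production"),)

    def tag(self, scope):
        return dict(self.tags).get(scope)

@dataclass(frozen=True)
class Group:
    id: str
    scope: str
    value: str

    def contains(self, vm):
        return vm.tag(self.scope) == self.value

    def nsx_payload(self):
        # Group membership expressed as a single Tag condition ("scope|tag").
        return {"resource_type": "Group", "display_name": self.id,
                "expression": [{"resource_type": "Condition",
                                "member_type": "VirtualMachine", "key": "Tag",
                                "operator": "EQUALS",
                                "value": f"{self.scope}|{self.value}"}]}

@dataclass(frozen=True)
class Rule:
    name: str
    sources: tuple       # group ids; ("ANY",) matches every workload
    destinations: tuple
    action: str          # "ALLOW" or "DROP"

@dataclass(frozen=True)
class Policy:
    name: str
    rules: tuple

    def nsx_payload(self):
        def ref(g):
            return "ANY" if g == "ANY" else GROUP_PATH + g
        return {"resource_type": "SecurityPolicy", "display_name": self.name,
                "category": "Environment",
                "rules": [{"resource_type": "Rule", "display_name": r.name,
                           "source_groups": [ref(g) for g in r.sources],
                           "destination_groups": [ref(g) for g in r.destinations],
                           "services": ["ANY"], "action": r.action}
                          for r in self.rules]}

def groups_of(vm, groups):
    return {g.id for g in groups if g.contains(vm)}

def _hit(selector, memberships):
    return "ANY" in selector or any(g in memberships for g in selector)

def evaluate(src, dst, policies, groups, default="ALLOW"):
    # First match wins, walking policies and rules in order. The DFW default
    # rule is modelled as allow (assumed factory default): unmatched flows pass.
    s, d = groups_of(src, groups), groups_of(dst, groups)
    for pol in policies:
        for rule in pol.rules:
            if _hit(rule.sources, s) and _hit(rule.destinations, d):
                return rule.action, f"{pol.name}/{rule.name}"
    return default, "default-rule"

def untagged(vms, groups):
    # Workloads in no group: the isolation policy never sees them.
    return [vm.name for vm in vms if not groups_of(vm, groups)]

def cross_env_allowed(vms, policies, groups):
    # Ordered pairs of tagged workloads in different environments still allowed.
    return [(a.name, b.name) for a, b in permutations(vms, 2)
            if a.tag("env") and b.tag("env") and a.tag("env") != b.tag("env")
            and evaluate(a, b, policies, groups)[0] == "ALLOW"]

# Constructed inventory: names, tags and group ids are made up for the example.
GROUPS = (Group("prod", "env", "production"), Group("dev", "env", "development"))
ISOLATION = Policy("Environment Isolation", (
    Rule("Block-Dev-to-Prod", ("dev",), ("prod",), "DROP"),
    Rule("Block-Prod-to-Dev", ("prod",), ("dev",), "DROP"),
))
VMS = (VM("web-prod", (("env", "production"),)),
       VM("app-prod", (("env", "production"),)),
       VM("web-dev", (("env", "development"),)),
       VM("file-server", ()))   # never tagged, so it sits outside both groups

if __name__ == "__main__":
    for a, b in permutations(VMS, 2):
        print(f"{a.name:12} -> {b.name:12} {evaluate(a, b, [ISOLATION], GROUPS)}")
    print("untagged workloads:", untagged(VMS, GROUPS))
    print("cross-env flows still allowed:", cross_env_allowed(VMS, [ISOLATION], GROUPS))
```

Two things the slides do not spell out fall out of running this: the two DROP rules only bite for workloads that carry an `env` tag, so `untagged()` reports the file server as governed solely by the default-allow rule, and `cross_env_allowed()` is the regression check worth keeping after every tag or group change, since a workload that loses its tag silently drops out of the isolation policy rather than failing closed.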

Page 20: NSX Intelligence

Page 21: NSX Intelligence: Create new recommendation (1)

You can select the duration of analysis, up to 1 month

You can select whether to create object-based or IP-based firewall objects

Page 22: NSX Intelligence: Create new recommendation (2)

Select the VMs to be included in the analysis

Page 23: NSX Intelligence: Create new recommendation (3)

Page 24: NSX Intelligence: Create new recommendation (4)

Page 25: NSX Intelligence: Create new recommendation (5)

Page 26: NSX Intelligence: Create new recommendation (6)

You can add, delete, copy or clone rules before publishing

Page 27: NSX Intelligence: Create new recommendation (7)

Position the order of the policy, then click Publish to complete

Page 28: NSX Intelligence – monitoring of recommendations

Screenshot labels: Monitoring enabled; Changes detected

Slide columns: Features / Benefit

• Create a baseline recommendation, then let NSX Intelligence learn the desired DFW policy

• Enables discovery of groups based on VM membership changes

• NSX Intelligence will generate new recommendations upon detecting changes to policy

• Can be enabled on recommendations with a status of:

– Ready to Publish

– No Recommendations Available

– Failed

Page 29: Steps and Process Comparison

Traditional Segmentation Workflow: 108+ steps

NSX Segmentation Workflow: 7 steps

Ordering Westworld Season 1, Episode 2 on HBO: 7 steps

Source: Internal VMware Analysis, Aug 2020

Page 30: 3 Steps to Advanced East-West Protection: Segmentation, Distributed IDS/IPS, NTA/NDR

Page 31: Step 2: Port Blocking to In-band Inspection

Diagram: Web, App, App and File Server workloads with per-hop traffic analysis; a flow on the SMB port is flagged "SMB Port! (WannaCry Signature)".

Page 32: Virtual Patching with NSX Distributed IDS/IPS

Diagram: www traffic enters through the ADC/LB/WAF [Avi]; the Web, App and File Server workloads each sit behind their own NSX Firewall.

Page 33: IDS/IPS SIGNATURES

Diagram: Finance_App, Finance_Web, Finance_Db and File Server workloads. From ~13k signatures…, each engine evaluates only the subset relevant to its workload (Finance_app IDPS, Apache IDS/IPS, MySQL IDS/IPS): >80%* fewer signatures evaluated at each IDPS engine.

Signature counts shown per application: Exchange 35, Apache 132, SQL Server 56, Tomcat 42.

*NOTE: Figures are approximate, for illustrative purposes only.

Page 34: Screenshot of the per-cluster ENABLE / DISABLE toggle

Cluster Name  Status    vCenter
Compute       Disabled  vcsa-r   [ENABLE]
Management    Disabled  vcsa-r   [ENABLE]

After clicking ENABLE, both clusters show Status: Enabled.

Page 35: Steps and Process Comparison

Traditional IDS/IPS Deployment: ~71 steps

NSX IDS/IPS Deployment: 1 step

Turning on the Television: 1 step

Source: Internal VMware Analysis, Aug 2020

Page 36: Tyler Chen, Senior Solutions Engineer, Networking & Security, Asia Pacific & Japan, VMware

Page 37: 3 Steps to Advanced East-West Protection: Segmentation, Distributed IDS/IPS, NTA/NDR

Page 38: NSX Intelligence

Diagram: SERVICE A, App and File Server workloads, each behind NSX; NSX Intelligence correlates the signals Suspicious Movement, Suspicious content, Suspicious process and Suspicious user across them.

Page 39: Steps and Process Comparison

Traditional NTA Probe Deployment: 50+ steps

NSX NTA Probe Deployment: 0 steps

Ghosting Someone: 0 steps

Source: Internal VMware Analysis, Aug 2020

Page 40: EDR + NDR = XDR

Diagram: File Server, Web, App, App and App workloads; 258 queries; Process [ abc123xyz.exe ] is anomalous (X); Machine Learning + Human Expertise; VMware TAU; NSX Intelligence.

Page 41: Strong East-West Protection

• Segmentation

• Per Application Micro-segmentation

• Per Hop Distributed IDS/IPS

• Multi-hop Network Traffic Analysis (NTA)

• Endpoint Context + Network Context = XDR

Page 42: ROI figures (the percentages were shown graphically and are not in the transcript)

Up to … reduction with Firewall + IDS/IPS

… OpEx improvement

… reduction in CapEx

Up to … reduction with Firewall + IDS/IPS

Among the 5 Large Firewall Vendors**

*Internal VMware Customer Study: DICE ROI and Value Modeling

**VMware is 1 of 5 enterprise firewall vendors (with greater than $500m in annual revenue) in the Forrester Now Tech: Enterprise Firewalls, Q1 2020

Page 43: In Summary

Page 44: Protection through intrinsic security throughout the full stack

Secure Workloads Running Within Secure Infrastructure

Every VM can have:

• Real-time workload Audit/Remediation

• Next-Gen Antivirus

• Workload EDR

• Individual firewalls

• Individual security policies

• WAF and Load Balancing

Policies can be defined based on any context:

• VM attributes

• User attributes

• Network attributes

• Application attributes

Purpose-built for Cloud Foundation to deliver a unique and comprehensive data center security solution.

Integrated with infrastructure:

• Multi-layer security

• Protection for infrastructure and workloads

Page 45: Intrinsic Security: VMware's Differentiated Approach

Built-in: Security built in to the distributed infrastructure from endpoint to cloud

Unified: Unified across disparate security tools and teams working together

Context-centric: Understanding the applications and data you are trying to secure

Page 46: Advanced Security Services to Protect Applications: Security Beyond the Infrastructure

Storage:

• Data at rest encryption

• Cluster-level key management

• Hardware agnostic

• Erasure Coding

Compute:

• VM-level encryption

• Encrypted vMotion

• Multi-factor authentication

• TPM / vTPM 2.0 + VBS

Management:

• Governance

• Compliance

• Container registry services

• vSphere Trust Authority

Network, and the remaining labels on the slide (column placement not recoverable from the transcript): Micro-segmentation, VPN, Secure end user, Multi-Cloud Security, VMware Cloud Foundation, NSX Advanced Load Balancer, Carbon Black Cloud, NSX Distributed IDS/IPS

Page 47: Complete Survey Form

We value your feedback. Please scan the QR code or enter the URL below to complete the survey form.

https://bit.ly/3qk4QZv