Designing the Modern Data Center Network
Transcript
Three platforms:
• 1975, 1st Platform: mainframes, PCs, SNA architecture, private lines
• 1995, 2nd Platform: client-server, LAN/WAN, Internet and IP networks
• 2015, 3rd Platform: cloud, mobile, social and data analytics

The Industry is in a Mega Transition. By 2020: cloud spending > $500B; IoT > $1.7T; > 1.5B people affected by data hacks; mobile phones > 2.1B.
© 2016 BROCADE COMMUNICATIONS SYSTEMS, INC. 2
Evolutionary Steps to Revolutionary Results
• We understand that change can be difficult…
• …we de-risk the transformation by encouraging an evolutionary approach to revolutionary results
• Examples:
  ‒ Branch office SDN/network virtualization
  ‒ Hybrid cloud with fabrics, SDN and VNFs
  ‒ Automate management of existing infrastructure with Brocade SDN Controller
  ‒ Encryption for securing the New IP edge
• Change at your pace, in your own way
[Diagram: conventional strategy vs. non-linear strategy, moving from Traditional Enterprise to Digitized Enterprise to Enterprise as Digital Business]
Reference Architecture
[Diagram: primary and secondary data centers, each with servers, storage and virtualization on a fabric, a border/DCI layer and visibility/analytics; a branch office with campus switches, WiFi and NFV; an Internet edge with NFV; Network Advisor providing automation and orchestration across the network]
Evolution of Datacenter Architectures
• 3-tier architecture: core, aggregation, access
• Scale-out Layer 2 fabric architecture: leaf/spine under a core; overlays with NSX or Virtual Fabrics
• Scale-out Layer 3 fabric architecture: DC POD 1 through DC POD N (spine/leaf, 10G links) under a super spine, plus an edge services POD with border leaf, WAN edge, Internet and DC interconnect; overlays with NSX or BGP/EVPN
Learning from Massive Scale Deployments
Source: https://code.facebook.com/posts/360346274145943/introducing-data-center-fabric-the-next-generation-facebook-data-center-network/
Datacenter POD (traditional Clos architecture)
[Diagram: spine and leaf switches; compute racks attached to the leafs by LAG; firewalls; a border leaf connecting the POD to the IP routing core]
Datacenter Multi-fabric Physical Architecture (5-stage folded Clos)
[Diagram: DC POD 1 through DC POD N, each with leaf and spine switches over 10G links serving compute and infrastructure/management racks; a super spine joins the PODs to an edge services POD of border leafs and edge racks (WAN edge, Internet, DC interconnect). Legend: L2 links and L3 links]
Choosing the Right Fabric
• VCS Fabric: topology agnostic; Layer 2 fabric with TRILL transport; embedded automation; scales to 48 switches
• IP Fabric: Clos topology; Layer 3 fabric with IP transport; open automation; scales to hundreds of switches
Same hardware, same software.
Brocade Data Center Design Stack
• Automation: Python, Ansible, Puppet, YANG model, REST, Netconf, OpenStack, VMware vRealize plugins, OpenFlow
• Virtualization: controller-based (VMware NSX, VXLAN) or controller-less (BGP-EVPN, VXLAN)
• Fabrics: VCS Fabric (Layer 2 optimized) or IP Fabric (Layer 3 optimized)
• Brocade Network Operating System (NOS)
• Platforms: Brocade VDX Ethernet switches
L3 Multi-Tenancy with VXLAN
• VXLAN-based L3 multi-tenancy: each tenant VRF is bound to its own L3 VNI, so routed traffic between tenants stays separated in the overlay
• Standards-based interoperability, without MPLS complexity
• RT/RD import/export policies supported
• Scale: 2000 tenants per TOR
[Diagram: spines S1-S4 over leaf switches, each leaf holding tenant VRFs mapped to L3 VNIs]
Controller-less Overlay
Standards-based BGP/EVPN control plane with a VXLAN data plane.
[Diagram: core above border leafs and leaf switches with servers/blades; eBGP underlay with an eBGP overlay (or an iBGP underlay); EVPN instances (EVI) on the leafs advertising MAC/IP routes through BGP-EVPN]
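The data plane of the controller-less overlay is plain VXLAN (RFC 7348): an 8-byte header in front of the inner Ethernet frame, and the VNI in that header selects the tenant, which for the L3-VNI multi-tenancy above means the tenant VRF. The following is an added example (not Brocade code, and not what NOS does internally) that builds and decapsulates such frames the way a VTEP or a tap-fed analysis tool would; the VNI-to-VRF table, the MAC addresses and the inner frame are constructed for the example. It also shows the check a practitioner wants on tap traffic: an unknown VNI is dropped (a VTEP only forwards VNIs it has imported), and non-zero reserved bits are reported rather than dropped, because RFC 7348 tells receivers to ignore them.

```python
"""VXLAN framing (RFC 7348) with a VNI-to-VRF tenant lookup.

Added example, not Brocade code.  The VNI_TO_VRF table, MAC addresses and
sample frame are constructed; in the real overlay the L3-VNI bindings come
from the BGP-EVPN control plane.
"""
import struct

VXLAN_UDP_PORT = 4789   # IANA-assigned UDP destination port for VXLAN
VXLAN_FLAG_I = 0x08     # "I" bit: the VNI field is valid
HEADER_LEN = 8

# Constructed L3-VNI table: one L3 VNI per tenant VRF.
VNI_TO_VRF = {10001: "tenant-red", 10002: "tenant-green"}


def build_vxlan_header(vni):
    """8-byte header: flags, 3 reserved bytes, 24-bit VNI, 1 reserved byte."""
    if not 0 <= vni < (1 << 24):
        raise ValueError(f"VNI {vni} is outside the 24-bit range")
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)


def parse_vxlan_header(hdr):
    """Return (vni, anomalies).

    A cleared I bit is fatal because the VNI is then meaningless.  Non-zero
    reserved fields are only reported: RFC 7348 says receivers ignore them,
    but on a tap they point at a non-conformant encapsulator.
    """
    if len(hdr) < HEADER_LEN:
        raise ValueError("truncated VXLAN header")
    flags, reserved, word = struct.unpack("!B3sI", hdr[:HEADER_LEN])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag clear: no valid VNI")
    anomalies = []
    if flags & 0xF7:
        anomalies.append("undefined flag bits set")
    if reserved != b"\x00\x00\x00" or word & 0xFF:
        anomalies.append("reserved fields non-zero")
    return word >> 8, anomalies


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_inner_frame(dst_mac, src_mac, ethertype, payload):
    """Inner Ethernet frame: destination MAC, source MAC, EtherType, payload."""
    def to_bytes(mac):
        return bytes.fromhex(mac.replace(":", ""))
    return to_bytes(dst_mac) + to_bytes(src_mac) + struct.pack("!H", ethertype) + payload


def encapsulate(vni, inner_frame):
    """The UDP payload a VTEP sends: VXLAN header followed by the frame."""
    return build_vxlan_header(vni) + inner_frame


def decapsulate(udp_payload, vni_to_vrf=VNI_TO_VRF):
    """Decapsulate one VXLAN UDP payload and place it in its tenant VRF.

    Returns a dict with verdict "forward" (plus the decoded fields) or
    "drop" with a reason.  Unknown VNIs are dropped: that is the overlay's
    default-deny property, a VTEP forwards only VNIs it has imported.
    """
    try:
        vni, anomalies = parse_vxlan_header(udp_payload)
    except ValueError as exc:
        return {"verdict": "drop", "reason": str(exc)}
    vrf = vni_to_vrf.get(vni)
    if vrf is None:
        return {"verdict": "drop", "reason": f"VNI {vni} not bound to any VRF"}
    inner = udp_payload[HEADER_LEN:]
    if len(inner) < 14:
        return {"verdict": "drop", "reason": "inner Ethernet frame too short"}
    return {
        "verdict": "forward",
        "vni": vni,
        "vrf": vrf,
        "dst_mac": _mac(inner[:6]),
        "src_mac": _mac(inner[6:12]),
        "ethertype": struct.unpack("!H", inner[12:14])[0],
        "anomalies": anomalies,
    }


if __name__ == "__main__":
    frame = build_inner_frame("02:00:00:00:00:01", "02:00:00:00:00:02", 0x0800, b"\x45" + b"\x00" * 19)
    print(decapsulate(encapsulate(10001, frame)))
    print(decapsulate(encapsulate(99999, frame)))
```

The same parser applies to any VXLAN-over-UDP capture taken from a tap or SPAN port: locate UDP destination port 4789, hand the UDP payload to decapsulate, and the VNI tells you which tenant the inner frame belongs to.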
Controller-based Overlay: VMware Integration with NSX
[Diagram: core above border leafs and leaf switches with servers/blades; the NSX controller programs the fabric VTEPs over OVSDB]
VMware Integration
[Diagram: VTEP gateway, vCenter and vRealize; rack-level integration on VCS (LAG-attached hosts) and fabric-level integration on the IP fabric]
Operational Workflow Categories
• Data collection
• Infrastructure and service provisioning, validation
• Operations & management
• Troubleshooting & remediation
Data Center Automation
[Diagram: Brocade Workflow Composer (future) and the Automation & Integration (A&I) Framework (today) above the VCS fabric (logical chassis, LAG) and the IP fabric; feedback from data center resources flows up, actions and changes to data center resources flow down]
[Diagram: points of integration and value of integration across network infrastructure, cloud infrastructure, operations support services, and data center compute, infrastructure and storage]
Network Validation with InSpec: Bringing CI/CD practices to networking
• Configuration automation is important…
• …network validation shows you didn't break something!
• Built on a common CI/CD tool from Chef (InSpec), which is based on the RSpec testing framework
• Extended for network use cases
Loop: change config, validate change, proceed or rollback. Bring continuous integration and testing to network deployments.
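The change / validate / proceed-or-rollback loop above is what makes configuration automation safe to run unattended. The following is an added example (not Brocade or Chef code) of that loop written in Python rather than InSpec's Ruby DSL: it snapshots a device, applies a change job, runs InSpec-style expectations against the operational state, and rolls back when any expectation fails, then checks that the rollback really restored the snapshot instead of trusting it. The in-memory Device, its starting configuration, the two change jobs (one correct, one with a simulated operator error that shuts an uplink) and the checks are all constructed for the example.

```python
"""Change / validate / proceed-or-rollback loop for network configuration.

Added example, not Brocade or Chef code.  The Device model, its starting
state, the change jobs and the checks are constructed for the example; in
practice the state comes from show commands or a device API and the checks
are InSpec resources.
"""
import copy


class Device:
    """Minimal in-memory switch: a config dict plus the operational view derived from it."""

    def __init__(self, config):
        self.config = config

    def snapshot(self):
        return copy.deepcopy(self.config)

    def restore(self, snap):
        self.config = copy.deepcopy(snap)

    def apply(self, change):
        change(self.config)          # an automation job mutating the running config

    def state(self):
        """What a validator collects after the change (show commands / API)."""
        ifs = self.config["interfaces"]
        return {
            "vlans": sorted(self.config["vlans"]),
            "uplinks_up": sorted(n for n, i in ifs.items()
                                 if i["role"] == "uplink" and not i.get("shutdown")),
            "bgp_neighbors": sorted(self.config["bgp"]["neighbors"]),
        }


# Checks are InSpec-style expectations: each returns (ok, message).
def min_uplinks(minimum):
    def check(state):
        n = len(state["uplinks_up"])
        return n >= minimum, f"expected at least {minimum} uplinks up, found {n}"
    return check


def bgp_neighbors(expected):
    def check(state):
        want = sorted(expected)
        return state["bgp_neighbors"] == want, f"BGP neighbours {state['bgp_neighbors']} != {want}"
    return check


def vlan_present(vlan):
    def check(state):
        return vlan in state["vlans"], f"VLAN {vlan} not configured"
    return check


def run_checks(state, checks):
    """Collect the messages of every failing check."""
    return [msg for ok, msg in (c(state) for c in checks) if not ok]


def change_with_validation(device, change, checks):
    """Apply the change, validate, and roll back on any failure.

    Returns {"result": "proceed" | "rollback", "failures": [...]}.  After a
    rollback the device is compared with the pre-change snapshot, so a
    rollback that did not restore the configuration is reported too.
    """
    before = device.snapshot()
    device.apply(change)
    failures = run_checks(device.state(), checks)
    if not failures:
        return {"result": "proceed", "failures": []}
    device.restore(before)
    if device.snapshot() != before:
        failures.append("rollback did not restore the pre-change configuration")
    return {"result": "rollback", "failures": failures}


# Constructed starting state: a leaf with two uplinks, one server port, two BGP peers.
def new_leaf():
    return Device({
        "vlans": {100},
        "interfaces": {
            "eth1/1": {"role": "uplink"},
            "eth1/2": {"role": "uplink"},
            "eth1/10": {"role": "server", "vlan": 100},
        },
        "bgp": {"neighbors": ["10.0.0.1", "10.0.0.2"]},
    })


def add_server_vlan(vlan, port):
    """Intended change: create the VLAN and move one server port into it."""
    def change(cfg):
        cfg["vlans"].add(vlan)
        cfg["interfaces"][port]["vlan"] = vlan
    return change


def add_server_vlan_fat_fingered(vlan, port):
    """Same job with a simulated operator error: it also shuts an uplink."""
    def change(cfg):
        cfg["vlans"].add(vlan)
        cfg["interfaces"][port]["vlan"] = vlan
        cfg["interfaces"]["eth1/1"]["shutdown"] = True
    return change


if __name__ == "__main__":
    checks = [min_uplinks(2), bgp_neighbors(["10.0.0.1", "10.0.0.2"]), vlan_present(300)]
    print(change_with_validation(new_leaf(), add_server_vlan_fat_fingered(300, "eth1/10"), checks))
```

The checks deliberately cover invariants the change is not supposed to touch (uplink count, BGP peers) as well as the thing it is supposed to add (the VLAN); a validation suite that only tests the intended effect cannot catch the collateral damage a rollback exists for.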
Data Center Network Visibility: Blind Spots Where More Visibility is Required
• Security: Palo Alto, FireEye
• Virtualization: VMware, Hyper-V, KVM
• Overlays: VXLAN, NVGRE
• Data recording: NSA massive data repository, big data analytics
[Diagram: the data center network (Brocade) feeding a packet broker into the analytics tools]
Brocade Network Visibility Architecture
[Diagram: network taps / SPAN ports feed the Brocade Flow Optimizer (SDN), which exposes Stream 1 to Stream n through the Visibility Manager API interface to SIEM, forensics, IDS/IPS, NPM, APM and IT management tools]
Data Center Interconnect
[Diagram: three data centers (Data Center 1, 2 and 3 networks), each with VDX 6740 DCI edge switches behind existing routers, interconnected over a WAN (MPLS/IP)]
Underlay control plane:
• Multi-hop eBGP between DCI edges
• Private 4-byte ASN
• Each DCI edge switch peers with all other DCI edge switches
Three data center architecture.
Data Center Interconnect: Underlay / Overlay Networking
[Diagram: the same three data centers, labelled ASN 64101, 64201 and 64301, with a multi-hop eBGP underlay and an EVPN overlay between the DCI edges]
Underlay control plane (as on the previous slide): multi-hop eBGP between DCI edges; private 4-byte ASN; each DCI edge switch peers with all other DCI edge switches.
Controller-less overlay:
• BGP/EVPN
• Each DCI edge pair configured as a VTEP
• VXLAN tunnels between DCI edges
• Layer 2 or Layer 3 extension services
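The underlay design has three rules a planner can check before touching a router: every DCI edge uses a private 4-byte ASN, every edge peers with every other edge, and cross-DC sessions are multi-hop eBGP because the existing routers and the WAN sit between the loopbacks. The following is an added example (not Brocade code, and not NOS configuration syntax) that validates an edge inventory against those rules and generates the full-mesh peering plan; the inventory, loopbacks and ASNs are constructed, with the ASNs taken from the RFC 6996 private 32-bit range (4200000000 to 4294967294). One caveat worth the check: the diagram's ASNs 64101, 64201 and 64301 are outside both RFC 6996 private ranges (64512 to 65534 and 4200000000 to 4294967294), so the validator rejects them.

```python
"""DCI underlay planning: full-mesh multi-hop eBGP between DCI edge switches
using private 4-byte ASNs.

Added example, not Brocade code.  The edge inventory, loopback addresses
and ASNs are constructed for the example.
"""
from itertools import combinations

# RFC 6996 private AS number ranges.
PRIVATE_2BYTE = (64512, 65534)
PRIVATE_4BYTE = (4200000000, 4294967294)


def is_private_asn(asn):
    return (PRIVATE_2BYTE[0] <= asn <= PRIVATE_2BYTE[1]
            or PRIVATE_4BYTE[0] <= asn <= PRIVATE_4BYTE[1])


def is_private_4byte_asn(asn):
    """The design calls specifically for private 4-byte ASNs."""
    return PRIVATE_4BYTE[0] <= asn <= PRIVATE_4BYTE[1]


def validate_edges(edges):
    """Return a list of design violations (empty when the inventory is clean)."""
    problems = []
    loopbacks = set()
    asn_by_dc = {}
    for e in edges:
        if not is_private_4byte_asn(e["asn"]):
            problems.append(f'{e["name"]}: ASN {e["asn"]} is not a private 4-byte ASN (RFC 6996)')
        if e["loopback"] in loopbacks:
            problems.append(f'{e["name"]}: duplicate loopback {e["loopback"]}')
        loopbacks.add(e["loopback"])
        # Both edges of one DC must share that DC's ASN; otherwise the
        # intra-DC session silently becomes eBGP.
        dc_asn = asn_by_dc.setdefault(e["dc"], e["asn"])
        if dc_asn != e["asn"]:
            problems.append(f'{e["name"]}: ASN {e["asn"]} differs from {e["dc"]} ASN {dc_asn}')
    return problems


def plan_full_mesh(edges, multihop_ttl=8):
    """One session per pair of DCI edges, loopback to loopback.

    Edges in different DCs have different ASNs, so their session is eBGP and
    needs ebgp-multihop (the existing routers and the WAN are in the path);
    the two edges of one DC share an ASN, so that session is iBGP.
    """
    problems = validate_edges(edges)
    if problems:
        raise ValueError("; ".join(problems))
    sessions = []
    for a, b in combinations(sorted(edges, key=lambda e: e["name"]), 2):
        ebgp = a["asn"] != b["asn"]
        sessions.append({
            "a": a["name"], "b": b["name"],
            "a_asn": a["asn"], "b_asn": b["asn"],
            "a_loopback": a["loopback"], "b_loopback": b["loopback"],
            "type": "ebgp" if ebgp else "ibgp",
            "ebgp_multihop": multihop_ttl if ebgp else None,
        })
    return sessions


def neighbors_for(sessions, name):
    """The neighbour statements one device needs, derived from the pair list."""
    out = []
    for s in sessions:
        if name not in (s["a"], s["b"]):
            continue
        side, other = ("a", "b") if s["a"] == name else ("b", "a")
        out.append({"neighbor": s[other + "_loopback"], "remote_as": s[other + "_asn"],
                    "update_source": s[side + "_loopback"], "type": s["type"],
                    "ebgp_multihop": s["ebgp_multihop"]})
    return out


# Constructed inventory: three DCs, two VDX DCI edges each, one private 4-byte ASN per DC.
EDGES = [
    {"name": "dc1-edge1", "dc": "dc1", "asn": 4200000101, "loopback": "10.255.1.1"},
    {"name": "dc1-edge2", "dc": "dc1", "asn": 4200000101, "loopback": "10.255.1.2"},
    {"name": "dc2-edge1", "dc": "dc2", "asn": 4200000201, "loopback": "10.255.2.1"},
    {"name": "dc2-edge2", "dc": "dc2", "asn": 4200000201, "loopback": "10.255.2.2"},
    {"name": "dc3-edge1", "dc": "dc3", "asn": 4200000301, "loopback": "10.255.3.1"},
    {"name": "dc3-edge2", "dc": "dc3", "asn": 4200000301, "loopback": "10.255.3.2"},
]

if __name__ == "__main__":
    for n in neighbors_for(plan_full_mesh(EDGES), "dc1-edge1"):
        print(n)
```

With six edges the plan is fifteen sessions, twelve of them cross-DC eBGP with multihop and three intra-DC iBGP; the per-device view is what gets rendered into each switch's BGP stanza, and the validator runs first so a public or reserved ASN never reaches a device.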
A Portfolio of Purpose-Built Fabrics: campus fabric, storage fabrics, data center fabrics
Network Virtualization Options
• Virtual Fabrics (VCS): controller-less native Ethernet fabric multi-tenancy solution based on TRILL fine-grained labeling
• VMware NSX integration (VCS, IP): controller-based solution from VMware that integrates with Brocade VCS through a VTEP gateway to seamlessly extend VXLAN networks between virtualized and non-virtualized assets
• BGP/EVPN (IP): controller-less overlay tunnel solution using BGP/EVPN, with EVPN instances (EVI) advertising MAC/IP routes, supporting multi-tenancy and VLAN extension
…And With More Experience Than Anyone Else. Think Big, Start Now.
Brocade is changing the networking landscape and shaking up the industry with our core beliefs: we will not compromise our vision and focus on the New IP and what it stands for… We're All In.
• Open with a purpose
• Innovation-centric, software-enabled
• Ecosystem driven
• Your own pace, your own way
• The new way of doing business

In Summary: Evolutionary Steps to Revolutionary Results
• Move faster and be more efficient than your competitors
• The data center is everywhere, and anywhere
• The New IP as an architecture allows you to do more with security
• We are so confident in our solution you can remove us anytime you want
• Never buy another network again… ever
Huntsville Technology Day, May 10, 2016
Rick Simmons, Director, Federal Software Sales
Brocade Software Networking Leadership
Why Brocade? Software networking leadership; open architecture; enterprise, cloud & NFV; #2 data center network vendor worldwide; large partners, innovative solutions.
[Timeline, Nov 2012 to Nov 2015: BRCD acquires Vyatta; launches vRouter; BRCD Platinum Membership; BRCD sets vRouter speed record; industry-leading vRouter benchmark; SDN & NFV in production; BRCD selected for Domain 2.0; VistaPointe analytics; industry-first commercial release; BRCD opens Europe software R&D offices; BRCD acquisitions: Riverbed SteelApp, Connectem vEPC; BRCD virtualizes ADC services; BRCD wins 2014 NFV Innovator of the Year from Technology Marketing Corporation]
The Brocade vADC Family: A Comprehensive Approach to Application Delivery
• Virtual Traffic Manager: load balancer / traffic manager / ADC providing reliability, availability, offload, security, scripting (TrafficScript) and more
• Virtual Web Application Firewall: defends your web applications against Layer-7 attacks
• Services Director: elastic and adaptive services director that automates licensing and metering of ADC services; disruptive licensing model
How Brocade is Different: Born Virtual. Not all virtual products live up to their name.
[Table: legacy hardware ADC (the competition) vs. software ADC (Brocade): purpose built for software, virtual and cloud; process automation, ready for the SDN world; hyper-scale and performance on demand; powerful programmability]
© 2016 BROCADE COMMUNICATIONS SYSTEMS, INC. 5
Reduce your networking expenses
Distribute resources from a shared pool, allowing you to reduce your server footprint and ensure cost savings
Guard against increased cyber security risks
Apply customized rules to inspect and block attacks against your network
Brocade Application Delivery Controller (ADC): A Layered Security Solution
Great Start to Securing Data: Public Key Infrastructure (PKI)
[Diagram: the customer/user, holding a Federal civilian PIV card or a DoD CAC card, presents a certificate to the web application; behind it sit the Registration Authority (RA), the Certificate Authority (CA) and the Certificate Validation Authority (VA)]
Today's world… circle of trust ("Meet the Parents", Robert De Niro to Ben Stiller)
Application Micro-Segmentation: Securing the Enterprise
Micro-Segmentation
"East-west (machine-to-machine) data movement is increasing in volume as workloads become movable and thus more demanding on their infrastructures. At the same time, perimeter-only, firewall-based security has proved weak in a world of advanced cyber-attacks. Evolving security models, such as software-defined and distributed firewalls, are beneficial, but they also create new management complexities. In these environments, IT teams are finding it difficult to deploy a tight approach to security. To improve security profiles, organizations are now turning to techniques such as micro-segmentation to amplify and distribute current defenses. Micro-segmentation divides a network into smaller zones and provides protection by making security adaptive and multilayered. It provisions services closer to the applications, between application tiers and even to the machines within tiers."
Taken from “Micro-Segmentation: A Better Way to Defend the Data Center”; eWeek, Chris Preimesberger; posted July 28, 2015
Benefits of Micro-Segmentation
• Zero Trust Security*
In the micro-segmentation model, there is no default trust for any entity—users, devices, applications and network—regardless of placement or location. The entire mechanism is based on denying all communication until explicitly allowed (via explicit policies) and permitting only what is necessary from trusted sources…
• Application-Aware Security*
Micro-segmentation policy groups are generally created based on application tiers, workload profiles, placement zones and other factors. They are not based on rigid IP addresses or subnets. Policies also are enforced right at the virtual machines or containers hosting the application tiers. Workloads and data access are secured at the source as an application-centric security model.
• DevOps Alignment*
Micro-segmentation allows application owners to be responsible for their own app's security while allowing them to see only what they are entitled to see. This allows operators to analyze and manage applications more effectively and efficiently, without being granted universal control. These specific security clearances can prevent insider attacks and interference by barring actors from moving beyond individual purview.
• High Agility and OPEX Efficiency*
Breaches in data centers can remain undetected for extended periods of time. Micro-segmentation enables the data center to be far more agile and quick to react with the ability to identify the breach almost immediately and to contain it within a narrow fault domain. At the same time, its multiple layers of security help to slow the attack's spread and enable operators to lock down the hacker and secure uncompromised data at a faster rate. It's a more agile, cost-effective approach to security.
* Information taken from “Micro-Segmentation: A Better Way to Defend the Data Center”; eWeek, Chris Preimesberger; posted July 28, 2015
Application Micro-Segmentation with vADC
"Duct taping an airbag on a 1965 Mustang to make it modern is almost impossible to work"
Tony Scott, Federal CIO, at Brocade Federal Forum 2015
Micro-Segmentation with vADC
Application Micro-Segmentation using vTM & Web App Firewall: Role-Based Access
[Diagram: user requests from Darren, Larry and Carol reach the Brocade vADC, which performs a certificate status check against the PKI Validation Authority and an identity/attribute check against the Identity/Attribute Management Server before passing the request through a web app firewall (typical) in front of each application]
Application Micro-Segmentation using vTM & Web App Firewall: Workload Access
[Diagram: the same vADC checks; users (red, green and purple in the legend) are mapped to Group 1, Group 2 or Group 3 and forwarded only to that group's servers]
Application Micro-Segmentation
Public Key Infrastructure
• Meets Government standards / mandates
• Deployed throughout the Federal Government
• Validates digital certificates using PKI
• Authenticates user(s)
Brocade Virtual Traffic Manager
• Utilizes multi-factor authentication, more than two factors if needed
• Enforces fine-grained access permissions
• Enforces micro-segmentation based on policy, i.e. role- or workload-based
• Utilizes PKI validation and ID/attribute management
Brocade Web App Firewall
• Locks down web application vulnerabilities
• Highly agile and flexible for rapid deployment
• Enforces the Zero Trust model and application-aware security
Micro-Segmentation with vADC: Impacts of Micro-Segmentation
Achieves the defined benefits of micro-segmentation:
‒ Zero Trust security model
  • No internal or external user request is trusted: every user request is validated, authenticated and authorized using multi-factor authentication
  • Utilizes explicit policy enforcement to validate and authenticate user access: every user credential/request is validated and authenticated using multi-factor authentication for fine-grained access
‒ Application-aware security
  • Utilizes defined policy groups, i.e. application tiers, workload profiles, etc., to enforce authorization and access
  • Security is enforced at the application/virtual machine level, i.e. a web application firewall for each application or virtual machine
‒ DevOps alignment
  • Multi-factor authentication, fine-grained access and web application firewalls allow application owners to control security at the application level
  • Fine-grained access limits user purview, restricting any movement beyond it, preventing or limiting insider threats and attacks
‒ High agility and OpEx efficiency
  • Software-based vTM and WAF provide a highly agile and flexible solution, with the ability to rapidly deploy additional instances (or contract and re-deploy)
  • Multi-factor authentication, fine-grained access and a web application firewall provide a cost-effective layered security solution for immediate breach identification and containment
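The role-based and workload-based flows on the preceding slides are the same decision chain: the vADC terminates the request, checks the presented certificate's status with the Validation Authority, looks the subject up in the Identity/Attribute Management Server, and only then decides which group's servers (if any) the request may reach, denying everything that does not pass every step. The following is an added example (not Brocade vTM or TrafficScript code) of that chain; the trusted issuer, the revocation answer, the directory entries for Darren, Larry and Carol, the path-to-group mapping and the role policy are all constructed stand-ins for the VA, the attribute server and the vTM policy. The PIV/CAC PIN, the second factor, is verified on the card when it unlocks the private key, so the gateway only ever sees the resulting client certificate, which is why the example starts from certificate fields rather than a PIN.

```python
"""Zero-trust request gate in the vADC micro-segmentation flow: certificate
status check, identity/attribute check, then role- and workload-based
routing with default deny.

Added example, not Brocade vTM code.  Trust anchors, revocation answers,
directory entries, policy and users are constructed stand-ins for the PKI
Validation Authority, the Identity/Attribute Management Server and the vTM
policy.
"""
from datetime import datetime, timezone

NOW = datetime(2016, 5, 10, tzinfo=timezone.utc)     # fixed clock so runs are repeatable
ISSUER = "DoD CA-32"                                  # constructed issuer name

TRUSTED_ISSUERS = {ISSUER}                            # constructed trust anchors
REVOKED = {(ISSUER, "0x3f2a")}                        # constructed (issuer, serial) revocation answer
DIRECTORY = {                                         # constructed identity/attribute store
    "CN=DARREN,OU=PKI,O=U.S. Government": {"role": "admin", "groups": {"group1", "group2"}},
    "CN=LARRY,OU=PKI,O=U.S. Government": {"role": "analyst", "groups": {"group2"}},
    "CN=CAROL,OU=PKI,O=U.S. Government": {"role": "guest", "groups": set()},
}
# Workload policy: the server pool behind each group and the roles allowed to reach it.
POLICY = {
    "group1": {"pool": "group1-servers", "roles": {"admin"}},
    "group2": {"pool": "group2-servers", "roles": {"admin", "analyst"}},
    "group3": {"pool": "group3-servers", "roles": {"admin"}},
}
PATH_TO_GROUP = {"/mission-a/": "group1", "/mission-b/": "group2", "/mission-c/": "group3"}


def make_cert(subject, serial, issuer=ISSUER, expired=False):
    """The fields the gateway reads from a presented TLS client certificate."""
    not_after = (datetime(2015, 1, 1, tzinfo=timezone.utc) if expired
                 else datetime(2018, 1, 1, tzinfo=timezone.utc))
    return {"subject": subject, "serial": serial, "issuer": issuer,
            "not_before": datetime(2014, 1, 1, tzinfo=timezone.utc), "not_after": not_after}


def check_certificate(cert):
    """Certificate status check: trusted issuer, inside validity, not revoked."""
    if cert["issuer"] not in TRUSTED_ISSUERS:
        return "untrusted issuer"
    if not cert["not_before"] <= NOW <= cert["not_after"]:
        return "certificate outside validity period"
    if (cert["issuer"], cert["serial"]) in REVOKED:
        return "certificate revoked"
    return None


def lookup_attributes(cert):
    """Identity/attribute check keyed on the certificate subject."""
    return DIRECTORY.get(cert["subject"])


def authorize(request):
    """Return ("allow", pool) or ("deny", reason).  Every request starts untrusted."""
    cert = request.get("client_cert")
    if cert is None:
        return "deny", "no client certificate presented"
    problem = check_certificate(cert)
    if problem:
        return "deny", problem
    attrs = lookup_attributes(cert)
    if attrs is None:
        return "deny", "subject not found in identity store"
    group = next((g for prefix, g in PATH_TO_GROUP.items()
                  if request["path"].startswith(prefix)), None)
    if group is None:
        return "deny", "path not mapped to any workload group"
    if group not in attrs["groups"]:
        return "deny", f"user not a member of {group}"
    if attrs["role"] not in POLICY[group]["roles"]:
        return "deny", f"role {attrs['role']} not permitted on {group}"
    return "allow", POLICY[group]["pool"]


if __name__ == "__main__":
    darren = make_cert("CN=DARREN,OU=PKI,O=U.S. Government", "0x1001")
    print(authorize({"path": "/mission-a/status", "client_cert": darren}))
    print(authorize({"path": "/mission-c/status", "client_cert": darren}))
```

The order of the checks matters: revocation and validity are decided before any attribute is consulted, so a revoked card cannot be rescued by a stale directory entry, and a path that is not mapped to a group is denied even for an admin, which is the default-deny property the Zero Trust bullet describes.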
© 2014 VMware Inc. All rights reserved.
The Domain of CYBER & How to Respond to its Inherent Architectural Challenges
Scottie Ray (@[email protected]), Systems Engineer, VMware Network & Security Team, Public Sector
The Paradigm in the Domain of CYBER
"In physical space, the reconnaissance is almost always easier than the operation… in the CYBER domain, the reconnaissance is usually a more difficult task than the follow on operation… it is tougher to penetrate a network and live on it undetected while extracting large volumes of data from it than it is to 'digitally speaking' kick in the front door and fry a circuit or two. … An attack on a network to degrade it or destroy information on it is generally a lesser included case of the technology and operational art needed to spy on that same network."
Trading Off Context and Isolation
[Diagram: the Software Defined Data Center (SDDC) platform runs any application on any x86, any storage and any IP network. Data center virtualization gives high context but low isolation; the traditional approach gives high isolation but low context; neither gives ubiquitous enforcement]
The M&M Approach to Security
"In today's new threat landscape, this M&M and 'trust but verify' is no longer an effective way of enforcing security."
Forrester Research, in response to NIST RFI 130208119-3119-01, "Developing a Framework to Improve Critical Infrastructure Cyber-Security"
But Micro-Segmentation has NOT been Operationally Feasible
A typical data center has "X" firewalls vs. "X" + 1000 workloads behind the WAN. Directing all traffic (virtual + physical) through chokepoint firewalls is inefficient, and a physical firewall per workload is cost prohibitive.
SDDC Virtualization Layer: Delivers Both Context and Isolation
[Diagram: the same SDDC platform (any application on any x86, any storage, any IP network); the SDDC approach gives high context, high isolation and ubiquitous enforcement]
Secure Host Introspection: Taking a Step Towards "Zero-Trust"
[Diagram: in the traditional data center a perimeter firewall and an inside firewall separate DMZ/Web, App, DB and Services/Management VLANs that Mission-A and Mission-B share; in the NSX data center, behind the perimeter firewall, Mission-A and Mission-B each get their own DMZ/Web, App and DB groups, plus a Services/Management group]
FY16 House NDAA Report
Cyber Defense Network Segmentation
The committee is aware that the Department of Defense is looking at modifying the way it builds, maintains, and upgrades data center, including increased use of commercial cloud capabilities and public-private partnerships. The committee is aware that as the Department increasingly looks at software-defined networking, it could potentially reduce the mobility of cyber threats across data center and other networks by increasing the compartmentalization and segmentation between systems, and providing a mix of security techniques to enable access to those compartments. Such actions have the potential to lessen the chance of a widespread or catastrophic breach, including breaches caused by insider threats. The committee encourages the Department to explore ways to use compartmentalization or segmentation as part of a software-defined networking approach in order to increase the security of its networks.
The Beginning of Policy Shifts….again
Security Groups & Security Policies
• Designated consumers & cloud admins are able to select pre-defined security policies already approved by the security admin in NSX
• Security policies are applied to one or more security groups where workloads are members
• These security groups are created on-demand by vRA at deployment time
Security group (WHAT you want to protect): members (VM, vNIC) and context (user identity, security posture).
Security policy (HOW you want to protect it): services (firewall, antivirus, IPS etc.) and profiles (labels representing specific policies). Example: "Standard Web" firewall allows inbound HTTP/S and outbound ANY; IPS prevents DoS attacks and enforces acceptable use.
Programmatic Approach to Security: An Example
NSX Security Tags can be used to define IF/THEN workflows for security services, e.g. IF the user selects a "Mission A" application, THEN place the VM in the "Mission A" security group.
Step 1 (Security Admin, infrastructure): pre-defines a Security Group and a Security Policy with dynamic membership based on a Security Tag. "Mission A Policy": IF Tag = "Mission A" THEN add the VM to Security Group "Mission A" with Security Policy "Mission A".
Step 2 (Cloud Admin, apps): creates a Multi-Machine Blueprint, "Mission A App", which sets the Security Tag "Mission A". The Cloud Admin needs no knowledge of Security Groups or Security Policies.
Step 3 (Cloud Consumer): the end-user requests "Mission A App" via the Service Catalog.
Step 4: the VM is automatically deployed with its Security Tag.
Step 5: the VM is dynamically assigned to the relevant pre-defined Security Group (SG = Mission A).
Security Groups & Tags assigned to a VM: Workload-Centric View
[Screenshot: a virtual machine with its assigned security tag and the security group it belongs to]
Combining Organic Capabilities with Best of Breed
NSX Network Virtualization Platform: deploy, apply, automate
• Apply and visualize security policies for workloads, in one place
• Automate workflows across best-of-breed services, without custom integration
• Provision and monitor uptime of different services, using one method
Built-in services: firewall, data security (DLP), server activity monitoring, VPN (IPsec, SSL)
Third-party services: antivirus, DLP, firewall, vulnerability management, intrusion prevention, identity and access management, …and more in progress
Security policy management: service insertion, security policies, security groups, security tags
Network Security Services: Service Chaining
[Diagram: a guest VM on a VDS facing the external network; the DFW filtering module sits at slot 2, a traffic redirection module at slot 4 hands traffic to the Partner Service 1 VM, and a filtering module at slot 5 hands it to the Partner Service 2 VM]
• DVFilter contains 16 slots. Slots 0-3 and 13-16 are reserved for VMware use.
• Services are assigned the remaining slots in their registration order.
• Traffic comes out of the first service and is then sent to the next service in the order.
• Services are managed via Guest or Network Introspection policy creation.
Automated Security in a Software Defined Data Center: Quarantine Vulnerable Systems until Remediated
Security Group = Quarantine Zone; Members = {Tag = 'ANTI_VIRUS.VirusFound', L2 Isolated Network}
Security Group = Web Tier
Policy definition:
• Standard Desktop VM Policy: Anti-Virus: scan
• Quarantined VM Policy: Firewall: block all except security tools; Anti-Virus: scan and remediate
[Diagram: NSX logical switch, logical router, logical firewall and logical load balancer]
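The tag workflow (steps 1 to 5 above) and the quarantine slide are two uses of one mechanism: a security group is a membership predicate over a VM's tags and placement, a VM belongs to every group it matches, and a policy attached to the group is enforced at the vNIC. The following is an added example (not VMware or NSX code) that models that mechanism in Python, serving both passages: the "Mission A" group is tag-driven as in step 1, the "Quarantine Zone" group matches on either the ANTI_VIRUS.VirusFound tag or placement on the isolated L2 network, and when a VM is in more than one group the quarantine policy wins, so a web server that the antivirus service tags loses its HTTP exposure immediately and keeps only the security-tools path. The VMs, groups, rule sets, precedence values and flows are constructed for the example.

```python
"""Tag- and placement-driven security-group membership with precedence for
the quarantine policy.

Added example, not VMware/NSX code.  The VMs, groups, policies, precedence
values and flows are constructed for the example.
"""


def tag_equals(tag):
    return lambda vm: tag in vm["tags"]


def network_equals(net):
    return lambda vm: vm["network"] == net


def any_of(*preds):
    return lambda vm: any(p(vm) for p in preds)


# Security groups: WHAT to protect, as dynamic membership criteria (step 1 of
# the tag workflow).  A VM joins every group whose criteria it matches.
SECURITY_GROUPS = {
    "Mission A": tag_equals("Mission A"),
    "Web Tier": tag_equals("tier:web"),
    "Quarantine Zone": any_of(tag_equals("ANTI_VIRUS.VirusFound"), network_equals("L2-Isolated")),
}

# Security policies: HOW to protect it.  Rules are first-match; each rule is
# (verdict, conditions) and every condition key must match the flow.  The
# lowest precedence value wins when a VM is in several groups, so quarantine
# overrides the tier policy.
POLICIES = {
    "Quarantine Zone": {
        "precedence": 0, "antivirus": "scan and remediate",
        "rules": [("allow", {"src": "security-tools"}), ("deny", {})],
    },
    "Web Tier": {
        "precedence": 10, "antivirus": "scan",
        "rules": [("allow", {"dir": "in", "dport": 80}), ("allow", {"dir": "in", "dport": 443}),
                  ("allow", {"dir": "out"}), ("deny", {})],
    },
    "Mission A": {
        "precedence": 20, "antivirus": "scan",
        "rules": [("allow", {"src_group": "Mission A"}), ("allow", {"dir": "out"}), ("deny", {})],
    },
}


def groups_of(vm):
    """Step 5: groups the VM is dynamically a member of."""
    return sorted(name for name, match in SECURITY_GROUPS.items() if match(vm))


def effective_policy(vm):
    """(group name, policy) with the lowest precedence value, or (None, None)."""
    member = groups_of(vm)
    if not member:
        return None, None
    name = min(member, key=lambda g: POLICIES[g]["precedence"])
    return name, POLICIES[name]


def _rule_matches(conditions, flow, inventory):
    for key, want in conditions.items():
        if key == "src_group":
            src_vm = inventory.get(flow.get("src"))
            if src_vm is None or want not in groups_of(src_vm):
                return False
        elif flow.get(key) != want:
            return False
    return True


def evaluate(vm, flow, inventory):
    """Firewall verdict for one flow at the VM's vNIC: "allow" or "deny".

    A VM that matches no group has no policy and gets the default deny.
    """
    _, policy = effective_policy(vm)
    if policy is None:
        return "deny"
    for verdict, conditions in policy["rules"]:
        if _rule_matches(conditions, flow, inventory):
            return verdict
    return "deny"


# Constructed inventory (step 4: VMs deployed carrying their tags).
VMS = {
    "web-01": {"tags": {"tier:web"}, "network": "web-net"},
    "web-02": {"tags": {"tier:web", "ANTI_VIRUS.VirusFound"}, "network": "web-net"},
    "app-03": {"tags": {"Mission A"}, "network": "app-net"},
    "app-04": {"tags": {"Mission A"}, "network": "app-net"},
    "stray-05": {"tags": set(), "network": "L2-Isolated"},
    "untagged-06": {"tags": set(), "network": "app-net"},
}

if __name__ == "__main__":
    for name, vm in VMS.items():
        print(name, groups_of(vm), effective_policy(vm)[0],
              evaluate(vm, {"dir": "in", "src": "internet", "dport": 80}, VMS))
```

Because membership is recomputed from the VM record every time, the antivirus service only has to set a tag to move a workload into quarantine, and clearing the tag after remediation returns it to its tier policy without anyone editing firewall rules; the untagged VM in the inventory shows the other side of the model, a workload nobody placed in a group gets nothing.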
NSX with a Cloud Management Platform: Dynamic Configuration and Deployment of Logical Network & Security Services
On-demand application delivery with vRealize Automation as the cloud management platform: resource reservation, multi-machine blueprint, service catalog, network profiles, security policies, security groups.
[Diagram: web, app and database tiers of VMs deployed from the blueprint]