The New Normal: A More Secure Data Center

Leveraging the Power of SDDC Network & Security Services Distribution for Data Center Micro-Segmentation

CONFIDENTIAL

Problem: Data Center Network Security


Perimeter-centric network security has proven insufficient, and micro-segmentation is operationally infeasible

[Diagram: two data-center perimeters facing the Internet. Left, labelled Insufficient: little or no lateral controls inside the perimeter. Right, labelled Operationally Infeasible: micro-segmentation attempted with traditional controls.]

Solution: Leverage SDDC Approach for Micro-Segmentation

Hypervisor-based, in-kernel distributed firewalling
Platform-based automated provisioning and workload adds/moves/changes

[Diagram: a Cloud Management Platform pushes Security Policy to each Physical Host (VMs on a vSwitch in the Hypervisor); Perimeter Firewalls remain at the Internet edge.]


There is a BIG difference


VM

VM
VM

Hypervisor

VM

VM
VM

Hypervisor

VM

VM
VM

Host
Hypervisor

VM

VM
VM

Host
Hypervisor
Host

VM

VM
VM

Physical Firewalls
Traditional Firewall Rule Mgt & Operations
Physical Firewalls (2 100 Gbps)

Distributed Firewalling
Host

Automated Policy Mgt & Operations, Distributed Enforcement


Kernel-based Performance, Distributed Scale-out Capacity (20 Gbps/host)

Hypervisor

Host

Virtual Firewalls
Traditional Firewall Rule Mgt & Operations
Virtual Firewalls (1 3 Gbps)


NSX Distributed Firewalling Performance

20 Gbps per host of firewall performance with negligible CPU impact

NSX Distributed Firewalling Performance

80K CPS with 100+ rules per host
A typical virtual appliance does ~6K CPS per VM
A physical appliance performs 300K to 400K CPS per appliance


SDDC Platform Native Security Capabilities

Hypervisor-based, in-kernel distributed firewalling
High throughput rates on a per-hypervisor basis
Every hypervisor adds additional east-west firewalling capacity
Native feature of the VMware NSX platform

Platform-based automation
Automated provisioning and workload adds/moves/changes
Accurate firewall policies follow workloads as they move

[Diagram: VMs attached to the NSX vSwitch in the Hypervisor on a Physical Host; 20 Gbps firewalling throughput per host.]

Data center micro-segmentation becomes operationally feasible

Isolation: Dev, Test and Production environments with no communication path between them
Segmentation: Web, App and DB tiers with a controlled communication path between them
Segmentation with Advanced Services: Web, App and DB tiers with a communication path controlled by advanced services


Advanced Services Insertion Example: Palo Alto Networks NGFW

[Diagram: the Security Admin defines a Security Policy on the NSX Controller; on each Physical Host the vSwitch in the Hypervisor applies Traffic Steering to direct VM traffic through the partner NGFW, with the Internet at the edge.]

Automated Security in a Software-Defined Data Center


Data Center Micro-Segmentation


Automated Security in a Software-Defined Data Center


Quarantine Vulnerable Systems until Remediated

Service Composer definitions:
SecurityGroup=QuarantineZone; Members={Tag=ANTI_VIRUS.VirusFound, L2 IsolatedNetwork}
SecurityGroup=Web Tier

Policy Definition:
Standard Desktop VM Policy: Anti-Virus Scan
Quarantined VM Policy: Firewall: block all except security tools; Anti-Virus: scan and remediate

[Diagram: the Software-Defined Data Center, with Service Composer operating over the Virtual Network and Cloud Management layers.]

SDDC Platform Enables a More Secure Data Center

Micro-segmentation now possible in dynamic, multi-tenant environments
High-performance, in-kernel distributed firewalling
Platform-based automation
Integration with best-of-breed security partners (e.g., Palo Alto Networks)

[Diagram: VMs on the NSX vSwitch in the Hypervisor on a Physical Host.]


Thank you
