Deep Security and VMware NSX: Advanced Security Framework for the Software-Defined Data Center
Anand Patil, National Sales Manager, SDDC
CONFIDENTIAL

Presentation transcript:

Your data center. Let’s begin with how things are, and how things should be…

The Evolving Architecture – The Neo IT Model
End points connected to the on-premise data center: new app frameworks, mobile devices, virtual desktop (VDI), branch offices (partner), Internet of Things, public clouds.

What is a Software Defined Data Center (SDDC)?
Traditional data center: intelligence in hardware; dedicated, vendor-specific infrastructure; manual configuration and management.
SDDC: a data center virtualization layer puts the intelligence in software and applies the operational model of a VM to the data center, giving automated configuration and management.
Hardware becomes pooled compute, network and storage capacity: vendor independent, best price/performance infrastructure, with simplified configuration and management.

Web-scale companies (Google, Facebook, Amazon) run custom distributed applications on compute, storage and network, with security, application load balancing, routing, HA and other network services designed into the application itself. Software automation gives them agility and speed, network services distributed out to applications, simplified operations, increased stability and reliability, and lower cost.

Enterprise IT runs enterprise applications on compute, storage and network and introduces a data center virtualization layer: the operational model of a VM for the entire data center, so infrastructure can be programmatically created, snapshotted, stored, moved, deleted and restored.

Demystifying Data Center Security
Components in the picture: Internet; perimeter firewall; DMZ; internal firewall; IPS; converged infrastructure running on data center compute resources and vSphere hypervisors; end-user computing/desktops; application infrastructure; Internet-facing servers (web, DNS, etc.) and, for VDI, the Horizon View Security Server; A/V and other server security; client.

Why do breaches still occur?
Today’s data centers are protected by strong perimeter defense, but threats and exploits still infect servers:
- Low-priority systems are often the target.
- Threats can lie dormant, waiting for the right moment to strike.
- Server-to-server traffic growth has outpaced client-server traffic; the attack spreads and goes unnoticed.
- Attacks spread inside the data center, where internal controls are often weak, and critical systems are targeted.
- Possibly after months of reconnaissance, the infiltration relays secret data to the attacker.

Problem: Data Center Network Security
Perimeter-centric network security has proven insufficient (little or no lateral controls inside the perimeter), and micro-segmentation is operationally infeasible.

Why traditional approaches are operationally infeasible…
With perimeter firewalls between the Internet and the data center, operators must create firewall rules before provisioning, update firewall rules when a workload moves or changes, and delete firewall rules when an app is decommissioned. The problem increases with more East-West traffic.

Let’s start with a story about a firewall
Traditional firewall rule management and operations in the data center:
- Physical firewalls: 2 – 100 Gbps.
- Virtual firewalls: 1 – 3 Gbps.
Distributed firewalling instead gives automated policy management and operations with distributed enforcement, and kernel-based performance with distributed scale-out capacity (20 Gbps per host).

SDDC Platform – “Zero Trust” is Now Operationally Feasible
Hypervisor-based, in-kernel distributed firewalling: high throughput rates on a per-hypervisor basis (20 Gbps firewalling throughput per host); every hypervisor adds additional east-west firewalling capacity; a native feature of the VMware NSX platform.
Platform-based automation: automated provisioning and workload adds/moves/changes; accurate firewall policies follow workloads as they move; audit and compliance.
Data center micro-segmentation becomes operationally feasible.

Micro-segmentation simplifies network security
- Each VM can now be its own perimeter
- Policies align with logical groups
- Prevents threats from spreading
Diagram labels: App, DMZ, Services, DB; perimeter firewall; AD, NTP, DHCP, DNS, CERT; inside firewall; Finance, Engineering, HR.

Network Virtualization is at the core of an SDDC approach
A virtualization layer over network, storage and compute acts as a “network hypervisor” presenting virtual data centers, with non-disrupting deployment.

Intelligent Grouping
Groups are defined by customized criteria: operating system, machine name, application tier, services, security posture, regulatory requirements.

Automated Security in a Software-Defined Data Center: Data Center Micro-Segmentation

Inserting Advanced Security Services for Fine-Grained Policy & Control
- Isolation: no communication path between Application A and Application B.
- Explicit allow communication: App Tier to DB Tier (e.g. TCP 1433).
- Secure communications through service insertion: IPS (Intrusion Protection), FIM (File Integrity), AM (Anti-Malware), WR (Web Reputation).

Copyright 2015 Trend Micro Inc.
NSX: Advanced Partner Security Services
Internet traffic is steered into partner security services according to security policy.

NSX: Security Extensible Platform
- Add Trend Micro advanced services to your micro-segmentation deployment for greater security.
- Apply the NSX operational model to your advanced security products.
- Adapt to changing security conditions in the data center by enabling security solutions that share intelligence.
Traditional data center, static service chain: security services must be configured when the network is architected, so the “chain” of services is locked in once deployed. This is an inefficient use of resources and cannot defend against changing threat conditions.
NSX data center, dynamic service chain: 3rd-party security solutions use NSX security tags to share intelligence, adapting to changing security conditions. NSX automatically applies the correct security function as needed.
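The following Python model is an added example, not code from the presentation, NSX or Deep Security. It ties together the slides on micro-segmentation (policies aligned with logical groups, explicit allow from App Tier to DB Tier on TCP 1433, isolation between applications, service insertion) and the dynamic service chain described above: group membership is recomputed from VM attributes and tags, so when a partner service raises a tag the VM falls into a quarantine group and the distributed firewall decision and inserted services change without any rule being rewritten. The group names, the tag name "malware.found", the rule syntax and the service names are constructed for illustration and are not NSX API identifiers.

```python
"""Toy model of group-based micro-segmentation with tag-driven service chains.

Added example: not NSX or Deep Security code. Group names, the tag
"malware.found", the rule syntax and the service names are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

ANY = ("any", 0)  # service wildcard in the constructed rule syntax


@dataclass
class VM:
    name: str
    tier: str                                   # e.g. "web", "app", "db"
    app: str                                    # application the VM belongs to
    tags: Set[str] = field(default_factory=set)  # tags raised by partner services


@dataclass
class SecurityGroup:
    """Membership is recomputed on every lookup, so a VM changes groups as its
    attributes or tags change, with no firewall rule edited."""
    name: str
    criteria: Callable[[VM], bool]


@dataclass
class Rule:
    src: str                    # security group name ("any" = every VM)
    dst: str
    service: Tuple[str, int]    # (protocol, port) or ANY
    action: str                 # "allow" or "deny"


@dataclass
class Policy:
    groups: Dict[str, SecurityGroup]
    rules: List[Rule]               # ordered, first match wins
    chains: Dict[str, List[str]]    # group -> services inserted for its members

    def groups_of(self, vm: VM) -> Set[str]:
        return {g.name for g in self.groups.values() if g.criteria(vm)}

    def evaluate(self, src: VM, dst: VM, proto: str, port: int) -> dict:
        """Distributed-firewall decision for one flow, plus the service chain
        in its path. Zero trust: no matching rule means deny."""
        src_groups, dst_groups = self.groups_of(src), self.groups_of(dst)
        action, matched = "deny", None
        for r in self.rules:
            if (r.src in src_groups and r.dst in dst_groups
                    and r.service in (ANY, (proto, port))):
                action, matched = r.action, r
                break
        # Service insertion: every service attached to a group that either
        # endpoint belongs to sits in the path (deduplicated, stable order).
        chain: List[str] = []
        for g in sorted(src_groups | dst_groups):
            for svc in self.chains.get(g, []):
                if svc not in chain:
                    chain.append(svc)
        return {"action": action, "rule": matched, "chain": chain}


def build_policy() -> Policy:
    groups = {
        "any": SecurityGroup("any", lambda vm: True),
        "app-tier": SecurityGroup("app-tier", lambda vm: vm.tier == "app"),
        "db-tier": SecurityGroup("db-tier", lambda vm: vm.tier == "db"),
        # Constructed tag: a partner anti-malware service would raise it
        "quarantine": SecurityGroup("quarantine",
                                    lambda vm: "malware.found" in vm.tags),
    }
    rules = [
        # Quarantine first: a tagged VM loses all reachability, both ways
        Rule("quarantine", "any", ANY, "deny"),
        Rule("any", "quarantine", ANY, "deny"),
        # Explicit allow: app tier to DB tier on TCP/1433 only
        Rule("app-tier", "db-tier", ("tcp", 1433), "allow"),
        # No rule between applications: isolation falls out of default deny
    ]
    chains = {
        "app-tier": ["IPS", "AM"],        # intrusion protection, anti-malware
        "db-tier": ["IPS", "FIM"],        # plus file integrity on databases
        "quarantine": ["AM-full-scan"],   # remediation service for infected VMs
    }
    return Policy(groups, rules, chains)


def demo() -> dict:
    """Allowed tier traffic, blocked lateral traffic, then re-grouping after
    a partner service tags the workload (constructed sample VMs)."""
    policy = build_policy()
    app_a, db_a = VM("app-a-01", "app", "A"), VM("db-a-01", "db", "A")
    app_b = VM("app-b-01", "app", "B")
    before = policy.evaluate(app_a, db_a, "tcp", 1433)    # allow
    ssh = policy.evaluate(app_a, db_a, "tcp", 22)          # deny: not allowed
    lateral = policy.evaluate(app_a, app_b, "tcp", 8080)   # deny: isolation
    app_a.tags.add("malware.found")                        # tag shared via NSX
    after = policy.evaluate(app_a, db_a, "tcp", 1433)      # deny: quarantined
    return {"before": before, "ssh": ssh, "lateral": lateral, "after": after,
            "app_a_groups": sorted(policy.groups_of(app_a))}
```

Calling demo() walks one workload through the lifecycle: the App Tier to DB Tier flow on TCP 1433 is allowed with IPS, AM and FIM in its path, SSH to the database and App-to-App traffic are denied by default, and after the tag is raised the same 1433 flow is denied by the quarantine rule and the remediation scan is added to the chain.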

Build security into the application lifecycle
With VMware NSX and its partners, security is enforced through every step of an application’s lifecycle:
- Prepare: deploy the security service; create security groups and policies.
- Instantiate: dynamically assign security groups and policies.
- Monitor: run periodic automated scans for threats; monitor applications for vulnerabilities; monitor and record system changes.
- Manage: address known threats and vulnerabilities; respond to emergent attacks; adjust security policy as the app changes over time.
- Decommission: decommission security services; report compliance and generate audit logs.

NSX Vision: Managing Security and Connectivity for many Heterogeneous End Points
Pillars: Automation (IT at the speed of business), Security (inherently secure infrastructure), Application Continuity (data center anywhere).
End points: on-premise data center, new app frameworks, mobile devices (AirWatch), virtual desktop (VDI), branch offices (partner), Internet of Things, public clouds.

VMware: Fearless Innovator of “Software-Defined”
Server Virtualization (2000), Software-Defined Data Center (2011), Software-Defined Business (2016).
Capabilities: compute virtualization, network virtualization, software-defined storage, hybrid cloud, mobile workspace, intrinsic security.

Thank You!
