Micro-segmentation with Next-Generation Firewall and VMware NSX

Presentation transcript:

Micro-segmentation with Next-Generation Firewall and VMware NSX. Daniel Bortolazo, Thiago Koga

What's changed? The evolution of the attacker
Cybercrime now: a $445 billion industry. Cyber warfare: 100+ nations.

Over the last two years in particular we've seen a dramatic change in both the attacker and the techniques they use. By many estimates cybercrime is now a $1+ trillion industry. And like any industry, opportunity fuels more investment, and it is clear this "industry" isn't being deprived. But like any industry, investment decisions are made based on the expectation of profit. The best way to get an industry to collapse on itself is to take away that potential for profit. Our strategy is quite simple: make it so unbelievably hard for cybercriminals to achieve their objectives that their only recourse is to invest more and more resources to stage a successful attack, or give up and move on to someone else.

Today there are more than 100 nations who are actively building cyber military capabilities. Of those 100, about 20 are considered serious players. These nation states follow a completely different set of motives and are not concerned about profit. These new units are accelerating the weaponization of vulnerabilities. They're launching sophisticated campaigns at our employees, looking to take advantage of weak defensive links. They are not motivated by profit; they're motivated by warfare, terrorism, and theft of secrets that may give their country an advantage. Equally, we need to make it unbelievably hard for these nations to achieve their objectives. To achieve this we must consider a new approach.

Facts & Credits: The $445B figure comes from a study administered by the Center for Strategic and International Studies (CSIS) and released June 2014. Peter W. Singer, director of the Center for 21st Century Security and Intelligence at the Brookings Institution, said 100 nations are building cyber military commands, that about 20 of those are serious players, and that a smaller number could carry out a complete cyberwar campaign. The barrier to entry for attackers has come down significantly in the last couple of years with the accessibility of exploit kits that may be easily purchased online with full support.

What's changed? The evolution of the attack
Known threats; evasive command-and-control; unknown & polymorphic malware; zero-day exploits / vulnerabilities; identity compromise; mobility threat; organizational risk.

This new approach must account for the realities that today's attacks are not only multi-dimensional in nature, but also use an increasingly sophisticated set of techniques that are constantly in a state of change. As these techniques evolve, the risk of breach increases. And as we all know, an organization is only as strong as its weakest entry point; therefore an effective strategy must include multiple kill-points working together to prevent all aspects of an attack. This includes:
- Blocking the different techniques attackers might use to evade detection and establish command-and-control channels
- Preventing installation of malware, including unknown and polymorphic malware
- Blocking the different techniques that attackers must follow in order to exploit a vulnerability
- Closely monitoring and controlling communications within the organization to protect against unabated lateral movement when legitimate identities are hijacked

With the evolution of the attack and the attacker as a backdrop, let's take a quick look at where some of the breakdowns in approaches are occurring.

Facts & Credits: Today we detect and analyze over 2M forms of new malware within WildFire. This trend line is increasing monthly.

Changing data center characteristics
Today's data center (dedicated servers + virtualization); software-defined data center (private cloud); hybrid (private + public cloud). Virtualized compute, network and storage on a hypervisor. Shift to dynamic, scalable, self-provisioned compute infrastructure. Eliminate compute silos and restrictions on where a workload can run.

In addition to the challenges you face in controlling access to DC apps and data while protecting them from threats, how many of you have virtualization projects in the works? Many of you may fall into the 2nd or 3rd example here: either a mix of hardware and private cloud, or a mix of hardware, private and public cloud. There is huge value to your business in this migration, but significant challenges around security.

Our changing landscape
Monolithic stack (UI, app, storage and DB in one stack); multi-tiered distributed architecture (web, app and DB tiers across network, compute and storage); composed services on converged infrastructure.

Hyper-connected compute base
Lateral movement; comingled policy. (Diagram: web, app, database and storage VMs sharing one compute base.)

Datacenter applications are heavily targeted
Crunchy perimeter, gooey interior? 10 out of 1,395 applications generated 97% of the exploit logs; 9 of these were datacenter applications.

<Optional slide> This is yet another proof point that your DC and infrastructure apps are heavily targeted. This data comes from one of our recent Application Usage and Threat Reports. It's a global view into enterprise application usage and the associated threats, summarized from network traffic assessments conducted across more than 3,000 global organizations. This isn't a survey; it is real data collected from live traffic. We share our insights in our "Application Usage and Threat Report". The 2013 report reveals that 10 of the 1,395 applications represented 97% of the 60 million exploit logs found. 9 of those applications are business critical: internal or infrastructure-related applications that are integral to many business functions. Here are the most heavily targeted [list a few of them off]. "Let me see a show of hands: how many of you can say you are not using any of these applications?"

Source: Palo Alto Networks, Application Usage and Threat Report, Jan. 2013.

Requirements for the future
Detect and prevent threats at every point across the organization: at the mobile device; at the internet edge; between employees and devices within the LAN; at the data center edge, and between VMs; within private, public and hybrid clouds.

Your architecture must also be able to detect and prevent threats at every point across the organization:
- Attacks targeting your mobile workers
- Attacks targeting your perimeter
- Attacks moving between employees and devices within your LAN, or from guests or other third-party contractors that might have access to your network
- Attacks targeting the heart of your virtualized data center
- Attacks targeting your cloud-based infrastructure, both private and public

APPLIED TO THE CONNECTED INFRASTRUCTURE
Diagram elements: Warehouse (WMS, inventory/distribution tracking and all corporate functions); Corporate HQ; Stores, small to large (store manager station, POS, Wi-Fi); Internet; Private WAN; Partners and suppliers; Datacenter(s) (internet and extranet DMZ zones; ERP & corporate functions; inventory management; analytics; other corporate functions; eCommerce; customer support & management; credit card authorization & transactions); Online consumers; External access.

Now that we've gone through all aspects of our enterprise platform, how does it apply specifically to a distributed retail environment? This graphic is meant to be a representative view of what a retail environment might look like. (Great opportunity to ask the customer about how many stores they have, their landscape, ...)

END-TO-END PROTECTION AND PREVENTION
Internet gateway: visibility and control of ALL internet traffic; control over partners'/suppliers' access (segmentation); inspection of all traffic for known and unknown threats.
Diagram elements: Warehouse (WMS, inventory/distribution tracking and all corporate functions); Corporate HQ; Stores, small to large (store manager station, POS, Wi-Fi); Internet; Private WAN; Partners and suppliers; Firewall(s) at the internet gateway; Datacenter (internet and extranet DMZ zones; ERP & corporate functions; inventory management; analytics; other corporate functions; eCommerce; customer support & management; credit card authorization & transactions); Online consumers; External access.

Before we talk about how to secure the POS environment, let's talk about opportunities to bring better security to the core of your network. It's worth noting that many of the high-profile retail breaches that targeted the POS and credit card data actually intruded into the network from the core, through a partner or a phishing campaign against your employees. This is why it's so important to move from a flat network to a more structured environment where assets of similar profile are grouped in a security zone and isolated from the rest of the network.

END-TO-END PROTECTION AND PREVENTION (continued)
Datacenter perimeter: high-performance control and inspection of all traffic; segmentation into zones of similar security profile. Same retail diagram and speaker notes as the previous slide, with the firewall(s) now placed at the datacenter perimeter.

END-TO-END PROTECTION AND PREVENTION (continued)
Virtualized datacenter: regain visibility and control of East-West (VM-to-VM) traffic. Same retail diagram and speaker notes as the previous two slides, with the firewall(s) now placed inside the virtualized datacenter.

And can create a zero trust model, and align your controls to what you are protecting
Isolation; explicit allow of communication; secure communications; structured secure communications. (Diagram: VMs, web server and DB tiers protected by NGFW, IPS and WAF.)

VM-Series deployment options
VMware vSphere Hypervisor (ESXi): VM-100, VM-200, VM-300 and VM-1000-HV deployed as guest VMs on VMware ESXi. Virtual networking configured to pass traffic through the VM-Series (L2, L3, vWire, Tap). ESXi 4.1 and 5.0 for PAN-OS 5.0; ESXi 5.5 for PAN-OS 6.0.
VMware NSX: VM-1000-HV for NSX deployed as a service with VMware NSX and Panorama. Automated deployment, transparent traffic steering, dynamic context-sharing. Filters traffic prior to network decisions; ideal for East-West traffic inspection.
VMware vSphere and vCloud Air: VM-100, VM-200, VM-300 and VM-1000-HV deployed as guest VMs on VMware ESXi. Deployed as part of the virtual network configuration for East-West traffic inspection. Protects the hybrid cloud when used in vCloud Air.

Software networking platform: provides faithful reproduction of network & security services in software
VMware NSX platform on any network hardware: NSX vSwitch and NSX Controller; logical switch, logical router, logical firewall, logical load balancer. Services: switching, routing, firewalling, load balancing, VPN, connectivity to physical.

VMware NSX: virtualize the network
NSX vSwitch in the hypervisor provides logical switching, logical routing, load balancing, physical-to-virtual connectivity, and firewalling & security. One-click deployment via the cloud management platform.

Connected to your data center network is your compute infrastructure.

The need for a comprehensive security solution
Sophisticated security challenges: applications are not linked to ports & protocols; distributed user and device population; modern malware.
VMware NSX platform, NSX Distributed Firewall: line-rate access-control traffic filtering; distributed enforcement at the hypervisor level; VM-level zoning without VLAN/VXLAN dependencies.
Palo Alto Networks next-generation security, Next-Generation Firewall: visibility and safe application enablement; user-, device- and application-aware policies; protection against known and unknown threats.

Advanced services insertion, example: Palo Alto Networks NGFW
(Diagram: NSX Controller; security admin defining the security policy; VMs on two physical hosts, each with a hypervisor and vSwitch; traffic steering from the vSwitch to the NGFW; Internet.)

Automated Security in a Software-Defined Data Center Data Center Micro-Segmentation

Automated security in a software-defined data center: quarantine vulnerable systems until remediated
Security Group = Quarantine Zone; Members = {Tag = 'ANTI_VIRUS.VirusFound', L2 Isolated Network}
Security Group = Web Tier
Policy definition:
- Standard Desktop VM Policy: Anti-Virus – Scan
- Quarantined VM Policy: Firewall – Block all except security tools; Anti-Virus – Scan and remediate
(Components: software-defined data center, virtual network, Service Composer, cloud management.)

On-demand micro-segmentation
Web, App, Database; PRIVATE: no external connectivity.

You will hear about micro-segmentation at VMworld, which is the combination of isolation, segmentation and advanced services to provide granular security and policy enforcement. First, the deployment of VXLAN logical switches, which provide isolation, is automated. Next, workloads are placed into dynamic security groups based on security policies and tags; this maintains application context and allows the NSX distributed firewall to provide a controlled communication path between components, enforced directly at the vNIC within the hypervisor. Finally, advanced partner services are leveraged through Service Composer, which are also linked to security policies. The combination of vCAC and NSX enables secure, automated, on-demand micro-segmentation.
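The quarantine slide and the micro-segmentation description above both rest on one mechanism: group membership is derived from tags, and firewall rules reference groups rather than addresses, so a tag change moves a VM between policies without any rule being touched. The following is an added example, not VMware or Palo Alto Networks code, that models that mechanism in plain Python: security groups defined by criteria over VM tags (the `Members = {Tag = 'ANTI_VIRUS.VirusFound'}` definition), a rule list in policy-weight order with the quarantine policy first, and a flow evaluator that behaves like the distributed firewall at the vNIC. The VM names, tags, services and rule names are constructed for the demo.

```python
"""Tag-driven micro-segmentation, modelled in plain Python.

Added example, not VMware or Palo Alto Networks code. It mimics the Service
Composer flow from the slides: security groups whose membership is computed from
VM tags on every lookup, and distributed-firewall rules keyed to those groups, so
a VM that the anti-virus service tags 'ANTI_VIRUS.VirusFound' falls under the
quarantine policy without any rule being edited. VM names, tags, services and
rule names are constructed for the demo."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class VM:
    name: str
    tags: Set[str] = field(default_factory=set)


@dataclass
class Rule:
    name: str
    src: str       # security group name, or "any"
    dst: str
    service: str   # e.g. "tcp/443", or "any"
    action: str    # "allow" or "deny"


# Dynamic membership criteria (the 'Members = {Tag = ...}' definition on the slide).
GROUP_CRITERIA: Dict[str, Callable[[VM], bool]] = {
    "Quarantine Zone": lambda vm: "ANTI_VIRUS.VirusFound" in vm.tags,
    "Security Tools": lambda vm: "role.security-tool" in vm.tags,
    "Web Tier": lambda vm: "tier.web" in vm.tags,
    "App Tier": lambda vm: "tier.app" in vm.tags,
}

# Rules in precedence order: the quarantine policy carries the highest weight, so
# it is evaluated before the standard policy. First match wins; no match = deny,
# which is the 'explicit allow' stance of a zero-trust segment.
POLICY: List[Rule] = [
    # Quarantined VM policy: block all except security tools
    Rule("q-allow-to-tools", "Quarantine Zone", "Security Tools", "any", "allow"),
    Rule("q-allow-from-tools", "Security Tools", "Quarantine Zone", "any", "allow"),
    Rule("q-block-out", "Quarantine Zone", "any", "any", "deny"),
    Rule("q-block-in", "any", "Quarantine Zone", "any", "deny"),
    # Standard policy for the web tier
    Rule("web-in", "any", "Web Tier", "tcp/443", "allow"),
    Rule("web-to-app", "Web Tier", "App Tier", "tcp/8080", "allow"),
]


def groups_of(vm: VM) -> Set[str]:
    """Groups are never stored on the VM; they are recomputed from its tags."""
    return {name for name, match in GROUP_CRITERIA.items() if match(vm)}


def _member(vm: Optional[VM], group: str) -> bool:
    # None stands for an endpoint outside the SDDC (e.g. the Internet): it is
    # only ever matched by "any".
    return group == "any" or (vm is not None and group in groups_of(vm))


def evaluate(src: Optional[VM], dst: Optional[VM], service: str) -> Tuple[str, str]:
    """Return (action, rule name) for one flow, as the DFW at the vNIC would."""
    for rule in POLICY:
        if (_member(src, rule.src) and _member(dst, rule.dst)
                and rule.service in ("any", service)):
            return rule.action, rule.name
    return "deny", "default-deny"


def quarantine_demo() -> Dict[str, Tuple[str, str]]:
    """Walk one VM through infection, quarantine and remediation."""
    web1 = VM("web1", {"tier.web"})
    app1 = VM("app1", {"tier.app"})
    scanner = VM("av-scanner", {"role.security-tool"})
    out: Dict[str, Tuple[str, str]] = {}
    out["normal web->app"] = evaluate(web1, app1, "tcp/8080")
    out["normal inet->web"] = evaluate(None, web1, "tcp/443")
    # The anti-virus service applies its tag; membership changes, rules do not.
    web1.tags.add("ANTI_VIRUS.VirusFound")
    out["quarantined web->app"] = evaluate(web1, app1, "tcp/8080")
    out["quarantined inet->web"] = evaluate(None, web1, "tcp/443")
    out["quarantined web->scanner"] = evaluate(web1, scanner, "tcp/443")
    out["quarantined scanner->web"] = evaluate(scanner, web1, "tcp/22")
    # Remediation clears the tag and the VM returns to the standard policy.
    web1.tags.discard("ANTI_VIRUS.VirusFound")
    out["remediated web->app"] = evaluate(web1, app1, "tcp/8080")
    return out


if __name__ == "__main__":
    for flow, (action, rule) in quarantine_demo().items():
        print(f"{flow:28s} {action:5s} ({rule})")
```

Two design points carry over to a real deployment. The quarantine rules sit above the standard policy because a quarantined web server is still a member of Web Tier; if the allow rules for Web Tier were evaluated first, the infected VM would keep talking to the app tier. And the default is deny, so a VM whose tags match no group gets no connectivity at all, which is what "explicit allow" on the zero-trust slide means in practice.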

NSX-PAN use case: PCI zone segmentation
Legend: DFW; Dev zone; Prod zone; PCI zone. PAN VM-Series firewall managed by Panorama; Internet. PAN provides intrusion prevention (IPS), application- and user-based access control, and malware prevention.

NSX-PAN use case: secure web DMZ
Internet; Panorama; PAN VM-Series firewall; DFW. Web DMZ, app tier and DB tier. Line-rate processing of traffic allowed to enter the DC; deep inspection of web and other protocols.

NSX-PAN use case: VDI Internet access
SDDC with virtual desktops (VDI) and a back-end app (web, app and DB tiers); Internet. Inspection of web browsing protocols.

Next-generation security for public cloud scenarios
- GlobalProtect remote access VPN: leverage AWS ubiquitous access and built-in resiliency for remote/mobile users; extend full next-generation security policies to all users, all locations, all types of devices.
- VPC-to-VPC protection: gateway + hybrid to control traffic between VPCs; block known and unknown threats from moving laterally (Dev and Test VPCs, each with App1 and App2).
- VPC gateway: full next-generation firewall security for VPC traffic; enable applications, prevent known/unknown threats, user-based access control.
- Hybrid cloud (IPSec VPN): extend physical data center/private cloud to AWS; IPSec VPN + full NGFW feature set.

Securing the datacenter: physical, cloud, hybrid
Consistent NGFW security in both virtual and physical form factors; Zero Trust principles protect applications and data; prevent cyber threats, inbound and across VMs; dynamic policy updates eliminate app-vs-security lag; centralized management and orchestration. (Diagram: SDDC/private cloud and public cloud, each with virtualized compute, network and storage; credit card zone.)

Our enterprise security platform allows you to protect your datacenter regardless of your deployment model: physical, virtual, or a hybrid combination of both. The functionality is consistent across all form factors, allowing you to protect your applications and data by classifying all applications and controlling access based on zero trust principles: verifying the application identity and blocking all others, and granting access based on user need and identity. Just as you would at the perimeter, advanced threat prevention can be applied to DC traffic to stop known and unknown malware, both inbound and VM-to-VM. To eliminate the policy lag commonly seen when VMs are spun up, automation features such as VM-Monitoring, Dynamic Address Groups and the API can help ensure policy updates keep pace with VM adds, removals and changes.
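The "policy lag" the last paragraph mentions is closed by registering IP-to-tag mappings on the firewall as VMs come and go, so that Dynamic Address Groups (whose match criteria are tag expressions) change membership immediately while the security rules referencing them stay untouched. The following is an added example, not Palo Alto Networks or VMware code: it diffs two inventory snapshots of the kind a VM-Monitoring poll produces, emits the PAN-OS User-ID API `uid-message` XML that registers the new mappings and unregisters the stale ones, and resolves two Dynamic Address Groups against the resulting state. The IPs, tags and group filters are constructed; the message layout and the `type=user-id` API call are the PAN-OS XML API as the author of this example knows it, so check them against the documentation for your PAN-OS release.

```python
"""Keeping firewall policy in step with VM churn.

Added example, not Palo Alto Networks or VMware code. It diffs two snapshots of
the VM inventory (IP -> tags, the kind of data a VM-Monitoring poll collects) and
builds the PAN-OS User-ID API 'uid-message' XML that registers the new IP-to-tag
mappings and unregisters the stale ones. Dynamic Address Groups that match on
those tags then change membership at once, with no policy edit or commit. The
IPs, tags and group filters are constructed; the message layout and the
'type=user-id' API call are the PAN-OS XML API as the author of this example
knows it, so check them against the documentation for your PAN-OS release."""
import xml.etree.ElementTree as ET
from typing import Callable, Dict, Set, Tuple

Inventory = Dict[str, Set[str]]   # ip -> tags currently attached to that VM


def diff_inventory(old: Inventory, new: Inventory) -> Tuple[Inventory, Inventory]:
    """Return (register, unregister): tags to add per IP, tags to drop per IP.

    A VM that disappeared from the inventory yields an unregister for all its
    tags, which is what keeps a reused IP from inheriting the old VM's access."""
    register: Inventory = {}
    unregister: Inventory = {}
    for ip in old.keys() | new.keys():
        added = new.get(ip, set()) - old.get(ip, set())
        removed = old.get(ip, set()) - new.get(ip, set())
        if added:
            register[ip] = added
        if removed:
            unregister[ip] = removed
    return register, unregister


def build_uid_message(register: Inventory, unregister: Inventory) -> str:
    """Serialize a uid-message with <register> and <unregister> sections."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    for op, mapping in (("register", register), ("unregister", unregister)):
        if not mapping:
            continue
        section = ET.SubElement(payload, op)
        for ip in sorted(mapping):
            entry = ET.SubElement(section, "entry", ip=ip)
            tags = ET.SubElement(entry, "tag")
            for tag in sorted(mapping[ip]):
                ET.SubElement(tags, "member").text = tag
    return ET.tostring(root, encoding="unicode")


def parse_uid_message(xml: str) -> Dict[str, Inventory]:
    """Inverse of build_uid_message; handy for auditing what was sent."""
    out: Dict[str, Inventory] = {"register": {}, "unregister": {}}
    root = ET.fromstring(xml)
    for op in out:
        for entry in root.findall(f"./payload/{op}/entry"):
            out[op][entry.get("ip")] = {m.text for m in entry.findall("./tag/member")}
    return out


def dag_members(inventory: Inventory, match: Callable[[Set[str]], bool]) -> Set[str]:
    """Resolve a Dynamic Address Group: IPs whose registered tags satisfy the filter."""
    return {ip for ip, tags in inventory.items() if match(tags)}


def sync_demo() -> Tuple[Inventory, Inventory, str, Set[str], Set[str]]:
    """Constructed poll results: one VM re-tagged, one removed, one new."""
    before: Inventory = {
        "10.10.1.11": {"tier.web", "env.prod"},
        "10.10.2.21": {"tier.app", "env.prod"},
    }
    after: Inventory = {
        "10.10.1.11": {"tier.web", "env.prod", "quarantine"},
        "10.10.1.12": {"tier.web", "env.prod"},
    }
    register, unregister = diff_inventory(before, after)
    message = build_uid_message(register, unregister)
    # Two groups with and-only filters, as DAG match criteria are written:
    #   prod-web:    'tier.web' and 'env.prod'
    #   quarantined: 'quarantine'
    # A deny rule on 'quarantined' placed above the 'prod-web' allow rule wins
    # for 10.10.1.11 even though it is still a member of prod-web.
    prod_web = dag_members(after, lambda t: {"tier.web", "env.prod"} <= t)
    quarantined = dag_members(after, lambda t: "quarantine" in t)
    return register, unregister, message, prod_web, quarantined


if __name__ == "__main__":
    reg, unreg, msg, members, bad = sync_demo()
    print(msg)
    print("prod-web DAG:", sorted(members), " quarantined DAG:", sorted(bad))
```

The message produced here is what a VM-lifecycle hook would submit to the firewall's XML API (an HTTP POST to `/api/` with `type=user-id`, the API key, and the XML in the `cmd` parameter); on Panorama-managed firewalls the same registration can be pushed to all devices in a device group. The unregister path is the part most integrations get wrong: if a decommissioned VM's tags are never removed, the next VM to receive that IP inherits its group membership and therefore its access.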

More Information HOL-PRT-1672 http://labs.hol.vmware.com/HOL/catalogs/lab/2061 Deploying Palo Alto Networks Next-Generation Security Platform with VMware NSX

Better together to increase your security within Data Center