Micro-segmentation with Next-Generation Firewall and VMware NSX
Daniel Bortolazo, Thiago Koga
What's changed? The evolution of the attacker

Cybercrime is now a $445 billion industry; more than 100 nations are building cyber warfare capabilities.

Over the last two years in particular we have seen a dramatic change in both the attacker and the techniques they use. Cybercrime is now an industry worth hundreds of billions of dollars a year (the $445 billion figure on the slide is the CSIS estimate; some estimates put it above $1 trillion), and like any industry, opportunity fuels more investment. But investment decisions are made on the expectation of profit, and the best way to make such an industry collapse on itself is to take that profit away. Our strategy is simple: make it so hard for cybercriminals to achieve their objectives that their only recourse is to invest more and more resources in each attack, or to give up and move on to someone else.

Today more than 100 nations are actively building cyber military capabilities; about 20 of them are considered serious players. Nation states follow a completely different set of motives and are not concerned with profit. These new units are accelerating the weaponization of vulnerabilities and launching sophisticated campaigns against employees, looking for weak defensive links. They are motivated by warfare, terrorism and the theft of secrets that may give their country an advantage. We must make it equally hard for these nations to achieve their objectives, and to do that we need a new approach.

The barrier to entry for attackers has also come down significantly in the last couple of years: exploit kits can be bought online, with full support.

Facts and credits: the $445 billion figure comes from a study administered by the Center for Strategic and International Studies (CSIS) and released in June 2014. Peter W. Singer, director of the Center for 21st Century Security and Intelligence at the Brookings Institution, said that 100 nations are building cyber military commands, that about 20 of them are serious players, and that a smaller number could carry out a complete cyberwar campaign.
What's changed? The evolution of the attack

Organizational risk rises with each of these: known threats; evasive command-and-control; unknown and polymorphic malware; zero-day exploits and vulnerabilities; identity compromise; mobility threats.

This new approach must account for the reality that today's attacks are not only multi-dimensional but also use an increasingly sophisticated set of techniques that is constantly changing. As these techniques evolve, the risk of breach increases. An organization is only as strong as its weakest entry point, so an effective strategy must include multiple kill points working together to prevent every stage of an attack:
- blocking the techniques attackers use to evade detection and establish command-and-control channels;
- preventing the installation of malware, including unknown and polymorphic malware;
- blocking the techniques attackers must use in order to exploit a vulnerability;
- closely monitoring and controlling communications within the organization, to protect against unabated lateral movement when legitimate identities are hijacked.

With the evolution of the attack and the attacker as a backdrop, let's take a quick look at where the breakdowns in current approaches are occurring.

Facts and credits: today WildFire detects and analyzes over 2 million forms of new malware, and the trend line is increasing monthly.
Changing data center characteristics

Three deployment models: today's data center (dedicated servers plus virtualization, with virtualized compute, network and storage on a hypervisor); the software-defined data center (private cloud); and hybrid (private plus public cloud). The shift is toward dynamic, scalable, self-provisioned compute infrastructure that eliminates compute silos and restrictions on where a workload can run.

In addition to the challenges you face in controlling access to data center applications and data while protecting them from threats, how many of you have virtualization projects in the works? Many of you will fall into the second or third model here: either a mix of hardware and private cloud, or a mix of hardware, private and public cloud. There is huge value to your business in this migration, but also significant security challenges.
Our changing landscape

[Diagram: three generations of application architecture. A monolithic stack (UI, application, database and storage on one set of network, compute and storage); a multi-tiered distributed architecture (web, app and DB tiers); and composed services on converged infrastructure (many small services spread across shared network, compute and storage).]
Hyper-connected compute base

[Diagram: web, app, DB and storage VMs sharing the same hypervisor hosts. Two consequences: lateral movement between tiers is possible, and policy for the different tiers is commingled.]
Datacenter applications are heavily targeted

Crunchy perimeter, gooey interior? 10 out of 1,395 applications generated 97% of the exploit logs, and 9 of those 10 were datacenter applications.

(Optional slide.) This is yet another proof point that your data center and infrastructure applications are heavily targeted. The data comes from one of our recent Application Usage and Threat Reports: a global view of enterprise application usage and the associated threats, summarized from network traffic assessments conducted across more than 3,000 organizations. This is not a survey; it is real data collected from live traffic. The 2013 report reveals that 10 of the 1,395 applications seen accounted for 97% of the 60 million exploit logs found, and that 9 of those applications are business-critical: internal or infrastructure-related applications that are integral to many business functions. Here are the most heavily targeted [list a few of them]. Show of hands: how many of you can say you are not using any of these applications?

Source: Palo Alto Networks, Application Usage and Threat Report. Jan
Requirements for the future

Detect and prevent threats at every point across the organization: at the mobile device; at the internet edge; between employees and devices within the LAN; at the data center edge and between VMs; within private, public and hybrid clouds.

Your architecture must be able to detect and prevent threats at every point across the organization: attacks targeting your mobile workers; attacks targeting your perimeter; attacks moving between employees and devices within your LAN, or coming from guests or third-party contractors with access to your network; attacks targeting the heart of your virtualized data center; and attacks targeting your cloud-based infrastructure, both private and public.
Applied to the connected infrastructure

[Diagram: a representative distributed retail environment. Stores (small to large) with a store manager station, POS and Wi-Fi; a warehouse running WMS, inventory and distribution tracking and corporate functions; corporate HQ; partners and suppliers; and the datacenter(s), holding internet and extranet DMZ zones, ERP and corporate functions, inventory management, analytics, eCommerce, customer support and management, and credit card authorization and transactions. Sites connect over private WAN and the internet; online consumers and external access arrive over the internet.]

Now that we have gone through all aspects of our enterprise platform, how does it apply specifically to a distributed retail environment? This graphic is a representative view of what a retail environment might look like. (A good opportunity to ask the customer how many stores they have, what their landscape looks like, and so on.)
End-to-end protection and prevention

Internet gateway: visibility and control of all internet traffic; control over partner and supplier access (segmentation); inspection of all traffic for known and unknown threats.

[Same retail diagram as the previous slide, with firewalls placed at the internet gateway.]

Before we talk about how to secure the POS environment, let's talk about opportunities to bring better security to the core of your network. It is worth noting that many of the high-profile retail breaches that targeted POS systems and credit card data actually entered the network at the core, through a partner or through a phishing campaign against employees. This is why it is so important to move from a flat network to a more structured environment, where assets with a similar profile are grouped in a security zone and isolated from the rest of the network.
End-to-end protection and prevention (continued)

Datacenter perimeter: high-performance control and inspection of all traffic; segmentation into zones of similar security profile.

[Same retail diagram, with firewalls at the datacenter perimeter.]
End-to-end protection and prevention (continued)

Virtualized datacenter: regain visibility and control of east-west (VM-to-VM) traffic.

[Same retail diagram, with firewalls inside the virtualized datacenter.]
And can create a zero trust model

Align your controls to what you are protecting: isolation; explicit allow of required communication only; secure communications; structured, secure communication paths.

[Diagram: VMs separated by an NGFW, with IPS and a WAF placed in front of the web server VM and IPS in front of the database VM.]
VM-Series deployment options

VMware vSphere Hypervisor (ESXi): VM-100, VM-200, VM-300 and VM-1000-HV deployed as guest VMs on ESXi. Virtual networking is configured to pass traffic through the VM-Series (Layer 2, Layer 3, virtual wire or tap). ESXi 4.1 and 5.0 are supported for PAN-OS 5.0, and ESXi 5.5 for PAN-OS 6.0.

VMware NSX: VM-1000-HV for NSX, deployed as a service with VMware NSX and Panorama. Automated deployment, transparent traffic steering and dynamic context sharing. Traffic is filtered before network forwarding decisions are made, which makes it ideal for east-west traffic inspection.

VMware vSphere and vCloud Air: VM-100, VM-200, VM-300 and VM-1000-HV deployed as guest VMs on ESXi, as part of the virtual network configuration for east-west traffic inspection. Protects the hybrid cloud when used in vCloud Air.
Software networking platform

VMware NSX provides a faithful reproduction of network and security services in software, on top of any network hardware. The NSX platform (NSX vSwitch and NSX Controller) delivers the logical switch, logical router, logical firewall and logical load balancer: switching, routing, firewalling, load balancing, VPN and connectivity to the physical network. [Animated slide.]
VMware NSX: virtualize the network

Logical switching, logical routing, load balancing, firewalling and security, and physical-to-virtual bridging, all delivered by the NSX vSwitch in the hypervisor, with one-click deployment via a cloud management platform. Connected to your data center network is your compute infrastructure.
The need for a comprehensive security solution

Sophisticated security challenges: applications are not tied to ports and protocols; the user and device population is distributed; modern malware.

VMware NSX platform (NSX Distributed Firewall):
- line-rate access control and traffic filtering
- distributed enforcement at the hypervisor level
- VM-level zoning without VLAN/VXLAN dependencies

Palo Alto Networks next-generation security (next-generation firewall):
- visibility and safe application enablement
- user-, device- and application-aware policies
- protection against known and unknown threats
Advanced services insertion, example: Palo Alto Networks NGFW

[Diagram: the NSX Controller pushes the security admin's security policy to the vSwitch in each hypervisor on each physical host; traffic between VMs, and between VMs and the internet, is steered through the Palo Alto Networks VM-Series firewall before it is forwarded.]
Automated Security in a Software-Defined Data Center: Data Center Micro-Segmentation
Software-defined data center: automated security

Use case: quarantine vulnerable systems until remediated.

Security group "Quarantine Zone": members = {Tag = 'ANTI_VIRUS.VirusFound', L2 isolated network}.
Security group "Web Tier".

Policy definitions:
- standard desktop VM policy: anti-virus scan
- quarantined VM policy: firewall blocks all traffic except security tools; anti-virus scan and remediate

[Diagram: cloud management on top of Service Composer and the virtual network in the software-defined data center.]
On-demand micro-segmentation

[Diagram: web, app and database VMs on a private network with no external connectivity.]

You will hear about micro-segmentation at VMworld. It is the combination of isolation, segmentation and advanced services to provide granular security and policy enforcement. Deployment of VXLAN logical switches, which provide isolation, is automated. Workloads are then placed into dynamic security groups based on security policies and tags; this preserves application context and lets the NSX Distributed Firewall provide a controlled communication path between components, enforced directly at the vNIC within the hypervisor. Finally, advanced partner services are attached through Service Composer, also linked to security policies. The combination of vCAC and NSX enables secure, automated, on-demand micro-segmentation.
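The two ideas on this and the previous slide (tag-driven security group membership, and an ordered policy in which the quarantine group wins over the normal tier allow-list) are easier to reason about in code. The block below is an added example written for this page, not VMware or Palo Alto Networks code and not the NSX Service Composer API; it models the behaviour with plain Python. The ANTI_VIRUS.VirusFound tag is the one named on the slide; the tier tags, group names, IPs, ports and the flow sample are constructed for the example.

```python
"""Toy model of tag-driven micro-segmentation (NSX Service Composer style).

Added example, not VMware or Palo Alto Networks code. Security group
membership is computed from VM tags, the policy is an ordered rule list
with a final default deny, and the quarantine group (keyed on the
ANTI_VIRUS.VirusFound tag from the slide) is evaluated before the tier
rules so that a tagged VM loses its normal allow rules immediately.
Tier tags, group names, IPs and ports are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class VM:
    name: str
    ip: str
    tags: Set[str] = field(default_factory=set)


@dataclass(frozen=True)
class Rule:
    src: str              # security group name, or "any"
    dst: str              # security group name, or "any"
    port: Optional[int]   # None matches any port
    action: str           # "allow" or "deny"


# Security groups: name -> membership predicate, re-evaluated on every flow,
# so adding or removing a tag changes policy without touching the rules.
GROUPS: Dict[str, Callable[[VM], bool]] = {
    "quarantine":     lambda vm: "ANTI_VIRUS.VirusFound" in vm.tags,
    "security_tools": lambda vm: "tier:sectools" in vm.tags,
    "web":            lambda vm: "tier:web" in vm.tags,
    "app":            lambda vm: "tier:app" in vm.tags,
    "db":             lambda vm: "tier:db" in vm.tags,
}


def groups_of(vm: VM) -> Set[str]:
    return {name for name, member in GROUPS.items() if member(vm)}


# Ordered policy: quarantine rules first, then the explicit tier allow-list,
# then default deny (the "explicit allow" zero trust model from slide 13).
POLICY: List[Rule] = [
    Rule("security_tools", "quarantine", None, "allow"),
    Rule("quarantine", "security_tools", None, "allow"),
    Rule("quarantine", "any", None, "deny"),
    Rule("any", "quarantine", None, "deny"),
    Rule("web", "app", 8080, "allow"),
    Rule("app", "db", 3306, "allow"),
    Rule("any", "any", None, "deny"),
]


def evaluate(src: VM, dst: VM, port: int) -> Tuple[str, Optional[Rule]]:
    """First-match evaluation; returns (action, matching rule)."""
    sg, dg = groups_of(src), groups_of(dst)
    for rule in POLICY:
        if ((rule.src == "any" or rule.src in sg)
                and (rule.dst == "any" or rule.dst in dg)
                and (rule.port is None or rule.port == port)):
            return rule.action, rule
    return "deny", None   # unreachable with the trailing any/any rule


def find_violations(vms: List[VM], flows: List[Tuple[str, str, int]]) -> List[Tuple[str, str, int]]:
    """Replay observed (src_ip, dst_ip, port) flows, e.g. flow logs captured
    before the DFW was enforcing, and return those the policy would deny:
    each one is a lateral-movement path the flat network allowed."""
    by_ip = {vm.ip: vm for vm in vms}
    return [f for f in flows if evaluate(by_ip[f[0]], by_ip[f[1]], f[2])[0] == "deny"]


# Constructed inventory and flow sample (not real data).
VMS = [
    VM("web01", "10.1.10.11", {"tier:web"}),
    VM("app01", "10.1.20.21", {"tier:app"}),
    VM("db01",  "10.1.30.31", {"tier:db"}),
    VM("av01",  "10.1.90.91", {"tier:sectools"}),
]
FLOWS = [
    ("10.1.10.11", "10.1.20.21", 8080),   # web -> app, expected
    ("10.1.20.21", "10.1.30.31", 3306),   # app -> db, expected
    ("10.1.10.11", "10.1.30.31", 3306),   # web -> db directly: lateral movement
    ("10.1.30.31", "10.1.10.11", 22),     # db -> web over SSH: lateral movement
]


def quarantine_demo() -> Dict[str, str]:
    """Tag web01 as infected, show the resulting decisions, then remediate."""
    web01, app01, av01 = VMS[0], VMS[1], VMS[3]
    web01.tags.add("ANTI_VIRUS.VirusFound")
    out = {
        "web->app while quarantined": evaluate(web01, app01, 8080)[0],
        "av->web while quarantined": evaluate(av01, web01, 445)[0],
    }
    web01.tags.discard("ANTI_VIRUS.VirusFound")   # remediation clears the tag
    out["web->app after remediation"] = evaluate(web01, app01, 8080)[0]
    return out


if __name__ == "__main__":
    for flow in find_violations(VMS, FLOWS):
        print("policy would deny observed flow:", flow)
    print(quarantine_demo())
```

Two design points carry over to a real deployment: rule order matters (if the tier allow rules sat above the quarantine deny, an infected web server would keep its path to the app tier), and replaying existing flow logs against the intended policy before enforcing it is the cheapest way to find both the lateral paths you want to close and the legitimate flows you forgot to allow.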
NSX-PAN use case: PCI zone segmentation

[Diagram: Dev, Prod and PCI zones separated by the NSX Distributed Firewall (DFW), with Palo Alto Networks VM-Series firewalls managed by Panorama between the zones and the internet.] The Palo Alto Networks firewall provides intrusion prevention (IPS), application- and user-based access control, and malware prevention.
NSX-PAN use case: secure web DMZ

[Diagram: web DMZ, app tier and DB tier VMs separated by the DFW, with VM-Series firewalls managed by Panorama between the internet and the web DMZ.] Line-rate processing of the traffic allowed to enter the data center, and deep inspection of web and other protocols.
NSX-PAN use case: VDI internet access

[Diagram: virtual desktops in the VDI pod, and the web, app and DB tiers of a back-end application in the SDDC. Web browsing protocols between the virtual desktops and the internet are inspected by the VM-Series.]
Next-generation security for public cloud scenarios

VPC gateway: full next-generation firewall security for VPC traffic; enable applications, prevent known and unknown threats, user-based access control.
VPC-to-VPC protection: gateway plus hybrid deployment to control traffic between VPCs (for example Dev and Test VPCs, each running App1 and App2); block known and unknown threats from moving laterally.
Hybrid cloud (IPsec VPN): extend the physical data center or private cloud to AWS; IPsec VPN plus the full NGFW feature set.
GlobalProtect remote-access VPN: leverage AWS's ubiquitous access and built-in resiliency for remote and mobile users; extend full next-generation security policies to all users, all locations and all types of device.
Securing the datacenter: physical, cloud, hybrid

Consistent NGFW security in both virtual and physical form factors; zero trust principles protect applications and data; prevent cyber threats, inbound and across VMs; dynamic policy updates eliminate the lag between application change and security policy; centralized management and orchestration. [Diagram: an SDDC/private cloud containing a credit card zone, and a public cloud, both on virtualized compute, network and storage.]

Our enterprise security platform lets you protect your datacenter regardless of deployment model: physical, virtual, or a hybrid of both. Functionality is consistent across all form factors, so you protect your applications and data by classifying all applications and controlling access on zero trust principles: verify the application's identity and block all others, and grant access based on user identity and need. Just as at the perimeter, advanced threat prevention can be applied to data center traffic to stop known and unknown malware, both inbound and VM-to-VM. To eliminate the policy lag commonly seen when VMs are spun up, automation features such as VM Monitoring, Dynamic Address Groups and the API help policy updates keep pace with VM additions, removals and changes.
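The last point, keeping policy in step with VM churn through Dynamic Address Groups and the API, is worth seeing concretely. The block below is an added example for this page, not Palo Alto Networks code: it diffs two inventory snapshots (the kind VM Monitoring or a CMDB would produce) into the PAN-OS User-ID XML API uid-message that registers and unregisters IP-to-tag mappings, then shows which IPs a Dynamic Address Group keyed on those tags would contain. The uid-message element layout follows the PAN-OS XML API; the snapshots, IPs and tag names are constructed, and submitting the message over HTTPS to the firewall's /api/ endpoint (type=user-id, with an API key) is assumed and left out so the block runs offline.

```python
"""Keeping firewall policy in step with VM churn via tag registration.

Added example, not Palo Alto Networks code. Two inventory snapshots are
diffed into a PAN-OS User-ID "uid-message" that registers tags gained
and unregisters tags lost per IP. Dynamic Address Groups whose match
criteria reference these tags pick the change up without a policy
commit. Snapshots, IPs and tag names are constructed; the HTTPS call to
the firewall's XML API is deliberately left out.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Set, Tuple

Inventory = Dict[str, Set[str]]   # ip -> set of tags


def diff_inventory(old: Inventory, new: Inventory) -> Tuple[Inventory, Inventory]:
    """Return (register, unregister): tags gained and tags lost per IP.
    A VM that vanishes from the inventory has all its tags unregistered,
    so a reused IP does not inherit the old VM's policy."""
    register: Inventory = {}
    unregister: Inventory = {}
    for ip in old.keys() | new.keys():
        gained = new.get(ip, set()) - old.get(ip, set())
        lost = old.get(ip, set()) - new.get(ip, set())
        if gained:
            register[ip] = gained
        if lost:
            unregister[ip] = lost
    return register, unregister


def build_uid_message(register: Inventory, unregister: Inventory) -> str:
    """Serialize the PAN-OS uid-message (version 1.0, type update)."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    for section, entries in (("register", register), ("unregister", unregister)):
        if not entries:
            continue
        sec = ET.SubElement(payload, section)
        for ip in sorted(entries):
            entry = ET.SubElement(sec, "entry", ip=ip)
            tag = ET.SubElement(entry, "tag")
            for name in sorted(entries[ip]):
                ET.SubElement(tag, "member").text = name
    return ET.tostring(root, encoding="unicode")


def parse_uid_message(xml_text: str) -> Tuple[Inventory, Inventory]:
    """Round-trip check: read the register/unregister sections back out."""
    root = ET.fromstring(xml_text)
    sections = []
    for section in ("register", "unregister"):
        entries: Inventory = {}
        for entry in root.findall(f"./payload/{section}/entry"):
            entries[entry.get("ip")] = {m.text for m in entry.findall("./tag/member")}
        sections.append(entries)
    return sections[0], sections[1]


def apply_mappings(state: Inventory, register: Inventory, unregister: Inventory) -> Inventory:
    """The firewall's IP-to-tag table after the message is processed."""
    state = {ip: set(tags) for ip, tags in state.items()}
    for ip, tags in unregister.items():
        state[ip] = state.get(ip, set()) - tags
        if not state[ip]:
            del state[ip]
    for ip, tags in register.items():
        state[ip] = state.get(ip, set()) | tags
    return state


def dag_members(state: Inventory, required: Set[str]) -> Set[str]:
    """IPs a Dynamic Address Group with an AND match on `required` contains."""
    return {ip for ip, tags in state.items() if required <= tags}


# Constructed snapshots: web02 is spun up, app01 is flagged by the AV tool,
# and the decommissioned VM at 10.1.30.39 disappears from the inventory.
OLD: Inventory = {
    "10.1.10.11": {"tier-web", "env-prod"},
    "10.1.20.21": {"tier-app", "env-prod"},
    "10.1.30.39": {"tier-db", "env-prod"},
}
NEW: Inventory = {
    "10.1.10.11": {"tier-web", "env-prod"},
    "10.1.10.12": {"tier-web", "env-prod"},
    "10.1.20.21": {"tier-app", "env-prod", "quarantine"},
}

if __name__ == "__main__":
    reg, unreg = diff_inventory(OLD, NEW)
    print(build_uid_message(reg, unreg))
    state = apply_mappings(OLD, reg, unreg)
    print("prod web DAG:", sorted(dag_members(state, {"tier-web", "env-prod"})))
```

The security rule itself stays static: it references the Dynamic Address Group (for instance one whose match criteria is 'tier-web' and 'env-prod'), and the group's membership follows the registered tags. The unregister step is the part that is easy to forget; without it, an IP released by a decommissioned database VM and later reused by a new workload would still match the database group's rules.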
More information: HOL-PRT-1672, Deploying Palo Alto Networks Next-Generation Security Platform with VMware NSX
Better together to increase your security within the data center