VMware NSX is a network virtualization platform that allows organizations to virtualize their network infrastructure and implement micro-segmentation. Traditional perimeter-based security has proven insufficient, while micro-segmentation through physical networking is operationally infeasible. NSX addresses this by providing micro-segmentation in software, extending the virtual network to the workloads themselves. This allows security policies to be applied and enforced across any application, on any server, in any location. NSX provides both security isolation and the network visibility and context that are not possible with traditional approaches.
2. CONFIDENTIAL 2
Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
Guidance from Giants

Traditional Data Center
• Any Application over an L2/L3 or Proprietary Network
• Security, Fault Isolation, Service Chaining, Discovery, Load balancing
• Opex/Capex = $$$$
• Innovation = HW design cycle

Modern SaaS Data Center
• Custom Application over an IP Network
• Security, Fault Isolation, Service Chaining, Discovery, Load balancing
• Opex/Capex = $
• Innovation = SW design cycle
A Picture of Diminishing Returns
[Chart: IT Spend, Security Spend and Security Breaches, 2010 to 2013]
The only thing outpacing security spend is security losses.
A Modern Attack

1 PREP: Malware/attack vectors tested against known signatures & are often VM-aware
 1. Human Recon
 2. Attack Vector R&D
 3. Primary Attack

2 INTRUSION: Leverage endpoints that circumvent perimeter controls
 4. Compromise Primary Entry Point (Phishing, Waterholes, etc.)
 5. Install Command & Control I/F (Strain A: Active; Strain B: Dormant)

3 RECON: Leverage hyper-connected computing base, accessible topology info & shared components
 6. Escalate Privileges on Primary Entry Point
 7. Lateral Movement (Strain A: Active)
 8. Install C2 I/F, Wipe Tracks, Escalate Priv (repeated)

4 RECOVERY: Sensor, alerts and logs easily accessible
 9. Wake Up & Modify Next Dormant Strain (Attack Identified, Response; Strain B: Active, Strain C: Dormant)

5 ACT ON INTENT / 6 EXFILTRATION: Exploit weak visibility and limited internal control points
 10. Break into Data Stores
 11. Parcel & Obfuscate
 12. Exfiltrate
 13. Cleanup
A Modern Kill Chain
… is highly targeted, interactive and stealthy
1 PREP, 2 INTRUSION, 3 RECON, 4 RECOVERY, 5 ACT ON INTENT, 6 EXFILTRATION (steps 1 to 13 as above)

Perimeter-Centric
• 80% of resources focused on preventing intrusion
• Limited visibility and control inside the datacenter to detect and respond to attacks
Problem: Data Center Network Security
Perimeter-centric network security has proven insufficient, and micro-segmentation is operationally infeasible
• Perimeter-centric security: insufficient, with little or no lateral controls inside the perimeter
• Micro-segmentation with physical networking: operationally infeasible
Using Network Virtualization For Micro-Segmentation
[Diagram, built up over several slides; labels: Internet, Perimeter Firewalls, Cloud Management Platform, Security Policy]
Trading Off Context and Isolation
Software Defined Data Center (SDDC): Any Application on the SDDC Platform, over Any x86, Any Storage, Any IP network
• Data Center Virtualization: High Context, Low Isolation
• Traditional Approach: High Isolation, Low Context
• No Ubiquitous Enforcement
Delivering Both Context and Isolation
Software Defined Data Center (SDDC): Any Application on the SDDC Platform, over Any x86, Any Storage, Any IP network
• Data Center Virtualization with Secure Host Introspection: High Context, High Isolation
• Ubiquitous Enforcement
Broad Impact Across Many Security Verticals
Vulnerability Management: Gain previously impossible vulnerability intelligence based on application purpose, data class and user roles to drive rich, policy-driven response, including in-place quarantine.
Malware Protection: Real-time, dynamic threat response that follows applications as they migrate between hosts, data centers and cloud environments.
Network Protection: Leverages the platform to move IPS features from a dedicated edge function to distributed enforcement with rich, policy-driven response, including in-place quarantine.